Merge pull request ARMmbed#1994 from ARMmbed/enable_eapol

Enable EAPOL flags
artokin · Mar 13, 2019 · 74dc531 · 74dc531
2 parents e921dcd + 2b6ddf0
commit 74dc531
Show file tree

Hide file tree

Showing 23 changed files with 138 additions and 48 deletions.
diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -361,7 +361,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
  // If active GTK lifetime is larger than revocation lifetime decrements active GTK lifetime
  if (active_lifetime > revocation_lifetime) {
  sec_prot_keys_gtk_lifetime_decrement(pae_auth->gtks, active_index, active_lifetime - revocation_lifetime);
- tr_info("Access revocation start, GTK active index: %i, revoked lifetime: %i", active_index, revocation_lifetime);
+ tr_info("Access revocation start, GTK active index: %i, revoked lifetime: %"PRIu32"", active_index, revocation_lifetime);
  } else {
  // Otherwise decrements lifetime of the GTK to be installed after the active one
  int8_t second_index = sec_prot_keys_gtk_install_order_second_index_get(pae_auth->gtks);
@@ -372,7 +372,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
  uint32_t second_lifetime = sec_prot_keys_gtk_lifetime_get(pae_auth->gtks, second_index);
  if (second_lifetime > second_revocation_lifetime) {
  sec_prot_keys_gtk_lifetime_decrement(pae_auth->gtks, second_index, second_lifetime - second_revocation_lifetime);
- tr_info("Access revocation start, GTK second active index: %i, revoked lifetime: %i", second_index, second_revocation_lifetime);
+ tr_info("Access revocation start, GTK second active index: %i, revoked lifetime: %"PRIu32"", second_index, second_revocation_lifetime);
  }
  // Removes other keys than active and GTK to be installed next
  not_removed_index = second_index;
@@ -547,11 +547,11 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
  if (pae_auth->gtk_new_inst_req_exp) {
  int8_t second_index = sec_prot_keys_gtk_install_order_second_index_get(pae_auth->gtks);
  if (second_index < 0) {
- tr_info("GTK new install required active index: %i, time: %i, system time: %i", active_index, timer_seconds, protocol_core_monotonic_time / 10);
+ tr_info("GTK new install required active index: %i, time: %"PRIu32", system time: %"PRIu32"", active_index, timer_seconds, protocol_core_monotonic_time / 10);
  ws_pae_auth_gtk_key_insert(pae_auth);
  ws_pae_auth_network_keys_from_gtks_set(pae_auth);
  } else {
- tr_info("GTK new install already done; second index: %i, time: %i, system time: %i", second_index, timer_seconds, protocol_core_monotonic_time / 10);
+ tr_info("GTK new install already done; second index: %i, time: %"PRIu32", system time: %"PRIu32"", second_index, timer_seconds, protocol_core_monotonic_time / 10);
  }
  }
  }
@@ -560,7 +560,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
  pae_auth->gtk_new_act_time_exp = ws_pae_timers_gtk_new_activation_time(pae_auth->timer_settings, timer_seconds);
  if (pae_auth->gtk_new_act_time_exp) {
  int8_t new_active_index = ws_pae_auth_new_gtk_activate(pae_auth);
- tr_info("GTK new activation time active index: %i, time: %i, new index: %i, system time: %i", active_index, timer_seconds, new_active_index, protocol_core_monotonic_time / 10);
+ tr_info("GTK new activation time active index: %i, time: %"PRIu32", new index: %i, system time: %"PRIu32"", active_index, timer_seconds, new_active_index, protocol_core_monotonic_time / 10);
  if (new_active_index >= 0) {
  ws_pae_auth_network_key_index_set(pae_auth, new_active_index);
  }
@@ -571,7 +571,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
  }
 
  if (timer_seconds == 0) {
- tr_info("GTK expired index: %i, system time: %i", i, protocol_core_monotonic_time / 10);
+ tr_info("GTK expired index: %i, system time: %"PRIu32"", i, protocol_core_monotonic_time / 10);
  ws_pae_auth_gtk_clear(pae_auth, i);
  ws_pae_auth_network_keys_from_gtks_set(pae_auth);
  }
@@ -621,7 +621,7 @@ static void ws_pae_auth_gtk_key_insert(pae_auth_t *pae_auth)
  // Authenticator keys are always fresh
  sec_prot_keys_gtk_status_all_fresh_set(pae_auth->gtks);
 
- tr_info("GTK install new index: %i, lifetime: %i", install_index, lifetime);
+ tr_info("GTK install new index: %i, lifetime: %"PRIu32"", install_index, lifetime);
 }
 
 static int8_t ws_pae_auth_new_gtk_activate(pae_auth_t *pae_auth)

diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -763,7 +763,7 @@ int8_t ws_pae_controller_gtk_update(int8_t interface_id, uint8_t *gtk[4])
  uint32_t lifetime = sec_prot_keys_gtk_install_order_last_lifetime_get(&controller->gtks);
  lifetime += controller->timer_settings.gtk_expire_offset;
  if (sec_prot_keys_gtk_set(&controller->gtks, i, gtk[i], lifetime) >= 0) {
- tr_info("GTK set index: %i, lifetime %"PRIx32", system time: %"PRIx32"", i, lifetime, protocol_core_monotonic_time / 10);
+ tr_info("GTK set index: %i, lifetime %"PRIu32", system time: %"PRIu32"", i, lifetime, protocol_core_monotonic_time / 10);
  }
  }
  }

diff --git a/source/6LoWPAN/ws/ws_pae_lib.c b/source/6LoWPAN/ws/ws_pae_lib.c
@@ -213,10 +213,10 @@ void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, timer_settin
 {
  ns_list_foreach(supp_entry_t, entry, supp_list) {
  if (sec_prot_keys_pmk_lifetime_decrement(&entry->sec_keys, timer_settings->pmk_lifetime, seconds)) {
- tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
+ tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
  }
  if (sec_prot_keys_ptk_lifetime_decrement(&entry->sec_keys, timer_settings->ptk_lifetime, seconds)) {
- tr_info("PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
+ tr_info("PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
  }
  }
 

diff --git a/source/6LoWPAN/ws/ws_pae_timers.c b/source/6LoWPAN/ws/ws_pae_timers.c
@@ -117,7 +117,7 @@ static void ws_pae_timers_calculate(timer_settings_t *timer_settings)
  time_to_update = gtk_revocation_lifetime - new_activation_time;
  }
 
- tr_info("Key timers revocation lifetime: %"PRIx32", new activation time: %"PRIx32", max mismatch %i, time to update: %"PRIx32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);
+ tr_info("Key timers revocation lifetime: %"PRIu32", new activation time: %"PRIu32", max mismatch %i, time to update: %"PRIu32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);
 
  // If time to update results smaller GTK request Imax use it for calculation otherwise use GTK max mismatch
  if (time_to_update < timer_settings->gtk_max_mismatch) {

diff --git a/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c
@@ -272,7 +272,7 @@ static void auth_eap_tls_sec_prot_tls_finished_indication(sec_prot_t *tls_prot,
 
  if (result == SEC_RESULT_OK) {
  data->tls_result = EAP_TLS_RESULT_HANDSHAKE_OVER;
- tr_error("EAP-TLS: handshake success");
+ tr_info("EAP-TLS: handshake success");
  } else if (result == SEC_RESULT_CONF_ERROR) {
  data->tls_result = EAP_TLS_RESULT_HANDSHAKE_FATAL_ERROR;
  tr_error("EAP-TLS: handshake fatal error");

diff --git a/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c
@@ -281,7 +281,7 @@ static void supp_eap_tls_sec_prot_tls_finished_indication(sec_prot_t *tls_prot,
 
  if (result == SEC_RESULT_OK) {
  data->tls_result = EAP_TLS_RESULT_HANDSHAKE_OVER;
- tr_error("EAP-TLS: handshake success");
+ tr_info("EAP-TLS: handshake success");
  } else if (result == SEC_RESULT_CONF_ERROR) {
  data->tls_result = EAP_TLS_RESULT_HANDSHAKE_FATAL_ERROR;
  tr_error("EAP-TLS: handshake fatal error");

diff --git a/source/Security/protocols/fwh_sec_prot/supp_fwh_sec_prot.c b/source/Security/protocols/fwh_sec_prot/supp_fwh_sec_prot.c
@@ -86,7 +86,7 @@ static int8_t supp_fwh_sec_prot_init(sec_prot_t *prot);
 static void supp_fwh_sec_prot_create_response(sec_prot_t *prot, sec_prot_result_e result);
 static void supp_fwh_sec_prot_delete(sec_prot_t *prot);
 static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t size);
-static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
+static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(sec_prot_t *prot, eapol_pdu_t *eapol_pdu);
 static void supp_fwh_sec_prot_state_machine(sec_prot_t *prot);
 
 static int8_t supp_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg);
@@ -96,6 +96,7 @@ static int8_t supp_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *
 static int8_t supp_fwh_sec_prot_mic_validate(sec_prot_t *prot);
 
 static void supp_fwh_sec_prot_recv_replay_counter_store(sec_prot_t *prot);
+static uint64_t supp_fwh_sec_prot_recv_replay_counter_get(sec_prot_t *prot);
 static void supp_fwh_sec_prot_anonce_store(sec_prot_t *prot);
 static int8_t supp_fwh_sec_prot_anonce_validate(sec_prot_t *prot);
 static void supp_fwh_sec_prot_security_replay_counter_update(sec_prot_t *prot);
@@ -137,6 +138,7 @@ static int8_t supp_fwh_sec_prot_init(sec_prot_t *prot)
 
  data->common.ticks = 30 * 10; // 30 seconds
  data->msg3_retry_wait = false;
+ data->recv_replay_cnt = 0;
 
  uint8_t eui64[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
  sec_prot_lib_nonce_init(data->snonce, eui64, 1000);
@@ -167,7 +169,7 @@ static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
  // Decoding is successful
  if (eapol_parse_pdu_header(pdu, size, &data->recv_eapol_pdu)) {
  // Get message
- data->recv_msg = supp_fwh_sec_prot_message_get(&data->recv_eapol_pdu, prot->sec_keys);
+ data->recv_msg = supp_fwh_sec_prot_message_get(prot, &data->recv_eapol_pdu);
  if (data->recv_msg != FWH_MESSAGE_UNKNOWN) {
  tr_info("4WH: recv %s", data->recv_msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3");
 
@@ -191,7 +193,7 @@ static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
  return ret_val;
 }
 
-static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys)
+static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(sec_prot_t *prot, eapol_pdu_t *eapol_pdu)
 {
  fwh_sec_prot_msg_e msg = FWH_MESSAGE_UNKNOWN;
 
@@ -203,17 +205,23 @@ static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
  uint8_t key_mask = sec_prot_lib_key_mask_get(eapol_pdu);
 
  switch (key_mask) {
+ // Message 1
  case KEY_INFO_KEY_ACK:
- // Must have valid replay counter
- if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
+ /* Must have valid replay counter, both larger for PMK and larger that is used on
+ * the four way handshake session (note: PMK replay counter is not updated for Message 1
+ * but session specific counter is)
+ */
+ if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys) &&
+ eapol_pdu->msg.key.replay_counter > supp_fwh_sec_prot_recv_replay_counter_get(prot)) {
  msg = FWH_MESSAGE_1;
  } else {
  tr_error("4WH: invalid replay counter %"PRId64, eapol_pdu->msg.key.replay_counter);
  }
  break;
+ // Message 3
  case KEY_INFO_INSTALL | KEY_INFO_KEY_ACK | KEY_INFO_KEY_MIC | KEY_INFO_SECURED_KEY_FRAME:
  // Must have valid replay counter
- if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
+ if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys)) {
  if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
  // This should include the GTK KDE, Lifetime KDE and GTKL KDE.
  // At least some of them should be present
@@ -346,6 +354,7 @@ static void supp_fwh_sec_prot_state_machine(sec_prot_t *prot)
  // Send 4WH message 2
  supp_fwh_sec_prot_message_send(prot, FWH_MESSAGE_2);
  data->common.ticks = 30 * 10; // 30 seconds
+ return;
  } else if (data->recv_msg != FWH_MESSAGE_3) {
  return;
  }
@@ -467,6 +476,12 @@ static void supp_fwh_sec_prot_recv_replay_counter_store(sec_prot_t *prot)
  data->recv_replay_cnt = data->recv_eapol_pdu.msg.key.replay_counter;
 }
 
+static uint64_t supp_fwh_sec_prot_recv_replay_counter_get(sec_prot_t *prot)
+{
+ fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
+ return data->recv_replay_cnt;
+}
+
 static void supp_fwh_sec_prot_anonce_store(sec_prot_t *prot)
 {
  fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);

diff --git a/source/Security/protocols/sec_prot.h b/source/Security/protocols/sec_prot.h
@@ -217,6 +217,8 @@ typedef sec_prot_t *sec_prot_by_type_get(sec_prot_t *prot, uint8_t type);
  */
 typedef void sec_prot_receive_disable(sec_prot_t *prot);
 
+typedef struct sec_prot_int_data_s sec_prot_int_data_t;
+
 // Security protocol data
 struct sec_prot_s {
  sec_prot_create_request *create_req; /**< Create request */
@@ -246,7 +248,7 @@ struct sec_prot_s {
 
  sec_prot_keys_t *sec_keys; /**< Security keys storage pointer */
  uint8_t header_size; /**< Header size */
- uint8_t  data;  /**< Protocol internal data */
+ sec_prot_int_data_t *data; /**< Protocol internal data */
 };
 
 #endif /* SEC_PROT_H_ */
diff --git a/source/Security/protocols/sec_prot_keys.c b/source/Security/protocols/sec_prot_keys.c
@@ -225,7 +225,7 @@ void sec_prot_keys_ptk_eui_64_write(sec_prot_keys_t *sec_keys, const uint8_t *eu
 
 uint8_t *sec_prot_keys_ptk_eui_64_get(sec_prot_keys_t *sec_keys)
 {
- if (!sec_keys->ptk_eui_64 || !sec_keys->ptk_eui_64_set) {
+ if (!sec_keys->ptk_eui_64_set) {
  return NULL;
  }
 
@@ -564,7 +564,7 @@ bool sec_prot_keys_gtks_hash_update(sec_prot_gtk_keys_t *gtks, uint8_t *gtkhash)
  if (sec_prot_keys_gtk_is_set(gtks, i)) {
  uint32_t lifetime = sec_prot_keys_gtk_lifetime_get(gtks, i);
  if (lifetime > GTK_EXPIRE_MISMATCH_TIME) {
- tr_info("GTK mismatch %i expired time, lifetime: %"PRIx32"", i, lifetime);
+ tr_info("GTK mismatch %i expired time, lifetime: %"PRIu32"", i, lifetime);
  mismatch = true;
  }
  sec_prot_keys_gtk_clear(gtks, i);

diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -278,7 +278,7 @@ int8_t sec_prot_lib_pmkid_calc(const uint8_t *pmk, const uint8_t *auth_eui64, co
  ptr += EUI64_LEN;
  memcpy(ptr, supp_eui64, EUI64_LEN);
 
- if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid) < 0) {
+ if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid, PMKID_LEN) < 0) {
  return -1;
  }
 
@@ -300,7 +300,7 @@ int8_t sec_prot_lib_ptkid_calc(const uint8_t *ptk, const uint8_t *auth_eui64, co
  ptr += EUI64_LEN;
  memcpy(ptr, supp_eui64, EUI64_LEN);
 
- if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid) < 0) {
+ if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid, PTKID_LEN) < 0) {
  return -1;
  }
 
@@ -332,7 +332,7 @@ uint8_t *sec_prot_lib_message_build(uint8_t *ptk, uint8_t *kde, uint16_t kde_len
 
  if (eapol_pdu->msg.key.key_information.key_mic) {
  uint8_t mic[EAPOL_KEY_MIC_LEN];
- if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic) < 0) {
+ if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic, EAPOL_KEY_MIC_LEN) < 0) {
  ns_dyn_mem_free(eapol_pdu_frame);
  return NULL;
  }
@@ -402,7 +402,7 @@ int8_t sec_prot_lib_gtk_read(uint8_t *kde, uint16_t kde_len, sec_prot_keys_t *se
  }
  }
 
- tr_info("GTK recv index %i lifetime %"PRIx32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));
+ tr_info("GTK recv index %i lifetime %"PRIu32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));
 
  return 0;
 }
@@ -415,7 +415,7 @@ int8_t sec_prot_lib_mic_validate(uint8_t *ptk, uint8_t *mic, uint8_t *pdu, uint8
  eapol_write_key_packet_mic(pdu, 0);
 
  uint8_t calc_mic[EAPOL_KEY_MIC_LEN];
- if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic) < 0) {
+ if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic, EAPOL_KEY_MIC_LEN) < 0) {
  tr_error("MIC invalid");
  return -1;
  }

diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot.c
@@ -54,6 +54,8 @@ typedef enum {
  TLS_STATE_FINISHED = SEC_STATE_FINISHED
 } eap_tls_sec_prot_state_e;
 
+typedef struct tls_sec_prot_lib_int_s tls_sec_prot_lib_int_t;
+
 typedef struct {
  sec_prot_common_t common; /**< Common data */
  uint8_t new_pmk[PMK_LEN]; /**< New Pair Wise Master Key */
@@ -64,7 +66,7 @@ typedef struct {
  bool timer_running; /**< TLS timer running */
  bool finished; /**< TLS finished */
  bool calculating; /**< TLS is calculating */
- uint8_t  tls_sec_inst;  /**< TLS security library storage, SHALL BE THE LAST FIELD */
+ tls_sec_prot_lib_int_t *tls_sec_inst; /**< TLS security library storage, SHALL BE THE LAST FIELD */
 } tls_sec_prot_int_t;
 
 static uint16_t tls_sec_prot_size(void);

diff --git a/source/Service_Libs/hmac/hmac_sha1.c b/source/Service_Libs/hmac/hmac_sha1.c
@@ -25,7 +25,7 @@
 
 #define TRACE_GROUP "hmac"
 
-int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result)
+int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result, uint8_t result_len)
 {
 #ifdef EXTRA_DEBUG_INFO
  // Extensive debug for now, to be disabled later
@@ -62,13 +62,21 @@ int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data,
  if (mbedtls_md_hmac_update(&ctx, (const unsigned char *) data, data_len) != 0) {
  goto error;
  }
- if (mbedtls_md_hmac_finish(&ctx, result) != 0) {
+
+ uint8_t result_value[20];
+ if (mbedtls_md_hmac_finish(&ctx, result_value) != 0) {
  goto error;
  }
  mbedtls_md_free(&ctx);
 
+ if (result_len > 20) {
+ result_len = 20;
+ }
+
+ memcpy(result, result_value, result_len);
+
 #ifdef EXTRA_DEBUG_INFO
- tr_debug("hmac_sha_1 result %s\n", trace_array(result, 20));
+ tr_debug("hmac_sha_1 result %s\n", trace_array(result_value, 20));
 #endif
  return 0;
 

diff --git a/source/Service_Libs/hmac/hmac_sha1.h b/source/Service_Libs/hmac/hmac_sha1.h
@@ -27,12 +27,13 @@
  * \param key_len key length
  * \param data pointer to data
  * \param data_len data length
- * \param result pointer to result, must be at least 160 bytes
+ * \param result pointer to result
+ * \param result_len in bytes, maximum is 20 bytes
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result);
+int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result, uint8_t result_len);
 
 #endif /* HMAC_SHA1_ */
diff --git a/source/Service_Libs/ieee_802_11/ieee_802_11.c b/source/Service_Libs/ieee_802_11/ieee_802_11.c
@@ -67,7 +67,7 @@ int8_t ieee_802_11_prf_finish(ieee_802_11_prf_t *prf, uint8_t *result)
 
  for (uint8_t i = 0; i < (prf->bits + 159) / 160; i++) {
  prf->string[prf->a_len + 1 + prf->b_len] = i; /* X (index) */
- if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result) < 0) {
+ if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result, 20) < 0) {
  return -1;
  }
  result += 160 / 8;

diff --git a/source/configs/base/cfg_ws_border_router.h b/source/configs/base/cfg_ws_border_router.h
@@ -24,3 +24,5 @@
 #define HAVE_WS_BORDER_ROUTER
 #define HAVE_ND_PROXY
 #define MULTICAST_FORWARDING
+#define HAVE_PAE_AUTH
+#define HAVE_EAPOL_RELAY
diff --git a/source/configs/base/cfg_ws_router.h b/source/configs/base/cfg_ws_router.h
@@ -22,3 +22,5 @@
 #define HAVE_6LOWPAN_ND
 #define HAVE_MPL
 #define HAVE_WS
+#define HAVE_PAE_SUPP
+#define HAVE_EAPOL_RELAY