Merge branch 'release_internal' into release_external

* release_internal:
  Key update to MAC is forced when nw name changes
  Corrected identifier range alloc and added define for timeout
  FHSS WS: spread broadcast messages better on BC channel (ARMmbed#2449)

Author: Arto Kinnunen

source/6LoWPAN/ws/ws_pae_auth.c

@@ -108,7 +108,7 @@ typedef struct {
     bool gtk_new_act_time_exp: 1;                            /**< GTK new activation time expired */
 } pae_auth_t;
 
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth);
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install);
 static int8_t ws_pae_auth_active_gtk_set(pae_auth_t *pae_auth, uint8_t index);
 static int8_t ws_pae_auth_network_key_index_set(pae_auth_t *pae_auth, uint8_t index);
 static void ws_pae_auth_free(pae_auth_t *pae_auth);
@@ -345,7 +345,7 @@ void ws_pae_auth_start(protocol_interface_info_entry_t *interface_ptr)
     pae_auth->nw_info_updated(pae_auth->interface_ptr);
 
     // Inserts keys and updates GTK hash on stack
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 
     // Sets active key index
     ws_pae_auth_network_key_index_set(pae_auth, index);
@@ -362,7 +362,7 @@ void ws_pae_auth_gtks_updated(protocol_interface_info_entry_t *interface_ptr)
         return;
     }
 
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 }
 
 int8_t ws_pae_auth_nw_key_index_update(protocol_interface_info_entry_t *interface_ptr, uint8_t index)
@@ -470,7 +470,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
 
     // Adds new GTK
     ws_pae_auth_gtk_key_insert(pae_auth);
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 
     // Update keys to NVM as needed
     pae_auth->nw_info_updated(pae_auth->interface_ptr);
@@ -535,8 +535,11 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
     }
     pae_auth->pan_id = pan_id;
 
+    bool force_install = false;
     if (strlen((char *) &pae_auth->network_name) > 0 && strcmp((char *) &pae_auth->network_name, network_name) != 0) {
         update_keys = true;
+        // Force GTK install to update the new network name to GAK
+        force_install = true;
     }
     strcpy((char *) &pae_auth->network_name, network_name);
 
@@ -548,7 +551,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
         pae_auth->nw_keys_remove(pae_auth->interface_ptr);
     }
 
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, force_install);
 
     int8_t index = sec_prot_keys_gtk_status_active_get(pae_auth->sec_keys_nw_info->gtks);
     if (index >= 0) {
@@ -559,7 +562,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
     return 0;
 }
 
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install)
 {
     // Authenticator keys are always fresh
     sec_prot_keys_gtk_status_all_fresh_set(pae_auth->sec_keys_nw_info->gtks);
@@ -571,7 +574,7 @@ static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
     }
 
     if (pae_auth->nw_key_insert) {
-        pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks);
+        pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks, force_install);
     }
 
     return 0;
@@ -716,7 +719,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
                         if (second_index < 0) {
                             tr_info("GTK new install required active index: %i, time: %"PRIu32", system time: %"PRIu32"", active_index, timer_seconds, protocol_core_monotonic_time / 10);
                             ws_pae_auth_gtk_key_insert(pae_auth);
-                            ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+                            ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
                             // Update keys to NVM as needed
                             pae_auth->nw_info_updated(pae_auth->interface_ptr);
                         } else {
@@ -744,7 +747,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
             if (timer_seconds == 0) {
                 tr_info("GTK expired index: %i, system time: %"PRIu32"", i, protocol_core_monotonic_time / 10);
                 ws_pae_auth_gtk_clear(pae_auth, i);
-                ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+                ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
                 // Update keys to NVM as needed
                 pae_auth->nw_info_updated(pae_auth->interface_ptr);
             }

source/6LoWPAN/ws/ws_pae_auth.h

@@ -207,12 +207,13 @@ typedef void ws_pae_auth_gtk_hash_set(protocol_interface_info_entry_t *interface
  *
  * \param interface_ptr interface
  * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 
 /**
  * ws_pae_auth_nw_keys_remove remove network keys callback

source/6LoWPAN/ws/ws_pae_controller.c

@@ -126,7 +126,7 @@ static void ws_pae_controller_nvm_frame_counter_write(nvm_tlv_t *tlv_entry);
 static int8_t ws_pae_controller_nvm_frame_counter_read(uint32_t *restart_cnt, uint64_t *stored_time, uint16_t *pan_version, frame_counters_t *counters);
 static pae_controller_t *ws_pae_controller_get_or_create(int8_t interface_id);
 static void ws_pae_controller_gtk_hash_set(protocol_interface_info_entry_t *interface_ptr, uint8_t *gtkhash);
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 static void ws_pae_controller_active_nw_key_clear(nw_key_t *nw_key);
 static void ws_pae_controller_active_nw_key_set(protocol_interface_info_entry_t *cur, uint8_t index);
 static int8_t ws_pae_controller_gak_from_gtk(uint8_t *gak, uint8_t *gtk, char *network_name);
@@ -137,6 +137,7 @@ static void ws_pae_controller_nw_key_index_check_and_set(protocol_interface_info
 static void ws_pae_controller_data_init(pae_controller_t *controller);
 static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller);
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters);
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index);
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_write(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_read(protocol_interface_info_entry_t *interface_ptr, uint16_t *pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
@@ -165,7 +166,7 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
     // In case test keys are set uses those and does not initiate authentication
     if (controller->gtks_set) {
         if (sec_prot_keys_gtks_are_updated(&controller->gtks)) {
-            ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks);
+            ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks, false);
             sec_prot_keys_gtks_updated_reset(&controller->gtks);
             ws_pae_supp_gtks_set(controller->interface_ptr, &controller->gtks);
         }
@@ -403,7 +404,7 @@ int8_t ws_pae_controller_nw_key_valid(protocol_interface_info_entry_t *interface
     return ws_pae_supp_nw_key_valid(interface_ptr, br_iid);
 }
 
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks)
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install)
 {
     pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
     if (!controller) {
@@ -429,6 +430,13 @@ static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_
             tr_info("NW key remove: %i", i);
         }
 
+        if (force_install) {
+            // Install always
+            nw_key[i].installed = false;
+            // Frame counters are fresh
+            ws_pae_controller_frame_counter_index_reset(&controller->frame_counters, i);
+        }
+
         // If GTK key is not set, continues to next GTK
         if (!gtk) {
             continue;
@@ -798,13 +806,18 @@ static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller)
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters)
 {
     for (uint8_t index = 0; index < GTK_NUM; index++) {
-        memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
-        frame_counters->counter[index].frame_counter = 0;
-        frame_counters->counter[index].stored_frame_counter = 0;
-        frame_counters->counter[index].set = false;
+        ws_pae_controller_frame_counter_index_reset(frame_counters, index);
     }
 }
 
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index)
+{
+    memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
+    frame_counters->counter[index].frame_counter = 0;
+    frame_counters->counter[index].stored_frame_counter = 0;
+    frame_counters->counter[index].set = false;
+}
+
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks)
 {
     if (ws_pae_controller_nvm_nw_info_read(controller->interface_ptr, &controller->sec_keys_nw_info.key_pan_id, controller->sec_keys_nw_info.network_name, gtks) < 0) {

source/6LoWPAN/ws/ws_pae_supp.c

@@ -355,7 +355,7 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt
     }
 
     // Modify keys
-    pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks);
+    pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false);
 
     return 0;
 }
@@ -521,7 +521,7 @@ static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan
             (sec_prot_keys_pmk_get(&pae_supp->entry.sec_keys) != NULL) &&
             (sec_prot_keys_ptk_get(&pae_supp->entry.sec_keys) != NULL)) {
         tr_debug("Existing keys used, counter %i", pae_supp->nw_keys_used_cnt);
-        if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks) >= 0) {
+        if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false) >= 0) {
             tr_debug("Keys inserted");
         }
         pae_supp->nw_keys_used_cnt++;
@@ -1260,7 +1260,7 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
     if ((type == IEEE_802_11_4WH || type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {
         if (sec_keys) {
             sec_prot_keys_t *keys = sec_keys;
-            pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks);
+            pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks, false);
         }
 
         ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_OK);

source/6LoWPAN/ws/ws_pae_supp.h

@@ -221,12 +221,13 @@ typedef const uint8_t *ws_pae_supp_auth_next_target(protocol_interface_info_entr
  *
  * \param interface_ptr interface
  * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 
 /**
  * ws_pae_supp_gtk_hash_ptr_get get pointer to GTK hash storage callback

source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c

@@ -79,6 +79,8 @@ typedef enum {
 #define RADIUS_ID_RANGE_SIZE          10
 #define RADIUS_ID_RANGE_NUM           (255 / RADIUS_ID_RANGE_SIZE) - 1
 
+#define RADIUS_ID_TIMEOUT             60
+
 typedef struct radius_client_sec_prot_lib_int_s radius_client_sec_prot_lib_int_t;
 
 typedef struct {
@@ -120,7 +122,6 @@ typedef struct {
 static uint16_t radius_client_sec_prot_size(void);
 static int8_t radius_client_sec_prot_init(sec_prot_t *prot);
 static int8_t radius_client_sec_prot_shared_data_timeout(uint16_t ticks);
-static void radius_identifier_timer_value_set(uint8_t conn_num, uint8_t id_range, uint8_t value);
 static int8_t radius_client_sec_prot_shared_data_delete(void);
 static void radius_identifier_timer_value_set(uint8_t conn_num, uint8_t id_range, uint8_t value);
 static void radius_client_sec_prot_create_response(sec_prot_t *prot, sec_prot_result_e result);
@@ -541,17 +542,17 @@ static uint8_t radius_client_sec_prot_identifier_allocate(sec_prot_t *prot, uint
 {
     radius_client_sec_prot_int_t *data = radius_client_sec_prot_get(prot);
 
-    if (!data->radius_id_range_set || value >= (data->radius_id_range * RADIUS_ID_RANGE_SIZE) + RADIUS_ID_RANGE_SIZE) {
+    if (!data->radius_id_range_set || value >= (data->radius_id_range * RADIUS_ID_RANGE_SIZE) + RADIUS_ID_RANGE_SIZE - 1) {
         for (uint8_t conn_num = 0; conn_num < RADIUS_CONN_NUMBER; conn_num++) {
             for (uint8_t id_range = 0; id_range < RADIUS_ID_RANGE_NUM; id_range++) {
                 if (shared_data->radius_identifier_timer[conn_num][id_range] == 0) {
                     // If range has been already reserved
                     if (data->radius_id_range_set) {
-                        // Set previous range to timeout in 5 seconds
-                        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 5);
+                        // Set previous range to timeout at 1/5 of identifier timeout
+                        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT / 5);
                     }
                     // Set timeout for new range to 60 seconds
-                    radius_identifier_timer_value_set(conn_num, id_range, 60);
+                    radius_identifier_timer_value_set(conn_num, id_range, RADIUS_ID_TIMEOUT);
                     data->radius_id_conn_num = conn_num;
                     data->radius_id_range = id_range;
                     data->radius_id_range_set = true;
@@ -560,7 +561,7 @@ static uint8_t radius_client_sec_prot_identifier_allocate(sec_prot_t *prot, uint
             }
         }
     } else {
-        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 60);
+        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT);
         return value + 1;
     }
 
@@ -572,7 +573,8 @@ static void radius_client_sec_prot_identifier_free(sec_prot_t *prot)
     radius_client_sec_prot_int_t *data = radius_client_sec_prot_get(prot);
 
     if (data->radius_id_range_set) {
-        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 5);
+        // Timeout at 1/5 of identifier timeout
+        radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT / 5);
     }
 }
 

source/Service_Libs/fhss/fhss_ws.c

@@ -305,12 +305,12 @@ static void fhss_broadcast_handler(const fhss_api_t *fhss_api, uint16_t delay)
 
         /* Start timer with random timeout to trigger broadcast TX queue poll event.
          * Min random is 1/50 of the channel dwell interval.
-         * Max random is 1/10 of the channel dwell interval.
+         * Max random is 3/4 of the channel dwell interval.
          * Event timer resolution is 50us.
          */
         uint32_t bc_dwell_us = MS_TO_US(fhss_structure->ws->fhss_configuration.fhss_bc_dwell_interval);
         uint16_t bc_min_random = (bc_dwell_us / 50) / 50;
-        uint16_t bc_max_random = (bc_dwell_us / 10) / 50;
+        uint16_t bc_max_random = (bc_dwell_us - (bc_dwell_us / 4)) / 50;
         eventOS_callback_timer_start(fhss_structure->fhss_event_timer, randLIB_get_random_in_range(bc_min_random, bc_max_random));
     } else {
         fhss_structure->ws->unicast_start_time_us = fhss_structure->callbacks.read_timestamp(fhss_structure->fhss_api);