Added check to prevent installing new GTK to used index using GKH

Mika Leppänen · Mika Leppänen · commit 930741617f90 · 2019-11-21T09:43:56.000+02:00
Border router now records what GTKs it has installed to supplicant
using group key handshake. If a GTK for an index (0, 1, 2 or 3), would
be updated to new value second time with GKH, border router initiates 4WH
instead of GKH, to update also PTK.

This makes re-playing GKH messages harder, since both replay counters
and keys for old messages, are invalid.

On normal border router PMK/PTK/GTK update cycle, this is already
forced also without changes in this commit, since default GTK lifetime
is one month and PTK is two monts. For a specific GTK index, the PTK
will be updated several times, before the GTK index is re-used.
diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -70,6 +70,9 @@
    nanostack monitor */
 #define SUPPLICANT_NUMBER_TO_PURGE             5
 
+// Short GTK lifetime value, for GTK install check
+#define SHORT_GTK_LIFETIME                     10 * 3600  // 10 hours
+
 typedef struct {
     ns_list_link_t link;                                     /**< Link */
     kmp_service_t *kmp_service;                              /**< KMP service */
@@ -113,7 +116,7 @@ static void ws_pae_auth_kmp_api_create_confirm(kmp_api_t *kmp, kmp_result_e resu
 static void ws_pae_auth_kmp_api_create_indication(kmp_api_t *kmp, kmp_type_e type, kmp_addr_t *addr);
 static void ws_pae_auth_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e result, kmp_sec_keys_t *sec_keys);
 static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *supp_entry);
-static kmp_type_e ws_pae_auth_next_protocol_get(supp_entry_t *supp_entry);
+static kmp_type_e ws_pae_auth_next_protocol_get(pae_auth_t *pae_auth, supp_entry_t *supp_entry);
 static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry);
 static void ws_pae_auth_kmp_api_finished(kmp_api_t *kmp);
 
@@ -666,7 +669,9 @@ static void ws_pae_auth_gtk_key_insert(pae_auth_t *pae_auth)
         sec_prot_keys_gtk_clear(pae_auth->next_gtks, next_gtk_index);
         sec_prot_keys_gtk_set(pae_auth->next_gtks, next_gtk_index, gtk_value, 0);
     } else {
-        randLIB_get_n_bytes_random(gtk_value, GTK_LEN);
+        do {
+            randLIB_get_n_bytes_random(gtk_value, GTK_LEN);
+        } while (sec_prot_keys_gtk_valid_check(gtk_value) < 0);
     }
 
     // Gets latest installed key lifetime and adds GTK expire offset to it
@@ -910,7 +915,7 @@ static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *sup
     supp_entry->retry_ticks = 0;
 
     // Get next protocol based on what keys supplicant has
-    kmp_type_e next_type = ws_pae_auth_next_protocol_get(supp_entry);
+    kmp_type_e next_type = ws_pae_auth_next_protocol_get(pae_auth, supp_entry);
 
     if (next_type == KMP_TYPE_NONE) {
         // All done
@@ -969,7 +974,7 @@ static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *sup
     kmp_api_create_request(new_kmp, next_type, &supp_entry->addr, &supp_entry->sec_keys);
 }
 
-static kmp_type_e ws_pae_auth_next_protocol_get(supp_entry_t *supp_entry)
+static kmp_type_e ws_pae_auth_next_protocol_get(pae_auth_t *pae_auth, supp_entry_t *supp_entry)
 {
     kmp_type_e next_type = KMP_TYPE_NONE;
     sec_prot_keys_t *sec_keys = &supp_entry->sec_keys;
@@ -999,9 +1004,22 @@ static kmp_type_e ws_pae_auth_next_protocol_get(supp_entry_t *supp_entry)
 
     if (gtk_index >= 0) {
         if (next_type == KMP_TYPE_NONE && gtk_index >= 0) {
-            // Update just GTK
-            next_type = IEEE_802_11_GKH;
-            tr_info("PAE start GKH, eui-64: %s", trace_array(supp_entry->addr.eui_64, 8));
+
+            /* Check if the PTK has been already used to install GTK to specific index and if it
+             * has been, trigger 4WH to update also the PTK. This prevents writing multiple
+             * GTK keys to same index using same PTK.
+             */
+            if (pae_auth->timer_settings->gtk_expire_offset > SHORT_GTK_LIFETIME &&
+                    sec_prot_keys_ptk_installed_gtk_hash_mismatch_check(sec_keys, gtk_index)) {
+                // start 4WH towards supplicant
+                next_type = IEEE_802_11_4WH;
+                sec_keys->ptk_mismatch = true;
+                tr_info("PAE start 4WH due to GTK index re-use, eui-64: %s", trace_array(supp_entry->addr.eui_64, 8));
+            } else {
+                // Update just GTK
+                next_type = IEEE_802_11_GKH;
+                tr_info("PAE start GKH, eui-64: %s", trace_array(supp_entry->addr.eui_64, 8));
+            }
         }
 
         tr_info("PAE update GTK index: %i, eui-64: %s", gtk_index, trace_array(supp_entry->addr.eui_64, 8));
diff --git a/source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c b/source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c
@@ -414,7 +414,8 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
                 if (auth_fwh_sec_prot_mic_validate(prot) < 0) {
                     return;
                 }
-
+                // PTK is fresh for installing any GTKs
+                sec_prot_keys_ptk_installed_gtk_hash_clear_all(prot->sec_keys);
                 // If GTK was inserted set it valid
                 sec_prot_keys_gtkl_from_gtk_insert_index_set(prot->sec_keys);
                 // Reset PTK mismatch
diff --git a/source/Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.c b/source/Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.c
@@ -315,6 +315,9 @@ static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot)
             sec_prot_timer_trickle_start(&data->common, &gkh_trickle_params);
 
             sec_prot_state_set(prot, &data->common, GKH_STATE_MESSAGE_2);
+
+            // Store the hash for to-be installed GTK as used for the PTK
+            sec_prot_keys_ptk_installed_gtk_hash_set(prot->sec_keys);
             break;
 
         // Wait GKH message 2
diff --git a/source/Security/protocols/sec_prot_keys.c b/source/Security/protocols/sec_prot_keys.c
@@ -38,6 +38,8 @@
 
 #define TRACE_GROUP "spke"
 
+static const uint8_t empty_hash[GTK_HASH_LEN] = {0};
+
 sec_prot_keys_t *sec_prot_keys_create(sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs)
 {
     sec_prot_keys_t *sec_keys = ns_dyn_mem_alloc(sizeof(sec_prot_keys_t));
@@ -67,6 +69,7 @@ void sec_prot_keys_init(sec_prot_keys_t *sec_keys, sec_prot_gtk_keys_t *gtks, co
     sec_keys->ptk_eui_64_set = false;
     sec_keys->pmk_mismatch = false;
     sec_keys->ptk_mismatch = false;
+    sec_prot_keys_ptk_installed_gtk_hash_clear_all(sec_keys);
 }
 
 void sec_prot_keys_delete(sec_prot_keys_t *sec_keys)
@@ -581,9 +584,22 @@ void sec_prot_keys_gtks_hash_generate(sec_prot_gtk_keys_t *gtks, uint8_t *gtkhas
     }
 }
 
-void sec_prot_keys_gtk_hash_generate(uint8_t *gtk, uint8_t *gtk_hash)
+int8_t sec_prot_keys_gtk_hash_generate(uint8_t *gtk, uint8_t *gtk_hash)
 {
+    return sec_prot_lib_gtkhash_generate(gtk, gtk_hash);
+}
+
+int8_t sec_prot_keys_gtk_valid_check(uint8_t *gtk)
+{
+    uint8_t gtk_hash[8];
     sec_prot_lib_gtkhash_generate(gtk, gtk_hash);
+
+    // Checks if GTK hash for the GTK would be all zero
+    if (memcmp(gtk_hash, empty_hash, GTK_HASH_LEN) == 0) {
+        return -1;
+    }
+
+    return 0;
 }
 
 gtk_mismatch_e sec_prot_keys_gtks_hash_update(sec_prot_gtk_keys_t *gtks, uint8_t *gtkhash)
@@ -639,7 +655,6 @@ gtk_mismatch_e sec_prot_keys_gtks_hash_update(sec_prot_gtk_keys_t *gtks, uint8_t
 
 bool sec_prot_keys_gtk_hash_empty(uint8_t *gtkhash)
 {
-    const uint8_t empty_hash[GTK_HASH_LEN] = {0};
     if (memcmp(gtkhash, empty_hash, GTK_HASH_LEN) == 0) {
         return true;
     } else {
@@ -783,4 +798,57 @@ uint8_t sec_prot_keys_gtk_count(sec_prot_gtk_keys_t *gtks)
     return count;
 }
 
+void sec_prot_keys_ptk_installed_gtk_hash_clear_all(sec_prot_keys_t *sec_keys)
+{
+    for (uint8_t index = 0; index < GTK_NUM; index++) {
+        memset(sec_keys->ins_gtk_hash[sec_keys->gtk_set_index].hash, 0, INS_GTK_HASH_LEN);
+    }
+    sec_keys->ins_gtk_hash_set = 0;
+}
+
+void sec_prot_keys_ptk_installed_gtk_hash_set(sec_prot_keys_t *sec_keys)
+{
+    if (sec_keys->gtk_set_index >= 0) {
+        uint8_t *gtk = sec_prot_keys_gtk_get(sec_keys->gtks, sec_keys->gtk_set_index);
+        if (!gtk) {
+            return;
+        }
+        uint8_t gtk_hash[GTK_HASH_LEN];
+        if (sec_prot_keys_gtk_hash_generate(gtk, gtk_hash) < 0) {
+            return;
+        }
+        /* Store two byte hash. This is long enough for the GTK installed check, since
+         * possible conflict between hashes causes only that 4WH is initiated/is not
+         * initiated instead of GKH.
+         */
+        memcpy(sec_keys->ins_gtk_hash[sec_keys->gtk_set_index].hash, gtk_hash, INS_GTK_HASH_LEN);
+        sec_keys->ins_gtk_hash_set |= (1 << sec_keys->gtk_set_index);
+    }
+}
+
+bool sec_prot_keys_ptk_installed_gtk_hash_mismatch_check(sec_prot_keys_t *sec_keys, uint8_t gtk_index)
+{
+    if ((sec_keys->ins_gtk_hash_set & (1 << sec_keys->gtk_set_index)) == 0) {
+        return false;
+    }
+
+    uint8_t *gtk = sec_prot_keys_gtk_get(sec_keys->gtks, gtk_index);
+    if (!gtk) {
+        return false;
+    }
+
+    // Calculated GTK hash for the current GTK on the defined index
+    uint8_t gtk_hash[GTK_HASH_LEN];
+    if (sec_prot_keys_gtk_hash_generate(gtk, gtk_hash) < 0) {
+        return false;
+    }
+
+    // If PTK has been used to install different GTK to index than the current one, trigger mismatch
+    if (memcmp(sec_keys->ins_gtk_hash[sec_keys->gtk_set_index].hash, gtk_hash, INS_GTK_HASH_LEN) != 0) {
+        return true;
+    }
+
+    return false;
+}
+
 #endif /* HAVE_WS */
diff --git a/source/Security/protocols/sec_prot_keys.h b/source/Security/protocols/sec_prot_keys.h
@@ -54,6 +54,7 @@
 
 #define GTK_HASH_LEN              8
 #define GTK_ALL_HASHES_LEN        GTK_HASH_LEN * GTK_NUM
+#define INS_GTK_HASH_LEN          2
 
 #define PMK_LIFETIME_INSTALL      0xFFFFF
 #define PTK_LIFETIME_INSTALL      0xFFFFF
@@ -71,18 +72,24 @@ typedef struct {
     bool                   updated: 1;                /**< Group Transient Keys has been updated */
 } sec_prot_gtk_keys_t;
 
+typedef struct {
+    uint8_t                hash[INS_GTK_HASH_LEN];    /**< Inserted GTKs for a PTK hash */
+} sec_prot_gtk_hash_t;
+
 // Security key data
 typedef struct {
     uint64_t               pmk_key_replay_cnt;        /**< Pairwise Master Key replay counter */
     uint8_t                pmk[PMK_LEN];              /**< Pairwise Master Key (256 bits) */
     uint8_t                ptk[PTK_LEN];              /**< Pairwise Transient Key (384 bits) */
     uint8_t                ptk_eui_64[8];             /**< Remote EUI-64 used to derive PTK or NULL */
+    sec_prot_gtk_hash_t    ins_gtk_hash[GTK_NUM];     /**< Hashes for inserted GTKs for a PTK */
     sec_prot_gtk_keys_t    *gtks;                     /**< Group Transient Keys */
     const sec_prot_certs_t *certs;                    /**< Certificates */
     uint32_t               pmk_lifetime;              /**< PMK lifetime in seconds */
     uint32_t               ptk_lifetime;              /**< PTK lifetime in seconds */
     uint8_t                gtkl;                      /**< Remote GTKL information */
     int8_t                 gtk_set_index;             /**< Index of GTK to set */
+    uint8_t                ins_gtk_hash_set: 4;       /**< Hash for inserted GTKs for a PTK set */
     bool                   pmk_set: 1;                /**< Pairwise Master Key set */
     bool                   ptk_set: 1;                /**< Pairwise Transient Key set */
     bool                   pmk_key_replay_cnt_set: 1; /**< Pairwise Master Key replay counter set */
@@ -649,8 +656,20 @@ void sec_prot_keys_gtks_hash_generate(sec_prot_gtk_keys_t *gtks, uint8_t *gtk_ha
  * \param gtk GTK key
  * \param gtk_hash GTK hash for a GTK
  *
+ * \return < 0 failure
+ * \return >= 0 success
  */
-void sec_prot_keys_gtk_hash_generate(uint8_t *gtk, uint8_t *gtk_hash);
+int8_t sec_prot_keys_gtk_hash_generate(uint8_t *gtk, uint8_t *gtk_hash);
+
+/**
+ * sec_prot_keys_gtk_valid_check check if GTK is valid
+ *
+ * \param gtk GTK key
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ */
+int8_t sec_prot_keys_gtk_valid_check(uint8_t *gtk);
 
 /**
  * sec_prot_keys_gtks_hash_update update GTKs based on GTK hash
@@ -751,4 +770,30 @@ int8_t sec_prot_keys_gtk_install_index_get(sec_prot_gtk_keys_t *gtks);
  */
 uint8_t sec_prot_keys_gtk_count(sec_prot_gtk_keys_t *gtks);
 
+/**
+ * sec_prot_keys_ptk_installed_gtk_hash_clear_all clear GTK hashes of the GTKs that has been installed
+ *                                                to supplicant using the PTK
+ * \param sec_keys security keys
+ *
+ */
+void sec_prot_keys_ptk_installed_gtk_hash_clear_all(sec_prot_keys_t *sec_keys);
+
+/**
+ * sec_prot_keys_ptk_installed_gtk_hash_set set GTK hash of the GTK that has been installed
+ *                                          to supplicant using the current PTK
+ *
+ * \param sec_keys security keys
+ *
+ */
+void sec_prot_keys_ptk_installed_gtk_hash_set(sec_prot_keys_t *sec_keys);
+
+/**
+ * sec_prot_keys_ptk_installed_gtk_hash_set check if PTK is being used to store new GTK for the index
+ *                                          for the supplicant i.e. GTK hash would change
+ *
+ * \param sec_keys security keys
+ *
+ */
+bool sec_prot_keys_ptk_installed_gtk_hash_mismatch_check(sec_prot_keys_t *sec_keys, uint8_t gtk_index);
+
 #endif /* SEC_PROT_KEYS_H_ */
