Added timer to supplicant to filter EAP-TLS re-transmission bursts

Mika Leppänen · Mika Leppänen · commit d04523e5768b · 2019-05-17T11:42:56.000+03:00
If burst of EAP-TLS re-transmissions arrive in a fast pace (re-transmissions
are made by lower layers) ignores those and does not reply. Filtering
is made by timer that runs for 5 seconds after a message with fresh
sequence id is received.

Timer is started again if re-transmission with same sequence id arrives while
the timer is running. Also if re-transmission arrives after the timer
has timeouted, sends one reply to re-transmission and starts the timer
again.
diff --git a/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c
@@ -53,12 +53,16 @@ typedef enum {
     EAP_TLS_STATE_FINISHED = SEC_STATE_FINISHED
 } eap_tls_sec_prot_state_e;
 
+// Filters EAP re-transmission bursts that arrive with same EAP sequence number
+#define BURST_FILTER_TIMER_TIMEOUT                  5 * 10
+
 typedef struct {
     sec_prot_common_t             common;           /**< Common data */
     sec_prot_t                    *tls_prot;        /**< TLS security protocol */
     eapol_pdu_t                   recv_eapol_pdu;   /**< Received EAPOL PDU */
     tls_data_t                    tls_send;         /**< EAP-TLS send buffer */
     tls_data_t                    tls_recv;         /**< EAP-TLS receive buffer */
+    uint16_t                      burst_filt_timer; /**< Burst filter timer */
     uint8_t                       eap_id_seq;       /**< EAP sequence */
     uint8_t                       eap_code;         /**< Received EAP code */
     uint8_t                       eap_type;         /**< Received EAP type */
@@ -127,6 +131,7 @@ static int8_t supp_eap_tls_sec_prot_init(sec_prot_t *prot)
     sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_INIT);
 
     data->tls_prot = NULL;
+    data->burst_filt_timer = 0;
     data->eap_id_seq = 0;
     data->eap_code = 0;
     data->eap_type = 0;
@@ -193,7 +198,18 @@ static int8_t supp_eap_tls_sec_prot_message_handle(sec_prot_t *prot)
     uint8_t new_seq_id = false;
     // New sequence identifier received
     if (data->recv_eapol_pdu.msg.eap.id_seq > data->eap_id_seq) {
+        data->burst_filt_timer = BURST_FILTER_TIMER_TIMEOUT;
         new_seq_id = true;
+    } else if (data->recv_eapol_pdu.msg.eap.id_seq == data->eap_id_seq) {
+        if (data->burst_filt_timer > 0) {
+            /* If retransmission arrives when burst filter timer is running, ignores it
+               and starts timer again */
+            data->burst_filt_timer = BURST_FILTER_TIMER_TIMEOUT;
+            return EAP_TLS_MSG_DECODE_ERROR;
+        } else {
+            // If retransmission arrives after timeout, starts timer again
+            data->burst_filt_timer = BURST_FILTER_TIMER_TIMEOUT;
+        }
     } else if (data->recv_eapol_pdu.msg.eap.id_seq < data->eap_id_seq) {
         // Already received sequence ID is received again, ignore
         return EAP_TLS_MSG_DECODE_ERROR;
@@ -256,6 +272,12 @@ static void supp_eap_tls_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks
 {
     eap_tls_sec_prot_int_t *data = eap_tls_sec_prot_get(prot);
     sec_prot_timer_timeout_handle(prot, &data->common, &eap_tls_trickle_params, ticks);
+
+    if (data->burst_filt_timer > ticks) {
+        data->burst_filt_timer -= ticks;
+    } else {
+        data->burst_filt_timer = 0;
+    }
 }
 
 static void supp_eap_tls_sec_prot_tls_create_confirm(sec_prot_t *tls_prot, sec_prot_result_e result)
