]>
Commit | Line | Data |
---|---|---|
887d9d01 HW |
1 | /* |
2 | * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine | |
3 | * Copyright (c) 2013, Qualcomm Atheros, Inc. | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. | |
6 | * See README for more details. | |
7 | */ | |
8 | ||
9 | #ifndef IEEE802_1X_KAY_H | |
10 | #define IEEE802_1X_KAY_H | |
11 | ||
12 | #include "utils/list.h" | |
13 | #include "common/defs.h" | |
14 | #include "common/ieee802_1x_defs.h" | |
15 | ||
16 | struct macsec_init_params; | |
887d9d01 | 17 | |
6b6175b7 | 18 | #define MI_LEN 12 /* 96-bit Member Identifier */ |
887d9d01 HW |
19 | #define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */ |
20 | #define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */ | |
21 | ||
22 | /* MKA timer, unit: millisecond */ | |
23 | #define MKA_HELLO_TIME 2000 | |
d9a0a722 | 24 | #define MKA_BOUNDED_HELLO_TIME 500 |
887d9d01 HW |
25 | #define MKA_LIFE_TIME 6000 |
26 | #define MKA_SAK_RETIRE_TIME 3000 | |
27 | ||
6b6175b7 SD |
28 | /** |
29 | * struct ieee802_1x_mka_ki - Key Identifier (KI) | |
30 | * @mi: Key Server's Member Identifier | |
31 | * @kn: Key Number, assigned by the Key Server | |
32 | * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection | |
33 | */ | |
887d9d01 HW |
34 | struct ieee802_1x_mka_ki { |
35 | u8 mi[MI_LEN]; | |
36 | u32 kn; | |
37 | }; | |
38 | ||
39 | struct ieee802_1x_mka_sci { | |
40 | u8 addr[ETH_ALEN]; | |
4e7f5a4a | 41 | be16 port; |
f1ac2b8e | 42 | } STRUCT_PACKED; |
887d9d01 HW |
43 | |
44 | struct mka_key { | |
45 | u8 key[MAX_KEY_LEN]; | |
46 | size_t len; | |
47 | }; | |
48 | ||
49 | struct mka_key_name { | |
50 | u8 name[MAX_CKN_LEN]; | |
51 | size_t len; | |
52 | }; | |
53 | ||
54 | enum mka_created_mode { | |
55 | PSK, | |
56 | EAP_EXCHANGE, | |
887d9d01 HW |
57 | }; |
58 | ||
f75f6e2b SD |
59 | struct data_key { |
60 | u8 *key; | |
61 | int key_len; | |
62 | struct ieee802_1x_mka_ki key_identifier; | |
63 | enum confidentiality_offset confidentiality_offset; | |
64 | u8 an; | |
65 | Boolean transmits; | |
66 | Boolean receives; | |
67 | struct os_time created_time; | |
68 | u32 next_pn; | |
69 | ||
70 | /* not defined data */ | |
71 | Boolean rx_latest; | |
72 | Boolean tx_latest; | |
73 | ||
99b82bf5 | 74 | int user; |
f75f6e2b SD |
75 | |
76 | struct dl_list list; | |
77 | }; | |
78 | ||
79 | /* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */ | |
80 | struct transmit_sc { | |
81 | struct ieee802_1x_mka_sci sci; /* const SCI sci */ | |
82 | Boolean transmitting; /* bool transmitting (read only) */ | |
83 | ||
84 | struct os_time created_time; /* Time createdTime */ | |
85 | ||
86 | u8 encoding_sa; /* AN encodingSA (read only) */ | |
87 | u8 enciphering_sa; /* AN encipheringSA (read only) */ | |
88 | ||
89 | /* not defined data */ | |
f75f6e2b SD |
90 | struct dl_list list; |
91 | struct dl_list sa_list; | |
92 | }; | |
93 | ||
94 | /* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */ | |
95 | struct transmit_sa { | |
96 | Boolean in_use; /* bool inUse (read only) */ | |
97 | u32 next_pn; /* PN nextPN (read only) */ | |
98 | struct os_time created_time; /* Time createdTime */ | |
99 | ||
100 | Boolean enable_transmit; /* bool EnableTransmit */ | |
101 | ||
102 | u8 an; | |
103 | Boolean confidentiality; | |
104 | struct data_key *pkey; | |
105 | ||
106 | struct transmit_sc *sc; | |
107 | struct dl_list list; /* list entry in struct transmit_sc::sa_list */ | |
108 | }; | |
109 | ||
110 | /* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */ | |
111 | struct receive_sc { | |
112 | struct ieee802_1x_mka_sci sci; /* const SCI sci */ | |
113 | Boolean receiving; /* bool receiving (read only) */ | |
114 | ||
115 | struct os_time created_time; /* Time createdTime */ | |
116 | ||
f75f6e2b SD |
117 | struct dl_list list; |
118 | struct dl_list sa_list; | |
119 | }; | |
120 | ||
121 | /* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */ | |
122 | struct receive_sa { | |
123 | Boolean enable_receive; /* bool enableReceive */ | |
124 | Boolean in_use; /* bool inUse (read only) */ | |
125 | ||
126 | u32 next_pn; /* PN nextPN (read only) */ | |
127 | u32 lowest_pn; /* PN lowestPN (read only) */ | |
128 | u8 an; | |
129 | struct os_time created_time; | |
130 | ||
131 | struct data_key *pkey; | |
132 | struct receive_sc *sc; /* list entry in struct receive_sc::sa_list */ | |
133 | ||
134 | struct dl_list list; | |
135 | }; | |
136 | ||
887d9d01 HW |
137 | struct ieee802_1x_kay_ctx { |
138 | /* pointer to arbitrary upper level context */ | |
139 | void *ctx; | |
140 | ||
141 | /* abstract wpa driver interface */ | |
142 | int (*macsec_init)(void *ctx, struct macsec_init_params *params); | |
143 | int (*macsec_deinit)(void *ctx); | |
a25e4efc | 144 | int (*macsec_get_capability)(void *priv, enum macsec_cap *cap); |
887d9d01 | 145 | int (*enable_protect_frames)(void *ctx, Boolean enabled); |
1d3d0666 | 146 | int (*enable_encrypt)(void *ctx, Boolean enabled); |
887d9d01 | 147 | int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window); |
07a6bfe1 | 148 | int (*set_current_cipher_suite)(void *ctx, u64 cs); |
887d9d01 | 149 | int (*enable_controlled_port)(void *ctx, Boolean enabled); |
7fa5eff8 SD |
150 | int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa); |
151 | int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa); | |
152 | int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa); | |
2fc06756 | 153 | int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa); |
5f5ca284 | 154 | int (*create_receive_sc)(void *ctx, struct receive_sc *sc, |
887d9d01 HW |
155 | enum validate_frames vf, |
156 | enum confidentiality_offset co); | |
5f5ca284 | 157 | int (*delete_receive_sc)(void *ctx, struct receive_sc *sc); |
cecdecdb | 158 | int (*create_receive_sa)(void *ctx, struct receive_sa *sa); |
23c3528a | 159 | int (*delete_receive_sa)(void *ctx, struct receive_sa *sa); |
cecdecdb SD |
160 | int (*enable_receive_sa)(void *ctx, struct receive_sa *sa); |
161 | int (*disable_receive_sa)(void *ctx, struct receive_sa *sa); | |
8ebfc7c2 | 162 | int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc, |
887d9d01 | 163 | enum confidentiality_offset co); |
8ebfc7c2 | 164 | int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc); |
909c1b98 | 165 | int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa); |
23c3528a | 166 | int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa); |
909c1b98 SD |
167 | int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa); |
168 | int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa); | |
887d9d01 HW |
169 | }; |
170 | ||
171 | struct ieee802_1x_kay { | |
172 | Boolean enable; | |
173 | Boolean active; | |
174 | ||
175 | Boolean authenticated; | |
176 | Boolean secured; | |
177 | Boolean failed; | |
178 | ||
179 | struct ieee802_1x_mka_sci actor_sci; | |
180 | u8 actor_priority; | |
181 | struct ieee802_1x_mka_sci key_server_sci; | |
182 | u8 key_server_priority; | |
183 | ||
184 | enum macsec_cap macsec_capable; | |
185 | Boolean macsec_desired; | |
186 | Boolean macsec_protect; | |
7b4d546e | 187 | Boolean macsec_encrypt; |
887d9d01 HW |
188 | Boolean macsec_replay_protect; |
189 | u32 macsec_replay_window; | |
190 | enum validate_frames macsec_validate; | |
191 | enum confidentiality_offset macsec_confidentiality; | |
d9a0a722 | 192 | u32 mka_hello_time; |
887d9d01 HW |
193 | |
194 | u32 ltx_kn; | |
195 | u8 ltx_an; | |
196 | u32 lrx_kn; | |
197 | u8 lrx_an; | |
198 | ||
199 | u32 otx_kn; | |
200 | u8 otx_an; | |
201 | u32 orx_kn; | |
202 | u8 orx_an; | |
203 | ||
204 | /* not defined in IEEE802.1X */ | |
205 | struct ieee802_1x_kay_ctx *ctx; | |
206 | Boolean is_key_server; | |
207 | Boolean is_obliged_key_server; | |
208 | char if_name[IFNAMSIZ]; | |
209 | ||
535a8b87 | 210 | unsigned int macsec_csindex; /* MACsec cipher suite table index */ |
887d9d01 HW |
211 | int mka_algindex; /* MKA alg table index */ |
212 | ||
213 | u32 dist_kn; | |
7508c2ad | 214 | u32 rcvd_keys; |
887d9d01 HW |
215 | u8 dist_an; |
216 | time_t dist_time; | |
217 | ||
218 | u8 mka_version; | |
219 | u8 algo_agility[4]; | |
887d9d01 HW |
220 | |
221 | u32 pn_exhaustion; | |
222 | Boolean port_enable; | |
223 | Boolean rx_enable; | |
224 | Boolean tx_enable; | |
225 | ||
226 | struct dl_list participant_list; | |
227 | enum macsec_policy policy; | |
228 | ||
229 | struct ieee802_1x_cp_sm *cp; | |
230 | ||
231 | struct l2_packet_data *l2_mka; | |
232 | ||
233 | enum validate_frames vf; | |
234 | enum confidentiality_offset co; | |
235 | }; | |
236 | ||
237 | ||
f014d9db SD |
238 | u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci); |
239 | ||
887d9d01 HW |
240 | struct ieee802_1x_kay * |
241 | ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy, | |
e49b78c0 | 242 | Boolean macsec_replay_protect, u32 macsec_replay_window, |
65dfa872 | 243 | u16 port, u8 priority, const char *ifname, const u8 *addr); |
887d9d01 HW |
244 | void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay); |
245 | ||
246 | struct ieee802_1x_mka_participant * | |
247 | ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay, | |
cce16e43 JM |
248 | const struct mka_key_name *ckn, |
249 | const struct mka_key *cak, | |
887d9d01 HW |
250 | u32 life, enum mka_created_mode mode, |
251 | Boolean is_authenticator); | |
252 | void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay, | |
253 | struct mka_key_name *ckn); | |
254 | void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay, | |
255 | struct mka_key_name *ckn, | |
256 | Boolean status); | |
257 | int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay); | |
258 | int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay, | |
535a8b87 | 259 | unsigned int cs_index); |
887d9d01 HW |
260 | |
261 | int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay, | |
262 | struct ieee802_1x_mka_ki *lki, u8 lan, | |
263 | Boolean ltx, Boolean lrx); | |
264 | int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay, | |
265 | struct ieee802_1x_mka_ki *oki, | |
266 | u8 oan, Boolean otx, Boolean orx); | |
267 | int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay, | |
268 | struct ieee802_1x_mka_ki *lki); | |
269 | int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay, | |
270 | struct ieee802_1x_mka_ki *ki); | |
271 | int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay, | |
272 | struct ieee802_1x_mka_ki *lki); | |
273 | int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay, | |
274 | struct ieee802_1x_mka_ki *lki); | |
275 | int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay); | |
7508c2ad BA |
276 | int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf, |
277 | size_t buflen); | |
887d9d01 HW |
278 | |
279 | #endif /* IEEE802_1X_KAY_H */ |