[thirdparty/hostap.git] / src / pae / ieee802_1x_kay.h

/*
 * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
 * Copyright (c) 2013, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef IEEE802_1X_KAY_H
#define IEEE802_1X_KAY_H

#include "utils/list.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"

struct macsec_init_params;

#define MI_LEN			12  /* 96-bit Member Identifier */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits */

/* MKA timer, unit: millisecond */
#define MKA_HELLO_TIME		2000
#define MKA_BOUNDED_HELLO_TIME	 500
#define MKA_LIFE_TIME		6000
#define MKA_SAK_RETIRE_TIME	3000

/**
 * struct ieee802_1x_mka_ki - Key Identifier (KI)
 * @mi: Key Server's Member Identifier
 * @kn: Key Number, assigned by the Key Server
 * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};

struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
} STRUCT_PACKED;

struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};

struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};

enum mka_created_mode {
	PSK,
	EAP_EXCHANGE,
};

struct data_key {
	u8 *key;
	int key_len;
	struct ieee802_1x_mka_ki key_identifier;
	enum confidentiality_offset confidentiality_offset;
	u8 an;
	Boolean transmits;
	Boolean receives;
	struct os_time created_time;
	u32 next_pn;

	/* not defined data */
	Boolean rx_latest;
	Boolean tx_latest;

	int user;

	struct dl_list list;
};

/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	Boolean transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	struct dl_list list;
	struct dl_list sa_list;
};

/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sa {
	Boolean in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only) */
	struct os_time created_time; /* Time createdTime */

	Boolean enable_transmit; /* bool EnableTransmit */

	u8 an;
	Boolean confidentiality;
	struct data_key *pkey;

	struct transmit_sc *sc;
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};

/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	Boolean receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	struct dl_list list;
	struct dl_list sa_list;
};

/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sa {
	Boolean enable_receive; /* bool enableReceive */
	Boolean in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only) */
	u8 an;
	struct os_time created_time;

	struct data_key *pkey;
	struct receive_sc *sc; /* list entry in struct receive_sc::sa_list */

	struct dl_list list;
};

struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	int (*enable_encrypt)(void *ctx, Boolean enabled);
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
};

struct ieee802_1x_kay {
	Boolean enable;
	Boolean active;

	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	enum macsec_cap macsec_capable;
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_encrypt;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window;
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;
	u32 mka_hello_time;

	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx;
	Boolean is_key_server;
	Boolean is_obliged_key_server;
	char if_name[IFNAMSIZ];

	unsigned int macsec_csindex;  /* MACsec cipher suite table index */
	int mka_algindex;  /* MKA alg table index */

	u32 dist_kn;
	u32 rcvd_keys;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	u8 algo_agility[4];

	u32 pn_exhaustion;
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	struct dl_list participant_list;
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp;

	struct l2_packet_data *l2_mka;

	enum validate_frames vf;
	enum confidentiality_offset co;
};


u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);

struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    Boolean macsec_replay_protect, u32 macsec_replay_window,
		    u16 port, u8 priority, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  const struct mka_key_name *ckn,
			  const struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
			      size_t buflen);

#endif /* IEEE802_1X_KAY_H */
Commit	Line	Data
887d9d01 HW	1	/*
	2	* IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
	3	* Copyright (c) 2013, Qualcomm Atheros, Inc.
	4	*
	5	* This software may be distributed under the terms of the BSD license.
	6	* See README for more details.
	7	*/
	8
	9	#ifndef IEEE802_1X_KAY_H
	10	#define IEEE802_1X_KAY_H
	11
	12	#include "utils/list.h"
	13	#include "common/defs.h"
	14	#include "common/ieee802_1x_defs.h"
	15
	16	struct macsec_init_params;
887d9d01	17
6b6175b7	18	#define MI_LEN 12 /* 96-bit Member Identifier */
887d9d01 HW	19	#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
	20	#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */
	21
	22	/* MKA timer, unit: millisecond */
	23	#define MKA_HELLO_TIME 2000
d9a0a722	24	#define MKA_BOUNDED_HELLO_TIME 500
887d9d01 HW	25	#define MKA_LIFE_TIME 6000
	26	#define MKA_SAK_RETIRE_TIME 3000
	27
6b6175b7 SD	28	/**
	29	* struct ieee802_1x_mka_ki - Key Identifier (KI)
	30	* @mi: Key Server's Member Identifier
	31	* @kn: Key Number, assigned by the Key Server
	32	* IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
	33	*/
887d9d01 HW	34	struct ieee802_1x_mka_ki {
	35	u8 mi[MI_LEN];
	36	u32 kn;
	37	};
	38
	39	struct ieee802_1x_mka_sci {
	40	u8 addr[ETH_ALEN];
4e7f5a4a	41	be16 port;
f1ac2b8e	42	} STRUCT_PACKED;
887d9d01 HW	43
	44	struct mka_key {
	45	u8 key[MAX_KEY_LEN];
	46	size_t len;
	47	};
	48
	49	struct mka_key_name {
	50	u8 name[MAX_CKN_LEN];
	51	size_t len;
	52	};
	53
	54	enum mka_created_mode {
	55	PSK,
	56	EAP_EXCHANGE,
887d9d01 HW	57	};
887d9d01 HW	58
f75f6e2b SD	59	struct data_key {
	60	u8 *key;
	61	int key_len;
	62	struct ieee802_1x_mka_ki key_identifier;
	63	enum confidentiality_offset confidentiality_offset;
	64	u8 an;
	65	Boolean transmits;
	66	Boolean receives;
	67	struct os_time created_time;
	68	u32 next_pn;
	69
	70	/* not defined data */
	71	Boolean rx_latest;
	72	Boolean tx_latest;
	73
99b82bf5	74	int user;
f75f6e2b SD	75
	76	struct dl_list list;
	77	};
	78
	79	/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
	80	struct transmit_sc {
	81	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	82	Boolean transmitting; /* bool transmitting (read only) */
	83
	84	struct os_time created_time; /* Time createdTime */
	85
	86	u8 encoding_sa; /* AN encodingSA (read only) */
	87	u8 enciphering_sa; /* AN encipheringSA (read only) */
	88
	89	/* not defined data */
f75f6e2b SD	90	struct dl_list list;
	91	struct dl_list sa_list;
	92	};
	93
	94	/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
	95	struct transmit_sa {
	96	Boolean in_use; /* bool inUse (read only) */
	97	u32 next_pn; /* PN nextPN (read only) */
	98	struct os_time created_time; /* Time createdTime */
	99
	100	Boolean enable_transmit; /* bool EnableTransmit */
	101
	102	u8 an;
	103	Boolean confidentiality;
	104	struct data_key *pkey;
	105
	106	struct transmit_sc *sc;
	107	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
	108	};
	109
	110	/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
	111	struct receive_sc {
	112	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	113	Boolean receiving; /* bool receiving (read only) */
	114
	115	struct os_time created_time; /* Time createdTime */
	116
f75f6e2b SD	117	struct dl_list list;
	118	struct dl_list sa_list;
	119	};
	120
	121	/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
	122	struct receive_sa {
	123	Boolean enable_receive; /* bool enableReceive */
	124	Boolean in_use; /* bool inUse (read only) */
	125
	126	u32 next_pn; /* PN nextPN (read only) */
	127	u32 lowest_pn; /* PN lowestPN (read only) */
	128	u8 an;
	129	struct os_time created_time;
	130
	131	struct data_key *pkey;
	132	struct receive_sc sc; / list entry in struct receive_sc::sa_list */
	133
	134	struct dl_list list;
	135	};
	136
887d9d01 HW	137	struct ieee802_1x_kay_ctx {
	138	/* pointer to arbitrary upper level context */
	139	void *ctx;
	140
	141	/* abstract wpa driver interface */
	142	int (macsec_init)(void ctx, struct macsec_init_params *params);
	143	int (macsec_deinit)(void ctx);
a25e4efc	144	int (macsec_get_capability)(void priv, enum macsec_cap *cap);
887d9d01	145	int (enable_protect_frames)(void ctx, Boolean enabled);
1d3d0666	146	int (enable_encrypt)(void ctx, Boolean enabled);
887d9d01	147	int (set_replay_protect)(void ctx, Boolean enabled, u32 window);
07a6bfe1	148	int (set_current_cipher_suite)(void ctx, u64 cs);
887d9d01	149	int (enable_controlled_port)(void ctx, Boolean enabled);
7fa5eff8 SD	150	int (get_receive_lowest_pn)(void ctx, struct receive_sa *sa);
	151	int (get_transmit_next_pn)(void ctx, struct transmit_sa *sa);
	152	int (set_transmit_next_pn)(void ctx, struct transmit_sa *sa);
2fc06756	153	int (set_receive_lowest_pn)(void ctx, struct receive_sa *sa);
5f5ca284	154	int (create_receive_sc)(void ctx, struct receive_sc *sc,
887d9d01 HW	155	enum validate_frames vf,
887d9d01 HW	156	enum confidentiality_offset co);
5f5ca284	157	int (delete_receive_sc)(void ctx, struct receive_sc *sc);
cecdecdb	158	int (create_receive_sa)(void ctx, struct receive_sa *sa);
23c3528a	159	int (delete_receive_sa)(void ctx, struct receive_sa *sa);
cecdecdb SD	160	int (enable_receive_sa)(void ctx, struct receive_sa *sa);
cecdecdb SD	161	int (disable_receive_sa)(void ctx, struct receive_sa *sa);
8ebfc7c2	162	int (create_transmit_sc)(void ctx, struct transmit_sc *sc,
887d9d01	163	enum confidentiality_offset co);
8ebfc7c2	164	int (delete_transmit_sc)(void ctx, struct transmit_sc *sc);
909c1b98	165	int (create_transmit_sa)(void ctx, struct transmit_sa *sa);
23c3528a	166	int (delete_transmit_sa)(void ctx, struct transmit_sa *sa);
909c1b98 SD	167	int (enable_transmit_sa)(void ctx, struct transmit_sa *sa);
909c1b98 SD	168	int (disable_transmit_sa)(void ctx, struct transmit_sa *sa);
887d9d01 HW	169	};
	170
	171	struct ieee802_1x_kay {
	172	Boolean enable;
	173	Boolean active;
	174
	175	Boolean authenticated;
	176	Boolean secured;
	177	Boolean failed;
	178
	179	struct ieee802_1x_mka_sci actor_sci;
	180	u8 actor_priority;
	181	struct ieee802_1x_mka_sci key_server_sci;
	182	u8 key_server_priority;
	183
	184	enum macsec_cap macsec_capable;
	185	Boolean macsec_desired;
	186	Boolean macsec_protect;
7b4d546e	187	Boolean macsec_encrypt;
887d9d01 HW	188	Boolean macsec_replay_protect;
	189	u32 macsec_replay_window;
	190	enum validate_frames macsec_validate;
	191	enum confidentiality_offset macsec_confidentiality;
d9a0a722	192	u32 mka_hello_time;
887d9d01 HW	193
	194	u32 ltx_kn;
	195	u8 ltx_an;
	196	u32 lrx_kn;
	197	u8 lrx_an;
	198
	199	u32 otx_kn;
	200	u8 otx_an;
	201	u32 orx_kn;
	202	u8 orx_an;
	203
	204	/* not defined in IEEE802.1X */
	205	struct ieee802_1x_kay_ctx *ctx;
	206	Boolean is_key_server;
	207	Boolean is_obliged_key_server;
	208	char if_name[IFNAMSIZ];
	209
535a8b87	210	unsigned int macsec_csindex; /* MACsec cipher suite table index */
887d9d01 HW	211	int mka_algindex; /* MKA alg table index */
	212
	213	u32 dist_kn;
7508c2ad	214	u32 rcvd_keys;
887d9d01 HW	215	u8 dist_an;
	216	time_t dist_time;
	217
	218	u8 mka_version;
	219	u8 algo_agility[4];
887d9d01 HW	220
	221	u32 pn_exhaustion;
	222	Boolean port_enable;
	223	Boolean rx_enable;
	224	Boolean tx_enable;
	225
	226	struct dl_list participant_list;
	227	enum macsec_policy policy;
	228
	229	struct ieee802_1x_cp_sm *cp;
	230
	231	struct l2_packet_data *l2_mka;
	232
	233	enum validate_frames vf;
	234	enum confidentiality_offset co;
	235	};
	236
	237
f014d9db SD	238	u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);
f014d9db SD	239
887d9d01 HW	240	struct ieee802_1x_kay *
887d9d01 HW	241	ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
e49b78c0	242	Boolean macsec_replay_protect, u32 macsec_replay_window,
65dfa872	243	u16 port, u8 priority, const char ifname, const u8 addr);
887d9d01 HW	244	void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
	245
	246	struct ieee802_1x_mka_participant *
	247	ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
cce16e43 JM	248	const struct mka_key_name *ckn,
cce16e43 JM	249	const struct mka_key *cak,
887d9d01 HW	250	u32 life, enum mka_created_mode mode,
	251	Boolean is_authenticator);
	252	void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
	253	struct mka_key_name *ckn);
	254	void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
	255	struct mka_key_name *ckn,
	256	Boolean status);
	257	int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
	258	int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
535a8b87	259	unsigned int cs_index);
887d9d01 HW	260
	261	int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
	262	struct ieee802_1x_mka_ki *lki, u8 lan,
	263	Boolean ltx, Boolean lrx);
	264	int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
	265	struct ieee802_1x_mka_ki *oki,
	266	u8 oan, Boolean otx, Boolean orx);
	267	int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
	268	struct ieee802_1x_mka_ki *lki);
	269	int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
	270	struct ieee802_1x_mka_ki *ki);
	271	int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
	272	struct ieee802_1x_mka_ki *lki);
	273	int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
	274	struct ieee802_1x_mka_ki *lki);
	275	int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
7508c2ad BA	276	int ieee802_1x_kay_get_status(struct ieee802_1x_kay kay, char buf,
7508c2ad BA	277	size_t buflen);
887d9d01 HW	278
887d9d01 HW	279	#endif /* IEEE802_1X_KAY_H */