1 /*
2 * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
3 * Copyright (c) 2013, Qualcomm Atheros, Inc.
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #ifndef IEEE802_1X_KAY_H
10 #define IEEE802_1X_KAY_H
11
12 #include "utils/list.h"
13 #include "common/defs.h"
14 #include "common/ieee802_1x_defs.h"
15
/* Opaque to this header; defined by the driver interface that implements
 * struct ieee802_1x_kay_ctx::macsec_init() */
struct macsec_init_params;

/* Octet length of an MKA Member Identifier (MI), see struct ieee802_1x_mka_ki */
#define MI_LEN 12
/* Upper bound on the key octets held in struct mka_key (the CAK) */
#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
/* Upper bound on the CAK Name held in struct mka_key_name (the CKN) */
#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */

/* MKA timer, unit: millisecond. Hello and Life time follow the values given
 * for MKA Hello Time / MKA Life Time in IEEE Std 802.1X-2010; a peer whose
 * MKPDUs stop arriving is aged out after MKA_LIFE_TIME. */
#define MKA_HELLO_TIME 2000
#define MKA_LIFE_TIME 6000
#define MKA_SAK_RETIRE_TIME 3000
26
/* Key Identifier (KI) of IEEE Std 802.1X-2010: the Member Identifier of the
 * key server that distributed the SAK followed by the Key Number. Used to
 * name a struct data_key when SAs are created or deleted. */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN]; /* Member Identifier (MI) */
	u32 kn; /* Key Number (KN) assigned by the key server */
};
31
/* Secure Channel Identifier (SCI) of IEEE Std 802.1AE: the 48-bit MAC address
 * of the transmitting station followed by a 16-bit port identifier, stored in
 * wire (big-endian) byte order so it can be copied directly into MKPDUs. */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN]; /* System Identifier (MAC address) */
	be16 port; /* Port Identifier, network byte order */
};
36
/* Fixed-size container for key material such as the Connectivity Association
 * Key (CAK) passed to ieee802_1x_kay_create_mka(). NOTE(review): holds
 * secret material; callers should clear it when it is no longer needed. */
struct mka_key {
	u8 key[MAX_KEY_LEN]; /* key octets; only the first 'len' are valid */
	size_t len; /* number of valid octets in 'key', at most MAX_KEY_LEN */
};
41
/* CAK Name (CKN) that identifies a CAK in MKPDUs; it is public (sent in the
 * clear) and is the lookup key for ieee802_1x_kay_delete_mka() and
 * ieee802_1x_kay_mka_participate(). */
struct mka_key_name {
	u8 name[MAX_CKN_LEN]; /* CKN octets; only the first 'len' are valid */
	size_t len; /* number of valid octets in 'name', at most MAX_CKN_LEN */
};
46
/* How the CAK/CKN for an MKA participant was obtained; passed as 'mode' to
 * ieee802_1x_kay_create_mka(). */
enum mka_created_mode {
	PSK, /* pre-shared CAK configured locally */
	EAP_EXCHANGE, /* CAK derived from an EAP authentication exchange */
};
51
/*
 * A Secure Association Key (SAK) known to the KaY together with the
 * attributes MKA distributes with it. Referenced by struct transmit_sa and
 * struct receive_sa through their 'pkey' members.
 */
struct data_key {
	u8 *key; /* SAK octets. NOTE(review): secret material - confirm the
		  * owner clears the buffer before releasing it */
	int key_len; /* length of 'key' in octets (note: struct mka_key uses
		      * size_t for the same purpose) */
	struct ieee802_1x_mka_ki key_identifier; /* KI naming this SAK */
	enum confidentiality_offset confidentiality_offset;
	u8 an; /* Association Number the SAK is installed under */
	Boolean transmits; /* SAK is in use for transmission */
	Boolean receives; /* SAK is in use for reception */
	struct os_time created_time;
	u32 next_pn; /* next Packet Number; see ieee802_1x_kay::pn_exhaustion
		      * for the rollover guard */

	/* not defined data */
	Boolean rx_latest; /* presumably the Latest Key rx flag; compare
			    * ieee802_1x_kay_set_latest_sa_attr() 'lrx' */
	Boolean tx_latest; /* presumably the Latest Key tx flag; compare
			    * ieee802_1x_kay_set_latest_sa_attr() 'ltx' */

	int user; /* FIXME: to indicate if it can be delete safely */

	struct dl_list list; /* list entry in the owning participant's key list */
};
71
/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	Boolean transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	unsigned int channel; /* driver-side SC slot; presumably the value
			       * obtained via get_available_transmit_sc() */

	struct dl_list list; /* list entry in the owning KaY/participant */
	struct dl_list sa_list; /* head of the struct transmit_sa::list chain */
};
88
/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sa {
	Boolean in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only); synchronized with the driver
		      * through get_transmit_next_pn()/set_transmit_next_pn() */
	struct os_time created_time; /* Time createdTime */

	Boolean enable_transmit; /* bool EnableTransmit */

	u8 an; /* Association Number of this SA within its SC */
	Boolean confidentiality; /* encrypt (true) or integrity-only (false) */
	struct data_key *pkey; /* SAK used by this SA; not owned here */

	struct transmit_sc *sc; /* owning transmit SC */
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};
104
/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci (of the peer) */
	Boolean receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	unsigned int channel; /* driver-side SC slot; presumably the value
			       * obtained via get_available_receive_sc() */

	struct dl_list list; /* list entry in the owning KaY/participant */
	struct dl_list sa_list; /* head of the struct receive_sa::list chain */
};
117
/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sa {
	Boolean enable_receive; /* bool enableReceive */
	Boolean in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only); refreshed from the driver
			* via get_receive_lowest_pn() and used for replay
			* protection */
	u8 an; /* Association Number of this SA within its SC */
	struct os_time created_time;

	struct data_key *pkey; /* SAK used by this SA; not owned here */
	struct receive_sc *sc; /* owning receive SC */

	struct dl_list list; /* list entry in struct receive_sc::sa_list */
};
133
/*
 * Callbacks through which the KaY drives the MACsec data plane. Each callback
 * receives the 'ctx' pointer stored in this structure. Return values are
 * int; presumably 0 on success and negative on failure, consistent with the
 * ieee802_1x_kay_*() functions below - confirm against the driver wrapper.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* Query what the driver supports; the result is stored in
	 * struct ieee802_1x_kay::macsec_capable. The first parameter is
	 * named 'priv' unlike every other callback here, but the same 'ctx'
	 * pointer is presumably passed - consider renaming for consistency. */
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	/* Enable/disable replay protection. The semantics of 'window' (the
	 * number of out-of-order PNs tolerated) are driver-defined; a large
	 * window weakens anti-replay, see ieee802_1x_kay::macsec_replay_window */
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	/* Controlled port gates all non-MKA traffic; it must stay disabled
	 * until SAs are in place */
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	/* *channel receives a free driver SC slot index */
	int (*get_available_receive_sc)(void *ctx, u32 *channel);
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	/* *channel receives a free driver SC slot index */
	int (*get_available_transmit_sc)(void *ctx, u32 *channel);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
};
165
/*
 * Per-interface Key Agreement Entity (KaY) state. One instance is created by
 * ieee802_1x_kay_init() and owns the MKA participants, the CP state machine
 * and the L2 socket used for MKPDUs.
 */
struct ieee802_1x_kay {
	Boolean enable;
	Boolean active;

	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	struct ieee802_1x_mka_sci actor_sci; /* our own SCI */
	u8 actor_priority; /* our key server priority (lower wins election) */
	struct ieee802_1x_mka_sci key_server_sci; /* SCI of the elected key server */
	u8 key_server_priority;

	enum macsec_cap macsec_capable; /* as reported by macsec_get_capability() */
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window; /* passed to set_replay_protect() */
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;

	/* Latest Key: KN and AN for tx and rx (see
	 * ieee802_1x_kay_set_latest_sa_attr()) */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	/* Old Key: KN and AN for tx and rx (see
	 * ieee802_1x_kay_set_old_sa_attr()) */
	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx; /* driver callbacks; not owned */
	Boolean is_key_server;
	Boolean is_obliged_key_server;
	char if_name[IFNAMSIZ];

	unsigned int macsec_csindex; /* MACsec cipher suite table index */
	int mka_algindex; /* MKA alg table index */

	/* KN/AN/time of the SAK most recently distributed by this KaY when it
	 * is the key server - presumably; confirm in ieee802_1x_kay.c */
	u32 dist_kn;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	u8 algo_agility[4]; /* MKA Algorithm Agility parameter (4 octets) */
	u32 sc_ch;

	u32 pn_exhaustion; /* PN threshold at which a fresh SAK is wanted;
			    * keeps a u32 PN from wrapping on one key */
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	struct dl_list participant_list; /* struct ieee802_1x_mka_participant entries */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp; /* Controlled Port state machine */

	struct l2_packet_data *l2_mka; /* L2 socket for MKPDUs */

	enum validate_frames vf;
	enum confidentiality_offset co;
};
229
230
/*
 * Create the KaY for interface 'ifname' with MAC address 'addr' (ETH_ALEN
 * octets). 'ctx' supplies the driver callbacks and is retained, not copied.
 * Presumably returns NULL on failure; pair with ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/*
 * Register a CAK/CKN pair and start an MKA participant for it. 'cak' is
 * secret material - the caller should not keep extra copies around. The
 * unit of 'life' is not visible in this header; confirm against the
 * implementation. 'is_authenticator' selects the authenticator role.
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  struct mka_key_name *ckn, struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
/* Remove the participant identified by 'ckn' */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Set whether the participant identified by 'ckn' takes part in MKA */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
/* Generate and distribute a fresh SAK (key server role) */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* Switch to the cipher suite at 'cs_index' of the cipher suite table */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/* CP state machine interface: Latest Key (l*) and Old Key (o*) attributes.
 * 'lki'/'oki' name the SAK, 'lan'/'oan' its AN, and the tx/rx flags say
 * whether it is used for transmit/receive. */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
/* Install SAs for the SAK named by 'lki' on all SCs */
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
/* Remove the SAs for the SAK named by 'ki' */
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
/* Enable transmit SAs for the SAK named by 'lki' */
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
/* Enable receive SAs for the SAK named by 'lki' */
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
/* Signal that updated information should be sent to peers */
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
265
266 #endif /* IEEE802_1X_KAY_H */