/*
 * IEEE 802.1X-2010 Key Agreement Entity (KaY) of the PAE state machine
 * Copyright (c) 2013, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef IEEE802_1X_KAY_H
#define IEEE802_1X_KAY_H

#include "utils/list.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"

/*
 * NOTE(review): struct os_time, time_t and IFNAMSIZ used below are not
 * declared by the three includes above; the header appears to rely on the
 * including .c file having pulled in the common headers first - confirm.
 */
struct macsec_init_params; /* opaque here; defined by the driver interface */

#define MI_LEN 12 /* 96-bit Member Identifier */
#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */

/* MKA timer, unit: millisecond */
#define MKA_HELLO_TIME 2000 /* interval between periodic MKPDU transmissions */
#define MKA_LIFE_TIME 6000 /* peer is considered gone after this much silence */
#define MKA_SAK_RETIRE_TIME 3000 /* delay before an old SAK is retired */

/**
 * struct ieee802_1x_mka_ki - Key Identifier (KI)
 * @mi: Key Server's Member Identifier
 * @kn: Key Number, assigned by the Key Server
 * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};

/**
 * struct ieee802_1x_mka_sci - Secure Channel Identifier (SCI)
 * @addr: MAC address component of the SCI
 * @port: port identifier component, big-endian (network byte order)
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
};

/**
 * struct mka_key - Raw key material with its length
 * @key: key bytes; only the first @len bytes are meaningful
 * @len: number of valid bytes in @key (at most MAX_KEY_LEN)
 *
 * Passed as the CAK to ieee802_1x_kay_create_mka(). This is secret key
 * material; NOTE(review): callers and the implementation should clear it
 * when it is no longer needed - confirm in ieee802_1x_kay.c.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};

/**
 * struct mka_key_name - CAK Name (CKN) with its length
 * @name: CKN bytes; only the first @len bytes are meaningful
 * @len: number of valid bytes in @name (at most MAX_CKN_LEN)
 *
 * Passed as the CKN to ieee802_1x_kay_create_mka() and used to look the
 * MKA participant up again in ieee802_1x_kay_delete_mka() and
 * ieee802_1x_kay_mka_participate().
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};

/* How the CAK of an MKA participant was obtained (see ieee802_1x_kay_create_mka()) */
enum mka_created_mode {
	PSK, /* pre-shared key */
	EAP_EXCHANGE, /* derived from an EAP exchange */
};

/**
 * struct data_key - A Secure Association Key (SAK) and its bookkeeping
 * @key: key bytes (ownership/allocation not visible in this header - the
 *	KaY implementation presumably allocates and releases it; confirm)
 * @key_len: length of @key in bytes. NOTE(review): signed int here while
 *	struct mka_key uses size_t; the implementation should never let a
 *	negative value reach a memcpy-style length.
 * @key_identifier: KI (Key Server MI + KN) that names this SAK in MKPDUs
 * @confidentiality_offset: confidentiality offset negotiated for this SAK
 * @an: Association Number (AN) the SAK is installed under
 * @transmits: SAK is in use for transmission
 * @receives: SAK is in use for reception
 * @created_time: time the SAK was created
 * @next_pn: next packet number to be used with this SAK
 * @rx_latest: this is the latest receive key (not defined in the standard)
 * @tx_latest: this is the latest transmit key (not defined in the standard)
 * @user: presumably a use/reference count - verify in ieee802_1x_kay.c
 * @list: list entry in the owning participant's key list (presumably)
 */
struct data_key {
	u8 *key;
	int key_len;
	struct ieee802_1x_mka_ki key_identifier;
	enum confidentiality_offset confidentiality_offset;
	u8 an;
	Boolean transmits;
	Boolean receives;
	struct os_time created_time;
	u32 next_pn;

	/* not defined data */
	Boolean rx_latest;
	Boolean tx_latest;

	int user;

	struct dl_list list;
};

/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	Boolean transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	struct dl_list list; /* list entry in the owning KaY/participant list */
	struct dl_list sa_list; /* head of the struct transmit_sa list for this SC */
};

/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sa {
	Boolean in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only) */
	struct os_time created_time; /* Time createdTime */

	Boolean enable_transmit; /* bool EnableTransmit */

	u8 an; /* Association Number of this SA within its SC */
	Boolean confidentiality; /* whether frames are encrypted, not only integrity-protected */
	struct data_key *pkey; /* SAK installed in this SA; not owned here */

	struct transmit_sc *sc; /* back-pointer to the owning SC */
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};

/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	Boolean receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	struct dl_list list; /* list entry in the owning KaY/participant list */
	struct dl_list sa_list; /* head of the struct receive_sa list for this SC */
};

/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sa {
	Boolean enable_receive; /* bool enableReceive */
	Boolean in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only); replay-protection floor */
	u8 an; /* Association Number of this SA within its SC */
	struct os_time created_time;

	struct data_key *pkey; /* SAK installed in this SA; not owned here */
	struct receive_sc *sc; /* back-pointer to the owning SC */

	struct dl_list list; /* list entry in struct receive_sc::sa_list */
};

/**
 * struct ieee802_1x_kay_ctx - Callbacks from the KaY into the driver layer
 *
 * Every callback receives @ctx as its first argument. The int return values
 * are presumably 0 on success and negative on failure (driver convention);
 * confirm against the implementations before relying on a specific code.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* first parameter is named priv here but is the same ctx as the others */
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	int (*enable_encrypt)(void *ctx, Boolean enabled);
	/* window: replay-protection window size in packets */
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
};

/**
 * struct ieee802_1x_kay - Per-port KaY state
 *
 * Field groups, in order: PAE status flags; actor and elected Key Server
 * identity; MACsec capability/policy as negotiated; latest (l*) and old (o*)
 * transmit/receive key numbers and ANs (see ieee802_1x_kay_set_latest_sa_attr()
 * and ieee802_1x_kay_set_old_sa_attr()); implementation-private state.
 */
struct ieee802_1x_kay {
	Boolean enable;
	Boolean active;

	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	struct ieee802_1x_mka_sci actor_sci; /* this port's own SCI */
	u8 actor_priority; /* this port's Key Server election priority */
	struct ieee802_1x_mka_sci key_server_sci; /* SCI of the elected Key Server */
	u8 key_server_priority;

	enum macsec_cap macsec_capable;
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_encrypt;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window; /* passed to set_replay_protect() */
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;

	u32 ltx_kn; /* latest transmit key number */
	u8 ltx_an; /* latest transmit AN */
	u32 lrx_kn; /* latest receive key number */
	u8 lrx_an; /* latest receive AN */

	u32 otx_kn; /* old transmit key number */
	u8 otx_an; /* old transmit AN */
	u32 orx_kn; /* old receive key number */
	u8 orx_an; /* old receive AN */

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx; /* driver callbacks; not owned here (presumably) */
	Boolean is_key_server;
	Boolean is_obliged_key_server;
	char if_name[IFNAMSIZ];

	unsigned int macsec_csindex; /* MACsec cipher suite table index */
	int mka_algindex; /* MKA alg table index */

	/* SAK distribution state (presumably for the SAK this Key Server last
	 * distributed); verify against ieee802_1x_kay.c */
	u32 dist_kn;
	u32 rcvd_keys;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version; /* MKA version number advertised in MKPDUs */
	u8 algo_agility[4]; /* MKA Algorithm Agility parameter, 4 octets */

	u32 pn_exhaustion; /* PN threshold at which a fresh SAK is requested (presumably) */
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	struct dl_list participant_list; /* list of struct ieee802_1x_mka_participant */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp; /* Controlled Port state machine */

	struct l2_packet_data *l2_mka; /* L2 socket used to send/receive MKPDUs */

	enum validate_frames vf;
	enum confidentiality_offset co;
};


/* Pack an SCI (6-byte MAC address + 16-bit port) into a single u64. */
u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);

/*
 * Allocate and initialise a KaY instance for @ifname/@addr using @port and
 * @priority for the actor SCI and Key Server election; returns NULL on
 * failure. The returned object is released with ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    u16 port, u8 priority, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/*
 * Create an MKA participant for the CAK/CKN pair. @life is presumably the
 * CAK lifetime (see the MKA timer units above; confirm). Returns NULL on
 * failure. Whether the key bytes are copied or referenced is not visible
 * here - confirm before reusing or clearing the caller's buffers.
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  struct mka_key_name *ckn, struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
/* Remove the participant identified by @ckn. */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Enable (@status TRUE) or disable active participation for @ckn. */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
/* Request generation/distribution of a new SAK. */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* Switch to the cipher suite at @cs_index in the cipher suite table. */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/*
 * CP state machine -> KaY interface. The int return values are presumably
 * 0 on success and -1 on failure; confirm in ieee802_1x_kay.c.
 */
/* Record the latest KI/AN and whether it is used for transmit/receive. */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
/* Record the old KI/AN and whether it is used for transmit/receive. */
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
/* Create transmit/receive SAs for the SAK identified by @lki. */
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
/* Delete the SAs for the SAK identified by @ki. */
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
/* Enable the transmit SAs for the SAK identified by @lki. */
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
/* Enable the receive SAs for the SAK identified by @lki. */
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/*
 * Write a textual status report into @buf (at most @buflen bytes). The
 * return value is presumably the number of bytes written, following the
 * other *_get_status() helpers in this code base; confirm.
 */
int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
			      size_t buflen);

#endif /* IEEE802_1X_KAY_H */