/*
 * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
 * Copyright (c) 2013, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

/*
 * Public interface of the MKA Key Agreement Entity (KaY): the data structures
 * shared with the CP state machine and the driver glue, plus the entry points
 * used to create/delete MKA participants and to install the resulting SAs.
 *
 * Secret material lives in these structures: the CAK in struct mka_key (see
 * ieee802_1x_kay_create_mka()) and SAK bytes behind struct data_key::key.
 * This header only declares the layout; the implementation is expected to
 * own the lifetime of that material and to clear it with a non-optimizable
 * zeroize when it is released (NOTE(review): confirm in ieee802_1x_kay.c).
 *
 * Field descriptions below that are not backed by a comment in the original
 * are taken from the field names and the IEEE 802.1X-2010 / 802.1AE-2006
 * variables they mirror; confirm against the implementation before relying
 * on them.
 */

#ifndef IEEE802_1X_KAY_H
#define IEEE802_1X_KAY_H

#include "utils/list.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"

struct macsec_init_params;

#define MI_LEN			12  /* 96-bit Member Identifier */
/* Fixed buffer size of struct mka_key::key; struct mka_key::len <= this */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits */
/* Fixed buffer size of struct mka_key_name::name; ::len <= this */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits */

/*
 * MKA timer, unit: millisecond
 *
 * These appear to be the default MKA timer values from IEEE 802.1X-2010
 * (Hello Time 2.0 s, Bounded Hello Time 0.5 s, Life Time 6.0 s, SAK retire
 * 3.0 s). Peers not heard from within MKA_LIFE_TIME are presumably aged out
 * by the implementation — confirm before tuning.
 */
#define MKA_HELLO_TIME		2000
#define MKA_BOUNDED_HELLO_TIME	500
#define MKA_LIFE_TIME		6000
#define MKA_SAK_RETIRE_TIME	3000

/**
 * struct ieee802_1x_mka_ki - Key Identifier (KI)
 * @mi: Key Server's Member Identifier
 * @kn: Key Number, assigned by the Key Server
 * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
 *
 * Together @mi and @kn name one distributed SAK; the KaY API functions that
 * take a "struct ieee802_1x_mka_ki *lki/oki/ki" select a SAK by this value.
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};

/**
 * struct ieee802_1x_mka_sci - Secure Channel Identifier (SCI)
 * @addr: MAC address component of the SCI
 * @port: port identifier, stored big-endian (network byte order)
 *
 * Packed so that the 6 + 2 byte layout matches the 8-octet SCI value;
 * mka_sci_u64() folds it into a single u64.
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
} STRUCT_PACKED;

/**
 * struct mka_key - secret key material (used for the CAK)
 * @key: key bytes; only the first @len bytes are meaningful
 * @len: number of valid bytes in @key; must be <= MAX_KEY_LEN. Code that
 *	fills this from configuration or peer input must bound-check the
 *	length before copying into the fixed buffer.
 *
 * NOTE(review): this holds a long-lived secret; confirm the implementation
 * clears it when the owning participant is freed.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};

/**
 * struct mka_key_name - CAK Key Name (CKN)
 * @name: CKN bytes; only the first @len bytes are meaningful
 * @len: number of valid bytes in @name; must be <= MAX_CKN_LEN
 *
 * The CKN is an identifier, not a secret, but it is compared against values
 * carried in received MKPDUs, so lengths must be validated on the way in.
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};

/*
 * How a participant's CAK/CKN were obtained (by name): pre-shared (PSK) or
 * from an EAP exchange. The enumerators are unprefixed, so PSK and
 * EAP_EXCHANGE become plain identifiers everywhere this header is included.
 */
enum mka_created_mode {
	PSK,
	EAP_EXCHANGE,
};

/**
 * struct data_key - a SAK known to this KaY together with its usage state
 * @key: pointer to the key bytes (secret; ownership not visible here)
 * @key_len: length of @key in bytes. NOTE(review): declared int while
 *	struct mka_key::len is size_t; mixed signed/unsigned comparisons
 *	between the two need care.
 * @key_identifier: KI (Key Server MI + key number) that names this SAK
 * @confidentiality_offset: confidentiality offset associated with the key
 * @an: association number (AN) the key is installed under
 * @transmits: key is in use for transmit (by name)
 * @receives: key is in use for receive (by name)
 * @created_time: creation/reception time of the key
 * @next_pn: next packet number; 32-bit, so extended packet numbering (XPN)
 *	is not representable with this field
 * @rx_latest: this is the latest RX key (implementation tracking state)
 * @tx_latest: this is the latest TX key (implementation tracking state)
 * @user: presumably a use count of SAs referencing this key — confirm
 * @list: list entry (list head not visible in this header)
 */
struct data_key {
	u8 *key;
	int key_len;
	struct ieee802_1x_mka_ki key_identifier;
	enum confidentiality_offset confidentiality_offset;
	u8 an;
	bool transmits;
	bool receives;
	struct os_time created_time;
	u32 next_pn;

	/* not defined data */
	bool rx_latest;
	bool tx_latest;

	int user;

	struct dl_list list;
};

/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
/*
 * One transmit Secure Channel; the inline comments give the 802.1AE variable
 * each field mirrors. Fields marked "read only" reflect state that the
 * standard defines as observable rather than controllable.
 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	struct dl_list list;    /* entry in the owning list (not visible here) */
	struct dl_list sa_list; /* head of the struct transmit_sa list for this SC */
};

/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
/*
 * One transmit Secure Association under a transmit_sc. next_pn is 32-bit
 * (no XPN); pkey points at the SAK backing this SA.
 */
struct transmit_sa {
	bool in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only) */
	struct os_time created_time; /* Time createdTime */

	bool enable_transmit; /* bool EnableTransmit */

	u8 an;                  /* association number of this SA */
	bool confidentiality;   /* whether frames on this SA are encrypted (by name) */
	struct data_key *pkey;  /* SAK used by this SA */

	struct transmit_sc *sc; /* owning transmit SC */
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};

/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
/* One receive Secure Channel, keyed by the peer's SCI. */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	struct dl_list list;    /* entry in the owning list (not visible here) */
	struct dl_list sa_list; /* head of the struct receive_sa list for this SC */
};

/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
/*
 * One receive Secure Association under a receive_sc. lowest_pn is the
 * replay-protection floor reported by/for the driver (see
 * get_receive_lowest_pn / set_receive_lowest_pn in struct ieee802_1x_kay_ctx).
 */
struct receive_sa {
	bool enable_receive; /* bool enableReceive */
	bool in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only) */
	u8 an;                       /* association number of this SA */
	struct os_time created_time; /* Time createdTime */

	struct data_key *pkey;  /* SAK used by this SA */
	struct receive_sc *sc;  /* owning receive SC */

	struct dl_list list; /* list entry in struct receive_sc::sa_list */
};

/**
 * struct ieee802_1x_kay_ctx - driver glue the KaY uses to program MACsec
 * @ctx: opaque upper-level pointer; presumably handed to every callback as
 *	its first argument (named @ctx, or @priv in macsec_get_capability) —
 *	confirm against the caller
 *
 * All callbacks return int; the 0 == success convention is assumed from the
 * surrounding driver interface and not established by this header. The
 * get_/set_ PN callbacks read or write the PN fields of the SA they are
 * given; set_replay_protect takes the replay window in packets, with the
 * meaning of a zero window left to the driver.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, bool enabled);
	int (*enable_encrypt)(void *ctx, bool enabled);
	int (*set_replay_protect)(void *ctx, bool enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	int (*enable_controlled_port)(void *ctx, bool enabled);
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*set_offload)(void *ctx, u8 offload);
};

/**
 * struct ieee802_1x_kay - per-port KaY instance
 *
 * The first groups mirror IEEE 802.1X-2010 KaY variables: port state flags
 * (enable/active/authenticated/secured/failed), this actor's SCI and key
 * server priority next to the elected Key Server's, the requested MACsec
 * policy (protect/encrypt/replay protection/validation/confidentiality
 * offset), and the latest/old transmit and receive key numbers and ANs
 * (ltx/lrx = latest TX/RX, otx/orx = old TX/RX, by name). Everything after
 * the "not defined in IEEE802.1X" marker is implementation state.
 *
 * Security-relevant settings: @macsec_replay_protect/@macsec_replay_window
 * control replay protection handed to the driver via set_replay_protect();
 * @macsec_validate selects frame validation; @pn_exhaustion is presumably
 * the PN threshold that triggers a new SAK before the 32-bit PN wraps —
 * confirm the comparison in the implementation.
 */
struct ieee802_1x_kay {
	bool enable;
	bool active;

	bool authenticated;
	bool secured;
	bool failed;

	struct ieee802_1x_mka_sci actor_sci;       /* this port's SCI */
	u8 actor_priority;                         /* this port's key server priority */
	struct ieee802_1x_mka_sci key_server_sci;  /* SCI of the elected Key Server */
	u8 key_server_priority;                    /* priority of the elected Key Server */

	enum macsec_cap macsec_capable;
	bool macsec_desired;
	bool macsec_protect;
	bool macsec_encrypt;
	bool macsec_replay_protect;
	u32 macsec_replay_window;
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;
	u32 mka_hello_time;  /* current hello interval (ms, per the timer defines) */

	u32 ltx_kn;  /* latest TX key number */
	u8 ltx_an;   /* latest TX AN */
	u32 lrx_kn;  /* latest RX key number */
	u8 lrx_an;   /* latest RX AN */

	u32 otx_kn;  /* old TX key number */
	u8 otx_an;   /* old TX AN */
	u32 orx_kn;  /* old RX key number */
	u8 orx_an;   /* old RX AN */

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx;  /* driver callbacks */
	bool is_key_server;
	bool is_obliged_key_server;
	char if_name[IFNAMSIZ];          /* interface name; must stay NUL-terminated */
	u8 macsec_offload;

	unsigned int macsec_csindex; /* MACsec cipher suite table index */
	int mka_algindex; /* MKA alg table index */

	u32 dist_kn;     /* key number of the SAK being distributed (by name) */
	u32 rcvd_keys;   /* semantics not visible here (counter or bitmap?) — confirm */
	u8 dist_an;      /* AN of the SAK being distributed (by name) */
	time_t dist_time; /* NOTE(review): time_t here, struct os_time elsewhere */

	u8 mka_version;
	u8 algo_agility[4];  /* Algorithm Agility parameter carried in MKPDUs (by name) */

	u32 pn_exhaustion;
	bool port_enable;
	bool rx_enable;
	bool tx_enable;

	struct dl_list participant_list;  /* MKA participants (type not visible here) */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp;      /* Controlled Port state machine */

	struct l2_packet_data *l2_mka;    /* L2 socket used for MKPDUs */

	enum validate_frames vf;
	enum confidentiality_offset co;
};


/* Fold a packed SCI into a single u64 value. */
u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);

/*
 * Allocate and initialise a KaY for interface @ifname with MAC address @addr.
 * @port and @priority become the actor SCI port and key server priority;
 * the macsec_* arguments seed the policy fields of struct ieee802_1x_kay.
 * Presumably returns NULL on failure — confirm. Release with
 * ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    bool macsec_replay_protect, u32 macsec_replay_window,
		    u8 macsec_offload, u16 port, u8 priority,
		    u32 macsec_csindex, const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/*
 * Create an MKA participant from a CAK/CKN pair. @cak is secret input: the
 * caller keeps ownership of the passed struct and should clear it once the
 * participant has copied what it needs. @life is presumably the CAK
 * lifetime and @mode records how the CAK was obtained — confirm units in
 * the implementation. Presumably returns NULL on failure.
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  const struct mka_key_name *ckn,
			  const struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  bool is_authenticator);
/* Remove the participant identified by @ckn. */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Enable (@status true) or disable participation for the participant @ckn. */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    bool status);
/* Generate and distribute a fresh SAK (Key Server role). */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* Switch to cipher suite table entry @cs_index. */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/*
 * CP state machine hooks: record the latest (l*) and old (o*) key
 * identifier/AN and their TX/RX usage, then create, enable or delete the
 * SAs for a given KI. int return values follow the rest of the file; the
 * success value is not established by this header.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      bool ltx, bool lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, bool otx, bool orx);
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/*
 * Text status/MIB dumps into a caller-supplied buffer of @buflen bytes.
 * Presumably return the number of bytes written, as the other control
 * interface helpers do — confirm; callers must not assume NUL termination
 * without checking the return value.
 */
int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
			      size_t buflen);
int ieee802_1x_kay_get_mib(struct ieee802_1x_kay *kay, char *buf,
			   size_t buflen);

#endif /* IEEE802_1X_KAY_H */