/*
 * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
 * Copyright (c) 2013, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

/*
 * Public interface of the KaY (Key Agreement Entity): the data structures
 * shared between the MKA implementation, the CP state machine and the
 * driver glue, plus the entry points the PAE uses to drive it. Only
 * declarations live here; the behavior behind each prototype is in the
 * matching .c file.
 */

#ifndef IEEE802_1X_KAY_H
#define IEEE802_1X_KAY_H

#include "utils/list.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"

struct macsec_init_params;

/* Length of an MKA Member Identifier (MI) in octets */
#define MI_LEN 12
/* Upper bounds for secret key material (CAK/SAK) and for the CAK name */
#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */

/*
 * MKA timer, unit: millisecond
 * The values match the MKA timer defaults in IEEE 802.1X-2010 (Hello Time
 * 2.0 s, Life Time 6.0 s, SAK retire time 3.0 s).
 */
#define MKA_HELLO_TIME 2000
#define MKA_LIFE_TIME 6000
#define MKA_SAK_RETIRE_TIME 3000

/*
 * Key Identifier (KI): the MI of the key server that generated the SAK
 * together with the Key Number (KN) it assigned. The pair is what peers use
 * to refer to a SAK without ever carrying the key itself.
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};

/*
 * Secure Channel Identifier (SCI): MAC address plus port number. The port
 * is stored in network byte order (be16), so compare/copy it as raw bytes
 * rather than as a host integer.
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
};

/*
 * Secret key material (a CAK or SAK). Only the first @len octets of @key
 * are meaningful; code filling this structure must keep @len <= MAX_KEY_LEN
 * since @key is a fixed-size array.
 * NOTE(review): instances of this struct hold secrets - they should be
 * cleared before being released; this header does not establish where that
 * happens, confirm in the .c file.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};

/*
 * CAK Name (CKN): identifies a CAK without revealing it. As with mka_key,
 * @len must not exceed MAX_CKN_LEN.
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};

/*
 * How the CAK behind an MKA instance was obtained: configured as a
 * pre-shared key, or derived from an EAP exchange (enumerator names only;
 * the derivation itself is not visible in this header).
 */
enum mka_created_mode {
	PSK,
	EAP_EXCHANGE,
};

/*
 * Callback table through which the KaY programs the MACsec data path.
 * Every callback returns int; the success/failure convention is not
 * defined here - presumably 0 on success, confirm against the callers in
 * ieee802_1x_kay.c. Secure channels are addressed by the opaque u32
 * "channel" handle handed out by the get_available_*_sc callbacks, and
 * SAs within a channel by their 2-bit Association Number (AN).
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	/* @window: number of out-of-order packets tolerated when enabled */
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	/* @cs: 64-bit MACsec cipher suite identifier */
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	/* Packet numbers are 32-bit here (no extended packet numbering) */
	int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
				     u32 *lowest_pn);
	int (*get_transmit_next_pn)(void *ctx, u32 channel, u8 an,
				    u32 *next_pn);
	int (*set_transmit_next_pn)(void *ctx, u32 channel, u8 an, u32 next_pn);
	int (*get_available_receive_sc)(void *ctx, u32 *channel);
	int (*create_receive_sc)(void *ctx, u32 channel,
				 struct ieee802_1x_mka_sci *sci,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, u32 channel);
	/*
	 * @sak: raw SAK bytes. No length is passed; the implementation is
	 * expected to take it from the cipher suite previously selected via
	 * set_current_cipher_suite - TODO confirm in the driver glue.
	 */
	int (*create_receive_sa)(void *ctx, u32 channel, u8 an, u32 lowest_pn,
				 const u8 *sak);
	int (*enable_receive_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_receive_sa)(void *ctx, u32 channel, u8 an);
	int (*get_available_transmit_sc)(void *ctx, u32 *channel);
	int (*create_transmit_sc)(void *ctx, u32 channel,
				  const struct ieee802_1x_mka_sci *sci,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, u32 channel);
	/* @confidentiality: whether the SA encrypts as well as authenticates */
	int (*create_transmit_sa)(void *ctx, u32 channel, u8 an, u32 next_pn,
				  Boolean confidentiality, const u8 *sak);
	int (*enable_transmit_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_transmit_sa)(void *ctx, u32 channel, u8 an);
};

/*
 * Per-port KaY instance. The first group of fields mirrors the KaY
 * variables of IEEE 802.1X-2010; everything after the "not defined in
 * IEEE802.1X" marker is implementation state.
 */
struct ieee802_1x_kay {
	Boolean enable;
	Boolean active;

	/* Outcome of the most recent MKA exchange, as reported to the PAE */
	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	/* This station's SCI/priority and those of the elected key server */
	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	/* Local MACsec capability and the policy negotiated for the port */
	enum macsec_cap macsec_capable;
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window;
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;

	/*
	 * Latest ("l") and old ("o") key numbers and ANs for the transmit
	 * (tx) and receive (rx) sides; these are what
	 * ieee802_1x_kay_set_latest_sa_attr() and
	 * ieee802_1x_kay_set_old_sa_attr() update.
	 */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx;
	Boolean is_key_server;
	Boolean is_obliged_key_server;
	char if_name[IFNAMSIZ];

	unsigned int macsec_csindex; /* MACsec cipher suite table index */
	int mka_algindex; /* MKA alg table index */

	/* Presumably the KN/AN and timestamp of the last distributed SAK -
	 * confirm against ieee802_1x_kay.c */
	u32 dist_kn;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	/* 4-octet MKA Algorithm Agility parameter */
	u8 algo_agility[4];
	/* Driver channel handle of this port's secure channel (see ctx) */
	u32 sc_ch;

	/* PN threshold that triggers a new SAK; semantics not shown here */
	u32 pn_exhaustion;
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	/* List of struct ieee802_1x_mka_participant (one per CAK/CKN) */
	struct dl_list participant_list;
	enum macsec_policy policy;

	/* Companion CP (Controlled Port) state machine */
	struct ieee802_1x_cp_sm *cp;

	/* Raw L2 socket used to send/receive MKPDUs */
	struct l2_packet_data *l2_mka;

	enum validate_frames vf;
	enum confidentiality_offset co;
};


/**
 * ieee802_1x_kay_init - Create a KaY instance for one interface
 * @ctx: Driver callback table (see struct ieee802_1x_kay_ctx)
 * @policy: MACsec policy to apply on the port
 * @ifname: Interface name
 * @addr: Own MAC address (u8[ETH_ALEN])
 * Returns: Allocated KaY, or presumably %NULL on failure - confirm in .c
 *
 * The returned instance is released with ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/**
 * ieee802_1x_kay_create_mka - Add an MKA participant (one CAK) to the KaY
 * @kay: KaY instance
 * @ckn: CAK name
 * @cak: CAK secret; whether it is copied or referenced is not established
 *	by this header - check before relying on the caller's buffer lifetime
 * @life: Lifetime parameter for the participant (unit not shown here)
 * @mode: How the CAK was obtained (enum mka_created_mode)
 * @is_authenticator: Whether the local side acts as authenticator
 * Returns: New participant, or presumably %NULL on failure
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  struct mka_key_name *ckn, struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
/* Remove the participant identified by @ckn */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Enable (@status TRUE) or disable participation for the given CKN */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
/* Request generation/distribution of a fresh SAK (key server side) */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* @cs_index: index into the cipher suite table (cf. macsec_csindex) */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/*
 * Interface used by the CP state machine: publish the latest/old SA
 * attributes, and create, delete and enable SAs by Key Identifier. All
 * return int; the convention is not defined in this header.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);

#endif /* IEEE802_1X_KAY_H */