1 /*
2  * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
3  * Copyright (c) 2013, Qualcomm Atheros, Inc.
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef IEEE802_1X_KAY_H
10 #define IEEE802_1X_KAY_H
11 
12 #include "utils/list.h"
13 #include "common/defs.h"
14 #include "common/ieee802_1x_defs.h"
15 
/* Opaque driver-side MACsec init parameters; this header only uses pointers to it. */
struct macsec_init_params;

#define MI_LEN			12  /* 96-bit Member Identifier (struct ieee802_1x_mka_ki::mi) */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits; bound of struct mka_key::key */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits; bound of struct mka_key_name::name */

/*
 * MKA timers, unit: millisecond. These correspond to the MKA parameter
 * defaults of IEEE 802.1X-2010 (Hello 2.0 s, Bounded Hello 0.5 s, Life 6.0 s,
 * SAK Retire 3.0 s). Presumably a peer not heard from within MKA_LIFE_TIME is
 * timed out, and an old SAK stays usable for MKA_SAK_RETIRE_TIME after a new
 * one is installed - confirm against the KaY implementation.
 */
#define MKA_HELLO_TIME		2000
#define MKA_BOUNDED_HELLO_TIME	 500
#define MKA_LIFE_TIME		6000
#define MKA_SAK_RETIRE_TIME	3000
27 
/**
 * struct ieee802_1x_mka_ki - Key Identifier (KI)
 * @mi: Key Server's Member Identifier (MI_LEN bytes)
 * @kn: Key Number, assigned by the Key Server
 *
 * The (mi, kn) pair identifies a distributed SAK; it is the handle taken by
 * ieee802_1x_kay_create_sas() and the other *_sas() entry points below.
 * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};
38 
/*
 * Secure Channel Identifier (SCI): 48-bit MAC address followed by a 16-bit
 * port number. port is big-endian and the struct is packed, so the layout
 * matches the 8-octet wire encoding; mka_sci_u64() folds it into a u64.
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
} STRUCT_PACKED;
43 
/*
 * Fixed-size key buffer, e.g. the CAK passed to ieee802_1x_kay_create_mka().
 * @key: key bytes; only the first len bytes are meaningful
 * @len: number of valid bytes in key, at most MAX_KEY_LEN
 * This holds secret material; nothing in this header clears it, so owners of
 * stack or heap instances are expected to do so when done - confirm in callers.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};
48 
/*
 * CAK Name (CKN). Identifies a CAK and therefore the MKA participant that
 * uses it; ieee802_1x_kay_delete_mka() and ieee802_1x_kay_mka_participate()
 * select the participant by CKN.
 * @name: CKN bytes; only the first len bytes are meaningful
 * @len: number of valid bytes in name, at most MAX_CKN_LEN
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};
53 
/*
 * How the CAK of an MKA participant was obtained; passed as the mode argument
 * of ieee802_1x_kay_create_mka(). By the names: a pre-shared key, or a CAK
 * derived from an EAP exchange.
 */
enum mka_created_mode {
	PSK,
	EAP_EXCHANGE,
};
58 
/* One SAK (Secure Association Key) together with its bookkeeping state. */
struct data_key {
	u8 *key; /* SAK bytes; allocation and ownership are not visible here - TODO confirm who frees */
	int key_len; /* byte length of key (signed int; expected to be >= 0) */
	struct ieee802_1x_mka_ki key_identifier; /* KI under which this SAK was distributed */
	enum confidentiality_offset confidentiality_offset;
	u8 an; /* Association Number (2-bit value in IEEE 802.1AE) */
	bool transmits; /* SAK is used for transmission (by name) */
	bool receives; /* SAK is used for reception (by name) */
	struct os_time created_time;
	u32 next_pn; /* next Packet Number; 32-bit, see pn_exhaustion in struct ieee802_1x_kay */

	/* not defined data */
	bool rx_latest; /* this SAK is the latest rx key */
	bool tx_latest; /* this SAK is the latest tx key */

	int user; /* presumably a count of SAs referencing this key - confirm */

	struct dl_list list; /* list entry (owning list not visible in this header) */
};
78 
/*
 * TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6.
 * One outbound Secure Channel; sa_list links the struct transmit_sa entries
 * that belong to it, and each of those points back through transmit_sa::sc.
 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	struct dl_list list; /* list entry (owning list not visible in this header) */
	struct dl_list sa_list; /* head of this SC's struct transmit_sa list */
};
93 
/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sa {
	bool in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only) */
	struct os_time created_time; /* Time createdTime */

	bool enable_transmit; /* bool EnableTransmit */

	u8 an; /* Association Number of this SA within its SC */
	bool confidentiality; /* by name: encrypt rather than integrity-only - confirm */
	struct data_key *pkey; /* SAK used by this SA (ownership not visible here) */

	struct transmit_sc *sc; /* back pointer to the owning SC */
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};
109 
/*
 * ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6.
 * One inbound Secure Channel; sa_list links the struct receive_sa entries
 * that belong to it, and each of those points back through receive_sa::sc.
 */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	struct dl_list list; /* list entry (owning list not visible in this header) */
	struct dl_list sa_list; /* head of this SC's struct receive_sa list */
};
120 
/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sa {
	bool enable_receive; /* bool enableReceive */
	bool in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only): lower edge of the replay window */
	u8 an; /* Association Number of this SA within its SC */
	struct os_time created_time; /* Time createdTime */

	struct data_key *pkey; /* SAK used by this SA (ownership not visible here) */
	struct receive_sc *sc; /* back pointer to the owning SC */

	struct dl_list list; /* list entry in struct receive_sc::sa_list */
};
136 
/*
 * Callbacks through which the KaY drives the MACsec data plane. Every
 * callback takes the opaque ctx cookie as its first argument; the return
 * convention (presumably 0 on success, negative on error) is not visible in
 * this header - confirm against the driver wrappers.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* first parameter is named priv here but is the same cookie as ctx elsewhere */
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, bool enabled);
	int (*enable_encrypt)(void *ctx, bool enabled);
	/* window: replay window size in packets when enabled (by name; confirm) */
	int (*set_replay_protect)(void *ctx, bool enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	/* opens/closes the controlled port, i.e. whether user data may pass */
	int (*enable_controlled_port)(void *ctx, bool enabled);
	/* PN accessors: presumably read or write sa->lowest_pn / sa->next_pn */
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	/* SC/SA lifecycle; vf/co are the validation and confidentiality-offset settings */
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*set_offload)(void *ctx, u8 offload);
};
171 
/*
 * KaY (Key Agreement Entity) instance state for one interface. Created by
 * ieee802_1x_kay_init() and destroyed by ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay {
	bool enable;
	bool active;

	/* PAE status flags (names follow IEEE 802.1X-2010) */
	bool authenticated;
	bool secured;
	bool failed;

	/* this station's SCI/priority and the elected Key Server's */
	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	/* MACsec capability and the policy knobs pushed to the driver */
	enum macsec_cap macsec_capable;
	bool macsec_desired;
	bool macsec_protect;
	bool macsec_encrypt;
	bool macsec_replay_protect;
	u32 macsec_replay_window;
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;
	u32 mka_hello_time; /* in milliseconds, cf. MKA_HELLO_TIME */

	/* latest (l*) and old (o*) tx/rx key number and AN; mirrors the
	 * arguments of ieee802_1x_kay_set_latest_sa_attr()/_set_old_sa_attr() */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx; /* driver callbacks (ownership not visible here) */
	bool is_key_server;
	bool is_obliged_key_server;
	char if_name[IFNAMSIZ];
	u8 macsec_offload;

	unsigned int macsec_csindex;  /* MACsec cipher suite table index */
	int mka_algindex;  /* MKA alg table index */

	/* bookkeeping for the SAK most recently distributed by this KaY */
	u32 dist_kn;
	u32 rcvd_keys;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	u8 algo_agility[4]; /* MKA Algorithm Agility parameter, 4 octets */

	u32 pn_exhaustion; /* PN threshold at which a new SAK is needed (by name; confirm) */
	bool port_enable;
	bool rx_enable;
	bool tx_enable;

	struct dl_list participant_list; /* struct ieee802_1x_mka_participant entries */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp; /* CP (Controlled Port) state machine */

	struct l2_packet_data *l2_mka; /* presumably the L2 socket for MKPDUs - confirm */

	enum validate_frames vf;
	enum confidentiality_offset co;
};
238 
239 
/* Pack an SCI (MAC address + port) into a single u64. */
u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);

/*
 * Allocate and initialize a KaY for interface ifname / MAC addr.
 * ctx supplies the driver callbacks; the remaining arguments seed the
 * correspondingly named fields of struct ieee802_1x_kay. Return value on
 * failure is not visible here (presumably NULL - confirm).
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    bool macsec_replay_protect, u32 macsec_replay_window,
		    u8 macsec_offload, u16 port, u8 priority,
		    u32 macsec_csindex, const char *ifname, const u8 *addr);
/* Tear down a KaY created by ieee802_1x_kay_init(). */
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/*
 * Create an MKA participant keyed by ckn/cak. life and mode describe the
 * CAK (units of life are not visible here); is_authenticator selects the
 * role. Returns the participant handle (presumably NULL on failure).
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  const struct mka_key_name *ckn,
			  const struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  bool is_authenticator);
/* Remove the participant identified by ckn. */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Enable (status true) or disable participation for the participant ckn. */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    bool status);
/* Request generation/distribution of a new SAK. */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* cs_index indexes the cipher suite table (cf. macsec_csindex). */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/*
 * Record the latest / old key attributes (KI, AN, tx/rx use); argument names
 * match the l*/o* fields of struct ieee802_1x_kay.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      bool ltx, bool lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, bool otx, bool orx);
/* SA management for the SAK identified by the given KI. */
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/*
 * Write a textual status / MIB dump into buf (at most buflen bytes).
 * The exact return convention is not visible here - confirm in callers.
 */
int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
			      size_t buflen);
int ieee802_1x_kay_get_mib(struct ieee802_1x_kay *kay, char *buf,
			   size_t buflen);
283 
284 #endif /* IEEE802_1X_KAY_H */