      1 /*
      2  * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
      3  * Copyright (c) 2013, Qualcomm Atheros, Inc.
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #ifndef IEEE802_1X_KAY_H
     10 #define IEEE802_1X_KAY_H
     11 
     12 #include "utils/list.h"
     13 #include "common/defs.h"
     14 #include "common/ieee802_1x_defs.h"
     15 
     16 struct macsec_init_params;
     17 struct ieee802_1x_cp_conf;
     18 
/* Member Identifier length in octets; sizes the mi[] field of
 * struct ieee802_1x_mka_ki below */
#define MI_LEN			12
/* Upper bounds for the fixed key/name buffers in struct mka_key and
 * struct mka_key_name; the actual length is carried in their len field */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits */

/* MKA timer, unit: millisecond */
#define MKA_HELLO_TIME		2000	/* MKPDU transmit interval */
#define MKA_LIFE_TIME		6000	/* peer is dropped when no MKPDU is seen for this long */
#define MKA_SAK_RETIRE_TIME	3000	/* delay before an old SAK is retired */
     27 
/*
 * Key Identifier: names a SAK by the Member Identifier of the key server
 * that distributed it plus a per-server Key Number. Compared as a whole
 * (mi and kn) when matching SAs; see the *_sa_attr and *_sas functions.
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];	/* Member Identifier of the distributing key server */
	u32 kn;		/* Key Number assigned by that key server */
};
     32 
/*
 * Secure Channel Identifier: MAC address plus port identifier of the
 * transmitting station. Note that port is stored in host order here; any
 * on-the-wire encoding/decoding happens in the .c file (assumed -- confirm).
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];	/* station MAC address */
	u16 port;		/* port identifier within that station */
};
     37 
/*
 * Secret key material (CAK or SAK) with its length. Only the first len
 * bytes of key[] are meaningful; len must never exceed MAX_KEY_LEN.
 * NOTE(review): this holds long-lived secrets -- instances should be
 * cleared before being freed or going out of scope; check the .c file.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];	/* key bytes, valid up to len */
	size_t len;		/* number of valid bytes in key[], <= MAX_KEY_LEN */
};
     42 
/*
 * CAK Name (CKN): public identifier used to look up the participant that
 * owns a given CAK. Only the first len bytes of name[] are meaningful;
 * len must never exceed MAX_CKN_LEN.
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];	/* CKN bytes, valid up to len */
	size_t len;		/* number of valid bytes in name[], <= MAX_CKN_LEN */
};
     47 
/*
 * How an MKA participant (its CAK) came into existence; passed to
 * ieee802_1x_kay_create_mka(). Exact semantics of each mode live in the
 * .c file -- the descriptions below follow the names and should be
 * confirmed there.
 */
enum mka_created_mode {
	PSK,		/* presumably a pre-shared CAK from configuration */
	EAP_EXCHANGE,	/* presumably a CAK derived from an EAP authentication */
	DISTRIBUTED,	/* presumably a CAK received through MKA distribution */
	CACHED,		/* presumably a CAK restored from a cache */
};
     54 
/*
 * Callbacks through which the KaY drives the MACsec data plane. Every
 * callback receives the opaque ctx pointer as its first argument and
 * returns an int; presumably 0 on success and negative on failure, in
 * line with the rest of the driver interface -- confirm against the
 * implementation. Secure channels are addressed by a u32 channel handle
 * and secure associations by that channel plus an association number (an).
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* global policy knobs: frame protection, replay protection (with its
	 * window), cipher suite selection and controlled-port state */
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, const u8 *cs, size_t cs_len);
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	/* packet number bookkeeping; values are returned through the out
	 * parameter and are only valid when the call succeeds */
	int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
				     u32 *lowest_pn);
	int (*get_transmit_next_pn)(void *ctx, u32 channel, u8 an,
				    u32 *next_pn);
	int (*set_transmit_next_pn)(void *ctx, u32 channel, u8 an, u32 next_pn);
	/* receive side: allocate a channel, then create/delete the SC and
	 * create/enable/disable SAs on it. The sak pointer carries secret
	 * key material; the callee is expected to copy it rather than keep
	 * the pointer (assumed -- confirm in the driver). */
	int (*get_available_receive_sc)(void *ctx, u32 *channel);
	int (*create_receive_sc)(void *ctx, u32 channel,
				 struct ieee802_1x_mka_sci *sci,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, u32 channel);
	int (*create_receive_sa)(void *ctx, u32 channel, u8 an, u32 lowest_pn,
				 const u8 *sak);
	int (*enable_receive_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_receive_sa)(void *ctx, u32 channel, u8 an);
	/* transmit side: same shape as the receive side; create_transmit_sa
	 * additionally selects whether the SA encrypts (confidentiality) or
	 * only integrity-protects */
	int (*get_available_transmit_sc)(void *ctx, u32 *channel);
	int (*create_transmit_sc)(void *ctx, u32 channel,
				  const struct ieee802_1x_mka_sci *sci,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, u32 channel);
	int (*create_transmit_sa)(void *ctx, u32 channel, u8 an, u32 next_pn,
				  Boolean confidentiality, const u8 *sak);
	int (*enable_transmit_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_transmit_sa)(void *ctx, u32 channel, u8 an);
};
     91 
/*
 * Per-port KaY (Key Agreement Entity) state. One instance is created by
 * ieee802_1x_kay_init() per interface and owns the list of MKA
 * participants plus the cached key/SA state that the CP state machine
 * reads through the accessor functions declared below.
 */
struct ieee802_1x_kay {
	/* administrative / operational status of the KaY */
	Boolean enable;
	Boolean active;

	/* outcome flags as seen by the PAE: at most one of secured/failed is
	 * expected to be set at a time (assumed -- confirm in the .c file) */
	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	/* this station's SCI and key-server priority, and the elected key
	 * server's SCI and priority */
	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	/* MACsec capability and policy pushed to the driver via the
	 * ieee802_1x_kay_ctx callbacks */
	enum macsec_cap macsec_capable;
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window;
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;

	/* latest (l*) transmit/receive key number and association number;
	 * updated by ieee802_1x_kay_set_latest_sa_attr() */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	/* old (o*) transmit/receive key number and association number;
	 * updated by ieee802_1x_kay_set_old_sa_attr() */
	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx;	/* driver callbacks; not owned here (assumed) */
	Boolean is_key_server;
	Boolean is_obliged_key_server;
	char if_name[IFNAMSIZ];	/* NUL-terminated interface name (assumed -- confirm) */

	int macsec_csindex;  /* MACsec cipher suite table index */
	int mka_algindex;  /* MKA alg table index */

	/* presumably the key number, AN and time of the last SAK
	 * distributed by this station as key server -- confirm in the .c file */
	u32 dist_kn;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	u8 algo_agility[4];
	u32 sc_ch;	/* channel handle of this station's transmit SC (assumed) */

	/* PN threshold that triggers a SAK refresh (assumed -- confirm) and
	 * current port/rx/tx enable state */
	u32 pn_exhaustion;
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	struct dl_list participant_list;	/* struct ieee802_1x_mka_participant entries */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp;	/* associated CP state machine */

	struct l2_packet_data *l2_mka;	/* L2 socket used to send/receive MKPDUs */

	enum validate_frames vf;
	enum confidentiality_offset co;
};
    155 
    156 
/*
 * Create a KaY for interface ifname with MAC address addr, using the
 * driver callbacks in ctx. Returns NULL on failure (assumed from the
 * pointer return; confirm in the .c file). Pair with
 * ieee802_1x_kay_deinit(), which releases everything the KaY owns.
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    const char *ifname, const u8 *addr);
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/*
 * Participant management, keyed by CKN. create_mka() is given the CKN and
 * the secret CAK by pointer; the caller is expected to keep ownership of
 * both (assumed -- confirm), so callers must clear their own copy of the
 * CAK once it is no longer needed. life is the CAK lifetime and mode
 * records how the CAK was obtained.
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  struct mka_key_name *ckn, struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
/* request a fresh SAK / switch cipher suite (by table index);
 * int return, presumably 0 on success and -1 on failure */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       int cs_index);

/*
 * Accessors used by the CP state machine: record the latest/old SA
 * attributes (key identifier, AN, tx/rx flags), and create, delete or
 * enable SAs for a given key identifier. All return int; presumably 0 on
 * success and -1 on failure -- confirm against the .c file.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/* fill pconf with the configuration the CP state machine needs */
int ieee802_1x_kay_cp_conf(struct ieee802_1x_kay *kay,
			   struct ieee802_1x_cp_conf *pconf);
    193 
    194 #endif /* IEEE802_1X_KAY_H */
    195