1/*
 * IEEE 802.1X-2010 Key Agreement Protocol of PAE state machine
3 * Copyright (c) 2013, Qualcomm Atheros, Inc.
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#ifndef IEEE802_1X_KAY_H
10#define IEEE802_1X_KAY_H
11
12#include "utils/list.h"
13#include "common/defs.h"
14#include "common/ieee802_1x_defs.h"
15
16struct macsec_init_params;
17struct ieee802_1x_cp_conf;
18
/* Length in octets of an MKA Member Identifier (MI); see struct ieee802_1x_mka_ki. */
#define MI_LEN			12
/*
 * Upper bound for the bytes held in struct mka_key, i.e. key material such as
 * the CAK passed to ieee802_1x_kay_create_mka(). Any len stored next to such a
 * buffer must be validated against this bound before the buffer is filled.
 */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits */
/* Upper bound for the CAK name (CKN) bytes held in struct mka_key_name. */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits */

/* MKA timer, unit: millisecond */
/*
 * The three values below correspond to the IEEE 802.1X-2010 defaults
 * (MKA Hello Time 2 s, MKA Life Time 6 s, SAK retire time 3 s).
 */
/* Interval between periodic MKPDU transmissions. */
#define MKA_HELLO_TIME		2000
/* A peer that has not been heard from for this long is no longer live. */
#define MKA_LIFE_TIME		6000
/* How long a superseded SAK is kept before being retired. */
#define MKA_SAK_RETIRE_TIME	3000
27
/*
 * Key Identifier (KI): names one SAK by the Member Identifier of the MKA
 * participant that distributed it plus the key number that participant
 * assigned (IEEE 802.1X-2010 terminology). Passed to the *_sa_attr() and
 * *_sas() functions declared below.
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];	/* Member Identifier, MI_LEN octets */
	u32 kn;		/* Key Number; byte order is not fixed here - confirm at use */
};
32
/*
 * Secure Channel Identifier (SCI): a MAC address plus a port identifier,
 * together naming one MACsec secure channel. Used both for the local actor
 * and for the elected key server (see struct ieee802_1x_kay) and handed to
 * the driver when receive/transmit SCs are created.
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];	/* MAC address component of the SCI */
	u16 port;		/* port identifier; byte order not fixed here - confirm at use */
};
37
/*
 * Fixed-size holder for secret key material, e.g. the CAK handed to
 * ieee802_1x_kay_create_mka(). Only the first @len bytes of @key are
 * meaningful and @len must never exceed MAX_KEY_LEN; whoever fills the
 * structure has to enforce that bound. Since the contents are a secret,
 * instances should be cleared once they are no longer needed rather than
 * left behind on the stack or heap.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];	/* raw key bytes; only key[0..len-1] are valid */
	size_t len;		/* number of valid bytes in key, <= MAX_KEY_LEN */
};
42
/*
 * CAK Name (CKN): identifies a CAK without revealing it. Used to look up the
 * MKA participant created for that CAK (see ieee802_1x_kay_delete_mka() and
 * ieee802_1x_kay_mka_participate()). Only the first @len bytes of @name are
 * meaningful and @len must not exceed MAX_CKN_LEN.
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];	/* CKN bytes; only name[0..len-1] are valid */
	size_t len;		/* number of valid bytes in name, <= MAX_CKN_LEN */
};
47
/*
 * How a CAK was obtained; passed as the @mode argument of
 * ieee802_1x_kay_create_mka(). The per-value meanings below follow from the
 * names only - confirm against the implementation before relying on them.
 */
enum mka_created_mode {
	PSK,		/* pre-shared key configured locally */
	EAP_EXCHANGE,	/* derived from an EAP authentication exchange */
	DISTRIBUTED,	/* distributed by a key server */
	CACHED,		/* restored from a cache */
};
54
/*
 * Driver-facing callback table through which the KaY programs MACsec into the
 * underlying interface. Every callback receives the opaque @ctx pointer
 * stored in this structure as its first argument. All callbacks return int;
 * the convention (presumably 0 on success, negative on failure) is not
 * visible in this header - confirm against the driver implementations.
 *
 * Channel/association numbering: @channel selects a secure channel (SC) on
 * the driver side and @an an association number within it; the SAK pointers
 * are passed without a length, so the driver must take the key length from
 * the cipher suite selected via set_current_cipher_suite() - confirm.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	/* Bring MACsec up/down on the interface. */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* Whether outgoing frames are MACsec-protected at all. */
	int (*enable_protect_frames)(void *ctx, Boolean enabled);
	/* Replay protection on/off plus the accepted PN window size. */
	int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
	/* Select the cipher suite by its identifier bytes (@cs, @cs_len). */
	int (*set_current_cipher_suite)(void *ctx, const u8 *cs, size_t cs_len);
	/* Open/close the controlled port (i.e. whether user traffic passes). */
	int (*enable_controlled_port)(void *ctx, Boolean enabled);
	/* Packet-number bookkeeping per (channel, an). */
	int (*get_receive_lowest_pn)(void *ctx, u32 channel, u8 an,
				     u32 *lowest_pn);
	int (*get_transmit_next_pn)(void *ctx, u32 channel, u8 an,
				    u32 *next_pn);
	int (*set_transmit_next_pn)(void *ctx, u32 channel, u8 an, u32 next_pn);
	/* Receive-side secure channel / secure association management. */
	int (*get_available_receive_sc)(void *ctx, u32 *channel);
	int (*create_receive_sc)(void *ctx, u32 channel,
				 struct ieee802_1x_mka_sci *sci,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, u32 channel);
	/* @sak is raw key material; its length is not passed (see above). */
	int (*create_receive_sa)(void *ctx, u32 channel, u8 an, u32 lowest_pn,
				 const u8 *sak);
	int (*enable_receive_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_receive_sa)(void *ctx, u32 channel, u8 an);
	/* Transmit-side secure channel / secure association management. */
	int (*get_available_transmit_sc)(void *ctx, u32 *channel);
	int (*create_transmit_sc)(void *ctx, u32 channel,
				  const struct ieee802_1x_mka_sci *sci,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, u32 channel);
	/* @confidentiality selects encryption vs. integrity-only; @sak as above. */
	int (*create_transmit_sa)(void *ctx, u32 channel, u8 an, u32 next_pn,
				  Boolean confidentiality, const u8 *sak);
	int (*enable_transmit_sa)(void *ctx, u32 channel, u8 an);
	int (*disable_transmit_sa)(void *ctx, u32 channel, u8 an);
};
91
/*
 * State of one Key Agreement Entity (KaY) bound to a single interface.
 * Created by ieee802_1x_kay_init() and released by ieee802_1x_kay_deinit().
 * Field comments describe what this header shows; anything marked "presumably"
 * is inferred from the name and should be confirmed in the .c file.
 */
struct ieee802_1x_kay {
	Boolean enable;		/* KaY administratively enabled */
	Boolean active;		/* KaY currently operating */

	/* PAE-visible status flags */
	Boolean authenticated;
	Boolean secured;
	Boolean failed;

	/* this system's SCI and key-server priority ... */
	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	/* ... and those of the elected key server */
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	/* MACsec capability and the parameters negotiated/required for it */
	enum macsec_cap macsec_capable;
	Boolean macsec_desired;
	Boolean macsec_protect;
	Boolean macsec_replay_protect;
	u32 macsec_replay_window;	/* replay window passed to set_replay_protect() presumably */
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;

	/*
	 * Latest (l*) and old (o*) transmit/receive key number and association
	 * number; set via ieee802_1x_kay_set_latest_sa_attr() and
	 * ieee802_1x_kay_set_old_sa_attr() below.
	 */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx;	/* driver callback table, not owned here presumably */
	Boolean is_key_server;		/* this KaY is the elected key server */
	Boolean is_obliged_key_server;	/* this KaY must act as key server presumably */
	char if_name[IFNAMSIZ];		/* IFNAMSIZ comes from a system header, not this file */

	int macsec_csindex;  /*  MACsec cipher suite table index */
	int mka_algindex;  /* MKA alg table index */

	/* SAK distribution bookkeeping: key number, AN and time - presumably of the last distributed SAK */
	u32 dist_kn;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;		/* MKA protocol version in use */
	u8 algo_agility[4];	/* algorithm agility parameter, 4 octets */
	u32 sc_ch;		/* driver channel of the secure channel presumably */

	u32 pn_exhaustion;	/* PN threshold that triggers a new SAK presumably */
	Boolean port_enable;
	Boolean rx_enable;
	Boolean tx_enable;

	struct dl_list participant_list;	/* MKA participants, one per CAK (see ieee802_1x_kay_create_mka()) */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp;		/* Controlled Port state machine */

	struct l2_packet_data *l2_mka;		/* L2 socket used for MKPDUs */

	/* frame validation mode and confidentiality offset currently applied */
	enum validate_frames vf;
	enum confidentiality_offset co;
};
155
156
/**
 * ieee802_1x_kay_init - Create a KaY instance for one interface
 * @ctx: Driver callback table the KaY will use
 * @policy: MACsec policy to apply
 * @ifname: Interface name
 * @addr: Local MAC address (presumably used for the actor SCI)
 * Returns: The new KaY, or NULL on failure (return convention assumed; confirm)
 *
 * The returned object is released with ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    const char *ifname, const u8 *addr);
/**
 * ieee802_1x_kay_deinit - Tear down a KaY created by ieee802_1x_kay_init()
 * @kay: KaY instance; must not be used afterwards
 */
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
161
/**
 * ieee802_1x_kay_create_mka - Create an MKA participant for a CAK
 * @kay: KaY instance
 * @ckn: Name (CKN) of the CAK
 * @cak: The CAK itself; secret material, see struct mka_key
 * @life: Lifetime of the CAK (units not stated here - confirm)
 * @mode: How the CAK was obtained
 * @is_authenticator: Whether this side acts as authenticator
 * Returns: The participant, or NULL on failure (assumed; confirm)
 *
 * Whether @cak and @ckn are copied or referenced is not visible in this
 * header; callers should confirm before clearing or freeing their copies.
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  struct mka_key_name *ckn, struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  Boolean is_authenticator);
/**
 * ieee802_1x_kay_delete_mka - Remove the participant identified by @ckn
 * @kay: KaY instance
 * @ckn: CKN of the participant to remove
 */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/**
 * ieee802_1x_kay_mka_participate - Start/stop active participation for a CAK
 * @kay: KaY instance
 * @ckn: CKN of the participant
 * @status: TRUE to participate, FALSE to stop (presumably)
 */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    Boolean status);
/**
 * ieee802_1x_kay_new_sak - Trigger generation/distribution of a new SAK
 * @kay: KaY instance
 * Returns: 0 on success, negative on failure (assumed; confirm)
 */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/**
 * ieee802_1x_kay_change_cipher_suite - Switch to another cipher suite
 * @kay: KaY instance
 * @cs_index: Index into the cipher suite table (cf. kay->macsec_csindex)
 * Returns: 0 on success, negative on failure (assumed; confirm)
 */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       int cs_index);
175
/*
 * Interface used by the Controlled Port (CP) state machine to drive secure
 * association (SA) life cycle in the KaY. All functions take the KaY instance
 * and return int; the convention is presumably 0 on success and negative on
 * failure - confirm against the implementation.
 */

/**
 * ieee802_1x_kay_set_latest_sa_attr - Record the latest key's identifiers
 * @kay: KaY instance
 * @lki: Key identifier of the latest SAK
 * @lan: Association number of the latest SAK
 * @ltx: Latest key is used for transmit
 * @lrx: Latest key is used for receive
 *
 * Corresponds to the ltx_kn/ltx_an/lrx_kn/lrx_an fields of struct ieee802_1x_kay.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      Boolean ltx, Boolean lrx);
/**
 * ieee802_1x_kay_set_old_sa_attr - Record the old key's identifiers
 * @kay: KaY instance
 * @oki: Key identifier of the old SAK
 * @oan: Association number of the old SAK
 * @otx: Old key is used for transmit
 * @orx: Old key is used for receive
 *
 * Corresponds to the otx_kn/otx_an/orx_kn/orx_an fields of struct ieee802_1x_kay.
 */
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, Boolean otx, Boolean orx);
/**
 * ieee802_1x_kay_create_sas - Install SAs for the SAK identified by @lki
 * @kay: KaY instance
 * @lki: Key identifier of the SAK
 */
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
/**
 * ieee802_1x_kay_delete_sas - Remove SAs for the SAK identified by @ki
 * @kay: KaY instance
 * @ki: Key identifier of the SAK
 */
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
/**
 * ieee802_1x_kay_enable_tx_sas - Enable transmit SAs for the SAK @lki
 * @kay: KaY instance
 * @lki: Key identifier of the SAK
 */
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
/**
 * ieee802_1x_kay_enable_rx_sas - Enable receive SAs for the SAK @lki
 * @kay: KaY instance
 * @lki: Key identifier of the SAK
 */
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
/**
 * ieee802_1x_kay_enable_new_info - Signal that new information should be
 *	advertised to peers (presumably in the next MKPDU)
 * @kay: KaY instance
 */
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/**
 * ieee802_1x_kay_cp_conf - Fill the CP state machine configuration from the KaY
 * @kay: KaY instance
 * @pconf: Configuration structure to populate
 */
int ieee802_1x_kay_cp_conf(struct ieee802_1x_kay *kay,
			   struct ieee802_1x_cp_conf *pconf);
193
194#endif /* IEEE802_1X_KAY_H */
195