1  /*
2   * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
3   * Copyright (c) 2013, Qualcomm Atheros, Inc.
4   *
5   * This software may be distributed under the terms of the BSD license.
6   * See README for more details.
7   */
8  
9  #ifndef IEEE802_1X_KAY_H
10  #define IEEE802_1X_KAY_H
11  
12  #include "utils/list.h"
13  #include "common/defs.h"
14  #include "common/ieee802_1x_defs.h"
15  
16  struct macsec_init_params;
17  
#define MI_LEN			12  /* 96-bit Member Identifier (MI), in octets */
#define MAX_KEY_LEN		32  /* 32 bytes, 256 bits; bound for struct mka_key::key */
#define MAX_CKN_LEN		32  /* 32 bytes, 256 bits; bound for struct mka_key_name::name */

/*
 * MKA timers, unit: millisecond. The values correspond to the MKA timer
 * parameters of IEEE 802.1X-2010 (Hello Time 2.0 s, Bounded Hello Time
 * 0.5 s, Life Time 6.0 s, SAK retire time 3.0 s); note MKA_LIFE_TIME is
 * three times MKA_HELLO_TIME, so a peer is aged out after three missed
 * hellos.
 */
#define MKA_HELLO_TIME		2000
#define MKA_BOUNDED_HELLO_TIME	 500
#define MKA_LIFE_TIME		6000
#define MKA_SAK_RETIRE_TIME	3000
27  
/**
 * struct ieee802_1x_mka_ki - Key Identifier (KI)
 * @mi: Key Server's Member Identifier (MI_LEN octets)
 * @kn: Key Number, assigned by the Key Server (u32; this file uses explicit
 *	be16/be32 types for wire-order fields, so this is host order)
 *
 * Identifies a distributed SAK: IEEE 802.1X-2010 9.8 SAK generation,
 * distribution, and selection. Compared as a whole (mi + kn) when looking
 * up a key, presumably; confirm in the implementation.
 */
struct ieee802_1x_mka_ki {
	u8 mi[MI_LEN];
	u32 kn;
};
38  
/**
 * struct ieee802_1x_mka_sci - Secure Channel Identifier (SCI)
 * @addr: MAC address component (ETH_ALEN octets)
 * @port: Port Identifier component, big-endian
 *
 * STRUCT_PACKED so that the struct has no padding and can presumably be
 * copied directly to/from the SCI field of an MKPDU; see also
 * mka_sci_u64() for the integer form handed to the driver.
 */
struct ieee802_1x_mka_sci {
	u8 addr[ETH_ALEN];
	be16 port;
} STRUCT_PACKED;
43  
/**
 * struct mka_key - Key material, e.g. the CAK passed to
 *	ieee802_1x_kay_create_mka()
 * @key: key octets; only the first @len bytes are meaningful
 * @len: number of valid octets in @key; must not exceed MAX_KEY_LEN
 *	(nothing in this header enforces that - the producer has to)
 *
 * NOTE(review): this holds secret material. Copies made by the
 * implementation should be cleared before being released; verify in the
 * .c file.
 */
struct mka_key {
	u8 key[MAX_KEY_LEN];
	size_t len;
};
48  
/**
 * struct mka_key_name - CAK Name (CKN)
 * @name: CKN octets; only the first @len bytes are meaningful
 * @len: number of valid octets in @name; must not exceed MAX_CKN_LEN
 *	(not enforced by this header)
 *
 * Used as the @ckn argument of ieee802_1x_kay_create_mka(),
 * ieee802_1x_kay_delete_mka() and ieee802_1x_kay_mka_participate() to
 * select an MKA participant.
 */
struct mka_key_name {
	u8 name[MAX_CKN_LEN];
	size_t len;
};
53  
/*
 * How the CAK/CKN of an MKA participant was obtained; passed as @mode to
 * ieee802_1x_kay_create_mka(). PSK: configured pre-shared key;
 * EAP_EXCHANGE: presumably derived from an EAP authentication (confirm in
 * the caller).
 */
enum mka_created_mode {
	PSK,
	EAP_EXCHANGE,
};
58  
/*
 * Secure Association Key (SAK) together with the KaY's bookkeeping for it.
 * The members above the "not defined data" marker correspond to the
 * standard's key attributes; the rest is implementation state.
 */
struct data_key {
	u8 *key; /* SAK octets; ownership and clearing on release are handled in the .c file - confirm */
	int key_len; /* length of key in octets (int here, size_t in struct mka_key) */
	struct ieee802_1x_mka_ki key_identifier; /* KI this SAK was distributed under */
	enum confidentiality_offset confidentiality_offset;
	u8 an; /* Association Number (AN) assigned to this SAK */
	bool transmits; /* presumably: SAK in use on a transmit SA */
	bool receives; /* presumably: SAK in use on a receive SA */
	struct os_time created_time;
	u32 next_pn; /* next Packet Number for this key */

	/* not defined data */
	bool rx_latest; /* this is the latest rx key (cf. ieee802_1x_kay_set_latest_sa_attr()) */
	bool tx_latest; /* this is the latest tx key */

	int user; /* use counter; presumably number of SAs referencing this key - confirm */

	struct dl_list list; /* list entry; owning list is in the .c file */
};
78  
/* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool transmitting; /* bool transmitting (read only) */

	struct os_time created_time; /* Time createdTime */

	u8 encoding_sa; /* AN encodingSA (read only) */
	u8 enciphering_sa; /* AN encipheringSA (read only) */

	/* not defined data */
	struct dl_list list; /* list entry; owning list not visible in this header */
	struct dl_list sa_list; /* head of the chain of struct transmit_sa::list */
};
93  
/* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct transmit_sa {
	bool in_use; /* bool inUse (read only) */
	u32 next_pn; /* PN nextPN (read only) */
	struct os_time created_time; /* Time createdTime */

	bool enable_transmit; /* bool EnableTransmit */

	u8 an; /* Association Number of this SA */
	bool confidentiality; /* presumably: encrypt, not only integrity-protect - confirm */
	struct data_key *pkey; /* SAK used by this SA; not owned here (see struct data_key::user) */

	struct transmit_sc *sc; /* parent SC (back pointer) */
	struct dl_list list; /* list entry in struct transmit_sc::sa_list */
};
109  
/* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sc {
	struct ieee802_1x_mka_sci sci; /* const SCI sci */
	bool receiving; /* bool receiving (read only) */

	struct os_time created_time; /* Time createdTime */

	/* not defined data */
	struct dl_list list; /* list entry; owning list not visible in this header */
	struct dl_list sa_list; /* head of the chain of struct receive_sa::list */
};
120  
/* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
struct receive_sa {
	bool enable_receive; /* bool enableReceive */
	bool in_use; /* bool inUse (read only) */

	u32 next_pn; /* PN nextPN (read only) */
	u32 lowest_pn; /* PN lowestPN (read only); replay-window floor reported by the driver */
	u8 an; /* Association Number of this SA */
	struct os_time created_time; /* Time createdTime */

	struct data_key *pkey; /* SAK used by this SA; not owned here (see struct data_key::user) */
	struct receive_sc *sc; /* parent SC (back pointer) */

	/* The original comment on sc above ("list entry in ...") belonged here,
	 * mirroring struct transmit_sa. */
	struct dl_list list; /* list entry in struct receive_sc::sa_list */
};
136  
/*
 * Callbacks through which the KaY drives the MACsec implementation.
 * Every callback receives the @ctx member as its first argument
 * (presumably - confirm in the .c file) and returns an int; the hostap
 * convention is 0 on success and negative on failure. All pointers must be
 * set before ieee802_1x_kay_init() is called with this struct.
 */
struct ieee802_1x_kay_ctx {
	/* pointer to arbitrary upper level context */
	void *ctx;

	/* abstract wpa driver interface */
	int (*macsec_init)(void *ctx, struct macsec_init_params *params);
	int (*macsec_deinit)(void *ctx);
	/* parameter is named priv here but is the same ctx as the other callbacks */
	int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
	int (*enable_protect_frames)(void *ctx, bool enabled);
	int (*enable_encrypt)(void *ctx, bool enabled);
	/* window: replay window in packets, meaningful only when enabled */
	int (*set_replay_protect)(void *ctx, bool enabled, u32 window);
	int (*set_current_cipher_suite)(void *ctx, u64 cs);
	int (*enable_controlled_port)(void *ctx, bool enabled);
	/* PN accessors read/write struct receive_sa::lowest_pn and
	 * struct transmit_sa::next_pn respectively - presumably; confirm */
	int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
	int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
	int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
				 enum validate_frames vf,
				 enum confidentiality_offset co);
	int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
	int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
	int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
				  enum confidentiality_offset co);
	int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
	int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
	int (*set_offload)(void *ctx, u8 offload);
};
171  
/*
 * KaY (Key Agreement Entity) instance, one per interface. Allocated by
 * ieee802_1x_kay_init() and released by ieee802_1x_kay_deinit().
 */
struct ieee802_1x_kay {
	bool enable;
	bool active;

	/* PAE-visible outcome flags */
	bool authenticated;
	bool secured;
	bool failed;

	/* actor = this KaY; key server = elected peer or self */
	struct ieee802_1x_mka_sci actor_sci;
	u8 actor_priority;
	struct ieee802_1x_mka_sci key_server_sci;
	u8 key_server_priority;

	/* MACsec capability and requested/negotiated settings */
	enum macsec_cap macsec_capable;
	bool macsec_desired;
	bool macsec_protect;
	bool macsec_encrypt;
	bool macsec_replay_protect;
	u32 macsec_replay_window; /* meaningful only when macsec_replay_protect */
	enum validate_frames macsec_validate;
	enum confidentiality_offset macsec_confidentiality;
	u32 mka_hello_time; /* milliseconds, cf. MKA_HELLO_TIME */

	/* latest (l) and old (o) tx/rx key number and AN, as set via
	 * ieee802_1x_kay_set_latest_sa_attr() / _set_old_sa_attr() */
	u32 ltx_kn;
	u8 ltx_an;
	u32 lrx_kn;
	u8 lrx_an;

	u32 otx_kn;
	u8 otx_an;
	u32 orx_kn;
	u8 orx_an;

	/* not defined in IEEE802.1X */
	struct ieee802_1x_kay_ctx *ctx; /* driver callbacks; not owned here - confirm */
	bool is_key_server;
	bool is_obliged_key_server;
	bool include_icv_indicator; /* Always include ICV Indicator */
	char if_name[IFNAMSIZ]; /* must stay NUL-terminated; filled from ifname in ieee802_1x_kay_init() (presumably) */
	u8 macsec_offload;

	unsigned int macsec_csindex;  /* MACsec cipher suite table index */
	int mka_algindex;  /* MKA alg table index */

	/* SAK distribution state when acting as key server */
	u32 dist_kn;
	u32 rcvd_keys;
	u8 dist_an;
	time_t dist_time;

	u8 mka_version;
	u8 algo_agility[4];

	u32 pn_exhaustion; /* PN threshold that triggers a new SAK - presumably; confirm */
	bool port_enable;
	bool rx_enable;
	bool tx_enable;

	struct dl_list participant_list; /* struct ieee802_1x_mka_participant entries (opaque here) */
	enum macsec_policy policy;

	struct ieee802_1x_cp_sm *cp; /* CP state machine (opaque here) */

	struct l2_packet_data *l2_mka; /* L2 socket for MKPDUs (opaque here) */

	enum validate_frames vf;
	enum confidentiality_offset co;
};
239  
240  
/* Pack @sci (MAC address + port) into one u64 for the driver interface;
 * the byte order of the result is defined by the implementation. */
u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);

/**
 * ieee802_1x_kay_init - Allocate and initialize a KaY instance
 * @ctx: driver callbacks and upper-level context (all callbacks set)
 * @policy: MACsec policy
 * @macsec_replay_protect: enable replay protection
 * @macsec_replay_window: replay window, used when replay protection is on
 * @macsec_offload: MACsec offload setting handed to the driver
 * @port: Port Identifier component of the actor SCI
 * @priority: actor key server election priority
 * @macsec_csindex: MACsec cipher suite table index
 * @include_icv_indicator: always include the ICV Indicator in MKPDUs
 * @ifname: interface name (presumably copied into if_name[IFNAMSIZ])
 * @addr: MAC address component of the actor SCI (ETH_ALEN octets)
 * Returns: new KaY instance, or %NULL on failure (presumably; check callers)
 */
struct ieee802_1x_kay *
ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
		    bool macsec_replay_protect, u32 macsec_replay_window,
		    u8 macsec_offload, u16 port, u8 priority,
		    u32 macsec_csindex, bool include_icv_indicator,
		    const char *ifname, const u8 *addr);
/* Release a KaY returned by ieee802_1x_kay_init() and everything it owns. */
void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);

/**
 * ieee802_1x_kay_create_mka - Create an MKA participant for a CAK/CKN pair
 * @kay: KaY instance
 * @ckn: CAK Name; the participant is later addressed by this name
 * @cak: CAK secret material; copied by the implementation (caller keeps
 *	ownership of @cak - confirm)
 * @life: lifetime of the participant (units not visible here - confirm)
 * @mode: how the CAK was obtained
 * @is_authenticator: role of the local side
 * Returns: the participant, or %NULL on failure (presumably)
 */
struct ieee802_1x_mka_participant *
ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
			  const struct mka_key_name *ckn,
			  const struct mka_key *cak,
			  u32 life, enum mka_created_mode mode,
			  bool is_authenticator);
/* Remove the participant identified by @ckn. */
void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
			       struct mka_key_name *ckn);
/* Enable (@status true) or disable participation of the participant @ckn. */
void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
				    struct mka_key_name *ckn,
				    bool status);
/* Generate and distribute a new SAK (key server side). */
int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
/* Switch to the cipher suite at table index @cs_index. */
int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
				       unsigned int cs_index);

/*
 * CP state machine interface: latest/old SA attributes, SA lifecycle, and
 * new-info signalling. The int functions follow the hostap convention of
 * 0 on success and negative on failure - confirm in the implementation.
 */
int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
				      struct ieee802_1x_mka_ki *lki, u8 lan,
				      bool ltx, bool lrx);
int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
				   struct ieee802_1x_mka_ki *oki,
				   u8 oan, bool otx, bool orx);
int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
			      struct ieee802_1x_mka_ki *ki);
int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
				 struct ieee802_1x_mka_ki *lki);
int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
/*
 * Write status / MIB text into @buf of size @buflen. The returned int is
 * presumably the number of bytes written; callers must not assume the
 * output fits and should check the return value against @buflen.
 */
int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
			      size_t buflen);
int ieee802_1x_kay_get_mib(struct ieee802_1x_kay *kay, char *buf,
			   size_t buflen);
285  
286  #endif /* IEEE802_1X_KAY_H */
287