2 * IEEE 802.1X-2010 Key Agree Protocol of PAE state machine
3 * Copyright (c) 2013, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #ifndef IEEE802_1X_KAY_H
10 #define IEEE802_1X_KAY_H
12 #include "utils/list.h"
13 #include "common/defs.h"
14 #include "common/ieee802_1x_defs.h"
16 struct macsec_init_params;
18 #define MI_LEN 12 /* 96-bit Member Identifier */
19 #define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
20 #define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */
22 /* MKA timer, unit: millisecond */
23 #define MKA_HELLO_TIME 2000
24 #define MKA_BOUNDED_HELLO_TIME 500
25 #define MKA_LIFE_TIME 6000
26 #define MKA_SAK_RETIRE_TIME 3000
29 * struct ieee802_1x_mka_ki - Key Identifier (KI)
30 * @mi: Key Server's Member Identifier
31 * @kn: Key Number, assigned by the Key Server
32 * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
34 struct ieee802_1x_mka_ki {
39 struct ieee802_1x_mka_sci {
54 enum mka_created_mode {
62 struct ieee802_1x_mka_ki key_identifier;
63 enum confidentiality_offset confidentiality_offset;
67 struct os_time created_time;
70 /* not defined data */
79 /* TransmitSC in IEEE Std 802.1AE-2006, Figure 10-6 */
81 struct ieee802_1x_mka_sci sci; /* const SCI sci */
82 Boolean transmitting; /* bool transmitting (read only) */
84 struct os_time created_time; /* Time createdTime */
86 u8 encoding_sa; /* AN encodingSA (read only) */
87 u8 enciphering_sa; /* AN encipheringSA (read only) */
89 /* not defined data */
91 struct dl_list sa_list;
94 /* TransmitSA in IEEE Std 802.1AE-2006, Figure 10-6 */
96 Boolean in_use; /* bool inUse (read only) */
97 u32 next_pn; /* PN nextPN (read only) */
98 struct os_time created_time; /* Time createdTime */
100 Boolean enable_transmit; /* bool EnableTransmit */
103 Boolean confidentiality;
104 struct data_key *pkey;
106 struct transmit_sc *sc;
107 struct dl_list list; /* list entry in struct transmit_sc::sa_list */
110 /* ReceiveSC in IEEE Std 802.1AE-2006, Figure 10-6 */
112 struct ieee802_1x_mka_sci sci; /* const SCI sci */
113 Boolean receiving; /* bool receiving (read only) */
115 struct os_time created_time; /* Time createdTime */
118 struct dl_list sa_list;
121 /* ReceiveSA in IEEE Std 802.1AE-2006, Figure 10-6 */
123 Boolean enable_receive; /* bool enableReceive */
124 Boolean in_use; /* bool inUse (read only) */
126 u32 next_pn; /* PN nextPN (read only) */
127 u32 lowest_pn; /* PN lowestPN (read only) */
129 struct os_time created_time;
131 struct data_key *pkey;
132 struct receive_sc *sc; /* list entry in struct receive_sc::sa_list */
137 struct ieee802_1x_kay_ctx {
138 /* pointer to arbitrary upper level context */
141 /* abstract wpa driver interface */
142 int (*macsec_init)(void *ctx, struct macsec_init_params *params);
143 int (*macsec_deinit)(void *ctx);
144 int (*macsec_get_capability)(void *priv, enum macsec_cap *cap);
145 int (*enable_protect_frames)(void *ctx, Boolean enabled);
146 int (*enable_encrypt)(void *ctx, Boolean enabled);
147 int (*set_replay_protect)(void *ctx, Boolean enabled, u32 window);
148 int (*set_current_cipher_suite)(void *ctx, u64 cs);
149 int (*enable_controlled_port)(void *ctx, Boolean enabled);
150 int (*get_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
151 int (*get_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
152 int (*set_transmit_next_pn)(void *ctx, struct transmit_sa *sa);
153 int (*set_receive_lowest_pn)(void *ctx, struct receive_sa *sa);
154 int (*create_receive_sc)(void *ctx, struct receive_sc *sc,
155 enum validate_frames vf,
156 enum confidentiality_offset co);
157 int (*delete_receive_sc)(void *ctx, struct receive_sc *sc);
158 int (*create_receive_sa)(void *ctx, struct receive_sa *sa);
159 int (*delete_receive_sa)(void *ctx, struct receive_sa *sa);
160 int (*enable_receive_sa)(void *ctx, struct receive_sa *sa);
161 int (*disable_receive_sa)(void *ctx, struct receive_sa *sa);
162 int (*create_transmit_sc)(void *ctx, struct transmit_sc *sc,
163 enum confidentiality_offset co);
164 int (*delete_transmit_sc)(void *ctx, struct transmit_sc *sc);
165 int (*create_transmit_sa)(void *ctx, struct transmit_sa *sa);
166 int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
167 int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
168 int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
171 struct ieee802_1x_kay {
175 Boolean authenticated;
179 struct ieee802_1x_mka_sci actor_sci;
181 struct ieee802_1x_mka_sci key_server_sci;
182 u8 key_server_priority;
184 enum macsec_cap macsec_capable;
185 Boolean macsec_desired;
186 Boolean macsec_protect;
187 Boolean macsec_encrypt;
188 Boolean macsec_replay_protect;
189 u32 macsec_replay_window;
190 enum validate_frames macsec_validate;
191 enum confidentiality_offset macsec_confidentiality;
204 /* not defined in IEEE802.1X */
205 struct ieee802_1x_kay_ctx *ctx;
206 Boolean is_key_server;
207 Boolean is_obliged_key_server;
208 char if_name[IFNAMSIZ];
210 unsigned int macsec_csindex; /* MACsec cipher suite table index */
211 int mka_algindex; /* MKA alg table index */
226 struct dl_list participant_list;
227 enum macsec_policy policy;
229 struct ieee802_1x_cp_sm *cp;
231 struct l2_packet_data *l2_mka;
233 enum validate_frames vf;
234 enum confidentiality_offset co;
238 u64 mka_sci_u64(struct ieee802_1x_mka_sci *sci);
240 struct ieee802_1x_kay *
241 ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
242 Boolean macsec_replay_protect, u32 macsec_replay_window,
243 u16 port, u8 priority, const char *ifname, const u8 *addr);
244 void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
246 struct ieee802_1x_mka_participant *
247 ieee802_1x_kay_create_mka(struct ieee802_1x_kay *kay,
248 const struct mka_key_name *ckn,
249 const struct mka_key *cak,
250 u32 life, enum mka_created_mode mode,
251 Boolean is_authenticator);
252 void ieee802_1x_kay_delete_mka(struct ieee802_1x_kay *kay,
253 struct mka_key_name *ckn);
254 void ieee802_1x_kay_mka_participate(struct ieee802_1x_kay *kay,
255 struct mka_key_name *ckn,
257 int ieee802_1x_kay_new_sak(struct ieee802_1x_kay *kay);
258 int ieee802_1x_kay_change_cipher_suite(struct ieee802_1x_kay *kay,
259 unsigned int cs_index);
261 int ieee802_1x_kay_set_latest_sa_attr(struct ieee802_1x_kay *kay,
262 struct ieee802_1x_mka_ki *lki, u8 lan,
263 Boolean ltx, Boolean lrx);
264 int ieee802_1x_kay_set_old_sa_attr(struct ieee802_1x_kay *kay,
265 struct ieee802_1x_mka_ki *oki,
266 u8 oan, Boolean otx, Boolean orx);
267 int ieee802_1x_kay_create_sas(struct ieee802_1x_kay *kay,
268 struct ieee802_1x_mka_ki *lki);
269 int ieee802_1x_kay_delete_sas(struct ieee802_1x_kay *kay,
270 struct ieee802_1x_mka_ki *ki);
271 int ieee802_1x_kay_enable_tx_sas(struct ieee802_1x_kay *kay,
272 struct ieee802_1x_mka_ki *lki);
273 int ieee802_1x_kay_enable_rx_sas(struct ieee802_1x_kay *kay,
274 struct ieee802_1x_mka_ki *lki);
275 int ieee802_1x_kay_enable_new_info(struct ieee802_1x_kay *kay);
276 int ieee802_1x_kay_get_status(struct ieee802_1x_kay *kay, char *buf,
278 int ieee802_1x_kay_get_mib(struct ieee802_1x_kay *kay, char *buf,
281 #endif /* IEEE802_1X_KAY_H */