|
 |
6c9f0c |
From 6b6175b788c5f44ff40f61003cbdb315dfabe0a2 Mon Sep 17 00:00:00 2001
|
|
|
6c9f0c |
Message-Id: <6b6175b788c5f44ff40f61003cbdb315dfabe0a2.1488376601.git.dcaratti@redhat.com>
|
|
|
6c9f0c |
From: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
Date: Fri, 21 Oct 2016 14:45:27 +0200
|
|
|
6c9f0c |
Subject: [PATCH] mka: Sync structs definitions with IEEE Std 802.1X-2010
|
|
|
6c9f0c |
|
|
|
6c9f0c |
Document some data structures from IEEE Std 802.1X-2010, and add the
|
|
|
6c9f0c |
(not used yet) struct ieee802_1x_mka_dist_cak_body.
|
|
|
6c9f0c |
|
|
|
6c9f0c |
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
|
|
|
6c9f0c |
---
|
|
|
6c9f0c |
src/pae/ieee802_1x_kay.h | 8 +++-
|
|
|
6c9f0c |
src/pae/ieee802_1x_kay_i.h | 97 +++++++++++++++++++++++++++++++++++++++++++++-
|
|
|
6c9f0c |
2 files changed, 103 insertions(+), 2 deletions(-)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_kay.h b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
index c6fa387..e2ba180 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_kay.h
|
|
|
6c9f0c |
@@ -15,7 +15,7 @@
|
|
|
6c9f0c |
|
|
|
6c9f0c |
struct macsec_init_params;
|
|
|
6c9f0c |
|
|
|
6c9f0c |
-#define MI_LEN 12
|
|
|
6c9f0c |
+#define MI_LEN 12 /* 96-bit Member Identifier */
|
|
|
6c9f0c |
#define MAX_KEY_LEN 32 /* 32 bytes, 256 bits */
|
|
|
6c9f0c |
#define MAX_CKN_LEN 32 /* 32 bytes, 256 bits */
|
|
|
6c9f0c |
|
|
|
6c9f0c |
@@ -24,6 +24,12 @@ struct macsec_init_params;
|
|
|
6c9f0c |
#define MKA_LIFE_TIME 6000
|
|
|
6c9f0c |
#define MKA_SAK_RETIRE_TIME 3000
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_ki - Key Identifier (KI)
|
|
|
6c9f0c |
+ * @mi: Key Server's Member Identifier
|
|
|
6c9f0c |
+ * @kn: Key Number, assigned by the Key Server
|
|
|
6c9f0c |
+ * IEEE 802.1X-2010 9.8 SAK generation, distribution, and selection
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
struct ieee802_1x_mka_ki {
|
|
|
6c9f0c |
u8 mi[MI_LEN];
|
|
|
6c9f0c |
u32 kn;
|
|
|
6c9f0c |
diff --git a/src/pae/ieee802_1x_kay_i.h b/src/pae/ieee802_1x_kay_i.h
|
|
|
6c9f0c |
index e3d7db4..0c4bb8e 100644
|
|
|
6c9f0c |
--- a/src/pae/ieee802_1x_kay_i.h
|
|
|
6c9f0c |
+++ b/src/pae/ieee802_1x_kay_i.h
|
|
|
6c9f0c |
@@ -168,6 +168,22 @@ struct ieee802_1x_mka_hdr {
|
|
|
6c9f0c |
|
|
|
6c9f0c |
#define MKA_HDR_LEN sizeof(struct ieee802_1x_mka_hdr)
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_basic_body - Basic Parameter Set (Figure 11-8)
|
|
|
6c9f0c |
+ * @version: MKA Version Identifier
|
|
|
6c9f0c |
+ * @priority: Key Server Priority
|
|
|
6c9f0c |
+ * @length: Parameter set body length
|
|
|
6c9f0c |
+ * @macsec_capability: MACsec capability, as defined in ieee802_1x_defs.h
|
|
|
6c9f0c |
+ * @macsec_desired: the participant wants MACsec to be used to protect frames
|
|
|
6c9f0c |
+ * (9.6.1)
|
|
|
6c9f0c |
+ * @key_server: the participant has not decided that another participant is or
|
|
|
6c9f0c |
+ * will be the key server (9.5.1)
|
|
|
6c9f0c |
+ * @length1: Parameter set body length (cont)
|
|
|
6c9f0c |
+ * @actor_mi: Actor's Member Identifier
|
|
|
6c9f0c |
+ * @actor_mn: Actor's Message Number
|
|
|
6c9f0c |
+ * @algo_agility: Algorithm Agility parameter
|
|
|
6c9f0c |
+ * @ckn: CAK Name
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
struct ieee802_1x_mka_basic_body {
|
|
|
6c9f0c |
/* octet 1 */
|
|
|
6c9f0c |
u8 version;
|
|
|
6c9f0c |
@@ -197,6 +213,14 @@ struct ieee802_1x_mka_basic_body {
|
|
|
6c9f0c |
u8 ckn[0];
|
|
|
6c9f0c |
};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_peer_body - Live Peer List and Potential Peer List
|
|
|
6c9f0c |
+ * parameter sets (Figure 11-9)
|
|
|
6c9f0c |
+ * @type: Parameter set type (1 or 2)
|
|
|
6c9f0c |
+ * @length: Parameter set body length
|
|
|
6c9f0c |
+ * @length1: Parameter set body length (cont)
|
|
|
6c9f0c |
+ * @peer: array of (MI, MN) pairs
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
struct ieee802_1x_mka_peer_body {
|
|
|
6c9f0c |
/* octet 1 */
|
|
|
6c9f0c |
u8 type;
|
|
|
6c9f0c |
@@ -217,6 +241,28 @@ struct ieee802_1x_mka_peer_body {
|
|
|
6c9f0c |
/* followed by Peers */
|
|
|
6c9f0c |
};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_sak_use_body - MACsec SAK Use parameter set (Figure
|
|
|
6c9f0c |
+ * 11-10)
|
|
|
6c9f0c |
+ * @type: MKA message type
|
|
|
6c9f0c |
+ * @lan: latest key AN
|
|
|
6c9f0c |
+ * @ltx: latest key TX
|
|
|
6c9f0c |
+ * @lrx: latest key RX
|
|
|
6c9f0c |
+ * @oan: old key AN
|
|
|
6c9f0c |
+ * @otx: old key TX
|
|
|
6c9f0c |
+ * @orx: old key RX
|
|
|
6c9f0c |
+ * @ptx: plain TX, ie protectFrames is False
|
|
|
6c9f0c |
+ * @prx: plain RX, ie validateFrames is not Strict
|
|
|
6c9f0c |
+ * @delay_protect: True if LPNs are being reported sufficiently frequently to
|
|
|
6c9f0c |
+ * allow the recipient to provide data delay protection. If False, the LPN
|
|
|
6c9f0c |
+ * can be reported as zero.
|
|
|
6c9f0c |
+ * @lsrv_mi: latest key server MI
|
|
|
6c9f0c |
+ * @lkn: latest key number (together with MI, form the KI)
|
|
|
6c9f0c |
+ * @llpn: latest lowest acceptable PN (LPN)
|
|
|
6c9f0c |
+ * @osrv_mi: old key server MI
|
|
|
6c9f0c |
+ * @okn: old key number (together with MI, form the KI)
|
|
|
6c9f0c |
+ * @olpn: old lowest acceptable PN (LPN)
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
struct ieee802_1x_mka_sak_use_body {
|
|
|
6c9f0c |
/* octet 1 */
|
|
|
6c9f0c |
u8 type;
|
|
|
6c9f0c |
@@ -270,7 +316,21 @@ struct ieee802_1x_mka_sak_use_body {
|
|
|
6c9f0c |
be32 olpn;
|
|
|
6c9f0c |
};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
-
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_dist_sak_body - Distributed SAK parameter set
|
|
|
6c9f0c |
+ * (GCM-AES-128, Figure 11-11)
|
|
|
6c9f0c |
+ * @type: Parameter set type (4)
|
|
|
6c9f0c |
+ * @length: Parameter set body length
|
|
|
6c9f0c |
+ * @length1: Parameter set body length (cont)
|
|
|
6c9f0c |
+ * Total parameter body length values:
|
|
|
6c9f0c |
+ * - 0 for plain text
|
|
|
6c9f0c |
+ * - 28 for GCM-AES-128
|
|
|
6c9f0c |
+ * - 36 or more for other cipher suites
|
|
|
6c9f0c |
+ * @confid_offset: confidentiality offset, as defined in ieee802_1x_defs.h
|
|
|
6c9f0c |
+ * @dan: distributed AN (0 for plain text)
|
|
|
6c9f0c |
+ * @kn: Key Number
|
|
|
6c9f0c |
+ * @sak: AES Key Wrap of SAK (see 9.8)
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
struct ieee802_1x_mka_dist_sak_body {
|
|
|
6c9f0c |
/* octet 1 */
|
|
|
6c9f0c |
u8 type;
|
|
|
6c9f0c |
@@ -303,6 +363,41 @@ struct ieee802_1x_mka_dist_sak_body {
|
|
|
6c9f0c |
u8 sak[0];
|
|
|
6c9f0c |
};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
+/**
|
|
|
6c9f0c |
+ * struct ieee802_1x_mka_dist_cak_body - Distributed CAK parameter set (Figure
|
|
|
6c9f0c |
+ * 11-13)
|
|
|
6c9f0c |
+ * @type: Parameter set type (5)
|
|
|
6c9f0c |
+ * @length: Parameter set body length
|
|
|
6c9f0c |
+ * @length1: Parameter set body length (cont)
|
|
|
6c9f0c |
+ * Total parameter body length values:
|
|
|
6c9f0c |
+ * - 0 for plain text
|
|
|
6c9f0c |
+ * - 28 for GCM-AES-128
|
|
|
6c9f0c |
+ * - 36 or more for other cipher suites
|
|
|
6c9f0c |
+ * @cak: AES Key Wrap of CAK (see 9.8)
|
|
|
6c9f0c |
+ * @ckn: CAK Name
|
|
|
6c9f0c |
+ */
|
|
|
6c9f0c |
+struct ieee802_1x_mka_dist_cak_body {
|
|
|
6c9f0c |
+ /* octet 1 */
|
|
|
6c9f0c |
+ u8 type;
|
|
|
6c9f0c |
+ /* octet 2 */
|
|
|
6c9f0c |
+ u8 reserve;
|
|
|
6c9f0c |
+ /* octet 3 */
|
|
|
6c9f0c |
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
|
|
6c9f0c |
+ u8 length:4;
|
|
|
6c9f0c |
+ u8 reserve1:4;
|
|
|
6c9f0c |
+#elif __BYTE_ORDER == __BIG_ENDIAN
|
|
|
6c9f0c |
+ u8 reserve1:4;
|
|
|
6c9f0c |
+ u8 length:4;
|
|
|
6c9f0c |
+#endif
|
|
|
6c9f0c |
+ /* octet 4 */
|
|
|
6c9f0c |
+ u8 length1;
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ /* octet 5 - 28 */
|
|
|
6c9f0c |
+ u8 cak[24];
|
|
|
6c9f0c |
+
|
|
|
6c9f0c |
+ /* followed by CAK Name, 29- */
|
|
|
6c9f0c |
+ u8 ckn[0];
|
|
|
6c9f0c |
+};
|
|
|
6c9f0c |
|
|
|
6c9f0c |
struct ieee802_1x_mka_icv_body {
|
|
|
6c9f0c |
/* octet 1 */
|
|
|
6c9f0c |
--
|
|
|
6c9f0c |
2.7.4
|
|
|
6c9f0c |
|