2 * IEEE 802.1X-2010 Controlled Port of PAE state machine - CP state machine
3 * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/defs.h"
14 #include "common/ieee802_1x_defs.h"
15 #include "utils/state_machine.h"
16 #include "ieee802_1x_kay.h"
17 #include "ieee802_1x_secy_ops.h"
18 #include "pae/ieee802_1x_cp.h"
20 #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
21 #define STATE_MACHINE_DEBUG_PREFIX "CP"
23 static u8 default_cs_id[] = CS_ID_GCM_AES_128;
25 /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
26 enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
28 struct ieee802_1x_cp_sm {
30 CP_BEGIN, CP_INIT, CP_CHANGE, CP_ALLOWED, CP_AUTHENTICATED,
31 CP_SECURED, CP_RECEIVE, CP_RECEIVING, CP_READY, CP_TRANSMIT,
32 CP_TRANSMITTING, CP_ABANDON, CP_RETIRE
40 enum connect_type connect;
41 u8 *authorization_data;
44 Boolean chgd_server; /* clear by CP */
46 u8 *authorization_data1;
47 enum confidentiality_offset cipher_offset;
49 Boolean new_sak; /* clear by CP */
50 struct ieee802_1x_mka_ki distributed_ki;
52 Boolean using_receive_sas;
53 Boolean all_receiving;
54 Boolean server_transmitting;
55 Boolean using_transmit_sa;
58 struct ieee802_1x_mka_ki *lki;
62 struct ieee802_1x_mka_ki *oki;
68 Boolean protect_frames;
69 enum validate_frames validate_frames;
71 Boolean replay_protect;
74 u8 *current_cipher_suite;
75 enum confidentiality_offset confidentiality_offset;
76 Boolean controlled_port_enabled;
79 Boolean port_enabled; /* SecY->CP */
87 /* not defined IEEE Std 802.1X-2010 */
88 struct ieee802_1x_kay *kay;
91 static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
93 static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
97 static int changed_cipher(struct ieee802_1x_cp_sm *sm)
99 return sm->confidentiality_offset != sm->cipher_offset ||
100 os_memcmp(sm->current_cipher_suite, sm->cipher_suite,
105 static int changed_connect(struct ieee802_1x_cp_sm *sm)
107 return sm->connect != SECURE || sm->chgd_server || changed_cipher(sm);
115 sm->controlled_port_enabled = FALSE;
116 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
118 sm->port_valid = FALSE;
130 sm->port_enabled = TRUE;
131 sm->chgd_server = FALSE;
137 SM_ENTRY(CP, CHANGE);
139 sm->port_valid = FALSE;
140 sm->controlled_port_enabled = FALSE;
141 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
144 ieee802_1x_kay_delete_sas(sm->kay, sm->lki);
146 ieee802_1x_kay_delete_sas(sm->kay, sm->oki);
150 SM_STATE(CP, ALLOWED)
152 SM_ENTRY(CP, ALLOWED);
154 sm->protect_frames = FALSE;
155 sm->replay_protect = FALSE;
156 sm->validate_frames = Checked;
158 sm->port_valid = FALSE;
159 sm->controlled_port_enabled = TRUE;
161 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
162 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
163 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
164 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
168 SM_STATE(CP, AUTHENTICATED)
170 SM_ENTRY(CP, AUTHENTICATED);
172 sm->protect_frames = FALSE;
173 sm->replay_protect = FALSE;
174 sm->validate_frames = Checked;
176 sm->port_valid = FALSE;
177 sm->controlled_port_enabled = TRUE;
179 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
180 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
181 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
182 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
186 SM_STATE(CP, SECURED)
188 struct ieee802_1x_cp_conf conf;
190 SM_ENTRY(CP, SECURED);
192 sm->chgd_server = FALSE;
194 ieee802_1x_kay_cp_conf(sm->kay, &conf);
195 sm->protect_frames = conf.protect;
196 sm->replay_protect = conf.replay_protect;
197 sm->validate_frames = conf.validate;
199 /* NOTE: now no other than default cipher suiter(AES-GCM-128) */
200 os_memcpy(sm->current_cipher_suite, sm->cipher_suite, CS_ID_LEN);
201 secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite,
204 sm->confidentiality_offset = sm->cipher_offset;
206 sm->port_valid = TRUE;
208 secy_cp_control_confidentiality_offset(sm->kay,
209 sm->confidentiality_offset);
210 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
211 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
212 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
216 SM_STATE(CP, RECEIVE)
218 SM_ENTRY(CP, RECEIVE);
219 /* RECEIVE state machine not keep with Figure 12-2 in
220 * IEEE Std 802.1X-2010 */
225 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
228 sm->lki = os_malloc(sizeof(*sm->lki));
230 wpa_printf(MSG_ERROR, "CP-%s: Out of memory", __func__);
233 os_memcpy(sm->lki, &sm->distributed_ki, sizeof(*sm->lki));
234 sm->lan = sm->distributed_an;
237 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
239 ieee802_1x_kay_create_sas(sm->kay, sm->lki);
240 ieee802_1x_kay_enable_rx_sas(sm->kay, sm->lki);
242 sm->all_receiving = FALSE;
246 SM_STATE(CP, RECEIVING)
248 SM_ENTRY(CP, RECEIVING);
251 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
253 sm->transmit_when = sm->transmit_delay;
254 eloop_cancel_timeout(ieee802_1x_cp_transmit_when_timeout, sm, NULL);
255 eloop_register_timeout(sm->transmit_when / 1000, 0,
256 ieee802_1x_cp_transmit_when_timeout, sm, NULL);
257 /* the electedSelf have been set before CP entering to RECEIVING
258 * but the CP will transmit from RECEIVING to READY under
259 * the !electedSelf when KaY is not key server */
260 ieee802_1x_cp_sm_step(sm);
261 sm->using_receive_sas = FALSE;
262 sm->server_transmitting = FALSE;
270 ieee802_1x_kay_enable_new_info(sm->kay);
274 SM_STATE(CP, TRANSMIT)
276 SM_ENTRY(CP, TRANSMIT);
278 sm->controlled_port_enabled = TRUE;
279 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
281 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
283 ieee802_1x_kay_enable_tx_sas(sm->kay, sm->lki);
284 sm->all_receiving = FALSE;
285 sm->server_transmitting = FALSE;
289 SM_STATE(CP, TRANSMITTING)
291 SM_ENTRY(CP, TRANSMITTING);
292 sm->retire_when = sm->orx ? sm->retire_delay : 0;
294 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
296 ieee802_1x_kay_enable_new_info(sm->kay);
297 eloop_cancel_timeout(ieee802_1x_cp_retire_when_timeout, sm, NULL);
298 eloop_register_timeout(sm->retire_when / 1000, 0,
299 ieee802_1x_cp_retire_when_timeout, sm, NULL);
300 sm->using_transmit_sa = FALSE;
304 SM_STATE(CP, ABANDON)
306 SM_ENTRY(CP, ABANDON);
308 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
310 ieee802_1x_kay_delete_sas(sm->kay, sm->lki);
314 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
322 SM_ENTRY(CP, RETIRE);
323 /* RETIRE state machine not keep with Figure 12-2 in
324 * IEEE Std 802.1X-2010 */
329 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
335 * CP state machine handler entry
339 if (!sm->port_enabled)
342 switch (sm->CP_state) {
348 SM_ENTER(CP, CHANGE);
352 if (sm->connect == UNAUTHENTICATED)
353 SM_ENTER(CP, ALLOWED);
354 else if (sm->connect == AUTHENTICATED)
355 SM_ENTER(CP, AUTHENTICATED);
356 else if (sm->connect == SECURE)
357 SM_ENTER(CP, SECURED);
361 if (sm->connect != UNAUTHENTICATED)
362 SM_ENTER(CP, CHANGE);
365 case CP_AUTHENTICATED:
366 if (sm->connect != AUTHENTICATED)
367 SM_ENTER(CP, CHANGE);
371 if (changed_connect(sm))
372 SM_ENTER(CP, CHANGE);
373 else if (sm->new_sak)
374 SM_ENTER(CP, RECEIVE);
378 if (sm->using_receive_sas)
379 SM_ENTER(CP, RECEIVING);
383 if (sm->new_sak || changed_connect(sm))
384 SM_ENTER(CP, ABANDON);
385 if (!sm->elected_self)
387 if (sm->elected_self &&
388 (sm->all_receiving || !sm->transmit_when))
389 SM_ENTER(CP, TRANSMIT);
393 if (sm->using_transmit_sa)
394 SM_ENTER(CP, TRANSMITTING);
397 case CP_TRANSMITTING:
398 if (!sm->retire_when || changed_connect(sm))
399 SM_ENTER(CP, RETIRE);
403 if (changed_connect(sm))
404 SM_ENTER(CP, CHANGE);
405 else if (sm->new_sak)
406 SM_ENTER(CP, RECEIVE);
410 if (sm->new_sak || changed_connect(sm))
411 SM_ENTER(CP, RECEIVE);
412 if (sm->server_transmitting)
413 SM_ENTER(CP, TRANSMIT);
416 if (changed_connect(sm))
417 SM_ENTER(CP, RETIRE);
418 else if (sm->new_sak)
419 SM_ENTER(CP, RECEIVE);
422 wpa_printf(MSG_ERROR, "CP: the state machine is not defined");
429 * ieee802_1x_cp_sm_init -
431 struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
432 struct ieee802_1x_kay *kay,
433 struct ieee802_1x_cp_conf *pcp_conf)
435 struct ieee802_1x_cp_sm *sm;
437 sm = os_zalloc(sizeof(*sm));
439 wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
445 sm->port_valid = FALSE;
447 sm->chgd_server = FALSE;
449 sm->protect_frames = pcp_conf->protect;
450 sm->validate_frames = pcp_conf->validate;
451 sm->replay_protect = pcp_conf->replay_protect;
452 sm->replay_window = pcp_conf->replay_window;
454 sm->controlled_port_enabled = FALSE;
463 sm->cipher_suite = os_zalloc(CS_ID_LEN);
464 sm->current_cipher_suite = os_zalloc(CS_ID_LEN);
465 if (!sm->cipher_suite || !sm->current_cipher_suite) {
466 wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
467 os_free(sm->cipher_suite);
468 os_free(sm->current_cipher_suite);
472 os_memcpy(sm->current_cipher_suite, default_cs_id, CS_ID_LEN);
473 os_memcpy(sm->cipher_suite, default_cs_id, CS_ID_LEN);
474 sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
475 sm->confidentiality_offset = sm->cipher_offset;
476 sm->transmit_delay = MKA_LIFE_TIME;
477 sm->retire_delay = MKA_SAK_RETIRE_TIME;
478 sm->CP_state = CP_BEGIN;
480 sm->authorization_data = NULL;
482 wpa_printf(MSG_DEBUG, "CP: state machine created");
484 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
485 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
486 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
487 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
488 secy_cp_control_confidentiality_offset(sm->kay,
489 sm->confidentiality_offset);
498 static void ieee802_1x_cp_step_run(struct ieee802_1x_cp_sm *sm)
500 enum cp_states prev_state;
503 for (i = 0; i < 100; i++) {
504 prev_state = sm->CP_state;
506 if (prev_state == sm->CP_state)
512 static void ieee802_1x_cp_step_cb(void *eloop_ctx, void *timeout_ctx)
514 struct ieee802_1x_cp_sm *sm = eloop_ctx;
515 ieee802_1x_cp_step_run(sm);
520 * ieee802_1x_cp_sm_deinit -
522 void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
524 wpa_printf(MSG_DEBUG, "CP: state machine removed");
528 eloop_cancel_timeout(ieee802_1x_cp_retire_when_timeout, sm, NULL);
529 eloop_cancel_timeout(ieee802_1x_cp_transmit_when_timeout, sm, NULL);
530 eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
533 os_free(sm->cipher_suite);
534 os_free(sm->current_cipher_suite);
535 os_free(sm->authorization_data);
541 * ieee802_1x_cp_connect_pending
543 void ieee802_1x_cp_connect_pending(void *cp_ctx)
545 struct ieee802_1x_cp_sm *sm = cp_ctx;
547 sm->connect = PENDING;
552 * ieee802_1x_cp_connect_unauthenticated
554 void ieee802_1x_cp_connect_unauthenticated(void *cp_ctx)
556 struct ieee802_1x_cp_sm *sm = (struct ieee802_1x_cp_sm *)cp_ctx;
558 sm->connect = UNAUTHENTICATED;
563 * ieee802_1x_cp_connect_authenticated
565 void ieee802_1x_cp_connect_authenticated(void *cp_ctx)
567 struct ieee802_1x_cp_sm *sm = cp_ctx;
569 sm->connect = AUTHENTICATED;
574 * ieee802_1x_cp_connect_secure
576 void ieee802_1x_cp_connect_secure(void *cp_ctx)
578 struct ieee802_1x_cp_sm *sm = cp_ctx;
580 sm->connect = SECURE;
585 * ieee802_1x_cp_set_chgdserver -
587 void ieee802_1x_cp_signal_chgdserver(void *cp_ctx)
589 struct ieee802_1x_cp_sm *sm = cp_ctx;
591 sm->chgd_server = TRUE;
596 * ieee802_1x_cp_set_electedself -
598 void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status)
600 struct ieee802_1x_cp_sm *sm = cp_ctx;
601 sm->elected_self = status;
606 * ieee802_1x_cp_set_authorizationdata -
608 void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
610 struct ieee802_1x_cp_sm *sm = cp_ctx;
611 os_free(sm->authorization_data);
612 sm->authorization_data = os_zalloc(len);
613 if (sm->authorization_data)
614 os_memcpy(sm->authorization_data, pdata, len);
619 * ieee802_1x_cp_set_ciphersuite -
621 void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, void *pid)
623 struct ieee802_1x_cp_sm *sm = cp_ctx;
624 os_memcpy(sm->cipher_suite, pid, CS_ID_LEN);
629 * ieee802_1x_cp_set_offset -
631 void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset)
633 struct ieee802_1x_cp_sm *sm = cp_ctx;
634 sm->cipher_offset = offset;
639 * ieee802_1x_cp_signal_newsak -
641 void ieee802_1x_cp_signal_newsak(void *cp_ctx)
643 struct ieee802_1x_cp_sm *sm = cp_ctx;
649 * ieee802_1x_cp_set_distributedki -
651 void ieee802_1x_cp_set_distributedki(void *cp_ctx,
652 const struct ieee802_1x_mka_ki *dki)
654 struct ieee802_1x_cp_sm *sm = cp_ctx;
655 os_memcpy(&sm->distributed_ki, dki, sizeof(struct ieee802_1x_mka_ki));
660 * ieee802_1x_cp_set_distributedan -
662 void ieee802_1x_cp_set_distributedan(void *cp_ctx, u8 an)
664 struct ieee802_1x_cp_sm *sm = cp_ctx;
665 sm->distributed_an = an;
670 * ieee802_1x_cp_set_usingreceivesas -
672 void ieee802_1x_cp_set_usingreceivesas(void *cp_ctx, Boolean status)
674 struct ieee802_1x_cp_sm *sm = cp_ctx;
675 sm->using_receive_sas = status;
680 * ieee802_1x_cp_set_allreceiving -
682 void ieee802_1x_cp_set_allreceiving(void *cp_ctx, Boolean status)
684 struct ieee802_1x_cp_sm *sm = cp_ctx;
685 sm->all_receiving = status;
690 * ieee802_1x_cp_set_servertransmitting -
692 void ieee802_1x_cp_set_servertransmitting(void *cp_ctx, Boolean status)
694 struct ieee802_1x_cp_sm *sm = cp_ctx;
695 sm->server_transmitting = status;
700 * ieee802_1x_cp_set_usingtransmitsas -
702 void ieee802_1x_cp_set_usingtransmitas(void *cp_ctx, Boolean status)
704 struct ieee802_1x_cp_sm *sm = cp_ctx;
705 sm->using_transmit_sa = status;
710 * ieee802_1x_cp_sm_step - Advance EAPOL state machines
711 * @sm: EAPOL state machine
713 * This function is called to advance CP state machines after any change
714 * that could affect their state.
716 void ieee802_1x_cp_sm_step(void *cp_ctx)
719 * Run ieee802_1x_cp_step_run from a registered timeout
720 * to make sure that other possible timeouts/events are processed
721 * and to avoid long function call chains.
723 struct ieee802_1x_cp_sm *sm = cp_ctx;
724 eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
725 eloop_register_timeout(0, 0, ieee802_1x_cp_step_cb, sm, NULL);
729 static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
732 struct ieee802_1x_cp_sm *sm = eloop_ctx;
734 ieee802_1x_cp_step_run(sm);
739 ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx, void *timeout_ctx)
741 struct ieee802_1x_cp_sm *sm = eloop_ctx;
742 sm->transmit_when = 0;
743 ieee802_1x_cp_step_run(sm);
projects / mech_eap.git / blob