2 * IEEE 802.1X-2010 Controlled Port of PAE state machine - CP state machine
3 * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "utils/eloop.h"
13 #include "common/defs.h"
14 #include "common/ieee802_1x_defs.h"
15 #include "utils/state_machine.h"
16 #include "ieee802_1x_kay.h"
17 #include "ieee802_1x_secy_ops.h"
18 #include "pae/ieee802_1x_cp.h"
20 #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
21 #define STATE_MACHINE_DEBUG_PREFIX "CP"
23 static u64 default_cs_id = CS_ID_GCM_AES_128;
25 /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
26 enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
28 struct ieee802_1x_cp_sm {
30 CP_BEGIN, CP_INIT, CP_CHANGE, CP_ALLOWED, CP_AUTHENTICATED,
31 CP_SECURED, CP_RECEIVE, CP_RECEIVING, CP_READY, CP_TRANSMIT,
32 CP_TRANSMITTING, CP_ABANDON, CP_RETIRE
40 enum connect_type connect;
41 u8 *authorization_data;
44 Boolean chgd_server; /* clear by CP */
46 u8 *authorization_data1;
47 enum confidentiality_offset cipher_offset;
49 Boolean new_sak; /* clear by CP */
50 struct ieee802_1x_mka_ki distributed_ki;
52 Boolean using_receive_sas;
53 Boolean all_receiving;
54 Boolean server_transmitting;
55 Boolean using_transmit_sa;
58 struct ieee802_1x_mka_ki *lki;
62 struct ieee802_1x_mka_ki *oki;
68 Boolean protect_frames;
69 enum validate_frames validate_frames;
71 Boolean replay_protect;
74 u64 current_cipher_suite;
75 enum confidentiality_offset confidentiality_offset;
76 Boolean controlled_port_enabled;
79 Boolean port_enabled; /* SecY->CP */
87 /* not defined IEEE Std 802.1X-2010 */
88 struct ieee802_1x_kay *kay;
91 static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
93 static void ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx,
97 static int changed_cipher(struct ieee802_1x_cp_sm *sm)
99 return sm->confidentiality_offset != sm->cipher_offset ||
100 sm->current_cipher_suite != sm->cipher_suite;
104 static int changed_connect(struct ieee802_1x_cp_sm *sm)
106 return sm->connect != SECURE || sm->chgd_server || changed_cipher(sm);
114 sm->controlled_port_enabled = FALSE;
115 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
117 sm->port_valid = FALSE;
129 sm->port_enabled = TRUE;
130 sm->chgd_server = FALSE;
136 SM_ENTRY(CP, CHANGE);
138 sm->port_valid = FALSE;
139 sm->controlled_port_enabled = FALSE;
140 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
143 ieee802_1x_kay_delete_sas(sm->kay, sm->lki);
145 ieee802_1x_kay_delete_sas(sm->kay, sm->oki);
149 SM_STATE(CP, ALLOWED)
151 SM_ENTRY(CP, ALLOWED);
153 sm->protect_frames = FALSE;
154 sm->replay_protect = FALSE;
155 sm->validate_frames = Checked;
157 sm->port_valid = FALSE;
158 sm->controlled_port_enabled = TRUE;
160 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
161 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
162 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
163 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
167 SM_STATE(CP, AUTHENTICATED)
169 SM_ENTRY(CP, AUTHENTICATED);
171 sm->protect_frames = FALSE;
172 sm->replay_protect = FALSE;
173 sm->validate_frames = Checked;
175 sm->port_valid = FALSE;
176 sm->controlled_port_enabled = TRUE;
178 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
179 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
180 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
181 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
185 SM_STATE(CP, SECURED)
187 struct ieee802_1x_cp_conf conf;
189 SM_ENTRY(CP, SECURED);
191 sm->chgd_server = FALSE;
193 ieee802_1x_kay_cp_conf(sm->kay, &conf);
194 sm->protect_frames = conf.protect;
195 sm->replay_protect = conf.replay_protect;
196 sm->validate_frames = conf.validate;
198 /* NOTE: now no other than default cipher suite (AES-GCM-128) */
199 sm->current_cipher_suite = sm->cipher_suite;
200 secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
202 sm->confidentiality_offset = sm->cipher_offset;
204 sm->port_valid = TRUE;
206 secy_cp_control_confidentiality_offset(sm->kay,
207 sm->confidentiality_offset);
208 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
209 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
210 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
214 SM_STATE(CP, RECEIVE)
216 SM_ENTRY(CP, RECEIVE);
217 /* RECEIVE state machine not keep with Figure 12-2 in
218 * IEEE Std 802.1X-2010 */
223 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
226 sm->lki = os_malloc(sizeof(*sm->lki));
228 wpa_printf(MSG_ERROR, "CP-%s: Out of memory", __func__);
231 os_memcpy(sm->lki, &sm->distributed_ki, sizeof(*sm->lki));
232 sm->lan = sm->distributed_an;
235 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
237 ieee802_1x_kay_create_sas(sm->kay, sm->lki);
238 ieee802_1x_kay_enable_rx_sas(sm->kay, sm->lki);
240 sm->all_receiving = FALSE;
244 SM_STATE(CP, RECEIVING)
246 SM_ENTRY(CP, RECEIVING);
249 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
251 sm->transmit_when = sm->transmit_delay;
252 eloop_cancel_timeout(ieee802_1x_cp_transmit_when_timeout, sm, NULL);
253 eloop_register_timeout(sm->transmit_when / 1000, 0,
254 ieee802_1x_cp_transmit_when_timeout, sm, NULL);
255 /* the electedSelf have been set before CP entering to RECEIVING
256 * but the CP will transmit from RECEIVING to READY under
257 * the !electedSelf when KaY is not key server */
258 ieee802_1x_cp_sm_step(sm);
259 sm->using_receive_sas = FALSE;
260 sm->server_transmitting = FALSE;
268 ieee802_1x_kay_enable_new_info(sm->kay);
272 SM_STATE(CP, TRANSMIT)
274 SM_ENTRY(CP, TRANSMIT);
276 sm->controlled_port_enabled = TRUE;
277 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
279 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
281 ieee802_1x_kay_enable_tx_sas(sm->kay, sm->lki);
282 sm->all_receiving = FALSE;
283 sm->server_transmitting = FALSE;
287 SM_STATE(CP, TRANSMITTING)
289 SM_ENTRY(CP, TRANSMITTING);
290 sm->retire_when = sm->orx ? sm->retire_delay : 0;
292 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
294 ieee802_1x_kay_enable_new_info(sm->kay);
295 eloop_cancel_timeout(ieee802_1x_cp_retire_when_timeout, sm, NULL);
296 eloop_register_timeout(sm->retire_when / 1000, 0,
297 ieee802_1x_cp_retire_when_timeout, sm, NULL);
298 sm->using_transmit_sa = FALSE;
302 SM_STATE(CP, ABANDON)
304 SM_ENTRY(CP, ABANDON);
306 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
308 ieee802_1x_kay_delete_sas(sm->kay, sm->lki);
312 ieee802_1x_kay_set_latest_sa_attr(sm->kay, sm->lki, sm->lan,
320 SM_ENTRY(CP, RETIRE);
321 /* RETIRE state machine not keep with Figure 12-2 in
322 * IEEE Std 802.1X-2010 */
327 ieee802_1x_kay_set_old_sa_attr(sm->kay, sm->oki, sm->oan,
333 * CP state machine handler entry
337 if (!sm->port_enabled)
340 switch (sm->CP_state) {
346 SM_ENTER(CP, CHANGE);
350 if (sm->connect == UNAUTHENTICATED)
351 SM_ENTER(CP, ALLOWED);
352 else if (sm->connect == AUTHENTICATED)
353 SM_ENTER(CP, AUTHENTICATED);
354 else if (sm->connect == SECURE)
355 SM_ENTER(CP, SECURED);
359 if (sm->connect != UNAUTHENTICATED)
360 SM_ENTER(CP, CHANGE);
363 case CP_AUTHENTICATED:
364 if (sm->connect != AUTHENTICATED)
365 SM_ENTER(CP, CHANGE);
369 if (changed_connect(sm))
370 SM_ENTER(CP, CHANGE);
371 else if (sm->new_sak)
372 SM_ENTER(CP, RECEIVE);
376 if (sm->using_receive_sas)
377 SM_ENTER(CP, RECEIVING);
381 if (sm->new_sak || changed_connect(sm))
382 SM_ENTER(CP, ABANDON);
383 if (!sm->elected_self)
385 if (sm->elected_self &&
386 (sm->all_receiving || !sm->transmit_when))
387 SM_ENTER(CP, TRANSMIT);
391 if (sm->using_transmit_sa)
392 SM_ENTER(CP, TRANSMITTING);
395 case CP_TRANSMITTING:
396 if (!sm->retire_when || changed_connect(sm))
397 SM_ENTER(CP, RETIRE);
401 if (changed_connect(sm))
402 SM_ENTER(CP, CHANGE);
403 else if (sm->new_sak)
404 SM_ENTER(CP, RECEIVE);
408 if (sm->new_sak || changed_connect(sm))
409 SM_ENTER(CP, RECEIVE);
410 if (sm->server_transmitting)
411 SM_ENTER(CP, TRANSMIT);
414 if (changed_connect(sm))
415 SM_ENTER(CP, RETIRE);
416 else if (sm->new_sak)
417 SM_ENTER(CP, RECEIVE);
420 wpa_printf(MSG_ERROR, "CP: the state machine is not defined");
427 * ieee802_1x_cp_sm_init -
429 struct ieee802_1x_cp_sm * ieee802_1x_cp_sm_init(
430 struct ieee802_1x_kay *kay,
431 struct ieee802_1x_cp_conf *pcp_conf)
433 struct ieee802_1x_cp_sm *sm;
435 sm = os_zalloc(sizeof(*sm));
437 wpa_printf(MSG_ERROR, "CP-%s: out of memory", __func__);
443 sm->port_valid = FALSE;
445 sm->chgd_server = FALSE;
447 sm->protect_frames = pcp_conf->protect;
448 sm->validate_frames = pcp_conf->validate;
449 sm->replay_protect = pcp_conf->replay_protect;
450 sm->replay_window = pcp_conf->replay_window;
452 sm->controlled_port_enabled = FALSE;
461 sm->current_cipher_suite = default_cs_id;
462 sm->cipher_suite = default_cs_id;
463 sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
464 sm->confidentiality_offset = sm->cipher_offset;
465 sm->transmit_delay = MKA_LIFE_TIME;
466 sm->retire_delay = MKA_SAK_RETIRE_TIME;
467 sm->CP_state = CP_BEGIN;
469 sm->authorization_data = NULL;
471 wpa_printf(MSG_DEBUG, "CP: state machine created");
473 secy_cp_control_protect_frames(sm->kay, sm->protect_frames);
474 secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
475 secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
476 secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
477 secy_cp_control_confidentiality_offset(sm->kay,
478 sm->confidentiality_offset);
487 static void ieee802_1x_cp_step_run(struct ieee802_1x_cp_sm *sm)
489 enum cp_states prev_state;
492 for (i = 0; i < 100; i++) {
493 prev_state = sm->CP_state;
495 if (prev_state == sm->CP_state)
501 static void ieee802_1x_cp_step_cb(void *eloop_ctx, void *timeout_ctx)
503 struct ieee802_1x_cp_sm *sm = eloop_ctx;
504 ieee802_1x_cp_step_run(sm);
509 * ieee802_1x_cp_sm_deinit -
511 void ieee802_1x_cp_sm_deinit(struct ieee802_1x_cp_sm *sm)
513 wpa_printf(MSG_DEBUG, "CP: state machine removed");
517 eloop_cancel_timeout(ieee802_1x_cp_retire_when_timeout, sm, NULL);
518 eloop_cancel_timeout(ieee802_1x_cp_transmit_when_timeout, sm, NULL);
519 eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
522 os_free(sm->authorization_data);
528 * ieee802_1x_cp_connect_pending
530 void ieee802_1x_cp_connect_pending(void *cp_ctx)
532 struct ieee802_1x_cp_sm *sm = cp_ctx;
534 sm->connect = PENDING;
539 * ieee802_1x_cp_connect_unauthenticated
541 void ieee802_1x_cp_connect_unauthenticated(void *cp_ctx)
543 struct ieee802_1x_cp_sm *sm = (struct ieee802_1x_cp_sm *)cp_ctx;
545 sm->connect = UNAUTHENTICATED;
550 * ieee802_1x_cp_connect_authenticated
552 void ieee802_1x_cp_connect_authenticated(void *cp_ctx)
554 struct ieee802_1x_cp_sm *sm = cp_ctx;
556 sm->connect = AUTHENTICATED;
561 * ieee802_1x_cp_connect_secure
563 void ieee802_1x_cp_connect_secure(void *cp_ctx)
565 struct ieee802_1x_cp_sm *sm = cp_ctx;
567 sm->connect = SECURE;
572 * ieee802_1x_cp_set_chgdserver -
574 void ieee802_1x_cp_signal_chgdserver(void *cp_ctx)
576 struct ieee802_1x_cp_sm *sm = cp_ctx;
578 sm->chgd_server = TRUE;
583 * ieee802_1x_cp_set_electedself -
585 void ieee802_1x_cp_set_electedself(void *cp_ctx, Boolean status)
587 struct ieee802_1x_cp_sm *sm = cp_ctx;
588 sm->elected_self = status;
593 * ieee802_1x_cp_set_authorizationdata -
595 void ieee802_1x_cp_set_authorizationdata(void *cp_ctx, u8 *pdata, int len)
597 struct ieee802_1x_cp_sm *sm = cp_ctx;
598 os_free(sm->authorization_data);
599 sm->authorization_data = os_zalloc(len);
600 if (sm->authorization_data)
601 os_memcpy(sm->authorization_data, pdata, len);
606 * ieee802_1x_cp_set_ciphersuite -
608 void ieee802_1x_cp_set_ciphersuite(void *cp_ctx, u64 cs)
610 struct ieee802_1x_cp_sm *sm = cp_ctx;
611 sm->cipher_suite = cs;
616 * ieee802_1x_cp_set_offset -
618 void ieee802_1x_cp_set_offset(void *cp_ctx, enum confidentiality_offset offset)
620 struct ieee802_1x_cp_sm *sm = cp_ctx;
621 sm->cipher_offset = offset;
626 * ieee802_1x_cp_signal_newsak -
628 void ieee802_1x_cp_signal_newsak(void *cp_ctx)
630 struct ieee802_1x_cp_sm *sm = cp_ctx;
636 * ieee802_1x_cp_set_distributedki -
638 void ieee802_1x_cp_set_distributedki(void *cp_ctx,
639 const struct ieee802_1x_mka_ki *dki)
641 struct ieee802_1x_cp_sm *sm = cp_ctx;
642 os_memcpy(&sm->distributed_ki, dki, sizeof(struct ieee802_1x_mka_ki));
647 * ieee802_1x_cp_set_distributedan -
649 void ieee802_1x_cp_set_distributedan(void *cp_ctx, u8 an)
651 struct ieee802_1x_cp_sm *sm = cp_ctx;
652 sm->distributed_an = an;
657 * ieee802_1x_cp_set_usingreceivesas -
659 void ieee802_1x_cp_set_usingreceivesas(void *cp_ctx, Boolean status)
661 struct ieee802_1x_cp_sm *sm = cp_ctx;
662 sm->using_receive_sas = status;
667 * ieee802_1x_cp_set_allreceiving -
669 void ieee802_1x_cp_set_allreceiving(void *cp_ctx, Boolean status)
671 struct ieee802_1x_cp_sm *sm = cp_ctx;
672 sm->all_receiving = status;
677 * ieee802_1x_cp_set_servertransmitting -
679 void ieee802_1x_cp_set_servertransmitting(void *cp_ctx, Boolean status)
681 struct ieee802_1x_cp_sm *sm = cp_ctx;
682 sm->server_transmitting = status;
687 * ieee802_1x_cp_set_usingtransmitsas -
689 void ieee802_1x_cp_set_usingtransmitas(void *cp_ctx, Boolean status)
691 struct ieee802_1x_cp_sm *sm = cp_ctx;
692 sm->using_transmit_sa = status;
697 * ieee802_1x_cp_sm_step - Advance EAPOL state machines
698 * @sm: EAPOL state machine
700 * This function is called to advance CP state machines after any change
701 * that could affect their state.
703 void ieee802_1x_cp_sm_step(void *cp_ctx)
706 * Run ieee802_1x_cp_step_run from a registered timeout
707 * to make sure that other possible timeouts/events are processed
708 * and to avoid long function call chains.
710 struct ieee802_1x_cp_sm *sm = cp_ctx;
711 eloop_cancel_timeout(ieee802_1x_cp_step_cb, sm, NULL);
712 eloop_register_timeout(0, 0, ieee802_1x_cp_step_cb, sm, NULL);
716 static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
719 struct ieee802_1x_cp_sm *sm = eloop_ctx;
721 ieee802_1x_cp_step_run(sm);
726 ieee802_1x_cp_transmit_when_timeout(void *eloop_ctx, void *timeout_ctx)
728 struct ieee802_1x_cp_sm *sm = eloop_ctx;
729 sm->transmit_when = 0;
730 ieee802_1x_cp_step_run(sm);
projects / mech_eap.git / blob