1 /* 2 * Copyright (c) 2016, The OpenThread Authors. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 3. Neither the name of the copyright holder nor the 13 * names of its contributors may be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 * POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /** 30 * @file 31 * This file includes definitions for Thread security material generation. 32 */ 33 34 #ifndef KEY_MANAGER_HPP_ 35 #define KEY_MANAGER_HPP_ 36 37 #include "openthread-core-config.h" 38 39 #include <stdint.h> 40 41 #include <openthread/dataset.h> 42 #include <openthread/platform/crypto.h> 43 44 #include "common/as_core_type.hpp" 45 #include "common/clearable.hpp" 46 #include "common/encoding.hpp" 47 #include "common/equatable.hpp" 48 #include "common/locator.hpp" 49 #include "common/non_copyable.hpp" 50 #include "common/random.hpp" 51 #include "common/timer.hpp" 52 #include "crypto/hmac_sha256.hpp" 53 #include "mac/mac_types.hpp" 54 #include "thread/mle_types.hpp" 55 56 namespace ot { 57 58 /** 59 * @addtogroup core-security 60 * 61 * @brief 62 * This module includes definitions for Thread security material generation. 63 * 64 * @{ 65 */ 66 67 /** 68 * Represents Security Policy Rotation and Flags. 69 * 70 */ 71 class SecurityPolicy : public otSecurityPolicy, public Equatable<SecurityPolicy>, public Clearable<SecurityPolicy> 72 { 73 public: 74 /** 75 * Offset between the Thread Version and the Version-threshold valid for Routing. 76 * 77 */ 78 static constexpr uint8_t kVersionThresholdOffsetVersion = 3; 79 80 /** 81 * Default Key Rotation Time (in unit of hours). 82 * 83 */ 84 static constexpr uint16_t kDefaultKeyRotationTime = 672; 85 86 /** 87 * Minimum Key Rotation Time (in unit of hours). 88 * 89 */ 90 static constexpr uint16_t kMinKeyRotationTime = 2; 91 92 /** 93 * Initializes the object with default Key Rotation Time 94 * and Security Policy Flags. 95 * 96 */ SecurityPolicy(void)97 SecurityPolicy(void) { SetToDefault(); } 98 99 /** 100 * Sets the Security Policy to default values. 101 * 102 */ 103 void SetToDefault(void); 104 105 /** 106 * Sets the Security Policy Flags. 107 * 108 * @param[in] aFlags The Security Policy Flags. 109 * @param[in] aFlagsLength The length of the Security Policy Flags, 1 byte for 110 * Thread 1.1 devices, and 2 bytes for Thread 1.2 or higher. 111 * 112 */ 113 void SetFlags(const uint8_t *aFlags, uint8_t aFlagsLength); 114 115 /** 116 * Returns the Security Policy Flags. 117 * 118 * @param[out] aFlags A pointer to the Security Policy Flags buffer. 119 * @param[in] aFlagsLength The length of the Security Policy Flags buffer. 120 * 121 */ 122 void GetFlags(uint8_t *aFlags, uint8_t aFlagsLength) const; 123 124 private: 125 static constexpr uint8_t kDefaultFlags = 0xff; 126 static constexpr uint8_t kObtainNetworkKeyMask = 1 << 7; 127 static constexpr uint8_t kNativeCommissioningMask = 1 << 6; 128 static constexpr uint8_t kRoutersMask = 1 << 5; 129 static constexpr uint8_t kExternalCommissioningMask = 1 << 4; 130 static constexpr uint8_t kBeaconsMask = 1 << 3; 131 static constexpr uint8_t kCommercialCommissioningMask = 1 << 2; 132 static constexpr uint8_t kAutonomousEnrollmentMask = 1 << 1; 133 static constexpr uint8_t kNetworkKeyProvisioningMask = 1 << 0; 134 static constexpr uint8_t kTobleLinkMask = 1 << 7; 135 static constexpr uint8_t kNonCcmRoutersMask = 1 << 6; 136 static constexpr uint8_t kReservedMask = 0x38; 137 static constexpr uint8_t kVersionThresholdForRoutingMask = 0x07; 138 139 void SetToDefaultFlags(void); 140 }; 141 142 /** 143 * Represents a Thread Network Key. 144 * 145 */ 146 OT_TOOL_PACKED_BEGIN 147 class NetworkKey : public otNetworkKey, public Equatable<NetworkKey>, public Clearable<NetworkKey> 148 { 149 public: 150 static constexpr uint8_t kSize = OT_NETWORK_KEY_SIZE; ///< Size of the Thread Network Key (in bytes). 151 152 #if !OPENTHREAD_RADIO 153 /** 154 * Generates a cryptographically secure random sequence to populate the Thread Network Key. 155 * 156 * @retval kErrorNone Successfully generated a random Thread Network Key. 157 * @retval kErrorFailed Failed to generate random sequence. 158 * 159 */ GenerateRandom(void)160 Error GenerateRandom(void) { return Random::Crypto::Fill(*this); } 161 #endif 162 163 } OT_TOOL_PACKED_END; 164 165 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 166 /** 167 * Provides a representation for Network Key reference. 168 * 169 */ 170 typedef otNetworkKeyRef NetworkKeyRef; 171 #endif 172 173 /** 174 * Represents a Thread Pre-Shared Key for the Commissioner (PSKc). 175 * 176 */ 177 OT_TOOL_PACKED_BEGIN 178 class Pskc : public otPskc, public Equatable<Pskc>, public Clearable<Pskc> 179 { 180 public: 181 static constexpr uint8_t kSize = OT_PSKC_MAX_SIZE; ///< Size (number of bytes) of the PSKc. 182 183 #if !OPENTHREAD_RADIO 184 /** 185 * Generates a cryptographically secure random sequence to populate the Thread PSKc. 186 * 187 * @retval kErrorNone Successfully generated a random Thread PSKc. 188 * 189 */ GenerateRandom(void)190 Error GenerateRandom(void) { return Random::Crypto::Fill(*this); } 191 #endif 192 } OT_TOOL_PACKED_END; 193 194 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 195 /** 196 * Provides a representation for Network Key reference. 197 * 198 */ 199 typedef otPskcRef PskcRef; 200 #endif 201 202 /** 203 * 204 * Represents a Key Encryption Key (KEK). 205 * 206 */ 207 typedef Mac::Key Kek; 208 209 /** 210 * 211 * Represents a Key Material for Key Encryption Key (KEK). 212 * 213 */ 214 typedef Mac::KeyMaterial KekKeyMaterial; 215 216 /** 217 * Defines Thread Key Manager. 218 * 219 */ 220 class KeyManager : public InstanceLocator, private NonCopyable 221 { 222 public: 223 /** 224 * Defines bit-flag constants specifying how to handle key sequence update used in `KeySeqUpdateFlags`. 225 * 226 */ 227 enum KeySeqUpdateFlag : uint8_t 228 { 229 kApplySwitchGuard = (1 << 0), ///< Apply key switch guard check. 230 kForceUpdate = (0 << 0), ///< Ignore key switch guard check and forcibly update. 231 kResetGuardTimer = (1 << 1), ///< On key seq change, reset the guard timer. 232 kGuardTimerUnchanged = (0 << 1), ///< On key seq change, leave guard timer unchanged. 233 }; 234 235 /** 236 * Represents a combination of `KeySeqUpdateFlag` bits. 237 * 238 * Used as input by `SetCurrentKeySequence()`. 239 * 240 */ 241 typedef uint8_t KeySeqUpdateFlags; 242 243 /** 244 * Initializes the object. 245 * 246 * @param[in] aInstance A reference to the OpenThread instance. 247 * 248 */ 249 explicit KeyManager(Instance &aInstance); 250 251 /** 252 * Starts KeyManager rotation timer and sets guard timer to initial value. 253 * 254 */ 255 void Start(void); 256 257 /** 258 * Stops KeyManager timers. 259 * 260 */ 261 void Stop(void); 262 263 /** 264 * Gets the Thread Network Key. 265 * 266 * @param[out] aNetworkKey A reference to a `NetworkKey` to output the Thread Network Key. 267 * 268 */ 269 void GetNetworkKey(NetworkKey &aNetworkKey) const; 270 271 /** 272 * Sets the Thread Network Key. 273 * 274 * @param[in] aNetworkKey A Thread Network Key. 275 * 276 */ 277 void SetNetworkKey(const NetworkKey &aNetworkKey); 278 279 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 280 /** 281 * Returns a Key Ref to Thread Network Key. 282 * 283 * @returns A key reference to the Thread Network Key. 284 * 285 */ GetNetworkKeyRef(void) const286 NetworkKeyRef GetNetworkKeyRef(void) const { return mNetworkKeyRef; } 287 288 /** 289 * Sets the Thread Network Key using Key Reference. 290 * 291 * @param[in] aKeyRef Reference to Thread Network Key. 292 * 293 */ 294 void SetNetworkKeyRef(NetworkKeyRef aKeyRef); 295 #endif 296 297 /** 298 * Indicates whether the PSKc is configured. 299 * 300 * A value of all zeros indicates that the PSKc is not configured. 301 * 302 * @retval TRUE if the PSKc is configured. 303 * @retval FALSE if the PSKc is not not configured. 304 * 305 */ IsPskcSet(void) const306 bool IsPskcSet(void) const { return mIsPskcSet; } 307 308 /** 309 * Gets the PKSc. 310 * 311 * @param[out] aPskc A reference to a `Pskc` to return the PSKc. 312 * 313 */ 314 void GetPskc(Pskc &aPskc) const; 315 316 /** 317 * Sets the PSKc. 318 * 319 * @param[in] aPskc A reference to the PSKc. 320 * 321 */ 322 void SetPskc(const Pskc &aPskc); 323 324 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 325 /** 326 * Returns a Key Ref to PSKc. 327 * 328 * @returns A key reference to the PSKc. 329 * 330 */ GetPskcRef(void) const331 const PskcRef &GetPskcRef(void) const { return mPskcRef; } 332 333 /** 334 * Sets the PSKc as a Key reference. 335 * 336 * @param[in] aPskc A reference to the PSKc. 337 * 338 */ 339 void SetPskcRef(PskcRef aKeyRef); 340 #endif 341 342 /** 343 * Returns the current key sequence value. 344 * 345 * @returns The current key sequence value. 346 * 347 */ GetCurrentKeySequence(void) const348 uint32_t GetCurrentKeySequence(void) const { return mKeySequence; } 349 350 /** 351 * Sets the current key sequence value. 352 * 353 * @param[in] aKeySequence The key sequence value. 354 * @param[in] aFlags Specify behavior when updating the key sequence, i.e., whether or not to apply the 355 * key switch guard or reset guard timer upon change. 356 * 357 */ 358 void SetCurrentKeySequence(uint32_t aKeySequence, KeySeqUpdateFlags aFlags); 359 360 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 361 /** 362 * Returns the current MAC key for TREL radio link. 363 * 364 * @returns The current TREL MAC key. 365 * 366 */ GetCurrentTrelMacKey(void) const367 const Mac::KeyMaterial &GetCurrentTrelMacKey(void) const { return mTrelKey; } 368 369 /** 370 * Returns a temporary MAC key for TREL radio link computed from the given key sequence. 371 * 372 * @param[in] aKeySequence The key sequence value. 373 * 374 * @returns The temporary TREL MAC key. 375 * 376 */ 377 const Mac::KeyMaterial &GetTemporaryTrelMacKey(uint32_t aKeySequence); 378 #endif 379 380 /** 381 * Returns the current MLE key Material. 382 * 383 * @returns The current MLE key. 384 * 385 */ GetCurrentMleKey(void) const386 const Mle::KeyMaterial &GetCurrentMleKey(void) const { return mMleKey; } 387 388 /** 389 * Returns a temporary MLE key Material computed from the given key sequence. 390 * 391 * @param[in] aKeySequence The key sequence value. 392 * 393 * @returns The temporary MLE key. 394 * 395 */ 396 const Mle::KeyMaterial &GetTemporaryMleKey(uint32_t aKeySequence); 397 398 #if OPENTHREAD_CONFIG_RADIO_LINK_IEEE_802_15_4_ENABLE 399 /** 400 * Returns the current MAC Frame Counter value for 15.4 radio link. 401 * 402 * @returns The current MAC Frame Counter value. 403 * 404 */ Get154MacFrameCounter(void) const405 uint32_t Get154MacFrameCounter(void) const { return mMacFrameCounters.Get154(); } 406 #endif 407 408 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 409 /** 410 * Returns the current MAC Frame Counter value for TREL radio link. 411 * 412 * @returns The current MAC Frame Counter value for TREL radio link. 413 * 414 */ GetTrelMacFrameCounter(void) const415 uint32_t GetTrelMacFrameCounter(void) const { return mMacFrameCounters.GetTrel(); } 416 417 /** 418 * Increments the current MAC Frame Counter value for TREL radio link. 419 * 420 */ 421 void IncrementTrelMacFrameCounter(void); 422 #endif 423 424 /** 425 * Gets the maximum MAC Frame Counter among all supported radio links. 426 * 427 * @return The maximum MAC frame Counter among all supported radio links. 428 * 429 */ GetMaximumMacFrameCounter(void) const430 uint32_t GetMaximumMacFrameCounter(void) const { return mMacFrameCounters.GetMaximum(); } 431 432 /** 433 * Sets the current MAC Frame Counter value for all radio links. 434 * 435 * @param[in] aFrameCounter The MAC Frame Counter value. 436 * @param[in] aSetIfLarger If `true`, set only if the new value @p aFrameCounter is larger than current value. 437 * If `false`, set the new value independent of the current value. 438 439 */ 440 void SetAllMacFrameCounters(uint32_t aFrameCounter, bool aSetIfLarger); 441 442 /** 443 * Sets the MAC Frame Counter value which is stored in non-volatile memory. 444 * 445 * @param[in] aStoredMacFrameCounter The stored MAC Frame Counter value. 446 * 447 */ SetStoredMacFrameCounter(uint32_t aStoredMacFrameCounter)448 void SetStoredMacFrameCounter(uint32_t aStoredMacFrameCounter) { mStoredMacFrameCounter = aStoredMacFrameCounter; } 449 450 /** 451 * Returns the current MLE Frame Counter value. 452 * 453 * @returns The current MLE Frame Counter value. 454 * 455 */ GetMleFrameCounter(void) const456 uint32_t GetMleFrameCounter(void) const { return mMleFrameCounter; } 457 458 /** 459 * Sets the current MLE Frame Counter value. 460 * 461 * @param[in] aMleFrameCounter The MLE Frame Counter value. 462 * 463 */ SetMleFrameCounter(uint32_t aMleFrameCounter)464 void SetMleFrameCounter(uint32_t aMleFrameCounter) { mMleFrameCounter = aMleFrameCounter; } 465 466 /** 467 * Sets the MLE Frame Counter value which is stored in non-volatile memory. 468 * 469 * @param[in] aStoredMleFrameCounter The stored MLE Frame Counter value. 470 * 471 */ SetStoredMleFrameCounter(uint32_t aStoredMleFrameCounter)472 void SetStoredMleFrameCounter(uint32_t aStoredMleFrameCounter) { mStoredMleFrameCounter = aStoredMleFrameCounter; } 473 474 /** 475 * Increments the current MLE Frame Counter value. 476 * 477 */ 478 void IncrementMleFrameCounter(void); 479 480 /** 481 * Returns the KEK as `KekKeyMaterial` 482 * 483 * @returns The KEK as `KekKeyMaterial`. 484 * 485 */ GetKek(void) const486 const KekKeyMaterial &GetKek(void) const { return mKek; } 487 488 /** 489 * Retrieves the KEK as literal `Kek` key. 490 * 491 * @param[out] aKek A reference to a `Kek` to output the retrieved KEK. 492 * 493 */ ExtractKek(Kek & aKek)494 void ExtractKek(Kek &aKek) { mKek.ExtractKey(aKek); } 495 496 /** 497 * Sets the KEK. 498 * 499 * @param[in] aKek A KEK. 500 * 501 */ 502 void SetKek(const Kek &aKek); 503 504 /** 505 * Sets the KEK. 506 * 507 * @param[in] aKekBytes A pointer to the KEK bytes. 508 * 509 */ SetKek(const uint8_t * aKekBytes)510 void SetKek(const uint8_t *aKekBytes) { SetKek(*reinterpret_cast<const Kek *>(aKekBytes)); } 511 512 /** 513 * Returns the current KEK Frame Counter value. 514 * 515 * @returns The current KEK Frame Counter value. 516 * 517 */ GetKekFrameCounter(void) const518 uint32_t GetKekFrameCounter(void) const { return mKekFrameCounter; } 519 520 /** 521 * Increments the current KEK Frame Counter value. 522 * 523 */ IncrementKekFrameCounter(void)524 void IncrementKekFrameCounter(void) { mKekFrameCounter++; } 525 526 /** 527 * Returns the KeySwitchGuardTime. 528 * 529 * The KeySwitchGuardTime is the time interval during which key rotation procedure is prevented. 530 * 531 * @returns The KeySwitchGuardTime value in hours. 532 * 533 */ GetKeySwitchGuardTime(void) const534 uint16_t GetKeySwitchGuardTime(void) const { return mKeySwitchGuardTime; } 535 536 /** 537 * Sets the KeySwitchGuardTime. 538 * 539 * The KeySwitchGuardTime is the time interval during which key rotation procedure is prevented. 540 * 541 * Intended for testing only. Changing the guard time will render device non-compliant with the Thread spec. 542 * 543 * @param[in] aGuardTime The KeySwitchGuardTime value in hours. 544 * 545 */ SetKeySwitchGuardTime(uint16_t aGuardTime)546 void SetKeySwitchGuardTime(uint16_t aGuardTime) { mKeySwitchGuardTime = aGuardTime; } 547 548 /** 549 * Returns the Security Policy. 550 * 551 * The Security Policy specifies Key Rotation Time and network administrator preferences 552 * for which security-related operations are allowed or disallowed. 553 * 554 * @returns The SecurityPolicy. 555 * 556 */ GetSecurityPolicy(void) const557 const SecurityPolicy &GetSecurityPolicy(void) const { return mSecurityPolicy; } 558 559 /** 560 * Sets the Security Policy. 561 * 562 * The Security Policy specifies Key Rotation Time and network administrator preferences 563 * for which security-related operations are allowed or disallowed. 564 * 565 * @param[in] aSecurityPolicy The Security Policy. 566 * 567 */ 568 void SetSecurityPolicy(const SecurityPolicy &aSecurityPolicy); 569 570 /** 571 * Updates the MAC keys and MLE key. 572 * 573 */ 574 void UpdateKeyMaterial(void); 575 576 /** 577 * Handles MAC frame counter changes (callback from `SubMac` for 15.4 security frame change). 578 * 579 * This is called to indicate the @p aMacFrameCounter value is now used. 580 * 581 * @param[in] aMacFrameCounter The 15.4 link MAC frame counter value. 582 * 583 */ 584 void MacFrameCounterUsed(uint32_t aMacFrameCounter); 585 586 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 587 /** 588 * Destroys all the volatile mac keys stored in PSA ITS. 589 * 590 */ 591 void DestroyTemporaryKeys(void); 592 593 /** 594 * Destroys all the persistent keys stored in PSA ITS. 595 * 596 */ 597 void DestroyPersistentKeys(void); 598 #endif 599 600 private: 601 static constexpr uint16_t kDefaultKeySwitchGuardTime = 624; // ~ 93% of 672 (default key rotation time) 602 static constexpr uint32_t kKeySwitchGuardTimePercentage = 93; // Percentage of key rotation time. 603 static constexpr bool kExportableMacKeys = OPENTHREAD_CONFIG_PLATFORM_MAC_KEYS_EXPORTABLE_ENABLE; 604 605 static_assert(kDefaultKeySwitchGuardTime == 606 SecurityPolicy::kDefaultKeyRotationTime * kKeySwitchGuardTimePercentage / 100, 607 "Default key switch guard time value is not correct"); 608 609 OT_TOOL_PACKED_BEGIN 610 struct Keys 611 { 612 Mle::Key mMleKey; 613 Mac::Key mMacKey; 614 } OT_TOOL_PACKED_END; 615 616 union HashKeys 617 { 618 Crypto::HmacSha256::Hash mHash; 619 Keys mKeys; 620 GetMleKey(void) const621 const Mle::Key &GetMleKey(void) const { return mKeys.mMleKey; } GetMacKey(void) const622 const Mac::Key &GetMacKey(void) const { return mKeys.mMacKey; } 623 }; 624 625 void ComputeKeys(uint32_t aKeySequence, HashKeys &aHashKeys) const; 626 627 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 628 void ComputeTrelKey(uint32_t aKeySequence, Mac::Key &aKey) const; 629 #endif 630 631 void ResetKeyRotationTimer(void); 632 void HandleKeyRotationTimer(void); 633 void CheckForKeyRotation(void); 634 635 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 636 void StoreNetworkKey(const NetworkKey &aNetworkKey, bool aOverWriteExisting); 637 void StorePskc(const Pskc &aPskc); 638 #endif 639 640 void ResetFrameCounters(void); 641 642 using RotationTimer = TimerMilliIn<KeyManager, &KeyManager::HandleKeyRotationTimer>; 643 644 static const uint8_t kThreadString[]; 645 646 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 647 static const uint8_t kHkdfExtractSaltString[]; 648 static const uint8_t kTrelInfoString[]; 649 #endif 650 651 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 652 NetworkKeyRef mNetworkKeyRef; 653 #else 654 NetworkKey mNetworkKey; 655 #endif 656 657 uint32_t mKeySequence; 658 Mle::KeyMaterial mMleKey; 659 Mle::KeyMaterial mTemporaryMleKey; 660 661 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 662 Mac::KeyMaterial mTrelKey; 663 Mac::KeyMaterial mTemporaryTrelKey; 664 #endif 665 666 Mac::LinkFrameCounters mMacFrameCounters; 667 uint32_t mMleFrameCounter; 668 uint32_t mStoredMacFrameCounter; 669 uint32_t mStoredMleFrameCounter; 670 671 uint16_t mHoursSinceKeyRotation; 672 uint16_t mKeySwitchGuardTime; 673 uint16_t mKeySwitchGuardTimer; 674 RotationTimer mKeyRotationTimer; 675 676 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 677 PskcRef mPskcRef; 678 #else 679 Pskc mPskc; 680 #endif 681 682 KekKeyMaterial mKek; 683 uint32_t mKekFrameCounter; 684 685 SecurityPolicy mSecurityPolicy; 686 bool mIsPskcSet : 1; 687 }; 688 689 /** 690 * @} 691 */ 692 693 DefineCoreType(otSecurityPolicy, SecurityPolicy); 694 DefineCoreType(otNetworkKey, NetworkKey); 695 DefineCoreType(otPskc, Pskc); 696 697 } // namespace ot 698 699 #endif // KEY_MANAGER_HPP_ 700