1 /* 2 * Copyright (c) 2016, The OpenThread Authors. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 3. Neither the name of the copyright holder nor the 13 * names of its contributors may be used to endorse or promote products 14 * derived from this software without specific prior written permission. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 20 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 * POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 /** 30 * @file 31 * This file includes definitions for Thread security material generation. 32 */ 33 34 #ifndef KEY_MANAGER_HPP_ 35 #define KEY_MANAGER_HPP_ 36 37 #include "openthread-core-config.h" 38 39 #include <stdint.h> 40 41 #include <openthread/dataset.h> 42 #include <openthread/platform/crypto.h> 43 44 #include "common/as_core_type.hpp" 45 #include "common/clearable.hpp" 46 #include "common/encoding.hpp" 47 #include "common/equatable.hpp" 48 #include "common/locator.hpp" 49 #include "common/non_copyable.hpp" 50 #include "common/random.hpp" 51 #include "common/timer.hpp" 52 #include "crypto/hmac_sha256.hpp" 53 #include "mac/mac_types.hpp" 54 #include "thread/mle_types.hpp" 55 56 namespace ot { 57 58 /** 59 * @addtogroup core-security 60 * 61 * @brief 62 * This module includes definitions for Thread security material generation. 63 * 64 * @{ 65 */ 66 67 /** 68 * Represents Security Policy Rotation and Flags. 69 */ 70 class SecurityPolicy : public otSecurityPolicy, public Equatable<SecurityPolicy>, public Clearable<SecurityPolicy> 71 { 72 public: 73 /** 74 * Offset between the Thread Version and the Version-threshold valid for Routing. 75 */ 76 static constexpr uint8_t kVersionThresholdOffsetVersion = 3; 77 78 /** 79 * Default Key Rotation Time (in unit of hours). 80 */ 81 static constexpr uint16_t kDefaultKeyRotationTime = 672; 82 83 /** 84 * Minimum Key Rotation Time (in unit of hours). 85 */ 86 static constexpr uint16_t kMinKeyRotationTime = 2; 87 88 /** 89 * Initializes the object with default Key Rotation Time 90 * and Security Policy Flags. 91 */ SecurityPolicy(void)92 SecurityPolicy(void) { SetToDefault(); } 93 94 /** 95 * Sets the Security Policy to default values. 96 */ 97 void SetToDefault(void); 98 99 /** 100 * Sets the Security Policy Flags. 101 * 102 * @param[in] aFlags The Security Policy Flags. 103 * @param[in] aFlagsLength The length of the Security Policy Flags, 1 byte for 104 * Thread 1.1 devices, and 2 bytes for Thread 1.2 or higher. 105 */ 106 void SetFlags(const uint8_t *aFlags, uint8_t aFlagsLength); 107 108 /** 109 * Returns the Security Policy Flags. 110 * 111 * @param[out] aFlags A pointer to the Security Policy Flags buffer. 112 * @param[in] aFlagsLength The length of the Security Policy Flags buffer. 113 */ 114 void GetFlags(uint8_t *aFlags, uint8_t aFlagsLength) const; 115 116 private: 117 static constexpr uint8_t kDefaultFlags = 0xff; 118 static constexpr uint8_t kObtainNetworkKeyMask = 1 << 7; 119 static constexpr uint8_t kNativeCommissioningMask = 1 << 6; 120 static constexpr uint8_t kRoutersMask = 1 << 5; 121 static constexpr uint8_t kExternalCommissioningMask = 1 << 4; 122 static constexpr uint8_t kBeaconsMask = 1 << 3; 123 static constexpr uint8_t kCommercialCommissioningMask = 1 << 2; 124 static constexpr uint8_t kAutonomousEnrollmentMask = 1 << 1; 125 static constexpr uint8_t kNetworkKeyProvisioningMask = 1 << 0; 126 static constexpr uint8_t kTobleLinkMask = 1 << 7; 127 static constexpr uint8_t kNonCcmRoutersMask = 1 << 6; 128 static constexpr uint8_t kReservedMask = 0x38; 129 static constexpr uint8_t kVersionThresholdForRoutingMask = 0x07; 130 131 void SetToDefaultFlags(void); 132 }; 133 134 /** 135 * Represents a Thread Network Key. 136 */ 137 OT_TOOL_PACKED_BEGIN 138 class NetworkKey : public otNetworkKey, public Equatable<NetworkKey>, public Clearable<NetworkKey> 139 { 140 public: 141 static constexpr uint8_t kSize = OT_NETWORK_KEY_SIZE; ///< Size of the Thread Network Key (in bytes). 142 143 #if !OPENTHREAD_RADIO 144 /** 145 * Generates a cryptographically secure random sequence to populate the Thread Network Key. 146 * 147 * @retval kErrorNone Successfully generated a random Thread Network Key. 148 * @retval kErrorFailed Failed to generate random sequence. 149 */ GenerateRandom(void)150 Error GenerateRandom(void) { return Random::Crypto::Fill(*this); } 151 #endif 152 153 } OT_TOOL_PACKED_END; 154 155 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 156 /** 157 * Provides a representation for Network Key reference. 158 */ 159 typedef otNetworkKeyRef NetworkKeyRef; 160 #endif 161 162 /** 163 * Represents a Thread Pre-Shared Key for the Commissioner (PSKc). 164 */ 165 OT_TOOL_PACKED_BEGIN 166 class Pskc : public otPskc, public Equatable<Pskc>, public Clearable<Pskc> 167 { 168 public: 169 static constexpr uint8_t kSize = OT_PSKC_MAX_SIZE; ///< Size (number of bytes) of the PSKc. 170 171 #if !OPENTHREAD_RADIO 172 /** 173 * Generates a cryptographically secure random sequence to populate the Thread PSKc. 174 * 175 * @retval kErrorNone Successfully generated a random Thread PSKc. 176 */ GenerateRandom(void)177 Error GenerateRandom(void) { return Random::Crypto::Fill(*this); } 178 #endif 179 } OT_TOOL_PACKED_END; 180 181 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 182 /** 183 * Provides a representation for Network Key reference. 184 */ 185 typedef otPskcRef PskcRef; 186 #endif 187 188 /** 189 * 190 * Represents a Key Encryption Key (KEK). 191 */ 192 typedef Mac::Key Kek; 193 194 /** 195 * 196 * Represents a Key Material for Key Encryption Key (KEK). 197 */ 198 typedef Mac::KeyMaterial KekKeyMaterial; 199 200 /** 201 * Defines Thread Key Manager. 202 */ 203 class KeyManager : public InstanceLocator, private NonCopyable 204 { 205 public: 206 /** 207 * Defines bit-flag constants specifying how to handle key sequence update used in `KeySeqUpdateFlags`. 208 */ 209 enum KeySeqUpdateFlag : uint8_t 210 { 211 kApplySwitchGuard = (1 << 0), ///< Apply key switch guard check. 212 kForceUpdate = (0 << 0), ///< Ignore key switch guard check and forcibly update. 213 kResetGuardTimer = (1 << 1), ///< On key seq change, reset the guard timer. 214 kGuardTimerUnchanged = (0 << 1), ///< On key seq change, leave guard timer unchanged. 215 }; 216 217 /** 218 * Represents a combination of `KeySeqUpdateFlag` bits. 219 * 220 * Used as input by `SetCurrentKeySequence()`. 221 */ 222 typedef uint8_t KeySeqUpdateFlags; 223 224 /** 225 * Initializes the object. 226 * 227 * @param[in] aInstance A reference to the OpenThread instance. 228 */ 229 explicit KeyManager(Instance &aInstance); 230 231 /** 232 * Starts KeyManager rotation timer and sets guard timer to initial value. 233 */ 234 void Start(void); 235 236 /** 237 * Stops KeyManager timers. 238 */ 239 void Stop(void); 240 241 /** 242 * Gets the Thread Network Key. 243 * 244 * @param[out] aNetworkKey A reference to a `NetworkKey` to output the Thread Network Key. 245 */ 246 void GetNetworkKey(NetworkKey &aNetworkKey) const; 247 248 /** 249 * Sets the Thread Network Key. 250 * 251 * @param[in] aNetworkKey A Thread Network Key. 252 */ 253 void SetNetworkKey(const NetworkKey &aNetworkKey); 254 255 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 256 /** 257 * Returns a Key Ref to Thread Network Key. 258 * 259 * @returns A key reference to the Thread Network Key. 260 */ GetNetworkKeyRef(void) const261 NetworkKeyRef GetNetworkKeyRef(void) const { return mNetworkKeyRef; } 262 263 /** 264 * Sets the Thread Network Key using Key Reference. 265 * 266 * @param[in] aKeyRef Reference to Thread Network Key. 267 */ 268 void SetNetworkKeyRef(NetworkKeyRef aKeyRef); 269 #endif 270 271 /** 272 * Indicates whether the PSKc is configured. 273 * 274 * A value of all zeros indicates that the PSKc is not configured. 275 * 276 * @retval TRUE if the PSKc is configured. 277 * @retval FALSE if the PSKc is not not configured. 278 */ IsPskcSet(void) const279 bool IsPskcSet(void) const { return mIsPskcSet; } 280 281 /** 282 * Gets the PKSc. 283 * 284 * @param[out] aPskc A reference to a `Pskc` to return the PSKc. 285 */ 286 void GetPskc(Pskc &aPskc) const; 287 288 /** 289 * Sets the PSKc. 290 * 291 * @param[in] aPskc A reference to the PSKc. 292 */ 293 void SetPskc(const Pskc &aPskc); 294 295 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 296 /** 297 * Returns a Key Ref to PSKc. 298 * 299 * @returns A key reference to the PSKc. 300 */ GetPskcRef(void) const301 const PskcRef &GetPskcRef(void) const { return mPskcRef; } 302 303 /** 304 * Sets the PSKc as a Key reference. 305 * 306 * @param[in] aPskc A reference to the PSKc. 307 */ 308 void SetPskcRef(PskcRef aKeyRef); 309 #endif 310 311 /** 312 * Returns the current key sequence value. 313 * 314 * @returns The current key sequence value. 315 */ GetCurrentKeySequence(void) const316 uint32_t GetCurrentKeySequence(void) const { return mKeySequence; } 317 318 /** 319 * Sets the current key sequence value. 320 * 321 * @param[in] aKeySequence The key sequence value. 322 * @param[in] aFlags Specify behavior when updating the key sequence, i.e., whether or not to apply the 323 * key switch guard or reset guard timer upon change. 324 */ 325 void SetCurrentKeySequence(uint32_t aKeySequence, KeySeqUpdateFlags aFlags); 326 327 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 328 /** 329 * Returns the current MAC key for TREL radio link. 330 * 331 * @returns The current TREL MAC key. 332 */ GetCurrentTrelMacKey(void) const333 const Mac::KeyMaterial &GetCurrentTrelMacKey(void) const { return mTrelKey; } 334 335 /** 336 * Returns a temporary MAC key for TREL radio link computed from the given key sequence. 337 * 338 * @param[in] aKeySequence The key sequence value. 339 * 340 * @returns The temporary TREL MAC key. 341 */ 342 const Mac::KeyMaterial &GetTemporaryTrelMacKey(uint32_t aKeySequence); 343 #endif 344 345 /** 346 * Returns the current MLE key Material. 347 * 348 * @returns The current MLE key. 349 */ GetCurrentMleKey(void) const350 const Mle::KeyMaterial &GetCurrentMleKey(void) const { return mMleKey; } 351 352 /** 353 * Returns a temporary MLE key Material computed from the given key sequence. 354 * 355 * @param[in] aKeySequence The key sequence value. 356 * 357 * @returns The temporary MLE key. 358 */ 359 const Mle::KeyMaterial &GetTemporaryMleKey(uint32_t aKeySequence); 360 361 /** 362 * Returns a temporary MAC key Material computed from the given key sequence. 363 * 364 * @param[in] aKeySequence The key sequence value. 365 * 366 * @returns The temporary MAC key. 367 */ 368 const Mle::KeyMaterial &GetTemporaryMacKey(uint32_t aKeySequence); 369 370 #if OPENTHREAD_CONFIG_RADIO_LINK_IEEE_802_15_4_ENABLE 371 /** 372 * Returns the current MAC Frame Counter value for 15.4 radio link. 373 * 374 * @returns The current MAC Frame Counter value. 375 */ Get154MacFrameCounter(void) const376 uint32_t Get154MacFrameCounter(void) const { return mMacFrameCounters.Get154(); } 377 #endif 378 379 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 380 /** 381 * Returns the current MAC Frame Counter value for TREL radio link. 382 * 383 * @returns The current MAC Frame Counter value for TREL radio link. 384 */ GetTrelMacFrameCounter(void) const385 uint32_t GetTrelMacFrameCounter(void) const { return mMacFrameCounters.GetTrel(); } 386 387 /** 388 * Increments the current MAC Frame Counter value for TREL radio link. 389 */ 390 void IncrementTrelMacFrameCounter(void); 391 #endif 392 393 /** 394 * Gets the maximum MAC Frame Counter among all supported radio links. 395 * 396 * @return The maximum MAC frame Counter among all supported radio links. 397 */ GetMaximumMacFrameCounter(void) const398 uint32_t GetMaximumMacFrameCounter(void) const { return mMacFrameCounters.GetMaximum(); } 399 400 /** 401 * Sets the current MAC Frame Counter value for all radio links. 402 * 403 * @param[in] aFrameCounter The MAC Frame Counter value. 404 * @param[in] aSetIfLarger If `true`, set only if the new value @p aFrameCounter is larger than current value. 405 * If `false`, set the new value independent of the current value. 406 407 */ 408 void SetAllMacFrameCounters(uint32_t aFrameCounter, bool aSetIfLarger); 409 410 /** 411 * Sets the MAC Frame Counter value which is stored in non-volatile memory. 412 * 413 * @param[in] aStoredMacFrameCounter The stored MAC Frame Counter value. 414 */ SetStoredMacFrameCounter(uint32_t aStoredMacFrameCounter)415 void SetStoredMacFrameCounter(uint32_t aStoredMacFrameCounter) { mStoredMacFrameCounter = aStoredMacFrameCounter; } 416 417 /** 418 * Returns the current MLE Frame Counter value. 419 * 420 * @returns The current MLE Frame Counter value. 421 */ GetMleFrameCounter(void) const422 uint32_t GetMleFrameCounter(void) const { return mMleFrameCounter; } 423 424 /** 425 * Sets the current MLE Frame Counter value. 426 * 427 * @param[in] aMleFrameCounter The MLE Frame Counter value. 428 */ SetMleFrameCounter(uint32_t aMleFrameCounter)429 void SetMleFrameCounter(uint32_t aMleFrameCounter) { mMleFrameCounter = aMleFrameCounter; } 430 431 /** 432 * Sets the MLE Frame Counter value which is stored in non-volatile memory. 433 * 434 * @param[in] aStoredMleFrameCounter The stored MLE Frame Counter value. 435 */ SetStoredMleFrameCounter(uint32_t aStoredMleFrameCounter)436 void SetStoredMleFrameCounter(uint32_t aStoredMleFrameCounter) { mStoredMleFrameCounter = aStoredMleFrameCounter; } 437 438 /** 439 * Increments the current MLE Frame Counter value. 440 */ 441 void IncrementMleFrameCounter(void); 442 443 /** 444 * Returns the KEK as `KekKeyMaterial` 445 * 446 * @returns The KEK as `KekKeyMaterial`. 447 */ GetKek(void) const448 const KekKeyMaterial &GetKek(void) const { return mKek; } 449 450 /** 451 * Retrieves the KEK as literal `Kek` key. 452 * 453 * @param[out] aKek A reference to a `Kek` to output the retrieved KEK. 454 */ ExtractKek(Kek & aKek)455 void ExtractKek(Kek &aKek) { mKek.ExtractKey(aKek); } 456 457 /** 458 * Sets the KEK. 459 * 460 * @param[in] aKek A KEK. 461 */ 462 void SetKek(const Kek &aKek); 463 464 /** 465 * Sets the KEK. 466 * 467 * @param[in] aKekBytes A pointer to the KEK bytes. 468 */ SetKek(const uint8_t * aKekBytes)469 void SetKek(const uint8_t *aKekBytes) { SetKek(*reinterpret_cast<const Kek *>(aKekBytes)); } 470 471 /** 472 * Returns the current KEK Frame Counter value. 473 * 474 * @returns The current KEK Frame Counter value. 475 */ GetKekFrameCounter(void) const476 uint32_t GetKekFrameCounter(void) const { return mKekFrameCounter; } 477 478 /** 479 * Increments the current KEK Frame Counter value. 480 */ IncrementKekFrameCounter(void)481 void IncrementKekFrameCounter(void) { mKekFrameCounter++; } 482 483 /** 484 * Returns the KeySwitchGuardTime. 485 * 486 * The KeySwitchGuardTime is the time interval during which key rotation procedure is prevented. 487 * 488 * @returns The KeySwitchGuardTime value in hours. 489 */ GetKeySwitchGuardTime(void) const490 uint16_t GetKeySwitchGuardTime(void) const { return mKeySwitchGuardTime; } 491 492 /** 493 * Sets the KeySwitchGuardTime. 494 * 495 * The KeySwitchGuardTime is the time interval during which key rotation procedure is prevented. 496 * 497 * Intended for testing only. Changing the guard time will render device non-compliant with the Thread spec. 498 * 499 * @param[in] aGuardTime The KeySwitchGuardTime value in hours. 500 */ SetKeySwitchGuardTime(uint16_t aGuardTime)501 void SetKeySwitchGuardTime(uint16_t aGuardTime) { mKeySwitchGuardTime = aGuardTime; } 502 503 /** 504 * Returns the Security Policy. 505 * 506 * The Security Policy specifies Key Rotation Time and network administrator preferences 507 * for which security-related operations are allowed or disallowed. 508 * 509 * @returns The SecurityPolicy. 510 */ GetSecurityPolicy(void) const511 const SecurityPolicy &GetSecurityPolicy(void) const { return mSecurityPolicy; } 512 513 /** 514 * Sets the Security Policy. 515 * 516 * The Security Policy specifies Key Rotation Time and network administrator preferences 517 * for which security-related operations are allowed or disallowed. 518 * 519 * @param[in] aSecurityPolicy The Security Policy. 520 */ 521 void SetSecurityPolicy(const SecurityPolicy &aSecurityPolicy); 522 523 /** 524 * Updates the MAC keys and MLE key. 525 */ 526 void UpdateKeyMaterial(void); 527 528 /** 529 * Handles MAC frame counter changes (callback from `SubMac` for 15.4 security frame change). 530 * 531 * This is called to indicate the @p aMacFrameCounter value is now used. 532 * 533 * @param[in] aMacFrameCounter The 15.4 link MAC frame counter value. 534 */ 535 void MacFrameCounterUsed(uint32_t aMacFrameCounter); 536 537 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 538 /** 539 * Destroys all the volatile mac keys stored in PSA ITS. 540 */ 541 void DestroyTemporaryKeys(void); 542 543 /** 544 * Destroys all the persistent keys stored in PSA ITS. 545 */ 546 void DestroyPersistentKeys(void); 547 #endif 548 549 private: 550 static constexpr uint16_t kDefaultKeySwitchGuardTime = 624; // ~ 93% of 672 (default key rotation time) 551 static constexpr uint32_t kKeySwitchGuardTimePercentage = 93; // Percentage of key rotation time. 552 static constexpr bool kExportableMacKeys = OPENTHREAD_CONFIG_PLATFORM_MAC_KEYS_EXPORTABLE_ENABLE; 553 554 static_assert(kDefaultKeySwitchGuardTime == 555 SecurityPolicy::kDefaultKeyRotationTime * kKeySwitchGuardTimePercentage / 100, 556 "Default key switch guard time value is not correct"); 557 558 OT_TOOL_PACKED_BEGIN 559 struct Keys 560 { 561 Mle::Key mMleKey; 562 Mac::Key mMacKey; 563 } OT_TOOL_PACKED_END; 564 565 union HashKeys 566 { 567 Crypto::HmacSha256::Hash mHash; 568 Keys mKeys; 569 GetMleKey(void) const570 const Mle::Key &GetMleKey(void) const { return mKeys.mMleKey; } GetMacKey(void) const571 const Mac::Key &GetMacKey(void) const { return mKeys.mMacKey; } 572 }; 573 574 void ComputeKeys(uint32_t aKeySequence, HashKeys &aHashKeys) const; 575 576 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 577 void ComputeTrelKey(uint32_t aKeySequence, Mac::Key &aKey) const; 578 #endif 579 580 void ResetKeyRotationTimer(void); 581 void HandleKeyRotationTimer(void); 582 void CheckForKeyRotation(void); 583 584 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 585 void StoreNetworkKey(const NetworkKey &aNetworkKey, bool aOverWriteExisting); 586 void StorePskc(const Pskc &aPskc); 587 #endif 588 589 void ResetFrameCounters(void); 590 591 using RotationTimer = TimerMilliIn<KeyManager, &KeyManager::HandleKeyRotationTimer>; 592 593 static const uint8_t kThreadString[]; 594 595 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 596 static const uint8_t kHkdfExtractSaltString[]; 597 static const uint8_t kTrelInfoString[]; 598 #endif 599 600 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 601 NetworkKeyRef mNetworkKeyRef; 602 #else 603 NetworkKey mNetworkKey; 604 #endif 605 606 uint32_t mKeySequence; 607 Mle::KeyMaterial mMleKey; 608 Mle::KeyMaterial mTemporaryMleKey; 609 610 #if OPENTHREAD_CONFIG_WAKEUP_END_DEVICE_ENABLE 611 Mle::KeyMaterial mTemporaryMacKey; 612 #endif 613 614 #if OPENTHREAD_CONFIG_RADIO_LINK_TREL_ENABLE 615 Mac::KeyMaterial mTrelKey; 616 Mac::KeyMaterial mTemporaryTrelKey; 617 #endif 618 619 Mac::LinkFrameCounters mMacFrameCounters; 620 uint32_t mMleFrameCounter; 621 uint32_t mStoredMacFrameCounter; 622 uint32_t mStoredMleFrameCounter; 623 624 uint16_t mHoursSinceKeyRotation; 625 uint16_t mKeySwitchGuardTime; 626 uint16_t mKeySwitchGuardTimer; 627 RotationTimer mKeyRotationTimer; 628 629 #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 630 PskcRef mPskcRef; 631 #else 632 Pskc mPskc; 633 #endif 634 635 KekKeyMaterial mKek; 636 uint32_t mKekFrameCounter; 637 638 SecurityPolicy mSecurityPolicy; 639 bool mIsPskcSet : 1; 640 }; 641 642 /** 643 * @} 644 */ 645 646 DefineCoreType(otSecurityPolicy, SecurityPolicy); 647 DefineCoreType(otNetworkKey, NetworkKey); 648 DefineCoreType(otPskc, Pskc); 649 650 } // namespace ot 651 652 #endif // KEY_MANAGER_HPP_ 653
