12 #include <netlink-private/netlink.h> 13 #include <netlink/netlink.h> 14 #include <netlink/attr.h> 15 #include <netlink/utils.h> 16 #include <netlink/object.h> 17 #include <netlink/route/rtnl.h> 18 #include <netlink-private/route/link/api.h> 20 #include <linux/if_macsec.h> 22 #define MACSEC_ATTR_SCI (1 << 0) 23 #define MACSEC_ATTR_ICV_LEN (1 << 1) 24 #define MACSEC_ATTR_CIPHER_SUITE (1 << 2) 25 #define MACSEC_ATTR_WINDOW (1 << 3) 26 #define MACSEC_ATTR_ENCODING_SA (1 << 4) 27 #define MACSEC_ATTR_ENCRYPT (1 << 5) 28 #define MACSEC_ATTR_PROTECT (1 << 6) 29 #define MACSEC_ATTR_INC_SCI (1 << 7) 30 #define MACSEC_ATTR_ES (1 << 8) 31 #define MACSEC_ATTR_SCB (1 << 9) 32 #define MACSEC_ATTR_REPLAY_PROTECT (1 << 10) 33 #define MACSEC_ATTR_VALIDATION (1 << 11) 34 #define MACSEC_ATTR_PORT (1 << 12) 40 uint64_t cipher_suite;
43 enum macsec_validation_type validate;
46 uint8_t send_sci, end_station, scb, replay_protect, protect, encrypt;
51 static struct nla_policy macsec_policy[IFLA_MACSEC_MAX+1] = {
53 [IFLA_MACSEC_ICV_LEN] = { .type =
NLA_U8 },
54 [IFLA_MACSEC_CIPHER_SUITE] = { .type =
NLA_U64 },
55 [IFLA_MACSEC_WINDOW] = { .type =
NLA_U32 },
56 [IFLA_MACSEC_ENCODING_SA] = { .type =
NLA_U8 },
57 [IFLA_MACSEC_ENCRYPT] = { .type =
NLA_U8 },
58 [IFLA_MACSEC_PROTECT] = { .type =
NLA_U8 },
59 [IFLA_MACSEC_INC_SCI] = { .type =
NLA_U8 },
60 [IFLA_MACSEC_ES] = { .type =
NLA_U8 },
61 [IFLA_MACSEC_SCB] = { .type =
NLA_U8 },
62 [IFLA_MACSEC_REPLAY_PROTECT] = { .type =
NLA_U8 },
63 [IFLA_MACSEC_VALIDATION] = { .type =
NLA_U8 },
66 #define DEFAULT_ICV_LEN 16 68 static int macsec_alloc(
struct rtnl_link *link)
78 memset(link->l_info, 0,
sizeof(
struct macsec_info));
81 info->cipher_suite = MACSEC_DEFAULT_CIPHER_ID;
82 info->icv_len = DEFAULT_ICV_LEN;
83 info->ce_mask = MACSEC_ATTR_CIPHER_SUITE | MACSEC_ATTR_ICV_LEN;
88 static int macsec_parse(
struct rtnl_link *link,
struct nlattr *data,
89 struct nlattr *xstats)
91 struct nlattr *tb[IFLA_MACSEC_MAX+1];
95 NL_DBG(3,
"Parsing MACsec link info\n");
100 if ((err = macsec_alloc(link)) < 0)
105 if (tb[IFLA_MACSEC_SCI]) {
107 info->ce_mask |= MACSEC_ATTR_SCI;
110 if (tb[IFLA_MACSEC_PROTECT]) {
111 info->protect =
nla_get_u8(tb[IFLA_MACSEC_PROTECT]);
112 info->ce_mask |= MACSEC_ATTR_PROTECT;
115 if (tb[IFLA_MACSEC_CIPHER_SUITE]) {
116 info->cipher_suite =
nla_get_u64(tb[IFLA_MACSEC_CIPHER_SUITE]);
117 info->ce_mask |= MACSEC_ATTR_CIPHER_SUITE;
120 if (tb[IFLA_MACSEC_ICV_LEN]) {
121 info->icv_len =
nla_get_u8(tb[IFLA_MACSEC_ICV_LEN]);
122 info->ce_mask |= MACSEC_ATTR_ICV_LEN;
125 if (tb[IFLA_MACSEC_ENCODING_SA]) {
126 info->encoding_sa =
nla_get_u8(tb[IFLA_MACSEC_ENCODING_SA]);
127 info->ce_mask |= MACSEC_ATTR_ENCODING_SA;
130 if (tb[IFLA_MACSEC_VALIDATION]) {
131 info->validate =
nla_get_u8(tb[IFLA_MACSEC_VALIDATION]);
132 info->ce_mask |= MACSEC_ATTR_VALIDATION;
135 if (tb[IFLA_MACSEC_ENCRYPT]) {
136 info->encrypt =
nla_get_u8(tb[IFLA_MACSEC_ENCRYPT]);
137 info->ce_mask |= MACSEC_ATTR_ENCRYPT;
140 if (tb[IFLA_MACSEC_INC_SCI]) {
141 info->send_sci =
nla_get_u8(tb[IFLA_MACSEC_INC_SCI]);
142 info->ce_mask |= MACSEC_ATTR_INC_SCI;
145 if (tb[IFLA_MACSEC_ES]) {
146 info->end_station =
nla_get_u8(tb[IFLA_MACSEC_ES]);
147 info->ce_mask |= MACSEC_ATTR_ES;
150 if (tb[IFLA_MACSEC_SCB]) {
152 info->ce_mask |= MACSEC_ATTR_SCB;
155 if (tb[IFLA_MACSEC_REPLAY_PROTECT]) {
156 info->replay_protect =
nla_get_u8(tb[IFLA_MACSEC_REPLAY_PROTECT]);
157 info->ce_mask |= MACSEC_ATTR_REPLAY_PROTECT;
160 if (tb[IFLA_MACSEC_WINDOW]) {
161 info->window =
nla_get_u32(tb[IFLA_MACSEC_WINDOW]);
162 info->ce_mask |= MACSEC_ATTR_WINDOW;
170 static void macsec_free(
struct rtnl_link *link)
176 static const char *values_on_off[] = {
"off",
"on" };
178 static const char *VALIDATE_STR[] = {
179 [MACSEC_VALIDATE_DISABLED] =
"disabled",
180 [MACSEC_VALIDATE_CHECK] =
"check",
181 [MACSEC_VALIDATE_STRICT] =
"strict",
184 static char *replay_protect_str(
char *buf, uint8_t replay_protect, uint8_t window)
186 if (replay_protect == 1) {
187 sprintf(buf,
"replay_protect on window %d", window);
188 }
else if (replay_protect == 0) {
189 sprintf(buf,
"replay_protect off");
197 #define PRINT_FLAG(buf, i, field, c) ({ if (i->field == 1) *buf++ = c; }) 198 static char *flags_str(
char *buf,
unsigned char len,
struct macsec_info *info)
203 PRINT_FLAG(tmp, info, protect,
'P');
204 PRINT_FLAG(tmp, info, encrypt,
'E');
205 PRINT_FLAG(tmp, info, send_sci,
'S');
206 PRINT_FLAG(tmp, info, end_station,
'e');
207 PRINT_FLAG(tmp, info, scb,
's');
208 PRINT_FLAG(tmp, info, replay_protect,
'R');
212 switch (info->validate) {
213 case MACSEC_VALIDATE_DISABLED:
216 case MACSEC_VALIDATE_CHECK:
219 case MACSEC_VALIDATE_STRICT:
226 sprintf(tmp,
" %d", info->encoding_sa);
236 nl_dump(p,
"sci %016llx <%s>", info->sci, flags_str(tmp,
sizeof(tmp), info));
244 nl_dump(p,
" sci %016llx protect %s encoding_sa %d encrypt %s send_sci %s validate %s %s\n",
245 info->sci, values_on_off[info->protect], info->encoding_sa, values_on_off[info->encrypt], values_on_off[info->send_sci],
246 VALIDATE_STR[info->validate],
247 replay_protect_str(tmp, info->replay_protect, info->window));
248 nl_dump(p,
" cipher suite: %016llx, icv_len %d\n",
249 info->cipher_suite, info->icv_len);
270 static int macsec_put_attrs(
struct nl_msg *msg,
struct rtnl_link *link)
278 if (info->ce_mask & MACSEC_ATTR_SCI)
280 else if (info->ce_mask & MACSEC_ATTR_PORT)
281 NLA_PUT_U16(msg, IFLA_MACSEC_PORT, htons(info->port));
283 if ((info->ce_mask & MACSEC_ATTR_ENCRYPT))
284 NLA_PUT_U8(msg, IFLA_MACSEC_ENCRYPT, info->encrypt);
286 if (info->cipher_suite != MACSEC_DEFAULT_CIPHER_ID || info->icv_len != DEFAULT_ICV_LEN) {
287 NLA_PUT_U64(msg, IFLA_MACSEC_CIPHER_SUITE, info->cipher_suite);
288 NLA_PUT_U8(msg, IFLA_MACSEC_ICV_LEN, info->icv_len);
291 if ((info->ce_mask & MACSEC_ATTR_INC_SCI))
292 NLA_PUT_U8(msg, IFLA_MACSEC_INC_SCI, info->send_sci);
294 if ((info->ce_mask & MACSEC_ATTR_ES))
295 NLA_PUT_U8(msg, IFLA_MACSEC_ES, info->end_station);
297 if ((info->ce_mask & MACSEC_ATTR_SCB))
300 if ((info->ce_mask & MACSEC_ATTR_PROTECT))
301 NLA_PUT_U8(msg, IFLA_MACSEC_PROTECT, info->protect);
303 if ((info->ce_mask & MACSEC_ATTR_REPLAY_PROTECT)) {
304 if (info->replay_protect && !(info->ce_mask & MACSEC_ATTR_WINDOW))
307 NLA_PUT_U8(msg, IFLA_MACSEC_REPLAY_PROTECT, info->replay_protect);
308 NLA_PUT_U32(msg, IFLA_MACSEC_WINDOW, info->window);
311 if ((info->ce_mask & MACSEC_ATTR_VALIDATION))
312 NLA_PUT_U8(msg, IFLA_MACSEC_VALIDATION, info->validate);
314 if ((info->ce_mask & MACSEC_ATTR_ENCODING_SA))
315 NLA_PUT_U8(msg, IFLA_MACSEC_ENCODING_SA, info->encoding_sa);
331 uint32_t attrs = flags & LOOSE_COMPARISON ? b->ce_mask : ~0;
333 #define MACSEC_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, MACSEC_ATTR_##ATTR, a, b, EXPR) 335 if (a->ce_mask & MACSEC_ATTR_SCI && b->ce_mask & MACSEC_ATTR_SCI)
336 diff |= MACSEC_DIFF(SCI, a->sci != b->sci);
337 else if (a->ce_mask & MACSEC_ATTR_PORT && b->ce_mask & MACSEC_ATTR_PORT)
338 diff |= MACSEC_DIFF(PORT, a->port != b->port);
340 if (a->ce_mask & MACSEC_ATTR_CIPHER_SUITE && b->ce_mask & MACSEC_ATTR_CIPHER_SUITE) {
341 diff |= MACSEC_DIFF(ICV_LEN, a->icv_len != b->icv_len);
342 diff |= MACSEC_DIFF(CIPHER_SUITE, a->cipher_suite != b->cipher_suite);
345 if (a->ce_mask & MACSEC_ATTR_REPLAY_PROTECT && b->ce_mask & MACSEC_ATTR_REPLAY_PROTECT) {
346 int d = MACSEC_DIFF(REPLAY_PROTECT, a->replay_protect != b->replay_protect);
347 if (a->replay_protect && b->replay_protect)
348 d |= MACSEC_DIFF(WINDOW, a->window != b->window);
352 diff |= MACSEC_DIFF(ENCODING_SA, a->encoding_sa != b->encoding_sa);
353 diff |= MACSEC_DIFF(ENCRYPT, a->encrypt != b->encrypt);
354 diff |= MACSEC_DIFF(PROTECT, a->protect != b->protect);
355 diff |= MACSEC_DIFF(INC_SCI, a->send_sci != b->send_sci);
356 diff |= MACSEC_DIFF(ES, a->end_station != b->end_station);
357 diff |= MACSEC_DIFF(SCB, a->scb != b->scb);
358 diff |= MACSEC_DIFF(VALIDATION, a->validate != b->validate);
365 static struct rtnl_link_info_ops macsec_info_ops = {
367 .io_alloc = macsec_alloc,
368 .io_parse = macsec_parse,
373 .io_clone = macsec_clone,
374 .io_put_attrs = macsec_put_attrs,
375 .io_free = macsec_free,
376 .io_compare = macsec_compare,
379 static void __init macsec_init(
void)
384 static void __exit macsec_exit(
void)
389 #define IS_MACSEC_LINK_ASSERT(link) \ 390 if ((link)->l_info_ops != &macsec_info_ops) { \ 391 APPBUG("Link is not a MACsec link. set type \"macsec\" first."); \ 392 return -NLE_OPNOTSUPP; \ 395 struct rtnl_link *rtnl_link_macsec_alloc(
void)
410 int rtnl_link_macsec_set_sci(
struct rtnl_link *link, uint64_t sci)
414 IS_MACSEC_LINK_ASSERT(link);
417 info->ce_mask |= MACSEC_ATTR_SCI;
422 int rtnl_link_macsec_get_sci(
struct rtnl_link *link, uint64_t *sci)
426 IS_MACSEC_LINK_ASSERT(link);
428 if (!(info->ce_mask & MACSEC_ATTR_SCI))
437 int rtnl_link_macsec_set_port(
struct rtnl_link *link, uint16_t port)
441 IS_MACSEC_LINK_ASSERT(link);
444 info->ce_mask |= MACSEC_ATTR_PORT;
449 int rtnl_link_macsec_get_port(
struct rtnl_link *link, uint16_t *port)
453 IS_MACSEC_LINK_ASSERT(link);
455 if (!(info->ce_mask & MACSEC_ATTR_PORT))
464 int rtnl_link_macsec_set_cipher_suite(
struct rtnl_link *link, uint64_t cipher_suite)
468 IS_MACSEC_LINK_ASSERT(link);
470 info->cipher_suite = cipher_suite;
471 info->ce_mask |= MACSEC_ATTR_CIPHER_SUITE;
476 int rtnl_link_macsec_get_cipher_suite(
struct rtnl_link *link, uint64_t *cs)
480 IS_MACSEC_LINK_ASSERT(link);
482 if (!(info->ce_mask & MACSEC_ATTR_CIPHER_SUITE))
486 *cs = info->cipher_suite;
491 int rtnl_link_macsec_set_icv_len(
struct rtnl_link *link, uint16_t icv_len)
495 IS_MACSEC_LINK_ASSERT(link);
497 if (icv_len > MACSEC_MAX_ICV_LEN)
500 info->icv_len = icv_len;
501 info->ce_mask |= MACSEC_ATTR_ICV_LEN;
506 int rtnl_link_macsec_get_icv_len(
struct rtnl_link *link, uint16_t *icv_len)
510 IS_MACSEC_LINK_ASSERT(link);
512 if (!(info->ce_mask & MACSEC_ATTR_ICV_LEN))
516 *icv_len = info->icv_len;
521 int rtnl_link_macsec_set_protect(
struct rtnl_link *link, uint8_t protect)
525 IS_MACSEC_LINK_ASSERT(link);
530 info->protect = protect;
531 info->ce_mask |= MACSEC_ATTR_PROTECT;
536 int rtnl_link_macsec_get_protect(
struct rtnl_link *link, uint8_t *protect)
540 IS_MACSEC_LINK_ASSERT(link);
542 if (!(info->ce_mask & MACSEC_ATTR_PROTECT))
546 *protect = info->protect;
551 int rtnl_link_macsec_set_encrypt(
struct rtnl_link *link, uint8_t encrypt)
555 IS_MACSEC_LINK_ASSERT(link);
560 info->encrypt = encrypt;
561 info->ce_mask |= MACSEC_ATTR_ENCRYPT;
566 int rtnl_link_macsec_get_encrypt(
struct rtnl_link *link, uint8_t *encrypt)
570 IS_MACSEC_LINK_ASSERT(link);
572 if (!(info->ce_mask & MACSEC_ATTR_ENCRYPT))
576 *encrypt = info->encrypt;
581 int rtnl_link_macsec_set_encoding_sa(
struct rtnl_link *link, uint8_t encoding_sa)
585 IS_MACSEC_LINK_ASSERT(link);
590 info->encoding_sa = encoding_sa;
591 info->ce_mask |= MACSEC_ATTR_ENCODING_SA;
596 int rtnl_link_macsec_get_encoding_sa(
struct rtnl_link *link, uint8_t *encoding_sa)
600 IS_MACSEC_LINK_ASSERT(link);
602 if (!(info->ce_mask & MACSEC_ATTR_ENCODING_SA))
606 *encoding_sa = info->encoding_sa;
611 int rtnl_link_macsec_set_validation_type(
struct rtnl_link *link,
enum macsec_validation_type validate)
615 IS_MACSEC_LINK_ASSERT(link);
620 info->validate = validate;
621 info->ce_mask |= MACSEC_ATTR_VALIDATION;
626 int rtnl_link_macsec_get_validation_type(
struct rtnl_link *link,
enum macsec_validation_type *validate)
630 IS_MACSEC_LINK_ASSERT(link);
632 if (!(info->ce_mask & MACSEC_ATTR_VALIDATION))
636 *validate = info->validate;
641 int rtnl_link_macsec_set_replay_protect(
struct rtnl_link *link, uint8_t replay_protect)
645 IS_MACSEC_LINK_ASSERT(link);
647 if (replay_protect > 1)
650 info->replay_protect = replay_protect;
651 info->ce_mask |= MACSEC_ATTR_REPLAY_PROTECT;
656 int rtnl_link_macsec_get_replay_protect(
struct rtnl_link *link, uint8_t *replay_protect)
660 IS_MACSEC_LINK_ASSERT(link);
662 if (!(info->ce_mask & MACSEC_ATTR_REPLAY_PROTECT))
666 *replay_protect = info->replay_protect;
671 int rtnl_link_macsec_set_window(
struct rtnl_link *link, uint32_t window)
675 IS_MACSEC_LINK_ASSERT(link);
677 info->window = window;
678 info->ce_mask |= MACSEC_ATTR_WINDOW;
683 int rtnl_link_macsec_get_window(
struct rtnl_link *link, uint32_t *window)
687 IS_MACSEC_LINK_ASSERT(link);
689 if (!(info->ce_mask & MACSEC_ATTR_WINDOW))
693 *window = info->window;
698 int rtnl_link_macsec_set_send_sci(
struct rtnl_link *link, uint8_t send_sci)
702 IS_MACSEC_LINK_ASSERT(link);
707 info->send_sci = send_sci;
708 info->ce_mask |= MACSEC_ATTR_INC_SCI;
713 int rtnl_link_macsec_get_send_sci(
struct rtnl_link *link, uint8_t *send_sci)
717 IS_MACSEC_LINK_ASSERT(link);
719 if (!(info->ce_mask & MACSEC_ATTR_INC_SCI))
723 *send_sci = info->send_sci;
728 int rtnl_link_macsec_set_end_station(
struct rtnl_link *link, uint8_t end_station)
732 IS_MACSEC_LINK_ASSERT(link);
737 info->end_station = end_station;
738 info->ce_mask |= MACSEC_ATTR_ES;
743 int rtnl_link_macsec_get_end_station(
struct rtnl_link *link, uint8_t *es)
747 IS_MACSEC_LINK_ASSERT(link);
749 if (!(info->ce_mask & MACSEC_ATTR_ES))
753 *es = info->end_station;
758 int rtnl_link_macsec_set_scb(
struct rtnl_link *link, uint8_t scb)
762 IS_MACSEC_LINK_ASSERT(link);
768 info->ce_mask |= MACSEC_ATTR_SCB;
773 int rtnl_link_macsec_get_scb(
struct rtnl_link *link, uint8_t *scb)
777 IS_MACSEC_LINK_ASSERT(link);
779 if (!(info->ce_mask & MACSEC_ATTR_SCB))
Dump object briefly on one line.
int rtnl_link_register_info(struct rtnl_link_info_ops *ops)
Register operations for a link info type.
Attribute validation policy.
uint8_t nla_get_u8(const struct nlattr *nla)
Return value of 8 bit integer attribute.
struct rtnl_link * rtnl_link_alloc(void)
Allocate link object.
#define NLA_PUT_U64(msg, attrtype, value)
Add 64 bit integer attribute to netlink message.
uint32_t nla_get_u32(const struct nlattr *nla)
Return payload of 32 bit integer attribute.
#define NLA_PUT_U8(msg, attrtype, value)
Add 8 bit integer attribute to netlink message.
Dump all attributes but no statistics.
int nla_nest_end(struct nl_msg *msg, struct nlattr *start)
Finalize nesting of attributes.
int nla_parse_nested(struct nlattr *tb[], int maxtype, struct nlattr *nla, struct nla_policy *policy)
Create attribute index based on nested attribute.
int rtnl_link_set_type(struct rtnl_link *link, const char *type)
Set type of link object.
#define NLA_PUT_U32(msg, attrtype, value)
Add 32 bit integer attribute to netlink message.
int rtnl_link_unregister_info(struct rtnl_link_info_ops *ops)
Unregister operations for a link info type.
uint16_t type
Type of attribute or NLA_UNSPEC.
#define NLA_PUT_U16(msg, attrtype, value)
Add 16 bit integer attribute to netlink message.
uint64_t nla_get_u64(const struct nlattr *nla)
Return payload of u64 attribute.
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
void rtnl_link_put(struct rtnl_link *link)
Return a link object reference.
struct nlattr * nla_nest_start(struct nl_msg *msg, int attrtype)
Start a new level of nested attributes.