| -rw-r--r-- | drivers/net/macsec.c | 72 | ||||
| -rw-r--r-- | include/uapi/linux/if_macsec.h | 11 |
2 files changed, 67 insertions, 16 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 1d025ab9568f..f522715c6595 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c | |||
| @@ -393,7 +393,12 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb) | |||
| 393 | #define MACSEC_PORT_SCB (0x0000) | 393 | #define MACSEC_PORT_SCB (0x0000) |
| 394 | #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) | 394 | #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) |
| 395 | 395 | ||
| 396 | #define DEFAULT_SAK_LEN 16 | 396 | #define MACSEC_GCM_AES_128_SAK_LEN 16 |
| 397 | #define MACSEC_GCM_AES_256_SAK_LEN 32 | ||
| 398 | |||
| 399 | #define MAX_SAK_LEN MACSEC_GCM_AES_256_SAK_LEN | ||
| 400 | |||
| 401 | #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN | ||
| 397 | #define DEFAULT_SEND_SCI true | 402 | #define DEFAULT_SEND_SCI true |
| 398 | #define DEFAULT_ENCRYPT false | 403 | #define DEFAULT_ENCRYPT false |
| 399 | #define DEFAULT_ENCODING_SA 0 | 404 | #define DEFAULT_ENCODING_SA 0 |
| @@ -1600,7 +1605,7 @@ static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { | |||
| 1600 | [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, | 1605 | [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, |
| 1601 | .len = MACSEC_KEYID_LEN, }, | 1606 | .len = MACSEC_KEYID_LEN, }, |
| 1602 | [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, | 1607 | [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, |
| 1603 | .len = MACSEC_MAX_KEY_LEN, }, | 1608 | .len = MAX_SAK_LEN, }, |
| 1604 | }; | 1609 | }; |
| 1605 | 1610 | ||
| 1606 | static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa) | 1611 | static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa) |
| @@ -2362,15 +2367,26 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb) | |||
| 2362 | { | 2367 | { |
| 2363 | struct macsec_tx_sc *tx_sc = &secy->tx_sc; | 2368 | struct macsec_tx_sc *tx_sc = &secy->tx_sc; |
| 2364 | struct nlattr *secy_nest = nla_nest_start(skb, MACSEC_ATTR_SECY); | 2369 | struct nlattr *secy_nest = nla_nest_start(skb, MACSEC_ATTR_SECY); |
| 2370 | u64 csid; | ||
| 2365 | 2371 | ||
| 2366 | if (!secy_nest) | 2372 | if (!secy_nest) |
| 2367 | return 1; | 2373 | return 1; |
| 2368 | 2374 | ||
| 2375 | switch (secy->key_len) { | ||
| 2376 | case MACSEC_GCM_AES_128_SAK_LEN: | ||
| 2377 | csid = MACSEC_CIPHER_ID_GCM_AES_128; | ||
| 2378 | break; | ||
| 2379 | case MACSEC_GCM_AES_256_SAK_LEN: | ||
| 2380 | csid = MACSEC_CIPHER_ID_GCM_AES_256; | ||
| 2381 | break; | ||
| 2382 | default: | ||
| 2383 | goto cancel; | ||
| 2384 | } | ||
| 2385 | |||
| 2369 | if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci, | 2386 | if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci, |
| 2370 | MACSEC_SECY_ATTR_PAD) || | 2387 | MACSEC_SECY_ATTR_PAD) || |
| 2371 | nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE, | 2388 | nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE, |
| 2372 | MACSEC_DEFAULT_CIPHER_ID, | 2389 | csid, MACSEC_SECY_ATTR_PAD) || |
| 2373 | MACSEC_SECY_ATTR_PAD) || | ||
| 2374 | nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) || | 2390 | nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) || |
| 2375 | nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) || | 2391 | nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) || |
| 2376 | nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) || | 2392 | nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) || |
| @@ -3015,8 +3031,8 @@ static void macsec_setup(struct net_device *dev) | |||
| 3015 | eth_zero_addr(dev->broadcast); | 3031 | eth_zero_addr(dev->broadcast); |
| 3016 | } | 3032 | } |
| 3017 | 3033 | ||
| 3018 | static void macsec_changelink_common(struct net_device *dev, | 3034 | static int macsec_changelink_common(struct net_device *dev, |
| 3019 | struct nlattr *data[]) | 3035 | struct nlattr *data[]) |
| 3020 | { | 3036 | { |
| 3021 | struct macsec_secy *secy; | 3037 | struct macsec_secy *secy; |
| 3022 | struct macsec_tx_sc *tx_sc; | 3038 | struct macsec_tx_sc *tx_sc; |
| @@ -3056,6 +3072,22 @@ static void macsec_changelink_common(struct net_device *dev, | |||
| 3056 | 3072 | ||
| 3057 | if (data[IFLA_MACSEC_VALIDATION]) | 3073 | if (data[IFLA_MACSEC_VALIDATION]) |
| 3058 | secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]); | 3074 | secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]); |
| 3075 | |||
| 3076 | if (data[IFLA_MACSEC_CIPHER_SUITE]) { | ||
| 3077 | switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) { | ||
| 3078 | case MACSEC_CIPHER_ID_GCM_AES_128: | ||
| 3079 | case MACSEC_DEFAULT_CIPHER_ALT: | ||
| 3080 | secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; | ||
| 3081 | break; | ||
| 3082 | case MACSEC_CIPHER_ID_GCM_AES_256: | ||
| 3083 | secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; | ||
| 3084 | break; | ||
| 3085 | default: | ||
| 3086 | return -EINVAL; | ||
| 3087 | } | ||
| 3088 | } | ||
| 3089 | |||
| 3090 | return 0; | ||
| 3059 | } | 3091 | } |
| 3060 | 3092 | ||
| 3061 | static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], | 3093 | static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], |
| @@ -3071,9 +3103,7 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], | |||
| 3071 | data[IFLA_MACSEC_PORT]) | 3103 | data[IFLA_MACSEC_PORT]) |
| 3072 | return -EINVAL; | 3104 | return -EINVAL; |
| 3073 | 3105 | ||
| 3074 | macsec_changelink_common(dev, data); | 3106 | return macsec_changelink_common(dev, data); |
| 3075 | |||
| 3076 | return 0; | ||
| 3077 | } | 3107 | } |
| 3078 | 3108 | ||
| 3079 | static void macsec_del_dev(struct macsec_dev *macsec) | 3109 | static void macsec_del_dev(struct macsec_dev *macsec) |
| @@ -3270,8 +3300,11 @@ static int macsec_newlink(struct net *net, struct net_device *dev, | |||
| 3270 | if (err) | 3300 | if (err) |
| 3271 | goto unlink; | 3301 | goto unlink; |
| 3272 | 3302 | ||
| 3273 | if (data) | 3303 | if (data) { |
| 3274 | macsec_changelink_common(dev, data); | 3304 | err = macsec_changelink_common(dev, data); |
| 3305 | if (err) | ||
| 3306 | goto del_dev; | ||
| 3307 | } | ||
| 3275 | 3308 | ||
| 3276 | err = register_macsec_dev(real_dev, dev); | 3309 | err = register_macsec_dev(real_dev, dev); |
| 3277 | if (err < 0) | 3310 | if (err < 0) |
| @@ -3320,7 +3353,8 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[], | |||
| 3320 | } | 3353 | } |
| 3321 | 3354 | ||
| 3322 | switch (csid) { | 3355 | switch (csid) { |
| 3323 | case MACSEC_DEFAULT_CIPHER_ID: | 3356 | case MACSEC_CIPHER_ID_GCM_AES_128: |
| 3357 | case MACSEC_CIPHER_ID_GCM_AES_256: | ||
| 3324 | case MACSEC_DEFAULT_CIPHER_ALT: | 3358 | case MACSEC_DEFAULT_CIPHER_ALT: |
| 3325 | if (icv_len < MACSEC_MIN_ICV_LEN || | 3359 | if (icv_len < MACSEC_MIN_ICV_LEN || |
| 3326 | icv_len > MACSEC_STD_ICV_LEN) | 3360 | icv_len > MACSEC_STD_ICV_LEN) |
| @@ -3390,12 +3424,24 @@ static int macsec_fill_info(struct sk_buff *skb, | |||
| 3390 | { | 3424 | { |
| 3391 | struct macsec_secy *secy = &macsec_priv(dev)->secy; | 3425 | struct macsec_secy *secy = &macsec_priv(dev)->secy; |
| 3392 | struct macsec_tx_sc *tx_sc = &secy->tx_sc; | 3426 | struct macsec_tx_sc *tx_sc = &secy->tx_sc; |
| 3427 | u64 csid; | ||
| 3428 | |||
| 3429 | switch (secy->key_len) { | ||
| 3430 | case MACSEC_GCM_AES_128_SAK_LEN: | ||
| 3431 | csid = MACSEC_CIPHER_ID_GCM_AES_128; | ||
| 3432 | break; | ||
| 3433 | case MACSEC_GCM_AES_256_SAK_LEN: | ||
| 3434 | csid = MACSEC_CIPHER_ID_GCM_AES_256; | ||
| 3435 | break; | ||
| 3436 | default: | ||
| 3437 | goto nla_put_failure; | ||
| 3438 | } | ||
| 3393 | 3439 | ||
| 3394 | if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci, | 3440 | if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci, |
| 3395 | IFLA_MACSEC_PAD) || | 3441 | IFLA_MACSEC_PAD) || |
| 3396 | nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) || | 3442 | nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) || |
| 3397 | nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE, | 3443 | nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE, |
| 3398 | MACSEC_DEFAULT_CIPHER_ID, IFLA_MACSEC_PAD) || | 3444 | csid, IFLA_MACSEC_PAD) || |
| 3399 | nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) || | 3445 | nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) || |
| 3400 | nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) || | 3446 | nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) || |
| 3401 | nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) || | 3447 | nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) || |
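Review bot: In `macsec_changelink_common` the new cipher-suite switch runs after the attribute assignments above it (for example `secy->validate_frames`), so its `return -EINVAL` leaves the SecY partly modified when reached from `macsec_changelink`, which now returns the error directly with no rollback. `macsec_validate_attr` appears to accept the same three IDs beforehand, so the `default:` arm is probably only defensive, but moving the whole `if (data[IFLA_MACSEC_CIPHER_SUITE])` block ahead of the first `secy->`/`tx_sc->` assignment would make the update all-or-nothing regardless. It is also worth confirming that the guard at the top of `macsec_changelink` (only its tail is shown) rejects `IFLA_MACSEC_CIPHER_SUITE`; otherwise `secy->key_len` could change on a device whose installed SAs were keyed at the old length. The function body starts outside the shown hunks.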
diff --git a/include/uapi/linux/if_macsec.h b/include/uapi/linux/if_macsec.h index 719d243471f4..2e522835a4af 100644 --- a/include/uapi/linux/if_macsec.h +++ b/include/uapi/linux/if_macsec.h | |||
| @@ -18,12 +18,17 @@ | |||
| 18 | #define MACSEC_GENL_NAME "macsec" | 18 | #define MACSEC_GENL_NAME "macsec" |
| 19 | #define MACSEC_GENL_VERSION 1 | 19 | #define MACSEC_GENL_VERSION 1 |
| 20 | 20 | ||
| 21 | #define MACSEC_MAX_KEY_LEN 128 | 21 | #define MACSEC_MAX_KEY_LEN 256 |
| 22 | 22 | ||
| 23 | #define MACSEC_KEYID_LEN 16 | 23 | #define MACSEC_KEYID_LEN 16 |
| 24 | 24 | ||
| 25 | #define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL | 25 | /* cipher IDs as per IEEE802.1AEbn-2011 */ |
| 26 | #define MACSEC_DEFAULT_CIPHER_ALT 0x0080C20001000001ULL | 26 | #define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL |
| 27 | #define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL | ||
| 28 | |||
| 29 | #define MACSEC_DEFAULT_CIPHER_ID MACSEC_CIPHER_ID_GCM_AES_128 | ||
| 30 | /* deprecated cipher ID for GCM-AES-128 */ | ||
| 31 | #define MACSEC_DEFAULT_CIPHER_ALT 0x0080020001000001ULL | ||
| 27 | 32 | ||
| 28 | #define MACSEC_MIN_ICV_LEN 8 | 33 | #define MACSEC_MIN_ICV_LEN 8 |
| 29 | #define MACSEC_MAX_ICV_LEN 32 | 34 | #define MACSEC_MAX_ICV_LEN 32 |
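Review bot: `MACSEC_DEFAULT_CIPHER_ID` changes its numeric value in a UAPI header (from `0x0080020001000001ULL` to the value of `MACSEC_CIPHER_ID_GCM_AES_128`), and nothing on the macro records that. Binaries built against the old header still pass validation because the old value is kept as `MACSEC_DEFAULT_CIPHER_ALT`, but the driver now reports the new ID in `macsec_fill_info` and `nla_put_secy`, so a tool that compares the dumped suite with its compiled-in constant will see a mismatch. I would add a comment such as `/* value changed; the former 0x0080020001000001ULL is still accepted as MACSEC_DEFAULT_CIPHER_ALT */`. `MACSEC_MAX_KEY_LEN` going from 128 to 256 also deserves a comment stating its unit, since the driver's SA policy now bounds the key with `MAX_SAK_LEN` (32 bytes) instead.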
