2016-03-12 01:07:33 +08:00
|
|
|
/*
|
|
|
|
* drivers/net/macsec.c - MACsec device
|
|
|
|
*
|
|
|
|
* Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <crypto/aead.h>
|
|
|
|
#include <linux/etherdevice.h>
|
|
|
|
#include <linux/rtnetlink.h>
|
2017-10-20 15:23:43 +08:00
|
|
|
#include <linux/refcount.h>
|
2016-03-12 01:07:33 +08:00
|
|
|
#include <net/genetlink.h>
|
|
|
|
#include <net/sock.h>
|
2016-07-21 00:11:32 +08:00
|
|
|
#include <net/gro_cells.h>
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
#include <uapi/linux/if_macsec.h>
|
|
|
|
|
|
|
|
typedef u64 __bitwise sci_t;
|
|
|
|
|
|
|
|
#define MACSEC_SCI_LEN 8
|
|
|
|
|
|
|
|
/* SecTAG length = macsec_eth_header without the optional SCI */
|
|
|
|
#define MACSEC_TAG_LEN 6
|
|
|
|
|
|
|
|
struct macsec_eth_header {
|
|
|
|
struct ethhdr eth;
|
|
|
|
/* SecTAG */
|
|
|
|
u8 tci_an;
|
|
|
|
#if defined(__LITTLE_ENDIAN_BITFIELD)
|
|
|
|
u8 short_length:6,
|
|
|
|
unused:2;
|
|
|
|
#elif defined(__BIG_ENDIAN_BITFIELD)
|
|
|
|
u8 unused:2,
|
|
|
|
short_length:6;
|
|
|
|
#else
|
|
|
|
#error "Please fix <asm/byteorder.h>"
|
|
|
|
#endif
|
|
|
|
__be32 packet_number;
|
|
|
|
u8 secure_channel_id[8]; /* optional */
|
|
|
|
} __packed;
|
|
|
|
|
|
|
|
#define MACSEC_TCI_VERSION 0x80
|
|
|
|
#define MACSEC_TCI_ES 0x40 /* end station */
|
|
|
|
#define MACSEC_TCI_SC 0x20 /* SCI present */
|
|
|
|
#define MACSEC_TCI_SCB 0x10 /* epon */
|
|
|
|
#define MACSEC_TCI_E 0x08 /* encryption */
|
|
|
|
#define MACSEC_TCI_C 0x04 /* changed text */
|
|
|
|
#define MACSEC_AN_MASK 0x03 /* association number */
|
|
|
|
#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
|
|
|
|
|
|
|
|
/* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */
|
|
|
|
#define MIN_NON_SHORT_LEN 48
|
|
|
|
|
|
|
|
#define GCM_AES_IV_LEN 12
|
|
|
|
#define DEFAULT_ICV_LEN 16
|
|
|
|
|
|
|
|
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
|
|
|
|
|
2018-09-21 03:33:08 +08:00
|
|
|
#define for_each_rxsc(secy, sc) \
|
2016-03-12 01:07:33 +08:00
|
|
|
for (sc = rcu_dereference_bh(secy->rx_sc); \
|
2018-09-21 03:33:08 +08:00
|
|
|
sc; \
|
2016-03-12 01:07:33 +08:00
|
|
|
sc = rcu_dereference_bh(sc->next))
|
|
|
|
#define for_each_rxsc_rtnl(secy, sc) \
|
|
|
|
for (sc = rtnl_dereference(secy->rx_sc); \
|
|
|
|
sc; \
|
|
|
|
sc = rtnl_dereference(sc->next))
|
|
|
|
|
|
|
|
struct gcm_iv {
|
|
|
|
union {
|
|
|
|
u8 secure_channel_id[8];
|
|
|
|
sci_t sci;
|
|
|
|
};
|
|
|
|
__be32 pn;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_key - SA key
|
|
|
|
* @id: user-provided key identifier
|
|
|
|
* @tfm: crypto struct, key storage
|
|
|
|
*/
|
|
|
|
struct macsec_key {
|
2016-05-08 02:19:29 +08:00
|
|
|
u8 id[MACSEC_KEYID_LEN];
|
2016-03-12 01:07:33 +08:00
|
|
|
struct crypto_aead *tfm;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct macsec_rx_sc_stats {
|
|
|
|
__u64 InOctetsValidated;
|
|
|
|
__u64 InOctetsDecrypted;
|
|
|
|
__u64 InPktsUnchecked;
|
|
|
|
__u64 InPktsDelayed;
|
|
|
|
__u64 InPktsOK;
|
|
|
|
__u64 InPktsInvalid;
|
|
|
|
__u64 InPktsLate;
|
|
|
|
__u64 InPktsNotValid;
|
|
|
|
__u64 InPktsNotUsingSA;
|
|
|
|
__u64 InPktsUnusedSA;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct macsec_rx_sa_stats {
|
|
|
|
__u32 InPktsOK;
|
|
|
|
__u32 InPktsInvalid;
|
|
|
|
__u32 InPktsNotValid;
|
|
|
|
__u32 InPktsNotUsingSA;
|
|
|
|
__u32 InPktsUnusedSA;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct macsec_tx_sa_stats {
|
|
|
|
__u32 OutPktsProtected;
|
|
|
|
__u32 OutPktsEncrypted;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct macsec_tx_sc_stats {
|
|
|
|
__u64 OutPktsProtected;
|
|
|
|
__u64 OutPktsEncrypted;
|
|
|
|
__u64 OutOctetsProtected;
|
|
|
|
__u64 OutOctetsEncrypted;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct macsec_dev_stats {
|
|
|
|
__u64 OutPktsUntagged;
|
|
|
|
__u64 InPktsUntagged;
|
|
|
|
__u64 OutPktsTooLong;
|
|
|
|
__u64 InPktsNoTag;
|
|
|
|
__u64 InPktsBadTag;
|
|
|
|
__u64 InPktsUnknownSCI;
|
|
|
|
__u64 InPktsNoSCI;
|
|
|
|
__u64 InPktsOverrun;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_rx_sa - receive secure association
|
|
|
|
* @active:
|
|
|
|
* @next_pn: packet number expected for the next packet
|
|
|
|
* @lock: protects next_pn manipulations
|
|
|
|
* @key: key structure
|
|
|
|
* @stats: per-SA stats
|
|
|
|
*/
|
|
|
|
struct macsec_rx_sa {
|
|
|
|
struct macsec_key key;
|
|
|
|
spinlock_t lock;
|
|
|
|
u32 next_pn;
|
2017-10-20 15:23:43 +08:00
|
|
|
refcount_t refcnt;
|
2016-03-12 01:07:33 +08:00
|
|
|
bool active;
|
|
|
|
struct macsec_rx_sa_stats __percpu *stats;
|
|
|
|
struct macsec_rx_sc *sc;
|
|
|
|
struct rcu_head rcu;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct pcpu_rx_sc_stats {
|
|
|
|
struct macsec_rx_sc_stats stats;
|
|
|
|
struct u64_stats_sync syncp;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_rx_sc - receive secure channel
|
|
|
|
* @sci: secure channel identifier for this SC
|
|
|
|
* @active: channel is active
|
|
|
|
* @sa: array of secure associations
|
|
|
|
* @stats: per-SC stats
|
|
|
|
*/
|
|
|
|
struct macsec_rx_sc {
|
|
|
|
struct macsec_rx_sc __rcu *next;
|
|
|
|
sci_t sci;
|
|
|
|
bool active;
|
|
|
|
struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
|
|
|
|
struct pcpu_rx_sc_stats __percpu *stats;
|
2017-10-20 15:23:44 +08:00
|
|
|
refcount_t refcnt;
|
2016-03-12 01:07:33 +08:00
|
|
|
struct rcu_head rcu_head;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_tx_sa - transmit secure association
|
|
|
|
* @active:
|
|
|
|
* @next_pn: packet number to use for the next packet
|
|
|
|
* @lock: protects next_pn manipulations
|
|
|
|
* @key: key structure
|
|
|
|
* @stats: per-SA stats
|
|
|
|
*/
|
|
|
|
struct macsec_tx_sa {
|
|
|
|
struct macsec_key key;
|
|
|
|
spinlock_t lock;
|
|
|
|
u32 next_pn;
|
2017-10-20 15:23:45 +08:00
|
|
|
refcount_t refcnt;
|
2016-03-12 01:07:33 +08:00
|
|
|
bool active;
|
|
|
|
struct macsec_tx_sa_stats __percpu *stats;
|
|
|
|
struct rcu_head rcu;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct pcpu_tx_sc_stats {
|
|
|
|
struct macsec_tx_sc_stats stats;
|
|
|
|
struct u64_stats_sync syncp;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_tx_sc - transmit secure channel
|
|
|
|
* @active:
|
|
|
|
* @encoding_sa: association number of the SA currently in use
|
|
|
|
* @encrypt: encrypt packets on transmit, or authenticate only
|
|
|
|
* @send_sci: always include the SCI in the SecTAG
|
|
|
|
* @end_station:
|
|
|
|
* @scb: single copy broadcast flag
|
|
|
|
* @sa: array of secure associations
|
|
|
|
* @stats: stats for this TXSC
|
|
|
|
*/
|
|
|
|
struct macsec_tx_sc {
|
|
|
|
bool active;
|
|
|
|
u8 encoding_sa;
|
|
|
|
bool encrypt;
|
|
|
|
bool send_sci;
|
|
|
|
bool end_station;
|
|
|
|
bool scb;
|
|
|
|
struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
|
|
|
|
struct pcpu_tx_sc_stats __percpu *stats;
|
|
|
|
};
|
|
|
|
|
|
|
|
#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_secy - MACsec Security Entity
|
|
|
|
* @netdev: netdevice for this SecY
|
|
|
|
* @n_rx_sc: number of receive secure channels configured on this SecY
|
|
|
|
* @sci: secure channel identifier used for tx
|
|
|
|
* @key_len: length of keys used by the cipher suite
|
|
|
|
* @icv_len: length of ICV used by the cipher suite
|
|
|
|
* @validate_frames: validation mode
|
|
|
|
* @operational: MAC_Operational flag
|
|
|
|
* @protect_frames: enable protection for this SecY
|
|
|
|
* @replay_protect: enable packet number checks on receive
|
|
|
|
* @replay_window: size of the replay window
|
|
|
|
* @tx_sc: transmit secure channel
|
|
|
|
* @rx_sc: linked list of receive secure channels
|
|
|
|
*/
|
|
|
|
struct macsec_secy {
|
|
|
|
struct net_device *netdev;
|
|
|
|
unsigned int n_rx_sc;
|
|
|
|
sci_t sci;
|
|
|
|
u16 key_len;
|
|
|
|
u16 icv_len;
|
|
|
|
enum macsec_validation_type validate_frames;
|
|
|
|
bool operational;
|
|
|
|
bool protect_frames;
|
|
|
|
bool replay_protect;
|
|
|
|
u32 replay_window;
|
|
|
|
struct macsec_tx_sc tx_sc;
|
|
|
|
struct macsec_rx_sc __rcu *rx_sc;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct pcpu_secy_stats {
|
|
|
|
struct macsec_dev_stats stats;
|
|
|
|
struct u64_stats_sync syncp;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_dev - private data
|
|
|
|
* @secy: SecY config
|
|
|
|
* @real_dev: pointer to underlying netdevice
|
|
|
|
* @stats: MACsec device stats
|
|
|
|
* @secys: linked list of SecY's on the underlying device
|
|
|
|
*/
|
|
|
|
struct macsec_dev {
|
|
|
|
struct macsec_secy secy;
|
|
|
|
struct net_device *real_dev;
|
|
|
|
struct pcpu_secy_stats __percpu *stats;
|
|
|
|
struct list_head secys;
|
2016-07-21 00:11:32 +08:00
|
|
|
struct gro_cells gro_cells;
|
2016-08-12 22:10:32 +08:00
|
|
|
unsigned int nest_level;
|
2016-03-12 01:07:33 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* struct macsec_rxh_data - rx_handler private argument
|
|
|
|
* @secys: linked list of SecY's on this underlying device
|
|
|
|
*/
|
|
|
|
struct macsec_rxh_data {
|
|
|
|
struct list_head secys;
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct macsec_dev *macsec_priv(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return (struct macsec_dev *)netdev_priv(dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return rcu_dereference_bh(dev->rx_handler_data);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return rtnl_dereference(dev->rx_handler_data);
|
|
|
|
}
|
|
|
|
|
|
|
|
struct macsec_cb {
|
|
|
|
struct aead_request *req;
|
|
|
|
union {
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
};
|
|
|
|
u8 assoc_num;
|
|
|
|
bool valid;
|
|
|
|
bool has_sci;
|
|
|
|
};
|
|
|
|
|
|
|
|
static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
|
|
|
|
|
|
|
|
if (!sa || !sa->active)
|
|
|
|
return NULL;
|
|
|
|
|
2017-10-20 15:23:43 +08:00
|
|
|
if (!refcount_inc_not_zero(&sa->refcnt))
|
2016-03-12 01:07:33 +08:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return sa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void free_rx_sc_rcu(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
|
|
|
|
|
|
|
|
free_percpu(rx_sc->stats);
|
|
|
|
kfree(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
|
|
|
|
{
|
2017-10-20 15:23:44 +08:00
|
|
|
return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_rxsc_put(struct macsec_rx_sc *sc)
|
|
|
|
{
|
2017-10-20 15:23:44 +08:00
|
|
|
if (refcount_dec_and_test(&sc->refcnt))
|
2016-03-12 01:07:33 +08:00
|
|
|
call_rcu(&sc->rcu_head, free_rx_sc_rcu);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void free_rxsa(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
|
|
|
|
|
|
|
|
crypto_free_aead(sa->key.tfm);
|
|
|
|
free_percpu(sa->stats);
|
|
|
|
kfree(sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_rxsa_put(struct macsec_rx_sa *sa)
|
|
|
|
{
|
2017-10-20 15:23:43 +08:00
|
|
|
if (refcount_dec_and_test(&sa->refcnt))
|
2016-03-12 01:07:33 +08:00
|
|
|
call_rcu(&sa->rcu, free_rxsa);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
|
|
|
|
{
|
|
|
|
struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
|
|
|
|
|
|
|
|
if (!sa || !sa->active)
|
|
|
|
return NULL;
|
|
|
|
|
2017-10-20 15:23:45 +08:00
|
|
|
if (!refcount_inc_not_zero(&sa->refcnt))
|
2016-03-12 01:07:33 +08:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
return sa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void free_txsa(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
|
|
|
|
|
|
|
|
crypto_free_aead(sa->key.tfm);
|
|
|
|
free_percpu(sa->stats);
|
|
|
|
kfree(sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_txsa_put(struct macsec_tx_sa *sa)
|
|
|
|
{
|
2017-10-20 15:23:45 +08:00
|
|
|
if (refcount_dec_and_test(&sa->refcnt))
|
2016-03-12 01:07:33 +08:00
|
|
|
call_rcu(&sa->rcu, free_txsa);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
|
|
|
|
return (struct macsec_cb *)skb->cb;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define MACSEC_PORT_ES (htons(0x0001))
|
|
|
|
#define MACSEC_PORT_SCB (0x0000)
|
|
|
|
#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
|
|
|
|
|
2018-01-05 21:33:31 +08:00
|
|
|
#define MACSEC_GCM_AES_128_SAK_LEN 16
|
|
|
|
#define MACSEC_GCM_AES_256_SAK_LEN 32
|
|
|
|
|
|
|
|
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
|
2016-03-12 01:07:33 +08:00
|
|
|
#define DEFAULT_SEND_SCI true
|
|
|
|
#define DEFAULT_ENCRYPT false
|
|
|
|
#define DEFAULT_ENCODING_SA 0
|
|
|
|
|
2016-10-24 21:44:26 +08:00
|
|
|
static bool send_sci(const struct macsec_secy *secy)
|
|
|
|
{
|
|
|
|
const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
|
|
|
|
|
|
return tx_sc->send_sci ||
|
|
|
|
(secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static sci_t make_sci(u8 *addr, __be16 port)
|
|
|
|
{
|
|
|
|
sci_t sci;
|
|
|
|
|
|
|
|
memcpy(&sci, addr, ETH_ALEN);
|
|
|
|
memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
|
|
|
|
|
|
|
|
return sci;
|
|
|
|
}
|
|
|
|
|
|
|
|
static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
|
|
|
|
{
|
|
|
|
sci_t sci;
|
|
|
|
|
|
|
|
if (sci_present)
|
|
|
|
memcpy(&sci, hdr->secure_channel_id,
|
|
|
|
sizeof(hdr->secure_channel_id));
|
|
|
|
else
|
|
|
|
sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
|
|
|
|
|
|
|
|
return sci;
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned int macsec_sectag_len(bool sci_present)
|
|
|
|
{
|
|
|
|
return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned int macsec_hdr_len(bool sci_present)
|
|
|
|
{
|
|
|
|
return macsec_sectag_len(sci_present) + ETH_HLEN;
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned int macsec_extra_len(bool sci_present)
|
|
|
|
{
|
|
|
|
return macsec_sectag_len(sci_present) + sizeof(__be16);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */
|
|
|
|
static void macsec_fill_sectag(struct macsec_eth_header *h,
|
2016-10-24 21:44:26 +08:00
|
|
|
const struct macsec_secy *secy, u32 pn,
|
|
|
|
bool sci_present)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
|
|
|
2016-10-24 21:44:26 +08:00
|
|
|
memset(&h->tci_an, 0, macsec_sectag_len(sci_present));
|
2016-03-12 01:07:33 +08:00
|
|
|
h->eth.h_proto = htons(ETH_P_MACSEC);
|
|
|
|
|
2016-10-24 21:44:26 +08:00
|
|
|
if (sci_present) {
|
2016-03-12 01:07:33 +08:00
|
|
|
h->tci_an |= MACSEC_TCI_SC;
|
|
|
|
memcpy(&h->secure_channel_id, &secy->sci,
|
|
|
|
sizeof(h->secure_channel_id));
|
|
|
|
} else {
|
|
|
|
if (tx_sc->end_station)
|
|
|
|
h->tci_an |= MACSEC_TCI_ES;
|
|
|
|
if (tx_sc->scb)
|
|
|
|
h->tci_an |= MACSEC_TCI_SCB;
|
|
|
|
}
|
|
|
|
|
|
|
|
h->packet_number = htonl(pn);
|
|
|
|
|
|
|
|
/* with GCM, C/E clear for !encrypt, both set for encrypt */
|
|
|
|
if (tx_sc->encrypt)
|
|
|
|
h->tci_an |= MACSEC_TCI_CONFID;
|
|
|
|
else if (secy->icv_len != DEFAULT_ICV_LEN)
|
|
|
|
h->tci_an |= MACSEC_TCI_C;
|
|
|
|
|
|
|
|
h->tci_an |= tx_sc->encoding_sa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
|
|
|
|
{
|
|
|
|
if (data_len < MIN_NON_SHORT_LEN)
|
|
|
|
h->short_length = data_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* validate MACsec packet according to IEEE 802.1AE-2006 9.12 */
|
|
|
|
static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
|
|
|
|
{
|
|
|
|
struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
|
|
|
|
int len = skb->len - 2 * ETH_ALEN;
|
|
|
|
int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
|
|
|
|
|
|
|
|
/* a) It comprises at least 17 octets */
|
|
|
|
if (skb->len <= 16)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* b) MACsec EtherType: already checked */
|
|
|
|
|
|
|
|
/* c) V bit is clear */
|
|
|
|
if (h->tci_an & MACSEC_TCI_VERSION)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* d) ES or SCB => !SC */
|
|
|
|
if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
|
|
|
|
(h->tci_an & MACSEC_TCI_SC))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */
|
|
|
|
if (h->unused)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* rx.pn != 0 (figure 10-5) */
|
|
|
|
if (!h->packet_number)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* length check, f) g) h) i) */
|
|
|
|
if (h->short_length)
|
|
|
|
return len == extra_len + h->short_length;
|
|
|
|
return len >= extra_len + MIN_NON_SHORT_LEN;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
|
2016-07-22 21:07:56 +08:00
|
|
|
#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
|
|
|
|
{
|
|
|
|
struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
|
|
|
|
|
|
|
|
gcm_iv->sci = sci;
|
|
|
|
gcm_iv->pn = htonl(pn);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return (struct macsec_eth_header *)skb_mac_header(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 tx_sa_update_pn(struct macsec_tx_sa *tx_sa, struct macsec_secy *secy)
|
|
|
|
{
|
|
|
|
u32 pn;
|
|
|
|
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
|
|
pn = tx_sa->next_pn;
|
|
|
|
|
|
|
|
tx_sa->next_pn++;
|
|
|
|
if (tx_sa->next_pn == 0) {
|
|
|
|
pr_debug("PN wrapped, transitioning to !oper\n");
|
|
|
|
tx_sa->active = false;
|
|
|
|
if (secy->protect_frames)
|
|
|
|
secy->operational = false;
|
|
|
|
}
|
|
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
|
|
|
|
|
|
return pn;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = netdev_priv(dev);
|
|
|
|
|
|
|
|
skb->dev = macsec->real_dev;
|
|
|
|
skb_reset_mac_header(skb);
|
|
|
|
skb->protocol = eth_hdr(skb)->h_proto;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
|
|
|
|
struct macsec_tx_sa *tx_sa)
|
|
|
|
{
|
|
|
|
struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
|
|
|
|
|
|
|
|
u64_stats_update_begin(&txsc_stats->syncp);
|
|
|
|
if (tx_sc->encrypt) {
|
|
|
|
txsc_stats->stats.OutOctetsEncrypted += skb->len;
|
|
|
|
txsc_stats->stats.OutPktsEncrypted++;
|
|
|
|
this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
|
|
|
|
} else {
|
|
|
|
txsc_stats->stats.OutOctetsProtected += skb->len;
|
|
|
|
txsc_stats->stats.OutPktsProtected++;
|
|
|
|
this_cpu_inc(tx_sa->stats->OutPktsProtected);
|
|
|
|
}
|
|
|
|
u64_stats_update_end(&txsc_stats->syncp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void count_tx(struct net_device *dev, int ret, int len)
|
|
|
|
{
|
|
|
|
if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
|
|
|
|
struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
|
|
|
|
|
|
|
|
u64_stats_update_begin(&stats->syncp);
|
|
|
|
stats->tx_packets++;
|
|
|
|
stats->tx_bytes += len;
|
|
|
|
u64_stats_update_end(&stats->syncp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_encrypt_done(struct crypto_async_request *base, int err)
|
|
|
|
{
|
|
|
|
struct sk_buff *skb = base->data;
|
|
|
|
struct net_device *dev = skb->dev;
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
|
|
|
|
int len, ret;
|
|
|
|
|
|
|
|
aead_request_free(macsec_skb_cb(skb)->req);
|
|
|
|
|
|
|
|
rcu_read_lock_bh();
|
|
|
|
macsec_encrypt_finish(skb, dev);
|
|
|
|
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
|
|
|
|
len = skb->len;
|
|
|
|
ret = dev_queue_xmit(skb);
|
|
|
|
count_tx(dev, ret, len);
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
macsec_txsa_put(sa);
|
|
|
|
dev_put(dev);
|
|
|
|
}
|
|
|
|
|
2016-06-14 21:25:15 +08:00
|
|
|
static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
|
|
|
|
unsigned char **iv,
|
2017-04-26 01:08:18 +08:00
|
|
|
struct scatterlist **sg,
|
|
|
|
int num_frags)
|
2016-06-14 21:25:15 +08:00
|
|
|
{
|
|
|
|
size_t size, iv_offset, sg_offset;
|
|
|
|
struct aead_request *req;
|
|
|
|
void *tmp;
|
|
|
|
|
|
|
|
size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
|
|
|
|
iv_offset = size;
|
|
|
|
size += GCM_AES_IV_LEN;
|
|
|
|
|
|
|
|
size = ALIGN(size, __alignof__(struct scatterlist));
|
|
|
|
sg_offset = size;
|
2017-04-26 01:08:18 +08:00
|
|
|
size += sizeof(struct scatterlist) * num_frags;
|
2016-06-14 21:25:15 +08:00
|
|
|
|
|
|
|
tmp = kmalloc(size, GFP_ATOMIC);
|
|
|
|
if (!tmp)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
*iv = (unsigned char *)(tmp + iv_offset);
|
|
|
|
*sg = (struct scatterlist *)(tmp + sg_offset);
|
|
|
|
req = tmp;
|
|
|
|
|
|
|
|
aead_request_set_tfm(req, tfm);
|
|
|
|
|
|
|
|
return req;
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
|
|
|
|
struct net_device *dev)
|
|
|
|
{
|
|
|
|
int ret;
|
2016-06-14 21:25:15 +08:00
|
|
|
struct scatterlist *sg;
|
2017-04-26 01:08:18 +08:00
|
|
|
struct sk_buff *trailer;
|
2016-06-14 21:25:15 +08:00
|
|
|
unsigned char *iv;
|
2016-03-12 01:07:33 +08:00
|
|
|
struct ethhdr *eth;
|
|
|
|
struct macsec_eth_header *hh;
|
|
|
|
size_t unprotected_len;
|
|
|
|
struct aead_request *req;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
2016-10-24 21:44:26 +08:00
|
|
|
bool sci_present;
|
2016-03-12 01:07:33 +08:00
|
|
|
u32 pn;
|
|
|
|
|
|
|
|
secy = &macsec->secy;
|
|
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
|
|
|
|
/* 10.5.1 TX SA assignment */
|
|
|
|
tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
|
|
|
|
if (!tx_sa) {
|
|
|
|
secy->operational = false;
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
|
|
|
|
skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
|
|
|
|
struct sk_buff *nskb = skb_copy_expand(skb,
|
|
|
|
MACSEC_NEEDED_HEADROOM,
|
|
|
|
MACSEC_NEEDED_TAILROOM,
|
|
|
|
GFP_ATOMIC);
|
|
|
|
if (likely(nskb)) {
|
|
|
|
consume_skb(skb);
|
|
|
|
skb = nskb;
|
|
|
|
} else {
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
|
|
if (!skb) {
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
unprotected_len = skb->len;
|
|
|
|
eth = eth_hdr(skb);
|
2016-10-24 21:44:26 +08:00
|
|
|
sci_present = send_sci(secy);
|
networking: make skb_push & __skb_push return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions return void * and remove all the casts across
the tree, adding a (u8 *) cast only where the unsigned char pointer
was used directly, all done with the following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_push, __skb_push, skb_push_rcsum };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_push, __skb_push, skb_push_rcsum };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
@@
expression SKB, LEN;
identifier fn = { skb_push, __skb_push, skb_push_rcsum };
@@
- fn(SKB, LEN)[0]
+ *(u8 *)fn(SKB, LEN)
Note that the last part there converts from push(...)[0] to the
more idiomatic *(u8 *)push(...).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 20:29:23 +08:00
|
|
|
hh = skb_push(skb, macsec_extra_len(sci_present));
|
2016-03-12 01:07:33 +08:00
|
|
|
memmove(hh, eth, 2 * ETH_ALEN);
|
|
|
|
|
|
|
|
pn = tx_sa_update_pn(tx_sa, secy);
|
|
|
|
if (pn == 0) {
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-ENOLINK);
|
|
|
|
}
|
2016-10-24 21:44:26 +08:00
|
|
|
macsec_fill_sectag(hh, secy, pn, sci_present);
|
2016-03-12 01:07:33 +08:00
|
|
|
macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
|
|
|
|
|
|
|
|
skb_put(skb, secy->icv_len);
|
|
|
|
|
|
|
|
if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
|
|
|
|
struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.OutPktsTooLong++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
|
2017-04-26 01:08:18 +08:00
|
|
|
ret = skb_cow_data(skb, 0, &trailer);
|
|
|
|
if (unlikely(ret < 0)) {
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
}
|
|
|
|
|
|
|
|
req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!req) {
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
}
|
|
|
|
|
2016-06-14 21:25:15 +08:00
|
|
|
macsec_fill_iv(iv, secy->sci, pn);
|
|
|
|
|
2017-04-26 01:08:18 +08:00
|
|
|
sg_init_table(sg, ret);
|
2017-06-04 10:16:25 +08:00
|
|
|
ret = skb_to_sgvec(skb, sg, 0, skb->len);
|
|
|
|
if (unlikely(ret < 0)) {
|
2017-10-10 23:07:12 +08:00
|
|
|
aead_request_free(req);
|
2017-06-04 10:16:25 +08:00
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (tx_sc->encrypt) {
|
2016-10-24 21:44:26 +08:00
|
|
|
int len = skb->len - macsec_hdr_len(sci_present) -
|
2016-03-12 01:07:33 +08:00
|
|
|
secy->icv_len;
|
|
|
|
aead_request_set_crypt(req, sg, sg, len, iv);
|
2016-10-24 21:44:26 +08:00
|
|
|
aead_request_set_ad(req, macsec_hdr_len(sci_present));
|
2016-03-12 01:07:33 +08:00
|
|
|
} else {
|
|
|
|
aead_request_set_crypt(req, sg, sg, 0, iv);
|
|
|
|
aead_request_set_ad(req, skb->len - secy->icv_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
macsec_skb_cb(skb)->req = req;
|
|
|
|
macsec_skb_cb(skb)->tx_sa = tx_sa;
|
|
|
|
aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
|
|
|
|
|
|
|
|
dev_hold(skb->dev);
|
|
|
|
ret = crypto_aead_encrypt(req);
|
|
|
|
if (ret == -EINPROGRESS) {
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
} else if (ret != 0) {
|
|
|
|
dev_put(skb->dev);
|
|
|
|
kfree_skb(skb);
|
|
|
|
aead_request_free(req);
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
dev_put(skb->dev);
|
|
|
|
aead_request_free(req);
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
|
|
|
struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
|
|
|
|
struct macsec_eth_header *hdr = macsec_ethhdr(skb);
|
|
|
|
u32 lowest_pn = 0;
|
|
|
|
|
|
|
|
spin_lock(&rx_sa->lock);
|
|
|
|
if (rx_sa->next_pn >= secy->replay_window)
|
|
|
|
lowest_pn = rx_sa->next_pn - secy->replay_window;
|
|
|
|
|
|
|
|
/* Now perform replay protection check again
|
|
|
|
* (see IEEE 802.1AE-2006 figure 10-5)
|
|
|
|
*/
|
|
|
|
if (secy->replay_protect && pn < lowest_pn) {
|
|
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
rxsc_stats->stats.InPktsLate++;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_E)
|
|
|
|
rxsc_stats->stats.InOctetsDecrypted += skb->len;
|
|
|
|
else
|
|
|
|
rxsc_stats->stats.InOctetsValidated += skb->len;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!macsec_skb_cb(skb)->valid) {
|
|
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
|
|
|
|
/* 10.6.5 */
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
|
|
secy->validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
rxsc_stats->stats.InPktsNotValid++;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
|
|
|
|
rxsc_stats->stats.InPktsInvalid++;
|
|
|
|
this_cpu_inc(rx_sa->stats->InPktsInvalid);
|
|
|
|
} else if (pn < lowest_pn) {
|
|
|
|
rxsc_stats->stats.InPktsDelayed++;
|
|
|
|
} else {
|
|
|
|
rxsc_stats->stats.InPktsUnchecked++;
|
|
|
|
}
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
} else {
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
if (pn < lowest_pn) {
|
|
|
|
rxsc_stats->stats.InPktsDelayed++;
|
|
|
|
} else {
|
|
|
|
rxsc_stats->stats.InPktsOK++;
|
|
|
|
this_cpu_inc(rx_sa->stats->InPktsOK);
|
|
|
|
}
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
|
|
|
|
if (pn >= rx_sa->next_pn)
|
|
|
|
rx_sa->next_pn = pn + 1;
|
|
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
|
|
|
|
{
|
|
|
|
skb->pkt_type = PACKET_HOST;
|
|
|
|
skb->protocol = eth_type_trans(skb, dev);
|
|
|
|
|
|
|
|
skb_reset_network_header(skb);
|
|
|
|
if (!skb_transport_header_was_set(skb))
|
|
|
|
skb_reset_transport_header(skb);
|
|
|
|
skb_reset_mac_len(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
|
|
|
|
{
|
|
|
|
memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
|
|
|
|
skb_pull(skb, hdr_len);
|
|
|
|
pskb_trim_unique(skb, skb->len - icv_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void count_rx(struct net_device *dev, int len)
|
|
|
|
{
|
|
|
|
struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
|
|
|
|
|
|
|
|
u64_stats_update_begin(&stats->syncp);
|
|
|
|
stats->rx_packets++;
|
|
|
|
stats->rx_bytes += len;
|
|
|
|
u64_stats_update_end(&stats->syncp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_decrypt_done(struct crypto_async_request *base, int err)
|
|
|
|
{
|
|
|
|
struct sk_buff *skb = base->data;
|
|
|
|
struct net_device *dev = skb->dev;
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
2016-07-29 21:37:53 +08:00
|
|
|
struct macsec_rx_sc *rx_sc = rx_sa->sc;
|
2017-05-20 06:25:44 +08:00
|
|
|
int len;
|
2016-03-12 01:07:33 +08:00
|
|
|
u32 pn;
|
|
|
|
|
|
|
|
aead_request_free(macsec_skb_cb(skb)->req);
|
|
|
|
|
2017-02-21 17:40:45 +08:00
|
|
|
if (!err)
|
|
|
|
macsec_skb_cb(skb)->valid = true;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
rcu_read_lock_bh();
|
|
|
|
pn = ntohl(macsec_ethhdr(skb)->packet_number);
|
|
|
|
if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
kfree_skb(skb);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
macsec_finalize_skb(skb, macsec->secy.icv_len,
|
|
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
|
|
macsec_reset_skb(skb, macsec->secy.netdev);
|
|
|
|
|
|
|
|
len = skb->len;
|
2017-05-20 06:25:44 +08:00
|
|
|
if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS)
|
2016-03-12 01:07:33 +08:00
|
|
|
count_rx(dev, len);
|
|
|
|
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
|
|
|
|
out:
|
|
|
|
macsec_rxsa_put(rx_sa);
|
2016-07-29 21:37:53 +08:00
|
|
|
macsec_rxsc_put(rx_sc);
|
2016-03-12 01:07:33 +08:00
|
|
|
dev_put(dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
|
|
|
|
struct net_device *dev,
|
|
|
|
struct macsec_rx_sa *rx_sa,
|
|
|
|
sci_t sci,
|
|
|
|
struct macsec_secy *secy)
|
|
|
|
{
|
|
|
|
int ret;
|
2016-06-14 21:25:15 +08:00
|
|
|
struct scatterlist *sg;
|
2017-04-26 01:08:18 +08:00
|
|
|
struct sk_buff *trailer;
|
2016-06-14 21:25:15 +08:00
|
|
|
unsigned char *iv;
|
2016-03-12 01:07:33 +08:00
|
|
|
struct aead_request *req;
|
|
|
|
struct macsec_eth_header *hdr;
|
|
|
|
u16 icv_len = secy->icv_len;
|
|
|
|
|
|
|
|
macsec_skb_cb(skb)->valid = false;
|
|
|
|
skb = skb_share_check(skb, GFP_ATOMIC);
|
|
|
|
if (!skb)
|
2016-04-22 17:28:04 +08:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
2017-04-26 01:08:18 +08:00
|
|
|
ret = skb_cow_data(skb, 0, &trailer);
|
|
|
|
if (unlikely(ret < 0)) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
}
|
|
|
|
req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!req) {
|
|
|
|
kfree_skb(skb);
|
2016-04-22 17:28:04 +08:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
hdr = (struct macsec_eth_header *)skb->data;
|
|
|
|
macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
|
|
|
|
|
2017-04-26 01:08:18 +08:00
|
|
|
sg_init_table(sg, ret);
|
2017-06-04 10:16:25 +08:00
|
|
|
ret = skb_to_sgvec(skb, sg, 0, skb->len);
|
|
|
|
if (unlikely(ret < 0)) {
|
2017-10-10 23:07:12 +08:00
|
|
|
aead_request_free(req);
|
2017-06-04 10:16:25 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_E) {
|
|
|
|
/* confidentiality: ethernet + macsec header
|
|
|
|
* authenticated, encrypted payload
|
|
|
|
*/
|
|
|
|
int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci);
|
|
|
|
|
|
|
|
aead_request_set_crypt(req, sg, sg, len, iv);
|
|
|
|
aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci));
|
|
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
|
|
if (!skb) {
|
|
|
|
aead_request_free(req);
|
2016-04-22 17:28:04 +08:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* integrity only: all headers + data authenticated */
|
|
|
|
aead_request_set_crypt(req, sg, sg, icv_len, iv);
|
|
|
|
aead_request_set_ad(req, skb->len - icv_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
macsec_skb_cb(skb)->req = req;
|
|
|
|
skb->dev = dev;
|
|
|
|
aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
|
|
|
|
|
|
|
|
dev_hold(dev);
|
|
|
|
ret = crypto_aead_decrypt(req);
|
|
|
|
if (ret == -EINPROGRESS) {
|
2016-04-22 17:28:04 +08:00
|
|
|
return ERR_PTR(ret);
|
2016-03-12 01:07:33 +08:00
|
|
|
} else if (ret != 0) {
|
|
|
|
/* decryption/authentication failed
|
|
|
|
* 10.6 if validateFrames is disabled, deliver anyway
|
|
|
|
*/
|
|
|
|
if (ret != -EBADMSG) {
|
|
|
|
kfree_skb(skb);
|
2016-04-22 17:28:04 +08:00
|
|
|
skb = ERR_PTR(ret);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
macsec_skb_cb(skb)->valid = true;
|
|
|
|
}
|
|
|
|
dev_put(dev);
|
|
|
|
|
|
|
|
aead_request_free(req);
|
|
|
|
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
|
|
|
|
for_each_rxsc(secy, rx_sc) {
|
|
|
|
if (rx_sc->sci == sci)
|
|
|
|
return rx_sc;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
|
|
|
|
for_each_rxsc_rtnl(secy, rx_sc) {
|
|
|
|
if (rx_sc->sci == sci)
|
|
|
|
return rx_sc;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void handle_not_macsec(struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
struct macsec_dev *macsec;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
rxd = macsec_data_rcu(skb->dev);
|
|
|
|
|
|
|
|
/* 10.6 If the management control validateFrames is not
|
|
|
|
* Strict, frames without a SecTAG are received, counted, and
|
|
|
|
* delivered to the Controlled Port
|
|
|
|
*/
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
|
|
struct sk_buff *nskb;
|
|
|
|
struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
|
|
|
|
if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.InPktsNoTag++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* deliver on this port */
|
|
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
if (!nskb)
|
|
|
|
break;
|
|
|
|
|
|
|
|
nskb->dev = macsec->secy.netdev;
|
|
|
|
|
2017-05-20 06:25:44 +08:00
|
|
|
if (netif_rx(nskb) == NET_RX_SUCCESS) {
|
2016-03-12 01:07:33 +08:00
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.InPktsUntagged++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
}
|
|
|
|
|
|
|
|
static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
|
|
|
{
|
|
|
|
struct sk_buff *skb = *pskb;
|
|
|
|
struct net_device *dev = skb->dev;
|
|
|
|
struct macsec_eth_header *hdr;
|
|
|
|
struct macsec_secy *secy = NULL;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
struct macsec_dev *macsec;
|
|
|
|
sci_t sci;
|
|
|
|
u32 pn;
|
|
|
|
bool cbit;
|
|
|
|
struct pcpu_rx_sc_stats *rxsc_stats;
|
|
|
|
struct pcpu_secy_stats *secy_stats;
|
|
|
|
bool pulled_sci;
|
2016-07-21 00:11:32 +08:00
|
|
|
int ret;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (skb_headroom(skb) < ETH_HLEN)
|
|
|
|
goto drop_direct;
|
|
|
|
|
|
|
|
hdr = macsec_ethhdr(skb);
|
|
|
|
if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) {
|
|
|
|
handle_not_macsec(skb);
|
|
|
|
|
|
|
|
/* and deliver to the uncontrolled port */
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
}
|
|
|
|
|
|
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
|
|
if (!skb) {
|
|
|
|
*pskb = NULL;
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
}
|
|
|
|
|
|
|
|
pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
|
|
|
|
if (!pulled_sci) {
|
|
|
|
if (!pskb_may_pull(skb, macsec_extra_len(false)))
|
|
|
|
goto drop_direct;
|
|
|
|
}
|
|
|
|
|
|
|
|
hdr = macsec_ethhdr(skb);
|
|
|
|
|
|
|
|
/* Frames with a SecTAG that has the TCI E bit set but the C
|
|
|
|
* bit clear are discarded, as this reserved encoding is used
|
|
|
|
* to identify frames with a SecTAG that are not to be
|
|
|
|
* delivered to the Controlled Port.
|
|
|
|
*/
|
|
|
|
if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E)
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
|
|
|
|
/* now, pull the extra length */
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_SC) {
|
|
|
|
if (!pulled_sci)
|
|
|
|
goto drop_direct;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ethernet header is part of crypto processing */
|
|
|
|
skb_push(skb, ETH_HLEN);
|
|
|
|
|
|
|
|
macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
|
|
|
|
macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
|
|
|
|
sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
rxd = macsec_data_rcu(skb->dev);
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
|
|
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
|
2018-09-21 03:33:08 +08:00
|
|
|
|
2016-07-29 21:37:53 +08:00
|
|
|
sc = sc ? macsec_rxsc_get(sc) : NULL;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (sc) {
|
|
|
|
secy = &macsec->secy;
|
|
|
|
rx_sc = sc;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!secy)
|
|
|
|
goto nosci;
|
|
|
|
|
|
|
|
dev = secy->netdev;
|
|
|
|
macsec = macsec_priv(dev);
|
|
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
rxsc_stats = this_cpu_ptr(rx_sc->stats);
|
|
|
|
|
|
|
|
if (!macsec_validate_skb(skb, secy->icv_len)) {
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.InPktsBadTag++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
goto drop_nosa;
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]);
|
|
|
|
if (!rx_sa) {
|
|
|
|
/* 10.6.1 if the SA is not in use */
|
|
|
|
|
|
|
|
/* If validateFrames is Strict or the C bit in the
|
|
|
|
* SecTAG is set, discard
|
|
|
|
*/
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
|
|
secy->validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
rxsc_stats->stats.InPktsNotUsingSA++;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
goto drop_nosa;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* not Strict, the frame (with the SecTAG and ICV
|
|
|
|
* removed) is delivered to the Controlled Port.
|
|
|
|
*/
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
rxsc_stats->stats.InPktsUnusedSA++;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
goto deliver;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* First, PN check to avoid decrypting obviously wrong packets */
|
|
|
|
pn = ntohl(hdr->packet_number);
|
|
|
|
if (secy->replay_protect) {
|
|
|
|
bool late;
|
|
|
|
|
|
|
|
spin_lock(&rx_sa->lock);
|
|
|
|
late = rx_sa->next_pn >= secy->replay_window &&
|
|
|
|
pn < (rx_sa->next_pn - secy->replay_window);
|
|
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
|
|
|
|
if (late) {
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
|
|
rxsc_stats->stats.InPktsLate++;
|
|
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
goto drop;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-26 18:24:53 +08:00
|
|
|
macsec_skb_cb(skb)->rx_sa = rx_sa;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
/* Disabled && !changed text => skip validation */
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
|
|
secy->validate_frames != MACSEC_VALIDATE_DISABLED)
|
|
|
|
skb = macsec_decrypt(skb, dev, rx_sa, sci, secy);
|
|
|
|
|
2016-04-22 17:28:04 +08:00
|
|
|
if (IS_ERR(skb)) {
|
|
|
|
/* the decrypt callback needs the reference */
|
2016-07-29 21:37:53 +08:00
|
|
|
if (PTR_ERR(skb) != -EINPROGRESS) {
|
2016-04-22 17:28:04 +08:00
|
|
|
macsec_rxsa_put(rx_sa);
|
2016-07-29 21:37:53 +08:00
|
|
|
macsec_rxsc_put(rx_sc);
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
*pskb = NULL;
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!macsec_post_decrypt(skb, secy, pn))
|
|
|
|
goto drop;
|
|
|
|
|
|
|
|
deliver:
|
|
|
|
macsec_finalize_skb(skb, secy->icv_len,
|
|
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
|
|
macsec_reset_skb(skb, secy->netdev);
|
|
|
|
|
2016-04-22 17:28:03 +08:00
|
|
|
if (rx_sa)
|
|
|
|
macsec_rxsa_put(rx_sa);
|
2016-07-29 21:37:53 +08:00
|
|
|
macsec_rxsc_put(rx_sc);
|
2016-07-21 00:11:32 +08:00
|
|
|
|
|
|
|
ret = gro_cells_receive(&macsec->gro_cells, skb);
|
|
|
|
if (ret == NET_RX_SUCCESS)
|
|
|
|
count_rx(dev, skb->len);
|
|
|
|
else
|
|
|
|
macsec->secy.netdev->stats.rx_dropped++;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
2016-07-21 00:11:32 +08:00
|
|
|
*pskb = NULL;
|
|
|
|
return RX_HANDLER_CONSUMED;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
drop:
|
|
|
|
macsec_rxsa_put(rx_sa);
|
|
|
|
drop_nosa:
|
2016-07-29 21:37:53 +08:00
|
|
|
macsec_rxsc_put(rx_sc);
|
2016-03-12 01:07:33 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
drop_direct:
|
|
|
|
kfree_skb(skb);
|
|
|
|
*pskb = NULL;
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
|
|
|
|
nosci:
|
|
|
|
/* 10.6.1 if the SC is not found */
|
|
|
|
cbit = !!(hdr->tci_an & MACSEC_TCI_C);
|
|
|
|
if (!cbit)
|
|
|
|
macsec_finalize_skb(skb, DEFAULT_ICV_LEN,
|
|
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
|
|
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
|
|
struct sk_buff *nskb;
|
|
|
|
|
|
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
|
|
|
|
/* If validateFrames is Strict or the C bit in the
|
|
|
|
* SecTAG is set, discard
|
|
|
|
*/
|
|
|
|
if (cbit ||
|
|
|
|
macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.InPktsNoSCI++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* not strict, the frame (with the SecTAG and ICV
|
|
|
|
* removed) is delivered to the Controlled Port.
|
|
|
|
*/
|
|
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
if (!nskb)
|
|
|
|
break;
|
|
|
|
|
|
|
|
macsec_reset_skb(nskb, macsec->secy.netdev);
|
|
|
|
|
|
|
|
ret = netif_rx(nskb);
|
|
|
|
if (ret == NET_RX_SUCCESS) {
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.InPktsUnknownSCI++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
} else {
|
|
|
|
macsec->secy.netdev->stats.rx_dropped++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
*pskb = skb;
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
|
|
|
|
{
|
|
|
|
struct crypto_aead *tfm;
|
|
|
|
int ret;
|
|
|
|
|
2016-06-14 21:25:16 +08:00
|
|
|
tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
|
2016-07-22 21:07:57 +08:00
|
|
|
|
|
|
|
if (IS_ERR(tfm))
|
|
|
|
return tfm;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
ret = crypto_aead_setkey(tfm, key, key_len);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (ret < 0)
|
|
|
|
goto fail;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
ret = crypto_aead_setauthsize(tfm, icv_len);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (ret < 0)
|
|
|
|
goto fail;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
return tfm;
|
2016-07-22 21:07:57 +08:00
|
|
|
fail:
|
|
|
|
crypto_free_aead(tfm);
|
|
|
|
return ERR_PTR(ret);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
|
|
|
|
int icv_len)
|
|
|
|
{
|
|
|
|
rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats);
|
|
|
|
if (!rx_sa->stats)
|
2016-07-22 21:07:57 +08:00
|
|
|
return -ENOMEM;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (IS_ERR(rx_sa->key.tfm)) {
|
2016-03-12 01:07:33 +08:00
|
|
|
free_percpu(rx_sa->stats);
|
2016-07-22 21:07:57 +08:00
|
|
|
return PTR_ERR(rx_sa->key.tfm);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
rx_sa->active = false;
|
|
|
|
rx_sa->next_pn = 1;
|
2017-10-20 15:23:43 +08:00
|
|
|
refcount_set(&rx_sa->refcnt, 1);
|
2016-03-12 01:07:33 +08:00
|
|
|
spin_lock_init(&rx_sa->lock);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void clear_rx_sa(struct macsec_rx_sa *rx_sa)
|
|
|
|
{
|
|
|
|
rx_sa->active = false;
|
|
|
|
|
|
|
|
macsec_rxsa_put(rx_sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void free_rx_sc(struct macsec_rx_sc *rx_sc)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < MACSEC_NUM_AN; i++) {
|
|
|
|
struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]);
|
|
|
|
|
|
|
|
RCU_INIT_POINTER(rx_sc->sa[i], NULL);
|
|
|
|
if (sa)
|
|
|
|
clear_rx_sa(sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
macsec_rxsc_put(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc, __rcu **rx_scp;
|
|
|
|
|
|
|
|
for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp);
|
|
|
|
rx_sc;
|
|
|
|
rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) {
|
|
|
|
if (rx_sc->sci == sci) {
|
|
|
|
if (rx_sc->active)
|
|
|
|
secy->n_rx_sc--;
|
|
|
|
rcu_assign_pointer(*rx_scp, rx_sc->next);
|
|
|
|
return rx_sc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_dev *macsec;
|
|
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
|
|
|
|
list_for_each_entry(macsec, &rxd->secys, secys) {
|
|
|
|
if (find_rx_sc_rtnl(&macsec->secy, sci))
|
|
|
|
return ERR_PTR(-EEXIST);
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL);
|
|
|
|
if (!rx_sc)
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats);
|
|
|
|
if (!rx_sc->stats) {
|
|
|
|
kfree(rx_sc);
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_sc->sci = sci;
|
|
|
|
rx_sc->active = true;
|
2017-10-20 15:23:44 +08:00
|
|
|
refcount_set(&rx_sc->refcnt, 1);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
rcu_assign_pointer(rx_sc->next, secy->rx_sc);
|
|
|
|
rcu_assign_pointer(secy->rx_sc, rx_sc);
|
|
|
|
|
|
|
|
if (rx_sc->active)
|
|
|
|
secy->n_rx_sc++;
|
|
|
|
|
|
|
|
return rx_sc;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
|
|
|
|
int icv_len)
|
|
|
|
{
|
|
|
|
tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats);
|
|
|
|
if (!tx_sa->stats)
|
2016-07-22 21:07:57 +08:00
|
|
|
return -ENOMEM;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (IS_ERR(tx_sa->key.tfm)) {
|
2016-03-12 01:07:33 +08:00
|
|
|
free_percpu(tx_sa->stats);
|
2016-07-22 21:07:57 +08:00
|
|
|
return PTR_ERR(tx_sa->key.tfm);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
tx_sa->active = false;
|
2017-10-20 15:23:45 +08:00
|
|
|
refcount_set(&tx_sa->refcnt, 1);
|
2016-03-12 01:07:33 +08:00
|
|
|
spin_lock_init(&tx_sa->lock);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void clear_tx_sa(struct macsec_tx_sa *tx_sa)
|
|
|
|
{
|
|
|
|
tx_sa->active = false;
|
|
|
|
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
}
|
|
|
|
|
2016-10-24 20:40:03 +08:00
|
|
|
static struct genl_family macsec_fam;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
static struct net_device *get_dev_from_nl(struct net *net,
|
|
|
|
struct nlattr **attrs)
|
|
|
|
{
|
|
|
|
int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]);
|
|
|
|
struct net_device *dev;
|
|
|
|
|
|
|
|
dev = __dev_get_by_index(net, ifindex);
|
|
|
|
if (!dev)
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
|
|
if (!netif_is_macsec(dev))
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
|
|
return dev;
|
|
|
|
}
|
|
|
|
|
|
|
|
static sci_t nla_get_sci(const struct nlattr *nla)
|
|
|
|
{
|
|
|
|
return (__force sci_t)nla_get_u64(nla);
|
|
|
|
}
|
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value,
|
|
|
|
int padattr)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
2016-04-26 16:06:11 +08:00
|
|
|
return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
|
|
|
|
struct nlattr **attrs,
|
|
|
|
struct nlattr **tb_sa,
|
|
|
|
struct net_device **devp,
|
|
|
|
struct macsec_secy **secyp,
|
|
|
|
struct macsec_tx_sc **scp,
|
|
|
|
u8 *assoc_num)
|
|
|
|
{
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
|
|
|
|
if (!tb_sa[MACSEC_SA_ATTR_AN])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
*assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
|
|
|
|
dev = get_dev_from_nl(net, attrs);
|
|
|
|
if (IS_ERR(dev))
|
|
|
|
return ERR_CAST(dev);
|
|
|
|
|
|
|
|
if (*assoc_num >= MACSEC_NUM_AN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
|
|
|
|
tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]);
|
|
|
|
if (!tx_sa)
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
|
|
*devp = dev;
|
|
|
|
*scp = tx_sc;
|
|
|
|
*secyp = secy;
|
|
|
|
return tx_sa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net,
|
|
|
|
struct nlattr **attrs,
|
|
|
|
struct nlattr **tb_rxsc,
|
|
|
|
struct net_device **devp,
|
|
|
|
struct macsec_secy **secyp)
|
|
|
|
{
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
sci_t sci;
|
|
|
|
|
|
|
|
dev = get_dev_from_nl(net, attrs);
|
|
|
|
if (IS_ERR(dev))
|
|
|
|
return ERR_CAST(dev);
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
|
|
|
|
if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
|
|
rx_sc = find_rx_sc_rtnl(secy, sci);
|
|
|
|
if (!rx_sc)
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
|
|
*secyp = secy;
|
|
|
|
*devp = dev;
|
|
|
|
|
|
|
|
return rx_sc;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net,
|
|
|
|
struct nlattr **attrs,
|
|
|
|
struct nlattr **tb_rxsc,
|
|
|
|
struct nlattr **tb_sa,
|
|
|
|
struct net_device **devp,
|
|
|
|
struct macsec_secy **secyp,
|
|
|
|
struct macsec_rx_sc **scp,
|
|
|
|
u8 *assoc_num)
|
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
|
|
|
|
if (!tb_sa[MACSEC_SA_ATTR_AN])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
*assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
if (*assoc_num >= MACSEC_NUM_AN)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp);
|
|
|
|
if (IS_ERR(rx_sc))
|
|
|
|
return ERR_CAST(rx_sc);
|
|
|
|
|
|
|
|
rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]);
|
|
|
|
if (!rx_sa)
|
|
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
|
|
|
|
*scp = rx_sc;
|
|
|
|
return rx_sa;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = {
|
|
|
|
[MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 },
|
|
|
|
[MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED },
|
|
|
|
[MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED },
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = {
|
|
|
|
[MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 },
|
|
|
|
[MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 },
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
|
|
|
|
[MACSEC_SA_ATTR_AN] = { .type = NLA_U8 },
|
|
|
|
[MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 },
|
|
|
|
[MACSEC_SA_ATTR_PN] = { .type = NLA_U32 },
|
2016-05-08 02:19:29 +08:00
|
|
|
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
|
|
|
|
.len = MACSEC_KEYID_LEN, },
|
2016-03-12 01:07:33 +08:00
|
|
|
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
|
2018-01-19 00:48:18 +08:00
|
|
|
.len = MACSEC_MAX_KEY_LEN, },
|
2016-03-12 01:07:33 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_ATTR_SA_CONFIG])
|
|
|
|
return -EINVAL;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 20:07:28 +08:00
|
|
|
if (nla_parse_nested_deprecated(tb_sa, MACSEC_SA_ATTR_MAX, attrs[MACSEC_ATTR_SA_CONFIG], macsec_genl_sa_policy, NULL))
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_ATTR_RXSC_CONFIG])
|
|
|
|
return -EINVAL;
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 20:07:28 +08:00
|
|
|
if (nla_parse_nested_deprecated(tb_rxsc, MACSEC_RXSC_ATTR_MAX, attrs[MACSEC_ATTR_RXSC_CONFIG], macsec_genl_rxsc_policy, NULL))
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool validate_add_rxsa(struct nlattr **attrs)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
|
|
!attrs[MACSEC_SA_ATTR_KEY] ||
|
|
|
|
!attrs[MACSEC_SA_ATTR_KEYID])
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-05-08 02:19:29 +08:00
|
|
|
if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
|
|
|
|
return false;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct net_device *dev;
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
unsigned char assoc_num;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
2016-07-22 21:07:57 +08:00
|
|
|
int err;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_add_rxsa(tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
|
2016-07-29 21:37:54 +08:00
|
|
|
if (IS_ERR(rx_sc)) {
|
2016-03-12 01:07:33 +08:00
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
|
|
|
|
pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n",
|
|
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
|
|
|
|
if (rx_sa) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EBUSY;
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (!rx_sa) {
|
2016-03-12 01:07:33 +08:00
|
|
|
rtnl_unlock();
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
2016-07-22 21:07:57 +08:00
|
|
|
err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
|
|
secy->key_len, secy->icv_len);
|
|
|
|
if (err < 0) {
|
|
|
|
kfree(rx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
|
|
spin_lock_bh(&rx_sa->lock);
|
|
|
|
rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
|
|
spin_unlock_bh(&rx_sa->lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
|
|
rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
|
2016-05-18 19:34:40 +08:00
|
|
|
nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
|
2016-03-12 01:07:33 +08:00
|
|
|
rx_sa->sc = rx_sc;
|
|
|
|
rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool validate_add_rxsc(struct nlattr **attrs)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_RXSC_ATTR_SCI])
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) {
|
|
|
|
if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct net_device *dev;
|
|
|
|
sci_t sci = MACSEC_UNDEF_SCI;
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_add_rxsc(tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
dev = get_dev_from_nl(genl_info_net(info), attrs);
|
|
|
|
if (IS_ERR(dev)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
|
|
|
|
|
|
rx_sc = create_rx_sc(dev, sci);
|
|
|
|
if (IS_ERR(rx_sc)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
|
|
|
|
rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool validate_add_txsa(struct nlattr **attrs)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
|
|
!attrs[MACSEC_SA_ATTR_PN] ||
|
|
|
|
!attrs[MACSEC_SA_ATTR_KEY] ||
|
|
|
|
!attrs[MACSEC_SA_ATTR_KEYID])
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-05-08 02:19:29 +08:00
|
|
|
if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
|
|
|
|
return false;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct net_device *dev;
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
unsigned char assoc_num;
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
2016-07-22 21:07:57 +08:00
|
|
|
int err;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_add_txsa(tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
dev = get_dev_from_nl(genl_info_net(info), attrs);
|
|
|
|
if (IS_ERR(dev)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
|
|
|
|
assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
|
|
|
|
pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n",
|
|
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
|
|
|
|
if (tx_sa) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EBUSY;
|
|
|
|
}
|
|
|
|
|
|
|
|
tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL);
|
2016-07-22 21:07:57 +08:00
|
|
|
if (!tx_sa) {
|
2016-03-12 01:07:33 +08:00
|
|
|
rtnl_unlock();
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
2016-07-22 21:07:57 +08:00
|
|
|
err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
|
|
secy->key_len, secy->icv_len);
|
|
|
|
if (err < 0) {
|
|
|
|
kfree(tx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2016-05-18 19:34:40 +08:00
|
|
|
nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
|
|
tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
|
|
tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
|
|
|
|
if (assoc_num == tx_sc->encoding_sa && tx_sa->active)
|
|
|
|
secy->operational = true;
|
|
|
|
|
|
|
|
rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
u8 assoc_num;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
|
|
|
|
&dev, &secy, &rx_sc, &assoc_num);
|
|
|
|
if (IS_ERR(rx_sa)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(rx_sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (rx_sa->active) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EBUSY;
|
|
|
|
}
|
|
|
|
|
|
|
|
RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL);
|
|
|
|
clear_rx_sa(rx_sa);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
sci_t sci;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
dev = get_dev_from_nl(genl_info_net(info), info->attrs);
|
|
|
|
if (IS_ERR(dev)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
|
|
|
|
|
|
rx_sc = del_rx_sc(secy, sci);
|
|
|
|
if (!rx_sc) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return -ENODEV;
|
|
|
|
}
|
|
|
|
|
|
|
|
free_rx_sc(rx_sc);
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
u8 assoc_num;
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
|
|
|
|
&dev, &secy, &tx_sc, &assoc_num);
|
|
|
|
if (IS_ERR(tx_sa)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(tx_sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tx_sa->active) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return -EBUSY;
|
|
|
|
}
|
|
|
|
|
|
|
|
RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL);
|
|
|
|
clear_tx_sa(tx_sa);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool validate_upd_sa(struct nlattr **attrs)
|
|
|
|
{
|
|
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
|
|
attrs[MACSEC_SA_ATTR_KEY] ||
|
|
|
|
attrs[MACSEC_SA_ATTR_KEYID])
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
u8 assoc_num;
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_upd_sa(tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
|
|
|
|
&dev, &secy, &tx_sc, &assoc_num);
|
|
|
|
if (IS_ERR(tx_sa)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(tx_sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
|
|
tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
|
|
tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
|
|
|
|
if (assoc_num == tx_sc->encoding_sa)
|
|
|
|
secy->operational = tx_sa->active;
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
u8 assoc_num;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_upd_sa(tb_sa))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
|
|
|
|
&dev, &secy, &rx_sc, &assoc_num);
|
|
|
|
if (IS_ERR(rx_sa)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(rx_sa);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
|
|
spin_lock_bh(&rx_sa->lock);
|
|
|
|
rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
|
|
spin_unlock_bh(&rx_sa->lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
|
|
rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
|
|
{
|
|
|
|
struct nlattr **attrs = info->attrs;
|
|
|
|
struct net_device *dev;
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
|
|
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!validate_add_rxsc(tb_rxsc))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rtnl_lock();
|
|
|
|
rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
|
|
|
|
if (IS_ERR(rx_sc)) {
|
|
|
|
rtnl_unlock();
|
|
|
|
return PTR_ERR(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) {
|
|
|
|
bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
|
|
|
|
|
|
|
|
if (rx_sc->active != new)
|
|
|
|
secy->n_rx_sc += new ? 1 : -1;
|
|
|
|
|
|
|
|
rx_sc->active = new;
|
|
|
|
}
|
|
|
|
|
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int copy_tx_sa_stats(struct sk_buff *skb,
|
2018-09-21 03:33:08 +08:00
|
|
|
struct macsec_tx_sa_stats __percpu *pstats)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_tx_sa_stats sum = {0, };
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
const struct macsec_tx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
|
|
|
|
|
|
|
|
sum.OutPktsProtected += stats->OutPktsProtected;
|
|
|
|
sum.OutPktsEncrypted += stats->OutPktsEncrypted;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED, sum.OutPktsProtected) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED, sum.OutPktsEncrypted))
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-04-02 04:59:09 +08:00
|
|
|
static noinline_for_stack int
|
|
|
|
copy_rx_sa_stats(struct sk_buff *skb,
|
|
|
|
struct macsec_rx_sa_stats __percpu *pstats)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_rx_sa_stats sum = {0, };
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
const struct macsec_rx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
|
|
|
|
|
|
|
|
sum.InPktsOK += stats->InPktsOK;
|
|
|
|
sum.InPktsInvalid += stats->InPktsInvalid;
|
|
|
|
sum.InPktsNotValid += stats->InPktsNotValid;
|
|
|
|
sum.InPktsNotUsingSA += stats->InPktsNotUsingSA;
|
|
|
|
sum.InPktsUnusedSA += stats->InPktsUnusedSA;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum.InPktsOK) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID, sum.InPktsInvalid) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID, sum.InPktsNotValid) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA, sum.InPktsNotUsingSA) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA, sum.InPktsUnusedSA))
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-04-02 04:59:09 +08:00
|
|
|
static noinline_for_stack int
|
|
|
|
copy_rx_sc_stats(struct sk_buff *skb, struct pcpu_rx_sc_stats __percpu *pstats)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_rx_sc_stats sum = {0, };
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
const struct pcpu_rx_sc_stats *stats;
|
|
|
|
struct macsec_rx_sc_stats tmp;
|
|
|
|
unsigned int start;
|
|
|
|
|
|
|
|
stats = per_cpu_ptr(pstats, cpu);
|
|
|
|
do {
|
|
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
|
|
|
|
sum.InOctetsValidated += tmp.InOctetsValidated;
|
|
|
|
sum.InOctetsDecrypted += tmp.InOctetsDecrypted;
|
|
|
|
sum.InPktsUnchecked += tmp.InPktsUnchecked;
|
|
|
|
sum.InPktsDelayed += tmp.InPktsDelayed;
|
|
|
|
sum.InPktsOK += tmp.InPktsOK;
|
|
|
|
sum.InPktsInvalid += tmp.InPktsInvalid;
|
|
|
|
sum.InPktsLate += tmp.InPktsLate;
|
|
|
|
sum.InPktsNotValid += tmp.InPktsNotValid;
|
|
|
|
sum.InPktsNotUsingSA += tmp.InPktsNotUsingSA;
|
|
|
|
sum.InPktsUnusedSA += tmp.InPktsUnusedSA;
|
|
|
|
}
|
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED,
|
|
|
|
sum.InOctetsValidated,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED,
|
|
|
|
sum.InOctetsDecrypted,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED,
|
|
|
|
sum.InPktsUnchecked,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED,
|
|
|
|
sum.InPktsDelayed,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK,
|
|
|
|
sum.InPktsOK,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID,
|
|
|
|
sum.InPktsInvalid,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE,
|
|
|
|
sum.InPktsLate,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID,
|
|
|
|
sum.InPktsNotValid,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA,
|
|
|
|
sum.InPktsNotUsingSA,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA,
|
|
|
|
sum.InPktsUnusedSA,
|
|
|
|
MACSEC_RXSC_STATS_ATTR_PAD))
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-04-02 04:59:09 +08:00
|
|
|
static noinline_for_stack int
|
|
|
|
copy_tx_sc_stats(struct sk_buff *skb, struct pcpu_tx_sc_stats __percpu *pstats)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_tx_sc_stats sum = {0, };
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
const struct pcpu_tx_sc_stats *stats;
|
|
|
|
struct macsec_tx_sc_stats tmp;
|
|
|
|
unsigned int start;
|
|
|
|
|
|
|
|
stats = per_cpu_ptr(pstats, cpu);
|
|
|
|
do {
|
|
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
|
|
|
|
sum.OutPktsProtected += tmp.OutPktsProtected;
|
|
|
|
sum.OutPktsEncrypted += tmp.OutPktsEncrypted;
|
|
|
|
sum.OutOctetsProtected += tmp.OutOctetsProtected;
|
|
|
|
sum.OutOctetsEncrypted += tmp.OutOctetsEncrypted;
|
|
|
|
}
|
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED,
|
|
|
|
sum.OutPktsProtected,
|
|
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED,
|
|
|
|
sum.OutPktsEncrypted,
|
|
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED,
|
|
|
|
sum.OutOctetsProtected,
|
|
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED,
|
|
|
|
sum.OutOctetsEncrypted,
|
|
|
|
MACSEC_TXSC_STATS_ATTR_PAD))
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-04-02 04:59:09 +08:00
|
|
|
static noinline_for_stack int
|
|
|
|
copy_secy_stats(struct sk_buff *skb, struct pcpu_secy_stats __percpu *pstats)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_dev_stats sum = {0, };
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
const struct pcpu_secy_stats *stats;
|
|
|
|
struct macsec_dev_stats tmp;
|
|
|
|
unsigned int start;
|
|
|
|
|
|
|
|
stats = per_cpu_ptr(pstats, cpu);
|
|
|
|
do {
|
|
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
|
|
|
|
sum.OutPktsUntagged += tmp.OutPktsUntagged;
|
|
|
|
sum.InPktsUntagged += tmp.InPktsUntagged;
|
|
|
|
sum.OutPktsTooLong += tmp.OutPktsTooLong;
|
|
|
|
sum.InPktsNoTag += tmp.InPktsNoTag;
|
|
|
|
sum.InPktsBadTag += tmp.InPktsBadTag;
|
|
|
|
sum.InPktsUnknownSCI += tmp.InPktsUnknownSCI;
|
|
|
|
sum.InPktsNoSCI += tmp.InPktsNoSCI;
|
|
|
|
sum.InPktsOverrun += tmp.InPktsOverrun;
|
|
|
|
}
|
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED,
|
|
|
|
sum.OutPktsUntagged,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED,
|
|
|
|
sum.InPktsUntagged,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG,
|
|
|
|
sum.OutPktsTooLong,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG,
|
|
|
|
sum.InPktsNoTag,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG,
|
|
|
|
sum.InPktsBadTag,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI,
|
|
|
|
sum.InPktsUnknownSCI,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI,
|
|
|
|
sum.InPktsNoSCI,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN,
|
|
|
|
sum.InPktsOverrun,
|
|
|
|
MACSEC_SECY_STATS_ATTR_PAD))
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EMSGSIZE;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
2019-04-26 17:13:06 +08:00
|
|
|
struct nlattr *secy_nest = nla_nest_start_noflag(skb,
|
|
|
|
MACSEC_ATTR_SECY);
|
2018-01-05 21:33:31 +08:00
|
|
|
u64 csid;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (!secy_nest)
|
|
|
|
return 1;
|
|
|
|
|
2018-01-05 21:33:31 +08:00
|
|
|
switch (secy->key_len) {
|
|
|
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
2018-01-19 00:48:18 +08:00
|
|
|
csid = MACSEC_DEFAULT_CIPHER_ID;
|
2018-01-05 21:33:31 +08:00
|
|
|
break;
|
|
|
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
|
|
|
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
goto cancel;
|
|
|
|
}
|
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci,
|
|
|
|
MACSEC_SECY_ATTR_PAD) ||
|
|
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE,
|
2018-01-05 21:33:31 +08:00
|
|
|
csid, MACSEC_SECY_ATTR_PAD) ||
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) ||
|
|
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa))
|
|
|
|
goto cancel;
|
|
|
|
|
|
|
|
if (secy->replay_protect) {
|
|
|
|
if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window))
|
|
|
|
goto cancel;
|
|
|
|
}
|
|
|
|
|
|
|
|
nla_nest_end(skb, secy_nest);
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
cancel:
|
|
|
|
nla_nest_cancel(skb, secy_nest);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2019-04-02 04:59:09 +08:00
|
|
|
static noinline_for_stack int
|
|
|
|
dump_secy(struct macsec_secy *secy, struct net_device *dev,
|
|
|
|
struct sk_buff *skb, struct netlink_callback *cb)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
|
|
struct nlattr *txsa_list, *rxsc_list;
|
|
|
|
int i, j;
|
|
|
|
void *hdr;
|
|
|
|
struct nlattr *attr;
|
|
|
|
|
|
|
|
hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
|
|
|
|
&macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC);
|
|
|
|
if (!hdr)
|
|
|
|
return -EMSGSIZE;
|
|
|
|
|
2017-11-15 20:09:32 +08:00
|
|
|
genl_dump_check_consistent(cb, hdr);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex))
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
if (nla_put_secy(secy, skb))
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSC_STATS);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!attr)
|
|
|
|
goto nla_put_failure;
|
|
|
|
if (copy_tx_sc_stats(skb, tx_sc->stats)) {
|
|
|
|
nla_nest_cancel(skb, attr);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, attr);
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_ATTR_SECY_STATS);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!attr)
|
|
|
|
goto nla_put_failure;
|
|
|
|
if (copy_secy_stats(skb, macsec_priv(dev)->stats)) {
|
|
|
|
nla_nest_cancel(skb, attr);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, attr);
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
txsa_list = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSA_LIST);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!txsa_list)
|
|
|
|
goto nla_put_failure;
|
|
|
|
for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) {
|
|
|
|
struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
|
|
|
|
struct nlattr *txsa_nest;
|
|
|
|
|
|
|
|
if (!tx_sa)
|
|
|
|
continue;
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
txsa_nest = nla_nest_start_noflag(skb, j++);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!txsa_nest) {
|
|
|
|
nla_nest_cancel(skb, txsa_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_ATTR_PN, tx_sa->next_pn) ||
|
2016-05-08 02:19:29 +08:00
|
|
|
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) ||
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) {
|
|
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
|
|
nla_nest_cancel(skb, txsa_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_SA_ATTR_STATS);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!attr) {
|
|
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
|
|
nla_nest_cancel(skb, txsa_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
if (copy_tx_sa_stats(skb, tx_sa->stats)) {
|
|
|
|
nla_nest_cancel(skb, attr);
|
|
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
|
|
nla_nest_cancel(skb, txsa_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, attr);
|
|
|
|
|
|
|
|
nla_nest_end(skb, txsa_nest);
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, txsa_list);
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
rxsc_list = nla_nest_start_noflag(skb, MACSEC_ATTR_RXSC_LIST);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!rxsc_list)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
j = 1;
|
|
|
|
for_each_rxsc_rtnl(secy, rx_sc) {
|
|
|
|
int k;
|
|
|
|
struct nlattr *rxsa_list;
|
2019-04-26 17:13:06 +08:00
|
|
|
struct nlattr *rxsc_nest = nla_nest_start_noflag(skb, j++);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
if (!rxsc_nest) {
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) ||
|
2016-04-26 16:06:11 +08:00
|
|
|
nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci,
|
|
|
|
MACSEC_RXSC_ATTR_PAD)) {
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_RXSC_ATTR_STATS);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!attr) {
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
if (copy_rx_sc_stats(skb, rx_sc->stats)) {
|
|
|
|
nla_nest_cancel(skb, attr);
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, attr);
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
rxsa_list = nla_nest_start_noflag(skb,
|
|
|
|
MACSEC_RXSC_ATTR_SA_LIST);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!rxsa_list) {
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) {
|
|
|
|
struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
|
|
|
|
struct nlattr *rxsa_nest;
|
|
|
|
|
|
|
|
if (!rx_sa)
|
|
|
|
continue;
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
rxsa_nest = nla_nest_start_noflag(skb, k++);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!rxsa_nest) {
|
|
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
2019-04-26 17:13:06 +08:00
|
|
|
attr = nla_nest_start_noflag(skb,
|
|
|
|
MACSEC_SA_ATTR_STATS);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (!attr) {
|
|
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
if (copy_rx_sa_stats(skb, rx_sa->stats)) {
|
|
|
|
nla_nest_cancel(skb, attr);
|
|
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, attr);
|
|
|
|
|
|
|
|
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
|
|
|
|
nla_put_u32(skb, MACSEC_SA_ATTR_PN, rx_sa->next_pn) ||
|
2016-05-08 02:19:29 +08:00
|
|
|
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) ||
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) {
|
|
|
|
nla_nest_cancel(skb, rxsa_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
nla_nest_end(skb, rxsa_nest);
|
|
|
|
}
|
|
|
|
|
|
|
|
nla_nest_end(skb, rxsa_list);
|
|
|
|
nla_nest_end(skb, rxsc_nest);
|
|
|
|
}
|
|
|
|
|
|
|
|
nla_nest_end(skb, rxsc_list);
|
|
|
|
|
|
|
|
genlmsg_end(skb, hdr);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
genlmsg_cancel(skb, hdr);
|
|
|
|
return -EMSGSIZE;
|
|
|
|
}
|
|
|
|
|
2016-04-22 17:28:05 +08:00
|
|
|
static int macsec_generation = 1; /* protected by RTNL */
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb)
|
|
|
|
{
|
|
|
|
struct net *net = sock_net(skb->sk);
|
|
|
|
struct net_device *dev;
|
|
|
|
int dev_idx, d;
|
|
|
|
|
|
|
|
dev_idx = cb->args[0];
|
|
|
|
|
|
|
|
d = 0;
|
2016-04-22 17:28:02 +08:00
|
|
|
rtnl_lock();
|
2016-04-22 17:28:05 +08:00
|
|
|
|
|
|
|
cb->seq = macsec_generation;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
for_each_netdev(net, dev) {
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
|
|
|
|
if (d < dev_idx)
|
|
|
|
goto next;
|
|
|
|
|
|
|
|
if (!netif_is_macsec(dev))
|
|
|
|
goto next;
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
if (dump_secy(secy, dev, skb, cb) < 0)
|
|
|
|
goto done;
|
|
|
|
next:
|
|
|
|
d++;
|
|
|
|
}
|
|
|
|
|
|
|
|
done:
|
2016-04-22 17:28:02 +08:00
|
|
|
rtnl_unlock();
|
2016-03-12 01:07:33 +08:00
|
|
|
cb->args[0] = d;
|
|
|
|
return skb->len;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct genl_ops macsec_genl_ops[] = {
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_GET_TXSC,
|
|
|
|
.dumpit = macsec_dump_txsc,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_ADD_RXSC,
|
|
|
|
.doit = macsec_add_rxsc,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_DEL_RXSC,
|
|
|
|
.doit = macsec_del_rxsc,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_UPD_RXSC,
|
|
|
|
.doit = macsec_upd_rxsc,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_ADD_TXSA,
|
|
|
|
.doit = macsec_add_txsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_DEL_TXSA,
|
|
|
|
.doit = macsec_del_txsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_UPD_TXSA,
|
|
|
|
.doit = macsec_upd_txsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_ADD_RXSA,
|
|
|
|
.doit = macsec_add_rxsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_DEL_RXSA,
|
|
|
|
.doit = macsec_del_rxsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.cmd = MACSEC_CMD_UPD_RXSA,
|
|
|
|
.doit = macsec_upd_rxsa,
|
|
|
|
.flags = GENL_ADMIN_PERM,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
2016-10-24 20:40:05 +08:00
|
|
|
static struct genl_family macsec_fam __ro_after_init = {
|
2016-10-24 20:40:03 +08:00
|
|
|
.name = MACSEC_GENL_NAME,
|
|
|
|
.hdrsize = 0,
|
|
|
|
.version = MACSEC_GENL_VERSION,
|
|
|
|
.maxattr = MACSEC_ATTR_MAX,
|
genetlink: make policy common to family
Since maxattr is common, the policy can't really differ sanely,
so make it common as well.
The only user that did in fact manage to make a non-common policy
is taskstats, which has to be really careful about it (since it's
still using a common maxattr!). This is no longer supported, but
we can fake it using pre_doit.
This reduces the size of e.g. nl80211.o (which has lots of commands):
text data bss dec hex filename
398745 14323 2240 415308 6564c net/wireless/nl80211.o (before)
397913 14331 2240 414484 65314 net/wireless/nl80211.o (after)
--------------------------------
-832 +8 0 -824
Which is obviously just 8 bytes for each command, and an added 8
bytes for the new policy pointer. I'm not sure why the ops list is
counted as .text though.
Most of the code transformations were done using the following spatch:
@ops@
identifier OPS;
expression POLICY;
@@
struct genl_ops OPS[] = {
...,
{
- .policy = POLICY,
},
...
};
@@
identifier ops.OPS;
expression ops.POLICY;
identifier fam;
expression M;
@@
struct genl_family fam = {
.ops = OPS,
.maxattr = M,
+ .policy = POLICY,
...
};
This also gets rid of devlink_nl_cmd_region_read_dumpit() accessing
the cb->data as ops, which we want to change in a later genl patch.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-22 05:51:02 +08:00
|
|
|
.policy = macsec_genl_policy,
|
2016-10-24 20:40:03 +08:00
|
|
|
.netnsok = true,
|
|
|
|
.module = THIS_MODULE,
|
|
|
|
.ops = macsec_genl_ops,
|
|
|
|
.n_ops = ARRAY_SIZE(macsec_genl_ops),
|
|
|
|
};
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
|
|
|
|
struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = netdev_priv(dev);
|
|
|
|
struct macsec_secy *secy = &macsec->secy;
|
|
|
|
struct pcpu_secy_stats *secy_stats;
|
|
|
|
int ret, len;
|
|
|
|
|
|
|
|
/* 10.5 */
|
|
|
|
if (!secy->protect_frames) {
|
|
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
|
|
secy_stats->stats.OutPktsUntagged++;
|
|
|
|
u64_stats_update_end(&secy_stats->syncp);
|
2016-07-01 06:00:54 +08:00
|
|
|
skb->dev = macsec->real_dev;
|
2016-03-12 01:07:33 +08:00
|
|
|
len = skb->len;
|
|
|
|
ret = dev_queue_xmit(skb);
|
|
|
|
count_tx(dev, ret, len);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!secy->operational) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
dev->stats.tx_dropped++;
|
|
|
|
return NETDEV_TX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
skb = macsec_encrypt(skb, dev);
|
|
|
|
if (IS_ERR(skb)) {
|
|
|
|
if (PTR_ERR(skb) != -EINPROGRESS)
|
|
|
|
dev->stats.tx_dropped++;
|
|
|
|
return NETDEV_TX_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
|
|
|
|
|
|
|
|
macsec_encrypt_finish(skb, dev);
|
|
|
|
len = skb->len;
|
|
|
|
ret = dev_queue_xmit(skb);
|
|
|
|
count_tx(dev, ret, len);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define MACSEC_FEATURES \
|
|
|
|
(NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
|
2016-08-12 22:10:32 +08:00
|
|
|
static struct lock_class_key macsec_netdev_addr_lock_key;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static int macsec_dev_init(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
2016-07-21 00:11:32 +08:00
|
|
|
int err;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
|
|
|
|
if (!dev->tstats)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2016-07-21 00:11:32 +08:00
|
|
|
err = gro_cells_init(&macsec->gro_cells, dev);
|
|
|
|
if (err) {
|
|
|
|
free_percpu(dev->tstats);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
dev->features = real_dev->features & MACSEC_FEATURES;
|
|
|
|
dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
|
|
|
|
|
|
|
|
dev->needed_headroom = real_dev->needed_headroom +
|
|
|
|
MACSEC_NEEDED_HEADROOM;
|
|
|
|
dev->needed_tailroom = real_dev->needed_tailroom +
|
|
|
|
MACSEC_NEEDED_TAILROOM;
|
|
|
|
|
|
|
|
if (is_zero_ether_addr(dev->dev_addr))
|
|
|
|
eth_hw_addr_inherit(dev, real_dev);
|
|
|
|
if (is_zero_ether_addr(dev->broadcast))
|
|
|
|
memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_dev_uninit(struct net_device *dev)
|
|
|
|
{
|
2016-07-21 00:11:32 +08:00
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
|
|
|
|
gro_cells_destroy(&macsec->gro_cells);
|
2016-03-12 01:07:33 +08:00
|
|
|
free_percpu(dev->tstats);
|
|
|
|
}
|
|
|
|
|
|
|
|
static netdev_features_t macsec_fix_features(struct net_device *dev,
|
|
|
|
netdev_features_t features)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
|
2016-07-21 00:11:32 +08:00
|
|
|
features &= (real_dev->features & MACSEC_FEATURES) |
|
|
|
|
NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES;
|
|
|
|
features |= NETIF_F_LLTX;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
return features;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_dev_open(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = dev_uc_add(real_dev, dev->dev_addr);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (dev->flags & IFF_ALLMULTI) {
|
|
|
|
err = dev_set_allmulti(real_dev, 1);
|
|
|
|
if (err < 0)
|
|
|
|
goto del_unicast;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dev->flags & IFF_PROMISC) {
|
|
|
|
err = dev_set_promiscuity(real_dev, 1);
|
|
|
|
if (err < 0)
|
|
|
|
goto clear_allmulti;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (netif_carrier_ok(real_dev))
|
|
|
|
netif_carrier_on(dev);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
clear_allmulti:
|
|
|
|
if (dev->flags & IFF_ALLMULTI)
|
|
|
|
dev_set_allmulti(real_dev, -1);
|
|
|
|
del_unicast:
|
|
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
|
|
netif_carrier_off(dev);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_dev_stop(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
|
|
|
|
netif_carrier_off(dev);
|
|
|
|
|
|
|
|
dev_mc_unsync(real_dev, dev);
|
|
|
|
dev_uc_unsync(real_dev, dev);
|
|
|
|
|
|
|
|
if (dev->flags & IFF_ALLMULTI)
|
|
|
|
dev_set_allmulti(real_dev, -1);
|
|
|
|
|
|
|
|
if (dev->flags & IFF_PROMISC)
|
|
|
|
dev_set_promiscuity(real_dev, -1);
|
|
|
|
|
|
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_dev_change_rx_flags(struct net_device *dev, int change)
|
|
|
|
{
|
|
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
|
|
|
|
|
|
if (!(dev->flags & IFF_UP))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (change & IFF_ALLMULTI)
|
|
|
|
dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
|
|
|
|
|
|
|
|
if (change & IFF_PROMISC)
|
|
|
|
dev_set_promiscuity(real_dev,
|
|
|
|
dev->flags & IFF_PROMISC ? 1 : -1);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_dev_set_rx_mode(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
|
|
|
|
|
|
dev_mc_sync(real_dev, dev);
|
|
|
|
dev_uc_sync(real_dev, dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_set_mac_address(struct net_device *dev, void *p)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
struct sockaddr *addr = p;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (!is_valid_ether_addr(addr->sa_data))
|
|
|
|
return -EADDRNOTAVAIL;
|
|
|
|
|
|
|
|
if (!(dev->flags & IFF_UP))
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = dev_uc_add(real_dev, addr->sa_data);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
|
|
|
|
|
|
out:
|
|
|
|
ether_addr_copy(dev->dev_addr, addr->sa_data);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_change_mtu(struct net_device *dev, int new_mtu)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true);
|
|
|
|
|
|
|
|
if (macsec->real_dev->mtu - extra < new_mtu)
|
|
|
|
return -ERANGE;
|
|
|
|
|
|
|
|
dev->mtu = new_mtu;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-01-07 11:12:52 +08:00
|
|
|
static void macsec_get_stats64(struct net_device *dev,
|
|
|
|
struct rtnl_link_stats64 *s)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
if (!dev->tstats)
|
2017-01-07 11:12:52 +08:00
|
|
|
return;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
|
|
struct pcpu_sw_netstats *stats;
|
|
|
|
struct pcpu_sw_netstats tmp;
|
|
|
|
int start;
|
|
|
|
|
|
|
|
stats = per_cpu_ptr(dev->tstats, cpu);
|
|
|
|
do {
|
|
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
|
|
tmp.rx_packets = stats->rx_packets;
|
|
|
|
tmp.rx_bytes = stats->rx_bytes;
|
|
|
|
tmp.tx_packets = stats->tx_packets;
|
|
|
|
tmp.tx_bytes = stats->tx_bytes;
|
|
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
|
|
|
|
s->rx_packets += tmp.rx_packets;
|
|
|
|
s->rx_bytes += tmp.rx_bytes;
|
|
|
|
s->tx_packets += tmp.tx_packets;
|
|
|
|
s->tx_bytes += tmp.tx_bytes;
|
|
|
|
}
|
|
|
|
|
|
|
|
s->rx_dropped = dev->stats.rx_dropped;
|
|
|
|
s->tx_dropped = dev->stats.tx_dropped;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_get_iflink(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return macsec_priv(dev)->real_dev->ifindex;
|
|
|
|
}
|
|
|
|
|
2016-08-12 22:10:32 +08:00
|
|
|
static int macsec_get_nest_level(struct net_device *dev)
|
|
|
|
{
|
|
|
|
return macsec_priv(dev)->nest_level;
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static const struct net_device_ops macsec_netdev_ops = {
|
|
|
|
.ndo_init = macsec_dev_init,
|
|
|
|
.ndo_uninit = macsec_dev_uninit,
|
|
|
|
.ndo_open = macsec_dev_open,
|
|
|
|
.ndo_stop = macsec_dev_stop,
|
|
|
|
.ndo_fix_features = macsec_fix_features,
|
|
|
|
.ndo_change_mtu = macsec_change_mtu,
|
|
|
|
.ndo_set_rx_mode = macsec_dev_set_rx_mode,
|
|
|
|
.ndo_change_rx_flags = macsec_dev_change_rx_flags,
|
|
|
|
.ndo_set_mac_address = macsec_set_mac_address,
|
|
|
|
.ndo_start_xmit = macsec_start_xmit,
|
|
|
|
.ndo_get_stats64 = macsec_get_stats64,
|
|
|
|
.ndo_get_iflink = macsec_get_iflink,
|
2016-08-12 22:10:32 +08:00
|
|
|
.ndo_get_lock_subclass = macsec_get_nest_level,
|
2016-03-12 01:07:33 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
static const struct device_type macsec_type = {
|
|
|
|
.name = "macsec",
|
|
|
|
};
|
|
|
|
|
|
|
|
static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
|
|
|
|
[IFLA_MACSEC_SCI] = { .type = NLA_U64 },
|
|
|
|
[IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
|
|
|
|
[IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
|
|
|
|
[IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_PROTECT] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_ES] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_SCB] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
|
|
|
|
[IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
|
|
|
|
};
|
|
|
|
|
|
|
|
static void macsec_free_netdev(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
|
|
|
|
free_percpu(macsec->stats);
|
|
|
|
free_percpu(macsec->secy.tx_sc.stats);
|
|
|
|
|
|
|
|
dev_put(real_dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_setup(struct net_device *dev)
|
|
|
|
{
|
|
|
|
ether_setup(dev);
|
net: use core MTU range checking in core net infra
geneve:
- Merge __geneve_change_mtu back into geneve_change_mtu, set max_mtu
- This one isn't quite as straight-forward as others, could use some
closer inspection and testing
macvlan:
- set min/max_mtu
tun:
- set min/max_mtu, remove tun_net_change_mtu
vxlan:
- Merge __vxlan_change_mtu back into vxlan_change_mtu
- Set max_mtu to IP_MAX_MTU and retain dynamic MTU range checks in
change_mtu function
- This one is also not as straight-forward and could use closer inspection
and testing from vxlan folks
bridge:
- set max_mtu of IP_MAX_MTU and retain dynamic MTU range checks in
change_mtu function
openvswitch:
- set min/max_mtu, remove internal_dev_change_mtu
- note: max_mtu wasn't checked previously, it's been set to 65535, which
is the largest possible size supported
sch_teql:
- set min/max_mtu (note: max_mtu previously unchecked, used max of 65535)
macsec:
- min_mtu = 0, max_mtu = 65535
macvlan:
- min_mtu = 0, max_mtu = 65535
ntb_netdev:
- min_mtu = 0, max_mtu = 65535
veth:
- min_mtu = 68, max_mtu = 65535
8021q:
- min_mtu = 0, max_mtu = 65535
CC: netdev@vger.kernel.org
CC: Nicolas Dichtel <nicolas.dichtel@6wind.com>
CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
CC: Tom Herbert <tom@herbertland.com>
CC: Daniel Borkmann <daniel@iogearbox.net>
CC: Alexander Duyck <alexander.h.duyck@intel.com>
CC: Paolo Abeni <pabeni@redhat.com>
CC: Jiri Benc <jbenc@redhat.com>
CC: WANG Cong <xiyou.wangcong@gmail.com>
CC: Roopa Prabhu <roopa@cumulusnetworks.com>
CC: Pravin B Shelar <pshelar@ovn.org>
CC: Sabrina Dubroca <sd@queasysnail.net>
CC: Patrick McHardy <kaber@trash.net>
CC: Stephen Hemminger <stephen@networkplumber.org>
CC: Pravin Shelar <pshelar@nicira.com>
CC: Maxim Krasnyansky <maxk@qti.qualcomm.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-21 01:55:20 +08:00
|
|
|
dev->min_mtu = 0;
|
|
|
|
dev->max_mtu = ETH_MAX_MTU;
|
2016-04-22 20:02:42 +08:00
|
|
|
dev->priv_flags |= IFF_NO_QUEUE;
|
2016-03-12 01:07:33 +08:00
|
|
|
dev->netdev_ops = &macsec_netdev_ops;
|
net: Fix inconsistent teardown and release of private netdev state.
Network devices can allocate reasources and private memory using
netdev_ops->ndo_init(). However, the release of these resources
can occur in one of two different places.
Either netdev_ops->ndo_uninit() or netdev->destructor().
The decision of which operation frees the resources depends upon
whether it is necessary for all netdev refs to be released before it
is safe to perform the freeing.
netdev_ops->ndo_uninit() presumably can occur right after the
NETDEV_UNREGISTER notifier completes and the unicast and multicast
address lists are flushed.
netdev->destructor(), on the other hand, does not run until the
netdev references all go away.
Further complicating the situation is that netdev->destructor()
almost universally does also a free_netdev().
This creates a problem for the logic in register_netdevice().
Because all callers of register_netdevice() manage the freeing
of the netdev, and invoke free_netdev(dev) if register_netdevice()
fails.
If netdev_ops->ndo_init() succeeds, but something else fails inside
of register_netdevice(), it does call ndo_ops->ndo_uninit(). But
it is not able to invoke netdev->destructor().
This is because netdev->destructor() will do a free_netdev() and
then the caller of register_netdevice() will do the same.
However, this means that the resources that would normally be released
by netdev->destructor() will not be.
Over the years drivers have added local hacks to deal with this, by
invoking their destructor parts by hand when register_netdevice()
fails.
Many drivers do not try to deal with this, and instead we have leaks.
Let's close this hole by formalizing the distinction between what
private things need to be freed up by netdev->destructor() and whether
the driver needs unregister_netdevice() to perform the free_netdev().
netdev->priv_destructor() performs all actions to free up the private
resources that used to be freed by netdev->destructor(), except for
free_netdev().
netdev->needs_free_netdev is a boolean that indicates whether
free_netdev() should be done at the end of unregister_netdevice().
Now, register_netdevice() can sanely release all resources after
ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
and netdev->priv_destructor().
And at the end of unregister_netdevice(), we invoke
netdev->priv_destructor() and optionally call free_netdev().
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-09 00:52:56 +08:00
|
|
|
dev->needs_free_netdev = true;
|
|
|
|
dev->priv_destructor = macsec_free_netdev;
|
2016-09-08 05:07:32 +08:00
|
|
|
SET_NETDEV_DEVTYPE(dev, &macsec_type);
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
eth_zero_addr(dev->broadcast);
|
|
|
|
}
|
|
|
|
|
2018-01-05 21:33:31 +08:00
|
|
|
static int macsec_changelink_common(struct net_device *dev,
|
|
|
|
struct nlattr *data[])
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_secy *secy;
|
|
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_ENCODING_SA]) {
|
|
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
|
|
|
|
tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]);
|
|
|
|
tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]);
|
|
|
|
|
|
|
|
secy->operational = tx_sa && tx_sa->active;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_WINDOW])
|
|
|
|
secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_ENCRYPT])
|
|
|
|
tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_PROTECT])
|
|
|
|
secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_INC_SCI])
|
|
|
|
tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_ES])
|
|
|
|
tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_SCB])
|
|
|
|
tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_REPLAY_PROTECT])
|
|
|
|
secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]);
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_VALIDATION])
|
|
|
|
secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]);
|
2018-01-05 21:33:31 +08:00
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE]) {
|
|
|
|
switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
|
|
|
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
2018-01-19 00:48:18 +08:00
|
|
|
case MACSEC_DEFAULT_CIPHER_ID:
|
2018-01-05 21:33:31 +08:00
|
|
|
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
|
|
|
|
break;
|
|
|
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
|
|
|
secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
|
2017-06-26 05:56:00 +08:00
|
|
|
struct nlattr *data[],
|
|
|
|
struct netlink_ext_ack *extack)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
if (!data)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE] ||
|
|
|
|
data[IFLA_MACSEC_ICV_LEN] ||
|
|
|
|
data[IFLA_MACSEC_SCI] ||
|
|
|
|
data[IFLA_MACSEC_PORT])
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-01-05 21:33:31 +08:00
|
|
|
return macsec_changelink_common(dev, data);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void macsec_del_dev(struct macsec_dev *macsec)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
while (macsec->secy.rx_sc) {
|
|
|
|
struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc);
|
|
|
|
|
|
|
|
rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next);
|
|
|
|
free_rx_sc(rx_sc);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < MACSEC_NUM_AN; i++) {
|
|
|
|
struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]);
|
|
|
|
|
|
|
|
if (sa) {
|
|
|
|
RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL);
|
|
|
|
clear_tx_sa(sa);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-08-11 21:24:27 +08:00
|
|
|
static void macsec_common_dellink(struct net_device *dev, struct list_head *head)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
2016-08-12 22:10:32 +08:00
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
2016-08-11 21:24:27 +08:00
|
|
|
|
|
|
|
unregister_netdevice_queue(dev, head);
|
|
|
|
list_del_rcu(&macsec->secys);
|
|
|
|
macsec_del_dev(macsec);
|
2016-08-12 22:10:32 +08:00
|
|
|
netdev_upper_dev_unlink(real_dev, dev);
|
2016-08-11 21:24:27 +08:00
|
|
|
|
|
|
|
macsec_generation++;
|
|
|
|
}
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
static void macsec_dellink(struct net_device *dev, struct list_head *head)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
|
|
|
2016-08-11 21:24:27 +08:00
|
|
|
macsec_common_dellink(dev, head);
|
2016-04-22 17:28:05 +08:00
|
|
|
|
2016-04-22 17:28:06 +08:00
|
|
|
if (list_empty(&rxd->secys)) {
|
2016-03-12 01:07:33 +08:00
|
|
|
netdev_rx_handler_unregister(real_dev);
|
2016-04-22 17:28:06 +08:00
|
|
|
kfree(rxd);
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int register_macsec_dev(struct net_device *real_dev,
|
|
|
|
struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
|
|
|
|
|
|
if (!rxd) {
|
|
|
|
int err;
|
|
|
|
|
|
|
|
rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
|
|
|
|
if (!rxd)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
INIT_LIST_HEAD(&rxd->secys);
|
|
|
|
|
|
|
|
err = netdev_rx_handler_register(real_dev, macsec_handle_frame,
|
|
|
|
rxd);
|
2016-04-22 17:28:06 +08:00
|
|
|
if (err < 0) {
|
|
|
|
kfree(rxd);
|
2016-03-12 01:07:33 +08:00
|
|
|
return err;
|
2016-04-22 17:28:06 +08:00
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
list_add_tail_rcu(&macsec->secys, &rxd->secys);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool sci_exists(struct net_device *dev, sci_t sci)
|
|
|
|
{
|
|
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(dev);
|
|
|
|
struct macsec_dev *macsec;
|
|
|
|
|
|
|
|
list_for_each_entry(macsec, &rxd->secys, secys) {
|
|
|
|
if (macsec->secy.sci == sci)
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
static sci_t dev_to_sci(struct net_device *dev, __be16 port)
|
|
|
|
{
|
|
|
|
return make_sci(dev->dev_addr, port);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
|
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct macsec_secy *secy = &macsec->secy;
|
|
|
|
|
|
|
|
macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats);
|
|
|
|
if (!macsec->stats)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats);
|
|
|
|
if (!secy->tx_sc.stats) {
|
|
|
|
free_percpu(macsec->stats);
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sci == MACSEC_UNDEF_SCI)
|
|
|
|
sci = dev_to_sci(dev, MACSEC_PORT_ES);
|
|
|
|
|
|
|
|
secy->netdev = dev;
|
|
|
|
secy->operational = true;
|
|
|
|
secy->key_len = DEFAULT_SAK_LEN;
|
|
|
|
secy->icv_len = icv_len;
|
|
|
|
secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
|
|
|
|
secy->protect_frames = true;
|
|
|
|
secy->replay_protect = false;
|
|
|
|
|
|
|
|
secy->sci = sci;
|
|
|
|
secy->tx_sc.active = true;
|
|
|
|
secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA;
|
|
|
|
secy->tx_sc.encrypt = DEFAULT_ENCRYPT;
|
|
|
|
secy->tx_sc.send_sci = DEFAULT_SEND_SCI;
|
|
|
|
secy->tx_sc.end_station = false;
|
|
|
|
secy->tx_sc.scb = false;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_newlink(struct net *net, struct net_device *dev,
|
2017-06-26 05:55:59 +08:00
|
|
|
struct nlattr *tb[], struct nlattr *data[],
|
|
|
|
struct netlink_ext_ack *extack)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
|
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
struct net_device *real_dev;
|
|
|
|
int err;
|
|
|
|
sci_t sci;
|
|
|
|
u8 icv_len = DEFAULT_ICV_LEN;
|
|
|
|
rx_handler_func_t *rx_handler;
|
|
|
|
|
|
|
|
if (!tb[IFLA_LINK])
|
|
|
|
return -EINVAL;
|
|
|
|
real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
|
|
|
|
if (!real_dev)
|
|
|
|
return -ENODEV;
|
|
|
|
|
|
|
|
dev->priv_flags |= IFF_MACSEC;
|
|
|
|
|
|
|
|
macsec->real_dev = real_dev;
|
|
|
|
|
|
|
|
if (data && data[IFLA_MACSEC_ICV_LEN])
|
|
|
|
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
|
|
|
|
dev->mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
|
|
|
|
|
|
|
|
rx_handler = rtnl_dereference(real_dev->rx_handler);
|
|
|
|
if (rx_handler && rx_handler != macsec_handle_frame)
|
|
|
|
return -EBUSY;
|
|
|
|
|
|
|
|
err = register_netdevice(dev);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2016-07-29 21:37:55 +08:00
|
|
|
dev_hold(real_dev);
|
|
|
|
|
net: remove type_check from dev_get_nest_level()
The idea for type_check in dev_get_nest_level() was to count the number
of nested devices of the same type (currently, only macvlan or vlan
devices).
This prevented the false positive lockdep warning on configurations such
as:
eth0 <--- macvlan0 <--- vlan0 <--- macvlan1
However, this doesn't prevent a warning on a configuration such as:
eth0 <--- macvlan0 <--- vlan0
eth1 <--- vlan1 <--- macvlan1
In this case, all the locks end up with a nesting subclass of 1, so
lockdep thinks that there is still a deadlock:
- in the first case we have (macvlan_netdev_addr_lock_key, 1) and then
take (vlan_netdev_xmit_lock_key, 1)
- in the second case, we have (vlan_netdev_xmit_lock_key, 1) and then
take (macvlan_netdev_addr_lock_key, 1)
By removing the linktype check in dev_get_nest_level() and always
incrementing the nesting depth, lockdep considers this configuration
valid.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-12 22:10:33 +08:00
|
|
|
macsec->nest_level = dev_get_nest_level(real_dev) + 1;
|
2016-08-12 22:10:32 +08:00
|
|
|
netdev_lockdep_set_classes(dev);
|
|
|
|
lockdep_set_class_and_subclass(&dev->addr_list_lock,
|
|
|
|
&macsec_netdev_addr_lock_key,
|
|
|
|
macsec_get_nest_level(dev));
|
|
|
|
|
2017-10-05 08:48:47 +08:00
|
|
|
err = netdev_upper_dev_link(real_dev, dev, extack);
|
2016-08-12 22:10:32 +08:00
|
|
|
if (err < 0)
|
2018-04-16 18:17:50 +08:00
|
|
|
goto unregister;
|
2016-08-12 22:10:32 +08:00
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
/* need to be already registered so that ->init has run and
|
|
|
|
* the MAC addr is set
|
|
|
|
*/
|
|
|
|
if (data && data[IFLA_MACSEC_SCI])
|
|
|
|
sci = nla_get_sci(data[IFLA_MACSEC_SCI]);
|
|
|
|
else if (data && data[IFLA_MACSEC_PORT])
|
|
|
|
sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT]));
|
|
|
|
else
|
|
|
|
sci = dev_to_sci(dev, MACSEC_PORT_ES);
|
|
|
|
|
|
|
|
if (rx_handler && sci_exists(real_dev, sci)) {
|
|
|
|
err = -EBUSY;
|
2016-08-12 22:10:32 +08:00
|
|
|
goto unlink;
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
err = macsec_add_dev(dev, sci, icv_len);
|
|
|
|
if (err)
|
2016-08-12 22:10:32 +08:00
|
|
|
goto unlink;
|
2016-03-12 01:07:33 +08:00
|
|
|
|
2018-01-05 21:33:31 +08:00
|
|
|
if (data) {
|
|
|
|
err = macsec_changelink_common(dev, data);
|
|
|
|
if (err)
|
|
|
|
goto del_dev;
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
err = register_macsec_dev(real_dev, dev);
|
|
|
|
if (err < 0)
|
|
|
|
goto del_dev;
|
|
|
|
|
2018-10-28 16:33:09 +08:00
|
|
|
netif_stacked_transfer_operstate(real_dev, dev);
|
|
|
|
linkwatch_fire_event(dev);
|
|
|
|
|
2016-04-22 17:28:05 +08:00
|
|
|
macsec_generation++;
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
del_dev:
|
|
|
|
macsec_del_dev(macsec);
|
2016-08-12 22:10:32 +08:00
|
|
|
unlink:
|
|
|
|
netdev_upper_dev_unlink(real_dev, dev);
|
2018-04-16 18:17:50 +08:00
|
|
|
unregister:
|
2016-03-12 01:07:33 +08:00
|
|
|
unregister_netdevice(dev);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2017-06-26 05:56:01 +08:00
|
|
|
static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
|
|
|
|
struct netlink_ext_ack *extack)
|
2016-03-12 01:07:33 +08:00
|
|
|
{
|
2016-04-22 17:28:08 +08:00
|
|
|
u64 csid = MACSEC_DEFAULT_CIPHER_ID;
|
2016-03-12 01:07:33 +08:00
|
|
|
u8 icv_len = DEFAULT_ICV_LEN;
|
|
|
|
int flag;
|
|
|
|
bool es, scb, sci;
|
|
|
|
|
|
|
|
if (!data)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE])
|
|
|
|
csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
|
|
|
|
|
2016-07-22 21:07:58 +08:00
|
|
|
if (data[IFLA_MACSEC_ICV_LEN]) {
|
2016-03-12 01:07:33 +08:00
|
|
|
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
|
2016-07-22 21:07:58 +08:00
|
|
|
if (icv_len != DEFAULT_ICV_LEN) {
|
|
|
|
char dummy_key[DEFAULT_SAK_LEN] = { 0 };
|
|
|
|
struct crypto_aead *dummy_tfm;
|
|
|
|
|
|
|
|
dummy_tfm = macsec_alloc_tfm(dummy_key,
|
|
|
|
DEFAULT_SAK_LEN,
|
|
|
|
icv_len);
|
|
|
|
if (IS_ERR(dummy_tfm))
|
|
|
|
return PTR_ERR(dummy_tfm);
|
|
|
|
crypto_free_aead(dummy_tfm);
|
|
|
|
}
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
switch (csid) {
|
2018-01-05 21:33:31 +08:00
|
|
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
|
|
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
2018-01-19 00:48:18 +08:00
|
|
|
case MACSEC_DEFAULT_CIPHER_ID:
|
2016-03-12 01:07:33 +08:00
|
|
|
if (icv_len < MACSEC_MIN_ICV_LEN ||
|
2016-07-22 21:07:56 +08:00
|
|
|
icv_len > MACSEC_STD_ICV_LEN)
|
2016-03-12 01:07:33 +08:00
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_ENCODING_SA]) {
|
|
|
|
if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN)
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
for (flag = IFLA_MACSEC_ENCODING_SA + 1;
|
|
|
|
flag < IFLA_MACSEC_VALIDATION;
|
|
|
|
flag++) {
|
|
|
|
if (data[flag]) {
|
|
|
|
if (nla_get_u8(data[flag]) > 1)
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false;
|
|
|
|
sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false;
|
|
|
|
scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false;
|
|
|
|
|
|
|
|
if ((sci && (scb || es)) || (scb && es))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (data[IFLA_MACSEC_VALIDATION] &&
|
|
|
|
nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2016-04-22 17:28:09 +08:00
|
|
|
if ((data[IFLA_MACSEC_REPLAY_PROTECT] &&
|
|
|
|
nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) &&
|
2016-03-12 01:07:33 +08:00
|
|
|
!data[IFLA_MACSEC_WINDOW])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct net *macsec_get_link_net(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
return dev_net(macsec_priv(dev)->real_dev);
|
|
|
|
}
|
|
|
|
|
|
|
|
static size_t macsec_get_size(const struct net_device *dev)
|
|
|
|
{
|
2016-12-07 23:02:09 +08:00
|
|
|
return nla_total_size_64bit(8) + /* IFLA_MACSEC_SCI */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_ICV_LEN */
|
|
|
|
nla_total_size_64bit(8) + /* IFLA_MACSEC_CIPHER_SUITE */
|
|
|
|
nla_total_size(4) + /* IFLA_MACSEC_WINDOW */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_ENCODING_SA */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_ENCRYPT */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_PROTECT */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_INC_SCI */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_ES */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_SCB */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */
|
|
|
|
nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */
|
2016-03-12 01:07:33 +08:00
|
|
|
0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_fill_info(struct sk_buff *skb,
|
|
|
|
const struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct macsec_secy *secy = &macsec_priv(dev)->secy;
|
|
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
2018-01-05 21:33:31 +08:00
|
|
|
u64 csid;
|
|
|
|
|
|
|
|
switch (secy->key_len) {
|
|
|
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
2018-01-19 00:48:18 +08:00
|
|
|
csid = MACSEC_DEFAULT_CIPHER_ID;
|
2018-01-05 21:33:31 +08:00
|
|
|
break;
|
|
|
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
|
|
|
csid = MACSEC_CIPHER_ID_GCM_AES_256;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
|
2016-04-26 16:06:11 +08:00
|
|
|
if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci,
|
|
|
|
IFLA_MACSEC_PAD) ||
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) ||
|
2016-04-26 16:06:11 +08:00
|
|
|
nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE,
|
2018-01-05 21:33:31 +08:00
|
|
|
csid, IFLA_MACSEC_PAD) ||
|
2016-03-12 01:07:33 +08:00
|
|
|
nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
|
|
|
|
nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
|
|
|
|
0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
if (secy->replay_protect) {
|
|
|
|
if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window))
|
|
|
|
goto nla_put_failure;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -EMSGSIZE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct rtnl_link_ops macsec_link_ops __read_mostly = {
|
|
|
|
.kind = "macsec",
|
|
|
|
.priv_size = sizeof(struct macsec_dev),
|
|
|
|
.maxtype = IFLA_MACSEC_MAX,
|
|
|
|
.policy = macsec_rtnl_policy,
|
|
|
|
.setup = macsec_setup,
|
|
|
|
.validate = macsec_validate_attr,
|
|
|
|
.newlink = macsec_newlink,
|
|
|
|
.changelink = macsec_changelink,
|
|
|
|
.dellink = macsec_dellink,
|
|
|
|
.get_size = macsec_get_size,
|
|
|
|
.fill_info = macsec_fill_info,
|
|
|
|
.get_link_net = macsec_get_link_net,
|
|
|
|
};
|
|
|
|
|
|
|
|
static bool is_macsec_master(struct net_device *dev)
|
|
|
|
{
|
|
|
|
return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int macsec_notify(struct notifier_block *this, unsigned long event,
|
|
|
|
void *ptr)
|
|
|
|
{
|
|
|
|
struct net_device *real_dev = netdev_notifier_info_to_dev(ptr);
|
|
|
|
LIST_HEAD(head);
|
|
|
|
|
|
|
|
if (!is_macsec_master(real_dev))
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
|
|
|
|
switch (event) {
|
2018-10-28 16:33:09 +08:00
|
|
|
case NETDEV_DOWN:
|
|
|
|
case NETDEV_UP:
|
|
|
|
case NETDEV_CHANGE: {
|
|
|
|
struct macsec_dev *m, *n;
|
|
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
|
|
list_for_each_entry_safe(m, n, &rxd->secys, secys) {
|
|
|
|
struct net_device *dev = m->secy.netdev;
|
|
|
|
|
|
|
|
netif_stacked_transfer_operstate(real_dev, dev);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
2016-03-12 01:07:33 +08:00
|
|
|
case NETDEV_UNREGISTER: {
|
|
|
|
struct macsec_dev *m, *n;
|
|
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
|
|
list_for_each_entry_safe(m, n, &rxd->secys, secys) {
|
2016-08-11 21:24:27 +08:00
|
|
|
macsec_common_dellink(m->secy.netdev, &head);
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
2016-08-11 21:24:27 +08:00
|
|
|
|
|
|
|
netdev_rx_handler_unregister(real_dev);
|
|
|
|
kfree(rxd);
|
|
|
|
|
2016-03-12 01:07:33 +08:00
|
|
|
unregister_netdevice_many(&head);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
case NETDEV_CHANGEMTU: {
|
|
|
|
struct macsec_dev *m;
|
|
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
|
|
list_for_each_entry(m, &rxd->secys, secys) {
|
|
|
|
struct net_device *dev = m->secy.netdev;
|
|
|
|
unsigned int mtu = real_dev->mtu - (m->secy.icv_len +
|
|
|
|
macsec_extra_len(true));
|
|
|
|
|
|
|
|
if (dev->mtu > mtu)
|
|
|
|
dev_set_mtu(dev, mtu);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return NOTIFY_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct notifier_block macsec_notifier = {
|
|
|
|
.notifier_call = macsec_notify,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init macsec_init(void)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
pr_info("MACsec IEEE 802.1AE\n");
|
|
|
|
err = register_netdevice_notifier(&macsec_notifier);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
err = rtnl_link_register(&macsec_link_ops);
|
|
|
|
if (err)
|
|
|
|
goto notifier;
|
|
|
|
|
2016-10-24 20:40:03 +08:00
|
|
|
err = genl_register_family(&macsec_fam);
|
2016-03-12 01:07:33 +08:00
|
|
|
if (err)
|
|
|
|
goto rtnl;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
rtnl:
|
|
|
|
rtnl_link_unregister(&macsec_link_ops);
|
|
|
|
notifier:
|
|
|
|
unregister_netdevice_notifier(&macsec_notifier);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit macsec_exit(void)
|
|
|
|
{
|
|
|
|
genl_unregister_family(&macsec_fam);
|
|
|
|
rtnl_link_unregister(&macsec_link_ops);
|
|
|
|
unregister_netdevice_notifier(&macsec_notifier);
|
2016-06-14 21:25:14 +08:00
|
|
|
rcu_barrier();
|
2016-03-12 01:07:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
module_init(macsec_init);
|
|
|
|
module_exit(macsec_exit);
|
|
|
|
|
|
|
|
MODULE_ALIAS_RTNL_LINK("macsec");
|
2017-08-22 21:36:08 +08:00
|
|
|
MODULE_ALIAS_GENL_FAMILY("macsec");
|
2016-03-12 01:07:33 +08:00
|
|
|
|
|
|
|
MODULE_DESCRIPTION("MACsec IEEE 802.1AE");
|
|
|
|
MODULE_LICENSE("GPL v2");
|