developer | 7e32f7e | 2022-05-18 21:10:08 +0800 | [diff] [blame] | 1 | From 48ef50fa866aae087f63c7de8a47e76537f88691 Mon Sep 17 00:00:00 2001 |
| 2 | From: Era Mayflower <mayflowerera@gmail.com> |
| 3 | Date: Mon, 9 Mar 2020 19:47:02 +0000 |
| 4 | Subject: macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw) |
| 5 | |
| 6 | Netlink support of extended packet number cipher suites, |
| 7 | allows adding and updating XPN macsec interfaces. |
| 8 | |
| 9 | Added support in: |
| 10 | * Creating interfaces with GCM-AES-XPN-128 and GCM-AES-XPN-256 suites. |
| 11 | * Setting and getting 64bit packet numbers with of SAs. |
| 12 | * Setting (only on SA creation) and getting ssci of SAs. |
| 13 | * Setting salt when installing a SAK. |
| 14 | |
| 15 | Added 2 cipher suite identifiers according to 802.1AE-2018 table 14-1: |
| 16 | * MACSEC_CIPHER_ID_GCM_AES_XPN_128 |
| 17 | * MACSEC_CIPHER_ID_GCM_AES_XPN_256 |
| 18 | |
| 19 | In addition, added 2 new netlink attribute types: |
| 20 | * MACSEC_SA_ATTR_SSCI |
| 21 | * MACSEC_SA_ATTR_SALT |
| 22 | |
| 23 | Depends on: macsec: Support XPN frame handling - IEEE 802.1AEbw. |
| 24 | |
| 25 | Signed-off-by: Era Mayflower <mayflowerera@gmail.com> |
| 26 | Signed-off-by: David S. Miller <davem@davemloft.net> |
| 27 | --- |
| 28 | drivers/net/macsec.c | 161 +++++++++++++++++++++++++++++++++++++---- |
| 29 | include/net/macsec.h | 3 + |
| 30 | include/uapi/linux/if_macsec.h | 8 +- |
| 31 | 3 files changed, 157 insertions(+), 15 deletions(-) |
| 32 | |
| 33 | diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c |
| 34 | index 6c71e250cccb0..49b138e7aeac3 100644 |
| 35 | --- a/drivers/net/macsec.c |
| 36 | +++ b/drivers/net/macsec.c |
| 37 | @@ -240,11 +240,13 @@ static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb) |
| 38 | #define MACSEC_PORT_ES (htons(0x0001)) |
| 39 | #define MACSEC_PORT_SCB (0x0000) |
| 40 | #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) |
| 41 | +#define MACSEC_UNDEF_SSCI ((__force ssci_t)0xffffffff) |
| 42 | |
| 43 | #define MACSEC_GCM_AES_128_SAK_LEN 16 |
| 44 | #define MACSEC_GCM_AES_256_SAK_LEN 32 |
| 45 | |
| 46 | #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN |
| 47 | +#define DEFAULT_XPN false |
| 48 | #define DEFAULT_SEND_SCI true |
| 49 | #define DEFAULT_ENCRYPT false |
| 50 | #define DEFAULT_ENCODING_SA 0 |
| 51 | @@ -1311,6 +1313,7 @@ static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len, |
| 52 | return PTR_ERR(rx_sa->key.tfm); |
| 53 | } |
| 54 | |
| 55 | + rx_sa->ssci = MACSEC_UNDEF_SSCI; |
| 56 | rx_sa->active = false; |
| 57 | rx_sa->next_pn = 1; |
| 58 | refcount_set(&rx_sa->refcnt, 1); |
| 59 | @@ -1409,6 +1412,7 @@ static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len, |
| 60 | return PTR_ERR(tx_sa->key.tfm); |
| 61 | } |
| 62 | |
| 63 | + tx_sa->ssci = MACSEC_UNDEF_SSCI; |
| 64 | tx_sa->active = false; |
| 65 | refcount_set(&tx_sa->refcnt, 1); |
| 66 | spin_lock_init(&tx_sa->lock); |
| 67 | @@ -1452,6 +1456,16 @@ static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value, |
| 68 | return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr); |
| 69 | } |
| 70 | |
| 71 | +static ssci_t nla_get_ssci(const struct nlattr *nla) |
| 72 | +{ |
| 73 | + return (__force ssci_t)nla_get_u32(nla); |
| 74 | +} |
| 75 | + |
| 76 | +static int nla_put_ssci(struct sk_buff *skb, int attrtype, ssci_t value) |
| 77 | +{ |
| 78 | + return nla_put_u32(skb, attrtype, (__force u64)value); |
| 79 | +} |
| 80 | + |
| 81 | static struct macsec_tx_sa *get_txsa_from_nl(struct net *net, |
| 82 | struct nlattr **attrs, |
| 83 | struct nlattr **tb_sa, |
| 84 | @@ -1567,11 +1581,14 @@ static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = { |
| 85 | static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { |
| 86 | [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 }, |
| 87 | [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 }, |
| 88 | - [MACSEC_SA_ATTR_PN] = { .type = NLA_U32 }, |
| 89 | + [MACSEC_SA_ATTR_PN] = { .type = NLA_MIN_LEN, .len = 4 }, |
| 90 | [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, |
| 91 | .len = MACSEC_KEYID_LEN, }, |
| 92 | [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, |
| 93 | .len = MACSEC_MAX_KEY_LEN, }, |
| 94 | + [MACSEC_SA_ATTR_SSCI] = { .type = NLA_U32 }, |
| 95 | + [MACSEC_SA_ATTR_SALT] = { .type = NLA_BINARY, |
| 96 | + .len = MACSEC_SALT_LEN, }, |
| 97 | }; |
| 98 | |
| 99 | static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = { |
| 100 | @@ -1644,7 +1661,8 @@ static bool validate_add_rxsa(struct nlattr **attrs) |
| 101 | if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) |
| 102 | return false; |
| 103 | |
| 104 | - if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0) |
| 105 | + if (attrs[MACSEC_SA_ATTR_PN] && |
| 106 | + *(u64 *)nla_data(attrs[MACSEC_SA_ATTR_PN]) == 0) |
| 107 | return false; |
| 108 | |
| 109 | if (attrs[MACSEC_SA_ATTR_ACTIVE]) { |
| 110 | @@ -1666,6 +1684,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) |
| 111 | struct macsec_rx_sc *rx_sc; |
| 112 | struct macsec_rx_sa *rx_sa; |
| 113 | unsigned char assoc_num; |
| 114 | + int pn_len; |
| 115 | struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; |
| 116 | struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; |
| 117 | int err; |
| 118 | @@ -1698,6 +1717,29 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) |
| 119 | return -EINVAL; |
| 120 | } |
| 121 | |
| 122 | + pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; |
| 123 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { |
| 124 | + pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n", |
| 125 | + nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); |
| 126 | + rtnl_unlock(); |
| 127 | + return -EINVAL; |
| 128 | + } |
| 129 | + |
| 130 | + if (secy->xpn) { |
| 131 | + if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { |
| 132 | + rtnl_unlock(); |
| 133 | + return -EINVAL; |
| 134 | + } |
| 135 | + |
| 136 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { |
| 137 | + pr_notice("macsec: nl: add_rxsa: bad salt length: %d != %d\n", |
| 138 | + nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), |
| 139 | + MACSEC_SA_ATTR_SALT); |
| 140 | + rtnl_unlock(); |
| 141 | + return -EINVAL; |
| 142 | + } |
| 143 | + } |
| 144 | + |
| 145 | rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]); |
| 146 | if (rx_sa) { |
| 147 | rtnl_unlock(); |
| 148 | @@ -1720,7 +1762,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) |
| 149 | |
| 150 | if (tb_sa[MACSEC_SA_ATTR_PN]) { |
| 151 | spin_lock_bh(&rx_sa->lock); |
| 152 | - rx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); |
| 153 | + rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); |
| 154 | spin_unlock_bh(&rx_sa->lock); |
| 155 | } |
| 156 | |
| 157 | @@ -1750,6 +1792,12 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) |
| 158 | goto cleanup; |
| 159 | } |
| 160 | |
| 161 | + if (secy->xpn) { |
| 162 | + rx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); |
| 163 | + nla_memcpy(rx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], |
| 164 | + MACSEC_SALT_LEN); |
| 165 | + } |
| 166 | + |
| 167 | nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); |
| 168 | rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa); |
| 169 | |
| 170 | @@ -1874,6 +1922,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) |
| 171 | struct macsec_tx_sc *tx_sc; |
| 172 | struct macsec_tx_sa *tx_sa; |
| 173 | unsigned char assoc_num; |
| 174 | + int pn_len; |
| 175 | struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; |
| 176 | bool was_operational; |
| 177 | int err; |
| 178 | @@ -1906,6 +1955,29 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) |
| 179 | return -EINVAL; |
| 180 | } |
| 181 | |
| 182 | + pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; |
| 183 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { |
| 184 | + pr_notice("macsec: nl: add_txsa: bad pn length: %d != %d\n", |
| 185 | + nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); |
| 186 | + rtnl_unlock(); |
| 187 | + return -EINVAL; |
| 188 | + } |
| 189 | + |
| 190 | + if (secy->xpn) { |
| 191 | + if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { |
| 192 | + rtnl_unlock(); |
| 193 | + return -EINVAL; |
| 194 | + } |
| 195 | + |
| 196 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { |
| 197 | + pr_notice("macsec: nl: add_txsa: bad salt length: %d != %d\n", |
| 198 | + nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), |
| 199 | + MACSEC_SA_ATTR_SALT); |
| 200 | + rtnl_unlock(); |
| 201 | + return -EINVAL; |
| 202 | + } |
| 203 | + } |
| 204 | + |
| 205 | tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]); |
| 206 | if (tx_sa) { |
| 207 | rtnl_unlock(); |
| 208 | @@ -1927,7 +1999,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) |
| 209 | } |
| 210 | |
| 211 | spin_lock_bh(&tx_sa->lock); |
| 212 | - tx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); |
| 213 | + tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); |
| 214 | spin_unlock_bh(&tx_sa->lock); |
| 215 | |
| 216 | if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) |
| 217 | @@ -1958,6 +2030,12 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) |
| 218 | goto cleanup; |
| 219 | } |
| 220 | |
| 221 | + if (secy->xpn) { |
| 222 | + tx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); |
| 223 | + nla_memcpy(tx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], |
| 224 | + MACSEC_SALT_LEN); |
| 225 | + } |
| 226 | + |
| 227 | nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); |
| 228 | rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa); |
| 229 | |
| 230 | @@ -2164,7 +2242,9 @@ static bool validate_upd_sa(struct nlattr **attrs) |
| 231 | { |
| 232 | if (!attrs[MACSEC_SA_ATTR_AN] || |
| 233 | attrs[MACSEC_SA_ATTR_KEY] || |
| 234 | - attrs[MACSEC_SA_ATTR_KEYID]) |
| 235 | + attrs[MACSEC_SA_ATTR_KEYID] || |
| 236 | + attrs[MACSEC_SA_ATTR_SSCI] || |
| 237 | + attrs[MACSEC_SA_ATTR_SALT]) |
| 238 | return false; |
| 239 | |
| 240 | if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) |
| 241 | @@ -2214,9 +2294,19 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) |
| 242 | } |
| 243 | |
| 244 | if (tb_sa[MACSEC_SA_ATTR_PN]) { |
| 245 | + int pn_len; |
| 246 | + |
| 247 | + pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; |
| 248 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { |
| 249 | + pr_notice("macsec: nl: upd_txsa: bad pn length: %d != %d\n", |
| 250 | + nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); |
| 251 | + rtnl_unlock(); |
| 252 | + return -EINVAL; |
| 253 | + } |
| 254 | + |
| 255 | spin_lock_bh(&tx_sa->lock); |
| 256 | prev_pn = tx_sa->next_pn_halves; |
| 257 | - tx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); |
| 258 | + tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); |
| 259 | spin_unlock_bh(&tx_sa->lock); |
| 260 | } |
| 261 | |
| 262 | @@ -2300,9 +2390,19 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) |
| 263 | } |
| 264 | |
| 265 | if (tb_sa[MACSEC_SA_ATTR_PN]) { |
| 266 | + int pn_len; |
| 267 | + |
| 268 | + pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; |
| 269 | + if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { |
| 270 | + pr_notice("macsec: nl: upd_rxsa: bad pn length: %d != %d\n", |
| 271 | + nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); |
| 272 | + rtnl_unlock(); |
| 273 | + return -EINVAL; |
| 274 | + } |
| 275 | + |
| 276 | spin_lock_bh(&rx_sa->lock); |
| 277 | prev_pn = rx_sa->next_pn_halves; |
| 278 | - rx_sa->next_pn_halves.lower = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]); |
| 279 | + rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); |
| 280 | spin_unlock_bh(&rx_sa->lock); |
| 281 | } |
| 282 | |
| 283 | @@ -2749,10 +2849,10 @@ static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb) |
| 284 | |
| 285 | switch (secy->key_len) { |
| 286 | case MACSEC_GCM_AES_128_SAK_LEN: |
| 287 | - csid = MACSEC_DEFAULT_CIPHER_ID; |
| 288 | + csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; |
| 289 | break; |
| 290 | case MACSEC_GCM_AES_256_SAK_LEN: |
| 291 | - csid = MACSEC_CIPHER_ID_GCM_AES_256; |
| 292 | + csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; |
| 293 | break; |
| 294 | default: |
| 295 | goto cancel; |
| 296 | @@ -2843,6 +2943,8 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev, |
| 297 | for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) { |
| 298 | struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]); |
| 299 | struct nlattr *txsa_nest; |
| 300 | + u64 pn; |
| 301 | + int pn_len; |
| 302 | |
| 303 | if (!tx_sa) |
| 304 | continue; |
| 305 | @@ -2853,9 +2955,18 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev, |
| 306 | goto nla_put_failure; |
| 307 | } |
| 308 | |
| 309 | + if (secy->xpn) { |
| 310 | + pn = tx_sa->next_pn; |
| 311 | + pn_len = MACSEC_XPN_PN_LEN; |
| 312 | + } else { |
| 313 | + pn = tx_sa->next_pn_halves.lower; |
| 314 | + pn_len = MACSEC_DEFAULT_PN_LEN; |
| 315 | + } |
| 316 | + |
| 317 | if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || |
| 318 | - nla_put_u32(skb, MACSEC_SA_ATTR_PN, tx_sa->next_pn_halves.lower) || |
| 319 | + nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || |
| 320 | nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) || |
| 321 | + (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, tx_sa->ssci)) || |
| 322 | nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) { |
| 323 | nla_nest_cancel(skb, txsa_nest); |
| 324 | nla_nest_cancel(skb, txsa_list); |
| 325 | @@ -2928,6 +3039,8 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev, |
| 326 | for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) { |
| 327 | struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]); |
| 328 | struct nlattr *rxsa_nest; |
| 329 | + u64 pn; |
| 330 | + int pn_len; |
| 331 | |
| 332 | if (!rx_sa) |
| 333 | continue; |
| 334 | @@ -2957,9 +3070,18 @@ dump_secy(struct macsec_secy *secy, struct net_device *dev, |
| 335 | } |
| 336 | nla_nest_end(skb, attr); |
| 337 | |
| 338 | + if (secy->xpn) { |
| 339 | + pn = rx_sa->next_pn; |
| 340 | + pn_len = MACSEC_XPN_PN_LEN; |
| 341 | + } else { |
| 342 | + pn = rx_sa->next_pn_halves.lower; |
| 343 | + pn_len = MACSEC_DEFAULT_PN_LEN; |
| 344 | + } |
| 345 | + |
| 346 | if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || |
| 347 | - nla_put_u32(skb, MACSEC_SA_ATTR_PN, rx_sa->next_pn_halves.lower) || |
| 348 | + nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || |
| 349 | nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) || |
| 350 | + (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, rx_sa->ssci)) || |
| 351 | nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) { |
| 352 | nla_nest_cancel(skb, rxsa_nest); |
| 353 | nla_nest_cancel(skb, rxsc_nest); |
| 354 | @@ -3503,9 +3625,19 @@ static int macsec_changelink_common(struct net_device *dev, |
| 355 | case MACSEC_CIPHER_ID_GCM_AES_128: |
| 356 | case MACSEC_DEFAULT_CIPHER_ID: |
| 357 | secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; |
| 358 | + secy->xpn = false; |
| 359 | break; |
| 360 | case MACSEC_CIPHER_ID_GCM_AES_256: |
| 361 | secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; |
| 362 | + secy->xpn = false; |
| 363 | + break; |
| 364 | + case MACSEC_CIPHER_ID_GCM_AES_XPN_128: |
| 365 | + secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; |
| 366 | + secy->xpn = true; |
| 367 | + break; |
| 368 | + case MACSEC_CIPHER_ID_GCM_AES_XPN_256: |
| 369 | + secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; |
| 370 | + secy->xpn = true; |
| 371 | break; |
| 372 | default: |
| 373 | return -EINVAL; |
| 374 | @@ -3695,6 +3827,7 @@ static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) |
| 375 | secy->validate_frames = MACSEC_VALIDATE_DEFAULT; |
| 376 | secy->protect_frames = true; |
| 377 | secy->replay_protect = false; |
| 378 | + secy->xpn = DEFAULT_XPN; |
| 379 | |
| 380 | secy->sci = sci; |
| 381 | secy->tx_sc.active = true; |
| 382 | @@ -3824,6 +3957,8 @@ static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[], |
| 383 | switch (csid) { |
| 384 | case MACSEC_CIPHER_ID_GCM_AES_128: |
| 385 | case MACSEC_CIPHER_ID_GCM_AES_256: |
| 386 | + case MACSEC_CIPHER_ID_GCM_AES_XPN_128: |
| 387 | + case MACSEC_CIPHER_ID_GCM_AES_XPN_256: |
| 388 | case MACSEC_DEFAULT_CIPHER_ID: |
| 389 | if (icv_len < MACSEC_MIN_ICV_LEN || |
| 390 | icv_len > MACSEC_STD_ICV_LEN) |
| 391 | @@ -3897,10 +4032,10 @@ static int macsec_fill_info(struct sk_buff *skb, |
| 392 | |
| 393 | switch (secy->key_len) { |
| 394 | case MACSEC_GCM_AES_128_SAK_LEN: |
| 395 | - csid = MACSEC_DEFAULT_CIPHER_ID; |
| 396 | + csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; |
| 397 | break; |
| 398 | case MACSEC_GCM_AES_256_SAK_LEN: |
| 399 | - csid = MACSEC_CIPHER_ID_GCM_AES_256; |
| 400 | + csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; |
| 401 | break; |
| 402 | default: |
| 403 | goto nla_put_failure; |
| 404 | diff --git a/include/net/macsec.h b/include/net/macsec.h |
| 405 | index 43cd54e178770..2e4780dbf5c6a 100644 |
| 406 | --- a/include/net/macsec.h |
| 407 | +++ b/include/net/macsec.h |
| 408 | @@ -11,6 +11,9 @@ |
| 409 | #include <uapi/linux/if_link.h> |
| 410 | #include <uapi/linux/if_macsec.h> |
| 411 | |
| 412 | +#define MACSEC_DEFAULT_PN_LEN 4 |
| 413 | +#define MACSEC_XPN_PN_LEN 8 |
| 414 | + |
| 415 | #define MACSEC_SALT_LEN 12 |
| 416 | #define MACSEC_NUM_AN 4 /* 2 bits for the association number */ |
| 417 | |
| 418 | diff --git a/include/uapi/linux/if_macsec.h b/include/uapi/linux/if_macsec.h |
| 419 | index 1d63c43c38cca..3af2aa069a367 100644 |
| 420 | --- a/include/uapi/linux/if_macsec.h |
| 421 | +++ b/include/uapi/linux/if_macsec.h |
| 422 | @@ -22,9 +22,11 @@ |
| 423 | |
| 424 | #define MACSEC_KEYID_LEN 16 |
| 425 | |
| 426 | -/* cipher IDs as per IEEE802.1AEbn-2011 */ |
| 427 | +/* cipher IDs as per IEEE802.1AE-2018 (Table 14-1) */ |
| 428 | #define MACSEC_CIPHER_ID_GCM_AES_128 0x0080C20001000001ULL |
| 429 | #define MACSEC_CIPHER_ID_GCM_AES_256 0x0080C20001000002ULL |
| 430 | +#define MACSEC_CIPHER_ID_GCM_AES_XPN_128 0x0080C20001000003ULL |
| 431 | +#define MACSEC_CIPHER_ID_GCM_AES_XPN_256 0x0080C20001000004ULL |
| 432 | |
| 433 | /* deprecated cipher ID for GCM-AES-128 */ |
| 434 | #define MACSEC_DEFAULT_CIPHER_ID 0x0080020001000001ULL |
| 435 | @@ -88,11 +90,13 @@ enum macsec_sa_attrs { |
| 436 | MACSEC_SA_ATTR_UNSPEC, |
| 437 | MACSEC_SA_ATTR_AN, /* config/dump, u8 0..3 */ |
| 438 | MACSEC_SA_ATTR_ACTIVE, /* config/dump, u8 0..1 */ |
| 439 | - MACSEC_SA_ATTR_PN, /* config/dump, u32 */ |
| 440 | + MACSEC_SA_ATTR_PN, /* config/dump, u32/u64 (u64 if XPN) */ |
| 441 | MACSEC_SA_ATTR_KEY, /* config, data */ |
| 442 | MACSEC_SA_ATTR_KEYID, /* config/dump, 128-bit */ |
| 443 | MACSEC_SA_ATTR_STATS, /* dump, nested, macsec_sa_stats_attr */ |
| 444 | MACSEC_SA_ATTR_PAD, |
| 445 | + MACSEC_SA_ATTR_SSCI, /* config/dump, u32 - XPN only */ |
| 446 | + MACSEC_SA_ATTR_SALT, /* config, 96-bit - XPN only */ |
| 447 | __MACSEC_SA_ATTR_END, |
| 448 | NUM_MACSEC_SA_ATTR = __MACSEC_SA_ATTR_END, |
| 449 | MACSEC_SA_ATTR_MAX = __MACSEC_SA_ATTR_END - 1, |
| 450 | -- |
| 451 | cgit 1.2.3-1.el7 |
| 452 | |