"Fossies" - the Fresh Open Source Software Archive

Member "tcpdump-4.99.1/./print-macsec.c" (7 Jun 2021, 7764 Bytes) of package /linux/misc/tcpdump-4.99.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "print-macsec.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 4.99.0_vs_4.99.1.

    1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
    2  *
    3  * Redistribution and use in source and binary forms, with or without
    4  * modification, are permitted provided that the following conditions
    5  * are met:
    6  *
    7  *   1. Redistributions of source code must retain the above copyright
    8  *      notice, this list of conditions and the following disclaimer.
    9  *   2. Redistributions in binary form must reproduce the above copyright
   10  *      notice, this list of conditions and the following disclaimer in
   11  *      the documentation and/or other materials provided with the
   12  *      distribution.
   13  *   3. The names of the authors may not be used to endorse or promote
   14  *      products derived from this software without specific prior
   15  *      written permission.
   16  *
   17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
   18  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
   19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
   20  */
   21 
   22 /* \summary: MACsec printer */
   23 
   24 #ifdef HAVE_CONFIG_H
   25 #include <config.h>
   26 #endif
   27 
   28 #include "netdissect-stdinc.h"
   29 
   30 #include "netdissect.h"
   31 #include "addrtoname.h"
   32 #include "ethertype.h"
   33 #include "extract.h"
   34 
   35 #define MACSEC_DEFAULT_ICV_LEN 16
   36 
   37 /* Header format (SecTAG), following an Ethernet header
   38  * IEEE 802.1AE-2006 9.3
   39  *
   40  * +---------------------------------+----------------+----------------+
   41  * |        (MACsec ethertype)       |     TCI_AN     |       SL       |
   42  * +---------------------------------+----------------+----------------+
   43  * |                           Packet Number                           |
   44  * +-------------------------------------------------------------------+
   45  * |                     Secure Channel Identifier                     |
   46  * |                            (optional)                             |
   47  * +-------------------------------------------------------------------+
   48  *
   49  * MACsec ethertype = 0x88e5
   50  * TCI: Tag Control Information, set of flags
   51  * AN: association number, 2 bits
   52  * SL (short length): 6-bit length of the protected payload, if < 48
   53  * Packet Number: 32-bits packet identifier
   54  * Secure Channel Identifier: 64-bit unique identifier, usually
   55  *     composed of a MAC address + 16-bit port number
   56  */
   57 struct macsec_sectag {
   58     nd_uint8_t  tci_an;
   59     nd_uint8_t  short_length;
   60     nd_uint32_t packet_number;
   61     nd_uint8_t  secure_channel_id[8]; /* optional */
   62 };
   63 
   64 /* IEEE 802.1AE-2006 9.5 */
   65 #define MACSEC_TCI_VERSION 0x80
   66 #define MACSEC_TCI_ES      0x40 /* end station */
   67 #define MACSEC_TCI_SC      0x20 /* SCI present */
   68 #define MACSEC_TCI_SCB     0x10 /* epon */
   69 #define MACSEC_TCI_E       0x08 /* encryption */
   70 #define MACSEC_TCI_C       0x04 /* changed text */
   71 #define MACSEC_AN_MASK     0x03 /* association number */
   72 #define MACSEC_TCI_FLAGS   (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
   73 #define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)
   74 #define MACSEC_SL_MASK     0x3F /* short length */
   75 
   76 #define MACSEC_SECTAG_LEN_NOSCI 6  /* length of MACsec header without SCI */
   77 #define MACSEC_SECTAG_LEN_SCI   14 /* length of MACsec header with SCI */
   78 
   79 #define SCI_FMT "%016" PRIx64
   80 
   81 static const struct tok macsec_flag_values[] = {
   82     { MACSEC_TCI_E,   "E" },
   83     { MACSEC_TCI_C,   "C" },
   84     { MACSEC_TCI_ES,  "S" },
   85     { MACSEC_TCI_SCB, "B" },
   86     { MACSEC_TCI_SC,  "I" },
   87     { 0, NULL }
   88 };
   89 
   90 static void macsec_print_header(netdissect_options *ndo,
   91                 const struct macsec_sectag *sectag,
   92                 u_int short_length)
   93 {
   94     ND_PRINT("an %u, pn %u, flags %s",
   95          GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
   96          GET_BE_U_4(sectag->packet_number),
   97          bittok2str_nosep(macsec_flag_values, "none",
   98                   GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
   99 
  100     if (short_length != 0)
  101         ND_PRINT(", sl %u", short_length);
  102 
  103     if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
  104         ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
  105 
  106     ND_PRINT(", ");
  107 }
  108 
  109 /* returns < 0 iff the packet can be decoded completely */
  110 int macsec_print(netdissect_options *ndo, const u_char **bp,
  111          u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
  112          const struct lladdr_info *src, const struct lladdr_info *dst)
  113 {
  114     const char *save_protocol;
  115     const u_char *p = *bp;
  116     u_int length = *lengthp;
  117     u_int caplen = *caplenp;
  118     u_int hdrlen = *hdrlenp;
  119     const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
  120     u_int sectag_len;
  121     u_int short_length;
  122 
  123     save_protocol = ndo->ndo_protocol;
  124     ndo->ndo_protocol = "macsec";
  125 
  126     /* we need the full MACsec header in the capture */
  127     if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
  128         nd_print_trunc(ndo);
  129         ndo->ndo_protocol = save_protocol;
  130         return hdrlen + caplen;
  131     }
  132     if (length < MACSEC_SECTAG_LEN_NOSCI) {
  133         nd_print_trunc(ndo);
  134         ndo->ndo_protocol = save_protocol;
  135         return hdrlen + caplen;
  136     }
  137 
  138     if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
  139         sectag_len = MACSEC_SECTAG_LEN_SCI;
  140         if (caplen < MACSEC_SECTAG_LEN_SCI) {
  141             nd_print_trunc(ndo);
  142             ndo->ndo_protocol = save_protocol;
  143             return hdrlen + caplen;
  144         }
  145         if (length < MACSEC_SECTAG_LEN_SCI) {
  146             nd_print_trunc(ndo);
  147             ndo->ndo_protocol = save_protocol;
  148             return hdrlen + caplen;
  149         }
  150     } else
  151         sectag_len = MACSEC_SECTAG_LEN_NOSCI;
  152 
  153     if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
  154         GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
  155         nd_print_invalid(ndo);
  156         ndo->ndo_protocol = save_protocol;
  157         return hdrlen + caplen;
  158     }
  159 
  160     short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
  161     if (ndo->ndo_eflag)
  162         macsec_print_header(ndo, sectag, short_length);
  163 
  164     /* Skip the MACsec header. */
  165     *bp += sectag_len;
  166     *hdrlenp += sectag_len;
  167 
  168     /* Remove it from the lengths, as it's been processed. */
  169     *lengthp -= sectag_len;
  170     *caplenp -= sectag_len;
  171 
  172     if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
  173         /*
  174          * The payload is encrypted.  Print link-layer
  175          * information, if it hasn't already been printed.
  176          */
  177         if (!ndo->ndo_eflag) {
  178             /*
  179              * Nobody printed the link-layer addresses,
  180              * so print them, if we have any.
  181              */
  182             if (src != NULL && dst != NULL) {
  183                 ND_PRINT("%s > %s ",
  184                     (src->addr_string)(ndo, src->addr),
  185                     (dst->addr_string)(ndo, dst->addr));
  186             }
  187 
  188             ND_PRINT("802.1AE MACsec, ");
  189 
  190             /*
  191              * Print the MACsec header.
  192              */
  193             macsec_print_header(ndo, sectag, short_length);
  194         }
  195 
  196         /*
  197          * Tell our caller it can't be dissected.
  198          */
  199         ndo->ndo_protocol = save_protocol;
  200         return 0;
  201     }
  202 
  203     /*
  204      * The payload isn't encrypted; remove the
  205      * ICV length from the lengths, so our caller
  206      * doesn't treat it as payload.
  207      */
  208     if (*lengthp < MACSEC_DEFAULT_ICV_LEN) {
  209         nd_print_trunc(ndo);
  210         ndo->ndo_protocol = save_protocol;
  211         return hdrlen + caplen;
  212     }
  213     if (*caplenp < MACSEC_DEFAULT_ICV_LEN) {
  214         nd_print_trunc(ndo);
  215         ndo->ndo_protocol = save_protocol;
  216         return hdrlen + caplen;
  217     }
  218     *lengthp -= MACSEC_DEFAULT_ICV_LEN;
  219     *caplenp -= MACSEC_DEFAULT_ICV_LEN;
  220     /*
  221      * Update the snapend thus the ICV field is not in the payload for
  222      * the caller.
  223      * The ICV (Integrity Check Value) is at the end of the frame, after
  224      * the secure data.
  225      */
  226     ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
  227 
  228     /*
  229      * If the SL field is non-zero, then it's the length of the
  230      * Secure Data; otherwise, the Secure Data is what's left
  231      * ver after the MACsec header and ICV are removed.
  232      */
  233     if (short_length != 0) {
  234         /*
  235          * If the short length is more than we *have*,
  236          * that's an error.
  237          */
  238         if (short_length > *lengthp) {
  239             nd_print_trunc(ndo);
  240             ndo->ndo_protocol = save_protocol;
  241             return hdrlen + caplen;
  242         }
  243         if (short_length > *caplenp) {
  244             nd_print_trunc(ndo);
  245             ndo->ndo_protocol = save_protocol;
  246             return hdrlen + caplen;
  247         }
  248         if (*lengthp > short_length)
  249             *lengthp = short_length;
  250         if (*caplenp > short_length)
  251             *caplenp = short_length;
  252     }
  253 
  254     ndo->ndo_protocol = save_protocol;
  255     return -1;
  256 }