network: add MACsecTransmitAssociation.UseForEncoding= setting
parent
a7b9c52f1f
commit
b0e13c3122
|
@ -948,6 +948,14 @@
|
||||||
unset.</para>
|
unset.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>UseForEncoding=</varname></term>
|
||||||
|
<listitem>
|
||||||
|
<para>Takes a boolean. If enabled, then the security association is used for encoding. Only
|
||||||
|
one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
|
||||||
|
<varname>Activate=yes</varname> is implied. Defaults to unset.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -36,6 +36,7 @@ static void security_association_init(SecurityAssociation *sa) {
|
||||||
assert(sa);
|
assert(sa);
|
||||||
|
|
||||||
sa->activate = -1;
|
sa->activate = -1;
|
||||||
|
sa->use_for_encoding = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void macsec_receive_association_free(ReceiveAssociation *c) {
|
static void macsec_receive_association_free(ReceiveAssociation *c) {
|
||||||
|
@ -539,6 +540,10 @@ static int netdev_macsec_fill_message_create(NetDev *netdev, Link *link, sd_netl
|
||||||
return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACSEC_ENCRYPT attribute: %m");
|
return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACSEC_ENCRYPT attribute: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
r = sd_netlink_message_append_u8(m, IFLA_MACSEC_ENCODING_SA, v->encoding_an);
|
||||||
|
if (r < 0)
|
||||||
|
return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACSEC_ENCODING_SA attribute: %m");
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -919,6 +924,53 @@ int config_parse_macsec_sa_activate(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int config_parse_macsec_use_for_encoding(
|
||||||
|
const char *unit,
|
||||||
|
const char *filename,
|
||||||
|
unsigned line,
|
||||||
|
const char *section,
|
||||||
|
unsigned section_line,
|
||||||
|
const char *lvalue,
|
||||||
|
int ltype,
|
||||||
|
const char *rvalue,
|
||||||
|
void *data,
|
||||||
|
void *userdata) {
|
||||||
|
|
||||||
|
_cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
|
||||||
|
MACsec *s = userdata;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(filename);
|
||||||
|
assert(section);
|
||||||
|
assert(lvalue);
|
||||||
|
assert(rvalue);
|
||||||
|
assert(data);
|
||||||
|
|
||||||
|
r = macsec_transmit_association_new_static(s, filename, section_line, &a);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (isempty(rvalue))
|
||||||
|
r = -1;
|
||||||
|
else {
|
||||||
|
r = parse_boolean(rvalue);
|
||||||
|
if (r < 0) {
|
||||||
|
log_syntax(unit, LOG_ERR, filename, line, r,
|
||||||
|
"Failed to parse %s= setting. Ignoring assignment: %s",
|
||||||
|
lvalue, rvalue);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
a->sa.use_for_encoding = r;
|
||||||
|
if (a->sa.use_for_encoding > 0)
|
||||||
|
a->sa.activate = true;
|
||||||
|
|
||||||
|
TAKE_PTR(a);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
|
static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
|
||||||
_cleanup_free_ uint8_t *key = NULL;
|
_cleanup_free_ uint8_t *key = NULL;
|
||||||
size_t key_len;
|
size_t key_len;
|
||||||
|
@ -1095,7 +1147,8 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
|
||||||
ReceiveAssociation *n;
|
ReceiveAssociation *n;
|
||||||
ReceiveChannel *c;
|
ReceiveChannel *c;
|
||||||
Iterator i;
|
Iterator i;
|
||||||
uint8_t an;
|
uint8_t an, encoding_an;
|
||||||
|
bool use_for_encoding;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(netdev);
|
assert(netdev);
|
||||||
|
@ -1109,6 +1162,8 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
|
||||||
}
|
}
|
||||||
|
|
||||||
an = 0;
|
an = 0;
|
||||||
|
use_for_encoding = false;
|
||||||
|
encoding_an = 0;
|
||||||
ORDERED_HASHMAP_FOREACH(a, v->transmit_associations_by_section, i) {
|
ORDERED_HASHMAP_FOREACH(a, v->transmit_associations_by_section, i) {
|
||||||
r = macsec_transmit_association_verify(a);
|
r = macsec_transmit_association_verify(a);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
@ -1126,8 +1181,24 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
|
||||||
}
|
}
|
||||||
|
|
||||||
a->sa.association_number = an++;
|
a->sa.association_number = an++;
|
||||||
|
|
||||||
|
if (a->sa.use_for_encoding > 0) {
|
||||||
|
if (use_for_encoding) {
|
||||||
|
log_netdev_warning(netdev,
|
||||||
|
"%s: Multiple security associations are set to be used for transmit channel."
|
||||||
|
"Disabling UseForEncoding= in [MACsecTransmitAssociation] section from line %u",
|
||||||
|
a->section->filename, a->section->line);
|
||||||
|
a->sa.use_for_encoding = false;
|
||||||
|
} else {
|
||||||
|
encoding_an = a->sa.association_number;
|
||||||
|
use_for_encoding = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
assert(encoding_an < MACSEC_MAX_ASSOCIATION_NUMBER);
|
||||||
|
v->encoding_an = encoding_an;
|
||||||
|
|
||||||
ORDERED_HASHMAP_FOREACH(n, v->receive_associations_by_section, i) {
|
ORDERED_HASHMAP_FOREACH(n, v->receive_associations_by_section, i) {
|
||||||
r = macsec_receive_association_verify(n);
|
r = macsec_receive_association_verify(n);
|
||||||
if (r < 0)
|
if (r < 0)
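Review bot: The two adjacent string literals passed to log_netdev_warning() in the netdev_macsec_verify hunk (@@ -1126) are concatenated without a separator, so the emitted message reads "...used for transmit channel.Disabling UseForEncoding= ..."; the first literal should end with a space, `"%s: Multiple security associations are set to be used for transmit channel. "`. Separately, when this loop clears `a->sa.use_for_encoding` for a duplicate, it leaves the `a->sa.activate = true` that config_parse_macsec_use_for_encoding (hunk @@ -919) set at parse time, so the demoted association presumably still gets activated even though it is no longer the encoding SA — if that is not intended, reset activate here as well. Deriving the "Activate=yes is implied" rule at parse time also appears order-dependent: an explicit `Activate=no` written after `UseForEncoding=yes` in the same section would seemingly win, leaving an encoding SA that is not active, so enforcing the implication in this verify pass instead of the parser would be more robust. netdev_macsec_verify begins and ends outside the hunk.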
|
||||||
|
|
|
@ -32,6 +32,7 @@ typedef struct SecurityAssociation {
|
||||||
uint32_t key_len;
|
uint32_t key_len;
|
||||||
char *key_file;
|
char *key_file;
|
||||||
int activate;
|
int activate;
|
||||||
|
int use_for_encoding;
|
||||||
} SecurityAssociation;
|
} SecurityAssociation;
|
||||||
|
|
||||||
typedef struct TransmitAssociation {
|
typedef struct TransmitAssociation {
|
||||||
|
@ -63,6 +64,7 @@ struct MACsec {
|
||||||
|
|
||||||
uint16_t port;
|
uint16_t port;
|
||||||
int encrypt;
|
int encrypt;
|
||||||
|
uint8_t encoding_an;
|
||||||
|
|
||||||
OrderedHashmap *receive_channels;
|
OrderedHashmap *receive_channels;
|
||||||
OrderedHashmap *receive_channels_by_section;
|
OrderedHashmap *receive_channels_by_section;
|
||||||
|
@ -80,3 +82,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_sa_activate);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_sa_activate);
|
||||||
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_use_for_encoding);
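Review bot: The new `int use_for_encoding;` member added to SecurityAssociation (hunk @@ -32) is a tri-state — security_association_init() initialises it to -1 and the parser stores -1 for an empty value or the 0/1 result of parse_boolean() — but the header gives no hint of that encoding. A short comment would make the contract explicit, e.g. `int use_for_encoding; /* -1 = unset, 0 = no, 1 = yes */`, and the neighbouring `activate` field appears to follow the same convention and would benefit from the same note. Likewise `uint8_t encoding_an;` in struct MACsec (hunk @@ -63) could say it is the association number selected by netdev_macsec_verify() and defaults to 0 when no association sets UseForEncoding=. Both struct definitions start outside their hunks.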
|
||||||
|
|
|
@ -142,6 +142,7 @@ MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0,
|
||||||
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
|
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
|
||||||
MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
|
MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
|
||||||
MACsecTransmitAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
|
MACsecTransmitAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
|
||||||
|
MACsecTransmitAssociation.UseForEncoding, config_parse_macsec_use_for_encoding, 0, 0
|
||||||
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
|
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
|
||||||
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
|
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
|
||||||
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
||||||
|
|
|
@ -185,6 +185,7 @@ KeyId=
|
||||||
Key=
|
Key=
|
||||||
KeyFile=
|
KeyFile=
|
||||||
Activate=
|
Activate=
|
||||||
|
UseForEncoding=
|
||||||
[MACsecReceiveChannel]
|
[MACsecReceiveChannel]
|
||||||
Port=
|
Port=
|
||||||
MACAddress=
|
MACAddress=
|
||||||
|
|