network: add MACsec*Association.KeyFile= setting
parent
e482018672
commit
eb4705fb36
|
@ -931,6 +931,16 @@
|
||||||
<literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
|
<literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>KeyFile=</varname></term>
|
||||||
|
<listitem>
|
||||||
|
<para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
|
||||||
|
string, which will be used in the transmission channel. When this option is specified,
|
||||||
|
<varname>Key=</varname> is ignored. Note that the file must be readable by the user
|
||||||
|
<literal>systemd-network</literal>, so it should be, e.g., owned by
|
||||||
|
<literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
@ -970,6 +980,12 @@
|
||||||
<para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
|
<para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>KeyFile=</varname></term>
|
||||||
|
<listitem>
|
||||||
|
<para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
#include <linux/genetlink.h>
|
#include <linux/genetlink.h>
|
||||||
|
|
||||||
#include "conf-parser.h"
|
#include "conf-parser.h"
|
||||||
|
#include "fileio.h"
|
||||||
#include "hashmap.h"
|
#include "hashmap.h"
|
||||||
#include "hexdecoct.h"
|
#include "hexdecoct.h"
|
||||||
#include "macsec.h"
|
#include "macsec.h"
|
||||||
|
@ -15,6 +16,7 @@
|
||||||
#include "network-internal.h"
|
#include "network-internal.h"
|
||||||
#include "networkd-address.h"
|
#include "networkd-address.h"
|
||||||
#include "networkd-manager.h"
|
#include "networkd-manager.h"
|
||||||
|
#include "path-util.h"
|
||||||
#include "sd-netlink.h"
|
#include "sd-netlink.h"
|
||||||
#include "socket-util.h"
|
#include "socket-util.h"
|
||||||
#include "string-table.h"
|
#include "string-table.h"
|
||||||
|
@ -27,6 +29,7 @@ static void security_association_clear(SecurityAssociation *sa) {
|
||||||
|
|
||||||
explicit_bzero_safe(sa->key, sa->key_len);
|
explicit_bzero_safe(sa->key, sa->key_len);
|
||||||
free(sa->key);
|
free(sa->key);
|
||||||
|
free(sa->key_file);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void macsec_receive_association_free(ReceiveAssociation *c) {
|
static void macsec_receive_association_free(ReceiveAssociation *c) {
|
||||||
|
@ -738,6 +741,59 @@ int config_parse_macsec_key(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int config_parse_macsec_key_file(
|
||||||
|
const char *unit,
|
||||||
|
const char *filename,
|
||||||
|
unsigned line,
|
||||||
|
const char *section,
|
||||||
|
unsigned section_line,
|
||||||
|
const char *lvalue,
|
||||||
|
int ltype,
|
||||||
|
const char *rvalue,
|
||||||
|
void *data,
|
||||||
|
void *userdata) {
|
||||||
|
|
||||||
|
_cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
|
||||||
|
_cleanup_(macsec_receive_association_free_or_set_invalidp) ReceiveAssociation *b = NULL;
|
||||||
|
_cleanup_free_ char *path = NULL;
|
||||||
|
MACsec *s = userdata;
|
||||||
|
char **dest;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(filename);
|
||||||
|
assert(section);
|
||||||
|
assert(lvalue);
|
||||||
|
assert(rvalue);
|
||||||
|
assert(data);
|
||||||
|
|
||||||
|
if (streq(section, "MACsecTransmitAssociation"))
|
||||||
|
r = macsec_transmit_association_new_static(s, filename, section_line, &a);
|
||||||
|
else
|
||||||
|
r = macsec_receive_association_new_static(s, filename, section_line, &b);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
dest = a ? &a->sa.key_file : &b->sa.key_file;
|
||||||
|
|
||||||
|
if (isempty(rvalue)) {
|
||||||
|
*dest = mfree(*dest);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
path = strdup(rvalue);
|
||||||
|
if (!path)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
free_and_replace(*dest, path);
|
||||||
|
TAKE_PTR(a);
|
||||||
|
TAKE_PTR(b);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
int config_parse_macsec_key_id(
|
int config_parse_macsec_key_id(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
|
@ -793,6 +849,36 @@ int config_parse_macsec_key_id(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
|
||||||
|
_cleanup_free_ uint8_t *key = NULL;
|
||||||
|
size_t key_len;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(netdev);
|
||||||
|
assert(sa);
|
||||||
|
|
||||||
|
if (!sa->key_file)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
r = read_full_file_full(sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
|
||||||
|
if (r < 0)
|
||||||
|
return log_netdev_error_errno(netdev, r,
|
||||||
|
"Failed to read key from '%s', ignoring: %m",
|
||||||
|
sa->key_file);
|
||||||
|
if (key_len != 16) {
|
||||||
|
explicit_bzero_safe(key, key_len);
|
||||||
|
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
|
||||||
|
"Invalid key length (%zu bytes), ignoring: %m",
|
||||||
|
key_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
explicit_bzero_safe(sa->key, sa->key_len);
|
||||||
|
free_and_replace(sa->key, key);
|
||||||
|
sa->key_len = key_len;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int macsec_receive_channel_verify(ReceiveChannel *c) {
|
static int macsec_receive_channel_verify(ReceiveChannel *c) {
|
||||||
NetDev *netdev;
|
NetDev *netdev;
|
||||||
int r;
|
int r;
|
||||||
|
@ -837,6 +923,7 @@ static int macsec_receive_channel_verify(ReceiveChannel *c) {
|
||||||
|
|
||||||
static int macsec_transmit_association_verify(TransmitAssociation *t) {
|
static int macsec_transmit_association_verify(TransmitAssociation *t) {
|
||||||
NetDev *netdev;
|
NetDev *netdev;
|
||||||
|
int r;
|
||||||
|
|
||||||
assert(t);
|
assert(t);
|
||||||
assert(t->macsec);
|
assert(t->macsec);
|
||||||
|
@ -852,6 +939,10 @@ static int macsec_transmit_association_verify(TransmitAssociation *t) {
|
||||||
"Ignoring [MACsecTransmitAssociation] section from line %u",
|
"Ignoring [MACsecTransmitAssociation] section from line %u",
|
||||||
t->section->filename, t->section->line);
|
t->section->filename, t->section->line);
|
||||||
|
|
||||||
|
r = macsec_read_key_file(netdev, &t->sa);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
if (t->sa.key_len <= 0)
|
if (t->sa.key_len <= 0)
|
||||||
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
|
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
|
||||||
"%s: MACsec transmit secure association without key configured. "
|
"%s: MACsec transmit secure association without key configured. "
|
||||||
|
@ -874,6 +965,10 @@ static int macsec_receive_association_verify(ReceiveAssociation *a) {
|
||||||
if (section_is_invalid(a->section))
|
if (section_is_invalid(a->section))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
|
r = macsec_read_key_file(netdev, &a->sa);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
if (a->sa.key_len <= 0)
|
if (a->sa.key_len <= 0)
|
||||||
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
|
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
|
||||||
"%s: MACsec receive secure association without key configured. "
|
"%s: MACsec receive secure association without key configured. "
|
||||||
|
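Review bot: In config_parse_macsec_key_file the `isempty(rvalue)` branch returns 0 without `TAKE_PTR(a)`/`TAKE_PTR(b)`, unlike the success path at the end of the function, so the `_free_or_set_invalidp` cleanup still runs on the association that was just created or looked up; judging by that cleanup's name it presumably marks the section invalid, which would turn an explicit empty `KeyFile=` (meant to reset the setting) into a dropped section — worth confirming against the helper. The fix is to take the pointers before returning in that branch: `*dest = mfree(*dest); TAKE_PTR(a); TAKE_PTR(b); return 0;`. Separately, the man page text in this commit requires the key file to be readable only by `root:systemd-network`, but macsec_read_key_file never looks at the file's mode; reading it with a warn-on-world-readable flag, if fileio.h in this tree provides one, or stat()-ing it and logging a warning, would make an over-permissive key file visible in the journal instead of silently accepting it.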
|
|
@ -30,6 +30,7 @@ typedef struct SecurityAssociation {
|
||||||
uint8_t key_id[MACSEC_KEYID_LEN];
|
uint8_t key_id[MACSEC_KEYID_LEN];
|
||||||
uint8_t *key;
|
uint8_t *key;
|
||||||
uint32_t key_len;
|
uint32_t key_len;
|
||||||
|
char *key_file;
|
||||||
} SecurityAssociation;
|
} SecurityAssociation;
|
||||||
|
|
||||||
typedef struct TransmitAssociation {
|
typedef struct TransmitAssociation {
|
||||||
|
@ -76,3 +77,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_macsec_hw_address);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_packet_number);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_packet_number);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
|
||||||
|
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
|
||||||
|
|
|
@ -140,11 +140,13 @@ MACsecReceiveChannel.MACAddress, config_parse_macsec_hw_address, 0,
|
||||||
MACsecTransmitAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
MACsecTransmitAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
||||||
MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0, 0
|
MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0, 0
|
||||||
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
|
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
|
||||||
|
MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
|
||||||
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
|
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
|
||||||
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
|
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
|
||||||
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
|
||||||
MACsecReceiveAssociation.KeyId, config_parse_macsec_key_id, 0, 0
|
MACsecReceiveAssociation.KeyId, config_parse_macsec_key_id, 0, 0
|
||||||
MACsecReceiveAssociation.Key, config_parse_macsec_key, 0, 0
|
MACsecReceiveAssociation.Key, config_parse_macsec_key, 0, 0
|
||||||
|
MACsecReceiveAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
|
||||||
Tun.OneQueue, config_parse_bool, 0, offsetof(TunTap, one_queue)
|
Tun.OneQueue, config_parse_bool, 0, offsetof(TunTap, one_queue)
|
||||||
Tun.MultiQueue, config_parse_bool, 0, offsetof(TunTap, multi_queue)
|
Tun.MultiQueue, config_parse_bool, 0, offsetof(TunTap, multi_queue)
|
||||||
Tun.PacketInfo, config_parse_bool, 0, offsetof(TunTap, packet_info)
|
Tun.PacketInfo, config_parse_bool, 0, offsetof(TunTap, packet_info)
|
||||||
|
|
|
@ -183,6 +183,7 @@ MACAddress=
|
||||||
PacketNumber=
|
PacketNumber=
|
||||||
KeyId=
|
KeyId=
|
||||||
Key=
|
Key=
|
||||||
|
KeyFile=
|
||||||
[MACsecReceiveChannel]
|
[MACsecReceiveChannel]
|
||||||
Port=
|
Port=
|
||||||
MACAddress=
|
MACAddress=
|
||||||
|
@ -190,3 +191,4 @@ MACAddress=
|
||||||
PacketNumber=
|
PacketNumber=
|
||||||
KeyId=
|
KeyId=
|
||||||
Key=
|
Key=
|
||||||
|
KeyFile=
|
||||||
|
|