Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / tcpdump / refs/heads/int/13/fp3 / . / print-macsec.c
blob: 607f696ef2654e7bcf6b0173f035e45afc1dc461 [file] [log] [blame]
Elliott Hughes820eced2021-08-20 18:00:50 -0700[diff] [blame]1/* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
2 *
3 * Redistribution and use in source and binary forms, with or without
4 * modification, are permitted provided that the following conditions
5 * are met:
6 *
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in
11 * the documentation and/or other materials provided with the
12 * distribution.
13 * 3. The names of the authors may not be used to endorse or promote
14 * products derived from this software without specific prior
15 * written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22/* \summary: MACsec printer */
23
24#ifdef HAVE_CONFIG_H
25#include <config.h>
26#endif
27
28#include "netdissect-stdinc.h"
29
30#include "netdissect.h"
31#include "addrtoname.h"
32#include "ethertype.h"
33#include "extract.h"
34
35#define MACSEC_DEFAULT_ICV_LEN 16
36
37/* Header format (SecTAG), following an Ethernet header
38 * IEEE 802.1AE-2006 9.3
39 *
40 * +---------------------------------+----------------+----------------+
41 * | (MACsec ethertype) | TCI_AN | SL |
42 * +---------------------------------+----------------+----------------+
43 * | Packet Number |
44 * +-------------------------------------------------------------------+
45 * | Secure Channel Identifier |
46 * | (optional) |
47 * +-------------------------------------------------------------------+
48 *
49 * MACsec ethertype = 0x88e5
50 * TCI: Tag Control Information, set of flags
51 * AN: association number, 2 bits
52 * SL (short length): 6-bit length of the protected payload, if < 48
53 * Packet Number: 32-bits packet identifier
54 * Secure Channel Identifier: 64-bit unique identifier, usually
55 * composed of a MAC address + 16-bit port number
56 */
57struct macsec_sectag {
58 nd_uint8_t tci_an;
59 nd_uint8_t short_length;
60 nd_uint32_t packet_number;
61 nd_uint8_t secure_channel_id[8]; /* optional */
62};
63
64/* IEEE 802.1AE-2006 9.5 */
65#define MACSEC_TCI_VERSION 0x80
66#define MACSEC_TCI_ES 0x40 /* end station */
67#define MACSEC_TCI_SC 0x20 /* SCI present */
68#define MACSEC_TCI_SCB 0x10 /* epon */
69#define MACSEC_TCI_E 0x08 /* encryption */
70#define MACSEC_TCI_C 0x04 /* changed text */
71#define MACSEC_AN_MASK 0x03 /* association number */
72#define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
73#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
74#define MACSEC_SL_MASK 0x3F /* short length */
75
76#define MACSEC_SECTAG_LEN_NOSCI 6 /* length of MACsec header without SCI */
77#define MACSEC_SECTAG_LEN_SCI 14 /* length of MACsec header with SCI */
78
79#define SCI_FMT "%016" PRIx64
80
81static const struct tok macsec_flag_values[] = {
82 { MACSEC_TCI_E, "E" },
83 { MACSEC_TCI_C, "C" },
84 { MACSEC_TCI_ES, "S" },
85 { MACSEC_TCI_SCB, "B" },
86 { MACSEC_TCI_SC, "I" },
87 { 0, NULL }
88};
89
90static void macsec_print_header(netdissect_options *ndo,
91 const struct macsec_sectag *sectag,
92 u_int short_length)
93{
94 ND_PRINT("an %u, pn %u, flags %s",
95 GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
96 GET_BE_U_4(sectag->packet_number),
97 bittok2str_nosep(macsec_flag_values, "none",
98 GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
99
100 if (short_length != 0)
101 ND_PRINT(", sl %u", short_length);
102
103 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
104 ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
105
106 ND_PRINT(", ");
107}
108
109/* returns < 0 iff the packet can be decoded completely */
110int macsec_print(netdissect_options *ndo, const u_char **bp,
111 u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
112 const struct lladdr_info *src, const struct lladdr_info *dst)
113{
114 const char *save_protocol;
115 const u_char *p = *bp;
116 u_int length = *lengthp;
117 u_int caplen = *caplenp;
118 u_int hdrlen = *hdrlenp;
119 const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
120 u_int sectag_len;
121 u_int short_length;
122
123 save_protocol = ndo->ndo_protocol;
124 ndo->ndo_protocol = "macsec";
125
126 /* we need the full MACsec header in the capture */
127 if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
128 nd_print_trunc(ndo);
129 ndo->ndo_protocol = save_protocol;
130 return hdrlen + caplen;
131 }
132 if (length < MACSEC_SECTAG_LEN_NOSCI) {
133 nd_print_trunc(ndo);
134 ndo->ndo_protocol = save_protocol;
135 return hdrlen + caplen;
136 }
137
138 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
139 sectag_len = MACSEC_SECTAG_LEN_SCI;
140 if (caplen < MACSEC_SECTAG_LEN_SCI) {
141 nd_print_trunc(ndo);
142 ndo->ndo_protocol = save_protocol;
143 return hdrlen + caplen;
144 }
145 if (length < MACSEC_SECTAG_LEN_SCI) {
146 nd_print_trunc(ndo);
147 ndo->ndo_protocol = save_protocol;
148 return hdrlen + caplen;
149 }
150 } else
151 sectag_len = MACSEC_SECTAG_LEN_NOSCI;
152
153 if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
154 GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
155 nd_print_invalid(ndo);
156 ndo->ndo_protocol = save_protocol;
157 return hdrlen + caplen;
158 }
159
160 short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
161 if (ndo->ndo_eflag)
162 macsec_print_header(ndo, sectag, short_length);
163
164 /* Skip the MACsec header. */
165 *bp += sectag_len;
166 *hdrlenp += sectag_len;
167
168 /* Remove it from the lengths, as it's been processed. */
169 *lengthp -= sectag_len;
170 *caplenp -= sectag_len;
171
172 if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
173 /*
174 * The payload is encrypted. Print link-layer
175 * information, if it hasn't already been printed.
176 */
177 if (!ndo->ndo_eflag) {
178 /*
179 * Nobody printed the link-layer addresses,
180 * so print them, if we have any.
181 */
182 if (src != NULL && dst != NULL) {
183 ND_PRINT("%s > %s ",
184 (src->addr_string)(ndo, src->addr),
185 (dst->addr_string)(ndo, dst->addr));
186 }
187
188 ND_PRINT("802.1AE MACsec, ");
189
190 /*
191 * Print the MACsec header.
192 */
193 macsec_print_header(ndo, sectag, short_length);
194 }
195
196 /*
197 * Tell our caller it can't be dissected.
198 */
199 ndo->ndo_protocol = save_protocol;
200 return 0;
201 }
202
203 /*
204 * The payload isn't encrypted; remove the
205 * ICV length from the lengths, so our caller
206 * doesn't treat it as payload.
207 */
208 if (*lengthp < MACSEC_DEFAULT_ICV_LEN) {
209 nd_print_trunc(ndo);
210 ndo->ndo_protocol = save_protocol;
211 return hdrlen + caplen;
212 }
213 if (*caplenp < MACSEC_DEFAULT_ICV_LEN) {
214 nd_print_trunc(ndo);
215 ndo->ndo_protocol = save_protocol;
216 return hdrlen + caplen;
217 }
218 *lengthp -= MACSEC_DEFAULT_ICV_LEN;
219 *caplenp -= MACSEC_DEFAULT_ICV_LEN;
220 /*
221 * Update the snapend thus the ICV field is not in the payload for
222 * the caller.
223 * The ICV (Integrity Check Value) is at the end of the frame, after
224 * the secure data.
225 */
226 ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
227
228 /*
229 * If the SL field is non-zero, then it's the length of the
230 * Secure Data; otherwise, the Secure Data is what's left
231 * ver after the MACsec header and ICV are removed.
232 */
233 if (short_length != 0) {
234 /*
235 * If the short length is more than we *have*,
236 * that's an error.
237 */
238 if (short_length > *lengthp) {
239 nd_print_trunc(ndo);
240 ndo->ndo_protocol = save_protocol;
241 return hdrlen + caplen;
242 }
243 if (short_length > *caplenp) {
244 nd_print_trunc(ndo);
245 ndo->ndo_protocol = save_protocol;
246 return hdrlen + caplen;
247 }
248 if (*lengthp > short_length)
249 *lengthp = short_length;
250 if (*caplenp > short_length)
251 *caplenp = short_length;
252 }
253
254 ndo->ndo_protocol = save_protocol;
255 return -1;
256}