libnm-core: add NMSettingMacsec

The new NMSettingMacsec contains information necessary to establish a
MACsec connection. At the moment we support two different MACsec
modes, both using wpa_supplicant: PSK and EAP.

PSK mode is based on a static CAK key for the MACsec key agreement
protocol, while EAP mode derives keys from a 802.1x authentication and
thus requires the presence of a NMSetting8021x in the connection.

10 files changed, 758 insertions, 0 deletions

diff --git a/Makefile.am b/Makefile.am
index 4ebf7b0bd9..609e4be225 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -379,6 +379,7 @@ libnm_core_lib_h_pub_real = \
 	libnm-core/nm-setting-ip-tunnel.h \
 	libnm-core/nm-setting-ip4-config.h \
 	libnm-core/nm-setting-ip6-config.h \
+	libnm-core/nm-setting-macsec.h \
 	libnm-core/nm-setting-macvlan.h \
 	libnm-core/nm-setting-olpc-mesh.h \
 	libnm-core/nm-setting-ppp.h \
@@ -441,6 +442,7 @@ libnm_core_lib_c_real = \
 	libnm-core/nm-setting-ip-tunnel.c \
 	libnm-core/nm-setting-ip4-config.c \
 	libnm-core/nm-setting-ip6-config.c \
+	libnm-core/nm-setting-macsec.c \
 	libnm-core/nm-setting-macvlan.c \
 	libnm-core/nm-setting-olpc-mesh.c \
 	libnm-core/nm-setting-ppp.c \
diff --git a/libnm-core/nm-connection.c b/libnm-core/nm-connection.c
index 923df3d976..40322427b4 100644
--- a/libnm-core/nm-connection.c
+++ b/libnm-core/nm-connection.c
@@ -1850,6 +1850,7 @@ nm_connection_is_virtual (NMConnection *connection)
 	    || !strcmp (type, NM_SETTING_VLAN_SETTING_NAME)
 	    || !strcmp (type, NM_SETTING_TUN_SETTING_NAME)
 	    || !strcmp (type, NM_SETTING_IP_TUNNEL_SETTING_NAME)
+	    || !strcmp (type, NM_SETTING_MACSEC_SETTING_NAME)
 	    || !strcmp (type, NM_SETTING_MACVLAN_SETTING_NAME)
 	    || !strcmp (type, NM_SETTING_VXLAN_SETTING_NAME))
 		return TRUE;
@@ -2162,6 +2163,24 @@ nm_connection_get_setting_ip6_config (NMConnection *connection)
 }
 
 /**
+ * nm_connection_get_setting_macsec:
+ * @connection: the #NMConnection
+ *
+ * A shortcut to return any #NMSettingMacsec the connection might contain.
+ *
+ * Returns: (transfer none): an #NMSettingMacsec if the connection contains one, otherwise %NULL
+ *
+ * Since: 1.6
+ **/
+NMSettingMacsec *
+nm_connection_get_setting_macsec (NMConnection *connection)
+{
+	g_return_val_if_fail (NM_IS_CONNECTION (connection), NULL);
+
+	return (NMSettingMacsec *) nm_connection_get_setting (connection, NM_TYPE_SETTING_MACSEC);
+}
+
+/**
  * nm_connection_get_setting_macvlan:
  * @connection: the #NMConnection
  *
diff --git a/libnm-core/nm-connection.h b/libnm-core/nm-connection.h
index 4de15c9263..36ef7b6f34 100644
--- a/libnm-core/nm-connection.h
+++ b/libnm-core/nm-connection.h
@@ -206,6 +206,8 @@ NM_AVAILABLE_IN_1_2
 NMSettingIPTunnel *        nm_connection_get_setting_ip_tunnel         (NMConnection *connection);
 NMSettingIPConfig *        nm_connection_get_setting_ip4_config        (NMConnection *connection);
 NMSettingIPConfig *        nm_connection_get_setting_ip6_config        (NMConnection *connection);
+NM_AVAILABLE_IN_1_6
+NMSettingMacsec *          nm_connection_get_setting_macsec            (NMConnection *connection);
 NM_AVAILABLE_IN_1_2
 NMSettingMacvlan *         nm_connection_get_setting_macvlan           (NMConnection *connection);
 NMSettingOlpcMesh *        nm_connection_get_setting_olpc_mesh         (NMConnection *connection);
diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h
index 1b4c469420..74f45100b1 100644
--- a/libnm-core/nm-core-internal.h
+++ b/libnm-core/nm-core-internal.h
@@ -52,6 +52,7 @@
 #include "nm-setting-proxy.h"
 #include "nm-setting-ip4-config.h"
 #include "nm-setting-ip6-config.h"
+#include "nm-setting-macsec.h"
 #include "nm-setting-macvlan.h"
 #include "nm-setting-olpc-mesh.h"
 #include "nm-setting-ppp.h"
diff --git a/libnm-core/nm-core-types.h b/libnm-core/nm-core-types.h
index 8e7c0ce8c6..2948b5f596 100644
--- a/libnm-core/nm-core-types.h
+++ b/libnm-core/nm-core-types.h
@@ -46,6 +46,7 @@ typedef struct _NMSettingIPTunnel         NMSettingIPTunnel;
 typedef struct _NMSettingProxy            NMSettingProxy;
 typedef struct _NMSettingIP4Config        NMSettingIP4Config;
 typedef struct _NMSettingIP6Config        NMSettingIP6Config;
+typedef struct _NMSettingMacsec           NMSettingMacsec;
 typedef struct _NMSettingMacvlan          NMSettingMacvlan;
 typedef struct _NMSettingOlpcMesh         NMSettingOlpcMesh;
 typedef struct _NMSettingPpp              NMSettingPpp;
diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c
new file mode 100644
index 0000000000..60df6839f0
--- /dev/null
+++ b/libnm-core/nm-setting-macsec.c
@@ -0,0 +1,592 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#include "nm-default.h"
+
+#include "nm-setting-macsec.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "nm-utils.h"
+#include "nm-core-types-internal.h"
+#include "nm-setting-connection.h"
+#include "nm-setting-private.h"
+#include "nm-setting-wired.h"
+#include "nm-connection-private.h"
+
+/**
+ * SECTION:nm-setting-macsec
+ * @short_description: Describes connection properties for MACSEC interfaces
+ *
+ * The #NMSettingMacsec object is a #NMSetting subclass that describes properties
+ * necessary for connection to MACsec (IEEE 802.1AE) interfaces.
+ **/
+
+G_DEFINE_TYPE_WITH_CODE (NMSettingMacsec, nm_setting_macsec, NM_TYPE_SETTING,
+                         _nm_register_setting (MACSEC, 1))
+NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC)
+
+#define NM_SETTING_MACSEC_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_MACSEC, NMSettingMacsecPrivate))
+
+typedef struct {
+	char *parent;
+	NMSettingMacsecMode mode;
+	gboolean encrypt;
+	char *mka_cak;
+	NMSettingSecretFlags mka_cak_flags;
+	char *mka_ckn;
+	int port;
+	NMSettingMacsecValidation validation;
+} NMSettingMacsecPrivate;
+
+NM_GOBJECT_PROPERTIES_DEFINE_BASE (
+	PROP_PARENT,
+	PROP_MODE,
+	PROP_ENCRYPT,
+	PROP_MKA_CAK,
+	PROP_MKA_CAK_FLAGS,
+	PROP_MKA_CKN,
+	PROP_PORT,
+	PROP_VALIDATION,
+);
+
+/**
+ * nm_setting_macsec_new:
+ *
+ * Creates a new #NMSettingMacsec object with default values.
+ *
+ * Returns: (transfer full): the new empty #NMSettingMacsec object
+ *
+ * Since: 1.6
+ **/
+NMSetting *
+nm_setting_macsec_new (void)
+{
+	return (NMSetting *) g_object_new (NM_TYPE_SETTING_MACSEC, NULL);
+}
+
+/**
+ * nm_setting_macsec_get_parent:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:parent property of the setting
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_macsec_get_parent (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->parent;
+}
+
+/**
+ * nm_setting_macsec_get_mode:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:mode property of the setting
+ *
+ * Since: 1.6
+ **/
+NMSettingMacsecMode
+nm_setting_macsec_get_mode (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_MODE_PSK);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mode;
+}
+
+/**
+ * nm_setting_macsec_get_encrypt:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:encrypt property of the setting
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_setting_macsec_get_encrypt (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->encrypt;
+}
+
+/**
+ * nm_setting_macsec_get_mka_cak
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:mka-cak property of the setting
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_macsec_get_mka_cak (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak;
+}
+
+/**
+ * nm_setting_macsec_get_mka_cak_flags:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingSecretFlags pertaining to the #NMSettingMacsec:mka-cak
+ *
+ * Since: 1.6
+ **/
+NMSettingSecretFlags
+nm_setting_macsec_get_mka_cak_flags (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_SECRET_FLAG_NONE);
+
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak_flags;
+}
+
+/**
+ * nm_setting_macsec_get_mka_ckn:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:mka-ckn property of the setting
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_setting_macsec_get_mka_ckn (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_ckn;
+}
+
+/**
+ * nm_setting_macsec_get_port:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:port property of the setting
+ *
+ * Since: 1.6
+ **/
+int
+nm_setting_macsec_get_port (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), 1);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->port;
+}
+
+/**
+ * nm_setting_macsec_get_validation:
+ * @setting: the #NMSettingMacsec
+ *
+ * Returns: the #NMSettingMacsec:validation property of the setting
+ *
+ * Since: 1.6
+ **/
+NMSettingMacsecValidation
+nm_setting_macsec_get_validation (NMSettingMacsec *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_VALIDATION_DISABLE);
+	return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation;
+}
+
+static GPtrArray *
+need_secrets (NMSetting *setting)
+{
+	NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting);
+	GPtrArray *secrets = NULL;
+
+	if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) {
+		if (   !priv->mka_cak
+		    && !NM_FLAGS_HAS (priv->mka_cak_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {
+			secrets = g_ptr_array_sized_new (1);
+			g_ptr_array_add (secrets, NM_SETTING_MACSEC_MKA_CAK);
+		}
+	}
+
+	return secrets;
+}
+
+/*********************************************************************/
+
+static gboolean
+verify_macsec_key (const char *key, gboolean cak, GError **error)
+{
+	int req_len;
+
+	if (!key || !key[0]) {
+		g_set_error_literal (error,
+		                     NM_CONNECTION_ERROR,
+		                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		                     _("the key is empty"));
+		return FALSE;
+	}
+
+	req_len = cak ?
+	    NM_SETTING_MACSEC_MKA_CAK_LENGTH :
+	    NM_SETTING_MACSEC_MKA_CKN_LENGTH;
+	if (strlen (key) != req_len) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		             _("the key must be %d characters"), req_len);
+		return FALSE;
+	}
+
+	if (!NM_STRCHAR_ALL (key, ch, g_ascii_isxdigit (ch))) {
+		g_set_error_literal (error,
+		                     NM_CONNECTION_ERROR,
+		                     NM_CONNECTION_ERROR_INVALID_PROPERTY,
+		                     _("the key contais non-hexadecimal characters"));
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+static gboolean
+verify (NMSetting *setting, NMConnection *connection, GError **error)
+{
+	NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting);
+	NMSettingConnection *s_con = NULL;
+	NMSettingWired *s_wired = NULL;
+	NMSetting8021x *s_8021x = NULL;
+
+	if (connection) {
+		s_con = nm_connection_get_setting_connection (connection);
+		s_wired = nm_connection_get_setting_wired (connection);
+		s_8021x = nm_connection_get_setting_802_1x (connection);
+	}
+
+	if (priv->parent) {
+		if (nm_utils_is_uuid (priv->parent)) {
+			/* If we have an NMSettingConnection:master with slave-type="macsec",
+			 * then it must be the same UUID.
+			 */
+			if (s_con) {
+				const char *master = NULL, *slave_type = NULL;
+
+				slave_type = nm_setting_connection_get_slave_type (s_con);
+				if (!g_strcmp0 (slave_type, NM_SETTING_MACSEC_SETTING_NAME))
+					master = nm_setting_connection_get_master (s_con);
+
+				if (master && g_strcmp0 (priv->parent, master) != 0) {
+					g_set_error (error,
+					             NM_CONNECTION_ERROR,
+					             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+					             _("'%s' value doesn't match '%s=%s'"),
+					             priv->parent, NM_SETTING_CONNECTION_MASTER, master);
+					g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT);
+					return FALSE;
+				}
+			}
+		} else if (!nm_utils_iface_valid_name (priv->parent)) {
+			/* parent must be either a UUID or an interface name */
+			g_set_error (error,
+			             NM_CONNECTION_ERROR,
+			             NM_CONNECTION_ERROR_INVALID_PROPERTY,
+			             _("'%s' is neither an UUID nor an interface name"),
+			             priv->parent);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT);
+			return FALSE;
+		}
+	} else {
+		/* If parent is NULL, the parent must be specified via
+		 * NMSettingWired:mac-address.
+		 */
+		if (   connection
+		    && (!s_wired || !nm_setting_wired_get_mac_address (s_wired))) {
+			g_set_error (error,
+			             NM_CONNECTION_ERROR,
+			             NM_CONNECTION_ERROR_MISSING_PROPERTY,
+			             _("property is not specified and neither is '%s:%s'"),
+			             NM_SETTING_WIRED_SETTING_NAME, NM_SETTING_WIRED_MAC_ADDRESS);
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT);
+			return FALSE;
+		}
+	}
+
+	if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) {
+		if (!verify_macsec_key (priv->mka_ckn, FALSE, error)) {
+			g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CKN);
+			return FALSE;
+		}
+	} else if (priv->mode == NM_SETTING_MACSEC_MODE_EAP) {
+		if (!s_8021x) {
+			g_set_error (error,
+			             NM_CONNECTION_ERROR,
+			             NM_CONNECTION_ERROR_MISSING_SETTING,
+			             _("EAP key management requires '%s' setting presence"),
+			             NM_SETTING_802_1X_SETTING_NAME);
+			g_prefix_error (error, "%s: ", NM_SETTING_MACSEC_SETTING_NAME);
+			return FALSE;
+		}
+	}
+
+	if (priv->port <= 0 || priv->port > 65534) {
+		g_set_error (error,
+		             NM_CONNECTION_ERROR,
+		             NM_CONNECTION_ERROR_MISSING_PROPERTY,
+		             _("invalid port %d"),
+		             priv->port);
+		g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PORT);
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+static void
+nm_setting_macsec_init (NMSettingMacsec *setting)
+{
+}
+
+static void
+set_property (GObject *object, guint prop_id,
+              const GValue *value, GParamSpec *pspec)
+{
+	NMSettingMacsec *setting = NM_SETTING_MACSEC (object);
+	NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting);
+
+	switch (prop_id) {
+	case PROP_PARENT:
+		g_free (priv->parent);
+		priv->parent = g_value_dup_string (value);
+		break;
+	case PROP_MODE:
+		priv->mode = g_value_get_int (value);
+		break;
+	case PROP_ENCRYPT:
+		priv->encrypt = g_value_get_boolean (value);
+		break;
+	case PROP_MKA_CAK:
+		g_free (priv->mka_cak);
+		priv->mka_cak = g_value_dup_string (value);
+		break;
+	case PROP_MKA_CAK_FLAGS:
+		priv->mka_cak_flags = g_value_get_flags (value);
+		break;
+	case PROP_MKA_CKN:
+		g_free (priv->mka_ckn);
+		priv->mka_ckn = g_value_dup_string (value);
+		break;
+	case PROP_PORT:
+		priv->port = g_value_get_int (value);
+		break;
+	case PROP_VALIDATION:
+		priv->validation = g_value_get_int (value);
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+get_property (GObject *object, guint prop_id,
+              GValue *value, GParamSpec *pspec)
+{
+	NMSettingMacsec *setting = NM_SETTING_MACSEC (object);
+	NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting);
+
+	switch (prop_id) {
+	case PROP_PARENT:
+		g_value_set_string (value, priv->parent);
+		break;
+	case PROP_MODE:
+		g_value_set_int (value, priv->mode);
+		break;
+	case PROP_ENCRYPT:
+		g_value_set_boolean (value, priv->encrypt);
+		break;
+	case PROP_MKA_CAK:
+		g_value_set_string (value, priv->mka_cak);
+		break;
+	case PROP_MKA_CAK_FLAGS:
+		g_value_set_flags (value, priv->mka_cak_flags);
+		break;
+	case PROP_MKA_CKN:
+		g_value_set_string (value, priv->mka_ckn);
+		break;
+	case PROP_PORT:
+		g_value_set_int (value, priv->port);
+		break;
+	case PROP_VALIDATION:
+		g_value_set_int (value, priv->validation);
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+finalize (GObject *object)
+{
+	NMSettingMacsec *setting = NM_SETTING_MACSEC (object);
+	NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting);
+
+	g_free (priv->parent);
+	if (priv->mka_cak) {
+		memset (priv->mka_cak, 0, strlen (priv->mka_cak));
+		g_free (priv->mka_cak);
+	}
+	g_free (priv->mka_ckn);
+
+	G_OBJECT_CLASS (nm_setting_macsec_parent_class)->finalize (object);
+}
+
+static void
+nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (setting_class);
+	NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class);
+
+	g_type_class_add_private (setting_class, sizeof (NMSettingMacsecPrivate));
+
+	object_class->set_property = set_property;
+	object_class->get_property = get_property;
+	object_class->finalize     = finalize;
+	parent_class->verify       = verify;
+	parent_class->need_secrets = need_secrets;
+
+	/**
+	 * NMSettingMacsec:parent:
+	 *
+	 * If given, specifies the parent interface name or parent connection UUID
+	 * from which this MACSEC interface should be created.  If this property is
+	 * not specified, the connection must contain an #NMSettingWired setting
+	 * with a #NMSettingWired:mac-address property.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_PARENT] =
+	    g_param_spec_string (NM_SETTING_MACSEC_PARENT, "", "",
+	                         NULL,
+	                         G_PARAM_READWRITE |
+	                         G_PARAM_CONSTRUCT |
+	                         NM_SETTING_PARAM_INFERRABLE |
+	                         G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:mode:
+	 *
+	 * Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key
+	 * Agreement) is obtained.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_MODE] =
+	    g_param_spec_int (NM_SETTING_MACSEC_MODE, "", "",
+	                      G_MININT, G_MAXINT, NM_SETTING_MACSEC_MODE_PSK,
+	                      G_PARAM_READWRITE |
+	                      G_PARAM_CONSTRUCT |
+	                      NM_SETTING_PARAM_INFERRABLE |
+	                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:encrypt:
+	 *
+	 * Whether the transmitted traffic must be encrypted.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_ENCRYPT] =
+	    g_param_spec_boolean (NM_SETTING_MACSEC_ENCRYPT, "", "",
+	                          TRUE,
+	                          G_PARAM_READWRITE |
+	                          G_PARAM_CONSTRUCT |
+	                          G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:mka-cak:
+	 *
+	 * The pre-shared CAK (Connectivity Association Key) for MACsec
+	 * Key Agreement.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_MKA_CAK] =
+	    g_param_spec_string (NM_SETTING_MACSEC_MKA_CAK, "", "",
+	                         NULL,
+	                         G_PARAM_READWRITE |
+	                         G_PARAM_CONSTRUCT |
+	                         NM_SETTING_PARAM_SECRET |
+	                         G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:mka-cak-flags:
+	 *
+	 * Flags indicating how to handle the #NMSettingMacsec:mka-cak
+	 * property.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_MKA_CAK_FLAGS] =
+	    g_param_spec_flags (NM_SETTING_MACSEC_MKA_CAK_FLAGS, "", "",
+	                        NM_TYPE_SETTING_SECRET_FLAGS,
+	                        NM_SETTING_SECRET_FLAG_NONE,
+	                        G_PARAM_READWRITE |
+	                        G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:mka-ckn:
+	 *
+	 * The pre-shared CKN (Connectivity-association Key Name) for
+	 * MACsec Key Agreement.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_MKA_CKN] =
+	    g_param_spec_string (NM_SETTING_MACSEC_MKA_CKN, "", "",
+	                         NULL,
+	                         G_PARAM_READWRITE |
+	                         G_PARAM_CONSTRUCT |
+	                         G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:port:
+	 *
+	 * The port component of the SCI (Secure Channel Identifier), between 1 and 65534.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_PORT] =
+	    g_param_spec_int (NM_SETTING_MACSEC_PORT, "", "",
+	                      1, 65534, 1,
+	                      G_PARAM_READWRITE |
+	                      G_PARAM_CONSTRUCT |
+	                      NM_SETTING_PARAM_INFERRABLE |
+	                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMSettingMacsec:validation:
+	 *
+	 * Specifies the validation mode for incoming frames.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_VALIDATION] =
+	    g_param_spec_int (NM_SETTING_MACSEC_VALIDATION, "", "",
+	                      G_MININT, G_MAXINT, NM_SETTING_MACSEC_VALIDATION_STRICT,
+	                      G_PARAM_READWRITE |
+	                      G_PARAM_CONSTRUCT |
+	                      NM_SETTING_PARAM_INFERRABLE |
+	                      G_PARAM_STATIC_STRINGS);
+
+	g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
+}
diff --git a/libnm-core/nm-setting-macsec.h b/libnm-core/nm-setting-macsec.h
new file mode 100644
index 0000000000..f9431dfe51
--- /dev/null
+++ b/libnm-core/nm-setting-macsec.h
@@ -0,0 +1,126 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#ifndef __NM_SETTING_MACSEC_H__
+#define __NM_SETTING_MACSEC_H__
+
+#if !defined (__NETWORKMANAGER_H_INSIDE__) && !defined (NETWORKMANAGER_COMPILATION)
+#error "Only <NetworkManager.h> can be included directly."
+#endif
+
+#include "nm-setting.h"
+
+G_BEGIN_DECLS
+
+#define NM_TYPE_SETTING_MACSEC            (nm_setting_macsec_get_type ())
+#define NM_SETTING_MACSEC(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_MACSEC, NMSettingMacsec))
+#define NM_SETTING_MACSEC_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_SETTING_MACSECCONFIG, NMSettingMacsecClass))
+#define NM_IS_SETTING_MACSEC(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_SETTING_MACSEC))
+#define NM_IS_SETTING_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_SETTING_MACSEC))
+#define NM_SETTING_MACSEC_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_SETTING_MACSEC, NMSettingMacsecClass))
+
+#define NM_SETTING_MACSEC_SETTING_NAME         "macsec"
+
+#define NM_SETTING_MACSEC_PARENT               "parent"
+#define NM_SETTING_MACSEC_MODE                 "mode"
+#define NM_SETTING_MACSEC_ENCRYPT              "encrypt"
+#define NM_SETTING_MACSEC_MKA_CAK              "mka-cak"
+#define NM_SETTING_MACSEC_MKA_CAK_FLAGS        "mka-cak-flags"
+#define NM_SETTING_MACSEC_MKA_CKN              "mka-ckn"
+#define NM_SETTING_MACSEC_PORT                 "port"
+#define NM_SETTING_MACSEC_VALIDATION           "validation"
+
+/**
+ * NMSettingMacsec:
+ */
+struct _NMSettingMacsec {
+	NMSetting parent;
+};
+
+typedef struct {
+	NMSettingClass parent;
+
+	/*< private >*/
+	gpointer padding[4];
+} NMSettingMacsecClass;
+
+/**
+ * NMSettingMacsecMode:
+ * @NM_SETTING_MACSEC_MODE_PSK: The CAK is pre-shared
+ * @NM_SETTING_MACSEC_MODE_EAP: The CAK is the result of participation in EAP
+ *
+ * #NMSettingMacsecMode controls how the CAK (Connectivity Association Key) used
+ * in MKA (MACsec Key Agreement) is obtained.
+ *
+ * Since: 1.6
+ */
+typedef enum {
+	NM_SETTING_MACSEC_MODE_PSK = 0,
+	NM_SETTING_MACSEC_MODE_EAP = 1,
+} NMSettingMacsecMode;
+
+/**
+ * NMSettingMacsecValidation:
+ * @NM_SETTING_MACSEC_VALIDATION_DISABLE: All incoming frames are accepted if
+ *   possible
+ * @NM_SETTING_MACSEC_VALIDATION_CHECK: Non protected, invalid, or impossible to
+ *   verify frames are accepted and counted as "invalid"
+ * @NM_SETTING_MACSEC_VALIDATION_STRICT: Non protected, invalid, or impossible to
+ *   verify frames are dropped
+ *
+ * #NMSettingMacsecValidation specifies a validation mode for incoming frames.
+ *
+ * Since: 1.6
+ */
+typedef enum {
+	NM_SETTING_MACSEC_VALIDATION_DISABLE   = 0,
+	NM_SETTING_MACSEC_VALIDATION_CHECK     = 1,
+	NM_SETTING_MACSEC_VALIDATION_STRICT    = 2,
+} NMSettingMacsecValidation;
+
+#define NM_SETTING_MACSEC_MKA_CAK_LENGTH     32
+#define NM_SETTING_MACSEC_MKA_CKN_LENGTH     64
+
+NM_AVAILABLE_IN_1_6
+GType nm_setting_macsec_get_type (void);
+NM_AVAILABLE_IN_1_6
+NMSetting *nm_setting_macsec_new (void);
+
+NM_AVAILABLE_IN_1_6
+const char *nm_setting_macsec_get_parent         (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+NMSettingMacsecMode nm_setting_macsec_get_mode   (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+gboolean    nm_setting_macsec_get_encrypt        (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+const char *nm_setting_macsec_get_mka_cak        (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+NMSettingSecretFlags nm_setting_macsec_get_mka_cak_flags  (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+const char *nm_setting_macsec_get_mka_ckn        (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+int         nm_setting_macsec_get_port           (NMSettingMacsec *setting);
+NM_AVAILABLE_IN_1_6
+NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting);
+
+G_END_DECLS
+
+#endif /* __NM_SETTING_MACSEC_H__ */
diff --git a/libnm/NetworkManager.h b/libnm/NetworkManager.h
index 6af091faeb..d0dec1a019 100644
--- a/libnm/NetworkManager.h
+++ b/libnm/NetworkManager.h
@@ -68,6 +68,7 @@
 #include <nm-setting-ip6-config.h>
 #include <nm-setting-ip-config.h>
 #include <nm-setting-ip-tunnel.h>
+#include <nm-setting-macsec.h>
 #include <nm-setting-macvlan.h>
 #include <nm-setting-olpc-mesh.h>
 #include <nm-setting-ppp.h>
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index 1c58d6c14b..d0562e2c11 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1090,6 +1090,7 @@ global:
 	nm_client_get_dns_configuration;
 	nm_client_get_dns_mode;
 	nm_client_get_dns_rc_manager;
+	nm_connection_get_setting_macsec;
 	nm_connection_get_setting_proxy;
 	nm_device_macsec_get_cipher_suite;
 	nm_device_macsec_get_encoding_sa;
@@ -1113,6 +1114,18 @@ global:
 	nm_dns_entry_get_vpn;
 	nm_dns_entry_unref;
 	nm_setting_connection_get_autoconnect_retries;
+	nm_setting_macsec_get_encrypt;
+	nm_setting_macsec_get_mka_cak;
+	nm_setting_macsec_get_mka_cak_flags;
+	nm_setting_macsec_get_mka_ckn;
+	nm_setting_macsec_get_mode;
+	nm_setting_macsec_get_parent;
+	nm_setting_macsec_get_port;
+	nm_setting_macsec_get_type;
+	nm_setting_macsec_get_validation;
+	nm_setting_macsec_mode_get_type;
+	nm_setting_macsec_new;
+	nm_setting_macsec_validation_get_type;
 	nm_setting_proxy_get_type;
 	nm_setting_proxy_new;
 	nm_setting_proxy_get_method;
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 411868b8c8..d9faa7b112 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -68,6 +68,7 @@ libnm-core/nm-setting-ip-config.c
 libnm-core/nm-setting-ip4-config.c
 libnm-core/nm-setting-ip6-config.c
 libnm-core/nm-setting-ip-tunnel.c
+libnm-core/nm-setting-macsec.c
 libnm-core/nm-setting-macvlan.c
 libnm-core/nm-setting-olpc-mesh.c
 libnm-core/nm-setting-ppp.c