diff options
| author | Beniamino Galvani <bgalvani@redhat.com> | 2017-01-16 17:50:42 +0100 |
|---|---|---|
| committer | Beniamino Galvani <bgalvani@redhat.com> | 2017-01-16 17:50:42 +0100 |
| commit | 1a24f528c8645148e9612adff34d6edf70fdbb34 (patch) | |
| tree | a0f09b489cc9b3b665155706ebbdedc326ebf1e7 | |
| parent | 2b51d39671bc7fa6fa78a730333647c137e8ac3b (diff) | |
| parent | c46627e1dc628e09b34d9b4250a3a1a7df3cfcb8 (diff) | |
| download | NetworkManager-1a24f528c8645148e9612adff34d6edf70fdbb34.tar.gz | |
merge: branch 'bg/macsec-bgo762114'
https://bugzilla.gnome.org/show_bug.cgi?id=762114
44 files changed, 3488 insertions, 47 deletions
diff --git a/Makefile.am b/Makefile.am index 1631c3c957..609e4be225 100644 --- a/Makefile.am +++ b/Makefile.am @@ -195,6 +195,8 @@ introspection_sources = \ introspection/org.freedesktop.NetworkManager.Device.Infiniband.h \ introspection/org.freedesktop.NetworkManager.Device.IPTunnel.c \ introspection/org.freedesktop.NetworkManager.Device.IPTunnel.h \ + introspection/org.freedesktop.NetworkManager.Device.Macsec.c \ + introspection/org.freedesktop.NetworkManager.Device.Macsec.h \ introspection/org.freedesktop.NetworkManager.Device.Macvlan.c \ introspection/org.freedesktop.NetworkManager.Device.Macvlan.h \ introspection/org.freedesktop.NetworkManager.Device.Modem.c \ @@ -262,6 +264,7 @@ DBUS_INTERFACE_DOCS = \ docs/api/dbus-org.freedesktop.NetworkManager.Device.Vxlan.xml \ docs/api/dbus-org.freedesktop.NetworkManager.Settings.Connection.xml \ docs/api/dbus-org.freedesktop.NetworkManager.Device.Bond.xml \ + docs/api/dbus-org.freedesktop.NetworkManager.Device.Macsec.xml \ docs/api/dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml \ docs/api/dbus-org.freedesktop.NetworkManager.PPP.xml \ docs/api/dbus-org.freedesktop.NetworkManager.Device.Vlan.xml \ @@ -313,6 +316,7 @@ dbusinterfaces_DATA = \ introspection/org.freedesktop.NetworkManager.Device.Generic.xml \ introspection/org.freedesktop.NetworkManager.Device.Infiniband.xml \ introspection/org.freedesktop.NetworkManager.Device.IPTunnel.xml \ + introspection/org.freedesktop.NetworkManager.Device.Macsec.xml \ introspection/org.freedesktop.NetworkManager.Device.Macvlan.xml \ introspection/org.freedesktop.NetworkManager.Device.Modem.xml \ introspection/org.freedesktop.NetworkManager.Device.OlpcMesh.xml \ @@ -375,6 +379,7 @@ libnm_core_lib_h_pub_real = \ libnm-core/nm-setting-ip-tunnel.h \ libnm-core/nm-setting-ip4-config.h \ libnm-core/nm-setting-ip6-config.h \ + libnm-core/nm-setting-macsec.h \ libnm-core/nm-setting-macvlan.h \ libnm-core/nm-setting-olpc-mesh.h \ libnm-core/nm-setting-ppp.h \ @@ -437,6 +442,7 @@ libnm_core_lib_c_real = \ libnm-core/nm-setting-ip-tunnel.c \ libnm-core/nm-setting-ip4-config.c \ libnm-core/nm-setting-ip6-config.c \ + libnm-core/nm-setting-macsec.c \ libnm-core/nm-setting-macvlan.c \ libnm-core/nm-setting-olpc-mesh.c \ libnm-core/nm-setting-ppp.c \ @@ -668,6 +674,7 @@ libnm_lib_h_pub_real = \ libnm/nm-device-generic.h \ libnm/nm-device-infiniband.h \ libnm/nm-device-ip-tunnel.h \ + libnm/nm-device-macsec.h \ libnm/nm-device-macvlan.h \ libnm/nm-device-modem.h \ libnm/nm-device-olpc-mesh.h \ @@ -717,6 +724,7 @@ libnm_lib_c_real = \ libnm/nm-device-generic.c \ libnm/nm-device-infiniband.c \ libnm/nm-device-ip-tunnel.c \ + libnm/nm-device-macsec.c \ libnm/nm-device-macvlan.c \ libnm/nm-device-modem.c \ libnm/nm-device-olpc-mesh.c \ @@ -1291,6 +1299,8 @@ src_libNetworkManager_la_SOURCES = \ src/devices/nm-device-infiniband.h \ src/devices/nm-device-ip-tunnel.c \ src/devices/nm-device-ip-tunnel.h \ + src/devices/nm-device-macsec.c \ + src/devices/nm-device-macsec.h \ src/devices/nm-device-macvlan.c \ src/devices/nm-device-macvlan.h \ src/devices/nm-device-tun.c \ diff --git a/clients/cli/connections.c b/clients/cli/connections.c index 851ed85f21..02f5ed9e4e 100644 --- a/clients/cli/connections.c +++ b/clients/cli/connections.c @@ -169,9 +169,10 @@ NmcOutputField nmc_fields_settings_names[] = { SETTING_FIELD (NM_SETTING_DCB_SETTING_NAME, nmc_fields_setting_dcb + 1), /* 24 */ SETTING_FIELD (NM_SETTING_TUN_SETTING_NAME, nmc_fields_setting_tun + 1), /* 25 */ SETTING_FIELD (NM_SETTING_IP_TUNNEL_SETTING_NAME, nmc_fields_setting_ip_tunnel + 1), /* 26 */ - SETTING_FIELD (NM_SETTING_MACVLAN_SETTING_NAME, nmc_fields_setting_macvlan + 1), /* 27 */ - SETTING_FIELD (NM_SETTING_VXLAN_SETTING_NAME, nmc_fields_setting_vxlan + 1), /* 28 */ - SETTING_FIELD (NM_SETTING_PROXY_SETTING_NAME, nmc_fields_setting_proxy + 1), /* 29 */ + SETTING_FIELD (NM_SETTING_MACSEC_SETTING_NAME, nmc_fields_setting_macsec + 1), /* 27 */ + SETTING_FIELD (NM_SETTING_MACVLAN_SETTING_NAME, nmc_fields_setting_macvlan + 1), /* 28 */ + SETTING_FIELD (NM_SETTING_VXLAN_SETTING_NAME, nmc_fields_setting_vxlan + 1), /* 29 */ + SETTING_FIELD (NM_SETTING_PROXY_SETTING_NAME, nmc_fields_setting_proxy + 1), /* 30 */ {NULL, NULL, 0, NULL, NULL, FALSE, FALSE, 0} }; #define NMC_FIELDS_SETTINGS_NAMES_ALL_X NM_SETTING_CONNECTION_SETTING_NAME","\ @@ -200,6 +201,7 @@ NmcOutputField nmc_fields_settings_names[] = { NM_SETTING_DCB_SETTING_NAME"," \ NM_SETTING_TUN_SETTING_NAME"," \ NM_SETTING_IP_TUNNEL_SETTING_NAME"," \ + NM_SETTING_MACSEC_SETTING_NAME"," \ NM_SETTING_MACVLAN_SETTING_NAME"," \ NM_SETTING_VXLAN_SETTING_NAME"," \ NM_SETTING_PROXY_SETTING_NAME @@ -450,6 +452,11 @@ usage_connection_add (void) " remote <remote endpoint IP>\n" " [local <local endpoint IP>]\n" " [dev <parent device (ifname or connection UUID)>]\n\n" + " macsec: dev <parent device (connection UUID, ifname, or MAC)>\n" + " mode <psk|eap>\n" + " [cak <key> ckn <key>]\n" + " [encrypt yes|no]\n" + " [port 1-65534]\n\n\n" " macvlan: dev <parent device (connection UUID, ifname, or MAC)>\n" " mode vepa|bridge|private|passthru|source\n" " [tap yes|no]\n\n" @@ -3028,6 +3035,14 @@ static const NameItem nmc_ip_tunnel_settings [] = { { NULL, NULL, NULL, FALSE } }; +static const NameItem nmc_macsec_settings [] = { + { NM_SETTING_CONNECTION_SETTING_NAME, NULL, NULL, TRUE }, + { NM_SETTING_WIRED_SETTING_NAME, "ethernet", NULL, FALSE }, + { NM_SETTING_802_1X_SETTING_NAME, NULL, NULL, FALSE }, + { NM_SETTING_MACSEC_SETTING_NAME, NULL, NULL, TRUE }, + { NULL, NULL, NULL, FALSE } +}; + static const NameItem nmc_macvlan_settings [] = { { NM_SETTING_CONNECTION_SETTING_NAME, NULL, NULL, TRUE }, { NM_SETTING_WIRED_SETTING_NAME, "ethernet", NULL, FALSE }, @@ -3066,6 +3081,7 @@ static const NameItem nmc_valid_connection_types[] = { { "no-slave", NULL, nmc_no_slave_settings }, { NM_SETTING_TUN_SETTING_NAME, NULL, nmc_tun_settings }, { NM_SETTING_IP_TUNNEL_SETTING_NAME, NULL, nmc_ip_tunnel_settings }, + { NM_SETTING_MACSEC_SETTING_NAME, NULL, nmc_macsec_settings }, { NM_SETTING_MACVLAN_SETTING_NAME, NULL, nmc_macvlan_settings }, { NM_SETTING_VXLAN_SETTING_NAME, NULL, nmc_vxlan_settings }, { NULL, NULL, NULL } @@ -3878,6 +3894,17 @@ gen_func_ip_tunnel_mode (const char *text, int state) } static char * +gen_func_macsec_mode (const char *text, int state) +{ + gs_free const char **words = NULL; + + words = nm_utils_enum_get_values (nm_setting_macsec_mode_get_type (), + G_MININT, + G_MAXINT); + return nmc_rl_gen_func_basic (text, state, words); +} + +static char * gen_func_macvlan_mode (const char *text, int state) { gs_free const char **words = NULL; @@ -4292,6 +4319,13 @@ static OptionInfo option_info[] = { { NM_SETTING_ADSL_SETTING_NAME, NM_SETTING_ADSL_PASSWORD, "password", OPTION_NONE, N_("Password [none]"), NULL, NULL, NULL }, { NM_SETTING_ADSL_SETTING_NAME, NM_SETTING_ADSL_ENCAPSULATION, "encapsulation", OPTION_NONE, PROMPT_ADSL_ENCAP, PROMPT_ADSL_ENCAP_CHOICES, NULL, gen_func_adsl_encap }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT, "dev", OPTION_REQD, N_("MACsec parent device or connection UUID"), NULL, NULL, NULL }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MODE, "mode", OPTION_REQD, N_("Mode"), NULL, NULL, gen_func_macsec_mode }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_ENCRYPT, "encrypt", OPTION_NONE, N_("Enable encryption [yes]"), NULL, set_yes_no, gen_func_bool_values_l10n }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CAK, "cak", OPTION_NONE, N_("MKA CAK"), NULL, NULL, NULL }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CKN, "ckn", OPTION_NONE, N_("MKA_CKN"), NULL, NULL, NULL }, + { NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PORT, "port", OPTION_NONE, N_("SCI port [1]"), NULL, NULL, NULL }, + { NM_SETTING_MACVLAN_SETTING_NAME, NM_SETTING_MACVLAN_PARENT, "dev", OPTION_REQD, N_("MACVLAN parent device or connection UUID"), NULL, NULL, nmc_rl_gen_func_ifnames }, { NM_SETTING_MACVLAN_SETTING_NAME, NM_SETTING_MACVLAN_MODE, "mode", OPTION_REQD, PROMPT_MACVLAN_MODE, NULL, @@ -4823,6 +4857,8 @@ setting_name_to_name (const char *name) return _("OLPC Mesh connection"); if (strcmp (name, NM_SETTING_ADSL_SETTING_NAME) == 0) return _("ADSL connection"); + if (strcmp (name, NM_SETTING_MACSEC_SETTING_NAME) == 0) + return _("MACsec connection"); if (strcmp (name, NM_SETTING_MACVLAN_SETTING_NAME) == 0) return _("macvlan connection"); if (strcmp (name, NM_SETTING_VXLAN_SETTING_NAME) == 0) diff --git a/clients/cli/settings.c b/clients/cli/settings.c index c88892383a..5b5822610b 100644 --- a/clients/cli/settings.c +++ b/clients/cli/settings.c @@ -743,6 +743,29 @@ NmcOutputField nmc_fields_setting_ip_tunnel[] = { NM_SETTING_IP_TUNNEL_FLOW_LABEL","\ NM_SETTING_IP_TUNNEL_MTU +/* Available fields for NM_SETTING_MACSEC_SETTING_NAME */ +NmcOutputField nmc_fields_setting_macsec[] = { + SETTING_FIELD ("name"), /* 0 */ + SETTING_FIELD (NM_SETTING_MACSEC_PARENT), /* 1 */ + SETTING_FIELD (NM_SETTING_MACSEC_MODE), /* 2 */ + SETTING_FIELD (NM_SETTING_MACSEC_ENCRYPT), /* 3 */ + SETTING_FIELD (NM_SETTING_MACSEC_MKA_CAK), /* 4 */ + SETTING_FIELD (NM_SETTING_MACSEC_MKA_CAK_FLAGS), /* 5 */ + SETTING_FIELD (NM_SETTING_MACSEC_MKA_CKN), /* 6 */ + SETTING_FIELD (NM_SETTING_MACSEC_PORT), /* 7 */ + SETTING_FIELD (NM_SETTING_MACSEC_VALIDATION), /* 8 */ + {NULL, NULL, 0, NULL, FALSE, FALSE, 0} +}; +#define NMC_FIELDS_SETTING_MACSEC_ALL "name"","\ + NM_SETTING_MACSEC_PARENT","\ + NM_SETTING_MACSEC_MODE","\ + NM_SETTING_MACSEC_ENCRYPT","\ + NM_SETTING_MACSEC_MKA_CAK","\ + NM_SETTING_MACSEC_MKA_CAK_FLAGS","\ + NM_SETTING_MACSEC_MKA_CKN","\ + NM_SETTING_MACSEC_PORT","\ + NM_SETTING_MACSEC_VALIDATION + /* Available fields for NM_SETTING_MACVLAN_SETTING_NAME */ NmcOutputField nmc_fields_setting_macvlan[] = { SETTING_FIELD ("name"), /* 0 */ @@ -2115,6 +2138,94 @@ nmc_property_wifi_sec_get_wep_key_type (NMSetting *setting, NmcPropertyGetType g return wep_key_type_to_string (nm_setting_wireless_security_get_wep_key_type (s_wireless_sec)); } +/* --- NM_SETTING_MACSEC_SETTING_NAME property get functions --- */ +DEFINE_GETTER (nmc_property_macsec_get_parent, NM_SETTING_MACSEC_PARENT) +DEFINE_GETTER (nmc_property_macsec_get_encrypt, NM_SETTING_MACSEC_ENCRYPT) +DEFINE_GETTER (nmc_property_macsec_get_mka_cak, NM_SETTING_MACSEC_MKA_CAK) +DEFINE_SECRET_FLAGS_GETTER (nmc_property_macsec_get_mka_cak_flags, NM_SETTING_MACSEC_MKA_CAK_FLAGS) +DEFINE_GETTER (nmc_property_macsec_get_mka_ckn, NM_SETTING_MACSEC_MKA_CKN) +DEFINE_GETTER (nmc_property_macsec_get_port, NM_SETTING_MACSEC_PORT) + +/* 'mode' */ +static char * +nmc_property_macsec_get_mode (NMSetting *setting, NmcPropertyGetType get_type) +{ + NMSettingMacsec *s_macsec = NM_SETTING_MACSEC (setting); + NMSettingMacsecMode mode; + + mode = nm_setting_macsec_get_mode (s_macsec); + return nm_utils_enum_to_str (nm_setting_macsec_mode_get_type (), mode); +} + + +static gboolean +nmc_property_macsec_set_mode (NMSetting *setting, const char *prop, + const char *val, GError **error) +{ + NMSettingMacsecMode mode; + gs_free char *options = NULL; + + if (!nm_utils_enum_from_str (nm_setting_macsec_mode_get_type (), val, + (int *) &mode, NULL)) { + options = g_strjoinv (",", + (char **) nm_utils_enum_get_values (nm_setting_macsec_mode_get_type (), + G_MININT, + G_MAXINT)); + g_set_error (error, 1, 0, _("invalid option '%s', use one of [%s]"), + val, options); + return FALSE; + } + + g_object_set (setting, prop, mode, NULL); + return TRUE; +} + +/* 'mode' */ +static char * +nmc_property_macsec_get_validation (NMSetting *setting, NmcPropertyGetType get_type) +{ + NMSettingMacsec *s_macsec = NM_SETTING_MACSEC (setting); + NMSettingMacsecValidation validation; + + validation = nm_setting_macsec_get_validation (s_macsec); + return nm_utils_enum_to_str (nm_setting_macsec_validation_get_type (), validation); +} + + +static gboolean +nmc_property_macsec_set_validation (NMSetting *setting, const char *prop, + const char *val, GError **error) +{ + NMSettingMacsecMode validation; + gs_free char *options = NULL; + + if (!nm_utils_enum_from_str (nm_setting_macsec_validation_get_type (), val, + (int *) &validation, NULL)) { + options = g_strjoinv (",", + (char **) nm_utils_enum_get_values (nm_setting_macsec_validation_get_type (), + G_MININT, + G_MAXINT)); + g_set_error (error, 1, 0, _("invalid option '%s', use one of [%s]"), + val, options); + return FALSE; + } + + g_object_set (setting, prop, validation, NULL); + return TRUE; +} + +static const char ** +nmc_property_macsec_allowed_validation (NMSetting *setting, const char *prop) +{ + static const char **words = NULL; + + if (!words) + words = nm_utils_enum_get_values (nm_setting_macsec_validation_get_type(), + G_MININT, + G_MAXINT); + return words; +} + /* --- NM_SETTING_MACVLAN_SETTING_NAME property get functions --- */ DEFINE_GETTER (nmc_property_macvlan_get_parent, NM_SETTING_MACVLAN_PARENT) DEFINE_GETTER (nmc_property_macvlan_get_promiscuous, NM_SETTING_MACVLAN_PROMISCUOUS) @@ -7836,6 +7947,64 @@ nmc_properties_init (void) NULL, NULL); + /* Add editable properties for NM_SETTING_MACSEC_SETTING_NAME */ + nmc_add_prop_funcs (GLUE (MACSEC, PARENT), + nmc_property_macsec_get_parent, + nmc_property_set_string, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, MODE), + nmc_property_macsec_get_mode, + nmc_property_macsec_set_mode, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, ENCRYPT), + nmc_property_macsec_get_encrypt, + nmc_property_set_bool, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, MKA_CAK), + nmc_property_macsec_get_mka_cak, + nmc_property_set_string, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, MKA_CAK_FLAGS), + nmc_property_macsec_get_mka_cak_flags, + nmc_property_set_secret_flags, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, MKA_CKN), + nmc_property_macsec_get_mka_ckn, + nmc_property_set_string, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, PORT), + nmc_property_macsec_get_port, + nmc_property_set_int, + NULL, + NULL, + NULL, + NULL); + nmc_add_prop_funcs (GLUE (MACSEC, VALIDATION), + nmc_property_macsec_get_validation, + nmc_property_macsec_set_validation, + NULL, + NULL, + nmc_property_macsec_allowed_validation, + NULL); + /* Add editable properties for NM_SETTING_MACVLAN_SETTING_NAME */ nmc_add_prop_funcs (GLUE (MACVLAN, PARENT), nmc_property_macvlan_get_parent, @@ -9233,6 +9402,39 @@ setting_ip_tunnel_details (NMSetting *setting, NmCli *nmc, const char *one_prop } static gboolean +setting_macsec_details (NMSetting *setting, NmCli *nmc, const char *one_prop, gboolean secrets) +{ + NMSettingMacsec *s_macsec = NM_SETTING_MACSEC (setting); + NmcOutputField *tmpl, *arr; + size_t tmpl_len; + + g_return_val_if_fail (NM_IS_SETTING_MACSEC (s_macsec), FALSE); + + tmpl = nmc_fields_setting_macsec; + tmpl_len = sizeof (nmc_fields_setting_macsec); + nmc->print_fields.indices = parse_output_fields (one_prop ? one_prop : NMC_FIELDS_SETTING_MACSEC_ALL, + tmpl, FALSE, NULL, NULL); + arr = nmc_dup_fields_array (tmpl, tmpl_len, NMC_OF_FLAG_FIELD_NAMES); + g_ptr_array_add (nmc->output_data, arr); + + arr = nmc_dup_fields_array (tmpl, tmpl_len, NMC_OF_FLAG_SECTION_PREFIX); + set_val_str (arr, 0, g_strdup (nm_setting_get_name (setting))); + set_val_str (arr, 1, nmc_property_macsec_get_parent (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 2, nmc_property_macsec_get_mode (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 3, nmc_property_macsec_get_encrypt (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 4, GET_SECRET (secrets, setting, nmc_property_macsec_get_mka_cak)); + set_val_str (arr, 5, nmc_property_macsec_get_mka_cak_flags (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 6, nmc_property_macsec_get_mka_ckn (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 7, nmc_property_macsec_get_port (setting, NMC_PROPERTY_GET_PRETTY)); + set_val_str (arr, 8, nmc_property_macsec_get_validation (setting, NMC_PROPERTY_GET_PRETTY)); + g_ptr_array_add (nmc->output_data, arr); + + print_data (nmc); /* Print all data */ + + return TRUE; +} + +static gboolean setting_macvlan_details (NMSetting *setting, NmCli *nmc, const char *one_prop, gboolean secrets) { NMSettingMacvlan *s_macvlan = NM_SETTING_MACVLAN (setting); @@ -9364,6 +9566,7 @@ static const SettingDetails detail_printers[] = { { NM_SETTING_DCB_SETTING_NAME, setting_dcb_details }, { NM_SETTING_TUN_SETTING_NAME, setting_tun_details }, { NM_SETTING_IP_TUNNEL_SETTING_NAME, setting_ip_tunnel_details }, + { NM_SETTING_MACSEC_SETTING_NAME, setting_macsec_details }, { NM_SETTING_MACVLAN_SETTING_NAME, setting_macvlan_details }, { NM_SETTING_VXLAN_SETTING_NAME, setting_vxlan_details }, { NM_SETTING_PROXY_SETTING_NAME, setting_proxy_details }, diff --git a/clients/cli/settings.h b/clients/cli/settings.h index 9ef9c270d2..ad503f9ef6 100644 --- a/clients/cli/settings.h +++ b/clients/cli/settings.h @@ -92,6 +92,7 @@ extern NmcOutputField nmc_fields_setting_dcb[]; extern NmcOutputField nmc_fields_setting_tun[]; extern NmcOutputField nmc_fields_setting_ip_tunnel[]; extern NmcOutputField nmc_fields_setting_macvlan[]; +extern NmcOutputField nmc_fields_setting_macsec[]; extern NmcOutputField nmc_fields_setting_vxlan[]; extern NmcOutputField nmc_fields_setting_proxy[]; diff --git a/clients/common/nm-secret-agent-simple.c b/clients/common/nm-secret-agent-simple.c index 4e59f489f0..b763bf8985 100644 --- a/clients/common/nm-secret-agent-simple.c +++ b/clients/common/nm-secret-agent-simple.c @@ -492,7 +492,7 @@ request_secrets_from_ui (NMSecretAgentSimpleRequest *request) secret = nm_secret_agent_simple_secret_new (_("PIN"), NM_SETTING (s_gsm), NM_SETTING_GSM_PIN, - NULL, + NULL, NULL, FALSE); g_ptr_array_add (secrets, secret); @@ -509,6 +509,25 @@ request_secrets_from_ui (NMSecretAgentSimpleRequest *request) TRUE); g_ptr_array_add (secrets, secret); } + } else if (nm_connection_is_type (request->connection, NM_SETTING_MACSEC_SETTING_NAME)) { + NMSettingMacsec *s_macsec = nm_connection_get_setting_macsec (request->connection); + + msg = g_strdup_printf (_("Secrets are required to access the MACsec network '%s'"), + nm_connection_get_id (request->connection)); + + if (nm_setting_macsec_get_mode (s_macsec) == NM_SETTING_MACSEC_MODE_PSK) { + title = _("MACsec PSK authentication"); + secret = nm_secret_agent_simple_secret_new (_("MKA CAK"), + NM_SETTING (s_macsec), + NM_SETTING_MACSEC_MKA_CAK, + NULL, + NULL, + TRUE); + g_ptr_array_add (secrets, secret); + } else { + title = _("MACsec EAP authentication"); + ok = add_8021x_secrets (request, secrets); + } } else if (nm_connection_is_type (request->connection, NM_SETTING_CDMA_SETTING_NAME)) { NMSettingCdma *s_cdma = nm_connection_get_setting_cdma (request->connection); diff --git a/contrib/scripts/test-macsec b/contrib/scripts/test-macsec new file mode 100755 index 0000000000..60f207bb05 --- /dev/null +++ b/contrib/scripts/test-macsec @@ -0,0 +1,102 @@ +#!/bin/sh + +# Test for MACsec in PSK mode + +if [ "$#" = 2 ]; then + # DHCP helper + dev=$1 + addr=$2 + net=${addr%.*} + + while [ ! -d "/sys/class/net/$dev" ]; do + sleep 1 + done + + ip a add $addr/24 dev "$dev" + + dnsmasq --conf-file --no-hosts --keep-in-foreground --listen-address=$addr \ + --dhcp-range=$net.250,$net.255,60m -i "$dev" \ + --bind-interface --except-interface=lo + + exit 0 +fi + +TMPDIR=$(mktemp -d /tmp/macsec-XXXXXX) +ADDR=172.16.10.1 +MKA_CAK=00112233445566778899001122334455 +MKA_CKN=5544332211009988776655443322110055443322110099887766554433221100 + +trap 'rm -rf "$TMPDIR"; kill $(jobs -p)' EXIT + +echo "* Setup..." + +# Clean up +ip netns del macsec-ns 2> /dev/null +ip link del macsec-veth 2> /dev/null +# Create namespace +ip netns add macsec-ns +# Create interfaces +ip link add macsec-veth type veth peer name macsec-vethp +# Move interfaces into namespace +ip link set macsec-vethp netns macsec-ns +# Bring up interfaces +ip link set macsec-veth up +ip -n macsec-ns link set macsec-vethp up + +echo "* Start wpa_supplicant..." + +cat <<EOF > $TMPDIR/wpa_supplicant.conf +ctrl_interface=/var/run/hostapd1 +eapol_version=3 +ap_scan=0 +fast_reauth=1 +network={ + key_mgmt=NONE + eapol_flags=0 + macsec_policy=1 + mka_cak=$MKA_CAK + mka_ckn=$MKA_CKN +} +EOF +ip netns exec macsec-ns wpa_supplicant \ + -c "$TMPDIR/wpa_supplicant.conf" -i macsec-vethp -Dmacsec_linux -dd > /dev/null 2>&1 & +ip netns exec macsec-ns $0 macsec0 $ADDR > /dev/null 2>&1 & + +echo "* Create connections..." + +nmcli connection delete test-macsec+ test-veth+ > /dev/null 2>&1 +nmcli connection add type ethernet ifname macsec-veth con-name test-veth+ \ + ipv4.method disabled ipv6.method ignore +nmcli connection add type macsec con-name test-macsec+ ifname macsec0 \ + connection.autoconnect no \ + macsec.parent macsec-veth macsec.mode psk \ + macsec.mka-cak $MKA_CAK \ + macsec.mka-cak-flags 0 \ + macsec.mka-ckn $MKA_CKN + +echo "* Bring up connections..." +nmcli connection up test-veth+ +nmcli connection up test-macsec+ + +echo "* Test connectivity..." +ping $ADDR -c2 -q > /dev/null +res=$? + +echo "* Clean up..." + +nmcli connection delete test-macsec+ test-veth+ > /dev/null 2>&1 +ip link del macsec-veth 2> /dev/null +ip netns del macsec-ns 2> /dev/null + +echo + +if [ "$res" = 0 ]; then + echo "Success" +else + echo "Failure" +fi + +exit $res + + + diff --git a/docs/api/Makefile.am b/docs/api/Makefile.am index 18cb167dc7..bb54fb35ea 100644 --- a/docs/api/Makefile.am +++ b/docs/api/Makefile.am @@ -55,6 +55,7 @@ content_files = \ dbus-org.freedesktop.NetworkManager.Settings.Connection.xml \ dbus-org.freedesktop.NetworkManager.Device.Bond.xml \ dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml \ + dbus-org.freedesktop.NetworkManager.Device.Macsec.xml \ dbus-org.freedesktop.NetworkManager.PPP.xml \ dbus-org.freedesktop.NetworkManager.Device.Vlan.xml \ dbus-org.freedesktop.NetworkManager.Device.Adsl.xml \ diff --git a/docs/api/network-manager-docs.xml b/docs/api/network-manager-docs.xml index 51ac3d1483..45164ce068 100644 --- a/docs/api/network-manager-docs.xml +++ b/docs/api/network-manager-docs.xml @@ -82,6 +82,7 @@ <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Generic.xml"/> <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Infiniband.xml"/> <xi:include href="dbus-org.freedesktop.NetworkManager.Device.IPTunnel.xml"/> + <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Macsec.xml"/> <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml"/> <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Modem.xml"/> <xi:include href="dbus-org.freedesktop.NetworkManager.Device.OlpcMesh.xml"/> diff --git a/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml b/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml new file mode 100644 index 0000000000..e67f937cbb --- /dev/null +++ b/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml @@ -0,0 +1,113 @@ +<?xml version="1.0" encoding="UTF-8"?> +<node name="/"> + <interface name="org.freedesktop.NetworkManager.Device.Macsec"> + + <!-- + Parent: + + The object path of the parent device. + --> + <property name="Parent" type="o" access="read"/> + + <!-- + Sci: + + The Secure Channel Identifier in use. + --> + <property name="Sci" type="t" access="read"/> + + <!-- + IcvLength: + + The length of ICV (Integrity Check Value). + --> + <property name="IcvLength" type="y" access="read"/> + + <!-- + CipherSuite: + + The set of cryptographic algorithms in use + (e.g. 0x0080020001000001 for GCM-AES-128). + --> + <property name="CipherSuite" type="t" access="read"/> + + <!-- + Window: + + The size of the replay window. + --> + <property name="Window" type="u" access="read"/> + + <!-- + EncodingSa: + + The value of the Association Number (0..3) for the Security + Association in use. + --> + <property name="EncodingSa" type="y" access="read"/> + + <!-- + Validation: + + The validation mode for incoming packets (strict, check, + disabled). + --> + <property name="Validation" type="s" access="read"/> + + <!-- + Encrypt: + + Whether encryption of transmitted frames is enabled. + --> + <property name="Encrypt" type="b" access="read"/> + + <!-- + Protect: + + Whether protection of transmitted frames is enabled. + --> + <property name="Protect" type="b" access="read"/> + + <!-- + IncludeSci: + + Whether the SCI is always included in SecTAG for transmitted + frames. + + --> + <property name="IncludeSci" type="b" access="read"/> + + <!-- + Es: + + Whether the ES (End station) bit is enabled in SecTAG for + transmitted frames. + --> + <property name="Es" type="b" access="read"/> + + <!-- + Scb: + + Whether the SCB (Single Copy Broadcast) bit is enabled in + SecTAG for transmitted frames. + --> + <property name="Scb" type="b" access="read"/> + + <!-- + ReplayProtect: + + Whether replay protection is enabled. + --> + <property name="ReplayProtect" type="b" access="read"/> + + <!-- + PropertiesChanged: + @properties: A dictionary mapping property names to variant boxed values + + DEPRECATED. Use the standard "PropertiesChanged" signal from "org.freedesktop.DBus.Properties" instead which exists since version NetworkManager 1.2.0. + --> + <signal name="PropertiesChanged"> + <arg name="properties" type="a{sv}"/> + </signal> + </interface> +</node> diff --git a/libnm-core/nm-connection.c b/libnm-core/nm-connection.c index 923df3d976..40322427b4 100644 --- a/libnm-core/nm-connection.c +++ b/libnm-core/nm-connection.c @@ -1850,6 +1850,7 @@ nm_connection_is_virtual (NMConnection *connection) || !strcmp (type, NM_SETTING_VLAN_SETTING_NAME) || !strcmp (type, NM_SETTING_TUN_SETTING_NAME) || !strcmp (type, NM_SETTING_IP_TUNNEL_SETTING_NAME) + || !strcmp (type, NM_SETTING_MACSEC_SETTING_NAME) || !strcmp (type, NM_SETTING_MACVLAN_SETTING_NAME) || !strcmp (type, NM_SETTING_VXLAN_SETTING_NAME)) return TRUE; @@ -2162,6 +2163,24 @@ nm_connection_get_setting_ip6_config (NMConnection *connection) } /** + * nm_connection_get_setting_macsec: + * @connection: the #NMConnection + * + * A shortcut to return any #NMSettingMacsec the connection might contain. + * + * Returns: (transfer none): an #NMSettingMacsec if the connection contains one, otherwise %NULL + * + * Since: 1.6 + **/ +NMSettingMacsec * +nm_connection_get_setting_macsec (NMConnection *connection) +{ + g_return_val_if_fail (NM_IS_CONNECTION (connection), NULL); + + return (NMSettingMacsec *) nm_connection_get_setting (connection, NM_TYPE_SETTING_MACSEC); +} + +/** * nm_connection_get_setting_macvlan: * @connection: the #NMConnection * diff --git a/libnm-core/nm-connection.h b/libnm-core/nm-connection.h index 4de15c9263..36ef7b6f34 100644 --- a/libnm-core/nm-connection.h +++ b/libnm-core/nm-connection.h @@ -206,6 +206,8 @@ NM_AVAILABLE_IN_1_2 NMSettingIPTunnel * nm_connection_get_setting_ip_tunnel (NMConnection *connection); NMSettingIPConfig * nm_connection_get_setting_ip4_config (NMConnection *connection); NMSettingIPConfig * nm_connection_get_setting_ip6_config (NMConnection *connection); +NM_AVAILABLE_IN_1_6 +NMSettingMacsec * nm_connection_get_setting_macsec (NMConnection *connection); NM_AVAILABLE_IN_1_2 NMSettingMacvlan * nm_connection_get_setting_macvlan (NMConnection *connection); NMSettingOlpcMesh * nm_connection_get_setting_olpc_mesh (NMConnection *connection); diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h index 1b4c469420..74f45100b1 100644 --- a/libnm-core/nm-core-internal.h +++ b/libnm-core/nm-core-internal.h @@ -52,6 +52,7 @@ #include "nm-setting-proxy.h" #include "nm-setting-ip4-config.h" #include "nm-setting-ip6-config.h" +#include "nm-setting-macsec.h" #include "nm-setting-macvlan.h" #include "nm-setting-olpc-mesh.h" #include "nm-setting-ppp.h" diff --git a/libnm-core/nm-core-types.h b/libnm-core/nm-core-types.h index 8e7c0ce8c6..2948b5f596 100644 --- a/libnm-core/nm-core-types.h +++ b/libnm-core/nm-core-types.h @@ -46,6 +46,7 @@ typedef struct _NMSettingIPTunnel NMSettingIPTunnel; typedef struct _NMSettingProxy NMSettingProxy; typedef struct _NMSettingIP4Config NMSettingIP4Config; typedef struct _NMSettingIP6Config NMSettingIP6Config; +typedef struct _NMSettingMacsec NMSettingMacsec; typedef struct _NMSettingMacvlan NMSettingMacvlan; typedef struct _NMSettingOlpcMesh NMSettingOlpcMesh; typedef struct _NMSettingPpp NMSettingPpp; diff --git a/libnm-core/nm-dbus-interface.h b/libnm-core/nm-dbus-interface.h index 9ad3aad30d..d2d54f69c5 100644 --- a/libnm-core/nm-dbus-interface.h +++ b/libnm-core/nm-dbus-interface.h @@ -64,6 +64,7 @@ #define NM_DBUS_INTERFACE_DEVICE_GENERIC NM_DBUS_INTERFACE_DEVICE ".Generic" #define NM_DBUS_INTERFACE_DEVICE_VETH NM_DBUS_INTERFACE_DEVICE ".Veth" #define NM_DBUS_INTERFACE_DEVICE_TUN NM_DBUS_INTERFACE_DEVICE ".Tun" +#define NM_DBUS_INTERFACE_DEVICE_MACSEC NM_DBUS_INTERFACE_DEVICE ".Macsec" #define NM_DBUS_INTERFACE_DEVICE_MACVLAN NM_DBUS_INTERFACE_DEVICE ".Macvlan" #define NM_DBUS_INTERFACE_DEVICE_VXLAN NM_DBUS_INTERFACE_DEVICE ".Vxlan" #define NM_DBUS_INTERFACE_DEVICE_GRE NM_DBUS_INTERFACE_DEVICE ".Gre" @@ -169,6 +170,7 @@ typedef enum { * @NM_DEVICE_TYPE_MACVLAN: a MACVLAN interface * @NM_DEVICE_TYPE_VXLAN: a VXLAN interface * @NM_DEVICE_TYPE_VETH: a VETH interface + * @NM_DEVICE_TYPE_MACSEC: a MACsec interface * * #NMDeviceType values indicate the type of hardware represented by a * device object. @@ -195,6 +197,7 @@ typedef enum { NM_DEVICE_TYPE_MACVLAN = 18, NM_DEVICE_TYPE_VXLAN = 19, NM_DEVICE_TYPE_VETH = 20, + NM_DEVICE_TYPE_MACSEC = 21, } NMDeviceType; /** diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c new file mode 100644 index 0000000000..60df6839f0 --- /dev/null +++ b/libnm-core/nm-setting-macsec.c @@ -0,0 +1,592 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#include "nm-default.h" + +#include "nm-setting-macsec.h" + +#include <stdlib.h> +#include <string.h> + +#include "nm-utils.h" +#include "nm-core-types-internal.h" +#include "nm-setting-connection.h" +#include "nm-setting-private.h" +#include "nm-setting-wired.h" +#include "nm-connection-private.h" + +/** + * SECTION:nm-setting-macsec + * @short_description: Describes connection properties for MACSEC interfaces + * + * The #NMSettingMacsec object is a #NMSetting subclass that describes properties + * necessary for connection to MACsec (IEEE 802.1AE) interfaces. + **/ + +G_DEFINE_TYPE_WITH_CODE (NMSettingMacsec, nm_setting_macsec, NM_TYPE_SETTING, + _nm_register_setting (MACSEC, 1)) +NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC) + +#define NM_SETTING_MACSEC_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_MACSEC, NMSettingMacsecPrivate)) + +typedef struct { + char *parent; + NMSettingMacsecMode mode; + gboolean encrypt; + char *mka_cak; + NMSettingSecretFlags mka_cak_flags; + char *mka_ckn; + int port; + NMSettingMacsecValidation validation; +} NMSettingMacsecPrivate; + +NM_GOBJECT_PROPERTIES_DEFINE_BASE ( + PROP_PARENT, + PROP_MODE, + PROP_ENCRYPT, + PROP_MKA_CAK, + PROP_MKA_CAK_FLAGS, + PROP_MKA_CKN, + PROP_PORT, + PROP_VALIDATION, +); + +/** + * nm_setting_macsec_new: + * + * Creates a new #NMSettingMacsec object with default values. + * + * Returns: (transfer full): the new empty #NMSettingMacsec object + * + * Since: 1.6 + **/ +NMSetting * +nm_setting_macsec_new (void) +{ + return (NMSetting *) g_object_new (NM_TYPE_SETTING_MACSEC, NULL); +} + +/** + * nm_setting_macsec_get_parent: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:parent property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_parent (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->parent; +} + +/** + * nm_setting_macsec_get_mode: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mode property of the setting + * + * Since: 1.6 + **/ +NMSettingMacsecMode +nm_setting_macsec_get_mode (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_MODE_PSK); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mode; +} + +/** + * nm_setting_macsec_get_encrypt: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:encrypt property of the setting + * + * Since: 1.6 + **/ +gboolean +nm_setting_macsec_get_encrypt (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->encrypt; +} + +/** + * nm_setting_macsec_get_mka_cak + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mka-cak property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_mka_cak (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak; +} + +/** + * nm_setting_macsec_get_mka_cak_flags: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingSecretFlags pertaining to the #NMSettingMacsec:mka-cak + * + * Since: 1.6 + **/ +NMSettingSecretFlags +nm_setting_macsec_get_mka_cak_flags (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_SECRET_FLAG_NONE); + + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak_flags; +} + +/** + * nm_setting_macsec_get_mka_ckn: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mka-ckn property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_mka_ckn (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_ckn; +} + +/** + * nm_setting_macsec_get_port: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:port property of the setting + * + * Since: 1.6 + **/ +int +nm_setting_macsec_get_port (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), 1); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->port; +} + +/** + * nm_setting_macsec_get_validation: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:validation property of the setting + * + * Since: 1.6 + **/ +NMSettingMacsecValidation +nm_setting_macsec_get_validation (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_VALIDATION_DISABLE); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation; +} + +static GPtrArray * +need_secrets (NMSetting *setting) +{ + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + GPtrArray *secrets = NULL; + + if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) { + if ( !priv->mka_cak + && !NM_FLAGS_HAS (priv->mka_cak_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) { + secrets = g_ptr_array_sized_new (1); + g_ptr_array_add (secrets, NM_SETTING_MACSEC_MKA_CAK); + } + } + + return secrets; +} + +/*********************************************************************/ + +static gboolean +verify_macsec_key (const char *key, gboolean cak, GError **error) +{ + int req_len; + + if (!key || !key[0]) { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key is empty")); + return FALSE; + } + + req_len = cak ? + NM_SETTING_MACSEC_MKA_CAK_LENGTH : + NM_SETTING_MACSEC_MKA_CKN_LENGTH; + if (strlen (key) != req_len) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must be %d characters"), req_len); + return FALSE; + } + + if (!NM_STRCHAR_ALL (key, ch, g_ascii_isxdigit (ch))) { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key contais non-hexadecimal characters")); + return FALSE; + } + + return TRUE; +} + +static gboolean +verify (NMSetting *setting, NMConnection *connection, GError **error) +{ + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + NMSettingConnection *s_con = NULL; + NMSettingWired *s_wired = NULL; + NMSetting8021x *s_8021x = NULL; + + if (connection) { + s_con = nm_connection_get_setting_connection (connection); + s_wired = nm_connection_get_setting_wired (connection); + s_8021x = nm_connection_get_setting_802_1x (connection); + } + + if (priv->parent) { + if (nm_utils_is_uuid (priv->parent)) { + /* If we have an NMSettingConnection:master with slave-type="macsec", + * then it must be the same UUID. + */ + if (s_con) { + const char *master = NULL, *slave_type = NULL; + + slave_type = nm_setting_connection_get_slave_type (s_con); + if (!g_strcmp0 (slave_type, NM_SETTING_MACSEC_SETTING_NAME)) + master = nm_setting_connection_get_master (s_con); + + if (master && g_strcmp0 (priv->parent, master) != 0) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("'%s' value doesn't match '%s=%s'"), + priv->parent, NM_SETTING_CONNECTION_MASTER, master); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } + } else if (!nm_utils_iface_valid_name (priv->parent)) { + /* parent must be either a UUID or an interface name */ + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("'%s' is neither an UUID nor an interface name"), + priv->parent); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } else { + /* If parent is NULL, the parent must be specified via + * NMSettingWired:mac-address. + */ + if ( connection + && (!s_wired || !nm_setting_wired_get_mac_address (s_wired))) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_PROPERTY, + _("property is not specified and neither is '%s:%s'"), + NM_SETTING_WIRED_SETTING_NAME, NM_SETTING_WIRED_MAC_ADDRESS); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } + + if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) { + if (!verify_macsec_key (priv->mka_ckn, FALSE, error)) { + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CKN); + return FALSE; + } + } else if (priv->mode == NM_SETTING_MACSEC_MODE_EAP) { + if (!s_8021x) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_SETTING, + _("EAP key management requires '%s' setting presence"), + NM_SETTING_802_1X_SETTING_NAME); + g_prefix_error (error, "%s: ", NM_SETTING_MACSEC_SETTING_NAME); + return FALSE; + } + } + + if (priv->port <= 0 || priv->port > 65534) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_PROPERTY, + _("invalid port %d"), + priv->port); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PORT); + return FALSE; + } + + return TRUE; +} + +static void +nm_setting_macsec_init (NMSettingMacsec *setting) +{ +} + +static void +set_property (GObject *object, guint prop_id, + const GValue *value, GParamSpec *pspec) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + switch (prop_id) { + case PROP_PARENT: + g_free (priv->parent); + priv->parent = g_value_dup_string (value); + break; + case PROP_MODE: + priv->mode = g_value_get_int (value); + break; + case PROP_ENCRYPT: + priv->encrypt = g_value_get_boolean (value); + break; + case PROP_MKA_CAK: + g_free (priv->mka_cak); + priv->mka_cak = g_value_dup_string (value); + break; + case PROP_MKA_CAK_FLAGS: + priv->mka_cak_flags = g_value_get_flags (value); + break; + case PROP_MKA_CKN: + g_free (priv->mka_ckn); + priv->mka_ckn = g_value_dup_string (value); + break; + case PROP_PORT: + priv->port = g_value_get_int (value); + break; + case PROP_VALIDATION: + priv->validation = g_value_get_int (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +get_property (GObject *object, guint prop_id, + GValue *value, GParamSpec *pspec) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + switch (prop_id) { + case PROP_PARENT: + g_value_set_string (value, priv->parent); + break; + case PROP_MODE: + g_value_set_int (value, priv->mode); + break; + case PROP_ENCRYPT: + g_value_set_boolean (value, priv->encrypt); + break; + case PROP_MKA_CAK: + g_value_set_string (value, priv->mka_cak); + break; + case PROP_MKA_CAK_FLAGS: + g_value_set_flags (value, priv->mka_cak_flags); + break; + case PROP_MKA_CKN: + g_value_set_string (value, priv->mka_ckn); + break; + case PROP_PORT: + g_value_set_int (value, priv->port); + break; + case PROP_VALIDATION: + g_value_set_int (value, priv->validation); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +finalize (GObject *object) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + g_free (priv->parent); + if (priv->mka_cak) { + memset (priv->mka_cak, 0, strlen (priv->mka_cak)); + g_free (priv->mka_cak); + } + g_free (priv->mka_ckn); + + G_OBJECT_CLASS (nm_setting_macsec_parent_class)->finalize (object); +} + +static void +nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class) +{ + GObjectClass *object_class = G_OBJECT_CLASS (setting_class); + NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class); + + g_type_class_add_private (setting_class, sizeof (NMSettingMacsecPrivate)); + + object_class->set_property = set_property; + object_class->get_property = get_property; + object_class->finalize = finalize; + parent_class->verify = verify; + parent_class->need_secrets = need_secrets; + + /** + * NMSettingMacsec:parent: + * + * If given, specifies the parent interface name or parent connection UUID + * from which this MACSEC interface should be created. If this property is + * not specified, the connection must contain an #NMSettingWired setting + * with a #NMSettingWired:mac-address property. + * + * Since: 1.6 + **/ + obj_properties[PROP_PARENT] = + g_param_spec_string (NM_SETTING_MACSEC_PARENT, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mode: + * + * Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key + * Agreement) is obtained. + * + * Since: 1.6 + **/ + obj_properties[PROP_MODE] = + g_param_spec_int (NM_SETTING_MACSEC_MODE, "", "", + G_MININT, G_MAXINT, NM_SETTING_MACSEC_MODE_PSK, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:encrypt: + * + * Whether the transmitted traffic must be encrypted. + * + * Since: 1.6 + **/ + obj_properties[PROP_ENCRYPT] = + g_param_spec_boolean (NM_SETTING_MACSEC_ENCRYPT, "", "", + TRUE, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-cak: + * + * The pre-shared CAK (Connectivity Association Key) for MACsec + * Key Agreement. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CAK] = + g_param_spec_string (NM_SETTING_MACSEC_MKA_CAK, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_SECRET | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-cak-flags: + * + * Flags indicating how to handle the #NMSettingMacsec:mka-cak + * property. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CAK_FLAGS] = + g_param_spec_flags (NM_SETTING_MACSEC_MKA_CAK_FLAGS, "", "", + NM_TYPE_SETTING_SECRET_FLAGS, + NM_SETTING_SECRET_FLAG_NONE, + G_PARAM_READWRITE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-ckn: + * + * The pre-shared CKN (Connectivity-association Key Name) for + * MACsec Key Agreement. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CKN] = + g_param_spec_string (NM_SETTING_MACSEC_MKA_CKN, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:port: + * + * The port component of the SCI (Secure Channel Identifier), between 1 and 65534. + * + * Since: 1.6 + **/ + obj_properties[PROP_PORT] = + g_param_spec_int (NM_SETTING_MACSEC_PORT, "", "", + 1, 65534, 1, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:validation: + * + * Specifies the validation mode for incoming frames. + * + * Since: 1.6 + **/ + obj_properties[PROP_VALIDATION] = + g_param_spec_int (NM_SETTING_MACSEC_VALIDATION, "", "", + G_MININT, G_MAXINT, NM_SETTING_MACSEC_VALIDATION_STRICT, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); +} diff --git a/libnm-core/nm-setting-macsec.h b/libnm-core/nm-setting-macsec.h new file mode 100644 index 0000000000..f9431dfe51 --- /dev/null +++ b/libnm-core/nm-setting-macsec.h @@ -0,0 +1,126 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ + +/* + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#ifndef __NM_SETTING_MACSEC_H__ +#define __NM_SETTING_MACSEC_H__ + +#if !defined (__NETWORKMANAGER_H_INSIDE__) && !defined (NETWORKMANAGER_COMPILATION) +#error "Only <NetworkManager.h> can be included directly." +#endif + +#include "nm-setting.h" + +G_BEGIN_DECLS + +#define NM_TYPE_SETTING_MACSEC (nm_setting_macsec_get_type ()) +#define NM_SETTING_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_SETTING_MACSEC, NMSettingMacsec)) +#define NM_SETTING_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_SETTING_MACSECCONFIG, NMSettingMacsecClass)) +#define NM_IS_SETTING_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_SETTING_MACSEC)) +#define NM_IS_SETTING_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_SETTING_MACSEC)) +#define NM_SETTING_MACSEC_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_SETTING_MACSEC, NMSettingMacsecClass)) + +#define NM_SETTING_MACSEC_SETTING_NAME "macsec" + +#define NM_SETTING_MACSEC_PARENT "parent" +#define NM_SETTING_MACSEC_MODE "mode" +#define NM_SETTING_MACSEC_ENCRYPT "encrypt" +#define NM_SETTING_MACSEC_MKA_CAK "mka-cak" +#define NM_SETTING_MACSEC_MKA_CAK_FLAGS "mka-cak-flags" +#define NM_SETTING_MACSEC_MKA_CKN "mka-ckn" +#define NM_SETTING_MACSEC_PORT "port" +#define NM_SETTING_MACSEC_VALIDATION "validation" + +/** + * NMSettingMacsec: + */ +struct _NMSettingMacsec { + NMSetting parent; +}; + +typedef struct { + NMSettingClass parent; + + /*< private >*/ + gpointer padding[4]; +} NMSettingMacsecClass; + +/** + * NMSettingMacsecMode: + * @NM_SETTING_MACSEC_MODE_PSK: The CAK is pre-shared + * @NM_SETTING_MACSEC_MODE_EAP: The CAK is the result of participation in EAP + * + * #NMSettingMacsecMode controls how the CAK (Connectivity Association Key) used + * in MKA (MACsec Key Agreement) is obtained. + * + * Since: 1.6 + */ +typedef enum { + NM_SETTING_MACSEC_MODE_PSK = 0, + NM_SETTING_MACSEC_MODE_EAP = 1, +} NMSettingMacsecMode; + +/** + * NMSettingMacsecValidation: + * @NM_SETTING_MACSEC_VALIDATION_DISABLE: All incoming frames are accepted if + * possible + * @NM_SETTING_MACSEC_VALIDATION_CHECK: Non protected, invalid, or impossible to + * verify frames are accepted and counted as "invalid" + * @NM_SETTING_MACSEC_VALIDATION_STRICT: Non protected, invalid, or impossible to + * verify frames are dropped + * + * #NMSettingMacsecValidation specifies a validation mode for incoming frames. + * + * Since: 1.6 + */ +typedef enum { + NM_SETTING_MACSEC_VALIDATION_DISABLE = 0, + NM_SETTING_MACSEC_VALIDATION_CHECK = 1, + NM_SETTING_MACSEC_VALIDATION_STRICT = 2, +} NMSettingMacsecValidation; + +#define NM_SETTING_MACSEC_MKA_CAK_LENGTH 32 +#define NM_SETTING_MACSEC_MKA_CKN_LENGTH 64 + +NM_AVAILABLE_IN_1_6 +GType nm_setting_macsec_get_type (void); +NM_AVAILABLE_IN_1_6 +NMSetting *nm_setting_macsec_new (void); + +NM_AVAILABLE_IN_1_6 +const char *nm_setting_macsec_get_parent (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +NMSettingMacsecMode nm_setting_macsec_get_mode (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +gboolean nm_setting_macsec_get_encrypt (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +const char *nm_setting_macsec_get_mka_cak (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +NMSettingSecretFlags nm_setting_macsec_get_mka_cak_flags (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +const char *nm_setting_macsec_get_mka_ckn (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +int nm_setting_macsec_get_port (NMSettingMacsec *setting); +NM_AVAILABLE_IN_1_6 +NMSettingMacsecValidation nm_setting_macsec_get_validation (NMSettingMacsec *setting); + +G_END_DECLS + +#endif /* __NM_SETTING_MACSEC_H__ */ diff --git a/libnm/NetworkManager.h b/libnm/NetworkManager.h index 6af091faeb..d0dec1a019 100644 --- a/libnm/NetworkManager.h +++ b/libnm/NetworkManager.h @@ -68,6 +68,7 @@ #include <nm-setting-ip6-config.h> #include <nm-setting-ip-config.h> #include <nm-setting-ip-tunnel.h> +#include <nm-setting-macsec.h> #include <nm-setting-macvlan.h> #include <nm-setting-olpc-mesh.h> #include <nm-setting-ppp.h> diff --git a/libnm/libnm.ver b/libnm/libnm.ver index cc39286564..d0562e2c11 100644 --- a/libnm/libnm.ver +++ b/libnm/libnm.ver @@ -1090,7 +1090,22 @@ global: nm_client_get_dns_configuration; nm_client_get_dns_mode; nm_client_get_dns_rc_manager; + nm_connection_get_setting_macsec; nm_connection_get_setting_proxy; + nm_device_macsec_get_cipher_suite; + nm_device_macsec_get_encoding_sa; + nm_device_macsec_get_encrypt; + nm_device_macsec_get_es; + nm_device_macsec_get_hw_address; + nm_device_macsec_get_icv_length; + nm_device_macsec_get_include_sci; + nm_device_macsec_get_protect; + nm_device_macsec_get_replay_protect; + nm_device_macsec_get_scb; + nm_device_macsec_get_sci; + nm_device_macsec_get_type; + nm_device_macsec_get_validation; + nm_device_macsec_get_window; nm_dns_entry_get_domains; nm_dns_entry_get_interface; nm_dns_entry_get_nameservers; @@ -1099,6 +1114,18 @@ global: nm_dns_entry_get_vpn; nm_dns_entry_unref; nm_setting_connection_get_autoconnect_retries; + nm_setting_macsec_get_encrypt; + nm_setting_macsec_get_mka_cak; + nm_setting_macsec_get_mka_cak_flags; + nm_setting_macsec_get_mka_ckn; + nm_setting_macsec_get_mode; + nm_setting_macsec_get_parent; + nm_setting_macsec_get_port; + nm_setting_macsec_get_type; + nm_setting_macsec_get_validation; + nm_setting_macsec_mode_get_type; + nm_setting_macsec_new; + nm_setting_macsec_validation_get_type; nm_setting_proxy_get_type; nm_setting_proxy_new; nm_setting_proxy_get_method; diff --git a/libnm/nm-client.c b/libnm/nm-client.c index 4b31236e39..63eaa84ce3 100644 --- a/libnm/nm-client.c +++ b/libnm/nm-client.c @@ -56,6 +56,7 @@ #include "nm-device-generic.h" #include "nm-device-infiniband.h" #include "nm-device-ip-tunnel.h" +#include "nm-device-macsec.h" #include "nm-device-macvlan.h" #include "nm-device-modem.h" #include "nm-device-olpc-mesh.h" @@ -2061,6 +2062,8 @@ obj_nm_for_gdbus_object (GDBusObject *object, GDBusObjectManager *object_manager type = NM_TYPE_DEVICE_INFINIBAND; else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_IP_TUNNEL) == 0) type = NM_TYPE_DEVICE_IP_TUNNEL; + else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MACSEC) == 0) + type = NM_TYPE_DEVICE_MACSEC; else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MACVLAN) == 0) type = NM_TYPE_DEVICE_MACVLAN; else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MODEM) == 0) diff --git a/libnm/nm-device-macsec.c b/libnm/nm-device-macsec.c new file mode 100644 index 0000000000..c4762041be --- /dev/null +++ b/libnm/nm-device-macsec.c @@ -0,0 +1,639 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#include "nm-default.h" + +#include <string.h> + +#include "nm-device-macsec.h" +#include "nm-device-private.h" +#include "nm-object-private.h" +#include "nm-utils.h" + +G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE) + +#define NM_DEVICE_MACSEC_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecPrivate)) + +typedef struct { + NMDevice *parent; + char *hw_address; + guint64 sci; + guint64 cipher_suite; + guint8 icv_length; + guint32 window; + guint8 encoding_sa; + gboolean encrypt; + gboolean protect; + gboolean include_sci; + gboolean es; + gboolean scb; + gboolean replay_protect; + char *validation; +} NMDeviceMacsecPrivate; + +NM_GOBJECT_PROPERTIES_DEFINE_BASE ( + PROP_PARENT, + PROP_HW_ADDRESS, + PROP_SCI, + PROP_CIPHER_SUITE, + PROP_ICV_LENGTH, + PROP_WINDOW, + PROP_ENCODING_SA, + PROP_ENCRYPT, + PROP_PROTECT, + PROP_INCLUDE_SCI, + PROP_ES, + PROP_SCB, + PROP_REPLAY_PROTECT, + PROP_VALIDATION, +); + +/** + * nm_device_macsec_get_parent: + * @device: a #NMDeviceMacsec + * + * Returns: (transfer none): the device's parent device + * + * Since: 1.6 + **/ +NMDevice * +nm_device_macsec_get_parent (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->parent; +} + +/** + * nm_device_macsec_get_hw_address: + * @device: a #NMDeviceMacsec + * + * Gets the hardware (MAC) address of the #NMDeviceMacsec + * + * Returns: the hardware address. This is the internal string used by the + * device, and must not be modified. + * + * Since: 1.6 + **/ +const char * +nm_device_macsec_get_hw_address (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->hw_address; +} + +/** + * nm_device_macsec_get_sci: + * @device: a #NMDeviceMacsec + * + * Gets the Secure Channel Identifier in use + * + * Returns: the SCI + * + * Since: 1.6 + **/ +guint64 +nm_device_macsec_get_sci (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->sci; +} + +/** + * nm_device_macsec_get_icv_length: + * @device: a #NMDeviceMacsec + * + * Gets the length of ICV (Integrity Check Value) + * + * Returns: the length of ICV + * + * Since: 1.6 + **/ +guint8 +nm_device_macsec_get_icv_length (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->icv_length; +} + +/** + * nm_device_macsec_get_cipher_suite: + * @device: a #NMDeviceMacsec + * + * Gets the set of cryptographic algorithms in use + * + * Returns: + * + * Since: 1.6 + **/ +guint64 +nm_device_macsec_get_cipher_suite (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->cipher_suite; +} + +/** + * nm_device_macsec_get_window: + * @device: a #NMDeviceMacsec + * + * Gets the size of the replay window + * + * Returns: size of the replay window + * + * Since: 1.6 + **/ +guint +nm_device_macsec_get_window (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->window; +} + +/** + * nm_device_macsec_get_encoding_sa: + * @device: a #NMDeviceMacsec + * + * Gets the value of the Association Number (0..3) for the Security + * Association in use. + * + * Returns: the current Security Association + * + * Since: 1.6 + **/ +guint8 +nm_device_macsec_get_encoding_sa (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->encoding_sa; +} + +/** + * nm_device_macsec_get_validation: + * @device: a #NMDeviceMacsec + * + * Gets the validation mode for incoming packets (strict, check, + * disabled) + * + * Returns: the validation mode + * + * Since: 1.6 + **/ +const char * +nm_device_macsec_get_validation (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->validation; +} + +/** + * nm_device_macsec_get_encrypt: + * @device: a #NMDeviceMacsec + * + * Gets whether encryption of transmitted frames is enabled + * + * Returns: whether encryption is enabled + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_encrypt (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->encrypt; +} + +/** + * nm_device_macsec_get_protect: + * @device: a #NMDeviceMacsec + * + * Gets whether protection of transmitted frames is enabled + * + * Returns: whether protection is enabled + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_protect (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->protect; +} + +/** + * nm_device_macsec_get_include_sci: + * @device: a #NMDeviceMacsec + * + * Gets whether the SCI is always included in SecTAG for transmitted + * frames + * + * Returns: whether the SCI is always included + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_include_sci (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->include_sci; +} + +/** + * nm_device_macsec_get_es: + * @device: a #NMDeviceMacsec + * + * Gets whether the ES (End station) bit is enabled in SecTAG for + * transmitted frames + * + * Returns: whether the ES (End station) bit is enabled + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_es (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->es; +} + +/** + * nm_device_macsec_get_scb: + * @device: a #NMDeviceMacsec + * + * Gets whether the SCB (Single Copy Broadcast) bit is enabled in + * SecTAG for transmitted frames + * + * Returns: whether the SCB (Single Copy Broadcast) bit is enabled + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_scb (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->scb; +} + +/** + * nm_device_macsec_get_replay_protect: + * @device: a #NMDeviceMacsec + * + * Gets whether replay protection is enabled + * + * Returns: whether replay protection is enabled + * + * Since: 1.6 + **/ +gboolean +nm_device_macsec_get_replay_protect (NMDeviceMacsec *device) +{ + g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE); + + return NM_DEVICE_MACSEC_GET_PRIVATE (device)->replay_protect; +} + +static const char * +get_hw_address (NMDevice *device) +{ + return nm_device_macsec_get_hw_address (NM_DEVICE_MACSEC (device)); +} + +/***********************************************************/ + +static void +nm_device_macsec_init (NMDeviceMacsec *device) +{ +} + +static void +init_dbus (NMObject *object) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (object); + const NMPropertiesInfo property_info[] = { + { NM_DEVICE_MACSEC_PARENT, &priv->parent, NULL, NM_TYPE_DEVICE }, + { NM_DEVICE_MACSEC_HW_ADDRESS, &priv->hw_address }, + { NM_DEVICE_MACSEC_SCI, &priv->sci }, + { NM_DEVICE_MACSEC_CIPHER_SUITE, &priv->cipher_suite }, + { NM_DEVICE_MACSEC_ICV_LENGTH, &priv->icv_length }, + { NM_DEVICE_MACSEC_WINDOW, &priv->window }, + { NM_DEVICE_MACSEC_ENCODING_SA, &priv->encoding_sa }, + { NM_DEVICE_MACSEC_ENCRYPT, &priv->encrypt }, + { NM_DEVICE_MACSEC_PROTECT, &priv->protect }, + { NM_DEVICE_MACSEC_INCLUDE_SCI, &priv->include_sci }, + { NM_DEVICE_MACSEC_ES, &priv->es }, + { NM_DEVICE_MACSEC_SCB, &priv->scb }, + { NM_DEVICE_MACSEC_REPLAY_PROTECT, &priv->replay_protect }, + { NM_DEVICE_MACSEC_VALIDATION, &priv->validation }, + { NULL }, + }; + + NM_OBJECT_CLASS (nm_device_macsec_parent_class)->init_dbus (object); + + _nm_object_register_properties (object, + NM_DBUS_INTERFACE_DEVICE_MACSEC, + property_info); +} + +static void +finalize (GObject *object) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (object); + + g_free (priv->validation); + g_free (priv->hw_address); + g_clear_object (&priv->parent); + + G_OBJECT_CLASS (nm_device_macsec_parent_class)->finalize (object); +} + +static void +get_property (GObject *object, + guint prop_id, + GValue *value, + GParamSpec *pspec) +{ + NMDeviceMacsec *device = NM_DEVICE_MACSEC (object); + + switch (prop_id) { + case PROP_PARENT: + g_value_set_object (value, nm_device_macsec_get_parent (device)); + break; + case PROP_HW_ADDRESS: + g_value_set_string (value, nm_device_macsec_get_hw_address (device)); + break; + case PROP_SCI: + g_value_set_uint64 (value, nm_device_macsec_get_sci (device)); + break; + case PROP_ICV_LENGTH: + g_value_set_uchar (value, nm_device_macsec_get_icv_length (device)); + break; + case PROP_CIPHER_SUITE: + g_value_set_uint64 (value, nm_device_macsec_get_cipher_suite (device)); + break; + case PROP_WINDOW: + g_value_set_uint (value, nm_device_macsec_get_window (device)); + break; + case PROP_ENCODING_SA: + g_value_set_uchar (value, nm_device_macsec_get_encoding_sa (device)); + break; + case PROP_VALIDATION: + g_value_set_string (value, nm_device_macsec_get_validation (device)); + break; + case PROP_ENCRYPT: + g_value_set_boolean (value, nm_device_macsec_get_encrypt (device)); + break; + case PROP_PROTECT: + g_value_set_boolean (value, nm_device_macsec_get_protect (device)); + break; + case PROP_INCLUDE_SCI: + g_value_set_boolean (value, nm_device_macsec_get_include_sci (device)); + break; + case PROP_ES: + g_value_set_boolean (value, nm_device_macsec_get_es (device)); + break; + case PROP_SCB: + g_value_set_boolean (value, nm_device_macsec_get_scb (device)); + break; + case PROP_REPLAY_PROTECT: + g_value_set_boolean (value, nm_device_macsec_get_replay_protect (device)); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +nm_device_macsec_class_init (NMDeviceMacsecClass *macsec_class) +{ + GObjectClass *object_class = G_OBJECT_CLASS (macsec_class); + NMObjectClass *nm_object_class = NM_OBJECT_CLASS (macsec_class); + NMDeviceClass *device_class = NM_DEVICE_CLASS (macsec_class); + + g_type_class_add_private (macsec_class, sizeof (NMDeviceMacsecPrivate)); + + object_class->finalize = finalize; + object_class->get_property = get_property; + + nm_object_class->init_dbus = init_dbus; + + device_class->get_hw_address = get_hw_address; + + /** + * NMDeviceMacsec:parent: + * + * The devices's parent device. + * + * Since: 1.6 + **/ + obj_properties[PROP_PARENT] = + g_param_spec_object (NM_DEVICE_MACSEC_PARENT, "", "", + NM_TYPE_DEVICE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:hw-address: + * + * The hardware (MAC) address of the device. + * + * Since: 1.6 + **/ + obj_properties[PROP_HW_ADDRESS] = + g_param_spec_string (NM_DEVICE_MACSEC_HW_ADDRESS, "", "", + NULL, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:sci: + * + * The Secure Channel Identifier in use. + * + * Since: 1.6 + **/ + obj_properties[PROP_SCI] = + g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "", + 0, G_MAXUINT64, 0, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:icv-length: + * + * The length of ICV (Integrity Check Value). + * + * Since: 1.6 + **/ + obj_properties[PROP_ICV_LENGTH] = + g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "", + 0, G_MAXUINT8, 0, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:cipher-suite: + * + * The set of cryptographic algorithms in use. + * + * Since: 1.6 + **/ + obj_properties[PROP_CIPHER_SUITE] = + g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "", + 0, G_MAXUINT64, 0, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:window: + * + * The size of the replay window. + * + * Since: 1.6 + **/ + obj_properties[PROP_WINDOW] = + g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "", + 0, G_MAXUINT32, 0, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:encoding-sa: + * + * The value of the Association Number (0..3) for the Security + * Association in use. + * + * Since: 1.6 + **/ + obj_properties[PROP_ENCODING_SA] = + g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "", + 0, G_MAXUINT8, 0, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:validation: + * + * The validation mode for incoming packets (strict, check, + * disabled). + * + * Since: 1.6 + **/ + obj_properties[PROP_VALIDATION] = + g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "", + NULL, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:encrypt: + * + * Whether encryption of transmitted frames is enabled. + * + * Since: 1.6 + **/ + obj_properties[PROP_ENCRYPT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:protect: + * + * Whether protection of transmitted frames is enabled. + * + * Since: 1.6 + **/ + obj_properties[PROP_PROTECT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:include-sci: + * + * Whether the SCI is always included in SecTAG for transmitted + * frames. + * + * Since: 1.6 + **/ + obj_properties[PROP_INCLUDE_SCI] = + g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:es: + * + * Whether the ES (End station) bit is enabled in SecTAG for + * transmitted frames. + * + * Since: 1.6 + **/ + obj_properties[PROP_ES] = + g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:scb: + * + * Whether the SCB (Single Copy Broadcast) bit is enabled in + * SecTAG for transmitted frames. + * + * Since: 1.6 + **/ + obj_properties[PROP_SCB] = + g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMDeviceMacsec:replay-protect: + * + * Whether replay protection is enabled. + * + * Since: 1.6 + **/ + obj_properties[PROP_REPLAY_PROTECT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "", + FALSE, + G_PARAM_READABLE | + G_PARAM_STATIC_STRINGS); + + g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); +} diff --git a/libnm/nm-device-macsec.h b/libnm/nm-device-macsec.h new file mode 100644 index 0000000000..d6d7c0ef79 --- /dev/null +++ b/libnm/nm-device-macsec.h @@ -0,0 +1,101 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#ifndef __NM_DEVICE_MACSEC_H__ +#define __NM_DEVICE_MACSEC_H__ + +#if !defined (__NETWORKMANAGER_H_INSIDE__) && !defined(NETWORKMANAGER_COMPILATION) +#error "Only <NetworkManager.h> can be included directly." +#endif + +#include <nm-device.h> + +G_BEGIN_DECLS + +#define NM_TYPE_DEVICE_MACSEC (nm_device_macsec_get_type ()) +#define NM_DEVICE_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsec)) +#define NM_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass)) +#define NM_IS_DEVICE_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_DEVICE_MACSEC)) +#define NM_IS_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_DEVICE_MACSEC)) +#define NM_DEVICE_MACSEC_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass)) + +#define NM_DEVICE_MACSEC_PARENT "parent" +#define NM_DEVICE_MACSEC_HW_ADDRESS "hw-address" +#define NM_DEVICE_MACSEC_SCI "sci" +#define NM_DEVICE_MACSEC_ICV_LENGTH "icv-length" +#define NM_DEVICE_MACSEC_CIPHER_SUITE "cipher-suite" +#define NM_DEVICE_MACSEC_WINDOW "window" +#define NM_DEVICE_MACSEC_ENCODING_SA "encoding-sa" +#define NM_DEVICE_MACSEC_VALIDATION "validation" +#define NM_DEVICE_MACSEC_ENCRYPT "encrypt" +#define NM_DEVICE_MACSEC_PROTECT "protect" +#define NM_DEVICE_MACSEC_INCLUDE_SCI "include-sci" +#define NM_DEVICE_MACSEC_ES "es" +#define NM_DEVICE_MACSEC_SCB "scb" +#define NM_DEVICE_MACSEC_REPLAY_PROTECT "replay-protect" + +/** + * NMDeviceMacsec: + */ +struct _NMDeviceMacsec { + NMDevice parent; +}; + +typedef struct { + NMDeviceClass parent; + + /*< private >*/ + gpointer padding[4]; +} NMDeviceMacsecClass; + +NM_AVAILABLE_IN_1_6 +GType nm_device_macsec_get_type (void); + +NM_AVAILABLE_IN_1_6 +NMDevice * nm_device_macsec_get_parent (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +const char * nm_device_macsec_get_hw_address (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +guint64 nm_device_macsec_get_sci (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +guint8 nm_device_macsec_get_icv_length (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +guint64 nm_device_macsec_get_cipher_suite (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +guint nm_device_macsec_get_window (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +guint8 nm_device_macsec_get_encoding_sa (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +const char * nm_device_macsec_get_validation (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_encrypt (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_protect (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_include_sci (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_es (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_scb (NMDeviceMacsec *device); +NM_AVAILABLE_IN_1_6 +gboolean nm_device_macsec_get_replay_protect (NMDeviceMacsec *device); +G_END_DECLS + +#endif /* __NM_DEVICE_MACSEC_H__ */ diff --git a/libnm/nm-device.c b/libnm/nm-device.c index 5c5988862c..02b5cad550 100644 --- a/libnm/nm-device.c +++ b/libnm/nm-device.c @@ -267,6 +267,7 @@ coerce_type (NMDeviceType type) case NM_DEVICE_TYPE_BRIDGE: case NM_DEVICE_TYPE_VLAN: case NM_DEVICE_TYPE_ADSL: + case NM_DEVICE_TYPE_MACSEC: case NM_DEVICE_TYPE_MACVLAN: case NM_DEVICE_TYPE_VXLAN: case NM_DEVICE_TYPE_IP_TUNNEL: @@ -1691,6 +1692,8 @@ get_type_name (NMDevice *device) return _("Tun"); case NM_DEVICE_TYPE_VETH: return _("Veth"); + case NM_DEVICE_TYPE_MACSEC: + return _("MACsec"); case NM_DEVICE_TYPE_GENERIC: case NM_DEVICE_TYPE_UNUSED1: case NM_DEVICE_TYPE_UNUSED2: diff --git a/libnm/nm-types.h b/libnm/nm-types.h index be09daaf89..7d224c86fe 100644 --- a/libnm/nm-types.h +++ b/libnm/nm-types.h @@ -38,6 +38,7 @@ typedef struct _NMDeviceEthernet NMDeviceEthernet; typedef struct _NMDeviceGeneric NMDeviceGeneric; typedef struct _NMDeviceInfiniband NMDeviceInfiniband; typedef struct _NMDeviceIPTunnel NMDeviceIPTunnel; +typedef struct _NMDeviceMacsec NMDeviceMacsec; typedef struct _NMDeviceMacvlan NMDeviceMacvlan; typedef struct _NMDeviceModem NMDeviceModem; typedef struct _NMDeviceOlpcMesh NMDeviceOlpcMesh; diff --git a/po/POTFILES.in b/po/POTFILES.in index 411868b8c8..d9faa7b112 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -68,6 +68,7 @@ libnm-core/nm-setting-ip-config.c libnm-core/nm-setting-ip4-config.c libnm-core/nm-setting-ip6-config.c libnm-core/nm-setting-ip-tunnel.c +libnm-core/nm-setting-macsec.c libnm-core/nm-setting-macvlan.c libnm-core/nm-setting-olpc-mesh.c libnm-core/nm-setting-ppp.c diff --git a/src/devices/nm-device-ethernet.c b/src/devices/nm-device-ethernet.c index 0dc09762aa..f9d753a58f 100644 --- a/src/devices/nm-device-ethernet.c +++ b/src/devices/nm-device-ethernet.c @@ -75,7 +75,6 @@ typedef struct Supplicant { gulong iface_state_id; /* Timeouts and idles */ - guint iface_con_error_cb_id; guint con_timeout_id; } Supplicant; @@ -430,7 +429,6 @@ supplicant_interface_clear_handlers (NMDeviceEthernet *self) nm_clear_g_source (&priv->supplicant_timeout_id); nm_clear_g_source (&priv->supplicant.con_timeout_id); - nm_clear_g_source (&priv->supplicant.iface_con_error_cb_id); nm_clear_g_signal_handler (priv->supplicant.iface, &priv->supplicant.iface_error_id); } @@ -679,19 +677,6 @@ supplicant_iface_state_cb (NMSupplicantInterface *iface, } } -static gboolean -supplicant_iface_connection_error_cb_handler (gpointer user_data) -{ - NMDeviceEthernet *self = NM_DEVICE_ETHERNET (user_data); - NMDeviceEthernetPrivate *priv = NM_DEVICE_ETHERNET_GET_PRIVATE (self); - - supplicant_interface_release (self); - nm_device_state_changed (NM_DEVICE (self), NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED); - - priv->supplicant.iface_con_error_cb_id = 0; - return FALSE; -} - static void supplicant_iface_connection_error_cb (NMSupplicantInterface *iface, const char *name, @@ -699,18 +684,15 @@ supplicant_iface_connection_error_cb (NMSupplicantInterface *iface, gpointer user_data) { NMDeviceEthernet *self = NM_DEVICE_ETHERNET (user_data); - NMDeviceEthernetPrivate *priv = NM_DEVICE_ETHERNET_GET_PRIVATE (self); - guint id; _LOGW (LOGD_DEVICE | LOGD_ETHER, "Activation: (ethernet) association request to the supplicant failed: %s - %s", name, message); - if (priv->supplicant.iface_con_error_cb_id) - g_source_remove (priv->supplicant.iface_con_error_cb_id); - - id = g_idle_add (supplicant_iface_connection_error_cb_handler, self); - priv->supplicant.iface_con_error_cb_id = id; + supplicant_interface_release (self); + nm_device_queue_state (NM_DEVICE (self), + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED); } static NMActStageReturn @@ -794,7 +776,7 @@ supplicant_interface_init (NMDeviceEthernet *self) priv->supplicant.iface = nm_supplicant_manager_create_interface (priv->supplicant.mgr, nm_device_get_iface (NM_DEVICE (self)), - FALSE); + NM_SUPPLICANT_DRIVER_WIRED); if (!priv->supplicant.iface) { _LOGE (LOGD_DEVICE | LOGD_ETHER, @@ -810,7 +792,7 @@ supplicant_interface_init (NMDeviceEthernet *self) /* Hook up error signal handler to capture association errors */ priv->supplicant.iface_error_id = g_signal_connect (priv->supplicant.iface, - "connection-error", + NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR, G_CALLBACK (supplicant_iface_connection_error_cb), self); diff --git a/src/devices/nm-device-factory.c b/src/devices/nm-device-factory.c index dc8e26605b..0ce2cb48c5 100644 --- a/src/devices/nm-device-factory.c +++ b/src/devices/nm-device-factory.c @@ -405,6 +405,7 @@ nm_device_factory_manager_load_factories (NMDeviceFactoryManagerFactoryFunc call _ADD_INTERNAL (nm_ethernet_device_factory_get_type); _ADD_INTERNAL (nm_infiniband_device_factory_get_type); _ADD_INTERNAL (nm_ip_tunnel_device_factory_get_type); + _ADD_INTERNAL (nm_macsec_device_factory_get_type); _ADD_INTERNAL (nm_macvlan_device_factory_get_type); _ADD_INTERNAL (nm_tun_device_factory_get_type); _ADD_INTERNAL (nm_veth_device_factory_get_type); diff --git a/src/devices/nm-device-macsec.c b/src/devices/nm-device-macsec.c new file mode 100644 index 0000000000..c511a0e721 --- /dev/null +++ b/src/devices/nm-device-macsec.c @@ -0,0 +1,1009 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager -- Network link manager + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#include "nm-default.h" + +#include "nm-device-macsec.h" + +#include "nm-act-request.h" +#include "nm-device-private.h" +#include "platform/nm-platform.h" +#include "nm-device-factory.h" +#include "nm-manager.h" +#include "nm-setting-macsec.h" +#include "nm-core-internal.h" +#include "supplicant/nm-supplicant-manager.h" +#include "supplicant/nm-supplicant-interface.h" +#include "supplicant/nm-supplicant-config.h" + +#include "introspection/org.freedesktop.NetworkManager.Device.Macsec.h" + +#include "nm-device-logging.h" +_LOG_DECLARE_SELF(NMDeviceMacsec); + +/*****************************************************************************/ + +typedef struct Supplicant { + NMSupplicantManager *mgr; + NMSupplicantInterface *iface; + + /* signal handler ids */ + gulong iface_error_id; + gulong iface_state_id; + + /* Timeouts and idles */ + guint con_timeout_id; +} Supplicant; + +NM_GOBJECT_PROPERTIES_DEFINE (NMDeviceMacsec, + PROP_SCI, + PROP_CIPHER_SUITE, + PROP_ICV_LENGTH, + PROP_WINDOW, + PROP_ENCODING_SA, + PROP_ENCRYPT, + PROP_PROTECT, + PROP_INCLUDE_SCI, + PROP_ES, + PROP_SCB, + PROP_REPLAY_PROTECT, + PROP_VALIDATION, +); + +typedef struct { + NMPlatformLnkMacsec props; + gulong parent_state_id; + Supplicant supplicant; + guint supplicant_timeout_id; + NMActRequestGetSecretsCallId macsec_secrets_id; +} NMDeviceMacsecPrivate; + +struct _NMDeviceMacsec { + NMDevice parent; + NMDeviceMacsecPrivate _priv; +}; + +struct _NMDeviceMacsecClass { + NMDeviceClass parent; +}; + +G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE) + +#define NM_DEVICE_MACSEC_GET_PRIVATE(self) _NM_GET_PRIVATE (self, NMDeviceMacsec, NM_IS_DEVICE_MACSEC) + +/******************************************************************/ + +#define MACSEC_SECRETS_TRIES "macsec-secrets-tries" + +static void macsec_secrets_cancel (NMDeviceMacsec *self); + +/******************************************************************/ + +NM_UTILS_LOOKUP_STR_DEFINE_STATIC (validation_mode_to_string, guint8, + NM_UTILS_LOOKUP_DEFAULT_WARN ("<unknown>"), + NM_UTILS_LOOKUP_STR_ITEM (0, "disable"), + NM_UTILS_LOOKUP_STR_ITEM (1, "check"), + NM_UTILS_LOOKUP_STR_ITEM (2, "strict"), +); + +static void +parent_state_changed (NMDevice *parent, + NMDeviceState new_state, + NMDeviceState old_state, + NMDeviceStateReason reason, + gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + + /* We'll react to our own carrier state notifications. Ignore the parent's. */ + if (reason == NM_DEVICE_STATE_REASON_CARRIER) + return; + + nm_device_set_unmanaged_by_flags (NM_DEVICE (self), NM_UNMANAGED_PARENT, !nm_device_get_managed (parent, FALSE), reason); +} + +static void +parent_changed_notify (NMDevice *device, + int old_ifindex, + NMDevice *old_parent, + int new_ifindex, + NMDevice *new_parent) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (device); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + NM_DEVICE_CLASS (nm_device_macsec_parent_class)->parent_changed_notify (device, + old_ifindex, + old_parent, + new_ifindex, + new_parent); + + /* note that @self doesn't have to clear @parent_state_id on dispose, + * because NMDevice's dispose() will unset the parent, which in turn calls + * parent_changed_notify(). */ + nm_clear_g_signal_handler (old_parent, &priv->parent_state_id); + + if (new_parent) { + priv->parent_state_id = g_signal_connect (new_parent, + NM_DEVICE_STATE_CHANGED, + G_CALLBACK (parent_state_changed), + device); + + /* Set parent-dependent unmanaged flag */ + nm_device_set_unmanaged_by_flags (device, + NM_UNMANAGED_PARENT, + !nm_device_get_managed (new_parent, FALSE), + NM_DEVICE_STATE_REASON_PARENT_MANAGED_CHANGED); + } + + /* Recheck availability now that the parent has changed */ + if (new_ifindex > 0) { + nm_device_queue_recheck_available (device, + NM_DEVICE_STATE_REASON_PARENT_CHANGED, + NM_DEVICE_STATE_REASON_PARENT_CHANGED); + } +} + +static void +update_properties (NMDevice *device) +{ + NMDeviceMacsec *self; + NMDeviceMacsecPrivate *priv; + const NMPlatformLink *plink = NULL; + const NMPlatformLnkMacsec *props = NULL; + int ifindex; + + g_return_if_fail (NM_IS_DEVICE_MACSEC (device)); + self = NM_DEVICE_MACSEC (device); + priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + ifindex = nm_device_get_ifindex (device); + g_return_if_fail (ifindex > 0); + props = nm_platform_link_get_lnk_macsec (NM_PLATFORM_GET, ifindex, &plink); + + if (!props) { + _LOGW (LOGD_PLATFORM, "could not get macsec properties"); + return; + } + + g_object_freeze_notify ((GObject *) device); + + if (priv->props.parent_ifindex != props->parent_ifindex) + nm_device_parent_set_ifindex (device, props->parent_ifindex); + +#define CHECK_PROPERTY_CHANGED(field, prop) \ + if (props->field != priv->props.field) \ + _notify (self, prop) + + CHECK_PROPERTY_CHANGED (sci, PROP_SCI); + CHECK_PROPERTY_CHANGED (cipher_suite, PROP_CIPHER_SUITE); + CHECK_PROPERTY_CHANGED (window, PROP_WINDOW); + CHECK_PROPERTY_CHANGED (icv_length, PROP_ICV_LENGTH); + CHECK_PROPERTY_CHANGED (encoding_sa, PROP_ENCODING_SA); + CHECK_PROPERTY_CHANGED (validation, PROP_VALIDATION); + CHECK_PROPERTY_CHANGED (encrypt, PROP_ENCRYPT); + CHECK_PROPERTY_CHANGED (protect, PROP_PROTECT); + CHECK_PROPERTY_CHANGED (include_sci, PROP_INCLUDE_SCI); + CHECK_PROPERTY_CHANGED (es, PROP_ES); + CHECK_PROPERTY_CHANGED (scb, PROP_SCB); + CHECK_PROPERTY_CHANGED (replay_protect, PROP_REPLAY_PROTECT); + + priv->props = *props; + g_object_thaw_notify ((GObject *) device); +} + +static NMSupplicantConfig * +build_supplicant_config (NMDeviceMacsec *self, GError **error) +{ + NMSupplicantConfig *config = NULL; + NMSettingMacsec *s_macsec; + NMSetting8021x *s_8021x; + NMConnection *connection; + const char *con_uuid; + guint32 mtu; + + connection = nm_device_get_applied_connection (NM_DEVICE (self)); + g_assert (connection); + con_uuid = nm_connection_get_uuid (connection); + mtu = nm_platform_link_get_mtu (NM_PLATFORM_GET, + nm_device_get_ifindex (NM_DEVICE (self))); + + config = nm_supplicant_config_new (); + + s_macsec = (NMSettingMacsec *) + nm_device_get_applied_setting (NM_DEVICE (self), NM_TYPE_SETTING_MACSEC); + + if (!nm_supplicant_config_add_setting_macsec (config, s_macsec, error)) { + g_prefix_error (error, "macsec-setting: "); + g_object_unref (config); + return NULL; + } + + if (nm_setting_macsec_get_mode (s_macsec) == NM_SETTING_MACSEC_MODE_EAP) { + s_8021x = nm_connection_get_setting_802_1x (connection); + if (!nm_supplicant_config_add_setting_8021x (config, s_8021x, con_uuid, mtu, TRUE, error)) { + g_prefix_error (error, "802-1x-setting: "); + g_clear_object (&config); + } + } + + return config; +} + +static void +supplicant_interface_clear_handlers (NMDeviceMacsec *self) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + nm_clear_g_source (&priv->supplicant_timeout_id); + nm_clear_g_source (&priv->supplicant.con_timeout_id); + nm_clear_g_signal_handler (priv->supplicant.iface, &priv->supplicant.iface_error_id); +} + +static void +supplicant_interface_release (NMDeviceMacsec *self) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + supplicant_interface_clear_handlers (self); + + nm_clear_g_signal_handler (priv->supplicant.iface, &priv->supplicant.iface_state_id); + + if (priv->supplicant.iface) { + nm_supplicant_interface_disconnect (priv->supplicant.iface); + g_clear_object (&priv->supplicant.iface); + } +} + +static void +supplicant_iface_connection_error_cb (NMSupplicantInterface *iface, + const char *name, + const char *message, + gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + + _LOGW (LOGD_DEVICE, + "Activation: association request to the supplicant failed: %s - %s", + name, message); + + supplicant_interface_release (self); + nm_device_queue_state (NM_DEVICE (self), + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED); +} + +static void +macsec_secrets_cb (NMActRequest *req, + NMActRequestGetSecretsCallId call_id, + NMSettingsConnection *connection, + GError *error, + gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + NMDevice *device = NM_DEVICE (self); + NMDeviceMacsecPrivate *priv; + + g_return_if_fail (NM_IS_DEVICE_MACSEC (self)); + g_return_if_fail (NM_IS_ACT_REQUEST (req)); + + priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + g_return_if_fail (priv->macsec_secrets_id == call_id); + + priv->macsec_secrets_id = NULL; + + if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) + return; + + g_return_if_fail (req == nm_device_get_act_request (device)); + g_return_if_fail (nm_device_get_state (device) == NM_DEVICE_STATE_NEED_AUTH); + g_return_if_fail (nm_act_request_get_settings_connection (req) == connection); + + if (error) { + _LOGW (LOGD_ETHER, "%s", error->message); + nm_device_state_changed (device, + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_NO_SECRETS); + } else + nm_device_activate_schedule_stage1_device_prepare (device); +} + +static void +macsec_secrets_cancel (NMDeviceMacsec *self) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + if (priv->macsec_secrets_id) + nm_act_request_cancel_secrets (NULL, priv->macsec_secrets_id); + nm_assert (!priv->macsec_secrets_id); +} + +static void +macsec_secrets_get_secrets (NMDeviceMacsec *self, + const char *setting_name, + NMSecretAgentGetSecretsFlags flags) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMActRequest *req; + + macsec_secrets_cancel (self); + + req = nm_device_get_act_request (NM_DEVICE (self)); + g_return_if_fail (NM_IS_ACT_REQUEST (req)); + + priv->macsec_secrets_id = nm_act_request_get_secrets (req, + TRUE, + setting_name, + flags, + NULL, + macsec_secrets_cb, + self); + g_return_if_fail (priv->macsec_secrets_id); +} + +static gboolean +link_timeout_cb (gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMDevice *dev = NM_DEVICE (self); + NMActRequest *req; + NMConnection *applied_connection; + const char *setting_name; + + priv->supplicant_timeout_id = 0; + + req = nm_device_get_act_request (dev); + + if (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED) { + nm_device_state_changed (dev, + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_SUPPLICANT_TIMEOUT); + return FALSE; + } + + /* Disconnect event during initial authentication and credentials + * ARE checked - we are likely to have wrong key. Ask the user for + * another one. + */ + if (nm_device_get_state (dev) != NM_DEVICE_STATE_CONFIG) + goto time_out; + + nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req)); + + applied_connection = nm_act_request_get_applied_connection (req); + setting_name = nm_connection_need_secrets (applied_connection, NULL); + if (!setting_name) + goto time_out; + + _LOGI (LOGD_DEVICE | LOGD_ETHER, + "Activation: disconnected during authentication, asking for new key."); + supplicant_interface_release (self); + + nm_device_state_changed (dev, NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT); + macsec_secrets_get_secrets (self, setting_name, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW); + + return FALSE; + +time_out: + _LOGW (LOGD_DEVICE | LOGD_ETHER, "link timed out."); + nm_device_state_changed (dev, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT); + + return FALSE; +} + +static void +supplicant_iface_state_cb (NMSupplicantInterface *iface, + guint32 new_state, + guint32 old_state, + int disconnect_reason, + gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMDevice *device = NM_DEVICE (self); + NMSupplicantConfig *config; + gboolean success = FALSE; + NMDeviceState devstate; + GError *error = NULL; + + if (new_state == old_state) + return; + + _LOGI (LOGD_DEVICE, "supplicant interface state: %s -> %s", + nm_supplicant_interface_state_to_string (old_state), + nm_supplicant_interface_state_to_string (new_state)); + + devstate = nm_device_get_state (device); + + switch (new_state) { + case NM_SUPPLICANT_INTERFACE_STATE_READY: + config = build_supplicant_config (self, &error); + if (config) { + success = nm_supplicant_interface_set_config (priv->supplicant.iface, config, &error); + g_object_unref (config); + + if (!success) { + _LOGE (LOGD_DEVICE, + "Activation: couldn't send security configuration to the supplicant: %s", + error->message); + g_clear_error (&error); + } + } else { + _LOGE (LOGD_DEVICE, + "Activation: couldn't build security configuration: %s", + error->message); + g_clear_error (&error); + } + + if (!success) { + nm_device_state_changed (device, + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED); + } + break; + case NM_SUPPLICANT_INTERFACE_STATE_COMPLETED: + supplicant_interface_clear_handlers (self); + nm_device_bring_up (device, TRUE, NULL); + + /* If this is the initial association during device activation, + * schedule the next activation stage. + */ + if (devstate == NM_DEVICE_STATE_CONFIG) { + _LOGI (LOGD_DEVICE, + "Activation: Stage 2 of 5 (Device Configure) successful."); + nm_device_activate_schedule_stage3_ip_config_start (device); + } + break; + case NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED: + if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) { + /* Start the link timeout so we allow some time for reauthentication */ + if (!priv->supplicant_timeout_id) + priv->supplicant_timeout_id = g_timeout_add_seconds (15, link_timeout_cb, device); + } + break; + case NM_SUPPLICANT_INTERFACE_STATE_DOWN: + supplicant_interface_release (self); + + if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) { + nm_device_state_changed (device, + NM_DEVICE_STATE_FAILED, + NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED); + } + break; + default: + ; + } +} + +static NMActStageReturn +handle_auth_or_fail (NMDeviceMacsec *self, + NMActRequest *req, + gboolean new_secrets) +{ + const char *setting_name; + guint32 tries; + NMConnection *applied_connection; + + applied_connection = nm_act_request_get_applied_connection (req); + + tries = GPOINTER_TO_UINT (g_object_get_data (G_OBJECT (applied_connection), MACSEC_SECRETS_TRIES)); + if (tries > 3) + return NM_ACT_STAGE_RETURN_FAILURE; + + nm_device_state_changed (NM_DEVICE (self), NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_NONE); + + nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req)); + + setting_name = nm_connection_need_secrets (applied_connection, NULL); + if (setting_name) { + macsec_secrets_get_secrets (self, setting_name, + NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION + | (new_secrets ? NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW : 0)); + g_object_set_data (G_OBJECT (applied_connection), MACSEC_SECRETS_TRIES, GUINT_TO_POINTER (++tries)); + } else + _LOGI (LOGD_DEVICE, "Cleared secrets, but setting didn't need any secrets."); + + return NM_ACT_STAGE_RETURN_POSTPONE; +} + +static gboolean +supplicant_connection_timeout_cb (gpointer user_data) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMDevice *device = NM_DEVICE (self); + NMActRequest *req; + NMSettingsConnection *connection; + guint64 timestamp = 0; + gboolean new_secrets = TRUE; + + priv->supplicant.con_timeout_id = 0; + + /* Authentication failed; either driver problems, the encryption key is + * wrong, the passwords or certificates were wrong or the Ethernet switch's + * port is not configured for 802.1x. */ + _LOGW (LOGD_DEVICE, + "Activation: (macsec) association took too long."); + + supplicant_interface_release (self); + req = nm_device_get_act_request (device); + g_assert (req); + + connection = nm_act_request_get_settings_connection (req); + g_assert (connection); + + /* Ask for new secrets only if we've never activated this connection + * before. If we've connected before, don't bother the user with dialogs, + * just retry or fail, and if we never connect the user can fix the + * password somewhere else. */ + if (nm_settings_connection_get_timestamp (connection, ×tamp)) + new_secrets = !timestamp; + + if (handle_auth_or_fail (self, req, new_secrets) == NM_ACT_STAGE_RETURN_POSTPONE) + _LOGW (LOGD_DEVICE, "Activation: (macsec) asking for new secrets"); + else + nm_device_state_changed (device, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_NO_SECRETS); + + return FALSE; +} + +static gboolean +supplicant_interface_init (NMDeviceMacsec *self) +{ + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMDevice *parent; + + parent = nm_device_parent_get_device (NM_DEVICE (self)); + g_return_val_if_fail (parent, FALSE); + + supplicant_interface_release (self); + + priv->supplicant.iface = nm_supplicant_manager_create_interface (priv->supplicant.mgr, + nm_device_get_iface (parent), + NM_SUPPLICANT_DRIVER_MACSEC); + + if (!priv->supplicant.iface) { + _LOGE (LOGD_DEVICE, + "Couldn't initialize supplicant interface"); + return FALSE; + } + + /* Listen for its state signals */ + priv->supplicant.iface_state_id = g_signal_connect (priv->supplicant.iface, + NM_SUPPLICANT_INTERFACE_STATE, + G_CALLBACK (supplicant_iface_state_cb), + self); + + /* Hook up error signal handler to capture association errors */ + priv->supplicant.iface_error_id = g_signal_connect (priv->supplicant.iface, + NM_SUPPLICANT_INTERFACE_CONNECTION_ERROR, + G_CALLBACK (supplicant_iface_connection_error_cb), + self); + + /* Set up a timeout on the connection attempt to fail it after 25 seconds */ + priv->supplicant.con_timeout_id = g_timeout_add_seconds (25, supplicant_connection_timeout_cb, self); + + return TRUE; +} + +static NMActStageReturn +act_stage2_config (NMDevice *device, NMDeviceStateReason *reason) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (device); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + NMConnection *connection; + NMActStageReturn ret = NM_ACT_STAGE_RETURN_FAILURE; + const char *setting_name; + + connection = nm_device_get_applied_connection (NM_DEVICE (self)); + g_assert (connection); + + if (!priv->supplicant.mgr) + priv->supplicant.mgr = g_object_ref (nm_supplicant_manager_get ()); + + /* If we need secrets, get them */ + setting_name = nm_connection_need_secrets (connection, NULL); + if (setting_name) { + NMActRequest *req = nm_device_get_act_request (NM_DEVICE (self)); + + _LOGI (LOGD_DEVICE, + "Activation: connection '%s' has security, but secrets are required.", + nm_connection_get_id (connection)); + + ret = handle_auth_or_fail (self, req, FALSE); + if (ret != NM_ACT_STAGE_RETURN_POSTPONE) + *reason = NM_DEVICE_STATE_REASON_NO_SECRETS; + } else { + _LOGI (LOGD_DEVICE | LOGD_ETHER, + "Activation: connection '%s' requires no security. No secrets needed.", + nm_connection_get_id (connection)); + + if (supplicant_interface_init (self)) + ret = NM_ACT_STAGE_RETURN_POSTPONE; + else + *reason = NM_DEVICE_STATE_REASON_CONFIG_FAILED; + } + + return ret; +} + +static void +deactivate (NMDevice *device) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (device); + + supplicant_interface_release (self); +} + +static gboolean +check_connection_compatible (NMDevice *device, NMConnection *connection) +{ + NMSettingMacsec *s_macsec; + + if (!NM_DEVICE_CLASS (nm_device_macsec_parent_class)->check_connection_compatible (device, connection)) + return FALSE; + + s_macsec = nm_connection_get_setting_macsec (connection); + if (!s_macsec) + return FALSE; + + return TRUE; +} + +/******************************************************************/ + +static NMDeviceCapabilities +get_generic_capabilities (NMDevice *dev) +{ + /* We assume MACsec interfaces always support carrier detect */ + return NM_DEVICE_CAP_CARRIER_DETECT | NM_DEVICE_CAP_IS_SOFTWARE; +} + +/******************************************************************/ + +static gboolean +is_available (NMDevice *device, NMDeviceCheckDevAvailableFlags flags) +{ + if (!nm_device_parent_get_device (device)) + return FALSE; + return NM_DEVICE_CLASS (nm_device_macsec_parent_class)->is_available (device, flags); +} + +static gboolean +create_and_realize (NMDevice *device, + NMConnection *connection, + NMDevice *parent, + const NMPlatformLink **out_plink, + GError **error) +{ + const char *iface = nm_device_get_iface (device); + NMPlatformError plerr; + NMSettingMacsec *s_macsec; + NMPlatformLnkMacsec lnk = { }; + int parent_ifindex; + const char *hw_addr; + union { + struct { + guint8 mac[6]; + guint16 port; + } s; + guint64 u; + } sci; + + s_macsec = nm_connection_get_setting_macsec (connection); + g_assert (s_macsec); + + if (!parent) { + g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_FAILED, + "MACsec devices can not be created without a parent interface"); + return FALSE; + } + + lnk.encrypt = nm_setting_macsec_get_encrypt (s_macsec); + + hw_addr = nm_device_get_hw_address (parent); + if (!hw_addr) { + g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_FAILED, + "can't read parent MAC"); + return FALSE; + } + + nm_utils_hwaddr_aton (hw_addr, sci.s.mac, ETH_ALEN); + sci.s.port = htons (nm_setting_macsec_get_port (s_macsec)); + lnk.sci = be64toh (sci.u); + lnk.validation = nm_setting_macsec_get_validation (s_macsec); + + parent_ifindex = nm_device_get_ifindex (parent); + g_warn_if_fail (parent_ifindex > 0); + + plerr = nm_platform_link_macsec_add (NM_PLATFORM_GET, iface, parent_ifindex, &lnk, out_plink); + if (plerr != NM_PLATFORM_ERROR_SUCCESS) { + g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_CREATION_FAILED, + "Failed to create macsec interface '%s' for '%s': %s", + iface, + nm_connection_get_id (connection), + nm_platform_error_to_string (plerr)); + return FALSE; + } + + nm_device_parent_set_ifindex (device, parent_ifindex); + + return TRUE; +} + +static void +link_changed (NMDevice *device, + const NMPlatformLink *pllink) +{ + NM_DEVICE_CLASS (nm_device_macsec_parent_class)->link_changed (device, pllink); + update_properties (device); +} + +static void +clear_secrets_tries (NMDevice *device) +{ + NMActRequest *req; + NMConnection *connection; + + req = nm_device_get_act_request (device); + if (req) { + connection = nm_act_request_get_applied_connection (req); + /* Clear macsec secrets tries on success, failure, or when deactivating */ + g_object_set_data (G_OBJECT (connection), MACSEC_SECRETS_TRIES, NULL); + } +} + +static void +device_state_changed (NMDevice *device, + NMDeviceState new_state, + NMDeviceState old_state, + NMDeviceStateReason reason) +{ + if (new_state > NM_DEVICE_STATE_ACTIVATED) + macsec_secrets_cancel (NM_DEVICE_MACSEC (device)); + + if ( new_state == NM_DEVICE_STATE_ACTIVATED + || new_state == NM_DEVICE_STATE_FAILED + || new_state == NM_DEVICE_STATE_DISCONNECTED) + clear_secrets_tries (device); +} + +/******************************************************************/ + +static void +get_property (GObject *object, guint prop_id, + GValue *value, GParamSpec *pspec) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (object); + NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self); + + switch (prop_id) { + case PROP_SCI: + g_value_set_uint64 (value, priv->props.sci); + break; + case PROP_CIPHER_SUITE: + g_value_set_uint64 (value, priv->props.cipher_suite); + break; + case PROP_ICV_LENGTH: + g_value_set_uchar (value, priv->props.icv_length); + break; + case PROP_WINDOW: + g_value_set_uint (value, priv->props.window); + break; + case PROP_ENCODING_SA: + g_value_set_uchar (value, priv->props.encoding_sa); + break; + case PROP_ENCRYPT: + g_value_set_boolean (value, priv->props.encrypt); + break; + case PROP_PROTECT: + g_value_set_boolean (value, priv->props.protect); + break; + case PROP_INCLUDE_SCI: + g_value_set_boolean (value, priv->props.include_sci); + break; + case PROP_ES: + g_value_set_boolean (value, priv->props.es); + break; + case PROP_SCB: + g_value_set_boolean (value, priv->props.scb); + break; + case PROP_REPLAY_PROTECT: + g_value_set_boolean (value, priv->props.replay_protect); + break; + case PROP_VALIDATION: + g_value_set_string (value, + validation_mode_to_string (priv->props.validation)); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +nm_device_macsec_init (NMDeviceMacsec * self) +{ +} + +static void +dispose (GObject *object) +{ + NMDeviceMacsec *self = NM_DEVICE_MACSEC (object); + + macsec_secrets_cancel (self); + supplicant_interface_release (self); + + G_OBJECT_CLASS (nm_device_macsec_parent_class)->dispose (object); +} + +static void +nm_device_macsec_class_init (NMDeviceMacsecClass *klass) +{ + GObjectClass *object_class = G_OBJECT_CLASS (klass); + NMDeviceClass *parent_class = NM_DEVICE_CLASS (klass); + + NM_DEVICE_CLASS_DECLARE_TYPES (klass, NULL, NM_LINK_TYPE_MACSEC) + + object_class->get_property = get_property; + object_class->dispose = dispose; + + parent_class->act_stage2_config = act_stage2_config; + parent_class->check_connection_compatible = check_connection_compatible; + parent_class->create_and_realize = create_and_realize; + parent_class->deactivate = deactivate; + parent_class->get_generic_capabilities = get_generic_capabilities; + parent_class->link_changed = link_changed; + parent_class->is_available = is_available; + parent_class->parent_changed_notify = parent_changed_notify; + parent_class->state_changed = device_state_changed; + parent_class->get_configured_mtu = nm_device_get_configured_mtu_for_wired; + + parent_class->connection_type = NM_SETTING_MACSEC_SETTING_NAME; + + obj_properties[PROP_SCI] = + g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "", + 0, G_MAXUINT64, 0, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_CIPHER_SUITE] = + g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "", + 0, G_MAXUINT64, 0, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_ICV_LENGTH] = + g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "", + 0, G_MAXUINT8, 0, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_WINDOW] = + g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "", + 0, G_MAXUINT32, 0, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_ENCODING_SA] = + g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "", + 0, 3, 0, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_VALIDATION] = + g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "", + NULL, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_ENCRYPT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_PROTECT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_INCLUDE_SCI] = + g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_ES] = + g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_SCB] = + g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + obj_properties[PROP_REPLAY_PROTECT] = + g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "", + FALSE, + G_PARAM_READABLE | G_PARAM_STATIC_STRINGS); + + g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); + + nm_exported_object_class_add_interface (NM_EXPORTED_OBJECT_CLASS (klass), + NMDBUS_TYPE_DEVICE_MACSEC_SKELETON, + NULL); +} + +/*************************************************************/ + +#define NM_TYPE_MACSEC_DEVICE_FACTORY (nm_macsec_device_factory_get_type ()) +#define NM_MACSEC_DEVICE_FACTORY(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_MACSEC_DEVICE_FACTORY, NMMacsecDeviceFactory)) + +static NMDevice * +create_device (NMDeviceFactory *factory, + const char *iface, + const NMPlatformLink *plink, + NMConnection *connection, + gboolean *out_ignore) +{ + return (NMDevice *) g_object_new (NM_TYPE_DEVICE_MACSEC, + NM_DEVICE_IFACE, iface, + NM_DEVICE_TYPE_DESC, "Macsec", + NM_DEVICE_DEVICE_TYPE, NM_DEVICE_TYPE_MACSEC, + NM_DEVICE_LINK_TYPE, NM_LINK_TYPE_MACSEC, + NULL); +} + +static const char * +get_connection_parent (NMDeviceFactory *factory, NMConnection *connection) +{ + NMSettingMacsec *s_macsec; + NMSettingWired *s_wired; + const char *parent = NULL; + + g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL); + + s_macsec = nm_connection_get_setting_macsec (connection); + g_assert (s_macsec); + + parent = nm_setting_macsec_get_parent (s_macsec); + if (parent) + return parent; + + /* Try the hardware address from the MACsec connection's hardware setting */ + s_wired = nm_connection_get_setting_wired (connection); + if (s_wired) + return nm_setting_wired_get_mac_address (s_wired); + + return NULL; +} + +static char * +get_connection_iface (NMDeviceFactory *factory, + NMConnection *connection, + const char *parent_iface) +{ + NMSettingMacsec *s_macsec; + const char *ifname; + + g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL); + + s_macsec = nm_connection_get_setting_macsec (connection); + g_assert (s_macsec); + + if (!parent_iface) + return NULL; + + ifname = nm_connection_get_interface_name (connection); + return g_strdup (ifname); +} + +NM_DEVICE_FACTORY_DEFINE_INTERNAL (MACSEC, Macsec, macsec, + NM_DEVICE_FACTORY_DECLARE_LINK_TYPES (NM_LINK_TYPE_MACSEC) + NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES (NM_SETTING_MACSEC_SETTING_NAME), + factory_class->create_device = create_device; + factory_class->get_connection_parent = get_connection_parent; + factory_class->get_connection_iface = get_connection_iface; +) diff --git a/src/devices/nm-device-macsec.h b/src/devices/nm-device-macsec.h new file mode 100644 index 0000000000..17b33bf593 --- /dev/null +++ b/src/devices/nm-device-macsec.h @@ -0,0 +1,54 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* NetworkManager -- Network link manager + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#ifndef __NM_DEVICE_MACSEC_H__ +#define __NM_DEVICE_MACSEC_H__ + +#include "nm-device.h" + +#define NM_TYPE_DEVICE_MACSEC (nm_device_macsec_get_type ()) +#define NM_DEVICE_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsec)) +#define NM_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass)) +#define NM_IS_DEVICE_MACSEC(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_DEVICE_MACSEC)) +#define NM_IS_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_DEVICE_MACSEC)) +#define NM_DEVICE_MACSEC_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass)) + +#define NM_DEVICE_MACSEC_SCI "sci" +#define NM_DEVICE_MACSEC_CIPHER_SUITE "cipher-suite" +#define NM_DEVICE_MACSEC_ICV_LENGTH "icv-length" +#define NM_DEVICE_MACSEC_WINDOW "window" +#define NM_DEVICE_MACSEC_ENCODING_SA "encoding-sa" +#define NM_DEVICE_MACSEC_VALIDATION "validation" +#define NM_DEVICE_MACSEC_ENCRYPT "encrypt" +#define NM_DEVICE_MACSEC_PROTECT "protect" +#define NM_DEVICE_MACSEC_INCLUDE_SCI "include-sci" +#define NM_DEVICE_MACSEC_ES "es" +#define NM_DEVICE_MACSEC_SCB "scb" +#define NM_DEVICE_MACSEC_REPLAY_PROTECT "replay-protect" + +/* defined in the parent class, but exposed on D-Bus by the subclass. */ +#define NM_DEVICE_MACSEC_PARENT NM_DEVICE_PARENT + +typedef struct _NMDeviceMacsec NMDeviceMacsec; +typedef struct _NMDeviceMacsecClass NMDeviceMacsecClass; + +GType nm_device_macsec_get_type (void); + +#endif /* __NM_DEVICE_MACSEC_H__ */ diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c index c236a85803..f0a218ee18 100644 --- a/src/devices/nm-device.c +++ b/src/devices/nm-device.c @@ -1330,6 +1330,8 @@ nm_device_get_priority (NMDevice *self) case NM_DEVICE_TYPE_ETHERNET: case NM_DEVICE_TYPE_VETH: return 100; + case NM_DEVICE_TYPE_MACSEC: + return 125; case NM_DEVICE_TYPE_INFINIBAND: return 150; case NM_DEVICE_TYPE_ADSL: diff --git a/src/devices/wifi/nm-device-wifi.c b/src/devices/wifi/nm-device-wifi.c index 9d002e8362..9e7196d3ec 100644 --- a/src/devices/wifi/nm-device-wifi.c +++ b/src/devices/wifi/nm-device-wifi.c @@ -232,7 +232,7 @@ supplicant_interface_acquire (NMDeviceWifi *self) priv->sup_iface = nm_supplicant_manager_create_interface (priv->sup_mgr, nm_device_get_iface (NM_DEVICE (self)), - TRUE); + NM_SUPPLICANT_DRIVER_WIRELESS); if (!priv->sup_iface) { _LOGE (LOGD_WIFI, "Couldn't initialize supplicant interface"); return FALSE; diff --git a/src/nm-types.h b/src/nm-types.h index 8f0cc5849f..c323c9a786 100644 --- a/src/nm-types.h +++ b/src/nm-types.h @@ -129,6 +129,7 @@ typedef enum { NM_LINK_TYPE_IP6TNL, NM_LINK_TYPE_IPIP, NM_LINK_TYPE_LOOPBACK, + NM_LINK_TYPE_MACSEC, NM_LINK_TYPE_MACVLAN, NM_LINK_TYPE_MACVTAP, NM_LINK_TYPE_OPENVSWITCH, @@ -160,6 +161,7 @@ typedef enum { NMP_OBJECT_TYPE_LNK_INFINIBAND, NMP_OBJECT_TYPE_LNK_IP6TNL, NMP_OBJECT_TYPE_LNK_IPIP, + NMP_OBJECT_TYPE_LNK_MACSEC, NMP_OBJECT_TYPE_LNK_MACVLAN, NMP_OBJECT_TYPE_LNK_MACVTAP, NMP_OBJECT_TYPE_LNK_SIT, diff --git a/src/platform/nm-linux-platform.c b/src/platform/nm-linux-platform.c index 7b68d14437..ef946e39a0 100644 --- a/src/platform/nm-linux-platform.c +++ b/src/platform/nm-linux-platform.c @@ -21,6 +21,7 @@ #include "nm-linux-platform.h" +#include <endian.h> #include <errno.h> #include <unistd.h> #include <sys/socket.h> @@ -111,6 +112,25 @@ /*****************************************************************************/ +#define IFLA_MACSEC_UNSPEC 0 +#define IFLA_MACSEC_SCI 1 +#define IFLA_MACSEC_PORT 2 +#define IFLA_MACSEC_ICV_LEN 3 +#define IFLA_MACSEC_CIPHER_SUITE 4 +#define IFLA_MACSEC_WINDOW 5 +#define IFLA_MACSEC_ENCODING_SA 6 +#define IFLA_MACSEC_ENCRYPT 7 +#define IFLA_MACSEC_PROTECT 8 +#define IFLA_MACSEC_INC_SCI 9 +#define IFLA_MACSEC_ES 10 +#define IFLA_MACSEC_SCB 11 +#define IFLA_MACSEC_REPLAY_PROTECT 12 +#define IFLA_MACSEC_VALIDATION 13 +#define IFLA_MACSEC_PAD 14 +#define __IFLA_MACSEC_MAX 15 + +/*****************************************************************************/ + #define _NMLOG_PREFIX_NAME "platform-linux" #define _NMLOG_DOMAIN LOGD_PLATFORM #define _NMLOG2_DOMAIN LOGD_PLATFORM @@ -365,6 +385,7 @@ static const LinkDesc linktypes[] = { { NM_LINK_TYPE_IP6TNL, "ip6tnl", "ip6tnl", NULL }, { NM_LINK_TYPE_IPIP, "ipip", "ipip", NULL }, { NM_LINK_TYPE_LOOPBACK, "loopback", NULL, NULL }, + { NM_LINK_TYPE_MACSEC, "macsec", "macsec", NULL }, { NM_LINK_TYPE_MACVLAN, "macvlan", "macvlan", NULL }, { NM_LINK_TYPE_MACVTAP, "macvtap", "macvtap", NULL }, { NM_LINK_TYPE_OPENVSWITCH, "openvswitch", "openvswitch", NULL }, @@ -1110,6 +1131,56 @@ _parse_lnk_macvlan (const char *kind, struct nlattr *info_data) /*****************************************************************************/ static NMPObject * +_parse_lnk_macsec (const char *kind, struct nlattr *info_data) +{ + static struct nla_policy policy[__IFLA_MACSEC_MAX] = { + [IFLA_MACSEC_SCI] = { .type = NLA_U64 }, + [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 }, + [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 }, + [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 }, + [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 }, + [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 }, + [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 }, + [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 }, + [IFLA_MACSEC_ES] = { .type = NLA_U8 }, + [IFLA_MACSEC_SCB] = { .type = NLA_U8 }, + [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 }, + [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 }, + }; + struct nlattr *tb[__IFLA_MACSEC_MAX]; + int err; + NMPObject *obj; + NMPlatformLnkMacsec *props; + + if (!info_data || !nm_streq0 (kind, "macsec")) + return NULL; + + err = nla_parse_nested (tb, __IFLA_MACSEC_MAX - 1, info_data, policy); + if (err < 0) + return NULL; + + obj = nmp_object_new (NMP_OBJECT_TYPE_LNK_MACSEC, NULL); + props = &obj->lnk_macsec; + + props->sci = tb[IFLA_MACSEC_SCI] ? be64toh (nla_get_u64 (tb[IFLA_MACSEC_SCI])) : 0; + props->icv_length = tb[IFLA_MACSEC_ICV_LEN] ? nla_get_u8 (tb[IFLA_MACSEC_ICV_LEN]) : 0; + props->cipher_suite = tb [IFLA_MACSEC_CIPHER_SUITE] ? nla_get_u64 (tb[IFLA_MACSEC_CIPHER_SUITE]) : 0; + props->window = tb [IFLA_MACSEC_WINDOW] ? nla_get_u32 (tb[IFLA_MACSEC_WINDOW]) : 0; + props->encoding_sa = tb[IFLA_MACSEC_ENCODING_SA] ? !!nla_get_u8 (tb[IFLA_MACSEC_ENCODING_SA]) : 0; + props->encrypt = tb[IFLA_MACSEC_ENCRYPT] ? !!nla_get_u8 (tb[IFLA_MACSEC_ENCRYPT]) : 0; + props->protect = tb[IFLA_MACSEC_PROTECT] ? !!nla_get_u8 (tb[IFLA_MACSEC_PROTECT]) : 0; + props->include_sci = tb[IFLA_MACSEC_INC_SCI] ? !!nla_get_u8 (tb[IFLA_MACSEC_INC_SCI]) : 0; + props->es = tb[IFLA_MACSEC_ES] ? !!nla_get_u8 (tb[IFLA_MACSEC_ES]) : 0; + props->scb = tb[IFLA_MACSEC_SCB] ? !!nla_get_u8 (tb[IFLA_MACSEC_SCB]) : 0; + props->replay_protect = tb[IFLA_MACSEC_REPLAY_PROTECT] ? !!nla_get_u8 (tb[IFLA_MACSEC_REPLAY_PROTECT]) : 0; + props->validation = tb[IFLA_MACSEC_VALIDATION] ? nla_get_u8 (tb[IFLA_MACSEC_VALIDATION]) : 0; + + return obj; +} + +/*****************************************************************************/ + +static NMPObject * _parse_lnk_sit (const char *kind, struct nlattr *info_data) { static struct nla_policy policy[IFLA_IPTUN_MAX + 1] = { @@ -1555,6 +1626,9 @@ _new_from_nl_link (NMPlatform *platform, const NMPCache *cache, struct nlmsghdr case NM_LINK_TYPE_IPIP: lnk_data = _parse_lnk_ipip (nl_info_kind, nl_info_data); break; + case NM_LINK_TYPE_MACSEC: + lnk_data = _parse_lnk_macsec (nl_info_kind, nl_info_data); + break; case NM_LINK_TYPE_MACVLAN: case NM_LINK_TYPE_MACVTAP: lnk_data = _parse_lnk_macvlan (nl_info_kind, nl_info_data); @@ -4813,6 +4887,68 @@ nla_put_failure: } static int +link_macsec_add (NMPlatform *platform, + const char *name, + int parent, + const NMPlatformLnkMacsec *props, + const NMPlatformLink **out_link) +{ + nm_auto_nlmsg struct nl_msg *nlmsg = NULL; + struct nlattr *info; + struct nlattr *data; + + _LOGD ("adding macsec '%s' parent %u sci %llx", + name, + parent, + (unsigned long long) props->sci); + + nlmsg = _nl_msg_new_link (RTM_NEWLINK, + NLM_F_CREATE | NLM_F_EXCL, + 0, + name, + 0, + 0); + if (!nlmsg) + return FALSE; + + NLA_PUT_U32 (nlmsg, IFLA_LINK, parent); + + if (!(info = nla_nest_start (nlmsg, IFLA_LINKINFO))) + goto nla_put_failure; + + NLA_PUT_STRING (nlmsg, IFLA_INFO_KIND, "macsec"); + + if (!(data = nla_nest_start (nlmsg, IFLA_INFO_DATA))) + goto nla_put_failure; + + if (props->icv_length) + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_ICV_LEN, 16); + if (props->cipher_suite) + NLA_PUT_U64 (nlmsg, IFLA_MACSEC_CIPHER_SUITE, props->cipher_suite); + if (props->replay_protect) + NLA_PUT_U32 (nlmsg, IFLA_MACSEC_WINDOW, props->window); + + NLA_PUT_U64 (nlmsg, IFLA_MACSEC_SCI, htobe64 (props->sci)); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_ENCODING_SA, props->encoding_sa); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_ENCRYPT, props->encrypt); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_PROTECT, props->protect); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_INC_SCI, props->include_sci); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_ES, props->es); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_SCB, props->scb); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_REPLAY_PROTECT, props->replay_protect); + NLA_PUT_U8 (nlmsg, IFLA_MACSEC_VALIDATION, props->validation); + + nla_nest_end (nlmsg, data); + nla_nest_end (nlmsg, info); + + return do_add_link_with_lookup (platform, + NM_LINK_TYPE_MACSEC, + name, nlmsg, out_link); +nla_put_failure: + g_return_val_if_reached (FALSE); +} + +static int link_macvlan_add (NMPlatform *platform, const char *name, int parent, @@ -6654,6 +6790,7 @@ nm_linux_platform_class_init (NMLinuxPlatformClass *klass) platform_class->link_gre_add = link_gre_add; platform_class->link_ip6tnl_add = link_ip6tnl_add; + platform_class->link_macsec_add = link_macsec_add; platform_class->link_macvlan_add = link_macvlan_add; platform_class->link_ipip_add = link_ipip_add; platform_class->link_sit_add = link_sit_add; diff --git a/src/platform/nm-platform.c b/src/platform/nm-platform.c index 0b23b67f14..4552f76069 100644 --- a/src/platform/nm-platform.c +++ b/src/platform/nm-platform.c @@ -1527,6 +1527,12 @@ nm_platform_link_get_lnk_ipip (NMPlatform *self, int ifindex, const NMPlatformLi return _link_get_lnk (self, ifindex, NM_LINK_TYPE_IPIP, out_link); } +const NMPlatformLnkMacsec * +nm_platform_link_get_lnk_macsec (NMPlatform *self, int ifindex, const NMPlatformLink **out_link) +{ + return _link_get_lnk (self, ifindex, NM_LINK_TYPE_MACSEC, out_link); +} + const NMPlatformLnkMacvlan * nm_platform_link_get_lnk_macvlan (NMPlatform *self, int ifindex, const NMPlatformLink **out_link) { @@ -2171,6 +2177,43 @@ nm_platform_link_ipip_add (NMPlatform *self, } /** + * nm_platform_macsec_add: + * @self: platform instance + * @name: name of the new interface + * @props: interface properties + * @out_link: on success, the link object + * + * Create a MACsec interface. + */ +NMPlatformError +nm_platform_link_macsec_add (NMPlatform *self, + const char *name, + int parent, + const NMPlatformLnkMacsec *props, + const NMPlatformLink **out_link) +{ + NMPlatformError plerr; + + _CHECK_SELF (self, klass, NM_PLATFORM_ERROR_BUG); + + g_return_val_if_fail (props, NM_PLATFORM_ERROR_BUG); + g_return_val_if_fail (name, NM_PLATFORM_ERROR_BUG); + + plerr = _link_add_check_existing (self, name, NM_LINK_TYPE_MACSEC, out_link); + if (plerr != NM_PLATFORM_ERROR_SUCCESS) + return plerr; + + _LOGD ("adding macsec '%s' parent %u sci %llx", + name, + parent, + (unsigned long long) props->sci); + + if (!klass->link_macsec_add (self, name, parent, props, out_link)) + return NM_PLATFORM_ERROR_UNSPECIFIED; + return NM_PLATFORM_ERROR_SUCCESS; +} + +/** * nm_platform_macvlan_add: * @self: platform instance * @name: name of the new interface @@ -3484,6 +3527,39 @@ nm_platform_lnk_ipip_to_string (const NMPlatformLnkIpIp *lnk, char *buf, gsize l } const char * +nm_platform_lnk_macsec_to_string (const NMPlatformLnkMacsec *lnk, char *buf, gsize len) +{ + if (!nm_utils_to_string_buffer_init_null (lnk, &buf, &len)) + return buf; + + g_snprintf (buf, len, + "macsec " + "sci %016llx " + "protect %s " + "cipher %016llx " + "icvlen %u " + "encodingsa %u " + "validate %u " + "encrypt %s " + "send_sci %s " + "end_station %s " + "scb %s " + "replay %s", + (unsigned long long) lnk->sci, + lnk->protect ? "on" : "off", + (unsigned long long) lnk->cipher_suite, + lnk->icv_length, + lnk->encoding_sa, + lnk->validation, + lnk->encrypt ? "on" : "off", + lnk->include_sci ? "on" : "off", + lnk->es ? "on" : "off", + lnk->scb ? "on" : "off", + lnk->replay_protect ? "on" : "off"); + return buf; +} + +const char * nm_platform_lnk_macvlan_to_string (const NMPlatformLnkMacvlan *lnk, char *buf, gsize len) { if (!nm_utils_to_string_buffer_init_null (lnk, &buf, &len)) @@ -4065,6 +4141,25 @@ nm_platform_lnk_ipip_cmp (const NMPlatformLnkIpIp *a, const NMPlatformLnkIpIp *b } int +nm_platform_lnk_macsec_cmp (const NMPlatformLnkMacsec *a, const NMPlatformLnkMacsec *b) +{ + _CMP_SELF (a, b); + _CMP_FIELD (a, b, sci); + _CMP_FIELD (a, b, icv_length); + _CMP_FIELD (a, b, cipher_suite); + _CMP_FIELD (a, b, window); + _CMP_FIELD (a, b, encoding_sa); + _CMP_FIELD (a, b, validation); + _CMP_FIELD (a, b, encrypt); + _CMP_FIELD (a, b, protect); + _CMP_FIELD (a, b, include_sci); + _CMP_FIELD (a, b, es); + _CMP_FIELD (a, b, scb); + _CMP_FIELD (a, b, replay_protect); + return 0; +} + +int nm_platform_lnk_macvlan_cmp (const NMPlatformLnkMacvlan *a, const NMPlatformLnkMacvlan *b) { _CMP_SELF (a, b); diff --git a/src/platform/nm-platform.h b/src/platform/nm-platform.h index 91f8ab5d6f..f0b2cc8225 100644 --- a/src/platform/nm-platform.h +++ b/src/platform/nm-platform.h @@ -427,6 +427,22 @@ typedef struct { } NMPlatformLnkIpIp; typedef struct { + int parent_ifindex; + guint64 sci; /* host byte order */ + guint64 cipher_suite; + guint32 window; + guint8 icv_length; + guint8 encoding_sa; + guint8 validation; + bool encrypt:1; + bool protect:1; + bool include_sci:1; + bool es:1; + bool scb:1; + bool replay_protect:1; +} NMPlatformLnkMacsec; + +typedef struct { guint mode; bool no_promisc:1; bool tap:1; @@ -588,6 +604,11 @@ typedef struct { const char *name, const NMPlatformLnkIpIp *props, const NMPlatformLink **out_link); + gboolean (*link_macsec_add) (NMPlatform *, + const char *name, + int parent, + const NMPlatformLnkMacsec *props, + const NMPlatformLink **out_link); gboolean (*link_macvlan_add) (NMPlatform *, const char *name, int parent, @@ -818,6 +839,7 @@ const NMPlatformLnkIp6Tnl *nm_platform_link_get_lnk_ip6tnl (NMPlatform *self, in const NMPlatformLnkIpIp *nm_platform_link_get_lnk_ipip (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); const NMPlatformLnkInfiniband *nm_platform_link_get_lnk_infiniband (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); const NMPlatformLnkIpIp *nm_platform_link_get_lnk_ipip (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); +const NMPlatformLnkMacsec *nm_platform_link_get_lnk_macsec (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); const NMPlatformLnkMacvlan *nm_platform_link_get_lnk_macvlan (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); const NMPlatformLnkMacvtap *nm_platform_link_get_lnk_macvtap (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); const NMPlatformLnkSit *nm_platform_link_get_lnk_sit (NMPlatform *self, int ifindex, const NMPlatformLink **out_link); @@ -902,6 +924,11 @@ NMPlatformError nm_platform_link_ipip_add (NMPlatform *self, const char *name, const NMPlatformLnkIpIp *props, const NMPlatformLink **out_link); +NMPlatformError nm_platform_link_macsec_add (NMPlatform *self, + const char *name, + int parent, + const NMPlatformLnkMacsec *props, + const NMPlatformLink **out_link); NMPlatformError nm_platform_link_macvlan_add (NMPlatform *self, const char *name, int parent, @@ -956,6 +983,7 @@ const char *nm_platform_lnk_gre_to_string (const NMPlatformLnkGre *lnk, char *bu const char *nm_platform_lnk_infiniband_to_string (const NMPlatformLnkInfiniband *lnk, char *buf, gsize len); const char *nm_platform_lnk_ip6tnl_to_string (const NMPlatformLnkIp6Tnl *lnk, char *buf, gsize len); const char *nm_platform_lnk_ipip_to_string (const NMPlatformLnkIpIp *lnk, char *buf, gsize len); +const char *nm_platform_lnk_macsec_to_string (const NMPlatformLnkMacsec *lnk, char *buf, gsize len); const char *nm_platform_lnk_macvlan_to_string (const NMPlatformLnkMacvlan *lnk, char *buf, gsize len); const char *nm_platform_lnk_sit_to_string (const NMPlatformLnkSit *lnk, char *buf, gsize len); const char *nm_platform_lnk_vlan_to_string (const NMPlatformLnkVlan *lnk, char *buf, gsize len); @@ -976,6 +1004,7 @@ int nm_platform_lnk_gre_cmp (const NMPlatformLnkGre *a, const NMPlatformLnkGre * int nm_platform_lnk_infiniband_cmp (const NMPlatformLnkInfiniband *a, const NMPlatformLnkInfiniband *b); int nm_platform_lnk_ip6tnl_cmp (const NMPlatformLnkIp6Tnl *a, const NMPlatformLnkIp6Tnl *b); int nm_platform_lnk_ipip_cmp (const NMPlatformLnkIpIp *a, const NMPlatformLnkIpIp *b); +int nm_platform_lnk_macsec_cmp (const NMPlatformLnkMacsec *a, const NMPlatformLnkMacsec *b); int nm_platform_lnk_macvlan_cmp (const NMPlatformLnkMacvlan *a, const NMPlatformLnkMacvlan *b); int nm_platform_lnk_sit_cmp (const NMPlatformLnkSit *a, const NMPlatformLnkSit *b); int nm_platform_lnk_vlan_cmp (const NMPlatformLnkVlan *a, const NMPlatformLnkVlan *b); diff --git a/src/platform/nmp-object.c b/src/platform/nmp-object.c index e1e13882da..1503ca9a17 100644 --- a/src/platform/nmp-object.c +++ b/src/platform/nmp-object.c @@ -2230,6 +2230,15 @@ const NMPClass _nmp_classes[NMP_OBJECT_TYPE_MAX] = { .cmd_plobj_to_string = (const char *(*) (const NMPlatformObject *obj, char *buf, gsize len)) nm_platform_lnk_ipip_to_string, .cmd_plobj_cmp = (int (*) (const NMPlatformObject *obj1, const NMPlatformObject *obj2)) nm_platform_lnk_ipip_cmp, }, + [NMP_OBJECT_TYPE_LNK_MACSEC - 1] = { + .obj_type = NMP_OBJECT_TYPE_LNK_MACSEC, + .sizeof_data = sizeof (NMPObjectLnkMacsec), + .sizeof_public = sizeof (NMPlatformLnkMacsec), + .obj_type_name = "macsec", + .lnk_link_type = NM_LINK_TYPE_MACSEC, + .cmd_plobj_to_string = (const char *(*) (const NMPlatformObject *obj, char *buf, gsize len)) nm_platform_lnk_macsec_to_string, + .cmd_plobj_cmp = (int (*) (const NMPlatformObject *obj1, const NMPlatformObject *obj2)) nm_platform_lnk_macsec_cmp, + }, [NMP_OBJECT_TYPE_LNK_MACVLAN - 1] = { .obj_type = NMP_OBJECT_TYPE_LNK_MACVLAN, .sizeof_data = sizeof (NMPObjectLnkMacvlan), diff --git a/src/platform/nmp-object.h b/src/platform/nmp-object.h index 7a91583a25..dd11b98586 100644 --- a/src/platform/nmp-object.h +++ b/src/platform/nmp-object.h @@ -207,6 +207,10 @@ typedef struct { } NMPObjectLnkIpIp; typedef struct { + NMPlatformLnkMacsec _public; +} NMPObjectLnkMacsec; + +typedef struct { NMPlatformLnkMacvlan _public; } NMPObjectLnkMacvlan; @@ -267,6 +271,9 @@ struct _NMPObject { NMPlatformLnkIp6Tnl lnk_ip6tnl; NMPObjectLnkIp6Tnl _lnk_ip6tnl; + NMPlatformLnkMacsec lnk_macsec; + NMPObjectLnkMacsec _lnk_macsec; + NMPlatformLnkMacvlan lnk_macvlan; NMPObjectLnkMacvlan _lnk_macvlan; diff --git a/src/supplicant/nm-supplicant-config.c b/src/supplicant/nm-supplicant-config.c index a312d65919..8f766d7cb9 100644 --- a/src/supplicant/nm-supplicant-config.c +++ b/src/supplicant/nm-supplicant-config.c @@ -363,6 +363,83 @@ wifi_freqs_to_string (gboolean bg_band) } gboolean +nm_supplicant_config_add_setting_macsec (NMSupplicantConfig * self, + NMSettingMacsec * setting, + GError **error) +{ + NMSupplicantConfigPrivate *priv; + gs_unref_bytes GBytes *bytes = NULL; + const char *value; + char buf[32]; + int port; + + g_return_val_if_fail (NM_IS_SUPPLICANT_CONFIG (self), FALSE); + g_return_val_if_fail (setting != NULL, FALSE); + g_return_val_if_fail (!error || !*error, FALSE); + + priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE (self); + + if (!nm_supplicant_config_add_option (self, "macsec_policy", "1", -1, NULL, error)) + return FALSE; + + value = nm_setting_macsec_get_encrypt (setting) ? "0" : "1"; + if (!nm_supplicant_config_add_option (self, "macsec_integ_only", value, -1, NULL, error)) + return FALSE; + + port = nm_setting_macsec_get_port (setting); + if (port > 0 && port < 65534) { + snprintf (buf, sizeof (buf), "%d", port); + if (!nm_supplicant_config_add_option (self, "macsec_port", buf, -1, NULL, error)) + return FALSE; + } + + if (nm_setting_macsec_get_mode (setting) == NM_SETTING_MACSEC_MODE_PSK) { + if (!nm_supplicant_config_add_option (self, "key_mgmt", "NONE", -1, NULL, error)) + return FALSE; + + /* CAK */ + value = nm_setting_macsec_get_mka_cak (setting); + if (!value) { + g_set_error_literal (error, + NM_SUPPLICANT_ERROR, + NM_SUPPLICANT_ERROR_CONFIG, + "missing MKA CAK"); + return FALSE; + } + + bytes = nm_utils_hexstr2bin (value); + if (!nm_supplicant_config_add_option (self, + "mka_cak", + g_bytes_get_data (bytes, NULL), + g_bytes_get_size (bytes), + "<hidden>", + error)) + return FALSE; + + /* CKN */ + value = nm_setting_macsec_get_mka_ckn (setting); + if (!value) { + g_set_error_literal (error, + NM_SUPPLICANT_ERROR, + NM_SUPPLICANT_ERROR_CONFIG, + "missing MKA CKN"); + return FALSE; + } + + bytes = nm_utils_hexstr2bin (value); + if (!nm_supplicant_config_add_option (self, + "mka_ckn", + g_bytes_get_data (bytes, NULL), + g_bytes_get_size (bytes), + NULL, + error)) + return FALSE; + } + + return TRUE; +} + +gboolean nm_supplicant_config_add_setting_wireless (NMSupplicantConfig * self, NMSettingWireless * setting, guint32 fixed_freq, diff --git a/src/supplicant/nm-supplicant-config.h b/src/supplicant/nm-supplicant-config.h index 5b12a41175..40fca61b03 100644 --- a/src/supplicant/nm-supplicant-config.h +++ b/src/supplicant/nm-supplicant-config.h @@ -22,6 +22,7 @@ #ifndef __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ #define __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ +#include <nm-setting-macsec.h> #include <nm-setting-wireless.h> #include <nm-setting-wireless-security.h> #include <nm-setting-8021x.h> @@ -71,4 +72,8 @@ gboolean nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self, gboolean wired, GError **error); +gboolean nm_supplicant_config_add_setting_macsec (NMSupplicantConfig *self, + NMSettingMacsec *setting, + GError **error); + #endif /* __NETWORKMANAGER_SUPPLICANT_CONFIG_H__ */ diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c index 408704bc60..6fc8553584 100644 --- a/src/supplicant/nm-supplicant-interface.c +++ b/src/supplicant/nm-supplicant-interface.c @@ -56,14 +56,14 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSupplicantInterface, PROP_IFACE, PROP_SCANNING, PROP_CURRENT_BSS, - PROP_IS_WIRELESS, + PROP_DRIVER, PROP_FAST_SUPPORTED, PROP_AP_SUPPORT, ); typedef struct { char * dev; - bool is_wireless; + NMSupplicantDriver driver; bool fast_supported; gboolean has_credreq; /* Whether querying 802.1x credentials is supported */ NMSupplicantFeature ap_support; /* Lightweight AP mode support */ @@ -918,6 +918,7 @@ on_wpas_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_d gs_free_error GError *error = NULL; GDBusProxy *wpas_proxy; GVariantBuilder props; + const char *driver_name = NULL; wpas_proxy = g_dbus_proxy_new_for_bus_finish (result, &error); if (!wpas_proxy) { @@ -939,10 +940,24 @@ on_wpas_proxy_acquired (GDBusProxy *proxy, GAsyncResult *result, gpointer user_d * when the supplicant has started. */ + switch (priv->driver) { + case NM_SUPPLICANT_DRIVER_WIRELESS: + driver_name = DEFAULT_WIFI_DRIVER; + break; + case NM_SUPPLICANT_DRIVER_WIRED: + driver_name = "wired"; + break; + case NM_SUPPLICANT_DRIVER_MACSEC: + driver_name = "macsec_linux"; + break; + } + + g_return_if_fail (driver_name); + g_variant_builder_init (&props, G_VARIANT_TYPE_VARDICT); g_variant_builder_add (&props, "{sv}", "Driver", - g_variant_new_string (priv->is_wireless ? DEFAULT_WIFI_DRIVER : "wired")); + g_variant_new_string (driver_name)); g_variant_builder_add (&props, "{sv}", "Ifname", g_variant_new_string (priv->dev)); @@ -1448,7 +1463,7 @@ nm_supplicant_interface_get_max_scan_ssids (NMSupplicantInterface *self) NMSupplicantInterface * nm_supplicant_interface_new (const char *ifname, - gboolean is_wireless, + NMSupplicantDriver driver, gboolean fast_supported, NMSupplicantFeature ap_support) { @@ -1456,7 +1471,7 @@ nm_supplicant_interface_new (const char *ifname, return g_object_new (NM_TYPE_SUPPLICANT_INTERFACE, NM_SUPPLICANT_INTERFACE_IFACE, ifname, - NM_SUPPLICANT_INTERFACE_IS_WIRELESS, is_wireless, + NM_SUPPLICANT_INTERFACE_DRIVER, (guint) driver, NM_SUPPLICANT_INTERFACE_FAST_SUPPORTED, fast_supported, NM_SUPPLICANT_INTERFACE_AP_SUPPORT, (int) ap_support, NULL); @@ -1485,9 +1500,9 @@ set_property (GObject *object, priv->dev = g_value_dup_string (value); g_return_if_fail (priv->dev); break; - case PROP_IS_WIRELESS: + case PROP_DRIVER: /* construct-only */ - priv->is_wireless = g_value_get_boolean (value); + priv->driver = g_value_get_uint (value); break; case PROP_FAST_SUPPORTED: /* construct-only */ @@ -1576,12 +1591,12 @@ nm_supplicant_interface_class_init (NMSupplicantInterfaceClass *klass) G_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS); - obj_properties[PROP_IS_WIRELESS] = - g_param_spec_boolean (NM_SUPPLICANT_INTERFACE_IS_WIRELESS, "", "", - TRUE, - G_PARAM_WRITABLE | - G_PARAM_CONSTRUCT_ONLY | - G_PARAM_STATIC_STRINGS); + obj_properties[PROP_DRIVER] = + g_param_spec_uint (NM_SUPPLICANT_INTERFACE_DRIVER, "", "", + 0, G_MAXUINT, NM_SUPPLICANT_DRIVER_WIRELESS, + G_PARAM_WRITABLE | + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS); obj_properties[PROP_FAST_SUPPORTED] = g_param_spec_boolean (NM_SUPPLICANT_INTERFACE_FAST_SUPPORTED, "", "", TRUE, diff --git a/src/supplicant/nm-supplicant-interface.h b/src/supplicant/nm-supplicant-interface.h index 852bf10409..5ab66d5dee 100644 --- a/src/supplicant/nm-supplicant-interface.h +++ b/src/supplicant/nm-supplicant-interface.h @@ -57,7 +57,7 @@ enum { #define NM_SUPPLICANT_INTERFACE_IFACE "iface" #define NM_SUPPLICANT_INTERFACE_SCANNING "scanning" #define NM_SUPPLICANT_INTERFACE_CURRENT_BSS "current-bss" -#define NM_SUPPLICANT_INTERFACE_IS_WIRELESS "is-wireless" +#define NM_SUPPLICANT_INTERFACE_DRIVER "driver" #define NM_SUPPLICANT_INTERFACE_FAST_SUPPORTED "fast-supported" #define NM_SUPPLICANT_INTERFACE_AP_SUPPORT "ap-support" @@ -76,7 +76,7 @@ typedef struct _NMSupplicantInterfaceClass NMSupplicantInterfaceClass; GType nm_supplicant_interface_get_type (void); NMSupplicantInterface * nm_supplicant_interface_new (const char *ifname, - gboolean is_wireless, + NMSupplicantDriver driver, gboolean fast_supported, NMSupplicantFeature ap_support); diff --git a/src/supplicant/nm-supplicant-manager.c b/src/supplicant/nm-supplicant-manager.c index 573fdaa0fa..2fbfa391ba 100644 --- a/src/supplicant/nm-supplicant-manager.c +++ b/src/supplicant/nm-supplicant-manager.c @@ -137,7 +137,7 @@ _sup_iface_last_ref (gpointer data, NMSupplicantInterface * nm_supplicant_manager_create_interface (NMSupplicantManager *self, const char *ifname, - gboolean is_wireless) + NMSupplicantDriver driver) { NMSupplicantManagerPrivate *priv; NMSupplicantInterface *iface; @@ -157,7 +157,7 @@ nm_supplicant_manager_create_interface (NMSupplicantManager *self, } iface = nm_supplicant_interface_new (ifname, - is_wireless, + driver, priv->fast_supported, priv->ap_support); diff --git a/src/supplicant/nm-supplicant-manager.h b/src/supplicant/nm-supplicant-manager.h index 3c1627b5aa..8928cf206b 100644 --- a/src/supplicant/nm-supplicant-manager.h +++ b/src/supplicant/nm-supplicant-manager.h @@ -40,6 +40,6 @@ NMSupplicantManager *nm_supplicant_manager_get (void); NMSupplicantInterface *nm_supplicant_manager_create_interface (NMSupplicantManager *mgr, const char *ifname, - gboolean is_wireless); + NMSupplicantDriver driver); #endif /* __NETWORKMANAGER_SUPPLICANT_MANAGER_H__ */ diff --git a/src/supplicant/nm-supplicant-settings-verify.c b/src/supplicant/nm-supplicant-settings-verify.c index 9355b210bc..9e22080857 100644 --- a/src/supplicant/nm-supplicant-settings-verify.c +++ b/src/supplicant/nm-supplicant-settings-verify.c @@ -141,6 +141,11 @@ static const struct Opt opt_table[] = { { "bgscan", TYPE_BYTES, 0, 0, FALSE, NULL }, { "pac_file", TYPE_BYTES, 0, 1024, FALSE, NULL }, { "freq_list", TYPE_KEYWORD, 0, 0, FALSE, NULL }, + { "macsec_policy", TYPE_INT, 0, 1, FALSE, NULL }, + { "macsec_integ_only", TYPE_INT, 0, 1, FALSE, NULL }, + { "mka_cak", TYPE_BYTES, 0, 65536, FALSE, NULL }, + { "mka_ckn", TYPE_BYTES, 0, 65536, FALSE, NULL }, + { "macsec_port", TYPE_INT, 1, 65534, FALSE, NULL }, }; diff --git a/src/supplicant/nm-supplicant-types.h b/src/supplicant/nm-supplicant-types.h index e9be5be463..f75827ec60 100644 --- a/src/supplicant/nm-supplicant-types.h +++ b/src/supplicant/nm-supplicant-types.h @@ -46,6 +46,12 @@ typedef enum { NM_SUPPLICANT_ERROR_CONFIG = 1, /*< nick=Config >*/ } NMSupplicantError; +typedef enum { + NM_SUPPLICANT_DRIVER_WIRELESS, + NM_SUPPLICANT_DRIVER_WIRED, + NM_SUPPLICANT_DRIVER_MACSEC, +} NMSupplicantDriver; + #define NM_SUPPLICANT_ERROR (nm_supplicant_error_quark ()) GQuark nm_supplicant_error_quark (void); |