diff options
author | Beniamino Galvani <bgalvani@redhat.com> | 2016-06-30 18:20:43 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2017-01-16 17:37:14 +0100 |
commit | d252a99fa25359e3795abcacfae08c76dc5386b8 (patch) | |
tree | c266f2437bdbcc71ab58d468a98825d2a2a7b120 /libnm-core/nm-setting-macsec.c | |
parent | 67adbda83e0f4ee3a03d7c40c30a1058fd76a211 (diff) | |
download | NetworkManager-d252a99fa25359e3795abcacfae08c76dc5386b8.tar.gz |
libnm-core: add NMSettingMacsec
The new NMSettingMacsec contains information necessary to establish a
MACsec connection. At the moment we support two different MACsec
modes, both using wpa_supplicant: PSK and EAP.
PSK mode is based on a static CAK key for the MACsec key agreement
protocol, while EAP mode derives keys from a 802.1x authentication and
thus requires the presence of a NMSetting8021x in the connection.
Diffstat (limited to 'libnm-core/nm-setting-macsec.c')
-rw-r--r-- | libnm-core/nm-setting-macsec.c | 592 |
1 files changed, 592 insertions, 0 deletions
diff --git a/libnm-core/nm-setting-macsec.c b/libnm-core/nm-setting-macsec.c new file mode 100644 index 0000000000..60df6839f0 --- /dev/null +++ b/libnm-core/nm-setting-macsec.c @@ -0,0 +1,592 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */ +/* + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301 USA. + * + * Copyright 2017 Red Hat, Inc. + */ + +#include "nm-default.h" + +#include "nm-setting-macsec.h" + +#include <stdlib.h> +#include <string.h> + +#include "nm-utils.h" +#include "nm-core-types-internal.h" +#include "nm-setting-connection.h" +#include "nm-setting-private.h" +#include "nm-setting-wired.h" +#include "nm-connection-private.h" + +/** + * SECTION:nm-setting-macsec + * @short_description: Describes connection properties for MACSEC interfaces + * + * The #NMSettingMacsec object is a #NMSetting subclass that describes properties + * necessary for connection to MACsec (IEEE 802.1AE) interfaces. + **/ + +G_DEFINE_TYPE_WITH_CODE (NMSettingMacsec, nm_setting_macsec, NM_TYPE_SETTING, + _nm_register_setting (MACSEC, 1)) +NM_SETTING_REGISTER_TYPE (NM_TYPE_SETTING_MACSEC) + +#define NM_SETTING_MACSEC_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_SETTING_MACSEC, NMSettingMacsecPrivate)) + +typedef struct { + char *parent; + NMSettingMacsecMode mode; + gboolean encrypt; + char *mka_cak; + NMSettingSecretFlags mka_cak_flags; + char *mka_ckn; + int port; + NMSettingMacsecValidation validation; +} NMSettingMacsecPrivate; + +NM_GOBJECT_PROPERTIES_DEFINE_BASE ( + PROP_PARENT, + PROP_MODE, + PROP_ENCRYPT, + PROP_MKA_CAK, + PROP_MKA_CAK_FLAGS, + PROP_MKA_CKN, + PROP_PORT, + PROP_VALIDATION, +); + +/** + * nm_setting_macsec_new: + * + * Creates a new #NMSettingMacsec object with default values. + * + * Returns: (transfer full): the new empty #NMSettingMacsec object + * + * Since: 1.6 + **/ +NMSetting * +nm_setting_macsec_new (void) +{ + return (NMSetting *) g_object_new (NM_TYPE_SETTING_MACSEC, NULL); +} + +/** + * nm_setting_macsec_get_parent: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:parent property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_parent (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->parent; +} + +/** + * nm_setting_macsec_get_mode: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mode property of the setting + * + * Since: 1.6 + **/ +NMSettingMacsecMode +nm_setting_macsec_get_mode (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_MODE_PSK); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mode; +} + +/** + * nm_setting_macsec_get_encrypt: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:encrypt property of the setting + * + * Since: 1.6 + **/ +gboolean +nm_setting_macsec_get_encrypt (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), TRUE); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->encrypt; +} + +/** + * nm_setting_macsec_get_mka_cak + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mka-cak property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_mka_cak (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak; +} + +/** + * nm_setting_macsec_get_mka_cak_flags: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingSecretFlags pertaining to the #NMSettingMacsec:mka-cak + * + * Since: 1.6 + **/ +NMSettingSecretFlags +nm_setting_macsec_get_mka_cak_flags (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_SECRET_FLAG_NONE); + + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_cak_flags; +} + +/** + * nm_setting_macsec_get_mka_ckn: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:mka-ckn property of the setting + * + * Since: 1.6 + **/ +const char * +nm_setting_macsec_get_mka_ckn (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NULL); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->mka_ckn; +} + +/** + * nm_setting_macsec_get_port: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:port property of the setting + * + * Since: 1.6 + **/ +int +nm_setting_macsec_get_port (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), 1); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->port; +} + +/** + * nm_setting_macsec_get_validation: + * @setting: the #NMSettingMacsec + * + * Returns: the #NMSettingMacsec:validation property of the setting + * + * Since: 1.6 + **/ +NMSettingMacsecValidation +nm_setting_macsec_get_validation (NMSettingMacsec *setting) +{ + g_return_val_if_fail (NM_IS_SETTING_MACSEC (setting), NM_SETTING_MACSEC_VALIDATION_DISABLE); + return NM_SETTING_MACSEC_GET_PRIVATE (setting)->validation; +} + +static GPtrArray * +need_secrets (NMSetting *setting) +{ + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + GPtrArray *secrets = NULL; + + if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) { + if ( !priv->mka_cak + && !NM_FLAGS_HAS (priv->mka_cak_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) { + secrets = g_ptr_array_sized_new (1); + g_ptr_array_add (secrets, NM_SETTING_MACSEC_MKA_CAK); + } + } + + return secrets; +} + +/*********************************************************************/ + +static gboolean +verify_macsec_key (const char *key, gboolean cak, GError **error) +{ + int req_len; + + if (!key || !key[0]) { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key is empty")); + return FALSE; + } + + req_len = cak ? + NM_SETTING_MACSEC_MKA_CAK_LENGTH : + NM_SETTING_MACSEC_MKA_CKN_LENGTH; + if (strlen (key) != req_len) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key must be %d characters"), req_len); + return FALSE; + } + + if (!NM_STRCHAR_ALL (key, ch, g_ascii_isxdigit (ch))) { + g_set_error_literal (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("the key contais non-hexadecimal characters")); + return FALSE; + } + + return TRUE; +} + +static gboolean +verify (NMSetting *setting, NMConnection *connection, GError **error) +{ + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + NMSettingConnection *s_con = NULL; + NMSettingWired *s_wired = NULL; + NMSetting8021x *s_8021x = NULL; + + if (connection) { + s_con = nm_connection_get_setting_connection (connection); + s_wired = nm_connection_get_setting_wired (connection); + s_8021x = nm_connection_get_setting_802_1x (connection); + } + + if (priv->parent) { + if (nm_utils_is_uuid (priv->parent)) { + /* If we have an NMSettingConnection:master with slave-type="macsec", + * then it must be the same UUID. + */ + if (s_con) { + const char *master = NULL, *slave_type = NULL; + + slave_type = nm_setting_connection_get_slave_type (s_con); + if (!g_strcmp0 (slave_type, NM_SETTING_MACSEC_SETTING_NAME)) + master = nm_setting_connection_get_master (s_con); + + if (master && g_strcmp0 (priv->parent, master) != 0) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("'%s' value doesn't match '%s=%s'"), + priv->parent, NM_SETTING_CONNECTION_MASTER, master); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } + } else if (!nm_utils_iface_valid_name (priv->parent)) { + /* parent must be either a UUID or an interface name */ + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_INVALID_PROPERTY, + _("'%s' is neither an UUID nor an interface name"), + priv->parent); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } else { + /* If parent is NULL, the parent must be specified via + * NMSettingWired:mac-address. + */ + if ( connection + && (!s_wired || !nm_setting_wired_get_mac_address (s_wired))) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_PROPERTY, + _("property is not specified and neither is '%s:%s'"), + NM_SETTING_WIRED_SETTING_NAME, NM_SETTING_WIRED_MAC_ADDRESS); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PARENT); + return FALSE; + } + } + + if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) { + if (!verify_macsec_key (priv->mka_ckn, FALSE, error)) { + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MKA_CKN); + return FALSE; + } + } else if (priv->mode == NM_SETTING_MACSEC_MODE_EAP) { + if (!s_8021x) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_SETTING, + _("EAP key management requires '%s' setting presence"), + NM_SETTING_802_1X_SETTING_NAME); + g_prefix_error (error, "%s: ", NM_SETTING_MACSEC_SETTING_NAME); + return FALSE; + } + } + + if (priv->port <= 0 || priv->port > 65534) { + g_set_error (error, + NM_CONNECTION_ERROR, + NM_CONNECTION_ERROR_MISSING_PROPERTY, + _("invalid port %d"), + priv->port); + g_prefix_error (error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PORT); + return FALSE; + } + + return TRUE; +} + +static void +nm_setting_macsec_init (NMSettingMacsec *setting) +{ +} + +static void +set_property (GObject *object, guint prop_id, + const GValue *value, GParamSpec *pspec) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + switch (prop_id) { + case PROP_PARENT: + g_free (priv->parent); + priv->parent = g_value_dup_string (value); + break; + case PROP_MODE: + priv->mode = g_value_get_int (value); + break; + case PROP_ENCRYPT: + priv->encrypt = g_value_get_boolean (value); + break; + case PROP_MKA_CAK: + g_free (priv->mka_cak); + priv->mka_cak = g_value_dup_string (value); + break; + case PROP_MKA_CAK_FLAGS: + priv->mka_cak_flags = g_value_get_flags (value); + break; + case PROP_MKA_CKN: + g_free (priv->mka_ckn); + priv->mka_ckn = g_value_dup_string (value); + break; + case PROP_PORT: + priv->port = g_value_get_int (value); + break; + case PROP_VALIDATION: + priv->validation = g_value_get_int (value); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +get_property (GObject *object, guint prop_id, + GValue *value, GParamSpec *pspec) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + switch (prop_id) { + case PROP_PARENT: + g_value_set_string (value, priv->parent); + break; + case PROP_MODE: + g_value_set_int (value, priv->mode); + break; + case PROP_ENCRYPT: + g_value_set_boolean (value, priv->encrypt); + break; + case PROP_MKA_CAK: + g_value_set_string (value, priv->mka_cak); + break; + case PROP_MKA_CAK_FLAGS: + g_value_set_flags (value, priv->mka_cak_flags); + break; + case PROP_MKA_CKN: + g_value_set_string (value, priv->mka_ckn); + break; + case PROP_PORT: + g_value_set_int (value, priv->port); + break; + case PROP_VALIDATION: + g_value_set_int (value, priv->validation); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; + } +} + +static void +finalize (GObject *object) +{ + NMSettingMacsec *setting = NM_SETTING_MACSEC (object); + NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE (setting); + + g_free (priv->parent); + if (priv->mka_cak) { + memset (priv->mka_cak, 0, strlen (priv->mka_cak)); + g_free (priv->mka_cak); + } + g_free (priv->mka_ckn); + + G_OBJECT_CLASS (nm_setting_macsec_parent_class)->finalize (object); +} + +static void +nm_setting_macsec_class_init (NMSettingMacsecClass *setting_class) +{ + GObjectClass *object_class = G_OBJECT_CLASS (setting_class); + NMSettingClass *parent_class = NM_SETTING_CLASS (setting_class); + + g_type_class_add_private (setting_class, sizeof (NMSettingMacsecPrivate)); + + object_class->set_property = set_property; + object_class->get_property = get_property; + object_class->finalize = finalize; + parent_class->verify = verify; + parent_class->need_secrets = need_secrets; + + /** + * NMSettingMacsec:parent: + * + * If given, specifies the parent interface name or parent connection UUID + * from which this MACSEC interface should be created. If this property is + * not specified, the connection must contain an #NMSettingWired setting + * with a #NMSettingWired:mac-address property. + * + * Since: 1.6 + **/ + obj_properties[PROP_PARENT] = + g_param_spec_string (NM_SETTING_MACSEC_PARENT, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mode: + * + * Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key + * Agreement) is obtained. + * + * Since: 1.6 + **/ + obj_properties[PROP_MODE] = + g_param_spec_int (NM_SETTING_MACSEC_MODE, "", "", + G_MININT, G_MAXINT, NM_SETTING_MACSEC_MODE_PSK, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:encrypt: + * + * Whether the transmitted traffic must be encrypted. + * + * Since: 1.6 + **/ + obj_properties[PROP_ENCRYPT] = + g_param_spec_boolean (NM_SETTING_MACSEC_ENCRYPT, "", "", + TRUE, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-cak: + * + * The pre-shared CAK (Connectivity Association Key) for MACsec + * Key Agreement. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CAK] = + g_param_spec_string (NM_SETTING_MACSEC_MKA_CAK, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_SECRET | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-cak-flags: + * + * Flags indicating how to handle the #NMSettingMacsec:mka-cak + * property. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CAK_FLAGS] = + g_param_spec_flags (NM_SETTING_MACSEC_MKA_CAK_FLAGS, "", "", + NM_TYPE_SETTING_SECRET_FLAGS, + NM_SETTING_SECRET_FLAG_NONE, + G_PARAM_READWRITE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:mka-ckn: + * + * The pre-shared CKN (Connectivity-association Key Name) for + * MACsec Key Agreement. + * + * Since: 1.6 + **/ + obj_properties[PROP_MKA_CKN] = + g_param_spec_string (NM_SETTING_MACSEC_MKA_CKN, "", "", + NULL, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:port: + * + * The port component of the SCI (Secure Channel Identifier), between 1 and 65534. + * + * Since: 1.6 + **/ + obj_properties[PROP_PORT] = + g_param_spec_int (NM_SETTING_MACSEC_PORT, "", "", + 1, 65534, 1, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + /** + * NMSettingMacsec:validation: + * + * Specifies the validation mode for incoming frames. + * + * Since: 1.6 + **/ + obj_properties[PROP_VALIDATION] = + g_param_spec_int (NM_SETTING_MACSEC_VALIDATION, "", "", + G_MININT, G_MAXINT, NM_SETTING_MACSEC_VALIDATION_STRICT, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + NM_SETTING_PARAM_INFERRABLE | + G_PARAM_STATIC_STRINGS); + + g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties); +} |