summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--man/systemd.netdev.xml8
-rw-r--r--src/network/netdev/macsec.c73
-rw-r--r--src/network/netdev/macsec.h3
-rw-r--r--src/network/netdev/netdev-gperf.gperf1
-rw-r--r--test/fuzz/fuzz-netdev-parser/directives.netdev1
5 files changed, 85 insertions, 1 deletions
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index 030de47438..a58de37b3c 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -948,6 +948,14 @@
unset.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>UseForEncoding=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
+ one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
+ <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index ee1f15909e..8e25bf6498 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -36,6 +36,7 @@ static void security_association_init(SecurityAssociation *sa) {
assert(sa);
sa->activate = -1;
+ sa->use_for_encoding = -1;
}
static void macsec_receive_association_free(ReceiveAssociation *c) {
@@ -539,6 +540,10 @@ static int netdev_macsec_fill_message_create(NetDev *netdev, Link *link, sd_netl
return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACSEC_ENCRYPT attribute: %m");
}
+ r = sd_netlink_message_append_u8(m, IFLA_MACSEC_ENCODING_SA, v->encoding_an);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACSEC_ENCODING_SA attribute: %m");
+
return r;
}
@@ -919,6 +924,53 @@ int config_parse_macsec_sa_activate(
return 0;
}
+int config_parse_macsec_use_for_encoding(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
+ MACsec *s = userdata;
+ int r;
+
+ assert(filename);
+ assert(section);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ r = macsec_transmit_association_new_static(s, filename, section_line, &a);
+ if (r < 0)
+ return r;
+
+ if (isempty(rvalue))
+ r = -1;
+ else {
+ r = parse_boolean(rvalue);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r,
+ "Failed to parse %s= setting. Ignoring assignment: %s",
+ lvalue, rvalue);
+ return 0;
+ }
+ }
+
+ a->sa.use_for_encoding = r;
+ if (a->sa.use_for_encoding > 0)
+ a->sa.activate = true;
+
+ TAKE_PTR(a);
+
+ return 0;
+}
+
static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
_cleanup_free_ uint8_t *key = NULL;
size_t key_len;
@@ -1095,7 +1147,8 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
ReceiveAssociation *n;
ReceiveChannel *c;
Iterator i;
- uint8_t an;
+ uint8_t an, encoding_an;
+ bool use_for_encoding;
int r;
assert(netdev);
@@ -1109,6 +1162,8 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
}
an = 0;
+ use_for_encoding = false;
+ encoding_an = 0;
ORDERED_HASHMAP_FOREACH(a, v->transmit_associations_by_section, i) {
r = macsec_transmit_association_verify(a);
if (r < 0) {
@@ -1126,8 +1181,24 @@ static int netdev_macsec_verify(NetDev *netdev, const char *filename) {
}
a->sa.association_number = an++;
+
+ if (a->sa.use_for_encoding > 0) {
+ if (use_for_encoding) {
+ log_netdev_warning(netdev,
+ "%s: Multiple security associations are set to be used for transmit channel."
+ "Disabling UseForEncoding= in [MACsecTransmitAssociation] section from line %u",
+ a->section->filename, a->section->line);
+ a->sa.use_for_encoding = false;
+ } else {
+ encoding_an = a->sa.association_number;
+ use_for_encoding = true;
+ }
+ }
}
+ assert(encoding_an < MACSEC_MAX_ASSOCIATION_NUMBER);
+ v->encoding_an = encoding_an;
+
ORDERED_HASHMAP_FOREACH(n, v->receive_associations_by_section, i) {
r = macsec_receive_association_verify(n);
if (r < 0)
diff --git a/src/network/netdev/macsec.h b/src/network/netdev/macsec.h
index 167e9ca8eb..2bd08ac500 100644
--- a/src/network/netdev/macsec.h
+++ b/src/network/netdev/macsec.h
@@ -32,6 +32,7 @@ typedef struct SecurityAssociation {
uint32_t key_len;
char *key_file;
int activate;
+ int use_for_encoding;
} SecurityAssociation;
typedef struct TransmitAssociation {
@@ -63,6 +64,7 @@ struct MACsec {
uint16_t port;
int encrypt;
+ uint8_t encoding_an;
OrderedHashmap *receive_channels;
OrderedHashmap *receive_channels_by_section;
@@ -80,3 +82,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
CONFIG_PARSER_PROTOTYPE(config_parse_macsec_sa_activate);
+CONFIG_PARSER_PROTOTYPE(config_parse_macsec_use_for_encoding);
diff --git a/src/network/netdev/netdev-gperf.gperf b/src/network/netdev/netdev-gperf.gperf
index 20d7c143a0..a06694ad62 100644
--- a/src/network/netdev/netdev-gperf.gperf
+++ b/src/network/netdev/netdev-gperf.gperf
@@ -142,6 +142,7 @@ MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0,
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
MACsecTransmitAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
+MACsecTransmitAssociation.UseForEncoding, config_parse_macsec_use_for_encoding, 0, 0
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
diff --git a/test/fuzz/fuzz-netdev-parser/directives.netdev b/test/fuzz/fuzz-netdev-parser/directives.netdev
index f09b92d28e..128f8b6341 100644
--- a/test/fuzz/fuzz-netdev-parser/directives.netdev
+++ b/test/fuzz/fuzz-netdev-parser/directives.netdev
@@ -185,6 +185,7 @@ KeyId=
Key=
KeyFile=
Activate=
+UseForEncoding=
[MACsecReceiveChannel]
Port=
MACAddress=