<literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
+ string, which will be used in the transmission channel. When this option is specified,
+ <varname>Key=</varname> is ignored. Note that the file must be readable by the user
+ <literal>systemd-network</literal>, so it should be, e.g., owned by
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
<para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1>
#include <linux/genetlink.h>
#include "conf-parser.h"
+#include "fileio.h"
#include "hashmap.h"
#include "hexdecoct.h"
#include "macsec.h"
#include "network-internal.h"
#include "networkd-address.h"
#include "networkd-manager.h"
+#include "path-util.h"
#include "sd-netlink.h"
#include "socket-util.h"
#include "string-table.h"
explicit_bzero_safe(sa->key, sa->key_len);
free(sa->key);
+ free(sa->key_file);
}
static void macsec_receive_association_free(ReceiveAssociation *c) {
return 0;
}
+int config_parse_macsec_key_file(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
+ _cleanup_(macsec_receive_association_free_or_set_invalidp) ReceiveAssociation *b = NULL;
+ _cleanup_free_ char *path = NULL;
+ MACsec *s = userdata;
+ char **dest;
+ int r;
+
+ assert(filename);
+ assert(section);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ if (streq(section, "MACsecTransmitAssociation"))
+ r = macsec_transmit_association_new_static(s, filename, section_line, &a);
+ else
+ r = macsec_receive_association_new_static(s, filename, section_line, &b);
+ if (r < 0)
+ return r;
+
+ dest = a ? &a->sa.key_file : &b->sa.key_file;
+
+ if (isempty(rvalue)) {
+ *dest = mfree(*dest);
+ return 0;
+ }
+
+ path = strdup(rvalue);
+ if (!path)
+ return log_oom();
+
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ return 0;
+
+ free_and_replace(*dest, path);
+ TAKE_PTR(a);
+ TAKE_PTR(b);
+
+ return 0;
+}
+
int config_parse_macsec_key_id(
const char *unit,
const char *filename,
return 0;
}
+static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
+ _cleanup_free_ uint8_t *key = NULL;
+ size_t key_len;
+ int r;
+
+ assert(netdev);
+ assert(sa);
+
+ if (!sa->key_file)
+ return 0;
+
+ r = read_full_file_full(sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r,
+ "Failed to read key from '%s', ignoring: %m",
+ sa->key_file);
+ if (key_len != 16) {
+ explicit_bzero_safe(key, key_len);
+ return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
+ "Invalid key length (%zu bytes), ignoring: %m",
+ key_len);
+ }
+
+ explicit_bzero_safe(sa->key, sa->key_len);
+ free_and_replace(sa->key, key);
+ sa->key_len = key_len;
+
+ return 0;
+}
+
static int macsec_receive_channel_verify(ReceiveChannel *c) {
NetDev *netdev;
int r;
static int macsec_transmit_association_verify(TransmitAssociation *t) {
NetDev *netdev;
+ int r;
assert(t);
assert(t->macsec);
"Ignoring [MACsecTransmitAssociation] section from line %u",
t->section->filename, t->section->line);
+ r = macsec_read_key_file(netdev, &t->sa);
+ if (r < 0)
+ return r;
+
if (t->sa.key_len <= 0)
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
"%s: MACsec transmit secure association without key configured. "
if (section_is_invalid(a->section))
return -EINVAL;
+ r = macsec_read_key_file(netdev, &a->sa);
+ if (r < 0)
+ return r;
+
if (a->sa.key_len <= 0)
return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
"%s: MACsec receive secure association without key configured. "
MACsecTransmitAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0, 0
MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
+MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
MACsecReceiveAssociation.KeyId, config_parse_macsec_key_id, 0, 0
MACsecReceiveAssociation.Key, config_parse_macsec_key, 0, 0
+MACsecReceiveAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
Tun.OneQueue, config_parse_bool, 0, offsetof(TunTap, one_queue)
Tun.MultiQueue, config_parse_bool, 0, offsetof(TunTap, multi_queue)
Tun.PacketInfo, config_parse_bool, 0, offsetof(TunTap, packet_info)