macsec: cipher and icvlen can be set separately

since kernel driver has valid default values for 'cipher' and 'icvlen',
there is no need for requiring users to specify both of them when a new
link is added. Also, prompt an error message and exit with appropriate
exit status in case of unsupported cipher suite.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 34ba341a82f8e4201f92ba9959c4548b3c1a5484..329be00fb32b4f4d02df1452fc0c5446a0c5d6cf 100644 (file)
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -1071,34 +1071,6 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
        }
 }
 
-
-static int do_cipher_suite(struct cipher_args *cipher, int *argcp,
-                          char ***argvp)
-{
-       char **argv = *argvp;
-       int argc = *argcp;
-
-       if (argc == 0)
-               return -1;
-
-       if (strcmp(*argv, "default") == 0 ||
-           strcmp(*argv, "gcm-aes-128") == 0 ||
-           strcmp(*argv, "GCM-AES-128") == 0)
-               cipher->id = MACSEC_DEFAULT_CIPHER_ID;
-       NEXT_ARG();
-
-       if (strcmp(*argv, "icvlen") == 0) {
-               NEXT_ARG();
-               if (cipher->icv_len != 0)
-                       duparg2("icvlen", "icvlen");
-               get_icvlen(&cipher->icv_len, *argv);
-       }
-       *argcp = argc;
-       *argvp = argv;
-
-       return 0;
-}
-
 static bool check_txsc_flags(bool es, bool scb, bool sci)
 {
        if (sci && (es || scb))
@@ -1112,7 +1084,8 @@ static void usage(FILE *f)
 {
        fprintf(f,
                "Usage: ... macsec [ port PORT | sci SCI ]\n"
-               "                  [ cipher CIPHER_SUITE ]\n"
+               "                  [ cipher { default | gcm-aes-128 } ]\n"
+               "                  [ icvlen { 8..16 } ]\n"
                "                  [ encrypt { on | off } ]\n"
                "                  [ send_sci { on | off } ]\n"
                "                  [ end_station { on | off } ]\n"
@@ -1122,7 +1095,6 @@ static void usage(FILE *f)
                "                  [ validate { strict | check | disabled } ]\n"
                "                  [ encodingsa { 0..3 } ]\n"
                );
-       fprintf(f, "CIPHER_SUITE := [ default = gcm-aes-128 ] icvlen { 8..32 }\n");
 }
 
 static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
@@ -1154,11 +1126,21 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 
        while (argc > 0) {
                if (strcmp(*argv, "cipher") == 0) {
+                       NEXT_ARG();
                        if (cipher.id)
-                               duparg2("cipher", "cipher");
+                               duparg("cipher", *argv);
+                       if (strcmp(*argv, "default") == 0 ||
+                           strcmp(*argv, "gcm-aes-128") == 0 ||
+                           strcmp(*argv, "GCM-AES-128") == 0)
+                               cipher.id = MACSEC_DEFAULT_CIPHER_ID;
+                       else
+                               invarg("expected: default or gcm-aes-128",
+                                      *argv);
+               } else if (strcmp(*argv, "icvlen") == 0) {
                        NEXT_ARG();
-                       if (do_cipher_suite(&cipher, &argc, &argv))
-                               return -1;
+                       if (cipher.icv_len)
+                               duparg("icvlen", *argv);
+                       get_icvlen(&cipher.icv_len, *argv);
                } else if (strcmp(*argv, "encrypt") == 0) {
                        NEXT_ARG();
                        int i;
@@ -1264,12 +1246,12 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
                return -1;
        }
 
-       if (cipher.id) {
+       if (cipher.id)
                addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_CIPHER_SUITE,
                          &cipher.id, sizeof(cipher.id));
+       if (cipher.icv_len)
                addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ICV_LEN,
                          &cipher.icv_len, sizeof(cipher.icv_len));
-       }
 
        if (replay_protect != -1) {
                addattr32(hdr, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);

diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index ad49c9d28ee0d7be5280ab72ee082269b4e493ec..f4782ee5b855574cb9615f54ec5b0e62f49cbf16 100644 (file)
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -923,6 +923,8 @@ the following additional arguments are supported:
 ] [
 .BI cipher " CIPHER_SUITE"
 ] [
+.BR icvlen " { "
+.IR 8..16 " } ] ["
 .BR encrypt " {"
 .BR on " | " off " } ] [ "
 .BR send_sci " { " on " | " off " } ] ["
@@ -949,6 +951,10 @@ the following additional arguments are supported:
 .BI cipher " CIPHER_SUITE "
 - defines the cipher suite to use.
 
+.sp
+.BI icvlen " LENGTH "
+- sets the length of the Integrity Check Value (ICV).
+
 .sp
 .BR "encrypt on " or " encrypt off"
 - switches between authenticated encryption, or authenticity mode only.

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index f928c43f30f941a371e9c77bd018e9609bd0d345..105aeecd850d150daf1451c3d9dc390715d9a696 100644 (file)
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -7,8 +7,8 @@ ip-macsec \- MACsec device configuration
 .BI port " PORT"
 |
 .BI sci  " SCI"
-] [ [
-.BR cipher " { " default " | " gcm-aes-128 " } ] "
+] [
+.BR cipher " { " default " | " gcm-aes-128 " } ] ["
 .BI icvlen " ICVLEN"
 ] [
 .BR encrypt " { " on " | " off " } ] ["