From: Yu Watanabe Date: Fri, 5 Apr 2019 06:33:52 +0000 (+0900) Subject: network: add MACsec*Association.Activate= setting X-Git-Tag: v243-rc1~561^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a7b9c52f1f79feae800647b77796115f899222cc;p=thirdparty%2Fsystemd.git network: add MACsec*Association.Activate= setting
---
diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index 7ab9faac6da..030de474383 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -941,6 +941,13 @@ root:systemd-network with a 0640 file mode.
+
+ Activate=
+
+ Takes a boolean. If enabled, then the security association is activated. Defaults to
+ unset.
+
+
@@ -986,6 +993,12 @@ Accepts the same key in [MACsecTransmitAssociation] section.
+
+ Activate=
+
+ Accepts the same key in [MACsecTransmitAssociation] section.
+
+
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 977c03eeb1b..ee1f15909e1 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -32,6 +32,12 @@ static void security_association_clear(SecurityAssociation *sa) {
 free(sa->key_file);
 }
 
+static void security_association_init(SecurityAssociation *sa) {
+ assert(sa);
+
+ sa->activate = -1;
+}
+
 static void macsec_receive_association_free(ReceiveAssociation *c) {
 if (!c)
 return;
@@ -76,6 +82,8 @@ static int macsec_receive_association_new_static(MACsec *s, const char *filename
 .section = TAKE_PTR(n),
 };
 
+ security_association_init(&c->sa);
+
 r = ordered_hashmap_ensure_allocated(&s->receive_associations_by_section, &network_config_hash_ops);
 if (r < 0)
 return r;
@@ -209,6 +217,8 @@ static int macsec_transmit_association_new_static(MACsec *s, const char *filenam
 .section = TAKE_PTR(n),
 };
 
+ security_association_init(&a->sa);
+
 r = ordered_hashmap_ensure_allocated(&s->transmit_associations_by_section, &network_config_hash_ops);
 if (r < 0)
 return r;
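Review bot: A SecurityAssociation that is allocated but never passed through the new security_association_init() ends up with activate == 0, which later code treats as an explicit "inactive" rather than as "unset", because the designated initializers in macsec_receive_association_new_static (hunk at -76) and macsec_transmit_association_new_static (hunk at -209) zero the struct before the helper is called. The -1/0/1 tri-state is therefore load-bearing and worth stating on the helper itself, e.g. `/* Must run on every new SecurityAssociation: a zeroed struct reads as Activate=no, not as unset. */` above `sa->activate = -1;`. The enclosing functions of the two caller hunks start and end outside their hunks.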
@@ -295,6 +305,12 @@ static int netdev_macsec_fill_message_sa(NetDev *netdev, SecurityAssociation *a,
 return log_netdev_error_errno(netdev, r, "Could not append MACSEC_SA_ATTR_KEY attribute: %m");
 }
 
+ if (a->activate >= 0) {
+ r = sd_netlink_message_append_u8(m, MACSEC_SA_ATTR_ACTIVE, a->activate);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r, "Could not append MACSEC_SA_ATTR_ACTIVE attribute: %m");
+ }
+
 r = sd_netlink_message_close_container(m);
 if (r < 0)
 return log_netdev_error_errno(netdev, r, "Could not append MACSEC_ATTR_SA_CONFIG attribute: %m");
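Review bot: The `a->activate >= 0` guard silently omits MACSEC_SA_ATTR_ACTIVE when the setting is unset, so the association's active state is then whatever the kernel assigns by default, and neither this hunk nor the man page text says so. A one-line comment above the block would make that contract explicit: `/* -1 means Activate= was not set: omit MACSEC_SA_ATTR_ACTIVE and let the kernel apply its default. */`. Since activate only ever holds -1/0/1 after parse_boolean(), the implicit narrowing to u8 is harmless, but an explicit `(uint8_t) a->activate` would document that the value is known to fit. netdev_macsec_fill_message_sa begins and ends outside the hunk.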
@@ -849,6 +865,60 @@ int config_parse_macsec_key_id(
 return 0;
 }
 
+int config_parse_macsec_sa_activate(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_(macsec_transmit_association_free_or_set_invalidp) TransmitAssociation *a = NULL;
+ _cleanup_(macsec_receive_association_free_or_set_invalidp) ReceiveAssociation *b = NULL;
+ MACsec *s = userdata;
+ int *dest;
+ int r;
+
+ assert(filename);
+ assert(section);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ if (streq(section, "MACsecTransmitAssociation"))
+ r = macsec_transmit_association_new_static(s, filename, section_line, &a);
+ else
+ r = macsec_receive_association_new_static(s, filename, section_line, &b);
+ if (r < 0)
+ return r;
+
+ dest = a ? &a->sa.activate : &b->sa.activate;
+
+ if (isempty(rvalue))
+ r = -1;
+ else {
+ r = parse_boolean(rvalue);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r,
+ "Failed to parse activation mode of %s security association. "
+ "Ignoring assignment: %s",
+ streq(section, "MACsecTransmitAssociation") ? "transmit" : "receive",
+ rvalue);
+ return 0;
+ }
+ }
+
+ *dest = r;
+ TAKE_PTR(a);
+ TAKE_PTR(b);
+
+ return 0;
+}
+
 static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
 _cleanup_free_ uint8_t *key = NULL;
 size_t key_len;
diff --git a/src/network/netdev/macsec.h b/src/network/netdev/macsec.h
index 36c90d47ab4..167e9ca8eb3 100644
--- a/src/network/netdev/macsec.h
+++ b/src/network/netdev/macsec.h
@@ -31,6 +31,7 @@ typedef struct SecurityAssociation {
 uint8_t *key;
 uint32_t key_len;
 char *key_file;
+ int activate;
 } SecurityAssociation;
 
 typedef struct TransmitAssociation {
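Review bot: In config_parse_macsec_sa_activate the local `r` carries three different meanings in turn — the errno-style result of the *_new_static() call, the -1 "unset" sentinel, and the 0/1 result of parse_boolean() — so `*dest = r;` reads as though an error code could be stored into the association. A dedicated local keeps the sentinel visible: `int activate = -1;` for the empty-rvalue case, `activate = parse_boolean(rvalue);` otherwise, and `*dest = activate;` at the end, leaving `r` for return codes only. The empty-assignment reset also deserves a line of its own, e.g. `/* An empty assignment resets the setting to unset (-1), so no MACSEC_SA_ATTR_ACTIVE attribute is sent. */`. The function asserts `data` but only reads `userdata`; that presumably mirrors the neighbouring parsers, whose bodies are outside this hunk.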
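Review bot: The new `int activate;` field in SecurityAssociation is a tri-state (-1 unset, 0 no, 1 yes), but the header gives no hint of that, and a plain `int` beside `uint32_t key_len` invites a reader to treat 0 as "default" rather than as an explicit "inactive". Suggest `int activate; /* -1 = unset (attribute omitted), 0/1 = explicit Activate= value */` so the sentinel is documented where the field is declared rather than only in the initializer helper.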
@@ -78,3 +79,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_macsec_packet_number);
 CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_id);
 CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key);
 CONFIG_PARSER_PROTOTYPE(config_parse_macsec_key_file);
+CONFIG_PARSER_PROTOTYPE(config_parse_macsec_sa_activate);
diff --git a/src/network/netdev/netdev-gperf.gperf b/src/network/netdev/netdev-gperf.gperf
index d06ef23a8ba..20d7c143a03 100644
--- a/src/network/netdev/netdev-gperf.gperf
+++ b/src/network/netdev/netdev-gperf.gperf
@@ -141,12 +141,14 @@ MACsecTransmitAssociation.PacketNumber, config_parse_macsec_packet_number, 0,
 MACsecTransmitAssociation.KeyId, config_parse_macsec_key_id, 0, 0
 MACsecTransmitAssociation.Key, config_parse_macsec_key, 0, 0
 MACsecTransmitAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
+MACsecTransmitAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
 MACsecReceiveAssociation.Port, config_parse_macsec_port, 0, 0
 MACsecReceiveAssociation.MACAddress, config_parse_macsec_hw_address, 0, 0
 MACsecReceiveAssociation.PacketNumber, config_parse_macsec_packet_number, 0, 0
 MACsecReceiveAssociation.KeyId, config_parse_macsec_key_id, 0, 0
 MACsecReceiveAssociation.Key, config_parse_macsec_key, 0, 0
 MACsecReceiveAssociation.KeyFile, config_parse_macsec_key_file, 0, 0
+MACsecReceiveAssociation.Activate, config_parse_macsec_sa_activate, 0, 0
 Tun.OneQueue, config_parse_bool, 0, offsetof(TunTap, one_queue)
 Tun.MultiQueue, config_parse_bool, 0, offsetof(TunTap, multi_queue)
 Tun.PacketInfo, config_parse_bool, 0, offsetof(TunTap, packet_info)
diff --git a/test/fuzz/fuzz-netdev-parser/directives.netdev b/test/fuzz/fuzz-netdev-parser/directives.netdev
index 344ffdf9b05..f09b92d28ee 100644
--- a/test/fuzz/fuzz-netdev-parser/directives.netdev
+++ b/test/fuzz/fuzz-netdev-parser/directives.netdev
@@ -184,6 +184,7 @@ PacketNumber=
 KeyId=
 Key=
 KeyFile=
+Activate=
 [MACsecReceiveChannel]
 Port=
 MACAddress=
@@ -192,3 +193,4 @@ PacketNumber=
 KeyId=
 Key=
 KeyFile=
+Activate=