The Tcpdump Group git mirrors - tcpdump/blob - print-macsec.c

   1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
   2  *
   3  * Redistribution and use in source and binary forms, with or without
   4  * modification, are permitted provided that the following conditions
   5  * are met:
   6  *
   7  *   1. Redistributions of source code must retain the above copyright
   8  *      notice, this list of conditions and the following disclaimer.
   9  *   2. Redistributions in binary form must reproduce the above copyright
  10  *      notice, this list of conditions and the following disclaimer in
  11  *      the documentation and/or other materials provided with the
  12  *      distribution.
  13  *   3. The names of the authors may not be used to endorse or promote
  14  *      products derived from this software without specific prior
  15  *      written permission.
  16  *
  17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  18  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  20  */
  21
  22 /* \summary: MACsec printer */
  23
  24 #ifdef HAVE_CONFIG_H
  25 #include "config.h"
  26 #endif
  27
  28 #include <netdissect-stdinc.h>
  29
  30 #include <string.h>
  31
  32 #include "netdissect.h"
  33 #include "addrtoname.h"
  34 #include "ethertype.h"
  35 #include "extract.h"
  36
  37 static const char tstr[] = "[|MACsec]";
  38
  39 #define MACSEC_DEFAULT_ICV_LEN 16
  40
  41 /* Header format (SecTAG), following an Ethernet header
  42  * IEEE 802.1AE-2006 9.3
  43  *
  44  * +---------------------------------+----------------+----------------+
  45  * |        (MACsec ethertype)       |     TCI_AN     |       SL       |
  46  * +---------------------------------+----------------+----------------+
  47  * |                           Packet Number                           |
  48  * +-------------------------------------------------------------------+
  49  * |                     Secure Channel Identifier                     |
  50  * |                            (optional)                             |
  51  * +-------------------------------------------------------------------+
  52  *
  53  * MACsec ethertype = 0x88e5
  54  * TCI: Tag Control Information, set of flags
  55  * AN: association number, 2 bits
  56  * SL (short length): 6-bit length of the protected payload, if < 48
  57  * Packet Number: 32-bits packet identifier
  58  * Secure Channel Identifier: 64-bit unique identifier, usually
  59  *     composed of a MAC address + 16-bit port number
  60  */
  61 struct macsec_sectag {
  62         nd_uint8_t  tci_an;
  63         nd_uint8_t  short_length;
  64         nd_uint32_t packet_number;
  65         nd_uint8_t  secure_channel_id[8]; /* optional */
  66 };
  67
  68 /* IEEE 802.1AE-2006 9.5 */
  69 #define MACSEC_TCI_VERSION 0x80
  70 #define MACSEC_TCI_ES      0x40 /* end station */
  71 #define MACSEC_TCI_SC      0x20 /* SCI present */
  72 #define MACSEC_TCI_SCB     0x10 /* epon */
  73 #define MACSEC_TCI_E       0x08 /* encryption */
  74 #define MACSEC_TCI_C       0x04 /* changed text */
  75 #define MACSEC_AN_MASK     0x03 /* association number */
  76 #define MACSEC_TCI_FLAGS   (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
  77 #define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)
  78 #define MACSEC_SL_MASK     0x3F /* short length */
  79
  80 #define MACSEC_SECTAG_LEN_NOSCI 6
  81 #define MACSEC_SECTAG_LEN_SCI 14
  82 static int
  83 ieee8021ae_sectag_len(netdissect_options *ndo, const struct macsec_sectag *sectag)
  84 {
  85         return (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) ?
  86                MACSEC_SECTAG_LEN_SCI :
  87                MACSEC_SECTAG_LEN_NOSCI;
  88 }
  89
  90 static int macsec_check_length(netdissect_options *ndo, const struct macsec_sectag *sectag, u_int length, u_int caplen)
  91 {
  92         u_int len;
  93
  94         /* we need the full MACsec header in the capture */
  95         if (caplen < (MACSEC_SECTAG_LEN_NOSCI + 2))
  96                 return 0;
  97
  98         len = ieee8021ae_sectag_len(ndo, sectag);
  99         if (caplen < (len + 2))
 100                 return 0;
 101
 102         if ((GET_U_1(sectag->short_length) & MACSEC_SL_MASK) != 0) {
 103                 /* original packet must have exact length */
 104                 u_int exact = ETHER_HDRLEN + len + 2 + (GET_U_1(sectag->short_length) & MACSEC_SL_MASK);
 105                 return exact == length;
 106         } else {
 107                 /* original packet must not be short */
 108                 u_int minlen = ETHER_HDRLEN + len + 2 + 48;
 109                 return length >= minlen;
 110         }
 111
 112         return 1;
 113 }
 114
 115 #define SCI_FMT "%016" PRIx64
 116
 117 static const struct tok macsec_flag_values[] = {
 118         { MACSEC_TCI_E,   "E" },
 119         { MACSEC_TCI_C,   "C" },
 120         { MACSEC_TCI_ES,  "S" },
 121         { MACSEC_TCI_SCB, "B" },
 122         { MACSEC_TCI_SC,  "I" },
 123         { 0, NULL }
 124 };
 125
 126 /* returns < 0 iff the packet can be decoded completely */
 127 int macsec_print(netdissect_options *ndo, const u_char **bp,
 128                  u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
 129                  u_short *length_type)
 130 {
 131         const u_char *p = *bp;
 132         u_int length = *lengthp;
 133         u_int caplen = *caplenp;
 134         u_int hdrlen = *hdrlenp;
 135         const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
 136         u_int len;
 137
 138         if (!macsec_check_length(sectag, length, caplen)) {
 139                 nd_print_trunc(ndo);
 140                 return hdrlen + caplen;
 141         }
 142
 143         if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
 144             GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
 145                 nd_print_invalid(ndo);
 146                 return hdrlen + caplen;
 147         }
 148
 149         if (ndo->ndo_eflag) {
 150                 ND_PRINT("an %u, pn %u, flags %s",
 151                          GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
 152                          GET_BE_U_4(sectag->packet_number),
 153                          bittok2str_nosep(macsec_flag_values, "none",
 154                                           GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
 155
 156                 if ((GET_U_1(sectag->short_length) & MACSEC_SL_MASK) != 0)
 157                         ND_PRINT(", sl %u", GET_U_1(sectag->short_length) & MACSEC_SL_MASK);
 158
 159                 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
 160                         ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
 161
 162                 ND_PRINT(", ");
 163         }
 164
 165         len = ieee8021ae_sectag_len(ndo, sectag);
 166
 167         /* Skip the MACsec header. */
 168         *bp += len;
 169         *hdrlenp += len;
 170
 171         /* Remove it from the lengths, as it's been processed. */
 172         *lengthp -= len;
 173         *caplenp -= len;
 174
 175         if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
 176                 /*
 177                  * The payload is encrypted.  Tell our
 178                  * caller it can't be dissected.
 179                  */
 180                 return 0;
 181         } else {
 182                 /*
 183                  * The payload isn't encrypted; remove the
 184                  * ICV length from the lengths, so our caller
 185                  * doesn't treat it as payload.
 186                  */
 187                 *lengthp -= MACSEC_DEFAULT_ICV_LEN;
 188                 *caplenp -= MACSEC_DEFAULT_ICV_LEN;
 189                 return -1;
 190         }
 191 }