]> The Tcpdump Group git mirrors - tcpdump/blob - print-macsec.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Replace some command name 'Tcpdump' with 'tcpdump'
[tcpdump] / print-macsec.c
1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
2 *
3 * Redistribution and use in source and binary forms, with or without
4 * modification, are permitted provided that the following conditions
5 * are met:
6 *
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in
11 * the documentation and/or other materials provided with the
12 * distribution.
13 * 3. The names of the authors may not be used to endorse or promote
14 * products derived from this software without specific prior
15 * written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 /* \summary: MACsec printer */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include "netdissect-stdinc.h"
29
30 #include "netdissect.h"
31 #include "addrtoname.h"
32 #include "extract.h"
33
34 #define MACSEC_DEFAULT_ICV_LEN 16
35
36 /* Header format (SecTAG), following an Ethernet header
37 * IEEE 802.1AE-2006 9.3
38 *
39 * +---------------------------------+----------------+----------------+
40 * | (MACsec ethertype) | TCI_AN | SL |
41 * +---------------------------------+----------------+----------------+
42 * | Packet Number |
43 * +-------------------------------------------------------------------+
44 * | Secure Channel Identifier |
45 * | (optional) |
46 * +-------------------------------------------------------------------+
47 *
48 * MACsec ethertype = 0x88e5
49 * TCI: Tag Control Information, set of flags
50 * AN: association number, 2 bits
51 * SL (short length): 6-bit length of the protected payload, if < 48
52 * Packet Number: 32-bits packet identifier
53 * Secure Channel Identifier: 64-bit unique identifier, usually
54 * composed of a MAC address + 16-bit port number
55 */
56 struct macsec_sectag {
57 nd_uint8_t tci_an;
58 nd_uint8_t short_length;
59 nd_uint32_t packet_number;
60 nd_uint8_t secure_channel_id[8]; /* optional */
61 };
62
63 /* IEEE 802.1AE-2006 9.5 */
64 #define MACSEC_TCI_VERSION 0x80
65 #define MACSEC_TCI_ES 0x40 /* end station */
66 #define MACSEC_TCI_SC 0x20 /* SCI present */
67 #define MACSEC_TCI_SCB 0x10 /* epon */
68 #define MACSEC_TCI_E 0x08 /* encryption */
69 #define MACSEC_TCI_C 0x04 /* changed text */
70 #define MACSEC_AN_MASK 0x03 /* association number */
71 #define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
72 #define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
73 #define MACSEC_SL_MASK 0x3F /* short length */
74
75 #define MACSEC_SECTAG_LEN_NOSCI 6 /* length of MACsec header without SCI */
76 #define MACSEC_SECTAG_LEN_SCI 14 /* length of MACsec header with SCI */
77
78 #define SCI_FMT "%016" PRIx64
79
80 static const struct tok macsec_flag_values[] = {
81 { MACSEC_TCI_E, "E" },
82 { MACSEC_TCI_C, "C" },
83 { MACSEC_TCI_ES, "S" },
84 { MACSEC_TCI_SCB, "B" },
85 { MACSEC_TCI_SC, "I" },
86 { 0, NULL }
87 };
88
89 static void
90 macsec_print_header(netdissect_options *ndo,
91 const struct macsec_sectag *sectag,
92 u_int short_length)
93 {
94 ND_PRINT("an %u, pn %u, flags %s",
95 GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
96 GET_BE_U_4(sectag->packet_number),
97 bittok2str_nosep(macsec_flag_values, "none",
98 GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
99
100 if (short_length != 0)
101 ND_PRINT(", sl %u", short_length);
102
103 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
104 ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
105
106 ND_PRINT(", ");
107 }
108
109 /* returns < 0 iff the packet can be decoded completely */
110 int
111 macsec_print(netdissect_options *ndo, const u_char **bp,
112 u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
113 const struct lladdr_info *src, const struct lladdr_info *dst)
114 {
115 const char *save_protocol;
116 const u_char *p = *bp;
117 u_int length = *lengthp;
118 u_int caplen = *caplenp;
119 u_int hdrlen = *hdrlenp;
120 const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
121 u_int sectag_len;
122 u_int short_length;
123
124 save_protocol = ndo->ndo_protocol;
125 ndo->ndo_protocol = "macsec";
126
127 /* we need the full MACsec header in the capture */
128 if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
129 nd_print_trunc(ndo);
130 ndo->ndo_protocol = save_protocol;
131 return hdrlen + caplen;
132 }
133 if (length < MACSEC_SECTAG_LEN_NOSCI) {
134 nd_print_trunc(ndo);
135 ndo->ndo_protocol = save_protocol;
136 return hdrlen + caplen;
137 }
138
139 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
140 sectag_len = MACSEC_SECTAG_LEN_SCI;
141 if (caplen < MACSEC_SECTAG_LEN_SCI) {
142 nd_print_trunc(ndo);
143 ndo->ndo_protocol = save_protocol;
144 return hdrlen + caplen;
145 }
146 if (length < MACSEC_SECTAG_LEN_SCI) {
147 nd_print_trunc(ndo);
148 ndo->ndo_protocol = save_protocol;
149 return hdrlen + caplen;
150 }
151 } else
152 sectag_len = MACSEC_SECTAG_LEN_NOSCI;
153
154 if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
155 GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
156 nd_print_invalid(ndo);
157 ndo->ndo_protocol = save_protocol;
158 return hdrlen + caplen;
159 }
160
161 short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
162 if (ndo->ndo_eflag)
163 macsec_print_header(ndo, sectag, short_length);
164
165 /* Skip the MACsec header. */
166 *bp += sectag_len;
167 *hdrlenp += sectag_len;
168
169 /* Remove it from the lengths, as it's been processed. */
170 *lengthp -= sectag_len;
171 *caplenp -= sectag_len;
172
173 if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
174 /*
175 * The payload is encrypted. Print link-layer
176 * information, if it hasn't already been printed.
177 */
178 if (!ndo->ndo_eflag) {
179 /*
180 * Nobody printed the link-layer addresses,
181 * so print them, if we have any.
182 */
183 if (src != NULL && dst != NULL) {
184 ND_PRINT("%s > %s ",
185 (src->addr_string)(ndo, src->addr),
186 (dst->addr_string)(ndo, dst->addr));
187 }
188
189 ND_PRINT("802.1AE MACsec, ");
190
191 /*
192 * Print the MACsec header.
193 */
194 macsec_print_header(ndo, sectag, short_length);
195 }
196
197 /*
198 * Tell our caller it can't be dissected.
199 */
200 ndo->ndo_protocol = save_protocol;
201 return 0;
202 }
203
204 /*
205 * The payload isn't encrypted; remove the
206 * ICV length from the lengths, so our caller
207 * doesn't treat it as payload.
208 */
209 if (*lengthp < MACSEC_DEFAULT_ICV_LEN) {
210 nd_print_trunc(ndo);
211 ndo->ndo_protocol = save_protocol;
212 return hdrlen + caplen;
213 }
214 if (*caplenp < MACSEC_DEFAULT_ICV_LEN) {
215 nd_print_trunc(ndo);
216 ndo->ndo_protocol = save_protocol;
217 return hdrlen + caplen;
218 }
219 *lengthp -= MACSEC_DEFAULT_ICV_LEN;
220 *caplenp -= MACSEC_DEFAULT_ICV_LEN;
221 /*
222 * Update the snapend thus the ICV field is not in the payload for
223 * the caller.
224 * The ICV (Integrity Check Value) is at the end of the frame, after
225 * the secure data.
226 */
227 ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
228
229 /*
230 * If the SL field is non-zero, then it's the length of the
231 * Secure Data; otherwise, the Secure Data is what's left
232 * ver after the MACsec header and ICV are removed.
233 */
234 if (short_length != 0) {
235 /*
236 * If the short length is more than we *have*,
237 * that's an error.
238 */
239 if (short_length > *lengthp) {
240 nd_print_trunc(ndo);
241 ndo->ndo_protocol = save_protocol;
242 return hdrlen + caplen;
243 }
244 if (short_length > *caplenp) {
245 nd_print_trunc(ndo);
246 ndo->ndo_protocol = save_protocol;
247 return hdrlen + caplen;
248 }
249 if (*lengthp > short_length)
250 *lengthp = short_length;
251 if (*caplenp > short_length)
252 *caplenp = short_length;
253 }
254
255 ndo->ndo_protocol = save_protocol;
256 return -1;
257 }
[mirror] the TCPdump network dissector