]>
The Tcpdump Group git mirrors - tcpdump/blob - print-macsec.c
1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
3 * Redistribution and use in source and binary forms, with or without
4 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in
11 * the documentation and/or other materials provided with the
13 * 3. The names of the authors may not be used to endorse or promote
14 * products derived from this software without specific prior
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
22 /* \summary: MACsec printer */
28 #include <netdissect-stdinc.h>
32 #include "netdissect.h"
33 #include "addrtoname.h"
35 #include "ethertype.h"
38 static const char tstr
[] = "[|MACsec]";
40 #define MACSEC_DEFAULT_ICV_LEN 16
42 /* Header format (SecTAG), following an Ethernet header
43 * IEEE 802.1AE-2006 9.3
45 * +---------------------------------+----------------+----------------+
46 * | (MACsec ethertype) | TCI_AN | SL |
47 * +---------------------------------+----------------+----------------+
49 * +-------------------------------------------------------------------+
50 * | Secure Channel Identifier |
52 * +-------------------------------------------------------------------+
54 * MACsec ethertype = 0x88e5
55 * TCI: Tag Control Information, set of flags
56 * AN: association number, 2 bits
57 * SL (short length): 6-bit length of the protected payload, if < 48
58 * Packet Number: 32-bits packet identifier
59 * Secure Channel Identifier: 64-bit unique identifier, usually
60 * composed of a MAC address + 16-bit port number
62 struct macsec_sectag
{
64 #if __BYTE_ORDER == __LITTLE_ENDIAN
65 u_char short_length
:6,
67 #else /* __BYTE_ORDER == __BIG_ENDIAN */
71 uint32_t packet_number
;
72 u_char secure_channel_id
[8]; /* optional */
73 } __attribute__((packed
));
75 /* IEEE 802.1AE-2006 9.5 */
76 #define MACSEC_TCI_VERSION 0x80
77 #define MACSEC_TCI_ES 0x40 /* end station */
78 #define MACSEC_TCI_SC 0x20 /* SCI present */
79 #define MACSEC_TCI_SCB 0x10 /* epon */
80 #define MACSEC_TCI_E 0x08 /* encryption */
81 #define MACSEC_TCI_C 0x04 /* changed text */
82 #define MACSEC_AN_MASK 0x03 /* association number */
83 #define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
84 #define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
86 #define MACSEC_SECTAG_LEN_NOSCI 6
87 #define MACSEC_SECTAG_LEN_SCI 14
89 ieee8021ae_sectag_len(const struct macsec_sectag
*sectag
)
91 return (sectag
->tci_an
& MACSEC_TCI_SC
) ?
92 MACSEC_SECTAG_LEN_SCI
:
93 MACSEC_SECTAG_LEN_NOSCI
;
96 static int macsec_check_length(const struct macsec_sectag
*sectag
, u_int length
, u_int caplen
)
100 /* we need the full MACsec header in the capture */
101 if (caplen
< (MACSEC_SECTAG_LEN_NOSCI
+ 2))
104 len
= ieee8021ae_sectag_len(sectag
);
105 if (caplen
< (len
+ 2))
108 if (sectag
->short_length
!= 0) {
109 /* original packet must have exact length */
110 u_int exact
= ETHER_HDRLEN
+ len
+ 2 + sectag
->short_length
;
111 return exact
== length
;
113 /* original packet must not be short */
114 u_int minlen
= ETHER_HDRLEN
+ len
+ 2 + 48;
115 return length
>= minlen
;
121 #define SCI_FMT "%016" PRIx64
123 static const struct tok macsec_flag_values
[] = {
124 { MACSEC_TCI_E
, "E" },
125 { MACSEC_TCI_C
, "C" },
126 { MACSEC_TCI_ES
, "S" },
127 { MACSEC_TCI_SCB
, "B" },
128 { MACSEC_TCI_SC
, "I" },
132 /* returns < 0 iff the packet can be decoded completely */
133 int macsec_print(netdissect_options
*ndo
, const u_char
**bp
,
134 u_int
*lengthp
, u_int
*caplenp
, u_int
*hdrlenp
,
135 u_short
*length_type
)
137 const u_char
*p
= *bp
;
138 u_int length
= *lengthp
;
139 u_int caplen
= *caplenp
;
140 u_int hdrlen
= *hdrlenp
;
141 const struct macsec_sectag
*sectag
= (const struct macsec_sectag
*)p
;
144 if (!macsec_check_length(sectag
, length
, caplen
)) {
145 ND_PRINT((ndo
, tstr
));
146 return hdrlen
+ caplen
;
149 if (sectag
->unused
|| sectag
->tci_an
& MACSEC_TCI_VERSION
) {
150 ND_PRINT((ndo
, "%s", istr
));
151 return hdrlen
+ caplen
;
154 if (ndo
->ndo_eflag
) {
156 int n
= snprintf(buf
, sizeof(buf
), "an %d, pn %d, flags %s",
157 sectag
->tci_an
& MACSEC_AN_MASK
,
158 EXTRACT_32BITS(§ag
->packet_number
),
159 bittok2str_nosep(macsec_flag_values
, "none",
160 sectag
->tci_an
& MACSEC_TCI_FLAGS
));
162 return hdrlen
+ caplen
;
165 if (sectag
->short_length
) {
166 int r
= snprintf(buf
+ n
, sizeof(buf
) - n
, ", sl %d",
167 sectag
->short_length
);
169 return hdrlen
+ caplen
;
173 if (sectag
->tci_an
& MACSEC_TCI_SC
) {
176 sci
= EXTRACT_64BITS(sectag
->secure_channel_id
);
177 r
= snprintf(buf
+ n
, sizeof(buf
) - n
, ", sci " SCI_FMT
, sci
);
179 return hdrlen
+ caplen
;
183 ND_PRINT((ndo
, "%s, ", buf
));
186 len
= ieee8021ae_sectag_len(sectag
);
187 *length_type
= EXTRACT_16BITS(*bp
+ len
);
188 if (ndo
->ndo_eflag
&& *length_type
> ETHERMTU
&& !(sectag
->tci_an
& MACSEC_TCI_E
))
189 ND_PRINT((ndo
, "ethertype %s, ", tok2str(ethertype_values
,"0x%04x", *length_type
)));
191 if ((sectag
->tci_an
& MACSEC_TCI_CONFID
)) {
203 len
+= MACSEC_DEFAULT_ICV_LEN
;
projects / tcpdump / blob