The Tcpdump Group git mirrors - tcpdump/blob - print-macsec.c

   1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
   2  *
   3  * Redistribution and use in source and binary forms, with or without
   4  * modification, are permitted provided that the following conditions
   5  * are met:
   6  *
   7  *   1. Redistributions of source code must retain the above copyright
   8  *      notice, this list of conditions and the following disclaimer.
   9  *   2. Redistributions in binary form must reproduce the above copyright
  10  *      notice, this list of conditions and the following disclaimer in
  11  *      the documentation and/or other materials provided with the
  12  *      distribution.
  13  *   3. The names of the authors may not be used to endorse or promote
  14  *      products derived from this software without specific prior
  15  *      written permission.
  16  *
  17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  18  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  20  */
  21
  22 /* \summary: MACsec printer */
  23
  24 #ifdef HAVE_CONFIG_H
  25 #include "config.h"
  26 #endif
  27
  28 #include <netdissect-stdinc.h>
  29
  30 #include <string.h>
  31
  32 #include "netdissect.h"
  33 #include "addrtoname.h"
  34 #include "ethertype.h"
  35 #include "extract.h"
  36
  37 #define MACSEC_DEFAULT_ICV_LEN 16
  38
  39 /* Header format (SecTAG), following an Ethernet header
  40  * IEEE 802.1AE-2006 9.3
  41  *
  42  * +---------------------------------+----------------+----------------+
  43  * |        (MACsec ethertype)       |     TCI_AN     |       SL       |
  44  * +---------------------------------+----------------+----------------+
  45  * |                           Packet Number                           |
  46  * +-------------------------------------------------------------------+
  47  * |                     Secure Channel Identifier                     |
  48  * |                            (optional)                             |
  49  * +-------------------------------------------------------------------+
  50  *
  51  * MACsec ethertype = 0x88e5
  52  * TCI: Tag Control Information, set of flags
  53  * AN: association number, 2 bits
  54  * SL (short length): 6-bit length of the protected payload, if < 48
  55  * Packet Number: 32-bits packet identifier
  56  * Secure Channel Identifier: 64-bit unique identifier, usually
  57  *     composed of a MAC address + 16-bit port number
  58  */
  59 struct macsec_sectag {
  60         nd_uint8_t  tci_an;
  61         nd_uint8_t  short_length;
  62         nd_uint32_t packet_number;
  63         nd_uint8_t  secure_channel_id[8]; /* optional */
  64 };
  65
  66 /* IEEE 802.1AE-2006 9.5 */
  67 #define MACSEC_TCI_VERSION 0x80
  68 #define MACSEC_TCI_ES      0x40 /* end station */
  69 #define MACSEC_TCI_SC      0x20 /* SCI present */
  70 #define MACSEC_TCI_SCB     0x10 /* epon */
  71 #define MACSEC_TCI_E       0x08 /* encryption */
  72 #define MACSEC_TCI_C       0x04 /* changed text */
  73 #define MACSEC_AN_MASK     0x03 /* association number */
  74 #define MACSEC_TCI_FLAGS   (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
  75 #define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)
  76 #define MACSEC_SL_MASK     0x3F /* short length */
  77
  78 #define MACSEC_SECTAG_LEN_NOSCI 6  /* length of MACsec header without SCI */
  79 #define MACSEC_SECTAG_LEN_SCI   14 /* length of MACsec header with SCI */
  80
  81 #define SCI_FMT "%016" PRIx64
  82
  83 static const struct tok macsec_flag_values[] = {
  84         { MACSEC_TCI_E,   "E" },
  85         { MACSEC_TCI_C,   "C" },
  86         { MACSEC_TCI_ES,  "S" },
  87         { MACSEC_TCI_SCB, "B" },
  88         { MACSEC_TCI_SC,  "I" },
  89         { 0, NULL }
  90 };
  91
  92 /* returns < 0 iff the packet can be decoded completely */
  93 int macsec_print(netdissect_options *ndo, const u_char **bp,
  94                  u_int *lengthp, u_int *caplenp, u_int *hdrlenp)
  95 {
  96         const char *save_protocol;
  97         const u_char *p = *bp;
  98         u_int length = *lengthp;
  99         u_int caplen = *caplenp;
 100         u_int hdrlen = *hdrlenp;
 101         const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
 102         u_int sectag_len;
 103
 104         save_protocol = ndo->ndo_protocol;
 105         ndo->ndo_protocol = "MACsec";
 106
 107         /* we need the full MACsec header in the capture */
 108         if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
 109                 nd_print_trunc(ndo);
 110                 ndo->ndo_protocol = save_protocol;
 111                 return hdrlen + caplen;
 112         }
 113         if (length < MACSEC_SECTAG_LEN_NOSCI) {
 114                 nd_print_trunc(ndo);
 115                 ndo->ndo_protocol = save_protocol;
 116                 return hdrlen + caplen;
 117         }
 118
 119         if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
 120                 sectag_len = MACSEC_SECTAG_LEN_SCI;
 121                 if (caplen < MACSEC_SECTAG_LEN_SCI) {
 122                         nd_print_trunc(ndo);
 123                         ndo->ndo_protocol = save_protocol;
 124                         return hdrlen + caplen;
 125                 }
 126                 if (length < MACSEC_SECTAG_LEN_SCI) {
 127                         nd_print_trunc(ndo);
 128                         ndo->ndo_protocol = save_protocol;
 129                         return hdrlen + caplen;
 130                 }
 131         } else
 132                 sectag_len = MACSEC_SECTAG_LEN_NOSCI;
 133
 134         if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
 135             GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
 136                 nd_print_invalid(ndo);
 137                 ndo->ndo_protocol = save_protocol;
 138                 return hdrlen + caplen;
 139         }
 140
 141         if (ndo->ndo_eflag) {
 142                 ND_PRINT("an %u, pn %u, flags %s",
 143                          GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
 144                          GET_BE_U_4(sectag->packet_number),
 145                          bittok2str_nosep(macsec_flag_values, "none",
 146                                           GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
 147
 148                 if ((GET_U_1(sectag->short_length) & MACSEC_SL_MASK) != 0)
 149                         ND_PRINT(", sl %u", GET_U_1(sectag->short_length) & MACSEC_SL_MASK);
 150
 151                 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
 152                         ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
 153
 154                 ND_PRINT(", ");
 155         }
 156
 157         /* Skip the MACsec header. */
 158         *bp += sectag_len;
 159         *hdrlenp += sectag_len;
 160
 161         /* Remove it from the lengths, as it's been processed. */
 162         *lengthp -= sectag_len;
 163         *caplenp -= sectag_len;
 164
 165         if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
 166                 /*
 167                  * The payload is encrypted.  Tell our
 168                  * caller it can't be dissected.
 169                  */
 170                 ndo->ndo_protocol = save_protocol;
 171                 return 0;
 172         } else {
 173                 /*
 174                  * The payload isn't encrypted; remove the
 175                  * ICV length from the lengths, so our caller
 176                  * doesn't treat it as payload.
 177                  */
 178                 if (*lengthp >= MACSEC_DEFAULT_ICV_LEN)
 179                         *lengthp -= MACSEC_DEFAULT_ICV_LEN;
 180                 if (*caplenp >= MACSEC_DEFAULT_ICV_LEN)
 181                         *caplenp -= MACSEC_DEFAULT_ICV_LEN;
 182                 ndo->ndo_protocol = save_protocol;
 183                 return -1;
 184         }
 185 }