#include "netdissect.h"
#include "addrtoname.h"
-#include "ether.h"
#include "ethertype.h"
#include "extract.h"
-static const char tstr[] = "[|MACsec]";
-
#define MACSEC_DEFAULT_ICV_LEN 16
/* Header format (SecTAG), following an Ethernet header
* composed of a MAC address + 16-bit port number
*/
struct macsec_sectag {
- u_char tci_an;
-#if __BYTE_ORDER == __LITTLE_ENDIAN
- u_char short_length:6,
- unused:2;
-#else /* __BYTE_ORDER == __BIG_ENDIAN */
- u_char unused:2,
- short_length:6;
-#endif
- uint32_t packet_number;
- u_char secure_channel_id[8]; /* optional */
-} __attribute__((packed));
+ nd_uint8_t tci_an;
+ nd_uint8_t short_length;
+ nd_uint32_t packet_number;
+ nd_uint8_t secure_channel_id[8]; /* optional */
+};
/* IEEE 802.1AE-2006 9.5 */
#define MACSEC_TCI_VERSION 0x80
#define MACSEC_AN_MASK 0x03 /* association number */
#define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
+#define MACSEC_SL_MASK 0x3F /* short length */
-#define MACSEC_SECTAG_LEN_NOSCI 6
-#define MACSEC_SECTAG_LEN_SCI 14
-static int
-ieee8021ae_sectag_len(const struct macsec_sectag *sectag)
-{
- return (sectag->tci_an & MACSEC_TCI_SC) ?
- MACSEC_SECTAG_LEN_SCI :
- MACSEC_SECTAG_LEN_NOSCI;
-}
-
-static int macsec_check_length(const struct macsec_sectag *sectag, u_int length, u_int caplen)
-{
- u_int len;
-
- /* we need the full MACsec header in the capture */
- if (caplen < (MACSEC_SECTAG_LEN_NOSCI + 2))
- return 0;
-
- len = ieee8021ae_sectag_len(sectag);
- if (caplen < (len + 2))
- return 0;
-
- if (sectag->short_length != 0) {
- /* original packet must have exact length */
- u_int exact = ETHER_HDRLEN + len + 2 + sectag->short_length;
- return exact == length;
- } else {
- /* original packet must not be short */
- u_int minlen = ETHER_HDRLEN + len + 2 + 48;
- return length >= minlen;
- }
-
- return 1;
-}
+#define MACSEC_SECTAG_LEN_NOSCI 6 /* length of MACsec header without SCI */
+#define MACSEC_SECTAG_LEN_SCI 14 /* length of MACsec header with SCI */
#define SCI_FMT "%016" PRIx64
/* returns < 0 iff the packet can be decoded completely */
int macsec_print(netdissect_options *ndo, const u_char **bp,
- u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
- u_short *length_type)
+ u_int *lengthp, u_int *caplenp, u_int *hdrlenp)
{
+ const char *save_protocol;
const u_char *p = *bp;
u_int length = *lengthp;
u_int caplen = *caplenp;
u_int hdrlen = *hdrlenp;
const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
- u_int len;
+ u_int sectag_len;
- if (!macsec_check_length(sectag, length, caplen)) {
- ND_PRINT((ndo, tstr));
+ save_protocol = ndo->ndo_protocol;
+ ndo->ndo_protocol = "MACsec";
+
+ /* we need the full MACsec header in the capture */
+ if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
return hdrlen + caplen;
}
-
- if (sectag->unused || sectag->tci_an & MACSEC_TCI_VERSION) {
- ND_PRINT((ndo, "%s", istr));
+ if (length < MACSEC_SECTAG_LEN_NOSCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
return hdrlen + caplen;
}
- if (ndo->ndo_eflag) {
- char buf[128];
- int n = snprintf(buf, sizeof(buf), "an %d, pn %d, flags %s",
- sectag->tci_an & MACSEC_AN_MASK,
- EXTRACT_32BITS(§ag->packet_number),
- bittok2str_nosep(macsec_flag_values, "none",
- sectag->tci_an & MACSEC_TCI_FLAGS));
- if (n < 0)
+ if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
+ sectag_len = MACSEC_SECTAG_LEN_SCI;
+ if (caplen < MACSEC_SECTAG_LEN_SCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
return hdrlen + caplen;
-
-
- if (sectag->short_length) {
- int r = snprintf(buf + n, sizeof(buf) - n, ", sl %d",
- sectag->short_length);
- if (r < 0)
- return hdrlen + caplen;
- n += r;
}
-
- if (sectag->tci_an & MACSEC_TCI_SC) {
- uint64_t sci;
- int r;
- sci = EXTRACT_64BITS(sectag->secure_channel_id);
- r = snprintf(buf + n, sizeof(buf) - n, ", sci " SCI_FMT, sci);
- if (r < 0)
- return hdrlen + caplen;
- n += r;
+ if (length < MACSEC_SECTAG_LEN_SCI) {
+ nd_print_trunc(ndo);
+ ndo->ndo_protocol = save_protocol;
+ return hdrlen + caplen;
}
+ } else
+ sectag_len = MACSEC_SECTAG_LEN_NOSCI;
- ND_PRINT((ndo, "%s, ", buf));
+ if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
+ GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
+ nd_print_invalid(ndo);
+ ndo->ndo_protocol = save_protocol;
+ return hdrlen + caplen;
}
- len = ieee8021ae_sectag_len(sectag);
- *length_type = EXTRACT_16BITS(*bp + len);
- if (ndo->ndo_eflag && *length_type > ETHERMTU && !(sectag->tci_an & MACSEC_TCI_E))
- ND_PRINT((ndo, "ethertype %s, ", tok2str(ethertype_values,"0x%04x", *length_type)));
+ if (ndo->ndo_eflag) {
+ ND_PRINT("an %u, pn %u, flags %s",
+ GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
+ GET_BE_U_4(sectag->packet_number),
+ bittok2str_nosep(macsec_flag_values, "none",
+ GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
+
+ if ((GET_U_1(sectag->short_length) & MACSEC_SL_MASK) != 0)
+ ND_PRINT(", sl %u", GET_U_1(sectag->short_length) & MACSEC_SL_MASK);
+
+ if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
+ ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
+
+ ND_PRINT(", ");
+ }
+
+ /* Skip the MACsec header. */
+ *bp += sectag_len;
+ *hdrlenp += sectag_len;
- if ((sectag->tci_an & MACSEC_TCI_CONFID)) {
- *bp += len;
- *hdrlenp += len;
+ /* Remove it from the lengths, as it's been processed. */
+ *lengthp -= sectag_len;
+ *caplenp -= sectag_len;
- *lengthp -= len;
- *caplenp -= len;
+ if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
+ /*
+ * The payload is encrypted. Tell our
+ * caller it can't be dissected.
+ */
+ ndo->ndo_protocol = save_protocol;
return 0;
} else {
- len += 2;
- *bp += len;
- *hdrlenp += len;
-
- len += MACSEC_DEFAULT_ICV_LEN;
- *lengthp -= len;
- *caplenp -= len;
+ /*
+ * The payload isn't encrypted; remove the
+ * ICV length from the lengths, so our caller
+ * doesn't treat it as payload.
+ */
+ if (*lengthp >= MACSEC_DEFAULT_ICV_LEN)
+ *lengthp -= MACSEC_DEFAULT_ICV_LEN;
+ if (*caplenp >= MACSEC_DEFAULT_ICV_LEN)
+ *caplenp -= MACSEC_DEFAULT_ICV_LEN;
+ ndo->ndo_protocol = save_protocol;
return -1;
}
}
projects / tcpdump / blobdiff