1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
2 *
3 * Redistribution and use in source and binary forms, with or without
4 * modification, are permitted provided that the following conditions
5 * are met:
6 *
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in
11 * the documentation and/or other materials provided with the
12 * distribution.
13 * 3. The names of the authors may not be used to endorse or promote
14 * products derived from this software without specific prior
15 * written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 /* \summary: MACsec printer */
23
24 #include <config.h>
25
26 #include "netdissect-stdinc.h"
27
28 #include "netdissect.h"
29 #include "addrtoname.h"
30 #include "extract.h"
31
32 #define MACSEC_DEFAULT_ICV_LEN 16
33
34 /* Header format (SecTAG), following an Ethernet header
35 * IEEE 802.1AE-2006 9.3
36 *
37 * +---------------------------------+----------------+----------------+
38 * | (MACsec ethertype) | TCI_AN | SL |
39 * +---------------------------------+----------------+----------------+
40 * | Packet Number |
41 * +-------------------------------------------------------------------+
42 * | Secure Channel Identifier |
43 * | (optional) |
44 * +-------------------------------------------------------------------+
45 *
46 * MACsec ethertype = 0x88e5
47 * TCI: Tag Control Information, set of flags
48 * AN: association number, 2 bits
49 * SL (short length): 6-bit length of the protected payload, if < 48
50 * Packet Number: 32-bits packet identifier
51 * Secure Channel Identifier: 64-bit unique identifier, usually
52 * composed of a MAC address + 16-bit port number
53 */
54 struct macsec_sectag {
55 nd_uint8_t tci_an;
56 nd_uint8_t short_length;
57 nd_uint32_t packet_number;
58 nd_uint8_t secure_channel_id[8]; /* optional */
59 };
60
61 /* IEEE 802.1AE-2006 9.5 */
62 #define MACSEC_TCI_VERSION 0x80
63 #define MACSEC_TCI_ES 0x40 /* end station */
64 #define MACSEC_TCI_SC 0x20 /* SCI present */
65 #define MACSEC_TCI_SCB 0x10 /* epon */
66 #define MACSEC_TCI_E 0x08 /* encryption */
67 #define MACSEC_TCI_C 0x04 /* changed text */
68 #define MACSEC_AN_MASK 0x03 /* association number */
69 #define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
70 #define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
71 #define MACSEC_SL_MASK 0x3F /* short length */
72
73 #define MACSEC_SECTAG_LEN_NOSCI 6 /* length of MACsec header without SCI */
74 #define MACSEC_SECTAG_LEN_SCI 14 /* length of MACsec header with SCI */
75
76 #define SCI_FMT "%016" PRIx64
77
78 static const struct tok macsec_flag_values[] = {
79 { MACSEC_TCI_E, "E" },
80 { MACSEC_TCI_C, "C" },
81 { MACSEC_TCI_ES, "S" },
82 { MACSEC_TCI_SCB, "B" },
83 { MACSEC_TCI_SC, "I" },
84 { 0, NULL }
85 };
86
macsec_print_header(netdissect_options * ndo,const struct macsec_sectag * sectag,u_int short_length)87 static void macsec_print_header(netdissect_options *ndo,
88 const struct macsec_sectag *sectag,
89 u_int short_length)
90 {
91 ND_PRINT("an %u, pn %u, flags %s",
92 GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
93 GET_BE_U_4(sectag->packet_number),
94 bittok2str_nosep(macsec_flag_values, "none",
95 GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
96
97 if (short_length != 0)
98 ND_PRINT(", sl %u", short_length);
99
100 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
101 ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
102
103 ND_PRINT(", ");
104 }
105
106 /* returns < 0 iff the packet can be decoded completely */
macsec_print(netdissect_options * ndo,const u_char ** bp,u_int * lengthp,u_int * caplenp,u_int * hdrlenp,const struct lladdr_info * src,const struct lladdr_info * dst)107 int macsec_print(netdissect_options *ndo, const u_char **bp,
108 u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
109 const struct lladdr_info *src, const struct lladdr_info *dst)
110 {
111 const char *save_protocol;
112 const u_char *p = *bp;
113 u_int length = *lengthp;
114 u_int caplen = *caplenp;
115 u_int hdrlen = *hdrlenp;
116 const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
117 u_int sectag_len;
118 u_int short_length;
119
120 save_protocol = ndo->ndo_protocol;
121 ndo->ndo_protocol = "macsec";
122
123 /* we need the full MACsec header in the capture */
124 if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
125 nd_print_trunc(ndo);
126 ndo->ndo_protocol = save_protocol;
127 return hdrlen + caplen;
128 }
129 if (length < MACSEC_SECTAG_LEN_NOSCI) {
130 nd_print_trunc(ndo);
131 ndo->ndo_protocol = save_protocol;
132 return hdrlen + caplen;
133 }
134
135 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
136 sectag_len = MACSEC_SECTAG_LEN_SCI;
137 if (caplen < MACSEC_SECTAG_LEN_SCI) {
138 nd_print_trunc(ndo);
139 ndo->ndo_protocol = save_protocol;
140 return hdrlen + caplen;
141 }
142 if (length < MACSEC_SECTAG_LEN_SCI) {
143 nd_print_trunc(ndo);
144 ndo->ndo_protocol = save_protocol;
145 return hdrlen + caplen;
146 }
147 } else
148 sectag_len = MACSEC_SECTAG_LEN_NOSCI;
149
150 if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
151 GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
152 nd_print_invalid(ndo);
153 ndo->ndo_protocol = save_protocol;
154 return hdrlen + caplen;
155 }
156
157 short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
158 if (ndo->ndo_eflag)
159 macsec_print_header(ndo, sectag, short_length);
160
161 /* Skip the MACsec header. */
162 *bp += sectag_len;
163 *hdrlenp += sectag_len;
164
165 /* Remove it from the lengths, as it's been processed. */
166 *lengthp -= sectag_len;
167 *caplenp -= sectag_len;
168
169 if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
170 /*
171 * The payload is encrypted. Print link-layer
172 * information, if it hasn't already been printed.
173 */
174 if (!ndo->ndo_eflag) {
175 /*
176 * Nobody printed the link-layer addresses,
177 * so print them, if we have any.
178 */
179 if (src != NULL && dst != NULL) {
180 ND_PRINT("%s > %s ",
181 (src->addr_string)(ndo, src->addr),
182 (dst->addr_string)(ndo, dst->addr));
183 }
184
185 ND_PRINT("802.1AE MACsec, ");
186
187 /*
188 * Print the MACsec header.
189 */
190 macsec_print_header(ndo, sectag, short_length);
191 }
192
193 /*
194 * Tell our caller it can't be dissected.
195 */
196 ndo->ndo_protocol = save_protocol;
197 return 0;
198 }
199
200 /*
201 * The payload isn't encrypted; remove the
202 * ICV length from the lengths, so our caller
203 * doesn't treat it as payload.
204 */
205 if (*lengthp < MACSEC_DEFAULT_ICV_LEN) {
206 nd_print_trunc(ndo);
207 ndo->ndo_protocol = save_protocol;
208 return hdrlen + caplen;
209 }
210 if (*caplenp < MACSEC_DEFAULT_ICV_LEN) {
211 nd_print_trunc(ndo);
212 ndo->ndo_protocol = save_protocol;
213 return hdrlen + caplen;
214 }
215 *lengthp -= MACSEC_DEFAULT_ICV_LEN;
216 *caplenp -= MACSEC_DEFAULT_ICV_LEN;
217 /*
218 * Update the snapend thus the ICV field is not in the payload for
219 * the caller.
220 * The ICV (Integrity Check Value) is at the end of the frame, after
221 * the secure data.
222 */
223 ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
224
225 /*
226 * If the SL field is non-zero, then it's the length of the
227 * Secure Data; otherwise, the Secure Data is what's left
228 * ver after the MACsec header and ICV are removed.
229 */
230 if (short_length != 0) {
231 /*
232 * If the short length is more than we *have*,
233 * that's an error.
234 */
235 if (short_length > *lengthp) {
236 nd_print_trunc(ndo);
237 ndo->ndo_protocol = save_protocol;
238 return hdrlen + caplen;
239 }
240 if (short_length > *caplenp) {
241 nd_print_trunc(ndo);
242 ndo->ndo_protocol = save_protocol;
243 return hdrlen + caplen;
244 }
245 if (*lengthp > short_length)
246 *lengthp = short_length;
247 if (*caplenp > short_length)
248 *caplenp = short_length;
249 }
250
251 ndo->ndo_protocol = save_protocol;
252 return -1;
253 }
254