xref: /freebsd/contrib/tcpdump/print-macsec.c (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net>
2  *
3  * Redistribution and use in source and binary forms, with or without
4  * modification, are permitted provided that the following conditions
5  * are met:
6  *
7  *   1. Redistributions of source code must retain the above copyright
8  *      notice, this list of conditions and the following disclaimer.
9  *   2. Redistributions in binary form must reproduce the above copyright
10  *      notice, this list of conditions and the following disclaimer in
11  *      the documentation and/or other materials provided with the
12  *      distribution.
13  *   3. The names of the authors may not be used to endorse or promote
14  *      products derived from this software without specific prior
15  *      written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
18  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  */
21 
22 /* \summary: MACsec printer */
23 
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27 
28 #include "netdissect-stdinc.h"
29 
30 #include "netdissect.h"
31 #include "addrtoname.h"
32 #include "ethertype.h"
33 #include "extract.h"
34 
35 #define MACSEC_DEFAULT_ICV_LEN 16
36 
37 /* Header format (SecTAG), following an Ethernet header
38  * IEEE 802.1AE-2006 9.3
39  *
40  * +---------------------------------+----------------+----------------+
41  * |        (MACsec ethertype)       |     TCI_AN     |       SL       |
42  * +---------------------------------+----------------+----------------+
43  * |                           Packet Number                           |
44  * +-------------------------------------------------------------------+
45  * |                     Secure Channel Identifier                     |
46  * |                            (optional)                             |
47  * +-------------------------------------------------------------------+
48  *
49  * MACsec ethertype = 0x88e5
50  * TCI: Tag Control Information, set of flags
51  * AN: association number, 2 bits
52  * SL (short length): 6-bit length of the protected payload, if < 48
53  * Packet Number: 32-bits packet identifier
54  * Secure Channel Identifier: 64-bit unique identifier, usually
55  *     composed of a MAC address + 16-bit port number
56  */
57 struct macsec_sectag {
58 	nd_uint8_t  tci_an;
59 	nd_uint8_t  short_length;
60 	nd_uint32_t packet_number;
61 	nd_uint8_t  secure_channel_id[8]; /* optional */
62 };
63 
64 /* IEEE 802.1AE-2006 9.5 */
65 #define MACSEC_TCI_VERSION 0x80
66 #define MACSEC_TCI_ES      0x40 /* end station */
67 #define MACSEC_TCI_SC      0x20 /* SCI present */
68 #define MACSEC_TCI_SCB     0x10 /* epon */
69 #define MACSEC_TCI_E       0x08 /* encryption */
70 #define MACSEC_TCI_C       0x04 /* changed text */
71 #define MACSEC_AN_MASK     0x03 /* association number */
72 #define MACSEC_TCI_FLAGS   (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C)
73 #define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)
74 #define MACSEC_SL_MASK     0x3F /* short length */
75 
76 #define MACSEC_SECTAG_LEN_NOSCI 6  /* length of MACsec header without SCI */
77 #define MACSEC_SECTAG_LEN_SCI   14 /* length of MACsec header with SCI */
78 
79 #define SCI_FMT "%016" PRIx64
80 
81 static const struct tok macsec_flag_values[] = {
82 	{ MACSEC_TCI_E,   "E" },
83 	{ MACSEC_TCI_C,   "C" },
84 	{ MACSEC_TCI_ES,  "S" },
85 	{ MACSEC_TCI_SCB, "B" },
86 	{ MACSEC_TCI_SC,  "I" },
87 	{ 0, NULL }
88 };
89 
90 static void macsec_print_header(netdissect_options *ndo,
91 				const struct macsec_sectag *sectag,
92 				u_int short_length)
93 {
94 	ND_PRINT("an %u, pn %u, flags %s",
95 		 GET_U_1(sectag->tci_an) & MACSEC_AN_MASK,
96 		 GET_BE_U_4(sectag->packet_number),
97 		 bittok2str_nosep(macsec_flag_values, "none",
98 				  GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS));
99 
100 	if (short_length != 0)
101 		ND_PRINT(", sl %u", short_length);
102 
103 	if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC)
104 		ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id));
105 
106 	ND_PRINT(", ");
107 }
108 
109 /* returns < 0 iff the packet can be decoded completely */
110 int macsec_print(netdissect_options *ndo, const u_char **bp,
111 		 u_int *lengthp, u_int *caplenp, u_int *hdrlenp,
112 		 const struct lladdr_info *src, const struct lladdr_info *dst)
113 {
114 	const char *save_protocol;
115 	const u_char *p = *bp;
116 	u_int length = *lengthp;
117 	u_int caplen = *caplenp;
118 	u_int hdrlen = *hdrlenp;
119 	const struct macsec_sectag *sectag = (const struct macsec_sectag *)p;
120 	u_int sectag_len;
121 	u_int short_length;
122 
123 	save_protocol = ndo->ndo_protocol;
124 	ndo->ndo_protocol = "macsec";
125 
126 	/* we need the full MACsec header in the capture */
127 	if (caplen < MACSEC_SECTAG_LEN_NOSCI) {
128 		nd_print_trunc(ndo);
129 		ndo->ndo_protocol = save_protocol;
130 		return hdrlen + caplen;
131 	}
132 	if (length < MACSEC_SECTAG_LEN_NOSCI) {
133 		nd_print_trunc(ndo);
134 		ndo->ndo_protocol = save_protocol;
135 		return hdrlen + caplen;
136 	}
137 
138 	if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) {
139 		sectag_len = MACSEC_SECTAG_LEN_SCI;
140 		if (caplen < MACSEC_SECTAG_LEN_SCI) {
141 			nd_print_trunc(ndo);
142 			ndo->ndo_protocol = save_protocol;
143 			return hdrlen + caplen;
144 		}
145 		if (length < MACSEC_SECTAG_LEN_SCI) {
146 			nd_print_trunc(ndo);
147 			ndo->ndo_protocol = save_protocol;
148 			return hdrlen + caplen;
149 		}
150 	} else
151 		sectag_len = MACSEC_SECTAG_LEN_NOSCI;
152 
153 	if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 ||
154 	    GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) {
155 		nd_print_invalid(ndo);
156 		ndo->ndo_protocol = save_protocol;
157 		return hdrlen + caplen;
158 	}
159 
160 	short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK;
161 	if (ndo->ndo_eflag)
162 		macsec_print_header(ndo, sectag, short_length);
163 
164 	/* Skip the MACsec header. */
165 	*bp += sectag_len;
166 	*hdrlenp += sectag_len;
167 
168 	/* Remove it from the lengths, as it's been processed. */
169 	*lengthp -= sectag_len;
170 	*caplenp -= sectag_len;
171 
172 	if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) {
173 		/*
174 		 * The payload is encrypted.  Print link-layer
175 		 * information, if it hasn't already been printed.
176 		 */
177 		if (!ndo->ndo_eflag) {
178 			/*
179 			 * Nobody printed the link-layer addresses,
180 			 * so print them, if we have any.
181 			 */
182 			if (src != NULL && dst != NULL) {
183 				ND_PRINT("%s > %s ",
184 					(src->addr_string)(ndo, src->addr),
185 					(dst->addr_string)(ndo, dst->addr));
186 			}
187 
188 			ND_PRINT("802.1AE MACsec, ");
189 
190 			/*
191 			 * Print the MACsec header.
192 			 */
193 			macsec_print_header(ndo, sectag, short_length);
194 		}
195 
196 		/*
197 		 * Tell our caller it can't be dissected.
198 		 */
199 		ndo->ndo_protocol = save_protocol;
200 		return 0;
201 	}
202 
203 	/*
204 	 * The payload isn't encrypted; remove the
205 	 * ICV length from the lengths, so our caller
206 	 * doesn't treat it as payload.
207 	 */
208 	if (*lengthp < MACSEC_DEFAULT_ICV_LEN) {
209 		nd_print_trunc(ndo);
210 		ndo->ndo_protocol = save_protocol;
211 		return hdrlen + caplen;
212 	}
213 	if (*caplenp < MACSEC_DEFAULT_ICV_LEN) {
214 		nd_print_trunc(ndo);
215 		ndo->ndo_protocol = save_protocol;
216 		return hdrlen + caplen;
217 	}
218 	*lengthp -= MACSEC_DEFAULT_ICV_LEN;
219 	*caplenp -= MACSEC_DEFAULT_ICV_LEN;
220 	/*
221 	 * Update the snapend thus the ICV field is not in the payload for
222 	 * the caller.
223 	 * The ICV (Integrity Check Value) is at the end of the frame, after
224 	 * the secure data.
225 	 */
226 	ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN;
227 
228 	/*
229 	 * If the SL field is non-zero, then it's the length of the
230 	 * Secure Data; otherwise, the Secure Data is what's left
231 	 * ver after the MACsec header and ICV are removed.
232 	 */
233 	if (short_length != 0) {
234 		/*
235 		 * If the short length is more than we *have*,
236 		 * that's an error.
237 		 */
238 		if (short_length > *lengthp) {
239 			nd_print_trunc(ndo);
240 			ndo->ndo_protocol = save_protocol;
241 			return hdrlen + caplen;
242 		}
243 		if (short_length > *caplenp) {
244 			nd_print_trunc(ndo);
245 			ndo->ndo_protocol = save_protocol;
246 			return hdrlen + caplen;
247 		}
248 		if (*lengthp > short_length)
249 			*lengthp = short_length;
250 		if (*caplenp > short_length)
251 			*caplenp = short_length;
252 	}
253 
254 	ndo->ndo_protocol = save_protocol;
255 	return -1;
256 }
257