1 /* Copyright (c) 2017, Sabrina Dubroca <sd@queasysnail.net> 2 * 3 * Redistribution and use in source and binary forms, with or without 4 * modification, are permitted provided that the following conditions 5 * are met: 6 * 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in 11 * the documentation and/or other materials provided with the 12 * distribution. 13 * 3. The names of the authors may not be used to endorse or promote 14 * products derived from this software without specific prior 15 * written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 */ 21 22 /* \summary: MACsec printer */ 23 24 #ifdef HAVE_CONFIG_H 25 #include <config.h> 26 #endif 27 28 #include "netdissect-stdinc.h" 29 30 #include "netdissect.h" 31 #include "addrtoname.h" 32 #include "ethertype.h" 33 #include "extract.h" 34 35 #define MACSEC_DEFAULT_ICV_LEN 16 36 37 /* Header format (SecTAG), following an Ethernet header 38 * IEEE 802.1AE-2006 9.3 39 * 40 * +---------------------------------+----------------+----------------+ 41 * | (MACsec ethertype) | TCI_AN | SL | 42 * +---------------------------------+----------------+----------------+ 43 * | Packet Number | 44 * +-------------------------------------------------------------------+ 45 * | Secure Channel Identifier | 46 * | (optional) | 47 * +-------------------------------------------------------------------+ 48 * 49 * MACsec ethertype = 0x88e5 50 * TCI: Tag Control Information, set of flags 51 * AN: association number, 2 bits 52 * SL (short length): 6-bit length of the protected payload, if < 48 53 * Packet Number: 32-bits packet identifier 54 * Secure Channel Identifier: 64-bit unique identifier, usually 55 * composed of a MAC address + 16-bit port number 56 */ 57 struct macsec_sectag { 58 nd_uint8_t tci_an; 59 nd_uint8_t short_length; 60 nd_uint32_t packet_number; 61 nd_uint8_t secure_channel_id[8]; /* optional */ 62 }; 63 64 /* IEEE 802.1AE-2006 9.5 */ 65 #define MACSEC_TCI_VERSION 0x80 66 #define MACSEC_TCI_ES 0x40 /* end station */ 67 #define MACSEC_TCI_SC 0x20 /* SCI present */ 68 #define MACSEC_TCI_SCB 0x10 /* epon */ 69 #define MACSEC_TCI_E 0x08 /* encryption */ 70 #define MACSEC_TCI_C 0x04 /* changed text */ 71 #define MACSEC_AN_MASK 0x03 /* association number */ 72 #define MACSEC_TCI_FLAGS (MACSEC_TCI_ES | MACSEC_TCI_SC | MACSEC_TCI_SCB | MACSEC_TCI_E | MACSEC_TCI_C) 73 #define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C) 74 #define MACSEC_SL_MASK 0x3F /* short length */ 75 76 #define MACSEC_SECTAG_LEN_NOSCI 6 /* length of MACsec header without SCI */ 77 #define MACSEC_SECTAG_LEN_SCI 14 /* length of MACsec header with SCI */ 78 79 #define SCI_FMT "%016" PRIx64 80 81 static const struct tok macsec_flag_values[] = { 82 { MACSEC_TCI_E, "E" }, 83 { MACSEC_TCI_C, "C" }, 84 { MACSEC_TCI_ES, "S" }, 85 { MACSEC_TCI_SCB, "B" }, 86 { MACSEC_TCI_SC, "I" }, 87 { 0, NULL } 88 }; 89 90 static void macsec_print_header(netdissect_options *ndo, 91 const struct macsec_sectag *sectag, 92 u_int short_length) 93 { 94 ND_PRINT("an %u, pn %u, flags %s", 95 GET_U_1(sectag->tci_an) & MACSEC_AN_MASK, 96 GET_BE_U_4(sectag->packet_number), 97 bittok2str_nosep(macsec_flag_values, "none", 98 GET_U_1(sectag->tci_an) & MACSEC_TCI_FLAGS)); 99 100 if (short_length != 0) 101 ND_PRINT(", sl %u", short_length); 102 103 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) 104 ND_PRINT(", sci " SCI_FMT, GET_BE_U_8(sectag->secure_channel_id)); 105 106 ND_PRINT(", "); 107 } 108 109 /* returns < 0 iff the packet can be decoded completely */ 110 int macsec_print(netdissect_options *ndo, const u_char **bp, 111 u_int *lengthp, u_int *caplenp, u_int *hdrlenp, 112 const struct lladdr_info *src, const struct lladdr_info *dst) 113 { 114 const char *save_protocol; 115 const u_char *p = *bp; 116 u_int length = *lengthp; 117 u_int caplen = *caplenp; 118 u_int hdrlen = *hdrlenp; 119 const struct macsec_sectag *sectag = (const struct macsec_sectag *)p; 120 u_int sectag_len; 121 u_int short_length; 122 123 save_protocol = ndo->ndo_protocol; 124 ndo->ndo_protocol = "macsec"; 125 126 /* we need the full MACsec header in the capture */ 127 if (caplen < MACSEC_SECTAG_LEN_NOSCI) { 128 nd_print_trunc(ndo); 129 ndo->ndo_protocol = save_protocol; 130 return hdrlen + caplen; 131 } 132 if (length < MACSEC_SECTAG_LEN_NOSCI) { 133 nd_print_trunc(ndo); 134 ndo->ndo_protocol = save_protocol; 135 return hdrlen + caplen; 136 } 137 138 if (GET_U_1(sectag->tci_an) & MACSEC_TCI_SC) { 139 sectag_len = MACSEC_SECTAG_LEN_SCI; 140 if (caplen < MACSEC_SECTAG_LEN_SCI) { 141 nd_print_trunc(ndo); 142 ndo->ndo_protocol = save_protocol; 143 return hdrlen + caplen; 144 } 145 if (length < MACSEC_SECTAG_LEN_SCI) { 146 nd_print_trunc(ndo); 147 ndo->ndo_protocol = save_protocol; 148 return hdrlen + caplen; 149 } 150 } else 151 sectag_len = MACSEC_SECTAG_LEN_NOSCI; 152 153 if ((GET_U_1(sectag->short_length) & ~MACSEC_SL_MASK) != 0 || 154 GET_U_1(sectag->tci_an) & MACSEC_TCI_VERSION) { 155 nd_print_invalid(ndo); 156 ndo->ndo_protocol = save_protocol; 157 return hdrlen + caplen; 158 } 159 160 short_length = GET_U_1(sectag->short_length) & MACSEC_SL_MASK; 161 if (ndo->ndo_eflag) 162 macsec_print_header(ndo, sectag, short_length); 163 164 /* Skip the MACsec header. */ 165 *bp += sectag_len; 166 *hdrlenp += sectag_len; 167 168 /* Remove it from the lengths, as it's been processed. */ 169 *lengthp -= sectag_len; 170 *caplenp -= sectag_len; 171 172 if ((GET_U_1(sectag->tci_an) & MACSEC_TCI_CONFID)) { 173 /* 174 * The payload is encrypted. Print link-layer 175 * information, if it hasn't already been printed. 176 */ 177 if (!ndo->ndo_eflag) { 178 /* 179 * Nobody printed the link-layer addresses, 180 * so print them, if we have any. 181 */ 182 if (src != NULL && dst != NULL) { 183 ND_PRINT("%s > %s ", 184 (src->addr_string)(ndo, src->addr), 185 (dst->addr_string)(ndo, dst->addr)); 186 } 187 188 ND_PRINT("802.1AE MACsec, "); 189 190 /* 191 * Print the MACsec header. 192 */ 193 macsec_print_header(ndo, sectag, short_length); 194 } 195 196 /* 197 * Tell our caller it can't be dissected. 198 */ 199 ndo->ndo_protocol = save_protocol; 200 return 0; 201 } 202 203 /* 204 * The payload isn't encrypted; remove the 205 * ICV length from the lengths, so our caller 206 * doesn't treat it as payload. 207 */ 208 if (*lengthp < MACSEC_DEFAULT_ICV_LEN) { 209 nd_print_trunc(ndo); 210 ndo->ndo_protocol = save_protocol; 211 return hdrlen + caplen; 212 } 213 if (*caplenp < MACSEC_DEFAULT_ICV_LEN) { 214 nd_print_trunc(ndo); 215 ndo->ndo_protocol = save_protocol; 216 return hdrlen + caplen; 217 } 218 *lengthp -= MACSEC_DEFAULT_ICV_LEN; 219 *caplenp -= MACSEC_DEFAULT_ICV_LEN; 220 /* 221 * Update the snapend thus the ICV field is not in the payload for 222 * the caller. 223 * The ICV (Integrity Check Value) is at the end of the frame, after 224 * the secure data. 225 */ 226 ndo->ndo_snapend -= MACSEC_DEFAULT_ICV_LEN; 227 228 /* 229 * If the SL field is non-zero, then it's the length of the 230 * Secure Data; otherwise, the Secure Data is what's left 231 * ver after the MACsec header and ICV are removed. 232 */ 233 if (short_length != 0) { 234 /* 235 * If the short length is more than we *have*, 236 * that's an error. 237 */ 238 if (short_length > *lengthp) { 239 nd_print_trunc(ndo); 240 ndo->ndo_protocol = save_protocol; 241 return hdrlen + caplen; 242 } 243 if (short_length > *caplenp) { 244 nd_print_trunc(ndo); 245 ndo->ndo_protocol = save_protocol; 246 return hdrlen + caplen; 247 } 248 if (*lengthp > short_length) 249 *lengthp = short_length; 250 if (*caplenp > short_length) 251 *caplenp = short_length; 252 } 253 254 ndo->ndo_protocol = save_protocol; 255 return -1; 256 } 257