From b669a186dc9a68efb82595d991726bb5e3cb51b6 Mon Sep 17 00:00:00 2001

From: Davide Caratti <dcaratti@redhat.com>

Date: Wed, 3 Aug 2016 17:22:11 +0200

Subject: [PATCH] macsec: cipher and icvlen can be set separately

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1354408

Upstream Status: iproute2.git commit 89bb6e673a6a

commit 89bb6e673a6ae9dd9b6845ed95358dd6653c167e

Author: Davide Caratti <dcaratti@redhat.com>

Date:   Tue Jul 26 11:03:20 2016 +0200

    macsec: cipher and icvlen can be set separately

    since kernel driver has valid default values for 'cipher' and 'icvlen',

    there is no need for requiring users to specify both of them when a new

    link is added. Also, prompt an error message and exit with appropriate

    exit status in case of unsupported cipher suite.

    Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Signed-off-by: Davide Caratti <dcaratti@redhat.com>

---

 ip/ipmacsec.c         | 52 +++++++++++++++++----------------------------------

 man/man8/ip-link.8.in |  6 ++++++

 man/man8/ip-macsec.8  |  4 ++--

 3 files changed, 25 insertions(+), 37 deletions(-)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c

index 34ba341..329be00 100644

--- a/ip/ipmacsec.c

+++ b/ip/ipmacsec.c

@@ -1071,34 +1071,6 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])

 	}

 }

-

-static int do_cipher_suite(struct cipher_args *cipher, int *argcp,

-			   char ***argvp)

-{

-	char **argv = *argvp;

-	int argc = *argcp;

-

-	if (argc == 0)

-		return -1;

-

-	if (strcmp(*argv, "default") == 0 ||

-	    strcmp(*argv, "gcm-aes-128") == 0 ||

-	    strcmp(*argv, "GCM-AES-128") == 0)

-		cipher->id = MACSEC_DEFAULT_CIPHER_ID;

-	NEXT_ARG();

-

-	if (strcmp(*argv, "icvlen") == 0) {

-		NEXT_ARG();

-		if (cipher->icv_len != 0)

-			duparg2("icvlen", "icvlen");

-		get_icvlen(&cipher->icv_len, *argv);

-	}

-	*argcp = argc;

-	*argvp = argv;

-

-	return 0;

-}

-

 static bool check_txsc_flags(bool es, bool scb, bool sci)

 {

 	if (sci && (es || scb))

@@ -1112,7 +1084,8 @@ static void usage(FILE *f)

 {

 	fprintf(f,

 		"Usage: ... macsec [ port PORT | sci SCI ]\n"

-		"                  [ cipher CIPHER_SUITE ]\n"

+		"                  [ cipher { default | gcm-aes-128 } ]\n"

+		"                  [ icvlen { 8..16 } ]\n"

 		"                  [ encrypt { on | off } ]\n"

 		"                  [ send_sci { on | off } ]\n"

 		"                  [ end_station { on | off } ]\n"

@@ -1122,7 +1095,6 @@ static void usage(FILE *f)

 		"                  [ validate { strict | check | disabled } ]\n"

 		"                  [ encodingsa { 0..3 } ]\n"

 		);

-	fprintf(f, "CIPHER_SUITE := [ default = gcm-aes-128 ] icvlen { 8..32 }\n");

 }

 static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,

@@ -1154,11 +1126,21 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,

 	while (argc > 0) {

 		if (strcmp(*argv, "cipher") == 0) {

+			NEXT_ARG();

 			if (cipher.id)

-				duparg2("cipher", "cipher");

+				duparg("cipher", *argv);

+			if (strcmp(*argv, "default") == 0 ||

+			    strcmp(*argv, "gcm-aes-128") == 0 ||

+			    strcmp(*argv, "GCM-AES-128") == 0)

+				cipher.id = MACSEC_DEFAULT_CIPHER_ID;

+			else

+				invarg("expected: default or gcm-aes-128",

+				       *argv);

+		} else if (strcmp(*argv, "icvlen") == 0) {

 			NEXT_ARG();

-			if (do_cipher_suite(&cipher, &argc, &argv))

-				return -1;

+			if (cipher.icv_len)

+				duparg("icvlen", *argv);

+			get_icvlen(&cipher.icv_len, *argv);

 		} else if (strcmp(*argv, "encrypt") == 0) {

 			NEXT_ARG();

 			int i;

@@ -1264,12 +1246,12 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,

 		return -1;

 	}

-	if (cipher.id) {

+	if (cipher.id)

 		addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_CIPHER_SUITE,

 			  &cipher.id, sizeof(cipher.id));

+	if (cipher.icv_len)

 		addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ICV_LEN,

 			  &cipher.icv_len, sizeof(cipher.icv_len));

-	}

 	if (replay_protect != -1) {

 		addattr32(hdr, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);

diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in

index 2633521..18c7040 100644

--- a/man/man8/ip-link.8.in

+++ b/man/man8/ip-link.8.in

@@ -753,6 +753,8 @@ the following additional arguments are supported:

 ] [

 .BI cipher " CIPHER_SUITE"

 ] [

+.BR icvlen " { "

+.IR 8..16 " } ] ["

 .BR encrypt " {"

 .BR on " | " off " } ] [ "

 .BR send_sci " { " on " | " off " } ] ["

@@ -780,6 +782,10 @@ the following additional arguments are supported:

 - defines the cipher suite to use.

 .sp

+.BI icvlen " LENGTH "

+- sets the length of the Integrity Check Value (ICV).

+

+.sp

 .BR "encrypt on " or " encrypt off"

 - switches between authenticated encryption, or authenticity mode only.

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8

index f928c43..105aeec 100644

--- a/man/man8/ip-macsec.8

+++ b/man/man8/ip-macsec.8

@@ -7,8 +7,8 @@ ip-macsec \- MACsec device configuration

 .BI port " PORT"

 |

 .BI sci  " SCI"

-] [ [

-.BR cipher " { " default " | " gcm-aes-128 " } ] "

+] [

+.BR cipher " { " default " | " gcm-aes-128 " } ] ["

 .BI icvlen " ICVLEN"

 ] [

 .BR encrypt " { " on " | " off " } ] ["

-- 

1.8.3.1