From b669a186dc9a68efb82595d991726bb5e3cb51b6 Mon Sep 17 00:00:00 2001
From: Davide Caratti <dcaratti@redhat.com>
Date: Wed, 3 Aug 2016 17:22:11 +0200
Subject: [PATCH] macsec: cipher and icvlen can be set separately

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1354408
Upstream Status: iproute2.git commit 89bb6e673a6a

commit 89bb6e673a6ae9dd9b6845ed95358dd6653c167e
Author: Davide Caratti <dcaratti@redhat.com>
Date:   Tue Jul 26 11:03:20 2016 +0200

    macsec: cipher and icvlen can be set separately

    since kernel driver has valid default values for 'cipher' and 'icvlen',
    there is no need for requiring users to specify both of them when a new
    link is added. Also, prompt an error message and exit with appropriate
    exit status in case of unsupported cipher suite.

    Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
 ip/ipmacsec.c         | 52 +++++++++++++++++----------------------------------
 man/man8/ip-link.8.in |  6 ++++++
 man/man8/ip-macsec.8  |  4 ++--
 3 files changed, 25 insertions(+), 37 deletions(-)

diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
index 34ba341..329be00 100644
--- a/ip/ipmacsec.c
+++ b/ip/ipmacsec.c
@@ -1071,34 +1071,6 @@ static void macsec_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
 	}
 }
 
-
-static int do_cipher_suite(struct cipher_args *cipher, int *argcp,
-			   char ***argvp)
-{
-	char **argv = *argvp;
-	int argc = *argcp;
-
-	if (argc == 0)
-		return -1;
-
-	if (strcmp(*argv, "default") == 0 ||
-	    strcmp(*argv, "gcm-aes-128") == 0 ||
-	    strcmp(*argv, "GCM-AES-128") == 0)
-		cipher->id = MACSEC_DEFAULT_CIPHER_ID;
-	NEXT_ARG();
-
-	if (strcmp(*argv, "icvlen") == 0) {
-		NEXT_ARG();
-		if (cipher->icv_len != 0)
-			duparg2("icvlen", "icvlen");
-		get_icvlen(&cipher->icv_len, *argv);
-	}
-	*argcp = argc;
-	*argvp = argv;
-
-	return 0;
-}
-
 static bool check_txsc_flags(bool es, bool scb, bool sci)
 {
 	if (sci && (es || scb))
@@ -1112,7 +1084,8 @@ static void usage(FILE *f)
 {
 	fprintf(f,
 		"Usage: ... macsec [ port PORT | sci SCI ]\n"
-		"                  [ cipher CIPHER_SUITE ]\n"
+		"                  [ cipher { default | gcm-aes-128 } ]\n"
+		"                  [ icvlen { 8..16 } ]\n"
 		"                  [ encrypt { on | off } ]\n"
 		"                  [ send_sci { on | off } ]\n"
 		"                  [ end_station { on | off } ]\n"
@@ -1122,7 +1095,6 @@ static void usage(FILE *f)
 		"                  [ validate { strict | check | disabled } ]\n"
 		"                  [ encodingsa { 0..3 } ]\n"
 		);
-	fprintf(f, "CIPHER_SUITE := [ default = gcm-aes-128 ] icvlen { 8..32 }\n");
 }
 
 static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
@@ -1154,11 +1126,21 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 
 	while (argc > 0) {
 		if (strcmp(*argv, "cipher") == 0) {
+			NEXT_ARG();
 			if (cipher.id)
-				duparg2("cipher", "cipher");
+				duparg("cipher", *argv);
+			if (strcmp(*argv, "default") == 0 ||
+			    strcmp(*argv, "gcm-aes-128") == 0 ||
+			    strcmp(*argv, "GCM-AES-128") == 0)
+				cipher.id = MACSEC_DEFAULT_CIPHER_ID;
+			else
+				invarg("expected: default or gcm-aes-128",
+				       *argv);
+		} else if (strcmp(*argv, "icvlen") == 0) {
 			NEXT_ARG();
-			if (do_cipher_suite(&cipher, &argc, &argv))
-				return -1;
+			if (cipher.icv_len)
+				duparg("icvlen", *argv);
+			get_icvlen(&cipher.icv_len, *argv);
 		} else if (strcmp(*argv, "encrypt") == 0) {
 			NEXT_ARG();
 			int i;
@@ -1264,12 +1246,12 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
 		return -1;
 	}
 
-	if (cipher.id) {
+	if (cipher.id)
 		addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_CIPHER_SUITE,
 			  &cipher.id, sizeof(cipher.id));
+	if (cipher.icv_len)
 		addattr_l(hdr, MACSEC_BUFLEN, IFLA_MACSEC_ICV_LEN,
 			  &cipher.icv_len, sizeof(cipher.icv_len));
-	}
 
 	if (replay_protect != -1) {
 		addattr32(hdr, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 2633521..18c7040 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -753,6 +753,8 @@ the following additional arguments are supported:
 ] [
 .BI cipher " CIPHER_SUITE"
 ] [
+.BR icvlen " { "
+.IR 8..16 " } ] ["
 .BR encrypt " {"
 .BR on " | " off " } ] [ "
 .BR send_sci " { " on " | " off " } ] ["
@@ -780,6 +782,10 @@ the following additional arguments are supported:
 - defines the cipher suite to use.
 
 .sp
+.BI icvlen " LENGTH "
+- sets the length of the Integrity Check Value (ICV).
+
+.sp
 .BR "encrypt on " or " encrypt off"
 - switches between authenticated encryption, or authenticity mode only.
 
diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index f928c43..105aeec 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -7,8 +7,8 @@ ip-macsec \- MACsec device configuration
 .BI port " PORT"
 |
 .BI sci  " SCI"
-] [ [
-.BR cipher " { " default " | " gcm-aes-128 " } ] "
+] [
+.BR cipher " { " default " | " gcm-aes-128 " } ] ["
 .BI icvlen " ICVLEN"
 ] [
 .BR encrypt " { " on " | " off " } ] ["
-- 
1.8.3.1