1
2
3
4
5
6
7
8
9
10
11
12#include <linux/types.h>
13#include <linux/skbuff.h>
14#include <linux/socket.h>
15#include <linux/module.h>
16#include <crypto/aead.h>
17#include <linux/etherdevice.h>
18#include <linux/rtnetlink.h>
19#include <linux/refcount.h>
20#include <net/genetlink.h>
21#include <net/sock.h>
22#include <net/gro_cells.h>
23#include <linux/if_arp.h>
24
25#include <uapi/linux/if_macsec.h>
26
27typedef u64 __bitwise sci_t;
28
29#define MACSEC_SCI_LEN 8
30
31
32#define MACSEC_TAG_LEN 6
33
34struct macsec_eth_header {
35 struct ethhdr eth;
36
37 u8 tci_an;
38#if defined(__LITTLE_ENDIAN_BITFIELD)
39 u8 short_length:6,
40 unused:2;
41#elif defined(__BIG_ENDIAN_BITFIELD)
42 u8 unused:2,
43 short_length:6;
44#else
45#error "Please fix <asm/byteorder.h>"
46#endif
47 __be32 packet_number;
48 u8 secure_channel_id[8];
49} __packed;
50
51#define MACSEC_TCI_VERSION 0x80
52#define MACSEC_TCI_ES 0x40
53#define MACSEC_TCI_SC 0x20
54#define MACSEC_TCI_SCB 0x10
55#define MACSEC_TCI_E 0x08
56#define MACSEC_TCI_C 0x04
57#define MACSEC_AN_MASK 0x03
58#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
59
60
61#define MIN_NON_SHORT_LEN 48
62
63#define GCM_AES_IV_LEN 12
64#define DEFAULT_ICV_LEN 16
65
66#define MACSEC_NUM_AN 4
67
68#define for_each_rxsc(secy, sc) \
69 for (sc = rcu_dereference_bh(secy->rx_sc); \
70 sc; \
71 sc = rcu_dereference_bh(sc->next))
72#define for_each_rxsc_rtnl(secy, sc) \
73 for (sc = rtnl_dereference(secy->rx_sc); \
74 sc; \
75 sc = rtnl_dereference(sc->next))
76
77struct gcm_iv {
78 union {
79 u8 secure_channel_id[8];
80 sci_t sci;
81 };
82 __be32 pn;
83};
84
85
86
87
88
89
90struct macsec_key {
91 u8 id[MACSEC_KEYID_LEN];
92 struct crypto_aead *tfm;
93};
94
95struct macsec_rx_sc_stats {
96 __u64 InOctetsValidated;
97 __u64 InOctetsDecrypted;
98 __u64 InPktsUnchecked;
99 __u64 InPktsDelayed;
100 __u64 InPktsOK;
101 __u64 InPktsInvalid;
102 __u64 InPktsLate;
103 __u64 InPktsNotValid;
104 __u64 InPktsNotUsingSA;
105 __u64 InPktsUnusedSA;
106};
107
108struct macsec_rx_sa_stats {
109 __u32 InPktsOK;
110 __u32 InPktsInvalid;
111 __u32 InPktsNotValid;
112 __u32 InPktsNotUsingSA;
113 __u32 InPktsUnusedSA;
114};
115
116struct macsec_tx_sa_stats {
117 __u32 OutPktsProtected;
118 __u32 OutPktsEncrypted;
119};
120
121struct macsec_tx_sc_stats {
122 __u64 OutPktsProtected;
123 __u64 OutPktsEncrypted;
124 __u64 OutOctetsProtected;
125 __u64 OutOctetsEncrypted;
126};
127
128struct macsec_dev_stats {
129 __u64 OutPktsUntagged;
130 __u64 InPktsUntagged;
131 __u64 OutPktsTooLong;
132 __u64 InPktsNoTag;
133 __u64 InPktsBadTag;
134 __u64 InPktsUnknownSCI;
135 __u64 InPktsNoSCI;
136 __u64 InPktsOverrun;
137};
138
139
140
141
142
143
144
145
146
147struct macsec_rx_sa {
148 struct macsec_key key;
149 spinlock_t lock;
150 u32 next_pn;
151 refcount_t refcnt;
152 bool active;
153 struct macsec_rx_sa_stats __percpu *stats;
154 struct macsec_rx_sc *sc;
155 struct rcu_head rcu;
156};
157
158struct pcpu_rx_sc_stats {
159 struct macsec_rx_sc_stats stats;
160 struct u64_stats_sync syncp;
161};
162
163
164
165
166
167
168
169
170struct macsec_rx_sc {
171 struct macsec_rx_sc __rcu *next;
172 sci_t sci;
173 bool active;
174 struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
175 struct pcpu_rx_sc_stats __percpu *stats;
176 refcount_t refcnt;
177 struct rcu_head rcu_head;
178};
179
180
181
182
183
184
185
186
187
188struct macsec_tx_sa {
189 struct macsec_key key;
190 spinlock_t lock;
191 u32 next_pn;
192 refcount_t refcnt;
193 bool active;
194 struct macsec_tx_sa_stats __percpu *stats;
195 struct rcu_head rcu;
196};
197
198struct pcpu_tx_sc_stats {
199 struct macsec_tx_sc_stats stats;
200 struct u64_stats_sync syncp;
201};
202
203
204
205
206
207
208
209
210
211
212
213
214struct macsec_tx_sc {
215 bool active;
216 u8 encoding_sa;
217 bool encrypt;
218 bool send_sci;
219 bool end_station;
220 bool scb;
221 struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
222 struct pcpu_tx_sc_stats __percpu *stats;
223};
224
225#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242struct macsec_secy {
243 struct net_device *netdev;
244 unsigned int n_rx_sc;
245 sci_t sci;
246 u16 key_len;
247 u16 icv_len;
248 enum macsec_validation_type validate_frames;
249 bool operational;
250 bool protect_frames;
251 bool replay_protect;
252 u32 replay_window;
253 struct macsec_tx_sc tx_sc;
254 struct macsec_rx_sc __rcu *rx_sc;
255};
256
257struct pcpu_secy_stats {
258 struct macsec_dev_stats stats;
259 struct u64_stats_sync syncp;
260};
261
262
263
264
265
266
267
268
269struct macsec_dev {
270 struct macsec_secy secy;
271 struct net_device *real_dev;
272 struct pcpu_secy_stats __percpu *stats;
273 struct list_head secys;
274 struct gro_cells gro_cells;
275};
276
277
278
279
280
281struct macsec_rxh_data {
282 struct list_head secys;
283};
284
285static struct macsec_dev *macsec_priv(const struct net_device *dev)
286{
287 return (struct macsec_dev *)netdev_priv(dev);
288}
289
290static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
291{
292 return rcu_dereference_bh(dev->rx_handler_data);
293}
294
295static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
296{
297 return rtnl_dereference(dev->rx_handler_data);
298}
299
300struct macsec_cb {
301 struct aead_request *req;
302 union {
303 struct macsec_tx_sa *tx_sa;
304 struct macsec_rx_sa *rx_sa;
305 };
306 u8 assoc_num;
307 bool valid;
308 bool has_sci;
309};
310
311static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
312{
313 struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
314
315 if (!sa || !sa->active)
316 return NULL;
317
318 if (!refcount_inc_not_zero(&sa->refcnt))
319 return NULL;
320
321 return sa;
322}
323
324static void free_rx_sc_rcu(struct rcu_head *head)
325{
326 struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
327
328 free_percpu(rx_sc->stats);
329 kfree(rx_sc);
330}
331
332static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
333{
334 return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
335}
336
337static void macsec_rxsc_put(struct macsec_rx_sc *sc)
338{
339 if (refcount_dec_and_test(&sc->refcnt))
340 call_rcu(&sc->rcu_head, free_rx_sc_rcu);
341}
342
343static void free_rxsa(struct rcu_head *head)
344{
345 struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
346
347 crypto_free_aead(sa->key.tfm);
348 free_percpu(sa->stats);
349 kfree(sa);
350}
351
352static void macsec_rxsa_put(struct macsec_rx_sa *sa)
353{
354 if (refcount_dec_and_test(&sa->refcnt))
355 call_rcu(&sa->rcu, free_rxsa);
356}
357
358static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
359{
360 struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
361
362 if (!sa || !sa->active)
363 return NULL;
364
365 if (!refcount_inc_not_zero(&sa->refcnt))
366 return NULL;
367
368 return sa;
369}
370
371static void free_txsa(struct rcu_head *head)
372{
373 struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
374
375 crypto_free_aead(sa->key.tfm);
376 free_percpu(sa->stats);
377 kfree(sa);
378}
379
380static void macsec_txsa_put(struct macsec_tx_sa *sa)
381{
382 if (refcount_dec_and_test(&sa->refcnt))
383 call_rcu(&sa->rcu, free_txsa);
384}
385
386static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
387{
388 BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
389 return (struct macsec_cb *)skb->cb;
390}
391
392#define MACSEC_PORT_ES (htons(0x0001))
393#define MACSEC_PORT_SCB (0x0000)
394#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
395
396#define MACSEC_GCM_AES_128_SAK_LEN 16
397#define MACSEC_GCM_AES_256_SAK_LEN 32
398
399#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
400#define DEFAULT_SEND_SCI true
401#define DEFAULT_ENCRYPT false
402#define DEFAULT_ENCODING_SA 0
403
404static bool send_sci(const struct macsec_secy *secy)
405{
406 const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
407
408 return tx_sc->send_sci ||
409 (secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
410}
411
412static sci_t make_sci(u8 *addr, __be16 port)
413{
414 sci_t sci;
415
416 memcpy(&sci, addr, ETH_ALEN);
417 memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
418
419 return sci;
420}
421
422static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
423{
424 sci_t sci;
425
426 if (sci_present)
427 memcpy(&sci, hdr->secure_channel_id,
428 sizeof(hdr->secure_channel_id));
429 else
430 sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
431
432 return sci;
433}
434
435static unsigned int macsec_sectag_len(bool sci_present)
436{
437 return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
438}
439
440static unsigned int macsec_hdr_len(bool sci_present)
441{
442 return macsec_sectag_len(sci_present) + ETH_HLEN;
443}
444
445static unsigned int macsec_extra_len(bool sci_present)
446{
447 return macsec_sectag_len(sci_present) + sizeof(__be16);
448}
449
450
451static void macsec_fill_sectag(struct macsec_eth_header *h,
452 const struct macsec_secy *secy, u32 pn,
453 bool sci_present)
454{
455 const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
456
457 memset(&h->tci_an, 0, macsec_sectag_len(sci_present));
458 h->eth.h_proto = htons(ETH_P_MACSEC);
459
460 if (sci_present) {
461 h->tci_an |= MACSEC_TCI_SC;
462 memcpy(&h->secure_channel_id, &secy->sci,
463 sizeof(h->secure_channel_id));
464 } else {
465 if (tx_sc->end_station)
466 h->tci_an |= MACSEC_TCI_ES;
467 if (tx_sc->scb)
468 h->tci_an |= MACSEC_TCI_SCB;
469 }
470
471 h->packet_number = htonl(pn);
472
473
474 if (tx_sc->encrypt)
475 h->tci_an |= MACSEC_TCI_CONFID;
476 else if (secy->icv_len != DEFAULT_ICV_LEN)
477 h->tci_an |= MACSEC_TCI_C;
478
479 h->tci_an |= tx_sc->encoding_sa;
480}
481
482static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
483{
484 if (data_len < MIN_NON_SHORT_LEN)
485 h->short_length = data_len;
486}
487
488
489static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len)
490{
491 struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
492 int len = skb->len - 2 * ETH_ALEN;
493 int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
494
495
496 if (skb->len <= 16)
497 return false;
498
499
500
501
502 if (h->tci_an & MACSEC_TCI_VERSION)
503 return false;
504
505
506 if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
507 (h->tci_an & MACSEC_TCI_SC))
508 return false;
509
510
511 if (h->unused)
512 return false;
513
514
515 if (!h->packet_number)
516 return false;
517
518
519 if (h->short_length)
520 return len == extra_len + h->short_length;
521 return len >= extra_len + MIN_NON_SHORT_LEN;
522}
523
524#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
525#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
526
527static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
528{
529 struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
530
531 gcm_iv->sci = sci;
532 gcm_iv->pn = htonl(pn);
533}
534
535static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
536{
537 return (struct macsec_eth_header *)skb_mac_header(skb);
538}
539
540static u32 tx_sa_update_pn(struct macsec_tx_sa *tx_sa, struct macsec_secy *secy)
541{
542 u32 pn;
543
544 spin_lock_bh(&tx_sa->lock);
545 pn = tx_sa->next_pn;
546
547 tx_sa->next_pn++;
548 if (tx_sa->next_pn == 0) {
549 pr_debug("PN wrapped, transitioning to !oper\n");
550 tx_sa->active = false;
551 if (secy->protect_frames)
552 secy->operational = false;
553 }
554 spin_unlock_bh(&tx_sa->lock);
555
556 return pn;
557}
558
559static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
560{
561 struct macsec_dev *macsec = netdev_priv(dev);
562
563 skb->dev = macsec->real_dev;
564 skb_reset_mac_header(skb);
565 skb->protocol = eth_hdr(skb)->h_proto;
566}
567
568static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
569 struct macsec_tx_sa *tx_sa)
570{
571 struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
572
573 u64_stats_update_begin(&txsc_stats->syncp);
574 if (tx_sc->encrypt) {
575 txsc_stats->stats.OutOctetsEncrypted += skb->len;
576 txsc_stats->stats.OutPktsEncrypted++;
577 this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
578 } else {
579 txsc_stats->stats.OutOctetsProtected += skb->len;
580 txsc_stats->stats.OutPktsProtected++;
581 this_cpu_inc(tx_sa->stats->OutPktsProtected);
582 }
583 u64_stats_update_end(&txsc_stats->syncp);
584}
585
586static void count_tx(struct net_device *dev, int ret, int len)
587{
588 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
589 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
590
591 u64_stats_update_begin(&stats->syncp);
592 stats->tx_packets++;
593 stats->tx_bytes += len;
594 u64_stats_update_end(&stats->syncp);
595 }
596}
597
598static void macsec_encrypt_done(struct crypto_async_request *base, int err)
599{
600 struct sk_buff *skb = base->data;
601 struct net_device *dev = skb->dev;
602 struct macsec_dev *macsec = macsec_priv(dev);
603 struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
604 int len, ret;
605
606 aead_request_free(macsec_skb_cb(skb)->req);
607
608 rcu_read_lock_bh();
609 macsec_encrypt_finish(skb, dev);
610 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
611 len = skb->len;
612 ret = dev_queue_xmit(skb);
613 count_tx(dev, ret, len);
614 rcu_read_unlock_bh();
615
616 macsec_txsa_put(sa);
617 dev_put(dev);
618}
619
620static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
621 unsigned char **iv,
622 struct scatterlist **sg,
623 int num_frags)
624{
625 size_t size, iv_offset, sg_offset;
626 struct aead_request *req;
627 void *tmp;
628
629 size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
630 iv_offset = size;
631 size += GCM_AES_IV_LEN;
632
633 size = ALIGN(size, __alignof__(struct scatterlist));
634 sg_offset = size;
635 size += sizeof(struct scatterlist) * num_frags;
636
637 tmp = kmalloc(size, GFP_ATOMIC);
638 if (!tmp)
639 return NULL;
640
641 *iv = (unsigned char *)(tmp + iv_offset);
642 *sg = (struct scatterlist *)(tmp + sg_offset);
643 req = tmp;
644
645 aead_request_set_tfm(req, tfm);
646
647 return req;
648}
649
650static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
651 struct net_device *dev)
652{
653 int ret;
654 struct scatterlist *sg;
655 struct sk_buff *trailer;
656 unsigned char *iv;
657 struct ethhdr *eth;
658 struct macsec_eth_header *hh;
659 size_t unprotected_len;
660 struct aead_request *req;
661 struct macsec_secy *secy;
662 struct macsec_tx_sc *tx_sc;
663 struct macsec_tx_sa *tx_sa;
664 struct macsec_dev *macsec = macsec_priv(dev);
665 bool sci_present;
666 u32 pn;
667
668 secy = &macsec->secy;
669 tx_sc = &secy->tx_sc;
670
671
672 tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
673 if (!tx_sa) {
674 secy->operational = false;
675 kfree_skb(skb);
676 return ERR_PTR(-EINVAL);
677 }
678
679 if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
680 skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
681 struct sk_buff *nskb = skb_copy_expand(skb,
682 MACSEC_NEEDED_HEADROOM,
683 MACSEC_NEEDED_TAILROOM,
684 GFP_ATOMIC);
685 if (likely(nskb)) {
686 consume_skb(skb);
687 skb = nskb;
688 } else {
689 macsec_txsa_put(tx_sa);
690 kfree_skb(skb);
691 return ERR_PTR(-ENOMEM);
692 }
693 } else {
694 skb = skb_unshare(skb, GFP_ATOMIC);
695 if (!skb) {
696 macsec_txsa_put(tx_sa);
697 return ERR_PTR(-ENOMEM);
698 }
699 }
700
701 unprotected_len = skb->len;
702 eth = eth_hdr(skb);
703 sci_present = send_sci(secy);
704 hh = skb_push(skb, macsec_extra_len(sci_present));
705 memmove(hh, eth, 2 * ETH_ALEN);
706
707 pn = tx_sa_update_pn(tx_sa, secy);
708 if (pn == 0) {
709 macsec_txsa_put(tx_sa);
710 kfree_skb(skb);
711 return ERR_PTR(-ENOLINK);
712 }
713 macsec_fill_sectag(hh, secy, pn, sci_present);
714 macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
715
716 skb_put(skb, secy->icv_len);
717
718 if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
719 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
720
721 u64_stats_update_begin(&secy_stats->syncp);
722 secy_stats->stats.OutPktsTooLong++;
723 u64_stats_update_end(&secy_stats->syncp);
724
725 macsec_txsa_put(tx_sa);
726 kfree_skb(skb);
727 return ERR_PTR(-EINVAL);
728 }
729
730 ret = skb_cow_data(skb, 0, &trailer);
731 if (unlikely(ret < 0)) {
732 macsec_txsa_put(tx_sa);
733 kfree_skb(skb);
734 return ERR_PTR(ret);
735 }
736
737 req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
738 if (!req) {
739 macsec_txsa_put(tx_sa);
740 kfree_skb(skb);
741 return ERR_PTR(-ENOMEM);
742 }
743
744 macsec_fill_iv(iv, secy->sci, pn);
745
746 sg_init_table(sg, ret);
747 ret = skb_to_sgvec(skb, sg, 0, skb->len);
748 if (unlikely(ret < 0)) {
749 aead_request_free(req);
750 macsec_txsa_put(tx_sa);
751 kfree_skb(skb);
752 return ERR_PTR(ret);
753 }
754
755 if (tx_sc->encrypt) {
756 int len = skb->len - macsec_hdr_len(sci_present) -
757 secy->icv_len;
758 aead_request_set_crypt(req, sg, sg, len, iv);
759 aead_request_set_ad(req, macsec_hdr_len(sci_present));
760 } else {
761 aead_request_set_crypt(req, sg, sg, 0, iv);
762 aead_request_set_ad(req, skb->len - secy->icv_len);
763 }
764
765 macsec_skb_cb(skb)->req = req;
766 macsec_skb_cb(skb)->tx_sa = tx_sa;
767 aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
768
769 dev_hold(skb->dev);
770 ret = crypto_aead_encrypt(req);
771 if (ret == -EINPROGRESS) {
772 return ERR_PTR(ret);
773 } else if (ret != 0) {
774 dev_put(skb->dev);
775 kfree_skb(skb);
776 aead_request_free(req);
777 macsec_txsa_put(tx_sa);
778 return ERR_PTR(-EINVAL);
779 }
780
781 dev_put(skb->dev);
782 aead_request_free(req);
783 macsec_txsa_put(tx_sa);
784
785 return skb;
786}
787
788static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
789{
790 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
791 struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
792 struct macsec_eth_header *hdr = macsec_ethhdr(skb);
793 u32 lowest_pn = 0;
794
795 spin_lock(&rx_sa->lock);
796 if (rx_sa->next_pn >= secy->replay_window)
797 lowest_pn = rx_sa->next_pn - secy->replay_window;
798
799
800
801
802 if (secy->replay_protect && pn < lowest_pn) {
803 spin_unlock(&rx_sa->lock);
804 u64_stats_update_begin(&rxsc_stats->syncp);
805 rxsc_stats->stats.InPktsLate++;
806 u64_stats_update_end(&rxsc_stats->syncp);
807 return false;
808 }
809
810 if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
811 u64_stats_update_begin(&rxsc_stats->syncp);
812 if (hdr->tci_an & MACSEC_TCI_E)
813 rxsc_stats->stats.InOctetsDecrypted += skb->len;
814 else
815 rxsc_stats->stats.InOctetsValidated += skb->len;
816 u64_stats_update_end(&rxsc_stats->syncp);
817 }
818
819 if (!macsec_skb_cb(skb)->valid) {
820 spin_unlock(&rx_sa->lock);
821
822
823 if (hdr->tci_an & MACSEC_TCI_C ||
824 secy->validate_frames == MACSEC_VALIDATE_STRICT) {
825 u64_stats_update_begin(&rxsc_stats->syncp);
826 rxsc_stats->stats.InPktsNotValid++;
827 u64_stats_update_end(&rxsc_stats->syncp);
828 return false;
829 }
830
831 u64_stats_update_begin(&rxsc_stats->syncp);
832 if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
833 rxsc_stats->stats.InPktsInvalid++;
834 this_cpu_inc(rx_sa->stats->InPktsInvalid);
835 } else if (pn < lowest_pn) {
836 rxsc_stats->stats.InPktsDelayed++;
837 } else {
838 rxsc_stats->stats.InPktsUnchecked++;
839 }
840 u64_stats_update_end(&rxsc_stats->syncp);
841 } else {
842 u64_stats_update_begin(&rxsc_stats->syncp);
843 if (pn < lowest_pn) {
844 rxsc_stats->stats.InPktsDelayed++;
845 } else {
846 rxsc_stats->stats.InPktsOK++;
847 this_cpu_inc(rx_sa->stats->InPktsOK);
848 }
849 u64_stats_update_end(&rxsc_stats->syncp);
850
851 if (pn >= rx_sa->next_pn)
852 rx_sa->next_pn = pn + 1;
853 spin_unlock(&rx_sa->lock);
854 }
855
856 return true;
857}
858
859static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
860{
861 skb->pkt_type = PACKET_HOST;
862 skb->protocol = eth_type_trans(skb, dev);
863
864 skb_reset_network_header(skb);
865 if (!skb_transport_header_was_set(skb))
866 skb_reset_transport_header(skb);
867 skb_reset_mac_len(skb);
868}
869
870static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
871{
872 skb->ip_summed = CHECKSUM_NONE;
873 memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
874 skb_pull(skb, hdr_len);
875 pskb_trim_unique(skb, skb->len - icv_len);
876}
877
878static void count_rx(struct net_device *dev, int len)
879{
880 struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
881
882 u64_stats_update_begin(&stats->syncp);
883 stats->rx_packets++;
884 stats->rx_bytes += len;
885 u64_stats_update_end(&stats->syncp);
886}
887
888static void macsec_decrypt_done(struct crypto_async_request *base, int err)
889{
890 struct sk_buff *skb = base->data;
891 struct net_device *dev = skb->dev;
892 struct macsec_dev *macsec = macsec_priv(dev);
893 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
894 struct macsec_rx_sc *rx_sc = rx_sa->sc;
895 int len;
896 u32 pn;
897
898 aead_request_free(macsec_skb_cb(skb)->req);
899
900 if (!err)
901 macsec_skb_cb(skb)->valid = true;
902
903 rcu_read_lock_bh();
904 pn = ntohl(macsec_ethhdr(skb)->packet_number);
905 if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
906 rcu_read_unlock_bh();
907 kfree_skb(skb);
908 goto out;
909 }
910
911 macsec_finalize_skb(skb, macsec->secy.icv_len,
912 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
913 macsec_reset_skb(skb, macsec->secy.netdev);
914
915 len = skb->len;
916 if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS)
917 count_rx(dev, len);
918
919 rcu_read_unlock_bh();
920
921out:
922 macsec_rxsa_put(rx_sa);
923 macsec_rxsc_put(rx_sc);
924 dev_put(dev);
925}
926
927static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
928 struct net_device *dev,
929 struct macsec_rx_sa *rx_sa,
930 sci_t sci,
931 struct macsec_secy *secy)
932{
933 int ret;
934 struct scatterlist *sg;
935 struct sk_buff *trailer;
936 unsigned char *iv;
937 struct aead_request *req;
938 struct macsec_eth_header *hdr;
939 u16 icv_len = secy->icv_len;
940
941 macsec_skb_cb(skb)->valid = false;
942 skb = skb_share_check(skb, GFP_ATOMIC);
943 if (!skb)
944 return ERR_PTR(-ENOMEM);
945
946 ret = skb_cow_data(skb, 0, &trailer);
947 if (unlikely(ret < 0)) {
948 kfree_skb(skb);
949 return ERR_PTR(ret);
950 }
951 req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
952 if (!req) {
953 kfree_skb(skb);
954 return ERR_PTR(-ENOMEM);
955 }
956
957 hdr = (struct macsec_eth_header *)skb->data;
958 macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
959
960 sg_init_table(sg, ret);
961 ret = skb_to_sgvec(skb, sg, 0, skb->len);
962 if (unlikely(ret < 0)) {
963 aead_request_free(req);
964 kfree_skb(skb);
965 return ERR_PTR(ret);
966 }
967
968 if (hdr->tci_an & MACSEC_TCI_E) {
969
970
971
972 int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci);
973
974 aead_request_set_crypt(req, sg, sg, len, iv);
975 aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci));
976 skb = skb_unshare(skb, GFP_ATOMIC);
977 if (!skb) {
978 aead_request_free(req);
979 return ERR_PTR(-ENOMEM);
980 }
981 } else {
982
983 aead_request_set_crypt(req, sg, sg, icv_len, iv);
984 aead_request_set_ad(req, skb->len - icv_len);
985 }
986
987 macsec_skb_cb(skb)->req = req;
988 skb->dev = dev;
989 aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
990
991 dev_hold(dev);
992 ret = crypto_aead_decrypt(req);
993 if (ret == -EINPROGRESS) {
994 return ERR_PTR(ret);
995 } else if (ret != 0) {
996
997
998
999 if (ret != -EBADMSG) {
1000 kfree_skb(skb);
1001 skb = ERR_PTR(ret);
1002 }
1003 } else {
1004 macsec_skb_cb(skb)->valid = true;
1005 }
1006 dev_put(dev);
1007
1008 aead_request_free(req);
1009
1010 return skb;
1011}
1012
1013static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci)
1014{
1015 struct macsec_rx_sc *rx_sc;
1016
1017 for_each_rxsc(secy, rx_sc) {
1018 if (rx_sc->sci == sci)
1019 return rx_sc;
1020 }
1021
1022 return NULL;
1023}
1024
1025static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci)
1026{
1027 struct macsec_rx_sc *rx_sc;
1028
1029 for_each_rxsc_rtnl(secy, rx_sc) {
1030 if (rx_sc->sci == sci)
1031 return rx_sc;
1032 }
1033
1034 return NULL;
1035}
1036
1037static void handle_not_macsec(struct sk_buff *skb)
1038{
1039 struct macsec_rxh_data *rxd;
1040 struct macsec_dev *macsec;
1041
1042 rcu_read_lock();
1043 rxd = macsec_data_rcu(skb->dev);
1044
1045
1046
1047
1048
1049 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1050 struct sk_buff *nskb;
1051 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
1052
1053 if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
1054 u64_stats_update_begin(&secy_stats->syncp);
1055 secy_stats->stats.InPktsNoTag++;
1056 u64_stats_update_end(&secy_stats->syncp);
1057 continue;
1058 }
1059
1060
1061 nskb = skb_clone(skb, GFP_ATOMIC);
1062 if (!nskb)
1063 break;
1064
1065 nskb->dev = macsec->secy.netdev;
1066
1067 if (netif_rx(nskb) == NET_RX_SUCCESS) {
1068 u64_stats_update_begin(&secy_stats->syncp);
1069 secy_stats->stats.InPktsUntagged++;
1070 u64_stats_update_end(&secy_stats->syncp);
1071 }
1072 }
1073
1074 rcu_read_unlock();
1075}
1076
1077static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
1078{
1079 struct sk_buff *skb = *pskb;
1080 struct net_device *dev = skb->dev;
1081 struct macsec_eth_header *hdr;
1082 struct macsec_secy *secy = NULL;
1083 struct macsec_rx_sc *rx_sc;
1084 struct macsec_rx_sa *rx_sa;
1085 struct macsec_rxh_data *rxd;
1086 struct macsec_dev *macsec;
1087 sci_t sci;
1088 u32 pn;
1089 bool cbit;
1090 struct pcpu_rx_sc_stats *rxsc_stats;
1091 struct pcpu_secy_stats *secy_stats;
1092 bool pulled_sci;
1093 int ret;
1094
1095 if (skb_headroom(skb) < ETH_HLEN)
1096 goto drop_direct;
1097
1098 hdr = macsec_ethhdr(skb);
1099 if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) {
1100 handle_not_macsec(skb);
1101
1102
1103 return RX_HANDLER_PASS;
1104 }
1105
1106 skb = skb_unshare(skb, GFP_ATOMIC);
1107 *pskb = skb;
1108 if (!skb)
1109 return RX_HANDLER_CONSUMED;
1110
1111 pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
1112 if (!pulled_sci) {
1113 if (!pskb_may_pull(skb, macsec_extra_len(false)))
1114 goto drop_direct;
1115 }
1116
1117 hdr = macsec_ethhdr(skb);
1118
1119
1120
1121
1122
1123
1124 if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E)
1125 return RX_HANDLER_PASS;
1126
1127
1128 if (hdr->tci_an & MACSEC_TCI_SC) {
1129 if (!pulled_sci)
1130 goto drop_direct;
1131 }
1132
1133
1134 skb_push(skb, ETH_HLEN);
1135
1136 macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
1137 macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
1138 sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
1139
1140 rcu_read_lock();
1141 rxd = macsec_data_rcu(skb->dev);
1142
1143 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1144 struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
1145
1146 sc = sc ? macsec_rxsc_get(sc) : NULL;
1147
1148 if (sc) {
1149 secy = &macsec->secy;
1150 rx_sc = sc;
1151 break;
1152 }
1153 }
1154
1155 if (!secy)
1156 goto nosci;
1157
1158 dev = secy->netdev;
1159 macsec = macsec_priv(dev);
1160 secy_stats = this_cpu_ptr(macsec->stats);
1161 rxsc_stats = this_cpu_ptr(rx_sc->stats);
1162
1163 if (!macsec_validate_skb(skb, secy->icv_len)) {
1164 u64_stats_update_begin(&secy_stats->syncp);
1165 secy_stats->stats.InPktsBadTag++;
1166 u64_stats_update_end(&secy_stats->syncp);
1167 goto drop_nosa;
1168 }
1169
1170 rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]);
1171 if (!rx_sa) {
1172
1173
1174
1175
1176
1177 if (hdr->tci_an & MACSEC_TCI_C ||
1178 secy->validate_frames == MACSEC_VALIDATE_STRICT) {
1179 u64_stats_update_begin(&rxsc_stats->syncp);
1180 rxsc_stats->stats.InPktsNotUsingSA++;
1181 u64_stats_update_end(&rxsc_stats->syncp);
1182 goto drop_nosa;
1183 }
1184
1185
1186
1187
1188 u64_stats_update_begin(&rxsc_stats->syncp);
1189 rxsc_stats->stats.InPktsUnusedSA++;
1190 u64_stats_update_end(&rxsc_stats->syncp);
1191 goto deliver;
1192 }
1193
1194
1195 pn = ntohl(hdr->packet_number);
1196 if (secy->replay_protect) {
1197 bool late;
1198
1199 spin_lock(&rx_sa->lock);
1200 late = rx_sa->next_pn >= secy->replay_window &&
1201 pn < (rx_sa->next_pn - secy->replay_window);
1202 spin_unlock(&rx_sa->lock);
1203
1204 if (late) {
1205 u64_stats_update_begin(&rxsc_stats->syncp);
1206 rxsc_stats->stats.InPktsLate++;
1207 u64_stats_update_end(&rxsc_stats->syncp);
1208 goto drop;
1209 }
1210 }
1211
1212 macsec_skb_cb(skb)->rx_sa = rx_sa;
1213
1214
1215 if (hdr->tci_an & MACSEC_TCI_C ||
1216 secy->validate_frames != MACSEC_VALIDATE_DISABLED)
1217 skb = macsec_decrypt(skb, dev, rx_sa, sci, secy);
1218
1219 if (IS_ERR(skb)) {
1220
1221 if (PTR_ERR(skb) != -EINPROGRESS) {
1222 macsec_rxsa_put(rx_sa);
1223 macsec_rxsc_put(rx_sc);
1224 }
1225 rcu_read_unlock();
1226 *pskb = NULL;
1227 return RX_HANDLER_CONSUMED;
1228 }
1229
1230 if (!macsec_post_decrypt(skb, secy, pn))
1231 goto drop;
1232
1233deliver:
1234 macsec_finalize_skb(skb, secy->icv_len,
1235 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
1236 macsec_reset_skb(skb, secy->netdev);
1237
1238 if (rx_sa)
1239 macsec_rxsa_put(rx_sa);
1240 macsec_rxsc_put(rx_sc);
1241
1242 skb_orphan(skb);
1243 ret = gro_cells_receive(&macsec->gro_cells, skb);
1244 if (ret == NET_RX_SUCCESS)
1245 count_rx(dev, skb->len);
1246 else
1247 macsec->secy.netdev->stats.rx_dropped++;
1248
1249 rcu_read_unlock();
1250
1251 *pskb = NULL;
1252 return RX_HANDLER_CONSUMED;
1253
1254drop:
1255 macsec_rxsa_put(rx_sa);
1256drop_nosa:
1257 macsec_rxsc_put(rx_sc);
1258 rcu_read_unlock();
1259drop_direct:
1260 kfree_skb(skb);
1261 *pskb = NULL;
1262 return RX_HANDLER_CONSUMED;
1263
1264nosci:
1265
1266 cbit = !!(hdr->tci_an & MACSEC_TCI_C);
1267 if (!cbit)
1268 macsec_finalize_skb(skb, DEFAULT_ICV_LEN,
1269 macsec_extra_len(macsec_skb_cb(skb)->has_sci));
1270
1271 list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
1272 struct sk_buff *nskb;
1273
1274 secy_stats = this_cpu_ptr(macsec->stats);
1275
1276
1277
1278
1279 if (cbit ||
1280 macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
1281 u64_stats_update_begin(&secy_stats->syncp);
1282 secy_stats->stats.InPktsNoSCI++;
1283 u64_stats_update_end(&secy_stats->syncp);
1284 continue;
1285 }
1286
1287
1288
1289
1290 nskb = skb_clone(skb, GFP_ATOMIC);
1291 if (!nskb)
1292 break;
1293
1294 macsec_reset_skb(nskb, macsec->secy.netdev);
1295
1296 ret = netif_rx(nskb);
1297 if (ret == NET_RX_SUCCESS) {
1298 u64_stats_update_begin(&secy_stats->syncp);
1299 secy_stats->stats.InPktsUnknownSCI++;
1300 u64_stats_update_end(&secy_stats->syncp);
1301 } else {
1302 macsec->secy.netdev->stats.rx_dropped++;
1303 }
1304 }
1305
1306 rcu_read_unlock();
1307 *pskb = skb;
1308 return RX_HANDLER_PASS;
1309}
1310
1311static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
1312{
1313 struct crypto_aead *tfm;
1314 int ret;
1315
1316 tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
1317
1318 if (IS_ERR(tfm))
1319 return tfm;
1320
1321 ret = crypto_aead_setkey(tfm, key, key_len);
1322 if (ret < 0)
1323 goto fail;
1324
1325 ret = crypto_aead_setauthsize(tfm, icv_len);
1326 if (ret < 0)
1327 goto fail;
1328
1329 return tfm;
1330fail:
1331 crypto_free_aead(tfm);
1332 return ERR_PTR(ret);
1333}
1334
1335static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
1336 int icv_len)
1337{
1338 rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats);
1339 if (!rx_sa->stats)
1340 return -ENOMEM;
1341
1342 rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
1343 if (IS_ERR(rx_sa->key.tfm)) {
1344 free_percpu(rx_sa->stats);
1345 return PTR_ERR(rx_sa->key.tfm);
1346 }
1347
1348 rx_sa->active = false;
1349 rx_sa->next_pn = 1;
1350 refcount_set(&rx_sa->refcnt, 1);
1351 spin_lock_init(&rx_sa->lock);
1352
1353 return 0;
1354}
1355
1356static void clear_rx_sa(struct macsec_rx_sa *rx_sa)
1357{
1358 rx_sa->active = false;
1359
1360 macsec_rxsa_put(rx_sa);
1361}
1362
1363static void free_rx_sc(struct macsec_rx_sc *rx_sc)
1364{
1365 int i;
1366
1367 for (i = 0; i < MACSEC_NUM_AN; i++) {
1368 struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]);
1369
1370 RCU_INIT_POINTER(rx_sc->sa[i], NULL);
1371 if (sa)
1372 clear_rx_sa(sa);
1373 }
1374
1375 macsec_rxsc_put(rx_sc);
1376}
1377
1378static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
1379{
1380 struct macsec_rx_sc *rx_sc, __rcu **rx_scp;
1381
1382 for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp);
1383 rx_sc;
1384 rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) {
1385 if (rx_sc->sci == sci) {
1386 if (rx_sc->active)
1387 secy->n_rx_sc--;
1388 rcu_assign_pointer(*rx_scp, rx_sc->next);
1389 return rx_sc;
1390 }
1391 }
1392
1393 return NULL;
1394}
1395
1396static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
1397{
1398 struct macsec_rx_sc *rx_sc;
1399 struct macsec_dev *macsec;
1400 struct net_device *real_dev = macsec_priv(dev)->real_dev;
1401 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
1402 struct macsec_secy *secy;
1403
1404 list_for_each_entry(macsec, &rxd->secys, secys) {
1405 if (find_rx_sc_rtnl(&macsec->secy, sci))
1406 return ERR_PTR(-EEXIST);
1407 }
1408
1409 rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL);
1410 if (!rx_sc)
1411 return ERR_PTR(-ENOMEM);
1412
1413 rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats);
1414 if (!rx_sc->stats) {
1415 kfree(rx_sc);
1416 return ERR_PTR(-ENOMEM);
1417 }
1418
1419 rx_sc->sci = sci;
1420 rx_sc->active = true;
1421 refcount_set(&rx_sc->refcnt, 1);
1422
1423 secy = &macsec_priv(dev)->secy;
1424 rcu_assign_pointer(rx_sc->next, secy->rx_sc);
1425 rcu_assign_pointer(secy->rx_sc, rx_sc);
1426
1427 if (rx_sc->active)
1428 secy->n_rx_sc++;
1429
1430 return rx_sc;
1431}
1432
1433static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
1434 int icv_len)
1435{
1436 tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats);
1437 if (!tx_sa->stats)
1438 return -ENOMEM;
1439
1440 tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
1441 if (IS_ERR(tx_sa->key.tfm)) {
1442 free_percpu(tx_sa->stats);
1443 return PTR_ERR(tx_sa->key.tfm);
1444 }
1445
1446 tx_sa->active = false;
1447 refcount_set(&tx_sa->refcnt, 1);
1448 spin_lock_init(&tx_sa->lock);
1449
1450 return 0;
1451}
1452
1453static void clear_tx_sa(struct macsec_tx_sa *tx_sa)
1454{
1455 tx_sa->active = false;
1456
1457 macsec_txsa_put(tx_sa);
1458}
1459
1460static struct genl_family macsec_fam;
1461
1462static struct net_device *get_dev_from_nl(struct net *net,
1463 struct nlattr **attrs)
1464{
1465 int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]);
1466 struct net_device *dev;
1467
1468 dev = __dev_get_by_index(net, ifindex);
1469 if (!dev)
1470 return ERR_PTR(-ENODEV);
1471
1472 if (!netif_is_macsec(dev))
1473 return ERR_PTR(-ENODEV);
1474
1475 return dev;
1476}
1477
1478static sci_t nla_get_sci(const struct nlattr *nla)
1479{
1480 return (__force sci_t)nla_get_u64(nla);
1481}
1482
1483static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value,
1484 int padattr)
1485{
1486 return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr);
1487}
1488
1489static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
1490 struct nlattr **attrs,
1491 struct nlattr **tb_sa,
1492 struct net_device **devp,
1493 struct macsec_secy **secyp,
1494 struct macsec_tx_sc **scp,
1495 u8 *assoc_num)
1496{
1497 struct net_device *dev;
1498 struct macsec_secy *secy;
1499 struct macsec_tx_sc *tx_sc;
1500 struct macsec_tx_sa *tx_sa;
1501
1502 if (!tb_sa[MACSEC_SA_ATTR_AN])
1503 return ERR_PTR(-EINVAL);
1504
1505 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1506
1507 dev = get_dev_from_nl(net, attrs);
1508 if (IS_ERR(dev))
1509 return ERR_CAST(dev);
1510
1511 if (*assoc_num >= MACSEC_NUM_AN)
1512 return ERR_PTR(-EINVAL);
1513
1514 secy = &macsec_priv(dev)->secy;
1515 tx_sc = &secy->tx_sc;
1516
1517 tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]);
1518 if (!tx_sa)
1519 return ERR_PTR(-ENODEV);
1520
1521 *devp = dev;
1522 *scp = tx_sc;
1523 *secyp = secy;
1524 return tx_sa;
1525}
1526
1527static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net,
1528 struct nlattr **attrs,
1529 struct nlattr **tb_rxsc,
1530 struct net_device **devp,
1531 struct macsec_secy **secyp)
1532{
1533 struct net_device *dev;
1534 struct macsec_secy *secy;
1535 struct macsec_rx_sc *rx_sc;
1536 sci_t sci;
1537
1538 dev = get_dev_from_nl(net, attrs);
1539 if (IS_ERR(dev))
1540 return ERR_CAST(dev);
1541
1542 secy = &macsec_priv(dev)->secy;
1543
1544 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
1545 return ERR_PTR(-EINVAL);
1546
1547 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1548 rx_sc = find_rx_sc_rtnl(secy, sci);
1549 if (!rx_sc)
1550 return ERR_PTR(-ENODEV);
1551
1552 *secyp = secy;
1553 *devp = dev;
1554
1555 return rx_sc;
1556}
1557
1558static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net,
1559 struct nlattr **attrs,
1560 struct nlattr **tb_rxsc,
1561 struct nlattr **tb_sa,
1562 struct net_device **devp,
1563 struct macsec_secy **secyp,
1564 struct macsec_rx_sc **scp,
1565 u8 *assoc_num)
1566{
1567 struct macsec_rx_sc *rx_sc;
1568 struct macsec_rx_sa *rx_sa;
1569
1570 if (!tb_sa[MACSEC_SA_ATTR_AN])
1571 return ERR_PTR(-EINVAL);
1572
1573 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1574 if (*assoc_num >= MACSEC_NUM_AN)
1575 return ERR_PTR(-EINVAL);
1576
1577 rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp);
1578 if (IS_ERR(rx_sc))
1579 return ERR_CAST(rx_sc);
1580
1581 rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]);
1582 if (!rx_sa)
1583 return ERR_PTR(-ENODEV);
1584
1585 *scp = rx_sc;
1586 return rx_sa;
1587}
1588
1589static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = {
1590 [MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 },
1591 [MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED },
1592 [MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED },
1593};
1594
1595static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = {
1596 [MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 },
1597 [MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 },
1598};
1599
1600static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
1601 [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 },
1602 [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 },
1603 [MACSEC_SA_ATTR_PN] = { .type = NLA_U32 },
1604 [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
1605 .len = MACSEC_KEYID_LEN, },
1606 [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
1607 .len = MACSEC_MAX_KEY_LEN, },
1608};
1609
1610static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
1611{
1612 if (!attrs[MACSEC_ATTR_SA_CONFIG])
1613 return -EINVAL;
1614
1615 if (nla_parse_nested_deprecated(tb_sa, MACSEC_SA_ATTR_MAX, attrs[MACSEC_ATTR_SA_CONFIG], macsec_genl_sa_policy, NULL))
1616 return -EINVAL;
1617
1618 return 0;
1619}
1620
1621static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc)
1622{
1623 if (!attrs[MACSEC_ATTR_RXSC_CONFIG])
1624 return -EINVAL;
1625
1626 if (nla_parse_nested_deprecated(tb_rxsc, MACSEC_RXSC_ATTR_MAX, attrs[MACSEC_ATTR_RXSC_CONFIG], macsec_genl_rxsc_policy, NULL))
1627 return -EINVAL;
1628
1629 return 0;
1630}
1631
1632static bool validate_add_rxsa(struct nlattr **attrs)
1633{
1634 if (!attrs[MACSEC_SA_ATTR_AN] ||
1635 !attrs[MACSEC_SA_ATTR_KEY] ||
1636 !attrs[MACSEC_SA_ATTR_KEYID])
1637 return false;
1638
1639 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
1640 return false;
1641
1642 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
1643 return false;
1644
1645 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
1646 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
1647 return false;
1648 }
1649
1650 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
1651 return false;
1652
1653 return true;
1654}
1655
1656static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
1657{
1658 struct net_device *dev;
1659 struct nlattr **attrs = info->attrs;
1660 struct macsec_secy *secy;
1661 struct macsec_rx_sc *rx_sc;
1662 struct macsec_rx_sa *rx_sa;
1663 unsigned char assoc_num;
1664 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1665 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1666 int err;
1667
1668 if (!attrs[MACSEC_ATTR_IFINDEX])
1669 return -EINVAL;
1670
1671 if (parse_sa_config(attrs, tb_sa))
1672 return -EINVAL;
1673
1674 if (parse_rxsc_config(attrs, tb_rxsc))
1675 return -EINVAL;
1676
1677 if (!validate_add_rxsa(tb_sa))
1678 return -EINVAL;
1679
1680 rtnl_lock();
1681 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
1682 if (IS_ERR(rx_sc)) {
1683 rtnl_unlock();
1684 return PTR_ERR(rx_sc);
1685 }
1686
1687 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1688
1689 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
1690 pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n",
1691 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
1692 rtnl_unlock();
1693 return -EINVAL;
1694 }
1695
1696 rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
1697 if (rx_sa) {
1698 rtnl_unlock();
1699 return -EBUSY;
1700 }
1701
1702 rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL);
1703 if (!rx_sa) {
1704 rtnl_unlock();
1705 return -ENOMEM;
1706 }
1707
1708 err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
1709 secy->key_len, secy->icv_len);
1710 if (err < 0) {
1711 kfree(rx_sa);
1712 rtnl_unlock();
1713 return err;
1714 }
1715
1716 if (tb_sa[MACSEC_SA_ATTR_PN]) {
1717 spin_lock_bh(&rx_sa->lock);
1718 rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1719 spin_unlock_bh(&rx_sa->lock);
1720 }
1721
1722 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1723 rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1724
1725 nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1726 rx_sa->sc = rx_sc;
1727 rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
1728
1729 rtnl_unlock();
1730
1731 return 0;
1732}
1733
1734static bool validate_add_rxsc(struct nlattr **attrs)
1735{
1736 if (!attrs[MACSEC_RXSC_ATTR_SCI])
1737 return false;
1738
1739 if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) {
1740 if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1)
1741 return false;
1742 }
1743
1744 return true;
1745}
1746
1747static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
1748{
1749 struct net_device *dev;
1750 sci_t sci = MACSEC_UNDEF_SCI;
1751 struct nlattr **attrs = info->attrs;
1752 struct macsec_rx_sc *rx_sc;
1753 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1754
1755 if (!attrs[MACSEC_ATTR_IFINDEX])
1756 return -EINVAL;
1757
1758 if (parse_rxsc_config(attrs, tb_rxsc))
1759 return -EINVAL;
1760
1761 if (!validate_add_rxsc(tb_rxsc))
1762 return -EINVAL;
1763
1764 rtnl_lock();
1765 dev = get_dev_from_nl(genl_info_net(info), attrs);
1766 if (IS_ERR(dev)) {
1767 rtnl_unlock();
1768 return PTR_ERR(dev);
1769 }
1770
1771 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1772
1773 rx_sc = create_rx_sc(dev, sci);
1774 if (IS_ERR(rx_sc)) {
1775 rtnl_unlock();
1776 return PTR_ERR(rx_sc);
1777 }
1778
1779 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
1780 rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
1781
1782 rtnl_unlock();
1783
1784 return 0;
1785}
1786
1787static bool validate_add_txsa(struct nlattr **attrs)
1788{
1789 if (!attrs[MACSEC_SA_ATTR_AN] ||
1790 !attrs[MACSEC_SA_ATTR_PN] ||
1791 !attrs[MACSEC_SA_ATTR_KEY] ||
1792 !attrs[MACSEC_SA_ATTR_KEYID])
1793 return false;
1794
1795 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
1796 return false;
1797
1798 if (nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
1799 return false;
1800
1801 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
1802 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
1803 return false;
1804 }
1805
1806 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
1807 return false;
1808
1809 return true;
1810}
1811
1812static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
1813{
1814 struct net_device *dev;
1815 struct nlattr **attrs = info->attrs;
1816 struct macsec_secy *secy;
1817 struct macsec_tx_sc *tx_sc;
1818 struct macsec_tx_sa *tx_sa;
1819 unsigned char assoc_num;
1820 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1821 int err;
1822
1823 if (!attrs[MACSEC_ATTR_IFINDEX])
1824 return -EINVAL;
1825
1826 if (parse_sa_config(attrs, tb_sa))
1827 return -EINVAL;
1828
1829 if (!validate_add_txsa(tb_sa))
1830 return -EINVAL;
1831
1832 rtnl_lock();
1833 dev = get_dev_from_nl(genl_info_net(info), attrs);
1834 if (IS_ERR(dev)) {
1835 rtnl_unlock();
1836 return PTR_ERR(dev);
1837 }
1838
1839 secy = &macsec_priv(dev)->secy;
1840 tx_sc = &secy->tx_sc;
1841
1842 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
1843
1844 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
1845 pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n",
1846 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
1847 rtnl_unlock();
1848 return -EINVAL;
1849 }
1850
1851 tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
1852 if (tx_sa) {
1853 rtnl_unlock();
1854 return -EBUSY;
1855 }
1856
1857 tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL);
1858 if (!tx_sa) {
1859 rtnl_unlock();
1860 return -ENOMEM;
1861 }
1862
1863 err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
1864 secy->key_len, secy->icv_len);
1865 if (err < 0) {
1866 kfree(tx_sa);
1867 rtnl_unlock();
1868 return err;
1869 }
1870
1871 nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
1872
1873 spin_lock_bh(&tx_sa->lock);
1874 tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
1875 spin_unlock_bh(&tx_sa->lock);
1876
1877 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
1878 tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
1879
1880 if (assoc_num == tx_sc->encoding_sa && tx_sa->active)
1881 secy->operational = true;
1882
1883 rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
1884
1885 rtnl_unlock();
1886
1887 return 0;
1888}
1889
1890static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info)
1891{
1892 struct nlattr **attrs = info->attrs;
1893 struct net_device *dev;
1894 struct macsec_secy *secy;
1895 struct macsec_rx_sc *rx_sc;
1896 struct macsec_rx_sa *rx_sa;
1897 u8 assoc_num;
1898 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1899 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1900
1901 if (!attrs[MACSEC_ATTR_IFINDEX])
1902 return -EINVAL;
1903
1904 if (parse_sa_config(attrs, tb_sa))
1905 return -EINVAL;
1906
1907 if (parse_rxsc_config(attrs, tb_rxsc))
1908 return -EINVAL;
1909
1910 rtnl_lock();
1911 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
1912 &dev, &secy, &rx_sc, &assoc_num);
1913 if (IS_ERR(rx_sa)) {
1914 rtnl_unlock();
1915 return PTR_ERR(rx_sa);
1916 }
1917
1918 if (rx_sa->active) {
1919 rtnl_unlock();
1920 return -EBUSY;
1921 }
1922
1923 RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL);
1924 clear_rx_sa(rx_sa);
1925
1926 rtnl_unlock();
1927
1928 return 0;
1929}
1930
1931static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info)
1932{
1933 struct nlattr **attrs = info->attrs;
1934 struct net_device *dev;
1935 struct macsec_secy *secy;
1936 struct macsec_rx_sc *rx_sc;
1937 sci_t sci;
1938 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
1939
1940 if (!attrs[MACSEC_ATTR_IFINDEX])
1941 return -EINVAL;
1942
1943 if (parse_rxsc_config(attrs, tb_rxsc))
1944 return -EINVAL;
1945
1946 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
1947 return -EINVAL;
1948
1949 rtnl_lock();
1950 dev = get_dev_from_nl(genl_info_net(info), info->attrs);
1951 if (IS_ERR(dev)) {
1952 rtnl_unlock();
1953 return PTR_ERR(dev);
1954 }
1955
1956 secy = &macsec_priv(dev)->secy;
1957 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
1958
1959 rx_sc = del_rx_sc(secy, sci);
1960 if (!rx_sc) {
1961 rtnl_unlock();
1962 return -ENODEV;
1963 }
1964
1965 free_rx_sc(rx_sc);
1966 rtnl_unlock();
1967
1968 return 0;
1969}
1970
1971static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info)
1972{
1973 struct nlattr **attrs = info->attrs;
1974 struct net_device *dev;
1975 struct macsec_secy *secy;
1976 struct macsec_tx_sc *tx_sc;
1977 struct macsec_tx_sa *tx_sa;
1978 u8 assoc_num;
1979 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
1980
1981 if (!attrs[MACSEC_ATTR_IFINDEX])
1982 return -EINVAL;
1983
1984 if (parse_sa_config(attrs, tb_sa))
1985 return -EINVAL;
1986
1987 rtnl_lock();
1988 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
1989 &dev, &secy, &tx_sc, &assoc_num);
1990 if (IS_ERR(tx_sa)) {
1991 rtnl_unlock();
1992 return PTR_ERR(tx_sa);
1993 }
1994
1995 if (tx_sa->active) {
1996 rtnl_unlock();
1997 return -EBUSY;
1998 }
1999
2000 RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL);
2001 clear_tx_sa(tx_sa);
2002
2003 rtnl_unlock();
2004
2005 return 0;
2006}
2007
2008static bool validate_upd_sa(struct nlattr **attrs)
2009{
2010 if (!attrs[MACSEC_SA_ATTR_AN] ||
2011 attrs[MACSEC_SA_ATTR_KEY] ||
2012 attrs[MACSEC_SA_ATTR_KEYID])
2013 return false;
2014
2015 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
2016 return false;
2017
2018 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
2019 return false;
2020
2021 if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
2022 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
2023 return false;
2024 }
2025
2026 return true;
2027}
2028
2029static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
2030{
2031 struct nlattr **attrs = info->attrs;
2032 struct net_device *dev;
2033 struct macsec_secy *secy;
2034 struct macsec_tx_sc *tx_sc;
2035 struct macsec_tx_sa *tx_sa;
2036 u8 assoc_num;
2037 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
2038
2039 if (!attrs[MACSEC_ATTR_IFINDEX])
2040 return -EINVAL;
2041
2042 if (parse_sa_config(attrs, tb_sa))
2043 return -EINVAL;
2044
2045 if (!validate_upd_sa(tb_sa))
2046 return -EINVAL;
2047
2048 rtnl_lock();
2049 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
2050 &dev, &secy, &tx_sc, &assoc_num);
2051 if (IS_ERR(tx_sa)) {
2052 rtnl_unlock();
2053 return PTR_ERR(tx_sa);
2054 }
2055
2056 if (tb_sa[MACSEC_SA_ATTR_PN]) {
2057 spin_lock_bh(&tx_sa->lock);
2058 tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
2059 spin_unlock_bh(&tx_sa->lock);
2060 }
2061
2062 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
2063 tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
2064
2065 if (assoc_num == tx_sc->encoding_sa)
2066 secy->operational = tx_sa->active;
2067
2068 rtnl_unlock();
2069
2070 return 0;
2071}
2072
2073static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
2074{
2075 struct nlattr **attrs = info->attrs;
2076 struct net_device *dev;
2077 struct macsec_secy *secy;
2078 struct macsec_rx_sc *rx_sc;
2079 struct macsec_rx_sa *rx_sa;
2080 u8 assoc_num;
2081 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
2082 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
2083
2084 if (!attrs[MACSEC_ATTR_IFINDEX])
2085 return -EINVAL;
2086
2087 if (parse_rxsc_config(attrs, tb_rxsc))
2088 return -EINVAL;
2089
2090 if (parse_sa_config(attrs, tb_sa))
2091 return -EINVAL;
2092
2093 if (!validate_upd_sa(tb_sa))
2094 return -EINVAL;
2095
2096 rtnl_lock();
2097 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
2098 &dev, &secy, &rx_sc, &assoc_num);
2099 if (IS_ERR(rx_sa)) {
2100 rtnl_unlock();
2101 return PTR_ERR(rx_sa);
2102 }
2103
2104 if (tb_sa[MACSEC_SA_ATTR_PN]) {
2105 spin_lock_bh(&rx_sa->lock);
2106 rx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
2107 spin_unlock_bh(&rx_sa->lock);
2108 }
2109
2110 if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
2111 rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
2112
2113 rtnl_unlock();
2114 return 0;
2115}
2116
2117static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info)
2118{
2119 struct nlattr **attrs = info->attrs;
2120 struct net_device *dev;
2121 struct macsec_secy *secy;
2122 struct macsec_rx_sc *rx_sc;
2123 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
2124
2125 if (!attrs[MACSEC_ATTR_IFINDEX])
2126 return -EINVAL;
2127
2128 if (parse_rxsc_config(attrs, tb_rxsc))
2129 return -EINVAL;
2130
2131 if (!validate_add_rxsc(tb_rxsc))
2132 return -EINVAL;
2133
2134 rtnl_lock();
2135 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
2136 if (IS_ERR(rx_sc)) {
2137 rtnl_unlock();
2138 return PTR_ERR(rx_sc);
2139 }
2140
2141 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) {
2142 bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
2143
2144 if (rx_sc->active != new)
2145 secy->n_rx_sc += new ? 1 : -1;
2146
2147 rx_sc->active = new;
2148 }
2149
2150 rtnl_unlock();
2151
2152 return 0;
2153}
2154
2155static int copy_tx_sa_stats(struct sk_buff *skb,
2156 struct macsec_tx_sa_stats __percpu *pstats)
2157{
2158 struct macsec_tx_sa_stats sum = {0, };
2159 int cpu;
2160
2161 for_each_possible_cpu(cpu) {
2162 const struct macsec_tx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
2163
2164 sum.OutPktsProtected += stats->OutPktsProtected;
2165 sum.OutPktsEncrypted += stats->OutPktsEncrypted;
2166 }
2167
2168 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED, sum.OutPktsProtected) ||
2169 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED, sum.OutPktsEncrypted))
2170 return -EMSGSIZE;
2171
2172 return 0;
2173}
2174
2175static int copy_rx_sa_stats(struct sk_buff *skb,
2176 struct macsec_rx_sa_stats __percpu *pstats)
2177{
2178 struct macsec_rx_sa_stats sum = {0, };
2179 int cpu;
2180
2181 for_each_possible_cpu(cpu) {
2182 const struct macsec_rx_sa_stats *stats = per_cpu_ptr(pstats, cpu);
2183
2184 sum.InPktsOK += stats->InPktsOK;
2185 sum.InPktsInvalid += stats->InPktsInvalid;
2186 sum.InPktsNotValid += stats->InPktsNotValid;
2187 sum.InPktsNotUsingSA += stats->InPktsNotUsingSA;
2188 sum.InPktsUnusedSA += stats->InPktsUnusedSA;
2189 }
2190
2191 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum.InPktsOK) ||
2192 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID, sum.InPktsInvalid) ||
2193 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID, sum.InPktsNotValid) ||
2194 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA, sum.InPktsNotUsingSA) ||
2195 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA, sum.InPktsUnusedSA))
2196 return -EMSGSIZE;
2197
2198 return 0;
2199}
2200
2201static int copy_rx_sc_stats(struct sk_buff *skb,
2202 struct pcpu_rx_sc_stats __percpu *pstats)
2203{
2204 struct macsec_rx_sc_stats sum = {0, };
2205 int cpu;
2206
2207 for_each_possible_cpu(cpu) {
2208 const struct pcpu_rx_sc_stats *stats;
2209 struct macsec_rx_sc_stats tmp;
2210 unsigned int start;
2211
2212 stats = per_cpu_ptr(pstats, cpu);
2213 do {
2214 start = u64_stats_fetch_begin_irq(&stats->syncp);
2215 memcpy(&tmp, &stats->stats, sizeof(tmp));
2216 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2217
2218 sum.InOctetsValidated += tmp.InOctetsValidated;
2219 sum.InOctetsDecrypted += tmp.InOctetsDecrypted;
2220 sum.InPktsUnchecked += tmp.InPktsUnchecked;
2221 sum.InPktsDelayed += tmp.InPktsDelayed;
2222 sum.InPktsOK += tmp.InPktsOK;
2223 sum.InPktsInvalid += tmp.InPktsInvalid;
2224 sum.InPktsLate += tmp.InPktsLate;
2225 sum.InPktsNotValid += tmp.InPktsNotValid;
2226 sum.InPktsNotUsingSA += tmp.InPktsNotUsingSA;
2227 sum.InPktsUnusedSA += tmp.InPktsUnusedSA;
2228 }
2229
2230 if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED,
2231 sum.InOctetsValidated,
2232 MACSEC_RXSC_STATS_ATTR_PAD) ||
2233 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED,
2234 sum.InOctetsDecrypted,
2235 MACSEC_RXSC_STATS_ATTR_PAD) ||
2236 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED,
2237 sum.InPktsUnchecked,
2238 MACSEC_RXSC_STATS_ATTR_PAD) ||
2239 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED,
2240 sum.InPktsDelayed,
2241 MACSEC_RXSC_STATS_ATTR_PAD) ||
2242 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK,
2243 sum.InPktsOK,
2244 MACSEC_RXSC_STATS_ATTR_PAD) ||
2245 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID,
2246 sum.InPktsInvalid,
2247 MACSEC_RXSC_STATS_ATTR_PAD) ||
2248 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE,
2249 sum.InPktsLate,
2250 MACSEC_RXSC_STATS_ATTR_PAD) ||
2251 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID,
2252 sum.InPktsNotValid,
2253 MACSEC_RXSC_STATS_ATTR_PAD) ||
2254 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA,
2255 sum.InPktsNotUsingSA,
2256 MACSEC_RXSC_STATS_ATTR_PAD) ||
2257 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA,
2258 sum.InPktsUnusedSA,
2259 MACSEC_RXSC_STATS_ATTR_PAD))
2260 return -EMSGSIZE;
2261
2262 return 0;
2263}
2264
2265static int copy_tx_sc_stats(struct sk_buff *skb,
2266 struct pcpu_tx_sc_stats __percpu *pstats)
2267{
2268 struct macsec_tx_sc_stats sum = {0, };
2269 int cpu;
2270
2271 for_each_possible_cpu(cpu) {
2272 const struct pcpu_tx_sc_stats *stats;
2273 struct macsec_tx_sc_stats tmp;
2274 unsigned int start;
2275
2276 stats = per_cpu_ptr(pstats, cpu);
2277 do {
2278 start = u64_stats_fetch_begin_irq(&stats->syncp);
2279 memcpy(&tmp, &stats->stats, sizeof(tmp));
2280 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2281
2282 sum.OutPktsProtected += tmp.OutPktsProtected;
2283 sum.OutPktsEncrypted += tmp.OutPktsEncrypted;
2284 sum.OutOctetsProtected += tmp.OutOctetsProtected;
2285 sum.OutOctetsEncrypted += tmp.OutOctetsEncrypted;
2286 }
2287
2288 if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED,
2289 sum.OutPktsProtected,
2290 MACSEC_TXSC_STATS_ATTR_PAD) ||
2291 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED,
2292 sum.OutPktsEncrypted,
2293 MACSEC_TXSC_STATS_ATTR_PAD) ||
2294 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED,
2295 sum.OutOctetsProtected,
2296 MACSEC_TXSC_STATS_ATTR_PAD) ||
2297 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED,
2298 sum.OutOctetsEncrypted,
2299 MACSEC_TXSC_STATS_ATTR_PAD))
2300 return -EMSGSIZE;
2301
2302 return 0;
2303}
2304
2305static int copy_secy_stats(struct sk_buff *skb,
2306 struct pcpu_secy_stats __percpu *pstats)
2307{
2308 struct macsec_dev_stats sum = {0, };
2309 int cpu;
2310
2311 for_each_possible_cpu(cpu) {
2312 const struct pcpu_secy_stats *stats;
2313 struct macsec_dev_stats tmp;
2314 unsigned int start;
2315
2316 stats = per_cpu_ptr(pstats, cpu);
2317 do {
2318 start = u64_stats_fetch_begin_irq(&stats->syncp);
2319 memcpy(&tmp, &stats->stats, sizeof(tmp));
2320 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2321
2322 sum.OutPktsUntagged += tmp.OutPktsUntagged;
2323 sum.InPktsUntagged += tmp.InPktsUntagged;
2324 sum.OutPktsTooLong += tmp.OutPktsTooLong;
2325 sum.InPktsNoTag += tmp.InPktsNoTag;
2326 sum.InPktsBadTag += tmp.InPktsBadTag;
2327 sum.InPktsUnknownSCI += tmp.InPktsUnknownSCI;
2328 sum.InPktsNoSCI += tmp.InPktsNoSCI;
2329 sum.InPktsOverrun += tmp.InPktsOverrun;
2330 }
2331
2332 if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED,
2333 sum.OutPktsUntagged,
2334 MACSEC_SECY_STATS_ATTR_PAD) ||
2335 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED,
2336 sum.InPktsUntagged,
2337 MACSEC_SECY_STATS_ATTR_PAD) ||
2338 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG,
2339 sum.OutPktsTooLong,
2340 MACSEC_SECY_STATS_ATTR_PAD) ||
2341 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG,
2342 sum.InPktsNoTag,
2343 MACSEC_SECY_STATS_ATTR_PAD) ||
2344 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG,
2345 sum.InPktsBadTag,
2346 MACSEC_SECY_STATS_ATTR_PAD) ||
2347 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI,
2348 sum.InPktsUnknownSCI,
2349 MACSEC_SECY_STATS_ATTR_PAD) ||
2350 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI,
2351 sum.InPktsNoSCI,
2352 MACSEC_SECY_STATS_ATTR_PAD) ||
2353 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN,
2354 sum.InPktsOverrun,
2355 MACSEC_SECY_STATS_ATTR_PAD))
2356 return -EMSGSIZE;
2357
2358 return 0;
2359}
2360
2361static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
2362{
2363 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
2364 struct nlattr *secy_nest = nla_nest_start_noflag(skb,
2365 MACSEC_ATTR_SECY);
2366 u64 csid;
2367
2368 if (!secy_nest)
2369 return 1;
2370
2371 switch (secy->key_len) {
2372 case MACSEC_GCM_AES_128_SAK_LEN:
2373 csid = MACSEC_DEFAULT_CIPHER_ID;
2374 break;
2375 case MACSEC_GCM_AES_256_SAK_LEN:
2376 csid = MACSEC_CIPHER_ID_GCM_AES_256;
2377 break;
2378 default:
2379 goto cancel;
2380 }
2381
2382 if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci,
2383 MACSEC_SECY_ATTR_PAD) ||
2384 nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE,
2385 csid, MACSEC_SECY_ATTR_PAD) ||
2386 nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) ||
2387 nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) ||
2388 nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) ||
2389 nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) ||
2390 nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) ||
2391 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) ||
2392 nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) ||
2393 nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) ||
2394 nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) ||
2395 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa))
2396 goto cancel;
2397
2398 if (secy->replay_protect) {
2399 if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window))
2400 goto cancel;
2401 }
2402
2403 nla_nest_end(skb, secy_nest);
2404 return 0;
2405
2406cancel:
2407 nla_nest_cancel(skb, secy_nest);
2408 return 1;
2409}
2410
2411static int dump_secy(struct macsec_secy *secy, struct net_device *dev,
2412 struct sk_buff *skb, struct netlink_callback *cb)
2413{
2414 struct macsec_rx_sc *rx_sc;
2415 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
2416 struct nlattr *txsa_list, *rxsc_list;
2417 int i, j;
2418 void *hdr;
2419 struct nlattr *attr;
2420
2421 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
2422 &macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC);
2423 if (!hdr)
2424 return -EMSGSIZE;
2425
2426 genl_dump_check_consistent(cb, hdr);
2427
2428 if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex))
2429 goto nla_put_failure;
2430
2431 if (nla_put_secy(secy, skb))
2432 goto nla_put_failure;
2433
2434 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSC_STATS);
2435 if (!attr)
2436 goto nla_put_failure;
2437 if (copy_tx_sc_stats(skb, tx_sc->stats)) {
2438 nla_nest_cancel(skb, attr);
2439 goto nla_put_failure;
2440 }
2441 nla_nest_end(skb, attr);
2442
2443 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_SECY_STATS);
2444 if (!attr)
2445 goto nla_put_failure;
2446 if (copy_secy_stats(skb, macsec_priv(dev)->stats)) {
2447 nla_nest_cancel(skb, attr);
2448 goto nla_put_failure;
2449 }
2450 nla_nest_end(skb, attr);
2451
2452 txsa_list = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSA_LIST);
2453 if (!txsa_list)
2454 goto nla_put_failure;
2455 for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) {
2456 struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
2457 struct nlattr *txsa_nest;
2458
2459 if (!tx_sa)
2460 continue;
2461
2462 txsa_nest = nla_nest_start_noflag(skb, j++);
2463 if (!txsa_nest) {
2464 nla_nest_cancel(skb, txsa_list);
2465 goto nla_put_failure;
2466 }
2467
2468 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
2469 nla_put_u32(skb, MACSEC_SA_ATTR_PN, tx_sa->next_pn) ||
2470 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) ||
2471 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) {
2472 nla_nest_cancel(skb, txsa_nest);
2473 nla_nest_cancel(skb, txsa_list);
2474 goto nla_put_failure;
2475 }
2476
2477 attr = nla_nest_start_noflag(skb, MACSEC_SA_ATTR_STATS);
2478 if (!attr) {
2479 nla_nest_cancel(skb, txsa_nest);
2480 nla_nest_cancel(skb, txsa_list);
2481 goto nla_put_failure;
2482 }
2483 if (copy_tx_sa_stats(skb, tx_sa->stats)) {
2484 nla_nest_cancel(skb, attr);
2485 nla_nest_cancel(skb, txsa_nest);
2486 nla_nest_cancel(skb, txsa_list);
2487 goto nla_put_failure;
2488 }
2489 nla_nest_end(skb, attr);
2490
2491 nla_nest_end(skb, txsa_nest);
2492 }
2493 nla_nest_end(skb, txsa_list);
2494
2495 rxsc_list = nla_nest_start_noflag(skb, MACSEC_ATTR_RXSC_LIST);
2496 if (!rxsc_list)
2497 goto nla_put_failure;
2498
2499 j = 1;
2500 for_each_rxsc_rtnl(secy, rx_sc) {
2501 int k;
2502 struct nlattr *rxsa_list;
2503 struct nlattr *rxsc_nest = nla_nest_start_noflag(skb, j++);
2504
2505 if (!rxsc_nest) {
2506 nla_nest_cancel(skb, rxsc_list);
2507 goto nla_put_failure;
2508 }
2509
2510 if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) ||
2511 nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci,
2512 MACSEC_RXSC_ATTR_PAD)) {
2513 nla_nest_cancel(skb, rxsc_nest);
2514 nla_nest_cancel(skb, rxsc_list);
2515 goto nla_put_failure;
2516 }
2517
2518 attr = nla_nest_start_noflag(skb, MACSEC_RXSC_ATTR_STATS);
2519 if (!attr) {
2520 nla_nest_cancel(skb, rxsc_nest);
2521 nla_nest_cancel(skb, rxsc_list);
2522 goto nla_put_failure;
2523 }
2524 if (copy_rx_sc_stats(skb, rx_sc->stats)) {
2525 nla_nest_cancel(skb, attr);
2526 nla_nest_cancel(skb, rxsc_nest);
2527 nla_nest_cancel(skb, rxsc_list);
2528 goto nla_put_failure;
2529 }
2530 nla_nest_end(skb, attr);
2531
2532 rxsa_list = nla_nest_start_noflag(skb,
2533 MACSEC_RXSC_ATTR_SA_LIST);
2534 if (!rxsa_list) {
2535 nla_nest_cancel(skb, rxsc_nest);
2536 nla_nest_cancel(skb, rxsc_list);
2537 goto nla_put_failure;
2538 }
2539
2540 for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) {
2541 struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
2542 struct nlattr *rxsa_nest;
2543
2544 if (!rx_sa)
2545 continue;
2546
2547 rxsa_nest = nla_nest_start_noflag(skb, k++);
2548 if (!rxsa_nest) {
2549 nla_nest_cancel(skb, rxsa_list);
2550 nla_nest_cancel(skb, rxsc_nest);
2551 nla_nest_cancel(skb, rxsc_list);
2552 goto nla_put_failure;
2553 }
2554
2555 attr = nla_nest_start_noflag(skb,
2556 MACSEC_SA_ATTR_STATS);
2557 if (!attr) {
2558 nla_nest_cancel(skb, rxsa_list);
2559 nla_nest_cancel(skb, rxsc_nest);
2560 nla_nest_cancel(skb, rxsc_list);
2561 goto nla_put_failure;
2562 }
2563 if (copy_rx_sa_stats(skb, rx_sa->stats)) {
2564 nla_nest_cancel(skb, attr);
2565 nla_nest_cancel(skb, rxsa_list);
2566 nla_nest_cancel(skb, rxsc_nest);
2567 nla_nest_cancel(skb, rxsc_list);
2568 goto nla_put_failure;
2569 }
2570 nla_nest_end(skb, attr);
2571
2572 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
2573 nla_put_u32(skb, MACSEC_SA_ATTR_PN, rx_sa->next_pn) ||
2574 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) ||
2575 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) {
2576 nla_nest_cancel(skb, rxsa_nest);
2577 nla_nest_cancel(skb, rxsc_nest);
2578 nla_nest_cancel(skb, rxsc_list);
2579 goto nla_put_failure;
2580 }
2581 nla_nest_end(skb, rxsa_nest);
2582 }
2583
2584 nla_nest_end(skb, rxsa_list);
2585 nla_nest_end(skb, rxsc_nest);
2586 }
2587
2588 nla_nest_end(skb, rxsc_list);
2589
2590 genlmsg_end(skb, hdr);
2591
2592 return 0;
2593
2594nla_put_failure:
2595 genlmsg_cancel(skb, hdr);
2596 return -EMSGSIZE;
2597}
2598
2599static int macsec_generation = 1;
2600
2601static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb)
2602{
2603 struct net *net = sock_net(skb->sk);
2604 struct net_device *dev;
2605 int dev_idx, d;
2606
2607 dev_idx = cb->args[0];
2608
2609 d = 0;
2610 rtnl_lock();
2611
2612 cb->seq = macsec_generation;
2613
2614 for_each_netdev(net, dev) {
2615 struct macsec_secy *secy;
2616
2617 if (d < dev_idx)
2618 goto next;
2619
2620 if (!netif_is_macsec(dev))
2621 goto next;
2622
2623 secy = &macsec_priv(dev)->secy;
2624 if (dump_secy(secy, dev, skb, cb) < 0)
2625 goto done;
2626next:
2627 d++;
2628 }
2629
2630done:
2631 rtnl_unlock();
2632 cb->args[0] = d;
2633 return skb->len;
2634}
2635
2636static const struct genl_ops macsec_genl_ops[] = {
2637 {
2638 .cmd = MACSEC_CMD_GET_TXSC,
2639 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2640 .dumpit = macsec_dump_txsc,
2641 },
2642 {
2643 .cmd = MACSEC_CMD_ADD_RXSC,
2644 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2645 .doit = macsec_add_rxsc,
2646 .flags = GENL_ADMIN_PERM,
2647 },
2648 {
2649 .cmd = MACSEC_CMD_DEL_RXSC,
2650 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2651 .doit = macsec_del_rxsc,
2652 .flags = GENL_ADMIN_PERM,
2653 },
2654 {
2655 .cmd = MACSEC_CMD_UPD_RXSC,
2656 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2657 .doit = macsec_upd_rxsc,
2658 .flags = GENL_ADMIN_PERM,
2659 },
2660 {
2661 .cmd = MACSEC_CMD_ADD_TXSA,
2662 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2663 .doit = macsec_add_txsa,
2664 .flags = GENL_ADMIN_PERM,
2665 },
2666 {
2667 .cmd = MACSEC_CMD_DEL_TXSA,
2668 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2669 .doit = macsec_del_txsa,
2670 .flags = GENL_ADMIN_PERM,
2671 },
2672 {
2673 .cmd = MACSEC_CMD_UPD_TXSA,
2674 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2675 .doit = macsec_upd_txsa,
2676 .flags = GENL_ADMIN_PERM,
2677 },
2678 {
2679 .cmd = MACSEC_CMD_ADD_RXSA,
2680 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2681 .doit = macsec_add_rxsa,
2682 .flags = GENL_ADMIN_PERM,
2683 },
2684 {
2685 .cmd = MACSEC_CMD_DEL_RXSA,
2686 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2687 .doit = macsec_del_rxsa,
2688 .flags = GENL_ADMIN_PERM,
2689 },
2690 {
2691 .cmd = MACSEC_CMD_UPD_RXSA,
2692 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2693 .doit = macsec_upd_rxsa,
2694 .flags = GENL_ADMIN_PERM,
2695 },
2696};
2697
2698static struct genl_family macsec_fam __ro_after_init = {
2699 .name = MACSEC_GENL_NAME,
2700 .hdrsize = 0,
2701 .version = MACSEC_GENL_VERSION,
2702 .maxattr = MACSEC_ATTR_MAX,
2703 .policy = macsec_genl_policy,
2704 .netnsok = true,
2705 .module = THIS_MODULE,
2706 .ops = macsec_genl_ops,
2707 .n_ops = ARRAY_SIZE(macsec_genl_ops),
2708};
2709
2710static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
2711 struct net_device *dev)
2712{
2713 struct macsec_dev *macsec = netdev_priv(dev);
2714 struct macsec_secy *secy = &macsec->secy;
2715 struct pcpu_secy_stats *secy_stats;
2716 int ret, len;
2717
2718
2719 if (!secy->protect_frames) {
2720 secy_stats = this_cpu_ptr(macsec->stats);
2721 u64_stats_update_begin(&secy_stats->syncp);
2722 secy_stats->stats.OutPktsUntagged++;
2723 u64_stats_update_end(&secy_stats->syncp);
2724 skb->dev = macsec->real_dev;
2725 len = skb->len;
2726 ret = dev_queue_xmit(skb);
2727 count_tx(dev, ret, len);
2728 return ret;
2729 }
2730
2731 if (!secy->operational) {
2732 kfree_skb(skb);
2733 dev->stats.tx_dropped++;
2734 return NETDEV_TX_OK;
2735 }
2736
2737 skb = macsec_encrypt(skb, dev);
2738 if (IS_ERR(skb)) {
2739 if (PTR_ERR(skb) != -EINPROGRESS)
2740 dev->stats.tx_dropped++;
2741 return NETDEV_TX_OK;
2742 }
2743
2744 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
2745
2746 macsec_encrypt_finish(skb, dev);
2747 len = skb->len;
2748 ret = dev_queue_xmit(skb);
2749 count_tx(dev, ret, len);
2750 return ret;
2751}
2752
2753#define MACSEC_FEATURES \
2754 (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
2755
2756static int macsec_dev_init(struct net_device *dev)
2757{
2758 struct macsec_dev *macsec = macsec_priv(dev);
2759 struct net_device *real_dev = macsec->real_dev;
2760 int err;
2761
2762 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
2763 if (!dev->tstats)
2764 return -ENOMEM;
2765
2766 err = gro_cells_init(&macsec->gro_cells, dev);
2767 if (err) {
2768 free_percpu(dev->tstats);
2769 return err;
2770 }
2771
2772 dev->features = real_dev->features & MACSEC_FEATURES;
2773 dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
2774
2775 dev->needed_headroom = real_dev->needed_headroom +
2776 MACSEC_NEEDED_HEADROOM;
2777 dev->needed_tailroom = real_dev->needed_tailroom +
2778 MACSEC_NEEDED_TAILROOM;
2779
2780 if (is_zero_ether_addr(dev->dev_addr))
2781 eth_hw_addr_inherit(dev, real_dev);
2782 if (is_zero_ether_addr(dev->broadcast))
2783 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
2784
2785 return 0;
2786}
2787
2788static void macsec_dev_uninit(struct net_device *dev)
2789{
2790 struct macsec_dev *macsec = macsec_priv(dev);
2791
2792 gro_cells_destroy(&macsec->gro_cells);
2793 free_percpu(dev->tstats);
2794}
2795
2796static netdev_features_t macsec_fix_features(struct net_device *dev,
2797 netdev_features_t features)
2798{
2799 struct macsec_dev *macsec = macsec_priv(dev);
2800 struct net_device *real_dev = macsec->real_dev;
2801
2802 features &= (real_dev->features & MACSEC_FEATURES) |
2803 NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES;
2804 features |= NETIF_F_LLTX;
2805
2806 return features;
2807}
2808
2809static int macsec_dev_open(struct net_device *dev)
2810{
2811 struct macsec_dev *macsec = macsec_priv(dev);
2812 struct net_device *real_dev = macsec->real_dev;
2813 int err;
2814
2815 err = dev_uc_add(real_dev, dev->dev_addr);
2816 if (err < 0)
2817 return err;
2818
2819 if (dev->flags & IFF_ALLMULTI) {
2820 err = dev_set_allmulti(real_dev, 1);
2821 if (err < 0)
2822 goto del_unicast;
2823 }
2824
2825 if (dev->flags & IFF_PROMISC) {
2826 err = dev_set_promiscuity(real_dev, 1);
2827 if (err < 0)
2828 goto clear_allmulti;
2829 }
2830
2831 if (netif_carrier_ok(real_dev))
2832 netif_carrier_on(dev);
2833
2834 return 0;
2835clear_allmulti:
2836 if (dev->flags & IFF_ALLMULTI)
2837 dev_set_allmulti(real_dev, -1);
2838del_unicast:
2839 dev_uc_del(real_dev, dev->dev_addr);
2840 netif_carrier_off(dev);
2841 return err;
2842}
2843
2844static int macsec_dev_stop(struct net_device *dev)
2845{
2846 struct macsec_dev *macsec = macsec_priv(dev);
2847 struct net_device *real_dev = macsec->real_dev;
2848
2849 netif_carrier_off(dev);
2850
2851 dev_mc_unsync(real_dev, dev);
2852 dev_uc_unsync(real_dev, dev);
2853
2854 if (dev->flags & IFF_ALLMULTI)
2855 dev_set_allmulti(real_dev, -1);
2856
2857 if (dev->flags & IFF_PROMISC)
2858 dev_set_promiscuity(real_dev, -1);
2859
2860 dev_uc_del(real_dev, dev->dev_addr);
2861
2862 return 0;
2863}
2864
2865static void macsec_dev_change_rx_flags(struct net_device *dev, int change)
2866{
2867 struct net_device *real_dev = macsec_priv(dev)->real_dev;
2868
2869 if (!(dev->flags & IFF_UP))
2870 return;
2871
2872 if (change & IFF_ALLMULTI)
2873 dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
2874
2875 if (change & IFF_PROMISC)
2876 dev_set_promiscuity(real_dev,
2877 dev->flags & IFF_PROMISC ? 1 : -1);
2878}
2879
2880static void macsec_dev_set_rx_mode(struct net_device *dev)
2881{
2882 struct net_device *real_dev = macsec_priv(dev)->real_dev;
2883
2884 dev_mc_sync(real_dev, dev);
2885 dev_uc_sync(real_dev, dev);
2886}
2887
2888static int macsec_set_mac_address(struct net_device *dev, void *p)
2889{
2890 struct macsec_dev *macsec = macsec_priv(dev);
2891 struct net_device *real_dev = macsec->real_dev;
2892 struct sockaddr *addr = p;
2893 int err;
2894
2895 if (!is_valid_ether_addr(addr->sa_data))
2896 return -EADDRNOTAVAIL;
2897
2898 if (!(dev->flags & IFF_UP))
2899 goto out;
2900
2901 err = dev_uc_add(real_dev, addr->sa_data);
2902 if (err < 0)
2903 return err;
2904
2905 dev_uc_del(real_dev, dev->dev_addr);
2906
2907out:
2908 ether_addr_copy(dev->dev_addr, addr->sa_data);
2909 return 0;
2910}
2911
2912static int macsec_change_mtu(struct net_device *dev, int new_mtu)
2913{
2914 struct macsec_dev *macsec = macsec_priv(dev);
2915 unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true);
2916
2917 if (macsec->real_dev->mtu - extra < new_mtu)
2918 return -ERANGE;
2919
2920 dev->mtu = new_mtu;
2921
2922 return 0;
2923}
2924
2925static void macsec_get_stats64(struct net_device *dev,
2926 struct rtnl_link_stats64 *s)
2927{
2928 int cpu;
2929
2930 if (!dev->tstats)
2931 return;
2932
2933 for_each_possible_cpu(cpu) {
2934 struct pcpu_sw_netstats *stats;
2935 struct pcpu_sw_netstats tmp;
2936 int start;
2937
2938 stats = per_cpu_ptr(dev->tstats, cpu);
2939 do {
2940 start = u64_stats_fetch_begin_irq(&stats->syncp);
2941 tmp.rx_packets = stats->rx_packets;
2942 tmp.rx_bytes = stats->rx_bytes;
2943 tmp.tx_packets = stats->tx_packets;
2944 tmp.tx_bytes = stats->tx_bytes;
2945 } while (u64_stats_fetch_retry_irq(&stats->syncp, start));
2946
2947 s->rx_packets += tmp.rx_packets;
2948 s->rx_bytes += tmp.rx_bytes;
2949 s->tx_packets += tmp.tx_packets;
2950 s->tx_bytes += tmp.tx_bytes;
2951 }
2952
2953 s->rx_dropped = dev->stats.rx_dropped;
2954 s->tx_dropped = dev->stats.tx_dropped;
2955}
2956
2957static int macsec_get_iflink(const struct net_device *dev)
2958{
2959 return macsec_priv(dev)->real_dev->ifindex;
2960}
2961
2962static const struct net_device_ops macsec_netdev_ops = {
2963 .ndo_init = macsec_dev_init,
2964 .ndo_uninit = macsec_dev_uninit,
2965 .ndo_open = macsec_dev_open,
2966 .ndo_stop = macsec_dev_stop,
2967 .ndo_fix_features = macsec_fix_features,
2968 .ndo_change_mtu = macsec_change_mtu,
2969 .ndo_set_rx_mode = macsec_dev_set_rx_mode,
2970 .ndo_change_rx_flags = macsec_dev_change_rx_flags,
2971 .ndo_set_mac_address = macsec_set_mac_address,
2972 .ndo_start_xmit = macsec_start_xmit,
2973 .ndo_get_stats64 = macsec_get_stats64,
2974 .ndo_get_iflink = macsec_get_iflink,
2975};
2976
2977static const struct device_type macsec_type = {
2978 .name = "macsec",
2979};
2980
2981static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
2982 [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
2983 [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
2984 [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
2985 [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
2986 [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
2987 [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 },
2988 [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 },
2989 [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 },
2990 [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 },
2991 [IFLA_MACSEC_ES] = { .type = NLA_U8 },
2992 [IFLA_MACSEC_SCB] = { .type = NLA_U8 },
2993 [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
2994 [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
2995};
2996
2997static void macsec_free_netdev(struct net_device *dev)
2998{
2999 struct macsec_dev *macsec = macsec_priv(dev);
3000
3001 free_percpu(macsec->stats);
3002 free_percpu(macsec->secy.tx_sc.stats);
3003
3004}
3005
3006static void macsec_setup(struct net_device *dev)
3007{
3008 ether_setup(dev);
3009 dev->min_mtu = 0;
3010 dev->max_mtu = ETH_MAX_MTU;
3011 dev->priv_flags |= IFF_NO_QUEUE;
3012 dev->netdev_ops = &macsec_netdev_ops;
3013 dev->needs_free_netdev = true;
3014 dev->priv_destructor = macsec_free_netdev;
3015 SET_NETDEV_DEVTYPE(dev, &macsec_type);
3016
3017 eth_zero_addr(dev->broadcast);
3018}
3019
3020static int macsec_changelink_common(struct net_device *dev,
3021 struct nlattr *data[])
3022{
3023 struct macsec_secy *secy;
3024 struct macsec_tx_sc *tx_sc;
3025
3026 secy = &macsec_priv(dev)->secy;
3027 tx_sc = &secy->tx_sc;
3028
3029 if (data[IFLA_MACSEC_ENCODING_SA]) {
3030 struct macsec_tx_sa *tx_sa;
3031
3032 tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]);
3033 tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]);
3034
3035 secy->operational = tx_sa && tx_sa->active;
3036 }
3037
3038 if (data[IFLA_MACSEC_WINDOW])
3039 secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]);
3040
3041 if (data[IFLA_MACSEC_ENCRYPT])
3042 tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]);
3043
3044 if (data[IFLA_MACSEC_PROTECT])
3045 secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]);
3046
3047 if (data[IFLA_MACSEC_INC_SCI])
3048 tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
3049
3050 if (data[IFLA_MACSEC_ES])
3051 tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]);
3052
3053 if (data[IFLA_MACSEC_SCB])
3054 tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]);
3055
3056 if (data[IFLA_MACSEC_REPLAY_PROTECT])
3057 secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]);
3058
3059 if (data[IFLA_MACSEC_VALIDATION])
3060 secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]);
3061
3062 if (data[IFLA_MACSEC_CIPHER_SUITE]) {
3063 switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
3064 case MACSEC_CIPHER_ID_GCM_AES_128:
3065 case MACSEC_DEFAULT_CIPHER_ID:
3066 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
3067 break;
3068 case MACSEC_CIPHER_ID_GCM_AES_256:
3069 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
3070 break;
3071 default:
3072 return -EINVAL;
3073 }
3074 }
3075
3076 return 0;
3077}
3078
3079static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
3080 struct nlattr *data[],
3081 struct netlink_ext_ack *extack)
3082{
3083 if (!data)
3084 return 0;
3085
3086 if (data[IFLA_MACSEC_CIPHER_SUITE] ||
3087 data[IFLA_MACSEC_ICV_LEN] ||
3088 data[IFLA_MACSEC_SCI] ||
3089 data[IFLA_MACSEC_PORT])
3090 return -EINVAL;
3091
3092 return macsec_changelink_common(dev, data);
3093}
3094
3095static void macsec_del_dev(struct macsec_dev *macsec)
3096{
3097 int i;
3098
3099 while (macsec->secy.rx_sc) {
3100 struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc);
3101
3102 rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next);
3103 free_rx_sc(rx_sc);
3104 }
3105
3106 for (i = 0; i < MACSEC_NUM_AN; i++) {
3107 struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]);
3108
3109 if (sa) {
3110 RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL);
3111 clear_tx_sa(sa);
3112 }
3113 }
3114}
3115
3116static void macsec_common_dellink(struct net_device *dev, struct list_head *head)
3117{
3118 struct macsec_dev *macsec = macsec_priv(dev);
3119 struct net_device *real_dev = macsec->real_dev;
3120
3121 unregister_netdevice_queue(dev, head);
3122 list_del_rcu(&macsec->secys);
3123 macsec_del_dev(macsec);
3124 netdev_upper_dev_unlink(real_dev, dev);
3125
3126 macsec_generation++;
3127}
3128
3129static void macsec_dellink(struct net_device *dev, struct list_head *head)
3130{
3131 struct macsec_dev *macsec = macsec_priv(dev);
3132 struct net_device *real_dev = macsec->real_dev;
3133 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
3134
3135 macsec_common_dellink(dev, head);
3136
3137 if (list_empty(&rxd->secys)) {
3138 netdev_rx_handler_unregister(real_dev);
3139 kfree(rxd);
3140 }
3141}
3142
3143static int register_macsec_dev(struct net_device *real_dev,
3144 struct net_device *dev)
3145{
3146 struct macsec_dev *macsec = macsec_priv(dev);
3147 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
3148
3149 if (!rxd) {
3150 int err;
3151
3152 rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
3153 if (!rxd)
3154 return -ENOMEM;
3155
3156 INIT_LIST_HEAD(&rxd->secys);
3157
3158 err = netdev_rx_handler_register(real_dev, macsec_handle_frame,
3159 rxd);
3160 if (err < 0) {
3161 kfree(rxd);
3162 return err;
3163 }
3164 }
3165
3166 list_add_tail_rcu(&macsec->secys, &rxd->secys);
3167 return 0;
3168}
3169
3170static bool sci_exists(struct net_device *dev, sci_t sci)
3171{
3172 struct macsec_rxh_data *rxd = macsec_data_rtnl(dev);
3173 struct macsec_dev *macsec;
3174
3175 list_for_each_entry(macsec, &rxd->secys, secys) {
3176 if (macsec->secy.sci == sci)
3177 return true;
3178 }
3179
3180 return false;
3181}
3182
3183static sci_t dev_to_sci(struct net_device *dev, __be16 port)
3184{
3185 return make_sci(dev->dev_addr, port);
3186}
3187
3188static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
3189{
3190 struct macsec_dev *macsec = macsec_priv(dev);
3191 struct macsec_secy *secy = &macsec->secy;
3192
3193 macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats);
3194 if (!macsec->stats)
3195 return -ENOMEM;
3196
3197 secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats);
3198 if (!secy->tx_sc.stats) {
3199 free_percpu(macsec->stats);
3200 return -ENOMEM;
3201 }
3202
3203 if (sci == MACSEC_UNDEF_SCI)
3204 sci = dev_to_sci(dev, MACSEC_PORT_ES);
3205
3206 secy->netdev = dev;
3207 secy->operational = true;
3208 secy->key_len = DEFAULT_SAK_LEN;
3209 secy->icv_len = icv_len;
3210 secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
3211 secy->protect_frames = true;
3212 secy->replay_protect = false;
3213
3214 secy->sci = sci;
3215 secy->tx_sc.active = true;
3216 secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA;
3217 secy->tx_sc.encrypt = DEFAULT_ENCRYPT;
3218 secy->tx_sc.send_sci = DEFAULT_SEND_SCI;
3219 secy->tx_sc.end_station = false;
3220 secy->tx_sc.scb = false;
3221
3222 return 0;
3223}
3224
3225static int macsec_newlink(struct net *net, struct net_device *dev,
3226 struct nlattr *tb[], struct nlattr *data[],
3227 struct netlink_ext_ack *extack)
3228{
3229 struct macsec_dev *macsec = macsec_priv(dev);
3230 rx_handler_func_t *rx_handler;
3231 u8 icv_len = DEFAULT_ICV_LEN;
3232 struct net_device *real_dev;
3233 int err, mtu;
3234 sci_t sci;
3235
3236 if (!tb[IFLA_LINK])
3237 return -EINVAL;
3238 real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
3239 if (!real_dev)
3240 return -ENODEV;
3241 if (real_dev->type != ARPHRD_ETHER)
3242 return -EINVAL;
3243
3244 dev->priv_flags |= IFF_MACSEC;
3245
3246 macsec->real_dev = real_dev;
3247
3248 if (data && data[IFLA_MACSEC_ICV_LEN])
3249 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
3250 mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
3251 if (mtu < 0)
3252 dev->mtu = 0;
3253 else
3254 dev->mtu = mtu;
3255
3256 rx_handler = rtnl_dereference(real_dev->rx_handler);
3257 if (rx_handler && rx_handler != macsec_handle_frame)
3258 return -EBUSY;
3259
3260 err = register_netdevice(dev);
3261 if (err < 0)
3262 return err;
3263
3264 err = netdev_upper_dev_link(real_dev, dev, extack);
3265 if (err < 0)
3266 goto unregister;
3267
3268
3269
3270
3271 if (data && data[IFLA_MACSEC_SCI])
3272 sci = nla_get_sci(data[IFLA_MACSEC_SCI]);
3273 else if (data && data[IFLA_MACSEC_PORT])
3274 sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT]));
3275 else
3276 sci = dev_to_sci(dev, MACSEC_PORT_ES);
3277
3278 if (rx_handler && sci_exists(real_dev, sci)) {
3279 err = -EBUSY;
3280 goto unlink;
3281 }
3282
3283 err = macsec_add_dev(dev, sci, icv_len);
3284 if (err)
3285 goto unlink;
3286
3287 if (data) {
3288 err = macsec_changelink_common(dev, data);
3289 if (err)
3290 goto del_dev;
3291 }
3292
3293 err = register_macsec_dev(real_dev, dev);
3294 if (err < 0)
3295 goto del_dev;
3296
3297 netif_stacked_transfer_operstate(real_dev, dev);
3298 linkwatch_fire_event(dev);
3299
3300 macsec_generation++;
3301
3302 return 0;
3303
3304del_dev:
3305 macsec_del_dev(macsec);
3306unlink:
3307 netdev_upper_dev_unlink(real_dev, dev);
3308unregister:
3309 unregister_netdevice(dev);
3310 return err;
3311}
3312
3313static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
3314 struct netlink_ext_ack *extack)
3315{
3316 u64 csid = MACSEC_DEFAULT_CIPHER_ID;
3317 u8 icv_len = DEFAULT_ICV_LEN;
3318 int flag;
3319 bool es, scb, sci;
3320
3321 if (!data)
3322 return 0;
3323
3324 if (data[IFLA_MACSEC_CIPHER_SUITE])
3325 csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
3326
3327 if (data[IFLA_MACSEC_ICV_LEN]) {
3328 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
3329 if (icv_len != DEFAULT_ICV_LEN) {
3330 char dummy_key[DEFAULT_SAK_LEN] = { 0 };
3331 struct crypto_aead *dummy_tfm;
3332
3333 dummy_tfm = macsec_alloc_tfm(dummy_key,
3334 DEFAULT_SAK_LEN,
3335 icv_len);
3336 if (IS_ERR(dummy_tfm))
3337 return PTR_ERR(dummy_tfm);
3338 crypto_free_aead(dummy_tfm);
3339 }
3340 }
3341
3342 switch (csid) {
3343 case MACSEC_CIPHER_ID_GCM_AES_128:
3344 case MACSEC_CIPHER_ID_GCM_AES_256:
3345 case MACSEC_DEFAULT_CIPHER_ID:
3346 if (icv_len < MACSEC_MIN_ICV_LEN ||
3347 icv_len > MACSEC_STD_ICV_LEN)
3348 return -EINVAL;
3349 break;
3350 default:
3351 return -EINVAL;
3352 }
3353
3354 if (data[IFLA_MACSEC_ENCODING_SA]) {
3355 if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN)
3356 return -EINVAL;
3357 }
3358
3359 for (flag = IFLA_MACSEC_ENCODING_SA + 1;
3360 flag < IFLA_MACSEC_VALIDATION;
3361 flag++) {
3362 if (data[flag]) {
3363 if (nla_get_u8(data[flag]) > 1)
3364 return -EINVAL;
3365 }
3366 }
3367
3368 es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false;
3369 sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false;
3370 scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false;
3371
3372 if ((sci && (scb || es)) || (scb && es))
3373 return -EINVAL;
3374
3375 if (data[IFLA_MACSEC_VALIDATION] &&
3376 nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX)
3377 return -EINVAL;
3378
3379 if ((data[IFLA_MACSEC_REPLAY_PROTECT] &&
3380 nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) &&
3381 !data[IFLA_MACSEC_WINDOW])
3382 return -EINVAL;
3383
3384 return 0;
3385}
3386
3387static struct net *macsec_get_link_net(const struct net_device *dev)
3388{
3389 return dev_net(macsec_priv(dev)->real_dev);
3390}
3391
3392static size_t macsec_get_size(const struct net_device *dev)
3393{
3394 return nla_total_size_64bit(8) +
3395 nla_total_size(1) +
3396 nla_total_size_64bit(8) +
3397 nla_total_size(4) +
3398 nla_total_size(1) +
3399 nla_total_size(1) +
3400 nla_total_size(1) +
3401 nla_total_size(1) +
3402 nla_total_size(1) +
3403 nla_total_size(1) +
3404 nla_total_size(1) +
3405 nla_total_size(1) +
3406 0;
3407}
3408
3409static int macsec_fill_info(struct sk_buff *skb,
3410 const struct net_device *dev)
3411{
3412 struct macsec_secy *secy = &macsec_priv(dev)->secy;
3413 struct macsec_tx_sc *tx_sc = &secy->tx_sc;
3414 u64 csid;
3415
3416 switch (secy->key_len) {
3417 case MACSEC_GCM_AES_128_SAK_LEN:
3418 csid = MACSEC_DEFAULT_CIPHER_ID;
3419 break;
3420 case MACSEC_GCM_AES_256_SAK_LEN:
3421 csid = MACSEC_CIPHER_ID_GCM_AES_256;
3422 break;
3423 default:
3424 goto nla_put_failure;
3425 }
3426
3427 if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci,
3428 IFLA_MACSEC_PAD) ||
3429 nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) ||
3430 nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE,
3431 csid, IFLA_MACSEC_PAD) ||
3432 nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) ||
3433 nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) ||
3434 nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) ||
3435 nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) ||
3436 nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) ||
3437 nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
3438 nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
3439 nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
3440 0)
3441 goto nla_put_failure;
3442
3443 if (secy->replay_protect) {
3444 if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window))
3445 goto nla_put_failure;
3446 }
3447
3448 return 0;
3449
3450nla_put_failure:
3451 return -EMSGSIZE;
3452}
3453
3454static struct rtnl_link_ops macsec_link_ops __read_mostly = {
3455 .kind = "macsec",
3456 .priv_size = sizeof(struct macsec_dev),
3457 .maxtype = IFLA_MACSEC_MAX,
3458 .policy = macsec_rtnl_policy,
3459 .setup = macsec_setup,
3460 .validate = macsec_validate_attr,
3461 .newlink = macsec_newlink,
3462 .changelink = macsec_changelink,
3463 .dellink = macsec_dellink,
3464 .get_size = macsec_get_size,
3465 .fill_info = macsec_fill_info,
3466 .get_link_net = macsec_get_link_net,
3467};
3468
3469static bool is_macsec_master(struct net_device *dev)
3470{
3471 return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame;
3472}
3473
3474static int macsec_notify(struct notifier_block *this, unsigned long event,
3475 void *ptr)
3476{
3477 struct net_device *real_dev = netdev_notifier_info_to_dev(ptr);
3478 LIST_HEAD(head);
3479
3480 if (!is_macsec_master(real_dev))
3481 return NOTIFY_DONE;
3482
3483 switch (event) {
3484 case NETDEV_DOWN:
3485 case NETDEV_UP:
3486 case NETDEV_CHANGE: {
3487 struct macsec_dev *m, *n;
3488 struct macsec_rxh_data *rxd;
3489
3490 rxd = macsec_data_rtnl(real_dev);
3491 list_for_each_entry_safe(m, n, &rxd->secys, secys) {
3492 struct net_device *dev = m->secy.netdev;
3493
3494 netif_stacked_transfer_operstate(real_dev, dev);
3495 }
3496 break;
3497 }
3498 case NETDEV_UNREGISTER: {
3499 struct macsec_dev *m, *n;
3500 struct macsec_rxh_data *rxd;
3501
3502 rxd = macsec_data_rtnl(real_dev);
3503 list_for_each_entry_safe(m, n, &rxd->secys, secys) {
3504 macsec_common_dellink(m->secy.netdev, &head);
3505 }
3506
3507 netdev_rx_handler_unregister(real_dev);
3508 kfree(rxd);
3509
3510 unregister_netdevice_many(&head);
3511 break;
3512 }
3513 case NETDEV_CHANGEMTU: {
3514 struct macsec_dev *m;
3515 struct macsec_rxh_data *rxd;
3516
3517 rxd = macsec_data_rtnl(real_dev);
3518 list_for_each_entry(m, &rxd->secys, secys) {
3519 struct net_device *dev = m->secy.netdev;
3520 unsigned int mtu = real_dev->mtu - (m->secy.icv_len +
3521 macsec_extra_len(true));
3522
3523 if (dev->mtu > mtu)
3524 dev_set_mtu(dev, mtu);
3525 }
3526 }
3527 }
3528
3529 return NOTIFY_OK;
3530}
3531
3532static struct notifier_block macsec_notifier = {
3533 .notifier_call = macsec_notify,
3534};
3535
3536static int __init macsec_init(void)
3537{
3538 int err;
3539
3540 pr_info("MACsec IEEE 802.1AE\n");
3541 err = register_netdevice_notifier(&macsec_notifier);
3542 if (err)
3543 return err;
3544
3545 err = rtnl_link_register(&macsec_link_ops);
3546 if (err)
3547 goto notifier;
3548
3549 err = genl_register_family(&macsec_fam);
3550 if (err)
3551 goto rtnl;
3552
3553 return 0;
3554
3555rtnl:
3556 rtnl_link_unregister(&macsec_link_ops);
3557notifier:
3558 unregister_netdevice_notifier(&macsec_notifier);
3559 return err;
3560}
3561
3562static void __exit macsec_exit(void)
3563{
3564 genl_unregister_family(&macsec_fam);
3565 rtnl_link_unregister(&macsec_link_ops);
3566 unregister_netdevice_notifier(&macsec_notifier);
3567 rcu_barrier();
3568}
3569
3570module_init(macsec_init);
3571module_exit(macsec_exit);
3572
3573MODULE_ALIAS_RTNL_LINK("macsec");
3574MODULE_ALIAS_GENL_FAMILY("macsec");
3575
3576MODULE_DESCRIPTION("MACsec IEEE 802.1AE");
3577MODULE_LICENSE("GPL v2");
3578
