[vslib]: Add MACsec xpn support (sonic-net#924)

* Add macsec xpn support

Signed-off-by: Ze Gan <[email protected]>

* Add unit test for loadMACsecAttrFromMACsecSC

Signed-off-by: Ze Gan <[email protected]>

* Add SWSS_LOG_ENTER

Signed-off-by: Ze Gan <[email protected]>

* Fix bug and refactor code

Signed-off-by: Ubuntu <zegan@zegan-test-hk.0y0yh0pwahvetntlrcfftojvof.hx.internal.cloudapp.net>

Co-authored-by: Ubuntu <zegan@zegan-test-hk.0y0yh0pwahvetntlrcfftojvof.hx.internal.cloudapp.net>

Author: Pterosaur

unittest/vslib/Makefile.am

@@ -42,7 +42,7 @@ tests_SOURCES = main.cpp \
 				TestSwitchBCM56850.cpp \
 				TestSwitchBCM81724.cpp
 
-tests_CXXFLAGS = $(DBGFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS_COMMON)
+tests_CXXFLAGS = $(DBGFLAGS) $(AM_CXXFLAGS) $(CXXFLAGS_COMMON) -fno-access-control
 tests_LDADD = $(LDADD_GTEST) $(top_srcdir)/vslib/libSaiVS.a -lhiredis -lswsscommon -lnl-genl-3 -lnl-nf-3 -lnl-route-3 -lnl-3 \
 			  -lpthread -L$(top_srcdir)/meta/.libs -lsaimetadata -lsaimeta -lzmq $(CODE_COVERAGE_LIBS)
 

unittest/vslib/TestMACsecAttr.cpp

@@ -13,3 +13,36 @@ TEST(MACsecAttr, dtr)
 {
     MACsecAttr sec;
 }
+
+TEST(MACsecAttr, get_cipher_name)
+{
+    EXPECT_EQ(MACsecAttr::get_cipher_name(sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_128), MACsecAttr::CIPHER_NAME_GCM_AES_128);
+
+    EXPECT_EQ(MACsecAttr::get_cipher_name(sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_256), MACsecAttr::CIPHER_NAME_GCM_AES_256);
+
+    EXPECT_EQ(MACsecAttr::get_cipher_name(sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_XPN_128), MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128);
+
+    EXPECT_EQ(MACsecAttr::get_cipher_name(sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_XPN_256), MACsecAttr::CIPHER_NAME_GCM_AES_XPN_256);
+
+    EXPECT_EQ(MACsecAttr::get_cipher_name(100), MACsecAttr::CIPHER_NAME_INVALID);
+}
+
+TEST(MACsecAttr, is_xpn)
+{
+    MACsecAttr attr;
+    attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_128;
+
+    EXPECT_FALSE(attr.is_xpn());
+
+    attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_256;
+
+    EXPECT_FALSE(attr.is_xpn());
+
+    attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128;
+
+    EXPECT_TRUE(attr.is_xpn());
+
+    attr.m_cipher = MACsecAttr::CIPHER_NAME_GCM_AES_XPN_256;
+
+    EXPECT_TRUE(attr.is_xpn());
+}

vslib/MACsecAttr.cpp

@@ -1,9 +1,22 @@
 #include "MACsecAttr.h"
 
+#include "saimacsec.h"
 #include "swss/logger.h"
 
 using namespace saivs;
 
+const std::string MACsecAttr::CIPHER_NAME_INVALID = "";
+
+const std::string MACsecAttr::CIPHER_NAME_GCM_AES_128 = "GCM-AES-128";
+
+const std::string MACsecAttr::CIPHER_NAME_GCM_AES_256 = "GCM-AES-256";
+
+const std::string MACsecAttr::CIPHER_NAME_GCM_AES_XPN_128 = "GCM-AES-XPN-128";
+
+const std::string MACsecAttr::CIPHER_NAME_GCM_AES_XPN_256 = "GCM-AES-XPN-256";
+
+const std::string MACsecAttr::DEFAULT_CIPHER_NAME = MACsecAttr::CIPHER_NAME_GCM_AES_128;
+
 MACsecAttr::MACsecAttr()
 {
     SWSS_LOG_ENTER();
@@ -17,3 +30,35 @@ MACsecAttr::~MACsecAttr()
 
     // empty intentionally
 }
+
+const std::string & MACsecAttr::get_cipher_name(std::int32_t cipher_id)
+{
+    SWSS_LOG_ENTER();
+
+    switch(cipher_id)
+    {
+        case sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_128:
+            return CIPHER_NAME_GCM_AES_128;
+
+        case sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_256:
+            return CIPHER_NAME_GCM_AES_256;
+
+        case sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_XPN_128:
+            return CIPHER_NAME_GCM_AES_XPN_128;
+
+        case sai_macsec_cipher_suite_t::SAI_MACSEC_CIPHER_SUITE_GCM_AES_XPN_256:
+            return CIPHER_NAME_GCM_AES_XPN_256;
+
+        default:
+            SWSS_LOG_ERROR("Unkown MACsec cipher %d", cipher_id);
+
+            return CIPHER_NAME_INVALID;
+    }
+}
+
+bool MACsecAttr::is_xpn() const
+{
+    SWSS_LOG_ENTER();
+
+    return m_cipher == CIPHER_NAME_GCM_AES_XPN_128 || m_cipher == CIPHER_NAME_GCM_AES_XPN_256;
+}

vslib/MACsecAttr.h

@@ -10,23 +10,44 @@ namespace saivs
     using macsec_sci_t = std::string;
     using macsec_an_t = std::uint16_t;
     using macsec_pn_t = std::uint64_t;
+    using macsec_ssci_t = std::uint32_t;
 
     struct MACsecAttr
     {
+
+        static const std::string CIPHER_NAME_INVALID;
+
+        static const std::string CIPHER_NAME_GCM_AES_128;
+
+        static const std::string CIPHER_NAME_GCM_AES_256;
+
+        static const std::string CIPHER_NAME_GCM_AES_XPN_128;
+
+        static const std::string CIPHER_NAME_GCM_AES_XPN_256;
+
+        static const std::string DEFAULT_CIPHER_NAME;
+
         // Explicitly declare constructor and destructor as non-inline functions
         // to avoid 'call is unlikely and code size would grow [-Werror=inline]'
         MACsecAttr();
 
         ~MACsecAttr();
 
+        static const std::string &get_cipher_name(std::int32_t cipher_id);
+
+        bool is_xpn() const;
+
+        std::string m_cipher;
         std::string m_vethName;
         std::string m_macsecName;
         std::string m_authKey;
         std::string m_sak;
         std::string m_sci;
+        std::string m_salt;
 
         macsec_an_t m_an;
         macsec_pn_t m_pn;
+        macsec_ssci_t m_ssci;
 
         bool m_sendSci;
         bool m_encryptionEnable;

vslib/MACsecManager.cpp

@@ -11,6 +11,7 @@
 #include <cstring>
 #include <system_error>
 #include <cinttypes>
+#include <string>
 
 using namespace saivs;
 
@@ -360,6 +361,7 @@ bool MACsecManager::create_macsec_egress_sc(
         << " type macsec "
         << " sci " << attr.m_sci
         << " encrypt " << (attr.m_encryptionEnable ? " on " : " off ")
+        << " cipher " << attr.m_cipher
         << " && ip link set dev "
         << shellquote(attr.m_macsecName)
         << " up";
@@ -412,6 +414,10 @@ bool MACsecManager::create_macsec_egress_sa(
         << attr.m_an
         << " pn "
         << attr.m_pn
+        << ( attr.is_xpn() ? " ssci " : "" )
+        << ( attr.is_xpn() ? std::to_string(attr.m_ssci) : "" )
+        << ( attr.is_xpn() ? " salt " : "" )
+        << ( attr.is_xpn() ? attr.m_salt : "" )
         << " on key "
         << attr.m_authKey
         << " "

vslib/SwitchStateBaseMACsec.cpp

@@ -463,6 +463,15 @@ sai_status_t SwitchStateBase::loadMACsecAttrFromMACsecSC(
 
     const sai_attribute_t *attr = nullptr;
 
+    SAI_METADATA_GET_ATTR_BY_ID(attr, SAI_MACSEC_SC_ATTR_MACSEC_CIPHER_SUITE, attrCount, attrList);
+
+    macsecAttr.m_cipher = MACsecAttr::get_cipher_name(attr->value.s32);
+
+    if (macsecAttr.m_cipher == MACsecAttr::CIPHER_NAME_INVALID)
+    {
+        return SAI_STATUS_FAILURE;
+    }
+
     SAI_METADATA_GET_ATTR_BY_ID(attr, SAI_MACSEC_SC_ATTR_MACSEC_DIRECTION, attrCount, attrList);
 
     macsecAttr.m_direction = attr->value.s32;
@@ -541,6 +550,13 @@ sai_status_t SwitchStateBase::loadMACsecAttrFromMACsecSA(
 
     CHECK_STATUS(get(SAI_OBJECT_TYPE_MACSEC_SC, attr->value.oid, static_cast<uint32_t>(attrs.size()), attrs.data()));
 
+    macsecAttr.m_cipher = MACsecAttr::get_cipher_name(attr->value.s32);
+
+    if (macsecAttr.m_cipher == MACsecAttr::CIPHER_NAME_INVALID)
+    {
+        return SAI_STATUS_FAILURE;
+    }
+
     auto flow_id = attrs[0].value.oid;
     auto sci = attrs[1].value.u64;
     std::stringstream sciHexStr;
@@ -612,6 +628,17 @@ sai_status_t SwitchStateBase::loadMACsecAttrFromMACsecSA(
 
     macsecAttr.m_pn = attr->value.u64;
 
+    if (macsecAttr.is_xpn())
+    {
+        SAI_METADATA_GET_ATTR_BY_ID(attr, SAI_MACSEC_SA_ATTR_MACSEC_SSCI, attrCount, attrList);
+
+        macsecAttr.m_ssci = attr->value.u32;
+
+        SAI_METADATA_GET_ATTR_BY_ID(attr, SAI_MACSEC_SA_ATTR_SALT, attrCount, attrList);
+
+        macsecAttr.m_salt = sai_serialize_hex_binary(attr->value.macsecsalt);
+    }
+
     return SAI_STATUS_SUCCESS;
 }