-
Notifications
You must be signed in to change notification settings - Fork 1.6k
[iproute2]: Add macsec-xpn-support iproute2 in syncd #8702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
b9dd790
ae2d37f
a48f58b
4b4e171
bfb322d
1478966
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,11 @@ | ||
# iproute2 package | ||
|
||
IPROUTE2_VERSION = 4.9.0-1 | ||
IPROUTE2_VERSION = 5.10.0 | ||
IPROUTE2_VERSION_FULL = $(IPROUTE2_VERSION)-4~bpo10+1 | ||
|
||
IPROUTE2 = iproute2_$(IPROUTE2_VERSION)_$(CONFIGURED_ARCH).deb | ||
export IPROUTE2_VERSION | ||
export IPROUTE2_VERSION_FULL | ||
|
||
IPROUTE2 = iproute2_$(IPROUTE2_VERSION_FULL)_$(CONFIGURED_ARCH).deb | ||
$(IPROUTE2)_SRC_PATH = $(SRC_PATH)/iproute2 | ||
SONIC_MAKE_DEBS += $(IPROUTE2) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
* | ||
!.gitignore | ||
!Makefile | ||
!patch/* |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,213 @@ | ||
From f1ea3235b5250dfd1193b5033620b030b9789fd9 Mon Sep 17 00:00:00 2001 | ||
From: Ze Gan <[email protected]> | ||
Date: Mon, 30 Aug 2021 06:45:28 +0000 | ||
Subject: [PATCH] MACsec XPN support | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Did you submit this patch to upstream? #Pending There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, I just generated this patch from my private repo, is it a right way? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just a recommendation. If the feature is useful in general, you may collect more feedback there. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure, I will do that, but I think it will take a long cycle to merge my change to the upstream and backport it to the debian. |
||
|
||
Signed-off-by: Ze Gan <[email protected]> | ||
--- | ||
ip/ipmacsec.c | 86 ++++++++++++++++++++++++++++++++++++++++++++------- | ||
1 file changed, 74 insertions(+), 12 deletions(-) | ||
|
||
diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c | ||
index 18289ecd..1df19bf1 100644 | ||
--- a/ip/ipmacsec.c | ||
+++ b/ip/ipmacsec.c | ||
@@ -10,6 +10,7 @@ | ||
*/ | ||
|
||
#include <stdio.h> | ||
+#include <inttypes.h> | ||
#include <stdlib.h> | ||
#include <string.h> | ||
#include <errno.h> | ||
@@ -23,6 +24,8 @@ | ||
#include "ll_map.h" | ||
#include "libgenl.h" | ||
|
||
+#define MACSEC_SALT_LEN 12 | ||
+ | ||
static const char * const values_on_off[] = { "off", "on" }; | ||
|
||
static const char * const validate_str[] = { | ||
@@ -45,11 +48,13 @@ struct sci { | ||
|
||
struct sa_desc { | ||
__u8 an; | ||
- __u32 pn; | ||
+ __u64 pn; | ||
__u8 key_id[MACSEC_KEYID_LEN]; | ||
__u32 key_len; | ||
__u8 key[MACSEC_MAX_KEY_LEN]; | ||
__u8 active; | ||
+ __u32 ssci; | ||
+ __u8 salt[MACSEC_SALT_LEN]; | ||
}; | ||
|
||
struct cipher_args { | ||
@@ -88,7 +93,7 @@ static int genl_family = -1; | ||
static void ipmacsec_usage(void) | ||
{ | ||
fprintf(stderr, | ||
- "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY\n" | ||
+ "Usage: ip macsec add DEV tx sa { 0..3 } [ OPTS ] [ ssci SSCI salt SALT] key ID KEY\n" | ||
" ip macsec set DEV tx sa { 0..3 } [ OPTS ]\n" | ||
" ip macsec del DEV tx sa { 0..3 }\n" | ||
" ip macsec add DEV rx SCI [ on | off ]\n" | ||
@@ -100,10 +105,12 @@ static void ipmacsec_usage(void) | ||
" ip macsec show\n" | ||
" ip macsec show DEV\n" | ||
" ip macsec offload DEV [ off | phy | mac ]\n" | ||
- "where OPTS := [ pn <u32> ] [ on | off ]\n" | ||
+ "where OPTS := [ pn <u64> ] [ on | off ]\n" | ||
" ID := 128-bit hex string\n" | ||
" KEY := 128-bit or 256-bit hex string\n" | ||
- " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n"); | ||
+ " SCI := { sci <u64> | port { 1..2^16-1 } address <lladdr> }\n" | ||
+ " SSCI := <u32>\n" | ||
+ " SALT := 96-bit hex string\n"); | ||
|
||
exit(-1); | ||
} | ||
@@ -198,7 +205,7 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa) | ||
if (sa->pn != 0) | ||
duparg2("pn", "pn"); | ||
NEXT_ARG(); | ||
- ret = get_u32(&sa->pn, *argv, 0); | ||
+ ret = get_u64(&sa->pn, *argv, 0); | ||
if (ret) | ||
invarg("expected pn", *argv); | ||
if (sa->pn == 0) | ||
@@ -224,6 +231,22 @@ static int parse_sa_args(int *argcp, char ***argvp, struct sa_desc *sa) | ||
duparg2("on/off", "off"); | ||
sa->active = false; | ||
active_set = true; | ||
+ } else if (strcmp(*argv, "ssci") == 0) { | ||
+ if (sa->ssci != 0) | ||
+ duparg2("ssci", "ssci"); | ||
+ NEXT_ARG(); | ||
+ ret = get_u32(&sa->ssci, *argv, 0); | ||
+ if (ret) | ||
+ invarg("expected ssci", *argv); | ||
+ if (sa->ssci == 0) | ||
+ invarg("expected ssci != 0", *argv); | ||
+ } else if (strcmp(*argv, "salt") == 0) { | ||
+ unsigned int len; | ||
+ | ||
+ NEXT_ARG(); | ||
+ if (!hexstring_a2n(*argv, sa->salt, MACSEC_SALT_LEN, | ||
+ &len)) | ||
+ invarg("expected salt", *argv); | ||
} else { | ||
fprintf(stderr, "macsec: unknown command \"%s\"?\n", | ||
*argv); | ||
@@ -413,9 +436,15 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, | ||
addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an); | ||
|
||
if (c != CMD_DEL) { | ||
- if (sa->pn) | ||
- addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, | ||
- sa->pn); | ||
+ if (sa->pn) { | ||
+ if (sa->ssci == 0) { | ||
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, | ||
+ sa->pn); | ||
+ } else { | ||
+ addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN, | ||
+ sa->pn); | ||
+ } | ||
+ } | ||
|
||
if (sa->key_len) { | ||
addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_KEYID, | ||
@@ -428,6 +457,13 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex, | ||
addattr8(&req.n, MACSEC_BUFLEN, | ||
MACSEC_SA_ATTR_ACTIVE, sa->active); | ||
} | ||
+ | ||
+ if (sa->ssci != 0) { | ||
+ addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI, | ||
+ sa->ssci); | ||
+ addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT, | ||
+ sa->salt, MACSEC_SALT_LEN); | ||
+ } | ||
} | ||
|
||
addattr_nest_end(&req.n, attr_sa); | ||
@@ -456,6 +492,11 @@ static bool check_sa_args(enum cmd c, struct sa_desc *sa) | ||
fprintf(stderr, "cannot change key on SA\n"); | ||
return -1; | ||
} | ||
+ | ||
+ if (sa->ssci) { | ||
+ fprintf(stderr, "cannot change SSCI on SA\n"); | ||
+ return -1; | ||
+ } | ||
} | ||
|
||
return 0; | ||
@@ -637,6 +678,8 @@ static void print_key(struct rtattr *key) | ||
|
||
#define CIPHER_NAME_GCM_AES_128 "GCM-AES-128" | ||
#define CIPHER_NAME_GCM_AES_256 "GCM-AES-256" | ||
+#define CIPHER_NAME_GCM_AES_XPN_128 "GCM-AES-XPN-128" | ||
+#define CIPHER_NAME_GCM_AES_XPN_256 "GCM-AES-XPN-256" | ||
#define DEFAULT_CIPHER_NAME CIPHER_NAME_GCM_AES_128 | ||
|
||
static const char *cs_id_to_name(__u64 cid) | ||
@@ -649,6 +692,10 @@ static const char *cs_id_to_name(__u64 cid) | ||
return CIPHER_NAME_GCM_AES_128; | ||
case MACSEC_CIPHER_ID_GCM_AES_256: | ||
return CIPHER_NAME_GCM_AES_256; | ||
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_128: | ||
+ return CIPHER_NAME_GCM_AES_XPN_128; | ||
+ case MACSEC_CIPHER_ID_GCM_AES_XPN_256: | ||
+ return CIPHER_NAME_GCM_AES_XPN_256; | ||
default: | ||
return "(unknown)"; | ||
} | ||
@@ -897,13 +944,22 @@ static void print_tx_sc(const char *prefix, __u64 sci, __u8 encoding_sa, | ||
print_string(PRINT_FP, NULL, "%s", prefix); | ||
print_uint(PRINT_ANY, "an", "%d:", | ||
rta_getattr_u8(sa_attr[MACSEC_SA_ATTR_AN])); | ||
- print_uint(PRINT_ANY, "pn", " PN %u,", | ||
- rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); | ||
+ if (!sa_attr[MACSEC_SA_ATTR_SSCI]) { | ||
+ print_uint(PRINT_ANY, "pn", " PN %u,", | ||
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_PN])); | ||
+ } else { | ||
+ print_uint(PRINT_ANY, "pn", " PN %" PRIu64 ",", | ||
+ rta_getattr_u64(sa_attr[MACSEC_SA_ATTR_PN])); | ||
+ } | ||
|
||
print_bool(PRINT_JSON, "active", NULL, state); | ||
print_string(PRINT_FP, NULL, | ||
" state %s,", state ? "on" : "off"); | ||
print_key(sa_attr[MACSEC_SA_ATTR_KEYID]); | ||
+ if (sa_attr[MACSEC_SA_ATTR_SSCI]) { | ||
+ print_uint(PRINT_ANY, "ssci", " SSCI %u,", | ||
+ rta_getattr_u32(sa_attr[MACSEC_SA_ATTR_SSCI])); | ||
+ } | ||
|
||
print_txsa_stats(prefix, sa_attr[MACSEC_SA_ATTR_STATS]); | ||
close_json_object(); | ||
@@ -1322,9 +1378,15 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv, | ||
else if (strcmp(*argv, "gcm-aes-256") == 0 || | ||
strcmp(*argv, "GCM-AES-256") == 0) | ||
cipher.id = MACSEC_CIPHER_ID_GCM_AES_256; | ||
+ else if (strcmp(*argv, "gcm-aes-xpn-128") == 0 || | ||
+ strcmp(*argv, "GCM-AES-XPN-128") == 0) | ||
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_128; | ||
+ else if (strcmp(*argv, "gcm-aes-xpn-256") == 0 || | ||
+ strcmp(*argv, "GCM-AES-XPN-256") == 0) | ||
+ cipher.id = MACSEC_CIPHER_ID_GCM_AES_XPN_256; | ||
else | ||
- invarg("expected: default, gcm-aes-128 or" | ||
- " gcm-aes-256", *argv); | ||
+ invarg("expected: default, gcm-aes-128" | ||
+ " gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256", *argv); | ||
} else if (strcmp(*argv, "icvlen") == 0) { | ||
NEXT_ARG(); | ||
if (cipher.icv_len) | ||
-- | ||
2.17.1 | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@xumia, for reproducible build, do we still need to manually backup the downloaded files to sonicstorage?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not necessary, it will upload the package automatically.