[macsecmgrd] MACsec XPN changes (#1821)
* MACsec XPN changes

* MACsec XPN changes
qbdwlr authored Aug 23, 2021
1 parent 756471a commit 4bf3d61
Showing 4 changed files with 82 additions and 26 deletions.
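--- a/cfgmgr/macsecmgr.cpp
+++ b/cfgmgr/macsecmgr.cpp
@@ -52,6 +52,32 @@ static void lexical_convert(const std::string &policy_str, MACsecMgr::MACsecProf
 }
 }
 
+static void lexical_convert(const std::string &cipher_str, MACsecMgr::MACsecProfile::CipherSuite & cipher_suite)
+{
+SWSS_LOG_ENTER();
+
+if (boost::iequals(cipher_str, "GCM-AES-128"))
+{
+cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_128;
+}
+else if (boost::iequals(cipher_str, "GCM-AES-256"))
+{
+cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_256;
+}
+else if (boost::iequals(cipher_str, "GCM-AES-XPN-128"))
+{
+cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_XPN_128;
+}
+else if (boost::iequals(cipher_str, "GCM-AES-XPN-256"))
+{
+cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_XPN_256;
+}
+else
+{
+throw std::invalid_argument("Invalid cipher_suite : " + cipher_str);
+}
+}
+
 template<class T>
 static bool get_value(
 const MACsecMgr::TaskArgs & ta,
@@ -686,6 +712,20 @@ bool MACsecMgr::configureMACsec(
 "mka_priority",
 profile.priority);
 
+wpa_cli_exec_and_check(
+session.sock,
+port_name,
+network_id,
+"macsec_ciphersuite",
+profile.cipher_suite);
+
+wpa_cli_exec_and_check(
+session.sock,
+port_name,
+network_id,
+"macsec_include_sci",
+(profile.send_sci ? 1 : 0));
+
 wpa_cli_exec_and_check(
 session.sock,
 port_name,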
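Review bot: The number that reaches wpa_cli for `macsec_ciphersuite` is the implicit integer conversion of `profile.cipher_suite`, so the declaration order of `MACsecProfile::CipherSuite` in cfgmgr/macsecmgr.h (the other hunk of this commit) is now the contract with the supplicant, and a later reordering or insertion would silently select a different cipher. Make that explicit at the call site, e.g. `static_cast<int>(profile.cipher_suite)` with a comment such as `// enumerator value == wpa_supplicant macsec_ciphersuite index`, and pin the enumerator values in the header. I am assuming wpa_cli_exec_and_check stringifies its last argument through its integer value; if it has a dedicated overload for the enum, the comment alone suffices. The new lexical_convert overload throws std::invalid_argument for an unknown cipher name, mirroring the policy overload above it; confirm that the dispatcher calling lexical_convert handles that exception, since the call site is outside this hunk. configureMACsec begins and ends outside the second hunk.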
8 changes: 7 additions & 1 deletion cfgmgr/macsecmgr.h
Expand Up @@ -28,7 +28,13 @@ class MACsecMgr : public Orch
struct MACsecProfile
{
std::uint32_t priority;
std::string cipher_suite;
enum CipherSuite
{
GCM_AES_128,
GCM_AES_256,
GCM_AES_XPN_128,
GCM_AES_XPN_256,
} cipher_suite;
std::string primary_cak;
std::string primary_ckn;
std::string fallback_cak;
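Review bot: Replacing `std::string cipher_suite` with an unscoped enum removes the well-defined default the member used to have: a `MACsecProfile` built without a cipher_suite field now carries an indeterminate enumerator that is later handed to wpa_cli as a number. Unless the struct is value-initialised at every construction site (not visible here; `priority` has the same exposure), give the member a default, e.g. `} cipher_suite = GCM_AES_128;`, or whichever suite the product treats as the default. Pinning the enumerators (`GCM_AES_128 = 0, … GCM_AES_XPN_256 = 3`) would also document that their numeric values are consumed outside this header. The struct continues past the hunk.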
6 changes: 4 additions & 2 deletions orchagent/macsecorch.cpp
Expand Up @@ -219,7 +219,7 @@ class MACsecOrchContext

sai_object_id_t *get_port_id()
{
if(m_port_id == nullptr)
if (m_port_id == nullptr)
{
auto port = get_port();
if (port == nullptr)
Expand Down Expand Up @@ -2231,7 +2231,9 @@ bool MACsecOrch::createMACsecACLDataEntry(
if (sci_in_sectag)
{
attr.id = SAI_ACL_ENTRY_ATTR_FIELD_MACSEC_SCI;
attr.value.u64 = sci;
attr.value.aclfield.enable = true;
attr.value.aclfield.mask.u64 = 0xFFFFFFFFFFFFFFFF;
attr.value.aclfield.data.u64 = sci;
attrs.push_back(attr);
}

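Review bot: In createMACsecACLDataEntry the all-ones literal assigned to `attr.value.aclfield.mask.u64` is the only thing saying that the SCI match is exact; `UINT64_MAX` (or `std::numeric_limits<uint64_t>::max()`, depending on what the file already includes) plus a one-line comment, `// exact match on the full 64-bit SCI`, would make the intent greppable and rule out a miscounted hex digit. The first hunk in this file is whitespace only. createMACsecACLDataEntry starts and ends outside the hunk.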
54 changes: 31 additions & 23 deletions tests/test_macsec.py
Expand Up @@ -102,34 +102,34 @@ def gen_sci(macsec_system_identifier: str, macsec_port_identifier: int) -> str:


def gen_sc_key(
seperator: str,
separator: str,
port_name: str,
macsec_system_identifier: str,
macsec_port_identifier: int) -> str:
sci = gen_sci(macsec_system_identifier, macsec_port_identifier)
key = "{}{}{}".format(
port_name,
seperator,
separator,
sci)
return key


def gen_sa_key(
seperator: str,
separator: str,
port_name: str,
macsec_system_identifier: str,
macsec_port_identifier: int,
an: int):
sc_key = gen_sc_key(
seperator,
separator,
port_name,
macsec_system_identifier,
macsec_port_identifier)
key = "{}{}{}".format(sc_key, seperator, an)
key = "{}{}{}".format(sc_key, separator, an)
return key


def macsec_sc(seperator: str = AppDBTable.SEPARATOR):
def macsec_sc(separator: str = AppDBTable.SEPARATOR):
def inner(func: typing.Callable) -> typing.Callable:
@functools.wraps(func)
def wrap_func(
Expand All @@ -140,7 +140,7 @@ def wrap_func(
*args,
**kwargs) -> typing.Any:
key = gen_sc_key(
seperator,
separator,
port_name,
macsec_system_identifier,
macsec_port_identifier)
Expand All @@ -149,7 +149,7 @@ def wrap_func(
return inner


def macsec_sa(seperator: str = AppDBTable.SEPARATOR):
def macsec_sa(separator: str = AppDBTable.SEPARATOR):
def inner(func: typing.Callable) -> typing.Callable:
@functools.wraps(func)
def wrap_func(
Expand All @@ -161,7 +161,7 @@ def wrap_func(
*args,
**kwargs) -> typing.Any:
key = gen_sa_key(
seperator,
separator,
port_name,
macsec_system_identifier,
macsec_port_identifier,
Expand Down Expand Up @@ -216,8 +216,8 @@ def set_macsec_control(self, port_name: str, enable: bool):
self.app_port_table[port_name] = {"enable": True}

@macsec_sc()
def create_receive_sc(self, sci: str, ssci: int):
self.app_receive_sc_table[sci] = {"ssci": ssci}
def create_receive_sc(self, sci: str):
self.app_receive_sc_table[sci] = {"NULL": "NULL"}
self.state_receive_sc_table.wait(sci)

@macsec_sc()
Expand All @@ -226,8 +226,8 @@ def delete_receive_sc(self, sci: str):
self.state_receive_sc_table.wait_delete(sci)

@macsec_sc()
def create_transmit_sc(self, sci: str, ssci: int):
self.app_transmit_sc_table[sci] = {"sci": sci, "encoding_an": 0}
def create_transmit_sc(self, sci: str):
self.app_transmit_sc_table[sci] = {"encoding_an": 0}
self.state_transmit_sc_table.wait(sci)

@macsec_sc()
Expand All @@ -240,6 +240,7 @@ def check_valid_sa_parameter(
sak: str,
auth_key: str,
lowest_acceptable_pn: int,
ssci: int,
salt: str) -> bool:
# Check SAK is hex string
int(sak, 16)
Expand Down Expand Up @@ -268,17 +269,20 @@ def create_receive_sa(
sak: str,
auth_key: str,
lowest_acceptable_pn: int,
ssci: int,
salt: str):
assert(
self.check_valid_sa_parameter(
sak,
auth_key,
lowest_acceptable_pn,
ssci,
salt),
"Wrong parameter to MACsec receive SA")
self.app_receive_sa_table[sai] = {
"active": False, "sak": sak, "auth_key": auth_key,
"lowest_acceptable_pn": lowest_acceptable_pn, "salt": salt}
"lowest_acceptable_pn": lowest_acceptable_pn,
"ssci": ssci, "salt": salt}

@macsec_sa()
def delete_receive_sa(self, sai: str):
Expand All @@ -298,17 +302,19 @@ def create_transmit_sa(
sak: str,
auth_key: str,
init_pn: int,
ssci: int,
salt: str):
assert(
self.check_valid_sa_parameter(
sak,
auth_key,
init_pn,
ssci,
salt),
"Wrong parameter to MACsec receive SA")
self.app_transmit_sa_table[sai] = {
"sak": sak, "auth_key": auth_key,
"next_pn": init_pn, "salt": salt}
"next_pn": init_pn, "ssci": ssci, "salt": salt}

@macsec_sa()
def delete_transmit_sa(self, sai: str):
Expand Down Expand Up @@ -388,8 +394,7 @@ def init_macsec(
wpa: WPASupplicantMock,
port_name: str,
local_mac_address: str,
macsec_port_identifier: int,
ssci: int):
macsec_port_identifier: int):
wpa.init_macsec_port(port_name)
wpa.config_macsec_port(port_name, {"enable_protect": True})
wpa.config_macsec_port(port_name, {"enable_encrypt": True})
Expand All @@ -403,8 +408,7 @@ def init_macsec(
wpa.create_transmit_sc(
port_name,
local_mac_address,
macsec_port_identifier,
ssci)
macsec_port_identifier)

def establish_macsec(
self,
Expand All @@ -422,8 +426,7 @@ def establish_macsec(
wpa.create_receive_sc(
port_name,
peer_mac_address,
macsec_port_identifier,
ssci)
macsec_port_identifier)
wpa.create_receive_sa(
port_name,
peer_mac_address,
Expand All @@ -432,6 +435,7 @@ def establish_macsec(
sak,
auth_key,
packet_number,
ssci,
salt)
wpa.create_transmit_sa(
port_name,
Expand All @@ -441,6 +445,7 @@ def establish_macsec(
sak,
auth_key,
packet_number,
ssci,
salt)
wpa.set_enable_receive_sa(
port_name,
Expand Down Expand Up @@ -468,6 +473,7 @@ def rekey_macsec(
sak: str,
packet_number: int,
auth_key: str,
ssci: int,
salt: str):
wpa.create_receive_sa(
port_name,
Expand All @@ -477,6 +483,7 @@ def rekey_macsec(
sak,
auth_key,
packet_number,
ssci,
salt)
wpa.create_transmit_sa(
port_name,
Expand All @@ -486,6 +493,7 @@ def rekey_macsec(
sak,
auth_key,
packet_number,
ssci,
salt)
wpa.set_enable_receive_sa(
port_name,
Expand Down Expand Up @@ -606,8 +614,7 @@ def test_macsec_term_orch(self, dvs: conftest.DockerVirtualSwitch, testlog):
wpa,
port_name,
local_mac_address,
macsec_port_identifier,
ssci)
macsec_port_identifier)
self.establish_macsec(
wpa,
port_name,
Expand Down Expand Up @@ -654,6 +661,7 @@ def test_macsec_term_orch(self, dvs: conftest.DockerVirtualSwitch, testlog):
sak,
packet_number,
auth_key,
ssci,
salt)
assert(
inspector.get_macsec_sa(
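Review bot: The `assert(` … `, "Wrong parameter to MACsec receive SA")` form in create_receive_sa and create_transmit_sa asserts a two-element tuple, which is always truthy, so the widened `check_valid_sa_parameter(..., ssci, salt)` call can never fail a test; write it as `assert self.check_valid_sa_parameter(sak, auth_key, init_pn, ssci, salt), "Wrong parameter to MACsec transmit SA"` (the transmit variant also currently reuses the "receive" message). The check_valid_sa_parameter hunk adds the `ssci` parameter but the visible lines add no check for it; the SSCI is a 32-bit value under 802.1AEbw, so a range check beside the existing hex checks, e.g. `if not 0 <= ssci < 2**32: return False`, would keep the helper's name accurate — its body continues outside the hunk. The `{"NULL": "NULL"}` placeholder written by create_receive_sc deserves a comment such as `# entry with no fields; NULL/NULL is the placeholder the consumer expects` if that is indeed the convention — confirm against the orchagent side.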