fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-05 09:10:17 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
NetworkManager/src/devices/nm-device-macsec.c
Beniamino Galvani 4a6fd0e83e device: honor the connection.autoconnect-retries for 802.1X 
NMDeviceEthernet and NMDeviceMacsec implement their own retry policy
for connection using 802.1X, and consider the credentials wrong when
the authentication fails for 3 times. In such case, they also disable
autoconnection for the device by setting the state reason NO_SECRETS.

This means that it's not possible at the moment to choose how many
times the authentication will be retried since they don't use the
standard reconnection logic.

Change NMDeviceEthernet and NMDeviceMacsec to use the number of
retries from connection.autoconnect-retries instead of a hardcoded
value to decide how many times the authentication must be restarted.
2017-02-21 09:18:53 +01:00

990 lines
32 KiB
C
Raw Blame History

/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager -- Network link manager
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Copyright 2017 Red Hat, Inc.
*/
#include "nm-default.h"
#include "nm-device-macsec.h"
#include "nm-act-request.h"
#include "nm-device-private.h"
#include "platform/nm-platform.h"
#include "nm-device-factory.h"
#include "nm-manager.h"
#include "nm-setting-macsec.h"
#include "nm-core-internal.h"
#include "supplicant/nm-supplicant-manager.h"
#include "supplicant/nm-supplicant-interface.h"
#include "supplicant/nm-supplicant-config.h"
#include "introspection/org.freedesktop.NetworkManager.Device.Macsec.h"
#include "nm-device-logging.h"
_LOG_DECLARE_SELF(NMDeviceMacsec);
/*****************************************************************************/
typedef struct Supplicant {
NMSupplicantManager *mgr;
NMSupplicantInterface *iface;
/* signal handler ids */
gulong iface_state_id;
/* Timeouts and idles */
guint con_timeout_id;
} Supplicant;
NM_GOBJECT_PROPERTIES_DEFINE (NMDeviceMacsec,
PROP_SCI,
PROP_CIPHER_SUITE,
PROP_ICV_LENGTH,
PROP_WINDOW,
PROP_ENCODING_SA,
PROP_ENCRYPT,
PROP_PROTECT,
PROP_INCLUDE_SCI,
PROP_ES,
PROP_SCB,
PROP_REPLAY_PROTECT,
PROP_VALIDATION,
);
typedef struct {
NMPlatformLnkMacsec props;
gulong parent_state_id;
Supplicant supplicant;
guint supplicant_timeout_id;
NMActRequestGetSecretsCallId macsec_secrets_id;
} NMDeviceMacsecPrivate;
struct _NMDeviceMacsec {
NMDevice parent;
NMDeviceMacsecPrivate _priv;
};
struct _NMDeviceMacsecClass {
NMDeviceClass parent;
};
G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE)
#define NM_DEVICE_MACSEC_GET_PRIVATE(self) _NM_GET_PRIVATE (self, NMDeviceMacsec, NM_IS_DEVICE_MACSEC)
/******************************************************************/
static void macsec_secrets_cancel (NMDeviceMacsec *self);
/******************************************************************/
NM_UTILS_LOOKUP_STR_DEFINE_STATIC (validation_mode_to_string, guint8,
NM_UTILS_LOOKUP_DEFAULT_WARN ("<unknown>"),
NM_UTILS_LOOKUP_STR_ITEM (0, "disable"),
NM_UTILS_LOOKUP_STR_ITEM (1, "check"),
NM_UTILS_LOOKUP_STR_ITEM (2, "strict"),
);
static void
parent_state_changed (NMDevice *parent,
NMDeviceState new_state,
NMDeviceState old_state,
NMDeviceStateReason reason,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
/* We'll react to our own carrier state notifications. Ignore the parent's. */
if (reason == NM_DEVICE_STATE_REASON_CARRIER)
return;
nm_device_set_unmanaged_by_flags (NM_DEVICE (self), NM_UNMANAGED_PARENT, !nm_device_get_managed (parent, FALSE), reason);
}
static void
parent_changed_notify (NMDevice *device,
int old_ifindex,
NMDevice *old_parent,
int new_ifindex,
NMDevice *new_parent)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NM_DEVICE_CLASS (nm_device_macsec_parent_class)->parent_changed_notify (device,
old_ifindex,
old_parent,
new_ifindex,
new_parent);
/* note that @self doesn't have to clear @parent_state_id on dispose,
* because NMDevice's dispose() will unset the parent, which in turn calls
* parent_changed_notify(). */
nm_clear_g_signal_handler (old_parent, &priv->parent_state_id);
if (new_parent) {
priv->parent_state_id = g_signal_connect (new_parent,
NM_DEVICE_STATE_CHANGED,
G_CALLBACK (parent_state_changed),
device);
/* Set parent-dependent unmanaged flag */
nm_device_set_unmanaged_by_flags (device,
NM_UNMANAGED_PARENT,
!nm_device_get_managed (new_parent, FALSE),
NM_DEVICE_STATE_REASON_PARENT_MANAGED_CHANGED);
}
/* Recheck availability now that the parent has changed */
if (new_ifindex > 0) {
nm_device_queue_recheck_available (device,
NM_DEVICE_STATE_REASON_PARENT_CHANGED,
NM_DEVICE_STATE_REASON_PARENT_CHANGED);
}
}
static void
update_properties (NMDevice *device)
{
NMDeviceMacsec *self;
NMDeviceMacsecPrivate *priv;
const NMPlatformLink *plink = NULL;
const NMPlatformLnkMacsec *props = NULL;
int ifindex;
g_return_if_fail (NM_IS_DEVICE_MACSEC (device));
self = NM_DEVICE_MACSEC (device);
priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
ifindex = nm_device_get_ifindex (device);
g_return_if_fail (ifindex > 0);
props = nm_platform_link_get_lnk_macsec (NM_PLATFORM_GET, ifindex, &plink);
if (!props) {
_LOGW (LOGD_PLATFORM, "could not get macsec properties");
return;
}
g_object_freeze_notify ((GObject *) device);
if (priv->props.parent_ifindex != props->parent_ifindex)
nm_device_parent_set_ifindex (device, props->parent_ifindex);
#define CHECK_PROPERTY_CHANGED(field, prop) \
if (props->field != priv->props.field) \
_notify (self, prop)
CHECK_PROPERTY_CHANGED (sci, PROP_SCI);
CHECK_PROPERTY_CHANGED (cipher_suite, PROP_CIPHER_SUITE);
CHECK_PROPERTY_CHANGED (window, PROP_WINDOW);
CHECK_PROPERTY_CHANGED (icv_length, PROP_ICV_LENGTH);
CHECK_PROPERTY_CHANGED (encoding_sa, PROP_ENCODING_SA);
CHECK_PROPERTY_CHANGED (validation, PROP_VALIDATION);
CHECK_PROPERTY_CHANGED (encrypt, PROP_ENCRYPT);
CHECK_PROPERTY_CHANGED (protect, PROP_PROTECT);
CHECK_PROPERTY_CHANGED (include_sci, PROP_INCLUDE_SCI);
CHECK_PROPERTY_CHANGED (es, PROP_ES);
CHECK_PROPERTY_CHANGED (scb, PROP_SCB);
CHECK_PROPERTY_CHANGED (replay_protect, PROP_REPLAY_PROTECT);
priv->props = *props;
g_object_thaw_notify ((GObject *) device);
}
static NMSupplicantConfig *
build_supplicant_config (NMDeviceMacsec *self, GError **error)
{
NMSupplicantConfig *config = NULL;
NMSettingMacsec *s_macsec;
NMSetting8021x *s_8021x;
NMConnection *connection;
const char *con_uuid;
guint32 mtu;
connection = nm_device_get_applied_connection (NM_DEVICE (self));
g_assert (connection);
con_uuid = nm_connection_get_uuid (connection);
mtu = nm_platform_link_get_mtu (NM_PLATFORM_GET,
nm_device_get_ifindex (NM_DEVICE (self)));
config = nm_supplicant_config_new ();
s_macsec = (NMSettingMacsec *)
nm_device_get_applied_setting (NM_DEVICE (self), NM_TYPE_SETTING_MACSEC);
if (!nm_supplicant_config_add_setting_macsec (config, s_macsec, error)) {
g_prefix_error (error, "macsec-setting: ");
g_object_unref (config);
return NULL;
}
if (nm_setting_macsec_get_mode (s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
s_8021x = nm_connection_get_setting_802_1x (connection);
if (!nm_supplicant_config_add_setting_8021x (config, s_8021x, con_uuid, mtu, TRUE, error)) {
g_prefix_error (error, "802-1x-setting: ");
g_clear_object (&config);
}
}
return config;
}
static void
supplicant_interface_release (NMDeviceMacsec *self)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
nm_clear_g_source (&priv->supplicant_timeout_id);
nm_clear_g_source (&priv->supplicant.con_timeout_id);
nm_clear_g_signal_handler (priv->supplicant.iface, &priv->supplicant.iface_state_id);
if (priv->supplicant.iface) {
nm_supplicant_interface_disconnect (priv->supplicant.iface);
g_clear_object (&priv->supplicant.iface);
}
}
static void
supplicant_iface_assoc_cb (NMSupplicantInterface *iface,
GError *error,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
if (error && !nm_utils_error_is_cancelled (error, TRUE)) {
supplicant_interface_release (self);
nm_device_queue_state (NM_DEVICE (self),
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED);
}
}
static void
macsec_secrets_cb (NMActRequest *req,
NMActRequestGetSecretsCallId call_id,
NMSettingsConnection *connection,
GError *error,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDevice *device = NM_DEVICE (self);
NMDeviceMacsecPrivate *priv;
g_return_if_fail (NM_IS_DEVICE_MACSEC (self));
g_return_if_fail (NM_IS_ACT_REQUEST (req));
priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
g_return_if_fail (priv->macsec_secrets_id == call_id);
priv->macsec_secrets_id = NULL;
if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
return;
g_return_if_fail (req == nm_device_get_act_request (device));
g_return_if_fail (nm_device_get_state (device) == NM_DEVICE_STATE_NEED_AUTH);
g_return_if_fail (nm_act_request_get_settings_connection (req) == connection);
if (error) {
_LOGW (LOGD_ETHER, "%s", error->message);
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_NO_SECRETS);
} else
nm_device_activate_schedule_stage1_device_prepare (device);
}
static void
macsec_secrets_cancel (NMDeviceMacsec *self)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
if (priv->macsec_secrets_id)
nm_act_request_cancel_secrets (NULL, priv->macsec_secrets_id);
nm_assert (!priv->macsec_secrets_id);
}
static void
macsec_secrets_get_secrets (NMDeviceMacsec *self,
const char *setting_name,
NMSecretAgentGetSecretsFlags flags)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMActRequest *req;
macsec_secrets_cancel (self);
req = nm_device_get_act_request (NM_DEVICE (self));
g_return_if_fail (NM_IS_ACT_REQUEST (req));
priv->macsec_secrets_id = nm_act_request_get_secrets (req,
TRUE,
setting_name,
flags,
NULL,
macsec_secrets_cb,
self);
g_return_if_fail (priv->macsec_secrets_id);
}
static gboolean
link_timeout_cb (gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *dev = NM_DEVICE (self);
NMActRequest *req;
NMConnection *applied_connection;
const char *setting_name;
priv->supplicant_timeout_id = 0;
req = nm_device_get_act_request (dev);
if (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED) {
nm_device_state_changed (dev,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_TIMEOUT);
return FALSE;
}
/* Disconnect event during initial authentication and credentials
* ARE checked - we are likely to have wrong key. Ask the user for
* another one.
*/
if (nm_device_get_state (dev) != NM_DEVICE_STATE_CONFIG)
goto time_out;
nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req));
applied_connection = nm_act_request_get_applied_connection (req);
setting_name = nm_connection_need_secrets (applied_connection, NULL);
if (!setting_name)
goto time_out;
_LOGI (LOGD_DEVICE | LOGD_ETHER,
"Activation: disconnected during authentication, asking for new key.");
supplicant_interface_release (self);
nm_device_state_changed (dev, NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
macsec_secrets_get_secrets (self, setting_name, NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
return FALSE;
time_out:
_LOGW (LOGD_DEVICE | LOGD_ETHER, "link timed out.");
nm_device_state_changed (dev, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
return FALSE;
}
static void
supplicant_iface_state_cb (NMSupplicantInterface *iface,
int new_state_i,
int old_state_i,
int disconnect_reason,
gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *device = NM_DEVICE (self);
NMSupplicantConfig *config;
NMDeviceState devstate;
GError *error = NULL;
NMSupplicantInterfaceState new_state = new_state_i;
NMSupplicantInterfaceState old_state = old_state_i;
if (new_state == old_state)
return;
_LOGI (LOGD_DEVICE, "supplicant interface state: %s -> %s",
nm_supplicant_interface_state_to_string (old_state),
nm_supplicant_interface_state_to_string (new_state));
devstate = nm_device_get_state (device);
switch (new_state) {
case NM_SUPPLICANT_INTERFACE_STATE_READY:
config = build_supplicant_config (self, &error);
if (config) {
nm_supplicant_interface_assoc (priv->supplicant.iface, config,
supplicant_iface_assoc_cb, self);
g_object_unref (config);
} else {
_LOGE (LOGD_DEVICE,
"Activation: couldn't build security configuration: %s",
error->message);
g_clear_error (&error);
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_CONFIG_FAILED);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_COMPLETED:
nm_clear_g_source (&priv->supplicant_timeout_id);
nm_clear_g_source (&priv->supplicant.con_timeout_id);
nm_device_bring_up (device, TRUE, NULL);
/* If this is the initial association during device activation,
* schedule the next activation stage.
*/
if (devstate == NM_DEVICE_STATE_CONFIG) {
_LOGI (LOGD_DEVICE,
"Activation: Stage 2 of 5 (Device Configure) successful.");
nm_device_activate_schedule_stage3_ip_config_start (device);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED:
if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) {
/* Start the link timeout so we allow some time for reauthentication */
if (!priv->supplicant_timeout_id)
priv->supplicant_timeout_id = g_timeout_add_seconds (15, link_timeout_cb, device);
}
break;
case NM_SUPPLICANT_INTERFACE_STATE_DOWN:
supplicant_interface_release (self);
if ((devstate == NM_DEVICE_STATE_ACTIVATED) || nm_device_is_activating (device)) {
nm_device_state_changed (device,
NM_DEVICE_STATE_FAILED,
NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
}
break;
default:
;
}
}
static NMActStageReturn
handle_auth_or_fail (NMDeviceMacsec *self,
NMActRequest *req,
gboolean new_secrets)
{
const char *setting_name;
int tries_left;
NMConnection *applied_connection;
NMSettingsConnection *settings_connection;
applied_connection = nm_act_request_get_applied_connection (req);
settings_connection = nm_act_request_get_settings_connection (req);
tries_left = nm_settings_connection_get_autoconnect_retries (settings_connection);
if (tries_left == 0)
return NM_ACT_STAGE_RETURN_FAILURE;
if (tries_left > 0)
nm_settings_connection_set_autoconnect_retries (settings_connection, tries_left - 1);
nm_device_state_changed (NM_DEVICE (self), NM_DEVICE_STATE_NEED_AUTH, NM_DEVICE_STATE_REASON_NONE);
nm_active_connection_clear_secrets (NM_ACTIVE_CONNECTION (req));
setting_name = nm_connection_need_secrets (applied_connection, NULL);
if (setting_name) {
macsec_secrets_get_secrets (self, setting_name,
NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
| (new_secrets ? NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW : 0));
} else
_LOGI (LOGD_DEVICE, "Cleared secrets, but setting didn't need any secrets.");
return NM_ACT_STAGE_RETURN_POSTPONE;
}
static gboolean
supplicant_connection_timeout_cb (gpointer user_data)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *device = NM_DEVICE (self);
NMActRequest *req;
NMSettingsConnection *connection;
guint64 timestamp = 0;
gboolean new_secrets = TRUE;
priv->supplicant.con_timeout_id = 0;
/* Authentication failed; either driver problems, the encryption key is
* wrong, the passwords or certificates were wrong or the Ethernet switch's
* port is not configured for 802.1x. */
_LOGW (LOGD_DEVICE,
"Activation: (macsec) association took too long.");
supplicant_interface_release (self);
req = nm_device_get_act_request (device);
g_assert (req);
connection = nm_act_request_get_settings_connection (req);
g_assert (connection);
/* Ask for new secrets only if we've never activated this connection
* before. If we've connected before, don't bother the user with dialogs,
* just retry or fail, and if we never connect the user can fix the
* password somewhere else. */
if (nm_settings_connection_get_timestamp (connection, &timestamp))
new_secrets = !timestamp;
if (handle_auth_or_fail (self, req, new_secrets) == NM_ACT_STAGE_RETURN_POSTPONE)
_LOGW (LOGD_DEVICE, "Activation: (macsec) asking for new secrets");
else
nm_device_state_changed (device, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_NO_SECRETS);
return FALSE;
}
static gboolean
supplicant_interface_init (NMDeviceMacsec *self)
{
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMDevice *parent;
guint timeout;
parent = nm_device_parent_get_device (NM_DEVICE (self));
g_return_val_if_fail (parent, FALSE);
supplicant_interface_release (self);
priv->supplicant.iface = nm_supplicant_manager_create_interface (priv->supplicant.mgr,
nm_device_get_iface (parent),
NM_SUPPLICANT_DRIVER_MACSEC);
if (!priv->supplicant.iface) {
_LOGE (LOGD_DEVICE,
"Couldn't initialize supplicant interface");
return FALSE;
}
/* Listen for its state signals */
priv->supplicant.iface_state_id = g_signal_connect (priv->supplicant.iface,
NM_SUPPLICANT_INTERFACE_STATE,
G_CALLBACK (supplicant_iface_state_cb),
self);
/* Set up a timeout on the connection attempt */
timeout = nm_device_get_supplicant_timeout (NM_DEVICE (self));
priv->supplicant.con_timeout_id = g_timeout_add_seconds (timeout,
supplicant_connection_timeout_cb,
self);
return TRUE;
}
static NMActStageReturn
act_stage2_config (NMDevice *device, NMDeviceStateReason *reason)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
NMConnection *connection;
NMActStageReturn ret = NM_ACT_STAGE_RETURN_FAILURE;
const char *setting_name;
connection = nm_device_get_applied_connection (NM_DEVICE (self));
g_assert (connection);
if (!priv->supplicant.mgr)
priv->supplicant.mgr = g_object_ref (nm_supplicant_manager_get ());
/* If we need secrets, get them */
setting_name = nm_connection_need_secrets (connection, NULL);
if (setting_name) {
NMActRequest *req = nm_device_get_act_request (NM_DEVICE (self));
_LOGI (LOGD_DEVICE,
"Activation: connection '%s' has security, but secrets are required.",
nm_connection_get_id (connection));
ret = handle_auth_or_fail (self, req, FALSE);
if (ret != NM_ACT_STAGE_RETURN_POSTPONE)
*reason = NM_DEVICE_STATE_REASON_NO_SECRETS;
} else {
_LOGI (LOGD_DEVICE | LOGD_ETHER,
"Activation: connection '%s' requires no security. No secrets needed.",
nm_connection_get_id (connection));
if (supplicant_interface_init (self))
ret = NM_ACT_STAGE_RETURN_POSTPONE;
else
*reason = NM_DEVICE_STATE_REASON_CONFIG_FAILED;
}
return ret;
}
static void
deactivate (NMDevice *device)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
supplicant_interface_release (self);
}
static gboolean
check_connection_compatible (NMDevice *device, NMConnection *connection)
{
NMSettingMacsec *s_macsec;
if (!NM_DEVICE_CLASS (nm_device_macsec_parent_class)->check_connection_compatible (device, connection))
return FALSE;
s_macsec = nm_connection_get_setting_macsec (connection);
if (!s_macsec)
return FALSE;
return TRUE;
}
/******************************************************************/
static NMDeviceCapabilities
get_generic_capabilities (NMDevice *dev)
{
/* We assume MACsec interfaces always support carrier detect */
return NM_DEVICE_CAP_CARRIER_DETECT | NM_DEVICE_CAP_IS_SOFTWARE;
}
/******************************************************************/
static gboolean
is_available (NMDevice *device, NMDeviceCheckDevAvailableFlags flags)
{
if (!nm_device_parent_get_device (device))
return FALSE;
return NM_DEVICE_CLASS (nm_device_macsec_parent_class)->is_available (device, flags);
}
static gboolean
create_and_realize (NMDevice *device,
NMConnection *connection,
NMDevice *parent,
const NMPlatformLink **out_plink,
GError **error)
{
const char *iface = nm_device_get_iface (device);
NMPlatformError plerr;
NMSettingMacsec *s_macsec;
NMPlatformLnkMacsec lnk = { };
int parent_ifindex;
const char *hw_addr;
union {
struct {
guint8 mac[6];
guint16 port;
} s;
guint64 u;
} sci;
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
if (!parent) {
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_FAILED,
"MACsec devices can not be created without a parent interface");
return FALSE;
}
lnk.encrypt = nm_setting_macsec_get_encrypt (s_macsec);
hw_addr = nm_device_get_hw_address (parent);
if (!hw_addr) {
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_FAILED,
"can't read parent MAC");
return FALSE;
}
nm_utils_hwaddr_aton (hw_addr, sci.s.mac, ETH_ALEN);
sci.s.port = htons (nm_setting_macsec_get_port (s_macsec));
lnk.sci = be64toh (sci.u);
lnk.validation = nm_setting_macsec_get_validation (s_macsec);
parent_ifindex = nm_device_get_ifindex (parent);
g_warn_if_fail (parent_ifindex > 0);
plerr = nm_platform_link_macsec_add (NM_PLATFORM_GET, iface, parent_ifindex, &lnk, out_plink);
if (plerr != NM_PLATFORM_ERROR_SUCCESS) {
g_set_error (error, NM_DEVICE_ERROR, NM_DEVICE_ERROR_CREATION_FAILED,
"Failed to create macsec interface '%s' for '%s': %s",
iface,
nm_connection_get_id (connection),
nm_platform_error_to_string (plerr));
return FALSE;
}
nm_device_parent_set_ifindex (device, parent_ifindex);
return TRUE;
}
static void
link_changed (NMDevice *device,
const NMPlatformLink *pllink)
{
NM_DEVICE_CLASS (nm_device_macsec_parent_class)->link_changed (device, pllink);
update_properties (device);
}
static void
reset_autoconnect_retries (NMDevice *device)
{
NMActRequest *req;
NMSettingsConnection *connection;
req = nm_device_get_act_request (device);
if (req) {
connection = nm_act_request_get_settings_connection (req);
g_return_if_fail (connection);
/* Reset autoconnect retries on success, failure, or when deactivating */
nm_settings_connection_reset_autoconnect_retries (connection);
}
}
static void
device_state_changed (NMDevice *device,
NMDeviceState new_state,
NMDeviceState old_state,
NMDeviceStateReason reason)
{
if (new_state > NM_DEVICE_STATE_ACTIVATED)
macsec_secrets_cancel (NM_DEVICE_MACSEC (device));
if ( new_state == NM_DEVICE_STATE_ACTIVATED
|| new_state == NM_DEVICE_STATE_FAILED
|| new_state == NM_DEVICE_STATE_DISCONNECTED)
reset_autoconnect_retries (device);
}
/******************************************************************/
static void
get_property (GObject *object, guint prop_id,
GValue *value, GParamSpec *pspec)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (object);
NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
switch (prop_id) {
case PROP_SCI:
g_value_set_uint64 (value, priv->props.sci);
break;
case PROP_CIPHER_SUITE:
g_value_set_uint64 (value, priv->props.cipher_suite);
break;
case PROP_ICV_LENGTH:
g_value_set_uchar (value, priv->props.icv_length);
break;
case PROP_WINDOW:
g_value_set_uint (value, priv->props.window);
break;
case PROP_ENCODING_SA:
g_value_set_uchar (value, priv->props.encoding_sa);
break;
case PROP_ENCRYPT:
g_value_set_boolean (value, priv->props.encrypt);
break;
case PROP_PROTECT:
g_value_set_boolean (value, priv->props.protect);
break;
case PROP_INCLUDE_SCI:
g_value_set_boolean (value, priv->props.include_sci);
break;
case PROP_ES:
g_value_set_boolean (value, priv->props.es);
break;
case PROP_SCB:
g_value_set_boolean (value, priv->props.scb);
break;
case PROP_REPLAY_PROTECT:
g_value_set_boolean (value, priv->props.replay_protect);
break;
case PROP_VALIDATION:
g_value_set_string (value,
validation_mode_to_string (priv->props.validation));
break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
break;
}
}
static void
nm_device_macsec_init (NMDeviceMacsec * self)
{
}
static void
dispose (GObject *object)
{
NMDeviceMacsec *self = NM_DEVICE_MACSEC (object);
macsec_secrets_cancel (self);
supplicant_interface_release (self);
G_OBJECT_CLASS (nm_device_macsec_parent_class)->dispose (object);
}
static void
nm_device_macsec_class_init (NMDeviceMacsecClass *klass)
{
GObjectClass *object_class = G_OBJECT_CLASS (klass);
NMDeviceClass *parent_class = NM_DEVICE_CLASS (klass);
NM_DEVICE_CLASS_DECLARE_TYPES (klass, NULL, NM_LINK_TYPE_MACSEC)
object_class->get_property = get_property;
object_class->dispose = dispose;
parent_class->act_stage2_config = act_stage2_config;
parent_class->check_connection_compatible = check_connection_compatible;
parent_class->create_and_realize = create_and_realize;
parent_class->deactivate = deactivate;
parent_class->get_generic_capabilities = get_generic_capabilities;
parent_class->link_changed = link_changed;
parent_class->is_available = is_available;
parent_class->parent_changed_notify = parent_changed_notify;
parent_class->state_changed = device_state_changed;
parent_class->get_configured_mtu = nm_device_get_configured_mtu_for_wired;
parent_class->connection_type = NM_SETTING_MACSEC_SETTING_NAME;
obj_properties[PROP_SCI] =
g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "",
0, G_MAXUINT64, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_CIPHER_SUITE] =
g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "",
0, G_MAXUINT64, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ICV_LENGTH] =
g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "",
0, G_MAXUINT8, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_WINDOW] =
g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "",
0, G_MAXUINT32, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ENCODING_SA] =
g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "",
0, 3, 0,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_VALIDATION] =
g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "",
NULL,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ENCRYPT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_PROTECT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_INCLUDE_SCI] =
g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_ES] =
g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_SCB] =
g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
obj_properties[PROP_REPLAY_PROTECT] =
g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "",
FALSE,
G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
nm_exported_object_class_add_interface (NM_EXPORTED_OBJECT_CLASS (klass),
NMDBUS_TYPE_DEVICE_MACSEC_SKELETON,
NULL);
}
/*************************************************************/
#define NM_TYPE_MACSEC_DEVICE_FACTORY (nm_macsec_device_factory_get_type ())
#define NM_MACSEC_DEVICE_FACTORY(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_MACSEC_DEVICE_FACTORY, NMMacsecDeviceFactory))
static NMDevice *
create_device (NMDeviceFactory *factory,
const char *iface,
const NMPlatformLink *plink,
NMConnection *connection,
gboolean *out_ignore)
{
return (NMDevice *) g_object_new (NM_TYPE_DEVICE_MACSEC,
NM_DEVICE_IFACE, iface,
NM_DEVICE_TYPE_DESC, "Macsec",
NM_DEVICE_DEVICE_TYPE, NM_DEVICE_TYPE_MACSEC,
NM_DEVICE_LINK_TYPE, NM_LINK_TYPE_MACSEC,
NULL);
}
static const char *
get_connection_parent (NMDeviceFactory *factory, NMConnection *connection)
{
NMSettingMacsec *s_macsec;
NMSettingWired *s_wired;
const char *parent = NULL;
g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL);
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
parent = nm_setting_macsec_get_parent (s_macsec);
if (parent)
return parent;
/* Try the hardware address from the MACsec connection's hardware setting */
s_wired = nm_connection_get_setting_wired (connection);
if (s_wired)
return nm_setting_wired_get_mac_address (s_wired);
return NULL;
}
static char *
get_connection_iface (NMDeviceFactory *factory,
NMConnection *connection,
const char *parent_iface)
{
NMSettingMacsec *s_macsec;
const char *ifname;
g_return_val_if_fail (nm_connection_is_type (connection, NM_SETTING_MACSEC_SETTING_NAME), NULL);
s_macsec = nm_connection_get_setting_macsec (connection);
g_assert (s_macsec);
if (!parent_iface)
return NULL;
ifname = nm_connection_get_interface_name (connection);
return g_strdup (ifname);
}
NM_DEVICE_FACTORY_DEFINE_INTERNAL (MACSEC, Macsec, macsec,
NM_DEVICE_FACTORY_DECLARE_LINK_TYPES (NM_LINK_TYPE_MACSEC)
NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES (NM_SETTING_MACSEC_SETTING_NAME),
factory_class->create_device = create_device;
factory_class->get_connection_parent = get_connection_parent;
factory_class->get_connection_iface = get_connection_iface;
)
Reference in a new issue View git blame Copy permalink