lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 11 Sep 2022 10:35:17 +0200
From:   Sabrina Dubroca <sd@...asysnail.net>
To:     Emeel Hakim <ehakim@...dia.com>
Cc:     dsahern@...nel.org, netdev@...r.kernel.org, raeds@...dia.com,
        tariqt@...dia.com
Subject: Re: [PATCH main v4 1/2] macsec: add Extended Packet Number support

2022-09-08, 13:53:37 +0300, Emeel Hakim wrote:
> This patch adds support for extended packet number (XPN).
> XPN can be configured by passing 'xpn on' as part of the ip

"cipher ..."

> link add command using macsec type.
> In addition, using 'xpn' keyword instead of the 'pn', passing a 12
> bytes salt using the 'salt' keyword and passing short secure channel
> id (ssci) using the 'ssci' keyword as part of the ip macsec command
> is required (see example).
> 
> e.g:
> 
> create a MACsec device on link eth0 with enabled xpn
>   # ip link add link eth0 macsec0 type macsec port 11
> 	encrypt on xpn on

                   cipher ...

[...]
> @@ -392,9 +439,21 @@ static int do_modify_nl(enum cmd c, enum macsec_nl_commands cmd, int ifindex,
>  	addattr8(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_AN, sa->an);
>  
>  	if (c != CMD_DEL) {
> -		if (sa->pn)
> -			addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> -				  sa->pn);
> +		if (sa->xpn) {
> +			if (sa->pn.pn64)
> +				addattr64(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> +					  sa->pn.pn64);
> +			if (sa->salt[0] != '\0')

                        if (sa->salt_set)

> +				addattr_l(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SALT,
> +					  sa->salt, MACSEC_SALT_LEN);
> +			if (sa->ssci != 0)

                        if (sa->ssci_set)

> +				addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_SSCI,
> +					  sa->ssci);
> +		} else {
> +			if (sa->pn.pn32)
> +				addattr32(&req.n, MACSEC_BUFLEN, MACSEC_SA_ATTR_PN,
> +					  sa->pn.pn32);
> +		}

[...]
> @@ -1251,6 +1339,7 @@ static void usage(FILE *f)
>  		"                  [ send_sci { on | off } ]\n"
>  		"                  [ end_station { on | off } ]\n"
>  		"                  [ scb { on | off } ]\n"
> +		"                  [ xpn { on | off } ]\n"

That should be the new "cipher" options instead of "xpn on/off".

>  		"                  [ protect { on | off } ]\n"
>  		"                  [ replay { on | off} window { 0..2^32-1 } ]\n"
>  		"                  [ validate { strict | check | disabled } ]\n"

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ