/* SPDX-License-Identifier: LGPL-2.1-or-later */

/*

 * Copyright (C) 2017 Red Hat, Inc.

 */

#include "nm-default.h"

#include "nm-setting-macsec.h"

#include <stdlib.h>

#include "nm-glib-aux/nm-secret-utils.h"

#include "nm-utils.h"

#include "nm-core-types-internal.h"

#include "nm-setting-connection.h"

#include "nm-setting-private.h"

#include "nm-setting-wired.h"

#include "nm-connection-private.h"

/**

 * SECTION:nm-setting-macsec

 * @short_description: Describes connection properties for MACSEC interfaces

 *

 * The #NMSettingMacsec object is a #NMSetting subclass that describes properties

 * necessary for connection to MACsec (IEEE 802.1AE) interfaces.

 **/

/*****************************************************************************/

NM_GOBJECT_PROPERTIES_DEFINE_BASE(PROP_PARENT,

                                  PROP_MODE,

                                  PROP_ENCRYPT,

                                  PROP_MKA_CAK,

                                  PROP_MKA_CAK_FLAGS,

                                  PROP_MKA_CKN,

                                  PROP_PORT,

                                  PROP_VALIDATION,

                                  PROP_SEND_SCI, );

typedef struct {

    char *                    parent;

    char *                    mka_cak;

    char *                    mka_ckn;

    int                       port;

    NMSettingMacsecMode       mode;

    NMSettingSecretFlags      mka_cak_flags;

    NMSettingMacsecValidation validation;

    bool                      encrypt : 1;

    bool                      send_sci : 1;

} NMSettingMacsecPrivate;

G_DEFINE_TYPE(NMSettingMacsec, nm_setting_macsec, NM_TYPE_SETTING)

#define NM_SETTING_MACSEC_GET_PRIVATE(o) \

    (G_TYPE_INSTANCE_GET_PRIVATE((o), NM_TYPE_SETTING_MACSEC, NMSettingMacsecPrivate))

/*****************************************************************************/

/**

 * nm_setting_macsec_get_parent:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:parent property of the setting

 *

 * Since: 1.6

 **/

const char *

nm_setting_macsec_get_parent(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NULL);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->parent;

}

/**

 * nm_setting_macsec_get_mode:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:mode property of the setting

 *

 * Since: 1.6

 **/

NMSettingMacsecMode

nm_setting_macsec_get_mode(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NM_SETTING_MACSEC_MODE_PSK);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->mode;

}

/**

 * nm_setting_macsec_get_encrypt:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:encrypt property of the setting

 *

 * Since: 1.6

 **/

gboolean

nm_setting_macsec_get_encrypt(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), TRUE);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->encrypt;

}

/**

 * nm_setting_macsec_get_mka_cak

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:mka-cak property of the setting

 *

 * Since: 1.6

 **/

const char *

nm_setting_macsec_get_mka_cak(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NULL);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->mka_cak;

}

/**

 * nm_setting_macsec_get_mka_cak_flags:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingSecretFlags pertaining to the #NMSettingMacsec:mka-cak

 *

 * Since: 1.6

 **/

NMSettingSecretFlags

nm_setting_macsec_get_mka_cak_flags(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NM_SETTING_SECRET_FLAG_NONE);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->mka_cak_flags;

}

/**

 * nm_setting_macsec_get_mka_ckn:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:mka-ckn property of the setting

 *

 * Since: 1.6

 **/

const char *

nm_setting_macsec_get_mka_ckn(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NULL);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->mka_ckn;

}

/**

 * nm_setting_macsec_get_port:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:port property of the setting

 *

 * Since: 1.6

 **/

int

nm_setting_macsec_get_port(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), 1);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->port;

}

/**

 * nm_setting_macsec_get_validation:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:validation property of the setting

 *

 * Since: 1.6

 **/

NMSettingMacsecValidation

nm_setting_macsec_get_validation(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), NM_SETTING_MACSEC_VALIDATION_DISABLE);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->validation;

}

/**

 * nm_setting_macsec_get_send_sci:

 * @setting: the #NMSettingMacsec

 *

 * Returns: the #NMSettingMacsec:send-sci property of the setting

 *

 * Since: 1.12

 **/

gboolean

nm_setting_macsec_get_send_sci(NMSettingMacsec *setting)

{

    g_return_val_if_fail(NM_IS_SETTING_MACSEC(setting), TRUE);

    return NM_SETTING_MACSEC_GET_PRIVATE(setting)->send_sci;

}

static GPtrArray *

need_secrets(NMSetting *setting)

{

    NMSettingMacsecPrivate *priv    = NM_SETTING_MACSEC_GET_PRIVATE(setting);

    GPtrArray *             secrets = NULL;

    if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) {

        if (!priv->mka_cak

            && !NM_FLAGS_HAS(priv->mka_cak_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {

            secrets = g_ptr_array_sized_new(1);

            g_ptr_array_add(secrets, NM_SETTING_MACSEC_MKA_CAK);

        }

    }

    return secrets;

}

/*********************************************************************/

static gboolean

verify_macsec_key(const char *key, gboolean cak, GError **error)

{

    int req_len;

    /* CAK is a connection secret and can be NULL for various

     * reasons (agent-owned, no permissions to get secrets, etc.)

     */

    if (cak && !key)

        return TRUE;

    if (!key || !key[0]) {

        g_set_error_literal(error,

                            NM_CONNECTION_ERROR,

                            NM_CONNECTION_ERROR_INVALID_PROPERTY,

                            _("the key is empty"));

        return FALSE;

    }

    req_len = cak ? NM_SETTING_MACSEC_MKA_CAK_LENGTH : NM_SETTING_MACSEC_MKA_CKN_LENGTH;

    if (strlen(key) != (gsize) req_len) {

        g_set_error(error,

                    NM_CONNECTION_ERROR,

                    NM_CONNECTION_ERROR_INVALID_PROPERTY,

                    _("the key must be %d characters"),

                    req_len);

        return FALSE;

    }

    if (!NM_STRCHAR_ALL(key, ch, g_ascii_isxdigit(ch))) {

        g_set_error_literal(error,

                            NM_CONNECTION_ERROR,

                            NM_CONNECTION_ERROR_INVALID_PROPERTY,

                            _("the key contains non-hexadecimal characters"));

        return FALSE;

    }

    return TRUE;

}

static gboolean

verify(NMSetting *setting, NMConnection *connection, GError **error)

{

    NMSettingMacsecPrivate *priv    = NM_SETTING_MACSEC_GET_PRIVATE(setting);

    NMSettingConnection *   s_con   = NULL;

    NMSettingWired *        s_wired = NULL;

    NMSetting8021x *        s_8021x = NULL;

    if (connection) {

        s_con   = nm_connection_get_setting_connection(connection);

        s_wired = nm_connection_get_setting_wired(connection);

        s_8021x = nm_connection_get_setting_802_1x(connection);

    }

    if (priv->parent) {

        if (nm_utils_is_uuid(priv->parent)) {

            /* If we have an NMSettingConnection:master with slave-type="macsec",

             * then it must be the same UUID.

             */

            if (s_con) {

                const char *master = NULL, *slave_type = NULL;

                slave_type = nm_setting_connection_get_slave_type(s_con);

                if (!g_strcmp0(slave_type, NM_SETTING_MACSEC_SETTING_NAME))

                    master = nm_setting_connection_get_master(s_con);

                if (master && g_strcmp0(priv->parent, master) != 0) {

                    g_set_error(error,

                                NM_CONNECTION_ERROR,

                                NM_CONNECTION_ERROR_INVALID_PROPERTY,

                                _("'%s' value doesn't match '%s=%s'"),

                                priv->parent,

                                NM_SETTING_CONNECTION_MASTER,

                                master);

                    g_prefix_error(error,

                                   "%s.%s: ",

                                   NM_SETTING_MACSEC_SETTING_NAME,

                                   NM_SETTING_MACSEC_PARENT);

                    return FALSE;

                }

            }

        } else if (!nm_utils_iface_valid_name(priv->parent)) {

            /* parent must be either a UUID or an interface name */

            g_set_error(error,

                        NM_CONNECTION_ERROR,

                        NM_CONNECTION_ERROR_INVALID_PROPERTY,

                        _("'%s' is neither an UUID nor an interface name"),

                        priv->parent);

            g_prefix_error(error,

                           "%s.%s: ",

                           NM_SETTING_MACSEC_SETTING_NAME,

                           NM_SETTING_MACSEC_PARENT);

            return FALSE;

        }

    } else {

        /* If parent is NULL, the parent must be specified via

         * NMSettingWired:mac-address.

         */

        if (connection && (!s_wired || !nm_setting_wired_get_mac_address(s_wired))) {

            g_set_error(error,

                        NM_CONNECTION_ERROR,

                        NM_CONNECTION_ERROR_MISSING_PROPERTY,

                        _("property is not specified and neither is '%s:%s'"),

                        NM_SETTING_WIRED_SETTING_NAME,

                        NM_SETTING_WIRED_MAC_ADDRESS);

            g_prefix_error(error,

                           "%s.%s: ",

                           NM_SETTING_MACSEC_SETTING_NAME,

                           NM_SETTING_MACSEC_PARENT);

            return FALSE;

        }

    }

    if (priv->mode == NM_SETTING_MACSEC_MODE_PSK) {

        if (!verify_macsec_key(priv->mka_ckn, FALSE, error)) {

            g_prefix_error(error,

                           "%s.%s: ",

                           NM_SETTING_MACSEC_SETTING_NAME,

                           NM_SETTING_MACSEC_MKA_CKN);

            return FALSE;

        }

        if (!verify_macsec_key(priv->mka_cak, TRUE, error)) {

            g_prefix_error(error,

                           "%s.%s: ",

                           NM_SETTING_MACSEC_SETTING_NAME,

                           NM_SETTING_MACSEC_MKA_CAK);

            return FALSE;

        }

    } else if (priv->mode == NM_SETTING_MACSEC_MODE_EAP) {

        if (!s_8021x) {

            g_set_error(error,

                        NM_CONNECTION_ERROR,

                        NM_CONNECTION_ERROR_MISSING_SETTING,

                        _("EAP key management requires '%s' setting presence"),

                        NM_SETTING_802_1X_SETTING_NAME);

            g_prefix_error(error, "%s: ", NM_SETTING_MACSEC_SETTING_NAME);

            return FALSE;

        }

    } else {

        g_set_error_literal(error,

                            NM_CONNECTION_ERROR,

                            NM_CONNECTION_ERROR_INVALID_PROPERTY,

                            _("must be either psk (0) or eap (1)"));

        g_prefix_error(error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_MODE);

        return FALSE;

    }

    if (priv->port <= 0 || priv->port > 65534) {

        g_set_error(error,

                    NM_CONNECTION_ERROR,

                    NM_CONNECTION_ERROR_MISSING_PROPERTY,

                    _("invalid port %d"),

                    priv->port);

        g_prefix_error(error, "%s.%s: ", NM_SETTING_MACSEC_SETTING_NAME, NM_SETTING_MACSEC_PORT);

        return FALSE;

    }

    if (priv->mode != NM_SETTING_MACSEC_MODE_PSK && (priv->mka_cak || priv->mka_ckn)) {

        g_set_error_literal(error,

                            NM_CONNECTION_ERROR,

                            NM_CONNECTION_ERROR_INVALID_PROPERTY,

                            _("only valid for psk mode"));

        g_prefix_error(error,

                       "%s.%s: ",

                       NM_SETTING_MACSEC_SETTING_NAME,

                       priv->mka_cak ? NM_SETTING_MACSEC_MKA_CAK : NM_SETTING_MACSEC_MKA_CKN);

        return NM_SETTING_VERIFY_NORMALIZABLE;

    }

    return TRUE;

}

/*****************************************************************************/

static void

get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)

{

    NMSettingMacsec *       setting = NM_SETTING_MACSEC(object);

    NMSettingMacsecPrivate *priv    = NM_SETTING_MACSEC_GET_PRIVATE(setting);

    switch (prop_id) {

    case PROP_PARENT:

        g_value_set_string(value, priv->parent);

        break;

    case PROP_MODE:

        g_value_set_int(value, priv->mode);

        break;

    case PROP_ENCRYPT:

        g_value_set_boolean(value, priv->encrypt);

        break;

    case PROP_MKA_CAK:

        g_value_set_string(value, priv->mka_cak);

        break;

    case PROP_MKA_CAK_FLAGS:

        g_value_set_flags(value, priv->mka_cak_flags);

        break;

    case PROP_MKA_CKN:

        g_value_set_string(value, priv->mka_ckn);

        break;

    case PROP_PORT:

        g_value_set_int(value, priv->port);

        break;

    case PROP_VALIDATION:

        g_value_set_int(value, priv->validation);

        break;

    case PROP_SEND_SCI:

        g_value_set_boolean(value, priv->send_sci);

        break;

    default:

        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);

        break;

    }

}

static void

set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *pspec)

{

    NMSettingMacsec *       setting = NM_SETTING_MACSEC(object);

    NMSettingMacsecPrivate *priv    = NM_SETTING_MACSEC_GET_PRIVATE(setting);

    switch (prop_id) {

    case PROP_PARENT:

        g_free(priv->parent);

        priv->parent = g_value_dup_string(value);

        break;

    case PROP_MODE:

        priv->mode = g_value_get_int(value);

        break;

    case PROP_ENCRYPT:

        priv->encrypt = g_value_get_boolean(value);

        break;

    case PROP_MKA_CAK:

        nm_free_secret(priv->mka_cak);

        priv->mka_cak = g_value_dup_string(value);

        break;

    case PROP_MKA_CAK_FLAGS:

        priv->mka_cak_flags = g_value_get_flags(value);

        break;

    case PROP_MKA_CKN:

        g_free(priv->mka_ckn);

        priv->mka_ckn = g_value_dup_string(value);

        break;

    case PROP_PORT:

        priv->port = g_value_get_int(value);

        break;

    case PROP_VALIDATION:

        priv->validation = g_value_get_int(value);

        break;

    case PROP_SEND_SCI:

        priv->send_sci = g_value_get_boolean(value);

        break;

    default:

        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);

        break;

    }

}

/*****************************************************************************/

static void

nm_setting_macsec_init(NMSettingMacsec *self)

{

    NMSettingMacsecPrivate *priv = NM_SETTING_MACSEC_GET_PRIVATE(self);

    nm_assert(priv->mode == NM_SETTING_MACSEC_MODE_PSK);

    priv->encrypt    = TRUE;

    priv->port       = 1;

    priv->send_sci   = TRUE;

    priv->validation = NM_SETTING_MACSEC_VALIDATION_STRICT;

}

/**

 * nm_setting_macsec_new:

 *

 * Creates a new #NMSettingMacsec object with default values.

 *

 * Returns: (transfer full): the new empty #NMSettingMacsec object

 *

 * Since: 1.6

 **/

NMSetting *

nm_setting_macsec_new(void)

{

    return g_object_new(NM_TYPE_SETTING_MACSEC, NULL);

}

static void

finalize(GObject *object)

{

    NMSettingMacsec *       setting = NM_SETTING_MACSEC(object);

    NMSettingMacsecPrivate *priv    = NM_SETTING_MACSEC_GET_PRIVATE(setting);

    g_free(priv->parent);

    nm_free_secret(priv->mka_cak);

    g_free(priv->mka_ckn);

    G_OBJECT_CLASS(nm_setting_macsec_parent_class)->finalize(object);

}

static void

nm_setting_macsec_class_init(NMSettingMacsecClass *klass)

{

    GObjectClass *  object_class  = G_OBJECT_CLASS(klass);

    NMSettingClass *setting_class = NM_SETTING_CLASS(klass);

    g_type_class_add_private(klass, sizeof(NMSettingMacsecPrivate));

    object_class->get_property = get_property;

    object_class->set_property = set_property;

    object_class->finalize     = finalize;

    setting_class->verify       = verify;

    setting_class->need_secrets = need_secrets;

    /**

     * NMSettingMacsec:parent:

     *

     * If given, specifies the parent interface name or parent connection UUID

     * from which this MACSEC interface should be created.  If this property is

     * not specified, the connection must contain an #NMSettingWired setting

     * with a #NMSettingWired:mac-address property.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_PARENT] = g_param_spec_string(

        NM_SETTING_MACSEC_PARENT,

        "",

        "",

        NULL,

        G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:mode:

     *

     * Specifies how the CAK (Connectivity Association Key) for MKA (MACsec Key

     * Agreement) is obtained.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_MODE] =

        g_param_spec_int(NM_SETTING_MACSEC_MODE,

                         "",

                         "",

                         G_MININT,

                         G_MAXINT,

                         NM_SETTING_MACSEC_MODE_PSK,

                         G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:encrypt:

     *

     * Whether the transmitted traffic must be encrypted.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_ENCRYPT] = g_param_spec_boolean(NM_SETTING_MACSEC_ENCRYPT,

                                                        "",

                                                        "",

                                                        TRUE,

                                                        G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:mka-cak:

     *

     * The pre-shared CAK (Connectivity Association Key) for MACsec

     * Key Agreement.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_MKA_CAK] =

        g_param_spec_string(NM_SETTING_MACSEC_MKA_CAK,

                            "",

                            "",

                            NULL,

                            G_PARAM_READWRITE | NM_SETTING_PARAM_SECRET | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:mka-cak-flags:

     *

     * Flags indicating how to handle the #NMSettingMacsec:mka-cak

     * property.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_MKA_CAK_FLAGS] =

        g_param_spec_flags(NM_SETTING_MACSEC_MKA_CAK_FLAGS,

                           "",

                           "",

                           NM_TYPE_SETTING_SECRET_FLAGS,

                           NM_SETTING_SECRET_FLAG_NONE,

                           G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:mka-ckn:

     *

     * The pre-shared CKN (Connectivity-association Key Name) for

     * MACsec Key Agreement.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_MKA_CKN] = g_param_spec_string(NM_SETTING_MACSEC_MKA_CKN,

                                                       "",

                                                       "",

                                                       NULL,

                                                       G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:port:

     *

     * The port component of the SCI (Secure Channel Identifier), between 1 and 65534.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_PORT] =

        g_param_spec_int(NM_SETTING_MACSEC_PORT,

                         "",

                         "",

                         1,

                         65534,

                         1,

                         G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:validation:

     *

     * Specifies the validation mode for incoming frames.

     *

     * Since: 1.6

     **/

    obj_properties[PROP_VALIDATION] =

        g_param_spec_int(NM_SETTING_MACSEC_VALIDATION,

                         "",

                         "",

                         G_MININT,

                         G_MAXINT,

                         NM_SETTING_MACSEC_VALIDATION_STRICT,

                         G_PARAM_READWRITE | NM_SETTING_PARAM_INFERRABLE | G_PARAM_STATIC_STRINGS);

    /**

     * NMSettingMacsec:send-sci:

     *

     * Specifies whether the SCI (Secure Channel Identifier) is included

     * in every packet.

     *

     * Since: 1.12

     **/

    obj_properties[PROP_SEND_SCI] =

        g_param_spec_boolean(NM_SETTING_MACSEC_SEND_SCI,

                             "",

                             "",

                             TRUE,

                             G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);

    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);

    _nm_setting_class_commit(setting_class, NM_META_SETTING_TYPE_MACSEC);

}