nsm: add authentication tlv for nsm

add sad_process_auth() and sad_append_auth_tlv() to the nsm_recv() and
nsm_request() functions. In addition, add spp to the nsm structure and
add sad_create() & sad_destroy() to functions.

Signed-off-by: Clay Kaiser <Clay.Kaiser@ibm.com>
Reviewed-by: Erez Geva <ErezGeva2@gmail.com>
Reviewed-by: Miroslav Lichvar <mlichvar@redhat.com>

makefile

@@ -72,7 +72,7 @@ all: $(PRG)
 ptp4l: $(OBJ)
 
 nsm: config.o $(FILTERS) hash.o interface.o msg.o nsm.o phc.o print.o \
- rtnl.o sk.o $(TRANSP) tlv.o tsproc.o util.o version.o
+ rtnl.o $(SECURITY) sk.o $(TRANSP) tlv.o tsproc.o util.o version.o
 
 pmc: config.o hash.o interface.o msg.o phc.o pmc.o pmc_common.o print.o \
  $(SECURITY) sk.o tlv.o $(TRANSP) util.o version.o

nsm.8

@@ -1,4 +1,4 @@
-.TH NSM 8 "June 2019" "linuxptp"
+.TH NSM 8 "March 2024" "linuxptp"
 .SH NAME
 nsm \- NetSync Monitor client
 
@@ -85,6 +85,14 @@ options. The name of the section is the name of the configured port (e.g.
 
 .SH PORT OPTIONS
 .TP
+.B active_key_id
+Used in conjunction with \fBspp\fR and \fBsa_file\fR directives to
+specify which key from the \fBspp\fR defined Security Association
+should be used for outbound icv calculations. All Security Assocations
+are read from the file specified by \fBsa_file\fR. Requires \fBspp\fR
+and \fBsa_file\fR directives. Must be in the range of 1 to 2^32-1,
+inclusive. The default is 0 (disabled).
+.TP
 .B delayAsymmetry
 The time difference in nanoseconds of the transmit and receive
 paths. This value should be positive when the master-to-slave
@@ -95,6 +103,19 @@ is longer. The default is 0 nanoseconds.
 Select the network transport. Possible values are UDPv4 and L2. The default
 is UDPv4.
 .TP
+.B spp
+Specifies the Security Parameters Pointer of the desired Security
+Association to be used for Authentication TLV support for a given port.
+Any port with an assigned spp will attach Authentication TLVs to all
+outbound messages and check for Authentication TLVs on all inbound
+messages in accordance to the corresponding security association
+sourced via the \fBsa_file\fR directive. Outbound Authentication TLVs
+are generated using the key specified by \fBactive_key_id\fR. Not
+compatible with one step ports or advertised versions less then
+PTPv2.1. Requires \fBsa_file\fR and \fBactive_key_id\fR directives.
+Must be in the range of 0 to 255, inclusive.
+The default is -1 (disabled).
+.TP
 .B transportSpecific
 The transport specific field. Must be in the range 0 to 255.
 The default is 0.
@@ -104,6 +125,16 @@ The default is 0.
 .TP
 .B domainNumber
 The domain attribute of the local clock. The default is 0.
+.TP
+.B sa_file
+Specifies the location of the file containing Security Associations
+used for immediate security processing of the Authentication TLV in
+support of the optional security mechanism defined in ieee1588-2019
+ch 14.16. See \fBSECURITY ASSOCIATION OPTIONS\fR for information on how
+this file should be formatted. \fBspp\fR and \fBactive_key_id\fR should
+be specifed for each port to indicate which Security Association from
+the /fBsa_file/fR should be used. The default is an empty string.
+.TP
 .B time_stamping
 The time stamping method. The allowed values are hardware, software and legacy.
 The default is hardware.

nsm.c

@@ -29,6 +29,7 @@
 #include "config.h"
 #include "print.h"
 #include "rtnl.h"
+#include "sad.h"
 #include "util.h"
 #include "version.h"
 
@@ -51,6 +52,8 @@ struct nsm {
 	struct PortIdentity	port_identity;
 	UInteger16		sequence_id;
 	const char		*name;
+	int			spp;
+	UInteger32		active_key_id;
 } the_nsm;
 
 static void nsm_help(FILE *fp);
@@ -285,6 +288,11 @@ static int nsm_open(struct nsm *nsm, struct config *cfg)
 	iface = STAILQ_FIRST(&cfg->interfaces);
 	nsm->name = name = interface_name(iface);
 	nsm->cfg = cfg;
+	nsm->spp = config_get_int(cfg, name, "spp");
+	nsm->active_key_id = config_get_uint(cfg, name, "active_key_id");
+	if (sad_readiness_check(nsm->spp, nsm->active_key_id, nsm->cfg)) {
+		return -1;
+	}
 
 	transport = config_get_int(cfg, name, "network_transport");
 
@@ -321,7 +329,7 @@ static int nsm_open(struct nsm *nsm, struct config *cfg)
 
 static struct ptp_message *nsm_recv(struct nsm *nsm, int fd)
 {
-	struct ptp_message *msg;
+	struct ptp_message *msg, *dup = NULL;
 	int cnt, err;
 
 	msg = msg_allocate();
@@ -336,6 +344,12 @@ static struct ptp_message *nsm_recv(struct nsm *nsm, int fd)
 		pr_err("recv message failed");
 		goto failed;
 	}
+	if (nsm->spp >= 0) {
+		dup = msg_duplicate(msg, 0);
+		if (!dup) {
+			goto failed;
+		}
+	}
 	err = msg_post_recv(msg, cnt);
 	if (err) {
 		switch (err) {
@@ -353,10 +367,27 @@ static struct ptp_message *nsm_recv(struct nsm *nsm, int fd)
 		       msg_type_string(msg_type(msg)));
 		goto failed;
 	}
-
+	err = sad_process_auth(nsm->cfg, nsm->spp, msg, dup);
+	if (err) {
+		switch (err) {
+		case -EBADMSG:
+			pr_err("auth: bad message");
+			break;
+		case -EPROTO:
+			pr_debug("auth: ignoring message");
+			break;
+		}
+		goto failed;
+	}
+	if (dup) {
+		msg_put(dup);
+	}
 	return msg;
 failed:
 	msg_put(msg);
+	if (dup) {
+		msg_put(dup);
+	}
 	return NULL;
 }
 
@@ -407,7 +438,12 @@ static int nsm_request(struct nsm *nsm, char *target)
 	extra->tlv->type = TLV_PTPMON_REQ;
 	extra->tlv->length = 0;
 
-	err = msg_pre_send(msg);
+	if (nsm->spp >= 0) {
+		err = sad_append_auth_tlv(nsm->cfg, nsm->spp,
+					  nsm->active_key_id, msg);
+	} else {
+		err = msg_pre_send(msg);
+	}
 	if (err) {
 		pr_err("msg_pre_send failed");
 		goto out;
@@ -531,6 +567,10 @@ int main(int argc, char *argv[])
 	print_set_tag(config_get_string(cfg, NULL, "message_tag"));
 	print_set_level(config_get_int(cfg, NULL, "logging_level"));
 
+	if (sad_create(cfg)) {
+		goto out;
+	}
+
 	err = nsm_open(nsm, cfg);
 	if (err) {
 		goto out;
@@ -620,6 +660,7 @@ int main(int argc, char *argv[])
 	nsm_close(nsm);
 out:
 	msg_cleanup();
+	sad_destroy(cfg);
 	config_destroy(cfg);
 	return err;
 }