Date: Thu, 18 Aug 2011 20:31:08 +0530
From: krbmit siso <krbmit@...il.com>
To: netdev@...r.kernel.org, ipsec-tools-users@...ts.sourceforge.net, ipsec-tools-devel@...ts.sourceforge.net, ikev2-devel@...ts.sourceforge.net, Timo Teräs <timo.teras@....fi>
Subject: Re: protect raw sockets

Hi All,

After adding the below code in net/ipv4/raw.c in function raw_send_hdrinc() I am able to see the packet sent using RAW_SOCKET getting protected. Please let me know how it can be done better, and provide it as a feature so that others can also use it if a packet sent using RAW_SOCKET needs to be protected.

/************** net/ipv4/raw.c *************/
/* Inserted in raw_send_hdrinc() before the skb is handed to NF_HOOK();
 * skb, net, rt and err are the surrounding function's variables. */
        struct flowi fl;
        struct dst_entry *dst;
        int res;

        /* Derive the flow (addresses, protocol, ports) from the caller-built header. */
        if (xfrm_decode_session(skb, &fl, AF_INET) < 0) {
                printk("\n xfrm_decode_session FAILED \n");
                XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
                return 0;
        }
        dst = skb_dst(skb);
        printk("\n xfrm_lookup called \n");
        /* Consult the SPD: on a match, dst is replaced by the xfrm (IPsec) route.
         * res records whether the lookup succeeded but is not checked below. */
        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
        skb_dst_set(skb, dst);
        err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev, dst_output);
/*************************************************/

Thanks and Regards
Naveen

On Thu, Aug 18, 2011 at 1:58 PM, krbmit siso <krbmit@...il.com> wrote:
> Hi Timo,
>
> Thanks for your reply.
> Yes, I did explore this yesterday and I was successful in sending the IKE
> messages unprotected after using the below code, only for UDP sockets.
>
> int setsockopt_bypass(int fd, int family)
> {
>     struct sadb_x_policy policy;
>     int level, optname;
>
>     switch (family) {
>     case AF_INET:
>         level = IPPROTO_IP;
>         optname = IP_IPSEC_POLICY;
>         break;
>     case AF_INET6:
>         level = IPPROTO_IPV6;
>         optname = IPV6_IPSEC_POLICY;
>         break;
>     default:
>         return -1;
>     }
>
>     memset(&policy, 0, sizeof(policy));
>     policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy));
>     policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
>     policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
>     policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
>     if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
>         return -1;
>     }
>     policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
>     if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
>         return -1;
>     }
>     return 0;
> }
>
> But I did try the same on a RAW socket by setting the policy as
> policy.sadb_x_policy_type = IPSEC_POLICY_ENTRUST|IPSEC_POLICY_IPSEC;
> But the packet is going unprotected.
> Please shed some light on how to protect RAW packets if there is a policy
> matching in the SPD saying it needs to be protected.
> I have checked the postings; there is no help on this issue. Could
> you please give some options, if it is possible from the application?
>
>
> Thanks and Regards
> Naveen
>
> On Thu, Aug 18, 2011 at 1:45 PM, Naveen B N (nbn) <nbn@...co.com> wrote:
>> Hi All,
>> Is there a way to enforce IPsec protection for packets sent from an
>> application using RAW_SOCKET?
>>
>> My analysis is to add code at raw_sendmsg() & raw_v4_input() to
>> call xfrm_policy_check().
>> Is it a good method to proceed, or is there a better and smarter way to
>> achieve this?
>>
>> Hoping for some guidelines.
>>
>> Thanks in advance.
>>
>> Thanks and Regards
>> Naveen
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
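As an added example (not Naveen's code and not from the kernel tree), a userspace helper that generalizes the quoted setsockopt_bypass(): besides IPSEC_POLICY_BYPASS it can build an IPSEC_POLICY_IPSEC policy by appending one sadb_x_ipsecrequest, which is how a socket is told it must use ESP in transport mode. It assumes the Linux uapi headers and the PF_KEY policy layout the kernel's setsockopt parser reads; as the thread reports, such a per-socket policy governed UDP sockets but did not reach raw sockets in that kernel.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>

#define PFKEY_UNIT64(a) ((a) >> 3)  /* PF_KEY lengths are in 64-bit units (RFC 2367) */
/* sadb_x_policy followed by one sadb_x_ipsecrequest, back to back: the layout
 * the kernel's PF_KEY policy parser reads for IP_IPSEC_POLICY (assumption). */
struct sock_policy {
    struct sadb_x_policy pol;
    struct sadb_x_ipsecrequest req;
};

/* Fill sp for direction dir. type is IPSEC_POLICY_BYPASS (no request follows)
 * or IPSEC_POLICY_IPSEC (one ESP transport-mode request at level REQUIRE).
 * Returns the byte length to hand to setsockopt(), or -1 for other types. */
int build_sock_policy(struct sock_policy *sp, int type, int dir)
{
    size_t len;
    memset(sp, 0, sizeof(*sp));
    if (type == IPSEC_POLICY_BYPASS) {
        len = sizeof(sp->pol);
    } else if (type == IPSEC_POLICY_IPSEC) {
        len = sizeof(*sp);
        sp->req.sadb_x_ipsecrequest_len = sizeof(sp->req);  /* bytes, not units */
        sp->req.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
        sp->req.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
        sp->req.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
    } else {
        return -1;
    }
    sp->pol.sadb_x_policy_len = PFKEY_UNIT64(len);  /* covers the request too */
    sp->pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    sp->pol.sadb_x_policy_type = type;
    sp->pol.sadb_x_policy_dir = dir;
    return (int)len;
}

/* Apply the policy to an IPv4 socket in both directions (needs CAP_NET_ADMIN);
 * for IPv6 use IPPROTO_IPV6 / IPV6_IPSEC_POLICY. Returns 0, or -1 with errno set. */
int set_sock_policy(int fd, int type)
{
    struct sock_policy sp;
    int dirs[] = { IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND }, i, len;
    for (i = 0; i < 2; i++) {
        len = build_sock_policy(&sp, type, dirs[i]);
        if (len < 0 || setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, &sp, len) == -1)
            return -1;
    }
    return 0;
}
```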