| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CABjs8yVOgKBrF2dMopzPmsfouWz5WHCAZCqjG3nY76CaqTFRLw@mail.gmail.com>
Date: Thu, 18 Aug 2011 20:31:08 +0530
From: krbmit siso <krbmit@...il.com>
To: netdev@...r.kernel.org, ipsec-tools-users@...ts.sourceforge.net,
ipsec-tools-devel@...ts.sourceforge.net,
ikev2-devel@...ts.sourceforge.net,
Timo Teräs <timo.teras@....fi>
Subject: Re: protect raw sockets
Hi All,
After adding the below code in net/ipv4/raw.c in function raw_send_hdrinc()
I am able to see packet sent using RAW_SOCKET getting protected .
Please let me know how can it be done better and provide it has a feature
, so that others can also use it if packet sent using RAW_SOCKET
needs to be protected.
/************** net/ipv4/raw.c *************/
struct flowi fl;
struct dst_entry *dst;
int res;
if (xfrm_decode_session(skb, &fl, AF_INET)<0){
printk("\n xfrm_decode_session FAILED \n");
XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
return 0;
}
dst = skb_dst(skb);
printk("\n xfrm_lookup called \n");
res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
skb_dst_set(skb, dst);
err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
dst_output);
/*************************************************/
Thanks and Regards
Naveen
On Thu, Aug 18, 2011 at 1:58 PM, krbmit siso <krbmit@...il.com> wrote:
> Hi Timo,
>
> Thanks for your reply .
> Yes i did explore this yesterday and i was successful in sending the IKE
> messages unprotected after using the below code only for UDP sockets.
>
> int setsockopt_bypass(int fd, int family)
> {
> struct sadb_x_policy policy;
> int level, optname;
>
> switch (family) {
> case AF_INET:
> level = IPPROTO_IP;
> optname = IP_IPSEC_POLICY;
> break;
> case AF_INET6:
> level = IPPROTO_IPV6;
> optname = IPV6_IPSEC_POLICY;
> break;
> default:
> return -1;
> }
>
> memset(&policy, 0, sizeof(policy));
> policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy));
> policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
> policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
> policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
> if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
> return -1;
> }
> policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
> if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
> return -1;
> }
> return 0;
> }
>
> But i did try the same on RAW socket by setting the policy has
> policy.sadb_x_policy_type = IPSEC_POLICY_ENTRUST|IPSEC_POLICY_IPSEC;
> But the packet is going unprotected .
> Please show some light on how to protect RAW packets if there is a Policy
> matching in the SPD saying it need to be protected.
> I have checked the posting there is no help on this isues , could
> you please give some options , if it is possible from Application.
>
>
> Thanks and Regards
> Naveen
>
> On Thu, Aug 18, 2011 at 1:45 PM, Naveen B N (nbn) <nbn@...co.com> wrote:
>> Hi All,
>> Is there a way to enforce IPsec protection for packets sent from
>> application using RAW_SOCKET.
>>
>> My analysis is to add a code at the raw_sendmsg() & raw_v4_input() to
>> call xfrm_policy_check() ..
>> Is it a good method to proceed or is there a better and smart way to
>> achieve this .
>>
>> Hoping for some guide lines ..
>>
>> Thanks in advance ..
>>
>> Thanks and Regards
>> Naveen
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists