lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 18 Aug 2011 20:31:08 +0530
From:	krbmit siso <krbmit@...il.com>
To:	netdev@...r.kernel.org, ipsec-tools-users@...ts.sourceforge.net,
	ipsec-tools-devel@...ts.sourceforge.net,
	ikev2-devel@...ts.sourceforge.net,
	Timo Teräs <timo.teras@....fi>
Subject: Re: protect raw sockets

Hi All,
After adding the below code in net/ipv4/raw.c in function raw_send_hdrinc()
I am able to see packet sent using RAW_SOCKET getting protected .

Please  let me know how can it be done better and provide it has a feature
, so that others can also use it  if  packet sent using RAW_SOCKET
needs to be protected.

/**************  net/ipv4/raw.c *************/
  struct flowi fl;
        struct dst_entry *dst;
        int res;

        if (xfrm_decode_session(skb, &fl, AF_INET)<0){

        printk("\n xfrm_decode_session FAILED \n");
                XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
                return 0;
        }

        dst = skb_dst(skb);

        printk("\n xfrm_lookup called \n");
        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
        skb_dst_set(skb, dst);

       err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
                      dst_output);
/*************************************************/

Thanks and Regards
Naveen

On Thu, Aug 18, 2011 at 1:58 PM, krbmit siso <krbmit@...il.com> wrote:
> Hi Timo,
>
> Thanks for your reply .
> Yes i did explore this yesterday and i was successful in sending the IKE
> messages unprotected after using the below code only for UDP sockets.
>
> int setsockopt_bypass(int fd, int family)
> {
>        struct sadb_x_policy policy;
>        int level, optname;
>
>        switch (family) {
>                case AF_INET:
>                        level = IPPROTO_IP;
>                        optname = IP_IPSEC_POLICY;
>                        break;
>                case AF_INET6:
>                        level = IPPROTO_IPV6;
>                        optname = IPV6_IPSEC_POLICY;
>                        break;
>                default:
>                        return -1;
>        }
>
>        memset(&policy, 0, sizeof(policy));
>        policy.sadb_x_policy_len = PFKEY_UNIT64(sizeof(policy));
>        policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
>        policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
>        policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
>        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
>                return -1;
>        }
>        policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
>        if (setsockopt(fd, level, optname, &policy, sizeof(policy)) == -1) {
>                return -1;
>        }
>        return 0;
> }
>
> But i did try the same on RAW socket by setting the policy has
> policy.sadb_x_policy_type = IPSEC_POLICY_ENTRUST|IPSEC_POLICY_IPSEC;
> But the packet is going unprotected .
> Please show some light on how to protect RAW packets if there is a Policy
> matching in the SPD saying it need to be protected.
> I have checked the posting there is no help on this isues , could
> you please give some options , if it is possible from Application.
>
>
> Thanks and Regards
> Naveen
>
> On Thu, Aug 18, 2011 at 1:45 PM, Naveen B N (nbn) <nbn@...co.com> wrote:
>> Hi All,
>> Is there a way to enforce IPsec protection for packets sent from
>> application using RAW_SOCKET.
>>
>> My analysis is to add a code at the raw_sendmsg() & raw_v4_input() to
>> call xfrm_policy_check() ..
>> Is it a good method to proceed or is there a better and smart way to
>> achieve this .
>>
>> Hoping for some guide lines ..
>>
>> Thanks in advance ..
>>
>> Thanks and Regards
>> Naveen
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists