Date: Sat, 17 Jun 2006 10:22:43 +1200 From: Andrew Thompson <thompsa@freebsd.org> To: Max Laier <max@love2party.net> Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, Scott Ullrich <sullrich@gmail.com> Subject: Re: enc0 patch for ipsec Message-ID: <20060616222243.GC64552@heff.fud.org.nz> In-Reply-To: <200606161814.19336.max@love2party.net> References: <20060615225312.GB64552@heff.fud.org.nz> <200606161805.06651.max@love2party.net> <d5992baf0606160909q66df7c05wf0cd133196339f03@mail.gmail.com> <200606161814.19336.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--H+4ONPRPur6+Ovig
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Fri, Jun 16, 2006 at 06:14:12PM +0200, Max Laier wrote:
> On Friday 16 June 2006 18:09, Scott Ullrich wrote:
> > On 6/16/06, Max Laier <max@love2party.net> wrote:
> > > The issue is, if an attacker manages to get root on your box they are
> > > automatically able to read your IPSEC traffic ending at that box. If you
> > > don't have enc(4) compiled in, that would be more difficult to do. Same
> > > reason you don't want SADB_FLUSH on by default.
> >
> > Okay, this makes sense. But couldn't you also argue that if someone
> > gets access to the machine they could also use tcpdump to do the same
> > thing technically on the internal interface? Just playing devils
> > advocate.. :)
>
> Think tunnel2tunnel or an SA for a local connection, then. Given, if you are
> root you *might* have other means to obtain that information, but that is why
> we have a switch to turn off bpf, kmem or the like.
While the encryption keys are just a setkey -D away, I can see the
reason for seperating it out. I have attached another patch with the
changes made.
Andrew
--H+4ONPRPur6+Ovig
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ipsec_enc.diff"
Index: share/man/man4/enc.4
===================================================================
RCS file: share/man/man4/enc.4
diff -N share/man/man4/enc.4
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ share/man/man4/enc.4 16 Jun 2006 22:04:25 -0000
@@ -0,0 +1,82 @@
+.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $
+.\"
+.\" Copyright (c) 1999 Angelos D. Keromytis
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Angelos D. Keromytis.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd June 16, 2006
+.Dt ENC 4
+.Os
+.Sh NAME
+.Nm enc
+.Nd Encapsulating Interface
+.Sh SYNOPSIS
+.Cd "device enc"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a software loopback mechanism that allows hosts or
+firewalls to filter
+.Xr fast_ipsec 4
+traffic using any firewall package that hooks in via the
+.Xr pfil 9
+framework.
+.Pp
+The
+.Nm
+interface allows an administrator
+to see outgoing packets before they have been processed by
+.Xr fast_ipsec 4 ,
+or incoming packets after they have been similarly processed, via
+.Xr tcpdump 8 .
+.Pp
+The
+.Dq enc0
+interface inherits all IPsec traffic.
+Thus all IPsec traffic can be filtered based on
+.Dq enc0 ,
+and all IPsec traffic could be seen by invoking
+.Xr tcpdump 8
+on the
+.Dq enc0
+interface.
+.Sh EXAMPLES
+To see all outgoing packets before they have been processed via
+.Xr fast_ipsec 4 ,
+or all incoming packets after they have been similarly processed:
+.Pp
+.Dl # tcpdump -i enc0
+.Sh SEE ALSO
+.Xr bpf 4 ,
+.Xr fast_ipsec 4 ,
+.Xr ipf 4 ,
+.Xr ipfw 4 ,
+.Xr pf 4 ,
+.Xr tcpdump 8
Index: share/man/man4/fast_ipsec.4
===================================================================
RCS file: /home/ncvs/src/share/man/man4/fast_ipsec.4,v
retrieving revision 1.3
diff -u -p -r1.3 fast_ipsec.4
--- share/man/man4/fast_ipsec.4 21 Jan 2005 08:36:37 -0000 1.3
+++ share/man/man4/fast_ipsec.4 15 Jun 2006 22:32:58 -0000
@@ -78,10 +78,16 @@ When the
protocols are configured for use, all protocols are included in the system.
To selectively enable/disable protocols, use
.Xr sysctl 8 .
+.Pp
+The packets can be passed to a virtual interface,
+.Dq enc0 ,
+to perform packet filtering before outbound encryption and after decapsulation
+inbound.
.Sh DIAGNOSTICS
To be added.
.Sh SEE ALSO
.Xr crypto 4 ,
+.Xr enc 4 ,
.Xr ipsec 4 ,
.Xr setkey 8 ,
.Xr sysctl 8
Index: sys/conf/files
===================================================================
RCS file: /home/ncvs/src/sys/conf/files,v
retrieving revision 1.1125
diff -u -p -r1.1125 files
--- sys/conf/files 14 Jun 2006 03:03:08 -0000 1.1125
+++ sys/conf/files 16 Jun 2006 21:13:10 -0000
@@ -1459,6 +1459,7 @@ net/if_bridge.c optional if_bridge
net/if_clone.c standard
net/if_disc.c optional disc
net/if_ef.c optional ef
+net/if_enc.c optional enc
net/if_ethersubr.c optional ether
net/if_faith.c optional faith
net/if_fddisubr.c optional fddi
Index: sys/conf/options
===================================================================
RCS file: /home/ncvs/src/sys/conf/options,v
retrieving revision 1.546
diff -u -p -r1.546 options
--- sys/conf/options 13 Jun 2006 13:12:55 -0000 1.546
+++ sys/conf/options 16 Jun 2006 21:24:28 -0000
@@ -340,6 +340,7 @@ BOOTP_NFSROOT opt_bootp.h
BOOTP_NFSV3 opt_bootp.h
BOOTP_WIRED_TO opt_bootp.h
DEVICE_POLLING
+DEV_ENC opt_enc.h
DEV_PF opt_pf.h
DEV_PFLOG opt_pf.h
DEV_PFSYNC opt_pf.h
Index: sys/net/if_enc.c
===================================================================
RCS file: sys/net/if_enc.c
diff -N sys/net/if_enc.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ sys/net/if_enc.c 16 Jun 2006 21:15:45 -0000
@@ -0,0 +1,323 @@
+/*-
+ * Copyright (c) 2006 The FreeBSD Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/module.h>
+#include <machine/bus.h>
+#include <sys/rman.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/sysctl.h>
+
+#include <net/if.h>
+#include <net/if_clone.h>
+#include <net/if_types.h>
+#include <net/pfil.h>
+#include <net/route.h>
+#include <net/netisr.h>
+#include <net/bpf.h>
+#include <net/bpfdesc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip_var.h>
+#include <netinet/in_var.h>
+#include "opt_inet6.h"
+
+#ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet6/ip6_var.h>
+#endif
+
+#include <netipsec/ipsec.h>
+
+#define ENCMTU (1024+512)
+#define ENC_HDRLEN 12
+
+/* XXX this define must have the same value as in OpenBSD */
+#define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */
+#define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
+#define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
+
+struct enchdr {
+ u_int32_t af;
+ u_int32_t spi;
+ u_int32_t flags;
+};
+
+struct ifnet *encif;
+struct mtx enc_mtx;
+
+struct enc_softc {
+ struct ifnet *sc_ifp;
+};
+
+int encioctl(struct ifnet *, u_long, caddr_t);
+int encoutput(struct ifnet *ifp, struct mbuf *m,
+ struct sockaddr *dst, struct rtentry *rt);
+static int enc_clone_create(struct if_clone *, int);
+static void enc_clone_destroy(struct ifnet *);
+
+IFC_SIMPLE_DECLARE(enc, 1);
+
+static void
+enc_clone_destroy(struct ifnet *ifp)
+{
+
+ KASSERT(encif == ifp, ("%s: unknown ifnet", __func__));
+
+ mtx_lock(&enc_mtx);
+ encif = NULL;
+ mtx_unlock(&enc_mtx);
+
+ bpfdetach(ifp);
+ if_detach(ifp);
+ if_free(ifp);
+
+}
+
+static int
+enc_clone_create(struct if_clone *ifc, int unit)
+{
+ struct ifnet *ifp;
+ struct enc_softc *sc;
+
+ mtx_lock(&enc_mtx);
+ if (encif != NULL)
+ return (EBUSY);
+ mtx_unlock(&enc_mtx);
+
+ sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
+ ifp = sc->sc_ifp = if_alloc(IFT_ENC);
+ if (ifp == NULL) {
+ free(sc, M_DEVBUF);
+ return (ENOSPC);
+ }
+
+ if_initname(ifp, ifc->ifc_name, unit);
+ ifp->if_mtu = ENCMTU;
+ ifp->if_ioctl = encioctl;
+ ifp->if_output = encoutput;
+ ifp->if_snd.ifq_maxlen = ifqmaxlen;
+ ifp->if_softc = sc;
+ if_attach(ifp);
+ bpfattach(ifp, DLT_ENC, ENC_HDRLEN);
+
+ mtx_lock(&enc_mtx);
+ encif = ifp;
+ mtx_unlock(&enc_mtx);
+
+ return (0);
+}
+
+static int
+enc_modevent(module_t mod, int type, void *data)
+{
+ switch (type) {
+ case MOD_LOAD:
+ mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
+ if_clone_attach(&enc_cloner);
+ break;
+ case MOD_UNLOAD:
+ printf("enc module unload - not possible for this module\n");
+ return (EINVAL);
+ default:
+ return (EOPNOTSUPP);
+ }
+ return (0);
+}
+
+static moduledata_t enc_mod = {
+ "enc",
+ enc_modevent,
+ 0
+};
+
+DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
+
+int
+encoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+ struct rtentry *rt)
+{
+ m_freem(m);
+ return (0);
+}
+
+/*
+ * Process an ioctl request.
+ */
+/* ARGSUSED */
+int
+encioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+ int error = 0;
+
+ switch (cmd) {
+
+ case SIOCSIFFLAGS:
+ if (ifp->if_flags & IFF_UP)
+ ifp->if_drv_flags |= IFF_DRV_RUNNING;
+ else
+ ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+
+ break;
+
+ default:
+ error = EINVAL;
+ }
+ return (error);
+}
+
+int
+ipsec_filter(struct mbuf **mp, int dir)
+{
+ int error, i;
+ struct ip *ip;
+
+ mtx_lock(&enc_mtx);
+ if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
+ mtx_unlock(&enc_mtx);
+ return (0);
+ }
+
+ /* Skip pfil(9) if no filters are loaded */
+ if (inet_pfil_hook.ph_busy_count < 0
+#ifdef INET6
+ && inet6_pfil_hook.ph_busy_count < 0
+#endif
+ ) {
+ mtx_unlock(&enc_mtx);
+ return (0);
+ }
+
+ i = min((*mp)->m_pkthdr.len, max_protohdr);
+ if ((*mp)->m_len < i) {
+ *mp = m_pullup(*mp, i);
+ if (*mp == NULL) {
+ printf("%s: m_pullup failed\n", __func__);
+ mtx_unlock(&enc_mtx);
+ return (-1);
+ }
+ }
+
+ error = 0;
+ ip = mtod(*mp, struct ip *);
+ switch (ip->ip_v) {
+ case 4:
+ /*
+ * before calling the firewall, swap fields the same as
+ * IP does. here we assume the header is contiguous
+ */
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
+
+ error = pfil_run_hooks(&inet_pfil_hook, mp,
+ encif, dir, NULL);
+
+ if (*mp == NULL || error != 0)
+ break;
+
+ /* restore byte ordering */
+ ip = mtod(*mp, struct ip *);
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
+ break;
+
+#ifdef INET6
+ case 6:
+ error = pfil_run_hooks(&inet6_pfil_hook, mp,
+ encif, dir, NULL);
+ break;
+#endif
+ default:
+ printf("%s: unknown IP version\n", __func__);
+ }
+
+ mtx_unlock(&enc_mtx);
+ if (*mp == NULL)
+ return (error);
+ if (error != 0)
+ goto bad;
+
+ return (error);
+
+bad:
+ mtx_unlock(&enc_mtx);
+ m_freem(*mp);
+ *mp = NULL;
+ return (error);
+}
+
+void
+ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af)
+{
+ int flags;
+ struct enchdr hdr;
+ struct mbuf m1;
+
+ KASSERT(sav != NULL, ("%s: sav is null", __func__));
+
+ mtx_lock(&enc_mtx);
+ if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) {
+ mtx_unlock(&enc_mtx);
+ return;
+ }
+
+ if (encif->if_bpf) {
+ flags = 0;
+ if (sav->alg_enc != SADB_EALG_NONE)
+ flags |= M_CONF;
+ if (sav->alg_auth != SADB_AALG_NONE)
+ flags |= M_AUTH;
+
+ /*
+ * We need to prepend the address family as a four byte
+ * field. Cons up a dummy header to pacify bpf. This
+ * is safe because bpf will only read from the mbuf
+ * (i.e., it won't try to free it or keep a pointer a
+ * to it).
+ */
+ hdr.af = af;
+ hdr.spi = sav->spi;
+ hdr.flags = flags;
+
+ m1.m_flags = 0;
+ m1.m_next = m;
+ m1.m_len = ENC_HDRLEN;
+ m1.m_data = (char *) &hdr;
+
+ bpf_mtap(encif->if_bpf, &m1);
+ }
+ mtx_unlock(&enc_mtx);
+}
Index: sys/net/if_types.h
===================================================================
RCS file: /home/ncvs/src/sys/net/if_types.h,v
retrieving revision 1.21
diff -u -p -r1.21 if_types.h
--- sys/net/if_types.h 10 Jun 2005 16:49:19 -0000 1.21
+++ sys/net/if_types.h 15 Jun 2006 21:38:18 -0000
@@ -246,6 +246,7 @@
#define IFT_GIF 0xf0
#define IFT_PVC 0xf1
#define IFT_FAITH 0xf2
+#define IFT_ENC 0xf4
#define IFT_PFLOG 0xf6
#define IFT_PFSYNC 0xf7
#define IFT_CARP 0xf8 /* Common Address Redundancy Protocol */
Index: sys/netipsec/ipsec.h
===================================================================
RCS file: /home/ncvs/src/sys/netipsec/ipsec.h,v
retrieving revision 1.11
diff -u -p -r1.11 ipsec.h
--- sys/netipsec/ipsec.h 10 Apr 2006 15:04:36 -0000 1.11
+++ sys/netipsec/ipsec.h 16 Jun 2006 21:21:57 -0000
@@ -417,6 +417,8 @@ extern void m_checkalignment(const char*
extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off);
extern caddr_t m_pad(struct mbuf *m, int n);
extern int m_striphdr(struct mbuf *m, int skip, int hlen);
+extern int ipsec_filter(struct mbuf **, int);
+extern void ipsec_bpf(struct mbuf *, struct secasvar *, int);
#endif /* _KERNEL */
#ifndef _KERNEL
Index: sys/netipsec/ipsec_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netipsec/ipsec_input.c,v
retrieving revision 1.11
diff -u -p -r1.11 ipsec_input.c
--- sys/netipsec/ipsec_input.c 4 Jun 2006 19:32:32 -0000 1.11
+++ sys/netipsec/ipsec_input.c 16 Jun 2006 21:21:19 -0000
@@ -43,6 +43,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, s
key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ /*
+ * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+ * packet later after it has been decapsulated.
+ */
+ ipsec_bpf(m, sav, AF_INET);
+
+ if (prot != IPPROTO_IPIP)
+ if ((error = ipsec_filter(&m, 1)) != 0)
+ return (error);
+#endif
+
/*
* Re-dispatch via software interrupt.
*/
Index: sys/netipsec/ipsec_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netipsec/ipsec_output.c,v
retrieving revision 1.11
diff -u -p -r1.11 ipsec_output.c
--- sys/netipsec/ipsec_output.c 2 Nov 2005 13:46:32 -0000 1.11
+++ sys/netipsec/ipsec_output.c 16 Jun 2006 21:21:33 -0000
@@ -32,6 +32,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -358,6 +359,13 @@ ipsec4_process_packet(
goto bad;
sav = isr->sav;
+
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for packet filtering */
+ if ((error = ipsec_filter(&m, 2)) != 0)
+ goto bad;
+#endif
+
if (!tunalready) {
union sockaddr_union *dst = &sav->sah->saidx.dst;
int setdf;
@@ -455,6 +463,11 @@ ipsec4_process_packet(
}
}
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for bpf processing */
+ ipsec_bpf(m, sav, AF_INET);
+#endif
+
/*
* Dispatch to the appropriate IPsec transform logic. The
* packet will be returned for transmission after crypto
Index: sys/netipsec/xform_ipip.c
===================================================================
RCS file: /home/ncvs/src/sys/netipsec/xform_ipip.c,v
retrieving revision 1.12
diff -u -p -r1.12 xform_ipip.c
--- sys/netipsec/xform_ipip.c 30 Mar 2006 18:57:04 -0000 1.12
+++ sys/netipsec/xform_ipip.c 16 Jun 2006 21:21:02 -0000
@@ -41,6 +41,7 @@
*/
#include "opt_inet.h"
#include "opt_inet6.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen,
/* Statistics */
ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for packet filtering */
+ if (ipsec_filter(&m, 1) != 0)
+ return;
+#endif
+
/*
* Interface pointer stays the same; if no IPsec processing has
* been done (or will be done), this will point to a normal
--H+4ONPRPur6+Ovig--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060616222243.GC64552>