Date: Sat, 17 Jun 2006 10:22:43 +1200 From: Andrew Thompson <thompsa@freebsd.org> To: Max Laier <max@love2party.net> Cc: freebsd-net@freebsd.org, freebsd-arch@freebsd.org, Scott Ullrich <sullrich@gmail.com> Subject: Re: enc0 patch for ipsec Message-ID: <20060616222243.GC64552@heff.fud.org.nz> In-Reply-To: <200606161814.19336.max@love2party.net> References: <20060615225312.GB64552@heff.fud.org.nz> <200606161805.06651.max@love2party.net> <d5992baf0606160909q66df7c05wf0cd133196339f03@mail.gmail.com> <200606161814.19336.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--H+4ONPRPur6+Ovig Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Jun 16, 2006 at 06:14:12PM +0200, Max Laier wrote: > On Friday 16 June 2006 18:09, Scott Ullrich wrote: > > On 6/16/06, Max Laier <max@love2party.net> wrote: > > > The issue is, if an attacker manages to get root on your box they are > > > automatically able to read your IPSEC traffic ending at that box. If you > > > don't have enc(4) compiled in, that would be more difficult to do. Same > > > reason you don't want SADB_FLUSH on by default. > > > > Okay, this makes sense. But couldn't you also argue that if someone > > gets access to the machine they could also use tcpdump to do the same > > thing technically on the internal interface? Just playing devils > > advocate.. :) > > Think tunnel2tunnel or an SA for a local connection, then. Given, if you are > root you *might* have other means to obtain that information, but that is why > we have a switch to turn off bpf, kmem or the like. While the encryption keys are just a setkey -D away, I can see the reason for seperating it out. I have attached another patch with the changes made. Andrew --H+4ONPRPur6+Ovig Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ipsec_enc.diff" Index: share/man/man4/enc.4 =================================================================== RCS file: share/man/man4/enc.4 diff -N share/man/man4/enc.4 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ share/man/man4/enc.4 16 Jun 2006 22:04:25 -0000 @@ -0,0 +1,82 @@ +.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $ +.\" +.\" Copyright (c) 1999 Angelos D. Keromytis +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Angelos D. Keromytis. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 16, 2006 +.Dt ENC 4 +.Os +.Sh NAME +.Nm enc +.Nd Encapsulating Interface +.Sh SYNOPSIS +.Cd "device enc" +.Sh DESCRIPTION +The +.Nm +interface is a software loopback mechanism that allows hosts or +firewalls to filter +.Xr fast_ipsec 4 +traffic using any firewall package that hooks in via the +.Xr pfil 9 +framework. +.Pp +The +.Nm +interface allows an administrator +to see outgoing packets before they have been processed by +.Xr fast_ipsec 4 , +or incoming packets after they have been similarly processed, via +.Xr tcpdump 8 . +.Pp +The +.Dq enc0 +interface inherits all IPsec traffic. +Thus all IPsec traffic can be filtered based on +.Dq enc0 , +and all IPsec traffic could be seen by invoking +.Xr tcpdump 8 +on the +.Dq enc0 +interface. +.Sh EXAMPLES +To see all outgoing packets before they have been processed via +.Xr fast_ipsec 4 , +or all incoming packets after they have been similarly processed: +.Pp +.Dl # tcpdump -i enc0 +.Sh SEE ALSO +.Xr bpf 4 , +.Xr fast_ipsec 4 , +.Xr ipf 4 , +.Xr ipfw 4 , +.Xr pf 4 , +.Xr tcpdump 8 Index: share/man/man4/fast_ipsec.4 =================================================================== RCS file: /home/ncvs/src/share/man/man4/fast_ipsec.4,v retrieving revision 1.3 diff -u -p -r1.3 fast_ipsec.4 --- share/man/man4/fast_ipsec.4 21 Jan 2005 08:36:37 -0000 1.3 +++ share/man/man4/fast_ipsec.4 15 Jun 2006 22:32:58 -0000 @@ -78,10 +78,16 @@ When the protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use .Xr sysctl 8 . +.Pp +The packets can be passed to a virtual interface, +.Dq enc0 , +to perform packet filtering before outbound encryption and after decapsulation +inbound. .Sh DIAGNOSTICS To be added. .Sh SEE ALSO .Xr crypto 4 , +.Xr enc 4 , .Xr ipsec 4 , .Xr setkey 8 , .Xr sysctl 8 Index: sys/conf/files =================================================================== RCS file: /home/ncvs/src/sys/conf/files,v retrieving revision 1.1125 diff -u -p -r1.1125 files --- sys/conf/files 14 Jun 2006 03:03:08 -0000 1.1125 +++ sys/conf/files 16 Jun 2006 21:13:10 -0000 @@ -1459,6 +1459,7 @@ net/if_bridge.c optional if_bridge net/if_clone.c standard net/if_disc.c optional disc net/if_ef.c optional ef +net/if_enc.c optional enc net/if_ethersubr.c optional ether net/if_faith.c optional faith net/if_fddisubr.c optional fddi Index: sys/conf/options =================================================================== RCS file: /home/ncvs/src/sys/conf/options,v retrieving revision 1.546 diff -u -p -r1.546 options --- sys/conf/options 13 Jun 2006 13:12:55 -0000 1.546 +++ sys/conf/options 16 Jun 2006 21:24:28 -0000 @@ -340,6 +340,7 @@ BOOTP_NFSROOT opt_bootp.h BOOTP_NFSV3 opt_bootp.h BOOTP_WIRED_TO opt_bootp.h DEVICE_POLLING +DEV_ENC opt_enc.h DEV_PF opt_pf.h DEV_PFLOG opt_pf.h DEV_PFSYNC opt_pf.h Index: sys/net/if_enc.c =================================================================== RCS file: sys/net/if_enc.c diff -N sys/net/if_enc.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/net/if_enc.c 16 Jun 2006 21:15:45 -0000 @@ -0,0 +1,323 @@ +/*- + * Copyright (c) 2006 The FreeBSD Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/param.h> +#include <sys/systm.h> +#include <sys/kernel.h> +#include <sys/malloc.h> +#include <sys/mbuf.h> +#include <sys/module.h> +#include <machine/bus.h> +#include <sys/rman.h> +#include <sys/socket.h> +#include <sys/sockio.h> +#include <sys/sysctl.h> + +#include <net/if.h> +#include <net/if_clone.h> +#include <net/if_types.h> +#include <net/pfil.h> +#include <net/route.h> +#include <net/netisr.h> +#include <net/bpf.h> +#include <net/bpfdesc.h> + +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/ip_var.h> +#include <netinet/in_var.h> +#include "opt_inet6.h" + +#ifdef INET6 +#include <netinet/ip6.h> +#include <netinet6/ip6_var.h> +#endif + +#include <netipsec/ipsec.h> + +#define ENCMTU (1024+512) +#define ENC_HDRLEN 12 + +/* XXX this define must have the same value as in OpenBSD */ +#define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */ +#define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */ +#define M_AUTH_AH 0x2000 /* header was authenticated (AH) */ + +struct enchdr { + u_int32_t af; + u_int32_t spi; + u_int32_t flags; +}; + +struct ifnet *encif; +struct mtx enc_mtx; + +struct enc_softc { + struct ifnet *sc_ifp; +}; + +int encioctl(struct ifnet *, u_long, caddr_t); +int encoutput(struct ifnet *ifp, struct mbuf *m, + struct sockaddr *dst, struct rtentry *rt); +static int enc_clone_create(struct if_clone *, int); +static void enc_clone_destroy(struct ifnet *); + +IFC_SIMPLE_DECLARE(enc, 1); + +static void +enc_clone_destroy(struct ifnet *ifp) +{ + + KASSERT(encif == ifp, ("%s: unknown ifnet", __func__)); + + mtx_lock(&enc_mtx); + encif = NULL; + mtx_unlock(&enc_mtx); + + bpfdetach(ifp); + if_detach(ifp); + if_free(ifp); + +} + +static int +enc_clone_create(struct if_clone *ifc, int unit) +{ + struct ifnet *ifp; + struct enc_softc *sc; + + mtx_lock(&enc_mtx); + if (encif != NULL) + return (EBUSY); + mtx_unlock(&enc_mtx); + + sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); + ifp = sc->sc_ifp = if_alloc(IFT_ENC); + if (ifp == NULL) { + free(sc, M_DEVBUF); + return (ENOSPC); + } + + if_initname(ifp, ifc->ifc_name, unit); + ifp->if_mtu = ENCMTU; + ifp->if_ioctl = encioctl; + ifp->if_output = encoutput; + ifp->if_snd.ifq_maxlen = ifqmaxlen; + ifp->if_softc = sc; + if_attach(ifp); + bpfattach(ifp, DLT_ENC, ENC_HDRLEN); + + mtx_lock(&enc_mtx); + encif = ifp; + mtx_unlock(&enc_mtx); + + return (0); +} + +static int +enc_modevent(module_t mod, int type, void *data) +{ + switch (type) { + case MOD_LOAD: + mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF); + if_clone_attach(&enc_cloner); + break; + case MOD_UNLOAD: + printf("enc module unload - not possible for this module\n"); + return (EINVAL); + default: + return (EOPNOTSUPP); + } + return (0); +} + +static moduledata_t enc_mod = { + "enc", + enc_modevent, + 0 +}; + +DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); + +int +encoutput(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt) +{ + m_freem(m); + return (0); +} + +/* + * Process an ioctl request. + */ +/* ARGSUSED */ +int +encioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + int error = 0; + + switch (cmd) { + + case SIOCSIFFLAGS: + if (ifp->if_flags & IFF_UP) + ifp->if_drv_flags |= IFF_DRV_RUNNING; + else + ifp->if_drv_flags &= ~IFF_DRV_RUNNING; + + break; + + default: + error = EINVAL; + } + return (error); +} + +int +ipsec_filter(struct mbuf **mp, int dir) +{ + int error, i; + struct ip *ip; + + mtx_lock(&enc_mtx); + if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) { + mtx_unlock(&enc_mtx); + return (0); + } + + /* Skip pfil(9) if no filters are loaded */ + if (inet_pfil_hook.ph_busy_count < 0 +#ifdef INET6 + && inet6_pfil_hook.ph_busy_count < 0 +#endif + ) { + mtx_unlock(&enc_mtx); + return (0); + } + + i = min((*mp)->m_pkthdr.len, max_protohdr); + if ((*mp)->m_len < i) { + *mp = m_pullup(*mp, i); + if (*mp == NULL) { + printf("%s: m_pullup failed\n", __func__); + mtx_unlock(&enc_mtx); + return (-1); + } + } + + error = 0; + ip = mtod(*mp, struct ip *); + switch (ip->ip_v) { + case 4: + /* + * before calling the firewall, swap fields the same as + * IP does. here we assume the header is contiguous + */ + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + + error = pfil_run_hooks(&inet_pfil_hook, mp, + encif, dir, NULL); + + if (*mp == NULL || error != 0) + break; + + /* restore byte ordering */ + ip = mtod(*mp, struct ip *); + ip->ip_len = htons(ip->ip_len); + ip->ip_off = htons(ip->ip_off); + break; + +#ifdef INET6 + case 6: + error = pfil_run_hooks(&inet6_pfil_hook, mp, + encif, dir, NULL); + break; +#endif + default: + printf("%s: unknown IP version\n", __func__); + } + + mtx_unlock(&enc_mtx); + if (*mp == NULL) + return (error); + if (error != 0) + goto bad; + + return (error); + +bad: + mtx_unlock(&enc_mtx); + m_freem(*mp); + *mp = NULL; + return (error); +} + +void +ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af) +{ + int flags; + struct enchdr hdr; + struct mbuf m1; + + KASSERT(sav != NULL, ("%s: sav is null", __func__)); + + mtx_lock(&enc_mtx); + if (encif == NULL || (encif->if_drv_flags & IFF_DRV_RUNNING) == 0) { + mtx_unlock(&enc_mtx); + return; + } + + if (encif->if_bpf) { + flags = 0; + if (sav->alg_enc != SADB_EALG_NONE) + flags |= M_CONF; + if (sav->alg_auth != SADB_AALG_NONE) + flags |= M_AUTH; + + /* + * We need to prepend the address family as a four byte + * field. Cons up a dummy header to pacify bpf. This + * is safe because bpf will only read from the mbuf + * (i.e., it won't try to free it or keep a pointer a + * to it). + */ + hdr.af = af; + hdr.spi = sav->spi; + hdr.flags = flags; + + m1.m_flags = 0; + m1.m_next = m; + m1.m_len = ENC_HDRLEN; + m1.m_data = (char *) &hdr; + + bpf_mtap(encif->if_bpf, &m1); + } + mtx_unlock(&enc_mtx); +} Index: sys/net/if_types.h =================================================================== RCS file: /home/ncvs/src/sys/net/if_types.h,v retrieving revision 1.21 diff -u -p -r1.21 if_types.h --- sys/net/if_types.h 10 Jun 2005 16:49:19 -0000 1.21 +++ sys/net/if_types.h 15 Jun 2006 21:38:18 -0000 @@ -246,6 +246,7 @@ #define IFT_GIF 0xf0 #define IFT_PVC 0xf1 #define IFT_FAITH 0xf2 +#define IFT_ENC 0xf4 #define IFT_PFLOG 0xf6 #define IFT_PFSYNC 0xf7 #define IFT_CARP 0xf8 /* Common Address Redundancy Protocol */ Index: sys/netipsec/ipsec.h =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec.h,v retrieving revision 1.11 diff -u -p -r1.11 ipsec.h --- sys/netipsec/ipsec.h 10 Apr 2006 15:04:36 -0000 1.11 +++ sys/netipsec/ipsec.h 16 Jun 2006 21:21:57 -0000 @@ -417,6 +417,8 @@ extern void m_checkalignment(const char* extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off); extern caddr_t m_pad(struct mbuf *m, int n); extern int m_striphdr(struct mbuf *m, int skip, int hlen); +extern int ipsec_filter(struct mbuf **, int); +extern void ipsec_bpf(struct mbuf *, struct secasvar *, int); #endif /* _KERNEL */ #ifndef _KERNEL Index: sys/netipsec/ipsec_input.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec_input.c,v retrieving revision 1.11 diff -u -p -r1.11 ipsec_input.c --- sys/netipsec/ipsec_input.c 4 Jun 2006 19:32:32 -0000 1.11 +++ sys/netipsec/ipsec_input.c 16 Jun 2006 21:21:19 -0000 @@ -43,6 +43,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_enc.h" #include <sys/param.h> #include <sys/systm.h> @@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, s key_sa_recordxfer(sav, m); /* record data transfer */ +#ifdef DEV_ENC + /* + * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP + * packet later after it has been decapsulated. + */ + ipsec_bpf(m, sav, AF_INET); + + if (prot != IPPROTO_IPIP) + if ((error = ipsec_filter(&m, 1)) != 0) + return (error); +#endif + /* * Re-dispatch via software interrupt. */ Index: sys/netipsec/ipsec_output.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec_output.c,v retrieving revision 1.11 diff -u -p -r1.11 ipsec_output.c --- sys/netipsec/ipsec_output.c 2 Nov 2005 13:46:32 -0000 1.11 +++ sys/netipsec/ipsec_output.c 16 Jun 2006 21:21:33 -0000 @@ -32,6 +32,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_enc.h" #include <sys/param.h> #include <sys/systm.h> @@ -358,6 +359,13 @@ ipsec4_process_packet( goto bad; sav = isr->sav; + +#ifdef DEV_ENC + /* pass the mbuf to enc0 for packet filtering */ + if ((error = ipsec_filter(&m, 2)) != 0) + goto bad; +#endif + if (!tunalready) { union sockaddr_union *dst = &sav->sah->saidx.dst; int setdf; @@ -455,6 +463,11 @@ ipsec4_process_packet( } } +#ifdef DEV_ENC + /* pass the mbuf to enc0 for bpf processing */ + ipsec_bpf(m, sav, AF_INET); +#endif + /* * Dispatch to the appropriate IPsec transform logic. The * packet will be returned for transmission after crypto Index: sys/netipsec/xform_ipip.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/xform_ipip.c,v retrieving revision 1.12 diff -u -p -r1.12 xform_ipip.c --- sys/netipsec/xform_ipip.c 30 Mar 2006 18:57:04 -0000 1.12 +++ sys/netipsec/xform_ipip.c 16 Jun 2006 21:21:02 -0000 @@ -41,6 +41,7 @@ */ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_enc.h" #include <sys/param.h> #include <sys/systm.h> @@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen, /* Statistics */ ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; +#ifdef DEV_ENC + /* pass the mbuf to enc0 for packet filtering */ + if (ipsec_filter(&m, 1) != 0) + return; +#endif + /* * Interface pointer stays the same; if no IPsec processing has * been done (or will be done), this will point to a normal --H+4ONPRPur6+Ovig--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060616222243.GC64552>