netdev.vger.kernel.org archive mirror
* Modifying Cryptography Code
@ 2005-09-06 13:56 Alaa Dalghan
From: Alaa Dalghan @ 2005-09-06 13:56 UTC (permalink / raw)
  To: linux-security-module, linux-crypto, linux-net, netdev

Hello everyone,
I need to modify some CRYPTOGRAPHY code in the Linux kernel to get a specific 
VPN behavior, but I don't know where to start.

The situation is the following:

I have a VPN gateway (Linux kernel 2.6.10 with Openswan 2.3.1 installed). I 
have only installed the userland tools from the Openswan package in order to 
use the native IPsec stack in the kernel.
I have 30 laptops equipped with Windows XP, configured to launch secure 
tunnels towards the VPN gateway (so I have 30 tunnels). The laptops can 
communicate securely VIA the gateway and everything works fine, but...

The problem is the following:

Each packet sent from a given client to another gets processed 4 times 
(encryption at the sender, decryption at the gateway, encryption at the 
gateway, decryption at the receiver). This is the normal behavior, but it 
imposes too much processing overhead on the Linux VPN gateway. The required 
behavior is that the VPN gateway just RELAYS encrypted data (ESP envelopes) 
without decrypting them. This is impossible in the current IPsec 
implementation since "the end of a tunnel HAS ALWAYS to be decrypted".

Note that this required behavior can be achieved by launching a tunnel from 
each client to every other client, making the VPN gateway 
transparent... BUT... this would mean 900 tunnels instead of 30, so it is not 
the answer.

What I am looking for is the portion of the C code in the kernel where the 
decryption function is called to decrypt a received packet. When I find this 
statement, maybe I can make it conditional, such as: if the destination is 
me then decrypt, else DO NOT!

I hope that someone can help me find this portion of the code and 
modify it. By the way, I searched in the kernel file "esp4.c" but can't seem 
to find what I want.


Openswan box ---+------------------------------------------ WinXP(1)
                |
                +------------------------------------------ WinXP(2)
                |
                +------------------------------------------ WinXP(3)
                |
                :
                |
                +------------------------------------------ WinXP(30)




* Re: Modifying Cryptography Code
From: Martijn van Oosterhout @ 2005-09-06 15:24 UTC (permalink / raw)
  To: Alaa Dalghan; +Cc: linux-security-module, linux-crypto, linux-net, netdev


On Tue, Sep 06, 2005 at 01:56:56PM +0000, Alaa Dalghan wrote:
> Hello everyone,
> I need to modify some CRYPTOGRAPHY code in Linux Kernel to get a specific 
> VPN behavior, but I don't know where to start.

<snip>

> Each packet sent from a given client to the other get processed 4 times 
> (encryption at the sender, decryption at the gateway, encryption at the 
> gateway, decryption at the receiver). This is the normal behavior but it 
> imposes too much processing overhead on the linux VPN gateway. The required 
> behavior is that the VPN gateway just RELAYS encrypted data (ESP envelopes) 
> without decrypting them. This is impossible in the current ipsec 
> implementation since"the end of a tunnel HAS ALWAYS to be decrypted".

Umm, if I understand correctly, unless each tunnel is using the same
keys, the decrypt and re-encrypt end up with *different* data. So
just skipping the decrypt won't work; you'll just end up sending
packets which the other end can't read.

If you're using the same keys, perhaps the kernel can see that, I don't
know...

Hope this helps,
-- 
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.



* Re: Modifying Cryptography Code
From: Aidas Kasparas @ 2005-09-06 15:24 UTC (permalink / raw)
  To: Alaa Dalghan; +Cc: linux-security-module, linux-crypto, linux-net, netdev



Alaa Dalghan wrote:
> imposes too much processing overhead on the linux VPN gateway. The
> required behavior is that the VPN gateway just RELAYS encrypted data
> (ESP envelopes) without decrypting them. This is impossible in the
> current ipsec implementation since"the end of a tunnel HAS ALWAYS to be
> decrypted".
> 

That can work only if you set ESP's encryption keys manually
and use the same ones on all 30 of your clients. Also, the SPIs should be the same. I
would not call such a setup secure.

A better way is to put all these clients into a single subnet and configure
them to require transport-mode ESP transformation in that subnet, plus
employ automatic keying and auth by certs. The required subset of these
scary 900 tunnels will then be set up automatically. [Don't ask me how to
configure this setup in Windows -- I don't know.]

> I hope that someone can help me with finding this portion of the code
> and modify it. By the way I searched in the kernel file "esp4.c" but
> can't seem to find what I want.

Check xfrm*.c files, also net/xfrm directory.

-- 
Aidas Kasparas
IT administrator
GM Consult Group, UAB
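As an added illustration (not code from this thread, from Openswan or from the kernel), a Python model of the three options the thread discusses: the 4-operation hub-and-spoke path the original post describes, the blind relay it asks for (which only succeeds with identical keys and SPI, the manual-keying setup Aidas warns against), and the direct transport-mode SA Aidas suggests. ESP is modelled with HMAC-SHA256 as the integrity transform and an HMAC-derived keystream in place of the real cipher; the SPIs, keys, packet layout and sample messages are constructed for the example.

```python
import hashlib, hmac, os, struct

class SA:
    """One unidirectional ESP security association (constructed toy values)."""
    def __init__(self, spi, enc_key=None, auth_key=None):
        self.spi, self.seq = spi, 0
        self.enc_key, self.auth_key = enc_key or os.urandom(32), auth_key or os.urandom(32)

def _keystream(key, spi, seq, n):
    # Stand-in for the ESP cipher: HMAC-derived keystream, unique per (SPI, seq).
    blocks = (hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encrypt(sa, plaintext):
    # Envelope layout: spi | seq | ciphertext | 32-byte HMAC-SHA256 ICV.
    sa.seq += 1
    ks = _keystream(sa.enc_key, sa.spi, sa.seq, len(plaintext))
    body = struct.pack(">II", sa.spi, sa.seq) + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()

def esp_decrypt(sa, packet):
    body, icv = packet[:-32], packet[-32:]
    spi, seq = struct.unpack(">II", body[:8])
    # SPI lookup and ICV check fail whenever the receiving SA's keys or SPI differ.
    if spi != sa.spi or not hmac.compare_digest(
            hmac.new(sa.auth_key, body, hashlib.sha256).digest(), icv):
        return None  # dropped, as a real SA would drop it
    ks = _keystream(sa.enc_key, spi, seq, len(body) - 8)
    return bytes(a ^ b for a, b in zip(body[8:], ks))

def hub_and_spoke(msg):
    """The thread's current topology: decrypt and re-encrypt at the gateway (4 ops)."""
    c1_gw, gw_c2 = SA(0x1001), SA(0x2002)
    inner = esp_decrypt(c1_gw, esp_encrypt(c1_gw, msg))
    return esp_decrypt(gw_c2, esp_encrypt(gw_c2, inner)), 4

def blind_relay(msg, shared_keys=False):
    """Forward the envelope untouched: only works with identical keys *and* SPI."""
    if shared_keys:  # the manual-keying setup Aidas says he would not call secure
        k_enc, k_auth = os.urandom(32), os.urandom(32)
        c1_gw, gw_c2 = SA(0x1001, k_enc, k_auth), SA(0x1001, k_enc, k_auth)
    else:
        c1_gw, gw_c2 = SA(0x1001), SA(0x2002)
    return esp_decrypt(gw_c2, esp_encrypt(c1_gw, msg)), 2

def transport_mode_peer(msg):
    """Aidas' alternative: a direct client-to-client SA, 2 ops and nothing to relay."""
    c1_c2 = SA(0x3003)
    return esp_decrypt(c1_c2, esp_encrypt(c1_c2, msg)), 2
```

Each scenario returns the plaintext the receiver recovers (or None when its SA rejects the packet) together with the number of crypto operations the path costs.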

