/**
 * @file
 *
 * @date Jun 19, 2014
 * @author: Anton Bondarev
 */
#include <stdint.h>
#include <kernel/task/resource/idesc.h>
#include <net/sock.h>
#include <net/l3/ipv4/ip.h>
#include <security/security.h>

#include <net/skbuff.h>

/**
 * Size in bytes of the IPv4 header that packets sent on @a sock will carry.
 *
 * @param sock socket whose security label decides whether the RFC 791
 *             security option is emitted
 * @return IP_MIN_HEADER_SIZE, plus 12 bytes when a label is available
 *         (the 11-byte security option plus one pad byte, as written by
 *         ip_header_make_secure())
 */
int ip_header_size(struct sock *sock) {
	char label[32];
	/* Only the presence of a label matters here; its contents are unused. */
	int has_label = security_sock_label(sock, label, sizeof(label)) >= 0;

	return has_label ? IP_MIN_HEADER_SIZE + 12 : IP_MIN_HEADER_SIZE;
}

/**
 * Map a SMAC security label to the 16-bit level carried in the IPv4
 * security option.
 *
 * @param label NUL-terminated label string; must not be NULL
 * @return the level in network byte order (htons()); an unknown label,
 *         including an empty string, maps to the "unclassified" level
 *
 * NOTE(review): the result is already htons()'d, whereas
 * smac_secure_level_to_label() compares against host-order literals
 * (0x8000 ...), so the two do not round-trip on little-endian hosts —
 * confirm which byte order callers expect.
 */
uint16_t smac_label_to_secure_level(const char *label) {
	static const struct {
		const char *name;
		uint16_t level; /* host order; converted on return */
	} levels[] = {
		{ "secret",         0x8000 },
		{ "confidentially", 0x4000 },
		{ "service",        0x2000 },
		{ "unclassified",   0x1000 },
	};
	const uint16_t fallback = 0x1000; /* identical to "unclassified" */

	for (size_t i = 0; i < sizeof(levels) / sizeof(levels[0]); i++) {
		/* Exact match only: "secretive" must not match "secret". */
		if (strcmp(label, levels[i].name) == 0) {
			return htons(levels[i].level);
		}
	}

	return htons(fallback);
}

/**
 * Name the SMAC label for a security level.
 *
 * @param level level compared against the host-order literals 0x8000,
 *              0x4000, 0x2000 and 0x1000; a value still in network byte
 *              order will not match on little-endian hosts
 * @return a string literal (never NULL); every unrecognised level,
 *         like 0x1000 itself, yields "unclassified"
 */
const char *smac_secure_level_to_label(uint16_t level) {
	if (level == 0x8000) {
		return "secret";
	}
	if (level == 0x4000) {
		return "confidentially";
	}
	if (level == 0x2000) {
		return "service";
	}
	/* 0x1000 and every other value share the same answer. */
	return "unclassified";
}

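/**
 * Append an RFC 791 Security option (type 130, length 11) plus one pad byte
 * to the IPv4 header of @a skb, carrying the socket's SMAC level.
 *
 * The label is resolved and the header room is checked before anything is
 * written, so a failure leaves the packet untouched.
 *
 * @param sock socket whose security label supplies the level
 * @param skb  packet whose IPv4 header (skb->nh.iph) is extended; the caller
 *             must have reserved the 12 option bytes after the current header
 *             (see ip_header_size()) — this function cannot verify that
 * @return 0 on success; -1 when the socket has no label or the option would
 *         push IHL past the 15-word maximum
 */
int ip_header_make_secure(struct sock *sock, struct sk_buff *skb) {
	enum {
		SEC_OPT_TYPE = 0x80 | 0x00 | 0x02, /* copy | class = 0 | number = 2 */
		SEC_OPT_LEN = 11,                  /* length = 11 = b00001011 */
		SEC_OPT_RESERVED = 12,             /* option rounded up to 32-bit words */
		IP_MAX_IHL = 15,                   /* IHL is a 4-bit count of words */
	};
	uint8_t *options;
	char label[32];
	uint16_t level;

	if (0 > security_sock_label(sock, label, sizeof(label))) {
		return -1;
	}
	/* smac_label_to_secure_level() returns htons()'d data; bring it back to
	 * host order so the manual big-endian serialisation below yields the same
	 * wire bytes on every host (the old code double-swapped on little-endian).
	 * NOTE(review): peers running the old encoding will see different bytes. */
	level = ntohs(smac_label_to_secure_level(label));

	/* 12 more bytes must still fit in the 60-byte maximum IPv4 header. */
	if (skb->nh.iph->ihl > IP_MAX_IHL - SEC_OPT_RESERVED / 4) {
		return -1;
	}

	options = (uint8_t *)skb->nh.iph + skb->nh.iph->ihl * 4;
	options[0] = SEC_OPT_TYPE;
	options[1] = SEC_OPT_LEN;

	/* Security. 16 bits, big-endian.
	 * Specifies one of 16 levels of security.
	 */
	options[2] = (uint8_t)(level >> 8);
	options[3] = (uint8_t)(level & 0x00FF);

	/* Compartments. 16 bits.
	 * An all zero value is used when the information transmitted is not
	 * compartmented. Other values for the compartments field may be obtained
	 * from the Defense Intelligence Agency.
	 */
	options[4] = 0;
	options[5] = 0;

	/* Handling restrictions. 16 bits.
	 * The values for the control and release markings are alphanumeric digraphs
	 * and are defined in the Defense Intelligence Agency Manual DIAM 65-19,
	 * "Standard Security Markings".
	 */
	options[6] = 0;
	options[7] = 0;

	/* Transmission Control Code. 24 bits.
	 * Provides a means to segregate traffic and define controlled communities of
	 * interest among subscribers. The TCC values are trigraphs, and are available
	 * from HQ DCA Code 530.
	 */
	options[8] = 0;
	options[9] = 0;
	options[10] = 0;

	/* Pad the 11-byte option to a word boundary with End-of-Option-List. */
	options[11] = 0;

	skb->nh.iph->ihl += SEC_OPT_RESERVED / 4;

	return 0;
}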

/**
 * Security level of a socket, derived from its SMAC label.
 *
 * @param sk socket to query
 * @return smac_label_to_secure_level() of the socket's label, i.e. a
 *         network-order level; 0 when the socket has no label (0 is not a
 *         value that mapping can otherwise produce)
 */
uint16_t sock_get_secure_level(struct sock *sk) {
	char label[32];
	int rc = security_sock_label(sk, label, sizeof(label));

	if (rc < 0) {
		return 0;
	}

	return smac_label_to_secure_level(label);
}

