1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
3
4 #include "vmlinux.h"
5 #include "bpf_tracing_net.h"
6 #include <bpf/bpf_helpers.h>
7 #include <bpf/bpf_endian.h>
8 #include <bpf/bpf_tracing.h>
9 #include "bpf_misc.h"
10 #include "bpf_kfuncs.h"
11 #include "crypto_common.h"
12
13 unsigned char key[256] = {};
14 u16 udp_test_port = 7777;
15 u32 authsize, key_len;
16 char algo[128] = {};
17 char dst[16] = {};
18 int status;
19
skb_dynptr_validate(struct __sk_buff * skb,struct bpf_dynptr * psrc)20 static int skb_dynptr_validate(struct __sk_buff *skb, struct bpf_dynptr *psrc)
21 {
22 struct ipv6hdr ip6h;
23 struct udphdr udph;
24 u32 offset;
25
26 if (skb->protocol != __bpf_constant_htons(ETH_P_IPV6))
27 return -1;
28
29 if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip6h, sizeof(ip6h)))
30 return -1;
31
32 if (ip6h.nexthdr != IPPROTO_UDP)
33 return -1;
34
35 if (bpf_skb_load_bytes(skb, ETH_HLEN + sizeof(ip6h), &udph, sizeof(udph)))
36 return -1;
37
38 if (udph.dest != __bpf_htons(udp_test_port))
39 return -1;
40
41 offset = ETH_HLEN + sizeof(ip6h) + sizeof(udph);
42 if (skb->len < offset + 16)
43 return -1;
44
45 /* let's make sure that 16 bytes of payload are in the linear part of skb */
46 bpf_skb_pull_data(skb, offset + 16);
47 bpf_dynptr_from_skb(skb, 0, psrc);
48 bpf_dynptr_adjust(psrc, offset, offset + 16);
49
50 return 0;
51 }
52
53 SEC("syscall")
skb_crypto_setup(void * ctx)54 int skb_crypto_setup(void *ctx)
55 {
56 struct bpf_crypto_params params = {
57 .type = "skcipher",
58 .key_len = key_len,
59 .authsize = authsize,
60 };
61 struct bpf_crypto_ctx *cctx;
62 int err = 0;
63
64 status = 0;
65
66 if (key_len > 256) {
67 status = -EINVAL;
68 return 0;
69 }
70
71 __builtin_memcpy(¶ms.algo, algo, sizeof(algo));
72 __builtin_memcpy(¶ms.key, key, sizeof(key));
73 cctx = bpf_crypto_ctx_create(¶ms, sizeof(params), &err);
74
75 if (!cctx) {
76 status = err;
77 return 0;
78 }
79
80 err = crypto_ctx_insert(cctx);
81 if (err && err != -EEXIST)
82 status = err;
83
84 return 0;
85 }
86
87 SEC("tc")
decrypt_sanity(struct __sk_buff * skb)88 int decrypt_sanity(struct __sk_buff *skb)
89 {
90 struct __crypto_ctx_value *v;
91 struct bpf_crypto_ctx *ctx;
92 struct bpf_dynptr psrc, pdst;
93 int err;
94
95 err = skb_dynptr_validate(skb, &psrc);
96 if (err < 0) {
97 status = err;
98 return TC_ACT_SHOT;
99 }
100
101 v = crypto_ctx_value_lookup();
102 if (!v) {
103 status = -ENOENT;
104 return TC_ACT_SHOT;
105 }
106
107 ctx = v->ctx;
108 if (!ctx) {
109 status = -ENOENT;
110 return TC_ACT_SHOT;
111 }
112
113 /* dst is a global variable to make testing part easier to check. In real
114 * production code, a percpu map should be used to store the result.
115 */
116 bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
117
118 status = bpf_crypto_decrypt(ctx, &psrc, &pdst, NULL);
119
120 return TC_ACT_SHOT;
121 }
122
123 SEC("tc")
encrypt_sanity(struct __sk_buff * skb)124 int encrypt_sanity(struct __sk_buff *skb)
125 {
126 struct __crypto_ctx_value *v;
127 struct bpf_crypto_ctx *ctx;
128 struct bpf_dynptr psrc, pdst;
129 int err;
130
131 status = 0;
132
133 err = skb_dynptr_validate(skb, &psrc);
134 if (err < 0) {
135 status = err;
136 return TC_ACT_SHOT;
137 }
138
139 v = crypto_ctx_value_lookup();
140 if (!v) {
141 status = -ENOENT;
142 return TC_ACT_SHOT;
143 }
144
145 ctx = v->ctx;
146 if (!ctx) {
147 status = -ENOENT;
148 return TC_ACT_SHOT;
149 }
150
151 /* dst is a global variable to make testing part easier to check. In real
152 * production code, a percpu map should be used to store the result.
153 */
154 bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
155
156 status = bpf_crypto_encrypt(ctx, &psrc, &pdst, NULL);
157
158 return TC_ACT_SHOT;
159 }
160
161 char __license[] SEC("license") = "GPL";
162