162 lines
		
	
	
		
			3.2 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			162 lines
		
	
	
		
			3.2 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0
 | |
| /* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
 | |
| 
 | |
| #include "vmlinux.h"
 | |
| #include "bpf_tracing_net.h"
 | |
| #include <bpf/bpf_helpers.h>
 | |
| #include <bpf/bpf_endian.h>
 | |
| #include <bpf/bpf_tracing.h>
 | |
| #include "bpf_misc.h"
 | |
| #include "bpf_kfuncs.h"
 | |
| #include "crypto_common.h"
 | |
| 
 | |
| unsigned char key[256] = {};
 | |
| u16 udp_test_port = 7777;
 | |
| u32 authsize, key_len;
 | |
| char algo[128] = {};
 | |
| char dst[16] = {};
 | |
| int status;
 | |
| 
 | |
| static int skb_dynptr_validate(struct __sk_buff *skb, struct bpf_dynptr *psrc)
 | |
| {
 | |
| 	struct ipv6hdr ip6h;
 | |
| 	struct udphdr udph;
 | |
| 	u32 offset;
 | |
| 
 | |
| 	if (skb->protocol != __bpf_constant_htons(ETH_P_IPV6))
 | |
| 		return -1;
 | |
| 
 | |
| 	if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip6h, sizeof(ip6h)))
 | |
| 		return -1;
 | |
| 
 | |
| 	if (ip6h.nexthdr != IPPROTO_UDP)
 | |
| 		return -1;
 | |
| 
 | |
| 	if (bpf_skb_load_bytes(skb, ETH_HLEN + sizeof(ip6h), &udph, sizeof(udph)))
 | |
| 		return -1;
 | |
| 
 | |
| 	if (udph.dest != __bpf_htons(udp_test_port))
 | |
| 		return -1;
 | |
| 
 | |
| 	offset = ETH_HLEN + sizeof(ip6h) + sizeof(udph);
 | |
| 	if (skb->len < offset + 16)
 | |
| 		return -1;
 | |
| 
 | |
| 	/* let's make sure that 16 bytes of payload are in the linear part of skb */
 | |
| 	bpf_skb_pull_data(skb, offset + 16);
 | |
| 	bpf_dynptr_from_skb(skb, 0, psrc);
 | |
| 	bpf_dynptr_adjust(psrc, offset, offset + 16);
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| SEC("syscall")
 | |
| int skb_crypto_setup(void *ctx)
 | |
| {
 | |
| 	struct bpf_crypto_params params = {
 | |
| 		.type = "skcipher",
 | |
| 		.key_len = key_len,
 | |
| 		.authsize = authsize,
 | |
| 	};
 | |
| 	struct bpf_crypto_ctx *cctx;
 | |
| 	int err = 0;
 | |
| 
 | |
| 	status = 0;
 | |
| 
 | |
| 	if (key_len > 256) {
 | |
| 		status = -EINVAL;
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	__builtin_memcpy(¶ms.algo, algo, sizeof(algo));
 | |
| 	__builtin_memcpy(¶ms.key, key, sizeof(key));
 | |
| 	cctx = bpf_crypto_ctx_create(¶ms, sizeof(params), &err);
 | |
| 
 | |
| 	if (!cctx) {
 | |
| 		status = err;
 | |
| 		return 0;
 | |
| 	}
 | |
| 
 | |
| 	err = crypto_ctx_insert(cctx);
 | |
| 	if (err && err != -EEXIST)
 | |
| 		status = err;
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| SEC("tc")
 | |
| int decrypt_sanity(struct __sk_buff *skb)
 | |
| {
 | |
| 	struct __crypto_ctx_value *v;
 | |
| 	struct bpf_crypto_ctx *ctx;
 | |
| 	struct bpf_dynptr psrc, pdst;
 | |
| 	int err;
 | |
| 
 | |
| 	err = skb_dynptr_validate(skb, &psrc);
 | |
| 	if (err < 0) {
 | |
| 		status = err;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	v = crypto_ctx_value_lookup();
 | |
| 	if (!v) {
 | |
| 		status = -ENOENT;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	ctx = v->ctx;
 | |
| 	if (!ctx) {
 | |
| 		status = -ENOENT;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	/* dst is a global variable to make testing part easier to check. In real
 | |
| 	 * production code, a percpu map should be used to store the result.
 | |
| 	 */
 | |
| 	bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
 | |
| 
 | |
| 	status = bpf_crypto_decrypt(ctx, &psrc, &pdst, NULL);
 | |
| 
 | |
| 	return TC_ACT_SHOT;
 | |
| }
 | |
| 
 | |
| SEC("tc")
 | |
| int encrypt_sanity(struct __sk_buff *skb)
 | |
| {
 | |
| 	struct __crypto_ctx_value *v;
 | |
| 	struct bpf_crypto_ctx *ctx;
 | |
| 	struct bpf_dynptr psrc, pdst;
 | |
| 	int err;
 | |
| 
 | |
| 	status = 0;
 | |
| 
 | |
| 	err = skb_dynptr_validate(skb, &psrc);
 | |
| 	if (err < 0) {
 | |
| 		status = err;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	v = crypto_ctx_value_lookup();
 | |
| 	if (!v) {
 | |
| 		status = -ENOENT;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	ctx = v->ctx;
 | |
| 	if (!ctx) {
 | |
| 		status = -ENOENT;
 | |
| 		return TC_ACT_SHOT;
 | |
| 	}
 | |
| 
 | |
| 	/* dst is a global variable to make testing part easier to check. In real
 | |
| 	 * production code, a percpu map should be used to store the result.
 | |
| 	 */
 | |
| 	bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
 | |
| 
 | |
| 	status = bpf_crypto_encrypt(ctx, &psrc, &pdst, NULL);
 | |
| 
 | |
| 	return TC_ACT_SHOT;
 | |
| }
 | |
| 
 | |
| char __license[] SEC("license") = "GPL";
 |