1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */ 3 4 #include <sys/types.h> 5 #include <sys/socket.h> 6 #include <net/if.h> 7 #include <linux/if_alg.h> 8 9 #include "test_progs.h" 10 #include "network_helpers.h" 11 #include "crypto_sanity.skel.h" 12 #include "crypto_basic.skel.h" 13 14 #define NS_TEST "crypto_sanity_ns" 15 #define IPV6_IFACE_ADDR "face::1" 16 static const unsigned char crypto_key[] = "testtest12345678"; 17 static const char plain_text[] = "stringtoencrypt0"; 18 static int opfd = -1, tfmfd = -1; 19 static const char algo[] = "ecb(aes)"; 20 static int init_afalg(void) 21 { 22 struct sockaddr_alg sa = { 23 .salg_family = AF_ALG, 24 .salg_type = "skcipher", 25 .salg_name = "ecb(aes)" 26 }; 27 28 tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0); 29 if (tfmfd == -1) 30 return errno; 31 if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) == -1) 32 return errno; 33 if (setsockopt(tfmfd, SOL_ALG, ALG_SET_KEY, crypto_key, 16) == -1) 34 return errno; 35 opfd = accept(tfmfd, NULL, 0); 36 if (opfd == -1) 37 return errno; 38 return 0; 39 } 40 41 static void deinit_afalg(void) 42 { 43 if (tfmfd != -1) 44 close(tfmfd); 45 if (opfd != -1) 46 close(opfd); 47 } 48 49 static void do_crypt_afalg(const void *src, void *dst, int size, bool encrypt) 50 { 51 struct msghdr msg = {}; 52 struct cmsghdr *cmsg; 53 char cbuf[CMSG_SPACE(4)] = {0}; 54 struct iovec iov; 55 56 msg.msg_control = cbuf; 57 msg.msg_controllen = sizeof(cbuf); 58 59 cmsg = CMSG_FIRSTHDR(&msg); 60 cmsg->cmsg_level = SOL_ALG; 61 cmsg->cmsg_type = ALG_SET_OP; 62 cmsg->cmsg_len = CMSG_LEN(4); 63 *(__u32 *)CMSG_DATA(cmsg) = encrypt ? ALG_OP_ENCRYPT : ALG_OP_DECRYPT; 64 65 iov.iov_base = (char *)src; 66 iov.iov_len = size; 67 68 msg.msg_iov = &iov; 69 msg.msg_iovlen = 1; 70 71 sendmsg(opfd, &msg, 0); 72 read(opfd, dst, size); 73 } 74 75 void test_crypto_basic(void) 76 { 77 RUN_TESTS(crypto_basic); 78 } 79 80 void test_crypto_sanity(void) 81 { 82 LIBBPF_OPTS(bpf_tc_hook, qdisc_hook, .attach_point = BPF_TC_EGRESS); 83 LIBBPF_OPTS(bpf_tc_opts, tc_attach_enc); 84 LIBBPF_OPTS(bpf_tc_opts, tc_attach_dec); 85 LIBBPF_OPTS(bpf_test_run_opts, opts); 86 struct nstoken *nstoken = NULL; 87 struct crypto_sanity *skel; 88 char afalg_plain[16] = {0}; 89 char afalg_dst[16] = {0}; 90 struct sockaddr_in6 addr; 91 int sockfd, err, pfd; 92 socklen_t addrlen; 93 u16 udp_test_port; 94 95 skel = crypto_sanity__open_and_load(); 96 if (!ASSERT_OK_PTR(skel, "skel open")) 97 return; 98 99 SYS(fail, "ip netns add %s", NS_TEST); 100 SYS(fail, "ip -net %s -6 addr add %s/128 dev lo nodad", NS_TEST, IPV6_IFACE_ADDR); 101 SYS(fail, "ip -net %s link set dev lo up", NS_TEST); 102 103 nstoken = open_netns(NS_TEST); 104 if (!ASSERT_OK_PTR(nstoken, "open_netns")) 105 goto fail; 106 107 err = init_afalg(); 108 if (!ASSERT_OK(err, "AF_ALG init fail")) 109 goto fail; 110 111 qdisc_hook.ifindex = if_nametoindex("lo"); 112 if (!ASSERT_GT(qdisc_hook.ifindex, 0, "if_nametoindex lo")) 113 goto fail; 114 115 skel->bss->key_len = 16; 116 skel->bss->authsize = 0; 117 udp_test_port = skel->data->udp_test_port; 118 memcpy(skel->bss->key, crypto_key, sizeof(crypto_key)); 119 snprintf(skel->bss->algo, 128, "%s", algo); 120 pfd = bpf_program__fd(skel->progs.skb_crypto_setup); 121 if (!ASSERT_GT(pfd, 0, "skb_crypto_setup fd")) 122 goto fail; 123 124 err = bpf_prog_test_run_opts(pfd, &opts); 125 if (!ASSERT_OK(err, "skb_crypto_setup") || 126 !ASSERT_OK(opts.retval, "skb_crypto_setup retval")) 127 goto fail; 128 129 if (!ASSERT_OK(skel->bss->status, "skb_crypto_setup status")) 130 goto fail; 131 132 err = bpf_tc_hook_create(&qdisc_hook); 133 if (!ASSERT_OK(err, "create qdisc hook")) 134 goto fail; 135 136 addrlen = sizeof(addr); 137 err = make_sockaddr(AF_INET6, IPV6_IFACE_ADDR, udp_test_port, 138 (void *)&addr, &addrlen); 139 if (!ASSERT_OK(err, "make_sockaddr")) 140 goto fail; 141 142 tc_attach_enc.prog_fd = bpf_program__fd(skel->progs.encrypt_sanity); 143 err = bpf_tc_attach(&qdisc_hook, &tc_attach_enc); 144 if (!ASSERT_OK(err, "attach encrypt filter")) 145 goto fail; 146 147 sockfd = socket(AF_INET6, SOCK_DGRAM, 0); 148 if (!ASSERT_NEQ(sockfd, -1, "encrypt socket")) 149 goto fail; 150 err = sendto(sockfd, plain_text, sizeof(plain_text), 0, (void *)&addr, addrlen); 151 close(sockfd); 152 if (!ASSERT_EQ(err, sizeof(plain_text), "encrypt send")) 153 goto fail; 154 155 do_crypt_afalg(plain_text, afalg_dst, sizeof(afalg_dst), true); 156 157 if (!ASSERT_OK(skel->bss->status, "encrypt status")) 158 goto fail; 159 if (!ASSERT_STRNEQ(skel->bss->dst, afalg_dst, sizeof(afalg_dst), "encrypt AF_ALG")) 160 goto fail; 161 162 tc_attach_enc.flags = tc_attach_enc.prog_fd = tc_attach_enc.prog_id = 0; 163 err = bpf_tc_detach(&qdisc_hook, &tc_attach_enc); 164 if (!ASSERT_OK(err, "bpf_tc_detach encrypt")) 165 goto fail; 166 167 tc_attach_dec.prog_fd = bpf_program__fd(skel->progs.decrypt_sanity); 168 err = bpf_tc_attach(&qdisc_hook, &tc_attach_dec); 169 if (!ASSERT_OK(err, "attach decrypt filter")) 170 goto fail; 171 172 sockfd = socket(AF_INET6, SOCK_DGRAM, 0); 173 if (!ASSERT_NEQ(sockfd, -1, "decrypt socket")) 174 goto fail; 175 err = sendto(sockfd, afalg_dst, sizeof(afalg_dst), 0, (void *)&addr, addrlen); 176 close(sockfd); 177 if (!ASSERT_EQ(err, sizeof(afalg_dst), "decrypt send")) 178 goto fail; 179 180 do_crypt_afalg(afalg_dst, afalg_plain, sizeof(afalg_plain), false); 181 182 if (!ASSERT_OK(skel->bss->status, "decrypt status")) 183 goto fail; 184 if (!ASSERT_STRNEQ(skel->bss->dst, afalg_plain, sizeof(afalg_plain), "decrypt AF_ALG")) 185 goto fail; 186 187 tc_attach_dec.flags = tc_attach_dec.prog_fd = tc_attach_dec.prog_id = 0; 188 err = bpf_tc_detach(&qdisc_hook, &tc_attach_dec); 189 ASSERT_OK(err, "bpf_tc_detach decrypt"); 190 191 fail: 192 close_netns(nstoken); 193 deinit_afalg(); 194 SYS_NOFAIL("ip netns del " NS_TEST " &> /dev/null"); 195 crypto_sanity__destroy(skel); 196 } 197