1// SPDX-License-Identifier: GPL-2.0
  2/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
  3
  4#include <sys/types.h>
  5#include <sys/socket.h>
  6#include <net/if.h>
  7#include <linux/if_alg.h>
  8
  9#include "test_progs.h"
 10#include "network_helpers.h"
 11#include "crypto_sanity.skel.h"
 12#include "crypto_basic.skel.h"
 13
 14#define NS_TEST "crypto_sanity_ns"
 15#define IPV6_IFACE_ADDR "face::1"
 16static const unsigned char crypto_key[] = "testtest12345678";
 17static const char plain_text[] = "stringtoencrypt0";
 18static int opfd = -1, tfmfd = -1;
 19static const char algo[] = "ecb(aes)";
 20static int init_afalg(void)
 21{
 22	struct sockaddr_alg sa = {
 23		.salg_family = AF_ALG,
 24		.salg_type = "skcipher",
 25		.salg_name = "ecb(aes)"
 26	};
 27
 28	tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
 29	if (tfmfd == -1)
 30		return errno;
 31	if (bind(tfmfd, (struct sockaddr *)&sa, sizeof(sa)) == -1)
 32		return errno;
 33	if (setsockopt(tfmfd, SOL_ALG, ALG_SET_KEY, crypto_key, 16) == -1)
 34		return errno;
 35	opfd = accept(tfmfd, NULL, 0);
 36	if (opfd == -1)
 37		return errno;
 38	return 0;
 39}
 40
 41static void deinit_afalg(void)
 42{
 43	if (tfmfd != -1)
 44		close(tfmfd);
 45	if (opfd != -1)
 46		close(opfd);
 47}
 48
 49static void do_crypt_afalg(const void *src, void *dst, int size, bool encrypt)
 50{
 51	struct msghdr msg = {};
 52	struct cmsghdr *cmsg;
 53	char cbuf[CMSG_SPACE(4)] = {0};
 54	struct iovec iov;
 55
 56	msg.msg_control = cbuf;
 57	msg.msg_controllen = sizeof(cbuf);
 58
 59	cmsg = CMSG_FIRSTHDR(&msg);
 60	cmsg->cmsg_level = SOL_ALG;
 61	cmsg->cmsg_type = ALG_SET_OP;
 62	cmsg->cmsg_len = CMSG_LEN(4);
 63	*(__u32 *)CMSG_DATA(cmsg) = encrypt ? ALG_OP_ENCRYPT : ALG_OP_DECRYPT;
 64
 65	iov.iov_base = (char *)src;
 66	iov.iov_len = size;
 67
 68	msg.msg_iov = &iov;
 69	msg.msg_iovlen = 1;
 70
 71	sendmsg(opfd, &msg, 0);
 72	read(opfd, dst, size);
 73}
 74
 75void test_crypto_basic(void)
 76{
 77	RUN_TESTS(crypto_basic);
 78}
 79
 80void test_crypto_sanity(void)
 81{
 82	LIBBPF_OPTS(bpf_tc_hook, qdisc_hook, .attach_point = BPF_TC_EGRESS);
 83	LIBBPF_OPTS(bpf_tc_opts, tc_attach_enc);
 84	LIBBPF_OPTS(bpf_tc_opts, tc_attach_dec);
 85	LIBBPF_OPTS(bpf_test_run_opts, opts);
 86	struct nstoken *nstoken = NULL;
 87	struct crypto_sanity *skel;
 88	char afalg_plain[16] = {0};
 89	char afalg_dst[16] = {0};
 90	struct sockaddr_in6 addr;
 91	int sockfd, err, pfd;
 92	socklen_t addrlen;
 93	u16 udp_test_port;
 94
 95	skel = crypto_sanity__open_and_load();
 96	if (!ASSERT_OK_PTR(skel, "skel open"))
 97		return;
 98
 99	SYS(fail, "ip netns add %s", NS_TEST);
100	SYS(fail, "ip -net %s -6 addr add %s/128 dev lo nodad", NS_TEST, IPV6_IFACE_ADDR);
101	SYS(fail, "ip -net %s link set dev lo up", NS_TEST);
102
103	nstoken = open_netns(NS_TEST);
104	if (!ASSERT_OK_PTR(nstoken, "open_netns"))
105		goto fail;
106
107	err = init_afalg();
108	if (!ASSERT_OK(err, "AF_ALG init fail"))
109		goto fail;
110
111	qdisc_hook.ifindex = if_nametoindex("lo");
112	if (!ASSERT_GT(qdisc_hook.ifindex, 0, "if_nametoindex lo"))
113		goto fail;
114
115	skel->bss->key_len = 16;
116	skel->bss->authsize = 0;
117	udp_test_port = skel->data->udp_test_port;
118	memcpy(skel->bss->key, crypto_key, sizeof(crypto_key));
119	snprintf(skel->bss->algo, 128, "%s", algo);
120	pfd = bpf_program__fd(skel->progs.skb_crypto_setup);
121	if (!ASSERT_GT(pfd, 0, "skb_crypto_setup fd"))
122		goto fail;
123
124	err = bpf_prog_test_run_opts(pfd, &opts);
125	if (!ASSERT_OK(err, "skb_crypto_setup") ||
126	    !ASSERT_OK(opts.retval, "skb_crypto_setup retval"))
127		goto fail;
128
129	if (!ASSERT_OK(skel->bss->status, "skb_crypto_setup status"))
130		goto fail;
131
132	err = bpf_tc_hook_create(&qdisc_hook);
133	if (!ASSERT_OK(err, "create qdisc hook"))
134		goto fail;
135
136	addrlen = sizeof(addr);
137	err = make_sockaddr(AF_INET6, IPV6_IFACE_ADDR, udp_test_port,
138			    (void *)&addr, &addrlen);
139	if (!ASSERT_OK(err, "make_sockaddr"))
140		goto fail;
141
142	tc_attach_enc.prog_fd = bpf_program__fd(skel->progs.encrypt_sanity);
143	err = bpf_tc_attach(&qdisc_hook, &tc_attach_enc);
144	if (!ASSERT_OK(err, "attach encrypt filter"))
145		goto fail;
146
147	sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
148	if (!ASSERT_NEQ(sockfd, -1, "encrypt socket"))
149		goto fail;
150	err = sendto(sockfd, plain_text, sizeof(plain_text), 0, (void *)&addr, addrlen);
151	close(sockfd);
152	if (!ASSERT_EQ(err, sizeof(plain_text), "encrypt send"))
153		goto fail;
154
155	do_crypt_afalg(plain_text, afalg_dst, sizeof(afalg_dst), true);
156
157	if (!ASSERT_OK(skel->bss->status, "encrypt status"))
158		goto fail;
159	if (!ASSERT_STRNEQ(skel->bss->dst, afalg_dst, sizeof(afalg_dst), "encrypt AF_ALG"))
160		goto fail;
161
162	tc_attach_enc.flags = tc_attach_enc.prog_fd = tc_attach_enc.prog_id = 0;
163	err = bpf_tc_detach(&qdisc_hook, &tc_attach_enc);
164	if (!ASSERT_OK(err, "bpf_tc_detach encrypt"))
165		goto fail;
166
167	tc_attach_dec.prog_fd = bpf_program__fd(skel->progs.decrypt_sanity);
168	err = bpf_tc_attach(&qdisc_hook, &tc_attach_dec);
169	if (!ASSERT_OK(err, "attach decrypt filter"))
170		goto fail;
171
172	sockfd = socket(AF_INET6, SOCK_DGRAM, 0);
173	if (!ASSERT_NEQ(sockfd, -1, "decrypt socket"))
174		goto fail;
175	err = sendto(sockfd, afalg_dst, sizeof(afalg_dst), 0, (void *)&addr, addrlen);
176	close(sockfd);
177	if (!ASSERT_EQ(err, sizeof(afalg_dst), "decrypt send"))
178		goto fail;
179
180	do_crypt_afalg(afalg_dst, afalg_plain, sizeof(afalg_plain), false);
181
182	if (!ASSERT_OK(skel->bss->status, "decrypt status"))
183		goto fail;
184	if (!ASSERT_STRNEQ(skel->bss->dst, afalg_plain, sizeof(afalg_plain), "decrypt AF_ALG"))
185		goto fail;
186
187	tc_attach_dec.flags = tc_attach_dec.prog_fd = tc_attach_dec.prog_id = 0;
188	err = bpf_tc_detach(&qdisc_hook, &tc_attach_dec);
189	ASSERT_OK(err, "bpf_tc_detach decrypt");
190
191fail:
192	close_netns(nstoken);
193	deinit_afalg();
194	SYS_NOFAIL("ip netns del " NS_TEST " &> /dev/null");
195	crypto_sanity__destroy(skel);
196}