mirror of
https://github.com/torvalds/linux.git
synced 2026-04-26 10:32:25 -04:00
3aa9b9a165
Small cleanup and test extension to probe the bpf_crypto_{encrypt,decrypt}()
kfunc when a bad dst buffer is passed in to assert that an error is returned.
Also, encrypt_sanity() and skb_crypto_setup() were explicit to set the global
status variable to zero before any test, so do the same for decrypt_sanity().
Do not explicitly zero the on-stack err before bpf_crypto_ctx_create() given
the kfunc is expected to do it internally for the success case.
Before kernel fix:
# ./vmtest.sh -- ./test_progs -t crypto
[...]
[ 1.531200] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.533388] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
#87/1 crypto_basic/crypto_release:OK
#87/2 crypto_basic/crypto_acquire:OK
#87 crypto_basic:OK
test_crypto_sanity:PASS:skel open 0 nsec
test_crypto_sanity:PASS:ip netns add crypto_sanity_ns 0 nsec
test_crypto_sanity:PASS:ip -net crypto_sanity_ns -6 addr add face::1/128 dev lo nodad 0 nsec
test_crypto_sanity:PASS:ip -net crypto_sanity_ns link set dev lo up 0 nsec
test_crypto_sanity:PASS:open_netns 0 nsec
test_crypto_sanity:PASS:AF_ALG init fail 0 nsec
test_crypto_sanity:PASS:if_nametoindex lo 0 nsec
test_crypto_sanity:PASS:skb_crypto_setup fd 0 nsec
test_crypto_sanity:PASS:skb_crypto_setup 0 nsec
test_crypto_sanity:PASS:skb_crypto_setup retval 0 nsec
test_crypto_sanity:PASS:skb_crypto_setup status 0 nsec
test_crypto_sanity:PASS:create qdisc hook 0 nsec
test_crypto_sanity:PASS:make_sockaddr 0 nsec
test_crypto_sanity:PASS:attach encrypt filter 0 nsec
test_crypto_sanity:PASS:encrypt socket 0 nsec
test_crypto_sanity:PASS:encrypt send 0 nsec
test_crypto_sanity:FAIL:encrypt status unexpected error: -5 (errno 95)
#88 crypto_sanity:FAIL
Summary: 1/2 PASSED, 0 SKIPPED, 1 FAILED
After kernel fix:
# ./vmtest.sh -- ./test_progs -t crypto
[...]
[ 1.540963] bpf_testmod: loading out-of-tree module taints kernel.
[ 1.542404] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
#87/1 crypto_basic/crypto_release:OK
#87/2 crypto_basic/crypto_acquire:OK
#87 crypto_basic:OK
#88 crypto_sanity:OK
Summary: 2/2 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://lore.kernel.org/r/20250829143657.318524-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
180 lines
3.8 KiB
C
180 lines
3.8 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
|
|
|
|
#include "vmlinux.h"
|
|
#include "bpf_tracing_net.h"
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_endian.h>
|
|
#include <bpf/bpf_tracing.h>
|
|
#include "bpf_misc.h"
|
|
#include "bpf_kfuncs.h"
|
|
#include "crypto_common.h"
|
|
|
|
unsigned char key[256] = {};
|
|
u16 udp_test_port = 7777;
|
|
u32 authsize, key_len;
|
|
char algo[128] = {};
|
|
char dst[16] = {}, dst_bad[8] = {};
|
|
int status;
|
|
|
|
static int skb_dynptr_validate(struct __sk_buff *skb, struct bpf_dynptr *psrc)
|
|
{
|
|
struct ipv6hdr ip6h;
|
|
struct udphdr udph;
|
|
u32 offset;
|
|
|
|
if (skb->protocol != __bpf_constant_htons(ETH_P_IPV6))
|
|
return -1;
|
|
|
|
if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip6h, sizeof(ip6h)))
|
|
return -1;
|
|
|
|
if (ip6h.nexthdr != IPPROTO_UDP)
|
|
return -1;
|
|
|
|
if (bpf_skb_load_bytes(skb, ETH_HLEN + sizeof(ip6h), &udph, sizeof(udph)))
|
|
return -1;
|
|
|
|
if (udph.dest != __bpf_htons(udp_test_port))
|
|
return -1;
|
|
|
|
offset = ETH_HLEN + sizeof(ip6h) + sizeof(udph);
|
|
if (skb->len < offset + 16)
|
|
return -1;
|
|
|
|
/* let's make sure that 16 bytes of payload are in the linear part of skb */
|
|
bpf_skb_pull_data(skb, offset + 16);
|
|
bpf_dynptr_from_skb(skb, 0, psrc);
|
|
bpf_dynptr_adjust(psrc, offset, offset + 16);
|
|
|
|
return 0;
|
|
}
|
|
|
|
SEC("syscall")
|
|
int skb_crypto_setup(void *ctx)
|
|
{
|
|
struct bpf_crypto_params params = {
|
|
.type = "skcipher",
|
|
.key_len = key_len,
|
|
.authsize = authsize,
|
|
};
|
|
struct bpf_crypto_ctx *cctx;
|
|
int err;
|
|
|
|
status = 0;
|
|
if (key_len > 256) {
|
|
status = -EINVAL;
|
|
return 0;
|
|
}
|
|
|
|
__builtin_memcpy(¶ms.algo, algo, sizeof(algo));
|
|
__builtin_memcpy(¶ms.key, key, sizeof(key));
|
|
|
|
cctx = bpf_crypto_ctx_create(¶ms, sizeof(params), &err);
|
|
if (!cctx) {
|
|
status = err;
|
|
return 0;
|
|
}
|
|
|
|
err = crypto_ctx_insert(cctx);
|
|
if (err && err != -EEXIST)
|
|
status = err;
|
|
return 0;
|
|
}
|
|
|
|
SEC("tc")
|
|
int decrypt_sanity(struct __sk_buff *skb)
|
|
{
|
|
struct __crypto_ctx_value *v;
|
|
struct bpf_crypto_ctx *ctx;
|
|
struct bpf_dynptr psrc, pdst;
|
|
int err;
|
|
|
|
status = 0;
|
|
err = skb_dynptr_validate(skb, &psrc);
|
|
if (err < 0) {
|
|
status = err;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
v = crypto_ctx_value_lookup();
|
|
if (!v) {
|
|
status = -ENOENT;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
ctx = v->ctx;
|
|
if (!ctx) {
|
|
status = -ENOENT;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
/* Check also bad case where the dst buffer is smaller than the
|
|
* skb's linear section.
|
|
*/
|
|
bpf_dynptr_from_mem(dst_bad, sizeof(dst_bad), 0, &pdst);
|
|
status = bpf_crypto_decrypt(ctx, &psrc, &pdst, NULL);
|
|
if (!status)
|
|
status = -EIO;
|
|
if (status != -EINVAL)
|
|
goto err;
|
|
|
|
/* dst is a global variable to make testing part easier to check.
|
|
* In real production code, a percpu map should be used to store
|
|
* the result.
|
|
*/
|
|
bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
|
|
status = bpf_crypto_decrypt(ctx, &psrc, &pdst, NULL);
|
|
err:
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
SEC("tc")
|
|
int encrypt_sanity(struct __sk_buff *skb)
|
|
{
|
|
struct __crypto_ctx_value *v;
|
|
struct bpf_crypto_ctx *ctx;
|
|
struct bpf_dynptr psrc, pdst;
|
|
int err;
|
|
|
|
status = 0;
|
|
err = skb_dynptr_validate(skb, &psrc);
|
|
if (err < 0) {
|
|
status = err;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
v = crypto_ctx_value_lookup();
|
|
if (!v) {
|
|
status = -ENOENT;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
ctx = v->ctx;
|
|
if (!ctx) {
|
|
status = -ENOENT;
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
/* Check also bad case where the dst buffer is smaller than the
|
|
* skb's linear section.
|
|
*/
|
|
bpf_dynptr_from_mem(dst_bad, sizeof(dst_bad), 0, &pdst);
|
|
status = bpf_crypto_encrypt(ctx, &psrc, &pdst, NULL);
|
|
if (!status)
|
|
status = -EIO;
|
|
if (status != -EINVAL)
|
|
goto err;
|
|
|
|
/* dst is a global variable to make testing part easier to check.
|
|
* In real production code, a percpu map should be used to store
|
|
* the result.
|
|
*/
|
|
bpf_dynptr_from_mem(dst, sizeof(dst), 0, &pdst);
|
|
status = bpf_crypto_encrypt(ctx, &psrc, &pdst, NULL);
|
|
err:
|
|
return TC_ACT_SHOT;
|
|
}
|
|
|
|
char __license[] SEC("license") = "GPL";
|