bpf: working crypto of first 16 bytes, sans correct checksum

hack3ric · Sep 29, 2024 · ab0ae07 · ab0ae07
1 parent a819a3d
commit ab0ae07
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/bpf/egress.c b/bpf/egress.c
@@ -6,6 +6,7 @@
 #include "common/checksum.h"
 #include "common/defs.h"
 #include "common/try.h"
+#include "kmod/crypto.h"
 #include "kmod/csum-hack.h"
 #include "main.h"
 
@@ -113,6 +114,7 @@ int egress_handler(struct __sk_buff* skb) {
   __u32 random = bpf_get_prandom_u32();
 
   bpf_spin_lock(&conn->lock);
+  bool conn_has_crypto = !!conn->crypto;
   if (likely(conn->state == CONN_ESTABLISHED)) {
     seq = conn->seq;
     ack_seq = conn->ack_seq;
@@ -174,6 +176,21 @@ int egress_handler(struct __sk_buff* skb) {
     ipv6->nexthdr = IPPROTO_TCP;
   }
 
+  if (payload_len >= 16) {
+    struct mimic_crypto_state* crypto = NULL;
+    if (!conn_has_crypto) {
+      __u8 key[32] = {};
+      crypto = try_p_shot(mimic_crypto_state_create());
+      mimic_crypto_set_key(crypto, key, sizeof(key));
+    } else {
+      crypto = try_p_shot(bpf_kptr_xchg(&conn->crypto, crypto));
+    }
+    __u8 iv[16] = {};
+    mimic_encrypt_wg_header(skb, ip_end + sizeof(*udp), iv, sizeof(iv), crypto);
+    crypto = bpf_kptr_xchg(&conn->crypto, crypto);
+    if (crypto) mimic_crypto_state_release(crypto);
+  }
+
   __be32 csum_diff = 0;
   try_tc(mangle_data(skb, ip_end + sizeof(*udp), &csum_diff, conn->padding_len));
   decl_shot(struct tcphdr, tcp, ip_end, skb);

diff --git a/bpf/ingress.c b/bpf/ingress.c
@@ -6,6 +6,7 @@
 #include "common/checksum.h"
 #include "common/defs.h"
 #include "common/try.h"
+#include "kmod/crypto.h"
 #include "main.h"
 
 // Move back n bytes, shrink socket buffer and restore data.
@@ -184,6 +185,8 @@ int ingress_handler(struct xdp_md* xdp) {
 
   bpf_spin_lock(&conn->lock);
 
+  bool conn_has_crypto = !!conn->crypto;
+
   // Incoming traffic == activity
   conn->retry_tstamp = conn->reset_tstamp = tstamp;
 
@@ -329,6 +332,21 @@ int ingress_handler(struct xdp_md* xdp) {
   decl_drop(struct udphdr, udp, ip_end, xdp);
   csum += u32_fold(ntohl(csum_diff));
 
+  if (tcp_payload_len >= 16) {
+    struct mimic_crypto_state* crypto = NULL;
+    if (!conn_has_crypto) {
+      __u8 key[32] = {};
+      crypto = try_p_shot(mimic_crypto_state_create2());
+      mimic_crypto_set_key2(crypto, key, sizeof(key));
+    } else {
+      crypto = try_p_shot(bpf_kptr_xchg(&conn->crypto, crypto));
+    }
+    __u8 iv[16] = {};
+    mimic_decrypt_wg_header(xdp, ip_end + sizeof(*udp), iv, sizeof(iv), crypto);
+    crypto = bpf_kptr_xchg(&conn->crypto, crypto);
+    if (crypto) mimic_crypto_state_release2(crypto);
+  }
+
   __u16 udp_len = ip_payload_len - reserve_len;
   udp->len = htons(udp_len);
 

diff --git a/common/defs.h b/common/defs.h
@@ -6,6 +6,7 @@
 #include "bpf/vmlinux.h"
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_endian.h>
+#include "kmod/crypto.h"
 // clang-format on
 #else
 #include <linux/bpf.h>
@@ -270,6 +271,12 @@ struct connection {
 
   __u64 retry_tstamp, reset_tstamp, stale_tstamp;
   __u64 pktbuf;
+
+#ifdef _MIMIC_BPF
+  struct mimic_crypto_state __kptr* crypto;
+#else
+  __u64 crypto_ptr;
+#endif
 };
 
 static __always_inline struct connection conn_init(struct filter_settings* settings, __u64 tstamp) {