From patchwork Sat Sep 25 15:35:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99655 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5766CA0C47; Sat, 25 Sep 2021 17:36:14 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id F3D8D406FF; Sat, 25 Sep 2021 17:36:13 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 084244003C for ; Sat, 25 Sep 2021 17:36:11 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PDQ9FS003440; Sat, 25 Sep 2021 08:36:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=DOH386djkTE1WrPrrjXDNsZSJypvNxRUO02bUS4Z3Wk=; b=P8WW2w5e5fFvBMbroK0yorvy9Ixlq0dGKsnknMy+bbR0oa0iwGrySlG1RY+9m0Y26NVJ LL2jI1IZPy/QDKl9Uvh53xzaiFNo5OpREFt7/UBCQl22XX9Fm/cI0d8SqByih2FcqdQH qjFRCryjyMrx4Uyue2XNdDszMHi4eZy0gm2mXt1g4Qxx9mO4ll/VQHBsQSDjKnyJ1SXM e9ZIQBRjtqLEHQI42AGtUmmzOlhN7113Pyt/0gANDO3hAvrgax4nDB9IKZVV1i5Sf8gY AYljN0TUOIHaXeVGGW+QNCE2jA3R3yV2QMWpA9cs10r0in8D7HHrGUkFgqw39WOwWIwE aQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com with ESMTP id 3ba14prp3v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:10 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:09 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:09 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id B44403F7073; Sat, 25 Sep 2021 08:36:05 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Anoob Joseph , Jerin Jacob , Archana Muniganti , Tejasree Kondoj , Hemant Agrawal , "Radu Nicolau" , Ciara Power , Gagandeep Singh , Date: Sat, 25 Sep 2021 21:05:28 +0530 Message-ID: <1632584132-289-2-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: 0RsiK1BjGWnRnazv7fqLVzr7M-iTcTx- X-Proofpoint-ORIG-GUID: 0RsiK1BjGWnRnazv7fqLVzr7M-iTcTx- X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Added test case for lookaside IPsec. Inbound known vector tests are added. Cipher list: AES-GCM 128, 192 & 256 Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power Acked-by: Hemant Agrawal --- app/test/meson.build | 1 + app/test/test.h | 6 + app/test/test_cryptodev.c | 236 +++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 212 ++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 66 +++++ .../test_cryptodev_security_ipsec_test_vectors.h | 321 +++++++++++++++++++++ doc/guides/rel_notes/release_21_11.rst | 4 + 7 files changed, 846 insertions(+) create mode 100644 app/test/test_cryptodev_security_ipsec.c create mode 100644 app/test/test_cryptodev_security_ipsec.h create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h diff --git a/app/test/meson.build b/app/test/meson.build index a761168..f144d8b 100644 --- a/app/test/meson.build +++ b/app/test/meson.build @@ -38,6 +38,7 @@ test_sources = files( 'test_cryptodev.c', 'test_cryptodev_asym.c', 'test_cryptodev_blockcipher.c', + 'test_cryptodev_security_ipsec.c', 'test_cryptodev_security_pdcp.c', 'test_cycles.c', 'test_debug.c', diff --git a/app/test/test.h b/app/test/test.h index c3b2a87..7115edf 100644 --- a/app/test/test.h +++ b/app/test/test.h @@ -124,6 +124,12 @@ struct unit_test_case { #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \ { setup, teardown, NULL, testcase, #testcase, 1, data } +#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \ + { setup, teardown, NULL, testcase, name, 1, NULL } + +#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \ + { setup, teardown, NULL, testcase, name, 1, data } + #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL } #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \ diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index d19482c..f7d429b 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -16,6 +16,7 @@ #include #include +#include #include #ifdef RTE_CRYPTO_SCHEDULER @@ -41,6 +42,8 @@ #include "test_cryptodev_hmac_test_vectors.h" #include "test_cryptodev_mixed_test_vectors.h" #ifdef RTE_LIB_SECURITY +#include "test_cryptodev_security_ipsec.h" +#include "test_cryptodev_security_ipsec_test_vectors.h" #include "test_cryptodev_security_pdcp_test_vectors.h" #include "test_cryptodev_security_pdcp_sdap_test_vectors.h" #include "test_cryptodev_security_pdcp_test_func.h" @@ -123,6 +126,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess, const uint8_t *digest, const uint8_t *iv); +static int +security_proto_supported(enum rte_security_session_action_type action, + enum rte_security_session_protocol proto); + +static int +dev_configure_and_start(uint64_t ff_disable); + static struct rte_mbuf * setup_test_string(struct rte_mempool *mpool, const char *string, size_t len, uint8_t blocksize) @@ -753,6 +763,47 @@ crypto_gen_testsuite_setup(void) #ifdef RTE_LIB_SECURITY static int +ipsec_proto_testsuite_setup(void) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_cryptodev_info dev_info; + int ret = 0; + + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); + + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto " + "testsuite not met\n"); + return TEST_SKIPPED; + } + + /* Reconfigure to enable security */ + ret = dev_configure_and_start(0); + if (ret != TEST_SUCCESS) + return ret; + + /* Set action type */ + ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + + if (security_proto_supported( + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + RTE_SECURITY_PROTOCOL_IPSEC) < 0) { + RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto " + "test not met\n"); + ret = TEST_SKIPPED; + } + + /* + * Stop the device. Device would be started again by individual test + * case setup routine. + */ + rte_cryptodev_stop(ts_params->valid_devs[0]); + + return ret; +} + +static int pdcp_proto_testsuite_setup(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -8854,6 +8905,170 @@ test_PDCP_SDAP_PROTO_decap_all(void) } static int +test_ipsec_proto_process(const struct ipsec_test_data td[], + struct ipsec_test_data res_d[], + int nb_td, + bool silent) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_security_capability_idx sec_cap_idx; + const struct rte_security_capability *sec_cap; + struct rte_security_ipsec_xform ipsec_xform; + uint8_t dev_id = ts_params->valid_devs[0]; + enum rte_security_ipsec_sa_direction dir; + struct ipsec_test_data *res_d_tmp = NULL; + uint32_t src = RTE_IPV4(192, 168, 1, 0); + uint32_t dst = RTE_IPV4(192, 168, 1, 1); + int salt_len, i, ret = TEST_SUCCESS; + struct rte_security_ctx *ctx; + uint8_t *input_text; + + ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + + /* Use first test data to create session */ + + /* Copy IPsec xform */ + memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + + dir = ipsec_xform.direction; + + ctx = rte_cryptodev_get_sec_ctx(dev_id); + + sec_cap_idx.action = ut_params->type; + sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC; + sec_cap_idx.ipsec.proto = ipsec_xform.proto; + sec_cap_idx.ipsec.mode = ipsec_xform.mode; + sec_cap_idx.ipsec.direction = ipsec_xform.direction; + + sec_cap = rte_security_capability_get(ctx, &sec_cap_idx); + if (sec_cap == NULL) + return TEST_SKIPPED; + + /* Copy cipher session parameters */ + if (td[0].aead) { + memcpy(&ut_params->aead_xform, &td[0].xform.aead, + sizeof(ut_params->aead_xform)); + ut_params->aead_xform.aead.key.data = td[0].key.data; + ut_params->aead_xform.aead.iv.offset = IV_OFFSET; + + /* Verify crypto capabilities */ + if (test_ipsec_crypto_caps_aead_verify( + sec_cap, + &ut_params->aead_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + } else { + /* Only AEAD supported now */ + return TEST_SKIPPED; + } + + if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0) + return TEST_SKIPPED; + + salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); + memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); + + struct rte_security_session_conf sess_conf = { + .action_type = ut_params->type, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = ipsec_xform, + .crypto_xform = &ut_params->aead_xform, + }; + + /* Create security session */ + ut_params->sec_session = rte_security_session_create(ctx, &sess_conf, + ts_params->session_mpool, + ts_params->session_priv_mpool); + + if (ut_params->sec_session == NULL) + return TEST_SKIPPED; + + for (i = 0; i < nb_td; i++) { + /* Setup source mbuf payload */ + ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool); + memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0, + rte_pktmbuf_tailroom(ut_params->ibuf)); + + input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf, + td[i].input_text.len); + + memcpy(input_text, td[i].input_text.data, + td[i].input_text.len); + + /* Generate crypto op data structure */ + ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool, + RTE_CRYPTO_OP_TYPE_SYMMETRIC); + if (!ut_params->op) { + printf("TestCase %s line %d: %s\n", + __func__, __LINE__, + "failed to allocate crypto op"); + ret = TEST_FAILED; + goto crypto_op_free; + } + + /* Attach session to operation */ + rte_security_attach_session(ut_params->op, + ut_params->sec_session); + + /* Set crypto operation mbufs */ + ut_params->op->sym->m_src = ut_params->ibuf; + ut_params->op->sym->m_dst = NULL; + + /* Process crypto operation */ + process_crypto_request(dev_id, ut_params->op); + + ret = test_ipsec_status_check(ut_params->op, dir); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + + if (res_d != NULL) + res_d_tmp = &res_d[i]; + + ret = test_ipsec_post_process(ut_params->ibuf, &td[i], + res_d_tmp, silent); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + + rte_crypto_op_free(ut_params->op); + ut_params->op = NULL; + + rte_pktmbuf_free(ut_params->ibuf); + ut_params->ibuf = NULL; + } + +crypto_op_free: + rte_crypto_op_free(ut_params->op); + ut_params->op = NULL; + + rte_pktmbuf_free(ut_params->ibuf); + ut_params->ibuf = NULL; + + if (ut_params->sec_session) + rte_security_session_destroy(ctx, ut_params->sec_session); + ut_params->sec_session = NULL; + + return ret; +} + +static int +test_ipsec_proto_known_vec_inb(const void *td_outb) +{ + struct ipsec_test_data td_inb; + + test_ipsec_td_in_from_out(td_outb, &td_inb); + + return test_ipsec_proto_process(&td_inb, NULL, 1, false); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -13745,6 +13960,26 @@ static struct unit_test_suite end_testsuite = { }; #ifdef RTE_LIB_SECURITY +static struct unit_test_suite ipsec_proto_testsuite = { + .suite_name = "IPsec Proto Unit Test Suite", + .setup = ipsec_proto_testsuite_setup, + .unit_test_cases = { + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASES_END() /**< NULL terminate unit test array */ + } +}; + static struct unit_test_suite pdcp_proto_testsuite = { .suite_name = "PDCP Proto Unit Test Suite", .setup = pdcp_proto_testsuite_setup, @@ -14530,6 +14765,7 @@ run_cryptodev_testsuite(const char *pmd_name) &cryptodev_negative_hmac_sha1_testsuite, &cryptodev_gen_testsuite, #ifdef RTE_LIB_SECURITY + &ipsec_proto_testsuite, &pdcp_proto_testsuite, &docsis_proto_testsuite, #endif diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c new file mode 100644 index 0000000..2431fcb --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec.c @@ -0,0 +1,212 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include + +#include "test.h" +#include "test_cryptodev_security_ipsec.h" + +int +test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap, + bool silent) +{ + /* Verify security capabilities */ + + if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "ESN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_encap == 1 && + sec_cap->ipsec.options.udp_encap == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_dscp == 1 && + sec_cap->ipsec.options.copy_dscp == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_flabel == 1 && + sec_cap->ipsec.options.copy_flabel == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_df == 1 && + sec_cap->ipsec.options.copy_df == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.dec_ttl == 1 && + sec_cap->ipsec.options.dec_ttl == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "ECN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.stats == 1 && + sec_cap->ipsec.options.stats == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Stats is not supported\n"); + return -ENOTSUP; + } + + return 0; +} + +int +test_ipsec_crypto_caps_aead_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *aead) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *crypto_cap; + int j = 0; + + while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + crypto_cap->sym.xform_type == aead->type && + crypto_cap->sym.aead.algo == aead->aead.algo) { + sym_cap = &crypto_cap->sym; + if (rte_cryptodev_sym_capability_check_aead(sym_cap, + aead->aead.key.length, + aead->aead.digest_length, + aead->aead.aad_length, + aead->aead.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + +void +test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, + struct ipsec_test_data *td_in) +{ + memcpy(td_in, td_out, sizeof(*td_in)); + + /* Populate output text of td_in with input text of td_out */ + memcpy(td_in->output_text.data, td_out->input_text.data, + td_out->input_text.len); + td_in->output_text.len = td_out->input_text.len; + + /* Populate input text of td_in with output text of td_out */ + memcpy(td_in->input_text.data, td_out->output_text.data, + td_out->output_text.len); + td_in->input_text.len = td_out->output_text.len; + + td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; + + if (td_in->aead) { + td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT; + } else { + td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY; + td_in->xform.chain.cipher.cipher.op = + RTE_CRYPTO_CIPHER_OP_DECRYPT; + } +} + +static int +test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td) +{ + int len = 0; + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) + len += sizeof(struct rte_ipv4_hdr); + else + len += sizeof(struct rte_ipv6_hdr); + } + } + + return len; +} + +static int +test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, + bool silent) +{ + uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); + uint32_t skip, len = rte_pktmbuf_pkt_len(m); + + if (len != td->output_text.len) { + printf("Output length (%d) not matching with expected (%d)\n", + len, td->output_text.len); + return TEST_FAILED; + } + + skip = test_ipsec_tunnel_hdr_len_get(td); + + len -= skip; + output_text += skip; + + if (memcmp(output_text, td->output_text.data + skip, len)) { + if (silent) + return TEST_FAILED; + + printf("TestCase %s line %d: %s\n", __func__, __LINE__, + "output text not as expected\n"); + + rte_hexdump(stdout, "expected", td->output_text.data + skip, + len); + rte_hexdump(stdout, "actual", output_text, len); + return TEST_FAILED; + } + + return TEST_SUCCESS; +} + +int +test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, + struct ipsec_test_data *res_d, bool silent) +{ + /* + * In case of known vector tests & all inbound tests, res_d provided + * would be NULL and output data need to be validated against expected. + * For inbound, output_text would be plain packet and for outbound + * output_text would IPsec packet. Validate by comparing against + * known vectors. + */ + RTE_SET_USED(res_d); + return test_ipsec_td_verify(m, td, silent); +} + +int +test_ipsec_status_check(struct rte_crypto_op *op, + enum rte_security_ipsec_sa_direction dir) +{ + int ret = TEST_SUCCESS; + + if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + printf("Security op processing failed\n"); + ret = TEST_FAILED; + } + + RTE_SET_USED(dir); + + return ret; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h new file mode 100644 index 0000000..5f1b46d --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec.h @@ -0,0 +1,66 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_ +#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_ + +#include +#include + +struct ipsec_test_data { + struct { + uint8_t data[32]; + } key; + + struct { + uint8_t data[1024]; + unsigned int len; + } input_text; + + struct { + uint8_t data[1024]; + unsigned int len; + } output_text; + + struct { + uint8_t data[4]; + unsigned int len; + } salt; + + struct { + uint8_t data[16]; + } iv; + + struct rte_security_ipsec_xform ipsec_xform; + + bool aead; + + union { + struct { + struct rte_crypto_sym_xform cipher; + struct rte_crypto_sym_xform auth; + } chain; + struct rte_crypto_sym_xform aead; + } xform; +}; + +int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap, + bool silent); + +int test_ipsec_crypto_caps_aead_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *aead); + +void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, + struct ipsec_test_data *td_in); + +int test_ipsec_post_process(struct rte_mbuf *m, + const struct ipsec_test_data *td, + struct ipsec_test_data *res_d, bool silent); + +int test_ipsec_status_check(struct rte_crypto_op *op, + enum rte_security_ipsec_sa_direction dir); + +#endif diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h new file mode 100644 index 0000000..ae9cd24 --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -0,0 +1,321 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2021 Marvell + */ + +#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ +#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ + +#include +#include + +#include "test_cryptodev_security_ipsec.h" + +/* + * Known vectors + * + * AES-GCM vectors are based on : + * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01 + * + * Vectors are updated to have corrected L4 checksum and sequence number 1. + */ + +struct ipsec_test_data pkt_aes_128_gcm = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* UDP */ + 0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43, + 0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70, + 0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69, + 0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01, + 0x00, 0x01, + }, + .len = 62, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88, + + /* Data */ + 0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1, + 0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04, + 0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f, + 0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c, + 0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f, + 0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42, + 0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4, + 0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4, + 0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58, + 0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94, + + }, + .len = 116, + }, + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_192_gcm = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00, + 0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f, + 0x0a, 0x01, 0x06, 0x12, + + /* TCP */ + 0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02, + 0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0, + 0x75, 0x67, 0x00, 0x01 + }, + .len = 40, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88, + + /* Data */ + 0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4, + 0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42, + 0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6, + 0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0, + 0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77, + 0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4, + 0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e, + 0x54, 0x05, 0x22, 0x22, + }, + .len = 96, + }, + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 24, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_256_gcm = { + .key = { + .data = { + 0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23, + 0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab, + 0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23, + 0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00, + 0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02, + 0x93, 0x89, 0x15, 0x5e, + + /* TCP */ + 0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0, + 0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00, + 0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x01, 0x01, 0x04, 0x02, + }, + .len = 48, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + + /* Data */ + 0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf, + 0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d, + 0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf, + 0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63, + 0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34, + 0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d, + 0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f, + 0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee, + 0xa6, 0xc5, 0x11, 0x60, + }, + .len = 104, + }, + .salt = { + .data = { + 0x11, 0x22, 0x33, 0x44 + }, + .len = 4, + }, + + .iv = { + .data = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 + }, + }, + + .ipsec_xform = { + .spi = 0x4a2cbfe3, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 32, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 43d367b..cf0277d 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -87,6 +87,10 @@ New Features Added command-line options to specify total number of processes and current process ID. Each process owns subset of Rx and Tx queues. +* **Added lookaside protocol (IPsec) tests in dpdk-test.** + + * Added known vector tests (AES-GCM 128, 192, 256). + Removed Items -------------