diff mbox series

[v5,3/5] test/crypto: add lookaside IPsec ICV corrupt test case

Message ID 1632584132-289-4-git-send-email-anoobj@marvell.com (mailing list archive)
State Accepted
Delegated to: akhil goyal
Headers show
Series Add lookaside IPsec tests | expand

Checks

Context Check Description
ci/checkpatch success coding style OK

Commit Message

Anoob Joseph Sept. 25, 2021, 3:35 p.m. UTC
From: Tejasree Kondoj <ktejasree@marvell.com>

Add negative test to validate IPsec inbound processing failure with ICV
corruption. The tests would first do IPsec encapsulation and corrupt
ICV of the generated IPsec packet. Then the packet is submitted to IPsec
outbound processing for decapsulation. Test case would validate that PMD
returns an error in such cases.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 doc/guides/rel_notes/release_21_11.rst   |  1 +
 4 files changed, 38 insertions(+), 10 deletions(-)
diff mbox series

Patch

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3eacc66..bfaca1d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9130,6 +9130,18 @@  test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14041,6 +14053,10 @@  static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index d08e093..aebbe66 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@  test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -217,6 +220,11 @@  test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -241,8 +249,6 @@  test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -299,13 +305,17 @@  test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index cbb3ee4..134fc3a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@  struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index cf0277d..8fc5844 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -90,6 +90,7 @@  New Features
 * **Added lookaside protocol (IPsec) tests in dpdk-test.**
 
   * Added known vector tests (AES-GCM 128, 192, 256).
+  * Added tests to verify error reporting with ICV corruption.
 
 
 Removed Items