diff mbox series

[11/14] test/crypto: add verification of TLS headers

Message ID	20231207130216.140-12-anoobj@marvell.com (mailing list archive)
State	Accepted, archived
Delegated to:	akhil goyal
Headers	From: Anoob Joseph <anoobj@marvell.com> To: Akhil Goyal <gakhil@marvell.com>, Jerin Jacob <jerinj@marvell.com> CC: Harry van Haaren <harry.van.haaren@intel.com>, Hemant Agrawal <hemant.agrawal@nxp.com>, Konstantin Ananyev <konstantin.v.ananyev@yandex.ru>, <dev@dpdk.org>, Vidya Sagar Velumuri <vvelumuri@marvell.com> Subject: [PATCH 11/14] test/crypto: add verification of TLS headers Date: Thu, 7 Dec 2023 18:32:13 +0530 Message-ID: <20231207130216.140-12-anoobj@marvell.com> In-Reply-To: <20231207130216.140-1-anoobj@marvell.com> References: <20231207130216.140-1-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	Add TLS record test suite \| [00/14] Add TLS record test suite [01/14] test/crypto: move security caps checks to separate file [02/14] test/crypto: move algorithm list to common [03/14] test/crypto: move algorithm display routines to common [04/14] test/security: add sha1-hmac to auth list [05/14] test/crypto: move algorithm framework to common [06/14] test/crypto: add TLS record tests [07/14] test/crypto: add AES-GCM 128 TLS 1.2 vector [08/14] test/crypto: add TLS1.2 vectors [09/14] test/crypto: add TLS1.2/DTLS1.2 AES-128/256-GCM vectors [10/14] test/crypto: add combined mode cases [11/14] test/crypto: add verification of TLS headers [12/14] test/security: add more algos to combined tests [13/14] test/security: add TLS 1.2 and DTLS 1.2 vectors [14/14] test/crypto: add multi segmented cases

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK

Commit Message

Anoob Joseph Dec. 7, 2023, 1:02 p.m. UTC

  Add verification of TLS headers in protocol offload tests.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 118 +++++++++++++++++-
 1 file changed, 117 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 6f106050c2..bcb2eba4ff 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -3,6 +3,8 @@ 
  */
 
 #include <rte_crypto.h>
+#include <rte_dtls.h>
+#include <rte_tls.h>
 
 #include "test.h"
 #include "test_cryptodev_security_tls_record.h"
@@ -62,8 +64,8 @@  test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array, int nb_td)
 {
+	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
-	int i;
 
 	memset(td_array, 0, nb_td * sizeof(*td));
 
@@ -94,6 +96,59 @@  test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	tls_pkt_size = td->input_text.len;
+
+	if (!td->aead) {
+		mac_len = td->xform.chain.auth.auth.digest_length;
+		switch (td->xform.chain.cipher.cipher.algo) {
+		case RTE_CRYPTO_CIPHER_3DES_CBC:
+			roundup_len = 8;
+			exp_nonce_len = 8;
+			break;
+		case RTE_CRYPTO_CIPHER_AES_CBC:
+			roundup_len = 16;
+			exp_nonce_len = 16;
+			break;
+		default:
+			roundup_len = 0;
+			exp_nonce_len = 0;
+			break;
+		}
+	} else {
+		mac_len = td->xform.aead.aead.digest_length;
+		exp_nonce_len = 8;
+	}
+
+	switch (td->tls_record_xform.ver) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		hdr_len = sizeof(struct rte_tls_hdr);
+		min_padding = 1;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		hdr_len = sizeof(struct rte_dtls_hdr);
+		min_padding = 0;
+		break;
+	default:
+		hdr_len = 0;
+		min_padding = 0;
+		break;
+	}
+
+	tls_pkt_size += mac_len;
+
+	/* Padding */
+	tls_pkt_size += min_padding;
+	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	/* Explicit nonce */
+	tls_pkt_size += exp_nonce_len;
+
+	/* Add TLS header */
+	tls_pkt_size += hdr_len;
+
+	td->output_text.len = tls_pkt_size;
+
 	RTE_SET_USED(flags);
 }
 
@@ -160,6 +215,60 @@  test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+static int
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+{
+	uint16_t length, hdr_len;
+	uint8_t content_type;
+
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_2) {
+		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
+			printf("Incorrect header version [expected - %4x, received - %4x]\n",
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
+			return TEST_FAILED;
+		}
+		content_type = hdr->type;
+		length = rte_be_to_cpu_16(hdr->length);
+		hdr_len = sizeof(struct rte_tls_hdr);
+	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+			printf("Incorrect header version [expected - %4x, received - %4x]\n",
+			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			return TEST_FAILED;
+		}
+		content_type = hdr->type;
+		length = rte_be_to_cpu_16(hdr->length);
+		hdr_len = sizeof(struct rte_tls_hdr);
+	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) {
+		const struct rte_dtls_hdr *hdr = (const struct rte_dtls_hdr *)output_text;
+		if (rte_be_to_cpu_16(hdr->version) != RTE_DTLS_VERSION_1_2) {
+			printf("Incorrect header version [expected - %4x, received - %4x]\n",
+			       RTE_DTLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
+			return TEST_FAILED;
+		}
+		content_type = hdr->type;
+		length = rte_be_to_cpu_16(hdr->length);
+		hdr_len = sizeof(struct rte_dtls_hdr);
+	} else {
+		return TEST_FAILED;
+	}
+
+	if (content_type != td->app_type) {
+		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+		       td->app_type, content_type);
+		return TEST_FAILED;
+	}
+
+	if (length != td->output_text.len - hdr_len) {
+		printf("Incorrect packet length [expected - %d, received - %d]\n",
+		       td->output_text.len - hdr_len, length);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
@@ -169,6 +278,7 @@  test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
+	int ret;
 
 	memset(output_text, 0, TLS_RECORD_MAX_LEN);
 
@@ -193,6 +303,12 @@  test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 		memcpy(output_text, output, len);
 	}
 
+	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
+		ret = tls_record_hdr_verify(td, output_text);
+		if (ret != TEST_SUCCESS)
+			return ret;
+	}
+
 	/*
 	 * In case of known vector tests & all record read (decrypt) tests, res_d provided would be
 	 * NULL and output data need to be validated against expected. For record read (decrypt),