From patchwork Sat Apr 16 19:25:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109757 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B1AC3A050A; Sat, 16 Apr 2022 21:25:50 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 865A5410E9; Sat, 16 Apr 2022 21:25:50 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 2C51A410E9 for ; Sat, 16 Apr 2022 21:25:48 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIhiNv024978; Sat, 16 Apr 2022 12:25:47 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=0To448uhNoafd96EGMyDZRPADOgpI4TujKT0RPJNbI8=; b=VTxFdiH24OfcfD4+HFu1xJ8CWgKwvosS8HqcXrJVEYgzNlE0uHsF51O6DIiTUAl//23m +rdKqOWHOvXoBj6y2l9OHVaneLwXoPW8+hXvISR5IMJ1N9+HidnJtNDBg6yBWzAY37UE n5Ao5F2e1WFZBAECf36g6FPF932VwugWDS74ZxxwFFkQO89i5lO/inQhGiIEahVXaVVR jlCM1eZ8KGfg0bF0Sc88Wj0WQCbPb0/j8EUj24c6yhblNqAs5JcDGdi1KHXybqGrFK45 8VDzM6JXtuZ1CYUlRH68Yr1kw0OAEWmfPlFJFhfrvrBBsqFIZSaXWlFOCrkeijUaV0ri tQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p90y3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:25:47 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:25:45 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:25:45 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id E8E1E3F707A; Sat, 16 Apr 2022 12:25:41 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 01/10] app/test: add unit cases for inline IPsec offload Date: Sun, 17 Apr 2022 00:55:21 +0530 Message-ID: <20220416192530.173895-2-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: FLa_bu55oa_MpG8QkMwLka5vcPLFiUcO X-Proofpoint-ORIG-GUID: FLa_bu55oa_MpG8QkMwLka5vcPLFiUcO X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org A new test suite is added in test app to test inline IPsec protocol offload. In this patch, predefined vectors from Lookaside IPsec test are used to verify the IPsec functionality without the need of external traffic generators. The sent packet is loopbacked onto the same interface which is received and matched with the expected output. The test suite can be updated further with other functional test cases. In this patch encap only cases are added. The testsuite can be run using: RTE> inline_ipsec_autotest Signed-off-by: Akhil Goyal Signed-off-by: Nithin Dabilpuram --- MAINTAINERS | 2 +- app/test/meson.build | 1 + app/test/test_security_inline_proto.c | 881 ++++++++++++++++++ app/test/test_security_inline_proto_vectors.h | 20 + 4 files changed, 903 insertions(+), 1 deletion(-) create mode 100644 app/test/test_security_inline_proto.c create mode 100644 app/test/test_security_inline_proto_vectors.h diff --git a/MAINTAINERS b/MAINTAINERS index 15008c03bc..89affa08ff 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -440,7 +440,7 @@ M: Akhil Goyal T: git://dpdk.org/next/dpdk-next-crypto F: lib/security/ F: doc/guides/prog_guide/rte_security.rst -F: app/test/test_security.c +F: app/test/test_security* Compression API - EXPERIMENTAL M: Fan Zhang diff --git a/app/test/meson.build b/app/test/meson.build index 5fc1dd1b7b..39952c6c4f 100644 --- a/app/test/meson.build +++ b/app/test/meson.build @@ -125,6 +125,7 @@ test_sources = files( 'test_rwlock.c', 'test_sched.c', 'test_security.c', + 'test_security_inline_proto.c', 'test_service_cores.c', 'test_spinlock.c', 'test_stack.c', diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c new file mode 100644 index 0000000000..aeb5a57aca --- /dev/null +++ b/app/test/test_security_inline_proto.c @@ -0,0 +1,881 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2022 Marvell. + */ + + +#include +#include + +#include +#include +#include + +#include "test.h" +#include "test_security_inline_proto_vectors.h" + +#ifdef RTE_EXEC_ENV_WINDOWS +static int +test_inline_ipsec(void) +{ + printf("Inline ipsec not supported on Windows, skipping test\n"); + return TEST_SKIPPED; +} + +#else + +#define NB_ETHPORTS_USED 1 +#define MEMPOOL_CACHE_SIZE 32 +#define MAX_PKT_BURST 32 +#define RTE_TEST_RX_DESC_DEFAULT 1024 +#define RTE_TEST_TX_DESC_DEFAULT 1024 +#define RTE_PORT_ALL (~(uint16_t)0x0) + +#define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */ +#define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */ +#define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */ + +#define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */ +#define TX_HTHRESH 0 /**< Default values of TX host threshold reg. */ +#define TX_WTHRESH 0 /**< Default values of TX write-back threshold reg. */ + +#define MAX_TRAFFIC_BURST 2048 +#define NB_MBUF 10240 + +extern struct ipsec_test_data pkt_aes_128_gcm; +extern struct ipsec_test_data pkt_aes_192_gcm; +extern struct ipsec_test_data pkt_aes_256_gcm; +extern struct ipsec_test_data pkt_aes_128_gcm_frag; +extern struct ipsec_test_data pkt_aes_128_cbc_null; +extern struct ipsec_test_data pkt_null_aes_xcbc; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha384; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha512; + +static struct rte_mempool *mbufpool; +static struct rte_mempool *sess_pool; +static struct rte_mempool *sess_priv_pool; +/* ethernet addresses of ports */ +static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS]; + +static struct rte_eth_conf port_conf = { + .rxmode = { + .mq_mode = RTE_ETH_MQ_RX_NONE, + .split_hdr_size = 0, + .offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM | + RTE_ETH_RX_OFFLOAD_SECURITY, + }, + .txmode = { + .mq_mode = RTE_ETH_MQ_TX_NONE, + .offloads = RTE_ETH_TX_OFFLOAD_SECURITY | + RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE, + }, + .lpbk_mode = 1, /* enable loopback */ +}; + +static struct rte_eth_rxconf rx_conf = { + .rx_thresh = { + .pthresh = RX_PTHRESH, + .hthresh = RX_HTHRESH, + .wthresh = RX_WTHRESH, + }, + .rx_free_thresh = 32, +}; + +static struct rte_eth_txconf tx_conf = { + .tx_thresh = { + .pthresh = TX_PTHRESH, + .hthresh = TX_HTHRESH, + .wthresh = TX_WTHRESH, + }, + .tx_free_thresh = 32, /* Use PMD default values */ + .tx_rs_thresh = 32, /* Use PMD default values */ +}; + +uint16_t port_id; + +static uint64_t link_mbps; + +static struct rte_flow *default_flow[RTE_MAX_ETHPORTS]; + +/* Create Inline IPsec session */ +static int +create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid, + struct rte_security_session **sess, struct rte_security_ctx **ctx, + uint32_t *ol_flags, const struct ipsec_test_flags *flags, + struct rte_security_session_conf *sess_conf) +{ + uint16_t src_v6[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000, + 0x0000, 0x001a}; + uint16_t dst_v6[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174, + 0xe82c, 0x4887}; + uint32_t src_v4 = rte_cpu_to_be_32(RTE_IPV4(192, 168, 1, 2)); + uint32_t dst_v4 = rte_cpu_to_be_32(RTE_IPV4(192, 168, 1, 1)); + struct rte_security_capability_idx sec_cap_idx; + const struct rte_security_capability *sec_cap; + enum rte_security_ipsec_sa_direction dir; + struct rte_security_ctx *sec_ctx; + uint32_t verify; + int32_t ret = 0; + + sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL; + sess_conf->protocol = RTE_SECURITY_PROTOCOL_IPSEC; + sess_conf->ipsec = sa->ipsec_xform; + + dir = sa->ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src_v4 += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst_v4 += 1; + } + + if (sa->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (sa->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memcpy(&sess_conf->ipsec.tunnel.ipv4.src_ip, &src_v4, + sizeof(src_v4)); + memcpy(&sess_conf->ipsec.tunnel.ipv4.dst_ip, &dst_v4, + sizeof(dst_v4)); + + if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + sess_conf->ipsec.tunnel.ipv4.df = 0; + + if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0) + sess_conf->ipsec.tunnel.ipv4.df = 1; + + if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1) + sess_conf->ipsec.tunnel.ipv4.dscp = 0; + + if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) + sess_conf->ipsec.tunnel.ipv4.dscp = + TEST_IPSEC_DSCP_VAL; + } else { + if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1) + sess_conf->ipsec.tunnel.ipv6.dscp = 0; + + if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) + sess_conf->ipsec.tunnel.ipv6.dscp = + TEST_IPSEC_DSCP_VAL; + + memcpy(&sess_conf->ipsec.tunnel.ipv6.src_addr, &src_v6, + sizeof(src_v6)); + memcpy(&sess_conf->ipsec.tunnel.ipv6.dst_addr, &dst_v6, + sizeof(dst_v6)); + } + } + + /* Save SA as userdata for the security session. When + * the packet is received, this userdata will be + * retrieved using the metadata from the packet. + * + * The PMD is expected to set similar metadata for other + * operations, like rte_eth_event, which are tied to + * security session. In such cases, the userdata could + * be obtained to uniquely identify the security + * parameters denoted. + */ + + sess_conf->userdata = (void *) sa; + + sec_ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(portid); + if (sec_ctx == NULL) { + printf("Ethernet device doesn't support security features.\n"); + return TEST_SKIPPED; + } + + sec_cap_idx.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL; + sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC; + sec_cap_idx.ipsec.proto = sess_conf->ipsec.proto; + sec_cap_idx.ipsec.mode = sess_conf->ipsec.mode; + sec_cap_idx.ipsec.direction = sess_conf->ipsec.direction; + sec_cap = rte_security_capability_get(sec_ctx, &sec_cap_idx); + if (sec_cap == NULL) { + printf("No capabilities registered\n"); + return TEST_SKIPPED; + } + + if (sa->aead || sa->aes_gmac) + memcpy(&sess_conf->ipsec.salt, sa->salt.data, + RTE_MIN(sizeof(sess_conf->ipsec.salt), sa->salt.len)); + + /* Copy cipher session parameters */ + if (sa->aead) { + rte_memcpy(sess_conf->crypto_xform, &sa->xform.aead, + sizeof(struct rte_crypto_sym_xform)); + sess_conf->crypto_xform->aead.key.data = sa->key.data; + /* Verify crypto capabilities */ + if (test_ipsec_crypto_caps_aead_verify(sec_cap, + sess_conf->crypto_xform) != 0) { + RTE_LOG(INFO, USER1, + "Crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + } else { + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + rte_memcpy(&sess_conf->crypto_xform->cipher, + &sa->xform.chain.cipher.cipher, + sizeof(struct rte_crypto_cipher_xform)); + + rte_memcpy(&sess_conf->crypto_xform->next->auth, + &sa->xform.chain.auth.auth, + sizeof(struct rte_crypto_auth_xform)); + sess_conf->crypto_xform->cipher.key.data = + sa->key.data; + sess_conf->crypto_xform->next->auth.key.data = + sa->auth_key.data; + /* Verify crypto capabilities */ + if (test_ipsec_crypto_caps_cipher_verify(sec_cap, + sess_conf->crypto_xform) != 0) { + RTE_LOG(INFO, USER1, + "Cipher crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + + if (test_ipsec_crypto_caps_auth_verify(sec_cap, + sess_conf->crypto_xform->next) != 0) { + RTE_LOG(INFO, USER1, + "Auth crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + } else { + rte_memcpy(&sess_conf->crypto_xform->next->cipher, + &sa->xform.chain.cipher.cipher, + sizeof(struct rte_crypto_cipher_xform)); + rte_memcpy(&sess_conf->crypto_xform->auth, + &sa->xform.chain.auth.auth, + sizeof(struct rte_crypto_auth_xform)); + sess_conf->crypto_xform->auth.key.data = + sa->auth_key.data; + sess_conf->crypto_xform->next->cipher.key.data = + sa->key.data; + + /* Verify crypto capabilities */ + if (test_ipsec_crypto_caps_cipher_verify(sec_cap, + sess_conf->crypto_xform->next) != 0) { + RTE_LOG(INFO, USER1, + "Cipher crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + + if (test_ipsec_crypto_caps_auth_verify(sec_cap, + sess_conf->crypto_xform) != 0) { + RTE_LOG(INFO, USER1, + "Auth crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + } + } + + if (test_ipsec_sec_caps_verify(&sess_conf->ipsec, sec_cap, false) != 0) + return TEST_SKIPPED; + + if ((sa->ipsec_xform.direction == + RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + (sa->ipsec_xform.options.iv_gen_disable == 1)) { + /* Set env variable when IV generation is disabled */ + char arr[128]; + int len = 0, j = 0; + int iv_len = (sa->aead || sa->aes_gmac) ? 8 : 16; + + for (; j < iv_len; j++) + len += snprintf(arr+len, sizeof(arr) - len, + "0x%x, ", sa->iv.data[j]); + setenv("ETH_SEC_IV_OVR", arr, 1); + } + + *sess = rte_security_session_create(sec_ctx, + sess_conf, sess_pool, sess_priv_pool); + if (*sess == NULL) { + printf("SEC Session init failed: err: %d\n", ret); + return TEST_FAILED; + } + + *ol_flags = sec_cap->ol_flags; + *ctx = sec_ctx; + + return 0; +} + +/* Check the link status of all ports in up to 3s, and print them finally */ +static void +check_all_ports_link_status(uint16_t port_num, uint32_t port_mask) +{ +#define CHECK_INTERVAL 100 /* 100ms */ +#define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */ + uint16_t portid; + uint8_t count, all_ports_up, print_flag = 0; + struct rte_eth_link link; + int ret; + char link_status[RTE_ETH_LINK_MAX_STR_LEN]; + + printf("Checking link statuses...\n"); + fflush(stdout); + for (count = 0; count <= MAX_CHECK_TIME; count++) { + all_ports_up = 1; + for (portid = 0; portid < port_num; portid++) { + if ((port_mask & (1 << portid)) == 0) + continue; + memset(&link, 0, sizeof(link)); + ret = rte_eth_link_get_nowait(portid, &link); + if (ret < 0) { + all_ports_up = 0; + if (print_flag == 1) + printf("Port %u link get failed: %s\n", + portid, rte_strerror(-ret)); + continue; + } + + /* print link status if flag set */ + if (print_flag == 1) { + if (link.link_status && link_mbps == 0) + link_mbps = link.link_speed; + + rte_eth_link_to_str(link_status, + sizeof(link_status), &link); + printf("Port %d %s\n", portid, link_status); + continue; + } + /* clear all_ports_up flag if any link down */ + if (link.link_status == RTE_ETH_LINK_DOWN) { + all_ports_up = 0; + break; + } + } + /* after finally printing all link status, get out */ + if (print_flag == 1) + break; + + if (all_ports_up == 0) { + fflush(stdout); + rte_delay_ms(CHECK_INTERVAL); + } + + /* set the print_flag if all ports up or timeout */ + if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1)) + print_flag = 1; + } +} + +static void +print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr) +{ + char buf[RTE_ETHER_ADDR_FMT_SIZE]; + rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr); + printf("%s%s", name, buf); +} + +static void +copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len, + struct rte_mbuf *pkt, unsigned int offset) +{ + unsigned int copied = 0; + unsigned int copy_len; + struct rte_mbuf *seg; + void *seg_buf; + + seg = pkt; + while (offset >= seg->data_len) { + offset -= seg->data_len; + seg = seg->next; + } + copy_len = seg->data_len - offset; + seg_buf = rte_pktmbuf_mtod_offset(seg, char *, offset); + while (len > copy_len) { + rte_memcpy(seg_buf, buf + copied, (size_t) copy_len); + len -= copy_len; + copied += copy_len; + seg = seg->next; + seg_buf = rte_pktmbuf_mtod(seg, void *); + } + rte_memcpy(seg_buf, buf + copied, (size_t) len); +} + +static inline struct rte_mbuf * +init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len) +{ + struct rte_mbuf *pkt; + + pkt = rte_pktmbuf_alloc(mp); + if (pkt == NULL) + return NULL; + if (((data[0] & 0xF0) >> 4) == IPVERSION) { + rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN), + &dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN); + pkt->l3_len = sizeof(struct rte_ipv4_hdr); + } else { + rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN), + &dummy_ipv6_eth_hdr, RTE_ETHER_HDR_LEN); + pkt->l3_len = sizeof(struct rte_ipv6_hdr); + } + pkt->l2_len = RTE_ETHER_HDR_LEN; + + if (pkt->buf_len > (len + RTE_ETHER_HDR_LEN)) + rte_memcpy(rte_pktmbuf_append(pkt, len), data, len); + else + copy_buf_to_pkt_segs(data, len, pkt, RTE_ETHER_HDR_LEN); + return pkt; +} + +static int +init_mempools(unsigned int nb_mbuf) +{ + struct rte_security_ctx *sec_ctx; + uint16_t nb_sess = 512; + uint32_t sess_sz; + char s[64]; + + if (mbufpool == NULL) { + snprintf(s, sizeof(s), "mbuf_pool"); + mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf, + MEMPOOL_CACHE_SIZE, 0, + RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY); + if (mbufpool == NULL) { + printf("Cannot init mbuf pool\n"); + return TEST_FAILED; + } + printf("Allocated mbuf pool \n"); + } + + sec_ctx = rte_eth_dev_get_sec_ctx(port_id); + if (sec_ctx == NULL) { + printf("Device does not support Security ctx\n"); + return TEST_FAILED; + } + sess_sz = rte_security_session_get_size(sec_ctx); + if (sess_pool == NULL) { + snprintf(s, sizeof(s), "sess_pool"); + sess_pool = rte_mempool_create(s, nb_sess, sess_sz, + MEMPOOL_CACHE_SIZE, 0, + NULL, NULL, NULL, NULL, + SOCKET_ID_ANY, 0); + if (sess_pool == NULL) { + printf("Cannot init sess pool\n"); + return TEST_FAILED; + } + printf("Allocated sess pool\n"); + } + if (sess_priv_pool == NULL) { + snprintf(s, sizeof(s), "sess_priv_pool"); + sess_priv_pool = rte_mempool_create(s, nb_sess, sess_sz, + MEMPOOL_CACHE_SIZE, 0, + NULL, NULL, NULL, NULL, + SOCKET_ID_ANY, 0); + if (sess_priv_pool == NULL) { + printf("Cannot init sess_priv pool\n"); + return TEST_FAILED; + } + printf("Allocated sess_priv pool\n"); + } + + return 0; +} + +static void +create_default_flow(uint16_t portid) +{ + struct rte_flow_action action[2]; + struct rte_flow_item pattern[2]; + struct rte_flow_attr attr = {0}; + struct rte_flow_error err; + struct rte_flow *flow; + int ret; + + /* Add the default rte_flow to enable SECURITY for all ESP packets */ + + pattern[0].type = RTE_FLOW_ITEM_TYPE_ESP; + pattern[0].spec = NULL; + pattern[0].mask = NULL; + pattern[0].last = NULL; + pattern[1].type = RTE_FLOW_ITEM_TYPE_END; + + action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY; + action[0].conf = NULL; + action[1].type = RTE_FLOW_ACTION_TYPE_END; + action[1].conf = NULL; + + attr.ingress = 1; + + ret = rte_flow_validate(portid, &attr, pattern, action, &err); + if (ret) { + printf("\nValidate flow failed, ret = %d\n", ret); + return; + } + flow = rte_flow_create(portid, &attr, pattern, action, &err); + if (flow == NULL) { + printf("\nDefault flow rule create failed\n"); + return; + } + + default_flow[portid] = flow; +} + +static void +destroy_default_flow(uint16_t portid) +{ + struct rte_flow_error err; + int ret; + if (!default_flow[portid]) + return; + ret = rte_flow_destroy(portid, default_flow[portid], &err); + if (ret) { + printf("\nDefault flow rule destroy failed\n"); + return; + } + default_flow[portid] = NULL; +} + +struct rte_mbuf **tx_pkts_burst; +struct rte_mbuf **rx_pkts_burst; + +static int +test_ipsec_inline_proto_process(struct ipsec_test_data *td, + struct ipsec_test_data *res_d, + int nb_pkts, + bool silent, + const struct ipsec_test_flags *flags) +{ + struct rte_security_session_conf sess_conf = {0}; + struct rte_crypto_sym_xform cipher = {0}; + struct rte_crypto_sym_xform auth = {0}; + struct rte_crypto_sym_xform aead = {0}; + struct rte_security_session *ses; + struct rte_security_ctx *ctx; + int nb_rx = 0, nb_sent; + uint32_t ol_flags; + int i, j = 0, ret; + + memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts); + + if (td->aead) { + sess_conf.crypto_xform = &aead; + } else { + if (td->ipsec_xform.direction == + RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sess_conf.crypto_xform = &cipher; + sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + sess_conf.crypto_xform->next = &auth; + sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_AUTH; + } else { + sess_conf.crypto_xform = &auth; + sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + sess_conf.crypto_xform->next = &cipher; + sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + } + } + + /* Create Inline IPsec session. */ + ret = create_inline_ipsec_session(td, port_id, &ses, &ctx, + &ol_flags, flags, &sess_conf); + if (ret) + return ret; + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + create_default_flow(port_id); + + for (i = 0; i < nb_pkts; i++) { + tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data, + td->input_text.len); + if (tx_pkts_burst[i] == NULL) { + while (i--) + rte_pktmbuf_free(tx_pkts_burst[i]); + ret = TEST_FAILED; + goto out; + } + + if (test_ipsec_pkt_update(rte_pktmbuf_mtod_offset(tx_pkts_burst[i], + uint8_t *, RTE_ETHER_HDR_LEN), flags)) { + while (i--) + rte_pktmbuf_free(tx_pkts_burst[i]); + ret = TEST_FAILED; + goto out; + } + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + rte_security_set_pkt_metadata(ctx, ses, + tx_pkts_burst[i], NULL); + tx_pkts_burst[i]->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD; + } + } + /* Send packet to ethdev for inline IPsec processing. */ + nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, nb_pkts); + if (nb_sent != nb_pkts) { + printf("\nUnable to TX %d packets", nb_pkts); + for ( ; nb_sent < nb_pkts; nb_sent++) + rte_pktmbuf_free(tx_pkts_burst[nb_sent]); + ret = TEST_FAILED; + goto out; + } + + rte_pause(); + + /* Receive back packet on loopback interface. */ + do { + rte_delay_ms(1); + nb_rx += rte_eth_rx_burst(port_id, 0, &rx_pkts_burst[nb_rx], + nb_sent - nb_rx); + if (nb_rx >= nb_sent) + break; + } while (j++ < 5 || nb_rx == 0); + + if (nb_rx != nb_sent) { + printf("\nUnable to RX all %d packets", nb_sent); + while(--nb_rx) + rte_pktmbuf_free(rx_pkts_burst[nb_rx]); + ret = TEST_FAILED; + goto out; + } + + for (i = 0; i < nb_rx; i++) { + rte_pktmbuf_adj(rx_pkts_burst[i], RTE_ETHER_HDR_LEN); + + ret = test_ipsec_post_process(rx_pkts_burst[i], td, + res_d, silent, flags); + if (ret != TEST_SUCCESS) { + for ( ; i < nb_rx; i++) + rte_pktmbuf_free(rx_pkts_burst[i]); + goto out; + } + + ret = test_ipsec_stats_verify(ctx, ses, flags, + td->ipsec_xform.direction); + if (ret != TEST_SUCCESS) { + for ( ; i < nb_rx; i++) + rte_pktmbuf_free(rx_pkts_burst[i]); + goto out; + } + + rte_pktmbuf_free(rx_pkts_burst[i]); + rx_pkts_burst[i] = NULL; + } + +out: + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + destroy_default_flow(port_id); + + /* Destroy session so that other cases can create the session again */ + rte_security_session_destroy(ctx, ses); + ses = NULL; + + return ret; +} + +static int +ut_setup_inline_ipsec(void) +{ + int ret; + + /* Start device */ + ret = rte_eth_dev_start(port_id); + if (ret < 0) { + printf("rte_eth_dev_start: err=%d, port=%d\n", + ret, port_id); + return ret; + } + /* always enable promiscuous */ + ret = rte_eth_promiscuous_enable(port_id); + if (ret != 0) { + printf("rte_eth_promiscuous_enable: err=%s, port=%d\n", + rte_strerror(-ret), port_id); + return ret; + } + + check_all_ports_link_status(1, RTE_PORT_ALL); + + return 0; +} + +static void +ut_teardown_inline_ipsec(void) +{ + uint16_t portid; + int ret; + + /* port tear down */ + RTE_ETH_FOREACH_DEV(portid) { + ret = rte_eth_dev_stop(portid); + if (ret != 0) + printf("rte_eth_dev_stop: err=%s, port=%u\n", + rte_strerror(-ret), portid); + } +} + +static int +inline_ipsec_testsuite_setup(void) +{ + uint16_t nb_rxd; + uint16_t nb_txd; + uint16_t nb_ports; + int ret; + uint16_t nb_rx_queue = 1, nb_tx_queue = 1; + + printf("Start inline IPsec test.\n"); + + nb_ports = rte_eth_dev_count_avail(); + if (nb_ports < NB_ETHPORTS_USED) { + printf("At least %u port(s) used for test\n", + NB_ETHPORTS_USED); + return -1; + } + + init_mempools(NB_MBUF); + + if (tx_pkts_burst == NULL) { + tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff", + MAX_TRAFFIC_BURST, + sizeof(void *), + RTE_CACHE_LINE_SIZE); + if (!tx_pkts_burst) + return -1; + + rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff", + MAX_TRAFFIC_BURST, + sizeof(void *), + RTE_CACHE_LINE_SIZE); + if (!rx_pkts_burst) + return -1; + } + + printf("Generate %d packets \n", MAX_TRAFFIC_BURST); + + nb_rxd = RTE_TEST_RX_DESC_DEFAULT; + nb_txd = RTE_TEST_TX_DESC_DEFAULT; + + /* configuring port 0 for the test is enough */ + port_id = 0; + /* port configure */ + ret = rte_eth_dev_configure(port_id, nb_rx_queue, + nb_tx_queue, &port_conf); + if (ret < 0) { + printf("Cannot configure device: err=%d, port=%d\n", + ret, port_id); + return ret; + } + ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]); + if (ret < 0) { + printf("Cannot get mac address: err=%d, port=%d\n", + ret, port_id); + return ret; + } + printf("Port %u ", port_id); + print_ethaddr("Address:", &ports_eth_addr[port_id]); + printf("\n"); + + /* tx queue setup */ + ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd, + SOCKET_ID_ANY, &tx_conf); + if (ret < 0) { + printf("rte_eth_tx_queue_setup: err=%d, port=%d\n", + ret, port_id); + return ret; + } + /* rx queue steup */ + ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY, + &rx_conf, mbufpool); + if (ret < 0) { + printf("rte_eth_rx_queue_setup: err=%d, port=%d\n", + ret, port_id); + return ret; + } + test_ipsec_alg_list_populate(); + + return 0; +} + +static void +inline_ipsec_testsuite_teardown(void) +{ + uint16_t portid; + int ret; + + /* port tear down */ + RTE_ETH_FOREACH_DEV(portid) { + ret = rte_eth_dev_reset(portid); + if (ret != 0) + printf("rte_eth_dev_reset: err=%s, port=%u\n", + rte_strerror(-ret), port_id); + } +} + +static int +test_ipsec_inline_proto_known_vec(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + if (td_outb.aead || + td_outb.xform.chain.cipher.cipher.algo != RTE_CRYPTO_CIPHER_NULL) { + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + } + + return test_ipsec_inline_proto_process(&td_outb, NULL, 1, + false, &flags); +} + +static struct unit_test_suite inline_ipsec_testsuite = { + .suite_name = "Inline IPsec Ethernet Device Unit Test Suite", + .setup = inline_ipsec_testsuite_setup, + .teardown = inline_ipsec_testsuite_teardown, + .unit_test_cases = { + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec, + &pkt_null_aes_xcbc), + + TEST_CASES_END() /**< NULL terminate unit test array */ + }, +}; + + +static int +test_inline_ipsec(void) +{ + return unit_test_suite_runner(&inline_ipsec_testsuite); +} + +#endif /* !RTE_EXEC_ENV_WINDOWS */ + +REGISTER_TEST_COMMAND(inline_ipsec_autotest, test_inline_ipsec); diff --git a/app/test/test_security_inline_proto_vectors.h b/app/test/test_security_inline_proto_vectors.h new file mode 100644 index 0000000000..d1074da36a --- /dev/null +++ b/app/test/test_security_inline_proto_vectors.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2022 Marvell. + */ +#ifndef _TEST_INLINE_IPSEC_REASSEMBLY_VECTORS_H_ +#define _TEST_INLINE_IPSEC_REASSEMBLY_VECTORS_H_ + +#include "test_cryptodev_security_ipsec.h" + +uint8_t dummy_ipv4_eth_hdr[] = { + /* ETH */ + 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00, +}; +uint8_t dummy_ipv6_eth_hdr[] = { + /* ETH */ + 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x86, 0xdd, +}; + +#endif From patchwork Sat Apr 16 19:25:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109758 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id ADE55A050A; Sat, 16 Apr 2022 21:25:58 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B1D944161A; Sat, 16 Apr 2022 21:25:53 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 999AD41155 for ; Sat, 16 Apr 2022 21:25:51 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIkBTg028593; Sat, 16 Apr 2022 12:25:50 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=xJN3V4Mulq/Ri0rWW5r52f7g7dJKtyzaW7Tw+jiNzOY=; b=AEwmkSVF6GFyolDiCB2bie0kSP9WJemEY9vgsIqZktPEVXjyfk+VfFLdt3rniqAXwh9K q7pnCWbshp+xTS/PnREZq2EwU0QQrGk4pLyiMxnnXuxWbJvOqGc1ztepzSth585yZ6TF D6PCALgvagfjZfKiWuaNa+TomsQrPA3Hc43m6H7yP/uTyWxaBtbStZ8buanG0M+jWOVy I902k1/Z6kfvt8kFYmjuuRrWJS705Xci1dd70AzjmefypwPQwGkK0q+YZCQub3iDopHu NCGZMt1yrJ+BrZKrISoWX4QhbLQ9yNu8cgfLcPKxNXJeReANSQ2y4VV1tT2tGjbtgm5l vA== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p90y6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:25:50 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:25:49 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:25:49 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id C8D7B3F7076; Sat, 16 Apr 2022 12:25:45 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 02/10] test/security: add inline inbound IPsec cases Date: Sun, 17 Apr 2022 00:55:22 +0530 Message-ID: <20220416192530.173895-3-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: -nvg4NAou6NDS5PODMh1bzykCN9GLGIA X-Proofpoint-ORIG-GUID: -nvg4NAou6NDS5PODMh1bzykCN9GLGIA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added test cases for inline Inbound protocol offload verification with known test vectors from Lookaside mode. Signed-off-by: Akhil Goyal --- app/test/test_security_inline_proto.c | 65 +++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index aeb5a57aca..fc0525479c 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -818,6 +818,24 @@ test_ipsec_inline_proto_known_vec(const void *test_data) false, &flags); } +static int +test_ipsec_inline_proto_known_vec_inb(const void *test_data) +{ + const struct ipsec_test_data *td = test_data; + struct ipsec_test_flags flags; + struct ipsec_test_data td_inb; + + memset(&flags, 0, sizeof(flags)); + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + test_ipsec_td_in_from_out(td, &td_inb); + else + memcpy(&td_inb, td, sizeof(td_inb)); + + return test_ipsec_inline_proto_process(&td_inb, NULL, 1, false, &flags); +} + + static struct unit_test_suite inline_ipsec_testsuite = { .suite_name = "Inline IPsec Ethernet Device Unit Test Suite", .setup = inline_ipsec_testsuite_setup, @@ -864,6 +882,53 @@ static struct unit_test_suite inline_ipsec_testsuite = { ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_known_vec, &pkt_null_aes_xcbc), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, &pkt_aes_128_cbc_null), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_inb, + &pkt_null_aes_xcbc), + + TEST_CASES_END() /**< NULL terminate unit test array */ }, From patchwork Sat Apr 16 19:25:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109759 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id A87AAA050A; Sat, 16 Apr 2022 21:26:04 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id C97C140E25; Sat, 16 Apr 2022 21:25:57 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id A168340685 for ; Sat, 16 Apr 2022 21:25:55 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIhiNw024978; Sat, 16 Apr 2022 12:25:54 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=bGxaY8C8a7BceNZVjVwq/cPTkhW9BzVGZyJYGEDmoWg=; b=bs8kUzh0gVgoYXFKHpASjInRk8xcX5jvXYWdnYyhAEBpL/AoeohitQlsblCdSWa1t9Fn 4g77ikUymlF8+cdUdrFqVuXDtN2Z0fNSNtP6rtouO+y8mEq6gFfSPtUmZYgjCEGSa77M ZUWtnk8dL7eJxX9PelQSs3EpB8qLU511dVbdLe3RT8Rle63bStLrNnWTPLp1KDEoDRJC xqTzQN8tXXW0smBCDxNHveBitm1JYSLFi6QBnOq/iB6omHCs30gbIYoP0Mf9uqzbGNxV aoW/n1ODa67dYREmpgNYriDJvO5s/lo/CRpLv4VqcrMjK4cYKwMbih84Y7ZRRiU2Q5mK ng== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p90yb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:25:54 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:25:53 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:25:53 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id A70183F707A; Sat, 16 Apr 2022 12:25:49 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 03/10] test/security: add combined mode inline IPsec cases Date: Sun, 17 Apr 2022 00:55:23 +0530 Message-ID: <20220416192530.173895-4-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: MZQ9HndjKIlIQf8-jJbLSkFViuJwfAwG X-Proofpoint-ORIG-GUID: MZQ9HndjKIlIQf8-jJbLSkFViuJwfAwG X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added combined encap and decap test cases for various algorithm combinations Signed-off-by: Akhil Goyal --- app/test/test_security_inline_proto.c | 102 ++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index fc0525479c..890bc10115 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -661,6 +661,92 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, return ret; } +static int +test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_data td_inb; + unsigned int i, nb_pkts = 1, pass_cnt = 0, fail_cnt = 0; + int ret; + + if (flags->iv_gen || flags->sa_expiry_pkts_soft || + flags->sa_expiry_pkts_hard) + nb_pkts = IPSEC_TEST_PACKETS_MAX; + + for (i = 0; i < RTE_DIM(alg_list); i++) { + test_ipsec_td_prepare(alg_list[i].param1, + alg_list[i].param2, + flags, &td_outb, 1); + + if (!td_outb.aead) { + enum rte_crypto_cipher_algorithm cipher_alg; + enum rte_crypto_auth_algorithm auth_alg; + + cipher_alg = td_outb.xform.chain.cipher.cipher.algo; + auth_alg = td_outb.xform.chain.auth.auth.algo; + + if (td_outb.aes_gmac && cipher_alg != RTE_CRYPTO_CIPHER_NULL) + continue; + + /* ICV is not applicable for NULL auth */ + if (flags->icv_corrupt && + auth_alg == RTE_CRYPTO_AUTH_NULL) + continue; + + /* IV is not applicable for NULL cipher */ + if (flags->iv_gen && + cipher_alg == RTE_CRYPTO_CIPHER_NULL) + continue; + } + + if (flags->udp_encap) + td_outb.ipsec_xform.options.udp_encap = 1; + + ret = test_ipsec_inline_proto_process(&td_outb, &td_inb, nb_pkts, + false, flags); + if (ret == TEST_SKIPPED) + continue; + + if (ret == TEST_FAILED) { + printf("\n TEST FAILED"); + test_ipsec_display_alg(alg_list[i].param1, + alg_list[i].param2); + fail_cnt++; + continue; + } + + test_ipsec_td_update(&td_inb, &td_outb, 1, flags); + + ret = test_ipsec_inline_proto_process(&td_inb, NULL, nb_pkts, + false, flags); + if (ret == TEST_SKIPPED) + continue; + + if (ret == TEST_FAILED) { + printf("\n TEST FAILED"); + test_ipsec_display_alg(alg_list[i].param1, + alg_list[i].param2); + fail_cnt++; + continue; + } + + if (flags->display_alg) + test_ipsec_display_alg(alg_list[i].param1, + alg_list[i].param2); + + pass_cnt++; + } + + printf("Tests passed: %d, failed: %d", pass_cnt, fail_cnt); + if (fail_cnt > 0) + return TEST_FAILED; + if (pass_cnt > 0) + return TEST_SUCCESS; + else + return TEST_SKIPPED; +} + + static int ut_setup_inline_ipsec(void) { @@ -835,6 +921,17 @@ test_ipsec_inline_proto_known_vec_inb(const void *test_data) return test_ipsec_inline_proto_process(&td_inb, NULL, 1, false, &flags); } +static int +test_ipsec_inline_proto_display_list(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.display_alg = true; + + return test_ipsec_inline_proto_all(&flags); +} static struct unit_test_suite inline_ipsec_testsuite = { .suite_name = "Inline IPsec Ethernet Device Unit Test Suite", @@ -928,6 +1025,11 @@ static struct unit_test_suite inline_ipsec_testsuite = { test_ipsec_inline_proto_known_vec_inb, &pkt_null_aes_xcbc), + TEST_CASE_NAMED_ST( + "Combined test alg list", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_display_list), + TEST_CASES_END() /**< NULL terminate unit test array */ From patchwork Sat Apr 16 19:25:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109760 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 43734A050A; Sat, 16 Apr 2022 21:26:10 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B9660427EC; Sat, 16 Apr 2022 21:26:01 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id C94DA427EC for ; Sat, 16 Apr 2022 21:25:59 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GHPPsH000488; Sat, 16 Apr 2022 12:25:59 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=RAO5ZyYUW5ZqJDw9U4nev0d2D9Z5Hcpj7uvm9plCXf4=; b=isTiWjo7E3r/k/xTuH7THeuae9lpwLzBgHxt4p5M7qxkuco0E7f9Bd0R3gEl9wEJLnZd j7ZrK6HpizAe+eqUqcgVSsG11y7bDXXQI4b8gJiMthbZH+CxKLavNZs9kCNRQpO2fSzm CyTc/fjwXckvx2lOlIpVm/vMK0ZBJaHANopD42yrrngwVn3sjc6cUWvam6Dba/tmb/Xm gD9ZXdm+yZL5v6kpER3ECP17ez7urg2niQlgnPqWK2IGuMSovdmf0tOPTaA5fENzLGCj Iw+2YBDCuEZGzTPgup9AI868o9jFEni0DAkQMqyBuvVqVM1ywZ03HE5YA2+xbKb2z+LQ gQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p90ye-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:25:58 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 16 Apr 2022 12:25:57 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:25:57 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id 86EBD3F7076; Sat, 16 Apr 2022 12:25:53 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 04/10] test/security: add inline IPsec reassembly cases Date: Sun, 17 Apr 2022 00:55:24 +0530 Message-ID: <20220416192530.173895-5-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: yRBSEMz4SUQmxDcIaFlT4-i0kfog90jq X-Proofpoint-ORIG-GUID: yRBSEMz4SUQmxDcIaFlT4-i0kfog90jq X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added unit test cases for IP reassembly of inline IPsec inbound scenarios. In these cases, known test vectors of fragments are first processed for inline outbound processing and then received back on loopback interface for inbound processing along with IP reassembly of the corresponding decrypted packets. The resultant plain text reassembled packet is compared with original unfragmented packet. In this patch, cases are added for 2/4/5 fragments for both IPv4 and IPv6 packets. A few negative test cases are also added like incomplete fragments, out of place fragments, duplicate fragments. Signed-off-by: Akhil Goyal --- app/test/test_security_inline_proto.c | 421 ++++++++++- app/test/test_security_inline_proto_vectors.h | 684 ++++++++++++++++++ 2 files changed, 1104 insertions(+), 1 deletion(-) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 890bc10115..9ddc3f7dd4 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -41,6 +41,9 @@ test_inline_ipsec(void) #define MAX_TRAFFIC_BURST 2048 #define NB_MBUF 10240 +#define ENCAP_DECAP_BURST_SZ 33 +#define APP_REASS_TIMEOUT 10 + extern struct ipsec_test_data pkt_aes_128_gcm; extern struct ipsec_test_data pkt_aes_192_gcm; extern struct ipsec_test_data pkt_aes_256_gcm; @@ -94,6 +97,8 @@ uint16_t port_id; static uint64_t link_mbps; +static int ip_reassembly_dynfield_offset = -1; + static struct rte_flow *default_flow[RTE_MAX_ETHPORTS]; /* Create Inline IPsec session */ @@ -528,6 +533,347 @@ destroy_default_flow(uint16_t portid) struct rte_mbuf **tx_pkts_burst; struct rte_mbuf **rx_pkts_burst; +static int +compare_pkt_data(struct rte_mbuf *m, uint8_t *ref, unsigned int tot_len) +{ + unsigned int len; + unsigned int nb_segs = m->nb_segs; + unsigned int matched = 0; + struct rte_mbuf *save = m; + + while (m) { + len = tot_len; + if (len > m->data_len) + len = m->data_len; + if (len != 0) { + if (memcmp(rte_pktmbuf_mtod(m, char *), + ref + matched, len)) { + printf("\n====Reassembly case failed: Data Mismatch"); + rte_hexdump(stdout, "Reassembled", + rte_pktmbuf_mtod(m, char *), + len); + rte_hexdump(stdout, "reference", + ref + matched, + len); + return TEST_FAILED; + } + } + tot_len -= len; + matched += len; + m = m->next; + } + + if (tot_len) { + printf("\n====Reassembly case failed: Data Missing %u", + tot_len); + printf("\n====nb_segs %u, tot_len %u", nb_segs, tot_len); + rte_pktmbuf_dump(stderr, save, -1); + return TEST_FAILED; + } + return TEST_SUCCESS; +} + +static inline bool +is_ip_reassembly_incomplete(struct rte_mbuf *mbuf) +{ + static uint64_t ip_reassembly_dynflag; + int ip_reassembly_dynflag_offset; + + if (ip_reassembly_dynflag == 0) { + ip_reassembly_dynflag_offset = rte_mbuf_dynflag_lookup( + RTE_MBUF_DYNFLAG_IP_REASSEMBLY_INCOMPLETE_NAME, NULL); + if (ip_reassembly_dynflag_offset < 0) + return false; + ip_reassembly_dynflag = RTE_BIT64(ip_reassembly_dynflag_offset); + } + + return (mbuf->ol_flags & ip_reassembly_dynflag) != 0; +} + +static void +free_mbuf(struct rte_mbuf *mbuf) +{ + rte_eth_ip_reassembly_dynfield_t dynfield; + + if (!mbuf) + return; + + if (!is_ip_reassembly_incomplete(mbuf)) { + rte_pktmbuf_free(mbuf); + } else { + if (ip_reassembly_dynfield_offset < 0) + return; + + while (mbuf) { + dynfield = *RTE_MBUF_DYNFIELD(mbuf, + ip_reassembly_dynfield_offset, + rte_eth_ip_reassembly_dynfield_t *); + rte_pktmbuf_free(mbuf); + mbuf = dynfield.next_frag; + } + } +} + + +static int +get_and_verify_incomplete_frags(struct rte_mbuf *mbuf, + struct reassembly_vector *vector) +{ + rte_eth_ip_reassembly_dynfield_t *dynfield[MAX_PKT_BURST]; + int j = 0, ret; + /** + * IP reassembly offload is incomplete, and fragments are listed in + * dynfield which can be reassembled in SW. + */ + printf("\nHW IP Reassembly is not complete; attempt SW IP Reassembly," + "\nMatching with original frags."); + + if (ip_reassembly_dynfield_offset < 0) + return -1; + + printf("\ncomparing frag: %d", j); + /* Skip Ethernet header comparison */ + rte_pktmbuf_adj(mbuf, RTE_ETHER_HDR_LEN); + ret = compare_pkt_data(mbuf, vector->frags[j]->data, + vector->frags[j]->len); + if (ret) + return ret; + j++; + dynfield[j] = RTE_MBUF_DYNFIELD(mbuf, ip_reassembly_dynfield_offset, + rte_eth_ip_reassembly_dynfield_t *); + printf("\ncomparing frag: %d", j); + /* Skip Ethernet header comparison */ + rte_pktmbuf_adj(dynfield[j]->next_frag, RTE_ETHER_HDR_LEN); + ret = compare_pkt_data(dynfield[j]->next_frag, vector->frags[j]->data, + vector->frags[j]->len); + if (ret) + return ret; + + while ((dynfield[j]->nb_frags > 1) && + is_ip_reassembly_incomplete(dynfield[j]->next_frag)) { + j++; + dynfield[j] = RTE_MBUF_DYNFIELD(dynfield[j-1]->next_frag, + ip_reassembly_dynfield_offset, + rte_eth_ip_reassembly_dynfield_t *); + printf("\ncomparing frag: %d", j); + /* Skip Ethernet header comparison */ + rte_pktmbuf_adj(dynfield[j]->next_frag, RTE_ETHER_HDR_LEN); + ret = compare_pkt_data(dynfield[j]->next_frag, + vector->frags[j]->data, vector->frags[j]->len); + if (ret) + return ret; + } + return ret; +} + +static int +test_ipsec_with_reassembly(struct reassembly_vector *vector, + const struct ipsec_test_flags *flags) +{ + struct rte_security_session *out_ses[ENCAP_DECAP_BURST_SZ] = {0}; + struct rte_security_session *in_ses[ENCAP_DECAP_BURST_SZ] = {0}; + struct rte_eth_ip_reassembly_params reass_capa = {0}; + struct rte_security_session_conf sess_conf_out = {0}; + struct rte_security_session_conf sess_conf_in = {0}; + unsigned int nb_tx, burst_sz, nb_sent = 0; + struct rte_crypto_sym_xform cipher_out = {0}; + struct rte_crypto_sym_xform auth_out = {0}; + struct rte_crypto_sym_xform aead_out = {0}; + struct rte_crypto_sym_xform cipher_in = {0}; + struct rte_crypto_sym_xform auth_in = {0}; + struct rte_crypto_sym_xform aead_in = {0}; + struct ipsec_test_data sa_data = {0}; + struct rte_security_ctx *ctx; + unsigned int i, nb_rx = 0, j; + uint32_t ol_flags; + int ret = 0; + + burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1; + nb_tx = vector->nb_frags * burst_sz; + + rte_eth_dev_stop(port_id); + if (ret != 0) { + printf("rte_eth_dev_stop: err=%s, port=%u\n", + rte_strerror(-ret), port_id); + return ret; + } + rte_eth_ip_reassembly_capability_get(port_id, &reass_capa); + if (reass_capa.max_frags < vector->nb_frags) + return TEST_SKIPPED; + if (reass_capa.timeout_ms > APP_REASS_TIMEOUT) { + reass_capa.timeout_ms = APP_REASS_TIMEOUT; + rte_eth_ip_reassembly_conf_set(port_id, &reass_capa); + } + + ret = rte_eth_dev_start(port_id); + if (ret < 0) { + printf("rte_eth_dev_start: err=%d, port=%d\n", + ret, port_id); + return ret; + } + + memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx); + memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx); + + for (i = 0; i < nb_tx; i += vector->nb_frags) { + for (j = 0; j < vector->nb_frags; j++) { + tx_pkts_burst[i+j] = init_packet(mbufpool, + vector->frags[j]->data, + vector->frags[j]->len); + if (tx_pkts_burst[i+j] == NULL) { + ret = -1; + printf("\n packed init failed\n"); + goto out; + } + } + } + + for (i = 0; i < burst_sz; i++) { + memcpy(&sa_data, vector->sa_data, + sizeof(struct ipsec_test_data)); + /* Update SPI for every new SA */ + sa_data.ipsec_xform.spi += i; + sa_data.ipsec_xform.direction = + RTE_SECURITY_IPSEC_SA_DIR_EGRESS; + if (sa_data.aead) { + sess_conf_out.crypto_xform = &aead_out; + } else { + sess_conf_out.crypto_xform = &cipher_out; + sess_conf_out.crypto_xform->next = &auth_out; + } + + /* Create Inline IPsec outbound session. */ + ret = create_inline_ipsec_session(&sa_data, port_id, + &out_ses[i], &ctx, &ol_flags, flags, + &sess_conf_out); + if (ret) { + printf("\nInline outbound session create failed\n"); + goto out; + } + } + + j = 0; + for (i = 0; i < nb_tx; i++) { + if (ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + rte_security_set_pkt_metadata(ctx, + out_ses[j], tx_pkts_burst[i], NULL); + tx_pkts_burst[i]->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD; + + /* Move to next SA after nb_frags */ + if ((i + 1) % vector->nb_frags == 0) + j++; + } + + for (i = 0; i < burst_sz; i++) { + memcpy(&sa_data, vector->sa_data, + sizeof(struct ipsec_test_data)); + /* Update SPI for every new SA */ + sa_data.ipsec_xform.spi += i; + sa_data.ipsec_xform.direction = + RTE_SECURITY_IPSEC_SA_DIR_INGRESS; + + if (sa_data.aead) { + sess_conf_in.crypto_xform = &aead_in; + } else { + sess_conf_in.crypto_xform = &auth_in; + sess_conf_in.crypto_xform->next = &cipher_in; + } + /* Create Inline IPsec inbound session. */ + ret = create_inline_ipsec_session(&sa_data, port_id, &in_ses[i], + &ctx, &ol_flags, flags, &sess_conf_in); + if (ret) { + printf("\nInline inbound session create failed\n"); + goto out; + } + } + + /* Retrieve reassembly dynfield offset if available */ + if (ip_reassembly_dynfield_offset < 0 && vector->nb_frags > 1) + ip_reassembly_dynfield_offset = rte_mbuf_dynfield_lookup( + RTE_MBUF_DYNFIELD_IP_REASSEMBLY_NAME, NULL); + + + create_default_flow(port_id); + + nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, nb_tx); + if (nb_sent != nb_tx) { + ret = -1; + printf("\nFailed to tx %u pkts", nb_tx); + goto out; + } + + rte_delay_ms(1); + + /* Retry few times before giving up */ + nb_rx = 0; + j = 0; + do { + nb_rx += rte_eth_rx_burst(port_id, 0, &rx_pkts_burst[nb_rx], + nb_tx - nb_rx); + j++; + if (nb_rx >= nb_tx) + break; + rte_delay_ms(1); + } while (j < 5 || !nb_rx); + + /* Check for minimum number of Rx packets expected */ + if ((vector->nb_frags == 1 && nb_rx != nb_tx) || + (vector->nb_frags > 1 && nb_rx < burst_sz)) { + printf("\nreceived less Rx pkts(%u) pkts\n", nb_rx); + ret = TEST_FAILED; + goto out; + } + + for (i = 0; i < nb_rx; i++) { + if (vector->nb_frags > 1 && + is_ip_reassembly_incomplete(rx_pkts_burst[i])) { + ret = get_and_verify_incomplete_frags(rx_pkts_burst[i], + vector); + if (ret != TEST_SUCCESS) + break; + continue; + } + + if (rx_pkts_burst[i]->ol_flags & + RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED || + !(rx_pkts_burst[i]->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD)) { + printf("\nsecurity offload failed\n"); + ret = TEST_FAILED; + break; + } + + if (vector->full_pkt->len + RTE_ETHER_HDR_LEN != + rx_pkts_burst[i]->pkt_len) { + printf("\nreassembled/decrypted packet length mismatch\n"); + ret = TEST_FAILED; + break; + } + rte_pktmbuf_adj(rx_pkts_burst[i], RTE_ETHER_HDR_LEN); + ret = compare_pkt_data(rx_pkts_burst[i], + vector->full_pkt->data, + vector->full_pkt->len); + if (ret != TEST_SUCCESS) + break; + } + +out: + destroy_default_flow(port_id); + + /* Clear session data. */ + for (i = 0; i < burst_sz; i++) { + if (out_ses[i]) + rte_security_session_destroy(ctx, out_ses[i]); + if (in_ses[i]) + rte_security_session_destroy(ctx, in_ses[i]); + } + + for (i = nb_sent; i < nb_tx; i++) + free_mbuf(tx_pkts_burst[i]); + for (i = 0; i < nb_rx; i++) + free_mbuf(rx_pkts_burst[i]); + return ret; +} + static int test_ipsec_inline_proto_process(struct ipsec_test_data *td, struct ipsec_test_data *res_d, @@ -775,6 +1121,7 @@ ut_setup_inline_ipsec(void) static void ut_teardown_inline_ipsec(void) { + struct rte_eth_ip_reassembly_params reass_conf = {0}; uint16_t portid; int ret; @@ -784,6 +1131,9 @@ ut_teardown_inline_ipsec(void) if (ret != 0) printf("rte_eth_dev_stop: err=%s, port=%u\n", rte_strerror(-ret), portid); + + /* Clear reassembly configuration */ + rte_eth_ip_reassembly_conf_set(portid, &reass_conf); } } @@ -884,6 +1234,36 @@ inline_ipsec_testsuite_teardown(void) } } +static int +test_inline_ip_reassembly(const void *testdata) +{ + struct reassembly_vector reassembly_td = {0}; + const struct reassembly_vector *td = testdata; + struct ip_reassembly_test_packet full_pkt; + struct ip_reassembly_test_packet frags[MAX_FRAGS]; + struct ipsec_test_flags flags = {0}; + int i = 0; + + reassembly_td.sa_data = td->sa_data; + reassembly_td.nb_frags = td->nb_frags; + reassembly_td.burst = td->burst; + + memcpy(&full_pkt, td->full_pkt, + sizeof(struct ip_reassembly_test_packet)); + reassembly_td.full_pkt = &full_pkt; + + test_vector_payload_populate(reassembly_td.full_pkt, true); + for (; i < reassembly_td.nb_frags; i++) { + memcpy(&frags[i], td->frags[i], + sizeof(struct ip_reassembly_test_packet)); + reassembly_td.frags[i] = &frags[i]; + test_vector_payload_populate(reassembly_td.frags[i], + (i == 0) ? true : false); + } + + return test_ipsec_with_reassembly(&reassembly_td, &flags); +} + static int test_ipsec_inline_proto_known_vec(const void *test_data) { @@ -1030,7 +1410,46 @@ static struct unit_test_suite inline_ipsec_testsuite = { ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_display_list), - + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with 2 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_2frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv6 Reassembly with 2 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv6_2frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with 4 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_4frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv6 Reassembly with 4 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv6_4frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with 5 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_5frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv6 Reassembly with 5 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv6_5frag_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with incomplete fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_incomplete_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with overlapping fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_overlap_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with out of order fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_out_of_order_vector), + TEST_CASE_NAMED_WITH_DATA( + "IPv4 Reassembly with burst of 4 fragments", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_inline_ip_reassembly, &ipv4_4frag_burst_vector), TEST_CASES_END() /**< NULL terminate unit test array */ }, diff --git a/app/test/test_security_inline_proto_vectors.h b/app/test/test_security_inline_proto_vectors.h index d1074da36a..c18965d80f 100644 --- a/app/test/test_security_inline_proto_vectors.h +++ b/app/test/test_security_inline_proto_vectors.h @@ -17,4 +17,688 @@ uint8_t dummy_ipv6_eth_hdr[] = { 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x86, 0xdd, }; +#define MAX_FRAG_LEN 1500 +#define MAX_FRAGS 6 +#define MAX_PKT_LEN (MAX_FRAG_LEN * MAX_FRAGS) + +struct ip_reassembly_test_packet { + uint32_t len; + uint32_t l4_offset; + uint8_t data[MAX_PKT_LEN]; +}; + +struct reassembly_vector { + /* input/output text in struct ipsec_test_data are not used */ + struct ipsec_test_data *sa_data; + struct ip_reassembly_test_packet *full_pkt; + struct ip_reassembly_test_packet *frags[MAX_FRAGS]; + uint16_t nb_frags; + bool burst; +}; + +/* The source file includes below test vectors */ +/* IPv6: + * + * 1) pkt_ipv6_udp_p1 + * pkt_ipv6_udp_p1_f1 + * pkt_ipv6_udp_p1_f2 + * + * 2) pkt_ipv6_udp_p2 + * pkt_ipv6_udp_p2_f1 + * pkt_ipv6_udp_p2_f2 + * pkt_ipv6_udp_p2_f3 + * pkt_ipv6_udp_p2_f4 + * + * 3) pkt_ipv6_udp_p3 + * pkt_ipv6_udp_p3_f1 + * pkt_ipv6_udp_p3_f2 + * pkt_ipv6_udp_p3_f3 + * pkt_ipv6_udp_p3_f4 + * pkt_ipv6_udp_p3_f5 + */ + +/* IPv4: + * + * 1) pkt_ipv4_udp_p1 + * pkt_ipv4_udp_p1_f1 + * pkt_ipv4_udp_p1_f2 + * + * 2) pkt_ipv4_udp_p2 + * pkt_ipv4_udp_p2_f1 + * pkt_ipv4_udp_p2_f2 + * pkt_ipv4_udp_p2_f3 + * pkt_ipv4_udp_p2_f4 + * + * 3) pkt_ipv4_udp_p3 + * pkt_ipv4_udp_p3_f1 + * pkt_ipv4_udp_p3_f2 + * pkt_ipv4_udp_p3_f3 + * pkt_ipv4_udp_p3_f4 + * pkt_ipv4_udp_p3_f5 + */ + +struct ip_reassembly_test_packet pkt_ipv6_udp_p1 = { + .len = 1500, + .l4_offset = 40, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0xb4, 0x2C, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x05, 0xb4, 0x2b, 0xe8, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p1_f1 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x00, 0x01, 0x5c, 0x92, 0xac, 0xf1, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x05, 0xb4, 0x2b, 0xe8, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p1_f2 = { + .len = 172, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x00, 0x84, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x05, 0x38, 0x5c, 0x92, 0xac, 0xf1, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p2 = { + .len = 4482, + .l4_offset = 40, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x11, 0x5a, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x11, 0x5a, 0x8a, 0x11, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p2_f1 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x00, 0x01, 0x64, 0x6c, 0x68, 0x9f, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x11, 0x5a, 0x8a, 0x11, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p2_f2 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x05, 0x39, 0x64, 0x6c, 0x68, 0x9f, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p2_f3 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x0a, 0x71, 0x64, 0x6c, 0x68, 0x9f, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p2_f4 = { + .len = 482, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x01, 0xba, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x0f, 0xa8, 0x64, 0x6c, 0x68, 0x9f, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3 = { + .len = 5782, + .l4_offset = 40, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x16, 0x6e, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x16, 0x6e, 0x2f, 0x99, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3_f1 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x00, 0x01, 0x65, 0xcf, 0x5a, 0xae, + + /* UDP */ + 0x80, 0x00, 0x27, 0x10, 0x16, 0x6e, 0x2f, 0x99, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3_f2 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x05, 0x39, 0x65, 0xcf, 0x5a, 0xae, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3_f3 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x0a, 0x71, 0x65, 0xcf, 0x5a, 0xae, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3_f4 = { + .len = 1384, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x05, 0x40, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x0f, 0xa9, 0x65, 0xcf, 0x5a, 0xae, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv6_udp_p3_f5 = { + .len = 446, + .l4_offset = 48, + .data = { + /* IP */ + 0x60, 0x00, 0x00, 0x00, 0x01, 0x96, 0x2c, 0x40, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x0d, 0x00, 0x00, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x02, 0x00, 0x00, 0x02, + 0x11, 0x00, 0x14, 0xe0, 0x65, 0xcf, 0x5a, 0xae, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p1 = { + .len = 1500, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0xdc, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x11, 0x66, 0x0d, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x05, 0xc8, 0xb8, 0x4c, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p1_f1 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x01, 0x20, 0x00, + 0x40, 0x11, 0x46, 0x5d, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x05, 0xc8, 0xb8, 0x4c, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p1_f2 = { + .len = 100, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x64, 0x00, 0x01, 0x00, 0xaf, + 0x40, 0x11, 0x6a, 0xd6, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p2 = { + .len = 4482, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x11, 0x82, 0x00, 0x02, 0x00, 0x00, + 0x40, 0x11, 0x5a, 0x66, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x11, 0x6e, 0x16, 0x76, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p2_f1 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x02, 0x20, 0x00, + 0x40, 0x11, 0x46, 0x5c, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x11, 0x6e, 0x16, 0x76, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p2_f2 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x02, 0x20, 0xaf, + 0x40, 0x11, 0x45, 0xad, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p2_f3 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x02, 0x21, 0x5e, + 0x40, 0x11, 0x44, 0xfe, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p2_f4 = { + .len = 282, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x01, 0x1a, 0x00, 0x02, 0x02, 0x0d, + 0x40, 0x11, 0x68, 0xc1, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3 = { + .len = 5782, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x16, 0x96, 0x00, 0x03, 0x00, 0x00, + 0x40, 0x11, 0x55, 0x51, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x08, 0x00, 0x27, 0x10, 0x16, 0x82, 0xbb, 0xfd, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3_f1 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x03, 0x20, 0x00, + 0x40, 0x11, 0x46, 0x5b, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + + /* UDP */ + 0x80, 0x00, 0x27, 0x10, 0x16, 0x82, 0xbb, 0xfd, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3_f2 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x03, 0x20, 0xaf, + 0x40, 0x11, 0x45, 0xac, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3_f3 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x03, 0x21, 0x5e, + 0x40, 0x11, 0x44, 0xfd, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3_f4 = { + .len = 1420, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x05, 0x8c, 0x00, 0x03, 0x22, 0x0d, + 0x40, 0x11, 0x44, 0x4e, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +struct ip_reassembly_test_packet pkt_ipv4_udp_p3_f5 = { + .len = 182, + .l4_offset = 20, + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0xb6, 0x00, 0x03, 0x02, 0xbc, + 0x40, 0x11, 0x68, 0x75, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, + }, +}; + +static inline void +test_vector_payload_populate(struct ip_reassembly_test_packet *pkt, + bool first_frag) +{ + uint32_t i = pkt->l4_offset; + + /** + * For non-fragmented packets and first frag, skip 8 bytes from + * l4_offset for UDP header. + */ + if (first_frag) + i += 8; + + for (; i < pkt->len; i++) + pkt->data[i] = 0x58; +} + +struct ipsec_test_data conf_aes_128_gcm = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 + }, + }, + + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .salt = 0xbebafeca, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .options.ip_reassembly_en = 1, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = 0, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +struct ipsec_test_data conf_aes_128_gcm_v6_tunnel = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 + }, + }, + + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .salt = 0xbebafeca, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .options.ip_reassembly_en = 1, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = 0, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +const struct reassembly_vector ipv4_2frag_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p1, + .frags[0] = &pkt_ipv4_udp_p1_f1, + .frags[1] = &pkt_ipv4_udp_p1_f2, + .nb_frags = 2, + .burst = false, +}; + +const struct reassembly_vector ipv6_2frag_vector = { + .sa_data = &conf_aes_128_gcm_v6_tunnel, + .full_pkt = &pkt_ipv6_udp_p1, + .frags[0] = &pkt_ipv6_udp_p1_f1, + .frags[1] = &pkt_ipv6_udp_p1_f2, + .nb_frags = 2, + .burst = false, +}; + +const struct reassembly_vector ipv4_4frag_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p2, + .frags[0] = &pkt_ipv4_udp_p2_f1, + .frags[1] = &pkt_ipv4_udp_p2_f2, + .frags[2] = &pkt_ipv4_udp_p2_f3, + .frags[3] = &pkt_ipv4_udp_p2_f4, + .nb_frags = 4, + .burst = false, +}; + +const struct reassembly_vector ipv6_4frag_vector = { + .sa_data = &conf_aes_128_gcm_v6_tunnel, + .full_pkt = &pkt_ipv6_udp_p2, + .frags[0] = &pkt_ipv6_udp_p2_f1, + .frags[1] = &pkt_ipv6_udp_p2_f2, + .frags[2] = &pkt_ipv6_udp_p2_f3, + .frags[3] = &pkt_ipv6_udp_p2_f4, + .nb_frags = 4, + .burst = false, +}; +const struct reassembly_vector ipv4_5frag_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p3, + .frags[0] = &pkt_ipv4_udp_p3_f1, + .frags[1] = &pkt_ipv4_udp_p3_f2, + .frags[2] = &pkt_ipv4_udp_p3_f3, + .frags[3] = &pkt_ipv4_udp_p3_f4, + .frags[4] = &pkt_ipv4_udp_p3_f5, + .nb_frags = 5, + .burst = false, +}; +const struct reassembly_vector ipv6_5frag_vector = { + .sa_data = &conf_aes_128_gcm_v6_tunnel, + .full_pkt = &pkt_ipv6_udp_p3, + .frags[0] = &pkt_ipv6_udp_p3_f1, + .frags[1] = &pkt_ipv6_udp_p3_f2, + .frags[2] = &pkt_ipv6_udp_p3_f3, + .frags[3] = &pkt_ipv6_udp_p3_f4, + .frags[4] = &pkt_ipv6_udp_p3_f5, + .nb_frags = 5, + .burst = false, +}; +/* Negative test cases. */ +const struct reassembly_vector ipv4_incomplete_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p2, + .frags[0] = &pkt_ipv4_udp_p2_f1, + .frags[1] = &pkt_ipv4_udp_p2_f2, + .nb_frags = 2, + .burst = false, +}; +const struct reassembly_vector ipv4_overlap_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p1, + .frags[0] = &pkt_ipv4_udp_p1_f1, + .frags[1] = &pkt_ipv4_udp_p1_f1, /* Overlap */ + .frags[2] = &pkt_ipv4_udp_p1_f2, + .nb_frags = 3, + .burst = false, +}; +const struct reassembly_vector ipv4_out_of_order_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p2, + .frags[0] = &pkt_ipv4_udp_p2_f1, + .frags[1] = &pkt_ipv4_udp_p2_f3, + .frags[2] = &pkt_ipv4_udp_p2_f4, + .frags[3] = &pkt_ipv4_udp_p2_f2, /* out of order */ + .nb_frags = 4, + .burst = false, +}; +const struct reassembly_vector ipv4_4frag_burst_vector = { + .sa_data = &conf_aes_128_gcm, + .full_pkt = &pkt_ipv4_udp_p2, + .frags[0] = &pkt_ipv4_udp_p2_f1, + .frags[1] = &pkt_ipv4_udp_p2_f2, + .frags[2] = &pkt_ipv4_udp_p2_f3, + .frags[3] = &pkt_ipv4_udp_p2_f4, + .nb_frags = 4, + .burst = true, +}; + #endif From patchwork Sat Apr 16 19:25:25 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109761 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3FB78A050A; Sat, 16 Apr 2022 21:26:18 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 43CF2427F1; Sat, 16 Apr 2022 21:26:05 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 9303B427FC for ; Sat, 16 Apr 2022 21:26:03 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIkBTi028593; Sat, 16 Apr 2022 12:26:02 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=AVB/qoZ57RK8orVEs03ONCOpdF0N/mpnOHk1b8c14vI=; b=hJ/ZFlMoz1AhkhPZhtpKfVDXnPkb5a8peokPpyr9Buta9pT6j2k0Bj7tos2u3rbaOntI KATlZFCt9mVe1HQYNri5esKadnhtLgUewy4NEIo69IgEIQ9zVWlcHHjqWekvw6BAuSMB vFku4MTDzCd3sax++iK2d6EhXXKPVhDJwF0Rvd55oI/8YxTqFlVl/Q6XiPqo/GgiX5E2 nzlVUCT/CSsoEbxkM5GYyt4Far5h9WAMAbsPKPLU/t/CeAl0tAAwEEwFlUZVdaXt+Rbf PNMeTTH6iEiFPRMPPODEcJPnxuqy5iaBWdOIUZR2SwaX3nRl6SeuyDXvqGoDIY+6yBQq 5g== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p90yh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:02 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:26:01 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Sat, 16 Apr 2022 12:26:01 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id A03513F7079; Sat, 16 Apr 2022 12:25:57 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 05/10] test/security: add more inline IPsec functional cases Date: Sun, 17 Apr 2022 00:55:25 +0530 Message-ID: <20220416192530.173895-6-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: KT9qR2b6M2Dz5-IMoRwagraznRtn6Slv X-Proofpoint-ORIG-GUID: KT9qR2b6M2Dz5-IMoRwagraznRtn6Slv X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added more inline IPsec functional verification cases. These cases do not have known vectors but are verified using encap + decap test for all the algo combinations. Signed-off-by: Akhil Goyal --- app/test/test_security_inline_proto.c | 517 ++++++++++++++++++++++++++ 1 file changed, 517 insertions(+) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 9ddc3f7dd4..209999d02c 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -1313,6 +1313,394 @@ test_ipsec_inline_proto_display_list(const void *data __rte_unused) return test_ipsec_inline_proto_all(&flags); } +static int +test_ipsec_inline_proto_udp_encap(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_udp_ports_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + flags.udp_ports_verify = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_err_icv_corrupt(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.icv_corrupt = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_inner_ip_csum(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ip_csum = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_inner_l4_csum(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.l4_csum = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_v4_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = false; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_v6_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_v4_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_tunnel_v6_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = false; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_transport_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.transport = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_transport_l4_csum(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .l4_csum = true, + .transport = true, + }; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_stats(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.stats_success = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_pkt_fragment(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.fragment = true; + + return test_ipsec_inline_proto_all(&flags); + +} + +static int +test_ipsec_inline_proto_copy_df_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_copy_df_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_set_df_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_0_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_set_df_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_1_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv4_copy_dscp_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv4_copy_dscp_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv4_set_dscp_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv4_set_dscp_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_copy_dscp_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_copy_dscp_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_set_dscp_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv4_ttl_decrement(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .dec_ttl_or_hop_limit = true + }; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_hop_limit_decrement(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .ipv6 = true, + .dec_ttl_or_hop_limit = true + }; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_iv_gen(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.iv_gen = true; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_known_vec_fragmented(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + flags.fragment = true; + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_inline_proto_process(&td_outb, NULL, 1, false, + &flags); +} static struct unit_test_suite inline_ipsec_testsuite = { .suite_name = "Inline IPsec Ethernet Device Unit Test Suite", .setup = inline_ipsec_testsuite_setup, @@ -1359,6 +1747,13 @@ static struct unit_test_suite inline_ipsec_testsuite = { ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_known_vec, &pkt_null_aes_xcbc), + + TEST_CASE_NAMED_WITH_DATA( + "Outbound fragmented packet", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_known_vec_fragmented, + &pkt_aes_128_gcm_frag), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, @@ -1410,6 +1805,128 @@ static struct unit_test_suite inline_ipsec_testsuite = { ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_display_list), + TEST_CASE_NAMED_ST( + "UDP encapsulation", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_udp_encap), + TEST_CASE_NAMED_ST( + "UDP encapsulation ports verification test", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_udp_ports_verify), + TEST_CASE_NAMED_ST( + "Negative test: ICV corruption", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_src_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Inner IP checksum", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_inner_ip_csum), + TEST_CASE_NAMED_ST( + "Inner L4 checksum", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_inner_l4_csum), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv4", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_v4_in_v4), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv6", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_v6_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv6", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_v4_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv4", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_tunnel_v6_in_v4), + TEST_CASE_NAMED_ST( + "Transport IPv4", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_transport_v4), + TEST_CASE_NAMED_ST( + "Transport l4 checksum", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_transport_l4_csum), + TEST_CASE_NAMED_ST( + "Statistics: success", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_stats), + TEST_CASE_NAMED_ST( + "Fragmented packet", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_fragment), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_copy_df_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_copy_df_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 0 (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_set_df_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 1 (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_set_df_1_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv4 copy DSCP (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv4_copy_dscp_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv4 copy DSCP (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv4_copy_dscp_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv4 set DSCP 0 (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv4_set_dscp_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv4 set DSCP 1 (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv4_set_dscp_1_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 copy DSCP (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_copy_dscp_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 copy DSCP (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_copy_dscp_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 set DSCP 0 (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_set_dscp_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 set DSCP 1 (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv4 decrement inner TTL", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv4_ttl_decrement), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 decrement inner hop limit", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_hop_limit_decrement), + TEST_CASE_NAMED_ST( + "IV generation", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_iv_gen), + + TEST_CASE_NAMED_WITH_DATA( "IPv4 Reassembly with 2 fragments", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, From patchwork Sat Apr 16 19:25:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109762 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1B0D1A050A; Sat, 16 Apr 2022 21:26:24 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 42265427FD; Sat, 16 Apr 2022 21:26:09 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id D9703427FE for ; Sat, 16 Apr 2022 21:26:07 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIte6Y015484; Sat, 16 Apr 2022 12:26:07 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=nl5XwwAP0FkWp9X8mwSJtjLagKXMHe4Oiz0b9ucQnjw=; b=H+/k0xYdmcYZJqMnXVOxMjRMP54o3VUv9ecf71bTUIc8xMRm+Gp9aZfe/nJ4mE1O0eh4 b5p4rMpWFixRnjQudK+boRi+NTCx7vqtUjmePdvR2cKqVm/KunLEHLEomNhIrUjMiogB 6jAjVN6EeSNfL5a6/x4j5EXqCetw5NoBTUs/pex3PJviudyQcNDtxV4xXMp+/mOwF8JK 86tjVduhnymrFGVxUlecVoUxQ1sAuLKfpZ/eo3SqHddl7MjGkQtXNyGF2MLv4SCK00dp NNsMw8iCFAMQoz+KTnwqd6vBZpGo5VSccctrFd0G7SHrEgz7gAlRwWuANYamUQkwVjjT Xg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3ffwanrrgt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:07 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 16 Apr 2022 12:26:04 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:26:04 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id 7E6033F707A; Sat, 16 Apr 2022 12:26:01 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , , Akhil Goyal Subject: [PATCH v4 06/10] test/security: add ESN and anti-replay cases for inline Date: Sun, 17 Apr 2022 00:55:26 +0530 Message-ID: <20220416192530.173895-7-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: pA39Rr-3MtUKgVRAsnDZcmZ03uY9yjjR X-Proofpoint-ORIG-GUID: pA39Rr-3MtUKgVRAsnDZcmZ03uY9yjjR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Added cases to test anti replay for inline IPsec processing with and without extended sequence number support. Signed-off-by: Akhil Goyal --- app/test/test_security_inline_proto.c | 308 ++++++++++++++++++++++++++ 1 file changed, 308 insertions(+) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 209999d02c..f8d6adc88f 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -1092,6 +1092,136 @@ test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) return TEST_SKIPPED; } +static int +test_ipsec_inline_proto_process_with_esn(struct ipsec_test_data td[], + struct ipsec_test_data res_d[], + int nb_pkts, + bool silent, + const struct ipsec_test_flags *flags) +{ + struct rte_security_session_conf sess_conf = {0}; + struct ipsec_test_data *res_d_tmp = NULL; + struct rte_crypto_sym_xform cipher = {0}; + struct rte_crypto_sym_xform auth = {0}; + struct rte_crypto_sym_xform aead = {0}; + struct rte_mbuf *rx_pkt = NULL; + struct rte_mbuf *tx_pkt = NULL; + int nb_rx, nb_sent; + struct rte_security_session *ses; + struct rte_security_ctx *ctx; + uint32_t ol_flags; + int i, ret; + + if (td[0].aead) { + sess_conf.crypto_xform = &aead; + } else { + if (td[0].ipsec_xform.direction == + RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sess_conf.crypto_xform = &cipher; + sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + sess_conf.crypto_xform->next = &auth; + sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_AUTH; + } else { + sess_conf.crypto_xform = &auth; + sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + sess_conf.crypto_xform->next = &cipher; + sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + } + } + + /* Create Inline IPsec session. */ + ret = create_inline_ipsec_session(&td[0], port_id, &ses, &ctx, + &ol_flags, flags, &sess_conf); + if (ret) + return ret; + + if (td[0].ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + create_default_flow(port_id); + + for (i = 0; i < nb_pkts; i++) { + tx_pkt = init_packet(mbufpool, td[i].input_text.data, + td[i].input_text.len); + if (tx_pkt == NULL) { + ret = TEST_FAILED; + goto out; + } + + if (test_ipsec_pkt_update(rte_pktmbuf_mtod_offset(tx_pkt, + uint8_t *, RTE_ETHER_HDR_LEN), flags)) { + ret = TEST_FAILED; + goto out; + } + + if (td[i].ipsec_xform.direction == + RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (flags->antireplay) { + sess_conf.ipsec.esn.value = + td[i].ipsec_xform.esn.value; + ret = rte_security_session_update(ctx, ses, + &sess_conf); + if (ret) { + printf("Could not update ESN in session\n"); + rte_pktmbuf_free(tx_pkt); + goto out; + } + } + if (ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA) + rte_security_set_pkt_metadata(ctx, ses, + tx_pkt, NULL); + tx_pkt->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD; + } + /* Send packet to ethdev for inline IPsec processing. */ + nb_sent = rte_eth_tx_burst(port_id, 0, &tx_pkt, 1); + if (nb_sent != 1) { + printf("\nUnable to TX packets"); + rte_pktmbuf_free(tx_pkt); + ret = TEST_FAILED; + goto out; + } + + rte_pause(); + + /* Receive back packet on loopback interface. */ + do { + rte_delay_ms(1); + nb_rx = rte_eth_rx_burst(port_id, 0, &rx_pkt, 1); + } while (nb_rx == 0); + + rte_pktmbuf_adj(rx_pkt, RTE_ETHER_HDR_LEN); + + if (res_d != NULL) + res_d_tmp = &res_d[i]; + + ret = test_ipsec_post_process(rx_pkt, &td[i], + res_d_tmp, silent, flags); + if (ret != TEST_SUCCESS) { + rte_pktmbuf_free(rx_pkt); + goto out; + } + + ret = test_ipsec_stats_verify(ctx, ses, flags, + td->ipsec_xform.direction); + if (ret != TEST_SUCCESS) { + rte_pktmbuf_free(rx_pkt); + goto out; + } + + rte_pktmbuf_free(rx_pkt); + rx_pkt = NULL; + tx_pkt = NULL; + res_d_tmp = NULL; + } + +out: + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + destroy_default_flow(port_id); + + /* Destroy session so that other cases can create the session again */ + rte_security_session_destroy(ctx, ses); + ses = NULL; + + return ret; +} static int ut_setup_inline_ipsec(void) @@ -1701,6 +1831,153 @@ test_ipsec_inline_proto_known_vec_fragmented(const void *test_data) return test_ipsec_inline_proto_process(&td_outb, NULL, 1, false, &flags); } + +static int +test_ipsec_inline_pkt_replay(const void *test_data, const uint64_t esn[], + bool replayed_pkt[], uint32_t nb_pkts, bool esn_en, + uint64_t winsz) +{ + struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX]; + struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX]; + struct ipsec_test_flags flags; + uint32_t i, ret = 0; + + memset(&flags, 0, sizeof(flags)); + flags.antireplay = true; + + for (i = 0; i < nb_pkts; i++) { + memcpy(&td_outb[i], test_data, sizeof(td_outb)); + td_outb[i].ipsec_xform.options.iv_gen_disable = 1; + td_outb[i].ipsec_xform.replay_win_sz = winsz; + td_outb[i].ipsec_xform.options.esn = esn_en; + } + + for (i = 0; i < nb_pkts; i++) + td_outb[i].ipsec_xform.esn.value = esn[i]; + + ret = test_ipsec_inline_proto_process_with_esn(td_outb, td_inb, + nb_pkts, true, &flags); + if (ret != TEST_SUCCESS) + return ret; + + test_ipsec_td_update(td_inb, td_outb, nb_pkts, &flags); + + for (i = 0; i < nb_pkts; i++) { + td_inb[i].ipsec_xform.options.esn = esn_en; + /* Set antireplay flag for packets to be dropped */ + td_inb[i].ar_packet = replayed_pkt[i]; + } + + ret = test_ipsec_inline_proto_process_with_esn(td_inb, NULL, nb_pkts, + true, &flags); + + return ret; +} + +static int +test_ipsec_inline_proto_pkt_antireplay(const void *test_data, uint64_t winsz) +{ + + uint32_t nb_pkts = 5; + bool replayed_pkt[5]; + uint64_t esn[5]; + + /* 1. Advance the TOP of the window to WS * 2 */ + esn[0] = winsz * 2; + /* 2. Test sequence number within the new window(WS + 1) */ + esn[1] = winsz + 1; + /* 3. Test sequence number less than the window BOTTOM */ + esn[2] = winsz; + /* 4. Test sequence number in the middle of the window */ + esn[3] = winsz + (winsz / 2); + /* 5. Test replay of the packet in the middle of the window */ + esn[4] = winsz + (winsz / 2); + + replayed_pkt[0] = false; + replayed_pkt[1] = false; + replayed_pkt[2] = true; + replayed_pkt[3] = false; + replayed_pkt[4] = true; + + return test_ipsec_inline_pkt_replay(test_data, esn, replayed_pkt, + nb_pkts, false, winsz); +} + +static int +test_ipsec_inline_proto_pkt_antireplay1024(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_antireplay(test_data, 1024); +} + +static int +test_ipsec_inline_proto_pkt_antireplay2048(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_antireplay(test_data, 2048); +} + +static int +test_ipsec_inline_proto_pkt_antireplay4096(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_antireplay(test_data, 4096); +} + +static int +test_ipsec_inline_proto_pkt_esn_antireplay(const void *test_data, uint64_t winsz) +{ + + uint32_t nb_pkts = 7; + bool replayed_pkt[7]; + uint64_t esn[7]; + + /* Set the initial sequence number */ + esn[0] = (uint64_t)(0xFFFFFFFF - winsz); + /* 1. Advance the TOP of the window to (1<<32 + WS/2) */ + esn[1] = (uint64_t)((1ULL << 32) + (winsz / 2)); + /* 2. Test sequence number within new window (1<<32 + WS/2 + 1) */ + esn[2] = (uint64_t)((1ULL << 32) - (winsz / 2) + 1); + /* 3. Test with sequence number within window (1<<32 - 1) */ + esn[3] = (uint64_t)((1ULL << 32) - 1); + /* 4. Test with sequence number within window (1<<32 - 1) */ + esn[4] = (uint64_t)(1ULL << 32); + /* 5. Test with duplicate sequence number within + * new window (1<<32 - 1) + */ + esn[5] = (uint64_t)((1ULL << 32) - 1); + /* 6. Test with duplicate sequence number within new window (1<<32) */ + esn[6] = (uint64_t)(1ULL << 32); + + replayed_pkt[0] = false; + replayed_pkt[1] = false; + replayed_pkt[2] = false; + replayed_pkt[3] = false; + replayed_pkt[4] = false; + replayed_pkt[5] = true; + replayed_pkt[6] = true; + + return test_ipsec_inline_pkt_replay(test_data, esn, replayed_pkt, nb_pkts, + true, winsz); +} + +static int +test_ipsec_inline_proto_pkt_esn_antireplay1024(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_esn_antireplay(test_data, 1024); +} + +static int +test_ipsec_inline_proto_pkt_esn_antireplay2048(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_esn_antireplay(test_data, 2048); +} + +static int +test_ipsec_inline_proto_pkt_esn_antireplay4096(const void *test_data) +{ + return test_ipsec_inline_proto_pkt_esn_antireplay(test_data, 4096); +} + + + static struct unit_test_suite inline_ipsec_testsuite = { .suite_name = "Inline IPsec Ethernet Device Unit Test Suite", .setup = inline_ipsec_testsuite_setup, @@ -1927,6 +2204,37 @@ static struct unit_test_suite inline_ipsec_testsuite = { test_ipsec_inline_proto_iv_gen), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 1024", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_antireplay1024, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 2048", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_antireplay2048, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 4096", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_antireplay4096, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 1024", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_esn_antireplay1024, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 2048", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_esn_antireplay2048, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 4096", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_pkt_esn_antireplay4096, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( "IPv4 Reassembly with 2 fragments", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, From patchwork Sat Apr 16 19:25:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109763 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 086ACA050A; Sat, 16 Apr 2022 21:26:32 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 821A3427FB; Sat, 16 Apr 2022 21:26:12 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 91DE0427EB for ; Sat, 16 Apr 2022 21:26:11 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIFAkj019557; Sat, 16 Apr 2022 12:26:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=1CzYaTkIWcv/qx1vKVhgZLSypRIoXO1sULw3zzRkdgA=; b=FnvvoqHRhzrG1/H5Zpl9O0wp3eikBa/yFnn94QxR/K5NeMb+XmdZWy8sLUcz9//B/NEl Aj8xfHxEZ8hluWdFlqkAv7DdfaJAEHzHQ0Gawpy6Q/8zcp4wwj1HOiIWwol6Qfp+Q0x+ znPiEbbkKq+bE6f7s4gIkU/o4qZKsvCiTeqM/P+r8k0WW6xTx0RSpgJbCK3kBEhy5rRq CE5efqb2CPPMR6LBWdNIx27zTlh9r8g/8my51iQhKSo4PLG3K90syUrKgPz7jriq/fo2 92sfgP7Z1um9NIxn3upttysCknVD2vYr7MV8CLRSYmt6IReqsOcTjybX0uFudyn8Aj5C 6A== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3ffwanrrh3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:10 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 16 Apr 2022 12:26:08 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Sat, 16 Apr 2022 12:26:08 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id 5C9C83F707D; Sat, 16 Apr 2022 12:26:05 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , Subject: [PATCH v4 07/10] ethdev: add IPsec SA expiry event subtypes Date: Sun, 17 Apr 2022 00:55:27 +0530 Message-ID: <20220416192530.173895-8-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: Mx4yvaYqbAdbnR_N1X_8xyzcwUUz-Lyy X-Proofpoint-ORIG-GUID: Mx4yvaYqbAdbnR_N1X_8xyzcwUUz-Lyy X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vamsi Attunuru Patch adds new event subtypes for notifying expiry events upon reaching IPsec SA soft packet expiry and hard packet/byte expiry limits. Signed-off-by: Vamsi Attunuru --- lib/ethdev/rte_ethdev.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/ethdev/rte_ethdev.h b/lib/ethdev/rte_ethdev.h index 04cff8ee10..08819fe4ba 100644 --- a/lib/ethdev/rte_ethdev.h +++ b/lib/ethdev/rte_ethdev.h @@ -3828,6 +3828,12 @@ enum rte_eth_event_ipsec_subtype { RTE_ETH_EVENT_IPSEC_SA_TIME_EXPIRY, /** Soft byte expiry of SA */ RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY, + /** Soft packet expiry of SA */ + RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY, + /** Hard byte expiry of SA */ + RTE_ETH_EVENT_IPSEC_SA_BYTE_HARD_EXPIRY, + /** Hard packet expiry of SA */ + RTE_ETH_EVENT_IPSEC_SA_PKT_HARD_EXPIRY, /** Max value of this enum */ RTE_ETH_EVENT_IPSEC_MAX }; @@ -3849,6 +3855,9 @@ struct rte_eth_event_ipsec_desc { * - @ref RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW * - @ref RTE_ETH_EVENT_IPSEC_SA_TIME_EXPIRY * - @ref RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY + * - @ref RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY + * - @ref RTE_ETH_EVENT_IPSEC_SA_BYTE_HARD_EXPIRY + * - @ref RTE_ETH_EVENT_IPSEC_SA_PKT_HARD_EXPIRY * * @see struct rte_security_session_conf * From patchwork Sat Apr 16 19:25:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109764 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 41CCFA050A; Sat, 16 Apr 2022 21:26:39 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7D70F427EB; Sat, 16 Apr 2022 21:26:18 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 7318A41614 for ; Sat, 16 Apr 2022 21:26:16 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GJDhCm022470; Sat, 16 Apr 2022 12:26:15 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=MjXITm/1d+ThHtUWp1yVmqg9NX4oPd7lMHdt44nKP+M=; b=MoA4ZZWi5OwsFNQ15Vvg1US2AmetyoK+R3DAUIJQJvboxpw0/wL18F1593I0Fqzh4JRz L2C/vjuXRW0bVfDNbp9TETjCPmWt7yDeVUJiB8Tj4ZN0oYJnU3sH++HEY+zHLgec0NM+ PZ0E+l5Vh8jg4uyflGoSV3Zbe8YCtgKSH2yJOo1WnJ7uHQyHx0aLLomg1sd2Qq5I/FFD I8zCK8dk1fv0/KDaRazurr+DgG7B63e2qEY5k/k0ctLvluTTL05D8mgFlUnU3Jhdzshl i0wdaOp+Cqn8gild+atX4nUYmImUh3pL+wBsY2EbveEvUNGsNYvwzYH3oqcjxcjwjj0Z nw== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3ffwanrrh5-8 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:15 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 16 Apr 2022 12:26:12 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:26:12 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id 099AF3F7079; Sat, 16 Apr 2022 12:26:08 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , Subject: [PATCH v4 08/10] test/security: add inline IPsec SA soft expiry cases Date: Sun, 17 Apr 2022 00:55:28 +0530 Message-ID: <20220416192530.173895-9-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: 3DSb927QTeZYyVfJQokakJGOj2mYt8vI X-Proofpoint-ORIG-GUID: 3DSb927QTeZYyVfJQokakJGOj2mYt8vI X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vamsi Attunuru Patch adds unit tests for packet & byte soft expiry events. Signed-off-by: Vamsi Attunuru --- app/test/test_cryptodev_security_ipsec.h | 2 + app/test/test_security_inline_proto.c | 105 +++++++++++++++++- app/test/test_security_inline_proto_vectors.h | 6 + 3 files changed, 112 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 0d9b5b6e2e..418ab16ba6 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -77,6 +77,8 @@ struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; bool sa_expiry_pkts_hard; + bool sa_expiry_bytes_soft; + bool sa_expiry_bytes_hard; bool icv_corrupt; bool iv_gen; uint32_t tunnel_hdr_verify; diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index f8d6adc88f..5b111af53e 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -874,6 +874,62 @@ test_ipsec_with_reassembly(struct reassembly_vector *vector, return ret; } +static int +test_ipsec_inline_sa_exp_event_callback(uint16_t port_id, + enum rte_eth_event_type type, void *param, void *ret_param) +{ + struct sa_expiry_vector *vector = (struct sa_expiry_vector *)param; + struct rte_eth_event_ipsec_desc *event_desc = NULL; + + RTE_SET_USED(port_id); + + if (type != RTE_ETH_EVENT_IPSEC) + return -1; + + event_desc = ret_param; + if (event_desc == NULL) { + printf("Event descriptor not set\n"); + return -1; + } + vector->notify_event = true; + if (event_desc->metadata != (uint64_t)vector->sa_data) { + printf("Mismatch in event specific metadata\n"); + return -1; + } + if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY) { + vector->event = RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY; + return 0; + } else if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY) { + vector->event = RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY; + return 0; + } else if (event_desc->subtype >= RTE_ETH_EVENT_IPSEC_MAX) { + printf("Invalid IPsec event reported\n"); + return -1; + } + + return -1; +} + +static enum rte_eth_event_ipsec_subtype +test_ipsec_inline_setup_expiry_vector(struct sa_expiry_vector *vector, + const struct ipsec_test_flags *flags, + struct ipsec_test_data *tdata) +{ + enum rte_eth_event_ipsec_subtype event = RTE_ETH_EVENT_IPSEC_UNKNOWN; + + vector->event = RTE_ETH_EVENT_IPSEC_UNKNOWN; + vector->notify_event = false; + vector->sa_data = (void *)tdata; + if (flags->sa_expiry_pkts_soft) + event = RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY; + else + event = RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY; + rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_IPSEC, + test_ipsec_inline_sa_exp_event_callback, vector); + + return event; +} + static int test_ipsec_inline_proto_process(struct ipsec_test_data *td, struct ipsec_test_data *res_d, @@ -881,10 +937,12 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, bool silent, const struct ipsec_test_flags *flags) { + enum rte_eth_event_ipsec_subtype event = RTE_ETH_EVENT_IPSEC_UNKNOWN; struct rte_security_session_conf sess_conf = {0}; struct rte_crypto_sym_xform cipher = {0}; struct rte_crypto_sym_xform auth = {0}; struct rte_crypto_sym_xform aead = {0}; + struct sa_expiry_vector vector = {0}; struct rte_security_session *ses; struct rte_security_ctx *ctx; int nb_rx = 0, nb_sent; @@ -893,6 +951,12 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts); + if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft) { + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return TEST_SUCCESS; + event = test_ipsec_inline_setup_expiry_vector(&vector, flags, td); + } + if (td->aead) { sess_conf.crypto_xform = &aead; } else { @@ -999,6 +1063,15 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, out: if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) destroy_default_flow(port_id); + if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft) { + if (vector.notify_event && (vector.event == event)) + ret = TEST_SUCCESS; + else + ret = TEST_FAILED; + + rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_IPSEC, + test_ipsec_inline_sa_exp_event_callback, &vector); + } /* Destroy session so that other cases can create the session again */ rte_security_session_destroy(ctx, ses); @@ -1016,6 +1089,7 @@ test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) int ret; if (flags->iv_gen || flags->sa_expiry_pkts_soft || + flags->sa_expiry_bytes_soft || flags->sa_expiry_pkts_hard) nb_pkts = IPSEC_TEST_PACKETS_MAX; @@ -1048,6 +1122,11 @@ test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) if (flags->udp_encap) td_outb.ipsec_xform.options.udp_encap = 1; + if (flags->sa_expiry_bytes_soft) + td_outb.ipsec_xform.life.bytes_soft_limit = + (((td_outb.output_text.len + RTE_ETHER_HDR_LEN) + * nb_pkts) >> 3) - 1; + ret = test_ipsec_inline_proto_process(&td_outb, &td_inb, nb_pkts, false, flags); if (ret == TEST_SKIPPED) @@ -1814,6 +1893,23 @@ test_ipsec_inline_proto_iv_gen(const void *data __rte_unused) return test_ipsec_inline_proto_all(&flags); } +static int +test_ipsec_inline_proto_sa_pkt_soft_expiry(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .sa_expiry_pkts_soft = true + }; + return test_ipsec_inline_proto_all(&flags); +} +static int +test_ipsec_inline_proto_sa_byte_soft_expiry(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .sa_expiry_bytes_soft = true + }; + return test_ipsec_inline_proto_all(&flags); +} + static int test_ipsec_inline_proto_known_vec_fragmented(const void *test_data) { @@ -2202,7 +2298,14 @@ static struct unit_test_suite inline_ipsec_testsuite = { "IV generation", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_iv_gen), - + TEST_CASE_NAMED_ST( + "SA soft expiry with packet limit", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_sa_pkt_soft_expiry), + TEST_CASE_NAMED_ST( + "SA soft expiry with byte limit", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_sa_byte_soft_expiry), TEST_CASE_NAMED_WITH_DATA( "Antireplay with window size 1024", diff --git a/app/test/test_security_inline_proto_vectors.h b/app/test/test_security_inline_proto_vectors.h index c18965d80f..003537e200 100644 --- a/app/test/test_security_inline_proto_vectors.h +++ b/app/test/test_security_inline_proto_vectors.h @@ -36,6 +36,12 @@ struct reassembly_vector { bool burst; }; +struct sa_expiry_vector { + struct ipsec_session_data *sa_data; + enum rte_eth_event_ipsec_subtype event; + bool notify_event; +}; + /* The source file includes below test vectors */ /* IPv6: * From patchwork Sat Apr 16 19:25:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109765 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id C5EC0A050A; Sat, 16 Apr 2022 21:26:43 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6B16E42808; Sat, 16 Apr 2022 21:26:19 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 42E9A40DFD for ; Sat, 16 Apr 2022 21:26:18 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIhiNx024978; Sat, 16 Apr 2022 12:26:17 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=TJa9eh1/7RUMAwUPVIIUOcvkv1qHKh7uCh0G6xdoYWM=; b=WEEub1GzM1PybFEz+EaQbNN4sFMlD3O9F5VSAB4r7Ww66qDkUfcuB/S3+sJvtLf8K5bP e+rDBc0WCgzC3/XLmksvALg285IsQJSE+s0vSdz3aIhjKmX5Itk8xovzkmLSpR2XsD/w kmIaO1Nzo6iaEY7hxZvByjEKLVmZ7HuqqXYDis9gEKRunK4HqWPPB3niD/MRrX2w4CKk depO/jZHytPu7a4ubUwGHjdH9JsYcWhExvx4V13a0/FS0vpPZ3+1IhURlp6XWZBU8H6/ BM3xaeMDikYkfaSnovKHf5gDepYO+U7vnCceC1QLs5CKU43L0Ct1ImkGRxyh/9KVk67I tg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p9103-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:17 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:26:15 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 16 Apr 2022 12:26:15 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id A17C93F707A; Sat, 16 Apr 2022 12:26:12 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , Subject: [PATCH v4 09/10] test/security: add inline IPsec SA hard expiry cases Date: Sun, 17 Apr 2022 00:55:29 +0530 Message-ID: <20220416192530.173895-10-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: erxwhDXz9BIbUxsnjTTpIm8F-mhTC9Tk X-Proofpoint-ORIG-GUID: erxwhDXz9BIbUxsnjTTpIm8F-mhTC9Tk X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vamsi Attunuru Patch adds hard expiry unit tests for both packet and byte limits. Signed-off-by: Vamsi Attunuru --- app/test/test_security_inline_proto.c | 71 +++++++++++++++++++++++---- 1 file changed, 61 insertions(+), 10 deletions(-) diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 5b111af53e..15f08a2d6c 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -896,18 +896,25 @@ test_ipsec_inline_sa_exp_event_callback(uint16_t port_id, printf("Mismatch in event specific metadata\n"); return -1; } - if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY) { + switch (event_desc->subtype) { + case RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY: vector->event = RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY; - return 0; - } else if (event_desc->subtype == RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY) { + break; + case RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY: vector->event = RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY; - return 0; - } else if (event_desc->subtype >= RTE_ETH_EVENT_IPSEC_MAX) { + break; + case RTE_ETH_EVENT_IPSEC_SA_PKT_HARD_EXPIRY: + vector->event = RTE_ETH_EVENT_IPSEC_SA_PKT_HARD_EXPIRY; + break; + case RTE_ETH_EVENT_IPSEC_SA_BYTE_HARD_EXPIRY: + vector->event = RTE_ETH_EVENT_IPSEC_SA_BYTE_HARD_EXPIRY; + break; + default: printf("Invalid IPsec event reported\n"); return -1; } - return -1; + return 0; } static enum rte_eth_event_ipsec_subtype @@ -922,8 +929,12 @@ test_ipsec_inline_setup_expiry_vector(struct sa_expiry_vector *vector, vector->sa_data = (void *)tdata; if (flags->sa_expiry_pkts_soft) event = RTE_ETH_EVENT_IPSEC_SA_PKT_EXPIRY; - else + else if (flags->sa_expiry_bytes_soft) event = RTE_ETH_EVENT_IPSEC_SA_BYTE_EXPIRY; + else if (flags->sa_expiry_pkts_hard) + event = RTE_ETH_EVENT_IPSEC_SA_PKT_HARD_EXPIRY; + else + event = RTE_ETH_EVENT_IPSEC_SA_BYTE_HARD_EXPIRY; rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_IPSEC, test_ipsec_inline_sa_exp_event_callback, vector); @@ -951,7 +962,8 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts); - if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft) { + if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft || + flags->sa_expiry_pkts_hard || flags->sa_expiry_bytes_hard) { if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) return TEST_SUCCESS; event = test_ipsec_inline_setup_expiry_vector(&vector, flags, td); @@ -1029,7 +1041,9 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, break; } while (j++ < 5 || nb_rx == 0); - if (nb_rx != nb_sent) { + if (!flags->sa_expiry_pkts_hard && + !flags->sa_expiry_bytes_hard && + (nb_rx != nb_sent)) { printf("\nUnable to RX all %d packets", nb_sent); while(--nb_rx) rte_pktmbuf_free(rx_pkts_burst[nb_rx]); @@ -1063,7 +1077,8 @@ test_ipsec_inline_proto_process(struct ipsec_test_data *td, out: if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) destroy_default_flow(port_id); - if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft) { + if (flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft || + flags->sa_expiry_pkts_hard || flags->sa_expiry_bytes_hard) { if (vector.notify_event && (vector.event == event)) ret = TEST_SUCCESS; else @@ -1090,6 +1105,7 @@ test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) if (flags->iv_gen || flags->sa_expiry_pkts_soft || flags->sa_expiry_bytes_soft || + flags->sa_expiry_bytes_hard || flags->sa_expiry_pkts_hard) nb_pkts = IPSEC_TEST_PACKETS_MAX; @@ -1126,6 +1142,13 @@ test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags) td_outb.ipsec_xform.life.bytes_soft_limit = (((td_outb.output_text.len + RTE_ETHER_HDR_LEN) * nb_pkts) >> 3) - 1; + if (flags->sa_expiry_pkts_hard) + td_outb.ipsec_xform.life.packets_hard_limit = + IPSEC_TEST_PACKETS_MAX - 1; + if (flags->sa_expiry_bytes_hard) + td_outb.ipsec_xform.life.bytes_hard_limit = + (((td_outb.output_text.len + RTE_ETHER_HDR_LEN) + * nb_pkts) >> 3) - 1; ret = test_ipsec_inline_proto_process(&td_outb, &td_inb, nb_pkts, false, flags); @@ -1910,6 +1933,26 @@ test_ipsec_inline_proto_sa_byte_soft_expiry(const void *data __rte_unused) return test_ipsec_inline_proto_all(&flags); } +static int +test_ipsec_inline_proto_sa_pkt_hard_expiry(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .sa_expiry_pkts_hard = true + }; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_sa_byte_hard_expiry(const void *data __rte_unused) +{ + struct ipsec_test_flags flags = { + .sa_expiry_bytes_hard = true + }; + + return test_ipsec_inline_proto_all(&flags); +} + static int test_ipsec_inline_proto_known_vec_fragmented(const void *test_data) { @@ -2306,6 +2349,14 @@ static struct unit_test_suite inline_ipsec_testsuite = { "SA soft expiry with byte limit", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_sa_byte_soft_expiry), + TEST_CASE_NAMED_ST( + "SA hard expiry with packet limit", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_sa_pkt_hard_expiry), + TEST_CASE_NAMED_ST( + "SA hard expiry with byte limit", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_sa_byte_hard_expiry), TEST_CASE_NAMED_WITH_DATA( "Antireplay with window size 1024", From patchwork Sat Apr 16 19:25:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Akhil Goyal X-Patchwork-Id: 109766 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 01F18A050A; Sat, 16 Apr 2022 21:26:50 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 5E61D4280B; Sat, 16 Apr 2022 21:26:23 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 04D424280B for ; Sat, 16 Apr 2022 21:26:21 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 23GIrJMq016143; Sat, 16 Apr 2022 12:26:21 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=Vvex0tdAYVGfVoDOaVXP0/Af+Pu777hV8T8eK6JkoO8=; b=Tdy9t6jKSSDA8BsxpZ8vW3qo3vmwK9cb/s6E0X2ekhxbDKZvov9AzVizURZkpQqUN1Gp V+lLZBNk3WRqeq2Am1fhZLwCSYlRJQC8ZirdZD/EKx34JJjMk2MtcTLTUE4ipTUw37uG /VdPnG6yL+jWcuvsiswlg58qHC/TAFnTng+mwTIcKn780qKUzKas0+igacxcAYgBTOLz gU6HgH2QYsZicQfHihavAGLOHtYtAoLco+qJm3VFaG4u5jVi5uNx+jMheMCxqIm/oDHi Z8m9jQVi5m3ZkiawOKR6k6YN7b19Vd2kOO0hT8vlDsH/AOU6xiHN/g+Eqx59AipZqeAP lg== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3ffu5p910b-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 16 Apr 2022 12:26:21 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 16 Apr 2022 12:26:19 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Sat, 16 Apr 2022 12:26:19 -0700 Received: from localhost.localdomain (unknown [10.28.48.55]) by maili.marvell.com (Postfix) with ESMTP id 44D253F7085; Sat, 16 Apr 2022 12:26:16 -0700 (PDT) From: Akhil Goyal To: CC: , , , , , , , , , Subject: [PATCH v4 10/10] test/security: add inline IPsec IPv6 flow label cases Date: Sun, 17 Apr 2022 00:55:30 +0530 Message-ID: <20220416192530.173895-11-gakhil@marvell.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220416192530.173895-1-gakhil@marvell.com> References: <20220217172341.607360-1-gakhil@marvell.com> <20220416192530.173895-1-gakhil@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: z58JB2Y00PX55DC1G-ieE_mCtNnAzMl3 X-Proofpoint-ORIG-GUID: z58JB2Y00PX55DC1G-ieE_mCtNnAzMl3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-16_08,2022-04-15_01,2022-02-23_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Vamsi Attunuru Patch adds unit tests for IPv6 flow label set & copy operations. Signed-off-by: Vamsi Attunuru --- app/test/test_cryptodev_security_ipsec.c | 35 ++++++++++- app/test/test_cryptodev_security_ipsec.h | 10 +++ app/test/test_security_inline_proto.c | 79 ++++++++++++++++++++++++ 3 files changed, 123 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 14c6ba681f..408bd0bc82 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -495,6 +495,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1, flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1) td->ipsec_xform.options.copy_dscp = 1; + if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 || + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1) + td->ipsec_xform.options.copy_flabel = 1; + if (flags->dec_ttl_or_hop_limit) td->ipsec_xform.options.dec_ttl = 1; } @@ -933,6 +937,7 @@ test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6, const struct ipsec_test_flags *flags) { uint32_t vtc_flow; + uint32_t flabel; uint8_t dscp; if (!is_valid_ipv6_pkt(iph6)) { @@ -959,6 +964,23 @@ test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6, } } + flabel = vtc_flow & RTE_IPV6_HDR_FL_MASK; + + if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 || + flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) { + if (flabel != TEST_IPSEC_FLABEL_VAL) { + printf("FLABEL value is not matching [exp: %x, actual: %x]\n", + TEST_IPSEC_FLABEL_VAL, flabel); + return -1; + } + } else { + if (flabel != 0) { + printf("FLABEL value is set [exp: 0, actual: %x]\n", + flabel); + return -1; + } + } + return 0; } @@ -1159,7 +1181,11 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags) if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 || flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1 || flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 || - flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) { + flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0 || + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 || + flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1 || + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 || + flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) { if (is_ipv4(iph4)) { uint8_t tos; @@ -1187,6 +1213,13 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags) else vtc_flow &= ~RTE_IPV6_HDR_DSCP_MASK; + if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 || + flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1) + vtc_flow |= (RTE_IPV6_HDR_FL_MASK & + (TEST_IPSEC_FLABEL_VAL << RTE_IPV6_HDR_FL_SHIFT)); + else + vtc_flow &= ~RTE_IPV6_HDR_FL_MASK; + iph6->vtc_flow = rte_cpu_to_be_32(vtc_flow); } } diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 418ab16ba6..9a3c021dd8 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -73,6 +73,15 @@ enum dscp_flags { TEST_IPSEC_SET_DSCP_1_INNER_0, }; +#define TEST_IPSEC_FLABEL_VAL 0x1234 + +enum flabel_flags { + TEST_IPSEC_COPY_FLABEL_INNER_0 = 1, + TEST_IPSEC_COPY_FLABEL_INNER_1, + TEST_IPSEC_SET_FLABEL_0_INNER_1, + TEST_IPSEC_SET_FLABEL_1_INNER_0, +}; + struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; @@ -94,6 +103,7 @@ struct ipsec_test_flags { bool antireplay; enum df_flags df; enum dscp_flags dscp; + enum flabel_flags flabel; bool dec_ttl_or_hop_limit; bool ah; }; diff --git a/app/test/test_security_inline_proto.c b/app/test/test_security_inline_proto.c index 15f08a2d6c..16fe164f77 100644 --- a/app/test/test_security_inline_proto.c +++ b/app/test/test_security_inline_proto.c @@ -163,6 +163,13 @@ create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid, sess_conf->ipsec.tunnel.ipv6.dscp = TEST_IPSEC_DSCP_VAL; + if (flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1) + sess_conf->ipsec.tunnel.ipv6.flabel = 0; + + if (flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) + sess_conf->ipsec.tunnel.ipv6.flabel = + TEST_IPSEC_FLABEL_VAL; + memcpy(&sess_conf->ipsec.tunnel.ipv6.src_addr, &src_v6, sizeof(src_v6)); memcpy(&sess_conf->ipsec.tunnel.ipv6.dst_addr, &dst_v6, @@ -1883,6 +1890,62 @@ test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused) return test_ipsec_inline_proto_all(&flags); } +static int +test_ipsec_inline_proto_ipv6_copy_flabel_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_copy_flabel_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.flabel = TEST_IPSEC_SET_FLABEL_0_INNER_1; + + return test_ipsec_inline_proto_all(&flags); +} + +static int +test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + flags.flabel = TEST_IPSEC_SET_FLABEL_1_INNER_0; + + return test_ipsec_inline_proto_all(&flags); +} + static int test_ipsec_inline_proto_ipv4_ttl_decrement(const void *data __rte_unused) { @@ -2329,6 +2392,22 @@ static struct unit_test_suite inline_ipsec_testsuite = { "Tunnel header IPv6 set DSCP 1 (inner 0)", ut_setup_inline_ipsec, ut_teardown_inline_ipsec, test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 copy FLABEL (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_copy_flabel_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 copy FLABEL (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_copy_flabel_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 set FLABEL 0 (inner 1)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header IPv6 set FLABEL 1 (inner 0)", + ut_setup_inline_ipsec, ut_teardown_inline_ipsec, + test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0), TEST_CASE_NAMED_ST( "Tunnel header IPv4 decrement inner TTL", ut_setup_inline_ipsec, ut_teardown_inline_ipsec,