mbox series

[v4,0/5] Add lookaside IPsec tests

Message ID 1631884523-836-1-git-send-email-anoobj@marvell.com (mailing list archive)
Headers
Series Add lookaside IPsec tests |

Message

Anoob Joseph Sept. 17, 2021, 1:15 p.m. UTC 
  Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vectors are outbound vectors based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the PMD. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Four test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption
3. IV generation
4. UDP encapsulation

IV generation test case compares IV generated for a batch of packets and returns
failure if IV is repeated.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. Transport
4. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k
3. crypto_cn9k

Changes in v4:
- Fixed lack of device stop in case capability check fails (comment from Ciara)
- Rebased and updated release notes

Changes in v3
- Added UDP encapsulation tests

Changes in v2
- Dropped outbound known vector tests as lookaside protocol would require IV
  generated by PMD. The tests would be introduced with spec change to allow user
  to specify IV.
- Added IV generation tests
- Minor fixes in combined mode tests to handle multiple packets

Anoob Joseph (2):
  test/crypto: add lookaside IPsec tests
  test/crypto: add combined mode tests

Tejasree Kondoj (3):
  test/crypto: add lookaside IPsec ICV corrupt test case
  test/crypto: add IV gen tests
  test/crypto: add UDP encapsulation test cases

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 351 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 401 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++
 doc/guides/rel_notes/release_21_11.rst             |   7 +
 7 files changed, 1206 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

Comments

Power, Ciara Sept. 23, 2021, 1:34 p.m. UTC | #1 
Hi Anoob,

>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 17 September 2021 14:15
>To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>Ananyev, Konstantin <konstantin.ananyev@intel.com>
>Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob <jerinj@marvell.com>;
>Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
><ktejasree@marvell.com>; Hemant Agrawal <hemant.agrawal@nxp.com>;
>Nicolau, Radu <radu.nicolau@intel.com>; Power, Ciara
><ciara.power@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
>dev@dpdk.org
>Subject: [PATCH v4 0/5] Add lookaside IPsec tests
>
>Add lookaside IPsec functional tests. Known vector tests and combined mode
>framework is added.
>
>Known vectors are outbound vectors based on
>https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
>
>The vectors are updated to have sequence number as 1 & L4 checksum
>computed correctly. And they have following properties, 1. ESP 2. Tunnel
>mode 3. IPv4 4. IPv4 tunnel
>
>Known vector tests for inbound operation would generate test vectors by
>reversing outbound known vectors. The input_text would become encrypted
>packet and output_text would be the plain packet. Tests would then validate
>the operation by comparing against plain packet.
>
>Combined mode tests are used to test all IPsec features against all ciphers
>supported by the PMD. The framework is introduced to avoid testing with any
>specific algo, thereby making it mandatory to be supported. Also, testing with
>all supported combinations will help with increasing coverage as well.
>
>Four test cases use combined mode,
>1. Display algo coverage and basic in + out tests 2. Negative test for ICV
>corruption 3. IV generation 4. UDP encapsulation
>
>IV generation test case compares IV generated for a batch of packets and
>returns failure if IV is repeated.
>
>Upcoming additions,
>1. AES-CBC-SHA1-HMAC known vectors & combined mode 2. IPv6 3. Transport
>4. Mixed mode (IPv4-in-IPv6 etc, all combinations)
>
>Tested with following PMDs
>1. crypto_octeontx2
>2. crypto_cn10k
>3. crypto_cn9k
>
>Changes in v4:
>- Fixed lack of device stop in case capability check fails (comment from Ciara)
>- Rebased and updated release notes
>
>Changes in v3
>- Added UDP encapsulation tests
>
>Changes in v2
>- Dropped outbound known vector tests as lookaside protocol would require
>IV
>  generated by PMD. The tests would be introduced with spec change to allow
>user
>  to specify IV.
>- Added IV generation tests
>- Minor fixes in combined mode tests to handle multiple packets
>
>Anoob Joseph (2):
>  test/crypto: add lookaside IPsec tests
>  test/crypto: add combined mode tests
>
>Tejasree Kondoj (3):
>  test/crypto: add lookaside IPsec ICV corrupt test case
>  test/crypto: add IV gen tests
>  test/crypto: add UDP encapsulation test cases
>
> app/test/meson.build                               |   1 +
> app/test/test.h                                    |   6 +
> app/test/test_cryptodev.c                          | 351 ++++++++++++++++++
> app/test/test_cryptodev_security_ipsec.c           | 401
>+++++++++++++++++++++
> app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
> .../test_cryptodev_security_ipsec_test_vectors.h   | 321
>+++++++++++++++++
> doc/guides/rel_notes/release_21_11.rst             |   7 +
> 7 files changed, 1206 insertions(+)
> create mode 100644 app/test/test_cryptodev_security_ipsec.c
> create mode 100644 app/test/test_cryptodev_security_ipsec.h
> create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h
>
>--
>2.7.4

For the series from a crypto test framework point of view,

Acked-by: Ciara Power <ciara.power@intel.com>