[v4,10/10] test/security: add inline IPsec IPv6 flow label cases
Checks
Commit Message
From: Vamsi Attunuru <vattunuru@marvell.com>
Patch adds unit tests for IPv6 flow label set & copy
operations.
Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
---
app/test/test_cryptodev_security_ipsec.c | 35 ++++++++++-
app/test/test_cryptodev_security_ipsec.h | 10 +++
app/test/test_security_inline_proto.c | 79 ++++++++++++++++++++++++
3 files changed, 123 insertions(+), 1 deletion(-)
Comments
Hi Akhil, Vamsi,
Please add the same test cases in lookaside IPsec tests also. And please do update release notes.
Thanks,
Anoob
> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Sunday, April 17, 2022 12:56 AM
> To: dev@dpdk.org
> Cc: thomas@monjalon.net; david.marchand@redhat.com;
> hemant.agrawal@nxp.com; Anoob Joseph <anoobj@marvell.com>;
> konstantin.ananyev@intel.com; ciara.power@intel.com;
> ferruh.yigit@intel.com; andrew.rybchenko@oktetlabs.ru; Nithin Kumar
> Dabilpuram <ndabilpuram@marvell.com>; Vamsi Krishna Attunuru
> <vattunuru@marvell.com>
> Subject: [PATCH v4 10/10] test/security: add inline IPsec IPv6 flow label cases
>
> From: Vamsi Attunuru <vattunuru@marvell.com>
>
> Patch adds unit tests for IPv6 flow label set & copy operations.
>
> Signed-off-by: Vamsi Attunuru <vattunuru@marvell.com>
> ---
> app/test/test_cryptodev_security_ipsec.c | 35 ++++++++++-
> app/test/test_cryptodev_security_ipsec.h | 10 +++
> app/test/test_security_inline_proto.c | 79 ++++++++++++++++++++++++
> 3 files changed, 123 insertions(+), 1 deletion(-)
>
> diff --git a/app/test/test_cryptodev_security_ipsec.c
> b/app/test/test_cryptodev_security_ipsec.c
> index 14c6ba681f..408bd0bc82 100644
> --- a/app/test/test_cryptodev_security_ipsec.c
> +++ b/app/test/test_cryptodev_security_ipsec.c
> @@ -495,6 +495,10 @@ test_ipsec_td_prepare(const struct crypto_param
> *param1,
> flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1)
> td->ipsec_xform.options.copy_dscp = 1;
>
> + if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
> + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1)
> + td->ipsec_xform.options.copy_flabel = 1;
> +
> if (flags->dec_ttl_or_hop_limit)
> td->ipsec_xform.options.dec_ttl = 1;
> }
> @@ -933,6 +937,7 @@ test_ipsec_iph6_hdr_validate(const struct
> rte_ipv6_hdr *iph6,
> const struct ipsec_test_flags *flags) {
> uint32_t vtc_flow;
> + uint32_t flabel;
> uint8_t dscp;
>
> if (!is_valid_ipv6_pkt(iph6)) {
> @@ -959,6 +964,23 @@ test_ipsec_iph6_hdr_validate(const struct
> rte_ipv6_hdr *iph6,
> }
> }
>
> + flabel = vtc_flow & RTE_IPV6_HDR_FL_MASK;
> +
> + if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
> + flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
> + if (flabel != TEST_IPSEC_FLABEL_VAL) {
> + printf("FLABEL value is not matching [exp: %x, actual:
> %x]\n",
> + TEST_IPSEC_FLABEL_VAL, flabel);
> + return -1;
> + }
> + } else {
> + if (flabel != 0) {
> + printf("FLABEL value is set [exp: 0, actual: %x]\n",
> + flabel);
> + return -1;
> + }
> + }
> +
> return 0;
> }
>
> @@ -1159,7 +1181,11 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct
> ipsec_test_flags *flags)
> if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
> flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1 ||
> flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
> - flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
> + flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0 ||
> + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
> + flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1 ||
> + flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
> + flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
>
> if (is_ipv4(iph4)) {
> uint8_t tos;
> @@ -1187,6 +1213,13 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct
> ipsec_test_flags *flags)
> else
> vtc_flow &= ~RTE_IPV6_HDR_DSCP_MASK;
>
> + if (flags->flabel ==
> TEST_IPSEC_COPY_FLABEL_INNER_1 ||
> + flags->flabel ==
> TEST_IPSEC_SET_FLABEL_0_INNER_1)
> + vtc_flow |= (RTE_IPV6_HDR_FL_MASK &
> + (TEST_IPSEC_FLABEL_VAL <<
> RTE_IPV6_HDR_FL_SHIFT));
> + else
> + vtc_flow &= ~RTE_IPV6_HDR_FL_MASK;
> +
> iph6->vtc_flow = rte_cpu_to_be_32(vtc_flow);
> }
> }
> diff --git a/app/test/test_cryptodev_security_ipsec.h
> b/app/test/test_cryptodev_security_ipsec.h
> index 418ab16ba6..9a3c021dd8 100644
> --- a/app/test/test_cryptodev_security_ipsec.h
> +++ b/app/test/test_cryptodev_security_ipsec.h
> @@ -73,6 +73,15 @@ enum dscp_flags {
> TEST_IPSEC_SET_DSCP_1_INNER_0,
> };
>
> +#define TEST_IPSEC_FLABEL_VAL 0x1234
> +
> +enum flabel_flags {
> + TEST_IPSEC_COPY_FLABEL_INNER_0 = 1,
> + TEST_IPSEC_COPY_FLABEL_INNER_1,
> + TEST_IPSEC_SET_FLABEL_0_INNER_1,
> + TEST_IPSEC_SET_FLABEL_1_INNER_0,
> +};
> +
> struct ipsec_test_flags {
> bool display_alg;
> bool sa_expiry_pkts_soft;
> @@ -94,6 +103,7 @@ struct ipsec_test_flags {
> bool antireplay;
> enum df_flags df;
> enum dscp_flags dscp;
> + enum flabel_flags flabel;
> bool dec_ttl_or_hop_limit;
> bool ah;
> };
> diff --git a/app/test/test_security_inline_proto.c
> b/app/test/test_security_inline_proto.c
> index 15f08a2d6c..16fe164f77 100644
> --- a/app/test/test_security_inline_proto.c
> +++ b/app/test/test_security_inline_proto.c
> @@ -163,6 +163,13 @@ create_inline_ipsec_session(struct ipsec_test_data
> *sa, uint16_t portid,
> sess_conf->ipsec.tunnel.ipv6.dscp =
> TEST_IPSEC_DSCP_VAL;
>
> + if (flags->flabel ==
> TEST_IPSEC_SET_FLABEL_0_INNER_1)
> + sess_conf->ipsec.tunnel.ipv6.flabel = 0;
> +
> + if (flags->flabel ==
> TEST_IPSEC_SET_FLABEL_1_INNER_0)
> + sess_conf->ipsec.tunnel.ipv6.flabel =
> + TEST_IPSEC_FLABEL_VAL;
> +
> memcpy(&sess_conf->ipsec.tunnel.ipv6.src_addr,
> &src_v6,
> sizeof(src_v6));
> memcpy(&sess_conf->ipsec.tunnel.ipv6.dst_addr,
> &dst_v6, @@ -1883,6 +1890,62 @@
> test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0(const void *data
> __rte_unused)
> return test_ipsec_inline_proto_all(&flags);
> }
>
> +static int
> +test_ipsec_inline_proto_ipv6_copy_flabel_inner_0(const void *data
> +__rte_unused) {
> + struct ipsec_test_flags flags;
> +
> + memset(&flags, 0, sizeof(flags));
> +
> + flags.ipv6 = true;
> + flags.tunnel_ipv6 = true;
> + flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_0;
> +
> + return test_ipsec_inline_proto_all(&flags);
> +}
> +
> +static int
> +test_ipsec_inline_proto_ipv6_copy_flabel_inner_1(const void *data
> +__rte_unused) {
> + struct ipsec_test_flags flags;
> +
> + memset(&flags, 0, sizeof(flags));
> +
> + flags.ipv6 = true;
> + flags.tunnel_ipv6 = true;
> + flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_1;
> +
> + return test_ipsec_inline_proto_all(&flags);
> +}
> +
> +static int
> +test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1(const void *data
> +__rte_unused) {
> + struct ipsec_test_flags flags;
> +
> + memset(&flags, 0, sizeof(flags));
> +
> + flags.ipv6 = true;
> + flags.tunnel_ipv6 = true;
> + flags.flabel = TEST_IPSEC_SET_FLABEL_0_INNER_1;
> +
> + return test_ipsec_inline_proto_all(&flags);
> +}
> +
> +static int
> +test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0(const void *data
> +__rte_unused) {
> + struct ipsec_test_flags flags;
> +
> + memset(&flags, 0, sizeof(flags));
> +
> + flags.ipv6 = true;
> + flags.tunnel_ipv6 = true;
> + flags.flabel = TEST_IPSEC_SET_FLABEL_1_INNER_0;
> +
> + return test_ipsec_inline_proto_all(&flags);
> +}
> +
> static int
> test_ipsec_inline_proto_ipv4_ttl_decrement(const void *data
> __rte_unused) { @@ -2329,6 +2392,22 @@ static struct unit_test_suite
> inline_ipsec_testsuite = {
> "Tunnel header IPv6 set DSCP 1 (inner 0)",
> ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0),
> + TEST_CASE_NAMED_ST(
> + "Tunnel header IPv6 copy FLABEL (inner 0)",
> + ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> + test_ipsec_inline_proto_ipv6_copy_flabel_inner_0),
> + TEST_CASE_NAMED_ST(
> + "Tunnel header IPv6 copy FLABEL (inner 1)",
> + ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> + test_ipsec_inline_proto_ipv6_copy_flabel_inner_1),
> + TEST_CASE_NAMED_ST(
> + "Tunnel header IPv6 set FLABEL 0 (inner 1)",
> + ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> +
> test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1),
> + TEST_CASE_NAMED_ST(
> + "Tunnel header IPv6 set FLABEL 1 (inner 0)",
> + ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> +
> test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0),
> TEST_CASE_NAMED_ST(
> "Tunnel header IPv4 decrement inner TTL",
> ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
> --
> 2.25.1
Hi Anoob,
> Hi Akhil, Vamsi,
>
> Please add the same test cases in lookaside IPsec tests also. And please do
> update release notes.
>
I was planning to send it as a separate patchset.
@@ -495,6 +495,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1)
td->ipsec_xform.options.copy_dscp = 1;
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1)
+ td->ipsec_xform.options.copy_flabel = 1;
+
if (flags->dec_ttl_or_hop_limit)
td->ipsec_xform.options.dec_ttl = 1;
}
@@ -933,6 +937,7 @@ test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6,
const struct ipsec_test_flags *flags)
{
uint32_t vtc_flow;
+ uint32_t flabel;
uint8_t dscp;
if (!is_valid_ipv6_pkt(iph6)) {
@@ -959,6 +964,23 @@ test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6,
}
}
+ flabel = vtc_flow & RTE_IPV6_HDR_FL_MASK;
+
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
+ if (flabel != TEST_IPSEC_FLABEL_VAL) {
+ printf("FLABEL value is not matching [exp: %x, actual: %x]\n",
+ TEST_IPSEC_FLABEL_VAL, flabel);
+ return -1;
+ }
+ } else {
+ if (flabel != 0) {
+ printf("FLABEL value is set [exp: 0, actual: %x]\n",
+ flabel);
+ return -1;
+ }
+ }
+
return 0;
}
@@ -1159,7 +1181,11 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1 ||
flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
- flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+ flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
if (is_ipv4(iph4)) {
uint8_t tos;
@@ -1187,6 +1213,13 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
else
vtc_flow &= ~RTE_IPV6_HDR_DSCP_MASK;
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1)
+ vtc_flow |= (RTE_IPV6_HDR_FL_MASK &
+ (TEST_IPSEC_FLABEL_VAL << RTE_IPV6_HDR_FL_SHIFT));
+ else
+ vtc_flow &= ~RTE_IPV6_HDR_FL_MASK;
+
iph6->vtc_flow = rte_cpu_to_be_32(vtc_flow);
}
}
@@ -73,6 +73,15 @@ enum dscp_flags {
TEST_IPSEC_SET_DSCP_1_INNER_0,
};
+#define TEST_IPSEC_FLABEL_VAL 0x1234
+
+enum flabel_flags {
+ TEST_IPSEC_COPY_FLABEL_INNER_0 = 1,
+ TEST_IPSEC_COPY_FLABEL_INNER_1,
+ TEST_IPSEC_SET_FLABEL_0_INNER_1,
+ TEST_IPSEC_SET_FLABEL_1_INNER_0,
+};
+
struct ipsec_test_flags {
bool display_alg;
bool sa_expiry_pkts_soft;
@@ -94,6 +103,7 @@ struct ipsec_test_flags {
bool antireplay;
enum df_flags df;
enum dscp_flags dscp;
+ enum flabel_flags flabel;
bool dec_ttl_or_hop_limit;
bool ah;
};
@@ -163,6 +163,13 @@ create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid,
sess_conf->ipsec.tunnel.ipv6.dscp =
TEST_IPSEC_DSCP_VAL;
+ if (flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1)
+ sess_conf->ipsec.tunnel.ipv6.flabel = 0;
+
+ if (flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0)
+ sess_conf->ipsec.tunnel.ipv6.flabel =
+ TEST_IPSEC_FLABEL_VAL;
+
memcpy(&sess_conf->ipsec.tunnel.ipv6.src_addr, &src_v6,
sizeof(src_v6));
memcpy(&sess_conf->ipsec.tunnel.ipv6.dst_addr, &dst_v6,
@@ -1883,6 +1890,62 @@ test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused)
return test_ipsec_inline_proto_all(&flags);
}
+static int
+test_ipsec_inline_proto_ipv6_copy_flabel_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_0;
+
+ return test_ipsec_inline_proto_all(&flags);
+}
+
+static int
+test_ipsec_inline_proto_ipv6_copy_flabel_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.flabel = TEST_IPSEC_COPY_FLABEL_INNER_1;
+
+ return test_ipsec_inline_proto_all(&flags);
+}
+
+static int
+test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.flabel = TEST_IPSEC_SET_FLABEL_0_INNER_1;
+
+ return test_ipsec_inline_proto_all(&flags);
+}
+
+static int
+test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.flabel = TEST_IPSEC_SET_FLABEL_1_INNER_0;
+
+ return test_ipsec_inline_proto_all(&flags);
+}
+
static int
test_ipsec_inline_proto_ipv4_ttl_decrement(const void *data __rte_unused)
{
@@ -2329,6 +2392,22 @@ static struct unit_test_suite inline_ipsec_testsuite = {
"Tunnel header IPv6 set DSCP 1 (inner 0)",
ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
test_ipsec_inline_proto_ipv6_set_dscp_1_inner_0),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header IPv6 copy FLABEL (inner 0)",
+ ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
+ test_ipsec_inline_proto_ipv6_copy_flabel_inner_0),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header IPv6 copy FLABEL (inner 1)",
+ ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
+ test_ipsec_inline_proto_ipv6_copy_flabel_inner_1),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header IPv6 set FLABEL 0 (inner 1)",
+ ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
+ test_ipsec_inline_proto_ipv6_set_flabel_0_inner_1),
+ TEST_CASE_NAMED_ST(
+ "Tunnel header IPv6 set FLABEL 1 (inner 0)",
+ ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
+ test_ipsec_inline_proto_ipv6_set_flabel_1_inner_0),
TEST_CASE_NAMED_ST(
"Tunnel header IPv4 decrement inner TTL",
ut_setup_inline_ipsec, ut_teardown_inline_ipsec,