From patchwork Sat Sep 25 15:35:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99655 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5766CA0C47; Sat, 25 Sep 2021 17:36:14 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id F3D8D406FF; Sat, 25 Sep 2021 17:36:13 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 084244003C for ; Sat, 25 Sep 2021 17:36:11 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PDQ9FS003440; Sat, 25 Sep 2021 08:36:11 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=DOH386djkTE1WrPrrjXDNsZSJypvNxRUO02bUS4Z3Wk=; b=P8WW2w5e5fFvBMbroK0yorvy9Ixlq0dGKsnknMy+bbR0oa0iwGrySlG1RY+9m0Y26NVJ LL2jI1IZPy/QDKl9Uvh53xzaiFNo5OpREFt7/UBCQl22XX9Fm/cI0d8SqByih2FcqdQH qjFRCryjyMrx4Uyue2XNdDszMHi4eZy0gm2mXt1g4Qxx9mO4ll/VQHBsQSDjKnyJ1SXM e9ZIQBRjtqLEHQI42AGtUmmzOlhN7113Pyt/0gANDO3hAvrgax4nDB9IKZVV1i5Sf8gY AYljN0TUOIHaXeVGGW+QNCE2jA3R3yV2QMWpA9cs10r0in8D7HHrGUkFgqw39WOwWIwE aQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0a-0016f401.pphosted.com with ESMTP id 3ba14prp3v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:10 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:09 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:09 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id B44403F7073; Sat, 25 Sep 2021 08:36:05 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Anoob Joseph , Jerin Jacob , Archana Muniganti , Tejasree Kondoj , Hemant Agrawal , "Radu Nicolau" , Ciara Power , Gagandeep Singh , Date: Sat, 25 Sep 2021 21:05:28 +0530 Message-ID: <1632584132-289-2-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: 0RsiK1BjGWnRnazv7fqLVzr7M-iTcTx- X-Proofpoint-ORIG-GUID: 0RsiK1BjGWnRnazv7fqLVzr7M-iTcTx- X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Added test case for lookaside IPsec. Inbound known vector tests are added. Cipher list: AES-GCM 128, 192 & 256 Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power Acked-by: Hemant Agrawal --- app/test/meson.build | 1 + app/test/test.h | 6 + app/test/test_cryptodev.c | 236 +++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 212 ++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 66 +++++ .../test_cryptodev_security_ipsec_test_vectors.h | 321 +++++++++++++++++++++ doc/guides/rel_notes/release_21_11.rst | 4 + 7 files changed, 846 insertions(+) create mode 100644 app/test/test_cryptodev_security_ipsec.c create mode 100644 app/test/test_cryptodev_security_ipsec.h create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h diff --git a/app/test/meson.build b/app/test/meson.build index a761168..f144d8b 100644 --- a/app/test/meson.build +++ b/app/test/meson.build @@ -38,6 +38,7 @@ test_sources = files( 'test_cryptodev.c', 'test_cryptodev_asym.c', 'test_cryptodev_blockcipher.c', + 'test_cryptodev_security_ipsec.c', 'test_cryptodev_security_pdcp.c', 'test_cycles.c', 'test_debug.c', diff --git a/app/test/test.h b/app/test/test.h index c3b2a87..7115edf 100644 --- a/app/test/test.h +++ b/app/test/test.h @@ -124,6 +124,12 @@ struct unit_test_case { #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \ { setup, teardown, NULL, testcase, #testcase, 1, data } +#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \ + { setup, teardown, NULL, testcase, name, 1, NULL } + +#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \ + { setup, teardown, NULL, testcase, name, 1, data } + #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL } #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \ diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index d19482c..f7d429b 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -16,6 +16,7 @@ #include #include +#include #include #ifdef RTE_CRYPTO_SCHEDULER @@ -41,6 +42,8 @@ #include "test_cryptodev_hmac_test_vectors.h" #include "test_cryptodev_mixed_test_vectors.h" #ifdef RTE_LIB_SECURITY +#include "test_cryptodev_security_ipsec.h" +#include "test_cryptodev_security_ipsec_test_vectors.h" #include "test_cryptodev_security_pdcp_test_vectors.h" #include "test_cryptodev_security_pdcp_sdap_test_vectors.h" #include "test_cryptodev_security_pdcp_test_func.h" @@ -123,6 +126,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess, const uint8_t *digest, const uint8_t *iv); +static int +security_proto_supported(enum rte_security_session_action_type action, + enum rte_security_session_protocol proto); + +static int +dev_configure_and_start(uint64_t ff_disable); + static struct rte_mbuf * setup_test_string(struct rte_mempool *mpool, const char *string, size_t len, uint8_t blocksize) @@ -753,6 +763,47 @@ crypto_gen_testsuite_setup(void) #ifdef RTE_LIB_SECURITY static int +ipsec_proto_testsuite_setup(void) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_cryptodev_info dev_info; + int ret = 0; + + rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info); + + if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) { + RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto " + "testsuite not met\n"); + return TEST_SKIPPED; + } + + /* Reconfigure to enable security */ + ret = dev_configure_and_start(0); + if (ret != TEST_SUCCESS) + return ret; + + /* Set action type */ + ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + + if (security_proto_supported( + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, + RTE_SECURITY_PROTOCOL_IPSEC) < 0) { + RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto " + "test not met\n"); + ret = TEST_SKIPPED; + } + + /* + * Stop the device. Device would be started again by individual test + * case setup routine. + */ + rte_cryptodev_stop(ts_params->valid_devs[0]); + + return ret; +} + +static int pdcp_proto_testsuite_setup(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -8854,6 +8905,170 @@ test_PDCP_SDAP_PROTO_decap_all(void) } static int +test_ipsec_proto_process(const struct ipsec_test_data td[], + struct ipsec_test_data res_d[], + int nb_td, + bool silent) +{ + struct crypto_testsuite_params *ts_params = &testsuite_params; + struct crypto_unittest_params *ut_params = &unittest_params; + struct rte_security_capability_idx sec_cap_idx; + const struct rte_security_capability *sec_cap; + struct rte_security_ipsec_xform ipsec_xform; + uint8_t dev_id = ts_params->valid_devs[0]; + enum rte_security_ipsec_sa_direction dir; + struct ipsec_test_data *res_d_tmp = NULL; + uint32_t src = RTE_IPV4(192, 168, 1, 0); + uint32_t dst = RTE_IPV4(192, 168, 1, 1); + int salt_len, i, ret = TEST_SUCCESS; + struct rte_security_ctx *ctx; + uint8_t *input_text; + + ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; + + /* Use first test data to create session */ + + /* Copy IPsec xform */ + memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + + dir = ipsec_xform.direction; + + ctx = rte_cryptodev_get_sec_ctx(dev_id); + + sec_cap_idx.action = ut_params->type; + sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC; + sec_cap_idx.ipsec.proto = ipsec_xform.proto; + sec_cap_idx.ipsec.mode = ipsec_xform.mode; + sec_cap_idx.ipsec.direction = ipsec_xform.direction; + + sec_cap = rte_security_capability_get(ctx, &sec_cap_idx); + if (sec_cap == NULL) + return TEST_SKIPPED; + + /* Copy cipher session parameters */ + if (td[0].aead) { + memcpy(&ut_params->aead_xform, &td[0].xform.aead, + sizeof(ut_params->aead_xform)); + ut_params->aead_xform.aead.key.data = td[0].key.data; + ut_params->aead_xform.aead.iv.offset = IV_OFFSET; + + /* Verify crypto capabilities */ + if (test_ipsec_crypto_caps_aead_verify( + sec_cap, + &ut_params->aead_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + } else { + /* Only AEAD supported now */ + return TEST_SKIPPED; + } + + if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0) + return TEST_SKIPPED; + + salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); + memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); + + struct rte_security_session_conf sess_conf = { + .action_type = ut_params->type, + .protocol = RTE_SECURITY_PROTOCOL_IPSEC, + .ipsec = ipsec_xform, + .crypto_xform = &ut_params->aead_xform, + }; + + /* Create security session */ + ut_params->sec_session = rte_security_session_create(ctx, &sess_conf, + ts_params->session_mpool, + ts_params->session_priv_mpool); + + if (ut_params->sec_session == NULL) + return TEST_SKIPPED; + + for (i = 0; i < nb_td; i++) { + /* Setup source mbuf payload */ + ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool); + memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0, + rte_pktmbuf_tailroom(ut_params->ibuf)); + + input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf, + td[i].input_text.len); + + memcpy(input_text, td[i].input_text.data, + td[i].input_text.len); + + /* Generate crypto op data structure */ + ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool, + RTE_CRYPTO_OP_TYPE_SYMMETRIC); + if (!ut_params->op) { + printf("TestCase %s line %d: %s\n", + __func__, __LINE__, + "failed to allocate crypto op"); + ret = TEST_FAILED; + goto crypto_op_free; + } + + /* Attach session to operation */ + rte_security_attach_session(ut_params->op, + ut_params->sec_session); + + /* Set crypto operation mbufs */ + ut_params->op->sym->m_src = ut_params->ibuf; + ut_params->op->sym->m_dst = NULL; + + /* Process crypto operation */ + process_crypto_request(dev_id, ut_params->op); + + ret = test_ipsec_status_check(ut_params->op, dir); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + + if (res_d != NULL) + res_d_tmp = &res_d[i]; + + ret = test_ipsec_post_process(ut_params->ibuf, &td[i], + res_d_tmp, silent); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + + rte_crypto_op_free(ut_params->op); + ut_params->op = NULL; + + rte_pktmbuf_free(ut_params->ibuf); + ut_params->ibuf = NULL; + } + +crypto_op_free: + rte_crypto_op_free(ut_params->op); + ut_params->op = NULL; + + rte_pktmbuf_free(ut_params->ibuf); + ut_params->ibuf = NULL; + + if (ut_params->sec_session) + rte_security_session_destroy(ctx, ut_params->sec_session); + ut_params->sec_session = NULL; + + return ret; +} + +static int +test_ipsec_proto_known_vec_inb(const void *td_outb) +{ + struct ipsec_test_data td_inb; + + test_ipsec_td_in_from_out(td_outb, &td_inb); + + return test_ipsec_proto_process(&td_inb, NULL, 1, false); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -13745,6 +13960,26 @@ static struct unit_test_suite end_testsuite = { }; #ifdef RTE_LIB_SECURITY +static struct unit_test_suite ipsec_proto_testsuite = { + .suite_name = "IPsec Proto Unit Test Suite", + .setup = ipsec_proto_testsuite_setup, + .unit_test_cases = { + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASES_END() /**< NULL terminate unit test array */ + } +}; + static struct unit_test_suite pdcp_proto_testsuite = { .suite_name = "PDCP Proto Unit Test Suite", .setup = pdcp_proto_testsuite_setup, @@ -14530,6 +14765,7 @@ run_cryptodev_testsuite(const char *pmd_name) &cryptodev_negative_hmac_sha1_testsuite, &cryptodev_gen_testsuite, #ifdef RTE_LIB_SECURITY + &ipsec_proto_testsuite, &pdcp_proto_testsuite, &docsis_proto_testsuite, #endif diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c new file mode 100644 index 0000000..2431fcb --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec.c @@ -0,0 +1,212 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#include +#include +#include +#include + +#include "test.h" +#include "test_cryptodev_security_ipsec.h" + +int +test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap, + bool silent) +{ + /* Verify security capabilities */ + + if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "ESN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.udp_encap == 1 && + sec_cap->ipsec.options.udp_encap == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_dscp == 1 && + sec_cap->ipsec.options.copy_dscp == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_flabel == 1 && + sec_cap->ipsec.options.copy_flabel == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.copy_df == 1 && + sec_cap->ipsec.options.copy_df == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.dec_ttl == 1 && + sec_cap->ipsec.options.dec_ttl == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "ECN is not supported\n"); + return -ENOTSUP; + } + + if (ipsec_xform->options.stats == 1 && + sec_cap->ipsec.options.stats == 0) { + if (!silent) + RTE_LOG(INFO, USER1, "Stats is not supported\n"); + return -ENOTSUP; + } + + return 0; +} + +int +test_ipsec_crypto_caps_aead_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *aead) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *crypto_cap; + int j = 0; + + while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + crypto_cap->sym.xform_type == aead->type && + crypto_cap->sym.aead.algo == aead->aead.algo) { + sym_cap = &crypto_cap->sym; + if (rte_cryptodev_sym_capability_check_aead(sym_cap, + aead->aead.key.length, + aead->aead.digest_length, + aead->aead.aad_length, + aead->aead.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + +void +test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, + struct ipsec_test_data *td_in) +{ + memcpy(td_in, td_out, sizeof(*td_in)); + + /* Populate output text of td_in with input text of td_out */ + memcpy(td_in->output_text.data, td_out->input_text.data, + td_out->input_text.len); + td_in->output_text.len = td_out->input_text.len; + + /* Populate input text of td_in with output text of td_out */ + memcpy(td_in->input_text.data, td_out->output_text.data, + td_out->output_text.len); + td_in->input_text.len = td_out->output_text.len; + + td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; + + if (td_in->aead) { + td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT; + } else { + td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY; + td_in->xform.chain.cipher.cipher.op = + RTE_CRYPTO_CIPHER_OP_DECRYPT; + } +} + +static int +test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td) +{ + int len = 0; + + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) + len += sizeof(struct rte_ipv4_hdr); + else + len += sizeof(struct rte_ipv6_hdr); + } + } + + return len; +} + +static int +test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, + bool silent) +{ + uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); + uint32_t skip, len = rte_pktmbuf_pkt_len(m); + + if (len != td->output_text.len) { + printf("Output length (%d) not matching with expected (%d)\n", + len, td->output_text.len); + return TEST_FAILED; + } + + skip = test_ipsec_tunnel_hdr_len_get(td); + + len -= skip; + output_text += skip; + + if (memcmp(output_text, td->output_text.data + skip, len)) { + if (silent) + return TEST_FAILED; + + printf("TestCase %s line %d: %s\n", __func__, __LINE__, + "output text not as expected\n"); + + rte_hexdump(stdout, "expected", td->output_text.data + skip, + len); + rte_hexdump(stdout, "actual", output_text, len); + return TEST_FAILED; + } + + return TEST_SUCCESS; +} + +int +test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, + struct ipsec_test_data *res_d, bool silent) +{ + /* + * In case of known vector tests & all inbound tests, res_d provided + * would be NULL and output data need to be validated against expected. + * For inbound, output_text would be plain packet and for outbound + * output_text would IPsec packet. Validate by comparing against + * known vectors. + */ + RTE_SET_USED(res_d); + return test_ipsec_td_verify(m, td, silent); +} + +int +test_ipsec_status_check(struct rte_crypto_op *op, + enum rte_security_ipsec_sa_direction dir) +{ + int ret = TEST_SUCCESS; + + if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + printf("Security op processing failed\n"); + ret = TEST_FAILED; + } + + RTE_SET_USED(dir); + + return ret; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h new file mode 100644 index 0000000..5f1b46d --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec.h @@ -0,0 +1,66 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(C) 2021 Marvell. + */ + +#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_ +#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_ + +#include +#include + +struct ipsec_test_data { + struct { + uint8_t data[32]; + } key; + + struct { + uint8_t data[1024]; + unsigned int len; + } input_text; + + struct { + uint8_t data[1024]; + unsigned int len; + } output_text; + + struct { + uint8_t data[4]; + unsigned int len; + } salt; + + struct { + uint8_t data[16]; + } iv; + + struct rte_security_ipsec_xform ipsec_xform; + + bool aead; + + union { + struct { + struct rte_crypto_sym_xform cipher; + struct rte_crypto_sym_xform auth; + } chain; + struct rte_crypto_sym_xform aead; + } xform; +}; + +int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, + const struct rte_security_capability *sec_cap, + bool silent); + +int test_ipsec_crypto_caps_aead_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *aead); + +void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, + struct ipsec_test_data *td_in); + +int test_ipsec_post_process(struct rte_mbuf *m, + const struct ipsec_test_data *td, + struct ipsec_test_data *res_d, bool silent); + +int test_ipsec_status_check(struct rte_crypto_op *op, + enum rte_security_ipsec_sa_direction dir); + +#endif diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h new file mode 100644 index 0000000..ae9cd24 --- /dev/null +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -0,0 +1,321 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2021 Marvell + */ + +#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ +#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ + +#include +#include + +#include "test_cryptodev_security_ipsec.h" + +/* + * Known vectors + * + * AES-GCM vectors are based on : + * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01 + * + * Vectors are updated to have corrected L4 checksum and sequence number 1. + */ + +struct ipsec_test_data pkt_aes_128_gcm = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* UDP */ + 0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43, + 0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70, + 0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69, + 0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01, + 0x00, 0x01, + }, + .len = 62, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88, + + /* Data */ + 0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1, + 0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04, + 0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f, + 0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c, + 0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f, + 0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42, + 0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4, + 0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4, + 0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58, + 0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94, + + }, + .len = 116, + }, + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_192_gcm = { + .key = { + .data = { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00, + 0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f, + 0x0a, 0x01, 0x06, 0x12, + + /* TCP */ + 0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02, + 0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0, + 0x75, 0x67, 0x00, 0x01 + }, + .len = 40, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88, + + /* Data */ + 0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4, + 0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42, + 0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6, + 0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0, + 0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77, + 0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4, + 0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e, + 0x54, 0x05, 0x22, 0x22, + }, + .len = 96, + }, + .salt = { + .data = { + 0xca, 0xfe, 0xba, 0xbe + }, + .len = 4, + }, + + .iv = { + .data = { + 0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88 + }, + }, + + .ipsec_xform = { + .spi = 0xa5f8, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 24, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_256_gcm = { + .key = { + .data = { + 0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23, + 0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab, + 0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23, + 0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00, + 0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02, + 0x93, 0x89, 0x15, 0x5e, + + /* TCP */ + 0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0, + 0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00, + 0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4, + 0x01, 0x01, 0x04, 0x02, + }, + .len = 48, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00, + 0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02, + 0xc0, 0xa8, 0x01, 0x01, + + /* ESP */ + 0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + + /* Data */ + 0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf, + 0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d, + 0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf, + 0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63, + 0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34, + 0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d, + 0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f, + 0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee, + 0xa6, 0xc5, 0x11, 0x60, + }, + .len = 104, + }, + .salt = { + .data = { + 0x11, 0x22, 0x33, 0x44 + }, + .len = 4, + }, + + .iv = { + .data = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 + }, + }, + + .ipsec_xform = { + .spi = 0x4a2cbfe3, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .esn_soft_limit = 0, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 32, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + +#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 43d367b..cf0277d 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -87,6 +87,10 @@ New Features Added command-line options to specify total number of processes and current process ID. Each process owns subset of Rx and Tx queues. +* **Added lookaside protocol (IPsec) tests in dpdk-test.** + + * Added known vector tests (AES-GCM 128, 192, 256). + Removed Items ------------- From patchwork Sat Sep 25 15:35:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99656 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 212B8A0C47; Sat, 25 Sep 2021 17:36:23 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8129640E32; Sat, 25 Sep 2021 17:36:18 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 2667B40E32 for ; Sat, 25 Sep 2021 17:36:17 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PFLuct022192; Sat, 25 Sep 2021 08:36:16 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=AodK1wuMchPmxN7u8e5LepCj+XCek2DGXNq7T6MiSrQ=; b=LsOd5KicWHxPO4hKDoRhKnso6YIujVJjX/bNyh4S8dYnvb1IgBl5853eVEQ5poKylFrx CIIpONv1NwKM3O6HyIuaxYbADFxePmT20Hayn8Sw6Xw4LAh5hAE2nwxeggbNC06X2PcS FQkoLT26cC3sE2VV4WtyVEz9zIW4mrTuiVuaD28stnfcevgkf5Y/s4B0K2dfC351XhV9 raVs2HlVC3tcoSeZR2mGMw/mrfmxJ6gUP9vKMZwtnqo60dCDv/PGGqCnDajinC3607nz ZT4Ft0sGzpS5x/D+m0LWrYuJcbj8+oXpJVMEbC0tamIO+d/8QPxEk0xdBC1FNU0FBVk2 RQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3ba14prp4k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:16 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:14 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:14 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id E99E33F7073; Sat, 25 Sep 2021 08:36:10 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Anoob Joseph , Jerin Jacob , Archana Muniganti , Tejasree Kondoj , Hemant Agrawal , "Radu Nicolau" , Ciara Power , Gagandeep Singh , Date: Sat, 25 Sep 2021 21:05:29 +0530 Message-ID: <1632584132-289-3-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: tqgwUKWCecFu6z2IgdAKzZBByo5hT13e X-Proofpoint-ORIG-GUID: tqgwUKWCecFu6z2IgdAKzZBByo5hT13e X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 2/5] test/crypto: add combined mode IPsec cases X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add framework to test IPsec features with all supported combinations of ciphers. Combined mode tests are used to test all IPsec features against all ciphers supported by the PMD. The framework is introduced to avoid testing with any specific algo, thereby making it mandatory to be supported. Also, testing with all supported combinations will help with increasing coverage as well. The tests would first do IPsec encapsulation and do sanity checks. Based on flags, packet would be updated or additional checks are done, followed by IPsec decapsulation. Since the encrypted packet is generated by the test, known vectors are not required. Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power --- app/test/test_cryptodev.c | 73 +++++++++++++++++++-- app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++-- app/test/test_cryptodev_security_ipsec.h | 52 ++++++++++++++- 3 files changed, 223 insertions(+), 9 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f7d429b..3eacc66 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8908,7 +8908,8 @@ static int test_ipsec_proto_process(const struct ipsec_test_data td[], struct ipsec_test_data res_d[], int nb_td, - bool silent) + bool silent, + const struct ipsec_test_flags *flags) { struct crypto_testsuite_params *ts_params = &testsuite_params; struct crypto_unittest_params *ut_params = &unittest_params; @@ -9025,7 +9026,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); - ret = test_ipsec_status_check(ut_params->op, dir); + ret = test_ipsec_status_check(ut_params->op, flags, dir); if (ret != TEST_SUCCESS) goto crypto_op_free; @@ -9033,7 +9034,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], res_d_tmp = &res_d[i]; ret = test_ipsec_post_process(ut_params->ibuf, &td[i], - res_d_tmp, silent); + res_d_tmp, silent, flags); if (ret != TEST_SUCCESS) goto crypto_op_free; @@ -9061,11 +9062,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], static int test_ipsec_proto_known_vec_inb(const void *td_outb) { + struct ipsec_test_flags flags; struct ipsec_test_data td_inb; + memset(&flags, 0, sizeof(flags)); + test_ipsec_td_in_from_out(td_outb, &td_inb); - return test_ipsec_proto_process(&td_inb, NULL, 1, false); + return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags); +} + +static int +test_ipsec_proto_all(const struct ipsec_test_flags *flags) +{ + struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX]; + struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX]; + unsigned int i, nb_pkts = 1, pass_cnt = 0; + int ret; + + for (i = 0; i < RTE_DIM(aead_list); i++) { + test_ipsec_td_prepare(&aead_list[i], + NULL, + flags, + td_outb, + nb_pkts); + + ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, + flags); + if (ret == TEST_SKIPPED) + continue; + + if (ret == TEST_FAILED) + return TEST_FAILED; + + test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags); + + ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true, + flags); + if (ret == TEST_SKIPPED) + continue; + + if (ret == TEST_FAILED) + return TEST_FAILED; + + if (flags->display_alg) + test_ipsec_display_alg(&aead_list[i], NULL); + + pass_cnt++; + } + + if (pass_cnt > 0) + return TEST_SUCCESS; + else + return TEST_SKIPPED; +} + +static int +test_ipsec_proto_display_list(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.display_alg = true; + + return test_ipsec_proto_all(&flags); } static int @@ -13976,6 +14037,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASE_NAMED_ST( + "Combined test alg list", + ut_setup_security, ut_teardown, + test_ipsec_proto_display_list), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 2431fcb..d08e093 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -10,6 +10,8 @@ #include "test.h" #include "test_cryptodev_security_ipsec.h" +extern struct ipsec_test_data pkt_aes_256_gcm; + int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, const struct rte_security_capability *sec_cap, @@ -128,6 +130,68 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, } } +void +test_ipsec_td_prepare(const struct crypto_param *param1, + const struct crypto_param *param2, + const struct ipsec_test_flags *flags, + struct ipsec_test_data *td_array, + int nb_td) + +{ + struct ipsec_test_data *td; + int i; + + memset(td_array, 0, nb_td * sizeof(*td)); + + for (i = 0; i < nb_td; i++) { + td = &td_array[i]; + /* Copy template for packet & key fields */ + memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); + + /* Override fields based on param */ + + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) + td->aead = true; + else + td->aead = false; + + td->xform.aead.aead.algo = param1->alg.aead; + td->xform.aead.aead.key.length = param1->key_length; + } + + RTE_SET_USED(flags); + RTE_SET_USED(param2); +} + +void +test_ipsec_td_update(struct ipsec_test_data td_inb[], + const struct ipsec_test_data td_outb[], + int nb_td, + const struct ipsec_test_flags *flags) +{ + int i; + + for (i = 0; i < nb_td; i++) { + memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data, + td_outb[i].input_text.len); + td_inb[i].output_text.len = td_outb->input_text.len; + } + + RTE_SET_USED(flags); +} + +void +test_ipsec_display_alg(const struct crypto_param *param1, + const struct crypto_param *param2) +{ + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) + printf("\t%s [%d]\n", + rte_crypto_aead_algorithm_strings[param1->alg.aead], + param1->key_length); + + RTE_SET_USED(param2); +} + static int test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td) { @@ -148,7 +212,7 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td) static int test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, - bool silent) + bool silent, const struct ipsec_test_flags *flags) { uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); @@ -177,12 +241,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return TEST_FAILED; } + RTE_SET_USED(flags); + + return TEST_SUCCESS; +} + +static int +test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td, + struct ipsec_test_data *res_d) +{ + uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); + uint32_t len = rte_pktmbuf_pkt_len(m); + + memcpy(res_d, td, sizeof(*res_d)); + memcpy(res_d->input_text.data, output_text, len); + res_d->input_text.len = len; + + res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS; + if (res_d->aead) { + res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT; + } else { + printf("Only AEAD supported\n"); + return TEST_SKIPPED; + } + return TEST_SUCCESS; } int test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, - struct ipsec_test_data *res_d, bool silent) + struct ipsec_test_data *res_d, bool silent, + const struct ipsec_test_flags *flags) { /* * In case of known vector tests & all inbound tests, res_d provided @@ -190,13 +279,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, * For inbound, output_text would be plain packet and for outbound * output_text would IPsec packet. Validate by comparing against * known vectors. + * + * In case of combined mode tests, the output_text from outbound + * operation (ie, IPsec packet) would need to be inbound processed to + * obtain the plain text. Copy output_text to result data, 'res_d', so + * that inbound processing can be done. */ - RTE_SET_USED(res_d); - return test_ipsec_td_verify(m, td, silent); + + if (res_d == NULL) + return test_ipsec_td_verify(m, td, silent, flags); + else + return test_ipsec_res_d_prepare(m, td, res_d); } int test_ipsec_status_check(struct rte_crypto_op *op, + const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir) { int ret = TEST_SUCCESS; @@ -206,6 +304,7 @@ test_ipsec_status_check(struct rte_crypto_op *op, ret = TEST_FAILED; } + RTE_SET_USED(flags); RTE_SET_USED(dir); return ret; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 5f1b46d..cbb3ee4 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -8,6 +8,8 @@ #include #include +#define IPSEC_TEST_PACKETS_MAX 32 + struct ipsec_test_data { struct { uint8_t data[32]; @@ -45,6 +47,38 @@ struct ipsec_test_data { } xform; }; +struct ipsec_test_flags { + bool display_alg; +}; + +struct crypto_param { + enum rte_crypto_sym_xform_type type; + union { + enum rte_crypto_cipher_algorithm cipher; + enum rte_crypto_auth_algorithm auth; + enum rte_crypto_aead_algorithm aead; + } alg; + uint16_t key_length; +}; + +static const struct crypto_param aead_list[] = { + { + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .alg.aead = RTE_CRYPTO_AEAD_AES_GCM, + .key_length = 16, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .alg.aead = RTE_CRYPTO_AEAD_AES_GCM, + .key_length = 24, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .alg.aead = RTE_CRYPTO_AEAD_AES_GCM, + .key_length = 32 + }, +}; + int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, const struct rte_security_capability *sec_cap, bool silent); @@ -56,11 +90,27 @@ int test_ipsec_crypto_caps_aead_verify( void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in); +void test_ipsec_td_prepare(const struct crypto_param *param1, + const struct crypto_param *param2, + const struct ipsec_test_flags *flags, + struct ipsec_test_data *td_array, + int nb_td); + +void test_ipsec_td_update(struct ipsec_test_data td_inb[], + const struct ipsec_test_data td_outb[], + int nb_td, + const struct ipsec_test_flags *flags); + +void test_ipsec_display_alg(const struct crypto_param *param1, + const struct crypto_param *param2); + int test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, - struct ipsec_test_data *res_d, bool silent); + struct ipsec_test_data *res_d, bool silent, + const struct ipsec_test_flags *flags); int test_ipsec_status_check(struct rte_crypto_op *op, + const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); #endif From patchwork Sat Sep 25 15:35:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99657 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DB00FA0C45; Sat, 25 Sep 2021 17:36:29 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 8E6284014D; Sat, 25 Sep 2021 17:36:23 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id 64E4B4003C for ; Sat, 25 Sep 2021 17:36:22 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PDJmgh002792; Sat, 25 Sep 2021 08:36:21 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=wYKKFEG59IJzirLScZ0ogqsND207vcQbikzAk/BB4P4=; b=XFUDdUwJx2l/ry3FtQMl/e0/BJx8LUExYL0zZqMapNInJn/NTbLBGE9ThbYqh0kZnu58 x8eoXZ+bI8cXyvusTKfsg4tQsje1yGf221zK0RrIfvchspTUhvGQ6Pb7IORQTb17ksuH SWONoIiFoMbZND+0IFRUPrryqmnXVpcyt7XBGeoI/lcHUk1TEdDDaOB1I68yIGiZmgkY Y/OkJTqZHa6zXSWv9jofLDcLtIZdt0HlSS8Z8e7Gmq1DpR1wk1G+yYxQeoFkce7ZZzXj tBkB2IwcyUzmtJWCNRMGOq7ncvrEsek7A6kWI3W+QdWKwlF1f8ofuL4gqxS/7XnIHyBd 5Q== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3ba39m8d7m-5 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:21 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:20 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:20 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 27DFA3F7091; Sat, 25 Sep 2021 08:36:15 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Tejasree Kondoj , Jerin Jacob , Archana Muniganti , Hemant Agrawal , Radu Nicolau , Ciara Power , Gagandeep Singh , , Anoob Joseph Date: Sat, 25 Sep 2021 21:05:30 +0530 Message-ID: <1632584132-289-4-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: yrpQF_ljHYCw9nx20lvrcry6uQUS7mMU X-Proofpoint-ORIG-GUID: yrpQF_ljHYCw9nx20lvrcry6uQUS7mMU X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 3/5] test/crypto: add lookaside IPsec ICV corrupt test case X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Tejasree Kondoj Add negative test to validate IPsec inbound processing failure with ICV corruption. The tests would first do IPsec encapsulation and corrupt ICV of the generated IPsec packet. Then the packet is submitted to IPsec outbound processing for decapsulation. Test case would validate that PMD returns an error in such cases. Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power Acked-by: Hemant Agrawal --- app/test/test_cryptodev.c | 16 ++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++---------- app/test/test_cryptodev_security_ipsec.h | 1 + doc/guides/rel_notes/release_21_11.rst | 1 + 4 files changed, 38 insertions(+), 10 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 3eacc66..bfaca1d 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9130,6 +9130,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused) } static int +test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.icv_corrupt = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14041,6 +14053,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Combined test alg list", ut_setup_security, ut_teardown, test_ipsec_proto_display_list), + TEST_CASE_NAMED_ST( + "Negative test: ICV corruption", + ut_setup_security, ut_teardown, + test_ipsec_proto_err_icv_corrupt), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index d08e093..aebbe66 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data, td_outb[i].input_text.len); td_inb[i].output_text.len = td_outb->input_text.len; - } - RTE_SET_USED(flags); + if (flags->icv_corrupt) { + int icv_pos = td_inb[i].input_text.len - 4; + td_inb[i].input_text.data[icv_pos] += 1; + } + } } void @@ -217,6 +220,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); + /* For negative tests, no need to do verification */ + if (flags->icv_corrupt && + td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) + return TEST_SUCCESS; + if (len != td->output_text.len) { printf("Output length (%d) not matching with expected (%d)\n", len, td->output_text.len); @@ -241,8 +249,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return TEST_FAILED; } - RTE_SET_USED(flags); - return TEST_SUCCESS; } @@ -299,13 +305,17 @@ test_ipsec_status_check(struct rte_crypto_op *op, { int ret = TEST_SUCCESS; - if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { - printf("Security op processing failed\n"); - ret = TEST_FAILED; + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("ICV corruption test case failed\n"); + ret = TEST_FAILED; + } + } else { + if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { + printf("Security op processing failed\n"); + ret = TEST_FAILED; + } } - RTE_SET_USED(flags); - RTE_SET_USED(dir); - return ret; } diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index cbb3ee4..134fc3a 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -49,6 +49,7 @@ struct ipsec_test_data { struct ipsec_test_flags { bool display_alg; + bool icv_corrupt; }; struct crypto_param { diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index cf0277d..8fc5844 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -90,6 +90,7 @@ New Features * **Added lookaside protocol (IPsec) tests in dpdk-test.** * Added known vector tests (AES-GCM 128, 192, 256). + * Added tests to verify error reporting with ICV corruption. Removed Items From patchwork Sat Sep 25 15:35:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99658 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2ECA7A0C45; Sat, 25 Sep 2021 17:36:36 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id B4016410ED; Sat, 25 Sep 2021 17:36:28 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 8F5DF410ED for ; Sat, 25 Sep 2021 17:36:27 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PDQ9FX003440; Sat, 25 Sep 2021 08:36:26 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=yAF2YMCLrx2HcX+VfVf7sltZPUeTAX96xmvEs3Qz7/0=; b=BGVwTZejO8D1rfgtmWhnO5F+TZnafccUu7qBlSKwHsRVdCvnuULdRk14F+cGLmr1jyx1 WaAghAmt2cJ3cnsjHJc4kCnSdoLUgl4XltIStgOObHBEhISuYSUl1iC02uQPzl7rGkT/ 9z7Xqr0P5oDSIRLS5GJARQWRpDI1rotVgVtc7R15QSMGHkorhJJuBF0Xz1pc2X3QAsLg Hm4NzuTuK58UBa9LhN5Otbf679Px3CCvynTbuq7cIJJqvgIj/2ZVhLYhSPmmGy8nYoqs thLC0K0JVp60PVyHFdqNM3T+C7tn0h4sffb8G55e+jb0CjVn/ZTFux8ihCpjHx33LtK/ jQ== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3ba14prp5r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:26 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:25 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:25 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 58B503F7086; Sat, 25 Sep 2021 08:36:21 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Tejasree Kondoj , Jerin Jacob , Archana Muniganti , Hemant Agrawal , Radu Nicolau , Ciara Power , Gagandeep Singh , , Anoob Joseph Date: Sat, 25 Sep 2021 21:05:31 +0530 Message-ID: <1632584132-289-5-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: mxRpvSveXx6MtzBohmnsC5V8L3hc6TrB X-Proofpoint-ORIG-GUID: mxRpvSveXx6MtzBohmnsC5V8L3hc6TrB X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 4/5] test/crypto: add IV gen cases for IPsec X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Tejasree Kondoj Added cases to verify IV generated by PMD for lookaside IPsec. The tests compare IV generated for a batch of packets and ensures that IV is not getting repeated in the batch. Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power --- app/test/test_cryptodev.c | 19 ++++++++++++ app/test/test_cryptodev_security_ipsec.c | 52 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + doc/guides/rel_notes/release_21_11.rst | 1 + 4 files changed, 73 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index bfaca1d..956541e 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9080,6 +9080,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) unsigned int i, nb_pkts = 1, pass_cnt = 0; int ret; + if (flags->iv_gen) + nb_pkts = IPSEC_TEST_PACKETS_MAX; + for (i = 0; i < RTE_DIM(aead_list); i++) { test_ipsec_td_prepare(&aead_list[i], NULL, @@ -9130,6 +9133,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused) } static int +test_ipsec_proto_iv_gen(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.iv_gen = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused) { struct ipsec_test_flags flags; @@ -14054,6 +14069,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_display_list), TEST_CASE_NAMED_ST( + "IV generation", + ut_setup_security, ut_teardown, + test_ipsec_proto_iv_gen), + TEST_CASE_NAMED_ST( "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index aebbe66..78c7f3a 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -4,12 +4,15 @@ #include #include +#include #include #include #include "test.h" #include "test_cryptodev_security_ipsec.h" +#define IV_LEN_MAX 16 + extern struct ipsec_test_data pkt_aes_256_gcm; int @@ -214,6 +217,46 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td) } static int +test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td) +{ + static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX]; + uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *); + int i, iv_pos, iv_len; + static int index; + + if (td->aead) + iv_len = td->xform.aead.aead.iv.length - td->salt.len; + else + iv_len = td->xform.chain.cipher.cipher.iv.length; + + iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr); + output_text += iv_pos; + + TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported"); + + /* Compare against previous values */ + for (i = 0; i < index; i++) { + iv_tmp = &iv_queue[i * IV_LEN_MAX]; + + if (memcmp(output_text, iv_tmp, iv_len) == 0) { + printf("IV repeated"); + return TEST_FAILED; + } + } + + /* Save IV for future comparisons */ + + iv_tmp = &iv_queue[index * IV_LEN_MAX]; + memcpy(iv_tmp, output_text, iv_len); + index++; + + if (index == IPSEC_TEST_PACKETS_MAX) + index = 0; + + return TEST_SUCCESS; +} + +static int test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, bool silent, const struct ipsec_test_flags *flags) { @@ -279,6 +322,15 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, struct ipsec_test_data *res_d, bool silent, const struct ipsec_test_flags *flags) { + int ret; + + if (flags->iv_gen && + td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + ret = test_ipsec_iv_verify_push(m, td); + if (ret != TEST_SUCCESS) + return ret; + } + /* * In case of known vector tests & all inbound tests, res_d provided * would be NULL and output data need to be validated against expected. diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 134fc3a..d2ec63f 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -50,6 +50,7 @@ struct ipsec_test_data { struct ipsec_test_flags { bool display_alg; bool icv_corrupt; + bool iv_gen; }; struct crypto_param { diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index 8fc5844..cda0a92 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -91,6 +91,7 @@ New Features * Added known vector tests (AES-GCM 128, 192, 256). * Added tests to verify error reporting with ICV corruption. + * Added tests to verify IV generation. Removed Items From patchwork Sat Sep 25 15:35:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Anoob Joseph X-Patchwork-Id: 99659 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id CD75DA0C45; Sat, 25 Sep 2021 17:36:43 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3F93A410F6; Sat, 25 Sep 2021 17:36:35 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id EB6B540DFD for ; Sat, 25 Sep 2021 17:36:32 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18PEvYuk023188; Sat, 25 Sep 2021 08:36:32 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=c1rPCkKjzOVvVl+/Um/r7sqlYfpe7v6utT256dlOQdc=; b=g8d7L9FhB1z5OQwfWRaOjV2hU3zUOfkysAd40TdwtZ5PKbGvaLGso9mK5P/U68ElUFxK Ru7EW/mTScMLiGaPuZW0F6hrLHHJW9Fdxc1h/vzUWJwVnAYsguMBcuqdUC6o5rlcKI9b 6miWRQRAhRiHa7B3eJGEGDZweUeHWEVESjuMtVHczaDMnuBAU7Rw4GvAhhTLWkYGTHjW 4uGNsbvmiGmsAUj4h47gpMCHfklrRaivxDs/zd7B8Hmfm7A57ceUunOUUWldioTUU/A1 7mik1Z6aLcGUUMQFR1lyrfK7xZ5gqqu13Cl9jPzo79YE+ynsCKSb68OP5JpvHMNZOzFK lw== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com with ESMTP id 3ba39m8d8g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 25 Sep 2021 08:36:32 -0700 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sat, 25 Sep 2021 08:36:30 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Sat, 25 Sep 2021 08:36:30 -0700 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 8B6213F7077; Sat, 25 Sep 2021 08:36:26 -0700 (PDT) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Konstantin Ananyev" CC: Tejasree Kondoj , Jerin Jacob , Archana Muniganti , Hemant Agrawal , Radu Nicolau , Ciara Power , Gagandeep Singh , , Anoob Joseph Date: Sat, 25 Sep 2021 21:05:32 +0530 Message-ID: <1632584132-289-6-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1632584132-289-1-git-send-email-anoobj@marvell.com> References: <1631884523-836-1-git-send-email-anoobj@marvell.com> <1632584132-289-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 X-Proofpoint-GUID: E4obpIlQd9HppQaWt7jq98l00rYY2nrh X-Proofpoint-ORIG-GUID: E4obpIlQd9HppQaWt7jq98l00rYY2nrh X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-25_05,2021-09-24_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH v5 5/5] test/crypto: add UDP encapsulated IPsec test cases X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Tejasree Kondoj Add tests to verify UDP encapsulation with IPsec. The tests have IPsec packets generated from plain packets and verifies that UDP header is added. Subsequently, the packets are decapsulated and then resultant packet is verified by comparing against original packet. Signed-off-by: Anoob Joseph Signed-off-by: Tejasree Kondoj Acked-by: Akhil Goyal Acked-by: Ciara Power --- app/test/test_cryptodev.c | 19 +++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 28 ++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 1 + doc/guides/rel_notes/release_21_11.rst | 1 + 4 files changed, 49 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 956541e..bc2490b 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8946,6 +8946,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sec_cap_idx.ipsec.mode = ipsec_xform.mode; sec_cap_idx.ipsec.direction = ipsec_xform.direction; + if (flags->udp_encap) + ipsec_xform.options.udp_encap = 1; + sec_cap = rte_security_capability_get(ctx, &sec_cap_idx); if (sec_cap == NULL) return TEST_SKIPPED; @@ -9157,6 +9160,18 @@ test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused) } static int +test_ipsec_proto_udp_encap(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.udp_encap = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14073,6 +14088,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_iv_gen), TEST_CASE_NAMED_ST( + "UDP encapsulation", + ut_setup_security, ut_teardown, + test_ipsec_proto_udp_encap), + TEST_CASE_NAMED_ST( "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 78c7f3a..5b54996 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -7,6 +7,7 @@ #include #include #include +#include #include "test.h" #include "test_cryptodev_security_ipsec.h" @@ -183,6 +184,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], int icv_pos = td_inb[i].input_text.len - 4; td_inb[i].input_text.data[icv_pos] += 1; } + + if (flags->udp_encap) + td_inb[i].ipsec_xform.options.udp_encap = 1; } } @@ -268,6 +272,30 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) return TEST_SUCCESS; + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && + flags->udp_encap) { + const struct rte_ipv4_hdr *iph4; + const struct rte_ipv6_hdr *iph6; + + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + iph4 = (const struct rte_ipv4_hdr *)output_text; + if (iph4->next_proto_id != IPPROTO_UDP) { + printf("UDP header is not found\n"); + return TEST_FAILED; + } + } else { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (iph6->proto != IPPROTO_UDP) { + printf("UDP header is not found\n"); + return TEST_FAILED; + } + } + + len -= sizeof(struct rte_udp_hdr); + output_text += sizeof(struct rte_udp_hdr); + } + if (len != td->output_text.len) { printf("Output length (%d) not matching with expected (%d)\n", len, td->output_text.len); diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index d2ec63f..e1645f4 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -51,6 +51,7 @@ struct ipsec_test_flags { bool display_alg; bool icv_corrupt; bool iv_gen; + bool udp_encap; }; struct crypto_param { diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst index cda0a92..30c9ccf 100644 --- a/doc/guides/rel_notes/release_21_11.rst +++ b/doc/guides/rel_notes/release_21_11.rst @@ -92,6 +92,7 @@ New Features * Added known vector tests (AES-GCM 128, 192, 256). * Added tests to verify error reporting with ICV corruption. * Added tests to verify IV generation. + * Added tests to verify UDP encapsulation. Removed Items