DPDK CI discussions
* [PATCH v4 0/2] tools: add acvp_tool
@ 2023-03-14 20:18 jspewock
  2023-03-14 20:18 ` [PATCH v4 1/2] tools: expanded coverage of acvp_tool default config file jspewock
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: jspewock @ 2023-03-14 20:18 UTC
  To: ci; +Cc: Jeremy Spewock

From: Jeremy Spewock <jspewock@iol.unh.edu>

v1: https://mails.dpdk.org/archives/ci/2022-January/001599.html
v2: https://mails.dpdk.org/archives/ci/2022-January/001611.html
v3: https://mails.dpdk.org/archives/ci/2022-February/001636.html
v4:
  * update tooling and documentation to match current implementation

Jeremy Spewock (2):
  tools: expanded coverage of acvp_tool default config file
  doc: updated out-of-date acvp_tool readme

 tools/acvp/README           | 76 ++++++++++++++++++++++++++++++++-----
 tools/acvp/acvp_config.json | 47 ++++++++++++++++++-----
 2 files changed, 105 insertions(+), 18 deletions(-)

-- 
2.39.2



* [PATCH v4 1/2] tools: expanded coverage of acvp_tool default config file
  2023-03-14 20:18 [PATCH v4 0/2] tools: add acvp_tool jspewock
@ 2023-03-14 20:18 ` jspewock
  2023-03-14 20:18 ` [PATCH v4 2/2] doc: updated out-of-date acvp_tool readme jspewock
  2023-03-15  8:50 ` [PATCH v4 0/2] tools: add acvp_tool Ali Alnubani
  2 siblings, 0 replies; 5+ messages in thread
From: jspewock @ 2023-03-14 20:18 UTC
  To: ci; +Cc: Jeremy Spewock

From: Jeremy Spewock <jspewock@iol.unh.edu>

This expands the default config file for the ACVP tools to allow for
coverage of more algorithms.

Signed-off-by: Jeremy Spewock <jspewock@iol.unh.edu>
---
 tools/acvp/acvp_config.json | 47 ++++++++++++++++++++++++++++++-------
 1 file changed, 38 insertions(+), 9 deletions(-)

diff --git a/tools/acvp/acvp_config.json b/tools/acvp/acvp_config.json
index 9339885..55c20bf 100644
--- a/tools/acvp/acvp_config.json
+++ b/tools/acvp/acvp_config.json
@@ -2,22 +2,51 @@
     "url": "https://demo.acvts.nist.gov",
     "algorithms": [
         {
-            "algorithm": "ACVP-AES-GCM",
+            "algorithm": "ACVP-TDES-CBC",
             "revision": "1.0",
+	    "keyingOption": [
+                1
+            ],
+	    "messageLength": [{"min": 0, "max": 65535, "increment": 1}],
+	    "capabilities": [
+		{
+		  "direction": ["gen", "ver"],
+		  "keyLen": [128],
+		  "msgLen": [
+			{
+			  "max": 65536,
+			  "min": 0,
+			  "increment": 256
+			}
+		  ],
+		  "macLen": [
+			{
+			  "min": 64,
+			  "max": 128,
+			  "increment": 8
+			}
+		  ]
+		}
+	    ],
             "direction": ["encrypt"],
             "keyLen": [128, 192, 256],
+	    "macLen": [
+    		{
+      		    "min": 80,
+      		    "max": 160,
+      		   "increment": 8
+    		}
+  	    ],
             "tagLen": [128],
             "aadLen": [0],
-            "ivGenMode": "8.2.2",
             "ivGen": "internal",
+	    "ivGenMode": "8.2.2",
             "ivLen": [96],
             "payloadLen": [
-                {
-                    "max": 65536,
-                    "min": 0,
-                    "increment": 256
-                }
-            ]
+                128
+            ],
+	    "overflowCounter": true,
+	    "incrementalCounter": true
         }
     ]
-}
\ No newline at end of file
+}
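Review bot: The single object in "algorithms" is renamed to "ACVP-TDES-CBC" but keeps the properties of the AES-GCM entry it replaces ("keyLen": [128, 192, 256], "tagLen", "aadLen", "ivGen", "ivGenMode": "8.2.2") and gains properties that appear to belong to other algorithms. "macLen" is now declared twice with different ranges (64 to 128 inside "capabilities", 80 to 160 at the top level), and the message length is declared both as "messageLength" (max 65535, increment 1) and as "msgLen" (max 65536, increment 256). The array still holds one entry, so the registration is a union of several algorithms' fields under one name; please either split it into one object per algorithm carrying only that algorithm's properties, or explain in the commit message why the union is intended and which fields apply to which algorithm. "payloadLen" also shrinks from the 0 to 65536 range to the single value 128, which reads as a reduction in coverage and deserves a mention. The added lines are indented with a mix of tabs and spaces while the context lines use spaces only; please reindent to match the file.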
-- 
2.39.2



* [PATCH v4 2/2] doc: updated out-of-date acvp_tool readme
  2023-03-14 20:18 [PATCH v4 0/2] tools: add acvp_tool jspewock
  2023-03-14 20:18 ` [PATCH v4 1/2] tools: expanded coverage of acvp_tool default config file jspewock
@ 2023-03-14 20:18 ` jspewock
  2023-03-15  8:50 ` [PATCH v4 0/2] tools: add acvp_tool Ali Alnubani
  2 siblings, 0 replies; 5+ messages in thread
From: jspewock @ 2023-03-14 20:18 UTC
  To: ci; +Cc: Jeremy Spewock

From: Jeremy Spewock <jspewock@iol.unh.edu>

This updates the readme to show current coverage of algorithms as well
as how to set up a proper environment and run tests.

Signed-off-by: Jeremy Spewock <jspewock@iol.unh.edu>
---
 tools/acvp/README | 76 +++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 67 insertions(+), 9 deletions(-)

diff --git a/tools/acvp/README b/tools/acvp/README
index 0cd3acc..23a1aef 100644
--- a/tools/acvp/README
+++ b/tools/acvp/README
@@ -3,23 +3,33 @@ in order to test different cryptographic implementations.
 
 It produces machine-readable output for parsing in a CI environment.
 
+Supported Algorithms
+--------------------
+* AES-CBC
+* AES-CMAC
+* AES-GMAC
+* HMAC-SHA-1
+* TDES-CBC
+* AES-CTR
 
 Requirements
 ------------
 
-There are also packages you need to download from the requirements.txt file:
+There are also python packages you need to download from the requirements.txt file:
 * pyotp
 * requests
 
+Along with these, you will also need to install the `nasm` package using your local package manager.
+
 The tool expects that you have all the credential files from NIST:
 * Client certificate (usually a .cer file from NIST)
 * Key file for the certificate
 * Time-based one-time password seed file (usually a .txt file from NIST)
 
 The path to each file must be stored in an environment variable:
-$ACVP_SEED_FILE  =  Path to the TOTP seed .txt file    (given by NIST).
-$ACVP_CERT_FILE  =  Path to the client .cer/.crt file  (given by NIST).
-$ACVP_KEY_FILE   =  Path to the certificate key file   (generated by user).
+* $ACVP_SEED_FILE  =  Path to the TOTP seed .txt file    (given by NIST).
+* $ACVP_CERT_FILE  =  Path to the client .cer/.crt file  (given by NIST).
+* $ACVP_KEY_FILE   =  Path to the certificate key file   (generated by user).
 
 If you do not have the required files from NIST, you must email them
 to create demo credentials.
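Review bot: The new "Supported Algorithms" list gives names such as "TDES-CBC" and "AES-CBC", while the config file in patch 1/2 uses the prefixed form "ACVP-TDES-CBC"; since the next hunk tells the reader to set the "algorithm" field to the name of the algorithm, please list the exact strings the config expects so they can be copied verbatim. In the Requirements section, "There are also python packages" has no earlier requirement for "also" to refer to, and "python" should be capitalised. The two added sentences there run well past the line width used by the surrounding text and should be wrapped to match. Because the bulleted environment variables point at the certificate key and the TOTP seed, a sentence recommending that those files be readable only by the CI user would fit here.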
@@ -38,34 +48,82 @@ containing two keys: "url" and "algorithms"
 "url" must be the base URL string of the API you want to use.
 "algorithms" must be an array of algorithm objects as detailed in the
 ACVP API specification here:
-https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation
+https://github.com/usnistgov/ACVP/wiki/ACVTS-End-User-Documentation . In the case of the supported algorithms listed above, the only thing that will need to change in the config file is the `"algorithm"` field to match the name of the algorithm you would like to test.
+* In order to test AES-CTR you'll also have to remove the key `"ivGenMode"` 
 
 Now you can use the acvp_tool.py script to register a test session,
 upload the results, and download the verdict.
 
-
+In order to run the DPDK sample application, there are a few libraries which must be installed:
+* Intel IPSec Multi-buffer (v1.3)
+```
+git clone https://github.com/intel/intel-ipsec-mb.git
+cd intel-ipsec-mb
+git checkout v1.3
+make -j 4
+make install
+```
+* FIPS Object Module
+```
+curl -o openssl-fips-2.0.16.tar.gz https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
+tar xvfm openssl-fips-2.0.16.tar.gz
+cd openssl-fips-2.0.16
+./config
+make
+make install
+```
+* OpenSSL library
+```
+curl -o openssl-1.0.2o.tar.gz https://www.openssl.org/source/openssl-1.0.2o.tar.gz
+export CFLAGS='-fPIC'
+tar xvfm openssl-1.0.2o.tar.gz
+cd openssl-1.0.2o
+./config shared fips
+make depend
+make
+```
 Usage
 -----
-
+### Interacting with ACVP API
 To see all options available, use the --help flag.
 
 First, register and download a new test session with the tool:
+
     acvp_tool.py --request $DOWNLOAD_PATH
-The file written to $DOWNLOAD_PATH will contain both the session information
-and the test vectors.
+The file written to $DOWNLOAD_PATH will contain both the session information and the test vectors.
 
 You should use the DPDK FIPS validation example application to test
 the vectors in this file. The example application will generate
 the result file which is uploaded back to the ACVP API.
 
 After running tests with the vector file, you can submit the result:
+
     acvp_tool.py --response $RESULT_PATH --upload
 where $RESULT_PATH is the path of the file containing the answers.
 
 Once you submit your results, you can do
+
     acvp_tool.py --response $RESULT_PATH --verdict $VERDICT_PATH
 where $VERDICT_PATH is where you want to save the verdict information.
 The verdict file will contain the result of each test case submitted.
 
 You can also combine the options:
+
     acvp_tool.py --response $RESULT_PATH --upload --verdict $VERDICT_PATH
+
+### Using the DPDK FIPS Validation Example Application
+First, you have to make sure that you configure DPDK to build the FIPS sample application before you compile with ninja
+```
+#inside dpdk/
+meson build --werror
+meson configure -Dexamples=fips_validation build
+sudo ninja -C build
+```
+Once this has finished, you can now run the sample application and validate the test vectors. In order to run this validation step, you have to supply a valid crypto device and either a `*.json` or `*.req` file with vectors for validation. You can use the virtual device `crypto_aesni_mb` provided by the Intel IPSec Multi-buffer library and pass the JSON file containing test vectors from the ACVP API using `--req-file`. 
+
+Example usage:
+    
+    #inside dpdk/
+    build/examples/dpdk-fips_validation --vdev crypto_aesni_mb -- --req-file aes-cbc-vectors.json --rsp-file aes-cbc-answers.rsp --cryptodev crypto_aesni_mb`
+
+The file path passed into `--rsp-file` will contain the validated vectors from the sample applications and can be passed to the ACVP API to receive a verdict on your results.
\ No newline at end of file
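Review bot: The FIPS Object Module and OpenSSL steps fetch openssl-fips-2.0.16.tar.gz and openssl-1.0.2o.tar.gz with "curl -o" and go straight to "tar xvfm", "./config" and "make install" with no integrity check; for a tool whose purpose is cryptographic validation, please add a step that verifies each tarball against its published checksum or signature before building. The example command ends with a stray backtick after "--cryptodev crypto_aesni_mb", which will break a copy and paste into a shell. "sudo ninja -C build" runs the whole build as root; build unprivileged and reserve sudo for an install step if one is needed. The OpenSSL block stops at "make" with no install step, unlike the two blocks before it, so please say whether that is intentional. On style: the hunk introduces Markdown fences and "###" headings into a README that otherwise uses underlined headings and indented commands, the closing fence runs directly into the "Usage" heading because the blank line was removed, the long added lines are not wrapped, the `"ivGenMode"` bullet and the paragraph before "Example usage:" carry trailing whitespace, and the file now lacks a final newline.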
-- 
2.39.2



* RE: [PATCH v4 0/2] tools: add acvp_tool
  2023-03-14 20:18 [PATCH v4 0/2] tools: add acvp_tool jspewock
  2023-03-14 20:18 ` [PATCH v4 1/2] tools: expanded coverage of acvp_tool default config file jspewock
  2023-03-14 20:18 ` [PATCH v4 2/2] doc: updated out-of-date acvp_tool readme jspewock
@ 2023-03-15  8:50 ` Ali Alnubani
  2023-03-15  8:52   ` Ali Alnubani
  2 siblings, 1 reply; 5+ messages in thread
From: Ali Alnubani @ 2023-03-15  8:50 UTC
  To: jspewock, ci

> -----Original Message-----
> From: jspewock@iol.unh.edu <jspewock@iol.unh.edu>
> Sent: Tuesday, March 14, 2023 10:18 PM
> To: ci@dpdk.org
> Cc: Jeremy Spewock <jspewock@iol.unh.edu>
> Subject: [PATCH v4 0/2] tools: add acvp_tool
> 
> From: Jeremy Spewock <jspewock@iol.unh.edu>
> 
> v1: https://mails.dpdk.org/archives/ci/2022-January/001599.html
> v2: https://mails.dpdk.org/archives/ci/2022-January/001611.html
> v3: https://mails.dpdk.org/archives/ci/2022-February/001636.html
> v4:
>   * update tooling and documentation to match current implementation
> 

Hi Jeremy,

Branched already sent a v4 (https://mails.dpdk.org/archives/ci/2022-April/001702.html).
As the original patchset wasn't merged yet, a better approach should be to squash your changes into v4's commits, and then resend as v5 detailing the changes you made.

You can apply v4's patches and find their message-ids from this thread: https://inbox.dpdk.org/ci/20220418133610.10835-1-blo@iol.unh.edu/.

$ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-2-blo@iol.unh.edu/raw | git am
$ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-3-blo@iol.unh.edu/raw | git am
$ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-4-blo@iol.unh.edu/raw | git am
$ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-5-blo@iol.unh.edu/raw | git am

Regards,
Ali


* RE: [PATCH v4 0/2] tools: add acvp_tool
  2023-03-15  8:50 ` [PATCH v4 0/2] tools: add acvp_tool Ali Alnubani
@ 2023-03-15  8:52   ` Ali Alnubani
  0 siblings, 0 replies; 5+ messages in thread
From: Ali Alnubani @ 2023-03-15  8:52 UTC
  To: jspewock, ci

> -----Original Message-----
> From: Ali Alnubani
> Sent: Wednesday, March 15, 2023 10:50 AM
> To: 'jspewock@iol.unh.edu' <jspewock@iol.unh.edu>; ci@dpdk.org
> Subject: RE: [PATCH v4 0/2] tools: add acvp_tool
> 
> > -----Original Message-----
> > From: jspewock@iol.unh.edu <jspewock@iol.unh.edu>
> > Sent: Tuesday, March 14, 2023 10:18 PM
> > To: ci@dpdk.org
> > Cc: Jeremy Spewock <jspewock@iol.unh.edu>
> > Subject: [PATCH v4 0/2] tools: add acvp_tool
> >
> > From: Jeremy Spewock <jspewock@iol.unh.edu>
> >
> > v1: https://mails.dpdk.org/archives/ci/2022-January/001599.html
> > v2: https://mails.dpdk.org/archives/ci/2022-January/001611.html
> > v3: https://mails.dpdk.org/archives/ci/2022-February/001636.html
> > v4:
> >   * update tooling and documentation to match current implementation
> >
> 
> Hi Jeremy,
> 
> Branched already sent a v4 (https://mails.dpdk.org/archives/ci/2022-April/001702.html).

Sorry, meant Brandon.

> As the original patchset wasn't merged yet, a better approach should be to
> squash your changes into v4's commits, and then resend as v5 detailing the
> changes you made.
> 
> You can apply v4's patches and find their message-ids from this thread:
> https://inbox.dpdk.org/ci/20220418133610.10835-1-blo@iol.unh.edu/.
> 
> $ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-2-blo@iol.unh.edu/raw | git am
> $ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-3-blo@iol.unh.edu/raw | git am
> $ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-4-blo@iol.unh.edu/raw | git am
> $ wget -O- https://inbox.dpdk.org/ci/20220418133610.10835-5-blo@iol.unh.edu/raw | git am
> 
> Regards,
> Ali

