DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests
@ 2021-07-29 10:43 Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 1/3] test/crypto: add " Anoob Joseph
                   ` (3 more replies)
  0 siblings, 4 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-07-29 10:43 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev

Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vector tests for outbound operations would use predefined IV and
sequence number as 1. So plain packet would get encrypted to generate the
IPsec packet. Tests would compare against known vector.

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the hardware. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Two test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption

Known vectors are based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

This series is targetted for DPDK 21.11.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. UDP encapsulation
4. Transport
5. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k

Anoob Joseph (2):
  test/crypto: add lookaside IPsec tests
  test/crypto: add combined mode tests

Tejasree Kondoj (1):
  test/crypto: add lookaside IPsec ICV corrupt test case

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 330 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 311 +++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 115 +++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 ++++++++++++++++++++
 6 files changed, 1084 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH 21.11 1/3] test/crypto: add lookaside IPsec tests
  2021-07-29 10:43 [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests Anoob Joseph
@ 2021-07-29 10:43 ` Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 2/3] test/crypto: add combined mode tests Anoob Joseph
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-07-29 10:43 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev

Added test case for lookaside IPsec. Following tests are added,

1. Inbound known vector [AES-GCM 128, 192 & 256]
2. Outbound known vector [AES-GCM 128, 192 & 256]

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 250 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 202 +++++++++++++
 app/test/test_cryptodev_security_ipsec.h           |  66 +++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++++++
 6 files changed, 846 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index 88aae44..4cfa022 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -31,6 +31,7 @@ test_sources = files(
         'test_cryptodev.c',
         'test_cryptodev_asym.c',
         'test_cryptodev_blockcipher.c',
+        'test_cryptodev_security_ipsec.c',
         'test_cryptodev_security_pdcp.c',
         'test_cycles.c',
         'test_debug.c',
diff --git a/app/test/test.h b/app/test/test.h
index c3b2a87..7115edf 100644
--- a/app/test/test.h
+++ b/app/test/test.h
@@ -124,6 +124,12 @@ struct unit_test_case {
 #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \
 		{ setup, teardown, NULL, testcase, #testcase, 1, data }
 
+#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \
+		{ setup, teardown, NULL, testcase, name, 1, NULL }
+
+#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \
+		{ setup, teardown, NULL, testcase, name, 1, data }
+
 #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL }
 
 #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index ead8c6e..6e5bd69 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17,6 +17,7 @@
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
 #include <rte_cryptodev_pmd.h>
+#include <rte_ip.h>
 #include <rte_string_fns.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -42,6 +43,8 @@
 #include "test_cryptodev_hmac_test_vectors.h"
 #include "test_cryptodev_mixed_test_vectors.h"
 #ifdef RTE_LIB_SECURITY
+#include "test_cryptodev_security_ipsec.h"
+#include "test_cryptodev_security_ipsec_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_vectors.h"
 #include "test_cryptodev_security_pdcp_sdap_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_func.h"
@@ -128,6 +131,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess,
 		const uint8_t *digest,
 		const uint8_t *iv);
 
+static int
+security_proto_supported(enum rte_security_session_action_type action,
+	enum rte_security_session_protocol proto);
+
+static int
+dev_configure_and_start(uint64_t ff_disable);
+
 static struct rte_mbuf *
 setup_test_string(struct rte_mempool *mpool,
 		const char *string, size_t len, uint8_t blocksize)
@@ -757,6 +767,42 @@ crypto_gen_testsuite_setup(void)
 
 #ifdef RTE_LIB_SECURITY
 static int
+ipsec_proto_testsuite_setup(void)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto "
+				"testsuite not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Reconfigure to enable security */
+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
+
+	/* Set action type */
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	if (security_proto_supported(
+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto "
+				"test not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Stop the device */
+	rte_cryptodev_stop(ts_params->valid_devs[0]);
+
+	return 0;
+}
+
+static int
 pdcp_proto_testsuite_setup(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -8814,6 +8860,177 @@ test_PDCP_SDAP_PROTO_decap_all(void)
 }
 
 static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+			 struct ipsec_test_data res_d[],
+			 int nb_td,
+			 bool silent)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_security_capability_idx sec_cap_idx;
+	const struct rte_security_capability *sec_cap;
+	struct rte_security_ipsec_xform ipsec_xform;
+	uint8_t dev_id = ts_params->valid_devs[0];
+	enum rte_security_ipsec_sa_direction dir;
+	uint32_t src = RTE_IPV4(192, 168, 1, 0);
+	uint32_t dst = RTE_IPV4(192, 168, 1, 1);
+	int salt_len, i, ret = TEST_SUCCESS;
+	struct rte_security_ctx *ctx;
+	uint8_t *input_text;
+
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	/* Use first test data to create session */
+
+	/* Copy IPsec xform */
+	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+
+	dir = ipsec_xform.direction;
+
+	ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+	sec_cap_idx.action = ut_params->type;
+	sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+	sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+	if (sec_cap == NULL)
+		return TEST_SKIPPED;
+
+	/* Copy cipher session parameters */
+	if (td[0].aead) {
+		memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+		       sizeof(ut_params->aead_xform));
+		ut_params->aead_xform.aead.key.data = td[0].key.data;
+		ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+		/* Verify crypto capabilities */
+		if (test_ipsec_crypto_caps_aead_verify(
+				sec_cap,
+				&ut_params->aead_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+	} else {
+		/* Only AEAD supported now */
+		return TEST_SKIPPED;
+	}
+
+	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+		return TEST_SKIPPED;
+
+	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+
+	struct rte_security_session_conf sess_conf = {
+		.action_type = ut_params->type,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = ipsec_xform,
+		.crypto_xform = &ut_params->aead_xform,
+	};
+
+	/* Create security session */
+	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
+					ts_params->session_priv_mpool);
+
+	if (ut_params->sec_session == NULL)
+		return TEST_SKIPPED;
+
+	for (i = 0; i < nb_td; i++) {
+		/* Setup source mbuf payload */
+		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+				rte_pktmbuf_tailroom(ut_params->ibuf));
+
+		input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+				td[i].input_text.len);
+
+		memcpy(input_text, td[i].input_text.data,
+		       td[i].input_text.len);
+
+		/* Generate crypto op data structure */
+		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+					RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+		if (!ut_params->op) {
+			printf("TestCase %s line %d: %s\n",
+				__func__, __LINE__,
+				"failed to allocate crypto op");
+			ret = TEST_FAILED;
+			goto crypto_op_free;
+		}
+
+		/* Attach session to operation */
+		rte_security_attach_session(ut_params->op,
+					    ut_params->sec_session);
+
+		/* Set crypto operation mbufs */
+		ut_params->op->sym->m_src = ut_params->ibuf;
+		ut_params->op->sym->m_dst = NULL;
+
+		/* Copy IV at the end of the crypto operation for egress */
+		if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+			rte_memcpy(rte_crypto_op_ctod_offset(ut_params->op,
+				   uint8_t *, IV_OFFSET),
+				   td[i].iv.data,
+				   td[i].xform.aead.aead.iv.length);
+
+		/* Process crypto operation */
+		process_crypto_request(dev_id, ut_params->op);
+
+		ret = test_ipsec_status_check(ut_params->op, dir);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+					      &res_d[i], silent);
+
+		rte_crypto_op_free(ut_params->op);
+		ut_params->op = NULL;
+
+		rte_pktmbuf_free(ut_params->ibuf);
+		ut_params->ibuf = NULL;
+	}
+
+crypto_op_free:
+	rte_crypto_op_free(ut_params->op);
+	ut_params->op = NULL;
+
+	rte_pktmbuf_free(ut_params->ibuf);
+	ut_params->ibuf = NULL;
+
+	if (ut_params->sec_session)
+		rte_security_session_destroy(ctx, ut_params->sec_session);
+	ut_params->sec_session = NULL;
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_known_vec(const void *test_data)
+{
+	return test_ipsec_proto_process(test_data, NULL, 1, false);
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *td_outb)
+{
+	struct ipsec_test_data td_inb;
+
+	test_ipsec_td_in_from_out(td_outb, &td_inb);
+
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13703,6 +13920,38 @@ static struct unit_test_suite end_testsuite = {
 };
 
 #ifdef RTE_LIB_SECURITY
+static struct unit_test_suite ipsec_proto_testsuite  = {
+	.suite_name = "IPsec Proto Unit Test Suite",
+	.setup = ipsec_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 static struct unit_test_suite pdcp_proto_testsuite  = {
 	.suite_name = "PDCP Proto Unit Test Suite",
 	.setup = pdcp_proto_testsuite_setup,
@@ -14489,6 +14738,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&cryptodev_negative_hmac_sha1_testsuite,
 		&cryptodev_gen_testsuite,
 #ifdef RTE_LIB_SECURITY
+		&ipsec_proto_testsuite,
 		&pdcp_proto_testsuite,
 		&docsis_proto_testsuite,
 #endif
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
new file mode 100644
index 0000000..789d39c
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -0,0 +1,202 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_common.h>
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_cryptodev_security_ipsec.h"
+
+int
+test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			   const struct rte_security_capability *sec_cap,
+			   bool silent)
+{
+	/* Verify security capabilities */
+
+	if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ESN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.udp_encap == 1 &&
+	    sec_cap->ipsec.options.udp_encap == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_dscp == 1 &&
+	    sec_cap->ipsec.options.copy_dscp == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_flabel == 1 &&
+	    sec_cap->ipsec.options.copy_flabel == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_df == 1 &&
+	    sec_cap->ipsec.options.copy_df == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.dec_ttl == 1 &&
+	    sec_cap->ipsec.options.dec_ttl == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ECN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.stats == 1 &&
+	    sec_cap->ipsec.options.stats == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Stats is not supported\n");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+int
+test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *crypto_cap;
+	int j = 0;
+
+	while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				crypto_cap->sym.xform_type == aead->type &&
+				crypto_cap->sym.aead.algo == aead->aead.algo) {
+			sym_cap = &crypto_cap->sym;
+			if (rte_cryptodev_sym_capability_check_aead(sym_cap,
+					aead->aead.key.length,
+					aead->aead.digest_length,
+					aead->aead.aad_length,
+					aead->aead.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+void
+test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			  struct ipsec_test_data *td_in)
+{
+	memcpy(td_in, td_out, sizeof(*td_in));
+
+	/* Populate output text of td_in with input text of td_out */
+	memcpy(td_in->output_text.data, td_out->input_text.data,
+	       td_out->input_text.len);
+	td_in->output_text.len = td_out->input_text.len;
+
+	/* Populate input text of td_in with output text of td_out */
+	memcpy(td_in->input_text.data, td_out->output_text.data,
+	       td_out->output_text.len);
+	td_in->input_text.len = td_out->output_text.len;
+
+	td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+	if (td_in->aead) {
+		td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
+		td_in->xform.chain.cipher.cipher.op =
+				RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	}
+}
+
+static int
+test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		     bool silent)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t skip = 0, len = rte_pktmbuf_pkt_len(m);
+
+	if (len != td->output_text.len) {
+		printf("Output length (%d) not matching with expected (%d)\n",
+			len, td->output_text.len);
+		return TEST_FAILED;
+	}
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+			if (td->ipsec_xform.tunnel.type ==
+					RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+				skip += sizeof(struct rte_ipv4_hdr);
+			else
+				skip += sizeof(struct rte_ipv6_hdr);
+		}
+	}
+
+	len -= skip;
+	output_text += skip;
+
+	if (memcmp(output_text, td->output_text.data + skip, len)) {
+		if (silent)
+			return TEST_FAILED;
+
+		printf("TestCase %s line %d: %s\n", __func__, __LINE__,
+			"output text not as expected\n");
+
+		rte_hexdump(stdout, "expected", td->output_text.data + skip,
+			    len);
+		rte_hexdump(stdout, "actual", output_text, len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+int
+test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
+			struct ipsec_test_data *res_d, bool silent)
+{
+	/*
+	 * In case of known vector tests & all inbound tests, res_d provided
+	 * would be NULL and output data need to be validated against expected.
+	 * For inbound, output_text would be plain packet and for outbound
+	 * output_text would IPsec packet. Validate by comparing against
+	 * known vectors.
+	 */
+	RTE_SET_USED(res_d);
+	return test_ipsec_td_verify(m, td, silent);
+}
+
+int
+test_ipsec_status_check(struct rte_crypto_op *op,
+			enum rte_security_ipsec_sa_direction dir)
+{
+	int ret = TEST_SUCCESS;
+
+	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		printf("Security op processing failed\n");
+		ret = TEST_FAILED;
+	}
+
+	RTE_SET_USED(dir);
+
+	return ret;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
new file mode 100644
index 0000000..5f1b46d
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+struct ipsec_test_data {
+	struct {
+		uint8_t data[32];
+	} key;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} input_text;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} output_text;
+
+	struct {
+		uint8_t data[4];
+		unsigned int len;
+	} salt;
+
+	struct {
+		uint8_t data[16];
+	} iv;
+
+	struct rte_security_ipsec_xform ipsec_xform;
+
+	bool aead;
+
+	union {
+		struct {
+			struct rte_crypto_sym_xform cipher;
+			struct rte_crypto_sym_xform auth;
+		} chain;
+		struct rte_crypto_sym_xform aead;
+	} xform;
+};
+
+int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			       const struct rte_security_capability *sec_cap,
+			       bool silent);
+
+int test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead);
+
+void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			       struct ipsec_test_data *td_in);
+
+int test_ipsec_post_process(struct rte_mbuf *m,
+			    const struct ipsec_test_data *td,
+			    struct ipsec_test_data *res_d, bool silent);
+
+int test_ipsec_status_check(struct rte_crypto_op *op,
+			    enum rte_security_ipsec_sa_direction dir);
+
+#endif
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
new file mode 100644
index 0000000..ae9cd24
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -0,0 +1,321 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2021 Marvell
+ */
+
+#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+
+#include <rte_crypto.h>
+#include <rte_security.h>
+
+#include "test_cryptodev_security_ipsec.h"
+
+/*
+ * Known vectors
+ *
+ * AES-GCM vectors are based on :
+ * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
+ *
+ * Vectors are updated to have corrected L4 checksum and sequence number 1.
+ */
+
+struct ipsec_test_data pkt_aes_128_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* UDP */
+			0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43,
+			0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+			0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70,
+			0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69,
+			0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01,
+			0x00, 0x01,
+		},
+		.len = 62,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1,
+			0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04,
+			0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f,
+			0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c,
+			0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f,
+			0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42,
+			0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4,
+			0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4,
+			0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58,
+			0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94,
+
+		},
+		.len = 116,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_192_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00,
+			0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f,
+			0x0a, 0x01, 0x06, 0x12,
+
+			/* TCP */
+			0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02,
+			0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0,
+			0x75, 0x67, 0x00, 0x01
+		},
+		.len = 40,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4,
+			0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42,
+			0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6,
+			0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0,
+			0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77,
+			0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4,
+			0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e,
+			0x54, 0x05, 0x22, 0x22,
+		},
+		.len = 96,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 24,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00,
+			0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02,
+			0x93, 0x89, 0x15, 0x5e,
+
+			/* TCP */
+			0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0,
+			0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00,
+			0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
+			0x01, 0x01, 0x04, 0x02,
+		},
+		.len = 48,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+
+			/* Data */
+			0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf,
+			0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d,
+			0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf,
+			0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63,
+			0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34,
+			0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d,
+			0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f,
+			0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee,
+			0xa6, 0xc5, 0x11, 0x60,
+		},
+		.len = 104,
+	},
+	.salt = {
+		.data = {
+			0x11, 0x22, 0x33, 0x44
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x4a2cbfe3,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH 21.11 2/3] test/crypto: add combined mode tests
  2021-07-29 10:43 [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 1/3] test/crypto: add " Anoob Joseph
@ 2021-07-29 10:43 ` Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 3/3] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
  3 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-07-29 10:43 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Ankur Dwivedi, Tejasree Kondoj, dev

Add framework to test IPsec features with all supported
combinations of ciphers.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                |  74 +++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.h |  50 ++++++++++++++-
 3 files changed, 221 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 6e5bd69..ad9f372 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8863,7 +8863,8 @@ static int
 test_ipsec_proto_process(const struct ipsec_test_data td[],
 			 struct ipsec_test_data res_d[],
 			 int nb_td,
-			 bool silent)
+			 bool silent,
+			 const struct ipsec_test_flags *flags)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct crypto_unittest_params *ut_params = &unittest_params;
@@ -8986,12 +8987,12 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, dir);
+		ret = test_ipsec_status_check(ut_params->op, flags, dir);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
-					      &res_d[i], silent);
+					      &res_d[i], silent, flags);
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
@@ -9017,17 +9018,76 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 static int
 test_ipsec_proto_known_vec(const void *test_data)
 {
-	return test_ipsec_proto_process(test_data, NULL, 1, false);
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	return test_ipsec_proto_process(test_data, NULL, 1, false, &flags);
 }
 
 static int
 test_ipsec_proto_known_vec_inb(const void *td_outb)
 {
+	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;
 
+	memset(&flags, 0, sizeof(flags));
+
 	test_ipsec_td_in_from_out(td_outb, &td_inb);
 
-	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+	struct ipsec_test_data td_outb[1];
+	struct ipsec_test_data td_inb[1];
+	unsigned int i, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(aead_list); i++) {
+		test_ipsec_td_prepare(&aead_list[i],
+				      NULL,
+				      flags,
+				      td_outb,
+				      RTE_DIM(td_outb));
+
+		ret = test_ipsec_proto_process(td_outb, td_inb, 1, true, flags);
+		if (ret != TEST_SUCCESS)
+			continue;
+
+		test_ipsec_td_update(td_inb, td_outb, RTE_DIM(td_inb), flags);
+
+		ret = test_ipsec_proto_process(td_inb, NULL, 1, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_ipsec_display_alg(&aead_list[i], NULL);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+
+	return test_ipsec_proto_all(&flags);
 }
 
 static int
@@ -13948,6 +14008,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_ST(
+			"Combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_display_list),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 789d39c..5351556 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -10,6 +10,8 @@
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+extern struct ipsec_test_data pkt_aes_256_gcm;
+
 int
 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			   const struct rte_security_capability *sec_cap,
@@ -128,9 +130,71 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+void
+test_ipsec_td_prepare(const struct crypto_param *param1,
+		      const struct crypto_param *param2,
+		      const struct ipsec_test_flags *flags,
+		      struct ipsec_test_data *td_array,
+		      int nb_td)
+
+{
+	struct ipsec_test_data *td;
+	int i;
+
+	memset(td_array, 0, nb_td * sizeof(*td));
+
+	for (i = 0; i < nb_td; i++) {
+		td = &td_array[i];
+		/* Copy template for packet & key fields */
+		memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+
+		/* Override fields based on param */
+
+		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			td->aead = true;
+		else
+			td->aead = false;
+
+		td->xform.aead.aead.algo = param1->alg.aead;
+		td->xform.aead.aead.key.length = param1->key_length;
+	}
+
+	RTE_SET_USED(flags);
+	RTE_SET_USED(param2);
+}
+
+void
+test_ipsec_td_update(struct ipsec_test_data td_inb[],
+		     const struct ipsec_test_data td_outb[],
+		     int nb_td,
+		     const struct ipsec_test_flags *flags)
+{
+	int i;
+
+	for (i = 0; i < nb_td; i++) {
+		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
+		       td_outb[i].input_text.len);
+		td_inb[i].output_text.len = td_outb->input_text.len;
+	}
+
+	RTE_SET_USED(flags);
+}
+
+void
+test_ipsec_display_alg(const struct crypto_param *param1,
+		       const struct crypto_param *param2)
+{
+	if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		printf("\t%s [%d]\n",
+		       rte_crypto_aead_algorithm_strings[param1->alg.aead],
+		       param1->key_length);
+
+	RTE_SET_USED(param2);
+}
+
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
-		     bool silent)
+		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip = 0, len = rte_pktmbuf_pkt_len(m);
@@ -167,12 +231,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		   struct ipsec_test_data *res_d)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t len = rte_pktmbuf_pkt_len(m);
+
+	memcpy(res_d, td, sizeof(*res_d));
+	memcpy(res_d->input_text.data, output_text, len);
+	res_d->input_text.len = len;
+
+	res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+	if (res_d->aead) {
+		res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		printf("Only AEAD supported\n");
+		return TEST_SKIPPED;
+	}
+
 	return TEST_SUCCESS;
 }
 
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
-			struct ipsec_test_data *res_d, bool silent)
+			struct ipsec_test_data *res_d, bool silent,
+			const struct ipsec_test_flags *flags)
 {
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
@@ -180,13 +269,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	 * For inbound, output_text would be plain packet and for outbound
 	 * output_text would IPsec packet. Validate by comparing against
 	 * known vectors.
+	 *
+	 * In case of combined mode tests, the output_text from outbound
+	 * operation (ie, IPsec packet) would need to be inbound processed to
+	 * obtain the plain text. Copy output_text to result data, 'res_d', so
+	 * that inbound processing can be done.
 	 */
-	RTE_SET_USED(res_d);
-	return test_ipsec_td_verify(m, td, silent);
+
+	if (res_d == NULL)
+		return test_ipsec_td_verify(m, td, silent, flags);
+	else
+		return test_ipsec_res_d_prepare(m, td, res_d);
 }
 
 int
 test_ipsec_status_check(struct rte_crypto_op *op,
+			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir)
 {
 	int ret = TEST_SUCCESS;
@@ -196,6 +294,7 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		ret = TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
 	RTE_SET_USED(dir);
 
 	return ret;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 5f1b46d..97f3f86 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -45,6 +45,38 @@ struct ipsec_test_data {
 	} xform;
 };
 
+struct ipsec_test_flags {
+	bool display_alg;
+};
+
+struct crypto_param {
+	enum rte_crypto_sym_xform_type type;
+	union {
+		enum rte_crypto_cipher_algorithm cipher;
+		enum rte_crypto_auth_algorithm auth;
+		enum rte_crypto_aead_algorithm aead;
+	} alg;
+	uint16_t key_length;
+};
+
+static const struct crypto_param aead_list[] = {
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 16,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 24,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 32
+	},
+};
+
 int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			       const struct rte_security_capability *sec_cap,
 			       bool silent);
@@ -56,11 +88,27 @@ int test_ipsec_crypto_caps_aead_verify(
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);
 
+void test_ipsec_td_prepare(const struct crypto_param *param1,
+			   const struct crypto_param *param2,
+			   const struct ipsec_test_flags *flags,
+			   struct ipsec_test_data *td_array,
+			   int nb_td);
+
+void test_ipsec_td_update(struct ipsec_test_data td_inb[],
+			  const struct ipsec_test_data td_outb[],
+			  int nb_td,
+			  const struct ipsec_test_flags *flags);
+
+void test_ipsec_display_alg(const struct crypto_param *param1,
+			    const struct crypto_param *param2);
+
 int test_ipsec_post_process(struct rte_mbuf *m,
 			    const struct ipsec_test_data *td,
-			    struct ipsec_test_data *res_d, bool silent);
+			    struct ipsec_test_data *res_d, bool silent,
+			    const struct ipsec_test_flags *flags);
 
 int test_ipsec_status_check(struct rte_crypto_op *op,
+			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir);
 
 #endif
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH 21.11 3/3] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-07-29 10:43 [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 1/3] test/crypto: add " Anoob Joseph
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 2/3] test/crypto: add combined mode tests Anoob Joseph
@ 2021-07-29 10:43 ` Anoob Joseph
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
  3 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-07-29 10:43 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Ankur Dwivedi, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding lookaside IPsec ICV corrupt test case.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index ad9f372..e59849a 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9091,6 +9091,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14012,6 +14024,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 5351556..331a8bf 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags && flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -199,6 +202,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip = 0, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -231,8 +239,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -289,13 +295,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 97f3f86..717aab4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -47,6 +47,7 @@ struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests
  2021-07-29 10:43 [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests Anoob Joseph
                   ` (2 preceding siblings ...)
  2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 3/3] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-08-11  9:45 ` Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 1/4] test/crypto: add " Anoob Joseph
                     ` (4 more replies)
  3 siblings, 5 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-08-11  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, dev

Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vectors are outbound vectors based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the PMD. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Three test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption
3. IV generation

IV generation test case compares IV generated for a batch of packets and returns
failure if IV is repeated.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. UDP encapsulation
4. Transport
5. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k

Changes in v2
- Dropped outbound known vector tests as lookaside protocol would require IV
  generated by PMD. The tests would be introduced with spec change to allow user
  to specify IV.
- Added IV generation tests
- Minor fixes in combined mode tests to handle multiple packets

Anoob Joseph (2):
  test/crypto: add lookaside IPsec tests
  test/crypto: add combined mode tests

Tejasree Kondoj (2):
  test/crypto: add lookaside IPsec ICV corrupt test case
  test/crypto: add IV gen tests

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 331 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 373 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 118 +++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 ++++++++++++++++++
 6 files changed, 1150 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v2 1/4] test/crypto: add lookaside IPsec tests
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
@ 2021-08-11  9:45   ` Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 2/4] test/crypto: add combined mode tests Anoob Joseph
                     ` (3 subsequent siblings)
  4 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-08-11  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, dev

Added test case for lookaside IPsec. Inbound known vector
tests are added.

Cipher list: AES-GCM 128, 192 & 256

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 231 +++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           |  66 +++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++++++
 6 files changed, 837 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index a761168..f144d8b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -38,6 +38,7 @@ test_sources = files(
         'test_cryptodev.c',
         'test_cryptodev_asym.c',
         'test_cryptodev_blockcipher.c',
+        'test_cryptodev_security_ipsec.c',
         'test_cryptodev_security_pdcp.c',
         'test_cycles.c',
         'test_debug.c',
diff --git a/app/test/test.h b/app/test/test.h
index c3b2a87..7115edf 100644
--- a/app/test/test.h
+++ b/app/test/test.h
@@ -124,6 +124,12 @@ struct unit_test_case {
 #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \
 		{ setup, teardown, NULL, testcase, #testcase, 1, data }
 
+#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \
+		{ setup, teardown, NULL, testcase, name, 1, NULL }
+
+#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \
+		{ setup, teardown, NULL, testcase, name, 1, data }
+
 #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL }
 
 #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9ad0b37..73923f1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17,6 +17,7 @@
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
 #include <rte_cryptodev_pmd.h>
+#include <rte_ip.h>
 #include <rte_string_fns.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -42,6 +43,8 @@
 #include "test_cryptodev_hmac_test_vectors.h"
 #include "test_cryptodev_mixed_test_vectors.h"
 #ifdef RTE_LIB_SECURITY
+#include "test_cryptodev_security_ipsec.h"
+#include "test_cryptodev_security_ipsec_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_vectors.h"
 #include "test_cryptodev_security_pdcp_sdap_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_func.h"
@@ -124,6 +127,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess,
 		const uint8_t *digest,
 		const uint8_t *iv);
 
+static int
+security_proto_supported(enum rte_security_session_action_type action,
+	enum rte_security_session_protocol proto);
+
+static int
+dev_configure_and_start(uint64_t ff_disable);
+
 static struct rte_mbuf *
 setup_test_string(struct rte_mempool *mpool,
 		const char *string, size_t len, uint8_t blocksize)
@@ -754,6 +764,42 @@ crypto_gen_testsuite_setup(void)
 
 #ifdef RTE_LIB_SECURITY
 static int
+ipsec_proto_testsuite_setup(void)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto "
+				"testsuite not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Reconfigure to enable security */
+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
+
+	/* Set action type */
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	if (security_proto_supported(
+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto "
+				"test not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Stop the device */
+	rte_cryptodev_stop(ts_params->valid_devs[0]);
+
+	return 0;
+}
+
+static int
 pdcp_proto_testsuite_setup(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -8811,6 +8857,170 @@ test_PDCP_SDAP_PROTO_decap_all(void)
 }
 
 static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+			 struct ipsec_test_data res_d[],
+			 int nb_td,
+			 bool silent)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_security_capability_idx sec_cap_idx;
+	const struct rte_security_capability *sec_cap;
+	struct rte_security_ipsec_xform ipsec_xform;
+	uint8_t dev_id = ts_params->valid_devs[0];
+	enum rte_security_ipsec_sa_direction dir;
+	struct ipsec_test_data *res_d_tmp = NULL;
+	uint32_t src = RTE_IPV4(192, 168, 1, 0);
+	uint32_t dst = RTE_IPV4(192, 168, 1, 1);
+	int salt_len, i, ret = TEST_SUCCESS;
+	struct rte_security_ctx *ctx;
+	uint8_t *input_text;
+
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	/* Use first test data to create session */
+
+	/* Copy IPsec xform */
+	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+
+	dir = ipsec_xform.direction;
+
+	ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+	sec_cap_idx.action = ut_params->type;
+	sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+	sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+	if (sec_cap == NULL)
+		return TEST_SKIPPED;
+
+	/* Copy cipher session parameters */
+	if (td[0].aead) {
+		memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+		       sizeof(ut_params->aead_xform));
+		ut_params->aead_xform.aead.key.data = td[0].key.data;
+		ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+		/* Verify crypto capabilities */
+		if (test_ipsec_crypto_caps_aead_verify(
+				sec_cap,
+				&ut_params->aead_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+	} else {
+		/* Only AEAD supported now */
+		return TEST_SKIPPED;
+	}
+
+	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+		return TEST_SKIPPED;
+
+	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+
+	struct rte_security_session_conf sess_conf = {
+		.action_type = ut_params->type,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = ipsec_xform,
+		.crypto_xform = &ut_params->aead_xform,
+	};
+
+	/* Create security session */
+	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
+					ts_params->session_priv_mpool);
+
+	if (ut_params->sec_session == NULL)
+		return TEST_SKIPPED;
+
+	for (i = 0; i < nb_td; i++) {
+		/* Setup source mbuf payload */
+		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+				rte_pktmbuf_tailroom(ut_params->ibuf));
+
+		input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+				td[i].input_text.len);
+
+		memcpy(input_text, td[i].input_text.data,
+		       td[i].input_text.len);
+
+		/* Generate crypto op data structure */
+		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+					RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+		if (!ut_params->op) {
+			printf("TestCase %s line %d: %s\n",
+				__func__, __LINE__,
+				"failed to allocate crypto op");
+			ret = TEST_FAILED;
+			goto crypto_op_free;
+		}
+
+		/* Attach session to operation */
+		rte_security_attach_session(ut_params->op,
+					    ut_params->sec_session);
+
+		/* Set crypto operation mbufs */
+		ut_params->op->sym->m_src = ut_params->ibuf;
+		ut_params->op->sym->m_dst = NULL;
+
+		/* Process crypto operation */
+		process_crypto_request(dev_id, ut_params->op);
+
+		ret = test_ipsec_status_check(ut_params->op, dir);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		if (res_d != NULL)
+			res_d_tmp = &res_d[i];
+
+		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+					      res_d_tmp, silent);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		rte_crypto_op_free(ut_params->op);
+		ut_params->op = NULL;
+
+		rte_pktmbuf_free(ut_params->ibuf);
+		ut_params->ibuf = NULL;
+	}
+
+crypto_op_free:
+	rte_crypto_op_free(ut_params->op);
+	ut_params->op = NULL;
+
+	rte_pktmbuf_free(ut_params->ibuf);
+	ut_params->ibuf = NULL;
+
+	if (ut_params->sec_session)
+		rte_security_session_destroy(ctx, ut_params->sec_session);
+	ut_params->sec_session = NULL;
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *td_outb)
+{
+	struct ipsec_test_data td_inb;
+
+	test_ipsec_td_in_from_out(td_outb, &td_inb);
+
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13700,6 +13910,26 @@ static struct unit_test_suite end_testsuite = {
 };
 
 #ifdef RTE_LIB_SECURITY
+static struct unit_test_suite ipsec_proto_testsuite  = {
+	.suite_name = "IPsec Proto Unit Test Suite",
+	.setup = ipsec_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 static struct unit_test_suite pdcp_proto_testsuite  = {
 	.suite_name = "PDCP Proto Unit Test Suite",
 	.setup = pdcp_proto_testsuite_setup,
@@ -14486,6 +14716,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&cryptodev_negative_hmac_sha1_testsuite,
 		&cryptodev_gen_testsuite,
 #ifdef RTE_LIB_SECURITY
+		&ipsec_proto_testsuite,
 		&pdcp_proto_testsuite,
 		&docsis_proto_testsuite,
 #endif
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
new file mode 100644
index 0000000..2431fcb
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -0,0 +1,212 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_common.h>
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_cryptodev_security_ipsec.h"
+
+int
+test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			   const struct rte_security_capability *sec_cap,
+			   bool silent)
+{
+	/* Verify security capabilities */
+
+	if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ESN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.udp_encap == 1 &&
+	    sec_cap->ipsec.options.udp_encap == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_dscp == 1 &&
+	    sec_cap->ipsec.options.copy_dscp == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_flabel == 1 &&
+	    sec_cap->ipsec.options.copy_flabel == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_df == 1 &&
+	    sec_cap->ipsec.options.copy_df == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.dec_ttl == 1 &&
+	    sec_cap->ipsec.options.dec_ttl == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ECN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.stats == 1 &&
+	    sec_cap->ipsec.options.stats == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Stats is not supported\n");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+int
+test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *crypto_cap;
+	int j = 0;
+
+	while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				crypto_cap->sym.xform_type == aead->type &&
+				crypto_cap->sym.aead.algo == aead->aead.algo) {
+			sym_cap = &crypto_cap->sym;
+			if (rte_cryptodev_sym_capability_check_aead(sym_cap,
+					aead->aead.key.length,
+					aead->aead.digest_length,
+					aead->aead.aad_length,
+					aead->aead.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+void
+test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			  struct ipsec_test_data *td_in)
+{
+	memcpy(td_in, td_out, sizeof(*td_in));
+
+	/* Populate output text of td_in with input text of td_out */
+	memcpy(td_in->output_text.data, td_out->input_text.data,
+	       td_out->input_text.len);
+	td_in->output_text.len = td_out->input_text.len;
+
+	/* Populate input text of td_in with output text of td_out */
+	memcpy(td_in->input_text.data, td_out->output_text.data,
+	       td_out->output_text.len);
+	td_in->input_text.len = td_out->output_text.len;
+
+	td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+	if (td_in->aead) {
+		td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
+		td_in->xform.chain.cipher.cipher.op =
+				RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	}
+}
+
+static int
+test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
+{
+	int len = 0;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+			if (td->ipsec_xform.tunnel.type ==
+					RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+				len += sizeof(struct rte_ipv4_hdr);
+			else
+				len += sizeof(struct rte_ipv6_hdr);
+		}
+	}
+
+	return len;
+}
+
+static int
+test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		     bool silent)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+
+	if (len != td->output_text.len) {
+		printf("Output length (%d) not matching with expected (%d)\n",
+			len, td->output_text.len);
+		return TEST_FAILED;
+	}
+
+	skip = test_ipsec_tunnel_hdr_len_get(td);
+
+	len -= skip;
+	output_text += skip;
+
+	if (memcmp(output_text, td->output_text.data + skip, len)) {
+		if (silent)
+			return TEST_FAILED;
+
+		printf("TestCase %s line %d: %s\n", __func__, __LINE__,
+			"output text not as expected\n");
+
+		rte_hexdump(stdout, "expected", td->output_text.data + skip,
+			    len);
+		rte_hexdump(stdout, "actual", output_text, len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+int
+test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
+			struct ipsec_test_data *res_d, bool silent)
+{
+	/*
+	 * In case of known vector tests & all inbound tests, res_d provided
+	 * would be NULL and output data need to be validated against expected.
+	 * For inbound, output_text would be plain packet and for outbound
+	 * output_text would IPsec packet. Validate by comparing against
+	 * known vectors.
+	 */
+	RTE_SET_USED(res_d);
+	return test_ipsec_td_verify(m, td, silent);
+}
+
+int
+test_ipsec_status_check(struct rte_crypto_op *op,
+			enum rte_security_ipsec_sa_direction dir)
+{
+	int ret = TEST_SUCCESS;
+
+	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		printf("Security op processing failed\n");
+		ret = TEST_FAILED;
+	}
+
+	RTE_SET_USED(dir);
+
+	return ret;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
new file mode 100644
index 0000000..5f1b46d
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+struct ipsec_test_data {
+	struct {
+		uint8_t data[32];
+	} key;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} input_text;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} output_text;
+
+	struct {
+		uint8_t data[4];
+		unsigned int len;
+	} salt;
+
+	struct {
+		uint8_t data[16];
+	} iv;
+
+	struct rte_security_ipsec_xform ipsec_xform;
+
+	bool aead;
+
+	union {
+		struct {
+			struct rte_crypto_sym_xform cipher;
+			struct rte_crypto_sym_xform auth;
+		} chain;
+		struct rte_crypto_sym_xform aead;
+	} xform;
+};
+
+int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			       const struct rte_security_capability *sec_cap,
+			       bool silent);
+
+int test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead);
+
+void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			       struct ipsec_test_data *td_in);
+
+int test_ipsec_post_process(struct rte_mbuf *m,
+			    const struct ipsec_test_data *td,
+			    struct ipsec_test_data *res_d, bool silent);
+
+int test_ipsec_status_check(struct rte_crypto_op *op,
+			    enum rte_security_ipsec_sa_direction dir);
+
+#endif
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
new file mode 100644
index 0000000..ae9cd24
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -0,0 +1,321 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2021 Marvell
+ */
+
+#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+
+#include <rte_crypto.h>
+#include <rte_security.h>
+
+#include "test_cryptodev_security_ipsec.h"
+
+/*
+ * Known vectors
+ *
+ * AES-GCM vectors are based on :
+ * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
+ *
+ * Vectors are updated to have corrected L4 checksum and sequence number 1.
+ */
+
+struct ipsec_test_data pkt_aes_128_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* UDP */
+			0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43,
+			0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+			0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70,
+			0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69,
+			0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01,
+			0x00, 0x01,
+		},
+		.len = 62,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1,
+			0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04,
+			0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f,
+			0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c,
+			0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f,
+			0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42,
+			0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4,
+			0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4,
+			0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58,
+			0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94,
+
+		},
+		.len = 116,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_192_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00,
+			0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f,
+			0x0a, 0x01, 0x06, 0x12,
+
+			/* TCP */
+			0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02,
+			0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0,
+			0x75, 0x67, 0x00, 0x01
+		},
+		.len = 40,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4,
+			0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42,
+			0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6,
+			0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0,
+			0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77,
+			0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4,
+			0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e,
+			0x54, 0x05, 0x22, 0x22,
+		},
+		.len = 96,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 24,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00,
+			0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02,
+			0x93, 0x89, 0x15, 0x5e,
+
+			/* TCP */
+			0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0,
+			0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00,
+			0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
+			0x01, 0x01, 0x04, 0x02,
+		},
+		.len = 48,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+
+			/* Data */
+			0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf,
+			0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d,
+			0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf,
+			0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63,
+			0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34,
+			0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d,
+			0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f,
+			0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee,
+			0xa6, 0xc5, 0x11, 0x60,
+		},
+		.len = 104,
+	},
+	.salt = {
+		.data = {
+			0x11, 0x22, 0x33, 0x44
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x4a2cbfe3,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v2 2/4] test/crypto: add combined mode tests
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 1/4] test/crypto: add " Anoob Joseph
@ 2021-08-11  9:45   ` Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 3/4] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
                     ` (2 subsequent siblings)
  4 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-08-11  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, dev

Add framework to test IPsec features with all supported
combinations of ciphers.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
 3 files changed, 223 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 73923f1..d89307d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8860,7 +8860,8 @@ static int
 test_ipsec_proto_process(const struct ipsec_test_data td[],
 			 struct ipsec_test_data res_d[],
 			 int nb_td,
-			 bool silent)
+			 bool silent,
+			 const struct ipsec_test_flags *flags)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct crypto_unittest_params *ut_params = &unittest_params;
@@ -8977,7 +8978,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, dir);
+		ret = test_ipsec_status_check(ut_params->op, flags, dir);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -8985,7 +8986,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
-					      res_d_tmp, silent);
+					      res_d_tmp, silent, flags);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9013,11 +9014,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 static int
 test_ipsec_proto_known_vec_inb(const void *td_outb)
 {
+	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;
 
+	memset(&flags, 0, sizeof(flags));
+
 	test_ipsec_td_in_from_out(td_outb, &td_inb);
 
-	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(aead_list); i++) {
+		test_ipsec_td_prepare(&aead_list[i],
+				      NULL,
+				      flags,
+				      td_outb,
+				      nb_pkts);
+
+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_ipsec_display_alg(&aead_list[i], NULL);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+
+	return test_ipsec_proto_all(&flags);
 }
 
 static int
@@ -13926,6 +13987,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_ST(
+			"Combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_display_list),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 2431fcb..d08e093 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -10,6 +10,8 @@
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+extern struct ipsec_test_data pkt_aes_256_gcm;
+
 int
 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			   const struct rte_security_capability *sec_cap,
@@ -128,6 +130,68 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+void
+test_ipsec_td_prepare(const struct crypto_param *param1,
+		      const struct crypto_param *param2,
+		      const struct ipsec_test_flags *flags,
+		      struct ipsec_test_data *td_array,
+		      int nb_td)
+
+{
+	struct ipsec_test_data *td;
+	int i;
+
+	memset(td_array, 0, nb_td * sizeof(*td));
+
+	for (i = 0; i < nb_td; i++) {
+		td = &td_array[i];
+		/* Copy template for packet & key fields */
+		memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+
+		/* Override fields based on param */
+
+		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			td->aead = true;
+		else
+			td->aead = false;
+
+		td->xform.aead.aead.algo = param1->alg.aead;
+		td->xform.aead.aead.key.length = param1->key_length;
+	}
+
+	RTE_SET_USED(flags);
+	RTE_SET_USED(param2);
+}
+
+void
+test_ipsec_td_update(struct ipsec_test_data td_inb[],
+		     const struct ipsec_test_data td_outb[],
+		     int nb_td,
+		     const struct ipsec_test_flags *flags)
+{
+	int i;
+
+	for (i = 0; i < nb_td; i++) {
+		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
+		       td_outb[i].input_text.len);
+		td_inb[i].output_text.len = td_outb->input_text.len;
+	}
+
+	RTE_SET_USED(flags);
+}
+
+void
+test_ipsec_display_alg(const struct crypto_param *param1,
+		       const struct crypto_param *param2)
+{
+	if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		printf("\t%s [%d]\n",
+		       rte_crypto_aead_algorithm_strings[param1->alg.aead],
+		       param1->key_length);
+
+	RTE_SET_USED(param2);
+}
+
 static int
 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 {
@@ -148,7 +212,7 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
-		     bool silent)
+		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
@@ -177,12 +241,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		   struct ipsec_test_data *res_d)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t len = rte_pktmbuf_pkt_len(m);
+
+	memcpy(res_d, td, sizeof(*res_d));
+	memcpy(res_d->input_text.data, output_text, len);
+	res_d->input_text.len = len;
+
+	res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+	if (res_d->aead) {
+		res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		printf("Only AEAD supported\n");
+		return TEST_SKIPPED;
+	}
+
 	return TEST_SUCCESS;
 }
 
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
-			struct ipsec_test_data *res_d, bool silent)
+			struct ipsec_test_data *res_d, bool silent,
+			const struct ipsec_test_flags *flags)
 {
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
@@ -190,13 +279,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	 * For inbound, output_text would be plain packet and for outbound
 	 * output_text would IPsec packet. Validate by comparing against
 	 * known vectors.
+	 *
+	 * In case of combined mode tests, the output_text from outbound
+	 * operation (ie, IPsec packet) would need to be inbound processed to
+	 * obtain the plain text. Copy output_text to result data, 'res_d', so
+	 * that inbound processing can be done.
 	 */
-	RTE_SET_USED(res_d);
-	return test_ipsec_td_verify(m, td, silent);
+
+	if (res_d == NULL)
+		return test_ipsec_td_verify(m, td, silent, flags);
+	else
+		return test_ipsec_res_d_prepare(m, td, res_d);
 }
 
 int
 test_ipsec_status_check(struct rte_crypto_op *op,
+			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir)
 {
 	int ret = TEST_SUCCESS;
@@ -206,6 +304,7 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		ret = TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
 	RTE_SET_USED(dir);
 
 	return ret;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 5f1b46d..cbb3ee4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define IPSEC_TEST_PACKETS_MAX 32
+
 struct ipsec_test_data {
 	struct {
 		uint8_t data[32];
@@ -45,6 +47,38 @@ struct ipsec_test_data {
 	} xform;
 };
 
+struct ipsec_test_flags {
+	bool display_alg;
+};
+
+struct crypto_param {
+	enum rte_crypto_sym_xform_type type;
+	union {
+		enum rte_crypto_cipher_algorithm cipher;
+		enum rte_crypto_auth_algorithm auth;
+		enum rte_crypto_aead_algorithm aead;
+	} alg;
+	uint16_t key_length;
+};
+
+static const struct crypto_param aead_list[] = {
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 16,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 24,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 32
+	},
+};
+
 int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			       const struct rte_security_capability *sec_cap,
 			       bool silent);
@@ -56,11 +90,27 @@ int test_ipsec_crypto_caps_aead_verify(
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);
 
+void test_ipsec_td_prepare(const struct crypto_param *param1,
+			   const struct crypto_param *param2,
+			   const struct ipsec_test_flags *flags,
+			   struct ipsec_test_data *td_array,
+			   int nb_td);
+
+void test_ipsec_td_update(struct ipsec_test_data td_inb[],
+			  const struct ipsec_test_data td_outb[],
+			  int nb_td,
+			  const struct ipsec_test_flags *flags);
+
+void test_ipsec_display_alg(const struct crypto_param *param1,
+			    const struct crypto_param *param2);
+
 int test_ipsec_post_process(struct rte_mbuf *m,
 			    const struct ipsec_test_data *td,
-			    struct ipsec_test_data *res_d, bool silent);
+			    struct ipsec_test_data *res_d, bool silent,
+			    const struct ipsec_test_flags *flags);
 
 int test_ipsec_status_check(struct rte_crypto_op *op,
+			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir);
 
 #endif
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v2 3/4] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 1/4] test/crypto: add " Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 2/4] test/crypto: add combined mode tests Anoob Joseph
@ 2021-08-11  9:45   ` Anoob Joseph
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 4/4] test/crypto: add IV gen tests Anoob Joseph
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
  4 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-08-11  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding lookaside IPsec ICV corrupt test case.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index d89307d..488daed 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9082,6 +9082,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13991,6 +14003,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index d08e093..aebbe66 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -217,6 +220,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -241,8 +249,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -299,13 +305,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index cbb3ee4..134fc3a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v2 4/4] test/crypto: add IV gen tests
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
                     ` (2 preceding siblings ...)
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 3/4] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-08-11  9:45   ` Anoob Joseph
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
  4 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-08-11  9:45 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Add test cases to verify IV generated by PMD.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 19 ++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 52 ++++++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 72 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 488daed..71e6c1a 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9032,6 +9032,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
 	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	if (flags->iv_gen)
+		nb_pkts = IPSEC_TEST_PACKETS_MAX;
+
 	for (i = 0; i < RTE_DIM(aead_list); i++) {
 		test_ipsec_td_prepare(&aead_list[i],
 				      NULL,
@@ -9082,6 +9085,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_iv_gen(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.iv_gen = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 {
 	struct ipsec_test_flags flags;
@@ -14004,6 +14019,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
 		TEST_CASE_NAMED_ST(
+			"IV generation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_iv_gen),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index aebbe66..78c7f3a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -4,12 +4,15 @@
 
 #include <rte_common.h>
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+#define IV_LEN_MAX 16
+
 extern struct ipsec_test_data pkt_aes_256_gcm;
 
 int
@@ -214,6 +217,46 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 }
 
 static int
+test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
+{
+	static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
+	uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	int i, iv_pos, iv_len;
+	static int index;
+
+	if (td->aead)
+		iv_len = td->xform.aead.aead.iv.length - td->salt.len;
+	else
+		iv_len = td->xform.chain.cipher.cipher.iv.length;
+
+	iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
+	output_text += iv_pos;
+
+	TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
+
+	/* Compare against previous values */
+	for (i = 0; i < index; i++) {
+		iv_tmp = &iv_queue[i * IV_LEN_MAX];
+
+		if (memcmp(output_text, iv_tmp, iv_len) == 0) {
+			printf("IV repeated");
+			return TEST_FAILED;
+		}
+	}
+
+	/* Save IV for future comparisons */
+
+	iv_tmp = &iv_queue[index * IV_LEN_MAX];
+	memcpy(iv_tmp, output_text, iv_len);
+	index++;
+
+	if (index == IPSEC_TEST_PACKETS_MAX)
+		index = 0;
+
+	return TEST_SUCCESS;
+}
+
+static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
@@ -279,6 +322,15 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 			struct ipsec_test_data *res_d, bool silent,
 			const struct ipsec_test_flags *flags)
 {
+	int ret;
+
+	if (flags->iv_gen &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ret = test_ipsec_iv_verify_push(m, td);
+		if (ret != TEST_SUCCESS)
+			return ret;
+	}
+
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
 	 * would be NULL and output data need to be validated against expected.
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 134fc3a..d2ec63f 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
 struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
+	bool iv_gen;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests
  2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
                     ` (3 preceding siblings ...)
  2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 4/4] test/crypto: add IV gen tests Anoob Joseph
@ 2021-09-03  4:46   ` Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 1/5] test/crypto: add " Anoob Joseph
                       ` (5 more replies)
  4 siblings, 6 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vectors are outbound vectors based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the PMD. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Four test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption
3. IV generation
4. UDP encapsulation

IV generation test case compares IV generated for a batch of packets and returns
failure if IV is repeated.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. Transport
4. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k

Changes in v3
- Added UDP encapsulation tests

Changes in v2
- Dropped outbound known vector tests as lookaside protocol would require IV
  generated by PMD. The tests would be introduced with spec change to allow user
  to specify IV.
- Added IV generation tests
- Minor fixes in combined mode tests to handle multiple packets

Anoob Joseph (2):
  test/crypto: add lookaside IPsec tests
  test/crypto: add combined mode tests

Tejasree Kondoj (3):
  test/crypto: add lookaside IPsec ICV corrupt test case
  test/crypto: add IV gen tests
  test/crypto: add UDP encapsulation test cases

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 350 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 401 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++
 6 files changed, 1198 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
@ 2021-09-03  4:46     ` Anoob Joseph
  2021-09-03  9:38       ` Power, Ciara
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests Anoob Joseph
                       ` (4 subsequent siblings)
  5 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Added test case for lookaside IPsec. Inbound known vector
tests are added.

Cipher list: AES-GCM 128, 192 & 256

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 231 +++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           |  66 +++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++++++
 6 files changed, 837 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index a761168..f144d8b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -38,6 +38,7 @@ test_sources = files(
         'test_cryptodev.c',
         'test_cryptodev_asym.c',
         'test_cryptodev_blockcipher.c',
+        'test_cryptodev_security_ipsec.c',
         'test_cryptodev_security_pdcp.c',
         'test_cycles.c',
         'test_debug.c',
diff --git a/app/test/test.h b/app/test/test.h
index c3b2a87..7115edf 100644
--- a/app/test/test.h
+++ b/app/test/test.h
@@ -124,6 +124,12 @@ struct unit_test_case {
 #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \
 		{ setup, teardown, NULL, testcase, #testcase, 1, data }
 
+#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \
+		{ setup, teardown, NULL, testcase, name, 1, NULL }
+
+#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \
+		{ setup, teardown, NULL, testcase, name, 1, data }
+
 #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL }
 
 #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9ad0b37..73923f1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17,6 +17,7 @@
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
 #include <rte_cryptodev_pmd.h>
+#include <rte_ip.h>
 #include <rte_string_fns.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -42,6 +43,8 @@
 #include "test_cryptodev_hmac_test_vectors.h"
 #include "test_cryptodev_mixed_test_vectors.h"
 #ifdef RTE_LIB_SECURITY
+#include "test_cryptodev_security_ipsec.h"
+#include "test_cryptodev_security_ipsec_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_vectors.h"
 #include "test_cryptodev_security_pdcp_sdap_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_func.h"
@@ -124,6 +127,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess,
 		const uint8_t *digest,
 		const uint8_t *iv);
 
+static int
+security_proto_supported(enum rte_security_session_action_type action,
+	enum rte_security_session_protocol proto);
+
+static int
+dev_configure_and_start(uint64_t ff_disable);
+
 static struct rte_mbuf *
 setup_test_string(struct rte_mempool *mpool,
 		const char *string, size_t len, uint8_t blocksize)
@@ -754,6 +764,42 @@ crypto_gen_testsuite_setup(void)
 
 #ifdef RTE_LIB_SECURITY
 static int
+ipsec_proto_testsuite_setup(void)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto "
+				"testsuite not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Reconfigure to enable security */
+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
+
+	/* Set action type */
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	if (security_proto_supported(
+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto "
+				"test not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Stop the device */
+	rte_cryptodev_stop(ts_params->valid_devs[0]);
+
+	return 0;
+}
+
+static int
 pdcp_proto_testsuite_setup(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -8811,6 +8857,170 @@ test_PDCP_SDAP_PROTO_decap_all(void)
 }
 
 static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+			 struct ipsec_test_data res_d[],
+			 int nb_td,
+			 bool silent)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_security_capability_idx sec_cap_idx;
+	const struct rte_security_capability *sec_cap;
+	struct rte_security_ipsec_xform ipsec_xform;
+	uint8_t dev_id = ts_params->valid_devs[0];
+	enum rte_security_ipsec_sa_direction dir;
+	struct ipsec_test_data *res_d_tmp = NULL;
+	uint32_t src = RTE_IPV4(192, 168, 1, 0);
+	uint32_t dst = RTE_IPV4(192, 168, 1, 1);
+	int salt_len, i, ret = TEST_SUCCESS;
+	struct rte_security_ctx *ctx;
+	uint8_t *input_text;
+
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	/* Use first test data to create session */
+
+	/* Copy IPsec xform */
+	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+
+	dir = ipsec_xform.direction;
+
+	ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+	sec_cap_idx.action = ut_params->type;
+	sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+	sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+	if (sec_cap == NULL)
+		return TEST_SKIPPED;
+
+	/* Copy cipher session parameters */
+	if (td[0].aead) {
+		memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+		       sizeof(ut_params->aead_xform));
+		ut_params->aead_xform.aead.key.data = td[0].key.data;
+		ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+		/* Verify crypto capabilities */
+		if (test_ipsec_crypto_caps_aead_verify(
+				sec_cap,
+				&ut_params->aead_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+	} else {
+		/* Only AEAD supported now */
+		return TEST_SKIPPED;
+	}
+
+	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+		return TEST_SKIPPED;
+
+	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+
+	struct rte_security_session_conf sess_conf = {
+		.action_type = ut_params->type,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = ipsec_xform,
+		.crypto_xform = &ut_params->aead_xform,
+	};
+
+	/* Create security session */
+	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
+					ts_params->session_priv_mpool);
+
+	if (ut_params->sec_session == NULL)
+		return TEST_SKIPPED;
+
+	for (i = 0; i < nb_td; i++) {
+		/* Setup source mbuf payload */
+		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+				rte_pktmbuf_tailroom(ut_params->ibuf));
+
+		input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+				td[i].input_text.len);
+
+		memcpy(input_text, td[i].input_text.data,
+		       td[i].input_text.len);
+
+		/* Generate crypto op data structure */
+		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+					RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+		if (!ut_params->op) {
+			printf("TestCase %s line %d: %s\n",
+				__func__, __LINE__,
+				"failed to allocate crypto op");
+			ret = TEST_FAILED;
+			goto crypto_op_free;
+		}
+
+		/* Attach session to operation */
+		rte_security_attach_session(ut_params->op,
+					    ut_params->sec_session);
+
+		/* Set crypto operation mbufs */
+		ut_params->op->sym->m_src = ut_params->ibuf;
+		ut_params->op->sym->m_dst = NULL;
+
+		/* Process crypto operation */
+		process_crypto_request(dev_id, ut_params->op);
+
+		ret = test_ipsec_status_check(ut_params->op, dir);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		if (res_d != NULL)
+			res_d_tmp = &res_d[i];
+
+		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+					      res_d_tmp, silent);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		rte_crypto_op_free(ut_params->op);
+		ut_params->op = NULL;
+
+		rte_pktmbuf_free(ut_params->ibuf);
+		ut_params->ibuf = NULL;
+	}
+
+crypto_op_free:
+	rte_crypto_op_free(ut_params->op);
+	ut_params->op = NULL;
+
+	rte_pktmbuf_free(ut_params->ibuf);
+	ut_params->ibuf = NULL;
+
+	if (ut_params->sec_session)
+		rte_security_session_destroy(ctx, ut_params->sec_session);
+	ut_params->sec_session = NULL;
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *td_outb)
+{
+	struct ipsec_test_data td_inb;
+
+	test_ipsec_td_in_from_out(td_outb, &td_inb);
+
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13700,6 +13910,26 @@ static struct unit_test_suite end_testsuite = {
 };
 
 #ifdef RTE_LIB_SECURITY
+static struct unit_test_suite ipsec_proto_testsuite  = {
+	.suite_name = "IPsec Proto Unit Test Suite",
+	.setup = ipsec_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 static struct unit_test_suite pdcp_proto_testsuite  = {
 	.suite_name = "PDCP Proto Unit Test Suite",
 	.setup = pdcp_proto_testsuite_setup,
@@ -14486,6 +14716,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&cryptodev_negative_hmac_sha1_testsuite,
 		&cryptodev_gen_testsuite,
 #ifdef RTE_LIB_SECURITY
+		&ipsec_proto_testsuite,
 		&pdcp_proto_testsuite,
 		&docsis_proto_testsuite,
 #endif
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
new file mode 100644
index 0000000..2431fcb
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -0,0 +1,212 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_common.h>
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_cryptodev_security_ipsec.h"
+
+int
+test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			   const struct rte_security_capability *sec_cap,
+			   bool silent)
+{
+	/* Verify security capabilities */
+
+	if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ESN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.udp_encap == 1 &&
+	    sec_cap->ipsec.options.udp_encap == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_dscp == 1 &&
+	    sec_cap->ipsec.options.copy_dscp == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_flabel == 1 &&
+	    sec_cap->ipsec.options.copy_flabel == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_df == 1 &&
+	    sec_cap->ipsec.options.copy_df == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.dec_ttl == 1 &&
+	    sec_cap->ipsec.options.dec_ttl == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ECN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.stats == 1 &&
+	    sec_cap->ipsec.options.stats == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Stats is not supported\n");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+int
+test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *crypto_cap;
+	int j = 0;
+
+	while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				crypto_cap->sym.xform_type == aead->type &&
+				crypto_cap->sym.aead.algo == aead->aead.algo) {
+			sym_cap = &crypto_cap->sym;
+			if (rte_cryptodev_sym_capability_check_aead(sym_cap,
+					aead->aead.key.length,
+					aead->aead.digest_length,
+					aead->aead.aad_length,
+					aead->aead.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+void
+test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			  struct ipsec_test_data *td_in)
+{
+	memcpy(td_in, td_out, sizeof(*td_in));
+
+	/* Populate output text of td_in with input text of td_out */
+	memcpy(td_in->output_text.data, td_out->input_text.data,
+	       td_out->input_text.len);
+	td_in->output_text.len = td_out->input_text.len;
+
+	/* Populate input text of td_in with output text of td_out */
+	memcpy(td_in->input_text.data, td_out->output_text.data,
+	       td_out->output_text.len);
+	td_in->input_text.len = td_out->output_text.len;
+
+	td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+	if (td_in->aead) {
+		td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
+		td_in->xform.chain.cipher.cipher.op =
+				RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	}
+}
+
+static int
+test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
+{
+	int len = 0;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+			if (td->ipsec_xform.tunnel.type ==
+					RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+				len += sizeof(struct rte_ipv4_hdr);
+			else
+				len += sizeof(struct rte_ipv6_hdr);
+		}
+	}
+
+	return len;
+}
+
+static int
+test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		     bool silent)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+
+	if (len != td->output_text.len) {
+		printf("Output length (%d) not matching with expected (%d)\n",
+			len, td->output_text.len);
+		return TEST_FAILED;
+	}
+
+	skip = test_ipsec_tunnel_hdr_len_get(td);
+
+	len -= skip;
+	output_text += skip;
+
+	if (memcmp(output_text, td->output_text.data + skip, len)) {
+		if (silent)
+			return TEST_FAILED;
+
+		printf("TestCase %s line %d: %s\n", __func__, __LINE__,
+			"output text not as expected\n");
+
+		rte_hexdump(stdout, "expected", td->output_text.data + skip,
+			    len);
+		rte_hexdump(stdout, "actual", output_text, len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+int
+test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
+			struct ipsec_test_data *res_d, bool silent)
+{
+	/*
+	 * In case of known vector tests & all inbound tests, res_d provided
+	 * would be NULL and output data need to be validated against expected.
+	 * For inbound, output_text would be plain packet and for outbound
+	 * output_text would IPsec packet. Validate by comparing against
+	 * known vectors.
+	 */
+	RTE_SET_USED(res_d);
+	return test_ipsec_td_verify(m, td, silent);
+}
+
+int
+test_ipsec_status_check(struct rte_crypto_op *op,
+			enum rte_security_ipsec_sa_direction dir)
+{
+	int ret = TEST_SUCCESS;
+
+	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		printf("Security op processing failed\n");
+		ret = TEST_FAILED;
+	}
+
+	RTE_SET_USED(dir);
+
+	return ret;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
new file mode 100644
index 0000000..5f1b46d
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+struct ipsec_test_data {
+	struct {
+		uint8_t data[32];
+	} key;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} input_text;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} output_text;
+
+	struct {
+		uint8_t data[4];
+		unsigned int len;
+	} salt;
+
+	struct {
+		uint8_t data[16];
+	} iv;
+
+	struct rte_security_ipsec_xform ipsec_xform;
+
+	bool aead;
+
+	union {
+		struct {
+			struct rte_crypto_sym_xform cipher;
+			struct rte_crypto_sym_xform auth;
+		} chain;
+		struct rte_crypto_sym_xform aead;
+	} xform;
+};
+
+int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			       const struct rte_security_capability *sec_cap,
+			       bool silent);
+
+int test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead);
+
+void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			       struct ipsec_test_data *td_in);
+
+int test_ipsec_post_process(struct rte_mbuf *m,
+			    const struct ipsec_test_data *td,
+			    struct ipsec_test_data *res_d, bool silent);
+
+int test_ipsec_status_check(struct rte_crypto_op *op,
+			    enum rte_security_ipsec_sa_direction dir);
+
+#endif
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
new file mode 100644
index 0000000..ae9cd24
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -0,0 +1,321 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2021 Marvell
+ */
+
+#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+
+#include <rte_crypto.h>
+#include <rte_security.h>
+
+#include "test_cryptodev_security_ipsec.h"
+
+/*
+ * Known vectors
+ *
+ * AES-GCM vectors are based on :
+ * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
+ *
+ * Vectors are updated to have corrected L4 checksum and sequence number 1.
+ */
+
+struct ipsec_test_data pkt_aes_128_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* UDP */
+			0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43,
+			0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+			0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70,
+			0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69,
+			0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01,
+			0x00, 0x01,
+		},
+		.len = 62,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1,
+			0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04,
+			0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f,
+			0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c,
+			0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f,
+			0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42,
+			0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4,
+			0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4,
+			0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58,
+			0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94,
+
+		},
+		.len = 116,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_192_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00,
+			0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f,
+			0x0a, 0x01, 0x06, 0x12,
+
+			/* TCP */
+			0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02,
+			0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0,
+			0x75, 0x67, 0x00, 0x01
+		},
+		.len = 40,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4,
+			0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42,
+			0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6,
+			0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0,
+			0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77,
+			0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4,
+			0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e,
+			0x54, 0x05, 0x22, 0x22,
+		},
+		.len = 96,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 24,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00,
+			0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02,
+			0x93, 0x89, 0x15, 0x5e,
+
+			/* TCP */
+			0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0,
+			0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00,
+			0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
+			0x01, 0x01, 0x04, 0x02,
+		},
+		.len = 48,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+
+			/* Data */
+			0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf,
+			0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d,
+			0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf,
+			0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63,
+			0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34,
+			0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d,
+			0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f,
+			0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee,
+			0xa6, 0xc5, 0x11, 0x60,
+		},
+		.len = 104,
+	},
+	.salt = {
+		.data = {
+			0x11, 0x22, 0x33, 0x44
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x4a2cbfe3,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 1/5] test/crypto: add " Anoob Joseph
@ 2021-09-03  4:46     ` Anoob Joseph
  2021-09-03  9:42       ` Power, Ciara
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
                       ` (3 subsequent siblings)
  5 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add framework to test IPsec features with all supported
combinations of ciphers.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
 3 files changed, 223 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 73923f1..d89307d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8860,7 +8860,8 @@ static int
 test_ipsec_proto_process(const struct ipsec_test_data td[],
 			 struct ipsec_test_data res_d[],
 			 int nb_td,
-			 bool silent)
+			 bool silent,
+			 const struct ipsec_test_flags *flags)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct crypto_unittest_params *ut_params = &unittest_params;
@@ -8977,7 +8978,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, dir);
+		ret = test_ipsec_status_check(ut_params->op, flags, dir);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -8985,7 +8986,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
-					      res_d_tmp, silent);
+					      res_d_tmp, silent, flags);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9013,11 +9014,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 static int
 test_ipsec_proto_known_vec_inb(const void *td_outb)
 {
+	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;
 
+	memset(&flags, 0, sizeof(flags));
+
 	test_ipsec_td_in_from_out(td_outb, &td_inb);
 
-	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(aead_list); i++) {
+		test_ipsec_td_prepare(&aead_list[i],
+				      NULL,
+				      flags,
+				      td_outb,
+				      nb_pkts);
+
+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_ipsec_display_alg(&aead_list[i], NULL);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+
+	return test_ipsec_proto_all(&flags);
 }
 
 static int
@@ -13926,6 +13987,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_ST(
+			"Combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_display_list),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 2431fcb..d08e093 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -10,6 +10,8 @@
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+extern struct ipsec_test_data pkt_aes_256_gcm;
+
 int
 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			   const struct rte_security_capability *sec_cap,
@@ -128,6 +130,68 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+void
+test_ipsec_td_prepare(const struct crypto_param *param1,
+		      const struct crypto_param *param2,
+		      const struct ipsec_test_flags *flags,
+		      struct ipsec_test_data *td_array,
+		      int nb_td)
+
+{
+	struct ipsec_test_data *td;
+	int i;
+
+	memset(td_array, 0, nb_td * sizeof(*td));
+
+	for (i = 0; i < nb_td; i++) {
+		td = &td_array[i];
+		/* Copy template for packet & key fields */
+		memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+
+		/* Override fields based on param */
+
+		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			td->aead = true;
+		else
+			td->aead = false;
+
+		td->xform.aead.aead.algo = param1->alg.aead;
+		td->xform.aead.aead.key.length = param1->key_length;
+	}
+
+	RTE_SET_USED(flags);
+	RTE_SET_USED(param2);
+}
+
+void
+test_ipsec_td_update(struct ipsec_test_data td_inb[],
+		     const struct ipsec_test_data td_outb[],
+		     int nb_td,
+		     const struct ipsec_test_flags *flags)
+{
+	int i;
+
+	for (i = 0; i < nb_td; i++) {
+		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
+		       td_outb[i].input_text.len);
+		td_inb[i].output_text.len = td_outb->input_text.len;
+	}
+
+	RTE_SET_USED(flags);
+}
+
+void
+test_ipsec_display_alg(const struct crypto_param *param1,
+		       const struct crypto_param *param2)
+{
+	if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		printf("\t%s [%d]\n",
+		       rte_crypto_aead_algorithm_strings[param1->alg.aead],
+		       param1->key_length);
+
+	RTE_SET_USED(param2);
+}
+
 static int
 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 {
@@ -148,7 +212,7 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
-		     bool silent)
+		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
@@ -177,12 +241,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		   struct ipsec_test_data *res_d)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t len = rte_pktmbuf_pkt_len(m);
+
+	memcpy(res_d, td, sizeof(*res_d));
+	memcpy(res_d->input_text.data, output_text, len);
+	res_d->input_text.len = len;
+
+	res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+	if (res_d->aead) {
+		res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		printf("Only AEAD supported\n");
+		return TEST_SKIPPED;
+	}
+
 	return TEST_SUCCESS;
 }
 
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
-			struct ipsec_test_data *res_d, bool silent)
+			struct ipsec_test_data *res_d, bool silent,
+			const struct ipsec_test_flags *flags)
 {
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
@@ -190,13 +279,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	 * For inbound, output_text would be plain packet and for outbound
 	 * output_text would IPsec packet. Validate by comparing against
 	 * known vectors.
+	 *
+	 * In case of combined mode tests, the output_text from outbound
+	 * operation (ie, IPsec packet) would need to be inbound processed to
+	 * obtain the plain text. Copy output_text to result data, 'res_d', so
+	 * that inbound processing can be done.
 	 */
-	RTE_SET_USED(res_d);
-	return test_ipsec_td_verify(m, td, silent);
+
+	if (res_d == NULL)
+		return test_ipsec_td_verify(m, td, silent, flags);
+	else
+		return test_ipsec_res_d_prepare(m, td, res_d);
 }
 
 int
 test_ipsec_status_check(struct rte_crypto_op *op,
+			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir)
 {
 	int ret = TEST_SUCCESS;
@@ -206,6 +304,7 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		ret = TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
 	RTE_SET_USED(dir);
 
 	return ret;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 5f1b46d..cbb3ee4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define IPSEC_TEST_PACKETS_MAX 32
+
 struct ipsec_test_data {
 	struct {
 		uint8_t data[32];
@@ -45,6 +47,38 @@ struct ipsec_test_data {
 	} xform;
 };
 
+struct ipsec_test_flags {
+	bool display_alg;
+};
+
+struct crypto_param {
+	enum rte_crypto_sym_xform_type type;
+	union {
+		enum rte_crypto_cipher_algorithm cipher;
+		enum rte_crypto_auth_algorithm auth;
+		enum rte_crypto_aead_algorithm aead;
+	} alg;
+	uint16_t key_length;
+};
+
+static const struct crypto_param aead_list[] = {
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 16,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 24,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 32
+	},
+};
+
 int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			       const struct rte_security_capability *sec_cap,
 			       bool silent);
@@ -56,11 +90,27 @@ int test_ipsec_crypto_caps_aead_verify(
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);
 
+void test_ipsec_td_prepare(const struct crypto_param *param1,
+			   const struct crypto_param *param2,
+			   const struct ipsec_test_flags *flags,
+			   struct ipsec_test_data *td_array,
+			   int nb_td);
+
+void test_ipsec_td_update(struct ipsec_test_data td_inb[],
+			  const struct ipsec_test_data td_outb[],
+			  int nb_td,
+			  const struct ipsec_test_flags *flags);
+
+void test_ipsec_display_alg(const struct crypto_param *param1,
+			    const struct crypto_param *param2);
+
 int test_ipsec_post_process(struct rte_mbuf *m,
 			    const struct ipsec_test_data *td,
-			    struct ipsec_test_data *res_d, bool silent);
+			    struct ipsec_test_data *res_d, bool silent,
+			    const struct ipsec_test_flags *flags);
 
 int test_ipsec_status_check(struct rte_crypto_op *op,
+			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir);
 
 #endif
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 1/5] test/crypto: add " Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests Anoob Joseph
@ 2021-09-03  4:46     ` Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 4/5] test/crypto: add IV gen tests Anoob Joseph
                       ` (2 subsequent siblings)
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding lookaside IPsec ICV corrupt test case.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index d89307d..488daed 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9082,6 +9082,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13991,6 +14003,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index d08e093..aebbe66 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -217,6 +220,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -241,8 +249,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -299,13 +305,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index cbb3ee4..134fc3a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 4/5] test/crypto: add IV gen tests
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
                       ` (2 preceding siblings ...)
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-09-03  4:46     ` Anoob Joseph
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Add test cases to verify IV generated by PMD.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 19 ++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 52 ++++++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 72 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 488daed..71e6c1a 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9032,6 +9032,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
 	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	if (flags->iv_gen)
+		nb_pkts = IPSEC_TEST_PACKETS_MAX;
+
 	for (i = 0; i < RTE_DIM(aead_list); i++) {
 		test_ipsec_td_prepare(&aead_list[i],
 				      NULL,
@@ -9082,6 +9085,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_iv_gen(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.iv_gen = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 {
 	struct ipsec_test_flags flags;
@@ -14004,6 +14019,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
 		TEST_CASE_NAMED_ST(
+			"IV generation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_iv_gen),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index aebbe66..78c7f3a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -4,12 +4,15 @@
 
 #include <rte_common.h>
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+#define IV_LEN_MAX 16
+
 extern struct ipsec_test_data pkt_aes_256_gcm;
 
 int
@@ -214,6 +217,46 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 }
 
 static int
+test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
+{
+	static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
+	uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	int i, iv_pos, iv_len;
+	static int index;
+
+	if (td->aead)
+		iv_len = td->xform.aead.aead.iv.length - td->salt.len;
+	else
+		iv_len = td->xform.chain.cipher.cipher.iv.length;
+
+	iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
+	output_text += iv_pos;
+
+	TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
+
+	/* Compare against previous values */
+	for (i = 0; i < index; i++) {
+		iv_tmp = &iv_queue[i * IV_LEN_MAX];
+
+		if (memcmp(output_text, iv_tmp, iv_len) == 0) {
+			printf("IV repeated");
+			return TEST_FAILED;
+		}
+	}
+
+	/* Save IV for future comparisons */
+
+	iv_tmp = &iv_queue[index * IV_LEN_MAX];
+	memcpy(iv_tmp, output_text, iv_len);
+	index++;
+
+	if (index == IPSEC_TEST_PACKETS_MAX)
+		index = 0;
+
+	return TEST_SUCCESS;
+}
+
+static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
@@ -279,6 +322,15 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 			struct ipsec_test_data *res_d, bool silent,
 			const struct ipsec_test_flags *flags)
 {
+	int ret;
+
+	if (flags->iv_gen &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ret = test_ipsec_iv_verify_push(m, td);
+		if (ret != TEST_SUCCESS)
+			return ret;
+	}
+
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
 	 * would be NULL and output data need to be validated against expected.
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 134fc3a..d2ec63f 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
 struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
+	bool iv_gen;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v3 5/5] test/crypto: add UDP encapsulation test cases
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
                       ` (3 preceding siblings ...)
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 4/5] test/crypto: add IV gen tests Anoob Joseph
@ 2021-09-03  4:46     ` Anoob Joseph
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  4:46 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding UDP encapsulation test cases.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 28 ++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 48 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 71e6c1a..b7c5270 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8898,6 +8898,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
 	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
 
+	if (flags->udp_encap)
+		ipsec_xform.options.udp_encap = 1;
+
 	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
 	if (sec_cap == NULL)
 		return TEST_SKIPPED;
@@ -9109,6 +9112,18 @@ test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_udp_encap(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.udp_encap = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14023,6 +14038,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_iv_gen),
 		TEST_CASE_NAMED_ST(
+			"UDP encapsulation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_udp_encap),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 78c7f3a..5b54996 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_udp.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
@@ -183,6 +184,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 			int icv_pos = td_inb[i].input_text.len - 4;
 			td_inb[i].input_text.data[icv_pos] += 1;
 		}
+
+		if (flags->udp_encap)
+			td_inb[i].ipsec_xform.options.udp_encap = 1;
 	}
 }
 
@@ -268,6 +272,30 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 		return TEST_SUCCESS;
 
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	   flags->udp_encap) {
+		const struct rte_ipv4_hdr *iph4;
+		const struct rte_ipv6_hdr *iph6;
+
+		if (td->ipsec_xform.tunnel.type ==
+				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			iph4 = (const struct rte_ipv4_hdr *)output_text;
+			if (iph4->next_proto_id != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		} else {
+			iph6 = (const struct rte_ipv6_hdr *)output_text;
+			if (iph6->proto != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		}
+
+		len -= sizeof(struct rte_udp_hdr);
+		output_text += sizeof(struct rte_udp_hdr);
+	}
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index d2ec63f..e1645f4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -51,6 +51,7 @@ struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
 	bool iv_gen;
+	bool udp_encap;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 1/5] test/crypto: add " Anoob Joseph
@ 2021-09-03  9:38       ` Power, Ciara
  2021-09-03  9:46         ` Anoob Joseph
  0 siblings, 1 reply; 49+ messages in thread
From: Power, Ciara @ 2021-09-03  9:38 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob,

Left some comments/questions inline.

Thanks,
Ciara

>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 3 September 2021 05:47
>To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>Ananyev, Konstantin <konstantin.ananyev@intel.com>
>Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob <jerinj@marvell.com>;
>Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
><ktejasree@marvell.com>; Hemant Agrawal <hemant.agrawal@nxp.com>;
>Nicolau, Radu <radu.nicolau@intel.com>; Power, Ciara
><ciara.power@intel.com>; Gagandeep Singh <g.singh@nxp.com>; dev@dpdk.org
>Subject: [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
>
>Added test case for lookaside IPsec. Inbound known vector tests are added.
>
>Cipher list: AES-GCM 128, 192 & 256
>
>Signed-off-by: Anoob Joseph <anoobj@marvell.com>
>Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>---
<snip>

> #ifdef RTE_LIB_SECURITY
> static int
>+ipsec_proto_testsuite_setup(void)
>+{
>+	struct crypto_testsuite_params *ts_params = &testsuite_params;
>+	struct crypto_unittest_params *ut_params = &unittest_params;
>+	struct rte_cryptodev_info dev_info;
>+
>+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
>+
>+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
>+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
>Proto "
>+				"testsuite not met\n");
>+		return TEST_SKIPPED;
>+	}
>+
>+	/* Reconfigure to enable security */
>+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
>+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
>+

Just a question on this - each testcase uses ut_setup_security which in turn calls dev_configure_and_start,
Is the configuration resulting from this call just being redone when the first testcase runs?

>+	/* Set action type */
>+	ut_params->type =
>RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
>+
>+	if (security_proto_supported(
>+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
>+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto
>"
>+				"test not met\n");
>+		return TEST_SKIPPED;

If the test is skipped here, the device is not stopped, which I believe would cause problems for the next testsuite setup configuring the device.

>+	}
>+
>+	/* Stop the device */
>+	rte_cryptodev_stop(ts_params->valid_devs[0]);
>+
>+	return 0;
>+}



^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests Anoob Joseph
@ 2021-09-03  9:42       ` Power, Ciara
  2021-09-03 10:04         ` Anoob Joseph
  0 siblings, 1 reply; 49+ messages in thread
From: Power, Ciara @ 2021-09-03  9:42 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob, 

>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 3 September 2021 05:47
>To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>Ananyev, Konstantin <konstantin.ananyev@intel.com>
>Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob <jerinj@marvell.com>;
>Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
><ktejasree@marvell.com>; Hemant Agrawal <hemant.agrawal@nxp.com>;
>Nicolau, Radu <radu.nicolau@intel.com>; Power, Ciara
><ciara.power@intel.com>; Gagandeep Singh <g.singh@nxp.com>; dev@dpdk.org
>Subject: [PATCH v3 2/5] test/crypto: add combined mode tests
>
>Add framework to test IPsec features with all supported combinations of ciphers.
>
>Signed-off-by: Anoob Joseph <anoobj@marvell.com>
>Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>---
<snip>

>+static int
>+test_ipsec_proto_all(const struct ipsec_test_flags *flags) {
>+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
>+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
>+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
>+	int ret;
>+

Is this testcase actually running multiple testcases under the hood?
I wonder could it be suited to use a sub-testsuite structure to bring the testcase results up to the top level, as done with cryptodev blockcipher tests.
Have you considered this approach?

Thanks,
Ciara

>+	for (i = 0; i < RTE_DIM(aead_list); i++) {
>+		test_ipsec_td_prepare(&aead_list[i],
>+				      NULL,
>+				      flags,
>+				      td_outb,
>+				      nb_pkts);
>+
>+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
>+					       flags);
>+		if (ret == TEST_SKIPPED)
>+			continue;
>+
>+		if (ret == TEST_FAILED)
>+			return TEST_FAILED;
>+
>+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
>+
>+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
>+					       flags);
>+		if (ret == TEST_SKIPPED)
>+			continue;
>+
>+		if (ret == TEST_FAILED)
>+			return TEST_FAILED;
>+
>+		if (flags->display_alg)
>+			test_ipsec_display_alg(&aead_list[i], NULL);
>+
>+		pass_cnt++;
>+	}
>+
>+	if (pass_cnt > 0)
>+		return TEST_SUCCESS;
>+	else
>+		return TEST_SKIPPED;
>+}
>+
<snip>

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
  2021-09-03  9:38       ` Power, Ciara
@ 2021-09-03  9:46         ` Anoob Joseph
  0 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03  9:46 UTC (permalink / raw)
  To: Power, Ciara, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Ciara,

Thanks for the review. Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Power, Ciara <ciara.power@intel.com>
> Sent: Friday, September 3, 2021 3:09 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal
> <gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
> Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> <konstantin.ananyev@intel.com>
> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
> Hemant Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> Left some comments/questions inline.
> 
> Thanks,
> Ciara
> 
> >-----Original Message-----
> >From: Anoob Joseph <anoobj@marvell.com>
> >Sent: Friday 3 September 2021 05:47
> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
> ><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
> >Ananyev, Konstantin <konstantin.ananyev@intel.com>
> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
> ><g.singh@nxp.com>; dev@dpdk.org
> >Subject: [PATCH v3 1/5] test/crypto: add lookaside IPsec tests
> >
> >Added test case for lookaside IPsec. Inbound known vector tests are
> added.
> >
> >Cipher list: AES-GCM 128, 192 & 256
> >
> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >---
> <snip>
> 
> > #ifdef RTE_LIB_SECURITY
> > static int
> >+ipsec_proto_testsuite_setup(void)
> >+{
> >+	struct crypto_testsuite_params *ts_params = &testsuite_params;
> >+	struct crypto_unittest_params *ut_params = &unittest_params;
> >+	struct rte_cryptodev_info dev_info;
> >+
> >+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
> >+
> >+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
> >+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
> >Proto "
> >+				"testsuite not met\n");
> >+		return TEST_SKIPPED;
> >+	}
> >+
> >+	/* Reconfigure to enable security */
> >+
> 	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPT
> O |
> >+
> 	RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
> >+
> 
> Just a question on this - each testcase uses ut_setup_security which in turn
> calls dev_configure_and_start, Is the configuration resulting from this call
> just being redone when the first testcase runs?

[Anoob] The tests prior to this test suite can have SECURITY disabled (which is the case currently). And in that case, rte_security_capabalities_get() would be returning a NULL (since the device won't be having SECURITY feature enabled). I was addressing this aspect by reconfiguring with SECURITY enabled. 

> 
> >+	/* Set action type */
> >+	ut_params->type =
> >RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
> >+
> >+	if (security_proto_supported(
> >+
> 	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> >+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
> >+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
> Proto
> >"
> >+				"test not met\n");
> >+		return TEST_SKIPPED;
> 
> If the test is skipped here, the device is not stopped, which I believe would
> cause problems for the next testsuite setup configuring the device.

[Anoob] Missed this. Thanks for pointing out. 

> 
> >+	}
> >+
> >+	/* Stop the device */
> >+	rte_cryptodev_stop(ts_params->valid_devs[0]);
> >+
> >+	return 0;
> >+}
> 


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests
  2021-09-03  9:42       ` Power, Ciara
@ 2021-09-03 10:04         ` Anoob Joseph
  2021-09-03 15:04           ` Power, Ciara
  0 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03 10:04 UTC (permalink / raw)
  To: Power, Ciara, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Ciara,

Please see inline.

Thanks,
Anoob

> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> >-----Original Message-----
> >From: Anoob Joseph <anoobj@marvell.com>
> >Sent: Friday 3 September 2021 05:47
> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
> ><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
> >Ananyev, Konstantin <konstantin.ananyev@intel.com>
> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
> ><g.singh@nxp.com>; dev@dpdk.org
> >Subject: [PATCH v3 2/5] test/crypto: add combined mode tests
> >
> >Add framework to test IPsec features with all supported combinations of
> ciphers.
> >
> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >---
> <snip>
> 
> >+static int
> >+test_ipsec_proto_all(const struct ipsec_test_flags *flags) {
> >+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
> >+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
> >+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
> >+	int ret;
> >+
> 
> Is this testcase actually running multiple testcases under the hood?
> I wonder could it be suited to use a sub-testsuite structure to bring the
> testcase results up to the top level, as done with cryptodev blockcipher tests.
> Have you considered this approach?

[Anoob] The idea behind this framework is to test an IPsec feature (like UDP encapsulation) without tying it to any specific algorithm. So what this does is, it loops over a list of possible combinations and then runs the test for each combination. The test would be like this,

1. Do outbound processing to generate encrypted packet
2. Basic checks or validation as required for the test (for example, with UDP encapsulation, we would validate UDP hdr in the processed packet).
3. Any manipulations required (like for ICV corruption negative test)
4. Do inbound processing to get decrypted packet
5. Validate results based on the type of test (ICV corruption would give expect an error while normal tests would have the operation return original plain text packet)

It's actually the array (aead_list) and this loop which initiates the test to be run for all algos. And, since we are not having static vectors for each test case, this approach seemed more straightforward. Do you think sub-testsuite makes more sense here?
 
> 
> Thanks,
> Ciara
> 
> >+	for (i = 0; i < RTE_DIM(aead_list); i++) {
> >+		test_ipsec_td_prepare(&aead_list[i],
> >+				      NULL,
> >+				      flags,
> >+				      td_outb,
> >+				      nb_pkts);
> >+
> >+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts,
> true,
> >+					       flags);
> >+		if (ret == TEST_SKIPPED)
> >+			continue;
> >+
> >+		if (ret == TEST_FAILED)
> >+			return TEST_FAILED;
> >+
> >+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
> >+
> >+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
> >+					       flags);
> >+		if (ret == TEST_SKIPPED)
> >+			continue;
> >+
> >+		if (ret == TEST_FAILED)
> >+			return TEST_FAILED;
> >+
> >+		if (flags->display_alg)
> >+			test_ipsec_display_alg(&aead_list[i], NULL);
> >+
> >+		pass_cnt++;
> >+	}
> >+
> >+	if (pass_cnt > 0)
> >+		return TEST_SUCCESS;
> >+	else
> >+		return TEST_SKIPPED;
> >+}
> >+
> <snip>

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests
  2021-09-03 10:04         ` Anoob Joseph
@ 2021-09-03 15:04           ` Power, Ciara
  2021-09-03 16:14             ` Anoob Joseph
  0 siblings, 1 reply; 49+ messages in thread
From: Power, Ciara @ 2021-09-03 15:04 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob,


>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 3 September 2021 11:05
>To: Power, Ciara <ciara.power@intel.com>; Akhil Goyal <gakhil@marvell.com>;
>Doherty, Declan <declan.doherty@intel.com>; Zhang, Roy Fan
><roy.fan.zhang@intel.com>; Ananyev, Konstantin
><konstantin.ananyev@intel.com>
>Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
><marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>; Hemant
>Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
>Gagandeep Singh <g.singh@nxp.com>; dev@dpdk.org
>Subject: RE: [PATCH v3 2/5] test/crypto: add combined mode tests
>
>Hi Ciara,
>
>Please see inline.
>
>Thanks,
>Anoob
>
>>
>> External Email
>>
>> ----------------------------------------------------------------------
>> Hi Anoob,
>>
>> >-----Original Message-----
>> >From: Anoob Joseph <anoobj@marvell.com>
>> >Sent: Friday 3 September 2021 05:47
>> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
>> ><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>> >Ananyev, Konstantin <konstantin.ananyev@intel.com>
>> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
>> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
>> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
>> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
>> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
>> ><g.singh@nxp.com>; dev@dpdk.org
>> >Subject: [PATCH v3 2/5] test/crypto: add combined mode tests
>> >
>> >Add framework to test IPsec features with all supported combinations
>> >of
>> ciphers.
>> >
>> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
>> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>> >---
>> <snip>
>>
>> >+static int
>> >+test_ipsec_proto_all(const struct ipsec_test_flags *flags) {
>> >+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
>> >+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
>> >+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
>> >+	int ret;
>> >+
>>
>> Is this testcase actually running multiple testcases under the hood?
>> I wonder could it be suited to use a sub-testsuite structure to bring
>> the testcase results up to the top level, as done with cryptodev blockcipher
>tests.
>> Have you considered this approach?
>
>[Anoob] The idea behind this framework is to test an IPsec feature (like UDP
>encapsulation) without tying it to any specific algorithm. So what this does is, it
>loops over a list of possible combinations and then runs the test for each
>combination. The test would be like this,
>
>1. Do outbound processing to generate encrypted packet 2. Basic checks or
>validation as required for the test (for example, with UDP encapsulation, we
>would validate UDP hdr in the processed packet).
>3. Any manipulations required (like for ICV corruption negative test) 4. Do
>inbound processing to get decrypted packet 5. Validate results based on the type
>of test (ICV corruption would give expect an error while normal tests would have
>the operation return original plain text packet)
>
>It's actually the array (aead_list) and this loop which initiates the test to be run for
>all algos. And, since we are not having static vectors for each test case, this
>approach seemed more straightforward. Do you think sub-testsuite makes more
>sense here?
>

Thanks for the explanation.
I still think having each test reporting its individual result to the top level provides more clarity when running tests,
rather than having multiple tests being run under the disguise of one, and reporting one result.

Even without the sub-testsuite approach, I wonder could something such as the following be more descriptive when looking at results?

static struct unit_test_suite ipsec_proto_testsuite  = {
	.suite_name = "IPsec Proto Unit Test Suite",
	.setup = ipsec_proto_testsuite_setup,
	.unit_test_cases = {
		< Inbound known vector test cases as before >
		
		TEST_CASE_NAMED_WITH_DATA(
			"Combination test (AES-GCM 128)",
			ut_setup_security, ut_teardown,
			test_ipsec_proto_display_list, &aead_list[0]),
		TEST_CASE_NAMED_WITH_DATA(
			"Combination test (AES-GCM 192)",
			ut_setup_security, ut_teardown,
			test_ipsec_proto_display_list, &aead_list[1]),
		TEST_CASE_NAMED_WITH_DATA(
			"Combination test (AES-GCM 256)",
			ut_setup_security, ut_teardown,
			test_ipsec_proto_display_list, &aead_list[2]),

		TEST_CASE_NAMED_WITH_DATA(
			"IV Generation (AES-GCM 128)",
			ut_setup_security, ut_teardown,
			test_ipsec_proto_iv_gen, &aead_list[0]),

		etc.
}

static int
test_ipsec_proto_display_list(const void *data)
{
	struct ipsec_test_flags flags;

	memset(&flags, 0, sizeof(flags));

	flags.display_alg = true;

	return test_ipsec_proto(&flags, (const struct crypto_param *)data);
}

static int
test_ipsec_proto(const struct ipsec_test_flags *flags, const struct crypto_param *data)
{
	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
	unsigned int i, nb_pkts = 1, pass_cnt = 0;
	int ret;

	if (flags->iv_gen)
		nb_pkts = IPSEC_TEST_PACKETS_MAX;

	
	test_ipsec_td_prepare(&data,
				      NULL,
				      flags,
				      td_outb,
				      nb_pkts);

< the rest of the function as before but without the loop, using data instead of looping aead values >


Thanks,
Ciara

>>
>> Thanks,
>> Ciara
>>
>> >+	for (i = 0; i < RTE_DIM(aead_list); i++) {
>> >+		test_ipsec_td_prepare(&aead_list[i],
>> >+				      NULL,
>> >+				      flags,
>> >+				      td_outb,
>> >+				      nb_pkts);
>> >+
>> >+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts,
>> true,
>> >+					       flags);
>> >+		if (ret == TEST_SKIPPED)
>> >+			continue;
>> >+
>> >+		if (ret == TEST_FAILED)
>> >+			return TEST_FAILED;
>> >+
>> >+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
>> >+
>> >+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
>> >+					       flags);
>> >+		if (ret == TEST_SKIPPED)
>> >+			continue;
>> >+
>> >+		if (ret == TEST_FAILED)
>> >+			return TEST_FAILED;
>> >+
>> >+		if (flags->display_alg)
>> >+			test_ipsec_display_alg(&aead_list[i], NULL);
>> >+
>> >+		pass_cnt++;
>> >+	}
>> >+
>> >+	if (pass_cnt > 0)
>> >+		return TEST_SUCCESS;
>> >+	else
>> >+		return TEST_SKIPPED;
>> >+}
>> >+
>> <snip>

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests
  2021-09-03 15:04           ` Power, Ciara
@ 2021-09-03 16:14             ` Anoob Joseph
  0 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-03 16:14 UTC (permalink / raw)
  To: Power, Ciara, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

HI Ciara,

Please see inline.

Thanks,
Anoob

> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> 
> >-----Original Message-----
> >From: Anoob Joseph <anoobj@marvell.com>
> >Sent: Friday 3 September 2021 11:05
> >To: Power, Ciara <ciara.power@intel.com>; Akhil Goyal
> ><gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
> >Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> ><konstantin.ananyev@intel.com>
> >Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> ><marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
> Hemant
> >Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> ><radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> >dev@dpdk.org
> >Subject: RE: [PATCH v3 2/5] test/crypto: add combined mode tests
> >
> >Hi Ciara,
> >
> >Please see inline.
> >
> >Thanks,
> >Anoob
> >
> >>
> >> External Email
> >>
> >> ---------------------------------------------------------------------
> >> -
> >> Hi Anoob,
> >>
> >> >-----Original Message-----
> >> >From: Anoob Joseph <anoobj@marvell.com>
> >> >Sent: Friday 3 September 2021 05:47
> >> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
> >> ><declan.doherty@intel.com>; Zhang, Roy Fan
> >> ><roy.fan.zhang@intel.com>; Ananyev, Konstantin
> >> ><konstantin.ananyev@intel.com>
> >> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> >> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> >> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> >> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
> >> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
> >> ><g.singh@nxp.com>; dev@dpdk.org
> >> >Subject: [PATCH v3 2/5] test/crypto: add combined mode tests
> >> >
> >> >Add framework to test IPsec features with all supported combinations
> >> >of
> >> ciphers.
> >> >
> >> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> >> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >> >---
> >> <snip>
> >>
> >> >+static int
> >> >+test_ipsec_proto_all(const struct ipsec_test_flags *flags) {
> >> >+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
> >> >+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
> >> >+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
> >> >+	int ret;
> >> >+
> >>
> >> Is this testcase actually running multiple testcases under the hood?
> >> I wonder could it be suited to use a sub-testsuite structure to bring
> >> the testcase results up to the top level, as done with cryptodev
> >> blockcipher
> >tests.
> >> Have you considered this approach?
> >
> >[Anoob] The idea behind this framework is to test an IPsec feature
> >(like UDP
> >encapsulation) without tying it to any specific algorithm. So what this
> >does is, it loops over a list of possible combinations and then runs
> >the test for each combination. The test would be like this,
> >
> >1. Do outbound processing to generate encrypted packet 2. Basic checks
> >or validation as required for the test (for example, with UDP
> >encapsulation, we would validate UDP hdr in the processed packet).
> >3. Any manipulations required (like for ICV corruption negative test)
> >4. Do inbound processing to get decrypted packet 5. Validate results
> >based on the type of test (ICV corruption would give expect an error
> >while normal tests would have the operation return original plain text
> >packet)
> >
> >It's actually the array (aead_list) and this loop which initiates the
> >test to be run for all algos. And, since we are not having static
> >vectors for each test case, this approach seemed more straightforward.
> >Do you think sub-testsuite makes more sense here?
> >
> 
> Thanks for the explanation.
> I still think having each test reporting its individual result to the top level
> provides more clarity when running tests, rather than having multiple tests
> being run under the disguise of one, and reporting one result.
> 
> Even without the sub-testsuite approach, I wonder could something such as
> the following be more descriptive when looking at results?
> 
> static struct unit_test_suite ipsec_proto_testsuite  = {
> 	.suite_name = "IPsec Proto Unit Test Suite",
> 	.setup = ipsec_proto_testsuite_setup,
> 	.unit_test_cases = {
> 		< Inbound known vector test cases as before >
> 
> 		TEST_CASE_NAMED_WITH_DATA(
> 			"Combination test (AES-GCM 128)",
> 			ut_setup_security, ut_teardown,
> 			test_ipsec_proto_display_list, &aead_list[0]),
> 		TEST_CASE_NAMED_WITH_DATA(
> 			"Combination test (AES-GCM 192)",
> 			ut_setup_security, ut_teardown,
> 			test_ipsec_proto_display_list, &aead_list[1]),
> 		TEST_CASE_NAMED_WITH_DATA(
> 			"Combination test (AES-GCM 256)",
> 			ut_setup_security, ut_teardown,
> 			test_ipsec_proto_display_list, &aead_list[2]),
> 
> 		TEST_CASE_NAMED_WITH_DATA(
> 			"IV Generation (AES-GCM 128)",
> 			ut_setup_security, ut_teardown,
> 			test_ipsec_proto_iv_gen, &aead_list[0]),
> 
> 		etc.
> }
> 
> static int
> test_ipsec_proto_display_list(const void *data) {
> 	struct ipsec_test_flags flags;
> 
> 	memset(&flags, 0, sizeof(flags));
> 
> 	flags.display_alg = true;
> 
> 	return test_ipsec_proto(&flags, (const struct crypto_param *)data); }
> 
> static int
> test_ipsec_proto(const struct ipsec_test_flags *flags, const struct
> crypto_param *data) {
> 	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
> 	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
> 	unsigned int i, nb_pkts = 1, pass_cnt = 0;
> 	int ret;
> 
> 	if (flags->iv_gen)
> 		nb_pkts = IPSEC_TEST_PACKETS_MAX;
> 
> 
> 	test_ipsec_td_prepare(&data,
> 				      NULL,
> 				      flags,
> 				      td_outb,
> 				      nb_pkts);
> 
> < the rest of the function as before but without the loop, using data instead
> of looping aead values >

[Anoob] Your suggestion is to not have the loop walk through `aead_list` but instead let the list be defined by test-suite, right?

I agree regarding result reporting part. Squashing all results into one may not be the most desired. But then I didn't want to bombard with large number of prints from IPsec tests, either.

The only issue I see is with a long list of tests. We are actually preparing chained mode tests which would have combinations. Like, if we have AES-CBC & 3DES-CBC supported as ciphers and NULL, SHA1, SHA2 as auth supported, then we are talking about 6 combinations. And currently we have the following tests,

1. ICV corruption
2. IV generation
3. UDP encapsulation

In pipeline (submitted with proposals)
1. Soft expiry
2. Hard expiry
3. IP hdr verify
4. UDP port verify

And if we consider some of the more fundamental tests that we would add like
1. AH
2. Transport
3. Tunnel (IPv4 in IPv4)
4. Tunnel (IPv4 in IPv6)
5. Tunnel (IPv6 in IPv4)
6. Tunnel (IPv6 in IPv6)

Each of the above would become more like test suite on its own and then we would have the list just duplicated for each kind of feature test. But then, let me check an alternate approach. More like,

1. Let the common test suite setup function set flags etc to denote the IPsec feature (be it ICV corruption or UDP encap)
2. The list of tests (cipher combinations) would be common for all feature tests. 

Would something like this work?

^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests
  2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
                       ` (4 preceding siblings ...)
  2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
@ 2021-09-17 13:15     ` Anoob Joseph
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
                         ` (6 more replies)
  5 siblings, 7 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vectors are outbound vectors based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the PMD. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Four test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption
3. IV generation
4. UDP encapsulation

IV generation test case compares IV generated for a batch of packets and returns
failure if IV is repeated.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. Transport
4. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k
3. crypto_cn9k

Changes in v4:
- Fixed lack of device stop in case capability check fails (comment from Ciara)
- Rebased and updated release notes

Changes in v3
- Added UDP encapsulation tests

Changes in v2
- Dropped outbound known vector tests as lookaside protocol would require IV
  generated by PMD. The tests would be introduced with spec change to allow user
  to specify IV.
- Added IV generation tests
- Minor fixes in combined mode tests to handle multiple packets

Anoob Joseph (2):
  test/crypto: add lookaside IPsec tests
  test/crypto: add combined mode tests

Tejasree Kondoj (3):
  test/crypto: add lookaside IPsec ICV corrupt test case
  test/crypto: add IV gen tests
  test/crypto: add UDP encapsulation test cases

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 351 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 401 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++
 doc/guides/rel_notes/release_21_11.rst             |   7 +
 7 files changed, 1206 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
@ 2021-09-17 13:15       ` Anoob Joseph
  2021-09-21 16:08         ` Akhil Goyal
                           ` (2 more replies)
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests Anoob Joseph
                         ` (5 subsequent siblings)
  6 siblings, 3 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Added test case for lookaside IPsec. Inbound known vector
tests are added.

Cipher list: AES-GCM 128, 192 & 256

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>

---
 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 232 +++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           |  66 +++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++++++
 6 files changed, 838 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index a761168..f144d8b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -38,6 +38,7 @@ test_sources = files(
         'test_cryptodev.c',
         'test_cryptodev_asym.c',
         'test_cryptodev_blockcipher.c',
+        'test_cryptodev_security_ipsec.c',
         'test_cryptodev_security_pdcp.c',
         'test_cycles.c',
         'test_debug.c',
diff --git a/app/test/test.h b/app/test/test.h
index c3b2a87..7115edf 100644
--- a/app/test/test.h
+++ b/app/test/test.h
@@ -124,6 +124,12 @@ struct unit_test_case {
 #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \
 		{ setup, teardown, NULL, testcase, #testcase, 1, data }
 
+#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \
+		{ setup, teardown, NULL, testcase, name, 1, NULL }
+
+#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \
+		{ setup, teardown, NULL, testcase, name, 1, data }
+
 #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL }
 
 #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 16d770a..9c7875c 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -16,6 +16,7 @@
 
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
+#include <rte_ip.h>
 #include <rte_string_fns.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -41,6 +42,8 @@
 #include "test_cryptodev_hmac_test_vectors.h"
 #include "test_cryptodev_mixed_test_vectors.h"
 #ifdef RTE_LIB_SECURITY
+#include "test_cryptodev_security_ipsec.h"
+#include "test_cryptodev_security_ipsec_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_vectors.h"
 #include "test_cryptodev_security_pdcp_sdap_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_func.h"
@@ -123,6 +126,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess,
 		const uint8_t *digest,
 		const uint8_t *iv);
 
+static int
+security_proto_supported(enum rte_security_session_action_type action,
+	enum rte_security_session_protocol proto);
+
+static int
+dev_configure_and_start(uint64_t ff_disable);
+
 static struct rte_mbuf *
 setup_test_string(struct rte_mempool *mpool,
 		const char *string, size_t len, uint8_t blocksize)
@@ -753,6 +763,43 @@ crypto_gen_testsuite_setup(void)
 
 #ifdef RTE_LIB_SECURITY
 static int
+ipsec_proto_testsuite_setup(void)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_cryptodev_info dev_info;
+	int ret = 0;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto "
+				"testsuite not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Reconfigure to enable security */
+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO |
+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
+
+	/* Set action type */
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	if (security_proto_supported(
+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto "
+				"test not met\n");
+		ret = TEST_SKIPPED;
+	}
+
+	/* Stop the device */
+	rte_cryptodev_stop(ts_params->valid_devs[0]);
+
+	return ret;
+}
+
+static int
 pdcp_proto_testsuite_setup(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -8854,6 +8901,170 @@ test_PDCP_SDAP_PROTO_decap_all(void)
 }
 
 static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+			 struct ipsec_test_data res_d[],
+			 int nb_td,
+			 bool silent)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_security_capability_idx sec_cap_idx;
+	const struct rte_security_capability *sec_cap;
+	struct rte_security_ipsec_xform ipsec_xform;
+	uint8_t dev_id = ts_params->valid_devs[0];
+	enum rte_security_ipsec_sa_direction dir;
+	struct ipsec_test_data *res_d_tmp = NULL;
+	uint32_t src = RTE_IPV4(192, 168, 1, 0);
+	uint32_t dst = RTE_IPV4(192, 168, 1, 1);
+	int salt_len, i, ret = TEST_SUCCESS;
+	struct rte_security_ctx *ctx;
+	uint8_t *input_text;
+
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	/* Use first test data to create session */
+
+	/* Copy IPsec xform */
+	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+
+	dir = ipsec_xform.direction;
+
+	ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+	sec_cap_idx.action = ut_params->type;
+	sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+	sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+	if (sec_cap == NULL)
+		return TEST_SKIPPED;
+
+	/* Copy cipher session parameters */
+	if (td[0].aead) {
+		memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+		       sizeof(ut_params->aead_xform));
+		ut_params->aead_xform.aead.key.data = td[0].key.data;
+		ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+		/* Verify crypto capabilities */
+		if (test_ipsec_crypto_caps_aead_verify(
+				sec_cap,
+				&ut_params->aead_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+	} else {
+		/* Only AEAD supported now */
+		return TEST_SKIPPED;
+	}
+
+	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+		return TEST_SKIPPED;
+
+	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+
+	struct rte_security_session_conf sess_conf = {
+		.action_type = ut_params->type,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = ipsec_xform,
+		.crypto_xform = &ut_params->aead_xform,
+	};
+
+	/* Create security session */
+	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
+					ts_params->session_priv_mpool);
+
+	if (ut_params->sec_session == NULL)
+		return TEST_SKIPPED;
+
+	for (i = 0; i < nb_td; i++) {
+		/* Setup source mbuf payload */
+		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+				rte_pktmbuf_tailroom(ut_params->ibuf));
+
+		input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+				td[i].input_text.len);
+
+		memcpy(input_text, td[i].input_text.data,
+		       td[i].input_text.len);
+
+		/* Generate crypto op data structure */
+		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+					RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+		if (!ut_params->op) {
+			printf("TestCase %s line %d: %s\n",
+				__func__, __LINE__,
+				"failed to allocate crypto op");
+			ret = TEST_FAILED;
+			goto crypto_op_free;
+		}
+
+		/* Attach session to operation */
+		rte_security_attach_session(ut_params->op,
+					    ut_params->sec_session);
+
+		/* Set crypto operation mbufs */
+		ut_params->op->sym->m_src = ut_params->ibuf;
+		ut_params->op->sym->m_dst = NULL;
+
+		/* Process crypto operation */
+		process_crypto_request(dev_id, ut_params->op);
+
+		ret = test_ipsec_status_check(ut_params->op, dir);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		if (res_d != NULL)
+			res_d_tmp = &res_d[i];
+
+		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+					      res_d_tmp, silent);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		rte_crypto_op_free(ut_params->op);
+		ut_params->op = NULL;
+
+		rte_pktmbuf_free(ut_params->ibuf);
+		ut_params->ibuf = NULL;
+	}
+
+crypto_op_free:
+	rte_crypto_op_free(ut_params->op);
+	ut_params->op = NULL;
+
+	rte_pktmbuf_free(ut_params->ibuf);
+	ut_params->ibuf = NULL;
+
+	if (ut_params->sec_session)
+		rte_security_session_destroy(ctx, ut_params->sec_session);
+	ut_params->sec_session = NULL;
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *td_outb)
+{
+	struct ipsec_test_data td_inb;
+
+	test_ipsec_td_in_from_out(td_outb, &td_inb);
+
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13744,6 +13955,26 @@ static struct unit_test_suite end_testsuite = {
 };
 
 #ifdef RTE_LIB_SECURITY
+static struct unit_test_suite ipsec_proto_testsuite  = {
+	.suite_name = "IPsec Proto Unit Test Suite",
+	.setup = ipsec_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 static struct unit_test_suite pdcp_proto_testsuite  = {
 	.suite_name = "PDCP Proto Unit Test Suite",
 	.setup = pdcp_proto_testsuite_setup,
@@ -14534,6 +14765,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&cryptodev_negative_hmac_sha1_testsuite,
 		&cryptodev_gen_testsuite,
 #ifdef RTE_LIB_SECURITY
+		&ipsec_proto_testsuite,
 		&pdcp_proto_testsuite,
 		&docsis_proto_testsuite,
 #endif
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
new file mode 100644
index 0000000..2431fcb
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -0,0 +1,212 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_common.h>
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_cryptodev_security_ipsec.h"
+
+int
+test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			   const struct rte_security_capability *sec_cap,
+			   bool silent)
+{
+	/* Verify security capabilities */
+
+	if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ESN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.udp_encap == 1 &&
+	    sec_cap->ipsec.options.udp_encap == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_dscp == 1 &&
+	    sec_cap->ipsec.options.copy_dscp == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_flabel == 1 &&
+	    sec_cap->ipsec.options.copy_flabel == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_df == 1 &&
+	    sec_cap->ipsec.options.copy_df == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.dec_ttl == 1 &&
+	    sec_cap->ipsec.options.dec_ttl == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ECN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.stats == 1 &&
+	    sec_cap->ipsec.options.stats == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Stats is not supported\n");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+int
+test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *crypto_cap;
+	int j = 0;
+
+	while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				crypto_cap->sym.xform_type == aead->type &&
+				crypto_cap->sym.aead.algo == aead->aead.algo) {
+			sym_cap = &crypto_cap->sym;
+			if (rte_cryptodev_sym_capability_check_aead(sym_cap,
+					aead->aead.key.length,
+					aead->aead.digest_length,
+					aead->aead.aad_length,
+					aead->aead.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+void
+test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			  struct ipsec_test_data *td_in)
+{
+	memcpy(td_in, td_out, sizeof(*td_in));
+
+	/* Populate output text of td_in with input text of td_out */
+	memcpy(td_in->output_text.data, td_out->input_text.data,
+	       td_out->input_text.len);
+	td_in->output_text.len = td_out->input_text.len;
+
+	/* Populate input text of td_in with output text of td_out */
+	memcpy(td_in->input_text.data, td_out->output_text.data,
+	       td_out->output_text.len);
+	td_in->input_text.len = td_out->output_text.len;
+
+	td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+	if (td_in->aead) {
+		td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
+		td_in->xform.chain.cipher.cipher.op =
+				RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	}
+}
+
+static int
+test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
+{
+	int len = 0;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+			if (td->ipsec_xform.tunnel.type ==
+					RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+				len += sizeof(struct rte_ipv4_hdr);
+			else
+				len += sizeof(struct rte_ipv6_hdr);
+		}
+	}
+
+	return len;
+}
+
+static int
+test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		     bool silent)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+
+	if (len != td->output_text.len) {
+		printf("Output length (%d) not matching with expected (%d)\n",
+			len, td->output_text.len);
+		return TEST_FAILED;
+	}
+
+	skip = test_ipsec_tunnel_hdr_len_get(td);
+
+	len -= skip;
+	output_text += skip;
+
+	if (memcmp(output_text, td->output_text.data + skip, len)) {
+		if (silent)
+			return TEST_FAILED;
+
+		printf("TestCase %s line %d: %s\n", __func__, __LINE__,
+			"output text not as expected\n");
+
+		rte_hexdump(stdout, "expected", td->output_text.data + skip,
+			    len);
+		rte_hexdump(stdout, "actual", output_text, len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+int
+test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
+			struct ipsec_test_data *res_d, bool silent)
+{
+	/*
+	 * In case of known vector tests & all inbound tests, res_d provided
+	 * would be NULL and output data need to be validated against expected.
+	 * For inbound, output_text would be plain packet and for outbound
+	 * output_text would IPsec packet. Validate by comparing against
+	 * known vectors.
+	 */
+	RTE_SET_USED(res_d);
+	return test_ipsec_td_verify(m, td, silent);
+}
+
+int
+test_ipsec_status_check(struct rte_crypto_op *op,
+			enum rte_security_ipsec_sa_direction dir)
+{
+	int ret = TEST_SUCCESS;
+
+	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		printf("Security op processing failed\n");
+		ret = TEST_FAILED;
+	}
+
+	RTE_SET_USED(dir);
+
+	return ret;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
new file mode 100644
index 0000000..5f1b46d
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+struct ipsec_test_data {
+	struct {
+		uint8_t data[32];
+	} key;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} input_text;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} output_text;
+
+	struct {
+		uint8_t data[4];
+		unsigned int len;
+	} salt;
+
+	struct {
+		uint8_t data[16];
+	} iv;
+
+	struct rte_security_ipsec_xform ipsec_xform;
+
+	bool aead;
+
+	union {
+		struct {
+			struct rte_crypto_sym_xform cipher;
+			struct rte_crypto_sym_xform auth;
+		} chain;
+		struct rte_crypto_sym_xform aead;
+	} xform;
+};
+
+int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			       const struct rte_security_capability *sec_cap,
+			       bool silent);
+
+int test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead);
+
+void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			       struct ipsec_test_data *td_in);
+
+int test_ipsec_post_process(struct rte_mbuf *m,
+			    const struct ipsec_test_data *td,
+			    struct ipsec_test_data *res_d, bool silent);
+
+int test_ipsec_status_check(struct rte_crypto_op *op,
+			    enum rte_security_ipsec_sa_direction dir);
+
+#endif
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
new file mode 100644
index 0000000..ae9cd24
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -0,0 +1,321 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2021 Marvell
+ */
+
+#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+
+#include <rte_crypto.h>
+#include <rte_security.h>
+
+#include "test_cryptodev_security_ipsec.h"
+
+/*
+ * Known vectors
+ *
+ * AES-GCM vectors are based on :
+ * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
+ *
+ * Vectors are updated to have corrected L4 checksum and sequence number 1.
+ */
+
+struct ipsec_test_data pkt_aes_128_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* UDP */
+			0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43,
+			0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+			0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70,
+			0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69,
+			0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01,
+			0x00, 0x01,
+		},
+		.len = 62,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1,
+			0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04,
+			0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f,
+			0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c,
+			0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f,
+			0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42,
+			0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4,
+			0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4,
+			0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58,
+			0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94,
+
+		},
+		.len = 116,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_192_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00,
+			0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f,
+			0x0a, 0x01, 0x06, 0x12,
+
+			/* TCP */
+			0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02,
+			0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0,
+			0x75, 0x67, 0x00, 0x01
+		},
+		.len = 40,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4,
+			0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42,
+			0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6,
+			0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0,
+			0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77,
+			0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4,
+			0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e,
+			0x54, 0x05, 0x22, 0x22,
+		},
+		.len = 96,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 24,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00,
+			0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02,
+			0x93, 0x89, 0x15, 0x5e,
+
+			/* TCP */
+			0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0,
+			0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00,
+			0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
+			0x01, 0x01, 0x04, 0x02,
+		},
+		.len = 48,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+
+			/* Data */
+			0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf,
+			0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d,
+			0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf,
+			0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63,
+			0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34,
+			0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d,
+			0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f,
+			0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee,
+			0xa6, 0xc5, 0x11, 0x60,
+		},
+		.len = 104,
+	},
+	.salt = {
+		.data = {
+			0x11, 0x22, 0x33, 0x44
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x4a2cbfe3,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
@ 2021-09-17 13:15       ` Anoob Joseph
  2021-09-21 16:22         ` Akhil Goyal
  2021-09-24  7:23         ` Hemant Agrawal
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
                         ` (4 subsequent siblings)
  6 siblings, 2 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add framework to test IPsec features with all supported
combinations of ciphers.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>

---
 app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
 3 files changed, 223 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9c7875c..7fd246e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8904,7 +8904,8 @@ static int
 test_ipsec_proto_process(const struct ipsec_test_data td[],
 			 struct ipsec_test_data res_d[],
 			 int nb_td,
-			 bool silent)
+			 bool silent,
+			 const struct ipsec_test_flags *flags)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct crypto_unittest_params *ut_params = &unittest_params;
@@ -9021,7 +9022,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, dir);
+		ret = test_ipsec_status_check(ut_params->op, flags, dir);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9029,7 +9030,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
-					      res_d_tmp, silent);
+					      res_d_tmp, silent, flags);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9057,11 +9058,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 static int
 test_ipsec_proto_known_vec_inb(const void *td_outb)
 {
+	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;
 
+	memset(&flags, 0, sizeof(flags));
+
 	test_ipsec_td_in_from_out(td_outb, &td_inb);
 
-	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(aead_list); i++) {
+		test_ipsec_td_prepare(&aead_list[i],
+				      NULL,
+				      flags,
+				      td_outb,
+				      nb_pkts);
+
+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_ipsec_display_alg(&aead_list[i], NULL);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+
+	return test_ipsec_proto_all(&flags);
 }
 
 static int
@@ -13971,6 +14032,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_ST(
+			"Combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_display_list),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 2431fcb..d08e093 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -10,6 +10,8 @@
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+extern struct ipsec_test_data pkt_aes_256_gcm;
+
 int
 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			   const struct rte_security_capability *sec_cap,
@@ -128,6 +130,68 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+void
+test_ipsec_td_prepare(const struct crypto_param *param1,
+		      const struct crypto_param *param2,
+		      const struct ipsec_test_flags *flags,
+		      struct ipsec_test_data *td_array,
+		      int nb_td)
+
+{
+	struct ipsec_test_data *td;
+	int i;
+
+	memset(td_array, 0, nb_td * sizeof(*td));
+
+	for (i = 0; i < nb_td; i++) {
+		td = &td_array[i];
+		/* Copy template for packet & key fields */
+		memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+
+		/* Override fields based on param */
+
+		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			td->aead = true;
+		else
+			td->aead = false;
+
+		td->xform.aead.aead.algo = param1->alg.aead;
+		td->xform.aead.aead.key.length = param1->key_length;
+	}
+
+	RTE_SET_USED(flags);
+	RTE_SET_USED(param2);
+}
+
+void
+test_ipsec_td_update(struct ipsec_test_data td_inb[],
+		     const struct ipsec_test_data td_outb[],
+		     int nb_td,
+		     const struct ipsec_test_flags *flags)
+{
+	int i;
+
+	for (i = 0; i < nb_td; i++) {
+		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
+		       td_outb[i].input_text.len);
+		td_inb[i].output_text.len = td_outb->input_text.len;
+	}
+
+	RTE_SET_USED(flags);
+}
+
+void
+test_ipsec_display_alg(const struct crypto_param *param1,
+		       const struct crypto_param *param2)
+{
+	if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		printf("\t%s [%d]\n",
+		       rte_crypto_aead_algorithm_strings[param1->alg.aead],
+		       param1->key_length);
+
+	RTE_SET_USED(param2);
+}
+
 static int
 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 {
@@ -148,7 +212,7 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
-		     bool silent)
+		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
@@ -177,12 +241,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		   struct ipsec_test_data *res_d)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t len = rte_pktmbuf_pkt_len(m);
+
+	memcpy(res_d, td, sizeof(*res_d));
+	memcpy(res_d->input_text.data, output_text, len);
+	res_d->input_text.len = len;
+
+	res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+	if (res_d->aead) {
+		res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		printf("Only AEAD supported\n");
+		return TEST_SKIPPED;
+	}
+
 	return TEST_SUCCESS;
 }
 
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
-			struct ipsec_test_data *res_d, bool silent)
+			struct ipsec_test_data *res_d, bool silent,
+			const struct ipsec_test_flags *flags)
 {
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
@@ -190,13 +279,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	 * For inbound, output_text would be plain packet and for outbound
 	 * output_text would IPsec packet. Validate by comparing against
 	 * known vectors.
+	 *
+	 * In case of combined mode tests, the output_text from outbound
+	 * operation (ie, IPsec packet) would need to be inbound processed to
+	 * obtain the plain text. Copy output_text to result data, 'res_d', so
+	 * that inbound processing can be done.
 	 */
-	RTE_SET_USED(res_d);
-	return test_ipsec_td_verify(m, td, silent);
+
+	if (res_d == NULL)
+		return test_ipsec_td_verify(m, td, silent, flags);
+	else
+		return test_ipsec_res_d_prepare(m, td, res_d);
 }
 
 int
 test_ipsec_status_check(struct rte_crypto_op *op,
+			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir)
 {
 	int ret = TEST_SUCCESS;
@@ -206,6 +304,7 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		ret = TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
 	RTE_SET_USED(dir);
 
 	return ret;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 5f1b46d..cbb3ee4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define IPSEC_TEST_PACKETS_MAX 32
+
 struct ipsec_test_data {
 	struct {
 		uint8_t data[32];
@@ -45,6 +47,38 @@ struct ipsec_test_data {
 	} xform;
 };
 
+struct ipsec_test_flags {
+	bool display_alg;
+};
+
+struct crypto_param {
+	enum rte_crypto_sym_xform_type type;
+	union {
+		enum rte_crypto_cipher_algorithm cipher;
+		enum rte_crypto_auth_algorithm auth;
+		enum rte_crypto_aead_algorithm aead;
+	} alg;
+	uint16_t key_length;
+};
+
+static const struct crypto_param aead_list[] = {
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 16,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 24,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 32
+	},
+};
+
 int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			       const struct rte_security_capability *sec_cap,
 			       bool silent);
@@ -56,11 +90,27 @@ int test_ipsec_crypto_caps_aead_verify(
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);
 
+void test_ipsec_td_prepare(const struct crypto_param *param1,
+			   const struct crypto_param *param2,
+			   const struct ipsec_test_flags *flags,
+			   struct ipsec_test_data *td_array,
+			   int nb_td);
+
+void test_ipsec_td_update(struct ipsec_test_data td_inb[],
+			  const struct ipsec_test_data td_outb[],
+			  int nb_td,
+			  const struct ipsec_test_flags *flags);
+
+void test_ipsec_display_alg(const struct crypto_param *param1,
+			    const struct crypto_param *param2);
+
 int test_ipsec_post_process(struct rte_mbuf *m,
 			    const struct ipsec_test_data *td,
-			    struct ipsec_test_data *res_d, bool silent);
+			    struct ipsec_test_data *res_d, bool silent,
+			    const struct ipsec_test_flags *flags);
 
 int test_ipsec_status_check(struct rte_crypto_op *op,
+			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir);
 
 #endif
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests Anoob Joseph
@ 2021-09-17 13:15       ` Anoob Joseph
  2021-09-21 16:25         ` Akhil Goyal
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests Anoob Joseph
                         ` (3 subsequent siblings)
  6 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding lookaside IPsec ICV corrupt test case.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>

---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 7fd246e..19694f8 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9126,6 +9126,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14036,6 +14048,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index d08e093..aebbe66 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -217,6 +220,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -241,8 +249,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -299,13 +305,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index cbb3ee4..134fc3a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
                         ` (2 preceding siblings ...)
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-09-17 13:15       ` Anoob Joseph
  2021-09-21 16:31         ` Akhil Goyal
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
                         ` (2 subsequent siblings)
  6 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Add test cases to verify IV generated by PMD.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 19 ++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 52 ++++++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 3 files changed, 72 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 19694f8..0422ff3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9076,6 +9076,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
 	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	if (flags->iv_gen)
+		nb_pkts = IPSEC_TEST_PACKETS_MAX;
+
 	for (i = 0; i < RTE_DIM(aead_list); i++) {
 		test_ipsec_td_prepare(&aead_list[i],
 				      NULL,
@@ -9126,6 +9129,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_iv_gen(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.iv_gen = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 {
 	struct ipsec_test_flags flags;
@@ -14049,6 +14064,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
 		TEST_CASE_NAMED_ST(
+			"IV generation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_iv_gen),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index aebbe66..78c7f3a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -4,12 +4,15 @@
 
 #include <rte_common.h>
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+#define IV_LEN_MAX 16
+
 extern struct ipsec_test_data pkt_aes_256_gcm;
 
 int
@@ -214,6 +217,46 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 }
 
 static int
+test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
+{
+	static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
+	uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	int i, iv_pos, iv_len;
+	static int index;
+
+	if (td->aead)
+		iv_len = td->xform.aead.aead.iv.length - td->salt.len;
+	else
+		iv_len = td->xform.chain.cipher.cipher.iv.length;
+
+	iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
+	output_text += iv_pos;
+
+	TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
+
+	/* Compare against previous values */
+	for (i = 0; i < index; i++) {
+		iv_tmp = &iv_queue[i * IV_LEN_MAX];
+
+		if (memcmp(output_text, iv_tmp, iv_len) == 0) {
+			printf("IV repeated");
+			return TEST_FAILED;
+		}
+	}
+
+	/* Save IV for future comparisons */
+
+	iv_tmp = &iv_queue[index * IV_LEN_MAX];
+	memcpy(iv_tmp, output_text, iv_len);
+	index++;
+
+	if (index == IPSEC_TEST_PACKETS_MAX)
+		index = 0;
+
+	return TEST_SUCCESS;
+}
+
+static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
@@ -279,6 +322,15 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 			struct ipsec_test_data *res_d, bool silent,
 			const struct ipsec_test_flags *flags)
 {
+	int ret;
+
+	if (flags->iv_gen &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ret = test_ipsec_iv_verify_push(m, td);
+		if (ret != TEST_SUCCESS)
+			return ret;
+	}
+
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
 	 * would be NULL and output data need to be validated against expected.
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 134fc3a..d2ec63f 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
 struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
+	bool iv_gen;
 };
 
 struct crypto_param {
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
                         ` (3 preceding siblings ...)
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests Anoob Joseph
@ 2021-09-17 13:15       ` Anoob Joseph
  2021-09-21 16:35         ` Akhil Goyal
  2021-09-23 13:34       ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Power, Ciara
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
  6 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-17 13:15 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding UDP encapsulation test cases.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 28 ++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 doc/guides/rel_notes/release_21_11.rst   |  7 +++++++
 4 files changed, 55 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 0422ff3..b05e2ef 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8942,6 +8942,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
 	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
 
+	if (flags->udp_encap)
+		ipsec_xform.options.udp_encap = 1;
+
 	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
 	if (sec_cap == NULL)
 		return TEST_SKIPPED;
@@ -9153,6 +9156,18 @@ test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_udp_encap(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.udp_encap = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14068,6 +14083,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_iv_gen),
 		TEST_CASE_NAMED_ST(
+			"UDP encapsulation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_udp_encap),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 78c7f3a..5b54996 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_udp.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
@@ -183,6 +184,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 			int icv_pos = td_inb[i].input_text.len - 4;
 			td_inb[i].input_text.data[icv_pos] += 1;
 		}
+
+		if (flags->udp_encap)
+			td_inb[i].ipsec_xform.options.udp_encap = 1;
 	}
 }
 
@@ -268,6 +272,30 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 		return TEST_SUCCESS;
 
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	   flags->udp_encap) {
+		const struct rte_ipv4_hdr *iph4;
+		const struct rte_ipv6_hdr *iph6;
+
+		if (td->ipsec_xform.tunnel.type ==
+				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			iph4 = (const struct rte_ipv4_hdr *)output_text;
+			if (iph4->next_proto_id != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		} else {
+			iph6 = (const struct rte_ipv6_hdr *)output_text;
+			if (iph6->proto != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		}
+
+		len -= sizeof(struct rte_udp_hdr);
+		output_text += sizeof(struct rte_udp_hdr);
+	}
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index d2ec63f..e1645f4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -51,6 +51,7 @@ struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
 	bool iv_gen;
+	bool udp_encap;
 };
 
 struct crypto_param {
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 43d367b..30c9ccf 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -87,6 +87,13 @@ New Features
   Added command-line options to specify total number of processes and
   current process ID. Each process owns subset of Rx and Tx queues.
 
+* **Added lookaside protocol (IPsec) tests in dpdk-test.**
+
+  * Added known vector tests (AES-GCM 128, 192, 256).
+  * Added tests to verify error reporting with ICV corruption.
+  * Added tests to verify IV generation.
+  * Added tests to verify UDP encapsulation.
+
 
 Removed Items
 -------------
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
@ 2021-09-21 16:08         ` Akhil Goyal
  2021-09-23  4:48           ` Anoob Joseph
  2021-09-23 10:39         ` Power, Ciara
  2021-09-24  8:42         ` Hemant Agrawal
  2 siblings, 1 reply; 49+ messages in thread
From: Akhil Goyal @ 2021-09-21 16:08 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev, Ciara Power
  Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Gagandeep Singh,
	dev

Hi Anoob,
Few minor comments, Please see inline.
Apart from that,
Acked-by: Akhil Goyal <gakhil@marvell.com>
> 
Update title as 
Test/crypto: add lookaside IPsec cases.

> +static int
> +security_proto_supported(enum rte_security_session_action_type action,
> +	enum rte_security_session_protocol proto);
> +
> +static int
> +dev_configure_and_start(uint64_t ff_disable);
> +

Do we really need to forward declare?

>  static struct rte_mbuf *
>  setup_test_string(struct rte_mempool *mpool,
>  		const char *string, size_t len, uint8_t blocksize)
> @@ -753,6 +763,43 @@ crypto_gen_testsuite_setup(void)
> 
>  #ifdef RTE_LIB_SECURITY
>  static int
> +ipsec_proto_testsuite_setup(void)
> +{
> +	struct crypto_testsuite_params *ts_params = &testsuite_params;
> +	struct crypto_unittest_params *ut_params = &unittest_params;
> +	struct rte_cryptodev_info dev_info;
> +	int ret = 0;
> +
> +	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
> +
> +	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
> +		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
> Proto "
> +				"testsuite not met\n");
> +		return TEST_SKIPPED;
> +	}
> +
> +	/* Reconfigure to enable security */

Update comment like 
/*Reconfigure to enable security and disable crypto */
BTW, shouldn't this be dev_configure_and_start(0)
Why is sym and asym disabled here?

> +	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO
> |
> +				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);

Return value not taken care here.


> +
> +	/* Set action type */
> +	ut_params->type =
> RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
> +
> +	if (security_proto_supported(
> +
> 	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> +			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
> +		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
> Proto "
> +				"test not met\n");
> +		ret = TEST_SKIPPED;
> +	}
> +
> +	/* Stop the device */
> +	rte_cryptodev_stop(ts_params->valid_devs[0]);

Add a comment that the device will be started again in ut_setup_security()

> +
> +		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
> +					      res_d_tmp, silent);
> +		if (ret != TEST_SUCCESS)
> +			goto crypto_op_free;
> +
> +		rte_crypto_op_free(ut_params->op);
> +		ut_params->op = NULL;
> +
> +		rte_pktmbuf_free(ut_params->ibuf);
> +		ut_params->ibuf = NULL;
> +	}
> +
> +crypto_op_free:
> +	rte_crypto_op_free(ut_params->op);
> +	ut_params->op = NULL;
> +
> +	rte_pktmbuf_free(ut_params->ibuf);
> +	ut_params->ibuf = NULL;
> +

Above four lines are getting executed again in the success cases.


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests Anoob Joseph
@ 2021-09-21 16:22         ` Akhil Goyal
  2021-09-24  7:23         ` Hemant Agrawal
  1 sibling, 0 replies; 49+ messages in thread
From: Akhil Goyal @ 2021-09-21 16:22 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
	Gagandeep Singh, dev

> Subject: [PATCH v4 2/5] test/crypto: add combined mode tests

Title: test/crypto: add combined mode IPSec  cases
> 

In description explain the meaning of combined mode.
Also mention that the encap and decap are done one after the other,
Hence known test vectors are not required.

Apart from that,
Acked-by: Akhil Goyal <gakhil@marvell.com>

> Add framework to test IPsec features with all supported
> combinations of ciphers.
> 
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> 


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-09-21 16:25         ` Akhil Goyal
  2021-09-24  8:43           ` Hemant Agrawal
  0 siblings, 1 reply; 49+ messages in thread
From: Akhil Goyal @ 2021-09-21 16:25 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev,
	Anoob Joseph

> Subject: [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
> 
> From: Tejasree Kondoj <ktejasree@marvell.com>
> 
> Adding lookaside IPsec ICV corrupt test case.
Please elaborate the test case a bit more.
There is no documentation for the test cases, we can
Atleast add appropriate description.

Apart from that,
Acked-by: Akhil Goyal <gakhil@marvell.com>

> 
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> 

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests Anoob Joseph
@ 2021-09-21 16:31         ` Akhil Goyal
  0 siblings, 0 replies; 49+ messages in thread
From: Akhil Goyal @ 2021-09-21 16:31 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev,
	Anoob Joseph

> Subject: [PATCH v4 4/5] test/crypto: add IV gen tests
> 
> From: Tejasree Kondoj <ktejasree@marvell.com>
> 
> Add test cases to verify IV generated by PMD.

Title and description of the patch do not specify that
This is for lookaside IPSec.
Title: test/crypto: add IV gen cases for IPsec

Description:
Added cases to verify the IV generated by PMD
for lookaside IPsec use case.

It can also be mentioned that encap and decap are done
One after the other so that known test vector is not required.

Apart from that,
Acked-by: Akhil Goyal <gakhil@marvell.com>

> 
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
@ 2021-09-21 16:35         ` Akhil Goyal
  0 siblings, 0 replies; 49+ messages in thread
From: Akhil Goyal @ 2021-09-21 16:35 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

> Subject: [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases

Test/crypto: add UDP encapsulated IPSec cases
> 
> From: Tejasree Kondoj <ktejasree@marvell.com>
> 
> Adding UDP encapsulation test cases.
Elaborate the description as well

Apart from that,
Acked-by: Akhil Goyal <gakhil@marvell.com>
> 
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---


> +* **Added lookaside protocol (IPsec) tests in dpdk-test.**
> +
> +  * Added known vector tests (AES-GCM 128, 192, 256).
> +  * Added tests to verify error reporting with ICV corruption.
> +  * Added tests to verify IV generation.
> +  * Added tests to verify UDP encapsulation.
> +
If each case is added as a separate bullet in release notes,
Then each of them should be added in the corresponding patch.

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-21 16:08         ` Akhil Goyal
@ 2021-09-23  4:48           ` Anoob Joseph
  0 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-23  4:48 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev, Ciara Power
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Gagandeep Singh, dev

Hi Akhil,

Thanks for the review. Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Akhil Goyal <gakhil@marvell.com>
> Sent: Tuesday, September 21, 2021 9:38 PM
> To: Anoob Joseph <anoobj@marvell.com>; Declan Doherty
> <declan.doherty@intel.com>; Fan Zhang <roy.fan.zhang@intel.com>;
> Konstantin Ananyev <konstantin.ananyev@intel.com>; Ciara Power
> <ciara.power@intel.com>
> Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob Kollanukkaran
> <jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> <hemant.agrawal@nxp.com>; Radu Nicolau <radu.nicolau@intel.com>;
> Gagandeep Singh <g.singh@nxp.com>; dev@dpdk.org
> Subject: RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> 
> Hi Anoob,
> Few minor comments, Please see inline.
> Apart from that,
> Acked-by: Akhil Goyal <gakhil@marvell.com>
> >
> Update title as
> Test/crypto: add lookaside IPsec cases.

[Anoob] Will update so in v5
 
> 
> > +static int
> > +security_proto_supported(enum rte_security_session_action_type
> action,
> > +	enum rte_security_session_protocol proto);
> > +
> > +static int
> > +dev_configure_and_start(uint64_t ff_disable);
> > +
> 
> Do we really need to forward declare?

[Anoob] I've kept 'ipsec_proto_testsuite_setup' close to other rte_security test suite setups. The function, dev_configure_and_start() is defined later but I need to use it to enable SECURITY before doing capability check. Only other option is to move around code.
 
> 
> >  static struct rte_mbuf *
> >  setup_test_string(struct rte_mempool *mpool,
> >  		const char *string, size_t len, uint8_t blocksize) @@ -753,6
> > +763,43 @@ crypto_gen_testsuite_setup(void)
> >
> >  #ifdef RTE_LIB_SECURITY
> >  static int
> > +ipsec_proto_testsuite_setup(void)
> > +{
> > +	struct crypto_testsuite_params *ts_params = &testsuite_params;
> > +	struct crypto_unittest_params *ut_params = &unittest_params;
> > +	struct rte_cryptodev_info dev_info;
> > +	int ret = 0;
> > +
> > +	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
> > +
> > +	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
> > +		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
> > Proto "
> > +				"testsuite not met\n");
> > +		return TEST_SKIPPED;
> > +	}
> > +
> > +	/* Reconfigure to enable security */
> 
> Update comment like
> /*Reconfigure to enable security and disable crypto */ BTW, shouldn't this be
> dev_configure_and_start(0) Why is sym and asym disabled here?

[Anoob] Will update the comments in v5. Sym & asym are not required for security tests. But then, I can keep ff_disable as 0. It won't affect anything.
 
> 
> > +
> 	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPT
> O
> > |
> > +
> 	RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
> 
> Return value not taken care here.

[Anoob] Will fix in v5.
 
> 
> 
> > +
> > +	/* Set action type */
> > +	ut_params->type =
> > RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
> > +
> > +	if (security_proto_supported(
> > +
> > 	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> > +			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
> > +		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
> > Proto "
> > +				"test not met\n");
> > +		ret = TEST_SKIPPED;
> > +	}
> > +
> > +	/* Stop the device */
> > +	rte_cryptodev_stop(ts_params->valid_devs[0]);
> 
> Add a comment that the device will be started again in ut_setup_security()

[Anoob] Will update so in v5.
 
> 
> > +
> > +		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
> > +					      res_d_tmp, silent);
> > +		if (ret != TEST_SUCCESS)
> > +			goto crypto_op_free;
> > +
> > +		rte_crypto_op_free(ut_params->op);
> > +		ut_params->op = NULL;
> > +
> > +		rte_pktmbuf_free(ut_params->ibuf);
> > +		ut_params->ibuf = NULL;
> > +	}
> > +
> > +crypto_op_free:
> > +	rte_crypto_op_free(ut_params->op);
> > +	ut_params->op = NULL;
> > +
> > +	rte_pktmbuf_free(ut_params->ibuf);
> > +	ut_params->ibuf = NULL;
> > +
> 
> Above four lines are getting executed again in the success cases.

[Anoob] rte_crypto_op_free() has a NULL check. So executing this for success cases is alright. I believe UT already does it this way for certain cases. If you check PDCP test cases, it has a free in the test case and there would be one free in ut_teardown() also.

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
  2021-09-21 16:08         ` Akhil Goyal
@ 2021-09-23 10:39         ` Power, Ciara
  2021-09-23 11:08           ` Anoob Joseph
  2021-09-24  8:42         ` Hemant Agrawal
  2 siblings, 1 reply; 49+ messages in thread
From: Power, Ciara @ 2021-09-23 10:39 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob,

One comment inline.

Thanks,
Ciara

>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 17 September 2021 14:15
>To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>Ananyev, Konstantin <konstantin.ananyev@intel.com>
>Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob <jerinj@marvell.com>;
>Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
><ktejasree@marvell.com>; Hemant Agrawal <hemant.agrawal@nxp.com>;
>Nicolau, Radu <radu.nicolau@intel.com>; Power, Ciara
><ciara.power@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
>dev@dpdk.org
>Subject: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
>
>Added test case for lookaside IPsec. Inbound known vector tests are added.
>
>Cipher list: AES-GCM 128, 192 & 256
>
>Signed-off-by: Anoob Joseph <anoobj@marvell.com>
>Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>
>---
> app/test/meson.build                               |   1 +
> app/test/test.h                                    |   6 +
> app/test/test_cryptodev.c                          | 232 +++++++++++++++
> app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
> app/test/test_cryptodev_security_ipsec.h           |  66 +++++
> .../test_cryptodev_security_ipsec_test_vectors.h   | 321
>+++++++++++++++++++++
<snip>

> #ifdef RTE_LIB_SECURITY
> static int
>+ipsec_proto_testsuite_setup(void)
>+{
>+	struct crypto_testsuite_params *ts_params = &testsuite_params;
>+	struct crypto_unittest_params *ut_params = &unittest_params;
>+	struct rte_cryptodev_info dev_info;
>+	int ret = 0;
>+
>+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
>+
>+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
>+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
>Proto "
>+				"testsuite not met\n");
>+		return TEST_SKIPPED;
>+	}
>+
>+	/* Reconfigure to enable security */
>+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO
>|
>+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
>+
>+	/* Set action type */
>+	ut_params->type =
>RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
>+
>+	if (security_proto_supported(
>+
>	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
>+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
>Proto "
>+				"test not met\n");
>+		ret = TEST_SKIPPED;

The device still needs to be stopped here I believe if capabilities not met.

>+	}
>+
>+	/* Stop the device */
>+	rte_cryptodev_stop(ts_params->valid_devs[0]);
>+
>+	return ret;
>+}
>+


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-23 10:39         ` Power, Ciara
@ 2021-09-23 11:08           ` Anoob Joseph
  2021-09-23 11:26             ` Power, Ciara
  0 siblings, 1 reply; 49+ messages in thread
From: Anoob Joseph @ 2021-09-23 11:08 UTC (permalink / raw)
  To: Power, Ciara, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Ciara,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Power, Ciara <ciara.power@intel.com>
> Sent: Thursday, September 23, 2021 4:09 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal <gakhil@marvell.com>;
> Doherty, Declan <declan.doherty@intel.com>; Zhang, Roy Fan
> <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> <konstantin.ananyev@intel.com>
> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>; Hemant
> Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> One comment inline.
> 
> Thanks,
> Ciara
> 
> >-----Original Message-----
> >From: Anoob Joseph <anoobj@marvell.com>
> >Sent: Friday 17 September 2021 14:15
> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
> ><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
> >Ananyev, Konstantin <konstantin.ananyev@intel.com>
> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
> ><g.singh@nxp.com>; dev@dpdk.org
> >Subject: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> >
> >Added test case for lookaside IPsec. Inbound known vector tests are added.
> >
> >Cipher list: AES-GCM 128, 192 & 256
> >
> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >
> >---
> > app/test/meson.build                               |   1 +
> > app/test/test.h                                    |   6 +
> > app/test/test_cryptodev.c                          | 232 +++++++++++++++
> > app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
> > app/test/test_cryptodev_security_ipsec.h           |  66 +++++
> > .../test_cryptodev_security_ipsec_test_vectors.h   | 321
> >+++++++++++++++++++++
> <snip>
> 
> > #ifdef RTE_LIB_SECURITY
> > static int
> >+ipsec_proto_testsuite_setup(void)
> >+{
> >+	struct crypto_testsuite_params *ts_params = &testsuite_params;
> >+	struct crypto_unittest_params *ut_params = &unittest_params;
> >+	struct rte_cryptodev_info dev_info;
> >+	int ret = 0;
> >+
> >+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
> >+
> >+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
> >+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
> >Proto "
> >+				"testsuite not met\n");
> >+		return TEST_SKIPPED;
> >+	}
> >+
> >+	/* Reconfigure to enable security */
> >+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO
> >|
> >+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
> >+
> >+	/* Set action type */
> >+	ut_params->type =
> >RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
> >+
> >+	if (security_proto_supported(
> >+
> >	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> >+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
> >+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
> >Proto "
> >+				"test not met\n");
> >+		ret = TEST_SKIPPED;
> 
> The device still needs to be stopped here I believe if capabilities not met.

[Anoob] Here we are just setting return value. Function returns below only (after stopping device). 
 
> 
> >+	}
> >+
> >+	/* Stop the device */
> >+	rte_cryptodev_stop(ts_params->valid_devs[0]);
> >+
> >+	return ret;
> >+}
> >+


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-23 11:08           ` Anoob Joseph
@ 2021-09-23 11:26             ` Power, Ciara
  2021-09-23 11:30               ` Anoob Joseph
  0 siblings, 1 reply; 49+ messages in thread
From: Power, Ciara @ 2021-09-23 11:26 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob,


>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Thursday 23 September 2021 12:09
>To: Power, Ciara <ciara.power@intel.com>; Akhil Goyal
><gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>; Zhang,
>Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
><konstantin.ananyev@intel.com>
>Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
><marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
>Hemant Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
><radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
>dev@dpdk.org
>Subject: RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
>
>Hi Ciara,
>
>Please see inline.
>
>Thanks,
>Anoob
>
>> -----Original Message-----
>> From: Power, Ciara <ciara.power@intel.com>
>> Sent: Thursday, September 23, 2021 4:09 PM
>> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal
>> <gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
>> Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
>> <konstantin.ananyev@intel.com>
>> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
>> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
>> Hemant Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
>> <radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
>> dev@dpdk.org
>> Subject: [EXT] RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec
>> tests
>>
>> External Email
>>
>> ----------------------------------------------------------------------
>> Hi Anoob,
>>
>> One comment inline.
>>
>> Thanks,
>> Ciara
>>
>> >-----Original Message-----
>> >From: Anoob Joseph <anoobj@marvell.com>
>> >Sent: Friday 17 September 2021 14:15
>> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
>> ><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>> >Ananyev, Konstantin <konstantin.ananyev@intel.com>
>> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
>> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
>> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
>> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
>> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
>> ><g.singh@nxp.com>; dev@dpdk.org
>> >Subject: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
>> >
>> >Added test case for lookaside IPsec. Inbound known vector tests are
>added.
>> >
>> >Cipher list: AES-GCM 128, 192 & 256
>> >
>> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
>> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>> >
>> >---
>> > app/test/meson.build                               |   1 +
>> > app/test/test.h                                    |   6 +
>> > app/test/test_cryptodev.c                          | 232 +++++++++++++++
>> > app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
>> > app/test/test_cryptodev_security_ipsec.h           |  66 +++++
>> > .../test_cryptodev_security_ipsec_test_vectors.h   | 321
>> >+++++++++++++++++++++
>> <snip>
>>
>> > #ifdef RTE_LIB_SECURITY
>> > static int
>> >+ipsec_proto_testsuite_setup(void)
>> >+{
>> >+	struct crypto_testsuite_params *ts_params = &testsuite_params;
>> >+	struct crypto_unittest_params *ut_params = &unittest_params;
>> >+	struct rte_cryptodev_info dev_info;
>> >+	int ret = 0;
>> >+
>> >+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
>> >+
>> >+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
>> >+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
>> >Proto "
>> >+				"testsuite not met\n");
>> >+		return TEST_SKIPPED;
>> >+	}
>> >+
>> >+	/* Reconfigure to enable security */
>> >+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO
>> >|
>> >+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
>> >+
>> >+	/* Set action type */
>> >+	ut_params->type =
>> >RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
>> >+
>> >+	if (security_proto_supported(
>> >+
>> >	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
>> >+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
>> >+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
>> >Proto "
>> >+				"test not met\n");
>> >+		ret = TEST_SKIPPED;
>>
>> The device still needs to be stopped here I believe if capabilities not met.
>
>[Anoob] Here we are just setting return value. Function returns below only
>(after stopping device).
>

Apologies, yes I missed that. Thanks!

>>
>> >+	}
>> >+
>> >+	/* Stop the device */
>> >+	rte_cryptodev_stop(ts_params->valid_devs[0]);
>> >+
>> >+	return ret;
>> >+}
>> >+


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-23 11:26             ` Power, Ciara
@ 2021-09-23 11:30               ` Anoob Joseph
  0 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-23 11:30 UTC (permalink / raw)
  To: Power, Ciara, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Nicolau, Radu, Gagandeep Singh, dev

Hi Ciara,

I'm planning to send next version addressing Akhil's comments. Can you review and ack patches if you don't have further comments?

Thanks,
Anoob

> -----Original Message-----
> From: Power, Ciara <ciara.power@intel.com>
> Sent: Thursday, September 23, 2021 4:57 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal <gakhil@marvell.com>;
> Doherty, Declan <declan.doherty@intel.com>; Zhang, Roy Fan
> <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> <konstantin.ananyev@intel.com>
> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>; Hemant
> Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> <radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> dev@dpdk.org
> Subject: [EXT] RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Anoob,
> 
> 
> >-----Original Message-----
> >From: Anoob Joseph <anoobj@marvell.com>
> >Sent: Thursday 23 September 2021 12:09
> >To: Power, Ciara <ciara.power@intel.com>; Akhil Goyal
> ><gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
> >Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> ><konstantin.ananyev@intel.com>
> >Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> ><marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
> Hemant
> >Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> ><radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> >dev@dpdk.org
> >Subject: RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> >
> >Hi Ciara,
> >
> >Please see inline.
> >
> >Thanks,
> >Anoob
> >
> >> -----Original Message-----
> >> From: Power, Ciara <ciara.power@intel.com>
> >> Sent: Thursday, September 23, 2021 4:09 PM
> >> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal
> >> <gakhil@marvell.com>; Doherty, Declan <declan.doherty@intel.com>;
> >> Zhang, Roy Fan <roy.fan.zhang@intel.com>; Ananyev, Konstantin
> >> <konstantin.ananyev@intel.com>
> >> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> >> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>;
> >> Hemant Agrawal <hemant.agrawal@nxp.com>; Nicolau, Radu
> >> <radu.nicolau@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
> >> dev@dpdk.org
> >> Subject: [EXT] RE: [PATCH v4 1/5] test/crypto: add lookaside IPsec
> >> tests
> >>
> >> External Email
> >>
> >> ---------------------------------------------------------------------
> >> -
> >> Hi Anoob,
> >>
> >> One comment inline.
> >>
> >> Thanks,
> >> Ciara
> >>
> >> >-----Original Message-----
> >> >From: Anoob Joseph <anoobj@marvell.com>
> >> >Sent: Friday 17 September 2021 14:15
> >> >To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
> >> ><declan.doherty@intel.com>; Zhang, Roy Fan
> >> ><roy.fan.zhang@intel.com>; Ananyev, Konstantin
> >> ><konstantin.ananyev@intel.com>
> >> >Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob
> >> ><jerinj@marvell.com>; Archana Muniganti <marchana@marvell.com>;
> >> >Tejasree Kondoj <ktejasree@marvell.com>; Hemant Agrawal
> >> ><hemant.agrawal@nxp.com>; Nicolau, Radu <radu.nicolau@intel.com>;
> >> >Power, Ciara <ciara.power@intel.com>; Gagandeep Singh
> >> ><g.singh@nxp.com>; dev@dpdk.org
> >> >Subject: [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
> >> >
> >> >Added test case for lookaside IPsec. Inbound known vector tests are
> >added.
> >> >
> >> >Cipher list: AES-GCM 128, 192 & 256
> >> >
> >> >Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> >> >Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >> >
> >> >---
> >> > app/test/meson.build                               |   1 +
> >> > app/test/test.h                                    |   6 +
> >> > app/test/test_cryptodev.c                          | 232 +++++++++++++++
> >> > app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
> >> > app/test/test_cryptodev_security_ipsec.h           |  66 +++++
> >> > .../test_cryptodev_security_ipsec_test_vectors.h   | 321
> >> >+++++++++++++++++++++
> >> <snip>
> >>
> >> > #ifdef RTE_LIB_SECURITY
> >> > static int
> >> >+ipsec_proto_testsuite_setup(void)
> >> >+{
> >> >+	struct crypto_testsuite_params *ts_params = &testsuite_params;
> >> >+	struct crypto_unittest_params *ut_params = &unittest_params;
> >> >+	struct rte_cryptodev_info dev_info;
> >> >+	int ret = 0;
> >> >+
> >> >+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
> >> >+
> >> >+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
> >> >+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec
> >> >Proto "
> >> >+				"testsuite not met\n");
> >> >+		return TEST_SKIPPED;
> >> >+	}
> >> >+
> >> >+	/* Reconfigure to enable security */
> >> >+	dev_configure_and_start(RTE_CRYPTODEV_FF_SYMMETRIC_CRYPTO
> >> >|
> >> >+				RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO);
> >> >+
> >> >+	/* Set action type */
> >> >+	ut_params->type =
> >> >RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
> >> >+
> >> >+	if (security_proto_supported(
> >> >+
> >> >	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> >> >+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
> >> >+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec
> >> >Proto "
> >> >+				"test not met\n");
> >> >+		ret = TEST_SKIPPED;
> >>
> >> The device still needs to be stopped here I believe if capabilities not met.
> >
> >[Anoob] Here we are just setting return value. Function returns below
> >only (after stopping device).
> >
> 
> Apologies, yes I missed that. Thanks!
> 
> >>
> >> >+	}
> >> >+
> >> >+	/* Stop the device */
> >> >+	rte_cryptodev_stop(ts_params->valid_devs[0]);
> >> >+
> >> >+	return ret;
> >> >+}
> >> >+


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
                         ` (4 preceding siblings ...)
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
@ 2021-09-23 13:34       ` Power, Ciara
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
  6 siblings, 0 replies; 49+ messages in thread
From: Power, Ciara @ 2021-09-23 13:34 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Doherty, Declan, Zhang, Roy Fan,
	Ananyev, Konstantin
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Nicolau, Radu, Gagandeep Singh, dev

Hi Anoob,

>-----Original Message-----
>From: Anoob Joseph <anoobj@marvell.com>
>Sent: Friday 17 September 2021 14:15
>To: Akhil Goyal <gakhil@marvell.com>; Doherty, Declan
><declan.doherty@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>;
>Ananyev, Konstantin <konstantin.ananyev@intel.com>
>Cc: Anoob Joseph <anoobj@marvell.com>; Jerin Jacob <jerinj@marvell.com>;
>Archana Muniganti <marchana@marvell.com>; Tejasree Kondoj
><ktejasree@marvell.com>; Hemant Agrawal <hemant.agrawal@nxp.com>;
>Nicolau, Radu <radu.nicolau@intel.com>; Power, Ciara
><ciara.power@intel.com>; Gagandeep Singh <g.singh@nxp.com>;
>dev@dpdk.org
>Subject: [PATCH v4 0/5] Add lookaside IPsec tests
>
>Add lookaside IPsec functional tests. Known vector tests and combined mode
>framework is added.
>
>Known vectors are outbound vectors based on
>https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
>
>The vectors are updated to have sequence number as 1 & L4 checksum
>computed correctly. And they have following properties, 1. ESP 2. Tunnel
>mode 3. IPv4 4. IPv4 tunnel
>
>Known vector tests for inbound operation would generate test vectors by
>reversing outbound known vectors. The input_text would become encrypted
>packet and output_text would be the plain packet. Tests would then validate
>the operation by comparing against plain packet.
>
>Combined mode tests are used to test all IPsec features against all ciphers
>supported by the PMD. The framework is introduced to avoid testing with any
>specific algo, thereby making it mandatory to be supported. Also, testing with
>all supported combinations will help with increasing coverage as well.
>
>Four test cases use combined mode,
>1. Display algo coverage and basic in + out tests 2. Negative test for ICV
>corruption 3. IV generation 4. UDP encapsulation
>
>IV generation test case compares IV generated for a batch of packets and
>returns failure if IV is repeated.
>
>Upcoming additions,
>1. AES-CBC-SHA1-HMAC known vectors & combined mode 2. IPv6 3. Transport
>4. Mixed mode (IPv4-in-IPv6 etc, all combinations)
>
>Tested with following PMDs
>1. crypto_octeontx2
>2. crypto_cn10k
>3. crypto_cn9k
>
>Changes in v4:
>- Fixed lack of device stop in case capability check fails (comment from Ciara)
>- Rebased and updated release notes
>
>Changes in v3
>- Added UDP encapsulation tests
>
>Changes in v2
>- Dropped outbound known vector tests as lookaside protocol would require
>IV
>  generated by PMD. The tests would be introduced with spec change to allow
>user
>  to specify IV.
>- Added IV generation tests
>- Minor fixes in combined mode tests to handle multiple packets
>
>Anoob Joseph (2):
>  test/crypto: add lookaside IPsec tests
>  test/crypto: add combined mode tests
>
>Tejasree Kondoj (3):
>  test/crypto: add lookaside IPsec ICV corrupt test case
>  test/crypto: add IV gen tests
>  test/crypto: add UDP encapsulation test cases
>
> app/test/meson.build                               |   1 +
> app/test/test.h                                    |   6 +
> app/test/test_cryptodev.c                          | 351 ++++++++++++++++++
> app/test/test_cryptodev_security_ipsec.c           | 401
>+++++++++++++++++++++
> app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
> .../test_cryptodev_security_ipsec_test_vectors.h   | 321
>+++++++++++++++++
> doc/guides/rel_notes/release_21_11.rst             |   7 +
> 7 files changed, 1206 insertions(+)
> create mode 100644 app/test/test_cryptodev_security_ipsec.c
> create mode 100644 app/test/test_cryptodev_security_ipsec.h
> create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h
>
>--
>2.7.4

For the series from a crypto test framework point of view,

Acked-by: Ciara Power <ciara.power@intel.com>


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests Anoob Joseph
  2021-09-21 16:22         ` Akhil Goyal
@ 2021-09-24  7:23         ` Hemant Agrawal
  2021-09-24  8:12           ` [dpdk-dev] [EXT] " Anoob Joseph
  1 sibling, 1 reply; 49+ messages in thread
From: Hemant Agrawal @ 2021-09-24  7:23 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev

HI Anoob,

On 9/17/2021 6:45 PM, Anoob Joseph wrote:
> Add framework to test IPsec features with all supported
> combinations of ciphers.
>
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
>
> ---
>   app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
>   app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
>   app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
>   3 files changed, 223 insertions(+), 9 deletions(-)
>
> diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> index 9c7875c..7fd246e 100644
> --- a/app/test/test_cryptodev.c
> +++ b/app/test/test_cryptodev.c
> @@ -8904,7 +8904,8 @@ static int
>   test_ipsec_proto_process(const struct ipsec_test_data td[],
>   			 struct ipsec_test_data res_d[],
>   			 int nb_td,
> -			 bool silent)
> +			 bool silent,
> +			 const struct ipsec_test_flags *flags)
>   {
>   	struct crypto_testsuite_params *ts_params = &testsuite_params;
>   	struct crypto_unittest_params *ut_params = &unittest_params;
> @@ -9021,7 +9022,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
>   		/* Process crypto operation */
>   		process_crypto_request(dev_id, ut_params->op);
>   
> -		ret = test_ipsec_status_check(ut_params->op, dir);
> +		ret = test_ipsec_status_check(ut_params->op, flags, dir);
>   		if (ret != TEST_SUCCESS)
>   			goto crypto_op_free;
>   
> @@ -9029,7 +9030,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
>   			res_d_tmp = &res_d[i];
>   
>   		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
> -					      res_d_tmp, silent);
> +					      res_d_tmp, silent, flags);
>   		if (ret != TEST_SUCCESS)
>   			goto crypto_op_free;
>   
> @@ -9057,11 +9058,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
>   static int
>   test_ipsec_proto_known_vec_inb(const void *td_outb)
>   {
> +	struct ipsec_test_flags flags;
>   	struct ipsec_test_data td_inb;
>   
> +	memset(&flags, 0, sizeof(flags));
> +
>   	test_ipsec_td_in_from_out(td_outb, &td_inb);
>   
> -	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
> +	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);

In most places, you have hardcoded this silent flag - this is for debug 
prints.

Will you please driver it from some macro or variable or log-level, 
where it can be changed easily.



^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [EXT] Re: [PATCH v4 2/5] test/crypto: add combined mode tests
  2021-09-24  7:23         ` Hemant Agrawal
@ 2021-09-24  8:12           ` Anoob Joseph
  0 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-24  8:12 UTC (permalink / raw)
  To: hemant.agrawal, Akhil Goyal, Declan Doherty, Fan Zhang,
	Konstantin Ananyev
  Cc: Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Hi Hemant,

Please see inline.

Thanks,
Anoob

> -----Original Message-----
> From: Hemant Agrawal <hemant.agrawal@oss.nxp.com>
> Sent: Friday, September 24, 2021 12:54 PM
> To: Anoob Joseph <anoobj@marvell.com>; Akhil Goyal <gakhil@marvell.com>;
> Declan Doherty <declan.doherty@intel.com>; Fan Zhang
> <roy.fan.zhang@intel.com>; Konstantin Ananyev
> <konstantin.ananyev@intel.com>
> Cc: Jerin Jacob Kollanukkaran <jerinj@marvell.com>; Archana Muniganti
> <marchana@marvell.com>; Tejasree Kondoj <ktejasree@marvell.com>; Hemant
> Agrawal <hemant.agrawal@nxp.com>; Radu Nicolau
> <radu.nicolau@intel.com>; Ciara Power <ciara.power@intel.com>; Gagandeep
> Singh <g.singh@nxp.com>; dev@dpdk.org
> Subject: [EXT] Re: [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode
> tests
> 
> External Email
> 
> ----------------------------------------------------------------------
> HI Anoob,
> 
> On 9/17/2021 6:45 PM, Anoob Joseph wrote:
> > Add framework to test IPsec features with all supported combinations
> > of ciphers.
> >
> > Signed-off-by: Anoob Joseph <anoobj@marvell.com>
> > Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> >
> > ---
> >   app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
> >   app/test/test_cryptodev_security_ipsec.c | 107
> +++++++++++++++++++++++++++++--
> >   app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
> >   3 files changed, 223 insertions(+), 9 deletions(-)
> >
> > diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
> > index 9c7875c..7fd246e 100644
> > --- a/app/test/test_cryptodev.c
> > +++ b/app/test/test_cryptodev.c
> > @@ -8904,7 +8904,8 @@ static int
> >   test_ipsec_proto_process(const struct ipsec_test_data td[],
> >   			 struct ipsec_test_data res_d[],
> >   			 int nb_td,
> > -			 bool silent)
> > +			 bool silent,
> > +			 const struct ipsec_test_flags *flags)
> >   {
> >   	struct crypto_testsuite_params *ts_params = &testsuite_params;
> >   	struct crypto_unittest_params *ut_params = &unittest_params; @@
> > -9021,7 +9022,7 @@ test_ipsec_proto_process(const struct ipsec_test_data
> td[],
> >   		/* Process crypto operation */
> >   		process_crypto_request(dev_id, ut_params->op);
> >
> > -		ret = test_ipsec_status_check(ut_params->op, dir);
> > +		ret = test_ipsec_status_check(ut_params->op, flags, dir);
> >   		if (ret != TEST_SUCCESS)
> >   			goto crypto_op_free;
> >
> > @@ -9029,7 +9030,7 @@ test_ipsec_proto_process(const struct
> ipsec_test_data td[],
> >   			res_d_tmp = &res_d[i];
> >
> >   		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
> > -					      res_d_tmp, silent);
> > +					      res_d_tmp, silent, flags);
> >   		if (ret != TEST_SUCCESS)
> >   			goto crypto_op_free;
> >
> > @@ -9057,11 +9058,71 @@ test_ipsec_proto_process(const struct
> ipsec_test_data td[],
> >   static int
> >   test_ipsec_proto_known_vec_inb(const void *td_outb)
> >   {
> > +	struct ipsec_test_flags flags;
> >   	struct ipsec_test_data td_inb;
> >
> > +	memset(&flags, 0, sizeof(flags));
> > +
> >   	test_ipsec_td_in_from_out(td_outb, &td_inb);
> >
> > -	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
> > +	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
> 
> In most places, you have hardcoded this silent flag - this is for debug prints.
> 
> Will you please driver it from some macro or variable or log-level, where it can
> be changed easily.
> 

[Anoob] Currently, for known vector tests, we have "silent" set as false to have more verbose output by default. For combined mode, since we attempt multiple ciphers, there would be lot of prints. Hence we kept "silent" flag as true to disable prints for such cases. The idea is, if a developer wants to quickly analyze one combined mode test case, he can do so by changing silent flag for just that. Enabling it universally could dump more info than desired. 

Making it a global flag would mean, we would have same kind of prints with known vector & combined mode (which attempts combinations). Do you think a global setting is better? If yes, what do you recommend? A custom flag or RTE_LOG?

^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 1/5] test/crypto: add lookaside IPsec tests
  2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
  2021-09-21 16:08         ` Akhil Goyal
  2021-09-23 10:39         ` Power, Ciara
@ 2021-09-24  8:42         ` Hemant Agrawal
  2 siblings, 0 replies; 49+ messages in thread
From: Hemant Agrawal @ 2021-09-24  8:42 UTC (permalink / raw)
  To: Anoob Joseph, Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>



^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-09-21 16:25         ` Akhil Goyal
@ 2021-09-24  8:43           ` Hemant Agrawal
  0 siblings, 0 replies; 49+ messages in thread
From: Hemant Agrawal @ 2021-09-24  8:43 UTC (permalink / raw)
  To: Akhil Goyal, Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>



^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 0/5] Add lookaside IPsec tests
  2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
                         ` (5 preceding siblings ...)
  2021-09-23 13:34       ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Power, Ciara
@ 2021-09-25 15:35       ` Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases Anoob Joseph
                           ` (5 more replies)
  6 siblings, 6 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add lookaside IPsec functional tests. Known vector tests and
combined mode framework is added.

Known vectors are outbound vectors based on
https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01

The vectors are updated to have sequence number as 1 & L4 checksum
computed correctly. And they have following properties,
1. ESP
2. Tunnel mode
3. IPv4
4. IPv4 tunnel

Known vector tests for inbound operation would generate test vectors by
reversing outbound known vectors. The input_text would become encrypted
packet and output_text would be the plain packet. Tests would then validate
the operation by comparing against plain packet.

Combined mode tests are used to test all IPsec features against all ciphers
supported by the PMD. The framework is introduced to avoid testing
with any specific algo, thereby making it mandatory to be supported. Also,
testing with all supported combinations will help with increasing coverage
as well.

Four test cases use combined mode,
1. Display algo coverage and basic in + out tests
2. Negative test for ICV corruption
3. IV generation
4. UDP encapsulation

IV generation test case compares IV generated for a batch of packets and returns
failure if IV is repeated.

Upcoming additions,
1. AES-CBC-SHA1-HMAC known vectors & combined mode
2. IPv6
3. Transport
4. Mixed mode (IPv4-in-IPv6 etc, all combinations)

Tested with following PMDs
1. crypto_octeontx2
2. crypto_cn10k
3. crypto_cn9k

Changes in v5:
- Fixed lack of return check with dev_configure_and_start() (comment from Akhil)
- Adjusted patch title and description (comment from Akhil)

Changes in v4:
- Fixed lack of device stop in case capability check fails (comment from Ciara)
- Rebased and updated release notes

Changes in v3
- Added UDP encapsulation tests

Changes in v2
- Dropped outbound known vector tests as lookaside protocol would require IV
  generated by PMD. The tests would be introduced with spec change to allow user
  to specify IV.
- Added IV generation tests
- Minor fixes in combined mode tests to handle multiple packets

Anoob Joseph (2):
  test/crypto: add lookaside IPsec cases
  test/crypto: add combined mode IPsec cases

Tejasree Kondoj (3):
  test/crypto: add lookaside IPsec ICV corrupt test case
  test/crypto: add IV gen cases for IPsec
  test/crypto: add UDP encapsulated IPsec test cases

 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 355 ++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 401 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           | 119 ++++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++
 doc/guides/rel_notes/release_21_11.rst             |   7 +
 7 files changed, 1210 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
@ 2021-09-25 15:35         ` Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 2/5] test/crypto: add combined mode " Anoob Joseph
                           ` (4 subsequent siblings)
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Added test case for lookaside IPsec. Inbound known vector
tests are added.

Cipher list: AES-GCM 128, 192 & 256

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/meson.build                               |   1 +
 app/test/test.h                                    |   6 +
 app/test/test_cryptodev.c                          | 236 +++++++++++++++
 app/test/test_cryptodev_security_ipsec.c           | 212 ++++++++++++++
 app/test/test_cryptodev_security_ipsec.h           |  66 +++++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 321 +++++++++++++++++++++
 doc/guides/rel_notes/release_21_11.rst             |   4 +
 7 files changed, 846 insertions(+)
 create mode 100644 app/test/test_cryptodev_security_ipsec.c
 create mode 100644 app/test/test_cryptodev_security_ipsec.h
 create mode 100644 app/test/test_cryptodev_security_ipsec_test_vectors.h

diff --git a/app/test/meson.build b/app/test/meson.build
index a761168..f144d8b 100644
--- a/app/test/meson.build
+++ b/app/test/meson.build
@@ -38,6 +38,7 @@ test_sources = files(
         'test_cryptodev.c',
         'test_cryptodev_asym.c',
         'test_cryptodev_blockcipher.c',
+        'test_cryptodev_security_ipsec.c',
         'test_cryptodev_security_pdcp.c',
         'test_cycles.c',
         'test_debug.c',
diff --git a/app/test/test.h b/app/test/test.h
index c3b2a87..7115edf 100644
--- a/app/test/test.h
+++ b/app/test/test.h
@@ -124,6 +124,12 @@ struct unit_test_case {
 #define TEST_CASE_WITH_DATA(setup, teardown, testcase, data) \
 		{ setup, teardown, NULL, testcase, #testcase, 1, data }
 
+#define TEST_CASE_NAMED_ST(name, setup, teardown, testcase) \
+		{ setup, teardown, NULL, testcase, name, 1, NULL }
+
+#define TEST_CASE_NAMED_WITH_DATA(name, setup, teardown, testcase, data) \
+		{ setup, teardown, NULL, testcase, name, 1, data }
+
 #define TEST_CASE_DISABLED(fn) { NULL, NULL, fn, NULL, #fn, 0, NULL }
 
 #define TEST_CASE_ST_DISABLED(setup, teardown, testcase) \
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index d19482c..f7d429b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -16,6 +16,7 @@
 
 #include <rte_crypto.h>
 #include <rte_cryptodev.h>
+#include <rte_ip.h>
 #include <rte_string_fns.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -41,6 +42,8 @@
 #include "test_cryptodev_hmac_test_vectors.h"
 #include "test_cryptodev_mixed_test_vectors.h"
 #ifdef RTE_LIB_SECURITY
+#include "test_cryptodev_security_ipsec.h"
+#include "test_cryptodev_security_ipsec_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_vectors.h"
 #include "test_cryptodev_security_pdcp_sdap_test_vectors.h"
 #include "test_cryptodev_security_pdcp_test_func.h"
@@ -123,6 +126,13 @@ test_AES_CBC_HMAC_SHA512_decrypt_perform(struct rte_cryptodev_sym_session *sess,
 		const uint8_t *digest,
 		const uint8_t *iv);
 
+static int
+security_proto_supported(enum rte_security_session_action_type action,
+	enum rte_security_session_protocol proto);
+
+static int
+dev_configure_and_start(uint64_t ff_disable);
+
 static struct rte_mbuf *
 setup_test_string(struct rte_mempool *mpool,
 		const char *string, size_t len, uint8_t blocksize)
@@ -753,6 +763,47 @@ crypto_gen_testsuite_setup(void)
 
 #ifdef RTE_LIB_SECURITY
 static int
+ipsec_proto_testsuite_setup(void)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_cryptodev_info dev_info;
+	int ret = 0;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_SECURITY)) {
+		RTE_LOG(INFO, USER1, "Feature flag requirements for IPsec Proto "
+				"testsuite not met\n");
+		return TEST_SKIPPED;
+	}
+
+	/* Reconfigure to enable security */
+	ret = dev_configure_and_start(0);
+	if (ret != TEST_SUCCESS)
+		return ret;
+
+	/* Set action type */
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	if (security_proto_supported(
+			RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+			RTE_SECURITY_PROTOCOL_IPSEC) < 0) {
+		RTE_LOG(INFO, USER1, "Capability requirements for IPsec Proto "
+				"test not met\n");
+		ret = TEST_SKIPPED;
+	}
+
+	/*
+	 * Stop the device. Device would be started again by individual test
+	 * case setup routine.
+	 */
+	rte_cryptodev_stop(ts_params->valid_devs[0]);
+
+	return ret;
+}
+
+static int
 pdcp_proto_testsuite_setup(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -8854,6 +8905,170 @@ test_PDCP_SDAP_PROTO_decap_all(void)
 }
 
 static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+			 struct ipsec_test_data res_d[],
+			 int nb_td,
+			 bool silent)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct crypto_unittest_params *ut_params = &unittest_params;
+	struct rte_security_capability_idx sec_cap_idx;
+	const struct rte_security_capability *sec_cap;
+	struct rte_security_ipsec_xform ipsec_xform;
+	uint8_t dev_id = ts_params->valid_devs[0];
+	enum rte_security_ipsec_sa_direction dir;
+	struct ipsec_test_data *res_d_tmp = NULL;
+	uint32_t src = RTE_IPV4(192, 168, 1, 0);
+	uint32_t dst = RTE_IPV4(192, 168, 1, 1);
+	int salt_len, i, ret = TEST_SUCCESS;
+	struct rte_security_ctx *ctx;
+	uint8_t *input_text;
+
+	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+	/* Use first test data to create session */
+
+	/* Copy IPsec xform */
+	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+
+	dir = ipsec_xform.direction;
+
+	ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+	sec_cap_idx.action = ut_params->type;
+	sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+	sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+	if (sec_cap == NULL)
+		return TEST_SKIPPED;
+
+	/* Copy cipher session parameters */
+	if (td[0].aead) {
+		memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+		       sizeof(ut_params->aead_xform));
+		ut_params->aead_xform.aead.key.data = td[0].key.data;
+		ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+		/* Verify crypto capabilities */
+		if (test_ipsec_crypto_caps_aead_verify(
+				sec_cap,
+				&ut_params->aead_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+	} else {
+		/* Only AEAD supported now */
+		return TEST_SKIPPED;
+	}
+
+	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+		return TEST_SKIPPED;
+
+	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+
+	struct rte_security_session_conf sess_conf = {
+		.action_type = ut_params->type,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		.ipsec = ipsec_xform,
+		.crypto_xform = &ut_params->aead_xform,
+	};
+
+	/* Create security session */
+	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+					ts_params->session_mpool,
+					ts_params->session_priv_mpool);
+
+	if (ut_params->sec_session == NULL)
+		return TEST_SKIPPED;
+
+	for (i = 0; i < nb_td; i++) {
+		/* Setup source mbuf payload */
+		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+				rte_pktmbuf_tailroom(ut_params->ibuf));
+
+		input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+				td[i].input_text.len);
+
+		memcpy(input_text, td[i].input_text.data,
+		       td[i].input_text.len);
+
+		/* Generate crypto op data structure */
+		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+					RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+		if (!ut_params->op) {
+			printf("TestCase %s line %d: %s\n",
+				__func__, __LINE__,
+				"failed to allocate crypto op");
+			ret = TEST_FAILED;
+			goto crypto_op_free;
+		}
+
+		/* Attach session to operation */
+		rte_security_attach_session(ut_params->op,
+					    ut_params->sec_session);
+
+		/* Set crypto operation mbufs */
+		ut_params->op->sym->m_src = ut_params->ibuf;
+		ut_params->op->sym->m_dst = NULL;
+
+		/* Process crypto operation */
+		process_crypto_request(dev_id, ut_params->op);
+
+		ret = test_ipsec_status_check(ut_params->op, dir);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		if (res_d != NULL)
+			res_d_tmp = &res_d[i];
+
+		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+					      res_d_tmp, silent);
+		if (ret != TEST_SUCCESS)
+			goto crypto_op_free;
+
+		rte_crypto_op_free(ut_params->op);
+		ut_params->op = NULL;
+
+		rte_pktmbuf_free(ut_params->ibuf);
+		ut_params->ibuf = NULL;
+	}
+
+crypto_op_free:
+	rte_crypto_op_free(ut_params->op);
+	ut_params->op = NULL;
+
+	rte_pktmbuf_free(ut_params->ibuf);
+	ut_params->ibuf = NULL;
+
+	if (ut_params->sec_session)
+		rte_security_session_destroy(ctx, ut_params->sec_session);
+	ut_params->sec_session = NULL;
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *td_outb)
+{
+	struct ipsec_test_data td_inb;
+
+	test_ipsec_td_in_from_out(td_outb, &td_inb);
+
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -13745,6 +13960,26 @@ static struct unit_test_suite end_testsuite = {
 };
 
 #ifdef RTE_LIB_SECURITY
+static struct unit_test_suite ipsec_proto_testsuite  = {
+	.suite_name = "IPsec Proto Unit Test Suite",
+	.setup = ipsec_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_192_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 static struct unit_test_suite pdcp_proto_testsuite  = {
 	.suite_name = "PDCP Proto Unit Test Suite",
 	.setup = pdcp_proto_testsuite_setup,
@@ -14530,6 +14765,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&cryptodev_negative_hmac_sha1_testsuite,
 		&cryptodev_gen_testsuite,
 #ifdef RTE_LIB_SECURITY
+		&ipsec_proto_testsuite,
 		&pdcp_proto_testsuite,
 		&docsis_proto_testsuite,
 #endif
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
new file mode 100644
index 0000000..2431fcb
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -0,0 +1,212 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#include <rte_common.h>
+#include <rte_cryptodev.h>
+#include <rte_ip.h>
+#include <rte_security.h>
+
+#include "test.h"
+#include "test_cryptodev_security_ipsec.h"
+
+int
+test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			   const struct rte_security_capability *sec_cap,
+			   bool silent)
+{
+	/* Verify security capabilities */
+
+	if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ESN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.udp_encap == 1 &&
+	    sec_cap->ipsec.options.udp_encap == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_dscp == 1 &&
+	    sec_cap->ipsec.options.copy_dscp == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_flabel == 1 &&
+	    sec_cap->ipsec.options.copy_flabel == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.copy_df == 1 &&
+	    sec_cap->ipsec.options.copy_df == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.dec_ttl == 1 &&
+	    sec_cap->ipsec.options.dec_ttl == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "ECN is not supported\n");
+		return -ENOTSUP;
+	}
+
+	if (ipsec_xform->options.stats == 1 &&
+	    sec_cap->ipsec.options.stats == 0) {
+		if (!silent)
+			RTE_LOG(INFO, USER1, "Stats is not supported\n");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+int
+test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *crypto_cap;
+	int j = 0;
+
+	while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				crypto_cap->sym.xform_type == aead->type &&
+				crypto_cap->sym.aead.algo == aead->aead.algo) {
+			sym_cap = &crypto_cap->sym;
+			if (rte_cryptodev_sym_capability_check_aead(sym_cap,
+					aead->aead.key.length,
+					aead->aead.digest_length,
+					aead->aead.aad_length,
+					aead->aead.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+void
+test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			  struct ipsec_test_data *td_in)
+{
+	memcpy(td_in, td_out, sizeof(*td_in));
+
+	/* Populate output text of td_in with input text of td_out */
+	memcpy(td_in->output_text.data, td_out->input_text.data,
+	       td_out->input_text.len);
+	td_in->output_text.len = td_out->input_text.len;
+
+	/* Populate input text of td_in with output text of td_out */
+	memcpy(td_in->input_text.data, td_out->output_text.data,
+	       td_out->output_text.len);
+	td_in->input_text.len = td_out->output_text.len;
+
+	td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+
+	if (td_in->aead) {
+		td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
+		td_in->xform.chain.cipher.cipher.op =
+				RTE_CRYPTO_CIPHER_OP_DECRYPT;
+	}
+}
+
+static int
+test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
+{
+	int len = 0;
+
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+			if (td->ipsec_xform.tunnel.type ==
+					RTE_SECURITY_IPSEC_TUNNEL_IPV4)
+				len += sizeof(struct rte_ipv4_hdr);
+			else
+				len += sizeof(struct rte_ipv6_hdr);
+		}
+	}
+
+	return len;
+}
+
+static int
+test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		     bool silent)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+
+	if (len != td->output_text.len) {
+		printf("Output length (%d) not matching with expected (%d)\n",
+			len, td->output_text.len);
+		return TEST_FAILED;
+	}
+
+	skip = test_ipsec_tunnel_hdr_len_get(td);
+
+	len -= skip;
+	output_text += skip;
+
+	if (memcmp(output_text, td->output_text.data + skip, len)) {
+		if (silent)
+			return TEST_FAILED;
+
+		printf("TestCase %s line %d: %s\n", __func__, __LINE__,
+			"output text not as expected\n");
+
+		rte_hexdump(stdout, "expected", td->output_text.data + skip,
+			    len);
+		rte_hexdump(stdout, "actual", output_text, len);
+		return TEST_FAILED;
+	}
+
+	return TEST_SUCCESS;
+}
+
+int
+test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
+			struct ipsec_test_data *res_d, bool silent)
+{
+	/*
+	 * In case of known vector tests & all inbound tests, res_d provided
+	 * would be NULL and output data need to be validated against expected.
+	 * For inbound, output_text would be plain packet and for outbound
+	 * output_text would IPsec packet. Validate by comparing against
+	 * known vectors.
+	 */
+	RTE_SET_USED(res_d);
+	return test_ipsec_td_verify(m, td, silent);
+}
+
+int
+test_ipsec_status_check(struct rte_crypto_op *op,
+			enum rte_security_ipsec_sa_direction dir)
+{
+	int ret = TEST_SUCCESS;
+
+	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+		printf("Security op processing failed\n");
+		ret = TEST_FAILED;
+	}
+
+	RTE_SET_USED(dir);
+
+	return ret;
+}
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
new file mode 100644
index 0000000..5f1b46d
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -0,0 +1,66 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(C) 2021 Marvell.
+ */
+
+#ifndef _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+#define _TEST_CRYPTODEV_SECURITY_IPSEC_H_
+
+#include <rte_cryptodev.h>
+#include <rte_security.h>
+
+struct ipsec_test_data {
+	struct {
+		uint8_t data[32];
+	} key;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} input_text;
+
+	struct {
+		uint8_t data[1024];
+		unsigned int len;
+	} output_text;
+
+	struct {
+		uint8_t data[4];
+		unsigned int len;
+	} salt;
+
+	struct {
+		uint8_t data[16];
+	} iv;
+
+	struct rte_security_ipsec_xform ipsec_xform;
+
+	bool aead;
+
+	union {
+		struct {
+			struct rte_crypto_sym_xform cipher;
+			struct rte_crypto_sym_xform auth;
+		} chain;
+		struct rte_crypto_sym_xform aead;
+	} xform;
+};
+
+int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
+			       const struct rte_security_capability *sec_cap,
+			       bool silent);
+
+int test_ipsec_crypto_caps_aead_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *aead);
+
+void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
+			       struct ipsec_test_data *td_in);
+
+int test_ipsec_post_process(struct rte_mbuf *m,
+			    const struct ipsec_test_data *td,
+			    struct ipsec_test_data *res_d, bool silent);
+
+int test_ipsec_status_check(struct rte_crypto_op *op,
+			    enum rte_security_ipsec_sa_direction dir);
+
+#endif
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
new file mode 100644
index 0000000..ae9cd24
--- /dev/null
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -0,0 +1,321 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2021 Marvell
+ */
+
+#ifndef TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+#define TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_
+
+#include <rte_crypto.h>
+#include <rte_security.h>
+
+#include "test_cryptodev_security_ipsec.h"
+
+/*
+ * Known vectors
+ *
+ * AES-GCM vectors are based on :
+ * https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
+ *
+ * Vectors are updated to have corrected L4 checksum and sequence number 1.
+ */
+
+struct ipsec_test_data pkt_aes_128_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x3e, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x11, 0x4d, 0xcc, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* UDP */
+			0x0a, 0x98, 0x00, 0x35, 0x00, 0x2a, 0x23, 0x43,
+			0xb2, 0xd0, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+			0x00, 0x00, 0x00, 0x00, 0x03, 0x73, 0x69, 0x70,
+			0x09, 0x63, 0x79, 0x62, 0x65, 0x72, 0x63, 0x69,
+			0x74, 0x79, 0x02, 0x64, 0x6b, 0x00, 0x00, 0x01,
+			0x00, 0x01,
+		},
+		.len = 62,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x74, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x75, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xde, 0xb2, 0x2c, 0xd9, 0xb0, 0x7c, 0x72, 0xc1,
+			0x6e, 0x3a, 0x65, 0xbe, 0xeb, 0x8d, 0xf3, 0x04,
+			0xa5, 0xa5, 0x89, 0x7d, 0x33, 0xae, 0x53, 0x0f,
+			0x1b, 0xa7, 0x6d, 0x5d, 0x11, 0x4d, 0x2a, 0x5c,
+			0x3d, 0xe8, 0x18, 0x27, 0xc1, 0x0e, 0x9a, 0x4f,
+			0x51, 0x33, 0x0d, 0x0e, 0xec, 0x41, 0x66, 0x42,
+			0xcf, 0xbb, 0x85, 0xa5, 0xb4, 0x7e, 0x48, 0xa4,
+			0xec, 0x3b, 0x9b, 0xa9, 0x5d, 0x91, 0x8b, 0xd4,
+			0x29, 0xc7, 0x37, 0x57, 0x9f, 0xf1, 0x9e, 0x58,
+			0xcf, 0xfc, 0x60, 0x7a, 0x3b, 0xce, 0x89, 0x94,
+
+		},
+		.len = 116,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_192_gcm = {
+	.key = {
+		.data = {
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+			0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+			0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x28, 0xa4, 0xad, 0x40, 0x00,
+			0x40, 0x06, 0x78, 0x80, 0x0a, 0x01, 0x03, 0x8f,
+			0x0a, 0x01, 0x06, 0x12,
+
+			/* TCP */
+			0x80, 0x23, 0x06, 0xb8, 0xcb, 0x71, 0x26, 0x02,
+			0xdd, 0x6b, 0xb0, 0x3e, 0x50, 0x10, 0x16, 0xd0,
+			0x75, 0x67, 0x00, 0x01
+		},
+		.len = 40,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x60, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x89, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x00, 0x00, 0xa5, 0xf8, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88,
+
+			/* Data */
+			0xa5, 0xb1, 0xf8, 0x06, 0x60, 0x29, 0xae, 0xa4,
+			0x0e, 0x59, 0x8b, 0x81, 0x22, 0xde, 0x02, 0x42,
+			0x09, 0x38, 0xb3, 0xab, 0x33, 0xf8, 0x28, 0xe6,
+			0x87, 0xb8, 0x85, 0x8b, 0x5b, 0xfb, 0xdb, 0xd0,
+			0x31, 0x5b, 0x27, 0x45, 0x21, 0x4b, 0xcc, 0x77,
+			0x82, 0xac, 0x91, 0x38, 0xf2, 0xbb, 0xbe, 0xe4,
+			0xcf, 0x03, 0x36, 0x89, 0xdd, 0x40, 0xd3, 0x6e,
+			0x54, 0x05, 0x22, 0x22,
+		},
+		.len = 96,
+	},
+	.salt = {
+		.data = {
+			0xca, 0xfe, 0xba, 0xbe
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0xfa, 0xce, 0xdb, 0xad, 0xde, 0xca, 0xf8, 0x88
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0xa5f8,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 24,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+struct ipsec_test_data pkt_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+			0xab, 0xbc, 0xcd, 0xde, 0xf0, 0x01, 0x12, 0x23,
+			0x34, 0x45, 0x56, 0x67, 0x78, 0x89, 0x9a, 0xab,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x30, 0x69, 0xa6, 0x40, 0x00,
+			0x80, 0x06, 0x26, 0x90, 0xc0, 0xa8, 0x01, 0x02,
+			0x93, 0x89, 0x15, 0x5e,
+
+			/* TCP */
+			0x0a, 0x9e, 0x00, 0x8b, 0x2d, 0xc5, 0x7e, 0xe0,
+			0x00, 0x00, 0x00, 0x00, 0x70, 0x02, 0x40, 0x00,
+			0x20, 0xbf, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4,
+			0x01, 0x01, 0x04, 0x02,
+		},
+		.len = 48,
+	},
+	.output_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x68, 0x69, 0x8f, 0x00, 0x00,
+			0x80, 0x32, 0x4d, 0x81, 0xc0, 0xa8, 0x01, 0x02,
+			0xc0, 0xa8, 0x01, 0x01,
+
+			/* ESP */
+			0x4a, 0x2c, 0xbf, 0xe3, 0x00, 0x00, 0x00, 0x01,
+
+			/* IV */
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+
+			/* Data */
+			0xff, 0x42, 0x5c, 0x9b, 0x72, 0x45, 0x99, 0xdf,
+			0x7a, 0x3b, 0xcd, 0x51, 0x01, 0x94, 0xe0, 0x0d,
+			0x6a, 0x78, 0x10, 0x7f, 0x1b, 0x0b, 0x1c, 0xbf,
+			0x06, 0xef, 0xae, 0x9d, 0x65, 0xa5, 0xd7, 0x63,
+			0x74, 0x8a, 0x63, 0x79, 0x85, 0x77, 0x1d, 0x34,
+			0x7f, 0x05, 0x45, 0x65, 0x9f, 0x14, 0xe9, 0x9d,
+			0xef, 0x84, 0x2d, 0x8b, 0x00, 0x14, 0x4a, 0x1f,
+			0xec, 0x6a, 0xdf, 0x0c, 0x9a, 0x92, 0x7f, 0xee,
+			0xa6, 0xc5, 0x11, 0x60,
+		},
+		.len = 104,
+	},
+	.salt = {
+		.data = {
+			0x11, 0x22, 0x33, 0x44
+		},
+		.len = 4,
+	},
+
+	.iv = {
+		.data = {
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x4a2cbfe3,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.esn_soft_limit = 0,
+		.replay_win_sz = 0,
+	},
+
+	.aead = true,
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 12,
+				.iv.offset = IV_OFFSET,
+				.digest_length = 16,
+				.aad_length = 12,
+			},
+		},
+	},
+};
+
+#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 43d367b..cf0277d 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -87,6 +87,10 @@ New Features
   Added command-line options to specify total number of processes and
   current process ID. Each process owns subset of Rx and Tx queues.
 
+* **Added lookaside protocol (IPsec) tests in dpdk-test.**
+
+  * Added known vector tests (AES-GCM 128, 192, 256).
+
 
 Removed Items
 -------------
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 2/5] test/crypto: add combined mode IPsec cases
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases Anoob Joseph
@ 2021-09-25 15:35         ` Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
                           ` (3 subsequent siblings)
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj,
	Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add framework to test IPsec features with all supported
combinations of ciphers.

Combined mode tests are used to test all IPsec features against all
ciphers supported by the PMD. The framework is introduced to avoid
testing with any specific algo, thereby making it mandatory to be
supported. Also, testing with all supported combinations will help with
increasing coverage as well.

The tests would first do IPsec encapsulation and do sanity checks. Based
on flags, packet would be updated or additional checks are done,
followed by IPsec decapsulation. Since the encrypted packet is generated
by the test, known vectors are not required.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>

---
 app/test/test_cryptodev.c                |  73 +++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.c | 107 +++++++++++++++++++++++++++++--
 app/test/test_cryptodev_security_ipsec.h |  52 ++++++++++++++-
 3 files changed, 223 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index f7d429b..3eacc66 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8908,7 +8908,8 @@ static int
 test_ipsec_proto_process(const struct ipsec_test_data td[],
 			 struct ipsec_test_data res_d[],
 			 int nb_td,
-			 bool silent)
+			 bool silent,
+			 const struct ipsec_test_flags *flags)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct crypto_unittest_params *ut_params = &unittest_params;
@@ -9025,7 +9026,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, dir);
+		ret = test_ipsec_status_check(ut_params->op, flags, dir);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9033,7 +9034,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
-					      res_d_tmp, silent);
+					      res_d_tmp, silent, flags);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9061,11 +9062,71 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 static int
 test_ipsec_proto_known_vec_inb(const void *td_outb)
 {
+	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;
 
+	memset(&flags, 0, sizeof(flags));
+
 	test_ipsec_td_in_from_out(td_outb, &td_inb);
 
-	return test_ipsec_proto_process(&td_inb, NULL, 1, false);
+	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+	unsigned int i, nb_pkts = 1, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(aead_list); i++) {
+		test_ipsec_td_prepare(&aead_list[i],
+				      NULL,
+				      flags,
+				      td_outb,
+				      nb_pkts);
+
+		ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+					       flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_ipsec_display_alg(&aead_list[i], NULL);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+
+	return test_ipsec_proto_all(&flags);
 }
 
 static int
@@ -13976,6 +14037,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_ST(
+			"Combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_display_list),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 2431fcb..d08e093 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -10,6 +10,8 @@
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+extern struct ipsec_test_data pkt_aes_256_gcm;
+
 int
 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			   const struct rte_security_capability *sec_cap,
@@ -128,6 +130,68 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 	}
 }
 
+void
+test_ipsec_td_prepare(const struct crypto_param *param1,
+		      const struct crypto_param *param2,
+		      const struct ipsec_test_flags *flags,
+		      struct ipsec_test_data *td_array,
+		      int nb_td)
+
+{
+	struct ipsec_test_data *td;
+	int i;
+
+	memset(td_array, 0, nb_td * sizeof(*td));
+
+	for (i = 0; i < nb_td; i++) {
+		td = &td_array[i];
+		/* Copy template for packet & key fields */
+		memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+
+		/* Override fields based on param */
+
+		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			td->aead = true;
+		else
+			td->aead = false;
+
+		td->xform.aead.aead.algo = param1->alg.aead;
+		td->xform.aead.aead.key.length = param1->key_length;
+	}
+
+	RTE_SET_USED(flags);
+	RTE_SET_USED(param2);
+}
+
+void
+test_ipsec_td_update(struct ipsec_test_data td_inb[],
+		     const struct ipsec_test_data td_outb[],
+		     int nb_td,
+		     const struct ipsec_test_flags *flags)
+{
+	int i;
+
+	for (i = 0; i < nb_td; i++) {
+		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
+		       td_outb[i].input_text.len);
+		td_inb[i].output_text.len = td_outb->input_text.len;
+	}
+
+	RTE_SET_USED(flags);
+}
+
+void
+test_ipsec_display_alg(const struct crypto_param *param1,
+		       const struct crypto_param *param2)
+{
+	if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+		printf("\t%s [%d]\n",
+		       rte_crypto_aead_algorithm_strings[param1->alg.aead],
+		       param1->key_length);
+
+	RTE_SET_USED(param2);
+}
+
 static int
 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 {
@@ -148,7 +212,7 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 
 static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
-		     bool silent)
+		     bool silent, const struct ipsec_test_flags *flags)
 {
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
@@ -177,12 +241,37 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
+
+	return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
+		   struct ipsec_test_data *res_d)
+{
+	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	uint32_t len = rte_pktmbuf_pkt_len(m);
+
+	memcpy(res_d, td, sizeof(*res_d));
+	memcpy(res_d->input_text.data, output_text, len);
+	res_d->input_text.len = len;
+
+	res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
+	if (res_d->aead) {
+		res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
+	} else {
+		printf("Only AEAD supported\n");
+		return TEST_SKIPPED;
+	}
+
 	return TEST_SUCCESS;
 }
 
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
-			struct ipsec_test_data *res_d, bool silent)
+			struct ipsec_test_data *res_d, bool silent,
+			const struct ipsec_test_flags *flags)
 {
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
@@ -190,13 +279,22 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	 * For inbound, output_text would be plain packet and for outbound
 	 * output_text would IPsec packet. Validate by comparing against
 	 * known vectors.
+	 *
+	 * In case of combined mode tests, the output_text from outbound
+	 * operation (ie, IPsec packet) would need to be inbound processed to
+	 * obtain the plain text. Copy output_text to result data, 'res_d', so
+	 * that inbound processing can be done.
 	 */
-	RTE_SET_USED(res_d);
-	return test_ipsec_td_verify(m, td, silent);
+
+	if (res_d == NULL)
+		return test_ipsec_td_verify(m, td, silent, flags);
+	else
+		return test_ipsec_res_d_prepare(m, td, res_d);
 }
 
 int
 test_ipsec_status_check(struct rte_crypto_op *op,
+			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir)
 {
 	int ret = TEST_SUCCESS;
@@ -206,6 +304,7 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 		ret = TEST_FAILED;
 	}
 
+	RTE_SET_USED(flags);
 	RTE_SET_USED(dir);
 
 	return ret;
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 5f1b46d..cbb3ee4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define IPSEC_TEST_PACKETS_MAX 32
+
 struct ipsec_test_data {
 	struct {
 		uint8_t data[32];
@@ -45,6 +47,38 @@ struct ipsec_test_data {
 	} xform;
 };
 
+struct ipsec_test_flags {
+	bool display_alg;
+};
+
+struct crypto_param {
+	enum rte_crypto_sym_xform_type type;
+	union {
+		enum rte_crypto_cipher_algorithm cipher;
+		enum rte_crypto_auth_algorithm auth;
+		enum rte_crypto_aead_algorithm aead;
+	} alg;
+	uint16_t key_length;
+};
+
+static const struct crypto_param aead_list[] = {
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 16,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 24,
+	},
+	{
+		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
+		.key_length = 32
+	},
+};
+
 int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 			       const struct rte_security_capability *sec_cap,
 			       bool silent);
@@ -56,11 +90,27 @@ int test_ipsec_crypto_caps_aead_verify(
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);
 
+void test_ipsec_td_prepare(const struct crypto_param *param1,
+			   const struct crypto_param *param2,
+			   const struct ipsec_test_flags *flags,
+			   struct ipsec_test_data *td_array,
+			   int nb_td);
+
+void test_ipsec_td_update(struct ipsec_test_data td_inb[],
+			  const struct ipsec_test_data td_outb[],
+			  int nb_td,
+			  const struct ipsec_test_flags *flags);
+
+void test_ipsec_display_alg(const struct crypto_param *param1,
+			    const struct crypto_param *param2);
+
 int test_ipsec_post_process(struct rte_mbuf *m,
 			    const struct ipsec_test_data *td,
-			    struct ipsec_test_data *res_d, bool silent);
+			    struct ipsec_test_data *res_d, bool silent,
+			    const struct ipsec_test_flags *flags);
 
 int test_ipsec_status_check(struct rte_crypto_op *op,
+			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir);
 
 #endif
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 3/5] test/crypto: add lookaside IPsec ICV corrupt test case
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 2/5] test/crypto: add combined mode " Anoob Joseph
@ 2021-09-25 15:35         ` Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 4/5] test/crypto: add IV gen cases for IPsec Anoob Joseph
                           ` (2 subsequent siblings)
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Add negative test to validate IPsec inbound processing failure with ICV
corruption. The tests would first do IPsec encapsulation and corrupt
ICV of the generated IPsec packet. Then the packet is submitted to IPsec
outbound processing for decapsulation. Test case would validate that PMD
returns an error in such cases.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
---
 app/test/test_cryptodev.c                | 16 ++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 30 ++++++++++++++++++++----------
 app/test/test_cryptodev_security_ipsec.h |  1 +
 doc/guides/rel_notes/release_21_11.rst   |  1 +
 4 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3eacc66..bfaca1d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9130,6 +9130,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.icv_corrupt = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14041,6 +14053,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Negative test: ICV corruption",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_err_icv_corrupt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index d08e093..aebbe66 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -175,9 +175,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 		memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
-	}
 
-	RTE_SET_USED(flags);
+		if (flags->icv_corrupt) {
+			int icv_pos = td_inb[i].input_text.len - 4;
+			td_inb[i].input_text.data[icv_pos] += 1;
+		}
+	}
 }
 
 void
@@ -217,6 +220,11 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 	uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
+	/* For negative tests, no need to do verification */
+	if (flags->icv_corrupt &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+		return TEST_SUCCESS;
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
@@ -241,8 +249,6 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		return TEST_FAILED;
 	}
 
-	RTE_SET_USED(flags);
-
 	return TEST_SUCCESS;
 }
 
@@ -299,13 +305,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
 	int ret = TEST_SUCCESS;
 
-	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
-		printf("Security op processing failed\n");
-		ret = TEST_FAILED;
+	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("ICV corruption test case failed\n");
+			ret = TEST_FAILED;
+		}
+	} else {
+		if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			printf("Security op processing failed\n");
+			ret = TEST_FAILED;
+		}
 	}
 
-	RTE_SET_USED(flags);
-	RTE_SET_USED(dir);
-
 	return ret;
 }
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index cbb3ee4..134fc3a 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -49,6 +49,7 @@ struct ipsec_test_data {
 
 struct ipsec_test_flags {
 	bool display_alg;
+	bool icv_corrupt;
 };
 
 struct crypto_param {
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index cf0277d..8fc5844 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -90,6 +90,7 @@ New Features
 * **Added lookaside protocol (IPsec) tests in dpdk-test.**
 
   * Added known vector tests (AES-GCM 128, 192, 256).
+  * Added tests to verify error reporting with ICV corruption.
 
 
 Removed Items
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 4/5] test/crypto: add IV gen cases for IPsec
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
                           ` (2 preceding siblings ...)
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
@ 2021-09-25 15:35         ` Anoob Joseph
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 5/5] test/crypto: add UDP encapsulated IPsec test cases Anoob Joseph
  2021-09-28  7:49         ` [dpdk-dev] [PATCH v5 0/5] Add lookaside IPsec tests Akhil Goyal
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Added cases to verify IV generated by PMD for lookaside IPsec.

The tests compare IV generated for a batch of packets and ensures that
IV is not getting repeated in the batch.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>

---
 app/test/test_cryptodev.c                | 19 ++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 52 ++++++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 doc/guides/rel_notes/release_21_11.rst   |  1 +
 4 files changed, 73 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index bfaca1d..956541e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9080,6 +9080,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
 	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	if (flags->iv_gen)
+		nb_pkts = IPSEC_TEST_PACKETS_MAX;
+
 	for (i = 0; i < RTE_DIM(aead_list); i++) {
 		test_ipsec_td_prepare(&aead_list[i],
 				      NULL,
@@ -9130,6 +9133,18 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_iv_gen(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.iv_gen = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 {
 	struct ipsec_test_flags flags;
@@ -14054,6 +14069,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_display_list),
 		TEST_CASE_NAMED_ST(
+			"IV generation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_iv_gen),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index aebbe66..78c7f3a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -4,12 +4,15 @@
 
 #include <rte_common.h>
 #include <rte_cryptodev.h>
+#include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
 
+#define IV_LEN_MAX 16
+
 extern struct ipsec_test_data pkt_aes_256_gcm;
 
 int
@@ -214,6 +217,46 @@ test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 }
 
 static int
+test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
+{
+	static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
+	uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
+	int i, iv_pos, iv_len;
+	static int index;
+
+	if (td->aead)
+		iv_len = td->xform.aead.aead.iv.length - td->salt.len;
+	else
+		iv_len = td->xform.chain.cipher.cipher.iv.length;
+
+	iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
+	output_text += iv_pos;
+
+	TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
+
+	/* Compare against previous values */
+	for (i = 0; i < index; i++) {
+		iv_tmp = &iv_queue[i * IV_LEN_MAX];
+
+		if (memcmp(output_text, iv_tmp, iv_len) == 0) {
+			printf("IV repeated");
+			return TEST_FAILED;
+		}
+	}
+
+	/* Save IV for future comparisons */
+
+	iv_tmp = &iv_queue[index * IV_LEN_MAX];
+	memcpy(iv_tmp, output_text, iv_len);
+	index++;
+
+	if (index == IPSEC_TEST_PACKETS_MAX)
+		index = 0;
+
+	return TEST_SUCCESS;
+}
+
+static int
 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		     bool silent, const struct ipsec_test_flags *flags)
 {
@@ -279,6 +322,15 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 			struct ipsec_test_data *res_d, bool silent,
 			const struct ipsec_test_flags *flags)
 {
+	int ret;
+
+	if (flags->iv_gen &&
+	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+		ret = test_ipsec_iv_verify_push(m, td);
+		if (ret != TEST_SUCCESS)
+			return ret;
+	}
+
 	/*
 	 * In case of known vector tests & all inbound tests, res_d provided
 	 * would be NULL and output data need to be validated against expected.
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 134fc3a..d2ec63f 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
 struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
+	bool iv_gen;
 };
 
 struct crypto_param {
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 8fc5844..cda0a92 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -91,6 +91,7 @@ New Features
 
   * Added known vector tests (AES-GCM 128, 192, 256).
   * Added tests to verify error reporting with ICV corruption.
+  * Added tests to verify IV generation.
 
 
 Removed Items
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* [dpdk-dev] [PATCH v5 5/5] test/crypto: add UDP encapsulated IPsec test cases
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
                           ` (3 preceding siblings ...)
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 4/5] test/crypto: add IV gen cases for IPsec Anoob Joseph
@ 2021-09-25 15:35         ` Anoob Joseph
  2021-09-28  7:49         ` [dpdk-dev] [PATCH v5 0/5] Add lookaside IPsec tests Akhil Goyal
  5 siblings, 0 replies; 49+ messages in thread
From: Anoob Joseph @ 2021-09-25 15:35 UTC (permalink / raw)
  To: Akhil Goyal, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal,
	Radu Nicolau, Ciara Power, Gagandeep Singh, dev, Anoob Joseph

From: Tejasree Kondoj <ktejasree@marvell.com>

Add tests to verify UDP encapsulation with IPsec. The tests have IPsec
packets generated from plain packets and verifies that UDP header is
added. Subsequently, the packets are decapsulated and then resultant
packet is verified by comparing against original packet.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
Acked-by: Ciara Power <ciara.power@intel.com>

---
 app/test/test_cryptodev.c                | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 28 ++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h |  1 +
 doc/guides/rel_notes/release_21_11.rst   |  1 +
 4 files changed, 49 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 956541e..bc2490b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -8946,6 +8946,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	sec_cap_idx.ipsec.mode = ipsec_xform.mode;
 	sec_cap_idx.ipsec.direction = ipsec_xform.direction;
 
+	if (flags->udp_encap)
+		ipsec_xform.options.udp_encap = 1;
+
 	sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
 	if (sec_cap == NULL)
 		return TEST_SKIPPED;
@@ -9157,6 +9160,18 @@ test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 }
 
 static int
+test_ipsec_proto_udp_encap(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.udp_encap = true;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
 test_PDCP_PROTO_all(void)
 {
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14073,6 +14088,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_iv_gen),
 		TEST_CASE_NAMED_ST(
+			"UDP encapsulation",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_udp_encap),
+		TEST_CASE_NAMED_ST(
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 78c7f3a..5b54996 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -7,6 +7,7 @@
 #include <rte_esp.h>
 #include <rte_ip.h>
 #include <rte_security.h>
+#include <rte_udp.h>
 
 #include "test.h"
 #include "test_cryptodev_security_ipsec.h"
@@ -183,6 +184,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
 			int icv_pos = td_inb[i].input_text.len - 4;
 			td_inb[i].input_text.data[icv_pos] += 1;
 		}
+
+		if (flags->udp_encap)
+			td_inb[i].ipsec_xform.options.udp_encap = 1;
 	}
 }
 
@@ -268,6 +272,30 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	    td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 		return TEST_SUCCESS;
 
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+	   flags->udp_encap) {
+		const struct rte_ipv4_hdr *iph4;
+		const struct rte_ipv6_hdr *iph6;
+
+		if (td->ipsec_xform.tunnel.type ==
+				RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+			iph4 = (const struct rte_ipv4_hdr *)output_text;
+			if (iph4->next_proto_id != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		} else {
+			iph6 = (const struct rte_ipv6_hdr *)output_text;
+			if (iph6->proto != IPPROTO_UDP) {
+				printf("UDP header is not found\n");
+				return TEST_FAILED;
+			}
+		}
+
+		len -= sizeof(struct rte_udp_hdr);
+		output_text += sizeof(struct rte_udp_hdr);
+	}
+
 	if (len != td->output_text.len) {
 		printf("Output length (%d) not matching with expected (%d)\n",
 			len, td->output_text.len);
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index d2ec63f..e1645f4 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -51,6 +51,7 @@ struct ipsec_test_flags {
 	bool display_alg;
 	bool icv_corrupt;
 	bool iv_gen;
+	bool udp_encap;
 };
 
 struct crypto_param {
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index cda0a92..30c9ccf 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -92,6 +92,7 @@ New Features
   * Added known vector tests (AES-GCM 128, 192, 256).
   * Added tests to verify error reporting with ICV corruption.
   * Added tests to verify IV generation.
+  * Added tests to verify UDP encapsulation.
 
 
 Removed Items
-- 
2.7.4


^ permalink raw reply	[flat|nested] 49+ messages in thread

* Re: [dpdk-dev] [PATCH v5 0/5] Add lookaside IPsec tests
  2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
                           ` (4 preceding siblings ...)
  2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 5/5] test/crypto: add UDP encapsulated IPsec test cases Anoob Joseph
@ 2021-09-28  7:49         ` Akhil Goyal
  5 siblings, 0 replies; 49+ messages in thread
From: Akhil Goyal @ 2021-09-28  7:49 UTC (permalink / raw)
  To: Anoob Joseph, Declan Doherty, Fan Zhang, Konstantin Ananyev
  Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti,
	Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power,
	Gagandeep Singh, dev

> Add lookaside IPsec functional tests. Known vector tests and
> combined mode framework is added.
> 
> Known vectors are outbound vectors based on
> https://datatracker.ietf.org/doc/html/draft-mcgrew-gcm-test-01
> 
> The vectors are updated to have sequence number as 1 & L4 checksum
> computed correctly. And they have following properties,
> 1. ESP
> 2. Tunnel mode
> 3. IPv4
> 4. IPv4 tunnel
> 
> Known vector tests for inbound operation would generate test vectors by
> reversing outbound known vectors. The input_text would become encrypted
> packet and output_text would be the plain packet. Tests would then validate
> the operation by comparing against plain packet.
> 
> Combined mode tests are used to test all IPsec features against all ciphers
> supported by the PMD. The framework is introduced to avoid testing
> with any specific algo, thereby making it mandatory to be supported. Also,
> testing with all supported combinations will help with increasing coverage
> as well.
> 
> Four test cases use combined mode,
> 1. Display algo coverage and basic in + out tests
> 2. Negative test for ICV corruption
> 3. IV generation
> 4. UDP encapsulation
> 
> IV generation test case compares IV generated for a batch of packets and
> returns
> failure if IV is repeated.
> 
> Upcoming additions,
> 1. AES-CBC-SHA1-HMAC known vectors & combined mode
> 2. IPv6
> 3. Transport
> 4. Mixed mode (IPv4-in-IPv6 etc, all combinations)
> 
> Tested with following PMDs
> 1. crypto_octeontx2
> 2. crypto_cn10k
> 3. crypto_cn9k
> 
> Changes in v5:
> - Fixed lack of return check with dev_configure_and_start() (comment from
> Akhil)
> - Adjusted patch title and description (comment from Akhil)
> 
Applied to dpdk-next-crypto

Thanks.

^ permalink raw reply	[flat|nested] 49+ messages in thread

end of thread, other threads:[~2021-09-28  7:49 UTC | newest]

Thread overview: 49+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-29 10:43 [dpdk-dev] [PATCH 21.11 0/3] Add lookaside IPsec tests Anoob Joseph
2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 1/3] test/crypto: add " Anoob Joseph
2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 2/3] test/crypto: add combined mode tests Anoob Joseph
2021-07-29 10:43 ` [dpdk-dev] [PATCH 21.11 3/3] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
2021-08-11  9:45 ` [dpdk-dev] [PATCH v2 0/4] Add lookaside IPsec tests Anoob Joseph
2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 1/4] test/crypto: add " Anoob Joseph
2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 2/4] test/crypto: add combined mode tests Anoob Joseph
2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 3/4] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
2021-08-11  9:45   ` [dpdk-dev] [PATCH v2 4/4] test/crypto: add IV gen tests Anoob Joseph
2021-09-03  4:46   ` [dpdk-dev] [PATCH v3 0/5] Add lookaside IPsec tests Anoob Joseph
2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 1/5] test/crypto: add " Anoob Joseph
2021-09-03  9:38       ` Power, Ciara
2021-09-03  9:46         ` Anoob Joseph
2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 2/5] test/crypto: add combined mode tests Anoob Joseph
2021-09-03  9:42       ` Power, Ciara
2021-09-03 10:04         ` Anoob Joseph
2021-09-03 15:04           ` Power, Ciara
2021-09-03 16:14             ` Anoob Joseph
2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 4/5] test/crypto: add IV gen tests Anoob Joseph
2021-09-03  4:46     ` [dpdk-dev] [PATCH v3 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
2021-09-17 13:15     ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Anoob Joseph
2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 1/5] test/crypto: add " Anoob Joseph
2021-09-21 16:08         ` Akhil Goyal
2021-09-23  4:48           ` Anoob Joseph
2021-09-23 10:39         ` Power, Ciara
2021-09-23 11:08           ` Anoob Joseph
2021-09-23 11:26             ` Power, Ciara
2021-09-23 11:30               ` Anoob Joseph
2021-09-24  8:42         ` Hemant Agrawal
2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 2/5] test/crypto: add combined mode tests Anoob Joseph
2021-09-21 16:22         ` Akhil Goyal
2021-09-24  7:23         ` Hemant Agrawal
2021-09-24  8:12           ` [dpdk-dev] [EXT] " Anoob Joseph
2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
2021-09-21 16:25         ` Akhil Goyal
2021-09-24  8:43           ` Hemant Agrawal
2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 4/5] test/crypto: add IV gen tests Anoob Joseph
2021-09-21 16:31         ` Akhil Goyal
2021-09-17 13:15       ` [dpdk-dev] [PATCH v4 5/5] test/crypto: add UDP encapsulation test cases Anoob Joseph
2021-09-21 16:35         ` Akhil Goyal
2021-09-23 13:34       ` [dpdk-dev] [PATCH v4 0/5] Add lookaside IPsec tests Power, Ciara
2021-09-25 15:35       ` [dpdk-dev] [PATCH v5 " Anoob Joseph
2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 1/5] test/crypto: add lookaside IPsec cases Anoob Joseph
2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 2/5] test/crypto: add combined mode " Anoob Joseph
2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 3/5] test/crypto: add lookaside IPsec ICV corrupt test case Anoob Joseph
2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 4/5] test/crypto: add IV gen cases for IPsec Anoob Joseph
2021-09-25 15:35         ` [dpdk-dev] [PATCH v5 5/5] test/crypto: add UDP encapsulated IPsec test cases Anoob Joseph
2021-09-28  7:49         ` [dpdk-dev] [PATCH v5 0/5] Add lookaside IPsec tests Akhil Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).