From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 8484DA0351; Mon, 31 Jan 2022 16:52:13 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1638F4121E; Mon, 31 Jan 2022 16:52:13 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 9C96D411E1 for ; Mon, 31 Jan 2022 16:52:11 +0100 (CET) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 20VE0XFU018867; Mon, 31 Jan 2022 07:52:09 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=HLpBgMk084fKvRMhffFXHwxb+JYtHyHOyWuA9NIriwE=; b=lKWdIvy1VeDY+zPC8MoUTjLjjJPjxRxQjjLoXiv23B00KnqQ9Y75DX5JxSH5Z+kTdpMp wcHzhljxaV090dvPyf6ELNheCO5qdtGXp94NOze/BYocfmDXcLxb1JZXa0VZ/nG52rnk LNHirLsWGpAHw0l5QfIoQZ7+7x2EU6ckV/no9Ny5unGRc6H4+up/D5308jnB1uisIb/v onQ106udlap7mRuKO4LIXYGlr/7b44AHwjCosymKVaUi4aKu2zl7hI2hSHxc9zyyTgdy kD4OYxKy1cmAlV2FfoFh/3zl4bk2TP2X3lhDYAXHtQA9CiW91fEOU/C9NoDzNGXDfiOR Xg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com (PPS) with ESMTPS id 3dx1pa2e6g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 31 Jan 2022 07:52:09 -0800 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Mon, 31 Jan 2022 07:52:08 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Mon, 31 Jan 2022 07:52:08 -0800 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 7D7B63F7098; Mon, 31 Jan 2022 07:52:04 -0800 (PST) From: Tejasree Kondoj To: Akhil Goyal , Declan Doherty , Fan Zhang , "Pablo de Lara" CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Archana Muniganti , Hemant Agrawal , Radu Nicolau , Ciara Power , "Gagandeep Singh" , Subject: [PATCH v2 2/2] test/cryptodev: add ESN and Antireplay tests Date: Mon, 31 Jan 2022 22:13:57 +0530 Message-ID: <20220131164357.19126-3-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20220131164357.19126-1-ktejasree@marvell.com> References: <20220131164357.19126-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-ORIG-GUID: HIMff1hbX-1xx2-xXlI_RpwxCUj9TynX X-Proofpoint-GUID: HIMff1hbX-1xx2-xXlI_RpwxCUj9TynX X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.816,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2022-01-31_07,2022-01-31_01,2021-12-02_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Adding test cases for IPsec ESN and Antireplay. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 186 +++++++++++++++++- app/test/test_cryptodev_security_ipsec.c | 23 ++- app/test/test_cryptodev_security_ipsec.h | 6 +- ...st_cryptodev_security_ipsec_test_vectors.h | 1 + doc/guides/rel_notes/release_22_03.rst | 5 + 5 files changed, 217 insertions(+), 4 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 47ad991c31..3536b65c52 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9292,6 +9292,18 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], return TEST_SKIPPED; for (i = 0; i < nb_td; i++) { + if (flags->antireplay && + (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) { + sess_conf.ipsec.esn.value = td[i].ipsec_xform.esn.value; + ret = rte_security_session_update(ctx, + ut_params->sec_session, &sess_conf); + if (ret) { + printf("Could not update sequence number in " + "session\n"); + return TEST_SKIPPED; + } + } + /* Setup source mbuf payload */ ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool); memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0, @@ -9344,7 +9356,8 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Process crypto operation */ process_crypto_request(dev_id, ut_params->op); - ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1); + ret = test_ipsec_status_check(&td[i], ut_params->op, flags, dir, + i + 1); if (ret != TEST_SUCCESS) goto crypto_op_free; @@ -9895,6 +9908,150 @@ test_ipsec_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_pkt_replay(const void *test_data, const uint64_t esn[], + bool replayed_pkt[], uint32_t nb_pkts, bool esn_en, + uint64_t winsz) +{ + struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX]; + struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX]; + struct ipsec_test_flags flags; + uint32_t i = 0, ret = 0; + + memset(&flags, 0, sizeof(flags)); + flags.antireplay = true; + + for (i = 0; i < nb_pkts; i++) { + memcpy(&td_outb[i], test_data, sizeof(td_outb[i])); + td_outb[i].ipsec_xform.options.iv_gen_disable = 1; + td_outb[i].ipsec_xform.replay_win_sz = winsz; + td_outb[i].ipsec_xform.options.esn = esn_en; + } + + for (i = 0; i < nb_pkts; i++) + td_outb[i].ipsec_xform.esn.value = esn[i]; + + ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, + &flags); + if (ret != TEST_SUCCESS) + return ret; + + test_ipsec_td_update(td_inb, td_outb, nb_pkts, &flags); + + for (i = 0; i < nb_pkts; i++) { + td_inb[i].ipsec_xform.options.esn = esn_en; + /* Set antireplay flag for packets to be dropped */ + td_inb[i].ar_packet = replayed_pkt[i]; + } + + ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true, + &flags); + + return ret; +} + +static int +test_ipsec_proto_pkt_antireplay(const void *test_data, uint64_t winsz) +{ + + uint32_t nb_pkts = 5; + bool replayed_pkt[5]; + uint64_t esn[5]; + + /* 1. Advance the TOP of the window to WS * 2 */ + esn[0] = winsz * 2; + /* 2. Test sequence number within the new window(WS + 1) */ + esn[1] = winsz + 1; + /* 3. Test sequence number less than the window BOTTOM */ + esn[2] = winsz; + /* 4. Test sequence number in the middle of the window */ + esn[3] = winsz + (winsz / 2); + /* 5. Test replay of the packet in the middle of the window */ + esn[4] = winsz + (winsz / 2); + + replayed_pkt[0] = false; + replayed_pkt[1] = false; + replayed_pkt[2] = true; + replayed_pkt[3] = false; + replayed_pkt[4] = true; + + return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts, + false, winsz); +} + +static int +test_ipsec_proto_pkt_antireplay1024(const void *test_data) +{ + return test_ipsec_proto_pkt_antireplay(test_data, 1024); +} + +static int +test_ipsec_proto_pkt_antireplay2048(const void *test_data) +{ + return test_ipsec_proto_pkt_antireplay(test_data, 2048); +} + +static int +test_ipsec_proto_pkt_antireplay4096(const void *test_data) +{ + return test_ipsec_proto_pkt_antireplay(test_data, 4096); +} + +static int +test_ipsec_proto_pkt_esn_antireplay(const void *test_data, uint64_t winsz) +{ + + uint32_t nb_pkts = 7; + bool replayed_pkt[7]; + uint64_t esn[7]; + + /* Set the initial sequence number */ + esn[0] = (uint64_t)(0xFFFFFFFF - winsz); + /* 1. Advance the TOP of the window to (1<<32 + WS/2) */ + esn[1] = (uint64_t)((1ULL << 32) + (winsz / 2)); + /* 2. Test sequence number within new window (1<<32 + WS/2 + 1) */ + esn[2] = (uint64_t)((1ULL << 32) - (winsz / 2) + 1); + /* 3. Test with sequence number within window (1<<32 - 1) */ + esn[3] = (uint64_t)((1ULL << 32) - 1); + /* 4. Test with sequence number within window (1<<32 - 1) */ + esn[4] = (uint64_t)(1ULL << 32); + /* 5. Test with duplicate sequence number within + * new window (1<<32 - 1) + */ + esn[5] = (uint64_t)((1ULL << 32) - 1); + /* 6. Test with duplicate sequence number within new window (1<<32) */ + esn[6] = (uint64_t)(1ULL << 32); + + replayed_pkt[0] = false; + replayed_pkt[1] = false; + replayed_pkt[2] = false; + replayed_pkt[3] = false; + replayed_pkt[4] = false; + replayed_pkt[5] = true; + replayed_pkt[6] = true; + + return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts, + true, winsz); +} + +static int +test_ipsec_proto_pkt_esn_antireplay1024(const void *test_data) +{ + return test_ipsec_proto_pkt_esn_antireplay(test_data, 1024); +} + +static int +test_ipsec_proto_pkt_esn_antireplay2048(const void *test_data) +{ + return test_ipsec_proto_pkt_esn_antireplay(test_data, 2048); +} + +static int +test_ipsec_proto_pkt_esn_antireplay4096(const void *test_data) +{ + return test_ipsec_proto_pkt_esn_antireplay(test_data, 4096); +} + static int test_PDCP_PROTO_all(void) { @@ -14965,6 +15122,33 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Tunnel header IPv6 set DSCP 1 (inner 0)", ut_setup_security, ut_teardown, test_ipsec_proto_ipv6_set_dscp_1_inner_0), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 1024", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_antireplay1024, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 2048", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_antireplay2048, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Antireplay with window size 4096", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_antireplay4096, &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 1024", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_esn_antireplay1024, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 2048", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_esn_antireplay2048, + &pkt_aes_128_gcm), + TEST_CASE_NAMED_WITH_DATA( + "ESN and Antireplay with window size 4096", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_esn_antireplay4096, + &pkt_aes_128_gcm), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 54f59c7f79..eb775eb08a 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -176,6 +176,13 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) { + if (!silent) + RTE_LOG(INFO, USER1, + "Replay window size is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -654,7 +661,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || flags->sa_expiry_pkts_hard || - flags->tunnel_hdr_verify)) + flags->tunnel_hdr_verify || + td->ar_packet)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -921,13 +929,24 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, } int -test_ipsec_status_check(struct rte_crypto_op *op, +test_ipsec_status_check(const struct ipsec_test_data *td, + struct rte_crypto_op *op, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir, int pkt_num) { int ret = TEST_SUCCESS; + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + td->ar_packet) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("Anti replay test case failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->sa_expiry_pkts_hard && pkt_num == IPSEC_TEST_PACKETS_MAX) { diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index c4ecfafca6..a15c1d3015 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -40,6 +40,8 @@ struct ipsec_test_data { struct rte_security_ipsec_xform ipsec_xform; bool aead; + /* Antireplay packet */ + bool ar_packet; union { struct { @@ -82,6 +84,7 @@ struct ipsec_test_flags { bool transport; bool fragment; bool stats_success; + bool antireplay; enum df_flags df; enum dscp_flags dscp; }; @@ -234,7 +237,8 @@ int test_ipsec_post_process(struct rte_mbuf *m, struct ipsec_test_data *res_d, bool silent, const struct ipsec_test_flags *flags); -int test_ipsec_status_check(struct rte_crypto_op *op, +int test_ipsec_status_check(const struct ipsec_test_data *td, + struct rte_crypto_op *op, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir, int pkt_num); diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 85cd6c51a8..fe2fd855df 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -102,6 +102,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, .replay_win_sz = 0, + .esn.low = 1, }, .aead = true, diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 3bc0630c7c..60598432c3 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -69,6 +69,11 @@ New Features The new API ``rte_event_eth_rx_adapter_event_port_get()`` was added. +* **Updated lookaside protocol (IPsec) tests in dpdk-test.** + + * Added test cases to verify copy and set DSCP with IPv4 and IPv6 tunnels. + * Added ESN and anti-replay support. + Removed Items ------------- -- 2.27.0