* [PATCH 00/13] Add new cases to lookaside IPsec tests
From: Anoob Joseph @ 2021-12-06 7:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add new tests to lookaside IPsec tests.

* Support for chained operations.
* AES-CBC 128 NULL auth known vector tests.
* AES-CBC 128 HMAC-SHA256 known vector tests.
* AES-CBC 128 HMAC-SHA384 known vector tests.
* AES-CBC 128 HMAC-SHA512 known vector tests.
* NULL cipher AES-XCBC known vector tests.
* Tunnel mode tests
  * IPv6 in IPv6
  * IPv4 in IPv4
  * IPv4 in IPv6
  * IPv6 in IPv4
* IPv4 transport mode tests.
* Security stats tests.
* AES-CTR tests.
* set/copy DF tests.

Ankur Dwivedi (1):
  test/crypto: add security stats cases

Anoob Joseph (5):
  test/crypto: add IPsec aes-cbc known vectors
  test/crypto: add chained operations in combined cases
  test/crypto: add transport mode cases
  test/crypto: add aes xcbc known vectors
  test/crypto: add copy and set DF cases

Tejasree Kondoj (7):
  test/crypto: add IPsec AES-CBC-HMAC-SHA256 known vectors
  test/crypto: add IPv6 tunnel mode cases
  test/crypto: add IPsec HMAC-SHA384/512 known vectors
  test/crypto: add IPsec fragmented packet known vectors
  test/crypto: add lookaside IPsec AES-CTR known vectors
  test/crypto: add fragmented packet case
  test/crypto: skip null auth in ICV corrupt case

 app/test/test_cryptodev.c                          | 395 +++++++++-
 app/test/test_cryptodev_security_ipsec.c           | 352 ++++++++-
 app/test/test_cryptodev_security_ipsec.h           | 113 +++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 828 +++++++++++++++++++++
 doc/guides/rel_notes/release_22_03.rst             |  18 +
 5 files changed, 1664 insertions(+), 42 deletions(-)

--
2.7.4

* [PATCH 01/13] test/crypto: add IPsec aes-cbc known vectors
From: Anoob Joseph @ 2021-12-06 7:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Extend the framework to support chained operations and add AES-CBC 128
known vector tests.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.c                          |  62 ++++++++++--
 app/test/test_cryptodev_security_ipsec.c           |  51 ++++++++++
 app/test/test_cryptodev_security_ipsec.h           |   8 ++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 110 +++++++++++++++++++++
 4 files changed, 222 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 293f59b..1e4b690 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c 
@@ -9191,23 +9191,59 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], return TEST_SKIPPED; } } else { - /* Only AEAD supported now */ - return TEST_SKIPPED; + memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher, + sizeof(ut_params->cipher_xform)); + memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth, + sizeof(ut_params->auth_xform)); + ut_params->cipher_xform.cipher.key.data = td[0].key.data; + ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET; + ut_params->auth_xform.auth.key.data = td[0].key.data; + + /* Verify crypto capabilities */ + + if (test_ipsec_crypto_caps_cipher_verify( + sec_cap, + &ut_params->cipher_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Cipher crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + + if (test_ipsec_crypto_caps_auth_verify( + sec_cap, + &ut_params->auth_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Auth crypto capabilities not supported\n"); + return TEST_SKIPPED; + } } if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0) return TEST_SKIPPED; - salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); - memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); - struct rte_security_session_conf sess_conf = { .action_type = ut_params->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, - .ipsec = ipsec_xform, - .crypto_xform = &ut_params->aead_xform, }; + if (td[0].aead) { + salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); + memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); + sess_conf.ipsec = ipsec_xform; + sess_conf.crypto_xform = &ut_params->aead_xform; + } else { + sess_conf.ipsec = ipsec_xform; + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sess_conf.crypto_xform = &ut_params->cipher_xform; + ut_params->cipher_xform.next = &ut_params->auth_xform; + } else { + sess_conf.crypto_xform = &ut_params->auth_xform; + ut_params->auth_xform.next = &ut_params->cipher_xform; + } + } + /* Create security session */ ut_params->sec_session = 
rte_security_session_create(ctx, &sess_conf, ts_params->session_mpool, @@ -9316,14 +9352,18 @@ test_ipsec_proto_known_vec(const void *test_data) } static int -test_ipsec_proto_known_vec_inb(const void *td_outb) +test_ipsec_proto_known_vec_inb(const void *test_data) { + const struct ipsec_test_data *td = test_data; struct ipsec_test_flags flags; struct ipsec_test_data td_inb; memset(&flags, 0, sizeof(flags)); - test_ipsec_td_in_from_out(td_outb, &td_inb); + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + test_ipsec_td_in_from_out(td, &td_inb); + else + memcpy(&td_inb, td, sizeof(td_inb)); return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags); } @@ -14394,6 +14434,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 4708803..45960bf 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -150,6 +150,57 @@ test_ipsec_crypto_caps_aead_verify( return -ENOTSUP; } +int +test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == cipher->type && + cap->sym.cipher.algo == cipher->cipher.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_cipher(sym_cap, + cipher->cipher.key.length, + cipher->cipher.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + +int +test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == auth->type && + cap->sym.auth.algo == auth->auth.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_auth(sym_cap, + auth->auth.key.length, + auth->auth.digest_length, + auth->auth.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 7628d0c..91c6cd4 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h 
@@ -96,6 +96,14 @@ int test_ipsec_crypto_caps_aead_verify( const struct rte_security_capability *sec_cap, struct rte_crypto_sym_xform *aead); +int test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher); + +int test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth); + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in); diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index bb95d00..bf831e9 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -324,4 +324,114 @@ struct ipsec_test_data pkt_aes_256_gcm = { }, }; +/* Known vectors for AES-CBC + * https://datatracker.ietf.org/doc/html/rfc3602#section-4 + */ + +struct ipsec_test_data pkt_aes_128_cbc_null = { + .key = { + .data = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + }, + }, + .input_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00, + 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0, + 0x01, 0x01, 0xa8, 0xc0, + + /* ESP */ + 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02, + + /* IV */ + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + + /* Data */ + 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22, + 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c, + 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01, + 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8, + 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad, + 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6, + 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b, + 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5, + 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2, + 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a, + 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5, + 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d, + }, + .len = 140, + }, + .output_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00, + 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03, + 0xc0, 0xa8, 0x7b, 0xc8, + + /* ICMP */ + 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00, + 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 
0x0a, 0x04, + }, + .len = 84, + }, + .iv = { + .data = { + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + }, + }, + + .ipsec_xform = { + .spi = 0x8765, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_DECRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .algo = RTE_CRYPTO_AUTH_NULL, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
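Review bot: In test_ipsec_proto_process() (test_cryptodev.c, hunk at -9191), the new chained-xform branch sets ut_params->auth_xform.auth.key.data = td[0].key.data, so the auth transform points at the cipher key buffer. That is harmless for the only vector added here, since pkt_aes_128_cbc_null uses RTE_CRYPTO_AUTH_NULL, but any non-NULL auth vector run through this path would authenticate with the cipher key. Suggest adding a separate auth key member to struct ipsec_test_data in this patch and pointing auth.key.data at it, so the framework never shares one key between cipher and auth.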
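Review bot: The test name added to ipsec_proto_testsuite (test_cryptodev.c, hunk at -14394), "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", does not say that pkt_aes_128_cbc_null sets .chain.auth.auth.algo = RTE_CRYPTO_AUTH_NULL, so the packet carries no ICV. Suggest naming it "... AES-CBC 128 NULL auth)" so that a pass on this case is not read as coverage of an authenticated ESP path.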
* [PATCH 02/13] test/crypto: add IPsec AES-CBC-HMAC-SHA256 known vectors
From: Anoob Joseph @ 2021-12-06 7:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Adding lookaside IPsec AES-CBC-HMAC-SHA256 test cases.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                          |  12 ++-
 app/test/test_cryptodev_security_ipsec.h           |   3 +
 .../test_cryptodev_security_ipsec_test_vectors.h   | 109 +++++++++++++++++++++
 3 files changed, 123 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 1e4b690..3fa618d 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9197,7 +9197,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sizeof(ut_params->auth_xform)); ut_params->cipher_xform.cipher.key.data = td[0].key.data; ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET; - ut_params->auth_xform.auth.key.data = td[0].key.data; + ut_params->auth_xform.auth.key.data = td[0].auth_key.data; /* Verify crypto capabilities */ 
@@ -14423,6 +14423,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec, &pkt_aes_256_gcm), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), @@ -14438,6 +14443,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 91c6cd4..70a264a 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -14,6 +14,9 @@ struct ipsec_test_data { struct { uint8_t data[32]; } key; + struct { + uint8_t data[32]; + } auth_key; struct { uint8_t data[1024]; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index bf831e9..16c88fe 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -434,4 +434,113 @@ struct ipsec_test_data pkt_aes_128_cbc_null = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x7c, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x4d, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, + + /* ESP */ + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0x34, 0x12, 0x67, 0x45, 0xff, 0xff, 0x00, 0x00, + 0x20, 0xbf, 0xe8, 0x39, 0x00, 0x00, 0x00, 0x00, + + /* Data */ + 0x67, 0xb5, 0x46, 0x6e, 0x78, 0x17, 0xd3, 0x5a, + 0xac, 0x62, 0x62, 0x62, 0xb0, 0x57, 0x9b, 0x09, + 0x19, 0x4f, 0x06, 0x59, 0xc8, 0xb0, 0x30, 0x65, + 0x1f, 0x45, 0x57, 0x41, 0x72, 0x17, 0x28, 0xe9, + 0xad, 0x50, 0xbe, 0x44, 0x1d, 0x2d, 0x9a, 0xd0, + 0x48, 0x75, 0x0d, 0x1c, 0x8d, 0x24, 0xa8, 0x6f, + 0x6b, 0x24, 0xb6, 0x5d, 0x43, 0x1e, 0x55, 0xf0, + 0xf7, 0x14, 0x1f, 0xf2, 0x61, 0xd4, 0xe0, 0x30, + 0x16, 0xbe, 0x1b, 0x5c, 0xcc, 0xb7, 0x66, 0x1c, + 0x47, 0xad, 0x07, 0x6c, 0xd5, 0xcb, 0xce, 0x6c, + }, + .len = 124, + }, + .iv = { + .data = { + 0x34, 0x12, 0x67, 0x45, 0xff, 0xff, 0x00, 0x00, + 0x20, 0xbf, 0xe8, 0x39, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + 
.options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key.length = 32, + .digest_length = 16, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
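Review bot: In struct ipsec_test_data (test_cryptodev_security_ipsec.h, hunk at -14), the new auth_key member is a fixed uint8_t data[32] with no length of its own; the length handed to the driver comes from xform.chain.auth.auth.key.length (32 for pkt_aes_128_cbc_hmac_sha256). Nothing in the hunks shown ties the two together, so a vector declaring a key.length above 32 would have the key read run beyond the array into the neighbouring member. Suggest a check in test_ipsec_proto_process() that auth.key.length <= sizeof(td[0].auth_key.data), and the same for key, or sizing the array for the largest HMAC key the series plans to use.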
* [PATCH 03/13] test/crypto: add chained operations in combined cases
From: Anoob Joseph @ 2021-12-06 7:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Extend lookaside IPsec combined mode cases to cover chained operations
also. Currently covering combinations of,

Ciphers,
1. AES-128-CBC

Auth,
1. NULL
2. SHA2-256 [16B ICV]

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.c                | 11 +++--
 app/test/test_cryptodev_security_ipsec.c | 77 +++++++++++++++++++++++++-------
 app/test/test_cryptodev_security_ipsec.h | 36 +++++++++++++++
 3 files changed, 103 insertions(+), 21 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 3fa618d..2a7ede6 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -835,6 +835,8 @@ ipsec_proto_testsuite_setup(void) ret = TEST_SKIPPED; } + test_ipsec_alg_list_populate(); + /* * Stop the device. Device would be started again by individual test * case setup routine. @@ -9381,9 +9383,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) flags->sa_expiry_pkts_hard) nb_pkts = IPSEC_TEST_PACKETS_MAX; - for (i = 0; i < RTE_DIM(aead_list); i++) { - test_ipsec_td_prepare(&aead_list[i], - NULL, + for (i = 0; i < RTE_DIM(alg_list); i++) { + test_ipsec_td_prepare(alg_list[i].param1, + alg_list[i].param2, flags, td_outb, nb_pkts); 
@@ -9407,7 +9409,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) return TEST_FAILED; if (flags->display_alg) - test_ipsec_display_alg(&aead_list[i], NULL); + test_ipsec_display_alg(alg_list[i].param1, + alg_list[i].param2); pass_cnt++; } diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 45960bf..5f67dc0 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -15,7 +15,29 @@ #define IV_LEN_MAX 16 -extern struct ipsec_test_data pkt_aes_256_gcm; +struct crypto_param_comb alg_list[RTE_DIM(aead_list) + + (RTE_DIM(cipher_list) * + RTE_DIM(auth_list))]; + +void +test_ipsec_alg_list_populate(void) +{ + unsigned long i, j, index = 0; + + for (i = 0; i < RTE_DIM(aead_list); i++) { + alg_list[index].param1 = &aead_list[i]; + alg_list[index].param2 = NULL; + index++; + } + + for (i = 0; i < RTE_DIM(cipher_list); i++) { + for (j = 0; j < RTE_DIM(auth_list); j++) { + alg_list[index].param1 = &cipher_list[i]; + alg_list[index].param2 = &auth_list[j]; + index++; + } + } +} int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, 
@@ -293,18 +315,31 @@ test_ipsec_td_prepare(const struct crypto_param *param1, for (i = 0; i < nb_td; i++) { td = &td_array[i]; - /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); - /* Override fields based on param */ + /* Prepare fields based on param */ + + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + /* Copy template for packet & key fields */ + memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); - if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) td->aead = true; - else + td->xform.aead.aead.algo = param1->alg.aead; + td->xform.aead.aead.key.length = param1->key_length; + } else { + /* Copy template for packet & key fields */ + memcpy(td, &pkt_aes_128_cbc_hmac_sha256, sizeof(*td)); + td->aead = false; + td->xform.chain.cipher.cipher.algo = param1->alg.cipher; + td->xform.chain.cipher.cipher.key.length = + param1->key_length; + td->xform.chain.auth.auth.algo = param2->alg.auth; + td->xform.chain.auth.auth.key.length = + param2->key_length; + td->xform.chain.auth.auth.digest_length = + param2->digest_length; - td->xform.aead.aead.algo = param1->alg.aead; - td->xform.aead.aead.key.length = param1->key_length; + } if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0; @@ -324,8 +359,6 @@ test_ipsec_td_prepare(const struct crypto_param *param1, } } - - RTE_SET_USED(param2); } void 
@@ -374,12 +407,21 @@ void test_ipsec_display_alg(const struct crypto_param *param1, const struct crypto_param *param2) { - if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) - printf("\t%s [%d]\n", + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + printf("\t%s [%d]", rte_crypto_aead_algorithm_strings[param1->alg.aead], - param1->key_length); - - RTE_SET_USED(param2); + param1->key_length * 8); + } else { + printf("\t%s", + rte_crypto_cipher_algorithm_strings[param1->alg.cipher]); + if (param1->alg.cipher != RTE_CRYPTO_CIPHER_NULL) + printf(" [%d]", param1->key_length * 8); + printf(" %s", + rte_crypto_auth_algorithm_strings[param2->alg.auth]); + if (param2->alg.auth != RTE_CRYPTO_AUTH_NULL) + printf(" [%dB ICV]", param2->digest_length); + } + printf("\n"); } static int @@ -631,8 +673,9 @@ test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td, if (res_d->aead) { res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT; } else { - printf("Only AEAD supported\n"); - return TEST_SKIPPED; + res_d->xform.chain.cipher.cipher.op = + RTE_CRYPTO_CIPHER_OP_DECRYPT; + res_d->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY; } return TEST_SUCCESS; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 70a264a..b1f0ff8 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -71,6 +71,7 @@ struct crypto_param { enum rte_crypto_aead_algorithm aead; } alg; uint16_t key_length; + uint16_t digest_length; }; static const struct crypto_param aead_list[] = { 
@@ -91,6 +92,41 @@ static const struct crypto_param aead_list[] = { }, }; +static const struct crypto_param cipher_list[] = { + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, + .key_length = 16, + }, +}; + +static const struct crypto_param auth_list[] = { + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_NULL, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key_length = 32, + .digest_length = 16, + }, +}; + +struct crypto_param_comb { + const struct crypto_param *param1; + const struct crypto_param *param2; +}; + +extern struct ipsec_test_data pkt_aes_256_gcm; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256; + +extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) + + (RTE_DIM(cipher_list) * + RTE_DIM(auth_list))]; + +void test_ipsec_alg_list_populate(void); + int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, const struct rte_security_capability *sec_cap, bool silent); -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
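Review bot: In test_ipsec_td_prepare() (test_cryptodev_security_ipsec.c, hunk at -293), the new else branch dereferences param2 (param2->alg.auth, param2->key_length, param2->digest_length) with no NULL check, while the RTE_SET_USED(param2) line is dropped. It is safe only because test_ipsec_alg_list_populate() pairs every cipher_list entry with a non-NULL auth_list entry; a caller that passes a cipher param together with NULL as the second argument, the convention before this patch, would crash. Suggest returning an error or asserting when param1->type is not RTE_CRYPTO_SYM_XFORM_AEAD and param2 == NULL.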
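Review bot: In test_ipsec_display_alg() (test_cryptodev_security_ipsec.c, hunk at -374), the AEAD branch now prints param1->key_length * 8, which silently changes the displayed key size from bytes to bits for the existing AEAD cases; the commit message only mentions adding chained operations. Suggest noting the unit change in the log message, and guarding the param2 dereference in the new else branch the same way as in test_ipsec_td_prepare().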
* [PATCH 04/13] test/crypto: add IPv6 tunnel mode cases
From: Anoob Joseph @ 2021-12-06 7:58 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Add IPv6 known vector and combined mode tests.
Following modes are added:
Tunnel IPv6 in IPv6
Tunnel IPv4 in IPv4
Tunnel IPv4 in IPv6
Tunnel IPv6 in IPv4

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                          | 102 ++++++++++-
 app/test/test_cryptodev_security_ipsec.c           |  74 +++++++-
 app/test/test_cryptodev_security_ipsec.h           |   4 +
 .../test_cryptodev_security_ipsec_test_vectors.h   | 202 +++++++++++++++++++++
 4 files changed, 378 insertions(+), 4 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 2a7ede6..f2c677d 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9125,6 +9125,10 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], bool silent, const struct ipsec_test_flags *flags) { + uint16_t v6_src[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000, + 0x0000, 0x001a}; + uint16_t v6_dst[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174, + 0xe82c, 0x4887}; struct crypto_testsuite_params *ts_params = &testsuite_params; struct crypto_unittest_params *ut_params = &unittest_params; struct rte_security_capability_idx sec_cap_idx; 
@@ -9158,8 +9162,16 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], dst += 1; } - memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); - memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + } else { + memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, + sizeof(v6_src)); + memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, + sizeof(v6_dst)); + } ctx = rte_cryptodev_get_sec_ctx(dev_id); @@ -9555,6 +9567,58 @@ test_ipsec_proto_inner_l4_csum(const void *data __rte_unused) } static int +test_ipsec_proto_tunnel_v4_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = false; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v6_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v4_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = true; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = false; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; 
@@ -14431,6 +14495,15 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), @@ -14451,6 +14524,15 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, 
@@ -14495,6 +14577,22 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inner L4 checksum", ut_setup_security, ut_teardown, test_ipsec_proto_inner_l4_csum), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v4_in_v4), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv6", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v6_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv6", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v4_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v6_in_v4), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 5f67dc0..12031d3 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -19,6 +19,40 @@ struct crypto_param_comb alg_list[RTE_DIM(aead_list) + (RTE_DIM(cipher_list) * RTE_DIM(auth_list))]; +static bool +is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt) +{ + /* The IP version number must be 4 */ + if (((pkt->version_ihl) >> 4) != 4) + return false; + /* + * The IP header length field must be large enough to hold the + * minimum length legal IP datagram (20 bytes = 5 words). + */ + if ((pkt->version_ihl & 0xf) < 5) + return false; + + /* + * The IP total length field must be large enough to hold the IP + * datagram header, whose length is specified in the IP header length + * field. + */ + if (rte_cpu_to_be_16(pkt->total_length) < sizeof(struct rte_ipv4_hdr)) + return false; + + return true; +} + +static bool +is_valid_ipv6_pkt(const struct rte_ipv6_hdr *pkt) +{ + /* The IP version number must be 6 */ + if ((rte_be_to_cpu_32((pkt->vtc_flow)) >> 28) != 6) + return false; + + return true; +} + void test_ipsec_alg_list_populate(void) { 
@@ -320,14 +354,22 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); + if (flags->ipv6) + memcpy(td, &pkt_aes_256_gcm_v6, sizeof(*td)); + else + memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); td->aead = true; td->xform.aead.aead.algo = param1->alg.aead; td->xform.aead.aead.key.length = param1->key_length; } else { /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_128_cbc_hmac_sha256, sizeof(*td)); + if (flags->ipv6) + memcpy(td, &pkt_aes_128_cbc_hmac_sha256_v6, + sizeof(*td)); + else + memcpy(td, &pkt_aes_128_cbc_hmac_sha256, + sizeof(*td)); td->aead = false; td->xform.chain.cipher.cipher.algo = param1->alg.cipher; @@ -358,6 +400,13 @@ test_ipsec_td_prepare(const struct crypto_param *param1, test_ipsec_csum_init(&td->input_text.data, false, true); } + if (flags->tunnel_ipv6) + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + else + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + } } @@ -686,6 +735,7 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, struct ipsec_test_data *res_d, bool silent, const struct ipsec_test_flags *flags) { + uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); int ret; if (flags->iv_gen && 
@@ -695,6 +745,26 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, return ret; } + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + const struct rte_ipv4_hdr *iph4; + const struct rte_ipv6_hdr *iph6; + + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + iph4 = (const struct rte_ipv4_hdr *)output_text; + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Outer header is not IPv4\n"); + return TEST_FAILED; + } + } else { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Outer header is not IPv6\n"); + return TEST_FAILED; + } + } + } + /* * In case of known vector tests & all inbound tests, res_d provided * would be NULL and output data need to be validated against expected. diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index b1f0ff8..69e81ae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -61,6 +61,8 @@ struct ipsec_test_flags { bool udp_ports_verify; bool ip_csum; bool l4_csum; + bool ipv6; + bool tunnel_ipv6; }; struct crypto_param { @@ -119,7 +121,9 @@ struct crypto_param_comb { }; extern struct ipsec_test_data pkt_aes_256_gcm; +extern struct ipsec_test_data pkt_aes_256_gcm_v6; extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6; extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) + (RTE_DIM(cipher_list) * diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 16c88fe..04ccbf0 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -434,6 +434,103 @@ struct ipsec_test_data pkt_aes_128_cbc_null = { }, }; +struct ipsec_test_data pkt_aes_256_gcm_v6 = { + .key = { + .data = { + 0xde, 0x12, 0xbe, 0x56, 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + 0x12, 0x78, 0xbe, 0x34, 0x01, 0x02, 0x03, 0x07, + 0xaa, 0xbb, 0xcc, 0xf1, 0x08, 0x07, 0x06, 0x05, + }, + }, + .input_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38, + 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, + 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad, + 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87, + 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c, + 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6, + 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07, + }, + .len = 72, + }, + .output_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x32, 0x40, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56, + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xe7, 0xdf, 0xc4, 0x7e, 0x21, 0xbd, 0xec, 0x1b, + 0x74, 0x5a, 0xe4, 0x7e, 0x2e, 0x94, 0x21, 0x0a, + 0x9b, 0x0e, 0x59, 0xbe, 0x06, 0x2a, 0xda, 0xb8, + 0x6b, 0x48, 0x7f, 0x0b, 0x88, 0x3a, 0xa9, 0xfd, + 0x3c, 0xfe, 0x9f, 0xb1, 0x8c, 0x67, 0xd2, 0xf8, + 0xaf, 0xb5, 0xad, 0x16, 0xdb, 0xff, 0x8d, 0x50, + 0xd3, 0x48, 0xf5, 0x6c, 0x3c, 0x0c, 0x27, 0x34, + 0x2b, 0x65, 0xc8, 0xff, 0xeb, 0x5f, 0xb8, 0xff, + 0x12, 0x00, 0x1c, 0x9f, 0xb7, 0x85, 0xdd, 0x7d, + 0x40, 0x19, 0xcb, 0x18, 0xeb, 0x15, 0xc4, 0x88, + 0xe1, 0xc2, 0x91, 0xc7, 0xb1, 0x65, 0xc3, 0x27, + 0x16, 0x06, 0x8f, 0xf2, + }, + .len = 148, + }, + .salt = { + .data = { + 0x11, 0x22, 0x33, 0x44 + }, + .len = 4, + }, + + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + }, + }, + + 
.ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 32, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { .key = { .data = { 
@@ -543,4 +640,109 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38, + 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, + 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad, + 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87, + 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c, + 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6, + 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07, + }, + .len = 72, + }, + .output_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x78, 0x32, 0x40, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56, + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00, + 0x1b, 0x1c, 0x98, 0x6e, 0x2a, 0xce, 0x61, 0xef, + 0xc1, 0xdd, 0x25, 0x96, 0x5c, 0xb1, 0xb0, 0x15, + 0x47, 0x25, 0xb7, 0x8b, 0x00, 0xb6, 0xbb, 0xe6, + 0x2e, 0x29, 0xcb, 0x4a, 0x94, 0x00, 0xf0, 0x73, + 0xdb, 0x14, 0x32, 0xd9, 0xa2, 0xdf, 0x22, 0x2f, + 0x52, 0x3e, 0x79, 0x77, 0xf3, 0x17, 0xaa, 0x40, + 0x1c, 0x57, 0x27, 0x12, 0x82, 0x44, 0x35, 0xb8, + 0x64, 0xe0, 0xaa, 0x5c, 0x10, 0xc7, 0x97, 0x35, + 0x9c, 0x6b, 0x1c, 0xf7, 0xe7, 0xbd, 0x83, 0x33, + 0x77, 0x48, 0x44, 0x7d, 0xa4, 0x13, 0x74, 0x3b, + 0x6a, 0x91, 0xd0, 0xd8, 0x7d, 0x41, 0x45, 0x23, + 
0x5d, 0xc9, 0x2d, 0x08, 0x7a, 0xd8, 0x25, 0x8e, + }, + .len = 160, + }, + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key.length = 32, + .digest_length = 16, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
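Review bot: In is_valid_ipv4_pkt(), the total-length check uses `rte_cpu_to_be_16(pkt->total_length)`, but total_length is stored big-endian in the header, so the conversion should be `rte_be_to_cpu_16()`. The two perform the same byte swap, so the result is unchanged, but the code reads as the wrong direction. The comparison is also against `sizeof(struct rte_ipv4_hdr)`, while the comment above it says the total length must cover the header length given by the IHL field; comparing against `(pkt->version_ihl & 0xf) * 4` would make the check match its comment and cover headers that carry options.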
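Review bot: The new test case titles "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)" and "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)" in ipsec_proto_testsuite both pass `&pkt_aes_256_gcm_v6`, and that vector sets `.key.length = 32` with a 32-byte key. The titles should say AES-GCM 256 so that a failure report names the algorithm that actually ran.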
* [PATCH 05/13] test/crypto: add IPsec HMAC-SHA384/512 known vectors 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (3 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 04/13] test/crypto: add IPv6 tunnel mode cases Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 06/13] test/crypto: add IPsec fragmented packet " Anoob Joseph ` (8 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add lookaside IPsec HMAC-SHA384/512 known vectors. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 20 ++ app/test/test_cryptodev_security_ipsec.h | 14 +- .../test_cryptodev_security_ipsec_test_vectors.h | 213 +++++++++++++++++++++ 3 files changed, 246 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f2c677d..cb335fc 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -14495,6 +14495,16 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec, &pkt_aes_256_gcm_v6), 
@@ -14525,6 +14535,16 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm_v6), diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 69e81ae..d74eee7 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -15,7 +15,7 @@ struct ipsec_test_data { uint8_t data[32]; } key; struct { - uint8_t data[32]; + uint8_t data[64]; } auth_key; struct { @@ -113,6 +113,18 @@ static const struct crypto_param auth_list[] = { .key_length = 32, .digest_length = 16, }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA384_HMAC, + .key_length = 48, + .digest_length = 24, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA512_HMAC, + .key_length = 64, + .digest_length = 32, + }, }; struct crypto_param_comb { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 04ccbf0..b8661f7 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -640,6 +640,219 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha384 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x34, + 0x1a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + .data = { + 0x45, 0x00, 0x00, 0x84, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x45, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x44, 0x24, 0xb9, 0xd8, + 0x0f, 0xbe, 0xa3, 0x3f, 0xc9, 0xc0, 0xa2, 0xcb, + 0xaa, 0xda, 0x3f, 0xc6, 0x0e, 0x88, 0x75, 0x96, + 0x25, 0x50, 0x07, 0x4d, 0x52, 0xf4, 0x75, 0xec, + 0xd8, 0xcd, 0xe4, 0xcf, 0x85, 0x9a, 0xbc, 0x9e, + 0x84, 0x0f, 0xbb, 0x83, 0x72, 0x0c, 0x7f, 0x58, + 0x02, 0x46, 0xeb, 0x86, 0x6e, 0xd1, 0xcf, 0x05, + 0x6a, 0xd1, 0xd2, 0xc6, 0xb5, 0x94, 0x09, 0x0a, + 0x3e, 0xdf, 0x09, 0xfb, 0x0a, 0xb7, 0xb4, 0x97, + 0x17, 0xf2, 0x20, 0xaf, 0xfa, 0x90, 0x92, 0x4d, + 0xe4, 0x0e, 0xef, 0x5a, 0xe8, 0x43, 0x46, 0xa8, + 0x5e, 0x3f, 0x52, 0x46, + }, + .len = 132, + }, + .iv = { + .data = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA384_HMAC, + .key.length = 48, + .digest_length = 24, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha512 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x34, + 0x1a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + 
.data = { + 0x45, 0x00, 0x00, 0x8c, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x3d, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x42, 0x32, 0x76, 0x65, + 0x45, 0x35, 0x24, 0x41, 0xf0, 0xc1, 0xb4, 0x40, + 0x00, 0x00, 0x00, 0x00, 0xd0, 0x32, 0x23, 0xf7, + 0xcd, 0x3d, 0xdb, 0xd5, 0x70, 0x19, 0x1b, 0xf5, + 0x8f, 0xeb, 0x98, 0x3d, 0x41, 0x5c, 0x28, 0xdd, + 0xfd, 0xcc, 0xdd, 0xa2, 0xeb, 0x43, 0x4c, 0x13, + 0x2d, 0xa1, 0x98, 0x87, 0x92, 0x3a, 0x1f, 0x67, + 0x20, 0x8d, 0x9e, 0x8e, 0x51, 0x21, 0x4c, 0xa9, + 0xff, 0xad, 0xfb, 0x5d, 0x57, 0xa3, 0x16, 0x91, + 0xaa, 0x75, 0xc7, 0x28, 0x42, 0x4e, 0x8f, 0x8e, + 0x84, 0x37, 0x94, 0x09, 0x74, 0xfa, 0x70, 0x0d, + 0xd1, 0x37, 0xe2, 0x7c, 0x54, 0xdd, 0x2e, 0xb4, + 0xf4, 0x54, 0x4b, 0x12, 0xe0, 0xaf, 0x4a, 0x0a, + 0x0b, 0x52, 0x57, 0x9d, 0x36, 0xdc, 0xac, 0x02, + 0xfb, 0x55, 0x34, 0x05, + }, + .len = 140, + }, + .iv = { + .data = { + 0x42, 0x32, 0x76, 0x65, 0x45, 0x35, 0x24, 0x41, + 0xf0, 0xc1, 0xb4, 0x40, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA512_HMAC, + .key.length = 64, + .digest_length = 32, + }, + }, + }, +}; + struct 
ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { .key = { .data = { -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
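Review bot: The `.iv` of pkt_aes_128_cbc_hmac_sha384 is sixteen zero bytes (and the matching bytes after the ESP header in `.output_text` are zero as well), whereas pkt_aes_128_cbc_hmac_sha512 uses a non-zero IV. With an all-zero IV, the known-vector comparison cannot tell an implementation that applies the IV from the test data apart from one that leaves the IV field zeroed, so a non-zero IV in the SHA384 vector would give the case the same coverage as the SHA512 one. Separately, the `auth_key` array in struct ipsec_test_data grows from 32 to 64 bytes as a bare literal; a short comment or a named constant tying it to the HMAC-SHA512 key length of 64 used in auth_list would make the reason for the size clear.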
* [PATCH 06/13] test/crypto: add IPsec fragmented packet known vectors 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (4 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 05/13] test/crypto: add IPsec HMAC-SHA384/512 known vectors Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 07/13] test/crypto: add transport mode cases Anoob Joseph ` (7 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add fragmented plain packet known vector test case in IPsec outbound. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 22 +++++ app/test/test_cryptodev_security_ipsec.c | 10 ++ app/test/test_cryptodev_security_ipsec.h | 1 + .../test_cryptodev_security_ipsec_test_vectors.h | 104 +++++++++++++++++++++ 4 files changed, 137 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index cb335fc..1315687 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9383,6 +9383,23 @@ test_ipsec_proto_known_vec_inb(const void *test_data) } static int +test_ipsec_proto_known_vec_fragmented(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + flags.fragment = true; + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); +} + +static int test_ipsec_proto_all(const struct ipsec_test_flags *flags) { struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX]; 
@@ -14514,6 +14531,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_WITH_DATA( + "Outbound fragmented packet", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_fragmented, + &pkt_aes_128_gcm_frag), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 12031d3..ccce63f 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -659,6 +659,16 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return TEST_FAILED; } + if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + flags->fragment) { + const struct rte_ipv4_hdr *iph4; + iph4 = (const struct rte_ipv4_hdr *)output_text; + if (iph4->fragment_offset) { + printf("Output packet is fragmented"); + return TEST_FAILED; + } + } + skip = test_ipsec_tunnel_hdr_len_get(td); len -= skip; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index d74eee7..884a795 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -63,6 +63,7 @@ struct ipsec_test_flags { bool l4_csum; bool ipv6; bool tunnel_ipv6; + bool fragment; }; struct crypto_param { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index b8661f7..b6d48ad 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -958,4 +958,108 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { }, }; +struct ipsec_test_data pkt_aes_128_gcm_frag = { + .key = { + .data = { + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + }, + }, + .input_text = { + .data = { + 0x45, 0x00, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x17, + 0x40, 0x06, 0xed, 0x48, 0xc6, 0x12, 0x00, 0x00, + 0xc6, 0x12, 0x01, 0x05, 0x00, 0x14, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x55, 0x05, 0x00, 0x00, + 0x00, 0x01, 0x02, 0x03, 0xf2, 0xf6, 0xe9, 0x21, + 0xf9, 0xf2, 0xf6, 0xe9, 0x21, 0xf9, 0xf2, 0xf6, + 0xe9, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 110, + }, + .output_text = { + .data = { + 0x45, 0x00, 0x00, 0xa4, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0xf6, 0x0c, 0xc0, 0xa8, 0x01, 0x70, + 0xc0, 0xa8, 0x01, 0x5a, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x45, 0xad, 0xfe, 0x23, + 0x78, 0x56, 0x12, 0x00, 0x49, 0x26, 0xac, 0x4e, + 0x8d, 0xf3, 0x74, 0x26, 0x18, 0x3f, 0x65, 0x94, + 0x73, 0x2e, 0xe4, 0xcf, 0x84, 0x6d, 0x03, 0x8a, + 0x4c, 0xdd, 0x2d, 0xef, 0xcd, 0x9f, 0x84, 0x76, + 0x93, 0xe1, 0xee, 0x21, 0x92, 0x8b, 0xf7, 0x7a, + 0xb1, 0x6a, 0x7f, 0xd6, 0x10, 0x66, 0xdd, 0xa1, + 0x8b, 0x17, 0x56, 0x99, 0x9a, 0x40, 0xd0, 0x6b, + 0x2d, 0xe0, 0x55, 0x40, 0x2f, 0xb8, 0x38, 0xe3, + 0x08, 0x46, 0xe2, 0x69, 0xc9, 0xa1, 0x85, 0x9d, + 0x7b, 0xec, 0x33, 0x2a, 0x2d, 0x1d, 0x1f, 0x1a, + 0x9e, 0xf0, 0x1e, 0xc3, 0x33, 0x64, 0x35, 0x82, + 0xbb, 0xb5, 0x7a, 0x91, 0x2e, 0x8d, 0xd5, 0x5b, + 0x3a, 0xbe, 0x95, 0x94, 0xba, 0x40, 0x73, 0x4e, + 0xa4, 0x15, 0xe4, 0x4a, 0xf9, 0x14, 0x2c, 0x4f, + 0x63, 0x2e, 0x23, 0x6e, 0xeb, 0x06, 0xe7, 0x52, + 0xe1, 
0xc7, 0x91, 0x7f, 0x19, 0xc0, 0x4a, 0xd2, + 0xd5, 0x3e, 0x84, 0xa8, + }, + .len = 164, + }, + .salt = { + .data = { + 0xde, 0xad, 0xbe, 0xef, + }, + .len = 4, + }, + + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
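Review bot: In the test_ipsec_td_verify() hunk, `if (iph4->fragment_offset)` tests the whole 16-bit field, which carries the DF and MF flag bits together with the fragment offset, so an outer header that only has DF set would be reported as fragmented. The check should convert the field with `rte_be_to_cpu_16()` and mask it down to the MF flag and the offset bits before testing. The same block casts output_text to an IPv4 header whenever `flags->fragment` is set, without looking at `td->ipsec_xform.tunnel.type`, so it is only valid for IPv4 outer headers; either check the tunnel type first or note the restriction in a comment. The `printf("Output packet is fragmented")` call is also missing its trailing newline, unlike the other failure messages in this file.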
* [PATCH 07/13] test/crypto: add transport mode cases 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (5 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 06/13] test/crypto: add IPsec fragmented packet " Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 08/13] test/crypto: add security stats cases Anoob Joseph ` (6 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add transport mode tests with test cases for IPv4 packets. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 39 ++++++++++++++---- app/test/test_cryptodev_security_ipsec.c | 71 +++++++++++++++++++++----------- app/test/test_cryptodev_security_ipsec.h | 1 + 3 files changed, 79 insertions(+), 32 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 1315687..f8f2660 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c 
@@ -9162,15 +9162,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], dst += 1; } - if (td->ipsec_xform.tunnel.type == - RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); - memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - } else { - memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, - sizeof(v6_src)); - memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, - sizeof(v6_dst)); + if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, + sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, + sizeof(dst)); + } else { + memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, + sizeof(v6_src)); + memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, + sizeof(v6_dst)); + } } ctx = rte_cryptodev_get_sec_ctx(dev_id); @@ -9636,6 +9640,19 @@ test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused) } static int +test_ipsec_proto_transport_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.transport = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14635,6 +14652,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Tunnel IPv6 in IPv4", ut_setup_security, ut_teardown, test_ipsec_proto_tunnel_v6_in_v4), + TEST_CASE_NAMED_ST( + "Transport IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_transport_v4), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index ccce63f..029fdd3 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -400,12 +400,21 @@ test_ipsec_td_prepare(const struct crypto_param *param1, test_ipsec_csum_init(&td->input_text.data, false, true); } - if (flags->tunnel_ipv6) - td->ipsec_xform.tunnel.type = - RTE_SECURITY_IPSEC_TUNNEL_IPV6; - else - td->ipsec_xform.tunnel.type = - RTE_SECURITY_IPSEC_TUNNEL_IPV4; + if (flags->transport) { + td->ipsec_xform.mode = + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT; + } else { + td->ipsec_xform.mode = + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL; + + if (flags->tunnel_ipv6) + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + else + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + } + } } 
@@ -748,29 +757,45 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); int ret; - if (flags->iv_gen && - td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - ret = test_ipsec_iv_verify_push(m, td); - if (ret != TEST_SUCCESS) - return ret; - } - if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { const struct rte_ipv4_hdr *iph4; const struct rte_ipv6_hdr *iph6; - if (td->ipsec_xform.tunnel.type == - RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - iph4 = (const struct rte_ipv4_hdr *)output_text; - if (is_valid_ipv4_pkt(iph4) == false) { - printf("Outer header is not IPv4\n"); - return TEST_FAILED; + if (flags->iv_gen) { + ret = test_ipsec_iv_verify_push(m, td); + if (ret != TEST_SUCCESS) + return ret; + } + + iph4 = (const struct rte_ipv4_hdr *)output_text; + + if (td->ipsec_xform.mode == + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) { + if (flags->ipv6) { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Transport packet is not IPv6\n"); + return TEST_FAILED; + } + } else { + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Transport packet is not IPv4\n"); + return TEST_FAILED; + } } } else { - iph6 = (const struct rte_ipv6_hdr *)output_text; - if (is_valid_ipv6_pkt(iph6) == false) { - printf("Outer header is not IPv6\n"); - return TEST_FAILED; + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Tunnel outer header is not IPv4\n"); + return TEST_FAILED; + } + } else { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Tunnel outer header is not IPv6\n"); + return TEST_FAILED; + } } } } diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 884a795..07d2453 100644 --- a/app/test/test_cryptodev_security_ipsec.h 
+++ b/app/test/test_cryptodev_security_ipsec.h @@ -63,6 +63,7 @@ struct ipsec_test_flags { bool l4_csum; bool ipv6; bool tunnel_ipv6; + bool transport; bool fragment; }; -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
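Review bot: The transport-mode branch added to test_ipsec_post_process() only calls is_valid_ipv4_pkt() or is_valid_ipv6_pkt(), which check the version (and, for IPv4, IHL and total length), so a PMD that wrongly produced a tunnel-mode packet for a transport SA would still pass this check. Since transport mode keeps the original IP header, comparing the source and destination addresses of the output header against those in `td->input_text` would confirm that the header was preserved rather than replaced. In test_ipsec_proto_transport_v4(), `flags.ipv6 = false` directly after the memset is redundant and can be dropped.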
* [PATCH 08/13] test/crypto: add security stats cases 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (6 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 07/13] test/crypto: add transport mode cases Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 09/13] test/crypto: add lookaside IPsec AES-CTR known vectors Anoob Joseph ` (5 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Ankur Dwivedi, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Ankur Dwivedi <adwivedi@marvell.com> Adds security stats test cases in IPSEC protocol testsuite. Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com> --- app/test/test_cryptodev.c | 21 +++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 29 +++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.h | 6 ++++++ 3 files changed, 56 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f8f2660..34bc3e0 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9332,6 +9332,11 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], if (ret != TEST_SUCCESS) goto crypto_op_free; + ret = test_ipsec_stats_verify(ctx, ut_params->sec_session, + flags, dir); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + rte_crypto_op_free(ut_params->op); ut_params->op = NULL; @@ -9653,6 +9658,18 @@ test_ipsec_proto_transport_v4(const void *data __rte_unused) } static int +test_ipsec_proto_stats(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.stats_success = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; 
@@ -14656,6 +14673,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Transport IPv4", ut_setup_security, ut_teardown, test_ipsec_proto_transport_v4), + TEST_CASE_NAMED_ST( + "Statistics: success", + ut_setup_security, ut_teardown, + test_ipsec_proto_stats), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 029fdd3..6fa1d3d 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -415,6 +415,8 @@ test_ipsec_td_prepare(const struct crypto_param *param1, RTE_SECURITY_IPSEC_TUNNEL_IPV4; } + if (flags->stats_success) + td->ipsec_xform.options.stats = 1; } } @@ -871,3 +873,30 @@ test_ipsec_status_check(struct rte_crypto_op *op, return ret; } + +int +test_ipsec_stats_verify(struct rte_security_ctx *ctx, + struct rte_security_session *sess, + const struct ipsec_test_flags *flags, + enum rte_security_ipsec_sa_direction dir) +{ + struct rte_security_stats stats = {0}; + int ret = TEST_SUCCESS; + + if (flags->stats_success) { + if (rte_security_session_stats_get(ctx, sess, &stats) < 0) + return TEST_FAILED; + + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (stats.ipsec.opackets != 1 || + stats.ipsec.oerrors != 0) + ret = TEST_FAILED; + } else { + if (stats.ipsec.ipackets != 1 || + stats.ipsec.ierrors != 0) + ret = TEST_FAILED; + } + } + + return ret; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 07d2453..3565a8c 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -65,6 +65,7 @@ struct ipsec_test_flags { bool tunnel_ipv6; bool transport; bool fragment; + bool stats_success; }; struct crypto_param { 
@@ -188,4 +189,9 @@ int test_ipsec_status_check(struct rte_crypto_op *op, enum rte_security_ipsec_sa_direction dir, int pkt_num); +int test_ipsec_stats_verify(struct rte_security_ctx *ctx, + struct rte_security_session *sess, + const struct ipsec_test_flags *flags, + enum rte_security_ipsec_sa_direction dir); + #endif -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
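Review bot: test_ipsec_stats_verify hard-codes a packet count of 1 (`stats.ipsec.opackets != 1`, `stats.ipsec.ipackets != 1`) although it is called from the per-packet path of test_ipsec_proto_process, which takes nb_pkts. If that path runs more than once on the same session, the second call sees a count of 2 and fails. Pass the expected count in, or call the check once after the loop and compare against nb_pkts. A failing rte_security_session_stats_get() is also reported as TEST_FAILED; if the PMD does not implement session stats, TEST_SKIPPED would be the more accurate result.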
* [PATCH 09/13] test/crypto: add lookaside IPsec AES-CTR known vectors 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (7 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 08/13] test/crypto: add security stats cases Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 10/13] test/crypto: add fragmented packet case Anoob Joseph ` (4 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add known vectors for AES-CTR in lookaside IPsec mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev_security_ipsec.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 3565a8c..3376d08 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -103,6 +103,21 @@ static const struct crypto_param cipher_list[] = { .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, .key_length = 16, }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 16, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 24, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 32, + }, }; static const struct crypto_param auth_list[] = { -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
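Review bot: The subject and commit message say known vectors are added, but the only hunk, in cipher_list[] of test_cryptodev_security_ipsec.h, adds three AES-CTR entries (key lengths 16, 24 and 32) to the combined-mode algorithm list, and the diffstat shows no change to the test vectors header. Either reword the commit to say AES-CTR is added to the combined-mode list, or include the vectors in this patch.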
* [PATCH 10/13] test/crypto: add fragmented packet case 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (8 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 09/13] test/crypto: add lookaside IPsec AES-CTR known vectors Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 11/13] test/crypto: skip null auth in ICV corrupt case Anoob Joseph ` (3 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add fragmented plain packet test case in combined mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 16 ++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 34bc3e0..744eb9f 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9670,6 +9670,18 @@ test_ipsec_proto_stats(const void *data __rte_unused) } static int +test_ipsec_proto_pkt_fragment(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.fragment = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14677,6 +14689,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Statistics: success", ut_setup_security, ut_teardown, test_ipsec_proto_stats), + TEST_CASE_NAMED_ST( + "Fragmented packet", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_fragment), TEST_CASES_END() /**< NULL terminate unit test array */ } }; 
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 6fa1d3d..832f9d8 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -418,6 +418,13 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (flags->stats_success) td->ipsec_xform.options.stats = 1; + if (flags->fragment) { + struct rte_ipv4_hdr *ip; + ip = (struct rte_ipv4_hdr *)&td->input_text.data; + ip->fragment_offset = 4; + ip->hdr_checksum = rte_ipv4_cksum(ip); + } + } } -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
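Review bot: In the test_ipsec_td_prepare hunk, `ip->fragment_offset = 4;` stores a host-order value into a big-endian header field, so the packet that goes on the wire differs between little-endian and big-endian hosts; use rte_cpu_to_be_16() on the intended value, the same way patch 13/13 reads the field back with rte_be_to_cpu_16(). The following `ip->hdr_checksum = rte_ipv4_cksum(ip);` is computed without first zeroing hdr_checksum, which rte_ipv4_cksum() requires and which test_ipsec_pkt_update in patch 13/13 does do. The block also assumes the input vector is IPv4; a check on the version (or on flags->ipv6) before casting would keep it from rewriting bytes of an IPv6 header.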
* [PATCH 11/13] test/crypto: skip null auth in ICV corrupt case 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (9 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 10/13] test/crypto: add fragmented packet case Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 12/13] test/crypto: add aes xcbc known vectors Anoob Joseph ` (2 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Skipping NULL auth in ICV corruption test case. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 744eb9f..0f7885c 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9428,6 +9428,11 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) td_outb, nb_pkts); + if (flags->icv_corrupt && (td_outb->aead == false) && + (td_outb->xform.chain.auth.auth.algo == + RTE_CRYPTO_AUTH_NULL)) + continue; + ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, flags); if (ret == TEST_SKIPPED) -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
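Review bot: The new skip in test_ipsec_proto_all carries no comment saying why NULL auth is excluded from the ICV corruption case, and the commit message does not give the reason either. A one-line comment such as "ICV is not applicable for NULL auth" belongs here; patch 12/13 adds exactly that when it rewrites this same block, so the two changes could be folded and the block introduced once in its final form. `(td_outb->aead == false)` would also read better as `!td_outb->aead`.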
* [PATCH 12/13] test/crypto: add aes xcbc known vectors 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (10 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 11/13] test/crypto: skip null auth in ICV corrupt case Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 7:58 ` [PATCH 13/13] test/crypto: add copy and set DF cases Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add known vector test cases for NULL cipher + AES-XCBC. Also add both algos to the combined mode list of algos. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 38 +++++++-- app/test/test_cryptodev_security_ipsec.c | 2 + app/test/test_cryptodev_security_ipsec.h | 17 ++++ .../test_cryptodev_security_ipsec_test_vectors.h | 90 ++++++++++++++++++++++ 4 files changed, 141 insertions(+), 6 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 0f7885c..aa85a19 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9368,8 +9368,11 @@ test_ipsec_proto_known_vec(const void *test_data) memcpy(&td_outb, test_data, sizeof(td_outb)); - /* Disable IV gen to be able to test with known vectors */ - td_outb.ipsec_xform.options.iv_gen_disable = 1; + if (td_outb.aead || + td_outb.xform.chain.cipher.cipher.algo != RTE_CRYPTO_CIPHER_NULL) { + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + } return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); } 
@@ -9428,10 +9431,23 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) td_outb, nb_pkts); - if (flags->icv_corrupt && (td_outb->aead == false) && - (td_outb->xform.chain.auth.auth.algo == - RTE_CRYPTO_AUTH_NULL)) - continue; + if (!td_outb->aead) { + enum rte_crypto_cipher_algorithm cipher_alg; + enum rte_crypto_auth_algorithm auth_alg; + + cipher_alg = td_outb->xform.chain.cipher.cipher.algo; + auth_alg = td_outb->xform.chain.auth.auth.algo; + + /* ICV is not applicable for NULL auth */ + if (flags->icv_corrupt && + auth_alg == RTE_CRYPTO_AUTH_NULL) + continue; + + /* IV is not applicable for NULL cipher */ + if (flags->iv_gen && + cipher_alg == RTE_CRYPTO_CIPHER_NULL) + continue; + } ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, flags); @@ -14582,6 +14598,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_null_aes_xcbc), + TEST_CASE_NAMED_WITH_DATA( "Outbound fragmented packet", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_fragmented, @@ -14626,6 +14647,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_null_aes_xcbc), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 832f9d8..94e5213 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -375,6 +375,8 @@ test_ipsec_td_prepare(const struct crypto_param *param1, td->xform.chain.cipher.cipher.algo = param1->alg.cipher; td->xform.chain.cipher.cipher.key.length = param1->key_length; + td->xform.chain.cipher.cipher.iv.length = + param1->iv_length; td->xform.chain.auth.auth.algo = param2->alg.auth; td->xform.chain.auth.auth.key.length = param2->key_length; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 3376d08..6e27eba 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -76,6 +76,7 @@ struct crypto_param { enum rte_crypto_aead_algorithm aead; } alg; uint16_t key_length; + uint16_t iv_length; uint16_t digest_length; }; @@ -100,23 +101,33 @@ static const struct crypto_param aead_list[] = { static const struct crypto_param cipher_list[] = { { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_NULL, + .key_length = 0, + .iv_length = 0, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, .key_length = 16, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 16, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 24, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 32, + .iv_length = 16, }, }; @@ -143,6 +154,12 @@ static const struct crypto_param auth_list[] = { .key_length = 64, .digest_length = 32, }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_AES_XCBC_MAC, + .key_length = 16, + .digest_length = 12, + }, }; struct crypto_param_comb { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index b6d48ad..85cd6c5 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h 
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -1062,4 +1062,94 @@ struct ipsec_test_data pkt_aes_128_gcm_frag = { }, }; +struct ipsec_test_data pkt_null_aes_xcbc = { + .auth_key = { + .data = { + 0x61, 0x31, 0x62, 0x32, 0x63, 0x33, 0x64, 0x34, + 0x65, 0x35, 0x66, 0x36, 0x67, 0x37, 0x68, 0x38, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x2f, 0x49, 0x37, 0x00, 0x00, + 0x40, 0x11, 0x22, 0x84, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, 0x08, 0x00, 0x08, 0x00, + 0x00, 0x1b, 0x6d, 0x99, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + }, + .len = 47, + }, + .output_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x5c, 0x06, 0x00, 0x00, 0x00, + 0x40, 0x32, 0x13, 0x6c, 0x0a, 0x00, 0x6f, 0x02, + 0x0a, 0x00, 0xde, 0x02, + + /* ESP */ + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, + + /* IP */ + 0x45, 0x00, 0x00, 0x2f, 0x49, 0x37, 0x00, 0x00, + 0x40, 0x11, 0x22, 0x84, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, 0x08, 0x00, 0x08, 0x00, + 0x00, 0x1b, 0x6d, 0x99, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + + /* ESP trailer */ + 0x01, 0x02, 0x03, 0x03, 0x04, + + /* ICV */ + 0xf1, 0x52, 0x64, 0xd1, 0x9b, 0x62, 0x24, 0xdd, + 0xcc, 0x14, 0xf5, 0xc1, + }, + .len = 92, + }, + .ipsec_xform = { + .spi = 0x100, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + .aead = false, + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = 
RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_NULL, + .key.length = 0, + .iv.length = 0, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC, + .key.length = 16, + .digest_length = 12, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
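Review bot: Adding RTE_CRYPTO_CIPHER_NULL to cipher_list[] means the combined-mode matrix now pairs it with every auth_list[] entry, while the two skips added in test_ipsec_proto_all cover only icv_corrupt and iv_gen. If auth_list[] carries a NULL auth entry (the ICV-corrupt skip implies it does), the default combined run will attempt NULL cipher together with NULL auth, a combination RFC 4303 does not allow for ESP. Skip that pair explicitly in the `if (!td_outb->aead)` block so the result does not depend on how a given PMD treats it.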
* [PATCH 13/13] test/crypto: add copy and set DF cases 2021-12-06 7:58 [PATCH 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (11 preceding siblings ...) 2021-12-06 7:58 ` [PATCH 12/13] test/crypto: add aes xcbc known vectors Anoob Joseph @ 2021-12-06 7:58 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 7:58 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add test cases to verify copy DF and set DF options with lookaside IPsec offload. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 75 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 71 ++++++++++++++++++++++++++++-- app/test/test_cryptodev_security_ipsec.h | 10 +++++ doc/guides/rel_notes/release_22_03.rst | 18 ++++++++ 4 files changed, 171 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index aa85a19..aac17d1 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9169,6 +9169,13 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + + if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + ipsec_xform.tunnel.ipv4.df = 0; + + if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0) + ipsec_xform.tunnel.ipv4.df = 1; + } else { memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, sizeof(v6_src)); 
@@ -9282,6 +9289,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], memcpy(input_text, td[i].input_text.data, td[i].input_text.len); + if (test_ipsec_pkt_update(input_text, flags)) + return TEST_FAILED; + /* Generate crypto op data structure */ ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool, RTE_CRYPTO_OP_TYPE_SYMMETRIC); @@ -9700,6 +9710,55 @@ test_ipsec_proto_pkt_fragment(const void *data __rte_unused) flags.fragment = true; return test_ipsec_proto_all(&flags); + +} + +static int +test_ipsec_proto_copy_df_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_0; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_copy_df_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_0_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_1_INNER_0; + + return test_ipsec_proto_all(&flags); } static int 
@@ -14724,6 +14783,22 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Fragmented packet", ut_setup_security, ut_teardown, test_ipsec_proto_pkt_fragment), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 0 (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 1 (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_1_inner_0), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 94e5213..4f5f20c 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -427,6 +427,9 @@ test_ipsec_td_prepare(const struct crypto_param *param1, ip->hdr_checksum = rte_ipv4_cksum(ip); } + if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_COPY_DF_INNER_1) + td->ipsec_xform.options.copy_df = 1; } } @@ -640,6 +643,7 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, { uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); + uint8_t td_output_text[4096]; int ret; /* For tests with status as error for test success, skip verification */ 
@@ -720,16 +724,21 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return ret; } + memcpy(td_output_text, td->output_text.data + skip, len); - if (memcmp(output_text, td->output_text.data + skip, len)) { + if (test_ipsec_pkt_update(td_output_text, flags)) { + printf("Could not update expected vector"); + return TEST_FAILED; + } + + if (memcmp(output_text, td_output_text, len)) { if (silent) return TEST_FAILED; printf("TestCase %s line %d: %s\n", __func__, __LINE__, "output text not as expected\n"); - rte_hexdump(stdout, "expected", td->output_text.data + skip, - len); + rte_hexdump(stdout, "expected", td_output_text, len); rte_hexdump(stdout, "actual", output_text, len); return TEST_FAILED; } @@ -797,10 +806,27 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, } else { if (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + uint16_t f_off; + if (is_valid_ipv4_pkt(iph4) == false) { printf("Tunnel outer header is not IPv4\n"); return TEST_FAILED; } + + f_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is not set\n"); + return TEST_FAILED; + } + } else { + if ((f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is set\n"); + return TEST_FAILED; + } + } } else { iph6 = (const struct rte_ipv6_hdr *)output_text; if (is_valid_ipv6_pkt(iph6) == false) { 
@@ -909,3 +935,42 @@ test_ipsec_stats_verify(struct rte_security_ctx *ctx, return ret; } + +int +test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags) +{ + struct rte_ipv4_hdr *iph4; + bool cksum_dirty = false; + uint16_t frag_off; + + iph4 = (struct rte_ipv4_hdr *)pkt; + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1 || + flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + + if (!is_ipv4(iph4)) { + printf("Invalid packet type"); + return -1; + } + + frag_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + frag_off |= RTE_IPV4_HDR_DF_FLAG; + else + frag_off &= !RTE_IPV4_HDR_DF_FLAG; + + iph4->fragment_offset = rte_cpu_to_be_16(frag_off); + cksum_dirty = true; + } + + if (cksum_dirty && is_ipv4(iph4)) { + iph4->hdr_checksum = 0; + iph4->hdr_checksum = rte_ipv4_cksum(iph4); + } + + return 0; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 6e27eba..12a9b77 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -50,6 +50,13 @@ struct ipsec_test_data { } xform; }; +enum df_flags { + TEST_IPSEC_COPY_DF_INNER_0 = 1, + TEST_IPSEC_COPY_DF_INNER_1, + TEST_IPSEC_SET_DF_0_INNER_1, + TEST_IPSEC_SET_DF_1_INNER_0, +}; + struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; @@ -66,6 +73,7 @@ struct ipsec_test_flags { bool transport; bool fragment; bool stats_success; + enum df_flags df; }; struct crypto_param { @@ -226,4 +234,6 @@ int test_ipsec_stats_verify(struct rte_security_ctx *ctx, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); +int test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags); + #endif 
diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 6d99d1e..0a29671 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -55,6 +55,24 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated lookaside protocol (IPsec) tests in dpdk-test.** + + * Added support for chained operations. + * Added AES-CBC 128 NULL auth known vector tests. + * Added AES-CBC 128 HMAC-SHA256 known vector tests. + * Added AES-CBC 128 HMAC-SHA384 known vector tests. + * Added AES-CBC 128 HMAC-SHA512 known vector tests. + * Added NULL cipher AES-XCBC known vector tests. + * Added tunnel mode tests + * IPv6 in IPv6 + * IPv4 in IPv4 + * IPv4 in IPv6 + * IPv6 in IPv4 + * Added IPv4 transport mode tests. + * Added security stats tests. + * Added AES-CTR tests. + * Added set/copy DF tests. + Removed Items ------------- -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
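Review bot: In test_ipsec_pkt_update the else branch clears DF with `frag_off &= !RTE_IPV4_HDR_DF_FLAG;`, which is a logical NOT: the right-hand side evaluates to 0, so the whole flags and fragment-offset field is zeroed instead of only the DF bit. Use the bitwise complement, `frag_off &= ~RTE_IPV4_HDR_DF_FLAG;`. The difference shows up as soon as the packet carries a non-zero fragment offset or the MF flag. `printf("Invalid packet type")` is also missing its trailing newline.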
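Review bot: In test_ipsec_td_verify the expected vector is copied into the new stack buffer with `memcpy(td_output_text, td->output_text.data + skip, len);`, where len comes from rte_pktmbuf_pkt_len(m) and td_output_text is a fixed uint8_t[4096], and no check of len against the buffer size is visible in the hunk. Compare len with sizeof(td_output_text) before copying and fail the test if it is larger, so an oversized mbuf returned by a PMD fails the case instead of overrunning the stack. `printf("Could not update expected vector")` is missing its trailing newline.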
* [PATCH v2 00/13] Add new cases to lookaside IPsec tests
From: Anoob Joseph @ 2021-12-06 11:07 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add new tests to lookaside IPsec tests.

* Support for chained operations.
* AES-CBC 128 NULL auth known vector tests.
* AES-CBC 128 HMAC-SHA256 known vector tests.
* AES-CBC 128 HMAC-SHA384 known vector tests.
* AES-CBC 128 HMAC-SHA512 known vector tests.
* NULL cipher AES-XCBC known vector tests.
* Tunnel mode tests
  * IPv6 in IPv6
  * IPv4 in IPv4
  * IPv4 in IPv6
  * IPv6 in IPv4
* IPv4 transport mode tests.
* Tunnel mode fragment packet tests.
* Security stats tests.
* AES-CTR tests.
* set/copy DF tests.

Changes in v2:
- Moved release notes update to originating patch
- Fixed build failure with last patch

Ankur Dwivedi (1):
  test/crypto: add security stats cases

Anoob Joseph (5):
  test/crypto: add IPsec aes-cbc known vectors
  test/crypto: add chained operations in combined cases
  test/crypto: add transport mode cases
  test/crypto: add aes xcbc known vectors
  test/crypto: add copy and set DF cases

Tejasree Kondoj (7):
  test/crypto: add IPsec AES-CBC-HMAC-SHA256 known vectors
  test/crypto: add IPv6 tunnel mode cases
  test/crypto: add IPsec HMAC-SHA384/512 known vectors
  test/crypto: add IPsec fragmented packet known vectors
  test/crypto: add lookaside IPsec AES-CTR known vectors
  test/crypto: add fragmented packet case
  test/crypto: skip null auth in ICV corrupt case

 app/test/test_cryptodev.c                          | 395 +++++++++-
 app/test/test_cryptodev_security_ipsec.c           | 352 ++++++++-
 app/test/test_cryptodev_security_ipsec.h           | 113 +++
 .../test_cryptodev_security_ipsec_test_vectors.h   | 828 +++++++++++++++++++++
 doc/guides/rel_notes/release_22_03.rst             |  19 +
 5 files changed, 1665 insertions(+), 42 deletions(-)

--
2.7.4
* [PATCH v2 01/13] test/crypto: add IPsec aes-cbc known vectors 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 02/13] test/crypto: add IPsec AES-CBC-HMAC-SHA256 " Anoob Joseph ` (12 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Extend the framework to support chained operations and add AES-CBC 128 known vector tests. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 62 ++++++++++-- app/test/test_cryptodev_security_ipsec.c | 51 ++++++++++ app/test/test_cryptodev_security_ipsec.h | 8 ++ .../test_cryptodev_security_ipsec_test_vectors.h | 110 +++++++++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 4 + 5 files changed, 226 insertions(+), 9 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 10b48cd..6d94085 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c 
@@ -9191,23 +9191,59 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], return TEST_SKIPPED; } } else { - /* Only AEAD supported now */ - return TEST_SKIPPED; + memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher, + sizeof(ut_params->cipher_xform)); + memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth, + sizeof(ut_params->auth_xform)); + ut_params->cipher_xform.cipher.key.data = td[0].key.data; + ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET; + ut_params->auth_xform.auth.key.data = td[0].key.data; + + /* Verify crypto capabilities */ + + if (test_ipsec_crypto_caps_cipher_verify( + sec_cap, + &ut_params->cipher_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Cipher crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + + if (test_ipsec_crypto_caps_auth_verify( + sec_cap, + &ut_params->auth_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Auth crypto capabilities not supported\n"); + return TEST_SKIPPED; + } } if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0) return TEST_SKIPPED; - salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); - memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); - struct rte_security_session_conf sess_conf = { .action_type = ut_params->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, - .ipsec = ipsec_xform, - .crypto_xform = &ut_params->aead_xform, }; + if (td[0].aead) { + salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); + memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); + sess_conf.ipsec = ipsec_xform; + sess_conf.crypto_xform = &ut_params->aead_xform; + } else { + sess_conf.ipsec = ipsec_xform; + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sess_conf.crypto_xform = &ut_params->cipher_xform; + ut_params->cipher_xform.next = &ut_params->auth_xform; + } else { + sess_conf.crypto_xform = &ut_params->auth_xform; + ut_params->auth_xform.next = &ut_params->cipher_xform; + } + } + /* Create security session */ ut_params->sec_session = 
rte_security_session_create(ctx, &sess_conf, ts_params->session_mpool, @@ -9316,14 +9352,18 @@ test_ipsec_proto_known_vec(const void *test_data) } static int -test_ipsec_proto_known_vec_inb(const void *td_outb) +test_ipsec_proto_known_vec_inb(const void *test_data) { + const struct ipsec_test_data *td = test_data; struct ipsec_test_flags flags; struct ipsec_test_data td_inb; memset(&flags, 0, sizeof(flags)); - test_ipsec_td_in_from_out(td_outb, &td_inb); + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + test_ipsec_td_in_from_out(td, &td_inb); + else + memcpy(&td_inb, td, sizeof(td_inb)); return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags); } @@ -14394,6 +14434,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 4708803..45960bf 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -150,6 +150,57 @@ test_ipsec_crypto_caps_aead_verify( return -ENOTSUP; } +int +test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == cipher->type && + cap->sym.cipher.algo == cipher->cipher.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_cipher(sym_cap, + cipher->cipher.key.length, + cipher->cipher.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + +int +test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == auth->type && + cap->sym.auth.algo == auth->auth.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_auth(sym_cap, + auth->auth.key.length, + auth->auth.digest_length, + auth->auth.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 7628d0c..91c6cd4 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h 
@@ -96,6 +96,14 @@ int test_ipsec_crypto_caps_aead_verify( const struct rte_security_capability *sec_cap, struct rte_crypto_sym_xform *aead); +int test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher); + +int test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth); + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in); diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index bb95d00..bf831e9 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -324,4 +324,114 @@ struct ipsec_test_data pkt_aes_256_gcm = { }, }; +/* Known vectors for AES-CBC + * https://datatracker.ietf.org/doc/html/rfc3602#section-4 + */ + +struct ipsec_test_data pkt_aes_128_cbc_null = { + .key = { + .data = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + }, + }, + .input_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00, + 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0, + 0x01, 0x01, 0xa8, 0xc0, + + /* ESP */ + 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02, + + /* IV */ + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + + /* Data */ + 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22, + 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c, + 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01, + 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8, + 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad, + 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6, + 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b, + 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5, + 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2, + 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a, + 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5, + 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d, + }, + .len = 140, + }, + .output_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00, + 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03, + 0xc0, 0xa8, 0x7b, 0xc8, + + /* ICMP */ + 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00, + 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 
0x0a, 0x04, + }, + .len = 84, + }, + .iv = { + .data = { + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + }, + }, + + .ipsec_xform = { + .spi = 0x8765, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_DECRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .algo = RTE_CRYPTO_AUTH_NULL, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 6d99d1e..9fccddc 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -55,6 +55,10 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated lookaside protocol (IPsec) tests in dpdk-test.** + + * Added AES-CBC 128 NULL auth known vector tests. + Removed Items ------------- -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
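Review bot: In the new non-AEAD branch of test_ipsec_proto_process(), "ut_params->auth_xform.auth.key.data = td[0].key.data;" points the auth transform at the cipher key. That is harmless for the RTE_CRYPTO_AUTH_NULL vector added here, but the commit message presents this as general framework support for chained operations, and any vector with a real auth algorithm would have its ICV computed with the cipher key. Suggest adding a separate auth key field to struct ipsec_test_data in this patch and using it here, so the framework change is correct on its own.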
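Review bot: The new ipsec_proto_testsuite entry is named "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", but it runs pkt_aes_128_cbc_null, whose chain.auth uses ".algo = RTE_CRYPTO_AUTH_NULL", and the release note calls it "AES-CBC 128 NULL auth". Put "NULL auth" in the test case name so that a pass in the test log is not read as covering an integrity-protected SA. Minor style point in the same file: "sess_conf.ipsec = ipsec_xform;" is repeated in both arms of the new if/else on td[0].aead; keep only the salt copy conditional and assign sess_conf.ipsec once after it.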
* [PATCH v2 02/13] test/crypto: add IPsec AES-CBC-HMAC-SHA256 known vectors 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 01/13] test/crypto: add IPsec aes-cbc known vectors Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 03/13] test/crypto: add chained operations in combined cases Anoob Joseph ` (11 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Adding lookaside IPsec AES-CBC-HMAC-SHA256 test cases. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 12 ++- app/test/test_cryptodev_security_ipsec.h | 3 + .../test_cryptodev_security_ipsec_test_vectors.h | 109 +++++++++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 1 + 4 files changed, 124 insertions(+), 1 deletion(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 6d94085..c91b745 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9197,7 +9197,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sizeof(ut_params->auth_xform)); ut_params->cipher_xform.cipher.key.data = td[0].key.data; ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET; - ut_params->auth_xform.auth.key.data = td[0].key.data; + ut_params->auth_xform.auth.key.data = td[0].auth_key.data; /* Verify crypto capabilities */ 
@@ -14423,6 +14423,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec, &pkt_aes_256_gcm), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), @@ -14438,6 +14443,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 91c6cd4..70a264a 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -14,6 +14,9 @@ struct ipsec_test_data { struct { uint8_t data[32]; } key; + struct { + uint8_t data[32]; + } auth_key; struct { uint8_t data[1024]; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index bf831e9..16c88fe 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -434,4 +434,113 @@ struct ipsec_test_data pkt_aes_128_cbc_null = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x7c, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x4d, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, + + /* ESP */ + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + + /* IV */ + 0x34, 0x12, 0x67, 0x45, 0xff, 0xff, 0x00, 0x00, + 0x20, 0xbf, 0xe8, 0x39, 0x00, 0x00, 0x00, 0x00, + + /* Data */ + 0x67, 0xb5, 0x46, 0x6e, 0x78, 0x17, 0xd3, 0x5a, + 0xac, 0x62, 0x62, 0x62, 0xb0, 0x57, 0x9b, 0x09, + 0x19, 0x4f, 0x06, 0x59, 0xc8, 0xb0, 0x30, 0x65, + 0x1f, 0x45, 0x57, 0x41, 0x72, 0x17, 0x28, 0xe9, + 0xad, 0x50, 0xbe, 0x44, 0x1d, 0x2d, 0x9a, 0xd0, + 0x48, 0x75, 0x0d, 0x1c, 0x8d, 0x24, 0xa8, 0x6f, + 0x6b, 0x24, 0xb6, 0x5d, 0x43, 0x1e, 0x55, 0xf0, + 0xf7, 0x14, 0x1f, 0xf2, 0x61, 0xd4, 0xe0, 0x30, + 0x16, 0xbe, 0x1b, 0x5c, 0xcc, 0xb7, 0x66, 0x1c, + 0x47, 0xad, 0x07, 0x6c, 0xd5, 0xcb, 0xce, 0x6c, + }, + .len = 124, + }, + .iv = { + .data = { + 0x34, 0x12, 0x67, 0x45, 0xff, 0xff, 0x00, 0x00, + 0x20, 0xbf, 0xe8, 0x39, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + 
.options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key.length = 32, + .digest_length = 16, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 9fccddc..83536ed 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -58,6 +58,7 @@ New Features * **Updated lookaside protocol (IPsec) tests in dpdk-test.** * Added AES-CBC 128 NULL auth known vector tests. + * Added AES-CBC 128 HMAC-SHA256 known vector tests. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
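Review bot: pkt_aes_128_cbc_hmac_sha256 carries no comment saying where its keys, IV and expected ciphertext come from, whereas pkt_aes_128_cbc_null just above it in the same header cites RFC 3602 section 4. Add a source comment, or state how the vector was generated and checked, since a known-vector test is only as trustworthy as the reference behind it. The same comment could note that digest_length is 16, so the expected output ends in a 16-byte truncated ICV.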
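Review bot: The new auth_key member of struct ipsec_test_data is a fixed "uint8_t data[32]", which is exactly the 32-byte HMAC-SHA256 key this vector uses, and nothing ties auth.key.length in the xform to the size of that array. Later patches in this series add HMAC-SHA384/512 vectors (05/13), so either size the array for the largest auth key the tests will carry now, or add a check that auth.key.length does not exceed sizeof(td->auth_key.data) before the session is created.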
* [PATCH v2 03/13] test/crypto: add chained operations in combined cases 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 01/13] test/crypto: add IPsec aes-cbc known vectors Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 02/13] test/crypto: add IPsec AES-CBC-HMAC-SHA256 " Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 04/13] test/crypto: add IPv6 tunnel mode cases Anoob Joseph ` (10 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Extend lookaside IPsec combined mode cases to cover chained operations also. Currently covering combinations of, Ciphers, 1. AES-128-CBC Auth, 1. NULL 2. SHA2-256 [16B ICV] Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 11 +++-- app/test/test_cryptodev_security_ipsec.c | 77 +++++++++++++++++++++++++------- app/test/test_cryptodev_security_ipsec.h | 36 +++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 1 + 4 files changed, 104 insertions(+), 21 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index c91b745..a307aec 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -835,6 +835,8 @@ ipsec_proto_testsuite_setup(void) ret = TEST_SKIPPED; } + test_ipsec_alg_list_populate(); + /* * Stop the device. Device would be started again by individual test * case setup routine. 
@@ -9381,9 +9383,9 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) flags->sa_expiry_pkts_hard) nb_pkts = IPSEC_TEST_PACKETS_MAX; - for (i = 0; i < RTE_DIM(aead_list); i++) { - test_ipsec_td_prepare(&aead_list[i], - NULL, + for (i = 0; i < RTE_DIM(alg_list); i++) { + test_ipsec_td_prepare(alg_list[i].param1, + alg_list[i].param2, flags, td_outb, nb_pkts); @@ -9407,7 +9409,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) return TEST_FAILED; if (flags->display_alg) - test_ipsec_display_alg(&aead_list[i], NULL); + test_ipsec_display_alg(alg_list[i].param1, + alg_list[i].param2); pass_cnt++; } diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 45960bf..5f67dc0 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -15,7 +15,29 @@ #define IV_LEN_MAX 16 -extern struct ipsec_test_data pkt_aes_256_gcm; +struct crypto_param_comb alg_list[RTE_DIM(aead_list) + + (RTE_DIM(cipher_list) * + RTE_DIM(auth_list))]; + +void +test_ipsec_alg_list_populate(void) +{ + unsigned long i, j, index = 0; + + for (i = 0; i < RTE_DIM(aead_list); i++) { + alg_list[index].param1 = &aead_list[i]; + alg_list[index].param2 = NULL; + index++; + } + + for (i = 0; i < RTE_DIM(cipher_list); i++) { + for (j = 0; j < RTE_DIM(auth_list); j++) { + alg_list[index].param1 = &cipher_list[i]; + alg_list[index].param2 = &auth_list[j]; + index++; + } + } +} int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, 
@@ -293,18 +315,31 @@ test_ipsec_td_prepare(const struct crypto_param *param1, for (i = 0; i < nb_td; i++) { td = &td_array[i]; - /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); - /* Override fields based on param */ + /* Prepare fields based on param */ + + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + /* Copy template for packet & key fields */ + memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); - if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) td->aead = true; - else + td->xform.aead.aead.algo = param1->alg.aead; + td->xform.aead.aead.key.length = param1->key_length; + } else { + /* Copy template for packet & key fields */ + memcpy(td, &pkt_aes_128_cbc_hmac_sha256, sizeof(*td)); + td->aead = false; + td->xform.chain.cipher.cipher.algo = param1->alg.cipher; + td->xform.chain.cipher.cipher.key.length = + param1->key_length; + td->xform.chain.auth.auth.algo = param2->alg.auth; + td->xform.chain.auth.auth.key.length = + param2->key_length; + td->xform.chain.auth.auth.digest_length = + param2->digest_length; - td->xform.aead.aead.algo = param1->alg.aead; - td->xform.aead.aead.key.length = param1->key_length; + } if (flags->iv_gen) td->ipsec_xform.options.iv_gen_disable = 0; @@ -324,8 +359,6 @@ test_ipsec_td_prepare(const struct crypto_param *param1, } } - - RTE_SET_USED(param2); } void 
@@ -374,12 +407,21 @@ void test_ipsec_display_alg(const struct crypto_param *param1, const struct crypto_param *param2) { - if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) - printf("\t%s [%d]\n", + if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { + printf("\t%s [%d]", rte_crypto_aead_algorithm_strings[param1->alg.aead], - param1->key_length); - - RTE_SET_USED(param2); + param1->key_length * 8); + } else { + printf("\t%s", + rte_crypto_cipher_algorithm_strings[param1->alg.cipher]); + if (param1->alg.cipher != RTE_CRYPTO_CIPHER_NULL) + printf(" [%d]", param1->key_length * 8); + printf(" %s", + rte_crypto_auth_algorithm_strings[param2->alg.auth]); + if (param2->alg.auth != RTE_CRYPTO_AUTH_NULL) + printf(" [%dB ICV]", param2->digest_length); + } + printf("\n"); } static int @@ -631,8 +673,9 @@ test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td, if (res_d->aead) { res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT; } else { - printf("Only AEAD supported\n"); - return TEST_SKIPPED; + res_d->xform.chain.cipher.cipher.op = + RTE_CRYPTO_CIPHER_OP_DECRYPT; + res_d->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY; } return TEST_SUCCESS; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 70a264a..b1f0ff8 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -71,6 +71,7 @@ struct crypto_param { enum rte_crypto_aead_algorithm aead; } alg; uint16_t key_length; + uint16_t digest_length; }; static const struct crypto_param aead_list[] = { 
@@ -91,6 +92,41 @@ static const struct crypto_param aead_list[] = { }, }; +static const struct crypto_param cipher_list[] = { + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, + .key_length = 16, + }, +}; + +static const struct crypto_param auth_list[] = { + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_NULL, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key_length = 32, + .digest_length = 16, + }, +}; + +struct crypto_param_comb { + const struct crypto_param *param1; + const struct crypto_param *param2; +}; + +extern struct ipsec_test_data pkt_aes_256_gcm; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256; + +extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) + + (RTE_DIM(cipher_list) * + RTE_DIM(auth_list))]; + +void test_ipsec_alg_list_populate(void); + int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, const struct rte_security_capability *sec_cap, bool silent); diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 83536ed..62682d0 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -57,6 +57,7 @@ New Features * **Updated lookaside protocol (IPsec) tests in dpdk-test.** + * Added support for chained operations. * Added AES-CBC 128 NULL auth known vector tests. * Added AES-CBC 128 HMAC-SHA256 known vector tests. -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
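Review bot: test_ipsec_td_prepare() and test_ipsec_display_alg() now dereference param2 in their non-AEAD branches ("param2->alg.auth", "param2->digest_length") with no NULL check, and the RTE_SET_USED(param2) lines are removed. test_ipsec_alg_list_populate() always pairs a cipher entry with an auth entry, so this is safe for the current alg_list, but the AEAD entries pass param2 = NULL through the same prototypes and nothing stops a future caller from doing the same with a cipher. Fail the test, or assert, when param1 is not AEAD and param2 is NULL.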
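Review bot: In test_ipsec_display_alg() the AEAD branch changes from printing "param1->key_length" to "param1->key_length * 8", so the existing log output for AEAD algorithms switches from bytes to bits. The commit message only talks about adding chained operations; mention the change of unit there, since anyone comparing test logs across versions will see different numbers for the same algorithm.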
* [PATCH v2 04/13] test/crypto: add IPv6 tunnel mode cases 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (2 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 03/13] test/crypto: add chained operations in combined cases Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 05/13] test/crypto: add IPsec HMAC-SHA384/512 known vectors Anoob Joseph ` (9 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add IPv6 known vector and combined mode tests. Following modes are added: Tunnel IPv6 in IPv6 Tunnel IPv4 in IPv4 Tunnel IPv4 in IPv6 Tunnel IPv6 in IPv4 Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 102 ++++++++++- app/test/test_cryptodev_security_ipsec.c | 74 +++++++- app/test/test_cryptodev_security_ipsec.h | 4 + .../test_cryptodev_security_ipsec_test_vectors.h | 202 +++++++++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 5 + 5 files changed, 383 insertions(+), 4 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index a307aec..a64ed60 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9125,6 +9125,10 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], bool silent, const struct ipsec_test_flags *flags) { + uint16_t v6_src[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000, + 0x0000, 0x001a}; + uint16_t v6_dst[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174, + 0xe82c, 0x4887}; struct crypto_testsuite_params *ts_params = &testsuite_params; struct crypto_unittest_params *ut_params = &unittest_params; struct rte_security_capability_idx sec_cap_idx; 
@@ -9158,8 +9162,16 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], dst += 1; } - memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); - memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + } else { + memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, + sizeof(v6_src)); + memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, + sizeof(v6_dst)); + } ctx = rte_cryptodev_get_sec_ctx(dev_id); @@ -9555,6 +9567,58 @@ test_ipsec_proto_inner_l4_csum(const void *data __rte_unused) } static int +test_ipsec_proto_tunnel_v4_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = false; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v6_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = true; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v4_in_v6(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.tunnel_ipv6 = true; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = true; + flags.tunnel_ipv6 = false; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; 
@@ -14431,6 +14495,15 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), @@ -14451,6 +14524,15 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, 
@@ -14495,6 +14577,22 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inner L4 checksum", ut_setup_security, ut_teardown, test_ipsec_proto_inner_l4_csum), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v4_in_v4), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv6", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v6_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv4 in IPv6", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v4_in_v6), + TEST_CASE_NAMED_ST( + "Tunnel IPv6 in IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_v6_in_v4), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 5f67dc0..12031d3 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -19,6 +19,40 @@ struct crypto_param_comb alg_list[RTE_DIM(aead_list) + (RTE_DIM(cipher_list) * RTE_DIM(auth_list))]; +static bool +is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt) +{ + /* The IP version number must be 4 */ + if (((pkt->version_ihl) >> 4) != 4) + return false; + /* + * The IP header length field must be large enough to hold the + * minimum length legal IP datagram (20 bytes = 5 words). + */ + if ((pkt->version_ihl & 0xf) < 5) + return false; + + /* + * The IP total length field must be large enough to hold the IP + * datagram header, whose length is specified in the IP header length + * field. + */ + if (rte_cpu_to_be_16(pkt->total_length) < sizeof(struct rte_ipv4_hdr)) + return false; + + return true; +} + +static bool +is_valid_ipv6_pkt(const struct rte_ipv6_hdr *pkt) +{ + /* The IP version number must be 6 */ + if ((rte_be_to_cpu_32((pkt->vtc_flow)) >> 28) != 6) + return false; + + return true; +} + void test_ipsec_alg_list_populate(void) { 
@@ -320,14 +354,22 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) { /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); + if (flags->ipv6) + memcpy(td, &pkt_aes_256_gcm_v6, sizeof(*td)); + else + memcpy(td, &pkt_aes_256_gcm, sizeof(*td)); td->aead = true; td->xform.aead.aead.algo = param1->alg.aead; td->xform.aead.aead.key.length = param1->key_length; } else { /* Copy template for packet & key fields */ - memcpy(td, &pkt_aes_128_cbc_hmac_sha256, sizeof(*td)); + if (flags->ipv6) + memcpy(td, &pkt_aes_128_cbc_hmac_sha256_v6, + sizeof(*td)); + else + memcpy(td, &pkt_aes_128_cbc_hmac_sha256, + sizeof(*td)); td->aead = false; td->xform.chain.cipher.cipher.algo = param1->alg.cipher; @@ -358,6 +400,13 @@ test_ipsec_td_prepare(const struct crypto_param *param1, test_ipsec_csum_init(&td->input_text.data, false, true); } + if (flags->tunnel_ipv6) + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + else + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + } } @@ -686,6 +735,7 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, struct ipsec_test_data *res_d, bool silent, const struct ipsec_test_flags *flags) { + uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); int ret; if (flags->iv_gen && 
@@ -695,6 +745,26 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, return ret; } + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + const struct rte_ipv4_hdr *iph4; + const struct rte_ipv6_hdr *iph6; + + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + iph4 = (const struct rte_ipv4_hdr *)output_text; + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Outer header is not IPv4\n"); + return TEST_FAILED; + } + } else { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Outer header is not IPv6\n"); + return TEST_FAILED; + } + } + } + /* * In case of known vector tests & all inbound tests, res_d provided * would be NULL and output data need to be validated against expected. diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index b1f0ff8..69e81ae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -61,6 +61,8 @@ struct ipsec_test_flags { bool udp_ports_verify; bool ip_csum; bool l4_csum; + bool ipv6; + bool tunnel_ipv6; }; struct crypto_param { @@ -119,7 +121,9 @@ struct crypto_param_comb { }; extern struct ipsec_test_data pkt_aes_256_gcm; +extern struct ipsec_test_data pkt_aes_256_gcm_v6; extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256; +extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6; extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) + (RTE_DIM(cipher_list) * diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 16c88fe..04ccbf0 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -434,6 +434,103 @@ struct ipsec_test_data pkt_aes_128_cbc_null = { }, }; +struct ipsec_test_data pkt_aes_256_gcm_v6 = { + .key = { + .data = { + 0xde, 0x12, 0xbe, 0x56, 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + 0x12, 0x78, 0xbe, 0x34, 0x01, 0x02, 0x03, 0x07, + 0xaa, 0xbb, 0xcc, 0xf1, 0x08, 0x07, 0x06, 0x05, + }, + }, + .input_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38, + 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, + 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad, + 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87, + 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c, + 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6, + 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07, + }, + .len = 72, + }, + .output_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x32, 0x40, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56, + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xe7, 0xdf, 0xc4, 0x7e, 0x21, 0xbd, 0xec, 0x1b, + 0x74, 0x5a, 0xe4, 0x7e, 0x2e, 0x94, 0x21, 0x0a, + 0x9b, 0x0e, 0x59, 0xbe, 0x06, 0x2a, 0xda, 0xb8, + 0x6b, 0x48, 0x7f, 0x0b, 0x88, 0x3a, 0xa9, 0xfd, + 0x3c, 0xfe, 0x9f, 0xb1, 0x8c, 0x67, 0xd2, 0xf8, + 0xaf, 0xb5, 0xad, 0x16, 0xdb, 0xff, 0x8d, 0x50, + 0xd3, 0x48, 0xf5, 0x6c, 0x3c, 0x0c, 0x27, 0x34, + 0x2b, 0x65, 0xc8, 0xff, 0xeb, 0x5f, 0xb8, 0xff, + 0x12, 0x00, 0x1c, 0x9f, 0xb7, 0x85, 0xdd, 0x7d, + 0x40, 0x19, 0xcb, 0x18, 0xeb, 0x15, 0xc4, 0x88, + 0xe1, 0xc2, 0x91, 0xc7, 0xb1, 0x65, 0xc3, 0x27, + 0x16, 0x06, 0x8f, 0xf2, + }, + .len = 148, + }, + .salt = { + .data = { + 0x11, 0x22, 0x33, 0x44 + }, + .len = 4, + }, + + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + }, + }, + + 
.ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 32, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { .key = { .data = { 
@@ -543,4 +640,109 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38, + 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, + 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad, + 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87, + 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c, + 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6, + 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a, + 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07, + }, + .len = 72, + }, + .output_text = { + .data = { + 0x60, 0x00, 0x00, 0x00, 0x00, 0x78, 0x32, 0x40, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78, + 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34, + 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56, + 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01, + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00, + 0x1b, 0x1c, 0x98, 0x6e, 0x2a, 0xce, 0x61, 0xef, + 0xc1, 0xdd, 0x25, 0x96, 0x5c, 0xb1, 0xb0, 0x15, + 0x47, 0x25, 0xb7, 0x8b, 0x00, 0xb6, 0xbb, 0xe6, + 0x2e, 0x29, 0xcb, 0x4a, 0x94, 0x00, 0xf0, 0x73, + 0xdb, 0x14, 0x32, 0xd9, 0xa2, 0xdf, 0x22, 0x2f, + 0x52, 0x3e, 0x79, 0x77, 0xf3, 0x17, 0xaa, 0x40, + 0x1c, 0x57, 0x27, 0x12, 0x82, 0x44, 0x35, 0xb8, + 0x64, 0xe0, 0xaa, 0x5c, 0x10, 0xc7, 0x97, 0x35, + 0x9c, 0x6b, 0x1c, 0xf7, 0xe7, 0xbd, 0x83, 0x33, + 0x77, 0x48, 0x44, 0x7d, 0xa4, 0x13, 0x74, 0x3b, + 0x6a, 0x91, 0xd0, 0xd8, 0x7d, 0x41, 0x45, 0x23, + 
0x5d, 0xc9, 0x2d, 0x08, 0x7a, 0xd8, 0x25, 0x8e, + }, + .len = 160, + }, + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA256_HMAC, + .key.length = 32, + .digest_length = 16, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 62682d0..42f3a3c 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -60,6 +60,11 @@ New Features * Added support for chained operations. * Added AES-CBC 128 NULL auth known vector tests. * Added AES-CBC 128 HMAC-SHA256 known vector tests. + * Added tunnel mode tests + * IPv6 in IPv6 + * IPv4 in IPv4 + * IPv4 in IPv6 + * IPv6 in IPv4 Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
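Review bot: In the test_ipsec_post_process() hunk, the egress check casts output_text straight to struct rte_ipv4_hdr / struct rte_ipv6_hdr and passes only that pointer to is_valid_ipv4_pkt() / is_valid_ipv6_pkt(), so nothing in the visible code confirms that the mbuf holds a full outer header before its fields are read. Compare rte_pktmbuf_data_len(m) with sizeof(*iph4) or sizeof(*iph6) first and return TEST_FAILED on a short packet. Two smaller points in the same block: the branch selects on tunnel.type without looking at ipsec_xform.mode, which will misreport as soon as a non-tunnel SA reaches this function, and `== false` reads better as `!is_valid_ipv4_pkt(iph4)`.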
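Review bot: struct ipsec_test_flags gains `bool ipv6;` and `bool tunnel_ipv6;` with no comment saying which one describes the inner packet and which the outer header. From test_ipsec_td_prepare() the first picks the `_v6` plaintext template and the second sets tunnel.type, and that split is what produces the four in-in combinations listed in the release note, so a one-line comment on each field would save the next reader from working it out. The td_prepare hunk also adds an empty line directly before the closing brace of the loop body, which can be dropped, and the new release-note bullet "Added tunnel mode tests" lacks the full stop its neighbours have.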
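Review bot: The two new vectors, pkt_aes_256_gcm_v6 and pkt_aes_128_cbc_hmac_sha256_v6, are bare hex with no markers for where the IPv6 header, ESP header, IV, ciphertext and ICV begin, and nothing in the patch or commit message records how output_text was generated. Short comments at those boundaries and a line on the reference implementation used would let a reviewer confirm, for example, that the 0x6c and 0x78 payload lengths in the outer headers match .len = 148 and .len = 160. Both vectors also carry the same 72-byte input_text; a shared array or a comment noting the duplication would keep the two from drifting apart.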
* [PATCH v2 05/13] test/crypto: add IPsec HMAC-SHA384/512 known vectors
From: Anoob Joseph @ 2021-12-06 11:07 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Add lookaside IPsec HMAC-SHA384/512 known vectors.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c | 20 ++
 app/test/test_cryptodev_security_ipsec.h | 14 +-
 .../test_cryptodev_security_ipsec_test_vectors.h | 213 +++++++++++++++++++++
 doc/guides/rel_notes/release_22_03.rst | 2 +
 4 files changed, 248 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index a64ed60..0f74984 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c
@@ -14495,6 +14495,16 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec, &pkt_aes_256_gcm_v6), @@ -14525,6 +14535,16 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256), TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha384), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_aes_128_cbc_hmac_sha512), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm_v6), diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 69e81ae..d74eee7 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -15,7 +15,7 @@ struct ipsec_test_data { uint8_t data[32]; } key; struct { - uint8_t data[32]; + uint8_t data[64]; } auth_key; struct { 
@@ -113,6 +113,18 @@ static const struct crypto_param auth_list[] = { .key_length = 32, .digest_length = 16, }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA384_HMAC, + .key_length = 48, + .digest_length = 24, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_SHA512_HMAC, + .key_length = 64, + .digest_length = 32, + }, }; struct crypto_param_comb { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 04ccbf0..b8661f7 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -640,6 +640,219 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = { }, }; +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha384 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x34, + 0x1a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + .data = { + 0x45, 0x00, 0x00, 0x84, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x45, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x44, 0x24, 0xb9, 0xd8, + 0x0f, 0xbe, 0xa3, 0x3f, 0xc9, 0xc0, 0xa2, 0xcb, + 0xaa, 0xda, 0x3f, 0xc6, 0x0e, 0x88, 0x75, 0x96, + 0x25, 0x50, 0x07, 0x4d, 0x52, 0xf4, 0x75, 0xec, + 0xd8, 0xcd, 0xe4, 0xcf, 0x85, 0x9a, 0xbc, 0x9e, + 0x84, 0x0f, 0xbb, 0x83, 0x72, 0x0c, 0x7f, 0x58, + 0x02, 0x46, 0xeb, 0x86, 0x6e, 0xd1, 0xcf, 0x05, + 0x6a, 0xd1, 0xd2, 0xc6, 0xb5, 0x94, 0x09, 0x0a, + 0x3e, 0xdf, 0x09, 0xfb, 0x0a, 0xb7, 0xb4, 0x97, + 0x17, 0xf2, 0x20, 0xaf, 0xfa, 0x90, 0x92, 0x4d, + 0xe4, 0x0e, 0xef, 0x5a, 0xe8, 0x43, 0x46, 0xa8, + 0x5e, 0x3f, 0x52, 0x46, + }, + .len = 132, + }, + .iv = { + .data = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA384_HMAC, + .key.length = 48, + .digest_length = 24, + }, + }, + }, +}; + +struct ipsec_test_data pkt_aes_128_cbc_hmac_sha512 = { + .key = { + .data = { + 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00, + }, + }, + .auth_key = { + .data = { + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04, + 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00, + 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, + 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x34, + 0x1a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x32, 0x00, 0x01, 0x00, 0x00, + 0x1f, 0x11, 0x17, 0x8b, 0xc0, 0xa8, 0x01, 0x6f, + 0xc0, 0xa8, 0x01, 0x70, + + /* UDP */ + 0x00, 0x09, 0x00, 0x09, 0x00, 0x1e, 0x00, 0x00, + 0xbe, 0x9b, 0xe9, 0x55, 0x00, 0x00, 0x00, 0x21, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 50, + }, + .output_text = { + 
.data = { + 0x45, 0x00, 0x00, 0x8c, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0x52, 0x3d, 0x14, 0x00, 0x00, 0x01, + 0x14, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x42, 0x32, 0x76, 0x65, + 0x45, 0x35, 0x24, 0x41, 0xf0, 0xc1, 0xb4, 0x40, + 0x00, 0x00, 0x00, 0x00, 0xd0, 0x32, 0x23, 0xf7, + 0xcd, 0x3d, 0xdb, 0xd5, 0x70, 0x19, 0x1b, 0xf5, + 0x8f, 0xeb, 0x98, 0x3d, 0x41, 0x5c, 0x28, 0xdd, + 0xfd, 0xcc, 0xdd, 0xa2, 0xeb, 0x43, 0x4c, 0x13, + 0x2d, 0xa1, 0x98, 0x87, 0x92, 0x3a, 0x1f, 0x67, + 0x20, 0x8d, 0x9e, 0x8e, 0x51, 0x21, 0x4c, 0xa9, + 0xff, 0xad, 0xfb, 0x5d, 0x57, 0xa3, 0x16, 0x91, + 0xaa, 0x75, 0xc7, 0x28, 0x42, 0x4e, 0x8f, 0x8e, + 0x84, 0x37, 0x94, 0x09, 0x74, 0xfa, 0x70, 0x0d, + 0xd1, 0x37, 0xe2, 0x7c, 0x54, 0xdd, 0x2e, 0xb4, + 0xf4, 0x54, 0x4b, 0x12, 0xe0, 0xaf, 0x4a, 0x0a, + 0x0b, 0x52, 0x57, 0x9d, 0x36, 0xdc, 0xac, 0x02, + 0xfb, 0x55, 0x34, 0x05, + }, + .len = 140, + }, + .iv = { + .data = { + 0x42, 0x32, 0x76, 0x65, 0x45, 0x35, 0x24, 0x41, + 0xf0, 0xc1, 0xb4, 0x40, 0x00, 0x00, 0x00, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_SHA512_HMAC, + .key.length = 64, + .digest_length = 32, + }, + }, + }, +}; + struct 
ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { .key = { .data = { diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 42f3a3c..65e348f 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -60,6 +60,8 @@ New Features * Added support for chained operations. * Added AES-CBC 128 NULL auth known vector tests. * Added AES-CBC 128 HMAC-SHA256 known vector tests. + * Added AES-CBC 128 HMAC-SHA384 known vector tests. + * Added AES-CBC 128 HMAC-SHA512 known vector tests. * Added tunnel mode tests * IPv6 in IPv6 * IPv4 in IPv4 -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
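Review bot: In pkt_aes_128_cbc_hmac_sha384 the .iv is sixteen 0x00 bytes, and the sixteen bytes after the SPI and sequence number in output_text are zero to match, so this vector cannot tell a device that applies the supplied IV from one that ignores it and uses or emits zeros. Give it a non-zero IV as pkt_aes_128_cbc_hmac_sha512 has (0x42, 0x32, 0x76, 0x65, ...) and regenerate output_text. The SHA384 and SHA512 vectors would also benefit from the same `/* IP */` style markers in output_text that input_text already has, so the 24-byte and 32-byte ICVs are easy to locate.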
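Review bot: In the test_cryptodev.c hunks, the context entries directly after the new cases in both the outbound and inbound lists are named "... (ESP tunnel mode IPv6 AES-GCM 128)" but pass &pkt_aes_256_gcm_v6, whose xform sets .key.length = 32, so the test report names an algorithm that is not the one exercised. Since this patch edits the same list and is careful to spell out "[24B ICV]" and "[32B ICV]" in its own names, fix the label to AES-GCM 256 here or in the patch that introduced it. Separately, the widening of auth_key.data from 32 to 64 in struct ipsec_test_data deserves a word in the commit message, because it changes the size of every existing vector.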
* [PATCH v2 06/13] test/crypto: add IPsec fragmented packet known vectors
From: Anoob Joseph @ 2021-12-06 11:07 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Tejasree Kondoj <ktejasree@marvell.com>

Add fragmented plain packet known vector test case in IPsec outbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c | 22 +++++
 app/test/test_cryptodev_security_ipsec.c | 10 ++
 app/test/test_cryptodev_security_ipsec.h | 1 +
 .../test_cryptodev_security_ipsec_test_vectors.h | 104 +++++++++++++++++++++
 doc/guides/rel_notes/release_22_03.rst | 1 +
 5 files changed, 138 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 0f74984..e2bbabf 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c
@@ -9383,6 +9383,23 @@ test_ipsec_proto_known_vec_inb(const void *test_data) } static int +test_ipsec_proto_known_vec_fragmented(const void *test_data) +{ + struct ipsec_test_data td_outb; + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + flags.fragment = true; + + memcpy(&td_outb, test_data, sizeof(td_outb)); + + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + + return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); +} + +static int test_ipsec_proto_all(const struct ipsec_test_flags *flags) { struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX]; @@ -14514,6 +14531,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_WITH_DATA( + "Outbound fragmented packet", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_fragmented, + &pkt_aes_128_gcm_frag), + TEST_CASE_NAMED_WITH_DATA( "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm), diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 12031d3..ccce63f 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -659,6 +659,16 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return TEST_FAILED; } + if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) && + flags->fragment) { + const struct rte_ipv4_hdr *iph4; + iph4 = (const struct rte_ipv4_hdr *)output_text; + if (iph4->fragment_offset) { + printf("Output packet is fragmented"); + return TEST_FAILED; + } + } + skip = test_ipsec_tunnel_hdr_len_get(td); len -= skip; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index d74eee7..884a795 100644 --- a/app/test/test_cryptodev_security_ipsec.h 
+++ b/app/test/test_cryptodev_security_ipsec.h @@ -63,6 +63,7 @@ struct ipsec_test_flags { bool l4_csum; bool ipv6; bool tunnel_ipv6; + bool fragment; }; struct crypto_param { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index b8661f7..b6d48ad 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -958,4 +958,108 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = { }, }; +struct ipsec_test_data pkt_aes_128_gcm_frag = { + .key = { + .data = { + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef, + }, + }, + .input_text = { + .data = { + 0x45, 0x00, 0x00, 0x6e, 0x00, 0x01, 0x00, 0x17, + 0x40, 0x06, 0xed, 0x48, 0xc6, 0x12, 0x00, 0x00, + 0xc6, 0x12, 0x01, 0x05, 0x00, 0x14, 0x00, 0x50, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x50, 0x00, 0x00, 0x00, 0x55, 0x05, 0x00, 0x00, + 0x00, 0x01, 0x02, 0x03, 0xf2, 0xf6, 0xe9, 0x21, + 0xf9, 0xf2, 0xf6, 0xe9, 0x21, 0xf9, 0xf2, 0xf6, + 0xe9, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }, + .len = 110, + }, + .output_text = { + .data = { + 0x45, 0x00, 0x00, 0xa4, 0x00, 0x01, 0x00, 0x00, + 0x40, 0x32, 0xf6, 0x0c, 0xc0, 0xa8, 0x01, 0x70, + 0xc0, 0xa8, 0x01, 0x5a, 0x00, 0x00, 0x00, 0x34, + 0x00, 0x00, 0x00, 0x01, 0x45, 0xad, 0xfe, 0x23, + 0x78, 0x56, 0x12, 0x00, 0x49, 0x26, 0xac, 0x4e, + 0x8d, 0xf3, 0x74, 0x26, 0x18, 0x3f, 0x65, 0x94, + 0x73, 0x2e, 0xe4, 0xcf, 0x84, 0x6d, 0x03, 0x8a, + 0x4c, 0xdd, 0x2d, 0xef, 0xcd, 0x9f, 0x84, 0x76, + 0x93, 0xe1, 0xee, 0x21, 0x92, 0x8b, 0xf7, 0x7a, + 0xb1, 0x6a, 0x7f, 0xd6, 0x10, 0x66, 0xdd, 0xa1, + 0x8b, 0x17, 0x56, 0x99, 0x9a, 0x40, 0xd0, 0x6b, + 0x2d, 0xe0, 0x55, 0x40, 0x2f, 0xb8, 0x38, 0xe3, + 0x08, 0x46, 0xe2, 0x69, 0xc9, 0xa1, 0x85, 0x9d, + 0x7b, 0xec, 0x33, 0x2a, 0x2d, 0x1d, 0x1f, 0x1a, + 0x9e, 0xf0, 0x1e, 0xc3, 0x33, 0x64, 0x35, 0x82, + 0xbb, 0xb5, 0x7a, 0x91, 0x2e, 0x8d, 0xd5, 0x5b, + 0x3a, 0xbe, 0x95, 0x94, 0xba, 0x40, 0x73, 0x4e, + 0xa4, 0x15, 0xe4, 0x4a, 0xf9, 0x14, 0x2c, 0x4f, + 0x63, 0x2e, 0x23, 0x6e, 0xeb, 0x06, 0xe7, 0x52, + 0xe1, 
0xc7, 0x91, 0x7f, 0x19, 0xc0, 0x4a, 0xd2, + 0xd5, 0x3e, 0x84, 0xa8, + }, + .len = 164, + }, + .salt = { + .data = { + 0xde, 0xad, 0xbe, 0xef, + }, + .len = 4, + }, + + .iv = { + .data = { + 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00, + }, + }, + + .ipsec_xform = { + .spi = 52, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = true, + + .xform = { + .aead = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AEAD, + .aead = { + .op = RTE_CRYPTO_AEAD_OP_ENCRYPT, + .algo = RTE_CRYPTO_AEAD_AES_GCM, + .key.length = 16, + .iv.length = 12, + .iv.offset = IV_OFFSET, + .digest_length = 16, + .aad_length = 12, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 65e348f..0562547 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -67,6 +67,7 @@ New Features * IPv4 in IPv4 * IPv4 in IPv6 * IPv6 in IPv4 + * Added tunnel mode fragment packet tests. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
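Review bot: In the test_ipsec_td_verify() hunk, `if (iph4->fragment_offset)` tests the whole 16-bit field, which carries the DF and MF flag bits as well as the offset, so an outer header that merely has DF set would be reported as fragmented. Convert with rte_be_to_cpu_16() and mask with RTE_IPV4_HDR_MF_FLAG | RTE_IPV4_HDR_OFFSET_MASK so only a real fragment fails the test. The block also casts output_text to struct rte_ipv4_hdr without checking that tunnel.type is RTE_SECURITY_IPSEC_TUNNEL_IPV4, which will read the wrong bytes for an IPv6 outer header, and the printf() string is missing the trailing "\n" that the other failure messages in this file have.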
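Review bot: The new `bool fragment;` flag and the pkt_aes_128_gcm_frag vector do not say what is fragmented: the flag name could mean "the input is a fragment" or "expect fragmented output", and the only hint in the vector is the 0x00, 0x17 in bytes 6 and 7 of input_text. Add a comment on the flag stating that the plaintext is an IP fragment and the ESP output must not be one, and a comment in the vector marking the fragment offset field. The release-note line "Added tunnel mode fragment packet tests." could likewise say that this is an outbound-only case, as the test name "Outbound fragmented packet" does.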
* [PATCH v2 07/13] test/crypto: add transport mode cases
From: Anoob Joseph @ 2021-12-06 11:07 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

Add transport mode tests with test cases for IPv4 packets.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.c | 39 ++++++++++++++----
 app/test/test_cryptodev_security_ipsec.c | 71 +++++++++++++++++++++-----------
 app/test/test_cryptodev_security_ipsec.h | 1 +
 doc/guides/rel_notes/release_22_03.rst | 1 +
 4 files changed, 80 insertions(+), 32 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index e2bbabf..f470d5c 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c
@@ -9162,15 +9162,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], dst += 1; } - if (td->ipsec_xform.tunnel.type == - RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); - memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - } else { - memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, - sizeof(v6_src)); - memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, - sizeof(v6_dst)); + if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, + sizeof(src)); + memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, + sizeof(dst)); + } else { + memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, + sizeof(v6_src)); + memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst, + sizeof(v6_dst)); + } } ctx = rte_cryptodev_get_sec_ctx(dev_id); @@ -9636,6 +9640,19 @@ test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused) } static int +test_ipsec_proto_transport_v4(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.ipv6 = false; + flags.transport = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14635,6 +14652,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Tunnel IPv6 in IPv4", ut_setup_security, ut_teardown, test_ipsec_proto_tunnel_v6_in_v4), + TEST_CASE_NAMED_ST( + "Transport IPv4", + ut_setup_security, ut_teardown, + test_ipsec_proto_transport_v4), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index ccce63f..029fdd3 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -400,12 +400,21 @@ test_ipsec_td_prepare(const struct crypto_param *param1, test_ipsec_csum_init(&td->input_text.data, false, true); } - if (flags->tunnel_ipv6) - td->ipsec_xform.tunnel.type = - RTE_SECURITY_IPSEC_TUNNEL_IPV6; - else - td->ipsec_xform.tunnel.type = - RTE_SECURITY_IPSEC_TUNNEL_IPV4; + if (flags->transport) { + td->ipsec_xform.mode = + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT; + } else { + td->ipsec_xform.mode = + RTE_SECURITY_IPSEC_SA_MODE_TUNNEL; + + if (flags->tunnel_ipv6) + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV6; + else + td->ipsec_xform.tunnel.type = + RTE_SECURITY_IPSEC_TUNNEL_IPV4; + } + } } 
@@ -748,29 +757,45 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); int ret; - if (flags->iv_gen && - td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { - ret = test_ipsec_iv_verify_push(m, td); - if (ret != TEST_SUCCESS) - return ret; - } - if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { const struct rte_ipv4_hdr *iph4; const struct rte_ipv6_hdr *iph6; - if (td->ipsec_xform.tunnel.type == - RTE_SECURITY_IPSEC_TUNNEL_IPV4) { - iph4 = (const struct rte_ipv4_hdr *)output_text; - if (is_valid_ipv4_pkt(iph4) == false) { - printf("Outer header is not IPv4\n"); - return TEST_FAILED; + if (flags->iv_gen) { + ret = test_ipsec_iv_verify_push(m, td); + if (ret != TEST_SUCCESS) + return ret; + } + + iph4 = (const struct rte_ipv4_hdr *)output_text; + + if (td->ipsec_xform.mode == + RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) { + if (flags->ipv6) { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Transport packet is not IPv6\n"); + return TEST_FAILED; + } + } else { + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Transport packet is not IPv4\n"); + return TEST_FAILED; + } } } else { - iph6 = (const struct rte_ipv6_hdr *)output_text; - if (is_valid_ipv6_pkt(iph6) == false) { - printf("Outer header is not IPv6\n"); - return TEST_FAILED; + if (td->ipsec_xform.tunnel.type == + RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + if (is_valid_ipv4_pkt(iph4) == false) { + printf("Tunnel outer header is not IPv4\n"); + return TEST_FAILED; + } + } else { + iph6 = (const struct rte_ipv6_hdr *)output_text; + if (is_valid_ipv6_pkt(iph6) == false) { + printf("Tunnel outer header is not IPv6\n"); + return TEST_FAILED; + } } } } diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 884a795..07d2453 100644 --- a/app/test/test_cryptodev_security_ipsec.h 
+++ b/app/test/test_cryptodev_security_ipsec.h @@ -63,6 +63,7 @@ struct ipsec_test_flags { bool l4_csum; bool ipv6; bool tunnel_ipv6; + bool transport; bool fragment; }; diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 0562547..58e9690 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -67,6 +67,7 @@ New Features * IPv4 in IPv4 * IPv4 in IPv6 * IPv6 in IPv4 + * Added IPv4 transport mode tests. * Added tunnel mode fragment packet tests. -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
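Review bot: In the reworked test_ipsec_post_process() block, the transport-mode branch decides between the IPv4 and IPv6 check from flags->ipv6 rather than from the test data, yet known-vector callers such as test_ipsec_proto_known_vec_fragmented() pass a zeroed flags struct, so a future transport-mode IPv6 known vector would be validated as IPv4 and fail with "Transport packet is not IPv4". Derive the family from the version nibble of td->input_text.data instead, or document that flags->ipv6 must be set by every caller. The IPv6 transport branch also has no caller in this patch, since only "Transport IPv4" is registered; either add the IPv6 case or leave the branch out until it can be exercised.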
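Review bot: In the test_ipsec_td_prepare() hunk, setting flags->transport silently discards flags->tunnel_ipv6, and the new `bool transport;` field carries no comment saying so; a caller that sets both gets a transport SA with no indication that one flag was ignored. A short comment on the field, or a check that rejects the combination, would make the precedence explicit. Two style points: the hunk keeps an empty added line before the closing brace of the loop body, and `flags.ipv6 = false;` in test_ipsec_proto_transport_v4() is redundant after the memset() two lines above it.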
* [PATCH v2 08/13] test/crypto: add security stats cases
From: Anoob Joseph @ 2021-12-06 11:07 UTC
To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Ankur Dwivedi, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

From: Ankur Dwivedi <adwivedi@marvell.com>

Adds security stats test cases in IPSEC protocol testsuite.

Signed-off-by: Ankur Dwivedi <adwivedi@marvell.com>
---
 app/test/test_cryptodev.c | 21 +++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 29 +++++++++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.h | 6 ++++++
 doc/guides/rel_notes/release_22_03.rst | 1 +
 4 files changed, 57 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index f470d5c..d5902dd 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9332,6 +9332,11 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], if (ret != TEST_SUCCESS) goto crypto_op_free; + ret = test_ipsec_stats_verify(ctx, ut_params->sec_session, + flags, dir); + if (ret != TEST_SUCCESS) + goto crypto_op_free; + rte_crypto_op_free(ut_params->op); ut_params->op = NULL; 
@@ -9653,6 +9658,18 @@ test_ipsec_proto_transport_v4(const void *data __rte_unused) } static int +test_ipsec_proto_stats(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.stats_success = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14656,6 +14673,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Transport IPv4", ut_setup_security, ut_teardown, test_ipsec_proto_transport_v4), + TEST_CASE_NAMED_ST( + "Statistics: success", + ut_setup_security, ut_teardown, + test_ipsec_proto_stats), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 029fdd3..6fa1d3d 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -415,6 +415,8 @@ test_ipsec_td_prepare(const struct crypto_param *param1, RTE_SECURITY_IPSEC_TUNNEL_IPV4; } + if (flags->stats_success) + td->ipsec_xform.options.stats = 1; } } @@ -871,3 +873,30 @@ test_ipsec_status_check(struct rte_crypto_op *op, return ret; } + +int +test_ipsec_stats_verify(struct rte_security_ctx *ctx, + struct rte_security_session *sess, + const struct ipsec_test_flags *flags, + enum rte_security_ipsec_sa_direction dir) +{ + struct rte_security_stats stats = {0}; + int ret = TEST_SUCCESS; + + if (flags->stats_success) { + if (rte_security_session_stats_get(ctx, sess, &stats) < 0) + return TEST_FAILED; + + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + if (stats.ipsec.opackets != 1 || + stats.ipsec.oerrors != 0) + ret = TEST_FAILED; + } else { + if (stats.ipsec.ipackets != 1 || + stats.ipsec.ierrors != 0) + ret = TEST_FAILED; + } + } + + return ret; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 07d2453..3565a8c 100644 
--- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -65,6 +65,7 @@ struct ipsec_test_flags { bool tunnel_ipv6; bool transport; bool fragment; + bool stats_success; }; struct crypto_param { @@ -188,4 +189,9 @@ int test_ipsec_status_check(struct rte_crypto_op *op, enum rte_security_ipsec_sa_direction dir, int pkt_num); +int test_ipsec_stats_verify(struct rte_security_ctx *ctx, + struct rte_security_session *sess, + const struct ipsec_test_flags *flags, + enum rte_security_ipsec_sa_direction dir); + #endif diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 58e9690..f15f738 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -69,6 +69,7 @@ New Features * IPv6 in IPv4 * Added IPv4 transport mode tests. * Added tunnel mode fragment packet tests. + * Added security stats tests. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
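Review bot: in test_ipsec_stats_verify() the expected counters are hard-coded (`stats.ipsec.opackets != 1`, `stats.ipsec.ipackets != 1`), while the call added to test_ipsec_proto_process() sits just before rte_crypto_op_free() in a function that takes an array `td[]`. If more than one packet is processed on the same session, the second call sees a count of 2 and the case fails; passing the expected packet count into the helper would remove that assumption. In the same function, any negative return from rte_security_session_stats_get() is mapped to TEST_FAILED, so a device that does not implement session stats fails the case instead of skipping it; returning TEST_SKIPPED for the unsupported case would keep the suite usable there. Only the success counters are checked, so oerrors/ierrors are never exercised with a non-zero expectation.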
* [PATCH v2 09/13] test/crypto: add lookaside IPsec AES-CTR known vectors 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (7 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 08/13] test/crypto: add security stats cases Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 10/13] test/crypto: add fragmented packet case Anoob Joseph ` (4 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add known vectors for AES-CTR in lookaside IPsec mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev_security_ipsec.h | 15 +++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 1 + 2 files changed, 16 insertions(+) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 3565a8c..3376d08 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -103,6 +103,21 @@ static const struct crypto_param cipher_list[] = { .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, .key_length = 16, }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 16, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 24, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, + .key_length = 32, + }, }; static const struct crypto_param auth_list[] = { diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index f15f738..db5ec20 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst 
@@ -70,6 +70,7 @@ New Features * Added IPv4 transport mode tests. * Added tunnel mode fragment packet tests. * Added security stats tests. + * Added AES-CTR tests. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
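Review bot: the subject says "add lookaside IPsec AES-CTR known vectors", but the only code change is three RTE_CRYPTO_CIPHER_AES_CTR entries (key_length 16, 24 and 32) in cipher_list; the diffstat lists test_cryptodev_security_ipsec.h and the release notes only, and no vector data is added. Either retitle the commit to say that it extends the algorithm list, or include the known-vector data the title promises. The release note line "Added AES-CTR tests." has the same ambiguity and could say which kind of test was added.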
* [PATCH v2 10/13] test/crypto: add fragmented packet case 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (8 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 09/13] test/crypto: add lookaside IPsec AES-CTR known vectors Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 11/13] test/crypto: skip null auth in ICV corrupt case Anoob Joseph ` (3 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Add fragmented plain packet test case in combined mode. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 16 ++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index d5902dd..9a8cced 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9670,6 +9670,18 @@ test_ipsec_proto_stats(const void *data __rte_unused) } static int +test_ipsec_proto_pkt_fragment(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.fragment = true; + + return test_ipsec_proto_all(&flags); +} + +static int test_PDCP_PROTO_all(void) { struct crypto_testsuite_params *ts_params = &testsuite_params; @@ -14677,6 +14689,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Statistics: success", ut_setup_security, ut_teardown, test_ipsec_proto_stats), + TEST_CASE_NAMED_ST( + "Fragmented packet", + ut_setup_security, ut_teardown, + test_ipsec_proto_pkt_fragment), TEST_CASES_END() /**< NULL terminate unit test array */ } }; 
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 6fa1d3d..832f9d8 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -418,6 +418,13 @@ test_ipsec_td_prepare(const struct crypto_param *param1, if (flags->stats_success) td->ipsec_xform.options.stats = 1; + if (flags->fragment) { + struct rte_ipv4_hdr *ip; + ip = (struct rte_ipv4_hdr *)&td->input_text.data; + ip->fragment_offset = 4; + ip->hdr_checksum = rte_ipv4_cksum(ip); + } + } } -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
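Review bot: in the `flags->fragment` block of test_ipsec_td_prepare(), `ip->fragment_offset = 4;` stores a host-order value into a big-endian header field, so the offset and flag bits that end up on the wire differ between little-endian and big-endian hosts; use rte_cpu_to_be_16() and name the intended value. The next line, `ip->hdr_checksum = rte_ipv4_cksum(ip);`, runs with the previous checksum still in the header, and rte_ipv4_cksum() expects that field to be zero, so clear it first. The block also casts input_text.data to an IPv4 header without checking the IP version, which is worth guarding in case this flag is ever combined with IPv6 input. The blank `+` line before the closing brace can be dropped.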
* [PATCH v2 11/13] test/crypto: skip null auth in ICV corrupt case 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (9 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 10/13] test/crypto: add fragmented packet case Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:07 ` [PATCH v2 12/13] test/crypto: add aes xcbc known vectors Anoob Joseph ` (2 subsequent siblings) 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Tejasree Kondoj, Jerin Jacob, Archana Muniganti, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev From: Tejasree Kondoj <ktejasree@marvell.com> Skipping NULL auth in ICV corruption test case. Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com> --- app/test/test_cryptodev.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 9a8cced..0ab4ca7 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9428,6 +9428,11 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) td_outb, nb_pkts); + if (flags->icv_corrupt && (td_outb->aead == false) && + (td_outb->xform.chain.auth.auth.algo == + RTE_CRYPTO_AUTH_NULL)) + continue; + ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, flags); if (ret == TEST_SKIPPED) -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
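Review bot: the new `continue` in test_ipsec_proto_all() carries no comment, and the commit message does not say why NULL auth is excluded from the ICV corruption case; a one-line comment that there is no ICV to corrupt without an integrity algorithm would make the skip self-explanatory. The `continue` also bypasses the existing `if (ret == TEST_SKIPPED)` handling that follows test_ipsec_proto_process(), so these combinations are passed over without being counted as skipped; routing them through the same accounting would keep a run in which nothing was tested from looking like a pass. Style: `(td_outb->aead == false)` reads better as `!td_outb->aead`.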
* [PATCH v2 12/13] test/crypto: add aes xcbc known vectors 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (10 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 11/13] test/crypto: skip null auth in ICV corrupt case Anoob Joseph @ 2021-12-06 11:07 ` Anoob Joseph 2021-12-06 11:08 ` [PATCH v2 13/13] test/crypto: add copy and set DF cases Anoob Joseph 2022-01-21 11:02 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Akhil Goyal 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:07 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add known vector test cases for NULL cipher + AES-XCBC. Also add both algos to the combined mode list of algos. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 38 +++++++-- app/test/test_cryptodev_security_ipsec.c | 2 + app/test/test_cryptodev_security_ipsec.h | 17 ++++ .../test_cryptodev_security_ipsec_test_vectors.h | 90 ++++++++++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 1 + 5 files changed, 142 insertions(+), 6 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 0ab4ca7..203b4a4 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9368,8 +9368,11 @@ test_ipsec_proto_known_vec(const void *test_data) memcpy(&td_outb, test_data, sizeof(td_outb)); - /* Disable IV gen to be able to test with known vectors */ - td_outb.ipsec_xform.options.iv_gen_disable = 1; + if (td_outb.aead || + td_outb.xform.chain.cipher.cipher.algo != RTE_CRYPTO_CIPHER_NULL) { + /* Disable IV gen to be able to test with known vectors */ + td_outb.ipsec_xform.options.iv_gen_disable = 1; + } return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags); } 
@@ -9428,10 +9431,23 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags) td_outb, nb_pkts); - if (flags->icv_corrupt && (td_outb->aead == false) && - (td_outb->xform.chain.auth.auth.algo == - RTE_CRYPTO_AUTH_NULL)) - continue; + if (!td_outb->aead) { + enum rte_crypto_cipher_algorithm cipher_alg; + enum rte_crypto_auth_algorithm auth_alg; + + cipher_alg = td_outb->xform.chain.cipher.cipher.algo; + auth_alg = td_outb->xform.chain.auth.auth.algo; + + /* ICV is not applicable for NULL auth */ + if (flags->icv_corrupt && + auth_alg == RTE_CRYPTO_AUTH_NULL) + continue; + + /* IV is not applicable for NULL cipher */ + if (flags->iv_gen && + cipher_alg == RTE_CRYPTO_CIPHER_NULL) + continue; + } ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true, flags); @@ -14582,6 +14598,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { test_ipsec_proto_known_vec, &pkt_aes_128_cbc_hmac_sha256_v6), TEST_CASE_NAMED_WITH_DATA( + "Outbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec, + &pkt_null_aes_xcbc), + TEST_CASE_NAMED_WITH_DATA( "Outbound fragmented packet", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_fragmented, @@ -14626,6 +14647,11 @@ static struct unit_test_suite ipsec_proto_testsuite = { ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_hmac_sha256_v6), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, + &pkt_null_aes_xcbc), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 832f9d8..94e5213 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c 
@@ -375,6 +375,8 @@ test_ipsec_td_prepare(const struct crypto_param *param1, td->xform.chain.cipher.cipher.algo = param1->alg.cipher; td->xform.chain.cipher.cipher.key.length = param1->key_length; + td->xform.chain.cipher.cipher.iv.length = + param1->iv_length; td->xform.chain.auth.auth.algo = param2->alg.auth; td->xform.chain.auth.auth.key.length = param2->key_length; diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 3376d08..6e27eba 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -76,6 +76,7 @@ struct crypto_param { enum rte_crypto_aead_algorithm aead; } alg; uint16_t key_length; + uint16_t iv_length; uint16_t digest_length; }; @@ -100,23 +101,33 @@ static const struct crypto_param aead_list[] = { static const struct crypto_param cipher_list[] = { { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .alg.cipher = RTE_CRYPTO_CIPHER_NULL, + .key_length = 0, + .iv_length = 0, + }, + { + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CBC, .key_length = 16, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 16, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 24, + .iv_length = 16, }, { .type = RTE_CRYPTO_SYM_XFORM_CIPHER, .alg.cipher = RTE_CRYPTO_CIPHER_AES_CTR, .key_length = 32, + .iv_length = 16, }, }; @@ -143,6 +154,12 @@ static const struct crypto_param auth_list[] = { .key_length = 64, .digest_length = 32, }, + { + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .alg.auth = RTE_CRYPTO_AUTH_AES_XCBC_MAC, + .key_length = 16, + .digest_length = 12, + }, }; struct crypto_param_comb { diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index b6d48ad..85cd6c5 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h 
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h 
@@ -1062,4 +1062,94 @@ struct ipsec_test_data pkt_aes_128_gcm_frag = { }, }; +struct ipsec_test_data pkt_null_aes_xcbc = { + .auth_key = { + .data = { + 0x61, 0x31, 0x62, 0x32, 0x63, 0x33, 0x64, 0x34, + 0x65, 0x35, 0x66, 0x36, 0x67, 0x37, 0x68, 0x38, + }, + }, + .input_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x2f, 0x49, 0x37, 0x00, 0x00, + 0x40, 0x11, 0x22, 0x84, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, 0x08, 0x00, 0x08, 0x00, + 0x00, 0x1b, 0x6d, 0x99, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + }, + .len = 47, + }, + .output_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x5c, 0x06, 0x00, 0x00, 0x00, + 0x40, 0x32, 0x13, 0x6c, 0x0a, 0x00, 0x6f, 0x02, + 0x0a, 0x00, 0xde, 0x02, + + /* ESP */ + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, + + /* IP */ + 0x45, 0x00, 0x00, 0x2f, 0x49, 0x37, 0x00, 0x00, + 0x40, 0x11, 0x22, 0x84, 0x0d, 0x00, 0x00, 0x02, + 0x02, 0x00, 0x00, 0x02, 0x08, 0x00, 0x08, 0x00, + 0x00, 0x1b, 0x6d, 0x99, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, + + /* ESP trailer */ + 0x01, 0x02, 0x03, 0x03, 0x04, + + /* ICV */ + 0xf1, 0x52, 0x64, 0xd1, 0x9b, 0x62, 0x24, 0xdd, + 0xcc, 0x14, 0xf5, 0xc1, + }, + .len = 92, + }, + .ipsec_xform = { + .spi = 0x100, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .options.ip_csum_enable = 0, + .options.l4_csum_enable = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + .aead = false, + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = 
RTE_CRYPTO_CIPHER_OP_ENCRYPT, + .algo = RTE_CRYPTO_CIPHER_NULL, + .key.length = 0, + .iv.length = 0, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .op = RTE_CRYPTO_AUTH_OP_GENERATE, + .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC, + .key.length = 16, + .digest_length = 12, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index db5ec20..a7d0e53 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -62,6 +62,7 @@ New Features * Added AES-CBC 128 HMAC-SHA256 known vector tests. * Added AES-CBC 128 HMAC-SHA384 known vector tests. * Added AES-CBC 128 HMAC-SHA512 known vector tests. + * Added NULL cipher AES-XCBC known vector tests. * Added tunnel mode tests * IPv6 in IPv6 * IPv4 in IPv4 -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
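Review bot: adding RTE_CRYPTO_CIPHER_NULL to cipher_list lets the combined-mode loop in test_ipsec_proto_all() pair it with RTE_CRYPTO_AUTH_NULL, an algorithm the same loop already tests for in the ICV-corrupt skip. The two skips in the rewritten block cover `flags->icv_corrupt` and `flags->iv_gen` only, so unless that pairing is filtered outside the visible lines, an ESP SA with neither confidentiality nor integrity is created and exercised; RFC 4303 does not allow both algorithms to be NULL at once. Add an explicit skip for cipher_alg == RTE_CRYPTO_CIPHER_NULL together with auth_alg == RTE_CRYPTO_AUTH_NULL, with a comment giving the reason. Minor: the `/* IP */` comment on input_text in pkt_null_aes_xcbc covers the whole 47-byte packet, payload included, and could say so.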
* [PATCH v2 13/13] test/crypto: add copy and set DF cases 2021-12-06 11:07 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Anoob Joseph ` (11 preceding siblings ...) 2021-12-06 11:07 ` [PATCH v2 12/13] test/crypto: add aes xcbc known vectors Anoob Joseph @ 2021-12-06 11:08 ` Anoob Joseph 2022-01-21 11:02 ` [PATCH v2 00/13] Add new cases to lookaside IPsec tests Akhil Goyal 13 siblings, 0 replies; 29+ messages in thread From: Anoob Joseph @ 2021-12-06 11:08 UTC (permalink / raw) To: Akhil Goyal, Declan Doherty, Fan Zhang, Pablo de Lara Cc: Anoob Joseph, Jerin Jacob, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev Add test cases to verify copy DF and set DF options with lookaside IPsec offload. Signed-off-by: Anoob Joseph <anoobj@marvell.com> --- app/test/test_cryptodev.c | 75 ++++++++++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 71 ++++++++++++++++++++++++++++-- app/test/test_cryptodev_security_ipsec.h | 10 +++++ doc/guides/rel_notes/release_22_03.rst | 1 + 4 files changed, 154 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 203b4a4..f808719 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9169,6 +9169,13 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + + if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + ipsec_xform.tunnel.ipv4.df = 0; + + if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0) + ipsec_xform.tunnel.ipv4.df = 1; + } else { memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, sizeof(v6_src)); 
@@ -9282,6 +9289,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], memcpy(input_text, td[i].input_text.data, td[i].input_text.len); + if (test_ipsec_pkt_update(input_text, flags)) + return TEST_FAILED; + /* Generate crypto op data structure */ ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool, RTE_CRYPTO_OP_TYPE_SYMMETRIC); @@ -9700,6 +9710,55 @@ test_ipsec_proto_pkt_fragment(const void *data __rte_unused) flags.fragment = true; return test_ipsec_proto_all(&flags); + +} + +static int +test_ipsec_proto_copy_df_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_0; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_copy_df_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_0_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_1_INNER_0; + + return test_ipsec_proto_all(&flags); } static int 
@@ -14724,6 +14783,22 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Fragmented packet", ut_setup_security, ut_teardown, test_ipsec_proto_pkt_fragment), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 0 (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 1 (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_1_inner_0), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 94e5213..e662ea2 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -427,6 +427,9 @@ test_ipsec_td_prepare(const struct crypto_param *param1, ip->hdr_checksum = rte_ipv4_cksum(ip); } + if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_COPY_DF_INNER_1) + td->ipsec_xform.options.copy_df = 1; } } @@ -640,6 +643,7 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, { uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); + uint8_t td_output_text[4096]; int ret; /* For tests with status as error for test success, skip verification */ 
@@ -720,16 +724,21 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return ret; } + memcpy(td_output_text, td->output_text.data + skip, len); - if (memcmp(output_text, td->output_text.data + skip, len)) { + if (test_ipsec_pkt_update(td_output_text, flags)) { + printf("Could not update expected vector"); + return TEST_FAILED; + } + + if (memcmp(output_text, td_output_text, len)) { if (silent) return TEST_FAILED; printf("TestCase %s line %d: %s\n", __func__, __LINE__, "output text not as expected\n"); - rte_hexdump(stdout, "expected", td->output_text.data + skip, - len); + rte_hexdump(stdout, "expected", td_output_text, len); rte_hexdump(stdout, "actual", output_text, len); return TEST_FAILED; } @@ -797,10 +806,27 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, } else { if (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + uint16_t f_off; + if (is_valid_ipv4_pkt(iph4) == false) { printf("Tunnel outer header is not IPv4\n"); return TEST_FAILED; } + + f_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is not set\n"); + return TEST_FAILED; + } + } else { + if ((f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is set\n"); + return TEST_FAILED; + } + } } else { iph6 = (const struct rte_ipv6_hdr *)output_text; if (is_valid_ipv6_pkt(iph6) == false) { 
@@ -909,3 +935,42 @@ test_ipsec_stats_verify(struct rte_security_ctx *ctx, return ret; } + +int +test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags) +{ + struct rte_ipv4_hdr *iph4; + bool cksum_dirty = false; + uint16_t frag_off; + + iph4 = (struct rte_ipv4_hdr *)pkt; + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1 || + flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + + if (!is_ipv4(iph4)) { + printf("Invalid packet type"); + return -1; + } + + frag_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + frag_off |= RTE_IPV4_HDR_DF_FLAG; + else + frag_off &= ~RTE_IPV4_HDR_DF_FLAG; + + iph4->fragment_offset = rte_cpu_to_be_16(frag_off); + cksum_dirty = true; + } + + if (cksum_dirty && is_ipv4(iph4)) { + iph4->hdr_checksum = 0; + iph4->hdr_checksum = rte_ipv4_cksum(iph4); + } + + return 0; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 6e27eba..12a9b77 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -50,6 +50,13 @@ struct ipsec_test_data { } xform; }; +enum df_flags { + TEST_IPSEC_COPY_DF_INNER_0 = 1, + TEST_IPSEC_COPY_DF_INNER_1, + TEST_IPSEC_SET_DF_0_INNER_1, + TEST_IPSEC_SET_DF_1_INNER_0, +}; + struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; @@ -66,6 +73,7 @@ struct ipsec_test_flags { bool transport; bool fragment; bool stats_success; + enum df_flags df; }; struct crypto_param { @@ -226,4 +234,6 @@ int test_ipsec_stats_verify(struct rte_security_ctx *ctx, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); +int test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags); + #endif 
diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index a7d0e53..1c6b846 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -72,6 +72,7 @@ New Features * Added tunnel mode fragment packet tests. * Added security stats tests. * Added AES-CTR tests. + * Added set/copy DF tests. Removed Items -- 2.7.4 ^ permalink raw reply [flat|nested] 29+ messages in thread
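Review bot: in test_ipsec_td_verify(), `memcpy(td_output_text, td->output_text.data + skip, len);` copies `len = rte_pktmbuf_pkt_len(m)` bytes into the new 4096-byte stack array, and nothing in the visible lines bounds len against sizeof(td_output_text) or against what remains of the vector after `skip`. A device that returns an oversized packet would overflow the stack buffer in the test instead of failing cleanly; check len before the copy and return TEST_FAILED when it does not fit.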
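Review bot: in the test_ipsec_post_process() hunk, the `else` branch fails with "DF bit is set" for every flags->df value other than TEST_IPSEC_COPY_DF_INNER_1 and TEST_IPSEC_SET_DF_1_INNER_0, including 0, which is what every non-DF case passes after its memset(). That turns "outer DF must be clear" into a requirement for all IPv4 tunnel cases; restrict the branch to TEST_IPSEC_COPY_DF_INNER_0 and TEST_IPSEC_SET_DF_0_INNER_1 if that is not intended. Smaller points: the four-way comparison at the top of test_ipsec_pkt_update() is equivalent to flags->df != 0, the two new printf() strings ("Could not update expected vector", "Invalid packet type") lack a trailing newline, enum df_flags starts at 1 without a comment that 0 means no DF case, and the test_ipsec_proto_pkt_fragment() hunk adds a blank line before the closing brace.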
* RE: [PATCH v2 00/13] Add new cases to lookaside IPsec tests
From: Akhil Goyal @ 2022-01-21 11:02 UTC
To: Anoob Joseph, Declan Doherty, Fan Zhang, Pablo de Lara
Cc: Anoob Joseph, Jerin Jacob Kollanukkaran, Archana Muniganti, Tejasree Kondoj, Hemant Agrawal, Radu Nicolau, Ciara Power, Gagandeep Singh, dev

> Add new tests to lookaside IPsec tests.
>
> * Support for chained operations.
> * AES-CBC 128 NULL auth known vector tests.
> * AES-CBC 128 HMAC-SHA256 known vector tests.
> * AES-CBC 128 HMAC-SHA384 known vector tests.
> * AES-CBC 128 HMAC-SHA512 known vector tests.
> * NULL cipher AES-XCBC known vector tests.
> * Tunnel mode tests
>   * IPv6 in IPv6
>   * IPv4 in IPv4
>   * IPv4 in IPv6
>   * IPv6 in IPv4
> * IPv4 transport mode tests.
> * Tunnel mode fragment packet tests.
> * Security stats tests.
> * AES-CTR tests.
> * set/copy DF tests.
>
> Changes in v2:
> - Moved release notes update to originating patch
> - Fixed build failure with last patch
>
> Ankur Dwivedi (1):
>   test/crypto: add security stats cases
>
> Anoob Joseph (5):
>   test/crypto: add IPsec aes-cbc known vectors
>   test/crypto: add chained operations in combined cases
>   test/crypto: add transport mode cases
>   test/crypto: add aes xcbc known vectors
>   test/crypto: add copy and set DF cases
>
> Tejasree Kondoj (7):
>   test/crypto: add IPsec AES-CBC-HMAC-SHA256 known vectors
>   test/crypto: add IPv6 tunnel mode cases
>   test/crypto: add IPsec HMAC-SHA384/512 known vectors
>   test/crypto: add IPsec fragmented packet known vectors
>   test/crypto: add lookaside IPsec AES-CTR known vectors
>   test/crypto: add fragmented packet case
>   test/crypto: skip null auth in ICV corrupt case
>
>  app/test/test_cryptodev.c | 395 +++++++++-
>  app/test/test_cryptodev_security_ipsec.c | 352 ++++++++-
>  app/test/test_cryptodev_security_ipsec.h | 113 +++
>  .../test_cryptodev_security_ipsec_test_vectors.h | 828
> +++++++++++++++++++++
>  doc/guides/rel_notes/release_22_03.rst | 19 +
>  5 files changed, 1665 insertions(+), 42 deletions(-)
>

Series Acked-by: Akhil Goyal <gakhil@marvell.com>

Applied to dpdk-next-crypto