From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 37FF1A034F; Mon, 6 Dec 2021 12:08:21 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6B75641169; Mon, 6 Dec 2021 12:08:20 +0100 (CET) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A4B5041168 for ; Mon, 6 Dec 2021 12:08:18 +0100 (CET) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 1B62JwkH001881; Mon, 6 Dec 2021 03:08:18 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=XKRLXpr3TkbEZO5Fe3jGTVwKXftipNvtREFA9EcbboQ=; b=h7fm1aDfeyhVhk5b4DbLnqCzZtjMprilbOnG9v47PMm+QcSnUz506XAhVSDIWPxCFx8L czCx4I4ylDPFkuqvg2uAJv2B087cW0QbyKr18IYPmjvqhztn24ANjWD5w/oCcLEXCo1x loltvSFbkfINocwr9FEwtNbdvusqa2Yb0tcw0d0ThCxsRn0q8nS37CSlW5bwTt+CXiVy BGMHRf0DZPJg6JUMl5vHQieCg0NmSwym6aFpqmoi0BVlV/hGkTo1IppMQP14rRTQ7cGH 2pG9f7MxNj25N5K1hx+TVH99Z5JbuDseu9H0IqvcgeAKxg7HXhYGMUovVIOseajV0VJT LA== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3cs9muhft0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 06 Dec 2021 03:08:17 -0800 Received: from DC5-EXCH02.marvell.com (10.69.176.39) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Mon, 6 Dec 2021 03:08:15 -0800 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Mon, 6 Dec 2021 03:08:15 -0800 Received: from HY-LT1002.marvell.com (HY-LT1002.marvell.com [10.28.176.218]) by maili.marvell.com (Postfix) with ESMTP id 139D43F704A; Mon, 6 Dec 2021 03:08:11 -0800 (PST) From: Anoob Joseph To: Akhil Goyal , Declan Doherty , Fan Zhang , "Pablo de Lara" CC: Anoob Joseph , Jerin Jacob , Archana Muniganti , Tejasree Kondoj , Hemant Agrawal , "Radu Nicolau" , Ciara Power , Gagandeep Singh , Subject: [PATCH v2 01/13] test/crypto: add IPsec aes-cbc known vectors Date: Mon, 6 Dec 2021 16:37:48 +0530 Message-ID: <1638788880-650-2-git-send-email-anoobj@marvell.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1638788880-650-1-git-send-email-anoobj@marvell.com> References: <1638777528-553-1-git-send-email-anoobj@marvell.com> <1638788880-650-1-git-send-email-anoobj@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: 1ooo_ZpUwZ4f8T1Gpc9Qt3NunyApiKNw X-Proofpoint-ORIG-GUID: 1ooo_ZpUwZ4f8T1Gpc9Qt3NunyApiKNw X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.11.62.513 definitions=2021-12-06_04,2021-12-06_01,2021-12-02_01 X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Extend the framework to support chained operations and add AES-CBC 128 known vector tests. Signed-off-by: Anoob Joseph --- app/test/test_cryptodev.c | 62 ++++++++++-- app/test/test_cryptodev_security_ipsec.c | 51 ++++++++++ app/test/test_cryptodev_security_ipsec.h | 8 ++ .../test_cryptodev_security_ipsec_test_vectors.h | 110 +++++++++++++++++++++ doc/guides/rel_notes/release_22_03.rst | 4 + 5 files changed, 226 insertions(+), 9 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 10b48cd..6d94085 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9191,23 +9191,59 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], return TEST_SKIPPED; } } else { - /* Only AEAD supported now */ - return TEST_SKIPPED; + memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher, + sizeof(ut_params->cipher_xform)); + memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth, + sizeof(ut_params->auth_xform)); + ut_params->cipher_xform.cipher.key.data = td[0].key.data; + ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET; + ut_params->auth_xform.auth.key.data = td[0].key.data; + + /* Verify crypto capabilities */ + + if (test_ipsec_crypto_caps_cipher_verify( + sec_cap, + &ut_params->cipher_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Cipher crypto capabilities not supported\n"); + return TEST_SKIPPED; + } + + if (test_ipsec_crypto_caps_auth_verify( + sec_cap, + &ut_params->auth_xform) != 0) { + if (!silent) + RTE_LOG(INFO, USER1, + "Auth crypto capabilities not supported\n"); + return TEST_SKIPPED; + } } if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0) return TEST_SKIPPED; - salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); - memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); - struct rte_security_session_conf sess_conf = { .action_type = ut_params->type, .protocol = RTE_SECURITY_PROTOCOL_IPSEC, - .ipsec = ipsec_xform, - .crypto_xform = &ut_params->aead_xform, }; + if (td[0].aead) { + salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len); + memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len); + sess_conf.ipsec = ipsec_xform; + sess_conf.crypto_xform = &ut_params->aead_xform; + } else { + sess_conf.ipsec = ipsec_xform; + if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) { + sess_conf.crypto_xform = &ut_params->cipher_xform; + ut_params->cipher_xform.next = &ut_params->auth_xform; + } else { + sess_conf.crypto_xform = &ut_params->auth_xform; + ut_params->auth_xform.next = &ut_params->cipher_xform; + } + } + /* Create security session */ ut_params->sec_session = rte_security_session_create(ctx, &sess_conf, ts_params->session_mpool, @@ -9316,14 +9352,18 @@ test_ipsec_proto_known_vec(const void *test_data) } static int -test_ipsec_proto_known_vec_inb(const void *td_outb) +test_ipsec_proto_known_vec_inb(const void *test_data) { + const struct ipsec_test_data *td = test_data; struct ipsec_test_flags flags; struct ipsec_test_data td_inb; memset(&flags, 0, sizeof(flags)); - test_ipsec_td_in_from_out(td_outb, &td_inb); + if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) + test_ipsec_td_in_from_out(td, &td_inb); + else + memcpy(&td_inb, td, sizeof(td_inb)); return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags); } @@ -14394,6 +14434,10 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)", ut_setup_security, ut_teardown, test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm), + TEST_CASE_NAMED_WITH_DATA( + "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)", + ut_setup_security, ut_teardown, + test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null), TEST_CASE_NAMED_ST( "Combined test alg list", ut_setup_security, ut_teardown, diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 4708803..45960bf 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -150,6 +150,57 @@ test_ipsec_crypto_caps_aead_verify( return -ENOTSUP; } +int +test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == cipher->type && + cap->sym.cipher.algo == cipher->cipher.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_cipher(sym_cap, + cipher->cipher.key.length, + cipher->cipher.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + +int +test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth) +{ + const struct rte_cryptodev_symmetric_capability *sym_cap; + const struct rte_cryptodev_capabilities *cap; + int j = 0; + + while ((cap = &sec_cap->crypto_capabilities[j++])->op != + RTE_CRYPTO_OP_TYPE_UNDEFINED) { + if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC && + cap->sym.xform_type == auth->type && + cap->sym.auth.algo == auth->auth.algo) { + sym_cap = &cap->sym; + if (rte_cryptodev_sym_capability_check_auth(sym_cap, + auth->auth.key.length, + auth->auth.digest_length, + auth->auth.iv.length) == 0) + return 0; + } + } + + return -ENOTSUP; +} + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in) diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 7628d0c..91c6cd4 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -96,6 +96,14 @@ int test_ipsec_crypto_caps_aead_verify( const struct rte_security_capability *sec_cap, struct rte_crypto_sym_xform *aead); +int test_ipsec_crypto_caps_cipher_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *cipher); + +int test_ipsec_crypto_caps_auth_verify( + const struct rte_security_capability *sec_cap, + struct rte_crypto_sym_xform *auth); + void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out, struct ipsec_test_data *td_in); diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index bb95d00..bf831e9 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -324,4 +324,114 @@ struct ipsec_test_data pkt_aes_256_gcm = { }, }; +/* Known vectors for AES-CBC + * https://datatracker.ietf.org/doc/html/rfc3602#section-4 + */ + +struct ipsec_test_data pkt_aes_128_cbc_null = { + .key = { + .data = { + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, + }, + }, + .input_text = { + .data = { + /* IP - outer header */ + 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00, + 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0, + 0x01, 0x01, 0xa8, 0xc0, + + /* ESP */ + 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02, + + /* IV */ + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + + /* Data */ + 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22, + 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c, + 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01, + 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8, + 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad, + 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6, + 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b, + 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5, + 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2, + 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a, + 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5, + 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d, + }, + .len = 140, + }, + .output_text = { + .data = { + /* IP */ + 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00, + 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03, + 0xc0, 0xa8, 0x7b, 0xc8, + + /* ICMP */ + 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00, + 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0a, 0x04, + }, + .len = 84, + }, + .iv = { + .data = { + 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad, + 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37, + }, + }, + + .ipsec_xform = { + .spi = 0x8765, + .options.esn = 0, + .options.udp_encap = 0, + .options.copy_dscp = 0, + .options.copy_flabel = 0, + .options.copy_df = 0, + .options.dec_ttl = 0, + .options.ecn = 0, + .options.stats = 0, + .options.tunnel_hdr_verify = 0, + .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, + .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, + .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, + .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4, + .replay_win_sz = 0, + }, + + .aead = false, + + .xform = { + .chain.cipher = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_CIPHER, + .cipher = { + .op = RTE_CRYPTO_CIPHER_OP_DECRYPT, + .algo = RTE_CRYPTO_CIPHER_AES_CBC, + .key.length = 16, + .iv.length = 16, + }, + }, + .chain.auth = { + .next = NULL, + .type = RTE_CRYPTO_SYM_XFORM_AUTH, + .auth = { + .algo = RTE_CRYPTO_AUTH_NULL, + }, + }, + }, +}; + #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */ diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst index 6d99d1e..9fccddc 100644 --- a/doc/guides/rel_notes/release_22_03.rst +++ b/doc/guides/rel_notes/release_22_03.rst @@ -55,6 +55,10 @@ New Features Also, make sure to start the actual text at the margin. ======================================================= +* **Updated lookaside protocol (IPsec) tests in dpdk-test.** + + * Added AES-CBC 128 NULL auth known vector tests. + Removed Items ------------- -- 2.7.4