[dpdk-dev] [PATCH 00/12] FIPS improvements

[dpdk-dev] [PATCH 00/12] FIPS improvements

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Added support for ECB mode in TDES and AES.
Fixed some bugs in TDES and AES-GCM.

Michael Shamis (12):
  examples/fips: added support for SHA algorithm in FIPS tests
  examples/fips: added support for TDES ECB mode in FIPS tests
  examples/fips: added support AES ECB mode in FIPS tests
  examples/fips: fix bad return code in fips_test_parse_header()
  examples/fips: AES-GCM vectors will use aead structure
  examples/fips: set initial IV in AES-GCM if configured only salt value
  examples/fips: keep digest after crypto text
  examples/fips: AES-GCM decryption vectors fix
  examples/fips: fix KEY and PT output prints for TDES mode
  examples/fips: supported IV, PT and CT init for TDES ECB mode
  examples/fips: algorithm definition by folder if it's not in file
  examples/fips: erroneous overwrite of PLAINTEXT after DECRYPT

 examples/fips_validation/fips_validation.c    |  92 ++++++--
 examples/fips_validation/fips_validation.h    |   7 +
 .../fips_validation/fips_validation_aes.c     |   1 +
 .../fips_validation/fips_validation_gcm.c     |  39 +++-
 .../fips_validation/fips_validation_tdes.c    |   7 +
 examples/fips_validation/main.c               | 204 +++++++++++++++---
 6 files changed, 301 insertions(+), 49 deletions(-)

-- 
2.23.0

[dpdk-dev] [PATCH 01/12] examples/fips: added support for SHA algorithm in FIPS tests

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 8d43b267e..80fd482a1 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -145,11 +145,13 @@ fips_test_parse_header(void)
 				if (ret < 0)
 					return 0;
 			} else if (strstr(info.vec[i], "SHA-")) {
-				algo_parsed = 1;
-				info.algo = FIPS_TEST_ALGO_SHA;
-				ret = parse_test_sha_init();
-				if (ret < 0)
-					return ret;
+				if (info.algo != FIPS_TEST_ALGO_HMAC) {
+					algo_parsed = 1;
+					info.algo = FIPS_TEST_ALGO_SHA;
+					ret = parse_test_sha_init();
+					if (ret < 0)
+						return ret;
+				}
 			}
 		}
 
-- 
2.23.0

[dpdk-dev] [PATCH 02/12] examples/fips: added support for TDES ECB mode in FIPS tests

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c    |  1 +
 examples/fips_validation/fips_validation.h    |  7 +++++
 .../fips_validation/fips_validation_tdes.c    |  7 +++++
 examples/fips_validation/main.c               | 27 ++++++++++++++++---
 4 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 80fd482a1..fe3bcc386 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -259,6 +259,7 @@ fips_test_init(const char *req_file_path, const char *rsp_file_path,
 
 	fips_test_clear();
 
+	strcpy(info.file_name, req_file_path);
 	info.algo = FIPS_TEST_ALGO_MAX;
 	if (parse_file_type(req_file_path) < 0) {
 		RTE_LOG(ERR, USER1, "File %s type not supported\n",
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
index b604db9ec..d487fb005 100644
--- a/examples/fips_validation/fips_validation.h
+++ b/examples/fips_validation/fips_validation.h
@@ -105,6 +105,11 @@ enum fips_tdes_test_types {
 	TDES_MMT /* Multi block Message Test */
 };
 
+enum fips_tdes_test_mode {
+	TDES_MODE_CBC = 0,
+	TDES_MODE_ECB
+};
+
 enum fips_ccm_test_types {
 	CCM_VADT	= 1, /* Variable Associated Data Test */
 	CCM_VPT,		 /* Variable Payload Test */
@@ -130,6 +135,7 @@ struct hmac_interim_data {
 
 struct tdes_interim_data {
 	enum fips_tdes_test_types test_type;
+	enum fips_tdes_test_mode test_mode;
 	uint32_t nb_keys;
 };
 
@@ -156,6 +162,7 @@ struct fips_test_interim_info {
 	char *vec[MAX_LINE_PER_VECTOR];
 	uint32_t nb_vec_lines;
 	char device_name[MAX_STRING_SIZE];
+	char file_name[MAX_STRING_SIZE];
 
 	union {
 		struct aesavs_interim_data aes_data;
diff --git a/examples/fips_validation/fips_validation_tdes.c b/examples/fips_validation/fips_validation_tdes.c
index 15ee434e1..d7f4d58b0 100644
--- a/examples/fips_validation/fips_validation_tdes.c
+++ b/examples/fips_validation/fips_validation_tdes.c
@@ -12,6 +12,7 @@
 
 #define NEW_LINE_STR	"#"
 #define TEST_TYPE_KEY	" for CBC"
+#define TEST_TYPE_ECB_KEY	" for ECB"
 #define TEST_CBCI_KEY	" for CBCI"
 
 #define ENC_STR		"[ENCRYPT]"
@@ -250,6 +251,12 @@ parse_test_tdes_init(void)
 			if (strstr(line, test_types[j].desc)) {
 				info.interim_info.tdes_data.test_type =
 						test_types[j].type;
+				if (strstr(line, TEST_TYPE_ECB_KEY))
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_ECB;
+				else
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_CBC;
 				break;
 			}
 	}
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 813534068..7a379bc99 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -689,16 +689,24 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB;
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
 
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1387,6 +1395,17 @@ init_test_ops(void)
 			test_ops.test = fips_generic_test;
 		break;
 	default:
+		if (strstr(info.file_name, "TECB") ||
+				strstr(info.file_name, "TCBC")) {
+			info.algo = FIPS_TEST_ALGO_TDES;
+			test_ops.prepare_op = prepare_cipher_op;
+			test_ops.prepare_xform	= prepare_tdes_xform;
+			if (info.interim_info.tdes_data.test_type == TDES_MCT)
+				test_ops.test = fips_mct_tdes_test;
+			else
+				test_ops.test = fips_generic_test;
+			break;
+		}
 		return -1;
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH 03/12] examples/fips: added support AES ECB mode in FIPS tests

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_aes.c     |  1 +
 examples/fips_validation/main.c               | 96 +++++++++++++++++--
 2 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c
index 8cbc158eb..010a82627 100644
--- a/examples/fips_validation/fips_validation_aes.c
+++ b/examples/fips_validation/fips_validation_aes.c
@@ -44,6 +44,7 @@ struct aes_test_algo {
 	enum rte_crypto_cipher_algorithm algo;
 } const algo_con[] = {
 		{"CBC", RTE_CRYPTO_CIPHER_AES_CBC},
+		{"ECB", RTE_CRYPTO_CIPHER_AES_ECB},
 };
 
 static int
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 7a379bc99..c83763b13 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -649,16 +649,24 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB;
+
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
-
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1059,7 +1067,6 @@ fips_mct_tdes_test(void)
 					fprintf(info.fp_wr, "Bypass\n");
 					return 0;
 				}
-
 				return ret;
 			}
 
@@ -1160,6 +1167,80 @@ fips_mct_tdes_test(void)
 	return 0;
 }
 
+static int
+fips_mct_aes_ecb_test(void)
+{
+#define AES_BLOCK_SIZE	16
+#define AES_EXTERN_ITER	100
+#define AES_INTERN_ITER	1000
+	struct fips_val val, val_key;
+	uint8_t prev_out[AES_BLOCK_SIZE] = {0};
+	uint32_t i, j, k;
+	int ret;
+
+	for (i = 0; i < AES_EXTERN_ITER; i++) {
+		if (i != 0)
+			update_info_vec(i);
+
+		fips_test_write_one_case();
+
+		for (j = 0; j < AES_INTERN_ITER; j++) {
+			ret = fips_run_test();
+			if (ret < 0) {
+				if (ret == -EPERM) {
+					fprintf(info.fp_wr, "Bypass\n");
+					return 0;
+				}
+
+				return ret;
+			}
+
+			get_writeback_data(&val);
+
+			if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+				memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE);
+			else
+				memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE);
+
+			if (j == AES_INTERN_ITER - 1)
+				continue;
+
+			memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+		}
+
+		info.parse_writeback(&val);
+		fprintf(info.fp_wr, "\n");
+
+		if (i == AES_EXTERN_ITER - 1)
+			continue;
+
+		/** update key */
+		memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key));
+		for (k = 0; k < vec.cipher_auth.key.len; k++) {
+			switch (vec.cipher_auth.key.len) {
+			case 16:
+				val_key.val[k] ^= val.val[k];
+				break;
+			case 24:
+				if (k < 8)
+					val_key.val[k] ^= prev_out[k + 8];
+				else
+					val_key.val[k] ^= val.val[k - 8];
+				break;
+			case 32:
+				if (k < 16)
+					val_key.val[k] ^= prev_out[k];
+				else
+					val_key.val[k] ^= val.val[k - 16];
+				break;
+			default:
+				return -1;
+			}
+		}
+	}
+
+	return 0;
+}
 static int
 fips_mct_aes_test(void)
 {
@@ -1172,6 +1253,9 @@ fips_mct_aes_test(void)
 	uint32_t i, j, k;
 	int ret;
 
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB)
+		return fips_mct_aes_ecb_test();
+
 	for (i = 0; i < AES_EXTERN_ITER; i++) {
 		if (i != 0)
 			update_info_vec(i);
-- 
2.23.0

[dpdk-dev] [PATCH 04/12] examples/fips: fix bad return code in fips_test_parse_header()

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Returning correct error value by fips_test_parse_header()
allows graceful exit of fips application.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index fe3bcc386..91e6d48e7 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -125,13 +125,13 @@ fips_test_parse_header(void)
 				info.algo = FIPS_TEST_ALGO_AES_CMAC;
 				ret = parse_test_cmac_init();
 				if (ret < 0)
-					return 0;
+					return ret;
 			} else if (strstr(info.vec[i], "CCM")) {
 				algo_parsed = 1;
 				info.algo = FIPS_TEST_ALGO_AES_CCM;
 				ret = parse_test_ccm_init();
 				if (ret < 0)
-					return 0;
+					return ret;
 			} else if (strstr(info.vec[i], "HMAC")) {
 				algo_parsed = 1;
 				info.algo = FIPS_TEST_ALGO_HMAC;
@@ -143,7 +143,7 @@ fips_test_parse_header(void)
 				info.algo = FIPS_TEST_ALGO_TDES;
 				ret = parse_test_tdes_init();
 				if (ret < 0)
-					return 0;
+					return ret;
 			} else if (strstr(info.vec[i], "SHA-")) {
 				if (info.algo != FIPS_TEST_ALGO_HMAC) {
 					algo_parsed = 1;
-- 
2.23.0

[dpdk-dev] [PATCH 05/12] examples/fips: AES-GCM vectors will use aead structure

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Before the fix AES-GCM vectores were defined by cipher_auth
structure but handled by aead structure and that leads to
FIPS test failure.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation_gcm.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/examples/fips_validation/fips_validation_gcm.c b/examples/fips_validation/fips_validation_gcm.c
index 0509b101a..ea48ddf70 100644
--- a/examples/fips_validation/fips_validation_gcm.c
+++ b/examples/fips_validation/fips_validation_gcm.c
@@ -34,29 +34,29 @@
 #define NEG_TEST_STR	"FAIL"
 
 struct fips_test_callback gcm_dec_vectors[] = {
-		{KEY_STR, parse_uint8_known_len_hex_str, &vec.cipher_auth.key},
+		{KEY_STR, parse_uint8_known_len_hex_str, &vec.aead.key},
 		{IV_STR, parse_uint8_known_len_hex_str, &vec.iv},
 		{CT_STR, parse_uint8_known_len_hex_str, &vec.ct},
-		{AAD_STR, parse_uint8_known_len_hex_str, &vec.cipher_auth.aad},
+		{AAD_STR, parse_uint8_known_len_hex_str, &vec.aead.aad},
 		{TAG_STR, parse_uint8_known_len_hex_str,
-				&vec.cipher_auth.digest},
+				&vec.aead.digest},
 		{NULL, NULL, NULL} /**< end pointer */
 };
 struct fips_test_callback gcm_interim_vectors[] = {
-		{KEYLEN_STR, parser_read_uint32_bit_val, &vec.cipher_auth.key},
+		{KEYLEN_STR, parser_read_uint32_bit_val, &vec.aead.key},
 		{IVLEN_STR, parser_read_uint32_bit_val, &vec.iv},
 		{PTLEN_STR, parser_read_uint32_bit_val, &vec.pt},
-		{AADLEN_STR, parser_read_uint32_bit_val, &vec.cipher_auth.aad},
+		{AADLEN_STR, parser_read_uint32_bit_val, &vec.aead.aad},
 		{TAGLEN_STR, parser_read_uint32_bit_val,
-				&vec.cipher_auth.digest},
+				&vec.aead.digest},
 		{NULL, NULL, NULL} /**< end pointer */
 };
 
 struct fips_test_callback gcm_enc_vectors[] = {
-		{KEY_STR, parse_uint8_known_len_hex_str, &vec.cipher_auth.key},
+		{KEY_STR, parse_uint8_known_len_hex_str, &vec.aead.key},
 		{IV_STR, parse_uint8_known_len_hex_str, &vec.iv},
 		{PT_STR, parse_uint8_known_len_hex_str, &vec.pt},
-		{AAD_STR, parse_uint8_known_len_hex_str, &vec.cipher_auth.aad},
+		{AAD_STR, parse_uint8_known_len_hex_str, &vec.aead.aad},
 		{NULL, NULL, NULL} /**< end pointer */
 };
 
-- 
2.23.0

[dpdk-dev] [PATCH 06/12] examples/fips: set initial IV in AES-GCM if configured only salt value

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Configurated AES-GCM IV may include only salt value which length
is 12B. In this case driver should set second part of IV to
initial value = 0x1.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index c83763b13..895bfa7d8 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -25,6 +25,7 @@
 #define CRYPTODEV_BK_DIR_KEY	"broken-test-dir"
 #define CRYPTODEV_ENC_KEYWORD	"enc"
 #define CRYPTODEV_DEC_KEYWORD	"dec"
+#define IV_SALT_LEN 12
 
 struct fips_test_vector vec;
 struct fips_test_interim_info info;
@@ -580,10 +581,16 @@ prepare_aead_op(void)
 	__rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC);
 	rte_pktmbuf_reset(env.mbuf);
 
-	if (info.algo == FIPS_TEST_ALGO_AES_CCM)
+	if (info.algo == FIPS_TEST_ALGO_AES_CCM) {
 		memcpy(iv + 1, vec.iv.val, vec.iv.len);
-	else
+	} else {
 		memcpy(iv, vec.iv.val, vec.iv.len);
+		/* Set initial IV if specified only salt IV value */
+		if (vec.iv.len == IV_SALT_LEN) {
+			memset(&iv[vec.iv.len], 0, 4);
+			iv[vec.iv.len + 3] = 1;
+		}
+	}
 
 	sym->m_src = env.mbuf;
 	sym->aead.data.offset = 0;
-- 
2.23.0

[dpdk-dev] [PATCH 07/12] examples/fips: keep digest after crypto text

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Fix of GCM FIPS bug: ICV was not copied after the crypto text
in decryption operation so SAM failed to check authentication
in GCM mode.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 895bfa7d8..1d621f60a 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -636,6 +636,10 @@ prepare_aead_op(void)
 		}
 
 		memcpy(ct, vec.ct.val, vec.ct.len);
+
+		/* keep digest after crypto text */
+		memcpy(ct + vec.ct.len, vec.aead.digest.val,
+			vec.aead.digest.len);
 		sym->aead.data.length = vec.ct.len;
 		sym->aead.digest.data = vec.aead.digest.val;
 		sym->aead.digest.phys_addr = rte_malloc_virt2iova(
-- 
2.23.0

[dpdk-dev] [PATCH 08/12] examples/fips: AES-GCM decryption vectors fix

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

AES-GCM CAVS vectors for decryption set PTlen (plain text length)
but provide crypto text and application expected CTlen to be not
null. Now we assign PTlen to CTlen in decryption scenario and
it allows to application to handle AES-GCM decryption vectors.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_gcm.c     | 23 ++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/examples/fips_validation/fips_validation_gcm.c b/examples/fips_validation/fips_validation_gcm.c
index ea48ddf70..f68b4ea82 100644
--- a/examples/fips_validation/fips_validation_gcm.c
+++ b/examples/fips_validation/fips_validation_gcm.c
@@ -33,10 +33,15 @@
 
 #define NEG_TEST_STR	"FAIL"
 
+static int
+parse_uint8_known_len_hex_str_dec(const char *key,
+						char *src,
+						struct fips_val *val);
+
 struct fips_test_callback gcm_dec_vectors[] = {
 		{KEY_STR, parse_uint8_known_len_hex_str, &vec.aead.key},
 		{IV_STR, parse_uint8_known_len_hex_str, &vec.iv},
-		{CT_STR, parse_uint8_known_len_hex_str, &vec.ct},
+		{CT_STR, parse_uint8_known_len_hex_str_dec, &vec.ct},
 		{AAD_STR, parse_uint8_known_len_hex_str, &vec.aead.aad},
 		{TAG_STR, parse_uint8_known_len_hex_str,
 				&vec.aead.digest},
@@ -123,3 +128,19 @@ parse_test_gcm_init(void)
 
 	return 0;
 }
+
+static int
+parse_uint8_known_len_hex_str_dec(const char *key,
+						char *src,
+						struct fips_val *val)
+{
+	/* AES-GCM CAVS vectors for decryption set PTlen (plain text length)
+	 * but provide crypto text.
+	 * In order to compensate the behavior we assign PTlen to CTlen
+	 * (crypto text length) which is used for calculations
+	 */
+	if (info.op == FIPS_TEST_DEC_AUTH_VERIF)
+		vec.ct.len = vec.pt.len;
+
+	return parse_uint8_known_len_hex_str(key, src, val);
+}
-- 
2.23.0

[dpdk-dev] [PATCH 09/12] examples/fips: fix KEY and PT output prints for TDES mode

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 91e6d48e7..ba513672e 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -11,6 +11,10 @@
 
 #include "fips_validation.h"
 
+#define COUNT0_STR	"COUNT = 0  "
+#define KEY_STR		"KEY"
+#define NK_STR		"NumKey"
+
 #define skip_white_spaces(pos)			\
 ({						\
 	__typeof__(pos) _p = (pos);		\
@@ -68,6 +72,22 @@ fips_test_fetch_one_block(void)
 		if (size == 0)
 			break;
 
+		/* if first line is KEY-line then insert COUNT-line */
+		if (i == 0) {
+			if (strstr(info.one_line_text, KEY_STR)) {
+				info.vec[0] = calloc(1, sizeof(COUNT0_STR));
+				strlcpy(info.vec[0],
+						COUNT0_STR,
+						sizeof(COUNT0_STR));
+				i = 1;
+				info.nb_vec_lines = 1;
+			}
+		}
+
+		/* don't copy NumKey-line */
+		if (strstr(info.one_line_text, NK_STR))
+			break;
+
 		info.vec[i] = calloc(1, size + 5);
 		if (info.vec[i] == NULL)
 			goto error_exit;
-- 
2.23.0

[dpdk-dev] [PATCH 10/12] examples/fips: supported IV, PT and CT init for TDES ECB mode

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 66 +++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 16 deletions(-)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 1d621f60a..3eda0f554 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -1064,6 +1064,7 @@ fips_mct_tdes_test(void)
 	uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
 	uint32_t i, j, k;
 	int ret;
+	int test_mode = info.interim_info.tdes_data.test_mode;
 
 	for (i = 0; i < TDES_EXTERN_ITER; i++) {
 		if (i != 0)
@@ -1090,25 +1091,50 @@ fips_mct_tdes_test(void)
 				memcpy(prev_out, val.val, TDES_BLOCK_SIZE);
 
 				if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-					memcpy(vec.pt.val, vec.iv.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.iv.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.pt.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.pt.val, vec.iv.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.iv.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
+
 				} else {
-					memcpy(vec.iv.val, vec.ct.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.ct.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.iv.val, vec.ct.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
 				}
 				continue;
 			}
 
 			if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.pt.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, val.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.pt.val, prev_out,
+						   TDES_BLOCK_SIZE);
+				}
 			} else {
-				memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE);
-				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, vec.ct.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				}
 			}
 
 			if (j == TDES_INTERN_ITER - 1)
@@ -1167,11 +1193,19 @@ fips_mct_tdes_test(void)
 					val_key.val[k] : (val_key.val[k] ^ 0x1);
 
 		if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-			memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-			memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
+				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			}
 		} else {
-			memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
-			memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			}
 		}
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH 11/12] examples/fips: algorithm definition by folder if it's not in file

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

In order to find algorithm used the folder name if it is
not defined within the file.

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index ba513672e..fcc0c985d 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -248,6 +248,48 @@ fips_test_parse_header(void)
 		fprintf(info.fp_wr, "%s\n", info.vec[i]);
 	}
 
+	/* use folder name if algorithm is not found yet*/
+	if (info.algo == FIPS_TEST_ALGO_MAX) {
+		if (strstr(info.file_name, "AESVS")) {
+			info.algo = FIPS_TEST_ALGO_AES;
+			ret = parse_test_aes_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "GCM")) {
+			info.algo = FIPS_TEST_ALGO_AES_GCM;
+			ret = parse_test_gcm_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "CMAC")) {
+			info.algo = FIPS_TEST_ALGO_AES_CMAC;
+			ret = parse_test_cmac_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "CCM")) {
+			info.algo = FIPS_TEST_ALGO_AES_CCM;
+			ret = parse_test_ccm_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "HMAC")) {
+			info.algo = FIPS_TEST_ALGO_HMAC;
+			ret = parse_test_hmac_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "TDES")) {
+			info.algo = FIPS_TEST_ALGO_TDES;
+			ret = parse_test_tdes_init();
+			if (ret < 0)
+				return ret;
+		} else if (strstr(info.file_name, "SHA-")) {
+			if (info.algo != FIPS_TEST_ALGO_HMAC) {
+				info.algo = FIPS_TEST_ALGO_SHA;
+				ret = parse_test_sha_init();
+				if (ret < 0)
+					return ret;
+			}
+		}
+	}
+
 	return 0;
 }
 
-- 
2.23.0

[dpdk-dev] [PATCH 12/12] examples/fips: erroneous overwrite of PLAINTEXT after DECRYPT

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

fix erroneous overwrite of PLAINTEXT-line after [DECRYPT] tag

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index fcc0c985d..4d0f240b8 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -401,10 +401,13 @@ fips_test_parse_one_case(void)
 	}
 
 	if (is_interim) {
-		for (i = 0; i < info.nb_vec_lines; i++)
-			fprintf(info.fp_wr, "%s\n", info.vec[i]);
-		fprintf(info.fp_wr, "\n");
-		return 1;
+		if (!(strstr(info.vec[0], "DECRYPT") &&
+			  info.nb_vec_lines > 1)) {
+			for (i = 0; i < info.nb_vec_lines; i++)
+				fprintf(info.fp_wr, "%s\n", info.vec[i]);
+			fprintf(info.fp_wr, "\n");
+			return 1;
+		}
 	}
 
 	for (i = 0; i < info.nb_vec_lines; i++) {
-- 
2.23.0

Re: [dpdk-dev] [PATCH 04/12] examples/fips: fix bad return code in fips_test_parse_header()

[Akhil Goyal]

Hi Michael,

Title should be " examples/fips_validation: fix bad return value "

> 
> Returning correct error value by fips_test_parse_header()
> allows graceful exit of fips application.

Please add a fixes line here and cc stable.

It would be good if you can separate out the fixes from this patchset which add some functionality.

-Akhil

> 
> Signed-off-by: Michael Shamis <michaelsh@marvell.com>
> ---
>  examples/fips_validation/fips_validation.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/examples/fips_validation/fips_validation.c
> b/examples/fips_validation/fips_validation.c
> index fe3bcc386..91e6d48e7 100644
> --- a/examples/fips_validation/fips_validation.c
> +++ b/examples/fips_validation/fips_validation.c
> @@ -125,13 +125,13 @@ fips_test_parse_header(void)
>  				info.algo = FIPS_TEST_ALGO_AES_CMAC;
>  				ret = parse_test_cmac_init();
>  				if (ret < 0)
> -					return 0;
> +					return ret;
>  			} else if (strstr(info.vec[i], "CCM")) {
>  				algo_parsed = 1;
>  				info.algo = FIPS_TEST_ALGO_AES_CCM;
>  				ret = parse_test_ccm_init();
>  				if (ret < 0)
> -					return 0;
> +					return ret;
>  			} else if (strstr(info.vec[i], "HMAC")) {
>  				algo_parsed = 1;
>  				info.algo = FIPS_TEST_ALGO_HMAC;
> @@ -143,7 +143,7 @@ fips_test_parse_header(void)
>  				info.algo = FIPS_TEST_ALGO_TDES;
>  				ret = parse_test_tdes_init();
>  				if (ret < 0)
> -					return 0;
> +					return ret;
>  			} else if (strstr(info.vec[i], "SHA-")) {
>  				if (info.algo != FIPS_TEST_ALGO_HMAC) {
>  					algo_parsed = 1;
> --
> 2.23.0

Re: [dpdk-dev] [PATCH 00/12] FIPS improvements

[Akhil Goyal]

Hi Michael,

Please try to improve descriptions and patch titles as per the suggestions given below.
There are many patches which are fixes. Are the eligible for backport to stable branches?
The support which is getting added, is it eligible for documentation update for the application.

-Akhil

> 
> Added support for ECB mode in TDES and AES.
> Fixed some bugs in TDES and AES-GCM.
> 
> Michael Shamis (12):
>   examples/fips: added support for SHA algorithm in FIPS tests
examples/fips_validation: support SHA

>   examples/fips: added support for TDES ECB mode in FIPS tests
examples/fips_validation: support TDES ECB

>   examples/fips: added support AES ECB mode in FIPS tests
examples/fips_validation: support AES ECB

>   examples/fips: fix bad return code in fips_test_parse_header()
examples/fips_validation: fix bad return value
Can be a separate patch from this set. Also send to stable.

>   examples/fips: AES-GCM vectors will use aead structure
examples/fips_validation: use AEAD based structs for AES-GCM
rather it is a fix and should be sent to stable and the title would be 
examples/fips_validation: fix structs used for AES-GCM

>   examples/fips: set initial IV in AES-GCM if configured only salt value
examples/fips_validation: initialize IV for AES-GCM

>   examples/fips: keep digest after crypto text
examples/fips_validation: move digest after cipher text

>   examples/fips: AES-GCM decryption vectors fix
examples/fips_validation: fix AES-GCM decryption vector
Add fixes line and cc stable. Can be a separate patchset for fixes.

>   examples/fips: fix KEY and PT output prints for TDES mode
Does not have a patch description and title does not look to justify the patch.

>   examples/fips: supported IV, PT and CT init for TDES ECB mode
Again there is no patch description and title is pretty long. Try to make it short.

>   examples/fips: algorithm definition by folder if it's not in file
examples/fips_validation: improve algo parsing logic
update description text to elaborate the need for this logic

>   examples/fips: erroneous overwrite of PLAINTEXT after DECRYPT
examples/fips_validation: fix plain text overwrite
send to stable and add fixes line.

> 
>  examples/fips_validation/fips_validation.c    |  92 ++++++--
>  examples/fips_validation/fips_validation.h    |   7 +
>  .../fips_validation/fips_validation_aes.c     |   1 +
>  .../fips_validation/fips_validation_gcm.c     |  39 +++-
>  .../fips_validation/fips_validation_tdes.c    |   7 +
>  examples/fips_validation/main.c               | 204 +++++++++++++++---
>  6 files changed, 301 insertions(+), 49 deletions(-)
> 
> --
> 2.23.0

Re: [dpdk-dev] [PATCH 00/12] FIPS improvements

[Michael Shamis]

Hi Akhil,

I send 2 patch sets: one for new functionality support and another one for fixes.
One patch was sent separately from both of the sets according to your requirement:

>>   examples/fips: fix bad return code in fips_test_parse_header()
>examples/fips_validation: fix bad return value Can be a separate patch from this set. Also send to stable.

Please instruct me how to send the patches to stable.

Thanks,
Michael

-----Original Message-----
From: Akhil Goyal <akhil.goyal@nxp.com> 
Sent: Wednesday, September 4, 2019 1:14 PM
To: Michael Shamis <michaelsh@marvell.com>; marko.kovacevic@intel.com
Cc: dev@dpdk.org; Liron Himi <lironh@marvell.com>
Subject: [EXT] RE: [dpdk-dev] [PATCH 00/12] FIPS improvements

External Email

----------------------------------------------------------------------
Hi Michael,

Please try to improve descriptions and patch titles as per the suggestions given below.
There are many patches which are fixes. Are the eligible for backport to stable branches?
The support which is getting added, is it eligible for documentation update for the application.

-Akhil

> 
> Added support for ECB mode in TDES and AES.
> Fixed some bugs in TDES and AES-GCM.
> 
> Michael Shamis (12):
>   examples/fips: added support for SHA algorithm in FIPS tests
examples/fips_validation: support SHA

>   examples/fips: added support for TDES ECB mode in FIPS tests
examples/fips_validation: support TDES ECB

>   examples/fips: added support AES ECB mode in FIPS tests
examples/fips_validation: support AES ECB

>   examples/fips: fix bad return code in fips_test_parse_header()
examples/fips_validation: fix bad return value Can be a separate patch from this set. Also send to stable.

>   examples/fips: AES-GCM vectors will use aead structure
examples/fips_validation: use AEAD based structs for AES-GCM rather it is a fix and should be sent to stable and the title would be
examples/fips_validation: fix structs used for AES-GCM

>   examples/fips: set initial IV in AES-GCM if configured only salt 
> value
examples/fips_validation: initialize IV for AES-GCM

>   examples/fips: keep digest after crypto text
examples/fips_validation: move digest after cipher text

>   examples/fips: AES-GCM decryption vectors fix
examples/fips_validation: fix AES-GCM decryption vector Add fixes line and cc stable. Can be a separate patchset for fixes.

>   examples/fips: fix KEY and PT output prints for TDES mode
Does not have a patch description and title does not look to justify the patch.

>   examples/fips: supported IV, PT and CT init for TDES ECB mode
Again there is no patch description and title is pretty long. Try to make it short.

>   examples/fips: algorithm definition by folder if it's not in file
examples/fips_validation: improve algo parsing logic update description text to elaborate the need for this logic

>   examples/fips: erroneous overwrite of PLAINTEXT after DECRYPT
examples/fips_validation: fix plain text overwrite send to stable and add fixes line.

> 
>  examples/fips_validation/fips_validation.c    |  92 ++++++--
>  examples/fips_validation/fips_validation.h    |   7 +
>  .../fips_validation/fips_validation_aes.c     |   1 +
>  .../fips_validation/fips_validation_gcm.c     |  39 +++-
>  .../fips_validation/fips_validation_tdes.c    |   7 +
>  examples/fips_validation/main.c               | 204 +++++++++++++++---
>  6 files changed, 301 insertions(+), 49 deletions(-)
> 
> --
> 2.23.0

Re: [dpdk-dev] [PATCH 00/12] FIPS improvements

[Akhil Goyal]

> 
> Hi Akhil,
> 
> I send 2 patch sets: one for new functionality support and another one for fixes.
> One patch was sent separately from both of the sets according to your
> requirement:

Ok will have a look.
Thanks.
> 
> >>   examples/fips: fix bad return code in fips_test_parse_header()
> >examples/fips_validation: fix bad return value Can be a separate patch from
> this set. Also send to stable.
> 
> Please instruct me how to send the patches to stable.
You just need to cc stable@dpdk.org and add this in the commit message as well below the fixes line.
You can check the git log for reference for the fixes.

I will do this when I will apply the patch.
You can take care of this in future.

Thanks,
Akhil
> 
> Thanks,
> Michael
> 
> -----Original Message-----
> From: Akhil Goyal <akhil.goyal@nxp.com>
> Sent: Wednesday, September 4, 2019 1:14 PM
> To: Michael Shamis <michaelsh@marvell.com>; marko.kovacevic@intel.com
> Cc: dev@dpdk.org; Liron Himi <lironh@marvell.com>
> Subject: [EXT] RE: [dpdk-dev] [PATCH 00/12] FIPS improvements
> 
> External Email
> 
> ----------------------------------------------------------------------
> Hi Michael,
> 
> Please try to improve descriptions and patch titles as per the suggestions given
> below.
> There are many patches which are fixes. Are the eligible for backport to stable
> branches?
> The support which is getting added, is it eligible for documentation update for
> the application.
> 
> -Akhil
> 
> >
> > Added support for ECB mode in TDES and AES.
> > Fixed some bugs in TDES and AES-GCM.
> >
> > Michael Shamis (12):
> >   examples/fips: added support for SHA algorithm in FIPS tests
> examples/fips_validation: support SHA
> 
> >   examples/fips: added support for TDES ECB mode in FIPS tests
> examples/fips_validation: support TDES ECB
> 
> >   examples/fips: added support AES ECB mode in FIPS tests
> examples/fips_validation: support AES ECB
> 
> >   examples/fips: fix bad return code in fips_test_parse_header()
> examples/fips_validation: fix bad return value Can be a separate patch from this
> set. Also send to stable.
> 
> >   examples/fips: AES-GCM vectors will use aead structure
> examples/fips_validation: use AEAD based structs for AES-GCM rather it is a fix
> and should be sent to stable and the title would be
> examples/fips_validation: fix structs used for AES-GCM
> 
> >   examples/fips: set initial IV in AES-GCM if configured only salt
> > value
> examples/fips_validation: initialize IV for AES-GCM
> 
> >   examples/fips: keep digest after crypto text
> examples/fips_validation: move digest after cipher text
> 
> >   examples/fips: AES-GCM decryption vectors fix
> examples/fips_validation: fix AES-GCM decryption vector Add fixes line and cc
> stable. Can be a separate patchset for fixes.
> 
> >   examples/fips: fix KEY and PT output prints for TDES mode
> Does not have a patch description and title does not look to justify the patch.
> 
> >   examples/fips: supported IV, PT and CT init for TDES ECB mode
> Again there is no patch description and title is pretty long. Try to make it short.
> 
> >   examples/fips: algorithm definition by folder if it's not in file
> examples/fips_validation: improve algo parsing logic update description text to
> elaborate the need for this logic
> 
> >   examples/fips: erroneous overwrite of PLAINTEXT after DECRYPT
> examples/fips_validation: fix plain text overwrite send to stable and add fixes
> line.
> 
> >
> >  examples/fips_validation/fips_validation.c    |  92 ++++++--
> >  examples/fips_validation/fips_validation.h    |   7 +
> >  .../fips_validation/fips_validation_aes.c     |   1 +
> >  .../fips_validation/fips_validation_gcm.c     |  39 +++-
> >  .../fips_validation/fips_validation_tdes.c    |   7 +
> >  examples/fips_validation/main.c               | 204 +++++++++++++++---
> >  6 files changed, 301 insertions(+), 49 deletions(-)
> >
> > --
> > 2.23.0

[dpdk-dev] [PATCH v2 0/3] Support ECB for AES and TDES

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Michael Shamis (3):
  examples/fips_validation: added support for TDES ECB
  examples/fips_validation: added support AES ECB
  examples/fips_validation: separated init for TDES ECB and CBC

 examples/fips_validation/fips_validation.c    |   1 +
 examples/fips_validation/fips_validation.h    |   7 +
 .../fips_validation/fips_validation_aes.c     |   1 +
 .../fips_validation/fips_validation_tdes.c    |   7 +
 examples/fips_validation/main.c               | 189 +++++++++++++++---
 5 files changed, 179 insertions(+), 26 deletions(-)

-- 
2.23.0

[dpdk-dev] [PATCH v2 1/3] examples/fips_validation: added support for TDES ECB

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c    |  1 +
 examples/fips_validation/fips_validation.h    |  7 +++++
 .../fips_validation/fips_validation_tdes.c    |  7 +++++
 examples/fips_validation/main.c               | 27 ++++++++++++++++---
 4 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 8d43b267e..07ffa62e9 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -257,6 +257,7 @@ fips_test_init(const char *req_file_path, const char *rsp_file_path,
 
 	fips_test_clear();
 
+	strcpy(info.file_name, req_file_path);
 	info.algo = FIPS_TEST_ALGO_MAX;
 	if (parse_file_type(req_file_path) < 0) {
 		RTE_LOG(ERR, USER1, "File %s type not supported\n",
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
index b604db9ec..d487fb005 100644
--- a/examples/fips_validation/fips_validation.h
+++ b/examples/fips_validation/fips_validation.h
@@ -105,6 +105,11 @@ enum fips_tdes_test_types {
 	TDES_MMT /* Multi block Message Test */
 };
 
+enum fips_tdes_test_mode {
+	TDES_MODE_CBC = 0,
+	TDES_MODE_ECB
+};
+
 enum fips_ccm_test_types {
 	CCM_VADT	= 1, /* Variable Associated Data Test */
 	CCM_VPT,		 /* Variable Payload Test */
@@ -130,6 +135,7 @@ struct hmac_interim_data {
 
 struct tdes_interim_data {
 	enum fips_tdes_test_types test_type;
+	enum fips_tdes_test_mode test_mode;
 	uint32_t nb_keys;
 };
 
@@ -156,6 +162,7 @@ struct fips_test_interim_info {
 	char *vec[MAX_LINE_PER_VECTOR];
 	uint32_t nb_vec_lines;
 	char device_name[MAX_STRING_SIZE];
+	char file_name[MAX_STRING_SIZE];
 
 	union {
 		struct aesavs_interim_data aes_data;
diff --git a/examples/fips_validation/fips_validation_tdes.c b/examples/fips_validation/fips_validation_tdes.c
index 15ee434e1..d7f4d58b0 100644
--- a/examples/fips_validation/fips_validation_tdes.c
+++ b/examples/fips_validation/fips_validation_tdes.c
@@ -12,6 +12,7 @@
 
 #define NEW_LINE_STR	"#"
 #define TEST_TYPE_KEY	" for CBC"
+#define TEST_TYPE_ECB_KEY	" for ECB"
 #define TEST_CBCI_KEY	" for CBCI"
 
 #define ENC_STR		"[ENCRYPT]"
@@ -250,6 +251,12 @@ parse_test_tdes_init(void)
 			if (strstr(line, test_types[j].desc)) {
 				info.interim_info.tdes_data.test_type =
 						test_types[j].type;
+				if (strstr(line, TEST_TYPE_ECB_KEY))
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_ECB;
+				else
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_CBC;
 				break;
 			}
 	}
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 813534068..7a379bc99 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -689,16 +689,24 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB;
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
 
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1387,6 +1395,17 @@ init_test_ops(void)
 			test_ops.test = fips_generic_test;
 		break;
 	default:
+		if (strstr(info.file_name, "TECB") ||
+				strstr(info.file_name, "TCBC")) {
+			info.algo = FIPS_TEST_ALGO_TDES;
+			test_ops.prepare_op = prepare_cipher_op;
+			test_ops.prepare_xform	= prepare_tdes_xform;
+			if (info.interim_info.tdes_data.test_type == TDES_MCT)
+				test_ops.test = fips_mct_tdes_test;
+			else
+				test_ops.test = fips_generic_test;
+			break;
+		}
 		return -1;
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH v2 2/3] examples/fips_validation: added support AES ECB

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_aes.c     |  1 +
 examples/fips_validation/main.c               | 96 +++++++++++++++++--
 2 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c
index 8cbc158eb..010a82627 100644
--- a/examples/fips_validation/fips_validation_aes.c
+++ b/examples/fips_validation/fips_validation_aes.c
@@ -44,6 +44,7 @@ struct aes_test_algo {
 	enum rte_crypto_cipher_algorithm algo;
 } const algo_con[] = {
 		{"CBC", RTE_CRYPTO_CIPHER_AES_CBC},
+		{"ECB", RTE_CRYPTO_CIPHER_AES_ECB},
 };
 
 static int
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 7a379bc99..c83763b13 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -649,16 +649,24 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB;
+
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
-
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1059,7 +1067,6 @@ fips_mct_tdes_test(void)
 					fprintf(info.fp_wr, "Bypass\n");
 					return 0;
 				}
-
 				return ret;
 			}
 
@@ -1160,6 +1167,80 @@ fips_mct_tdes_test(void)
 	return 0;
 }
 
+static int
+fips_mct_aes_ecb_test(void)
+{
+#define AES_BLOCK_SIZE	16
+#define AES_EXTERN_ITER	100
+#define AES_INTERN_ITER	1000
+	struct fips_val val, val_key;
+	uint8_t prev_out[AES_BLOCK_SIZE] = {0};
+	uint32_t i, j, k;
+	int ret;
+
+	for (i = 0; i < AES_EXTERN_ITER; i++) {
+		if (i != 0)
+			update_info_vec(i);
+
+		fips_test_write_one_case();
+
+		for (j = 0; j < AES_INTERN_ITER; j++) {
+			ret = fips_run_test();
+			if (ret < 0) {
+				if (ret == -EPERM) {
+					fprintf(info.fp_wr, "Bypass\n");
+					return 0;
+				}
+
+				return ret;
+			}
+
+			get_writeback_data(&val);
+
+			if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+				memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE);
+			else
+				memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE);
+
+			if (j == AES_INTERN_ITER - 1)
+				continue;
+
+			memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+		}
+
+		info.parse_writeback(&val);
+		fprintf(info.fp_wr, "\n");
+
+		if (i == AES_EXTERN_ITER - 1)
+			continue;
+
+		/** update key */
+		memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key));
+		for (k = 0; k < vec.cipher_auth.key.len; k++) {
+			switch (vec.cipher_auth.key.len) {
+			case 16:
+				val_key.val[k] ^= val.val[k];
+				break;
+			case 24:
+				if (k < 8)
+					val_key.val[k] ^= prev_out[k + 8];
+				else
+					val_key.val[k] ^= val.val[k - 8];
+				break;
+			case 32:
+				if (k < 16)
+					val_key.val[k] ^= prev_out[k];
+				else
+					val_key.val[k] ^= val.val[k - 16];
+				break;
+			default:
+				return -1;
+			}
+		}
+	}
+
+	return 0;
+}
 static int
 fips_mct_aes_test(void)
 {
@@ -1172,6 +1253,9 @@ fips_mct_aes_test(void)
 	uint32_t i, j, k;
 	int ret;
 
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB)
+		return fips_mct_aes_ecb_test();
+
 	for (i = 0; i < AES_EXTERN_ITER; i++) {
 		if (i != 0)
 			update_info_vec(i);
-- 
2.23.0

[dpdk-dev] [PATCH v2 3/3] examples/fips_validation: separated init for TDES ECB and CBC

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

TDES: IV, PT and CT are initiated according to ECB or CBC
cipher mode now

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 66 +++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 16 deletions(-)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index c83763b13..f8694ef96 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -1053,6 +1053,7 @@ fips_mct_tdes_test(void)
 	uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
 	uint32_t i, j, k;
 	int ret;
+	int test_mode = info.interim_info.tdes_data.test_mode;
 
 	for (i = 0; i < TDES_EXTERN_ITER; i++) {
 		if (i != 0)
@@ -1079,25 +1080,50 @@ fips_mct_tdes_test(void)
 				memcpy(prev_out, val.val, TDES_BLOCK_SIZE);
 
 				if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-					memcpy(vec.pt.val, vec.iv.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.iv.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.pt.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.pt.val, vec.iv.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.iv.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
+
 				} else {
-					memcpy(vec.iv.val, vec.ct.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.ct.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.iv.val, vec.ct.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
 				}
 				continue;
 			}
 
 			if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.pt.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, val.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.pt.val, prev_out,
+						   TDES_BLOCK_SIZE);
+				}
 			} else {
-				memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE);
-				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, vec.ct.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				}
 			}
 
 			if (j == TDES_INTERN_ITER - 1)
@@ -1156,11 +1182,19 @@ fips_mct_tdes_test(void)
 					val_key.val[k] : (val_key.val[k] ^ 0x1);
 
 		if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-			memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-			memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
+				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			}
 		} else {
-			memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
-			memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			}
 		}
 	}
 
-- 
2.23.0

Re: [dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[Akhil Goyal]

Please specify change log

> -----Original Message-----
> From: michaelsh@marvell.com <michaelsh@marvell.com>
> Sent: Tuesday, October 1, 2019 4:03 PM
> To: Akhil Goyal <akhil.goyal@nxp.com>
> Cc: marko.kovacevic@intel.com; lironh@marvell.com; dev@dpdk.org;
> michaelsh@marvell.com
> Subject: [PATCH v3 0/3] support ECB for AES and TDES
> 
> From: Michael Shamis <michaelsh@marvell.com>
> 
> Michael Shamis (3):
>   examples/fips_validation: add TDES ECB support
>   examples/fips_validation: add AES ECB support
>   examples/fips_validation: separate ECB and CBC
> 
>  examples/fips_validation/fips_validation.c    |   1 +
>  examples/fips_validation/fips_validation.h    |   7 +
>  .../fips_validation/fips_validation_aes.c     |   1 +
>  .../fips_validation/fips_validation_tdes.c    |   7 +
>  examples/fips_validation/main.c               | 189 +++++++++++++++---
>  5 files changed, 179 insertions(+), 26 deletions(-)
> 
> --
> 2.23.0

[dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Michael Shamis (3):
  examples/fips_validation: add TDES ECB support
  examples/fips_validation: add AES ECB support
  examples/fips_validation: separate ECB and CBC

 examples/fips_validation/fips_validation.c    |   1 +
 examples/fips_validation/fips_validation.h    |   7 +
 .../fips_validation/fips_validation_aes.c     |   1 +
 .../fips_validation/fips_validation_tdes.c    |   7 +
 examples/fips_validation/main.c               | 189 +++++++++++++++---
 5 files changed, 179 insertions(+), 26 deletions(-)

-- 
2.23.0

[dpdk-dev] [PATCH v3 1/3] examples/fips_validation: add TDES ECB support

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c    |  1 +
 examples/fips_validation/fips_validation.h    |  7 +++++
 .../fips_validation/fips_validation_tdes.c    |  7 +++++
 examples/fips_validation/main.c               | 27 ++++++++++++++++---
 4 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 8d43b267e..07ffa62e9 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -257,6 +257,7 @@ fips_test_init(const char *req_file_path, const char *rsp_file_path,
 
 	fips_test_clear();
 
+	strcpy(info.file_name, req_file_path);
 	info.algo = FIPS_TEST_ALGO_MAX;
 	if (parse_file_type(req_file_path) < 0) {
 		RTE_LOG(ERR, USER1, "File %s type not supported\n",
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
index b604db9ec..d487fb005 100644
--- a/examples/fips_validation/fips_validation.h
+++ b/examples/fips_validation/fips_validation.h
@@ -105,6 +105,11 @@ enum fips_tdes_test_types {
 	TDES_MMT /* Multi block Message Test */
 };
 
+enum fips_tdes_test_mode {
+	TDES_MODE_CBC = 0,
+	TDES_MODE_ECB
+};
+
 enum fips_ccm_test_types {
 	CCM_VADT	= 1, /* Variable Associated Data Test */
 	CCM_VPT,		 /* Variable Payload Test */
@@ -130,6 +135,7 @@ struct hmac_interim_data {
 
 struct tdes_interim_data {
 	enum fips_tdes_test_types test_type;
+	enum fips_tdes_test_mode test_mode;
 	uint32_t nb_keys;
 };
 
@@ -156,6 +162,7 @@ struct fips_test_interim_info {
 	char *vec[MAX_LINE_PER_VECTOR];
 	uint32_t nb_vec_lines;
 	char device_name[MAX_STRING_SIZE];
+	char file_name[MAX_STRING_SIZE];
 
 	union {
 		struct aesavs_interim_data aes_data;
diff --git a/examples/fips_validation/fips_validation_tdes.c b/examples/fips_validation/fips_validation_tdes.c
index 2b262c9a0..5b6737643 100644
--- a/examples/fips_validation/fips_validation_tdes.c
+++ b/examples/fips_validation/fips_validation_tdes.c
@@ -12,6 +12,7 @@
 
 #define NEW_LINE_STR	"#"
 #define TEST_TYPE_KEY	" for CBC"
+#define TEST_TYPE_ECB_KEY	" for ECB"
 #define TEST_CBCI_KEY	" for CBCI"
 
 #define ENC_STR		"[ENCRYPT]"
@@ -252,6 +253,12 @@ parse_test_tdes_init(void)
 			if (strstr(line, test_types[j].desc)) {
 				info.interim_info.tdes_data.test_type =
 						test_types[j].type;
+				if (strstr(line, TEST_TYPE_ECB_KEY))
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_ECB;
+				else
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_CBC;
 				break;
 			}
 	}
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 813534068..7a379bc99 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -689,16 +689,24 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB;
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
 
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1387,6 +1395,17 @@ init_test_ops(void)
 			test_ops.test = fips_generic_test;
 		break;
 	default:
+		if (strstr(info.file_name, "TECB") ||
+				strstr(info.file_name, "TCBC")) {
+			info.algo = FIPS_TEST_ALGO_TDES;
+			test_ops.prepare_op = prepare_cipher_op;
+			test_ops.prepare_xform	= prepare_tdes_xform;
+			if (info.interim_info.tdes_data.test_type == TDES_MCT)
+				test_ops.test = fips_mct_tdes_test;
+			else
+				test_ops.test = fips_generic_test;
+			break;
+		}
 		return -1;
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH v3 2/3] examples/fips_validation: add AES ECB support

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_aes.c     |  1 +
 examples/fips_validation/main.c               | 96 +++++++++++++++++--
 2 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c
index 8cbc158eb..010a82627 100644
--- a/examples/fips_validation/fips_validation_aes.c
+++ b/examples/fips_validation/fips_validation_aes.c
@@ -44,6 +44,7 @@ struct aes_test_algo {
 	enum rte_crypto_cipher_algorithm algo;
 } const algo_con[] = {
 		{"CBC", RTE_CRYPTO_CIPHER_AES_CBC},
+		{"ECB", RTE_CRYPTO_CIPHER_AES_ECB},
 };
 
 static int
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 7a379bc99..c83763b13 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -649,16 +649,24 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB;
+
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
-
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1059,7 +1067,6 @@ fips_mct_tdes_test(void)
 					fprintf(info.fp_wr, "Bypass\n");
 					return 0;
 				}
-
 				return ret;
 			}
 
@@ -1160,6 +1167,80 @@ fips_mct_tdes_test(void)
 	return 0;
 }
 
+static int
+fips_mct_aes_ecb_test(void)
+{
+#define AES_BLOCK_SIZE	16
+#define AES_EXTERN_ITER	100
+#define AES_INTERN_ITER	1000
+	struct fips_val val, val_key;
+	uint8_t prev_out[AES_BLOCK_SIZE] = {0};
+	uint32_t i, j, k;
+	int ret;
+
+	for (i = 0; i < AES_EXTERN_ITER; i++) {
+		if (i != 0)
+			update_info_vec(i);
+
+		fips_test_write_one_case();
+
+		for (j = 0; j < AES_INTERN_ITER; j++) {
+			ret = fips_run_test();
+			if (ret < 0) {
+				if (ret == -EPERM) {
+					fprintf(info.fp_wr, "Bypass\n");
+					return 0;
+				}
+
+				return ret;
+			}
+
+			get_writeback_data(&val);
+
+			if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+				memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE);
+			else
+				memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE);
+
+			if (j == AES_INTERN_ITER - 1)
+				continue;
+
+			memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+		}
+
+		info.parse_writeback(&val);
+		fprintf(info.fp_wr, "\n");
+
+		if (i == AES_EXTERN_ITER - 1)
+			continue;
+
+		/** update key */
+		memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key));
+		for (k = 0; k < vec.cipher_auth.key.len; k++) {
+			switch (vec.cipher_auth.key.len) {
+			case 16:
+				val_key.val[k] ^= val.val[k];
+				break;
+			case 24:
+				if (k < 8)
+					val_key.val[k] ^= prev_out[k + 8];
+				else
+					val_key.val[k] ^= val.val[k - 8];
+				break;
+			case 32:
+				if (k < 16)
+					val_key.val[k] ^= prev_out[k];
+				else
+					val_key.val[k] ^= val.val[k - 16];
+				break;
+			default:
+				return -1;
+			}
+		}
+	}
+
+	return 0;
+}
 static int
 fips_mct_aes_test(void)
 {
@@ -1172,6 +1253,9 @@ fips_mct_aes_test(void)
 	uint32_t i, j, k;
 	int ret;
 
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB)
+		return fips_mct_aes_ecb_test();
+
 	for (i = 0; i < AES_EXTERN_ITER; i++) {
 		if (i != 0)
 			update_info_vec(i);
-- 
2.23.0

[dpdk-dev] [PATCH v3 3/3] examples/fips_validation: separate ECB and CBC

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Separate initialization of IV, PT and CT according to TDES
ECB and CBC crypto modes

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 66 +++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 16 deletions(-)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index c83763b13..f8694ef96 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -1053,6 +1053,7 @@ fips_mct_tdes_test(void)
 	uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
 	uint32_t i, j, k;
 	int ret;
+	int test_mode = info.interim_info.tdes_data.test_mode;
 
 	for (i = 0; i < TDES_EXTERN_ITER; i++) {
 		if (i != 0)
@@ -1079,25 +1080,50 @@ fips_mct_tdes_test(void)
 				memcpy(prev_out, val.val, TDES_BLOCK_SIZE);
 
 				if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-					memcpy(vec.pt.val, vec.iv.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.iv.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.pt.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.pt.val, vec.iv.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.iv.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
+
 				} else {
-					memcpy(vec.iv.val, vec.ct.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.ct.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.iv.val, vec.ct.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
 				}
 				continue;
 			}
 
 			if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.pt.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, val.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.pt.val, prev_out,
+						   TDES_BLOCK_SIZE);
+				}
 			} else {
-				memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE);
-				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, vec.ct.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				}
 			}
 
 			if (j == TDES_INTERN_ITER - 1)
@@ -1156,11 +1182,19 @@ fips_mct_tdes_test(void)
 					val_key.val[k] : (val_key.val[k] ^ 0x1);
 
 		if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-			memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-			memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
+				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			}
 		} else {
-			memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
-			memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			}
 		}
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

v3:
Changed patch names to comply DPDK contributing
requirements
v2:
fips_validation-separation-between-HMAC-SHA.patch
has been moved to fix patch
 
Michael Shamis (3):
  examples/fips_validation: add TDES ECB support
  examples/fips_validation: add AES ECB support
  examples/fips_validation: separate ECB and CBC

 examples/fips_validation/fips_validation.c    |   1 +
 examples/fips_validation/fips_validation.h    |   7 +
 .../fips_validation/fips_validation_aes.c     |   1 +
 .../fips_validation/fips_validation_tdes.c    |   7 +
 examples/fips_validation/main.c               | 189 +++++++++++++++---
 5 files changed, 179 insertions(+), 26 deletions(-)

-- 
2.23.0

[dpdk-dev] [PATCH v3 1/3] examples/fips_validation: add TDES ECB support

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c    |  1 +
 examples/fips_validation/fips_validation.h    |  7 +++++
 .../fips_validation/fips_validation_tdes.c    |  7 +++++
 examples/fips_validation/main.c               | 27 ++++++++++++++++---
 4 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 8d43b267e..07ffa62e9 100644
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -257,6 +257,7 @@ fips_test_init(const char *req_file_path, const char *rsp_file_path,
 
 	fips_test_clear();
 
+	strcpy(info.file_name, req_file_path);
 	info.algo = FIPS_TEST_ALGO_MAX;
 	if (parse_file_type(req_file_path) < 0) {
 		RTE_LOG(ERR, USER1, "File %s type not supported\n",
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
index b604db9ec..d487fb005 100644
--- a/examples/fips_validation/fips_validation.h
+++ b/examples/fips_validation/fips_validation.h
@@ -105,6 +105,11 @@ enum fips_tdes_test_types {
 	TDES_MMT /* Multi block Message Test */
 };
 
+enum fips_tdes_test_mode {
+	TDES_MODE_CBC = 0,
+	TDES_MODE_ECB
+};
+
 enum fips_ccm_test_types {
 	CCM_VADT	= 1, /* Variable Associated Data Test */
 	CCM_VPT,		 /* Variable Payload Test */
@@ -130,6 +135,7 @@ struct hmac_interim_data {
 
 struct tdes_interim_data {
 	enum fips_tdes_test_types test_type;
+	enum fips_tdes_test_mode test_mode;
 	uint32_t nb_keys;
 };
 
@@ -156,6 +162,7 @@ struct fips_test_interim_info {
 	char *vec[MAX_LINE_PER_VECTOR];
 	uint32_t nb_vec_lines;
 	char device_name[MAX_STRING_SIZE];
+	char file_name[MAX_STRING_SIZE];
 
 	union {
 		struct aesavs_interim_data aes_data;
diff --git a/examples/fips_validation/fips_validation_tdes.c b/examples/fips_validation/fips_validation_tdes.c
index 2b262c9a0..5b6737643 100644
--- a/examples/fips_validation/fips_validation_tdes.c
+++ b/examples/fips_validation/fips_validation_tdes.c
@@ -12,6 +12,7 @@
 
 #define NEW_LINE_STR	"#"
 #define TEST_TYPE_KEY	" for CBC"
+#define TEST_TYPE_ECB_KEY	" for ECB"
 #define TEST_CBCI_KEY	" for CBCI"
 
 #define ENC_STR		"[ENCRYPT]"
@@ -252,6 +253,12 @@ parse_test_tdes_init(void)
 			if (strstr(line, test_types[j].desc)) {
 				info.interim_info.tdes_data.test_type =
 						test_types[j].type;
+				if (strstr(line, TEST_TYPE_ECB_KEY))
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_ECB;
+				else
+					info.interim_info.tdes_data.test_mode =
+						TDES_MODE_CBC;
 				break;
 			}
 	}
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 813534068..7a379bc99 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -689,16 +689,24 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB;
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
 
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1387,6 +1395,17 @@ init_test_ops(void)
 			test_ops.test = fips_generic_test;
 		break;
 	default:
+		if (strstr(info.file_name, "TECB") ||
+				strstr(info.file_name, "TCBC")) {
+			info.algo = FIPS_TEST_ALGO_TDES;
+			test_ops.prepare_op = prepare_cipher_op;
+			test_ops.prepare_xform	= prepare_tdes_xform;
+			if (info.interim_info.tdes_data.test_type == TDES_MCT)
+				test_ops.test = fips_mct_tdes_test;
+			else
+				test_ops.test = fips_generic_test;
+			break;
+		}
 		return -1;
 	}
 
-- 
2.23.0

[dpdk-dev] [PATCH v3 2/3] examples/fips_validation: add AES ECB support

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_aes.c     |  1 +
 examples/fips_validation/main.c               | 96 +++++++++++++++++--
 2 files changed, 91 insertions(+), 6 deletions(-)

diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c
index 8cbc158eb..010a82627 100644
--- a/examples/fips_validation/fips_validation_aes.c
+++ b/examples/fips_validation/fips_validation_aes.c
@@ -44,6 +44,7 @@ struct aes_test_algo {
 	enum rte_crypto_cipher_algorithm algo;
 } const algo_con[] = {
 		{"CBC", RTE_CRYPTO_CIPHER_AES_CBC},
+		{"ECB", RTE_CRYPTO_CIPHER_AES_ECB},
 };
 
 static int
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 7a379bc99..c83763b13 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -649,16 +649,24 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform)
 
 	xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
-	cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC)
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+	else
+		cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB;
+
 	cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
 			RTE_CRYPTO_CIPHER_OP_ENCRYPT :
 			RTE_CRYPTO_CIPHER_OP_DECRYPT;
 	cipher_xform->key.data = vec.cipher_auth.key.val;
 	cipher_xform->key.length = vec.cipher_auth.key.len;
-	cipher_xform->iv.length = vec.iv.len;
-	cipher_xform->iv.offset = IV_OFF;
-
-	cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC;
+	if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) {
+		cipher_xform->iv.length = vec.iv.len;
+		cipher_xform->iv.offset = IV_OFF;
+	} else {
+		cipher_xform->iv.length = 0;
+		cipher_xform->iv.offset = 0;
+	}
+	cap_idx.algo.cipher = cipher_xform->algo;
 	cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 
 	cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
@@ -1059,7 +1067,6 @@ fips_mct_tdes_test(void)
 					fprintf(info.fp_wr, "Bypass\n");
 					return 0;
 				}
-
 				return ret;
 			}
 
@@ -1160,6 +1167,80 @@ fips_mct_tdes_test(void)
 	return 0;
 }
 
+static int
+fips_mct_aes_ecb_test(void)
+{
+#define AES_BLOCK_SIZE	16
+#define AES_EXTERN_ITER	100
+#define AES_INTERN_ITER	1000
+	struct fips_val val, val_key;
+	uint8_t prev_out[AES_BLOCK_SIZE] = {0};
+	uint32_t i, j, k;
+	int ret;
+
+	for (i = 0; i < AES_EXTERN_ITER; i++) {
+		if (i != 0)
+			update_info_vec(i);
+
+		fips_test_write_one_case();
+
+		for (j = 0; j < AES_INTERN_ITER; j++) {
+			ret = fips_run_test();
+			if (ret < 0) {
+				if (ret == -EPERM) {
+					fprintf(info.fp_wr, "Bypass\n");
+					return 0;
+				}
+
+				return ret;
+			}
+
+			get_writeback_data(&val);
+
+			if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+				memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE);
+			else
+				memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE);
+
+			if (j == AES_INTERN_ITER - 1)
+				continue;
+
+			memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+		}
+
+		info.parse_writeback(&val);
+		fprintf(info.fp_wr, "\n");
+
+		if (i == AES_EXTERN_ITER - 1)
+			continue;
+
+		/** update key */
+		memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key));
+		for (k = 0; k < vec.cipher_auth.key.len; k++) {
+			switch (vec.cipher_auth.key.len) {
+			case 16:
+				val_key.val[k] ^= val.val[k];
+				break;
+			case 24:
+				if (k < 8)
+					val_key.val[k] ^= prev_out[k + 8];
+				else
+					val_key.val[k] ^= val.val[k - 8];
+				break;
+			case 32:
+				if (k < 16)
+					val_key.val[k] ^= prev_out[k];
+				else
+					val_key.val[k] ^= val.val[k - 16];
+				break;
+			default:
+				return -1;
+			}
+		}
+	}
+
+	return 0;
+}
 static int
 fips_mct_aes_test(void)
 {
@@ -1172,6 +1253,9 @@ fips_mct_aes_test(void)
 	uint32_t i, j, k;
 	int ret;
 
+	if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB)
+		return fips_mct_aes_ecb_test();
+
 	for (i = 0; i < AES_EXTERN_ITER; i++) {
 		if (i != 0)
 			update_info_vec(i);
-- 
2.23.0

[dpdk-dev] [PATCH v3 3/3] examples/fips_validation: separate ECB and CBC

[michaelsh]

From: Michael Shamis <michaelsh@marvell.com>

Separate initialization of IV, PT and CT according to TDES
ECB and CBC crypto modes

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 66 +++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 16 deletions(-)

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index c83763b13..f8694ef96 100644
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -1053,6 +1053,7 @@ fips_mct_tdes_test(void)
 	uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
 	uint32_t i, j, k;
 	int ret;
+	int test_mode = info.interim_info.tdes_data.test_mode;
 
 	for (i = 0; i < TDES_EXTERN_ITER; i++) {
 		if (i != 0)
@@ -1079,25 +1080,50 @@ fips_mct_tdes_test(void)
 				memcpy(prev_out, val.val, TDES_BLOCK_SIZE);
 
 				if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-					memcpy(vec.pt.val, vec.iv.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.iv.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.pt.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.pt.val, vec.iv.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.iv.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
+
 				} else {
-					memcpy(vec.iv.val, vec.ct.val,
-							TDES_BLOCK_SIZE);
-					memcpy(vec.ct.val, val.val,
-							TDES_BLOCK_SIZE);
+					if (test_mode == TDES_MODE_ECB) {
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					} else {
+						memcpy(vec.iv.val, vec.ct.val,
+							   TDES_BLOCK_SIZE);
+						memcpy(vec.ct.val, val.val,
+							   TDES_BLOCK_SIZE);
+					}
 				}
 				continue;
 			}
 
 			if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.pt.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, val.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.pt.val, prev_out,
+						   TDES_BLOCK_SIZE);
+				}
 			} else {
-				memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE);
-				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+				if (test_mode == TDES_MODE_ECB) {
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				} else {
+					memcpy(vec.iv.val, vec.ct.val,
+						   TDES_BLOCK_SIZE);
+					memcpy(vec.ct.val, val.val,
+						   TDES_BLOCK_SIZE);
+				}
 			}
 
 			if (j == TDES_INTERN_ITER - 1)
@@ -1156,11 +1182,19 @@ fips_mct_tdes_test(void)
 					val_key.val[k] : (val_key.val[k] ^ 0x1);
 
 		if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
-			memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
-			memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE);
+				memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE);
+			}
 		} else {
-			memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
-			memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			if (test_mode == TDES_MODE_ECB) {
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			} else {
+				memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE);
+				memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE);
+			}
 		}
 	}
 
-- 
2.23.0

Re: [dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[Akhil Goyal]

Hi Marko,

Could you please review this series.

Regards,
Akhil

> -----Original Message-----
> From: michaelsh@marvell.com <michaelsh@marvell.com>
> Sent: Tuesday, October 1, 2019 4:53 PM
> To: Akhil Goyal <akhil.goyal@nxp.com>
> Cc: dev@dpdk.org; marko.kovacevic@intel.com; lironh@marvell.com;
> michaelsh@marvell.com
> Subject: [PATCH v3 0/3] support ECB for AES and TDES
> 
> From: Michael Shamis <michaelsh@marvell.com>
> 
> v3:
> Changed patch names to comply DPDK contributing
> requirements
> v2:
> fips_validation-separation-between-HMAC-SHA.patch
> has been moved to fix patch
> 
> Michael Shamis (3):
>   examples/fips_validation: add TDES ECB support
>   examples/fips_validation: add AES ECB support
>   examples/fips_validation: separate ECB and CBC
> 
>  examples/fips_validation/fips_validation.c    |   1 +
>  examples/fips_validation/fips_validation.h    |   7 +
>  .../fips_validation/fips_validation_aes.c     |   1 +
>  .../fips_validation/fips_validation_tdes.c    |   7 +
>  examples/fips_validation/main.c               | 189 +++++++++++++++---
>  5 files changed, 179 insertions(+), 26 deletions(-)
> 
> --
> 2.23.0

Re: [dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[Akhil Goyal]

Hi Marko,

A kind reminder.
We are approaching RC1 date. Could you please review this series?

Regards,
Akhil
> -----Original Message-----
> From: Akhil Goyal
> Sent: Friday, October 4, 2019 4:04 PM
> To: marko.kovacevic@intel.com
> Cc: dev@dpdk.org; lironh@marvell.com; michaelsh@marvell.com
> Subject: RE: [PATCH v3 0/3] support ECB for AES and TDES
> 
> Hi Marko,
> 
> Could you please review this series.
> 
> Regards,
> Akhil
> 
> > -----Original Message-----
> > From: michaelsh@marvell.com <michaelsh@marvell.com>
> > Sent: Tuesday, October 1, 2019 4:53 PM
> > To: Akhil Goyal <akhil.goyal@nxp.com>
> > Cc: dev@dpdk.org; marko.kovacevic@intel.com; lironh@marvell.com;
> > michaelsh@marvell.com
> > Subject: [PATCH v3 0/3] support ECB for AES and TDES
> >
> > From: Michael Shamis <michaelsh@marvell.com>
> >
> > v3:
> > Changed patch names to comply DPDK contributing
> > requirements
> > v2:
> > fips_validation-separation-between-HMAC-SHA.patch
> > has been moved to fix patch
> >
> > Michael Shamis (3):
> >   examples/fips_validation: add TDES ECB support
> >   examples/fips_validation: add AES ECB support
> >   examples/fips_validation: separate ECB and CBC
> >
> >  examples/fips_validation/fips_validation.c    |   1 +
> >  examples/fips_validation/fips_validation.h    |   7 +
> >  .../fips_validation/fips_validation_aes.c     |   1 +
> >  .../fips_validation/fips_validation_tdes.c    |   7 +
> >  examples/fips_validation/main.c               | 189 +++++++++++++++---
> >  5 files changed, 179 insertions(+), 26 deletions(-)
> >
> > --
> > 2.23.0

Re: [dpdk-dev] [PATCH v3 1/3] examples/fips_validation: add TDES ECB support

[Kovacevic, Marko]

Subject: [PATCH v3 1/3] examples/fips_validation: add TDES ECB support

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/fips_validation.c    |  1 +
 examples/fips_validation/fips_validation.h    |  7 +++++
 .../fips_validation/fips_validation_tdes.c    |  7 +++++
 examples/fips_validation/main.c               | 27 ++++++++++++++++---
 4 files changed, 38 insertions(+), 4 deletions(-)

Reviewed-by: Marko Kovacevic <marko.kovacevic@intel.com>

Re: [dpdk-dev] [PATCH v3 2/3] examples/fips_validation: add AES ECB support

[Kovacevic, Marko]

Subject: [PATCH v3 2/3] examples/fips_validation: add AES ECB support

From: Michael Shamis <michaelsh@marvell.com>

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 .../fips_validation/fips_validation_aes.c     |  1 +
 examples/fips_validation/main.c               | 96 +++++++++++++++++--
 2 files changed, 91 insertions(+), 6 deletions(-)

Reviewed-by: Marko Kovacevic <marko.kovacevic@intel.com>

Re: [dpdk-dev] [PATCH v3 3/3] examples/fips_validation: separate ECB and CBC

[Kovacevic, Marko]

Subject: [PATCH v3 3/3] examples/fips_validation: separate ECB and CBC

From: Michael Shamis <michaelsh@marvell.com>

Separate initialization of IV, PT and CT according to TDES ECB and CBC crypto modes

Signed-off-by: Michael Shamis <michaelsh@marvell.com>
---
 examples/fips_validation/main.c | 66 +++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 16 deletions(-)

Reviewed-by: Marko Kovacevic <marko.kovacevic@intel.com>

Re: [dpdk-dev] [PATCH v3 0/3] support ECB for AES and TDES

[Akhil Goyal]

> > > -----Original Message-----
> > > From: michaelsh@marvell.com <michaelsh@marvell.com>
> > > Sent: Tuesday, October 1, 2019 4:53 PM
> > > To: Akhil Goyal <akhil.goyal@nxp.com>
> > > Cc: dev@dpdk.org; marko.kovacevic@intel.com; lironh@marvell.com;
> > > michaelsh@marvell.com
> > > Subject: [PATCH v3 0/3] support ECB for AES and TDES
> > >
> > > From: Michael Shamis <michaelsh@marvell.com>
> > >
> > > v3:
> > > Changed patch names to comply DPDK contributing
> > > requirements
> > > v2:
> > > fips_validation-separation-between-HMAC-SHA.patch
> > > has been moved to fix patch
> > >
> > > Michael Shamis (3):
> > >   examples/fips_validation: add TDES ECB support
> > >   examples/fips_validation: add AES ECB support
> > >   examples/fips_validation: separate ECB and CBC
> > >
> > >  examples/fips_validation/fips_validation.c    |   1 +
> > >  examples/fips_validation/fips_validation.h    |   7 +
> > >  .../fips_validation/fips_validation_aes.c     |   1 +
> > >  .../fips_validation/fips_validation_tdes.c    |   7 +
> > >  examples/fips_validation/main.c               | 189 +++++++++++++++---
> > >  5 files changed, 179 insertions(+), 26 deletions(-)
> > >
> > > --
> > > 2.23.0
Applied to dpdk-next-crypto

Thanks.