From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BBE65A0C56; Wed, 8 Sep 2021 09:28:13 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 7F3BC41130; Wed, 8 Sep 2021 09:28:08 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 0DC9141123 for ; Wed, 8 Sep 2021 09:28:06 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 1883l5t8016067; Wed, 8 Sep 2021 00:28:06 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=qVkos/jkefJ2dhEH4hxuFABGUe7oDmW1avqCZNW+5vg=; b=XoWAXaJ30fpwFfiv5nIOVTLGY2WrPZqfOXpBkgfdYR8uAjxRTBN14NTCBbxPik+2EQwW 2qrdfCw8v1L3t/2801g/r2ocvwr9SfVToXcFvk7mDVVgGySl7vWclnZTgkVvg4GLs4wu e64HJ9tivdt/3A0JbKvn+tPV4NHGE0ChDbw1OmTwc61jveV9rD6FCW2zBx8GSEVgfKzJ ypG5zXoqM1fl+l9BBCdAUk9zchySxN5kZeA7q/e+XNcI1pr7LqZWoDvUGMeNvRdJ1CO9 FT78a/3MjxdK857TaMLCYol6MwwzTXc+i1G4sD+8ZpM00vbDXWNt7M22Pab/6+7P2QPR kg== Received: from dc5-exch02.marvell.com ([199.233.59.182]) by mx0a-0016f401.pphosted.com with ESMTP id 3axcm7tffy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 08 Sep 2021 00:28:06 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 8 Sep 2021 00:28:04 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Wed, 8 Sep 2021 00:28:04 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 68AAD3F7095; Wed, 8 Sep 2021 00:28:00 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Wed, 8 Sep 2021 13:51:11 +0530 Message-ID: <20210908082111.27396-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908082111.27396-1-ktejasree@marvell.com> References: <20210908082111.27396-1-ktejasree@marvell.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Proofpoint-GUID: 8Hb4h7-8gg0iNI6UVa0bzRWZDTFEUYn2 X-Proofpoint-ORIG-GUID: 8Hb4h7-8gg0iNI6UVa0bzRWZDTFEUYn2 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-08_02,2021-09-07_02,2020-04-07_01 Subject: [dpdk-dev] [PATCH 3/3] test/crypto: add tunnel header verification tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add test cases to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 45 ++++++++++++++++++- app/test/test_cryptodev_security_ipsec.c | 25 ++++++++++- app/test/test_cryptodev_security_ipsec.h | 1 + ...st_cryptodev_security_ipsec_test_vectors.h | 3 ++ 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index e513f38765..ab7b63f37f 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8876,6 +8876,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; + uint32_t verify; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; @@ -8885,11 +8886,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + dir = ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst += 1; + } + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - dir = ipsec_xform.direction; - ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; @@ -9181,6 +9190,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14124,6 +14157,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_src_dst_addr_verify), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 046536cc9c..f040630655 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = + flags->tunnel_hdr_verify; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || - flags->sa_expiry_pkts_hard)) + flags->sa_expiry_pkts_hard || + flags->tunnel_hdr_verify)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op, } } + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->tunnel_hdr_verify) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("Tunnel header verify test case failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 18f3c64bb7..a65cb54eae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -53,6 +53,7 @@ struct ipsec_test_flags { bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; + uint32_t tunnel_hdr_verify; bool udp_encap; }; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 38ea43d157..4e147ec19c 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, -- 2.27.0