From: Tejasree Kondoj <ktejasree@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>,
Declan Doherty <declan.doherty@intel.com>,
Fan Zhang <roy.fan.zhang@intel.com>,
"Pablo de Lara" <pablo.de.lara.guarch@intel.com>
Cc: Tejasree Kondoj <ktejasree@marvell.com>,
Anoob Joseph <anoobj@marvell.com>,
Ankur Dwivedi <adwivedi@marvell.com>,
Archana Muniganti <marchana@marvell.com>,
Hemant Agrawal <hemant.agrawal@nxp.com>,
Radu Nicolau <radu.nicolau@intel.com>,
Ciara Power <ciara.power@intel.com>,
"Gagandeep Singh" <g.singh@nxp.com>, <dev@dpdk.org>
Subject: [PATCH v2 2/2] test/cryptodev: add ESN and Antireplay tests
Date: Mon, 31 Jan 2022 22:13:57 +0530 [thread overview]
Message-ID: <20220131164357.19126-3-ktejasree@marvell.com> (raw)
In-Reply-To: <20220131164357.19126-1-ktejasree@marvell.com>
Adding test cases for IPsec ESN and Antireplay.
Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
app/test/test_cryptodev.c | 186 +++++++++++++++++-
app/test/test_cryptodev_security_ipsec.c | 23 ++-
app/test/test_cryptodev_security_ipsec.h | 6 +-
...st_cryptodev_security_ipsec_test_vectors.h | 1 +
doc/guides/rel_notes/release_22_03.rst | 5 +
5 files changed, 217 insertions(+), 4 deletions(-)
diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 47ad991c31..3536b65c52 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9292,6 +9292,18 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
return TEST_SKIPPED;
for (i = 0; i < nb_td; i++) {
+ if (flags->antireplay &&
+ (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) {
+ sess_conf.ipsec.esn.value = td[i].ipsec_xform.esn.value;
+ ret = rte_security_session_update(ctx,
+ ut_params->sec_session, &sess_conf);
+ if (ret) {
+ printf("Could not update sequence number in "
+ "session\n");
+ return TEST_SKIPPED;
+ }
+ }
+
/* Setup source mbuf payload */
ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
@@ -9344,7 +9356,8 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
/* Process crypto operation */
process_crypto_request(dev_id, ut_params->op);
- ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
+ ret = test_ipsec_status_check(&td[i], ut_params->op, flags, dir,
+ i + 1);
if (ret != TEST_SUCCESS)
goto crypto_op_free;
@@ -9895,6 +9908,150 @@ test_ipsec_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_pkt_replay(const void *test_data, const uint64_t esn[],
+ bool replayed_pkt[], uint32_t nb_pkts, bool esn_en,
+ uint64_t winsz)
+{
+ struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_flags flags;
+ uint32_t i = 0, ret = 0;
+
+ memset(&flags, 0, sizeof(flags));
+ flags.antireplay = true;
+
+ for (i = 0; i < nb_pkts; i++) {
+ memcpy(&td_outb[i], test_data, sizeof(td_outb[i]));
+ td_outb[i].ipsec_xform.options.iv_gen_disable = 1;
+ td_outb[i].ipsec_xform.replay_win_sz = winsz;
+ td_outb[i].ipsec_xform.options.esn = esn_en;
+ }
+
+ for (i = 0; i < nb_pkts; i++)
+ td_outb[i].ipsec_xform.esn.value = esn[i];
+
+ ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+ &flags);
+ if (ret != TEST_SUCCESS)
+ return ret;
+
+ test_ipsec_td_update(td_inb, td_outb, nb_pkts, &flags);
+
+ for (i = 0; i < nb_pkts; i++) {
+ td_inb[i].ipsec_xform.options.esn = esn_en;
+ /* Set antireplay flag for packets to be dropped */
+ td_inb[i].ar_packet = replayed_pkt[i];
+ }
+
+ ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+ &flags);
+
+ return ret;
+}
+
+static int
+test_ipsec_proto_pkt_antireplay(const void *test_data, uint64_t winsz)
+{
+
+ uint32_t nb_pkts = 5;
+ bool replayed_pkt[5];
+ uint64_t esn[5];
+
+ /* 1. Advance the TOP of the window to WS * 2 */
+ esn[0] = winsz * 2;
+ /* 2. Test sequence number within the new window(WS + 1) */
+ esn[1] = winsz + 1;
+ /* 3. Test sequence number less than the window BOTTOM */
+ esn[2] = winsz;
+ /* 4. Test sequence number in the middle of the window */
+ esn[3] = winsz + (winsz / 2);
+ /* 5. Test replay of the packet in the middle of the window */
+ esn[4] = winsz + (winsz / 2);
+
+ replayed_pkt[0] = false;
+ replayed_pkt[1] = false;
+ replayed_pkt[2] = true;
+ replayed_pkt[3] = false;
+ replayed_pkt[4] = true;
+
+ return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts,
+ false, winsz);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay1024(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 1024);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay2048(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 2048);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay4096(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 4096);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay(const void *test_data, uint64_t winsz)
+{
+
+ uint32_t nb_pkts = 7;
+ bool replayed_pkt[7];
+ uint64_t esn[7];
+
+ /* Set the initial sequence number */
+ esn[0] = (uint64_t)(0xFFFFFFFF - winsz);
+ /* 1. Advance the TOP of the window to (1<<32 + WS/2) */
+ esn[1] = (uint64_t)((1ULL << 32) + (winsz / 2));
+ /* 2. Test sequence number within new window (1<<32 + WS/2 + 1) */
+ esn[2] = (uint64_t)((1ULL << 32) - (winsz / 2) + 1);
+ /* 3. Test with sequence number within window (1<<32 - 1) */
+ esn[3] = (uint64_t)((1ULL << 32) - 1);
+ /* 4. Test with sequence number within window (1<<32 - 1) */
+ esn[4] = (uint64_t)(1ULL << 32);
+ /* 5. Test with duplicate sequence number within
+ * new window (1<<32 - 1)
+ */
+ esn[5] = (uint64_t)((1ULL << 32) - 1);
+ /* 6. Test with duplicate sequence number within new window (1<<32) */
+ esn[6] = (uint64_t)(1ULL << 32);
+
+ replayed_pkt[0] = false;
+ replayed_pkt[1] = false;
+ replayed_pkt[2] = false;
+ replayed_pkt[3] = false;
+ replayed_pkt[4] = false;
+ replayed_pkt[5] = true;
+ replayed_pkt[6] = true;
+
+ return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts,
+ true, winsz);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay1024(const void *test_data)
+{
+ return test_ipsec_proto_pkt_esn_antireplay(test_data, 1024);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay2048(const void *test_data)
+{
+ return test_ipsec_proto_pkt_esn_antireplay(test_data, 2048);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay4096(const void *test_data)
+{
+ return test_ipsec_proto_pkt_esn_antireplay(test_data, 4096);
+}
+
static int
test_PDCP_PROTO_all(void)
{
@@ -14965,6 +15122,33 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Tunnel header IPv6 set DSCP 1 (inner 0)",
ut_setup_security, ut_teardown,
test_ipsec_proto_ipv6_set_dscp_1_inner_0),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Antireplay with window size 1024",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_antireplay1024, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Antireplay with window size 2048",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_antireplay2048, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Antireplay with window size 4096",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_antireplay4096, &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "ESN and Antireplay with window size 1024",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_esn_antireplay1024,
+ &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "ESN and Antireplay with window size 2048",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_esn_antireplay2048,
+ &pkt_aes_128_gcm),
+ TEST_CASE_NAMED_WITH_DATA(
+ "ESN and Antireplay with window size 4096",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_pkt_esn_antireplay4096,
+ &pkt_aes_128_gcm),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 54f59c7f79..eb775eb08a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -176,6 +176,13 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Replay window size is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -654,7 +661,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
(flags->icv_corrupt ||
flags->sa_expiry_pkts_hard ||
- flags->tunnel_hdr_verify))
+ flags->tunnel_hdr_verify ||
+ td->ar_packet))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -921,13 +929,24 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
}
int
-test_ipsec_status_check(struct rte_crypto_op *op,
+test_ipsec_status_check(const struct ipsec_test_data *td,
+ struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir,
int pkt_num)
{
int ret = TEST_SUCCESS;
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ td->ar_packet) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("Anti replay test case failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
flags->sa_expiry_pkts_hard &&
pkt_num == IPSEC_TEST_PACKETS_MAX) {
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index c4ecfafca6..a15c1d3015 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -40,6 +40,8 @@ struct ipsec_test_data {
struct rte_security_ipsec_xform ipsec_xform;
bool aead;
+ /* Antireplay packet */
+ bool ar_packet;
union {
struct {
@@ -82,6 +84,7 @@ struct ipsec_test_flags {
bool transport;
bool fragment;
bool stats_success;
+ bool antireplay;
enum df_flags df;
enum dscp_flags dscp;
};
@@ -234,7 +237,8 @@ int test_ipsec_post_process(struct rte_mbuf *m,
struct ipsec_test_data *res_d, bool silent,
const struct ipsec_test_flags *flags);
-int test_ipsec_status_check(struct rte_crypto_op *op,
+int test_ipsec_status_check(const struct ipsec_test_data *td,
+ struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir,
int pkt_num);
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 85cd6c51a8..fe2fd855df 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -102,6 +102,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
.replay_win_sz = 0,
+ .esn.low = 1,
},
.aead = true,
diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst
index 3bc0630c7c..60598432c3 100644
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@@ -69,6 +69,11 @@ New Features
The new API ``rte_event_eth_rx_adapter_event_port_get()`` was added.
+* **Updated lookaside protocol (IPsec) tests in dpdk-test.**
+
+ * Added test cases to verify copy and set DSCP with IPv4 and IPv6 tunnels.
+ * Added ESN and anti-replay support.
+
Removed Items
-------------
--
2.27.0
next prev parent reply other threads:[~2022-01-31 15:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 16:43 [PATCH v2 0/2] Adding new cases to lookaside IPsec tests Tejasree Kondoj
2022-01-31 16:43 ` [PATCH v2 1/2] test/crypto: add copy and set DSCP cases Tejasree Kondoj
2022-02-17 18:07 ` Akhil Goyal
2022-01-31 16:43 ` Tejasree Kondoj [this message]
2022-02-17 18:07 ` [PATCH v2 2/2] test/cryptodev: add ESN and Antireplay tests Akhil Goyal
2022-02-17 18:17 ` [PATCH v2 0/2] Adding new cases to lookaside IPsec tests Akhil Goyal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220131164357.19126-3-ktejasree@marvell.com \
--to=ktejasree@marvell.com \
--cc=adwivedi@marvell.com \
--cc=anoobj@marvell.com \
--cc=ciara.power@intel.com \
--cc=declan.doherty@intel.com \
--cc=dev@dpdk.org \
--cc=g.singh@nxp.com \
--cc=gakhil@marvell.com \
--cc=hemant.agrawal@nxp.com \
--cc=marchana@marvell.com \
--cc=pablo.de.lara.guarch@intel.com \
--cc=radu.nicolau@intel.com \
--cc=roy.fan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).