DPDK patches and discussions
* [PATCH 00/21] Improvements and new test cases
@ 2024-03-05  7:21 Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
                   ` (22 more replies)
  0 siblings, 23 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  Cc: gakhil, jerinj, anoobj, vvelumuri, asasidharan, dev

Adding new test cases and improvements to test application.

Aakash Sasidharan (7):
  test/security: enable AES-GCM in combined mode TLS
  test/security: add TLS 1.2 data walkthrough test
  test/security: add DTLS 1.2 data walkthrough test
  test/security: add TLS SG data walkthrough test
  test/security: add DTLS 1.2 anti-replay tests
  test/security: add more DTLS anti-replay window sz
  test/security: add out of place sgl test case for TLS 1.2

Akhil Goyal (2):
  test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  test/crypto: add TLS 1.3 vectors

Anoob Joseph (1):
  test/cryptodev: allow zero packet length buffers

Vidya Sagar Velumuri (11):
  test/security: unit test for TLS packet corruption
  test/security: unit test for custom content verification
  test/security: unit test to verify zero TLS records
  test/security: add unit tests for DTLS-1.2
  test/crypto: update verification of header
  test/crypto: update framework to verify tls-1.3
  test/crypto: test to verify hdr corruption in TLS
  test/crypto: test to verify custom content type in TLS
  test/crypto: test to verify zero len record in TLS
  test/crypto: unit tests to verify padding in TLS
  test/crypto: unit tests for padding in DTLS-1.2

 app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
 app/test/test_cryptodev.h                     |  32 +-
 app/test/test_cryptodev_security_tls_record.c | 203 ++--
 app/test/test_cryptodev_security_tls_record.h |  77 +-
 ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
 app/test/test_security_proto.c                |  17 +
 app/test/test_security_proto.h                |   9 +
 7 files changed, 1539 insertions(+), 179 deletions(-)

-- 
2.25.1



* [PATCH 01/21] test/security: enable AES-GCM in combined mode TLS
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
                   ` (21 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang, Anoob Joseph, Vidya Sagar Velumuri
  Cc: jerinj, asasidharan, dev

Enable AES-GCM AEAD tests in combined mode TLS test suite.

Coverity issue: 414888
Fixes: 9157ccb8f876 ("test/crypto: verify TLS headers")

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 10 ++++++++--
 app/test/test_security_proto.h                |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index bcb2eba4ff..14a7a2511e 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -116,6 +116,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	} else {
 		mac_len = td->xform.aead.aead.digest_length;
+		roundup_len = 0;
 		exp_nonce_len = 8;
 	}
 
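
Review bot: the added "roundup_len = 0;" in the AEAD branch looks redundant, since the declaration line of this function (visible as context in 02/21) already reads "roundup_len = 0". If the assignment is only there to make the AEAD case explicit for the static analyser, add a short comment saying so; otherwise drop it.
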
@@ -123,7 +124,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	case RTE_SECURITY_VERSION_TLS_1_2:
 	case RTE_SECURITY_VERSION_TLS_1_3:
 		hdr_len = sizeof(struct rte_tls_hdr);
-		min_padding = 1;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
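
Review bot: the four-line if/else on td->aead can be a single assignment, "min_padding = td->aead ? 0 : 1;", and it deserves a one-line comment on why AEAD records take no padding, because the previous unconditional "min_padding = 1" applied to the AEAD case as well.
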
@@ -139,7 +143,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 	/* Padding */
 	tls_pkt_size += min_padding;
-	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	if (roundup_len)
+		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
 	/* Explicit nonce */
 	tls_pkt_size += exp_nonce_len;
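
Review bot: the log cites Coverity issue 414888 and carries a Fixes tag, but its body only says the AES-GCM tests are enabled and never states what was wrong. The "if (roundup_len)" guard in this hunk reads like the actual fix (RTE_ALIGN_MUL_CEIL called with a multiple of zero on the AEAD path, presumably what the analyser flagged), so describe that in the commit message, or split the fix from the test enablement so the Fixes tag points at a minimal change.
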
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index efa023b99d..5b92daa810 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -27,16 +27,19 @@ static const struct crypto_param aead_list[] = {
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 16,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 24,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 32,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
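
Review bot: digest_length is added to the three AES-GCM entries only, while the next aead_list entry, which starts in the trailing context of this hunk and is also RTE_CRYPTO_SYM_XFORM_AEAD, is not touched. The AEAD path in test_tls_record_td_prepare() takes mac_len from digest_length, so an entry without it would be sized with a mac_len of 0; check that every remaining AEAD entry sets it.
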
-- 
2.25.1



* [PATCH 02/21] test/security: add TLS 1.2 data walkthrough test
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 03/21] test/security: add DTLS " Aakash Sasidharan
                   ` (20 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang, Anoob Joseph; +Cc: jerinj, vvelumuri, asasidharan, dev

Add data walkthrough test for TLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 90 +++++++++++++++++--
 app/test/test_cryptodev.h                     | 12 ++-
 app/test/test_cryptodev_security_tls_record.c | 25 ++++--
 app/test/test_cryptodev_security_tls_record.h | 41 ++++++++-
 app/test/test_security_proto.c                | 17 ++++
 app/test/test_security_proto.h                |  6 ++
 6 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c61ae9cfcc..7c6c7d572c 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -858,6 +858,8 @@ ipsec_proto_testsuite_setup(void)
 static int
 tls_record_proto_testsuite_setup(void)
 {
+	test_sec_proto_pattern_generate();
+
 	return sec_proto_testsuite_setup(RTE_SECURITY_PROTOCOL_TLS_RECORD);
 }
 
@@ -11958,14 +11960,30 @@ test_tls_record_proto_known_vec_read(const void *test_data)
 static int
 test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 {
+	unsigned int i, nb_pkts = 1, pass_cnt = 0, payload_len, max_payload_len;
 	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
 	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
-	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	switch (flags->tls_version) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+		max_payload_len = TLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		max_payload_len = TLS_1_3_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		max_payload_len = DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	default:
+		max_payload_len = 0;
+	}
+
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts);
+					   td_outb, nb_pkts, payload_len);
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
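
Review bot: the default case of the new switch sets max_payload_len = 0 and carries on. With data_walkthrough set and an unexpected tls_version, the "++payload_len <= max_payload_len" check added further down is false on the first pass, so the walkthrough silently covers a single length and still reports success. Return TEST_FAILED (or TEST_SKIPPED) from the default case rather than continuing with a zero limit.
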
@@ -11983,6 +12001,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_FAILED)
 			return TEST_FAILED;
 
+		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
+			goto again;
+
 		if (flags->display_alg)
 			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
 
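
Review bot: the walkthrough is driven by "goto again" with a pre-increment hidden inside the condition, which is a loop in disguise; an inner for loop over payload_len, or a do/while on the same condition, would read better and keep the TEST_SKIPPED "continue" obvious. Also consider the cost: for TLS 1.2 this is 17408 payload lengths per sec_alg_list entry, each with an outbound and an inbound pass, so a stride or a reduced set of lengths around block and segment boundaries may be needed if run time becomes a problem.
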
@@ -11996,22 +12017,69 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 }
 
 static int
-test_tls_record_proto_display_list(void)
+test_tls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_display_list(void)
 {
 	struct tls_record_test_flags flags;
 
 	memset(&flags, 0, sizeof(flags));
 
 	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
 
 	return test_tls_record_proto_all(&flags);
 }
 
 static int
-test_tls_record_proto_sgl(void)
+test_tls_1_2_record_proto_sgl(void)
 {
 	struct tls_record_test_flags flags = {
-		.nb_segs_in_mbuf = 5
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_display_list(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_sgl(void)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
 	};
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct rte_cryptodev_info dev_info;
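
Review bot: this hunk does more than the subject says. Besides the TLS 1.2 walkthrough it splits display_list and sgl into TLS and DTLS variants, and test_dtls_1_2_record_proto_sgl() repeats test_tls_1_2_record_proto_sgl() with only tls_version changed. A shared helper taking enum rte_security_tls_version would remove the duplicated RTE_CRYPTODEV_FF_IN_PLACE_SGL check, and the DTLS split would be easier to review as its own patch.
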
@@ -17081,11 +17149,15 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_tls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_tls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17182,11 +17254,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_dtls_1_2_record_proto_display_list),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_dtls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index f27d9697fd..e4e99d00c1 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -5,6 +5,9 @@
 #define TEST_CRYPTODEV_H_
 
 #include <rte_cryptodev.h>
+#ifdef RTE_LIB_SECURITY
+#include "test_security_proto.h"
+#endif
 
 #define HEX_DUMP 0
 
@@ -21,9 +24,16 @@
 #define DEFAULT_NUM_XFORMS              (2)
 #define NUM_MBUFS                       (8191)
 #define MBUF_CACHE_SIZE                 (256)
+
+#ifdef RTE_LIB_SECURITY
+#define MBUF_DATAPAYLOAD_SIZE		RTE_MAX((unsigned int)(4096 + DIGEST_BYTE_LENGTH_SHA512), \
+						TEST_SEC_CIPHERTEXT_MAX_LEN)
+#else
 #define MBUF_DATAPAYLOAD_SIZE		(4096 + DIGEST_BYTE_LENGTH_SHA512)
+#endif
+
 #define MBUF_SIZE			(sizeof(struct rte_mbuf) + \
-		RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
+					RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
 
 #define BYTE_LENGTH(x)				(x/8)
 /* HASH DIGEST LENGTHS */
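
Review bot: with RTE_LIB_SECURITY defined, MBUF_DATAPAYLOAD_SIZE becomes at least TEST_SEC_CIPHERTEXT_MAX_LEN (18437), up from 4096 + DIGEST_BYTE_LENGTH_SHA512, and the macro lives in the common test_cryptodev.h rather than in the TLS record tests. With NUM_MBUFS at 8191 that is a large increase in pool memory for whatever uses this size; consider a dedicated pool for the large-record tests, or state the new memory requirement in the log. The re-indentation of the MBUF_SIZE continuation line is an unrelated whitespace change.
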
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 14a7a2511e..3745c6a0d1 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -62,7 +62,8 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 void
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
-			   struct tls_record_test_data *td_array, int nb_td)
+			   struct tls_record_test_data *td_array,
+			   int nb_td, unsigned int data_len)
 {
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
@@ -76,7 +77,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
@@ -84,7 +88,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.aead.aead.digest_length = param1->digest_length;
 		} else {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
 
 			td->aead = false;
 			td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -96,6 +103,11 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	if (flags->data_walkthrough) {
+		test_sec_proto_pattern_set(td->input_text.data, data_len);
+		td->input_text.len = data_len;
+	}
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
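
Review bot: the data_walkthrough block sits after the closing brace of the per-entry loop, so test_sec_proto_pattern_set() and the input_text.len update are applied only to whatever td points at when the loop ends, that is, the last of the nb_td entries. That works while the caller passes nb_pkts = 1, but the function takes an array; move the block inside the loop. data_len should also be checked against sizeof(td->input_text.data) before the copy.
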
@@ -221,6 +233,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+
 static int
 tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
 {
@@ -280,13 +293,13 @@ int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 			     struct tls_record_test_data *res_d, bool silent)
 {
+	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
-	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
 	int ret;
 
-	memset(output_text, 0, TLS_RECORD_MAX_LEN);
+	memset(output_text, 0, TEST_SEC_CIPHERTEXT_MAX_LEN);
 
 	/*
 	 * Actual data in packet might be less in error cases, hence take minimum of pkt_len and sum
@@ -300,7 +313,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	len = RTE_MIN(len, data_len);
-	TEST_ASSERT(len <= TLS_RECORD_MAX_LEN, "Invalid packet length: %u", len);
+	TEST_ASSERT(len <= TEST_SEC_CIPHERTEXT_MAX_LEN, "Invalid packet length: %u", len);
 
 	/* Copy mbuf payload to continuous buffer */
 	output = rte_pktmbuf_read(m, 0, len, output_text);
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0bd83f88f0..14f73a5073 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -10,7 +10,37 @@
 
 #include "test_security_proto.h"
 
-#define TLS_RECORD_MAX_LEN 16384u
+/* TLS 1.2 Ciphertext length can be up to (2^14 + 2048 + 5 (TLS Header)) Bytes */
+#define TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN  (18437u)
+static_assert(TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.2 Plaintext length can be up to (2^14 + 1024) Bytes */
+#define TLS_1_2_RECORD_PLAINTEXT_MAX_LEN   (17408u)
+static_assert(TLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Ciphertext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN (18437u)
+static_assert(DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Plaintext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN  (17408u)
+static_assert(DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Ciphertext length can be up to (2^14 + 256 + 5 (TLS Header)) Bytes */
+#define TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN  (16645u)
+static_assert(TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Plaintext length can be up to 2^14 Bytes */
+#define TLS_1_3_RECORD_PLAINTEXT_MAX_LEN   (16384u)
+static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+#define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
 struct tls_record_test_data {
 	struct {
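
Review bot: the comments call 2^14 + 1024 the TLS 1.2 plaintext limit while the TLS 1.3 comment gives 2^14; say where the extra 1024 bytes come from (it matches the compressed-record allowance rather than the plaintext one) so the macro name and value are not misread. The DTLS macros repeat the TLS 1.2 literals and could be defined in terms of them, and the same two numbers are hard-coded again as TEST_SEC_CLEARTEXT_MAX_LEN and TEST_SEC_CIPHERTEXT_MAX_LEN in test_security_proto.h, which the static_asserts then compare against; deriving one set from the other keeps them in step.
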
@@ -22,12 +52,12 @@ struct tls_record_test_data {
 	} auth_key;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} input_text;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} output_text;
 
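
Review bot: growing both data arrays to TEST_SEC_CIPHERTEXT_MAX_LEN makes each struct tls_record_test_data about 36 KB, and test_tls_record_proto_all() keeps td_outb[TEST_SEC_PKTS_MAX] and td_inb[TEST_SEC_PKTS_MAX] on the stack, which with TEST_SEC_PKTS_MAX at 32 is over 2 MB of stack; test_tls_record_post_process() adds another 18437-byte local buffer. Allocate these from the heap, or size the arrays by the number of packets actually used.
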
@@ -56,6 +86,8 @@ struct tls_record_test_data {
 struct tls_record_test_flags {
 	bool display_alg;
 	int nb_segs_in_mbuf;
+	bool data_walkthrough;
+	enum rte_security_tls_version tls_version;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -89,7 +121,8 @@ void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_ou
 void test_tls_record_td_prepare(const struct crypto_param *param1,
 				const struct crypto_param *param2,
 				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td);
+				struct tls_record_test_data *td_array, int nb_td,
+				unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
diff --git a/app/test/test_security_proto.c b/app/test/test_security_proto.c
index d242c852af..cf40d5fc9a 100644
--- a/app/test/test_security_proto.c
+++ b/app/test/test_security_proto.c
@@ -13,6 +13,8 @@ struct crypto_param_comb sec_alg_list[RTE_DIM(aead_list) +
 
 struct crypto_param_comb sec_auth_only_alg_list[2 * (RTE_DIM(auth_list) - 1)];
 
+static uint8_t cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN];
+
 void
 test_sec_alg_list_populate(void)
 {
@@ -152,3 +154,18 @@ test_sec_alg_display(const struct crypto_param *param1, const struct crypto_para
 	}
 	printf("\n");
 }
+
+void
+test_sec_proto_pattern_generate(void)
+{
+	unsigned int i;
+
+	for (i = 0; i < TEST_SEC_CLEARTEXT_MAX_LEN; i++)
+		cleartext_pattern[i] = (i + 1) & 0xff;
+}
+
+void
+test_sec_proto_pattern_set(uint8_t *buf, int len)
+{
+	rte_memcpy(buf, cleartext_pattern, len);
+}
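
Review bot: test_sec_proto_pattern_set() copies len bytes out of cleartext_pattern with no check that len is within TEST_SEC_CLEARTEXT_MAX_LEN, and len is a signed int while the caller passes an unsigned int data_len. Make the parameter unsigned and reject or clamp lengths above the pattern size, so a wrong max_payload_len cannot read past the static buffer.
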
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index 5b92daa810..c737443081 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define TEST_SEC_CLEARTEXT_MAX_LEN  (17408u)
+#define TEST_SEC_CIPHERTEXT_MAX_LEN (18437u)
 #define TEST_SEC_PKTS_MAX 32
 
 struct crypto_param {
@@ -186,4 +188,8 @@ int test_sec_crypto_caps_auth_verify(const struct rte_security_capability *sec_c
 
 void test_sec_alg_display(const struct crypto_param *param1, const struct crypto_param *param2);
 
+void test_sec_proto_pattern_generate(void);
+
+void test_sec_proto_pattern_set(uint8_t *buf, int len);
+
 #endif
-- 
2.25.1



* [PATCH 03/21] test/security: add DTLS 1.2 data walkthrough test
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 04/21] test/security: add TLS SG " Aakash Sasidharan
                   ` (19 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add data walkthrough test for DTLS 1.2

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 7c6c7d572c..20653beb03 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12061,6 +12061,19 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_display_list(void)
 {
@@ -17255,6 +17268,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 3745c6a0d1..92bcbff842 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -143,7 +143,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
-		min_padding = 0;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	default:
 		hdr_len = 0;
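
Review bot: the DTLS 1.2 case now carries the same td->aead if/else as the TLS cases above it, so for the supported versions min_padding no longer depends on the version; set it once outside the switch ("min_padding = td->aead ? 0 : 1;") and leave only hdr_len in the cases. The change of non-AEAD DTLS padding from 0 to 1 is a behaviour change, and the log, which only mentions adding a walkthrough test, should call it out.
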
-- 
2.25.1



* [PATCH 04/21] test/security: add TLS SG data walkthrough test
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (2 preceding siblings ...)
  2024-03-05  7:21 ` [PATCH 03/21] test/security: add DTLS " Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
                   ` (18 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add multi segment packet data walkthrough test for TLS 1.2
and DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 42 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 20653beb03..5922c2162a 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11981,6 +11981,8 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+		if (flags->nb_segs_in_mbuf)
+			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
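
Review bot: starting payload_len at nb_segs_in_mbuf means the multi-segment walkthrough never exercises records shorter than the segment count (1 to 4 bytes with the 5 segments the callers use). If that is because every segment needs at least one byte, add a comment saying so. The "if (flags->nb_segs_in_mbuf)" guard is not needed, since RTE_MAX against 0 leaves payload_len unchanged.
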
@@ -12061,6 +12063,32 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = tls_version,
+		.data_walkthrough = true
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
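
Review bot: test_tls_record_proto_sgl_data_walkthrough() repeats the RTE_CRYPTODEV_FF_IN_PLACE_SGL check already present in test_tls_1_2_record_proto_sgl() and test_dtls_1_2_record_proto_sgl(). Give the helper a data_walkthrough argument and have the existing sgl tests call it too, so the skip condition lives in one place.
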
@@ -12106,6 +12134,12 @@ test_dtls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 #endif
 
 static int
@@ -17171,6 +17205,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17276,6 +17314,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 14f73a5073..34758fb0e1 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -85,7 +85,7 @@ struct tls_record_test_data {
 
 struct tls_record_test_flags {
 	bool display_alg;
-	int nb_segs_in_mbuf;
+	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 };
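
Review bot: the log does not mention narrowing nb_segs_in_mbuf from int to uint8_t. If the purpose is to avoid a signed/unsigned comparison in "RTE_MAX(payload_len, flags->nb_segs_in_mbuf)", say so in the commit message, and check the other users of the field for assumptions about a signed value.
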
-- 
2.25.1



* [PATCH 05/21] test/security: unit test for TLS packet corruption
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (3 preceding siblings ...)
  2024-03-05  7:21 ` [PATCH 04/21] test/security: add TLS SG " Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 06/21] test/security: unit test for custom content verification Aakash Sasidharan
                   ` (17 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add test to verify the corrupted TLS packet header

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 27 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c |  4 +++
 app/test/test_cryptodev_security_tls_record.h |  1 +
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5922c2162a..04737147e1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12000,8 +12000,13 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
-			return TEST_FAILED;
+		if (flags->pkt_corruption) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+		} else {
+			if (ret == TEST_FAILED)
+				return TEST_FAILED;
+		}
 
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
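
Review bot: with pkt_corruption set, any result other than TEST_SUCCESS is accepted here, so a failure that has nothing to do with the corrupted header is counted as a pass. Check for the specific failure expected from the inbound path and keep returning TEST_FAILED for anything else, otherwise the negative test can mask a regression.
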
@@ -12089,6 +12094,20 @@ test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
 }
 
+static int
+test_tls_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
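
Review bot: in test_tls_record_proto_corrupt_pkt(), ts_params and dev_info are filled by rte_cryptodev_info_get() but never used; drop them or add the capability check they were meant for. tls_version is also left to zero-initialisation while the other tests in this suite set RTE_SECURITY_VERSION_TLS_1_2 explicitly, and ".pkt_corruption = 1" should be "true" to match the bool field.
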
@@ -17209,6 +17228,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"TLS packet header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 92bcbff842..93ff7f36fa 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -185,6 +185,10 @@ test_tls_record_td_update(struct tls_record_test_data td_inb[],
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
 
+		/* Corrupt the content type in the TLS header of encrypted packet */
+		if (flags->pkt_corruption)
+			td_inb[i].input_text.data[0] = ~td_inb[i].input_text.data[0];
+
 		/* Clear outbound specific flags */
 		td_inb[i].tls_record_xform.options.iv_gen_disable = 0;
 	}
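
Review bot: only byte 0 (the content type) is inverted, while the case is registered as "TLS packet header corruption"; either name it after the content type or extend it to the version and length fields too. The context line just above also uses "td_outb->input_text.len" rather than "td_outb[i].input_text.len", which is only right for index 0 and is worth fixing while this function is being touched.
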
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 34758fb0e1..5faa277740 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -88,6 +88,7 @@ struct tls_record_test_flags {
 	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
+	bool pkt_corruption;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH 06/21] test/security: unit test for custom content verification
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (4 preceding siblings ...)
  2024-03-05  7:21 ` [PATCH 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:21 ` [PATCH 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
                   ` (16 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit test to verify the TLS header creation with
custom content type

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  3 +++
 app/test/test_cryptodev_security_tls_record.h |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 04737147e1..bee40cd927 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -21,6 +21,7 @@
 #include <rte_ip.h>
 #include <rte_string_fns.h>
 #include <rte_tcp.h>
+#include <rte_tls.h>
 #include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
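
Review bot: nothing this patch adds to test_cryptodev.c references a symbol from rte_tls.h. The new test function uses only TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM from the test header, and the RTE_TLS_TYPE_MAX use is in test_cryptodev_security_tls_record.c. Move the include to the file that needs it, or drop it here if that file already pulls it in.
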
@@ -12108,6 +12109,20 @@ test_tls_record_proto_corrupt_pkt(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
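
Review bot: in test_tls_record_proto_custom_content_type() dev_info is declared and filled by rte_cryptodev_info_get(), but never read before the return. Remove both lines together with ts_params, or add the capability check they were meant to support.
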
@@ -17232,6 +17247,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 93ff7f36fa..9a2af259c9 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -108,6 +108,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->input_text.len = data_len;
 	}
 
+	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+		td->app_type = RTE_TLS_TYPE_MAX;
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
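
Review bot: td->app_type = RTE_TLS_TYPE_MAX uses what reads as an upper-bound sentinel as the "custom" content type, with no comment on why that value is the right one. A short comment or a named test constant would make clear that the test depends on the value lying outside the defined content types, and would flag the dependency if the bound ever moves.
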
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 5faa277740..b707361fb6 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -42,6 +42,14 @@ static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
 
 #define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
+enum tls_record_test_content_type {
+	TLS_RECORD_TEST_CONTENT_TYPE_APP,
+	/* For verifying zero packet length */
+	TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	/* For verifying handling of custom content types */
+	TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+};
+
 struct tls_record_test_data {
 	struct {
 		uint8_t data[32];
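
Review bot: TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE and its comment "For verifying zero packet length" are introduced here, but this patch only uses the CUSTOM value. Add the enumerator in the patch that first uses it, and word the comments to describe the content type each value selects rather than the test that happens to use it.
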
@@ -89,6 +97,7 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
+	enum tls_record_test_content_type content_type;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH 07/21] test/cryptodev: allow zero packet length buffers
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (5 preceding siblings ...)
  2024-03-05  7:21 ` [PATCH 06/21] test/security: unit test for custom content verification Aakash Sasidharan
@ 2024-03-05  7:21 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
                   ` (15 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:21 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Anoob Joseph <anoobj@marvell.com>

The function 'create_segmented_mbuf' is updated to support zero packet
length mbufs. This allows testing of zero packet length payload with TLS
record processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.h | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index e4e99d00c1..7d877ddfe5 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -192,15 +192,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 		int nb_segs, uint8_t pattern) {
 
 	struct rte_mbuf *m = NULL, *mbuf = NULL;
+	int size, t_len, data_len = 0;
 	uint8_t *dst;
-	int data_len = 0;
-	int i, size;
-	int t_len;
-
-	if (pkt_len < 1) {
-		printf("Packet size must be 1 or more (is %d)\n", pkt_len);
-		return NULL;
-	}
 
 	if (nb_segs < 1) {
 		printf("Number of segments must be 1 or more (is %d)\n",
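
Review bot: removing the `pkt_len < 1` guard also removes the rejection of negative values. pkt_len is a signed int and is copied into size below, so a negative length now enters the allocation loop instead of returning NULL. Keeping the guard as `if (pkt_len < 0)` admits zero while preserving the check. Because this helper lives in test_cryptodev.h, the commit message should also say that callers passing 0 used to get NULL and now get an mbuf with no payload.
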
@@ -212,17 +205,17 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 	size = pkt_len;
 
 	/* Create chained mbuf_src and fill it generated data */
-	for (i = 0; size > 0; i++) {
+	do {
 
 		m = rte_pktmbuf_alloc(mbuf_pool);
-		if (i == 0)
-			mbuf = m;
-
 		if (m == NULL) {
 			printf("Cannot create segment for source mbuf");
 			goto fail;
 		}
 
+		if (mbuf == NULL)
+			mbuf = m;
+
 		/* Make sure if tailroom is zeroed */
 		memset(m->buf_addr, pattern, m->buf_len);
 
@@ -239,7 +232,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 
 		size -= data_len;
 
-	}
+	} while (size > 0);
+
 	return mbuf;
 
 fail:
-- 
2.25.1



* [PATCH 08/21] test/security: unit test to verify zero TLS records
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (6 preceding siblings ...)
  2024-03-05  7:21 ` [PATCH 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
                   ` (14 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the zero len TLS records. Zero len packets are
allowed when content type is app data while zero packet length with
other content type (such as handshake) would result in an error.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 51 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c |  5 +-
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index bee40cd927..31f4c08d6a 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11984,6 +11984,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
 		if (flags->nb_segs_in_mbuf)
 			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
+
+		if (flags->zero_len)
+			payload_len = 0;
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -11992,8 +11995,16 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
+		if (flags->zero_len &&
+		    ((flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE))) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+			goto skip_decrypt;
+		} else if (ret == TEST_FAILED) {
 			return TEST_FAILED;
+		}
 
 		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
 
@@ -12009,6 +12020,7 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 				return TEST_FAILED;
 		}
 
+skip_decrypt:
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
 
@@ -12123,6 +12135,35 @@ test_tls_record_proto_custom_content_type(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
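
Review bot: test_tls_record_proto_zero_len() relies on content_type being zero-initialised to get TLS_RECORD_TEST_CONTENT_TYPE_APP. Setting `.content_type = TLS_RECORD_TEST_CONTENT_TYPE_APP` explicitly would make the positive case read as the counterpart of the HANDSHAKE case below it and would survive a reordering of the enum. zero_len is a bool, so `.zero_len = true` is the clearer initialiser.
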
@@ -17251,6 +17292,14 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
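
Review bot: the second test is registered as "content type as ctrl", the function is named ..._zero_len_non_app, and the flag it sets is TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE. Use one term throughout, for example "handshake", so a failure line in the test log maps directly to the code.
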
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 9a2af259c9..c5410a4c92 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -103,13 +103,15 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
-	if (flags->data_walkthrough) {
+	if (flags->data_walkthrough || flags->zero_len) {
 		test_sec_proto_pattern_set(td->input_text.data, data_len);
 		td->input_text.len = data_len;
 	}
 
 	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
 		td->app_type = RTE_TLS_TYPE_MAX;
+	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
 	tls_pkt_size = td->input_text.len;
 
@@ -232,6 +234,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	memcpy(&res_d->input_text.data, output_text, len);
 	res_d->input_text.len = len;
+	res_d->output_text.len = td->input_text.len;
 
 	res_d->tls_record_xform.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
 	if (res_d->aead) {
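
Review bot: the added `res_d->output_text.len = td->input_text.len;` in test_tls_record_res_d_prepare() is unconditional, so it changes the prepared result data for every test that passes res_d, not only the zero-length cases, and the commit message does not mention it. State why it is needed, or move it to its own patch so a regression can be bisected to it.
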
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index b707361fb6..e7ba31c449 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
 	enum tls_record_test_content_type content_type;
+	bool zero_len;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -140,5 +141,4 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 				 struct tls_record_test_data *res_d, bool silent);
-
 #endif
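
Review bot: the removal of the blank line before #endif is an unrelated whitespace change. Drop it so the patch carries only the zero-length record work.
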
-- 
2.25.1



* [PATCH 09/21] test/security: add unit tests for DTLS-1.2
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (7 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
                   ` (13 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify
1. DTLS record with zero length
2. DTLS record with header corruption
3. DTLS record with content type as custom

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 31f4c08d6a..6e860b06b2 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12215,6 +12215,67 @@ test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
 }
 
+static int
+test_dtls_1_2_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 #endif
 
 static int
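
Review bot: the four new functions differ only in their flags initialiser, and each repeats the dev_info declaration and rte_cryptodev_info_get() call without reading the result. A single static helper that takes the flags (or the rte_security_tls_version) would remove the duplication, and the unused device query can go. `.pkt_corruption = 1` and `.zero_len = 1` initialise bool fields and read better as true.
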
@@ -17409,6 +17470,22 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Packet corruption",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
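
Review bot: the DTLS suite registers the corruption test as "Packet corruption", while the TLS 1.2 suite registers the same flag as "TLS packet header corruption". Align the names (for example "DTLS packet header corruption") so the two suites can be compared line by line in the test output. The "content type as ctrl" name has the same mismatch with the HANDSHAKE flag the function sets.
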
-- 
2.25.1



* [PATCH 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (8 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
                   ` (12 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors for TLS 1.2 and DTLS 1.2 using algos
AES-256-CBC and HMAC-SHA384

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  19 ++
 app/test/test_cryptodev_security_tls_record.h |   2 +
 ...yptodev_security_tls_record_test_vectors.h | 200 ++++++++++++++++++
 3 files changed, 221 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 6e860b06b2..44dc99b088 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17273,6 +17273,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Write record known vector AES-256-CBC-SHA256",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17316,6 +17320,11 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17397,6 +17406,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17439,6 +17453,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index e7ba31c449..22572537ef 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -110,6 +110,7 @@ extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_null_cipher_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_chacha20_poly1305;
@@ -118,6 +119,7 @@ extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index f10f28bb96..27b07cd54a 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1129,6 +1129,107 @@ struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x1d, 0xe5, 0x19, 0x18, 0x57, 0xa0, 0xee, 0x79,
+			0x84, 0x61, 0x92, 0x9d, 0x3d, 0xce, 0x42, 0x92,
+			0x4a, 0x98, 0x23, 0x3b, 0xf8, 0xec, 0x29, 0x47,
+			0xb3, 0xae, 0x1f, 0x22, 0xd2, 0x8d, 0xbe, 0x2c,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0xf8, 0xbd, 0x28, 0xf9, 0x4a, 0xde, 0x1d, 0xde,
+			0x8c, 0xf5, 0xe9, 0x49, 0x34, 0x2a, 0x1a, 0xd0,
+			0x0d, 0xe3, 0x64, 0xb2, 0x54, 0xd6, 0xd6, 0x40,
+			0x90, 0x5d, 0x16, 0xc1, 0xf2, 0x77, 0x14, 0x90,
+			0xe6, 0xfa, 0xbc, 0x9d, 0xe2, 0x72, 0x12, 0xec,
+			0xb6, 0x05, 0xec, 0xdd, 0x1d, 0x23, 0xb3, 0x8e,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x44, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x01, 0x00, 0x80,
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+			0x88, 0x41, 0xee, 0x5b, 0x32, 0x1e, 0x85, 0xaf,
+			0x33, 0x7b, 0x59, 0x8a, 0xe9, 0x41, 0x11, 0x6a,
+			0xbb, 0x7d, 0x16, 0x6c, 0xbb, 0x66, 0x5e, 0xf5,
+			0xfb, 0x5f, 0x03, 0xf9, 0x75, 0x7d, 0xb9, 0xff,
+			0x70, 0xc3, 0x4a, 0x19, 0xe5, 0x25, 0xa0, 0x5d,
+			0xad, 0x45, 0xef, 0xce, 0xd8, 0x2a, 0xde, 0xf0,
+			0x0c, 0xca, 0x1c, 0x6b, 0x5a, 0x31, 0x8f, 0x49,
+			0xff, 0x7d, 0xf3, 0x71, 0x15, 0x06, 0x07, 0x9d,
+			0x6a, 0x5f, 0x5c, 0xd8, 0x2a, 0xa5, 0x0e, 0x61,
+			0xde, 0x18, 0x6b, 0x7d, 0xc8, 0x74, 0x58, 0x18,
+			0xf1, 0xac, 0xde, 0xb9, 0x6d, 0x8a, 0x44, 0xad,
+			0x10, 0xf8, 0x63, 0x15, 0xcf, 0x25, 0x2f, 0x82,
+			0x2f, 0xda, 0x74, 0x45, 0x02, 0xda, 0x61, 0x3c,
+			0x2f, 0xf9, 0xa5, 0x92, 0x2a, 0x7c, 0x5e, 0x5d,
+		},
+		.len = 141,
+	},
+	.iv = {
+		.data = {
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_DTLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.dtls_1_2.epoch = 1,
+		.dtls_1_2.seq_no = 1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
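
Review bot: output_text.data in dtls_test_data_aes_256_cbc_sha384_hmac carries no comment, and it is the part a reader has to decode by hand. The first 13 bytes are the record header (type 0x17, version 0xfe 0xfd, epoch and sequence number matching dtls_1_2.epoch = 1 and seq_no = 1, length 0x00 0x80), and the next 16 bytes repeat .iv.data. Comments marking header, explicit IV and ciphertext would make .len = 141 (13 + 128) checkable at a glance.
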
@@ -1494,6 +1595,105 @@ struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x48, 0x70, 0xc7, 0x93, 0x77, 0xe3, 0x4c, 0x8c,
+			0x27, 0x00, 0x64, 0x06, 0x3e, 0xc6, 0x47, 0x64,
+			0xcc, 0xee, 0xa4, 0x9a, 0x1a, 0xe7, 0x3a, 0xc6,
+			0xef, 0xe5, 0xe6, 0x2c, 0x15, 0xe3, 0xac, 0x16,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0x23, 0x95, 0x84, 0x30, 0xaf, 0x2b, 0x07, 0xfe,
+			0x12, 0x83, 0x87, 0x28, 0x2b, 0x38, 0xb9, 0x02,
+			0xc0, 0x27, 0x59, 0x3e, 0xa7, 0xbd, 0xce, 0xcb,
+			0xe1, 0x8a, 0xe9, 0x43, 0x5d, 0xed, 0xb4, 0xf2,
+			0x11, 0x4d, 0x19, 0xbb, 0x0f, 0x1b, 0x76, 0x86,
+			0xfb, 0xb5, 0xda, 0xfd, 0x38, 0xfe, 0x7d, 0x02,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
+			0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x80,
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+			0x1e, 0x5b, 0x1e, 0x50, 0x3e, 0x19, 0x25, 0x41,
+			0x35, 0xc7, 0x7c, 0x14, 0x99, 0x7b, 0x97, 0x80,
+			0x60, 0x9d, 0xf8, 0xf1, 0xac, 0x43, 0x7b, 0x5c,
+			0xb6, 0xe2, 0xc4, 0x8f, 0x3f, 0xd7, 0x1b, 0xd4,
+			0x61, 0x90, 0x40, 0xe3, 0xd5, 0x60, 0xac, 0xee,
+			0x62, 0x53, 0x1f, 0x1f, 0x75, 0xf6, 0x2c, 0xda,
+			0x1a, 0xed, 0x4a, 0x6a, 0x11, 0xeb, 0x9b, 0x1c,
+			0x39, 0x0d, 0x6e, 0x8a, 0xf8, 0x3d, 0x45, 0x08,
+			0x3e, 0x24, 0x17, 0x3e, 0xcf, 0x74, 0xcf, 0x6a,
+			0xcb, 0x37, 0xdf, 0x25, 0xc6, 0xa5, 0xe4, 0x1e,
+			0x53, 0x28, 0x71, 0xcf, 0xac, 0x1e, 0xad, 0x77,
+			0x8c, 0xfc, 0x80, 0x19, 0x9c, 0xcc, 0x00, 0x60,
+			0xc6, 0x82, 0xa0, 0xb8, 0x5e, 0x42, 0xd1, 0xff,
+			0x14, 0x0a, 0x92, 0x5c, 0xde, 0x8a, 0x15, 0x7a,
+		},
+		.len = 133,
+	},
+	.iv = {
+		.data = {
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_2.seq_no = 0x1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
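
Review bot: input_text in tls_test_data_aes_256_cbc_sha384_hmac starts with 0x20, so the plaintext has a leading space, whereas the DTLS vector starts directly with 0x54. Both are .len = 51, so the space looks like deliberate padding to keep the lengths equal; a comment saying so would stop it being read as a copy error. output_text would also benefit from a comment marking the 5-byte record header (0x17 0x03 0x03 0x00 0x80) and the 16 bytes after it that repeat .iv.data.
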
-- 
2.25.1



* [PATCH 11/21] test/security: add DTLS 1.2 anti-replay tests
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (9 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
                   ` (11 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay test for DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 115 ++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 132 ++++++++++--------
 app/test/test_cryptodev_security_tls_record.h |  11 +-
 3 files changed, 188 insertions(+), 70 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 44dc99b088..44d749a501 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11827,6 +11827,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		.protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
 	};
 
+	if ((tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (sess_type == RTE_SECURITY_TLS_SESS_TYPE_READ))
+		sess_conf.tls_record.dtls_1_2.ar_win_sz = flags->ar_win_size;
+
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
@@ -11851,6 +11855,17 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->ar_win_size &&
+			(sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE)) {
+			sess_conf.tls_record.dtls_1_2.seq_no =
+				td[i].tls_record_xform.dtls_1_2.seq_no;
+			ret = rte_security_session_update(ctx, ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
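
Review bot: the per-packet sequence number update is gated on flags->ar_win_size and a WRITE session only, without the RTE_SECURITY_VERSION_DTLS_1_2 check used earlier in the function for ar_win_sz, although it writes sess_conf.tls_record.dtls_1_2.seq_no. Adding the version check keeps the two conditions consistent. Returning TEST_SKIPPED for every non-zero result of rte_security_session_update() also hides real failures; skip only when the return value says the operation is not supported and fail otherwise.
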
@@ -11890,17 +11905,19 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_tls_record_status_check(ut_params->op);
+		ret = test_tls_record_status_check(ut_params->op, &td[i]);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		if (res_d != NULL)
 			res_d_tmp = &res_d[i];
 
-		ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp, silent);
-		if (ret != TEST_SUCCESS)
-			goto crypto_op_free;
-
+		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+							   silent);
+			if (ret != TEST_SUCCESS)
+				goto crypto_op_free;
+		}
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
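
Review bot: test_tls_record_post_process() is now skipped for any op whose status is not RTE_CRYPTO_OP_STATUS_SUCCESS, so correctness for those packets rests entirely on test_tls_record_status_check(). Gating on td[i].ar_packet, the flag the replay test sets for packets expected to be dropped, would make the intent explicit and keep post-processing mandatory for every packet that is expected to pass.
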
@@ -12190,6 +12207,90 @@ test_dtls_1_2_record_proto_display_list(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_pkt_replay(const uint64_t seq_no[],
+		      bool replayed_pkt[], uint32_t nb_pkts,
+		      struct tls_record_test_flags *flags)
+{
+	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
+	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
+	unsigned int i, idx, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
+					   td_outb, nb_pkts, 0);
+
+		for (idx = 0; idx < nb_pkts; idx++)
+			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
+
+		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		for (idx = 0; idx < nb_pkts; idx++) {
+			td_inb[idx].tls_record_xform.dtls_1_2.ar_win_sz = flags->ar_win_size;
+			/* Set antireplay flag for packets to be dropped */
+			td_inb[idx].ar_packet = replayed_pkt[idx];
+		}
+
+		ret = test_tls_record_proto_process(td_inb, NULL, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay(void)
+{
+	struct tls_record_test_flags flags;
+	uint64_t winsz = 64, seq_no[5];
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+	flags.ar_win_size = winsz;
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	seq_no[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	seq_no[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	seq_no[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	seq_no[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	seq_no[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
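Review bot: test_dtls_pkt_replay() indexes td_outb[], td_inb[], seq_no[] and replayed_pkt[] up to nb_pkts, but the two local arrays are sized TEST_SEC_PKTS_MAX and nb_pkts is never checked against it. Add an early `if (nb_pkts > TEST_SEC_PKTS_MAX) return TEST_FAILED;` (or an assert) at the top of the function. replayed_pkt[] is only read, so it can be `const bool[]` like seq_no[]. The five cases cover the window bottom, just below the bottom, mid-window and a mid-window replay; a replay of the window top itself (seq_no[0]) would complete the boundary coverage.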
@@ -17505,6 +17606,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Zero len DTLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 64",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index c5410a4c92..907e043ddd 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -12,10 +12,21 @@
 #include "test_security_proto.h"
 
 int
-test_tls_record_status_check(struct rte_crypto_op *op)
+test_tls_record_status_check(struct rte_crypto_op *op,
+			     const struct tls_record_test_data *td)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_READ) &&
+	     td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
 		ret = TEST_FAILED;
 
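Review bot: for ar_packet records the check accepts any RTE_CRYPTO_OP_STATUS_ERROR, so a record rejected for an unrelated reason (for example an authentication failure) also counts as a passing anti-replay test. If the PMD exposes a more specific indication for replay drops, assert on that; otherwise document the limitation in a comment here. The `else` after `return TEST_FAILED;` is redundant and td is dereferenced without a NULL check although the read path elsewhere passes NULL for the output descriptor array.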
@@ -101,81 +112,80 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.chain.auth.auth.key.length = param2->key_length;
 			td->xform.chain.auth.auth.digest_length = param2->digest_length;
 		}
-	}
-
-	if (flags->data_walkthrough || flags->zero_len) {
-		test_sec_proto_pattern_set(td->input_text.data, data_len);
-		td->input_text.len = data_len;
-	}
-
-	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
-		td->app_type = RTE_TLS_TYPE_MAX;
-	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
-		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
-	tls_pkt_size = td->input_text.len;
+		if (flags->data_walkthrough || flags->zero_len) {
+			test_sec_proto_pattern_set(td->input_text.data, data_len);
+			td->input_text.len = data_len;
+		}
 
-	if (!td->aead) {
-		mac_len = td->xform.chain.auth.auth.digest_length;
-		switch (td->xform.chain.cipher.cipher.algo) {
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			roundup_len = 8;
+		if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+			td->app_type = RTE_TLS_TYPE_MAX;
+		else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+			td->app_type = RTE_TLS_TYPE_HANDSHAKE;
+
+		tls_pkt_size = td->input_text.len;
+
+		if (!td->aead) {
+			mac_len = td->xform.chain.auth.auth.digest_length;
+			switch (td->xform.chain.cipher.cipher.algo) {
+			case RTE_CRYPTO_CIPHER_3DES_CBC:
+				roundup_len = 8;
+				exp_nonce_len = 8;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				roundup_len = 16;
+				exp_nonce_len = 16;
+				break;
+			default:
+				roundup_len = 0;
+				exp_nonce_len = 0;
+				break;
+			}
+		} else {
+			mac_len = td->xform.aead.aead.digest_length;
+			roundup_len = 0;
 			exp_nonce_len = 8;
+		}
+
+		switch (td->tls_record_xform.ver) {
+		case RTE_SECURITY_VERSION_TLS_1_2:
+		case RTE_SECURITY_VERSION_TLS_1_3:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			roundup_len = 16;
-			exp_nonce_len = 16;
+		case RTE_SECURITY_VERSION_DTLS_1_2:
+			hdr_len = sizeof(struct rte_dtls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
 		default:
-			roundup_len = 0;
-			exp_nonce_len = 0;
+			hdr_len = 0;
+			min_padding = 0;
 			break;
 		}
-	} else {
-		mac_len = td->xform.aead.aead.digest_length;
-		roundup_len = 0;
-		exp_nonce_len = 8;
-	}
-
-	switch (td->tls_record_xform.ver) {
-	case RTE_SECURITY_VERSION_TLS_1_2:
-	case RTE_SECURITY_VERSION_TLS_1_3:
-		hdr_len = sizeof(struct rte_tls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	case RTE_SECURITY_VERSION_DTLS_1_2:
-		hdr_len = sizeof(struct rte_dtls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	default:
-		hdr_len = 0;
-		min_padding = 0;
-		break;
-	}
 
-	tls_pkt_size += mac_len;
+		tls_pkt_size += mac_len;
 
-	/* Padding */
-	tls_pkt_size += min_padding;
+		/* Padding */
+		tls_pkt_size += min_padding;
 
-	if (roundup_len)
-		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+		if (roundup_len)
+			tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
-	/* Explicit nonce */
-	tls_pkt_size += exp_nonce_len;
+		/* Explicit nonce */
+		tls_pkt_size += exp_nonce_len;
 
-	/* Add TLS header */
-	tls_pkt_size += hdr_len;
+		/* Add TLS header */
+		tls_pkt_size += hdr_len;
 
-	td->output_text.len = tls_pkt_size;
+		td->output_text.len = tls_pkt_size;
 
-	RTE_SET_USED(flags);
+	}
 }
 
 void
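Review bot: the pattern, content-type and length setup that used to run once after the loop now runs for each descriptor, which changes behaviour for every td except the last one. That is a functional fix independent of anti-replay and should go in its own patch with a commit message that explains it, so it can be reviewed and backported separately. The added blank line before the closing `}` of the loop (after `td->output_text.len = tls_pkt_size;`) should also be dropped.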
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 22572537ef..e706e38e46 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -89,16 +89,18 @@ struct tls_record_test_data {
 	struct rte_security_tls_record_xform tls_record_xform;
 	uint8_t app_type;
 	bool aead;
+	bool ar_packet;
 };
 
 struct tls_record_test_flags {
 	bool display_alg;
-	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
-	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
-	enum tls_record_test_content_type content_type;
 	bool zero_len;
+	uint8_t nb_segs_in_mbuf;
+	enum rte_security_tls_version tls_version;
+	enum tls_record_test_content_type content_type;
+	int ar_win_size;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
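Review bot: `int ar_win_size` is signed, yet it is assigned from a `uint64_t winsz` in test_dtls_1_2_record_proto_antireplay() and copied into dtls_1_2.ar_win_sz. Use an unsigned type that matches the xform field so there is no implicit narrowing or sign conversion. The reordering of nb_segs_in_mbuf, tls_version and content_type is unrelated churn in an anti-replay patch; either mention it in the commit message or split it out.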
@@ -123,7 +125,8 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
-int test_tls_record_status_check(struct rte_crypto_op *op);
+int test_tls_record_status_check(struct rte_crypto_op *op,
+				 const struct tls_record_test_data *td);
 
 int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_record_xform,
 				    const struct rte_security_capability *sec_cap, bool silent);
-- 
2.25.1



* [PATCH 12/21] test/security: add more DTLS anti-replay window sz
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (10 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 13/21] test/crypto: update verification of header Aakash Sasidharan
                   ` (10 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay tests for window sizes 128, 256, 512, 1024,
2048 and 4096 in DTLS 1.2 suite.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c | 72 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 44d749a501..9b11f34767 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12259,12 +12259,12 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 }
 
 static int
-test_dtls_1_2_record_proto_antireplay(void)
+test_dtls_1_2_record_proto_antireplay(uint64_t winsz)
 {
 	struct tls_record_test_flags flags;
-	uint64_t winsz = 64, seq_no[5];
 	uint32_t nb_pkts = 5;
 	bool replayed_pkt[5];
+	uint64_t seq_no[5];
 
 	memset(&flags, 0, sizeof(flags));
 
@@ -12291,6 +12291,48 @@ test_dtls_1_2_record_proto_antireplay(void)
 	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
 }
 
+static int
+test_dtls_1_2_record_proto_antireplay64(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(64);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay128(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(128);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay256(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(256);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay512(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(512);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay1024(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(1024);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay2048(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(2048);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay4096(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(4096);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
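Review bot: the seven wrappers from test_dtls_1_2_record_proto_antireplay64() to test_dtls_1_2_record_proto_antireplay4096() differ only in the constant they pass. Consider a single test function driven by a table of window sizes, or registering one function with per-case data through TEST_CASE_NAMED_WITH_DATA, so that adding a size is a one-line change. The parameter is `uint64_t winsz` while flags.ar_win_size is an `int`; pick one width for both.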
@@ -17609,7 +17651,31 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Antireplay with window size 64",
 			ut_setup_security, ut_teardown,
-			test_dtls_1_2_record_proto_antireplay),
+			test_dtls_1_2_record_proto_antireplay64),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 128",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay128),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 256",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay256),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 512",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay512),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay1024),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay2048),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay4096),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH 13/21] test/crypto: update verification of header
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (11 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
                   ` (9 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

In TLS 1.3, the version in the header would be TLS 1.2 and the content
type would be APP irrespective of the type of the payload.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 907e043ddd..498c4923e0 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -275,9 +275,9 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		hdr_len = sizeof(struct rte_tls_hdr);
 	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
 		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
-		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
 			printf("Incorrect header version [expected - %4x, received - %4x]\n",
-			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
 			return TEST_FAILED;
 		}
 		content_type = hdr->type;
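Review bot: the TLS 1.3 branch now compares hdr->version against RTE_TLS_VERSION_1_2 with no comment, which reads like a copy-paste slip to anyone who has not seen the commit message. Add a one-line comment above the check saying that TLS 1.3 records carry the TLS 1.2 version in the record header.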
@@ -297,10 +297,18 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		return TEST_FAILED;
 	}
 
-	if (content_type != td->app_type) {
-		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
-		       td->app_type, content_type);
-		return TEST_FAILED;
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		if (content_type != RTE_TLS_TYPE_APPDATA) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
+	} else {
+		if (content_type != td->app_type) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
 	}
 
 	if (length != td->output_text.len - hdr_len) {
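Review bot: in the TLS 1.3 branch the comparison is against RTE_TLS_TYPE_APPDATA but the failure message still prints td->app_type as the expected value, so the log is misleading whenever the test data uses a different inner content type. Print RTE_TLS_TYPE_APPDATA as the expected value there. The two branches could also be merged by computing an `exp_type` local first and keeping a single comparison and printf.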
-- 
2.25.1



* [PATCH 14/21] test/crypto: add TLS 1.3 vectors
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (12 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 13/21] test/crypto: update verification of header Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
                   ` (8 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors and test suite for TLS 1.3
AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305
vectors. The vectors are generated using gnuTLS
client server application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  35 +++
 app/test/test_cryptodev_security_tls_record.h |   3 +
 ...yptodev_security_tls_record_test_vectors.h | 205 ++++++++++++++++++
 3 files changed, 243 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9b11f34767..70375cc6fa 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17680,6 +17680,40 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 	}
 };
 
+static struct unit_test_suite tls13_record_proto_testsuite  = {
+	.suite_name = "TLS 1.3 Record Protocol Unit Test Suite",
+	.setup = tls_record_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 #define ADD_UPLINK_TESTCASE(data)						\
 	TEST_CASE_NAMED_WITH_DATA(data.test_descr_uplink, ut_setup_security,	\
 	ut_teardown, test_docsis_proto_uplink, (const void *) &data),		\
@@ -18699,6 +18733,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&docsis_proto_testsuite,
 		&tls12_record_proto_testsuite,
 		&dtls12_record_proto_testsuite,
+		&tls13_record_proto_testsuite,
 #endif
 		&end_testsuite
 	};
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index e706e38e46..05bd7a9862 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -124,6 +124,9 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
+extern struct tls_record_test_data tls13_test_data_aes_128_gcm;
+extern struct tls_record_test_data tls13_test_data_aes_256_gcm;
+extern struct tls_record_test_data tls13_test_data_chacha20_poly1305;
 
 int test_tls_record_status_check(struct rte_crypto_op *op,
 				 const struct tls_record_test_data *td);
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index 27b07cd54a..8af17b07e5 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1781,4 +1781,209 @@ struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.app_type = 0x17,
 };
 
+/* TLS 1.3 AES-128-GCM */
+struct tls_record_test_data tls13_test_data_aes_128_gcm = {
+	.key = {
+		.data = {
+			0x03, 0x12, 0xf5, 0x86, 0xe4, 0xd0, 0x27, 0xc7,
+			0x47, 0x82, 0x44, 0xca, 0xd3, 0xce, 0x06, 0x6c,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0x52, 0xb5, 0x24, 0xce, 0x5c, 0x29, 0x0f, 0x0a,
+			0x3a, 0xc0, 0x60, 0xaf, 0xba, 0xe3, 0x0d, 0x28,
+			0x6c, 0xbb, 0x3e, 0x5f, 0xde, 0x4a, 0xcd, 0xf1,
+			0x30, 0x12, 0xa9, 0x42, 0x95, 0x55, 0xf5, 0x2c,
+			0xb7, 0xb6, 0x60, 0x82, 0xa2, 0x1d, 0x34, 0x33,
+			0x0a, 0xd7, 0x48, 0x40, 0xef, 0xab, 0x70, 0xa7,
+			0xb2, 0x58, 0x41, 0xdb, 0xf6, 0x37, 0xe4, 0x6d,
+			0xa3, 0x1e, 0xbf, 0x6f,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0x8d, 0x1f, 0xa0, 0x14, 0xc7, 0x66, 0x9f, 0x93,
+			0x74, 0x3f, 0x46, 0x52,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+/* TLS 1.3 AES-256-GCM */
+struct tls_record_test_data tls13_test_data_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xc9, 0xc2, 0xa2, 0x4c, 0x4e, 0x36, 0x19, 0x6e,
+			0xd8, 0xf5, 0xb9, 0x14, 0x30, 0xfc, 0xe0, 0xef,
+			0x29, 0xb0, 0x00, 0xd1, 0x2d, 0xfc, 0x5a, 0x76,
+			0x50, 0xf4, 0xf3, 0xb1, 0x82, 0x21, 0x57, 0x82,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0xc9, 0xb0, 0x44, 0x23, 0xd5, 0xe2, 0xbd, 0x1d,
+			0xf1, 0x96, 0x53, 0x2c, 0x8c, 0xe2, 0xa3, 0x00,
+			0x7b, 0x2a, 0xb1, 0xa1, 0xd6, 0x79, 0x58, 0xb5,
+			0x35, 0x1f, 0xbb, 0x98, 0x03, 0xe1, 0x82, 0xa2,
+			0x1e, 0x26, 0x81, 0xbe, 0x77, 0x65, 0xaf, 0x7d,
+			0x9f, 0x52, 0xec, 0x3a, 0x18, 0x2d, 0x36, 0xab,
+			0xdc, 0xa9, 0xfb, 0xd3, 0xa8, 0xd5, 0xbc, 0x98,
+			0xa4, 0xab, 0x70, 0xe9,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0xd4, 0x78, 0xf2, 0x90, 0x61, 0x5d, 0x8c, 0x63,
+			0x4b, 0xf4, 0x72, 0xf3,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+struct tls_record_test_data tls13_test_data_chacha20_poly1305 = {
+	.key = {
+		.data = {
+			0xec, 0x7d, 0x7a, 0x3f, 0x91, 0xdd, 0xb9, 0x70,
+			0x95, 0x3b, 0x99, 0xb0, 0xe7, 0x66, 0xda, 0xdc,
+			0x85, 0xbb, 0xfc, 0xc8, 0x50, 0xe9, 0x61, 0x88,
+			0xc8, 0x1e, 0xf0, 0x61, 0xb0, 0xcd, 0x6c, 0x3d,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30,
+			0x2d, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30,
+			0x35, 0x20, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+			0x65, 0x20, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0xa,
+		},
+		.len = 49,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x42,
+			0x9a, 0xc1, 0xd9, 0x0e, 0xf9, 0x4c, 0x51, 0x8c,
+			0xb4, 0xa7, 0x54, 0x57, 0x56, 0xba, 0xbb, 0xf7,
+			0xd7, 0x1d, 0x49, 0x5a, 0x42, 0xd2, 0xab, 0x75,
+			0x3f, 0xb1, 0x5f, 0xb5, 0x2b, 0x2b, 0xa3, 0xc5,
+			0x61, 0x32, 0x7e, 0x62, 0x1e, 0xf5, 0x56, 0xff,
+			0x84, 0x8e, 0x9a, 0x99, 0x06, 0xba, 0x3b, 0xc0,
+			0x15, 0x4c, 0xf5, 0xb1, 0x5e, 0xcc, 0xff, 0x42,
+			0x79, 0x4b, 0xa9, 0x23, 0x16, 0x08, 0xc3, 0x9a,
+			0x52, 0x2a,
+		},
+		.len = 71,
+	},
+	.imp_nonce = {
+		.data = {
+			0x3c, 0x28, 0xa0, 0xb8, 0xf8, 0x74, 0x35, 0xfe,
+			0xd2, 0xa0, 0x31, 0x28,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
 #endif
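Review bot: all three vectors use `.tls_1_3.seq_no = 0x0`. In TLS 1.3 the per-record nonce is the IV XORed with the padded sequence number, so with sequence number 0 the nonce equals imp_nonce and an implementation that ignores the sequence number would still pass the known-vector tests. Add at least one vector captured at a non-zero sequence number. Minor: tls13_test_data_chacha20_poly1305 lacks the leading comment that the two GCM vectors have, and the final plaintext byte is written `0xa` where the rest of the file uses two hex digits.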
-- 
2.25.1



* [PATCH 15/21] test/crypto: update framework to verify tls-1.3
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (13 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
                   ` (7 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Update the fields in preparation of test descriptor.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++---
 app/test/test_cryptodev_security_tls_record.c | 43 ++++++++++++-------
 app/test/test_cryptodev_security_tls_record.h | 10 ++---
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 70375cc6fa..edcd67dabf 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11889,8 +11889,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		/* Copy IV in crypto operation when IV generation is disabled */
-		if (sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE &&
-		    tls_record_xform.options.iv_gen_disable == 1) {
+		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
+		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
+		    (tls_record_xform.options.iv_gen_disable == 1)) {
 			uint8_t *iv;
 			int len;
 
@@ -12005,8 +12006,10 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (flags->zero_len)
 			payload_len = 0;
 again:
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, payload_len);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, payload_len);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
@@ -12218,8 +12221,10 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 	int ret;
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, 0);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, 0);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		for (idx = 0; idx < nb_pkts; idx++)
 			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 498c4923e0..96d0a94731 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -70,7 +70,7 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 	}
 }
 
-void
+int
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array,
@@ -79,6 +79,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
 
+	if ((flags->tls_version == RTE_SECURITY_VERSION_TLS_1_3) &&
+	    (param1->type != RTE_CRYPTO_SYM_XFORM_AEAD))
+		return TEST_SKIPPED;
+
 	memset(td_array, 0, nb_td * sizeof(*td));
 
 	for (i = 0; i < nb_td; i++) {
@@ -88,10 +92,17 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
-				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
-			else
+			switch (flags->tls_version) {
+			case RTE_SECURITY_VERSION_TLS_1_2:
 				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_DTLS_1_2:
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_TLS_1_3:
+				memcpy(td, &tls13_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			}
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
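Review bot: the new `switch (flags->tls_version)` has no default case, so for any other version value no template is copied and the code carries on setting td->aead and the algorithm on a zeroed descriptor. Add `default: return TEST_SKIPPED;` here (or validate flags->tls_version once before the memset, next to the new AEAD check) instead of relying on the later switch on td->tls_record_xform.ver to catch it.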
@@ -127,6 +138,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (!td->aead) {
 			mac_len = td->xform.chain.auth.auth.digest_length;
+			min_padding = 1;
 			switch (td->xform.chain.cipher.cipher.algo) {
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 				roundup_len = 8;
@@ -143,30 +155,28 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			}
 		} else {
 			mac_len = td->xform.aead.aead.digest_length;
+			min_padding = 0;
 			roundup_len = 0;
-			exp_nonce_len = 8;
+			if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3)
+				exp_nonce_len = 0;
+			else
+				exp_nonce_len = 8;
 		}
 
 		switch (td->tls_record_xform.ver) {
 		case RTE_SECURITY_VERSION_TLS_1_2:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			break;
 		case RTE_SECURITY_VERSION_TLS_1_3:
 			hdr_len = sizeof(struct rte_tls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
+			/* Add 1 byte for content type in packet */
+			tls_pkt_size += 1;
 			break;
 		case RTE_SECURITY_VERSION_DTLS_1_2:
 			hdr_len = sizeof(struct rte_dtls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
 			break;
 		default:
-			hdr_len = 0;
-			min_padding = 0;
-			break;
+			return TEST_SKIPPED;
 		}
 
 		tls_pkt_size += mac_len;
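Review bot: the new `default: return TEST_SKIPPED;` returns from inside the per-descriptor loop after td_array has been cleared and partly filled, and both callers in this patch react to TEST_SKIPPED by simply continuing with the next algorithm. Validate the version once before the loop so the function either fills every descriptor or touches none. The `tls_pkt_size += 1;` for the TLS 1.3 inner content type would be clearer with a named constant or `sizeof(uint8_t)`.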
@@ -186,6 +196,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->output_text.len = tls_pkt_size;
 
 	}
+	return TEST_SUCCESS;
 }
 
 void
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 05bd7a9862..21d25c02bf 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -137,11 +137,11 @@ int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_re
 void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 					struct tls_record_test_data *td_in);
 
-void test_tls_record_td_prepare(const struct crypto_param *param1,
-				const struct crypto_param *param2,
-				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td,
-				unsigned int data_len);
+int test_tls_record_td_prepare(const struct crypto_param *param1,
+			       const struct crypto_param *param2,
+			       const struct tls_record_test_flags *flags,
+			       struct tls_record_test_data *td_array, int nb_td,
+			       unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
-- 
2.25.1



* [PATCH 16/21] test/crypto: test to verify hdr corruption in TLS
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (14 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
                   ` (6 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with header corruption.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index edcd67dabf..8cc4d9fee0 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12424,6 +12424,20 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_1_3_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
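
Review bot: in test_tls_1_3_record_proto_corrupt_pkt(), ts_params and dev_info are declared and rte_cryptodev_info_get() is called, but nothing reads dev_info before the function returns test_tls_record_proto_all(&flags). Either drop the two locals and the call, or use dev_info.feature_flags for a capability check that returns TEST_SKIPPED when the device cannot run this case.
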
@@ -17714,7 +17728,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"Read record known vector CHACHA20-POLY1305",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
-
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH 17/21] test/crypto: test to verify custom content type in TLS
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (15 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
                   ` (5 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with content type as custom.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 8cc4d9fee0..d683c28af3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12438,6 +12438,21 @@ test_tls_1_3_record_proto_corrupt_pkt(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
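
Review bot: test_tls_1_3_record_proto_custom_content_type() copies the ts_params, dev_info and rte_cryptodev_info_get() lines from the function directly above it, and again never reads dev_info; only the flags initializer differs. Drop the unused lines so each TLS 1.3 case is just its flags initializer followed by the call to test_tls_record_proto_all(&flags).
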
@@ -17732,6 +17747,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header with custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH 18/21] test/crypto: test to verify zero len record in TLS
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (16 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
                   ` (4 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with zero length.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index d683c28af3..23a3773f33 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12453,6 +12453,37 @@ test_tls_1_3_record_proto_custom_content_type(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_3_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
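
Review bot: test_tls_1_3_record_proto_zero_len() leaves .content_type out of the flags initializer and so depends on the zero value of the enum meaning application data, while the _non_app variant sets TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE explicitly. Set .content_type in both functions so the test does not change meaning if the enum is ever reordered. The dev_info lookup in both functions is also unused and can go.
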
@@ -17751,6 +17782,14 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header with custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
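
Review bot: the second added case is named "TLS-1.3 record with zero len and content type as ctrl", but the function it registers, test_tls_1_3_record_proto_zero_len_non_app, sets TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE. Name the case after the content type it actually sends, for example "content type as handshake", so a failure report points at the right record type.
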
-- 
2.25.1



* [PATCH 19/21] test/crypto: unit tests to verify padding in TLS
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (17 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
                   ` (3 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for TLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 85 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 28 ++++--
 app/test/test_cryptodev_security_tls_record.h |  5 +-
 3 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 23a3773f33..dfee18c0e3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11834,6 +11834,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
+	if (flags->opt_padding)
+		tls_record_xform.options.extra_padding_enable = 1;
+
 	sess_conf.tls_record = tls_record_xform;
 
 	if (td[0].aead) {
@@ -11888,6 +11891,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->sym->m_dst = NULL;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
+		if (flags->opt_padding)
+			ut_params->op->aux_flags = flags->opt_padding;
+
 		/* Copy IV in crypto operation when IV generation is disabled */
 		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
 		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
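
Review bot: the assignment ut_params->op->aux_flags = flags->opt_padding copies a raw count into the op with no comment on its unit, while tls_record_hdr_verify() later in this patch multiplies the same value by 8. Add a comment here that the value is a number of 8-byte units. The assignment is also made regardless of sess_type, unlike the IV copy just below it that is limited to RTE_SECURITY_TLS_SESS_TYPE_WRITE; if extra padding only applies when writing records, guard it the same way.
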
@@ -11915,7 +11921,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
 			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
-							   silent);
+							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
 		}
@@ -12184,6 +12190,59 @@ test_tls_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_opt_padding(uint8_t padding, uint8_t num_segs,
+				  enum rte_security_tls_version tls_version)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = num_segs,
+		.tls_version = tls_version,
+		.opt_padding = padding
+	};
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 2, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
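
Review bot: the padding arguments 1, 25, 8 and 33 passed to test_tls_record_proto_opt_padding() are bare literals, and the _1 and _2 suffixes on the wrapper names do not say what differs between cases. Use named constants (or a short comment per wrapper) that state the unit and why each value was chosen, in particular that 33 is meant to exceed the supported maximum, and name the wrappers after the segment count or padding size they exercise. In test_tls_record_proto_opt_padding() itself, dev_info is fetched but never read.
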
@@ -17578,6 +17637,30 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Zero len TLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
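
Review bot: two of the added cases carry the identical name "TLS record SG mode with optional padding > 2 blocks" (test_tls_record_proto_sg_opt_padding_1 and test_tls_record_proto_sg_opt_padding_2), so a failure line in the test log cannot be traced to one of them. Put the distinguishing parameter in the name, for example the segment count (4 versus 5).
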
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 96d0a94731..03d9efefc3 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -269,7 +269,8 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 }
 
 static int
-tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text,
+		      const struct tls_record_test_flags *flags)
 {
 	uint16_t length, hdr_len;
 	uint8_t content_type;
@@ -322,10 +323,22 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		}
 	}
 
-	if (length != td->output_text.len - hdr_len) {
-		printf("Incorrect packet length [expected - %d, received - %d]\n",
-		       td->output_text.len - hdr_len, length);
-		return TEST_FAILED;
+	if (!flags->opt_padding) {
+		if (length != td->output_text.len - hdr_len) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       td->output_text.len - hdr_len, length);
+			return TEST_FAILED;
+		}
+	} else {
+		int pad_len = (flags->opt_padding * 8) > 256 ? 256 : (flags->opt_padding * 8);
+		int expect_len = td->output_text.len - hdr_len + pad_len;
+
+		if (length - expect_len > 32) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       expect_len, length);
+			return TEST_FAILED;
+		}
+
 	}
 
 	return TEST_SUCCESS;
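
Review bot: the opt_padding branch only tests length - expect_len > 32, so any record shorter than expect_len gives a negative difference and passes. That includes a record with no extra padding at all, where length equals td->output_text.len - hdr_len, which is the failure this test exists to catch. Check the lower bound as well, and replace the literals 8, 256 and 32 with named constants that say what limit each one represents. The blank line before the closing brace of the else block can also be dropped.
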
@@ -333,7 +346,8 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-			     struct tls_record_test_data *res_d, bool silent)
+			     struct tls_record_test_data *res_d, bool silent,
+			     const struct tls_record_test_flags *flags)
 {
 	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
@@ -365,7 +379,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
-		ret = tls_record_hdr_verify(td, output_text);
+		ret = tls_record_hdr_verify(td, output_text, flags);
 		if (ret != TEST_SUCCESS)
 			return ret;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 21d25c02bf..385064157a 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -97,7 +97,9 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	bool pkt_corruption;
 	bool zero_len;
+	bool padding_corruption;
 	uint8_t nb_segs_in_mbuf;
+	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
 	enum tls_record_test_content_type content_type;
 	int ar_win_size;
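
Review bot: the new padding_corruption member is not set or read anywhere in this patch; only opt_padding is used. Move it to the patch that introduces the corruption test, or drop it. opt_padding would also benefit from a comment giving its unit, since the verifier multiplies it by 8.
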
@@ -148,5 +150,6 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_flags *flags);
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-				 struct tls_record_test_data *res_d, bool silent);
+				 struct tls_record_test_data *res_d, bool silent,
+				 const struct tls_record_test_flags *flags);
 #endif
-- 
2.25.1



* [PATCH 20/21] test/crypto: unit tests for padding in DTLS-1.2
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (18 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-05  7:22 ` [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
                   ` (2 subsequent siblings)
  22 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for DTLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index dfee18c0e3..2e564489e9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12483,6 +12483,42 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 static int
 test_tls_1_3_record_proto_corrupt_pkt(void)
 {
@@ -17824,6 +17860,30 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Antireplay with window size 4096",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_antireplay4096),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
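
Review bot: as in the TLS suite, two DTLS cases share the name "DTLS record SG mode with optional padding > 2 blocks" (test_dtls_1_2_record_proto_sg_opt_padding_1 and test_dtls_1_2_record_proto_sg_opt_padding_2). Give each a unique name that includes the segment count so the log identifies which one failed.
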
-- 
2.25.1



* [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (19 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
@ 2024-03-05  7:22 ` Aakash Sasidharan
  2024-03-08 13:35   ` Akhil Goyal
  2024-03-05 13:23 ` [PATCH 00/21] Improvements and new test cases Anoob Joseph
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
  22 siblings, 1 reply; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-05  7:22 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add TLS 1.2 out-of-place multi-segmented packet test.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 52 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.h |  1 +
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 2e564489e9..92500f59ca 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11873,6 +11873,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
 		pktmbuf_write(ut_params->ibuf, 0, td[i].input_text.len, td[i].input_text.data);
+		if (flags->out_of_place)
+			ut_params->obuf = create_segmented_mbuf(ts_params->mbuf_pool,
+					td[i].output_text.len, nb_segs, 0);
+		else
+			ut_params->obuf = NULL;
 
 		/* Generate crypto op data structure */
 		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
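
Review bot: the result of create_segmented_mbuf() for ut_params->obuf is not checked before it is used. If the allocation fails, obuf is NULL, the later m_dst = ut_params->obuf makes the op run in place without any indication, and test_tls_record_post_process() is then handed the NULL obuf because flags->out_of_place is still set. Fail the test right after the allocation when obuf is NULL.
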
@@ -11888,7 +11893,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		/* Set crypto operation mbufs */
 		ut_params->op->sym->m_src = ut_params->ibuf;
-		ut_params->op->sym->m_dst = NULL;
+		ut_params->op->sym->m_dst = ut_params->obuf;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		if (flags->opt_padding)
@@ -11920,7 +11925,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
-			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+			struct rte_mbuf *buf = flags->out_of_place ? ut_params->obuf :
+						ut_params->ibuf;
+
+			ret = test_tls_record_post_process(buf, &td[i], res_d_tmp,
 							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
@@ -11929,6 +11937,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
 
+		if (flags->out_of_place) {
+			rte_pktmbuf_free(ut_params->obuf);
+			ut_params->obuf = NULL;
+		}
+
 		rte_pktmbuf_free(ut_params->ibuf);
 		ut_params->ibuf = NULL;
 	}
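
Review bot: the if (flags->out_of_place) guard around rte_pktmbuf_free(ut_params->obuf) is not needed. obuf is set to NULL in the in-place case earlier in this patch and rte_pktmbuf_free() does nothing for NULL, so both cleanup sites can free obuf unconditionally, the same way ibuf is freed.
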
@@ -11937,6 +11950,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	rte_crypto_op_free(ut_params->op);
 	ut_params->op = NULL;
 
+	if (flags->out_of_place) {
+		rte_pktmbuf_free(ut_params->obuf);
+		ut_params->obuf = NULL;
+	}
+
 	rte_pktmbuf_free(ut_params->ibuf);
 	ut_params->ibuf = NULL;
 
@@ -12127,6 +12145,32 @@ test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_ver
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_oop(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.out_of_place = true,
+		.tls_version = tls_version
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_oop(void)
+{
+	return test_tls_record_proto_sgl_oop(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 {
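
Review bot: test_tls_record_proto_sgl_oop() gates on RTE_CRYPTODEV_FF_IN_PLACE_SGL and prints "Device doesn't support in-place scatter-gather", but the case sets .out_of_place = true and uses segmented source and destination mbufs. A device that supports in-place SGL but not out-of-place SGL will run the test and fail instead of being skipped. Check RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT and fix the skip message to match.
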
@@ -17657,6 +17701,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode out of place",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_oop),
 		TEST_CASE_NAMED_ST(
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 385064157a..076568dbf2 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	bool pkt_corruption;
 	bool zero_len;
 	bool padding_corruption;
+	bool out_of_place;
 	uint8_t nb_segs_in_mbuf;
 	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
-- 
2.25.1



* RE: [PATCH 00/21] Improvements and new test cases
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (20 preceding siblings ...)
  2024-03-05  7:22 ` [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-05 13:23 ` Anoob Joseph
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
  22 siblings, 0 replies; 114+ messages in thread
From: Anoob Joseph @ 2024-03-05 13:23 UTC (permalink / raw)
  To: Aakash Sasidharan
  Cc: Akhil Goyal, Jerin Jacob, Vidya Sagar Velumuri, Aakash Sasidharan, dev


> Subject: [PATCH 00/21] Improvements and new test cases
> 
> Adding new test cases and improvements to test application.
> 
> Aakash Sasidharan (7):
>   test/security: enable AES-GCM in combined mode TLS
>   test/security: add TLS 1.2 data walkthrough test
>   test/security: add DTLS 1.2 data walkthrough test
>   test/security: add TLS SG data walkthrough test
>   test/security: add DTLS 1.2 anti-replay tests
>   test/security: add more DTLS anti-replay window sz
>   test/security: add out of place sgl test case for TLS 1.2
> 
> Akhil Goyal (2):
>   test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
>   test/crypto: add TLS 1.3 vectors
> 
> Anoob Joseph (1):
>   test/cryptodev: allow zero packet length buffers
> 
> Vidya Sagar Velumuri (11):
>   test/security: unit test for TLS packet corruption
>   test/security: unit test for custom content verification
>   test/security: unit test to verify zero TLS records
>   test/security: add unit tests for DTLS-1.2
>   test/crypto: update verification of header
>   test/crypto: update framework to verify tls-1.3
>   test/crypto: test to verify hdr corruption in TLS
>   test/crypto: test to verify custom content type in TLS
>   test/crypto: test to verify zero len record in TLS
>   test/crypto: unit tests to verify padding in TLS
>   test/crypto: unit tests for padding in DTLS-1.2
> 
>  app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
>  app/test/test_cryptodev.h                     |  32 +-
>  app/test/test_cryptodev_security_tls_record.c | 203 ++--
>  app/test/test_cryptodev_security_tls_record.h |  77 +-
>  ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
>  app/test/test_security_proto.c                |  17 +
>  app/test/test_security_proto.h                |   9 +
>  7 files changed, 1539 insertions(+), 179 deletions(-)
> 
> --
> 2.25.1


Series Acked-by: Anoob Joseph <anoobj@marvell.com>




* RE: [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-05  7:22 ` [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-08 13:35   ` Akhil Goyal
  0 siblings, 0 replies; 114+ messages in thread
From: Akhil Goyal @ 2024-03-08 13:35 UTC (permalink / raw)
  To: Aakash Sasidharan, Fan Zhang
  Cc: Jerin Jacob, Anoob Joseph, Vidya Sagar Velumuri, Aakash Sasidharan, dev


Recheck-request: iol-unit-arm64-testing

> Subject: [PATCH 21/21] test/security: add out of place sgl test case for TLS 1.2
> 
> Add TLS 1.2 out-of-place multi-segmented packet test.
> 
> Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>


* [PATCH v2 00/21] Improvements and new test cases
  2024-03-05  7:21 [PATCH 00/21] Improvements and new test cases Aakash Sasidharan
                   ` (21 preceding siblings ...)
  2024-03-05 13:23 ` [PATCH 00/21] Improvements and new test cases Anoob Joseph
@ 2024-03-12  7:17 ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
                     ` (21 more replies)
  22 siblings, 22 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  Cc: gakhil, jerinj, anoobj, vvelumuri, asasidharan, dev

Adding new test cases and improvements to test application.

v2:
* Rebased.

Aakash Sasidharan (7):
  test/security: enable AES-GCM in combined mode TLS
  test/security: add TLS 1.2 data walkthrough test
  test/security: add DTLS 1.2 data walkthrough test
  test/security: add TLS SG data walkthrough test
  test/security: add DTLS 1.2 anti-replay tests
  test/security: add more DTLS anti-replay window sz
  test/security: add out of place sgl test case for TLS 1.2

Akhil Goyal (2):
  test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  test/crypto: add TLS 1.3 vectors

Anoob Joseph (1):
  test/cryptodev: allow zero packet length buffers

Vidya Sagar Velumuri (11):
  test/security: unit test for TLS packet corruption
  test/security: unit test for custom content verification
  test/security: unit test to verify zero TLS records
  test/security: add unit tests for DTLS-1.2
  test/crypto: update verification of header
  test/crypto: update framework to verify tls-1.3
  test/crypto: test to verify hdr corruption in TLS
  test/crypto: test to verify custom content type in TLS
  test/crypto: test to verify zero len record in TLS
  test/crypto: unit tests to verify padding in TLS
  test/crypto: unit tests for padding in DTLS-1.2

 app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
 app/test/test_cryptodev.h                     |  32 +-
 app/test/test_cryptodev_security_tls_record.c | 203 ++--
 app/test/test_cryptodev_security_tls_record.h |  77 +-
 ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
 app/test/test_security_proto.c                |  17 +
 app/test/test_security_proto.h                |   9 +
 7 files changed, 1539 insertions(+), 179 deletions(-)

-- 
2.25.1



* [PATCH v2 01/21] test/security: enable AES-GCM in combined mode TLS
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
                     ` (20 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph, Vidya Sagar Velumuri
  Cc: jerinj, asasidharan, dev

Enable AES-GCM AEAD tests in combined mode TLS test suite.

Coverity issue: 414888
Fixes: 9157ccb8f876 ("test/crypto: verify TLS headers")

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 10 ++++++++--
 app/test/test_security_proto.h                |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index bcb2eba4ff..14a7a2511e 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -116,6 +116,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	} else {
 		mac_len = td->xform.aead.aead.digest_length;
+		roundup_len = 0;
 		exp_nonce_len = 8;
 	}
 
@@ -123,7 +124,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	case RTE_SECURITY_VERSION_TLS_1_2:
 	case RTE_SECURITY_VERSION_TLS_1_3:
 		hdr_len = sizeof(struct rte_tls_hdr);
-		min_padding = 1;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
@@ -139,7 +143,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 	/* Padding */
 	tls_pkt_size += min_padding;
-	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	if (roundup_len)
+		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
 	/* Explicit nonce */
 	tls_pkt_size += exp_nonce_len;
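
Review bot: the if (roundup_len) guard before RTE_ALIGN_MUL_CEIL(), together with the roundup_len = 0 assignment added in the AEAD branch above, reads as a defect fix, and the commit carries Coverity and Fixes tags, yet the commit message only mentions enabling AES-GCM tests. State in the message what the defect was and how these two changes address it, and add a short comment at the guard that roundup_len == 0 means no block alignment is applied for AEAD.
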
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index efa023b99d..5b92daa810 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -27,16 +27,19 @@ static const struct crypto_param aead_list[] = {
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 16,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 24,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 32,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
-- 
2.25.1



* [PATCH v2 02/21] test/security: add TLS 1.2 data walkthrough test
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 03/21] test/security: add DTLS " Aakash Sasidharan
                     ` (19 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph; +Cc: jerinj, vvelumuri, asasidharan, dev

Add data walkthrough test for TLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 90 +++++++++++++++++--
 app/test/test_cryptodev.h                     | 12 ++-
 app/test/test_cryptodev_security_tls_record.c | 25 ++++--
 app/test/test_cryptodev_security_tls_record.h | 41 ++++++++-
 app/test/test_security_proto.c                | 17 ++++
 app/test/test_security_proto.h                |  6 ++
 6 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3b5e784022..c5837ccbdd 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -858,6 +858,8 @@ ipsec_proto_testsuite_setup(void)
 static int
 tls_record_proto_testsuite_setup(void)
 {
+	test_sec_proto_pattern_generate();
+
 	return sec_proto_testsuite_setup(RTE_SECURITY_PROTOCOL_TLS_RECORD);
 }
 
@@ -11958,14 +11960,30 @@ test_tls_record_proto_known_vec_read(const void *test_data)
 static int
 test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 {
+	unsigned int i, nb_pkts = 1, pass_cnt = 0, payload_len, max_payload_len;
 	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
 	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
-	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	switch (flags->tls_version) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+		max_payload_len = TLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		max_payload_len = TLS_1_3_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		max_payload_len = DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	default:
+		max_payload_len = 0;
+	}
+
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts);
+					   td_outb, nb_pkts, payload_len);
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
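Review bot: the 'again:' label inside the for loop turns the payload sweep into a backward goto (the jump is added in the next hunk), which hides the fact that every algorithm is now run once per length from TLS_RECORD_PLAINTEXT_MIN_LEN up to max_payload_len. An explicit inner loop over payload_len would make the iteration count and the exit condition visible. The 'default:' arm of the new switch also sets max_payload_len to 0 silently; failing the test for an unknown tls_version would catch callers that leave the field unset.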
@@ -11983,6 +12001,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_FAILED)
 			return TEST_FAILED;
 
+		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
+			goto again;
+
 		if (flags->display_alg)
 			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
 
@@ -11996,22 +12017,69 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 }
 
 static int
-test_tls_record_proto_display_list(void)
+test_tls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_display_list(void)
 {
 	struct tls_record_test_flags flags;
 
 	memset(&flags, 0, sizeof(flags));
 
 	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
 
 	return test_tls_record_proto_all(&flags);
 }
 
 static int
-test_tls_record_proto_sgl(void)
+test_tls_1_2_record_proto_sgl(void)
 {
 	struct tls_record_test_flags flags = {
-		.nb_segs_in_mbuf = 5
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_display_list(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_sgl(void)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
 	};
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct rte_cryptodev_info dev_info;
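Review bot: test_tls_1_2_record_proto_sgl() and test_dtls_1_2_record_proto_sgl() are identical except for .tls_version, including the RTE_CRYPTODEV_FF_IN_PLACE_SGL check and the skip message, and the two display_list functions differ in the same single field. One helper taking 'enum rte_security_tls_version' per pair would avoid the copies. The log also mentions only the TLS 1.2 walkthrough, while this hunk splits out the DTLS 1.2 display and SGL cases as well; mention that or move it to its own patch.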
@@ -17081,11 +17149,15 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_tls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_tls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17182,11 +17254,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_dtls_1_2_record_proto_display_list),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_dtls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index f27d9697fd..e4e99d00c1 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -5,6 +5,9 @@
 #define TEST_CRYPTODEV_H_
 
 #include <rte_cryptodev.h>
+#ifdef RTE_LIB_SECURITY
+#include "test_security_proto.h"
+#endif
 
 #define HEX_DUMP 0
 
@@ -21,9 +24,16 @@
 #define DEFAULT_NUM_XFORMS              (2)
 #define NUM_MBUFS                       (8191)
 #define MBUF_CACHE_SIZE                 (256)
+
+#ifdef RTE_LIB_SECURITY
+#define MBUF_DATAPAYLOAD_SIZE		RTE_MAX((unsigned int)(4096 + DIGEST_BYTE_LENGTH_SHA512), \
+						TEST_SEC_CIPHERTEXT_MAX_LEN)
+#else
 #define MBUF_DATAPAYLOAD_SIZE		(4096 + DIGEST_BYTE_LENGTH_SHA512)
+#endif
+
 #define MBUF_SIZE			(sizeof(struct rte_mbuf) + \
-		RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
+					RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
 
 #define BYTE_LENGTH(x)				(x/8)
 /* HASH DIGEST LENGTHS */
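Review bot: with RTE_LIB_SECURITY defined, MBUF_DATAPAYLOAD_SIZE grows from (4096 + DIGEST_BYTE_LENGTH_SHA512) to TEST_SEC_CIPHERTEXT_MAX_LEN (18437) for everything built from MBUF_SIZE, not only for the TLS record tests. With NUM_MBUFS at 8191 that is a large increase in pool memory for all cryptodev suites; consider a dedicated pool for the walkthrough tests, or state the new memory requirement in the log. The re-indentation of the MBUF_SIZE continuation line is unrelated whitespace churn.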
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 14a7a2511e..3745c6a0d1 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -62,7 +62,8 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 void
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
-			   struct tls_record_test_data *td_array, int nb_td)
+			   struct tls_record_test_data *td_array,
+			   int nb_td, unsigned int data_len)
 {
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
@@ -76,7 +77,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
@@ -84,7 +88,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.aead.aead.digest_length = param1->digest_length;
 		} else {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
 
 			td->aead = false;
 			td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -96,6 +103,11 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	if (flags->data_walkthrough) {
+		test_sec_proto_pattern_set(td->input_text.data, data_len);
+		td->input_text.len = data_len;
+	}
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
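Review bot: the new 'if (flags->data_walkthrough)' block sits after the loop over td_array has closed, so 'td' refers only to the last entry; with nb_td greater than 1 the earlier entries keep the template payload and length. Move the pattern fill inside the loop. 'td' is also initialised to NULL, so this dereference assumes nb_td is at least 1.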
@@ -221,6 +233,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+
 static int
 tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
 {
@@ -280,13 +293,13 @@ int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 			     struct tls_record_test_data *res_d, bool silent)
 {
+	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
-	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
 	int ret;
 
-	memset(output_text, 0, TLS_RECORD_MAX_LEN);
+	memset(output_text, 0, TEST_SEC_CIPHERTEXT_MAX_LEN);
 
 	/*
 	 * Actual data in packet might be less in error cases, hence take minimum of pkt_len and sum
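Review bot: 'output_text' is now sized by TEST_SEC_CIPHERTEXT_MAX_LEN, and both the memset here and the TEST_ASSERT bound in the next hunk repeat that macro by hand. Using 'sizeof(output_text)' in both places keeps the buffer and its bound from drifting apart the next time the limit changes, which matters because rte_pktmbuf_read() is given this stack buffer as its copy target for 'len' bytes.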
@@ -300,7 +313,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	len = RTE_MIN(len, data_len);
-	TEST_ASSERT(len <= TLS_RECORD_MAX_LEN, "Invalid packet length: %u", len);
+	TEST_ASSERT(len <= TEST_SEC_CIPHERTEXT_MAX_LEN, "Invalid packet length: %u", len);
 
 	/* Copy mbuf payload to continuous buffer */
 	output = rte_pktmbuf_read(m, 0, len, output_text);
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0bd83f88f0..14f73a5073 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -10,7 +10,37 @@
 
 #include "test_security_proto.h"
 
-#define TLS_RECORD_MAX_LEN 16384u
+/* TLS 1.2 Ciphertext length can be up to (2^14 + 2048 + 5 (TLS Header)) Bytes */
+#define TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN  (18437u)
+static_assert(TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.2 Plaintext length can be up to (2^14 + 1024) Bytes */
+#define TLS_1_2_RECORD_PLAINTEXT_MAX_LEN   (17408u)
+static_assert(TLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Ciphertext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN (18437u)
+static_assert(DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Plaintext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN  (17408u)
+static_assert(DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Ciphertext length can be up to (2^14 + 256 + 5 (TLS Header)) Bytes */
+#define TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN  (16645u)
+static_assert(TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Plaintext length can be up to 2^14 Bytes */
+#define TLS_1_3_RECORD_PLAINTEXT_MAX_LEN   (16384u)
+static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+#define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
 struct tls_record_test_data {
 	struct {
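Review bot: the limits are hard-coded decimals (18437u, 17408u, 16645u) whose derivation lives only in the comments; writing them as expressions such as '((1u << 14) + 2048u + sizeof(struct rte_tls_hdr))' would let the static_asserts check the arithmetic too. The DTLS 1.2 ciphertext macro reuses the TLS figure, which the comment derives with a 5 byte TLS header, although the code uses sizeof(struct rte_dtls_hdr) for DTLS; derive it from the DTLS header instead. Also, 2^14 + 1024 is the RFC 5246 limit for TLSCompressed.length, while TLSPlaintext.length is limited to 2^14, so the comment should say which bound the walkthrough is meant to reach.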
@@ -22,12 +52,12 @@ struct tls_record_test_data {
 	} auth_key;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} input_text;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} output_text;
 
@@ -56,6 +86,8 @@ struct tls_record_test_data {
 struct tls_record_test_flags {
 	bool display_alg;
 	int nb_segs_in_mbuf;
+	bool data_walkthrough;
+	enum rte_security_tls_version tls_version;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -89,7 +121,8 @@ void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_ou
 void test_tls_record_td_prepare(const struct crypto_param *param1,
 				const struct crypto_param *param2,
 				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td);
+				struct tls_record_test_data *td_array, int nb_td,
+				unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
diff --git a/app/test/test_security_proto.c b/app/test/test_security_proto.c
index d242c852af..cf40d5fc9a 100644
--- a/app/test/test_security_proto.c
+++ b/app/test/test_security_proto.c
@@ -13,6 +13,8 @@ struct crypto_param_comb sec_alg_list[RTE_DIM(aead_list) +
 
 struct crypto_param_comb sec_auth_only_alg_list[2 * (RTE_DIM(auth_list) - 1)];
 
+static uint8_t cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN];
+
 void
 test_sec_alg_list_populate(void)
 {
@@ -152,3 +154,18 @@ test_sec_alg_display(const struct crypto_param *param1, const struct crypto_para
 	}
 	printf("\n");
 }
+
+void
+test_sec_proto_pattern_generate(void)
+{
+	unsigned int i;
+
+	for (i = 0; i < TEST_SEC_CLEARTEXT_MAX_LEN; i++)
+		cleartext_pattern[i] = (i + 1) & 0xff;
+}
+
+void
+test_sec_proto_pattern_set(uint8_t *buf, int len)
+{
+	rte_memcpy(buf, cleartext_pattern, len);
+}
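Review bot: test_sec_proto_pattern_set() copies 'len' bytes out of cleartext_pattern[] without checking it against TEST_SEC_CLEARTEXT_MAX_LEN, and it takes 'int len' while the caller passes an 'unsigned int data_len'. A length above the pattern size reads past the static array, and a negative value becomes a huge size once it reaches rte_memcpy(). Make the parameter unsigned and reject or clamp 'len > TEST_SEC_CLEARTEXT_MAX_LEN'. A one-line comment on the '(i + 1) & 0xff' pattern would help as well.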
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index 5b92daa810..c737443081 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define TEST_SEC_CLEARTEXT_MAX_LEN  (17408u)
+#define TEST_SEC_CIPHERTEXT_MAX_LEN (18437u)
 #define TEST_SEC_PKTS_MAX 32
 
 struct crypto_param {
@@ -186,4 +188,8 @@ int test_sec_crypto_caps_auth_verify(const struct rte_security_capability *sec_c
 
 void test_sec_alg_display(const struct crypto_param *param1, const struct crypto_param *param2);
 
+void test_sec_proto_pattern_generate(void);
+
+void test_sec_proto_pattern_set(uint8_t *buf, int len);
+
 #endif
-- 
2.25.1



* [PATCH v2 03/21] test/security: add DTLS 1.2 data walkthrough test
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 04/21] test/security: add TLS SG " Aakash Sasidharan
                     ` (18 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add data walkthrough test for DTLS 1.2

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c5837ccbdd..e0695e9eb3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12061,6 +12061,19 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_display_list(void)
 {
@@ -17255,6 +17268,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 3745c6a0d1..92bcbff842 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -143,7 +143,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
-		min_padding = 0;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	default:
 		hdr_len = 0;
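Review bot: after this change the DTLS 1.2 case carries the same 'if (td->aead) min_padding = 0; else min_padding = 1;' as the TLS case, so the assignment can move out of the switch as 'min_padding = td->aead ? 0 : 1;'. The hunk also changes the non-AEAD DTLS minimum padding from 0 to 1, which alters existing DTLS tests and is not part of adding the walkthrough; say so in the log or split it out.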
-- 
2.25.1



* [PATCH v2 04/21] test/security: add TLS SG data walkthrough test
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (2 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 03/21] test/security: add DTLS " Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
                     ` (17 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add multi segment packet data walkthrough test for TLS 1.2
and DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 42 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e0695e9eb3..3591c91130 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11981,6 +11981,8 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+		if (flags->nb_segs_in_mbuf)
+			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
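Review bot: raising the starting payload_len to nb_segs_in_mbuf has no comment explaining why; presumably the aim is at least one byte per segment so the SG walkthrough never asks for an empty segment. Please add a one-line comment stating the intent. The RTE_MAX() here compares an unsigned int with nb_segs_in_mbuf, and the change of that field to uint8_t at the end of this patch looks related; it deserves a word in the log.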
@@ -12061,6 +12063,32 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = tls_version,
+		.data_walkthrough = true
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -12106,6 +12134,12 @@ test_dtls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 #endif
 
 static int
@@ -17171,6 +17205,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17276,6 +17314,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 14f73a5073..34758fb0e1 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -85,7 +85,7 @@ struct tls_record_test_data {
 
 struct tls_record_test_flags {
 	bool display_alg;
-	int nb_segs_in_mbuf;
+	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 };
-- 
2.25.1



* [PATCH v2 05/21] test/security: unit test for TLS packet corruption
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (3 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 04/21] test/security: add TLS SG " Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 06/21] test/security: unit test for custom content verification Aakash Sasidharan
                     ` (16 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add test to verify the corrupted TLS packet header

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 27 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c |  4 +++
 app/test/test_cryptodev_security_tls_record.h |  1 +
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3591c91130..324ef3c276 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12000,8 +12000,13 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
-			return TEST_FAILED;
+		if (flags->pkt_corruption) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+		} else {
+			if (ret == TEST_FAILED)
+				return TEST_FAILED;
+		}
 
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
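Review bot: with pkt_corruption set, any result other than TEST_SUCCESS is accepted, so a failure unrelated to the corrupted header (in setup or outbound processing, for example) makes the negative test pass. Tighten this so the case passes only when the inbound operation itself reports the error for the corrupted record, and fails on every other outcome.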
@@ -12089,6 +12094,20 @@ test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
 }
 
+static int
+test_tls_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
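Review bot: 'ts_params' and 'dev_info' are filled by rte_cryptodev_info_get() but never read in test_tls_record_proto_corrupt_pkt(); drop them, or use them for a capability check as the SGL tests do. The flags also leave .tls_version zero-initialised although test_tls_record_proto_all() switches on it and this case is registered in the TLS 1.2 suite; set '.tls_version = RTE_SECURITY_VERSION_TLS_1_2' explicitly, and use 'true' rather than 1 for the bool .pkt_corruption.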
@@ -17209,6 +17228,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"TLS packet header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 92bcbff842..93ff7f36fa 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -185,6 +185,10 @@ test_tls_record_td_update(struct tls_record_test_data td_inb[],
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
 
+		/* Corrupt the content type in the TLS header of encrypted packet */
+		if (flags->pkt_corruption)
+			td_inb[i].input_text.data[0] = ~td_inb[i].input_text.data[0];
+
 		/* Clear outbound specific flags */
 		td_inb[i].tls_record_xform.options.iv_gen_disable = 0;
 	}
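Review bot: only byte 0 of the record (the content type) is inverted, while the test case is registered as 'TLS packet header corruption'. Either name the case after the content type, or extend the corruption to the version and length fields so that the remaining header bytes are covered by a negative test as well.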
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 34758fb0e1..5faa277740 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -88,6 +88,7 @@ struct tls_record_test_flags {
 	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
+	bool pkt_corruption;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v2 06/21] test/security: unit test for custom content verification
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (4 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
                     ` (15 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit test to verify the TLS header creation with
custom content type

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  3 +++
 app/test/test_cryptodev_security_tls_record.h |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 324ef3c276..5cb878b9ba 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -21,6 +21,7 @@
 #include <rte_ip.h>
 #include <rte_string_fns.h>
 #include <rte_tcp.h>
+#include <rte_tls.h>
 #include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -12108,6 +12109,20 @@ test_tls_record_proto_corrupt_pkt(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
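Review bot: 'ts_params' and 'dev_info' are fetched with rte_cryptodev_info_get() but never read in test_tls_record_proto_custom_content_type(); remove them or use them for a capability check. The flags set only .content_type, leaving .tls_version at zero even though the case is added to the TLS 1.2 suite; set it explicitly.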
@@ -17232,6 +17247,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 93ff7f36fa..9a2af259c9 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -108,6 +108,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->input_text.len = data_len;
 	}
 
+	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+		td->app_type = RTE_TLS_TYPE_MAX;
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
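Review bot: RTE_TLS_TYPE_MAX reads as an enum sentinel rather than a content type, so using it as the 'custom' value needs a comment saying it was chosen because it lies outside the defined types. Like the pattern fill just above it, this assignment is placed after the td_array loop and therefore reaches only the last entry when nb_td is greater than 1.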
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 5faa277740..b707361fb6 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -42,6 +42,14 @@ static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
 
 #define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
+enum tls_record_test_content_type {
+	TLS_RECORD_TEST_CONTENT_TYPE_APP,
+	/* For verifying zero packet length */
+	TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	/* For verifying handling of custom content types */
+	TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+};
+
 struct tls_record_test_data {
 	struct {
 		uint8_t data[32];
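Review bot: TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE and its 'zero packet length' comment are not used anywhere in this patch; introduce the enumerator in the patch that adds the zero length record test so each patch is self-contained. The enum also relies on TLS_RECORD_TEST_CONTENT_TYPE_APP being 0 so that zero-initialised flags mean application data; an explicit '= 0' or a comment would show that this is intentional.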
@@ -89,6 +97,7 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
+	enum tls_record_test_content_type content_type;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v2 07/21] test/cryptodev: allow zero packet length buffers
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (5 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 06/21] test/security: unit test for custom content verification Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
                     ` (14 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Anoob Joseph <anoobj@marvell.com>

The function 'create_segmented_mbuf' is updated to support zero packet
length mbufs. This allows testing of zero packet length payload with TLS
record processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.h | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index e4e99d00c1..7d877ddfe5 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -192,15 +192,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 		int nb_segs, uint8_t pattern) {
 
 	struct rte_mbuf *m = NULL, *mbuf = NULL;
+	int size, t_len, data_len = 0;
 	uint8_t *dst;
-	int data_len = 0;
-	int i, size;
-	int t_len;
-
-	if (pkt_len < 1) {
-		printf("Packet size must be 1 or more (is %d)\n", pkt_len);
-		return NULL;
-	}
 
 	if (nb_segs < 1) {
 		printf("Number of segments must be 1 or more (is %d)\n",
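Review bot: With the `pkt_len < 1` check removed entirely, a negative `pkt_len` is no longer rejected, and because the loop becomes a do/while it will still allocate one segment and run the fill logic with a negative `size`. Only zero needs to be newly allowed, so I would keep a guard for the invalid case, e.g. `if (pkt_len < 0)` with the existing printf and `return NULL`.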
@@ -212,17 +205,17 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 	size = pkt_len;
 
 	/* Create chained mbuf_src and fill it generated data */
-	for (i = 0; size > 0; i++) {
+	do {
 
 		m = rte_pktmbuf_alloc(mbuf_pool);
-		if (i == 0)
-			mbuf = m;
-
 		if (m == NULL) {
 			printf("Cannot create segment for source mbuf");
 			goto fail;
 		}
 
+		if (mbuf == NULL)
+			mbuf = m;
+
 		/* Make sure if tailroom is zeroed */
 		memset(m->buf_addr, pattern, m->buf_len);
 
@@ -239,7 +232,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 
 		size -= data_len;
 
-	}
+	} while (size > 0);
+
 	return mbuf;
 
 fail:
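Review bot: `} while (size > 0);` runs the body exactly once when `pkt_len` is 0, so a caller that passes `nb_segs > 1` with a zero length gets a single empty segment instead of a chain. Please document that behaviour in a comment above `create_segmented_mbuf` (or in the commit message) so the zero-length TLS tests do not assume a multi-segment layout.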
-- 
2.25.1



* [PATCH v2 08/21] test/security: unit test to verify zero TLS records
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (6 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
                     ` (13 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the zero len TLS records. Zero len packets are
allowed when content type is app data while zero packet length with
other content type (such as handshake) would result in an error.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 51 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c |  5 +-
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5cb878b9ba..fa63b9743f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11984,6 +11984,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
 		if (flags->nb_segs_in_mbuf)
 			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
+
+		if (flags->zero_len)
+			payload_len = 0;
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -11992,8 +11995,16 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
+		if (flags->zero_len &&
+		    ((flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE))) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+			goto skip_decrypt;
+		} else if (ret == TEST_FAILED) {
 			return TEST_FAILED;
+		}
 
 		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
 
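Review bot: The three `||` operands in the new `flags->zero_len &&` condition are identical: each one tests `flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE`. This looks like a copy/paste slip. The commit message says zero length should fail for content types other than app data "such as handshake", so either the other two comparisons were meant to name different content types, or the condition should be reduced to a single comparison (or to `content_type != TLS_RECORD_TEST_CONTENT_TYPE_APP`). As written, only the handshake case expects the failure.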
@@ -12009,6 +12020,7 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 				return TEST_FAILED;
 		}
 
+skip_decrypt:
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
 
@@ -12123,6 +12135,35 @@ test_tls_record_proto_custom_content_type(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
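Review bot: In both `test_tls_record_proto_zero_len()` and `test_tls_record_proto_zero_len_non_app()`, `dev_info` is filled by `rte_cryptodev_info_get()` and then never read, and `ts_params` exists only to feed that call. Unless a capability check is planned here, drop the two locals and the call so each function is just the `flags` initializer and the `return test_tls_record_proto_all(&flags);`.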
@@ -17251,6 +17292,14 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
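Review bot: The second test case is named "Zero len TLS record with content type as ctrl", but the function is `test_tls_record_proto_zero_len_non_app` and it sets `TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE`. Please use one term throughout, for example "content type as handshake", so a failing test name points at the content type actually exercised.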
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 9a2af259c9..c5410a4c92 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -103,13 +103,15 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
-	if (flags->data_walkthrough) {
+	if (flags->data_walkthrough || flags->zero_len) {
 		test_sec_proto_pattern_set(td->input_text.data, data_len);
 		td->input_text.len = data_len;
 	}
 
 	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
 		td->app_type = RTE_TLS_TYPE_MAX;
+	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
 	tls_pkt_size = td->input_text.len;
 
@@ -232,6 +234,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	memcpy(&res_d->input_text.data, output_text, len);
 	res_d->input_text.len = len;
+	res_d->output_text.len = td->input_text.len;
 
 	res_d->tls_record_xform.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
 	if (res_d->aead) {
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index b707361fb6..e7ba31c449 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
 	enum tls_record_test_content_type content_type;
+	bool zero_len;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -140,5 +141,4 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 				 struct tls_record_test_data *res_d, bool silent);
-
 #endif
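Review bot: Removing the blank line before `#endif` is an unrelated whitespace change in a patch that otherwise only adds `zero_len`. Please drop this hunk to keep the diff limited to the functional change.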
-- 
2.25.1



* [PATCH v2 09/21] test/security: add unit tests for DTLS-1.2
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (7 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
                     ` (12 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify
1. DTLS record with zero length
2. DTLS record with header corruption
3. DTLS record with content type as custom

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fa63b9743f..72e7fe3769 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12215,6 +12215,67 @@ test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
 }
 
+static int
+test_dtls_1_2_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 #endif
 
 static int
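Review bot: The four new DTLS functions differ only in their `flags` initializer, and each repeats the `ts_params` / `dev_info` / `rte_cryptodev_info_get()` lines whose result is never used. Consider dropping those unused lines, or folding the common body into one helper that takes the flags, so a later change to the DTLS setup does not have to be made in four places.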
@@ -17409,6 +17470,22 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Packet corruption",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v2 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (8 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
                     ` (11 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors for TLS 1.2 and DTLS 1.2 using algos
AES-256-CBC and HMAC-SHA384

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  19 ++
 app/test/test_cryptodev_security_tls_record.h |   2 +
 ...yptodev_security_tls_record_test_vectors.h | 200 ++++++++++++++++++
 3 files changed, 221 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72e7fe3769..95f2377d4d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17273,6 +17273,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Write record known vector AES-256-CBC-SHA256",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17316,6 +17320,11 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17397,6 +17406,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17439,6 +17453,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index e7ba31c449..22572537ef 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -110,6 +110,7 @@ extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_null_cipher_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_chacha20_poly1305;
@@ -118,6 +119,7 @@ extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index f10f28bb96..27b07cd54a 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1129,6 +1129,107 @@ struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x1d, 0xe5, 0x19, 0x18, 0x57, 0xa0, 0xee, 0x79,
+			0x84, 0x61, 0x92, 0x9d, 0x3d, 0xce, 0x42, 0x92,
+			0x4a, 0x98, 0x23, 0x3b, 0xf8, 0xec, 0x29, 0x47,
+			0xb3, 0xae, 0x1f, 0x22, 0xd2, 0x8d, 0xbe, 0x2c,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0xf8, 0xbd, 0x28, 0xf9, 0x4a, 0xde, 0x1d, 0xde,
+			0x8c, 0xf5, 0xe9, 0x49, 0x34, 0x2a, 0x1a, 0xd0,
+			0x0d, 0xe3, 0x64, 0xb2, 0x54, 0xd6, 0xd6, 0x40,
+			0x90, 0x5d, 0x16, 0xc1, 0xf2, 0x77, 0x14, 0x90,
+			0xe6, 0xfa, 0xbc, 0x9d, 0xe2, 0x72, 0x12, 0xec,
+			0xb6, 0x05, 0xec, 0xdd, 0x1d, 0x23, 0xb3, 0x8e,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x44, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x01, 0x00, 0x80,
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+			0x88, 0x41, 0xee, 0x5b, 0x32, 0x1e, 0x85, 0xaf,
+			0x33, 0x7b, 0x59, 0x8a, 0xe9, 0x41, 0x11, 0x6a,
+			0xbb, 0x7d, 0x16, 0x6c, 0xbb, 0x66, 0x5e, 0xf5,
+			0xfb, 0x5f, 0x03, 0xf9, 0x75, 0x7d, 0xb9, 0xff,
+			0x70, 0xc3, 0x4a, 0x19, 0xe5, 0x25, 0xa0, 0x5d,
+			0xad, 0x45, 0xef, 0xce, 0xd8, 0x2a, 0xde, 0xf0,
+			0x0c, 0xca, 0x1c, 0x6b, 0x5a, 0x31, 0x8f, 0x49,
+			0xff, 0x7d, 0xf3, 0x71, 0x15, 0x06, 0x07, 0x9d,
+			0x6a, 0x5f, 0x5c, 0xd8, 0x2a, 0xa5, 0x0e, 0x61,
+			0xde, 0x18, 0x6b, 0x7d, 0xc8, 0x74, 0x58, 0x18,
+			0xf1, 0xac, 0xde, 0xb9, 0x6d, 0x8a, 0x44, 0xad,
+			0x10, 0xf8, 0x63, 0x15, 0xcf, 0x25, 0x2f, 0x82,
+			0x2f, 0xda, 0x74, 0x45, 0x02, 0xda, 0x61, 0x3c,
+			0x2f, 0xf9, 0xa5, 0x92, 0x2a, 0x7c, 0x5e, 0x5d,
+		},
+		.len = 141,
+	},
+	.iv = {
+		.data = {
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_DTLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.dtls_1_2.epoch = 1,
+		.dtls_1_2.seq_no = 1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
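Review bot: The new `dtls_test_data_aes_256_cbc_sha384_hmac` vector has no comment saying how the expected `output_text` was produced. The lengths are self-consistent (13-byte header plus 0x80 bytes gives `.len = 141`, and `.iv` matches the first 16 bytes after the header), but a one-line note naming the reference implementation or tool used to generate the record would let a reviewer reproduce it rather than take the bytes on trust.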
@@ -1494,6 +1595,105 @@ struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x48, 0x70, 0xc7, 0x93, 0x77, 0xe3, 0x4c, 0x8c,
+			0x27, 0x00, 0x64, 0x06, 0x3e, 0xc6, 0x47, 0x64,
+			0xcc, 0xee, 0xa4, 0x9a, 0x1a, 0xe7, 0x3a, 0xc6,
+			0xef, 0xe5, 0xe6, 0x2c, 0x15, 0xe3, 0xac, 0x16,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0x23, 0x95, 0x84, 0x30, 0xaf, 0x2b, 0x07, 0xfe,
+			0x12, 0x83, 0x87, 0x28, 0x2b, 0x38, 0xb9, 0x02,
+			0xc0, 0x27, 0x59, 0x3e, 0xa7, 0xbd, 0xce, 0xcb,
+			0xe1, 0x8a, 0xe9, 0x43, 0x5d, 0xed, 0xb4, 0xf2,
+			0x11, 0x4d, 0x19, 0xbb, 0x0f, 0x1b, 0x76, 0x86,
+			0xfb, 0xb5, 0xda, 0xfd, 0x38, 0xfe, 0x7d, 0x02,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
+			0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x80,
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+			0x1e, 0x5b, 0x1e, 0x50, 0x3e, 0x19, 0x25, 0x41,
+			0x35, 0xc7, 0x7c, 0x14, 0x99, 0x7b, 0x97, 0x80,
+			0x60, 0x9d, 0xf8, 0xf1, 0xac, 0x43, 0x7b, 0x5c,
+			0xb6, 0xe2, 0xc4, 0x8f, 0x3f, 0xd7, 0x1b, 0xd4,
+			0x61, 0x90, 0x40, 0xe3, 0xd5, 0x60, 0xac, 0xee,
+			0x62, 0x53, 0x1f, 0x1f, 0x75, 0xf6, 0x2c, 0xda,
+			0x1a, 0xed, 0x4a, 0x6a, 0x11, 0xeb, 0x9b, 0x1c,
+			0x39, 0x0d, 0x6e, 0x8a, 0xf8, 0x3d, 0x45, 0x08,
+			0x3e, 0x24, 0x17, 0x3e, 0xcf, 0x74, 0xcf, 0x6a,
+			0xcb, 0x37, 0xdf, 0x25, 0xc6, 0xa5, 0xe4, 0x1e,
+			0x53, 0x28, 0x71, 0xcf, 0xac, 0x1e, 0xad, 0x77,
+			0x8c, 0xfc, 0x80, 0x19, 0x9c, 0xcc, 0x00, 0x60,
+			0xc6, 0x82, 0xa0, 0xb8, 0x5e, 0x42, 0xd1, 0xff,
+			0x14, 0x0a, 0x92, 0x5c, 0xde, 0x8a, 0x15, 0x7a,
+		},
+		.len = 133,
+	},
+	.iv = {
+		.data = {
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_2.seq_no = 0x1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
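Review bot: In `tls_test_data_aes_256_cbc_sha384_hmac` the plaintext under the "actual plain text" comment starts with `0x20`, so the string has a leading space that the DTLS vector in the same patch does not have. If that byte is there on purpose to keep `.len = 51`, please say so in the comment; otherwise regenerate the vector without it. Minor style point in the same struct: `.tls_1_2.seq_no = 0x1` here versus `.dtls_1_2.seq_no = 1` in the DTLS vector.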
-- 
2.25.1



* [PATCH v2 11/21] test/security: add DTLS 1.2 anti-replay tests
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (9 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
                     ` (10 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay test for DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 115 ++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 132 ++++++++++--------
 app/test/test_cryptodev_security_tls_record.h |  11 +-
 3 files changed, 188 insertions(+), 70 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 95f2377d4d..904bad39d3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11827,6 +11827,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		.protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
 	};
 
+	if ((tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (sess_type == RTE_SECURITY_TLS_SESS_TYPE_READ))
+		sess_conf.tls_record.dtls_1_2.ar_win_sz = flags->ar_win_size;
+
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
@@ -11851,6 +11855,17 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->ar_win_size &&
+			(sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE)) {
+			sess_conf.tls_record.dtls_1_2.seq_no =
+				td[i].tls_record_xform.dtls_1_2.seq_no;
+			ret = rte_security_session_update(ctx, ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
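Review bot: A failing `rte_security_session_update()` returns `TEST_SKIPPED` from inside the per-packet loop, which reports every update error as "not supported" and hides a real failure in the anti-replay path. Please distinguish the unsupported case from other errors and return `TEST_FAILED` for the latter. Also, the condition checks only `flags->ar_win_size` and the WRITE session type before writing `sess_conf.tls_record.dtls_1_2.seq_no`; adding the same `RTE_SECURITY_VERSION_DTLS_1_2` check used in the earlier hunk would keep the two consistent.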
@@ -11890,17 +11905,19 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_tls_record_status_check(ut_params->op);
+		ret = test_tls_record_status_check(ut_params->op, &td[i]);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		if (res_d != NULL)
 			res_d_tmp = &res_d[i];
 
-		ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp, silent);
-		if (ret != TEST_SUCCESS)
-			goto crypto_op_free;
-
+		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+							   silent);
+			if (ret != TEST_SUCCESS)
+				goto crypto_op_free;
+		}
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
@@ -12190,6 +12207,90 @@ test_dtls_1_2_record_proto_display_list(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_pkt_replay(const uint64_t seq_no[],
+		      bool replayed_pkt[], uint32_t nb_pkts,
+		      struct tls_record_test_flags *flags)
+{
+	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
+	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
+	unsigned int i, idx, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
+					   td_outb, nb_pkts, 0);
+
+		for (idx = 0; idx < nb_pkts; idx++)
+			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
+
+		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		for (idx = 0; idx < nb_pkts; idx++) {
+			td_inb[idx].tls_record_xform.dtls_1_2.ar_win_sz = flags->ar_win_size;
+			/* Set antireplay flag for packets to be dropped */
+			td_inb[idx].ar_packet = replayed_pkt[idx];
+		}
+
+		ret = test_tls_record_proto_process(td_inb, NULL, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay(void)
+{
+	struct tls_record_test_flags flags;
+	uint64_t winsz = 64, seq_no[5];
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+	flags.ar_win_size = winsz;
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	seq_no[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	seq_no[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	seq_no[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	seq_no[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	seq_no[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
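Review bot: `test_dtls_pkt_replay()` indexes `td_outb[]` and `td_inb[]`, both sized `TEST_SEC_PKTS_MAX`, with `idx < nb_pkts` but never checks `nb_pkts` against that bound. The only caller passes 5 today, but the next patch in the series adds more window sizes, so an early `if (nb_pkts > TEST_SEC_PKTS_MAX) return TEST_FAILED;` (or a `TEST_ASSERT`) would be cheap insurance. `replayed_pkt` is only read and could be `const bool []` to match `seq_no`.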
@@ -17505,6 +17606,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Zero len DTLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 64",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index c5410a4c92..907e043ddd 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -12,10 +12,21 @@
 #include "test_security_proto.h"
 
 int
-test_tls_record_status_check(struct rte_crypto_op *op)
+test_tls_record_status_check(struct rte_crypto_op *op,
+			     const struct tls_record_test_data *td)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_READ) &&
+	     td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
 		ret = TEST_FAILED;
 
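Review bot: For a packet marked `ar_packet`, any `RTE_CRYPTO_OP_STATUS_ERROR` is accepted as proof that the replay was rejected, so an unrelated failure on that packet (for example a decrypt or MAC error) would also make the anti-replay test pass. If the PMD exposes a more specific indication for replay drops, check that here; if not, a comment stating the limitation would help. The `else` after `return TEST_FAILED;` is redundant and can be flattened.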
@@ -101,81 +112,80 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.chain.auth.auth.key.length = param2->key_length;
 			td->xform.chain.auth.auth.digest_length = param2->digest_length;
 		}
-	}
-
-	if (flags->data_walkthrough || flags->zero_len) {
-		test_sec_proto_pattern_set(td->input_text.data, data_len);
-		td->input_text.len = data_len;
-	}
-
-	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
-		td->app_type = RTE_TLS_TYPE_MAX;
-	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
-		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
-	tls_pkt_size = td->input_text.len;
+		if (flags->data_walkthrough || flags->zero_len) {
+			test_sec_proto_pattern_set(td->input_text.data, data_len);
+			td->input_text.len = data_len;
+		}
 
-	if (!td->aead) {
-		mac_len = td->xform.chain.auth.auth.digest_length;
-		switch (td->xform.chain.cipher.cipher.algo) {
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			roundup_len = 8;
+		if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+			td->app_type = RTE_TLS_TYPE_MAX;
+		else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+			td->app_type = RTE_TLS_TYPE_HANDSHAKE;
+
+		tls_pkt_size = td->input_text.len;
+
+		if (!td->aead) {
+			mac_len = td->xform.chain.auth.auth.digest_length;
+			switch (td->xform.chain.cipher.cipher.algo) {
+			case RTE_CRYPTO_CIPHER_3DES_CBC:
+				roundup_len = 8;
+				exp_nonce_len = 8;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				roundup_len = 16;
+				exp_nonce_len = 16;
+				break;
+			default:
+				roundup_len = 0;
+				exp_nonce_len = 0;
+				break;
+			}
+		} else {
+			mac_len = td->xform.aead.aead.digest_length;
+			roundup_len = 0;
 			exp_nonce_len = 8;
+		}
+
+		switch (td->tls_record_xform.ver) {
+		case RTE_SECURITY_VERSION_TLS_1_2:
+		case RTE_SECURITY_VERSION_TLS_1_3:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			roundup_len = 16;
-			exp_nonce_len = 16;
+		case RTE_SECURITY_VERSION_DTLS_1_2:
+			hdr_len = sizeof(struct rte_dtls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
 		default:
-			roundup_len = 0;
-			exp_nonce_len = 0;
+			hdr_len = 0;
+			min_padding = 0;
 			break;
 		}
-	} else {
-		mac_len = td->xform.aead.aead.digest_length;
-		roundup_len = 0;
-		exp_nonce_len = 8;
-	}
-
-	switch (td->tls_record_xform.ver) {
-	case RTE_SECURITY_VERSION_TLS_1_2:
-	case RTE_SECURITY_VERSION_TLS_1_3:
-		hdr_len = sizeof(struct rte_tls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	case RTE_SECURITY_VERSION_DTLS_1_2:
-		hdr_len = sizeof(struct rte_dtls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	default:
-		hdr_len = 0;
-		min_padding = 0;
-		break;
-	}
 
-	tls_pkt_size += mac_len;
+		tls_pkt_size += mac_len;
 
-	/* Padding */
-	tls_pkt_size += min_padding;
+		/* Padding */
+		tls_pkt_size += min_padding;
 
-	if (roundup_len)
-		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+		if (roundup_len)
+			tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
-	/* Explicit nonce */
-	tls_pkt_size += exp_nonce_len;
+		/* Explicit nonce */
+		tls_pkt_size += exp_nonce_len;
 
-	/* Add TLS header */
-	tls_pkt_size += hdr_len;
+		/* Add TLS header */
+		tls_pkt_size += hdr_len;
 
-	td->output_text.len = tls_pkt_size;
+		td->output_text.len = tls_pkt_size;
 
-	RTE_SET_USED(flags);
+	}
 }
 
 void
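Review bot: The default arm of switch (td->tls_record_xform.ver) sets hdr_len = 0 and carries on into the size computation, so an unrecognised version still yields an output_text.len, just one with no record header, instead of stopping the preparation. Consider letting the function report this to its caller. The "if (td->aead) min_padding = 0; else min_padding = 1;" pair is also repeated verbatim in the TLS and DTLS arms; it depends only on td->aead and can be set once in the if (!td->aead) / else block above.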
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 22572537ef..e706e38e46 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -89,16 +89,18 @@ struct tls_record_test_data {
 	struct rte_security_tls_record_xform tls_record_xform;
 	uint8_t app_type;
 	bool aead;
+	bool ar_packet;
 };
 
 struct tls_record_test_flags {
 	bool display_alg;
-	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
-	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
-	enum tls_record_test_content_type content_type;
 	bool zero_len;
+	uint8_t nb_segs_in_mbuf;
+	enum rte_security_tls_version tls_version;
+	enum tls_record_test_content_type content_type;
+	int ar_win_size;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
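Review bot: ar_win_size in struct tls_record_test_flags is declared int, but a replay window size is never negative, and the anti-replay test in this series carries the window as uint64_t winsz; an unsigned type here avoids a sign and width conversion at the assignment. The two new fields, ar_packet and ar_win_size, also have no comment saying what they mean to the test (for example whether ar_win_size == 0 means anti-replay is off); a one-line comment on each would help.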
@@ -123,7 +125,8 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
-int test_tls_record_status_check(struct rte_crypto_op *op);
+int test_tls_record_status_check(struct rte_crypto_op *op,
+				 const struct tls_record_test_data *td);
 
 int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_record_xform,
 				    const struct rte_security_capability *sec_cap, bool silent);
-- 
2.25.1



* [PATCH v2 12/21] test/security: add more DTLS anti-replay window sz
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (10 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 13/21] test/crypto: update verification of header Aakash Sasidharan
                     ` (9 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay tests for window sizes 128, 256, 512, 1024,
2048 and 4096 in DTLS 1.2 suite.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c | 72 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 904bad39d3..72d91d23a2 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12259,12 +12259,12 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 }
 
 static int
-test_dtls_1_2_record_proto_antireplay(void)
+test_dtls_1_2_record_proto_antireplay(uint64_t winsz)
 {
 	struct tls_record_test_flags flags;
-	uint64_t winsz = 64, seq_no[5];
 	uint32_t nb_pkts = 5;
 	bool replayed_pkt[5];
+	uint64_t seq_no[5];
 
 	memset(&flags, 0, sizeof(flags));
 
@@ -12291,6 +12291,48 @@ test_dtls_1_2_record_proto_antireplay(void)
 	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
 }
 
+static int
+test_dtls_1_2_record_proto_antireplay64(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(64);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay128(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(128);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay256(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(256);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay512(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(512);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay1024(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(1024);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay2048(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(2048);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay4096(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(4096);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
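Review bot: The seven test_dtls_1_2_record_proto_antireplay<N>() wrappers differ only in the constant they pass to test_dtls_1_2_record_proto_antireplay(). test_cryptodev.c already registers parameterised cases with TEST_CASE_NAMED_WITH_DATA; passing the window size through the data pointer would let a single function serve every size and make adding another size a one-line change in the suite table.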
@@ -17609,7 +17651,31 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Antireplay with window size 64",
 			ut_setup_security, ut_teardown,
-			test_dtls_1_2_record_proto_antireplay),
+			test_dtls_1_2_record_proto_antireplay64),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 128",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay128),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 256",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay256),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 512",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay512),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay1024),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay2048),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay4096),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v2 13/21] test/crypto: update verification of header
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (11 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
                     ` (8 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

In TLS 1.3, the version in the header would be TLS 1.2 and the content
type would be APP irrespective of the type of the payload.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 907e043ddd..498c4923e0 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -275,9 +275,9 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		hdr_len = sizeof(struct rte_tls_hdr);
 	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
 		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
-		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
 			printf("Incorrect header version [expected - %4x, received - %4x]\n",
-			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
 			return TEST_FAILED;
 		}
 		content_type = hdr->type;
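Review bot: The TLS 1.3 branch of tls_record_hdr_verify() now compares hdr->version against RTE_TLS_VERSION_1_2 with nothing in the code saying why. A short comment above the check, stating that a TLS 1.3 record carries the TLS 1.2 version in its header (as the commit message explains), would keep a later reader from changing it back to RTE_TLS_VERSION_1_3.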
@@ -297,10 +297,18 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		return TEST_FAILED;
 	}
 
-	if (content_type != td->app_type) {
-		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
-		       td->app_type, content_type);
-		return TEST_FAILED;
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		if (content_type != RTE_TLS_TYPE_APPDATA) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
+	} else {
+		if (content_type != td->app_type) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
 	}
 
 	if (length != td->output_text.len - hdr_len) {
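Review bot: In the new TLS 1.3 branch the check is content_type != RTE_TLS_TYPE_APPDATA, but the failure message still prints td->app_type as the expected value, so for a handshake or custom app_type the log reports the wrong expectation. Print RTE_TLS_TYPE_APPDATA there. Computing the expected type into a local first would also let both branches share one comparison and one printf.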
-- 
2.25.1



* [PATCH v2 14/21] test/crypto: add TLS 1.3 vectors
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (12 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 13/21] test/crypto: update verification of header Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:17   ` [PATCH v2 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
                     ` (7 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors and test suite for TLS 1.3
AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305.
The vectors are generated using the GnuTLS
client server application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  35 +++
 app/test/test_cryptodev_security_tls_record.h |   3 +
 ...yptodev_security_tls_record_test_vectors.h | 205 ++++++++++++++++++
 3 files changed, 243 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72d91d23a2..aa9fffe50e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17680,6 +17680,40 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 	}
 };
 
+static struct unit_test_suite tls13_record_proto_testsuite  = {
+	.suite_name = "TLS 1.3 Record Protocol Unit Test Suite",
+	.setup = tls_record_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 #define ADD_UPLINK_TESTCASE(data)						\
 	TEST_CASE_NAMED_WITH_DATA(data.test_descr_uplink, ut_setup_security,	\
 	ut_teardown, test_docsis_proto_uplink, (const void *) &data),		\
@@ -18699,6 +18733,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&docsis_proto_testsuite,
 		&tls12_record_proto_testsuite,
 		&dtls12_record_proto_testsuite,
+		&tls13_record_proto_testsuite,
 #endif
 		&end_testsuite
 	};
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index e706e38e46..05bd7a9862 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -124,6 +124,9 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
+extern struct tls_record_test_data tls13_test_data_aes_128_gcm;
+extern struct tls_record_test_data tls13_test_data_aes_256_gcm;
+extern struct tls_record_test_data tls13_test_data_chacha20_poly1305;
 
 int test_tls_record_status_check(struct rte_crypto_op *op,
 				 const struct tls_record_test_data *td);
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index 27b07cd54a..8af17b07e5 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1781,4 +1781,209 @@ struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.app_type = 0x17,
 };
 
+/* TLS 1.3 AES-128-GCM */
+struct tls_record_test_data tls13_test_data_aes_128_gcm = {
+	.key = {
+		.data = {
+			0x03, 0x12, 0xf5, 0x86, 0xe4, 0xd0, 0x27, 0xc7,
+			0x47, 0x82, 0x44, 0xca, 0xd3, 0xce, 0x06, 0x6c,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0x52, 0xb5, 0x24, 0xce, 0x5c, 0x29, 0x0f, 0x0a,
+			0x3a, 0xc0, 0x60, 0xaf, 0xba, 0xe3, 0x0d, 0x28,
+			0x6c, 0xbb, 0x3e, 0x5f, 0xde, 0x4a, 0xcd, 0xf1,
+			0x30, 0x12, 0xa9, 0x42, 0x95, 0x55, 0xf5, 0x2c,
+			0xb7, 0xb6, 0x60, 0x82, 0xa2, 0x1d, 0x34, 0x33,
+			0x0a, 0xd7, 0x48, 0x40, 0xef, 0xab, 0x70, 0xa7,
+			0xb2, 0x58, 0x41, 0xdb, 0xf6, 0x37, 0xe4, 0x6d,
+			0xa3, 0x1e, 0xbf, 0x6f,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0x8d, 0x1f, 0xa0, 0x14, 0xc7, 0x66, 0x9f, 0x93,
+			0x74, 0x3f, 0x46, 0x52,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+/* TLS 1.3 AES-256-GCM */
+struct tls_record_test_data tls13_test_data_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xc9, 0xc2, 0xa2, 0x4c, 0x4e, 0x36, 0x19, 0x6e,
+			0xd8, 0xf5, 0xb9, 0x14, 0x30, 0xfc, 0xe0, 0xef,
+			0x29, 0xb0, 0x00, 0xd1, 0x2d, 0xfc, 0x5a, 0x76,
+			0x50, 0xf4, 0xf3, 0xb1, 0x82, 0x21, 0x57, 0x82,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0xc9, 0xb0, 0x44, 0x23, 0xd5, 0xe2, 0xbd, 0x1d,
+			0xf1, 0x96, 0x53, 0x2c, 0x8c, 0xe2, 0xa3, 0x00,
+			0x7b, 0x2a, 0xb1, 0xa1, 0xd6, 0x79, 0x58, 0xb5,
+			0x35, 0x1f, 0xbb, 0x98, 0x03, 0xe1, 0x82, 0xa2,
+			0x1e, 0x26, 0x81, 0xbe, 0x77, 0x65, 0xaf, 0x7d,
+			0x9f, 0x52, 0xec, 0x3a, 0x18, 0x2d, 0x36, 0xab,
+			0xdc, 0xa9, 0xfb, 0xd3, 0xa8, 0xd5, 0xbc, 0x98,
+			0xa4, 0xab, 0x70, 0xe9,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0xd4, 0x78, 0xf2, 0x90, 0x61, 0x5d, 0x8c, 0x63,
+			0x4b, 0xf4, 0x72, 0xf3,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+struct tls_record_test_data tls13_test_data_chacha20_poly1305 = {
+	.key = {
+		.data = {
+			0xec, 0x7d, 0x7a, 0x3f, 0x91, 0xdd, 0xb9, 0x70,
+			0x95, 0x3b, 0x99, 0xb0, 0xe7, 0x66, 0xda, 0xdc,
+			0x85, 0xbb, 0xfc, 0xc8, 0x50, 0xe9, 0x61, 0x88,
+			0xc8, 0x1e, 0xf0, 0x61, 0xb0, 0xcd, 0x6c, 0x3d,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30,
+			0x2d, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30,
+			0x35, 0x20, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+			0x65, 0x20, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0xa,
+		},
+		.len = 49,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x42,
+			0x9a, 0xc1, 0xd9, 0x0e, 0xf9, 0x4c, 0x51, 0x8c,
+			0xb4, 0xa7, 0x54, 0x57, 0x56, 0xba, 0xbb, 0xf7,
+			0xd7, 0x1d, 0x49, 0x5a, 0x42, 0xd2, 0xab, 0x75,
+			0x3f, 0xb1, 0x5f, 0xb5, 0x2b, 0x2b, 0xa3, 0xc5,
+			0x61, 0x32, 0x7e, 0x62, 0x1e, 0xf5, 0x56, 0xff,
+			0x84, 0x8e, 0x9a, 0x99, 0x06, 0xba, 0x3b, 0xc0,
+			0x15, 0x4c, 0xf5, 0xb1, 0x5e, 0xcc, 0xff, 0x42,
+			0x79, 0x4b, 0xa9, 0x23, 0x16, 0x08, 0xc3, 0x9a,
+			0x52, 0x2a,
+		},
+		.len = 71,
+	},
+	.imp_nonce = {
+		.data = {
+			0x3c, 0x28, 0xa0, 0xb8, 0xf8, 0x74, 0x35, 0xfe,
+			0xd2, 0xa0, 0x31, 0x28,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
 #endif
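Review bot: tls13_test_data_chacha20_poly1305 is missing the leading comment that the two AES-GCM vectors have; add /* TLS 1.3 CHACHA20-POLY1305 */ above it for consistency. All three vectors also set .tls_1_3.seq_no = 0x0, and in TLS 1.3 the per-record nonce is the implicit IV XORed with the sequence number, so the known-vector cases never exercise a non-zero sequence number; one vector captured at a later record would cover that path.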
-- 
2.25.1



* [PATCH v2 15/21] test/crypto: update framework to verify tls-1.3
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (13 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
@ 2024-03-12  7:17   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
                     ` (6 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:17 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Update the fields in preparation of test descriptor.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++---
 app/test/test_cryptodev_security_tls_record.c | 43 ++++++++++++-------
 app/test/test_cryptodev_security_tls_record.h | 10 ++---
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index aa9fffe50e..25777c1b1f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11889,8 +11889,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		/* Copy IV in crypto operation when IV generation is disabled */
-		if (sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE &&
-		    tls_record_xform.options.iv_gen_disable == 1) {
+		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
+		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
+		    (tls_record_xform.options.iv_gen_disable == 1)) {
 			uint8_t *iv;
 			int len;
 
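Review bot: The comment "Copy IV in crypto operation when IV generation is disabled" no longer describes the whole condition now that TLS 1.3 sessions are excluded from it. Extend the comment to say why TLS 1.3 skips the copy; the preparation code in this same patch sets exp_nonce_len = 0 for TLS 1.3, which suggests the reason is that there is no explicit IV to supply, and stating that here would make the exclusion self-explanatory.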
@@ -12005,8 +12006,10 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (flags->zero_len)
 			payload_len = 0;
 again:
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, payload_len);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, payload_len);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
@@ -12218,8 +12221,10 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 	int ret;
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, 0);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, 0);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		for (idx = 0; idx < nb_pkts; idx++)
 			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 498c4923e0..96d0a94731 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -70,7 +70,7 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 	}
 }
 
-void
+int
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array,
@@ -79,6 +79,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
 
+	if ((flags->tls_version == RTE_SECURITY_VERSION_TLS_1_3) &&
+	    (param1->type != RTE_CRYPTO_SYM_XFORM_AEAD))
+		return TEST_SKIPPED;
+
 	memset(td_array, 0, nb_td * sizeof(*td));
 
 	for (i = 0; i < nb_td; i++) {
@@ -88,10 +92,17 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
-				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
-			else
+			switch (flags->tls_version) {
+			case RTE_SECURITY_VERSION_TLS_1_2:
 				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_DTLS_1_2:
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_TLS_1_3:
+				memcpy(td, &tls13_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			}
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
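Review bot: The new switch (flags->tls_version) has no default arm, so for any other version td keeps only the zeroes from the memset and the function goes on to set td->aead and the algorithm fields on an empty template. Add "default: return TEST_SKIPPED;" (or a failure code) here, in line with the later switch (td->tls_record_xform.ver) in this patch, which does return on an unknown version.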
@@ -127,6 +138,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (!td->aead) {
 			mac_len = td->xform.chain.auth.auth.digest_length;
+			min_padding = 1;
 			switch (td->xform.chain.cipher.cipher.algo) {
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 				roundup_len = 8;
@@ -143,30 +155,28 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			}
 		} else {
 			mac_len = td->xform.aead.aead.digest_length;
+			min_padding = 0;
 			roundup_len = 0;
-			exp_nonce_len = 8;
+			if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3)
+				exp_nonce_len = 0;
+			else
+				exp_nonce_len = 8;
 		}
 
 		switch (td->tls_record_xform.ver) {
 		case RTE_SECURITY_VERSION_TLS_1_2:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			break;
 		case RTE_SECURITY_VERSION_TLS_1_3:
 			hdr_len = sizeof(struct rte_tls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
+			/* Add 1 byte for content type in packet */
+			tls_pkt_size += 1;
 			break;
 		case RTE_SECURITY_VERSION_DTLS_1_2:
 			hdr_len = sizeof(struct rte_dtls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
 			break;
 		default:
-			hdr_len = 0;
-			min_padding = 0;
-			break;
+			return TEST_SKIPPED;
 		}
 
 		tls_pkt_size += mac_len;
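Review bot: tls_pkt_size += 1 for the TLS 1.3 content-type byte is done inside the switch that selects hdr_len, away from the other additions (mac_len, padding, explicit nonce, header) that follow it. It gives the right result because roundup_len is 0 on the AEAD path, but keeping it next to the other tls_pkt_size additions would put the whole length computation in one place and keep it correct if the order ever matters. The default arm now returns TEST_SKIPPED from inside the per-descriptor loop; an unknown version at that point indicates a bad template rather than an unsupported algorithm, so a failure return such as TEST_FAILED would be more accurate.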
@@ -186,6 +196,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->output_text.len = tls_pkt_size;
 
 	}
+	return TEST_SUCCESS;
 }
 
 void
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 05bd7a9862..21d25c02bf 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -137,11 +137,11 @@ int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_re
 void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 					struct tls_record_test_data *td_in);
 
-void test_tls_record_td_prepare(const struct crypto_param *param1,
-				const struct crypto_param *param2,
-				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td,
-				unsigned int data_len);
+int test_tls_record_td_prepare(const struct crypto_param *param1,
+			       const struct crypto_param *param2,
+			       const struct tls_record_test_flags *flags,
+			       struct tls_record_test_data *td_array, int nb_td,
+			       unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
-- 
2.25.1



* [PATCH v2 16/21] test/crypto: test to verify hdr corruption in TLS
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (14 preceding siblings ...)
  2024-03-12  7:17   ` [PATCH v2 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
                     ` (5 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with header corruption.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 25777c1b1f..9f0a737913 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12424,6 +12424,20 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_1_3_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
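Review bot: dev_info is filled by rte_cryptodev_info_get() in test_tls_1_3_record_proto_corrupt_pkt() and never read, and ts_params exists only to feed that call. Drop both locals and the call, or use dev_info for whatever capability check it was meant to support.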
@@ -17714,7 +17728,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"Read record known vector CHACHA20-POLY1305",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
-
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v2 17/21] test/crypto: test to verify custom content type in TLS
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (15 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
                     ` (4 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with content type as custom.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9f0a737913..fe4fcfbfdb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12438,6 +12438,21 @@ test_tls_1_3_record_proto_corrupt_pkt(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
@@ -17732,6 +17747,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header with custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
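Review bot: The case name "TLS-1.3 record header with custom content type" does not match what the test can observe: per patch 13 of this series the content type in a TLS 1.3 header is APP irrespective of the payload type, so the custom type never appears in the header. A name such as "TLS-1.3 record with custom content type" would be accurate.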
-- 
2.25.1



* [PATCH v2 18/21] test/crypto: test to verify zero len record in TLS
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (16 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
                     ` (3 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with zero length.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fe4fcfbfdb..8ad5033f32 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12453,6 +12453,37 @@ test_tls_1_3_record_proto_custom_content_type(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_3_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
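Review bot: in both test_tls_1_3_record_proto_zero_len() and test_tls_1_3_record_proto_zero_len_non_app(), dev_info is filled by rte_cryptodev_info_get() and then never read. Either drop the ts_params/dev_info locals and the call, or use the result for a capability check before calling test_tls_record_proto_all(). The two functions differ only in .content_type, so a shared helper taking the content type would remove the duplication.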
@@ -17751,6 +17782,14 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header with custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v2 19/21] test/crypto: unit tests to verify padding in TLS
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (17 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
                     ` (2 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for TLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 85 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 28 ++++--
 app/test/test_cryptodev_security_tls_record.h |  5 +-
 3 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 8ad5033f32..a324c1607b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11834,6 +11834,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
+	if (flags->opt_padding)
+		tls_record_xform.options.extra_padding_enable = 1;
+
 	sess_conf.tls_record = tls_record_xform;
 
 	if (td[0].aead) {
@@ -11888,6 +11891,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->sym->m_dst = NULL;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
+		if (flags->opt_padding)
+			ut_params->op->aux_flags = flags->opt_padding;
+
 		/* Copy IV in crypto operation when IV generation is disabled */
 		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
 		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
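Review bot: the new assignment "ut_params->op->aux_flags = flags->opt_padding;" stores a padding count in a field named as flags, with no comment on its unit. tls_record_hdr_verify() in this same patch multiplies opt_padding by 8, so a one-line comment here stating that the value is in units of 8 bytes would make that link explicit. The "if (flags->opt_padding)" guard also leaves aux_flags at whatever the op held before when padding is 0; assign unconditionally unless the op is known to be zeroed at allocation.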
@@ -11915,7 +11921,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
 			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
-							   silent);
+							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
 		}
@@ -12184,6 +12190,59 @@ test_tls_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_opt_padding(uint8_t padding, uint8_t num_segs,
+				  enum rte_security_tls_version tls_version)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = num_segs,
+		.tls_version = tls_version,
+		.opt_padding = padding
+	};
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 2, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
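Review bot: test_tls_record_proto_opt_padding() feeds num_segs values of 2, 4 and 5 into .nb_segs_in_mbuf but never checks RTE_CRYPTODEV_FF_IN_PLACE_SGL, and dev_info is fetched without being read. The multi-segment tests elsewhere in this series return TEST_SKIPPED when the device lacks that flag; the same check belongs here when num_segs is non-zero, otherwise the SG padding cases will fail instead of skip on devices without scatter-gather support. The _1 and _2 suffixes on the wrappers say nothing about what differs; names that carry the padding value and segment count would read better.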
@@ -17578,6 +17637,30 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Zero len TLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
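Review bot: the entries for test_tls_record_proto_sg_opt_padding_1 and test_tls_record_proto_sg_opt_padding_2 share the name "TLS record SG mode with optional padding > 2 blocks", so a failure report cannot tell them apart. They differ only in segment count (4 versus 5), so put that in the name. It would also help to say what a "block" is in these names, since the wrappers pass raw values 1, 8, 25 and 33.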
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 96d0a94731..03d9efefc3 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -269,7 +269,8 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 }
 
 static int
-tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text,
+		      const struct tls_record_test_flags *flags)
 {
 	uint16_t length, hdr_len;
 	uint8_t content_type;
@@ -322,10 +323,22 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		}
 	}
 
-	if (length != td->output_text.len - hdr_len) {
-		printf("Incorrect packet length [expected - %d, received - %d]\n",
-		       td->output_text.len - hdr_len, length);
-		return TEST_FAILED;
+	if (!flags->opt_padding) {
+		if (length != td->output_text.len - hdr_len) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       td->output_text.len - hdr_len, length);
+			return TEST_FAILED;
+		}
+	} else {
+		int pad_len = (flags->opt_padding * 8) > 256 ? 256 : (flags->opt_padding * 8);
+		int expect_len = td->output_text.len - hdr_len + pad_len;
+
+		if (length - expect_len > 32) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       expect_len, length);
+			return TEST_FAILED;
+		}
+
 	}
 
 	return TEST_SUCCESS;
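Review bot: in the else branch, "if (length - expect_len > 32)" only rejects records that are too long. expect_len is an int, so when length is smaller than expect_len the difference is negative and the check passes, including the case where no optional padding was added at all. Add a lower bound (for example "length < expect_len || length - expect_len > 32"), and name the constants 8, 256 and 32 or comment where they come from. There is also a stray blank line before the closing brace of the else block.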
@@ -333,7 +346,8 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-			     struct tls_record_test_data *res_d, bool silent)
+			     struct tls_record_test_data *res_d, bool silent,
+			     const struct tls_record_test_flags *flags)
 {
 	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
@@ -365,7 +379,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
-		ret = tls_record_hdr_verify(td, output_text);
+		ret = tls_record_hdr_verify(td, output_text, flags);
 		if (ret != TEST_SUCCESS)
 			return ret;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 21d25c02bf..385064157a 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -97,7 +97,9 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	bool pkt_corruption;
 	bool zero_len;
+	bool padding_corruption;
 	uint8_t nb_segs_in_mbuf;
+	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
 	enum tls_record_test_content_type content_type;
 	int ar_win_size;
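Review bot: "bool padding_corruption;" is added to struct tls_record_test_flags, but nothing in this patch sets or reads it. Move the field to the patch that introduces the padding corruption test, or drop it from this one.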
@@ -148,5 +150,6 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_flags *flags);
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-				 struct tls_record_test_data *res_d, bool silent);
+				 struct tls_record_test_data *res_d, bool silent,
+				 const struct tls_record_test_flags *flags);
 #endif
-- 
2.25.1



* [PATCH v2 20/21] test/crypto: unit tests for padding in DTLS-1.2
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (18 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12  7:18   ` [PATCH v2 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for DTLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index a324c1607b..572740cbf9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12483,6 +12483,42 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 static int
 test_tls_1_3_record_proto_corrupt_pkt(void)
 {
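Review bot: test_dtls_1_2_record_proto_sg_opt_padding_max() passes 33 and returns the result of the normal positive flow, so the test only passes if the device accepts the out-of-range value. tls_record_hdr_verify() in 19/21 clamps opt_padding * 8 to 256, which implies clamping rather than rejection is the expected behaviour; a comment saying so would document the contract being tested. The DTLS sg_opt_padding case also uses 5 segments where the TLS one in 19/21 uses 2; say whether that difference is intentional.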
@@ -17824,6 +17860,30 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Antireplay with window size 4096",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_antireplay4096),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
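Review bot: "DTLS record SG mode with optional padding > 2 blocks" is registered twice, for test_dtls_1_2_record_proto_sg_opt_padding_1 and test_dtls_1_2_record_proto_sg_opt_padding_2. Give each a distinct name, for example by including the segment count.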
-- 
2.25.1



* [PATCH v2 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (19 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
@ 2024-03-12  7:18   ` Aakash Sasidharan
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12  7:18 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add TLS 1.2 out-of-place multi-segmented packet test.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 52 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.h |  1 +
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 572740cbf9..1703ebccf1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11873,6 +11873,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
 		pktmbuf_write(ut_params->ibuf, 0, td[i].input_text.len, td[i].input_text.data);
+		if (flags->out_of_place)
+			ut_params->obuf = create_segmented_mbuf(ts_params->mbuf_pool,
+					td[i].output_text.len, nb_segs, 0);
+		else
+			ut_params->obuf = NULL;
 
 		/* Generate crypto op data structure */
 		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
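Review bot: the return value of create_segmented_mbuf() assigned to ut_params->obuf is not checked. If the allocation fails, m_dst is set to NULL and the op runs in place, and then the later "flags->out_of_place ? ut_params->obuf : ut_params->ibuf" selection hands a NULL mbuf to test_tls_record_post_process(), which calls rte_pktmbuf_pkt_len(m) on it. Fail the test through the existing cleanup path when obuf is NULL.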
@@ -11888,7 +11893,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		/* Set crypto operation mbufs */
 		ut_params->op->sym->m_src = ut_params->ibuf;
-		ut_params->op->sym->m_dst = NULL;
+		ut_params->op->sym->m_dst = ut_params->obuf;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		if (flags->opt_padding)
@@ -11920,7 +11925,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
-			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+			struct rte_mbuf *buf = flags->out_of_place ? ut_params->obuf :
+						ut_params->ibuf;
+
+			ret = test_tls_record_post_process(buf, &td[i], res_d_tmp,
 							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
@@ -11929,6 +11937,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
 
+		if (flags->out_of_place) {
+			rte_pktmbuf_free(ut_params->obuf);
+			ut_params->obuf = NULL;
+		}
+
 		rte_pktmbuf_free(ut_params->ibuf);
 		ut_params->ibuf = NULL;
 	}
@@ -11937,6 +11950,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	rte_crypto_op_free(ut_params->op);
 	ut_params->op = NULL;
 
+	if (flags->out_of_place) {
+		rte_pktmbuf_free(ut_params->obuf);
+		ut_params->obuf = NULL;
+	}
+
 	rte_pktmbuf_free(ut_params->ibuf);
 	ut_params->ibuf = NULL;
 
@@ -12127,6 +12145,32 @@ test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_ver
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_oop(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.out_of_place = true,
+		.tls_version = tls_version
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_oop(void)
+{
+	return test_tls_record_proto_sgl_oop(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 {
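Review bot: test_tls_record_proto_sgl_oop() gates on RTE_CRYPTODEV_FF_IN_PLACE_SGL and prints "Device doesn't support in-place scatter-gather", yet the test sets .out_of_place = true. This looks copied from the in-place SGL test. The check should be against the out-of-place scatter-gather capability (RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT) with a matching skip message, otherwise the test can run on a device that cannot do OOP SGL and skip on one that can.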
@@ -17657,6 +17701,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode out of place",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_oop),
 		TEST_CASE_NAMED_ST(
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 385064157a..076568dbf2 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	bool pkt_corruption;
 	bool zero_len;
 	bool padding_corruption;
+	bool out_of_place;
 	uint8_t nb_segs_in_mbuf;
 	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
-- 
2.25.1



* [PATCH v3 00/21] Improvements and new test cases
  2024-03-12  7:17 ` [PATCH v2 " Aakash Sasidharan
                     ` (20 preceding siblings ...)
  2024-03-12  7:18   ` [PATCH v2 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-12 17:51   ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
                       ` (21 more replies)
  21 siblings, 22 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  Cc: gakhil, jerinj, anoobj, vvelumuri, asasidharan, dev

v3:
* Set max packet length for data walkthrough tests to 8k.

v2:
* Rebased.

Aakash Sasidharan (7):
  test/security: enable AES-GCM in combined mode TLS
  test/security: add TLS 1.2 data walkthrough test
  test/security: add DTLS 1.2 data walkthrough test
  test/security: add TLS SG data walkthrough test
  test/security: add DTLS 1.2 anti-replay tests
  test/security: add more DTLS anti-replay window sz
  test/security: add out of place sgl test case for TLS 1.2

Akhil Goyal (2):
  test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  test/crypto: add TLS 1.3 vectors

Anoob Joseph (1):
  test/cryptodev: allow zero packet length buffers

Vidya Sagar Velumuri (11):
  test/security: unit test for TLS packet corruption
  test/security: unit test for custom content verification
  test/security: unit test to verify zero TLS records
  test/security: add unit tests for DTLS-1.2
  test/crypto: update verification of header
  test/crypto: update framework to verify tls-1.3
  test/crypto: test to verify hdr corruption in TLS
  test/crypto: test to verify custom content type in TLS
  test/crypto: test to verify zero len record in TLS
  test/crypto: unit tests to verify padding in TLS
  test/crypto: unit tests for padding in DTLS-1.2

 app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
 app/test/test_cryptodev.h                     |  32 +-
 app/test/test_cryptodev_security_tls_record.c | 203 ++--
 app/test/test_cryptodev_security_tls_record.h |  77 +-
 ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
 app/test/test_security_proto.c                |  17 +
 app/test/test_security_proto.h                |   9 +
 7 files changed, 1539 insertions(+), 179 deletions(-)

-- 
2.25.1



* [PATCH v3 01/21] test/security: enable AES-GCM in combined mode TLS
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
                       ` (20 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph, Vidya Sagar Velumuri
  Cc: jerinj, asasidharan, dev

Enable AES-GCM AEAD tests in combined mode TLS test suite.

Coverity issue: 414888
Fixes: 9157ccb8f876 ("test/crypto: verify TLS headers")

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 10 ++++++++--
 app/test/test_security_proto.h                |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index bcb2eba4ff..14a7a2511e 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -116,6 +116,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	} else {
 		mac_len = td->xform.aead.aead.digest_length;
+		roundup_len = 0;
 		exp_nonce_len = 8;
 	}
 
@@ -123,7 +124,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	case RTE_SECURITY_VERSION_TLS_1_2:
 	case RTE_SECURITY_VERSION_TLS_1_3:
 		hdr_len = sizeof(struct rte_tls_hdr);
-		min_padding = 1;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
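Review bot: the AEAD case is handled only under the TLS 1.2 and TLS 1.3 labels; the RTE_SECURITY_VERSION_DTLS_1_2 branch is not touched by this hunk. If that branch still sets min_padding unconditionally, AES-GCM record sizes for DTLS will include a padding byte that this patch removes for TLS. Setting "min_padding = td->aead ? 0 : 1;" once after the switch would cover every version and replace the four-line if/else.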
@@ -139,7 +143,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 	/* Padding */
 	tls_pkt_size += min_padding;
-	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	if (roundup_len)
+		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
 	/* Explicit nonce */
 	tls_pkt_size += exp_nonce_len;
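Review bot: the "if (roundup_len)" guard is what keeps RTE_ALIGN_MUL_CEIL() from being called with a zero multiple on the AEAD path, which is presumably the Coverity defect the commit log references, but the log only says the AES-GCM tests are being enabled. State the defect being fixed in the commit message, and add a short comment at the guard that AEAD records have no block alignment.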
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index efa023b99d..5b92daa810 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -27,16 +27,19 @@ static const struct crypto_param aead_list[] = {
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 16,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 24,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 32,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
-- 
2.25.1



* [PATCH v3 02/21] test/security: add TLS 1.2 data walkthrough test
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 03/21] test/security: add DTLS " Aakash Sasidharan
                       ` (19 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph; +Cc: jerinj, vvelumuri, asasidharan, dev

Add data walkthrough test for TLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 90 +++++++++++++++++--
 app/test/test_cryptodev.h                     | 12 ++-
 app/test/test_cryptodev_security_tls_record.c | 25 ++++--
 app/test/test_cryptodev_security_tls_record.h | 41 ++++++++-
 app/test/test_security_proto.c                | 17 ++++
 app/test/test_security_proto.h                |  6 ++
 6 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3b5e784022..c5837ccbdd 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -858,6 +858,8 @@ ipsec_proto_testsuite_setup(void)
 static int
 tls_record_proto_testsuite_setup(void)
 {
+	test_sec_proto_pattern_generate();
+
 	return sec_proto_testsuite_setup(RTE_SECURITY_PROTOCOL_TLS_RECORD);
 }
 
@@ -11958,14 +11960,30 @@ test_tls_record_proto_known_vec_read(const void *test_data)
 static int
 test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 {
+	unsigned int i, nb_pkts = 1, pass_cnt = 0, payload_len, max_payload_len;
 	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
 	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
-	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	switch (flags->tls_version) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+		max_payload_len = TLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		max_payload_len = TLS_1_3_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		max_payload_len = DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	default:
+		max_payload_len = 0;
+	}
+
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts);
+					   td_outb, nb_pkts, payload_len);
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
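Review bot: the default arm of the new switch sets max_payload_len = 0 and falls out without a break. With an unrecognised tls_version and data_walkthrough set, the walk then silently runs a single length instead of failing; returning TEST_FAILED there would surface a mis-set flag. The again label introduced in this hunk would also read more clearly as a for loop over payload_len around the prepare and process calls.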
@@ -11983,6 +12001,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_FAILED)
 			return TEST_FAILED;
 
+		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
+			goto again;
+
 		if (flags->display_alg)
 			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
 
@@ -11996,22 +12017,69 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 }
 
 static int
-test_tls_record_proto_display_list(void)
+test_tls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_display_list(void)
 {
 	struct tls_record_test_flags flags;
 
 	memset(&flags, 0, sizeof(flags));
 
 	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
 
 	return test_tls_record_proto_all(&flags);
 }
 
 static int
-test_tls_record_proto_sgl(void)
+test_tls_1_2_record_proto_sgl(void)
 {
 	struct tls_record_test_flags flags = {
-		.nb_segs_in_mbuf = 5
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_display_list(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_sgl(void)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
 	};
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct rte_cryptodev_info dev_info;
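Review bot: test_tls_1_2_record_proto_sgl() and test_dtls_1_2_record_proto_sgl() are copies that differ only in .tls_version, and the same holds for the two display_list functions. A single helper taking an enum rte_security_tls_version argument, with one-line wrappers per version, would avoid carrying the capability check and skip message in several places. The hunk also mixes memset plus field assignment with designated initialisers for the same struct; pick one.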
@@ -17081,11 +17149,15 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_tls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_tls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17182,11 +17254,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_dtls_1_2_record_proto_display_list),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_dtls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index f27d9697fd..e4e99d00c1 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -5,6 +5,9 @@
 #define TEST_CRYPTODEV_H_
 
 #include <rte_cryptodev.h>
+#ifdef RTE_LIB_SECURITY
+#include "test_security_proto.h"
+#endif
 
 #define HEX_DUMP 0
 
@@ -21,9 +24,16 @@
 #define DEFAULT_NUM_XFORMS              (2)
 #define NUM_MBUFS                       (8191)
 #define MBUF_CACHE_SIZE                 (256)
+
+#ifdef RTE_LIB_SECURITY
+#define MBUF_DATAPAYLOAD_SIZE		RTE_MAX((unsigned int)(4096 + DIGEST_BYTE_LENGTH_SHA512), \
+						TEST_SEC_CIPHERTEXT_MAX_LEN)
+#else
 #define MBUF_DATAPAYLOAD_SIZE		(4096 + DIGEST_BYTE_LENGTH_SHA512)
+#endif
+
 #define MBUF_SIZE			(sizeof(struct rte_mbuf) + \
-		RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
+					RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
 
 #define BYTE_LENGTH(x)				(x/8)
 /* HASH DIGEST LENGTHS */
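Review bot: with RTE_LIB_SECURITY defined, MBUF_DATAPAYLOAD_SIZE now becomes at least TEST_SEC_CIPHERTEXT_MAX_LEN for every test that includes this header, not only the TLS walkthrough. With NUM_MBUFS at 8191 that scales the pool's memory footprint for the whole cryptodev test app; state the new size in the commit log, or use a dedicated pool for the large-record tests. The re-indentation of the MBUF_SIZE continuation line is an unrelated whitespace change.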
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 14a7a2511e..3745c6a0d1 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -62,7 +62,8 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 void
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
-			   struct tls_record_test_data *td_array, int nb_td)
+			   struct tls_record_test_data *td_array,
+			   int nb_td, unsigned int data_len)
 {
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
@@ -76,7 +77,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
@@ -84,7 +88,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.aead.aead.digest_length = param1->digest_length;
 		} else {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
 
 			td->aead = false;
 			td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -96,6 +103,11 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	if (flags->data_walkthrough) {
+		test_sec_proto_pattern_set(td->input_text.data, data_len);
+		td->input_text.len = data_len;
+	}
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
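
Review bot: the new `if (flags->data_walkthrough)` block sits after the two closing braces in the context, at function-body indentation, so it appears to run once after the per-entry loop and only touches the `td` left over from the last iteration. If `nb_td` can exceed 1, the other entries keep the template payload and length. Move the block inside the loop, or add a comment stating that walkthrough mode only supports a single entry.
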
@@ -221,6 +233,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+
 static int
 tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
 {
@@ -280,13 +293,13 @@ int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 			     struct tls_record_test_data *res_d, bool silent)
 {
+	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
-	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
 	int ret;
 
-	memset(output_text, 0, TLS_RECORD_MAX_LEN);
+	memset(output_text, 0, TEST_SEC_CIPHERTEXT_MAX_LEN);
 
 	/*
 	 * Actual data in packet might be less in error cases, hence take minimum of pkt_len and sum
@@ -300,7 +313,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	len = RTE_MIN(len, data_len);
-	TEST_ASSERT(len <= TLS_RECORD_MAX_LEN, "Invalid packet length: %u", len);
+	TEST_ASSERT(len <= TEST_SEC_CIPHERTEXT_MAX_LEN, "Invalid packet length: %u", len);
 
 	/* Copy mbuf payload to continuous buffer */
 	output = rte_pktmbuf_read(m, 0, len, output_text);
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0bd83f88f0..80b1c58d03 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -10,7 +10,37 @@
 
 #include "test_security_proto.h"
 
-#define TLS_RECORD_MAX_LEN 16384u
+/* TLS 1.2 Ciphertext length can be up to (2^14 + 2048 + 5 (TLS Header)) Bytes */
+#define TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN  (9216u)
+static_assert(TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.2 Plaintext length can be up to (2^14 + 1024) Bytes */
+#define TLS_1_2_RECORD_PLAINTEXT_MAX_LEN   (8192u)
+static_assert(TLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Ciphertext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN (9216u)
+static_assert(DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Plaintext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN  (8192u)
+static_assert(DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Ciphertext length can be up to (2^14 + 256 + 5 (TLS Header)) Bytes */
+#define TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN  (9216u)
+static_assert(TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Plaintext length can be up to 2^14 Bytes */
+#define TLS_1_3_RECORD_PLAINTEXT_MAX_LEN   (8192u)
+static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+#define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
 struct tls_record_test_data {
 	struct {
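
Review bot: the comments and the values disagree. `TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN` is documented as up to 2^14 + 2048 + 5 bytes but defined as 9216u, and the plaintext limits are documented as 2^14 (+ 1024) bytes but defined as 8192u; both values are below 2^14 = 16384. If 9216/8192 are deliberate test limits, say so in the comments, because as written the reader is told these are the protocol maxima. The removed `TLS_RECORD_MAX_LEN` was 16384u, so this also lowers the largest record the test buffers can hold, which deserves a line in the commit message.
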
@@ -22,12 +52,12 @@ struct tls_record_test_data {
 	} auth_key;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} input_text;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} output_text;
 
@@ -56,6 +86,8 @@ struct tls_record_test_data {
 struct tls_record_test_flags {
 	bool display_alg;
 	int nb_segs_in_mbuf;
+	bool data_walkthrough;
+	enum rte_security_tls_version tls_version;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -89,7 +121,8 @@ void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_ou
 void test_tls_record_td_prepare(const struct crypto_param *param1,
 				const struct crypto_param *param2,
 				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td);
+				struct tls_record_test_data *td_array, int nb_td,
+				unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
diff --git a/app/test/test_security_proto.c b/app/test/test_security_proto.c
index d242c852af..cf40d5fc9a 100644
--- a/app/test/test_security_proto.c
+++ b/app/test/test_security_proto.c
@@ -13,6 +13,8 @@ struct crypto_param_comb sec_alg_list[RTE_DIM(aead_list) +
 
 struct crypto_param_comb sec_auth_only_alg_list[2 * (RTE_DIM(auth_list) - 1)];
 
+static uint8_t cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN];
+
 void
 test_sec_alg_list_populate(void)
 {
@@ -152,3 +154,18 @@ test_sec_alg_display(const struct crypto_param *param1, const struct crypto_para
 	}
 	printf("\n");
 }
+
+void
+test_sec_proto_pattern_generate(void)
+{
+	unsigned int i;
+
+	for (i = 0; i < TEST_SEC_CLEARTEXT_MAX_LEN; i++)
+		cleartext_pattern[i] = (i + 1) & 0xff;
+}
+
+void
+test_sec_proto_pattern_set(uint8_t *buf, int len)
+{
+	rte_memcpy(buf, cleartext_pattern, len);
+}
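
Review bot: `test_sec_proto_pattern_set()` copies `len` bytes out of `cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN]` without any bound check, and `len` is a signed `int` while the caller in test_tls_record_td_prepare() passes an `unsigned int data_len`. A value above TEST_SEC_CLEARTEXT_MAX_LEN reads past the static array, and a negative value converts to a very large size in `rte_memcpy`. Make the parameter `unsigned int` and assert or reject `len > TEST_SEC_CLEARTEXT_MAX_LEN` before the copy.
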
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index 5b92daa810..22a298e6ca 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define TEST_SEC_CLEARTEXT_MAX_LEN  (8192u)
+#define TEST_SEC_CIPHERTEXT_MAX_LEN (9216u)
 #define TEST_SEC_PKTS_MAX 32
 
 struct crypto_param {
@@ -186,4 +188,8 @@ int test_sec_crypto_caps_auth_verify(const struct rte_security_capability *sec_c
 
 void test_sec_alg_display(const struct crypto_param *param1, const struct crypto_param *param2);
 
+void test_sec_proto_pattern_generate(void);
+
+void test_sec_proto_pattern_set(uint8_t *buf, int len);
+
 #endif
-- 
2.25.1



* [PATCH v3 03/21] test/security: add DTLS 1.2 data walkthrough test
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 04/21] test/security: add TLS SG " Aakash Sasidharan
                       ` (18 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add data walkthrough test for DTLS 1.2

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c5837ccbdd..e0695e9eb3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12061,6 +12061,19 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_display_list(void)
 {
@@ -17255,6 +17268,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 3745c6a0d1..92bcbff842 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -143,7 +143,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
-		min_padding = 0;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	default:
 		hdr_len = 0;
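
Review bot: setting `min_padding` to 1 for the non-AEAD DTLS 1.2 case changes how test_tls_record_td_prepare() computes padding for every DTLS 1.2 cipher+auth test, not only the new walkthrough case, yet the commit message only mentions adding a walkthrough test. Either split this into its own fix with a short justification or describe the padding correction in the log.
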
-- 
2.25.1



* [PATCH v3 04/21] test/security: add TLS SG data walkthrough test
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (2 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 03/21] test/security: add DTLS " Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
                       ` (17 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add multi segment packet data walkthrough test for TLS 1.2
and DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 42 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e0695e9eb3..3591c91130 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11981,6 +11981,8 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+		if (flags->nb_segs_in_mbuf)
+			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
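
Review bot: the reason for raising `payload_len` to `flags->nb_segs_in_mbuf` is not stated; presumably each segment needs at least one byte of payload. Add a one-line comment saying so. The `if (flags->nb_segs_in_mbuf)` guard is also redundant, since `payload_len` starts at TLS_RECORD_PLAINTEXT_MIN_LEN and `RTE_MAX()` with 0 leaves it unchanged.
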
@@ -12061,6 +12063,32 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = tls_version,
+		.data_walkthrough = true
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -12106,6 +12134,12 @@ test_dtls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 #endif
 
 static int
@@ -17171,6 +17205,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17276,6 +17314,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 80b1c58d03..c36e6b35c1 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -85,7 +85,7 @@ struct tls_record_test_data {
 
 struct tls_record_test_flags {
 	bool display_alg;
-	int nb_segs_in_mbuf;
+	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 };
-- 
2.25.1



* [PATCH v3 05/21] test/security: unit test for TLS packet corruption
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (3 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 04/21] test/security: add TLS SG " Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 06/21] test/security: unit test for custom content verification Aakash Sasidharan
                       ` (16 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add test to verify the corrupted TLS packet header

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 27 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c |  4 +++
 app/test/test_cryptodev_security_tls_record.h |  1 +
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3591c91130..324ef3c276 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12000,8 +12000,13 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
-			return TEST_FAILED;
+		if (flags->pkt_corruption) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+		} else {
+			if (ret == TEST_FAILED)
+				return TEST_FAILED;
+		}
 
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
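
Review bot: in the `flags->pkt_corruption` branch every result other than TEST_SUCCESS counts as a pass, so a failure unrelated to the corrupted header (for example in session or mbuf setup) would also satisfy the test. Consider checking that the failure is the expected one, such as an error status on the processed operation, instead of accepting any non-success return.
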
@@ -12089,6 +12094,20 @@ test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
 }
 
+static int
+test_tls_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
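
Review bot: `dev_info` is filled by `rte_cryptodev_info_get()` and then never read in `test_tls_record_proto_corrupt_pkt()`; unlike the SGL walkthrough test, no feature flag is checked here. Drop `ts_params`, `dev_info` and the call, and initialise the `bool` field with `true` rather than `1`.
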
@@ -17209,6 +17228,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"TLS packet header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 92bcbff842..93ff7f36fa 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -185,6 +185,10 @@ test_tls_record_td_update(struct tls_record_test_data td_inb[],
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
 
+		/* Corrupt the content type in the TLS header of encrypted packet */
+		if (flags->pkt_corruption)
+			td_inb[i].input_text.data[0] = ~td_inb[i].input_text.data[0];
+
 		/* Clear outbound specific flags */
 		td_inb[i].tls_record_xform.options.iv_gen_disable = 0;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index c36e6b35c1..bdc3488935 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -88,6 +88,7 @@ struct tls_record_test_flags {
 	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
+	bool pkt_corruption;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v3 06/21] test/security: unit test for custom content verification
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (4 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
                       ` (15 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit test to verify the TLS header creation with
custom content type

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  3 +++
 app/test/test_cryptodev_security_tls_record.h |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 324ef3c276..5cb878b9ba 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -21,6 +21,7 @@
 #include <rte_ip.h>
 #include <rte_string_fns.h>
 #include <rte_tcp.h>
+#include <rte_tls.h>
 #include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -12108,6 +12109,20 @@ test_tls_record_proto_corrupt_pkt(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -17232,6 +17247,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 93ff7f36fa..9a2af259c9 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -108,6 +108,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->input_text.len = data_len;
 	}
 
+	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+		td->app_type = RTE_TLS_TYPE_MAX;
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
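
Review bot: `td->app_type = RTE_TLS_TYPE_MAX` uses what, by its name, is the upper-bound sentinel of the content type enum as the "custom" content type. The test depends on that value never being a defined type, which the code does not say. Add a comment stating that any value outside the defined types is intended, or introduce a dedicated test constant for the custom type.
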
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index bdc3488935..d6c74ce54c 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -42,6 +42,14 @@ static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
 
 #define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
+enum tls_record_test_content_type {
+	TLS_RECORD_TEST_CONTENT_TYPE_APP,
+	/* For verifying zero packet length */
+	TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	/* For verifying handling of custom content types */
+	TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+};
+
 struct tls_record_test_data {
 	struct {
 		uint8_t data[32];
@@ -89,6 +97,7 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
+	enum tls_record_test_content_type content_type;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v3 07/21] test/cryptodev: allow zero packet length buffers
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (5 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 06/21] test/security: unit test for custom content verification Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
                       ` (14 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Anoob Joseph <anoobj@marvell.com>

The function 'create_segmented_mbuf' is updated to support zero packet
length mbufs. This allows testing of zero packet length payload with TLS
record processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.h | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index e4e99d00c1..7d877ddfe5 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -192,15 +192,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 		int nb_segs, uint8_t pattern) {
 
 	struct rte_mbuf *m = NULL, *mbuf = NULL;
+	int size, t_len, data_len = 0;
 	uint8_t *dst;
-	int data_len = 0;
-	int i, size;
-	int t_len;
-
-	if (pkt_len < 1) {
-		printf("Packet size must be 1 or more (is %d)\n", pkt_len);
-		return NULL;
-	}
 
 	if (nb_segs < 1) {
 		printf("Number of segments must be 1 or more (is %d)\n",
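
Review bot: removing the `pkt_len < 1` check to allow zero also lets a negative `pkt_len` through, since the parameter is a signed `int`. With the `do { ... } while (size > 0)` loop introduced in the next hunk, a negative value still runs the body once and allocates a segment. Keep a guard for `pkt_len < 0` that prints the error and returns NULL as before.
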
@@ -212,17 +205,17 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 	size = pkt_len;
 
 	/* Create chained mbuf_src and fill it generated data */
-	for (i = 0; size > 0; i++) {
+	do {
 
 		m = rte_pktmbuf_alloc(mbuf_pool);
-		if (i == 0)
-			mbuf = m;
-
 		if (m == NULL) {
 			printf("Cannot create segment for source mbuf");
 			goto fail;
 		}
 
+		if (mbuf == NULL)
+			mbuf = m;
+
 		/* Make sure if tailroom is zeroed */
 		memset(m->buf_addr, pattern, m->buf_len);
 
@@ -239,7 +232,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 
 		size -= data_len;
 
-	}
+	} while (size > 0);
+
 	return mbuf;
 
 fail:
-- 
2.25.1



* [PATCH v3 08/21] test/security: unit test to verify zero TLS records
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (6 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
                       ` (13 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the zero len TLS records. Zero len packets are
allowed when content type is app data while zero packet length with
other content type (such as handshake) would result in an error.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 51 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c |  5 +-
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5cb878b9ba..fa63b9743f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11984,6 +11984,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
 		if (flags->nb_segs_in_mbuf)
 			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
+
+		if (flags->zero_len)
+			payload_len = 0;
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -11992,8 +11995,16 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
+		if (flags->zero_len &&
+		    ((flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE))) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+			goto skip_decrypt;
+		} else if (ret == TEST_FAILED) {
 			return TEST_FAILED;
+		}
 
 		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
 
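
Review bot: the new condition compares `flags->content_type` with `TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE` three times in a row. Either the second and third operands were meant to be other non-application content types, or the expression should collapse to a single comparison; as written the two extra clauses are dead code. Please fix whichever was intended and, if other content types were meant, add them to `enum tls_record_test_content_type` in the same patch.
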
@@ -12009,6 +12020,7 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 				return TEST_FAILED;
 		}
 
+skip_decrypt:
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
 
@@ -12123,6 +12135,35 @@ test_tls_record_proto_custom_content_type(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -17251,6 +17292,14 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 9a2af259c9..c5410a4c92 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -103,13 +103,15 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
-	if (flags->data_walkthrough) {
+	if (flags->data_walkthrough || flags->zero_len) {
 		test_sec_proto_pattern_set(td->input_text.data, data_len);
 		td->input_text.len = data_len;
 	}
 
 	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
 		td->app_type = RTE_TLS_TYPE_MAX;
+	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
 	tls_pkt_size = td->input_text.len;
 
@@ -232,6 +234,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	memcpy(&res_d->input_text.data, output_text, len);
 	res_d->input_text.len = len;
+	res_d->output_text.len = td->input_text.len;
 
 	res_d->tls_record_xform.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
 	if (res_d->aead) {
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index d6c74ce54c..102fbc1e69 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
 	enum tls_record_test_content_type content_type;
+	bool zero_len;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -140,5 +141,4 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 				 struct tls_record_test_data *res_d, bool silent);
-
 #endif
-- 
2.25.1



* [PATCH v3 09/21] test/security: add unit tests for DTLS-1.2
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (7 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
                       ` (12 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify
1. DTLS record with zero length
2. DTLS record with header corruption
3. DTLS record with content type as custom

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fa63b9743f..72e7fe3769 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12215,6 +12215,67 @@ test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
 }
 
+static int
+test_dtls_1_2_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 #endif
 
 static int
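Review bot: in all four new functions, `ts_params` and `dev_info` are declared and filled by `rte_cryptodev_info_get()`, but nothing reads `dev_info` afterwards; each function goes straight to `test_tls_record_proto_all(&flags)`. Drop the two declarations and the call, or use `dev_info` for a capability check that returns TEST_SKIPPED where the device cannot run the case. The bool fields `.pkt_corruption` and `.zero_len` would also read better initialised with `true` than with `1`.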
@@ -17409,6 +17470,22 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Packet corruption",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
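Review bot: the last case is named "Zero len DTLS record with content type as ctrl", but the function it registers, `test_dtls_1_2_record_proto_zero_len_non_app`, sets `.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE`. Name the case after what it actually sends (handshake) so a failure in the test log points at the right record type.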
-- 
2.25.1



* [PATCH v3 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (8 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
                       ` (11 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors for TLS 1.2 and DTLS 1.2 using algos
AES-256-CBC and HMAC-SHA384

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  19 ++
 app/test/test_cryptodev_security_tls_record.h |   2 +
 ...yptodev_security_tls_record_test_vectors.h | 200 ++++++++++++++++++
 3 files changed, 221 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72e7fe3769..95f2377d4d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17273,6 +17273,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Write record known vector AES-256-CBC-SHA256",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17316,6 +17320,11 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17397,6 +17406,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17439,6 +17453,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 102fbc1e69..b43d8a16f2 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -110,6 +110,7 @@ extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_null_cipher_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_chacha20_poly1305;
@@ -118,6 +119,7 @@ extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index f10f28bb96..27b07cd54a 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1129,6 +1129,107 @@ struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x1d, 0xe5, 0x19, 0x18, 0x57, 0xa0, 0xee, 0x79,
+			0x84, 0x61, 0x92, 0x9d, 0x3d, 0xce, 0x42, 0x92,
+			0x4a, 0x98, 0x23, 0x3b, 0xf8, 0xec, 0x29, 0x47,
+			0xb3, 0xae, 0x1f, 0x22, 0xd2, 0x8d, 0xbe, 0x2c,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0xf8, 0xbd, 0x28, 0xf9, 0x4a, 0xde, 0x1d, 0xde,
+			0x8c, 0xf5, 0xe9, 0x49, 0x34, 0x2a, 0x1a, 0xd0,
+			0x0d, 0xe3, 0x64, 0xb2, 0x54, 0xd6, 0xd6, 0x40,
+			0x90, 0x5d, 0x16, 0xc1, 0xf2, 0x77, 0x14, 0x90,
+			0xe6, 0xfa, 0xbc, 0x9d, 0xe2, 0x72, 0x12, 0xec,
+			0xb6, 0x05, 0xec, 0xdd, 0x1d, 0x23, 0xb3, 0x8e,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x44, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x01, 0x00, 0x80,
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+			0x88, 0x41, 0xee, 0x5b, 0x32, 0x1e, 0x85, 0xaf,
+			0x33, 0x7b, 0x59, 0x8a, 0xe9, 0x41, 0x11, 0x6a,
+			0xbb, 0x7d, 0x16, 0x6c, 0xbb, 0x66, 0x5e, 0xf5,
+			0xfb, 0x5f, 0x03, 0xf9, 0x75, 0x7d, 0xb9, 0xff,
+			0x70, 0xc3, 0x4a, 0x19, 0xe5, 0x25, 0xa0, 0x5d,
+			0xad, 0x45, 0xef, 0xce, 0xd8, 0x2a, 0xde, 0xf0,
+			0x0c, 0xca, 0x1c, 0x6b, 0x5a, 0x31, 0x8f, 0x49,
+			0xff, 0x7d, 0xf3, 0x71, 0x15, 0x06, 0x07, 0x9d,
+			0x6a, 0x5f, 0x5c, 0xd8, 0x2a, 0xa5, 0x0e, 0x61,
+			0xde, 0x18, 0x6b, 0x7d, 0xc8, 0x74, 0x58, 0x18,
+			0xf1, 0xac, 0xde, 0xb9, 0x6d, 0x8a, 0x44, 0xad,
+			0x10, 0xf8, 0x63, 0x15, 0xcf, 0x25, 0x2f, 0x82,
+			0x2f, 0xda, 0x74, 0x45, 0x02, 0xda, 0x61, 0x3c,
+			0x2f, 0xf9, 0xa5, 0x92, 0x2a, 0x7c, 0x5e, 0x5d,
+		},
+		.len = 141,
+	},
+	.iv = {
+		.data = {
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_DTLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.dtls_1_2.epoch = 1,
+		.dtls_1_2.seq_no = 1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
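Review bot: the new `dtls_test_data_aes_256_cbc_sha384_hmac` vector carries no comment saying how the expected `.output_text` was produced, so it cannot be reproduced or cross-checked independently. Add a short comment naming the reference implementation or tool used. The values are internally consistent: 51 bytes of plaintext plus the 48-byte MAC and padding round up to 112, the 16-byte IV brings that to the 0x0080 length in the header, and the 13 header bytes give `.len = 141`; `.iv.data` repeats the first 16 bytes after the header.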
@@ -1494,6 +1595,105 @@ struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x48, 0x70, 0xc7, 0x93, 0x77, 0xe3, 0x4c, 0x8c,
+			0x27, 0x00, 0x64, 0x06, 0x3e, 0xc6, 0x47, 0x64,
+			0xcc, 0xee, 0xa4, 0x9a, 0x1a, 0xe7, 0x3a, 0xc6,
+			0xef, 0xe5, 0xe6, 0x2c, 0x15, 0xe3, 0xac, 0x16,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0x23, 0x95, 0x84, 0x30, 0xaf, 0x2b, 0x07, 0xfe,
+			0x12, 0x83, 0x87, 0x28, 0x2b, 0x38, 0xb9, 0x02,
+			0xc0, 0x27, 0x59, 0x3e, 0xa7, 0xbd, 0xce, 0xcb,
+			0xe1, 0x8a, 0xe9, 0x43, 0x5d, 0xed, 0xb4, 0xf2,
+			0x11, 0x4d, 0x19, 0xbb, 0x0f, 0x1b, 0x76, 0x86,
+			0xfb, 0xb5, 0xda, 0xfd, 0x38, 0xfe, 0x7d, 0x02,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
+			0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x80,
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+			0x1e, 0x5b, 0x1e, 0x50, 0x3e, 0x19, 0x25, 0x41,
+			0x35, 0xc7, 0x7c, 0x14, 0x99, 0x7b, 0x97, 0x80,
+			0x60, 0x9d, 0xf8, 0xf1, 0xac, 0x43, 0x7b, 0x5c,
+			0xb6, 0xe2, 0xc4, 0x8f, 0x3f, 0xd7, 0x1b, 0xd4,
+			0x61, 0x90, 0x40, 0xe3, 0xd5, 0x60, 0xac, 0xee,
+			0x62, 0x53, 0x1f, 0x1f, 0x75, 0xf6, 0x2c, 0xda,
+			0x1a, 0xed, 0x4a, 0x6a, 0x11, 0xeb, 0x9b, 0x1c,
+			0x39, 0x0d, 0x6e, 0x8a, 0xf8, 0x3d, 0x45, 0x08,
+			0x3e, 0x24, 0x17, 0x3e, 0xcf, 0x74, 0xcf, 0x6a,
+			0xcb, 0x37, 0xdf, 0x25, 0xc6, 0xa5, 0xe4, 0x1e,
+			0x53, 0x28, 0x71, 0xcf, 0xac, 0x1e, 0xad, 0x77,
+			0x8c, 0xfc, 0x80, 0x19, 0x9c, 0xcc, 0x00, 0x60,
+			0xc6, 0x82, 0xa0, 0xb8, 0x5e, 0x42, 0xd1, 0xff,
+			0x14, 0x0a, 0x92, 0x5c, 0xde, 0x8a, 0x15, 0x7a,
+		},
+		.len = 133,
+	},
+	.iv = {
+		.data = {
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_2.seq_no = 0x1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
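Review bot: under the comment `/* actual plain text */`, `.input_text.data` starts with 0x20, so the TLS plaintext is the sentence with a leading space, unlike the DTLS vector, which starts at 0x54. If the space is there to keep `.len` at 51, say so in the comment; otherwise it reads like a copy error. `.tls_1_2.seq_no = 0x1` is also written in hex where the DTLS vector uses decimal `1`; pick one form.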
-- 
2.25.1



* [PATCH v3 11/21] test/security: add DTLS 1.2 anti-replay tests
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (9 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
                       ` (10 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay test for DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 115 ++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 132 ++++++++++--------
 app/test/test_cryptodev_security_tls_record.h |  11 +-
 3 files changed, 188 insertions(+), 70 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 95f2377d4d..904bad39d3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11827,6 +11827,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		.protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
 	};
 
+	if ((tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (sess_type == RTE_SECURITY_TLS_SESS_TYPE_READ))
+		sess_conf.tls_record.dtls_1_2.ar_win_sz = flags->ar_win_size;
+
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
@@ -11851,6 +11855,17 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->ar_win_size &&
+			(sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE)) {
+			sess_conf.tls_record.dtls_1_2.seq_no =
+				td[i].tls_record_xform.dtls_1_2.seq_no;
+			ret = rte_security_session_update(ctx, ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
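Review bot: when `rte_security_session_update()` fails, the loop returns `TEST_SKIPPED` directly, so a real failure to set the sequence number is reported the same way as an unsupported feature, and the return bypasses the `crypto_op_free` exit that the other error paths in this loop use. Return TEST_SKIPPED only for the not-supported case and treat other errors as TEST_FAILED through the common exit. The guard also writes `dtls_1_2.seq_no` on `flags->ar_win_size` alone; add the `RTE_SECURITY_VERSION_DTLS_1_2` check used in the hunk above.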
@@ -11890,17 +11905,19 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_tls_record_status_check(ut_params->op);
+		ret = test_tls_record_status_check(ut_params->op, &td[i]);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		if (res_d != NULL)
 			res_d_tmp = &res_d[i];
 
-		ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp, silent);
-		if (ret != TEST_SUCCESS)
-			goto crypto_op_free;
-
+		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+							   silent);
+			if (ret != TEST_SUCCESS)
+				goto crypto_op_free;
+		}
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
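Review bot: the new `if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS)` guard skips `test_tls_record_post_process()` for any op that did not succeed, without saying why. That path should only be reachable for packets that are expected to be dropped, since `test_tls_record_status_check()` is called just before it; testing `td[i].ar_packet` here, or adding a one-line comment, would make that intent explicit.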
@@ -12190,6 +12207,90 @@ test_dtls_1_2_record_proto_display_list(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_pkt_replay(const uint64_t seq_no[],
+		      bool replayed_pkt[], uint32_t nb_pkts,
+		      struct tls_record_test_flags *flags)
+{
+	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
+	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
+	unsigned int i, idx, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
+					   td_outb, nb_pkts, 0);
+
+		for (idx = 0; idx < nb_pkts; idx++)
+			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
+
+		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		for (idx = 0; idx < nb_pkts; idx++) {
+			td_inb[idx].tls_record_xform.dtls_1_2.ar_win_sz = flags->ar_win_size;
+			/* Set antireplay flag for packets to be dropped */
+			td_inb[idx].ar_packet = replayed_pkt[idx];
+		}
+
+		ret = test_tls_record_proto_process(td_inb, NULL, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay(void)
+{
+	struct tls_record_test_flags flags;
+	uint64_t winsz = 64, seq_no[5];
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+	flags.ar_win_size = winsz;
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	seq_no[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	seq_no[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	seq_no[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	seq_no[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	seq_no[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
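Review bot: `test_dtls_pkt_replay()` indexes `td_outb[]` and `td_inb[]`, both sized `TEST_SEC_PKTS_MAX`, up to `nb_pkts` without checking the caller's count. Add a check such as `if (nb_pkts > TEST_SEC_PKTS_MAX) return TEST_FAILED;` at the top of the function. `replayed_pkt` is only read, so it can be `const bool[]` like `seq_no`, and the `else` after `return TEST_SUCCESS;` at the end is not needed.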
@@ -17505,6 +17606,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Zero len DTLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 64",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index c5410a4c92..907e043ddd 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -12,10 +12,21 @@
 #include "test_security_proto.h"
 
 int
-test_tls_record_status_check(struct rte_crypto_op *op)
+test_tls_record_status_check(struct rte_crypto_op *op,
+			     const struct tls_record_test_data *td)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_READ) &&
+	     td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
 		ret = TEST_FAILED;
 
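Review bot: in the anti-replay branch a replayed packet passes only if `op->status` is exactly `RTE_CRYPTO_OP_STATUS_ERROR`, and on mismatch the message "Anti replay test case failed" does not print the status that came back. Include `op->status` in the printf so a failure can be diagnosed from the log. The `else` after `return TEST_FAILED;` is redundant and can be dropped.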
@@ -101,81 +112,80 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.chain.auth.auth.key.length = param2->key_length;
 			td->xform.chain.auth.auth.digest_length = param2->digest_length;
 		}
-	}
-
-	if (flags->data_walkthrough || flags->zero_len) {
-		test_sec_proto_pattern_set(td->input_text.data, data_len);
-		td->input_text.len = data_len;
-	}
-
-	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
-		td->app_type = RTE_TLS_TYPE_MAX;
-	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
-		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
-	tls_pkt_size = td->input_text.len;
+		if (flags->data_walkthrough || flags->zero_len) {
+			test_sec_proto_pattern_set(td->input_text.data, data_len);
+			td->input_text.len = data_len;
+		}
 
-	if (!td->aead) {
-		mac_len = td->xform.chain.auth.auth.digest_length;
-		switch (td->xform.chain.cipher.cipher.algo) {
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			roundup_len = 8;
+		if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+			td->app_type = RTE_TLS_TYPE_MAX;
+		else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+			td->app_type = RTE_TLS_TYPE_HANDSHAKE;
+
+		tls_pkt_size = td->input_text.len;
+
+		if (!td->aead) {
+			mac_len = td->xform.chain.auth.auth.digest_length;
+			switch (td->xform.chain.cipher.cipher.algo) {
+			case RTE_CRYPTO_CIPHER_3DES_CBC:
+				roundup_len = 8;
+				exp_nonce_len = 8;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				roundup_len = 16;
+				exp_nonce_len = 16;
+				break;
+			default:
+				roundup_len = 0;
+				exp_nonce_len = 0;
+				break;
+			}
+		} else {
+			mac_len = td->xform.aead.aead.digest_length;
+			roundup_len = 0;
 			exp_nonce_len = 8;
+		}
+
+		switch (td->tls_record_xform.ver) {
+		case RTE_SECURITY_VERSION_TLS_1_2:
+		case RTE_SECURITY_VERSION_TLS_1_3:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			roundup_len = 16;
-			exp_nonce_len = 16;
+		case RTE_SECURITY_VERSION_DTLS_1_2:
+			hdr_len = sizeof(struct rte_dtls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
 		default:
-			roundup_len = 0;
-			exp_nonce_len = 0;
+			hdr_len = 0;
+			min_padding = 0;
 			break;
 		}
-	} else {
-		mac_len = td->xform.aead.aead.digest_length;
-		roundup_len = 0;
-		exp_nonce_len = 8;
-	}
-
-	switch (td->tls_record_xform.ver) {
-	case RTE_SECURITY_VERSION_TLS_1_2:
-	case RTE_SECURITY_VERSION_TLS_1_3:
-		hdr_len = sizeof(struct rte_tls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	case RTE_SECURITY_VERSION_DTLS_1_2:
-		hdr_len = sizeof(struct rte_dtls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	default:
-		hdr_len = 0;
-		min_padding = 0;
-		break;
-	}
 
-	tls_pkt_size += mac_len;
+		tls_pkt_size += mac_len;
 
-	/* Padding */
-	tls_pkt_size += min_padding;
+		/* Padding */
+		tls_pkt_size += min_padding;
 
-	if (roundup_len)
-		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+		if (roundup_len)
+			tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
-	/* Explicit nonce */
-	tls_pkt_size += exp_nonce_len;
+		/* Explicit nonce */
+		tls_pkt_size += exp_nonce_len;
 
-	/* Add TLS header */
-	tls_pkt_size += hdr_len;
+		/* Add TLS header */
+		tls_pkt_size += hdr_len;
 
-	td->output_text.len = tls_pkt_size;
+		td->output_text.len = tls_pkt_size;
 
-	RTE_SET_USED(flags);
+	}
 }
 
 void
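Review bot: this hunk moves the closing brace of the enclosing block from before `if (flags->data_walkthrough || flags->zero_len)` to after `td->output_text.len = tls_pkt_size;`, so the pattern fill, content type selection and length calculation now run inside that block. That is a behaviour change to `test_tls_record_td_prepare()` which the commit message ("Add anti-replay test for DTLS 1.2.") does not mention. Describe it in the log or split it into its own patch, and drop the empty line left before the new closing brace.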
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index b43d8a16f2..f69f95824b 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -89,16 +89,18 @@ struct tls_record_test_data {
 	struct rte_security_tls_record_xform tls_record_xform;
 	uint8_t app_type;
 	bool aead;
+	bool ar_packet;
 };
 
 struct tls_record_test_flags {
 	bool display_alg;
-	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
-	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
-	enum tls_record_test_content_type content_type;
 	bool zero_len;
+	uint8_t nb_segs_in_mbuf;
+	enum rte_security_tls_version tls_version;
+	enum tls_record_test_content_type content_type;
+	int ar_win_size;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
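Review bot: `ar_win_size` is declared `int`, but the test sets it from a `uint64_t winsz` and it is copied into `dtls_1_2.ar_win_sz`. Use an unsigned type that matches the session field so that neither a negative value nor silent narrowing is possible. The reordering of the existing members is unrelated to anti-replay and makes the hunk harder to read; keep it out of this patch or mention it in the log.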
@@ -123,7 +125,8 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
-int test_tls_record_status_check(struct rte_crypto_op *op);
+int test_tls_record_status_check(struct rte_crypto_op *op,
+				 const struct tls_record_test_data *td);
 
 int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_record_xform,
 				    const struct rte_security_capability *sec_cap, bool silent);
-- 
2.25.1



* [PATCH v3 12/21] test/security: add more DTLS anti-replay window sz
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (10 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 13/21] test/crypto: update verification of header Aakash Sasidharan
                       ` (9 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay tests for window sizes 128, 256, 512, 1024,
2048 and 4096 in DTLS 1.2 suite.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c | 72 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 904bad39d3..72d91d23a2 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12259,12 +12259,12 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 }
 
 static int
-test_dtls_1_2_record_proto_antireplay(void)
+test_dtls_1_2_record_proto_antireplay(uint64_t winsz)
 {
 	struct tls_record_test_flags flags;
-	uint64_t winsz = 64, seq_no[5];
 	uint32_t nb_pkts = 5;
 	bool replayed_pkt[5];
+	uint64_t seq_no[5];
 
 	memset(&flags, 0, sizeof(flags));
 
@@ -12291,6 +12291,48 @@ test_dtls_1_2_record_proto_antireplay(void)
 	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
 }
 
+static int
+test_dtls_1_2_record_proto_antireplay64(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(64);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay128(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(128);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay256(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(256);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay512(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(512);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay1024(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(1024);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay2048(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(2048);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay4096(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(4096);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
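Review bot: the seven `test_dtls_1_2_record_proto_antireplayN()` wrappers differ only in the constant they pass. `TEST_CASE_NAMED_WITH_DATA`, already used in this suite for the known-vector cases, could hand the window size to a single test function as data and remove the boilerplate. If the wrappers stay, a table of window sizes walked by one test case would give the same coverage with less code.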
@@ -17609,7 +17651,31 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Antireplay with window size 64",
 			ut_setup_security, ut_teardown,
-			test_dtls_1_2_record_proto_antireplay),
+			test_dtls_1_2_record_proto_antireplay64),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 128",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay128),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 256",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay256),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 512",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay512),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay1024),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay2048),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay4096),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v3 13/21] test/crypto: update verification of header
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (11 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
                       ` (8 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

In TLS 1.3, the version in the header would be TLS 1.2 and the content
type would be APP irrespective of the type of the payload.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 907e043ddd..498c4923e0 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -275,9 +275,9 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		hdr_len = sizeof(struct rte_tls_hdr);
 	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
 		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
-		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
 			printf("Incorrect header version [expected - %4x, received - %4x]\n",
-			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
 			return TEST_FAILED;
 		}
 		content_type = hdr->type;
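Review bot: the TLS 1.3 branch now compares hdr->version against RTE_TLS_VERSION_1_2 with no comment in the code, which reads like a copy-paste slip to anyone who has not seen the commit message. A one-line comment above the check, saying that a TLS 1.3 record header carries the TLS 1.2 version value, would keep a later cleanup from changing it back.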
@@ -297,10 +297,18 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		return TEST_FAILED;
 	}
 
-	if (content_type != td->app_type) {
-		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
-		       td->app_type, content_type);
-		return TEST_FAILED;
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		if (content_type != RTE_TLS_TYPE_APPDATA) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
+	} else {
+		if (content_type != td->app_type) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
 	}
 
 	if (length != td->output_text.len - hdr_len) {
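Review bot: in the new TLS 1.3 branch the comparison is against RTE_TLS_TYPE_APPDATA, but the failure message still prints td->app_type as the expected value, so a failing run with a non-application content type reports the wrong expectation. Print RTE_TLS_TYPE_APPDATA there. The two branches could also be folded by computing the expected type once and keeping a single comparison and printf.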
-- 
2.25.1



* [PATCH v3 14/21] test/crypto: add TLS 1.3 vectors
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (12 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 13/21] test/crypto: update verification of header Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
                       ` (7 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors and test suite for TLS 1.3
AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305
vectors. The vectors are generated using gnuTLS
client server application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  35 +++
 app/test/test_cryptodev_security_tls_record.h |   3 +
 ...yptodev_security_tls_record_test_vectors.h | 205 ++++++++++++++++++
 3 files changed, 243 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72d91d23a2..aa9fffe50e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17680,6 +17680,40 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 	}
 };
 
+static struct unit_test_suite tls13_record_proto_testsuite  = {
+	.suite_name = "TLS 1.3 Record Protocol Unit Test Suite",
+	.setup = tls_record_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 #define ADD_UPLINK_TESTCASE(data)						\
 	TEST_CASE_NAMED_WITH_DATA(data.test_descr_uplink, ut_setup_security,	\
 	ut_teardown, test_docsis_proto_uplink, (const void *) &data),		\
@@ -18699,6 +18733,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&docsis_proto_testsuite,
 		&tls12_record_proto_testsuite,
 		&dtls12_record_proto_testsuite,
+		&tls13_record_proto_testsuite,
 #endif
 		&end_testsuite
 	};
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index f69f95824b..3d714b3574 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -124,6 +124,9 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
+extern struct tls_record_test_data tls13_test_data_aes_128_gcm;
+extern struct tls_record_test_data tls13_test_data_aes_256_gcm;
+extern struct tls_record_test_data tls13_test_data_chacha20_poly1305;
 
 int test_tls_record_status_check(struct rte_crypto_op *op,
 				 const struct tls_record_test_data *td);
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index 27b07cd54a..8af17b07e5 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1781,4 +1781,209 @@ struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.app_type = 0x17,
 };
 
+/* TLS 1.3 AES-128-GCM */
+struct tls_record_test_data tls13_test_data_aes_128_gcm = {
+	.key = {
+		.data = {
+			0x03, 0x12, 0xf5, 0x86, 0xe4, 0xd0, 0x27, 0xc7,
+			0x47, 0x82, 0x44, 0xca, 0xd3, 0xce, 0x06, 0x6c,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0x52, 0xb5, 0x24, 0xce, 0x5c, 0x29, 0x0f, 0x0a,
+			0x3a, 0xc0, 0x60, 0xaf, 0xba, 0xe3, 0x0d, 0x28,
+			0x6c, 0xbb, 0x3e, 0x5f, 0xde, 0x4a, 0xcd, 0xf1,
+			0x30, 0x12, 0xa9, 0x42, 0x95, 0x55, 0xf5, 0x2c,
+			0xb7, 0xb6, 0x60, 0x82, 0xa2, 0x1d, 0x34, 0x33,
+			0x0a, 0xd7, 0x48, 0x40, 0xef, 0xab, 0x70, 0xa7,
+			0xb2, 0x58, 0x41, 0xdb, 0xf6, 0x37, 0xe4, 0x6d,
+			0xa3, 0x1e, 0xbf, 0x6f,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0x8d, 0x1f, 0xa0, 0x14, 0xc7, 0x66, 0x9f, 0x93,
+			0x74, 0x3f, 0x46, 0x52,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+/* TLS 1.3 AES-256-GCM */
+struct tls_record_test_data tls13_test_data_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xc9, 0xc2, 0xa2, 0x4c, 0x4e, 0x36, 0x19, 0x6e,
+			0xd8, 0xf5, 0xb9, 0x14, 0x30, 0xfc, 0xe0, 0xef,
+			0x29, 0xb0, 0x00, 0xd1, 0x2d, 0xfc, 0x5a, 0x76,
+			0x50, 0xf4, 0xf3, 0xb1, 0x82, 0x21, 0x57, 0x82,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0xc9, 0xb0, 0x44, 0x23, 0xd5, 0xe2, 0xbd, 0x1d,
+			0xf1, 0x96, 0x53, 0x2c, 0x8c, 0xe2, 0xa3, 0x00,
+			0x7b, 0x2a, 0xb1, 0xa1, 0xd6, 0x79, 0x58, 0xb5,
+			0x35, 0x1f, 0xbb, 0x98, 0x03, 0xe1, 0x82, 0xa2,
+			0x1e, 0x26, 0x81, 0xbe, 0x77, 0x65, 0xaf, 0x7d,
+			0x9f, 0x52, 0xec, 0x3a, 0x18, 0x2d, 0x36, 0xab,
+			0xdc, 0xa9, 0xfb, 0xd3, 0xa8, 0xd5, 0xbc, 0x98,
+			0xa4, 0xab, 0x70, 0xe9,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0xd4, 0x78, 0xf2, 0x90, 0x61, 0x5d, 0x8c, 0x63,
+			0x4b, 0xf4, 0x72, 0xf3,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+struct tls_record_test_data tls13_test_data_chacha20_poly1305 = {
+	.key = {
+		.data = {
+			0xec, 0x7d, 0x7a, 0x3f, 0x91, 0xdd, 0xb9, 0x70,
+			0x95, 0x3b, 0x99, 0xb0, 0xe7, 0x66, 0xda, 0xdc,
+			0x85, 0xbb, 0xfc, 0xc8, 0x50, 0xe9, 0x61, 0x88,
+			0xc8, 0x1e, 0xf0, 0x61, 0xb0, 0xcd, 0x6c, 0x3d,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30,
+			0x2d, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30,
+			0x35, 0x20, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+			0x65, 0x20, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0xa,
+		},
+		.len = 49,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x42,
+			0x9a, 0xc1, 0xd9, 0x0e, 0xf9, 0x4c, 0x51, 0x8c,
+			0xb4, 0xa7, 0x54, 0x57, 0x56, 0xba, 0xbb, 0xf7,
+			0xd7, 0x1d, 0x49, 0x5a, 0x42, 0xd2, 0xab, 0x75,
+			0x3f, 0xb1, 0x5f, 0xb5, 0x2b, 0x2b, 0xa3, 0xc5,
+			0x61, 0x32, 0x7e, 0x62, 0x1e, 0xf5, 0x56, 0xff,
+			0x84, 0x8e, 0x9a, 0x99, 0x06, 0xba, 0x3b, 0xc0,
+			0x15, 0x4c, 0xf5, 0xb1, 0x5e, 0xcc, 0xff, 0x42,
+			0x79, 0x4b, 0xa9, 0x23, 0x16, 0x08, 0xc3, 0x9a,
+			0x52, 0x2a,
+		},
+		.len = 71,
+	},
+	.imp_nonce = {
+		.data = {
+			0x3c, 0x28, 0xa0, 0xb8, 0xf8, 0x74, 0x35, 0xfe,
+			0xd2, 0xa0, 0x31, 0x28,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
 #endif
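Review bot: tls13_test_data_chacha20_poly1305 is missing the header comment that the two GCM vectors carry (/* TLS 1.3 AES-128-GCM */ and /* TLS 1.3 AES-256-GCM */); please add the matching one. The last plaintext byte is written 0xa in all three input_text arrays while every other byte uses two hex digits, so 0x0a would be consistent. The header bytes agree with the lengths (0x3c + 5 = 65, 0x42 + 5 = 71), which is good; a short comment that the 5-byte aad_length is the record header would help readers who compare these against the TLS 1.2 vectors.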
-- 
2.25.1



* [PATCH v3 15/21] test/crypto: update framework to verify tls-1.3
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (13 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
                       ` (6 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Update the fields in preparation of test descriptor.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++---
 app/test/test_cryptodev_security_tls_record.c | 43 ++++++++++++-------
 app/test/test_cryptodev_security_tls_record.h | 10 ++---
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index aa9fffe50e..25777c1b1f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11889,8 +11889,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		/* Copy IV in crypto operation when IV generation is disabled */
-		if (sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE &&
-		    tls_record_xform.options.iv_gen_disable == 1) {
+		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
+		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
+		    (tls_record_xform.options.iv_gen_disable == 1)) {
 			uint8_t *iv;
 			int len;
 
@@ -12005,8 +12006,10 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (flags->zero_len)
 			payload_len = 0;
 again:
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, payload_len);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, payload_len);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
@@ -12218,8 +12221,10 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 	int ret;
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, 0);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, 0);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		for (idx = 0; idx < nb_pkts; idx++)
 			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 498c4923e0..96d0a94731 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -70,7 +70,7 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 	}
 }
 
-void
+int
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array,
@@ -79,6 +79,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
 
+	if ((flags->tls_version == RTE_SECURITY_VERSION_TLS_1_3) &&
+	    (param1->type != RTE_CRYPTO_SYM_XFORM_AEAD))
+		return TEST_SKIPPED;
+
 	memset(td_array, 0, nb_td * sizeof(*td));
 
 	for (i = 0; i < nb_td; i++) {
@@ -88,10 +92,17 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
-				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
-			else
+			switch (flags->tls_version) {
+			case RTE_SECURITY_VERSION_TLS_1_2:
 				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_DTLS_1_2:
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_TLS_1_3:
+				memcpy(td, &tls13_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			}
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
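Review bot: the new switch on flags->tls_version has no default case, so for any other version value no template is copied and td stays as the memset-zeroed entry while the code goes on to set td->aead and the algorithm fields. Add a default that bails out, in line with the default this patch adds to the later switch on td->tls_record_xform.ver in the same function.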
@@ -127,6 +138,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (!td->aead) {
 			mac_len = td->xform.chain.auth.auth.digest_length;
+			min_padding = 1;
 			switch (td->xform.chain.cipher.cipher.algo) {
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 				roundup_len = 8;
@@ -143,30 +155,28 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			}
 		} else {
 			mac_len = td->xform.aead.aead.digest_length;
+			min_padding = 0;
 			roundup_len = 0;
-			exp_nonce_len = 8;
+			if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3)
+				exp_nonce_len = 0;
+			else
+				exp_nonce_len = 8;
 		}
 
 		switch (td->tls_record_xform.ver) {
 		case RTE_SECURITY_VERSION_TLS_1_2:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			break;
 		case RTE_SECURITY_VERSION_TLS_1_3:
 			hdr_len = sizeof(struct rte_tls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
+			/* Add 1 byte for content type in packet */
+			tls_pkt_size += 1;
 			break;
 		case RTE_SECURITY_VERSION_DTLS_1_2:
 			hdr_len = sizeof(struct rte_dtls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
 			break;
 		default:
-			hdr_len = 0;
-			min_padding = 0;
-			break;
+			return TEST_SKIPPED;
 		}
 
 		tls_pkt_size += mac_len;
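Review bot: the default case now returns TEST_SKIPPED, and both callers updated in this patch respond to that with continue, so a wrong or unsupported version supplied by the test itself is silently skipped for every algorithm instead of being reported. TEST_FAILED looks more appropriate for a value the test controls. Also, the TLS_1_2 and TLS_1_3 cases both assign hdr_len = sizeof(struct rte_tls_hdr); letting TLS_1_3 add its extra content-type byte and then share the TLS_1_2 assignment would avoid the duplicate line.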
@@ -186,6 +196,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->output_text.len = tls_pkt_size;
 
 	}
+	return TEST_SUCCESS;
 }
 
 void
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 3d714b3574..20a7d347a0 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -137,11 +137,11 @@ int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_re
 void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 					struct tls_record_test_data *td_in);
 
-void test_tls_record_td_prepare(const struct crypto_param *param1,
-				const struct crypto_param *param2,
-				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td,
-				unsigned int data_len);
+int test_tls_record_td_prepare(const struct crypto_param *param1,
+			       const struct crypto_param *param2,
+			       const struct tls_record_test_flags *flags,
+			       struct tls_record_test_data *td_array, int nb_td,
+			       unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
-- 
2.25.1



* [PATCH v3 16/21] test/crypto: test to verify hdr corruption in TLS
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (14 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
                       ` (5 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with header corruption.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 25777c1b1f..9f0a737913 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12424,6 +12424,20 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_1_3_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
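Review bot: dev_info is filled by rte_cryptodev_info_get() in test_tls_1_3_record_proto_corrupt_pkt() and never read afterwards, and ts_params exists only to feed that call. Either drop both and keep just the flags and the call to test_tls_record_proto_all(&flags), or use dev_info for the capability check if one was intended.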
@@ -17714,7 +17728,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"Read record known vector CHACHA20-POLY1305",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
-
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v3 17/21] test/crypto: test to verify custom content type in TLS
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (15 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
                       ` (4 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with content type as custom.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9f0a737913..fe4fcfbfdb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12438,6 +12438,21 @@ test_tls_1_3_record_proto_corrupt_pkt(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
@@ -17732,6 +17747,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header with custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v3 18/21] test/crypto: test to verify zero len record in TLS
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (16 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
                       ` (3 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with zero length.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fe4fcfbfdb..8ad5033f32 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12453,6 +12453,37 @@ test_tls_1_3_record_proto_custom_content_type(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_3_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
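Review bot: test_tls_1_3_record_proto_zero_len() and test_tls_1_3_record_proto_zero_len_non_app() differ only in their flags initializer, and the body is the same as the custom-content-type test just above them. A small helper that takes the flags and calls test_tls_record_proto_all() would remove the repeated lines, the way test_tls_record_proto_opt_padding() does for the padding tests in patch 19.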
@@ -17751,6 +17782,14 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header with custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v3 19/21] test/crypto: unit tests to verify padding in TLS
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (17 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
                       ` (2 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for TLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 85 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 28 ++++--
 app/test/test_cryptodev_security_tls_record.h |  5 +-
 3 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 8ad5033f32..a324c1607b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11834,6 +11834,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
+	if (flags->opt_padding)
+		tls_record_xform.options.extra_padding_enable = 1;
+
 	sess_conf.tls_record = tls_record_xform;
 
 	if (td[0].aead) {
@@ -11888,6 +11891,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->sym->m_dst = NULL;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
+		if (flags->opt_padding)
+			ut_params->op->aux_flags = flags->opt_padding;
+
 		/* Copy IV in crypto operation when IV generation is disabled */
 		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
 		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
@@ -11915,7 +11921,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
 			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
-							   silent);
+							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
 		}
@@ -12184,6 +12190,59 @@ test_tls_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_opt_padding(uint8_t padding, uint8_t num_segs,
+				  enum rte_security_tls_version tls_version)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = num_segs,
+		.tls_version = tls_version,
+		.opt_padding = padding
+	};
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 2, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
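Review bot: the padding argument of test_tls_record_proto_opt_padding() is passed as bare numbers (1, 25, 8, 33) with nothing stating its unit. The header check later in this patch multiplies opt_padding by 8 and caps the result at 256, so it appears to be a count of 8-byte units with 33 as the over-range case. A comment on the helper saying so would make the _1, _2 and _max variants self-explanatory. dev_info is fetched here and not used.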
@@ -17578,6 +17637,30 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Zero len TLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
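Review bot: "TLS record SG mode with optional padding > 2 blocks" is used for both test_tls_record_proto_sg_opt_padding_1 and test_tls_record_proto_sg_opt_padding_2, so a failure in the test log cannot be attributed to one of them. Give each case a distinct name, for example by including the segment count (4 versus 5), and state the block size the "< 2 blocks" and "> 2 blocks" labels refer to.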
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 96d0a94731..03d9efefc3 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -269,7 +269,8 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 }
 
 static int
-tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text,
+		      const struct tls_record_test_flags *flags)
 {
 	uint16_t length, hdr_len;
 	uint8_t content_type;
@@ -322,10 +323,22 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		}
 	}
 
-	if (length != td->output_text.len - hdr_len) {
-		printf("Incorrect packet length [expected - %d, received - %d]\n",
-		       td->output_text.len - hdr_len, length);
-		return TEST_FAILED;
+	if (!flags->opt_padding) {
+		if (length != td->output_text.len - hdr_len) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       td->output_text.len - hdr_len, length);
+			return TEST_FAILED;
+		}
+	} else {
+		int pad_len = (flags->opt_padding * 8) > 256 ? 256 : (flags->opt_padding * 8);
+		int expect_len = td->output_text.len - hdr_len + pad_len;
+
+		if (length - expect_len > 32) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       expect_len, length);
+			return TEST_FAILED;
+		}
+
 	}
 
 	return TEST_SUCCESS;
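
Review bot: the opt_padding branch of tls_record_hdr_verify() bounds the record length only from above. `length - expect_len > 32` is evaluated as a signed int, so a record shorter than expect_len yields a negative difference and passes, including a record to which no optional padding was added at all. Consider checking a lower bound as well, and give 8, 256 and 32 named constants or a comment explaining the unit of opt_padding and the tolerance. The failure message prints expect_len as "expected" although a range is accepted, and there is a stray blank line before the closing brace of the else block.
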
@@ -333,7 +346,8 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-			     struct tls_record_test_data *res_d, bool silent)
+			     struct tls_record_test_data *res_d, bool silent,
+			     const struct tls_record_test_flags *flags)
 {
 	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
@@ -365,7 +379,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
-		ret = tls_record_hdr_verify(td, output_text);
+		ret = tls_record_hdr_verify(td, output_text, flags);
 		if (ret != TEST_SUCCESS)
 			return ret;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 20a7d347a0..b31c38af06 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -97,7 +97,9 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	bool pkt_corruption;
 	bool zero_len;
+	bool padding_corruption;
 	uint8_t nb_segs_in_mbuf;
+	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
 	enum tls_record_test_content_type content_type;
 	int ar_win_size;
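
Review bot: opt_padding has no comment giving its unit or range. tls_record_hdr_verify() multiplies it by 8 and clamps the product at 256, which a reader of this struct cannot infer; a one-line comment on the field (unit of 8 bytes, values above 32 are clamped) would document that.
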
@@ -148,5 +150,6 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_flags *flags);
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-				 struct tls_record_test_data *res_d, bool silent);
+				 struct tls_record_test_data *res_d, bool silent,
+				 const struct tls_record_test_flags *flags);
 #endif
-- 
2.25.1



* [PATCH v3 20/21] test/crypto: unit tests for padding in DTLS-1.2
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (18 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-12 17:51     ` [PATCH v3 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for DTLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index a324c1607b..572740cbf9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12483,6 +12483,42 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 static int
 test_tls_1_3_record_proto_corrupt_pkt(void)
 {
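
Review bot: the first two arguments to test_tls_record_proto_opt_padding() in these wrappers are bare literals (1, 25, 8, 33 and 0, 4, 5), and the _1/_2 suffixes say nothing about what each case covers. A short comment per wrapper, or named constants, stating the padding value and what the second argument selects (0 in the DM cases, 4 or 5 in the SG cases) would make the intent reviewable, in particular why 33 is the "max range" case and why 8 is tried with both 4 and 5.
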
@@ -17824,6 +17860,30 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Antireplay with window size 4096",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_antireplay4096),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
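
Review bot: "DTLS record SG mode with optional padding > 2 blocks" is registered twice in this hunk, for test_dtls_1_2_record_proto_sg_opt_padding_1 and test_dtls_1_2_record_proto_sg_opt_padding_2. The two wrappers differ only in their second argument (4 versus 5), so put that difference into the test names; otherwise the two results are indistinguishable in the suite output.
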
-- 
2.25.1



* [PATCH v3 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (19 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
@ 2024-03-12 17:51     ` Aakash Sasidharan
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-12 17:51 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add TLS 1.2 out-of-place multi-segmented packet test.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 52 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.h |  1 +
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 572740cbf9..1703ebccf1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11873,6 +11873,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
 		pktmbuf_write(ut_params->ibuf, 0, td[i].input_text.len, td[i].input_text.data);
+		if (flags->out_of_place)
+			ut_params->obuf = create_segmented_mbuf(ts_params->mbuf_pool,
+					td[i].output_text.len, nb_segs, 0);
+		else
+			ut_params->obuf = NULL;
 
 		/* Generate crypto op data structure */
 		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
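
Review bot: the result of create_segmented_mbuf() for obuf is not checked. If the allocation fails while flags->out_of_place is set, m_dst is assigned NULL further down and the result is later read from a NULL obuf in the post-process call. Fail the test right after the allocation when obuf is NULL.
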
@@ -11888,7 +11893,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		/* Set crypto operation mbufs */
 		ut_params->op->sym->m_src = ut_params->ibuf;
-		ut_params->op->sym->m_dst = NULL;
+		ut_params->op->sym->m_dst = ut_params->obuf;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		if (flags->opt_padding)
@@ -11920,7 +11925,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
-			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+			struct rte_mbuf *buf = flags->out_of_place ? ut_params->obuf :
+						ut_params->ibuf;
+
+			ret = test_tls_record_post_process(buf, &td[i], res_d_tmp,
 							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
@@ -11929,6 +11937,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
 
+		if (flags->out_of_place) {
+			rte_pktmbuf_free(ut_params->obuf);
+			ut_params->obuf = NULL;
+		}
+
 		rte_pktmbuf_free(ut_params->ibuf);
 		ut_params->ibuf = NULL;
 	}
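
Review bot: the `if (flags->out_of_place)` guard around the obuf free is not needed in the loop body, because obuf is assigned NULL in the in-place case and rte_pktmbuf_free() does nothing for NULL. Freeing obuf unconditionally, the same way ibuf is freed just below, keeps the cleanup shorter. The same four lines are repeated in the error path in the next hunk.
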
@@ -11937,6 +11950,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	rte_crypto_op_free(ut_params->op);
 	ut_params->op = NULL;
 
+	if (flags->out_of_place) {
+		rte_pktmbuf_free(ut_params->obuf);
+		ut_params->obuf = NULL;
+	}
+
 	rte_pktmbuf_free(ut_params->ibuf);
 	ut_params->ibuf = NULL;
 
@@ -12127,6 +12145,32 @@ test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_ver
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_oop(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.out_of_place = true,
+		.tls_version = tls_version
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_oop(void)
+{
+	return test_tls_record_proto_sgl_oop(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 {
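
Review bot: test_tls_record_proto_sgl_oop() gates on RTE_CRYPTODEV_FF_IN_PLACE_SGL and prints "Device doesn't support in-place scatter-gather", but the test sets .out_of_place = true. Check the out-of-place SGL capability instead (RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT, since both source and destination mbufs are segmented here) and adjust the skip message. As written, the test can run on a device without out-of-place support, or be skipped on one that has it.
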
@@ -17657,6 +17701,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode out of place",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_oop),
 		TEST_CASE_NAMED_ST(
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index b31c38af06..e788d36b7a 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	bool pkt_corruption;
 	bool zero_len;
 	bool padding_corruption;
+	bool out_of_place;
 	uint8_t nb_segs_in_mbuf;
 	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
-- 
2.25.1



* [PATCH v4 00/21] Improvements and new test cases
  2024-03-12 17:51   ` [PATCH v3 00/21] Improvements and new test cases Aakash Sasidharan
                       ` (20 preceding siblings ...)
  2024-03-12 17:51     ` [PATCH v3 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-13  5:50     ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
                         ` (21 more replies)
  21 siblings, 22 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  Cc: gakhil, jerinj, anoobj, vvelumuri, asasidharan, dev

v4:
* Set max ciphertext length for data walkthrough tests to 4k.

v3:
* Set max packet length for data walkthrough tests to 8k.

v2:
* Rebased.

Aakash Sasidharan (7):
  test/security: enable AES-GCM in combined mode TLS
  test/security: add TLS 1.2 data walkthrough test
  test/security: add DTLS 1.2 data walkthrough test
  test/security: add TLS SG data walkthrough test
  test/security: add DTLS 1.2 anti-replay tests
  test/security: add more DTLS anti-replay window sz
  test/security: add out of place sgl test case for TLS 1.2

Akhil Goyal (2):
  test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  test/crypto: add TLS 1.3 vectors

Anoob Joseph (1):
  test/cryptodev: allow zero packet length buffers

Vidya Sagar Velumuri (11):
  test/security: unit test for TLS packet corruption
  test/security: unit test for custom content verification
  test/security: unit test to verify zero TLS records
  test/security: add unit tests for DTLS-1.2
  test/crypto: update verification of header
  test/crypto: update framework to verify tls-1.3
  test/crypto: test to verify hdr corruption in TLS
  test/crypto: test to verify custom content type in TLS
  test/crypto: test to verify zero len record in TLS
  test/crypto: unit tests to verify padding in TLS
  test/crypto: unit tests for padding in DTLS-1.2

 app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
 app/test/test_cryptodev.h                     |  32 +-
 app/test/test_cryptodev_security_tls_record.c | 203 ++--
 app/test/test_cryptodev_security_tls_record.h |  77 +-
 ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
 app/test/test_security_proto.c                |  17 +
 app/test/test_security_proto.h                |   9 +
 7 files changed, 1539 insertions(+), 179 deletions(-)

-- 
2.25.1



* [PATCH v4 01/21] test/security: enable AES-GCM in combined mode TLS
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
                         ` (20 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph, Vidya Sagar Velumuri
  Cc: jerinj, asasidharan, dev

Enable AES-GCM AEAD tests in combined mode TLS test suite.

Coverity issue: 414888
Fixes: 9157ccb8f876 ("test/crypto: verify TLS headers")

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 10 ++++++++--
 app/test/test_security_proto.h                |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index bcb2eba4ff..14a7a2511e 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -116,6 +116,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	} else {
 		mac_len = td->xform.aead.aead.digest_length;
+		roundup_len = 0;
 		exp_nonce_len = 8;
 	}
 
@@ -123,7 +124,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	case RTE_SECURITY_VERSION_TLS_1_2:
 	case RTE_SECURITY_VERSION_TLS_1_3:
 		hdr_len = sizeof(struct rte_tls_hdr);
-		min_padding = 1;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
@@ -139,7 +143,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 	/* Padding */
 	tls_pkt_size += min_padding;
-	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	if (roundup_len)
+		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
 	/* Explicit nonce */
 	tls_pkt_size += exp_nonce_len;
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index efa023b99d..5b92daa810 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -27,16 +27,19 @@ static const struct crypto_param aead_list[] = {
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 16,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 24,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 32,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
-- 
2.25.1



* [PATCH v4 02/21] test/security: add TLS 1.2 data walkthrough test
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 03/21] test/security: add DTLS " Aakash Sasidharan
                         ` (19 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph; +Cc: jerinj, vvelumuri, asasidharan, dev

Add data walkthrough test for TLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 90 +++++++++++++++++--
 app/test/test_cryptodev.h                     | 12 ++-
 app/test/test_cryptodev_security_tls_record.c | 25 ++++--
 app/test/test_cryptodev_security_tls_record.h | 41 ++++++++-
 app/test/test_security_proto.c                | 17 ++++
 app/test/test_security_proto.h                |  6 ++
 6 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3b5e784022..c5837ccbdd 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -858,6 +858,8 @@ ipsec_proto_testsuite_setup(void)
 static int
 tls_record_proto_testsuite_setup(void)
 {
+	test_sec_proto_pattern_generate();
+
 	return sec_proto_testsuite_setup(RTE_SECURITY_PROTOCOL_TLS_RECORD);
 }
 
@@ -11958,14 +11960,30 @@ test_tls_record_proto_known_vec_read(const void *test_data)
 static int
 test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 {
+	unsigned int i, nb_pkts = 1, pass_cnt = 0, payload_len, max_payload_len;
 	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
 	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
-	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	switch (flags->tls_version) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+		max_payload_len = TLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		max_payload_len = TLS_1_3_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		max_payload_len = DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	default:
+		max_payload_len = 0;
+	}
+
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts);
+					   td_outb, nb_pkts, payload_len);
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
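
Review bot: the `again:` label inside the for loop, paired with the backward `goto again` added in the next hunk, is a hand-rolled inner loop over payload_len. An explicit inner loop would express the same walk without the jump and make the exit condition visible at the top. The `default:` arm of the switch also sets max_payload_len to 0 silently and has no break; failing the test for an unknown tls_version would be clearer.
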
@@ -11983,6 +12001,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_FAILED)
 			return TEST_FAILED;
 
+		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
+			goto again;
+
 		if (flags->display_alg)
 			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
 
@@ -11996,22 +12017,69 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 }
 
 static int
-test_tls_record_proto_display_list(void)
+test_tls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_display_list(void)
 {
 	struct tls_record_test_flags flags;
 
 	memset(&flags, 0, sizeof(flags));
 
 	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
 
 	return test_tls_record_proto_all(&flags);
 }
 
 static int
-test_tls_record_proto_sgl(void)
+test_tls_1_2_record_proto_sgl(void)
 {
 	struct tls_record_test_flags flags = {
-		.nb_segs_in_mbuf = 5
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_display_list(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_sgl(void)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
 	};
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct rte_cryptodev_info dev_info;
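
Review bot: test_dtls_1_2_record_proto_display_list() and test_dtls_1_2_record_proto_sgl() are copies of the TLS 1.2 functions with only tls_version changed. A helper taking enum rte_security_tls_version, with thin per-version wrappers, would avoid duplicating the capability check and the skip message. These DTLS additions also go beyond what the subject line ("add TLS 1.2 data walkthrough test") announces, so mention them in the commit message or move them to the DTLS patch.
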
@@ -17081,11 +17149,15 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_tls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_tls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17182,11 +17254,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_dtls_1_2_record_proto_display_list),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_dtls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index f27d9697fd..e4e99d00c1 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -5,6 +5,9 @@
 #define TEST_CRYPTODEV_H_
 
 #include <rte_cryptodev.h>
+#ifdef RTE_LIB_SECURITY
+#include "test_security_proto.h"
+#endif
 
 #define HEX_DUMP 0
 
@@ -21,9 +24,16 @@
 #define DEFAULT_NUM_XFORMS              (2)
 #define NUM_MBUFS                       (8191)
 #define MBUF_CACHE_SIZE                 (256)
+
+#ifdef RTE_LIB_SECURITY
+#define MBUF_DATAPAYLOAD_SIZE		RTE_MAX((unsigned int)(4096 + DIGEST_BYTE_LENGTH_SHA512), \
+						TEST_SEC_CIPHERTEXT_MAX_LEN)
+#else
 #define MBUF_DATAPAYLOAD_SIZE		(4096 + DIGEST_BYTE_LENGTH_SHA512)
+#endif
+
 #define MBUF_SIZE			(sizeof(struct rte_mbuf) + \
-		RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
+					RTE_PKTMBUF_HEADROOM + MBUF_DATAPAYLOAD_SIZE)
 
 #define BYTE_LENGTH(x)				(x/8)
 /* HASH DIGEST LENGTHS */
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 14a7a2511e..3745c6a0d1 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -62,7 +62,8 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 void
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
-			   struct tls_record_test_data *td_array, int nb_td)
+			   struct tls_record_test_data *td_array,
+			   int nb_td, unsigned int data_len)
 {
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
@@ -76,7 +77,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
@@ -84,7 +88,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.aead.aead.digest_length = param1->digest_length;
 		} else {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
 
 			td->aead = false;
 			td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -96,6 +103,11 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	if (flags->data_walkthrough) {
+		test_sec_proto_pattern_set(td->input_text.data, data_len);
+		td->input_text.len = data_len;
+	}
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
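
Review bot: the data_walkthrough block sits after the closing brace of the per-td loop, going by the indentation of the context lines, so it touches only the td left over from the last iteration. With nb_td greater than 1 the earlier entries would keep the template input_text. Move the block inside the loop, or document that this mode supports only nb_td == 1.
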
@@ -221,6 +233,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+
 static int
 tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
 {
@@ -280,13 +293,13 @@ int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 			     struct tls_record_test_data *res_d, bool silent)
 {
+	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
-	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
 	int ret;
 
-	memset(output_text, 0, TLS_RECORD_MAX_LEN);
+	memset(output_text, 0, TEST_SEC_CIPHERTEXT_MAX_LEN);
 
 	/*
 	 * Actual data in packet might be less in error cases, hence take minimum of pkt_len and sum
@@ -300,7 +313,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	len = RTE_MIN(len, data_len);
-	TEST_ASSERT(len <= TLS_RECORD_MAX_LEN, "Invalid packet length: %u", len);
+	TEST_ASSERT(len <= TEST_SEC_CIPHERTEXT_MAX_LEN, "Invalid packet length: %u", len);
 
 	/* Copy mbuf payload to continuous buffer */
 	output = rte_pktmbuf_read(m, 0, len, output_text);
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0bd83f88f0..56d9d11962 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -10,7 +10,37 @@
 
 #include "test_security_proto.h"
 
-#define TLS_RECORD_MAX_LEN 16384u
+/* TLS 1.2 Ciphertext length can be up to (2^14 + 2048 + 5 (TLS Header)) Bytes */
+#define TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN  (4096u)
+static_assert(TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.2 Plaintext length can be up to (2^14 + 1024) Bytes */
+#define TLS_1_2_RECORD_PLAINTEXT_MAX_LEN   (3072u)
+static_assert(TLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Ciphertext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN (4096u)
+static_assert(DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Plaintext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN  (3072u)
+static_assert(DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Ciphertext length can be up to (2^14 + 256 + 5 (TLS Header)) Bytes */
+#define TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN  (4096u)
+static_assert(TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Plaintext length can be up to 2^14 Bytes */
+#define TLS_1_3_RECORD_PLAINTEXT_MAX_LEN   (3072u)
+static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+#define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
 struct tls_record_test_data {
 	struct {
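
Review bot: the comments above the new limits describe the protocol maxima (for example 2^14 + 2048 + 5 bytes for TLS 1.2 ciphertext), but every macro is defined as 4096u or 3072u. Say in the comments that these are caps chosen for the test, not the protocol limits, and reword the static_assert text, which speaks of "RECORD MAX LEN" while comparing the reduced values.
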
@@ -22,12 +52,12 @@ struct tls_record_test_data {
 	} auth_key;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} input_text;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} output_text;
 
@@ -56,6 +86,8 @@ struct tls_record_test_data {
 struct tls_record_test_flags {
 	bool display_alg;
 	int nb_segs_in_mbuf;
+	bool data_walkthrough;
+	enum rte_security_tls_version tls_version;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -89,7 +121,8 @@ void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_ou
 void test_tls_record_td_prepare(const struct crypto_param *param1,
 				const struct crypto_param *param2,
 				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td);
+				struct tls_record_test_data *td_array, int nb_td,
+				unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
diff --git a/app/test/test_security_proto.c b/app/test/test_security_proto.c
index d242c852af..cf40d5fc9a 100644
--- a/app/test/test_security_proto.c
+++ b/app/test/test_security_proto.c
@@ -13,6 +13,8 @@ struct crypto_param_comb sec_alg_list[RTE_DIM(aead_list) +
 
 struct crypto_param_comb sec_auth_only_alg_list[2 * (RTE_DIM(auth_list) - 1)];
 
+static uint8_t cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN];
+
 void
 test_sec_alg_list_populate(void)
 {
@@ -152,3 +154,18 @@ test_sec_alg_display(const struct crypto_param *param1, const struct crypto_para
 	}
 	printf("\n");
 }
+
+void
+test_sec_proto_pattern_generate(void)
+{
+	unsigned int i;
+
+	for (i = 0; i < TEST_SEC_CLEARTEXT_MAX_LEN; i++)
+		cleartext_pattern[i] = (i + 1) & 0xff;
+}
+
+void
+test_sec_proto_pattern_set(uint8_t *buf, int len)
+{
+	rte_memcpy(buf, cleartext_pattern, len);
+}
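
Review bot: test_sec_proto_pattern_set() copies len bytes with no check against TEST_SEC_CLEARTEXT_MAX_LEN, and len is a signed int while the caller in test_tls_record_td_prepare() passes an unsigned int data_len. A len larger than the pattern buffer reads past cleartext_pattern, and the destination size is not known to this function either. Take an unsigned length and reject, or assert on, values above TEST_SEC_CLEARTEXT_MAX_LEN.
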
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index 5b92daa810..05992eee94 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -8,6 +8,8 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#define TEST_SEC_CLEARTEXT_MAX_LEN  (3072u)
+#define TEST_SEC_CIPHERTEXT_MAX_LEN (4096u)
 #define TEST_SEC_PKTS_MAX 32
 
 struct crypto_param {
@@ -186,4 +188,8 @@ int test_sec_crypto_caps_auth_verify(const struct rte_security_capability *sec_c
 
 void test_sec_alg_display(const struct crypto_param *param1, const struct crypto_param *param2);
 
+void test_sec_proto_pattern_generate(void);
+
+void test_sec_proto_pattern_set(uint8_t *buf, int len);
+
 #endif
-- 
2.25.1



* [PATCH v4 03/21] test/security: add DTLS 1.2 data walkthrough test
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 04/21] test/security: add TLS SG " Aakash Sasidharan
                         ` (18 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add data walkthrough test for DTLS 1.2

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c5837ccbdd..e0695e9eb3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12061,6 +12061,19 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_display_list(void)
 {
@@ -17255,6 +17268,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 3745c6a0d1..92bcbff842 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -143,7 +143,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
-		min_padding = 0;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	default:
 		hdr_len = 0;
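Review bot: the RTE_SECURITY_VERSION_DTLS_1_2 case now sets min_padding to 1 whenever td->aead is false, which changes the minimum padding for every non-AEAD DTLS case prepared by this function, yet the commit message only mentions adding the walkthrough test. Please state in the commit log why the non-AEAD case needs at least one padding byte, or split this into its own fix. The four lines could also be written as `min_padding = td->aead ? 0 : 1;`.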
-- 
2.25.1



* [PATCH v4 04/21] test/security: add TLS SG data walkthrough test
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (2 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 03/21] test/security: add DTLS " Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
                         ` (17 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add multi segment packet data walkthrough test for TLS 1.2
and DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 42 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e0695e9eb3..3591c91130 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11981,6 +11981,8 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+		if (flags->nb_segs_in_mbuf)
+			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
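Review bot: the RTE_MAX() added at the top of the algorithm loop raises the starting payload_len to nb_segs_in_mbuf without saying why. A short comment giving the reason for that lower bound (for example, at least one byte per segment, if that is the intent) would make it clear to the next reader. The `if (flags->nb_segs_in_mbuf)` guard is also redundant: with a value of 0, RTE_MAX() already leaves payload_len at TLS_RECORD_PLAINTEXT_MIN_LEN.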
@@ -12061,6 +12063,32 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = tls_version,
+		.data_walkthrough = true
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -12106,6 +12134,12 @@ test_dtls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 #endif
 
 static int
@@ -17171,6 +17205,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17276,6 +17314,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 56d9d11962..a6c537b35a 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -85,7 +85,7 @@ struct tls_record_test_data {
 
 struct tls_record_test_flags {
 	bool display_alg;
-	int nb_segs_in_mbuf;
+	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 };
-- 
2.25.1



* [PATCH v4 05/21] test/security: unit test for TLS packet corruption
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (3 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 04/21] test/security: add TLS SG " Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 06/21] test/security: unit test for custom content verification Aakash Sasidharan
                         ` (16 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add test to verify the corrupted TLS packet header

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 27 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c |  4 +++
 app/test/test_cryptodev_security_tls_record.h |  1 +
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3591c91130..324ef3c276 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12000,8 +12000,13 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
-			return TEST_FAILED;
+		if (flags->pkt_corruption) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+		} else {
+			if (ret == TEST_FAILED)
+				return TEST_FAILED;
+		}
 
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
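Review bot: with pkt_corruption set, the result check just before the data_walkthrough step only fails on TEST_SUCCESS, so every other return value is accepted as the expected rejection. An unrelated failure would then be reported as a detected corruption. Suggest requiring the specific expected result (fail the case when `ret != TEST_FAILED`) and adding a comment that a processing failure is the expected outcome in this mode.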
@@ -12089,6 +12094,20 @@ test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
 }
 
+static int
+test_tls_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
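Review bot: in test_tls_record_proto_corrupt_pkt(), ts_params and dev_info are declared and rte_cryptodev_info_get() is called, but nothing reads dev_info afterwards. Unlike test_tls_record_proto_sgl_data_walkthrough(), there is no feature-flag check here, so these three lines can be dropped. Also, pkt_corruption is declared bool, so `.pkt_corruption = true` reads better than `= 1`.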
@@ -17209,6 +17228,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"TLS packet header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 92bcbff842..93ff7f36fa 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -185,6 +185,10 @@ test_tls_record_td_update(struct tls_record_test_data td_inb[],
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
 
+		/* Corrupt the content type in the TLS header of encrypted packet */
+		if (flags->pkt_corruption)
+			td_inb[i].input_text.data[0] = ~td_inb[i].input_text.data[0];
+
 		/* Clear outbound specific flags */
 		td_inb[i].tls_record_xform.options.iv_gen_disable = 0;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a6c537b35a..a7c0ca87bf 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -88,6 +88,7 @@ struct tls_record_test_flags {
 	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
+	bool pkt_corruption;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v4 06/21] test/security: unit test for custom content verification
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (4 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
                         ` (15 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit test to verify the TLS header creation with
custom content type

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  3 +++
 app/test/test_cryptodev_security_tls_record.h |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 324ef3c276..5cb878b9ba 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -21,6 +21,7 @@
 #include <rte_ip.h>
 #include <rte_string_fns.h>
 #include <rte_tcp.h>
+#include <rte_tls.h>
 #include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -12108,6 +12109,20 @@ test_tls_record_proto_corrupt_pkt(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
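Review bot: test_tls_record_proto_custom_content_type() repeats the rte_cryptodev_info_get() call whose dev_info result is never read. The ts_params and dev_info locals and the call can be removed, leaving only the flags initializer and the call to test_tls_record_proto_all().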
@@ -17232,6 +17247,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 93ff7f36fa..9a2af259c9 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -108,6 +108,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->input_text.len = data_len;
 	}
 
+	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+		td->app_type = RTE_TLS_TYPE_MAX;
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
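Review bot: `td->app_type = RTE_TLS_TYPE_MAX` uses what reads like an enum upper bound as the custom content type. Please add a comment stating why this value is a suitable custom type for the record header, or define a named test constant for it, so the test does not silently change meaning if the enum is extended.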
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a7c0ca87bf..73719063a8 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -42,6 +42,14 @@ static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
 
 #define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
+enum tls_record_test_content_type {
+	TLS_RECORD_TEST_CONTENT_TYPE_APP,
+	/* For verifying zero packet length */
+	TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	/* For verifying handling of custom content types */
+	TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+};
+
 struct tls_record_test_data {
 	struct {
 		uint8_t data[32];
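Review bot: TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE and its "zero packet length" comment are introduced here, but this patch only uses TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM. Moving that enumerator to the patch that adds the zero length tests would keep each commit self-contained. The enum also relies on TLS_RECORD_TEST_CONTENT_TYPE_APP being 0 so that zero-initialised flags select app data; a comment saying so would protect against reordering.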
@@ -89,6 +97,7 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
+	enum tls_record_test_content_type content_type;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v4 07/21] test/cryptodev: allow zero packet length buffers
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (5 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 06/21] test/security: unit test for custom content verification Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
                         ` (14 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Anoob Joseph <anoobj@marvell.com>

The function 'create_segmented_mbuf' is updated to support zero packet
length mbufs. This allows testing of zero packet length payload with TLS
record processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.h | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index e4e99d00c1..7d877ddfe5 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -192,15 +192,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 		int nb_segs, uint8_t pattern) {
 
 	struct rte_mbuf *m = NULL, *mbuf = NULL;
+	int size, t_len, data_len = 0;
 	uint8_t *dst;
-	int data_len = 0;
-	int i, size;
-	int t_len;
-
-	if (pkt_len < 1) {
-		printf("Packet size must be 1 or more (is %d)\n", pkt_len);
-		return NULL;
-	}
 
 	if (nb_segs < 1) {
 		printf("Number of segments must be 1 or more (is %d)\n",
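Review bot: removing the whole `pkt_len < 1` check also stops rejecting negative lengths, and pkt_len is a signed int. Suggest keeping a guard for `pkt_len < 0` so that only the zero case is newly allowed. The function comment or commit log could also state what a zero length request returns, since the do/while later in the function now always runs the allocation at least once.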
@@ -212,17 +205,17 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 	size = pkt_len;
 
 	/* Create chained mbuf_src and fill it generated data */
-	for (i = 0; size > 0; i++) {
+	do {
 
 		m = rte_pktmbuf_alloc(mbuf_pool);
-		if (i == 0)
-			mbuf = m;
-
 		if (m == NULL) {
 			printf("Cannot create segment for source mbuf");
 			goto fail;
 		}
 
+		if (mbuf == NULL)
+			mbuf = m;
+
 		/* Make sure if tailroom is zeroed */
 		memset(m->buf_addr, pattern, m->buf_len);
 
@@ -239,7 +232,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 
 		size -= data_len;
 
-	}
+	} while (size > 0);
+
 	return mbuf;
 
 fail:
-- 
2.25.1



* [PATCH v4 08/21] test/security: unit test to verify zero TLS records
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (6 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
                         ` (13 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the zero len TLS records. Zero len packets are
allowed when content type is app data while zero packet length with
other content type (such as handshake) would result in an error.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 51 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c |  5 +-
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5cb878b9ba..fa63b9743f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11984,6 +11984,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
 		if (flags->nb_segs_in_mbuf)
 			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
+
+		if (flags->zero_len)
+			payload_len = 0;
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -11992,8 +11995,16 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
+		if (flags->zero_len &&
+		    ((flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE))) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+			goto skip_decrypt;
+		} else if (ret == TEST_FAILED) {
 			return TEST_FAILED;
+		}
 
 		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
 
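Review bot: the new zero_len condition compares flags->content_type against TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE three times. Either the second and third operands were meant to be other non-app content types, or the duplicates should be removed to leave a single comparison. As written, the commit message's "other content type (such as handshake)" is only exercised for handshake.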
@@ -12009,6 +12020,7 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 				return TEST_FAILED;
 		}
 
+skip_decrypt:
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
 
@@ -12123,6 +12135,35 @@ test_tls_record_proto_custom_content_type(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -17251,6 +17292,14 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
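Review bot: the second new case is named "Zero len TLS record with content type as ctrl", its function is test_tls_record_proto_zero_len_non_app, and the flag it sets is TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE. Using one term throughout (for example "handshake" in the case name) would make a failing test easier to map back to the code.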
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 9a2af259c9..c5410a4c92 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -103,13 +103,15 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
-	if (flags->data_walkthrough) {
+	if (flags->data_walkthrough || flags->zero_len) {
 		test_sec_proto_pattern_set(td->input_text.data, data_len);
 		td->input_text.len = data_len;
 	}
 
 	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
 		td->app_type = RTE_TLS_TYPE_MAX;
+	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
 	tls_pkt_size = td->input_text.len;
 
@@ -232,6 +234,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	memcpy(&res_d->input_text.data, output_text, len);
 	res_d->input_text.len = len;
+	res_d->output_text.len = td->input_text.len;
 
 	res_d->tls_record_xform.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
 	if (res_d->aead) {
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 73719063a8..300f3f08b5 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
 	enum tls_record_test_content_type content_type;
+	bool zero_len;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -140,5 +141,4 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 				 struct tls_record_test_data *res_d, bool silent);
-
 #endif
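Review bot: the last hunk of this header only deletes the blank line before `#endif`, which is unrelated to the zero length tests. Please drop it from the patch.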
-- 
2.25.1



* [PATCH v4 09/21] test/security: add unit tests for DTLS-1.2
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (7 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
                         ` (12 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify
1. DTLS record with zero length
2. DTLS record with header corruption
3. DTLS record with content type as custom

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fa63b9743f..72e7fe3769 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12215,6 +12215,67 @@ test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
 }
 
+static int
+test_dtls_1_2_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 #endif
 
 static int
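Review bot: the four new DTLS functions differ from their TLS 1.2 counterparts only in `.tls_version`, and each one carries the same rte_cryptodev_info_get() call whose dev_info is never read. Following the pattern already used for test_tls_record_proto_sgl_data_walkthrough(tls_version), shared helpers taking the version would remove the duplication and the dead locals. The bool members are also better initialised with `true` than with `1`.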
@@ -17409,6 +17470,22 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Packet corruption",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
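Review bot: the DTLS suite names the corruption case "Packet corruption" while the TLS 1.2 suite calls the equivalent case "TLS packet header corruption". Since both run the same content-type corruption path, consider a matching name such as "DTLS packet header corruption" so the two suites read consistently in test output.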
-- 
2.25.1



* [PATCH v4 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (8 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
                         ` (11 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors for TLS 1.2 and DTLS 1.2 using algos
AES-256-CBC and HMAC-SHA384

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  19 ++
 app/test/test_cryptodev_security_tls_record.h |   2 +
 ...yptodev_security_tls_record_test_vectors.h | 200 ++++++++++++++++++
 3 files changed, 221 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72e7fe3769..95f2377d4d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17273,6 +17273,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Write record known vector AES-256-CBC-SHA256",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17316,6 +17320,11 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17397,6 +17406,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17439,6 +17453,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 300f3f08b5..68e243b842 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -110,6 +110,7 @@ extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_null_cipher_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_chacha20_poly1305;
@@ -118,6 +119,7 @@ extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index f10f28bb96..27b07cd54a 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1129,6 +1129,107 @@ struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x1d, 0xe5, 0x19, 0x18, 0x57, 0xa0, 0xee, 0x79,
+			0x84, 0x61, 0x92, 0x9d, 0x3d, 0xce, 0x42, 0x92,
+			0x4a, 0x98, 0x23, 0x3b, 0xf8, 0xec, 0x29, 0x47,
+			0xb3, 0xae, 0x1f, 0x22, 0xd2, 0x8d, 0xbe, 0x2c,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0xf8, 0xbd, 0x28, 0xf9, 0x4a, 0xde, 0x1d, 0xde,
+			0x8c, 0xf5, 0xe9, 0x49, 0x34, 0x2a, 0x1a, 0xd0,
+			0x0d, 0xe3, 0x64, 0xb2, 0x54, 0xd6, 0xd6, 0x40,
+			0x90, 0x5d, 0x16, 0xc1, 0xf2, 0x77, 0x14, 0x90,
+			0xe6, 0xfa, 0xbc, 0x9d, 0xe2, 0x72, 0x12, 0xec,
+			0xb6, 0x05, 0xec, 0xdd, 0x1d, 0x23, 0xb3, 0x8e,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x44, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x01, 0x00, 0x80,
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+			0x88, 0x41, 0xee, 0x5b, 0x32, 0x1e, 0x85, 0xaf,
+			0x33, 0x7b, 0x59, 0x8a, 0xe9, 0x41, 0x11, 0x6a,
+			0xbb, 0x7d, 0x16, 0x6c, 0xbb, 0x66, 0x5e, 0xf5,
+			0xfb, 0x5f, 0x03, 0xf9, 0x75, 0x7d, 0xb9, 0xff,
+			0x70, 0xc3, 0x4a, 0x19, 0xe5, 0x25, 0xa0, 0x5d,
+			0xad, 0x45, 0xef, 0xce, 0xd8, 0x2a, 0xde, 0xf0,
+			0x0c, 0xca, 0x1c, 0x6b, 0x5a, 0x31, 0x8f, 0x49,
+			0xff, 0x7d, 0xf3, 0x71, 0x15, 0x06, 0x07, 0x9d,
+			0x6a, 0x5f, 0x5c, 0xd8, 0x2a, 0xa5, 0x0e, 0x61,
+			0xde, 0x18, 0x6b, 0x7d, 0xc8, 0x74, 0x58, 0x18,
+			0xf1, 0xac, 0xde, 0xb9, 0x6d, 0x8a, 0x44, 0xad,
+			0x10, 0xf8, 0x63, 0x15, 0xcf, 0x25, 0x2f, 0x82,
+			0x2f, 0xda, 0x74, 0x45, 0x02, 0xda, 0x61, 0x3c,
+			0x2f, 0xf9, 0xa5, 0x92, 0x2a, 0x7c, 0x5e, 0x5d,
+		},
+		.len = 141,
+	},
+	.iv = {
+		.data = {
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_DTLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.dtls_1_2.epoch = 1,
+		.dtls_1_2.seq_no = 1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
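Review bot: In dtls_test_data_aes_256_cbc_sha384_hmac, .output_text.data carries no comments, and the 16 bytes in .iv repeat the 16 bytes that follow the 13-byte record header in .output_text. Please add short comments marking the DTLS header and the explicit IV, so a later regeneration of the vector does not update one copy and leave the other stale. The lengths themselves are consistent (13 + 0x80 = 141).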
@@ -1494,6 +1595,105 @@ struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x48, 0x70, 0xc7, 0x93, 0x77, 0xe3, 0x4c, 0x8c,
+			0x27, 0x00, 0x64, 0x06, 0x3e, 0xc6, 0x47, 0x64,
+			0xcc, 0xee, 0xa4, 0x9a, 0x1a, 0xe7, 0x3a, 0xc6,
+			0xef, 0xe5, 0xe6, 0x2c, 0x15, 0xe3, 0xac, 0x16,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0x23, 0x95, 0x84, 0x30, 0xaf, 0x2b, 0x07, 0xfe,
+			0x12, 0x83, 0x87, 0x28, 0x2b, 0x38, 0xb9, 0x02,
+			0xc0, 0x27, 0x59, 0x3e, 0xa7, 0xbd, 0xce, 0xcb,
+			0xe1, 0x8a, 0xe9, 0x43, 0x5d, 0xed, 0xb4, 0xf2,
+			0x11, 0x4d, 0x19, 0xbb, 0x0f, 0x1b, 0x76, 0x86,
+			0xfb, 0xb5, 0xda, 0xfd, 0x38, 0xfe, 0x7d, 0x02,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
+			0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x80,
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+			0x1e, 0x5b, 0x1e, 0x50, 0x3e, 0x19, 0x25, 0x41,
+			0x35, 0xc7, 0x7c, 0x14, 0x99, 0x7b, 0x97, 0x80,
+			0x60, 0x9d, 0xf8, 0xf1, 0xac, 0x43, 0x7b, 0x5c,
+			0xb6, 0xe2, 0xc4, 0x8f, 0x3f, 0xd7, 0x1b, 0xd4,
+			0x61, 0x90, 0x40, 0xe3, 0xd5, 0x60, 0xac, 0xee,
+			0x62, 0x53, 0x1f, 0x1f, 0x75, 0xf6, 0x2c, 0xda,
+			0x1a, 0xed, 0x4a, 0x6a, 0x11, 0xeb, 0x9b, 0x1c,
+			0x39, 0x0d, 0x6e, 0x8a, 0xf8, 0x3d, 0x45, 0x08,
+			0x3e, 0x24, 0x17, 0x3e, 0xcf, 0x74, 0xcf, 0x6a,
+			0xcb, 0x37, 0xdf, 0x25, 0xc6, 0xa5, 0xe4, 0x1e,
+			0x53, 0x28, 0x71, 0xcf, 0xac, 0x1e, 0xad, 0x77,
+			0x8c, 0xfc, 0x80, 0x19, 0x9c, 0xcc, 0x00, 0x60,
+			0xc6, 0x82, 0xa0, 0xb8, 0x5e, 0x42, 0xd1, 0xff,
+			0x14, 0x0a, 0x92, 0x5c, 0xde, 0x8a, 0x15, 0x7a,
+		},
+		.len = 133,
+	},
+	.iv = {
+		.data = {
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_2.seq_no = 0x1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
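Review bot: .input_text.data in tls_test_data_aes_256_cbc_sha384_hmac starts with 0x20, so the plaintext under the "actual plain text" comment begins with a space, while the DTLS vector added in this patch starts directly at 0x54 ('T'). If the leading space is what the capture contained, say so in the comment; otherwise regenerate the vector. Minor: .tls_1_2.seq_no = 0x1 here versus .dtls_1_2.seq_no = 1 in the DTLS vector; pick one notation.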
-- 
2.25.1



* [PATCH v4 11/21] test/security: add DTLS 1.2 anti-replay tests
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (9 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
                         ` (10 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay test for DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 115 ++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 132 ++++++++++--------
 app/test/test_cryptodev_security_tls_record.h |  11 +-
 3 files changed, 188 insertions(+), 70 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 95f2377d4d..904bad39d3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11827,6 +11827,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		.protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
 	};
 
+	if ((tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (sess_type == RTE_SECURITY_TLS_SESS_TYPE_READ))
+		sess_conf.tls_record.dtls_1_2.ar_win_sz = flags->ar_win_size;
+
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
@@ -11851,6 +11855,17 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->ar_win_size &&
+			(sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE)) {
+			sess_conf.tls_record.dtls_1_2.seq_no =
+				td[i].tls_record_xform.dtls_1_2.seq_no;
+			ret = rte_security_session_update(ctx, ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
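Review bot: The write-side branch keys only on flags->ar_win_size, yet it writes sess_conf.tls_record.dtls_1_2.seq_no; add the same ver == RTE_SECURITY_VERSION_DTLS_1_2 check used for ar_win_sz in the previous hunk, so a non-DTLS caller that sets the flag cannot touch the dtls_1_2 member. Separately, every non-zero return from rte_security_session_update() becomes TEST_SKIPPED, which hides genuine update failures; consider skipping only when the return value says the operation is unsupported (-ENOTSUP) and returning TEST_FAILED otherwise.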
@@ -11890,17 +11905,19 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_tls_record_status_check(ut_params->op);
+		ret = test_tls_record_status_check(ut_params->op, &td[i]);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		if (res_d != NULL)
 			res_d_tmp = &res_d[i];
 
-		ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp, silent);
-		if (ret != TEST_SUCCESS)
-			goto crypto_op_free;
-
+		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+							   silent);
+			if (ret != TEST_SUCCESS)
+				goto crypto_op_free;
+		}
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
@@ -12190,6 +12207,90 @@ test_dtls_1_2_record_proto_display_list(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_pkt_replay(const uint64_t seq_no[],
+		      bool replayed_pkt[], uint32_t nb_pkts,
+		      struct tls_record_test_flags *flags)
+{
+	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
+	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
+	unsigned int i, idx, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
+					   td_outb, nb_pkts, 0);
+
+		for (idx = 0; idx < nb_pkts; idx++)
+			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
+
+		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		for (idx = 0; idx < nb_pkts; idx++) {
+			td_inb[idx].tls_record_xform.dtls_1_2.ar_win_sz = flags->ar_win_size;
+			/* Set antireplay flag for packets to be dropped */
+			td_inb[idx].ar_packet = replayed_pkt[idx];
+		}
+
+		ret = test_tls_record_proto_process(td_inb, NULL, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay(void)
+{
+	struct tls_record_test_flags flags;
+	uint64_t winsz = 64, seq_no[5];
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+	flags.ar_win_size = winsz;
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	seq_no[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	seq_no[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	seq_no[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	seq_no[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	seq_no[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
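Review bot: test_dtls_pkt_replay() indexes td_outb[] and td_inb[], both sized TEST_SEC_PKTS_MAX, with a caller-supplied nb_pkts and never checks the bound; an early return of TEST_FAILED when nb_pkts > TEST_SEC_PKTS_MAX would make that explicit. In test_dtls_1_2_record_proto_antireplay() the literal 5 appears three times (seq_no[5], nb_pkts = 5, replayed_pkt[5]); derive nb_pkts from RTE_DIM(seq_no). The sequence list also never replays the packet at the window top (winsz * 2), which would be a cheap extra entry.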
@@ -17505,6 +17606,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Zero len DTLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 64",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index c5410a4c92..907e043ddd 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -12,10 +12,21 @@
 #include "test_security_proto.h"
 
 int
-test_tls_record_status_check(struct rte_crypto_op *op)
+test_tls_record_status_check(struct rte_crypto_op *op,
+			     const struct tls_record_test_data *td)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_READ) &&
+	     td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
 		ret = TEST_FAILED;
 
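Review bot: For a record with ar_packet set, the check passes on any RTE_CRYPTO_OP_STATUS_ERROR, so a record rejected for another reason (a MAC or padding failure, for example) is counted as a successful anti-replay drop. Please add a comment stating that limitation, or check a more specific indication if the PMD under test provides one. Nit: the else after "return TEST_FAILED;" is unnecessary.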
@@ -101,81 +112,80 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.chain.auth.auth.key.length = param2->key_length;
 			td->xform.chain.auth.auth.digest_length = param2->digest_length;
 		}
-	}
-
-	if (flags->data_walkthrough || flags->zero_len) {
-		test_sec_proto_pattern_set(td->input_text.data, data_len);
-		td->input_text.len = data_len;
-	}
-
-	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
-		td->app_type = RTE_TLS_TYPE_MAX;
-	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
-		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
-	tls_pkt_size = td->input_text.len;
+		if (flags->data_walkthrough || flags->zero_len) {
+			test_sec_proto_pattern_set(td->input_text.data, data_len);
+			td->input_text.len = data_len;
+		}
 
-	if (!td->aead) {
-		mac_len = td->xform.chain.auth.auth.digest_length;
-		switch (td->xform.chain.cipher.cipher.algo) {
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			roundup_len = 8;
+		if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+			td->app_type = RTE_TLS_TYPE_MAX;
+		else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+			td->app_type = RTE_TLS_TYPE_HANDSHAKE;
+
+		tls_pkt_size = td->input_text.len;
+
+		if (!td->aead) {
+			mac_len = td->xform.chain.auth.auth.digest_length;
+			switch (td->xform.chain.cipher.cipher.algo) {
+			case RTE_CRYPTO_CIPHER_3DES_CBC:
+				roundup_len = 8;
+				exp_nonce_len = 8;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				roundup_len = 16;
+				exp_nonce_len = 16;
+				break;
+			default:
+				roundup_len = 0;
+				exp_nonce_len = 0;
+				break;
+			}
+		} else {
+			mac_len = td->xform.aead.aead.digest_length;
+			roundup_len = 0;
 			exp_nonce_len = 8;
+		}
+
+		switch (td->tls_record_xform.ver) {
+		case RTE_SECURITY_VERSION_TLS_1_2:
+		case RTE_SECURITY_VERSION_TLS_1_3:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			roundup_len = 16;
-			exp_nonce_len = 16;
+		case RTE_SECURITY_VERSION_DTLS_1_2:
+			hdr_len = sizeof(struct rte_dtls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
 		default:
-			roundup_len = 0;
-			exp_nonce_len = 0;
+			hdr_len = 0;
+			min_padding = 0;
 			break;
 		}
-	} else {
-		mac_len = td->xform.aead.aead.digest_length;
-		roundup_len = 0;
-		exp_nonce_len = 8;
-	}
-
-	switch (td->tls_record_xform.ver) {
-	case RTE_SECURITY_VERSION_TLS_1_2:
-	case RTE_SECURITY_VERSION_TLS_1_3:
-		hdr_len = sizeof(struct rte_tls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	case RTE_SECURITY_VERSION_DTLS_1_2:
-		hdr_len = sizeof(struct rte_dtls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	default:
-		hdr_len = 0;
-		min_padding = 0;
-		break;
-	}
 
-	tls_pkt_size += mac_len;
+		tls_pkt_size += mac_len;
 
-	/* Padding */
-	tls_pkt_size += min_padding;
+		/* Padding */
+		tls_pkt_size += min_padding;
 
-	if (roundup_len)
-		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+		if (roundup_len)
+			tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
-	/* Explicit nonce */
-	tls_pkt_size += exp_nonce_len;
+		/* Explicit nonce */
+		tls_pkt_size += exp_nonce_len;
 
-	/* Add TLS header */
-	tls_pkt_size += hdr_len;
+		/* Add TLS header */
+		tls_pkt_size += hdr_len;
 
-	td->output_text.len = tls_pkt_size;
+		td->output_text.len = tls_pkt_size;
 
-	RTE_SET_USED(flags);
+	}
 }
 
 void
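Review bot: The commit message only says "Add anti-replay test for DTLS 1.2.", but the length computation in test_tls_record_td_prepare() is moved one block level deeper here (the closing brace before the data_walkthrough check is removed and a new one is added before the end of the function), which changes the block that code runs in and is unrelated to anti-replay. Please split it into its own patch with a message explaining the fix, or describe it in this one. Nits: the TLS and DTLS cases of the version switch set min_padding identically, and the blank line before the new closing brace should go.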
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 68e243b842..efb16aed7d 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -89,16 +89,18 @@ struct tls_record_test_data {
 	struct rte_security_tls_record_xform tls_record_xform;
 	uint8_t app_type;
 	bool aead;
+	bool ar_packet;
 };
 
 struct tls_record_test_flags {
 	bool display_alg;
-	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
-	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
-	enum tls_record_test_content_type content_type;
 	bool zero_len;
+	uint8_t nb_segs_in_mbuf;
+	enum rte_security_tls_version tls_version;
+	enum tls_record_test_content_type content_type;
+	int ar_win_size;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
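Review bot: ar_win_size is declared int, while the test in this patch assigns it from a uint64_t winsz and a window size is never negative; use an unsigned type (uint32_t covers the sizes tested) to avoid the implicit narrowing and sign conversion. The reordering of nb_segs_in_mbuf, tls_version and content_type in the same struct is unrelated to anti-replay and deserves a mention in the commit message.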
@@ -123,7 +125,8 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
-int test_tls_record_status_check(struct rte_crypto_op *op);
+int test_tls_record_status_check(struct rte_crypto_op *op,
+				 const struct tls_record_test_data *td);
 
 int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_record_xform,
 				    const struct rte_security_capability *sec_cap, bool silent);
-- 
2.25.1



* [PATCH v4 12/21] test/security: add more DTLS anti-replay window sz
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (10 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 13/21] test/crypto: update verification of header Aakash Sasidharan
                         ` (9 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay tests for window sizes 128, 256, 512, 1024,
2048 and 4096 in DTLS 1.2 suite.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c | 72 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 904bad39d3..72d91d23a2 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12259,12 +12259,12 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 }
 
 static int
-test_dtls_1_2_record_proto_antireplay(void)
+test_dtls_1_2_record_proto_antireplay(uint64_t winsz)
 {
 	struct tls_record_test_flags flags;
-	uint64_t winsz = 64, seq_no[5];
 	uint32_t nb_pkts = 5;
 	bool replayed_pkt[5];
+	uint64_t seq_no[5];
 
 	memset(&flags, 0, sizeof(flags));
 
@@ -12291,6 +12291,48 @@ test_dtls_1_2_record_proto_antireplay(void)
 	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
 }
 
+static int
+test_dtls_1_2_record_proto_antireplay64(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(64);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay128(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(128);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay256(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(256);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay512(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(512);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay1024(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(1024);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay2048(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(2048);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay4096(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(4096);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
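Review bot: The seven one-line wrappers differ only in the constant passed to test_dtls_1_2_record_proto_antireplay(). The suite already uses TEST_CASE_NAMED_WITH_DATA for per-vector cases; passing the window size as the data pointer to a single test function would remove the wrappers and make adding a size a one-line change. If the wrappers stay, note that winsz is uint64_t here while flags.ar_win_size, which receives it, is int.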
@@ -17609,7 +17651,31 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Antireplay with window size 64",
 			ut_setup_security, ut_teardown,
-			test_dtls_1_2_record_proto_antireplay),
+			test_dtls_1_2_record_proto_antireplay64),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 128",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay128),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 256",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay256),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 512",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay512),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay1024),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay2048),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay4096),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v4 13/21] test/crypto: update verification of header
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (11 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
                         ` (8 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

In TLS 1.3, the version in the header would be TLS 1.2 and the content
type would be APP irrespective of the type of the payload.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 907e043ddd..498c4923e0 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -275,9 +275,9 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		hdr_len = sizeof(struct rte_tls_hdr);
 	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
 		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
-		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
 			printf("Incorrect header version [expected - %4x, received - %4x]\n",
-			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
 			return TEST_FAILED;
 		}
 		content_type = hdr->type;
@@ -297,10 +297,18 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		return TEST_FAILED;
 	}
 
-	if (content_type != td->app_type) {
-		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
-		       td->app_type, content_type);
-		return TEST_FAILED;
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		if (content_type != RTE_TLS_TYPE_APPDATA) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
+	} else {
+		if (content_type != td->app_type) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
 	}
 
 	if (length != td->output_text.len - hdr_len) {
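Review bot: In the TLS 1.3 branch the comparison is against RTE_TLS_TYPE_APPDATA, but the printf still prints td->app_type as the expected value, so a failure on a vector with a custom or handshake app_type reports the wrong expectation. Print RTE_TLS_TYPE_APPDATA there. The two branches could also collapse into one by computing the expected content type first and keeping a single comparison and printf.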
-- 
2.25.1



* [PATCH v4 14/21] test/crypto: add TLS 1.3 vectors
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (12 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 13/21] test/crypto: update verification of header Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
                         ` (7 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors and test suite for TLS 1.3
AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305
vectors. The vectors are generated using gnuTLS
client server application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  35 +++
 app/test/test_cryptodev_security_tls_record.h |   3 +
 ...yptodev_security_tls_record_test_vectors.h | 205 ++++++++++++++++++
 3 files changed, 243 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72d91d23a2..aa9fffe50e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17680,6 +17680,40 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 	}
 };
 
+static struct unit_test_suite tls13_record_proto_testsuite  = {
+	.suite_name = "TLS 1.3 Record Protocol Unit Test Suite",
+	.setup = tls_record_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 #define ADD_UPLINK_TESTCASE(data)						\
 	TEST_CASE_NAMED_WITH_DATA(data.test_descr_uplink, ut_setup_security,	\
 	ut_teardown, test_docsis_proto_uplink, (const void *) &data),		\
@@ -18699,6 +18733,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&docsis_proto_testsuite,
 		&tls12_record_proto_testsuite,
 		&dtls12_record_proto_testsuite,
+		&tls13_record_proto_testsuite,
 #endif
 		&end_testsuite
 	};
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index efb16aed7d..9fbc64605d 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -124,6 +124,9 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
+extern struct tls_record_test_data tls13_test_data_aes_128_gcm;
+extern struct tls_record_test_data tls13_test_data_aes_256_gcm;
+extern struct tls_record_test_data tls13_test_data_chacha20_poly1305;
 
 int test_tls_record_status_check(struct rte_crypto_op *op,
 				 const struct tls_record_test_data *td);
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index 27b07cd54a..8af17b07e5 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1781,4 +1781,209 @@ struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.app_type = 0x17,
 };
 
+/* TLS 1.3 AES-128-GCM */
+struct tls_record_test_data tls13_test_data_aes_128_gcm = {
+	.key = {
+		.data = {
+			0x03, 0x12, 0xf5, 0x86, 0xe4, 0xd0, 0x27, 0xc7,
+			0x47, 0x82, 0x44, 0xca, 0xd3, 0xce, 0x06, 0x6c,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0x52, 0xb5, 0x24, 0xce, 0x5c, 0x29, 0x0f, 0x0a,
+			0x3a, 0xc0, 0x60, 0xaf, 0xba, 0xe3, 0x0d, 0x28,
+			0x6c, 0xbb, 0x3e, 0x5f, 0xde, 0x4a, 0xcd, 0xf1,
+			0x30, 0x12, 0xa9, 0x42, 0x95, 0x55, 0xf5, 0x2c,
+			0xb7, 0xb6, 0x60, 0x82, 0xa2, 0x1d, 0x34, 0x33,
+			0x0a, 0xd7, 0x48, 0x40, 0xef, 0xab, 0x70, 0xa7,
+			0xb2, 0x58, 0x41, 0xdb, 0xf6, 0x37, 0xe4, 0x6d,
+			0xa3, 0x1e, 0xbf, 0x6f,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0x8d, 0x1f, 0xa0, 0x14, 0xc7, 0x66, 0x9f, 0x93,
+			0x74, 0x3f, 0x46, 0x52,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+/* TLS 1.3 AES-256-GCM */
+struct tls_record_test_data tls13_test_data_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xc9, 0xc2, 0xa2, 0x4c, 0x4e, 0x36, 0x19, 0x6e,
+			0xd8, 0xf5, 0xb9, 0x14, 0x30, 0xfc, 0xe0, 0xef,
+			0x29, 0xb0, 0x00, 0xd1, 0x2d, 0xfc, 0x5a, 0x76,
+			0x50, 0xf4, 0xf3, 0xb1, 0x82, 0x21, 0x57, 0x82,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0xc9, 0xb0, 0x44, 0x23, 0xd5, 0xe2, 0xbd, 0x1d,
+			0xf1, 0x96, 0x53, 0x2c, 0x8c, 0xe2, 0xa3, 0x00,
+			0x7b, 0x2a, 0xb1, 0xa1, 0xd6, 0x79, 0x58, 0xb5,
+			0x35, 0x1f, 0xbb, 0x98, 0x03, 0xe1, 0x82, 0xa2,
+			0x1e, 0x26, 0x81, 0xbe, 0x77, 0x65, 0xaf, 0x7d,
+			0x9f, 0x52, 0xec, 0x3a, 0x18, 0x2d, 0x36, 0xab,
+			0xdc, 0xa9, 0xfb, 0xd3, 0xa8, 0xd5, 0xbc, 0x98,
+			0xa4, 0xab, 0x70, 0xe9,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0xd4, 0x78, 0xf2, 0x90, 0x61, 0x5d, 0x8c, 0x63,
+			0x4b, 0xf4, 0x72, 0xf3,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+struct tls_record_test_data tls13_test_data_chacha20_poly1305 = {
+	.key = {
+		.data = {
+			0xec, 0x7d, 0x7a, 0x3f, 0x91, 0xdd, 0xb9, 0x70,
+			0x95, 0x3b, 0x99, 0xb0, 0xe7, 0x66, 0xda, 0xdc,
+			0x85, 0xbb, 0xfc, 0xc8, 0x50, 0xe9, 0x61, 0x88,
+			0xc8, 0x1e, 0xf0, 0x61, 0xb0, 0xcd, 0x6c, 0x3d,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30,
+			0x2d, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30,
+			0x35, 0x20, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+			0x65, 0x20, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0xa,
+		},
+		.len = 49,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x42,
+			0x9a, 0xc1, 0xd9, 0x0e, 0xf9, 0x4c, 0x51, 0x8c,
+			0xb4, 0xa7, 0x54, 0x57, 0x56, 0xba, 0xbb, 0xf7,
+			0xd7, 0x1d, 0x49, 0x5a, 0x42, 0xd2, 0xab, 0x75,
+			0x3f, 0xb1, 0x5f, 0xb5, 0x2b, 0x2b, 0xa3, 0xc5,
+			0x61, 0x32, 0x7e, 0x62, 0x1e, 0xf5, 0x56, 0xff,
+			0x84, 0x8e, 0x9a, 0x99, 0x06, 0xba, 0x3b, 0xc0,
+			0x15, 0x4c, 0xf5, 0xb1, 0x5e, 0xcc, 0xff, 0x42,
+			0x79, 0x4b, 0xa9, 0x23, 0x16, 0x08, 0xc3, 0x9a,
+			0x52, 0x2a,
+		},
+		.len = 71,
+	},
+	.imp_nonce = {
+		.data = {
+			0x3c, 0x28, 0xa0, 0xb8, 0xf8, 0x74, 0x35, 0xfe,
+			0xd2, 0xa0, 0x31, 0x28,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
 #endif
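Review bot: all three TLS 1.3 vectors set `.tls_1_3.seq_no = 0x0`, so the known-vector tests built on them do not cover the per-record nonce derivation. In TLS 1.3 the nonce is the static IV XORed with the padded sequence number (RFC 8446, section 5.3); at sequence number 0 it equals `imp_nonce`, so an implementation that ignores `seq_no` would still reproduce these ciphertexts. Please add at least one vector with a non-zero sequence number. Smaller points in the same hunk: the `tls13_test_data_chacha20_poly1305` struct lacks the `/* TLS 1.3 ... */` comment its two siblings carry, and the last row of its `input_text` packs nine bytes on one line and writes `0xa` without the leading zero.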
-- 
2.25.1



* [PATCH v4 15/21] test/crypto: update framework to verify tls-1.3
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (13 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
                         ` (6 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Update the fields in preparation of test descriptor.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++---
 app/test/test_cryptodev_security_tls_record.c | 43 ++++++++++++-------
 app/test/test_cryptodev_security_tls_record.h | 10 ++---
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index aa9fffe50e..25777c1b1f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11889,8 +11889,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		/* Copy IV in crypto operation when IV generation is disabled */
-		if (sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE &&
-		    tls_record_xform.options.iv_gen_disable == 1) {
+		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
+		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
+		    (tls_record_xform.options.iv_gen_disable == 1)) {
 			uint8_t *iv;
 			int len;
 
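Review bot: the comment above the condition still reads "Copy IV in crypto operation when IV generation is disabled", but the branch is now also bypassed for `RTE_SECURITY_VERSION_TLS_1_3`. Please extend the comment to say why TLS 1.3 is excluded (its records carry no explicit per-record IV), so the extra test does not look accidental to a later reader. The commit message ("Update the fields in preparation of test descriptor") does not mention this behaviour change either.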
@@ -12005,8 +12006,10 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (flags->zero_len)
 			payload_len = 0;
 again:
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, payload_len);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, payload_len);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
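Review bot: when `test_tls_record_td_prepare()` returns `TEST_SKIPPED` the loop only does `continue`, so with `tls_version` set to TLS 1.3 every non-AEAD entry in `sec_alg_list` is dropped without any trace in the output. Please log the skipped combination, or count it, so that a run shows how many algorithm pairs were actually exercised and a run where nothing was exercised is not reported the same way as a full pass.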
@@ -12218,8 +12221,10 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 	int ret;
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, 0);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, 0);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		for (idx = 0; idx < nb_pkts; idx++)
 			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 498c4923e0..96d0a94731 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -70,7 +70,7 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 	}
 }
 
-void
+int
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array,
@@ -79,6 +79,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
 
+	if ((flags->tls_version == RTE_SECURITY_VERSION_TLS_1_3) &&
+	    (param1->type != RTE_CRYPTO_SYM_XFORM_AEAD))
+		return TEST_SKIPPED;
+
 	memset(td_array, 0, nb_td * sizeof(*td));
 
 	for (i = 0; i < nb_td; i++) {
@@ -88,10 +92,17 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
-				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
-			else
+			switch (flags->tls_version) {
+			case RTE_SECURITY_VERSION_TLS_1_2:
 				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_DTLS_1_2:
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_TLS_1_3:
+				memcpy(td, &tls13_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			}
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
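Review bot: the new `switch (flags->tls_version)` has no `default` case, so for any version other than the three listed `td` keeps the all-zero contents left by the earlier `memset()` and the code goes on to set `td->aead = true` and the algorithm on an empty template. Please add a `default:` that returns an error (or `TEST_SKIPPED`) here rather than relying on the later switch on `td->tls_record_xform.ver` to catch it.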
@@ -127,6 +138,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (!td->aead) {
 			mac_len = td->xform.chain.auth.auth.digest_length;
+			min_padding = 1;
 			switch (td->xform.chain.cipher.cipher.algo) {
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 				roundup_len = 8;
@@ -143,30 +155,28 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			}
 		} else {
 			mac_len = td->xform.aead.aead.digest_length;
+			min_padding = 0;
 			roundup_len = 0;
-			exp_nonce_len = 8;
+			if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3)
+				exp_nonce_len = 0;
+			else
+				exp_nonce_len = 8;
 		}
 
 		switch (td->tls_record_xform.ver) {
 		case RTE_SECURITY_VERSION_TLS_1_2:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			break;
 		case RTE_SECURITY_VERSION_TLS_1_3:
 			hdr_len = sizeof(struct rte_tls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
+			/* Add 1 byte for content type in packet */
+			tls_pkt_size += 1;
 			break;
 		case RTE_SECURITY_VERSION_DTLS_1_2:
 			hdr_len = sizeof(struct rte_dtls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
 			break;
 		default:
-			hdr_len = 0;
-			min_padding = 0;
-			break;
+			return TEST_SKIPPED;
 		}
 
 		tls_pkt_size += mac_len;
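Review bot: the `default:` arm now returns `TEST_SKIPPED` for an unrecognised `td->tls_record_xform.ver`, which reports a broken test descriptor as a skip; this looks like a case for `TEST_FAILED`, since the callers treat `TEST_SKIPPED` as "move to the next algorithm". The return also happens in the middle of the loop, leaving `td_array` partly filled. Separately, the `RTE_SECURITY_VERSION_TLS_1_2` and `RTE_SECURITY_VERSION_TLS_1_3` arms now duplicate `hdr_len = sizeof(struct rte_tls_hdr);`; keeping the fall-through and adding the one extra byte under an `if` on the version would be shorter.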
@@ -186,6 +196,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->output_text.len = tls_pkt_size;
 
 	}
+	return TEST_SUCCESS;
 }
 
 void
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 9fbc64605d..0138770fac 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -137,11 +137,11 @@ int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_re
 void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 					struct tls_record_test_data *td_in);
 
-void test_tls_record_td_prepare(const struct crypto_param *param1,
-				const struct crypto_param *param2,
-				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td,
-				unsigned int data_len);
+int test_tls_record_td_prepare(const struct crypto_param *param1,
+			       const struct crypto_param *param2,
+			       const struct tls_record_test_flags *flags,
+			       struct tls_record_test_data *td_array, int nb_td,
+			       unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
-- 
2.25.1



* [PATCH v4 16/21] test/crypto: test to verify hdr corruption in TLS
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (14 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
                         ` (5 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with header corruption.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 25777c1b1f..9f0a737913 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12424,6 +12424,20 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_1_3_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
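Review bot: in `test_tls_1_3_record_proto_corrupt_pkt()` the `dev_info` filled by `rte_cryptodev_info_get()` is never read, and `ts_params` exists only to make that call. Please drop both and leave the `flags` initialiser plus the `test_tls_record_proto_all(&flags)` call. Also note that the commit message and the test case name say "header corruption" while the flag being set is `.pkt_corruption`; if only the header is corrupted, a short comment saying so would help.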
@@ -17714,7 +17728,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"Read record known vector CHACHA20-POLY1305",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
-
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v4 17/21] test/crypto: test to verify custom content type in TLS
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (15 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
                         ` (4 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with content type as custom.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9f0a737913..fe4fcfbfdb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12438,6 +12438,21 @@ test_tls_1_3_record_proto_corrupt_pkt(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
@@ -17732,6 +17747,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header with custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
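Review bot: the test case name "TLS-1.3 record header with custom content type" is misleading for TLS 1.3. The TLS 1.3 vectors in this series all start with `0x17` in the outer header, and the framework change adds "1 byte for content type in packet", which matches TLS 1.3 carrying the real content type inside the encrypted payload rather than in the header. Please rename it to something like "TLS-1.3 record with custom content type".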
-- 
2.25.1



* [PATCH v4 18/21] test/crypto: test to verify zero len record in TLS
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (16 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
                         ` (3 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with zero length.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fe4fcfbfdb..8ad5033f32 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12453,6 +12453,37 @@ test_tls_1_3_record_proto_custom_content_type(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_3_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
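Review bot: `test_tls_1_3_record_proto_zero_len_non_app()` does not state what result it expects for a zero-length record with `TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE`. RFC 8446, section 5.1 forbids sending zero-length fragments of Handshake types while allowing zero-length Application Data, so the two new tests should have opposite expectations; please add a comment (and, if the framework does not already enforce it, a check) making clear that the handshake case must be rejected. As in the earlier TLS 1.3 tests, `dev_info` and `ts_params` are unused in both functions.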
@@ -17751,6 +17782,14 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header with custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v4 19/21] test/crypto: unit tests to verify padding in TLS
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (17 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
                         ` (2 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for TLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 85 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 28 ++++--
 app/test/test_cryptodev_security_tls_record.h |  5 +-
 3 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 8ad5033f32..a324c1607b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11834,6 +11834,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
+	if (flags->opt_padding)
+		tls_record_xform.options.extra_padding_enable = 1;
+
 	sess_conf.tls_record = tls_record_xform;
 
 	if (td[0].aead) {
@@ -11888,6 +11891,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->sym->m_dst = NULL;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
+		if (flags->opt_padding)
+			ut_params->op->aux_flags = flags->opt_padding;
+
 		/* Copy IV in crypto operation when IV generation is disabled */
 		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
 		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
@@ -11915,7 +11921,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
 			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
-							   silent);
+							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
 		}
@@ -12184,6 +12190,59 @@ test_tls_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_opt_padding(uint8_t padding, uint8_t num_segs,
+				  enum rte_security_tls_version tls_version)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = num_segs,
+		.tls_version = tls_version,
+		.opt_padding = padding
+	};
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 2, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
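Review bot: the `padding` arguments passed to `test_tls_record_proto_opt_padding()` (1, 25, 8, 33) are bare numbers whose unit is only discoverable from the verify function later in this patch, where the value is multiplied by 8. Please document the unit on the helper and name the boundary values, in particular that 33 is chosen because `33 * 8` exceeds the 256 cap. The suffixes `_1` and `_2` on the test functions say nothing about what differs between them, and `dev_info` in the helper is fetched but never used.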
@@ -17578,6 +17637,30 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Zero len TLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
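Review bot: two entries are registered under the same name, "TLS record SG mode with optional padding > 2 blocks", for `test_tls_record_proto_sg_opt_padding_1` and `test_tls_record_proto_sg_opt_padding_2`, so a failure report cannot tell them apart. The two differ only in segment count (4 and 5), so please put that in the name. The "< 2 blocks" and "> 2 blocks" wording also needs the block size stated, since the padding values passed are 1, 8 and 25 units.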
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 96d0a94731..03d9efefc3 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -269,7 +269,8 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 }
 
 static int
-tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text,
+		      const struct tls_record_test_flags *flags)
 {
 	uint16_t length, hdr_len;
 	uint8_t content_type;
@@ -322,10 +323,22 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		}
 	}
 
-	if (length != td->output_text.len - hdr_len) {
-		printf("Incorrect packet length [expected - %d, received - %d]\n",
-		       td->output_text.len - hdr_len, length);
-		return TEST_FAILED;
+	if (!flags->opt_padding) {
+		if (length != td->output_text.len - hdr_len) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       td->output_text.len - hdr_len, length);
+			return TEST_FAILED;
+		}
+	} else {
+		int pad_len = (flags->opt_padding * 8) > 256 ? 256 : (flags->opt_padding * 8);
+		int expect_len = td->output_text.len - hdr_len + pad_len;
+
+		if (length - expect_len > 32) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       expect_len, length);
+			return TEST_FAILED;
+		}
+
 	}
 
 	return TEST_SUCCESS;
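Review bot: in the `opt_padding` branch the check `if (length - expect_len > 32)` only bounds the record length from above. `length` is a `uint16_t` and `expect_len` an `int`, so the subtraction is done as signed `int`, and any record shorter than `expect_len` yields a negative value and passes. Please check both sides, for example fail when `length < expect_len` as well, or explain in a comment why a shorter record is acceptable. The constants 8, 256 and 32 should be named or commented, and the blank line before the closing brace of the `else` block can go.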
@@ -333,7 +346,8 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-			     struct tls_record_test_data *res_d, bool silent)
+			     struct tls_record_test_data *res_d, bool silent,
+			     const struct tls_record_test_flags *flags)
 {
 	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
@@ -365,7 +379,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
-		ret = tls_record_hdr_verify(td, output_text);
+		ret = tls_record_hdr_verify(td, output_text, flags);
 		if (ret != TEST_SUCCESS)
 			return ret;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0138770fac..a7c38218ae 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -97,7 +97,9 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	bool pkt_corruption;
 	bool zero_len;
+	bool padding_corruption;
 	uint8_t nb_segs_in_mbuf;
+	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
 	enum tls_record_test_content_type content_type;
 	int ar_win_size;
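Review bot: `bool padding_corruption;` is added to `struct tls_record_test_flags` but none of the hunks in this patch set or read it. Please move the field to the patch that introduces its first user, or drop it.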
@@ -148,5 +150,6 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_flags *flags);
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-				 struct tls_record_test_data *res_d, bool silent);
+				 struct tls_record_test_data *res_d, bool silent,
+				 const struct tls_record_test_flags *flags);
 #endif
-- 
2.25.1



* [PATCH v4 20/21] test/crypto: unit tests for padding in DTLS-1.2
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (18 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13  5:50       ` [PATCH v4 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for DTLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index a324c1607b..572740cbf9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12483,6 +12483,42 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 static int
 test_tls_1_3_record_proto_corrupt_pkt(void)
 {
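Review bot: `test_dtls_1_2_record_proto_sg_opt_padding()` calls the helper with `(1, 5, ...)`, whereas the TLS 1.2 counterpart added in the previous patch uses `(1, 2, ...)`; the remaining DTLS cases mirror their TLS versions exactly. If the different segment count is intentional please say why in a comment, otherwise align it. The DTLS suite also inherits the duplicated "SG mode with optional padding > 2 blocks" name for the `_1` and `_2` variants.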
@@ -17824,6 +17860,30 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Antireplay with window size 4096",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_antireplay4096),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v4 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (19 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
@ 2024-03-13  5:50       ` Aakash Sasidharan
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13  5:50 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add TLS 1.2 out-of-place multi-segmented packet test.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 52 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.h |  1 +
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 572740cbf9..1703ebccf1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11873,6 +11873,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
 		pktmbuf_write(ut_params->ibuf, 0, td[i].input_text.len, td[i].input_text.data);
+		if (flags->out_of_place)
+			ut_params->obuf = create_segmented_mbuf(ts_params->mbuf_pool,
+					td[i].output_text.len, nb_segs, 0);
+		else
+			ut_params->obuf = NULL;
 
 		/* Generate crypto op data structure */
 		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
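Review bot: the result of create_segmented_mbuf() for obuf is not checked in this hunk. If the allocation fails, the later hunks assign a NULL m_dst (which makes the operation in-place) and then hand `flags->out_of_place ? ut_params->obuf : ut_params->ibuf`, i.e. NULL, to test_tls_record_post_process(). Fail the test right here when obuf is NULL and out_of_place is set.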
@@ -11888,7 +11893,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		/* Set crypto operation mbufs */
 		ut_params->op->sym->m_src = ut_params->ibuf;
-		ut_params->op->sym->m_dst = NULL;
+		ut_params->op->sym->m_dst = ut_params->obuf;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		if (flags->opt_padding)
@@ -11920,7 +11925,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
-			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+			struct rte_mbuf *buf = flags->out_of_place ? ut_params->obuf :
+						ut_params->ibuf;
+
+			ret = test_tls_record_post_process(buf, &td[i], res_d_tmp,
 							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
@@ -11929,6 +11937,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
 
+		if (flags->out_of_place) {
+			rte_pktmbuf_free(ut_params->obuf);
+			ut_params->obuf = NULL;
+		}
+
 		rte_pktmbuf_free(ut_params->ibuf);
 		ut_params->ibuf = NULL;
 	}
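Review bot: the `if (flags->out_of_place)` guard around the free is unnecessary here and in the following hunk. obuf is set to NULL on the in-place path and rte_pktmbuf_free() does nothing for a NULL mbuf, so obuf can be freed and cleared unconditionally, the same way ibuf is two lines below.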
@@ -11937,6 +11950,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	rte_crypto_op_free(ut_params->op);
 	ut_params->op = NULL;
 
+	if (flags->out_of_place) {
+		rte_pktmbuf_free(ut_params->obuf);
+		ut_params->obuf = NULL;
+	}
+
 	rte_pktmbuf_free(ut_params->ibuf);
 	ut_params->ibuf = NULL;
 
@@ -12127,6 +12145,32 @@ test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_ver
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_oop(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.out_of_place = true,
+		.tls_version = tls_version
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_oop(void)
+{
+	return test_tls_record_proto_sgl_oop(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 {
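Review bot: test_tls_record_proto_sgl_oop() gates on the wrong capability. It sets `.out_of_place = true` with 5 segments for both source and destination, but checks RTE_CRYPTODEV_FF_IN_PLACE_SGL and prints "Device doesn't support in-place scatter-gather". A device with in-place SGL but no out-of-place SGL would run and fail instead of being skipped. Check RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT and adjust the skip message accordingly.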
@@ -17657,6 +17701,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode out of place",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_oop),
 		TEST_CASE_NAMED_ST(
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a7c38218ae..18a90c6ff6 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	bool pkt_corruption;
 	bool zero_len;
 	bool padding_corruption;
+	bool out_of_place;
 	uint8_t nb_segs_in_mbuf;
 	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 00/21] Improvements and new test cases
  2024-03-13  5:50     ` [PATCH v4 00/21] Improvements and new test cases Aakash Sasidharan
                         ` (20 preceding siblings ...)
  2024-03-13  5:50       ` [PATCH v4 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-13 10:58       ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
                           ` (21 more replies)
  21 siblings, 22 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  Cc: gakhil, jerinj, anoobj, vvelumuri, asasidharan, dev

v5:
* Define TEST_SEC_CIPHERTEXT_MAX_LEN based on existing
  MBUF_DATAPAYLOAD_SIZE macro.

v4:
* Set max ciphertext length for data walkthrough tests to 4k.

v3:
* Set max packet length for data walkthrough tests to 8k.

v2:
* Rebased.

Aakash Sasidharan (7):
  test/security: enable AES-GCM in combined mode TLS
  test/security: add TLS 1.2 data walkthrough test
  test/security: add DTLS 1.2 data walkthrough test
  test/security: add TLS SG data walkthrough test
  test/security: add DTLS 1.2 anti-replay tests
  test/security: add more DTLS anti-replay window sz
  test/security: add out of place sgl test case for TLS 1.2

Akhil Goyal (2):
  test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  test/crypto: add TLS 1.3 vectors

Anoob Joseph (1):
  test/cryptodev: allow zero packet length buffers

Vidya Sagar Velumuri (11):
  test/security: unit test for TLS packet corruption
  test/security: unit test for custom content verification
  test/security: unit test to verify zero TLS records
  test/security: add unit tests for DTLS-1.2
  test/crypto: update verification of header
  test/crypto: update framework to verify tls-1.3
  test/crypto: test to verify hdr corruption in TLS
  test/crypto: test to verify custom content type in TLS
  test/crypto: test to verify zero len record in TLS
  test/crypto: unit tests to verify padding in TLS
  test/crypto: unit tests for padding in DTLS-1.2

 app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
 app/test/test_cryptodev.h                     |  20 +-
 app/test/test_cryptodev_security_tls_record.c | 203 ++--
 app/test/test_cryptodev_security_tls_record.h |  77 +-
 ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
 app/test/test_security_proto.c                |  17 +
 app/test/test_security_proto.h                |  11 +
 7 files changed, 1530 insertions(+), 178 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 01/21] test/security: enable AES-GCM in combined mode TLS
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
                           ` (20 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph, Vidya Sagar Velumuri
  Cc: jerinj, asasidharan, dev

Enable AES-GCM AEAD tests in combined mode TLS test suite.

Coverity issue: 414888
Fixes: 9157ccb8f876 ("test/crypto: verify TLS headers")

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 10 ++++++++--
 app/test/test_security_proto.h                |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index bcb2eba4ff..14a7a2511e 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -116,6 +116,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	} else {
 		mac_len = td->xform.aead.aead.digest_length;
+		roundup_len = 0;
 		exp_nonce_len = 8;
 	}
 
@@ -123,7 +124,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	case RTE_SECURITY_VERSION_TLS_1_2:
 	case RTE_SECURITY_VERSION_TLS_1_3:
 		hdr_len = sizeof(struct rte_tls_hdr);
-		min_padding = 1;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
@@ -139,7 +143,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 	/* Padding */
 	tls_pkt_size += min_padding;
-	tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+
+	if (roundup_len)
+		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
 	/* Explicit nonce */
 	tls_pkt_size += exp_nonce_len;
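Review bot: the commit log does not describe the defect that the Coverity id and Fixes tag refer to. The `if (roundup_len)` guard in this hunk is what keeps RTE_ALIGN_MUL_CEIL() from being evaluated with a zero multiple on the AEAD path, where roundup_len is now set to 0. Say so in the commit message, or split the fix from the AES-GCM enablement so it can be backported on its own.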
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index efa023b99d..5b92daa810 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -27,16 +27,19 @@ static const struct crypto_param aead_list[] = {
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead =  RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 16,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 24,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
 		.alg.aead = RTE_CRYPTO_AEAD_AES_GCM,
 		.key_length = 32,
+		.digest_length = 16,
 	},
 	{
 		.type = RTE_CRYPTO_SYM_XFORM_AEAD,
-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 02/21] test/security: add TLS 1.2 data walkthrough test
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 03/21] test/security: add DTLS " Aakash Sasidharan
                           ` (19 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Anoob Joseph; +Cc: jerinj, vvelumuri, asasidharan, dev

Add data walkthrough test for TLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 90 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c | 25 ++++--
 app/test/test_cryptodev_security_tls_record.h | 41 ++++++++-
 app/test/test_security_proto.c                | 17 ++++
 app/test/test_security_proto.h                |  8 ++
 5 files changed, 162 insertions(+), 19 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3b5e784022..c5837ccbdd 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -858,6 +858,8 @@ ipsec_proto_testsuite_setup(void)
 static int
 tls_record_proto_testsuite_setup(void)
 {
+	test_sec_proto_pattern_generate();
+
 	return sec_proto_testsuite_setup(RTE_SECURITY_PROTOCOL_TLS_RECORD);
 }
 
@@ -11958,14 +11960,30 @@ test_tls_record_proto_known_vec_read(const void *test_data)
 static int
 test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 {
+	unsigned int i, nb_pkts = 1, pass_cnt = 0, payload_len, max_payload_len;
 	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
 	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
-	unsigned int i, nb_pkts = 1, pass_cnt = 0;
 	int ret;
 
+	switch (flags->tls_version) {
+	case RTE_SECURITY_VERSION_TLS_1_2:
+		max_payload_len = TLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_TLS_1_3:
+		max_payload_len = TLS_1_3_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	case RTE_SECURITY_VERSION_DTLS_1_2:
+		max_payload_len = DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN;
+		break;
+	default:
+		max_payload_len = 0;
+	}
+
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts);
+					   td_outb, nb_pkts, payload_len);
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
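Review bot: the `again:` label introduces a backward goto to iterate over payload lengths, which hides a loop inside the per-algorithm for loop. An explicit inner loop over payload_len from TLS_RECORD_PLAINTEXT_MIN_LEN to max_payload_len (run once when data_walkthrough is not set) would be easier to follow. Also, the `default:` arm of the switch silently sets max_payload_len to 0 for an unknown tls_version; returning TEST_FAILED there would catch a flags struct that was never given a version.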
@@ -11983,6 +12001,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_FAILED)
 			return TEST_FAILED;
 
+		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
+			goto again;
+
 		if (flags->display_alg)
 			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
 
@@ -11996,22 +12017,69 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 }
 
 static int
-test_tls_record_proto_display_list(void)
+test_tls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_display_list(void)
 {
 	struct tls_record_test_flags flags;
 
 	memset(&flags, 0, sizeof(flags));
 
 	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_TLS_1_2;
 
 	return test_tls_record_proto_all(&flags);
 }
 
 static int
-test_tls_record_proto_sgl(void)
+test_tls_1_2_record_proto_sgl(void)
 {
 	struct tls_record_test_flags flags = {
-		.nb_segs_in_mbuf = 5
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_display_list(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.display_alg = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_sgl(void)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
 	};
 	struct crypto_testsuite_params *ts_params = &testsuite_params;
 	struct rte_cryptodev_info dev_info;
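Review bot: test_dtls_1_2_record_proto_display_list() and test_dtls_1_2_record_proto_sgl() are copies of the TLS 1.2 functions with only `.tls_version` changed, including the feature-flag check and skip message. Factor each pair into one helper that takes an enum rte_security_tls_version argument and keep the per-version functions as one-line wrappers.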
@@ -17081,11 +17149,15 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_tls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_tls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17182,11 +17254,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_display_list),
+			test_dtls_1_2_record_proto_display_list),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
-			test_tls_record_proto_sgl),
+			test_dtls_1_2_record_proto_sgl),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 14a7a2511e..3745c6a0d1 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -62,7 +62,8 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 void
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
-			   struct tls_record_test_data *td_array, int nb_td)
+			   struct tls_record_test_data *td_array,
+			   int nb_td, unsigned int data_len)
 {
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
@@ -76,7 +77,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
@@ -84,7 +88,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.aead.aead.digest_length = param1->digest_length;
 		} else {
 			/* Copy template for packet & key fields */
-			memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
+				memcpy(td, &dtls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
+			else
+				memcpy(td, &tls_test_data_aes_128_cbc_sha1_hmac, sizeof(*td));
 
 			td->aead = false;
 			td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -96,6 +103,11 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
+	if (flags->data_walkthrough) {
+		test_sec_proto_pattern_set(td->input_text.data, data_len);
+		td->input_text.len = data_len;
+	}
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
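Review bot: as indented, the data_walkthrough block sits after the loop that fills td_array, so only the entry td last points to gets the pattern and the new input_text.len. The callers visible in this patch pass nb_pkts = 1, so it works today, but with nb_td > 1 the earlier entries keep the template payload. Either move the block inside the loop or document that walkthrough mode supports a single packet. data_len is also used without checking it against sizeof(td->input_text.data).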
@@ -221,6 +233,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	return TEST_SUCCESS;
 }
+
 static int
 tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
 {
@@ -280,13 +293,13 @@ int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 			     struct tls_record_test_data *res_d, bool silent)
 {
+	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
-	uint8_t output_text[TLS_RECORD_MAX_LEN];
 	const struct rte_mbuf *seg;
 	const uint8_t *output;
 	int ret;
 
-	memset(output_text, 0, TLS_RECORD_MAX_LEN);
+	memset(output_text, 0, TEST_SEC_CIPHERTEXT_MAX_LEN);
 
 	/*
 	 * Actual data in packet might be less in error cases, hence take minimum of pkt_len and sum
@@ -300,7 +313,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	len = RTE_MIN(len, data_len);
-	TEST_ASSERT(len <= TLS_RECORD_MAX_LEN, "Invalid packet length: %u", len);
+	TEST_ASSERT(len <= TEST_SEC_CIPHERTEXT_MAX_LEN, "Invalid packet length: %u", len);
 
 	/* Copy mbuf payload to continuous buffer */
 	output = rte_pktmbuf_read(m, 0, len, output_text);
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0bd83f88f0..56d9d11962 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -10,7 +10,37 @@
 
 #include "test_security_proto.h"
 
-#define TLS_RECORD_MAX_LEN 16384u
+/* TLS 1.2 Ciphertext length can be up to (2^14 + 2048 + 5 (TLS Header)) Bytes */
+#define TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN  (4096u)
+static_assert(TLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.2 Plaintext length can be up to (2^14 + 1024) Bytes */
+#define TLS_1_2_RECORD_PLAINTEXT_MAX_LEN   (3072u)
+static_assert(TLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Ciphertext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN (4096u)
+static_assert(DTLS_1_2_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* DTLS 1.2 Plaintext length is similar to TLS 1.2 */
+#define DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN  (3072u)
+static_assert(DTLS_1_2_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Ciphertext length can be up to (2^14 + 256 + 5 (TLS Header)) Bytes */
+#define TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN  (4096u)
+static_assert(TLS_1_3_RECORD_CIPHERTEXT_MAX_LEN <= TEST_SEC_CIPHERTEXT_MAX_LEN,
+	      "TEST_SEC_CIPHERTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+/* TLS 1.3 Plaintext length can be up to 2^14 Bytes */
+#define TLS_1_3_RECORD_PLAINTEXT_MAX_LEN   (3072u)
+static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
+	      "TEST_SEC_CLEARTEXT_MAX_LEN should be at least RECORD MAX LEN!");
+
+#define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
 struct tls_record_test_data {
 	struct {
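Review bot: the comments above the new *_MAX_LEN macros do not match the values they document. They quote protocol limits such as "(2^14 + 2048 + 5 (TLS Header))" and "2^14 Bytes", while every ciphertext macro is 4096u and every plaintext macro is 3072u. State in the comments that these are caps chosen for the test buffers, and why, so a reader does not take them for the record-size limits of the protocol.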
@@ -22,12 +52,12 @@ struct tls_record_test_data {
 	} auth_key;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} input_text;
 
 	struct {
-		uint8_t data[TLS_RECORD_MAX_LEN];
+		uint8_t data[TEST_SEC_CIPHERTEXT_MAX_LEN];
 		unsigned int len;
 	} output_text;
 
@@ -56,6 +86,8 @@ struct tls_record_test_data {
 struct tls_record_test_flags {
 	bool display_alg;
 	int nb_segs_in_mbuf;
+	bool data_walkthrough;
+	enum rte_security_tls_version tls_version;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -89,7 +121,8 @@ void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_ou
 void test_tls_record_td_prepare(const struct crypto_param *param1,
 				const struct crypto_param *param2,
 				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td);
+				struct tls_record_test_data *td_array, int nb_td,
+				unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
diff --git a/app/test/test_security_proto.c b/app/test/test_security_proto.c
index d242c852af..cf40d5fc9a 100644
--- a/app/test/test_security_proto.c
+++ b/app/test/test_security_proto.c
@@ -13,6 +13,8 @@ struct crypto_param_comb sec_alg_list[RTE_DIM(aead_list) +
 
 struct crypto_param_comb sec_auth_only_alg_list[2 * (RTE_DIM(auth_list) - 1)];
 
+static uint8_t cleartext_pattern[TEST_SEC_CLEARTEXT_MAX_LEN];
+
 void
 test_sec_alg_list_populate(void)
 {
@@ -152,3 +154,18 @@ test_sec_alg_display(const struct crypto_param *param1, const struct crypto_para
 	}
 	printf("\n");
 }
+
+void
+test_sec_proto_pattern_generate(void)
+{
+	unsigned int i;
+
+	for (i = 0; i < TEST_SEC_CLEARTEXT_MAX_LEN; i++)
+		cleartext_pattern[i] = (i + 1) & 0xff;
+}
+
+void
+test_sec_proto_pattern_set(uint8_t *buf, int len)
+{
+	rte_memcpy(buf, cleartext_pattern, len);
+}
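Review bot: test_sec_proto_pattern_set() copies `len` bytes from cleartext_pattern without checking that len is within TEST_SEC_CLEARTEXT_MAX_LEN, and it takes a signed `int len` while the caller in test_tls_record_td_prepare() passes an unsigned int data_len. Make the parameter unsigned and reject or assert on len > TEST_SEC_CLEARTEXT_MAX_LEN before the rte_memcpy() so a future caller cannot read past the static array.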
diff --git a/app/test/test_security_proto.h b/app/test/test_security_proto.h
index 5b92daa810..7eb815604a 100644
--- a/app/test/test_security_proto.h
+++ b/app/test/test_security_proto.h
@@ -8,6 +8,10 @@
 #include <rte_cryptodev.h>
 #include <rte_security.h>
 
+#include "test_cryptodev.h"
+
+#define TEST_SEC_CLEARTEXT_MAX_LEN  (MBUF_DATAPAYLOAD_SIZE - 1024)
+#define TEST_SEC_CIPHERTEXT_MAX_LEN (MBUF_DATAPAYLOAD_SIZE)
 #define TEST_SEC_PKTS_MAX 32
 
 struct crypto_param {
@@ -186,4 +190,8 @@ int test_sec_crypto_caps_auth_verify(const struct rte_security_capability *sec_c
 
 void test_sec_alg_display(const struct crypto_param *param1, const struct crypto_param *param2);
 
+void test_sec_proto_pattern_generate(void);
+
+void test_sec_proto_pattern_set(uint8_t *buf, int len);
+
 #endif
-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 03/21] test/security: add DTLS 1.2 data walkthrough test
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 01/21] test/security: enable AES-GCM in combined mode TLS Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 02/21] test/security: add TLS 1.2 data walkthrough test Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 04/21] test/security: add TLS SG " Aakash Sasidharan
                           ` (18 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add data walkthrough test for DTLS 1.2

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  5 ++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index c5837ccbdd..e0695e9eb3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12061,6 +12061,19 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_data_walkthrough(void)
+{
+	struct tls_record_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.data_walkthrough = true;
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_display_list(void)
 {
@@ -17255,6 +17268,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_display_list),
+		TEST_CASE_NAMED_ST(
+			"Data walkthrough combined test alg list",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_data_walkthrough),
 		TEST_CASE_NAMED_ST(
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 3745c6a0d1..92bcbff842 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -143,7 +143,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		break;
 	case RTE_SECURITY_VERSION_DTLS_1_2:
 		hdr_len = sizeof(struct rte_dtls_hdr);
-		min_padding = 0;
+		if (td->aead)
+			min_padding = 0;
+		else
+			min_padding = 1;
 		break;
 	default:
 		hdr_len = 0;
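Review bot: this hunk changes min_padding for non-AEAD DTLS 1.2 from 0 to 1, which affects the expected packet size for every DTLS test, not only the new walkthrough case, and the commit message does not mention it. Describe it in the log or move it to its own fix. With this change the `if (td->aead)` / else block is identical in the TLS and DTLS arms of the switch, so it can be set once outside the switch.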
-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 04/21] test/security: add TLS SG data walkthrough test
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (2 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 03/21] test/security: add DTLS " Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
                           ` (17 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add multi segment packet data walkthrough test for TLS 1.2
and DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 42 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index e0695e9eb3..3591c91130 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11981,6 +11981,8 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
+		if (flags->nb_segs_in_mbuf)
+			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -12061,6 +12063,32 @@ test_tls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.tls_version = tls_version,
+		.data_walkthrough = true
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -12106,6 +12134,12 @@ test_dtls_1_2_record_proto_sgl(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
+{
+	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 #endif
 
 static int
@@ -17171,6 +17205,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
@@ -17276,6 +17314,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode data walkthrough",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sgl_data_walkthrough),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 56d9d11962..a6c537b35a 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -85,7 +85,7 @@ struct tls_record_test_data {
 
 struct tls_record_test_flags {
 	bool display_alg;
-	int nb_segs_in_mbuf;
+	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 };
-- 
2.25.1


^ permalink raw reply	[flat|nested] 114+ messages in thread

* [PATCH v5 05/21] test/security: unit test for TLS packet corruption
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (3 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 04/21] test/security: add TLS SG " Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 06/21] test/security: unit test for custom content verification Aakash Sasidharan
                           ` (16 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add test to verify the corrupted TLS packet header

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 27 +++++++++++++++++--
 app/test/test_cryptodev_security_tls_record.c |  4 +++
 app/test/test_cryptodev_security_tls_record.h |  1 +
 3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 3591c91130..324ef3c276 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12000,8 +12000,13 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
-			return TEST_FAILED;
+		if (flags->pkt_corruption) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+		} else {
+			if (ret == TEST_FAILED)
+				return TEST_FAILED;
+		}
 
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
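Review bot: in the `flags->pkt_corruption` branch every return value other than `TEST_SUCCESS` counts as a pass (`TEST_SKIPPED` is handled just above), so a failure unrelated to the corrupted header, such as a session or enqueue error, would also make this negative test pass. Consider having the processing routine report why it failed and asserting on that here, or at least add a comment stating that any inbound failure is accepted.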
@@ -12089,6 +12094,20 @@ test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_TLS_1_2);
 }
 
+static int
+test_tls_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
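Review bot: `dev_info` in `test_tls_record_proto_corrupt_pkt()` is filled by `rte_cryptodev_info_get()` and never read, so `ts_params`, `dev_info` and the call can be dropped unless a capability check was meant to follow. `pkt_corruption` is declared `bool` in the header change of this patch, so `.pkt_corruption = true` reads better than `= 1`.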
@@ -17209,6 +17228,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"TLS packet header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 92bcbff842..93ff7f36fa 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -185,6 +185,10 @@ test_tls_record_td_update(struct tls_record_test_data td_inb[],
 		       td_outb[i].input_text.len);
 		td_inb[i].output_text.len = td_outb->input_text.len;
 
+		/* Corrupt the content type in the TLS header of encrypted packet */
+		if (flags->pkt_corruption)
+			td_inb[i].input_text.data[0] = ~td_inb[i].input_text.data[0];
+
 		/* Clear outbound specific flags */
 		td_inb[i].tls_record_xform.options.iv_gen_disable = 0;
 	}
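Review bot: the corruption at `td_inb[i].input_text.data[0]` only alters the content type byte, while the case is registered as "TLS packet header corruption"; the version and length bytes of the record header are never touched. Either name the case after the content type or extend the flag to cover the other header fields. The context line above also writes `td_outb->input_text.len` rather than `td_outb[i].input_text.len` inside the per-packet loop, which is worth correcting while this function is being changed.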
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a6c537b35a..a7c0ca87bf 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -88,6 +88,7 @@ struct tls_record_test_flags {
 	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
+	bool pkt_corruption;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v5 06/21] test/security: unit test for custom content verification
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (4 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 05/21] test/security: unit test for TLS packet corruption Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
                           ` (15 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit test to verify the TLS header creation with
custom content type

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 19 +++++++++++++++++++
 app/test/test_cryptodev_security_tls_record.c |  3 +++
 app/test/test_cryptodev_security_tls_record.h |  9 +++++++++
 3 files changed, 31 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 324ef3c276..5cb878b9ba 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -21,6 +21,7 @@
 #include <rte_ip.h>
 #include <rte_string_fns.h>
 #include <rte_tcp.h>
+#include <rte_tls.h>
 #include <rte_udp.h>
 
 #ifdef RTE_CRYPTO_SCHEDULER
@@ -12108,6 +12109,20 @@ test_tls_record_proto_corrupt_pkt(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -17232,6 +17247,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 93ff7f36fa..9a2af259c9 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -108,6 +108,9 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->input_text.len = data_len;
 	}
 
+	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+		td->app_type = RTE_TLS_TYPE_MAX;
+
 	tls_pkt_size = td->input_text.len;
 
 	if (!td->aead) {
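Review bot: `td->app_type = RTE_TLS_TYPE_MAX` uses what its name suggests is the upper bound of the content type enum as the custom value, so the byte under test changes if that bound ever moves and a reader cannot tell which value ends up in the record. A named test constant with a comment stating the intended content type would make the case self-describing.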
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a7c0ca87bf..73719063a8 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -42,6 +42,14 @@ static_assert(TLS_1_3_RECORD_PLAINTEXT_MAX_LEN <= TEST_SEC_CLEARTEXT_MAX_LEN,
 
 #define TLS_RECORD_PLAINTEXT_MIN_LEN       (1u)
 
+enum tls_record_test_content_type {
+	TLS_RECORD_TEST_CONTENT_TYPE_APP,
+	/* For verifying zero packet length */
+	TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	/* For verifying handling of custom content types */
+	TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+};
+
 struct tls_record_test_data {
 	struct {
 		uint8_t data[32];
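Review bot: `TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE` and its comment about zero packet length are added here, but nothing in this patch uses them; only `TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM` is referenced. Moving that enumerator to the patch that adds the zero length tests keeps each patch self-contained. It is also worth a comment that `TLS_RECORD_TEST_CONTENT_TYPE_APP` is the zero-initialised default that existing flag initialisers get.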
@@ -89,6 +97,7 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
+	enum tls_record_test_content_type content_type;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
-- 
2.25.1



* [PATCH v5 07/21] test/cryptodev: allow zero packet length buffers
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (5 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 06/21] test/security: unit test for custom content verification Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
                           ` (14 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Anoob Joseph <anoobj@marvell.com>

The function 'create_segmented_mbuf' is updated to support zero packet
length mbufs. This allows testing of zero packet length payload with TLS
record processing.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.h | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/app/test/test_cryptodev.h b/app/test/test_cryptodev.h
index f27d9697fd..fd9ea0dd81 100644
--- a/app/test/test_cryptodev.h
+++ b/app/test/test_cryptodev.h
@@ -182,15 +182,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 		int nb_segs, uint8_t pattern) {
 
 	struct rte_mbuf *m = NULL, *mbuf = NULL;
+	int size, t_len, data_len = 0;
 	uint8_t *dst;
-	int data_len = 0;
-	int i, size;
-	int t_len;
-
-	if (pkt_len < 1) {
-		printf("Packet size must be 1 or more (is %d)\n", pkt_len);
-		return NULL;
-	}
 
 	if (nb_segs < 1) {
 		printf("Number of segments must be 1 or more (is %d)\n",
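Review bot: removing the `pkt_len < 1` check at the top of `create_segmented_mbuf()` also stops rejecting negative lengths, although `pkt_len` is a signed `int` and only zero is meant to become legal. Keeping the guard as `if (pkt_len < 0)` with the same message preserves the original protection.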
@@ -202,17 +195,17 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 	size = pkt_len;
 
 	/* Create chained mbuf_src and fill it generated data */
-	for (i = 0; size > 0; i++) {
+	do {
 
 		m = rte_pktmbuf_alloc(mbuf_pool);
-		if (i == 0)
-			mbuf = m;
-
 		if (m == NULL) {
 			printf("Cannot create segment for source mbuf");
 			goto fail;
 		}
 
+		if (mbuf == NULL)
+			mbuf = m;
+
 		/* Make sure if tailroom is zeroed */
 		memset(m->buf_addr, pattern, m->buf_len);
 
@@ -229,7 +222,8 @@ create_segmented_mbuf(struct rte_mempool *mbuf_pool, int pkt_len,
 
 		size -= data_len;
 
-	}
+	} while (size > 0);
+
 	return mbuf;
 
 fail:
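Review bot: with `do { ... } while (size > 0)`, a call with `pkt_len == 0` runs the body once and returns a single mbuf regardless of `nb_segs`, so a caller asking for several segments silently gets one. A comment on the function describing that behaviour, or a check that `nb_segs` is 1 when `pkt_len` is 0, would avoid surprises in the scatter-gather tests.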
-- 
2.25.1



* [PATCH v5 08/21] test/security: unit test to verify zero TLS records
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (6 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 07/21] test/cryptodev: allow zero packet length buffers Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
                           ` (13 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the zero len TLS records. Zero len packets are
allowed when content type is app data while zero packet length with
other content type (such as handshake) would result in an error.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 51 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c |  5 +-
 app/test/test_cryptodev_security_tls_record.h |  2 +-
 3 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 5cb878b9ba..fa63b9743f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11984,6 +11984,9 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		payload_len = TLS_RECORD_PLAINTEXT_MIN_LEN;
 		if (flags->nb_segs_in_mbuf)
 			payload_len = RTE_MAX(payload_len, flags->nb_segs_in_mbuf);
+
+		if (flags->zero_len)
+			payload_len = 0;
 again:
 		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
 					   td_outb, nb_pkts, payload_len);
@@ -11992,8 +11995,16 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (ret == TEST_SKIPPED)
 			continue;
 
-		if (ret == TEST_FAILED)
+		if (flags->zero_len &&
+		    ((flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE) ||
+		    (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE))) {
+			if (ret == TEST_SUCCESS)
+				return TEST_FAILED;
+			goto skip_decrypt;
+		} else if (ret == TEST_FAILED) {
 			return TEST_FAILED;
+		}
 
 		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
 
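Review bot: the new condition compares `flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE` three times in a row, which looks like a copy-and-paste slip. If other non-application content types were meant to be covered, they need their own values in `enum tls_record_test_content_type`; otherwise reduce the test to a single comparison. Note also that any return other than `TEST_SUCCESS` is accepted as the expected failure before `goto skip_decrypt`, so an unrelated error would pass this case.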
@@ -12009,6 +12020,7 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 				return TEST_FAILED;
 		}
 
+skip_decrypt:
 		if (flags->data_walkthrough && (++payload_len <= max_payload_len))
 			goto again;
 
@@ -12123,6 +12135,35 @@ test_tls_record_proto_custom_content_type(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
@@ -17251,6 +17292,14 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len TLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 9a2af259c9..c5410a4c92 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -103,13 +103,15 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		}
 	}
 
-	if (flags->data_walkthrough) {
+	if (flags->data_walkthrough || flags->zero_len) {
 		test_sec_proto_pattern_set(td->input_text.data, data_len);
 		td->input_text.len = data_len;
 	}
 
 	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
 		td->app_type = RTE_TLS_TYPE_MAX;
+	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
 	tls_pkt_size = td->input_text.len;
 
@@ -232,6 +234,7 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 
 	memcpy(&res_d->input_text.data, output_text, len);
 	res_d->input_text.len = len;
+	res_d->output_text.len = td->input_text.len;
 
 	res_d->tls_record_xform.type = RTE_SECURITY_TLS_SESS_TYPE_READ;
 	if (res_d->aead) {
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 73719063a8..300f3f08b5 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
 	enum tls_record_test_content_type content_type;
+	bool zero_len;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
@@ -140,5 +141,4 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
 				 struct tls_record_test_data *res_d, bool silent);
-
 #endif
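Review bot: this hunk only deletes the blank line before `#endif`, which is unrelated to the zero length tests; drop it from the patch to keep the diff minimal.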
-- 
2.25.1



* [PATCH v5 09/21] test/security: add unit tests for DTLS-1.2
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (7 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 08/21] test/security: unit test to verify zero TLS records Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
                           ` (12 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify
1. DTLS record with zero length
2. DTLS record with header corruption
3. DTLS record with content type as custom

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 77 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fa63b9743f..72e7fe3769 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12215,6 +12215,67 @@ test_dtls_1_2_record_proto_sgl_data_walkthrough(void)
 	return test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2);
 }
 
+static int
+test_dtls_1_2_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_dtls_1_2_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_DTLS_1_2
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
 #endif
 
 static int
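Review bot: the four added DTLS functions differ only in their `flags` initialiser, and each repeats an `rte_cryptodev_info_get()` call whose `dev_info` result is never used. Following the pattern of `test_tls_record_proto_sgl_data_walkthrough(RTE_SECURITY_VERSION_DTLS_1_2)` in the context above, the TLS variants could take the version as a parameter so the DTLS ones become one-line wrappers.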
@@ -17409,6 +17470,22 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Packet corruption",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"Custom content type",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as app",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"Zero len DTLS record with content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
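Review bot: the DTLS suite registers the corruption case as "Packet corruption", while the TLS suite names the same check "TLS packet header corruption". Use matching names, for example "DTLS packet header corruption", so results from the two suites line up.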
-- 
2.25.1



* [PATCH v5 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (8 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 09/21] test/security: add unit tests for DTLS-1.2 Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
                           ` (11 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors for TLS 1.2 and DTLS 1.2 using algos
AES-256-CBC and HMAC-SHA384

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  19 ++
 app/test/test_cryptodev_security_tls_record.h |   2 +
 ...yptodev_security_tls_record_test_vectors.h | 200 ++++++++++++++++++
 3 files changed, 221 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72e7fe3769..95f2377d4d 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17273,6 +17273,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Write record known vector AES-256-CBC-SHA256",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17316,6 +17320,11 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&tls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&tls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17397,6 +17406,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Write record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
@@ -17439,6 +17453,11 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read,
 			&dtls_test_data_aes_256_cbc_sha256_hmac),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-256-CBC-SHA384",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read,
+			&dtls_test_data_aes_256_cbc_sha384_hmac),
 		TEST_CASE_NAMED_WITH_DATA(
 			"Read record known vector 3DES-CBC-SHA1-HMAC",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 300f3f08b5..68e243b842 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -110,6 +110,7 @@ extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_null_cipher_sha1_hmac;
 extern struct tls_record_test_data tls_test_data_chacha20_poly1305;
@@ -118,6 +119,7 @@ extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_128_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
+extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index f10f28bb96..27b07cd54a 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1129,6 +1129,107 @@ struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x1d, 0xe5, 0x19, 0x18, 0x57, 0xa0, 0xee, 0x79,
+			0x84, 0x61, 0x92, 0x9d, 0x3d, 0xce, 0x42, 0x92,
+			0x4a, 0x98, 0x23, 0x3b, 0xf8, 0xec, 0x29, 0x47,
+			0xb3, 0xae, 0x1f, 0x22, 0xd2, 0x8d, 0xbe, 0x2c,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0xf8, 0xbd, 0x28, 0xf9, 0x4a, 0xde, 0x1d, 0xde,
+			0x8c, 0xf5, 0xe9, 0x49, 0x34, 0x2a, 0x1a, 0xd0,
+			0x0d, 0xe3, 0x64, 0xb2, 0x54, 0xd6, 0xd6, 0x40,
+			0x90, 0x5d, 0x16, 0xc1, 0xf2, 0x77, 0x14, 0x90,
+			0xe6, 0xfa, 0xbc, 0x9d, 0xe2, 0x72, 0x12, 0xec,
+			0xb6, 0x05, 0xec, 0xdd, 0x1d, 0x23, 0xb3, 0x8e,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x44, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x01, 0x00, 0x80,
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+			0x88, 0x41, 0xee, 0x5b, 0x32, 0x1e, 0x85, 0xaf,
+			0x33, 0x7b, 0x59, 0x8a, 0xe9, 0x41, 0x11, 0x6a,
+			0xbb, 0x7d, 0x16, 0x6c, 0xbb, 0x66, 0x5e, 0xf5,
+			0xfb, 0x5f, 0x03, 0xf9, 0x75, 0x7d, 0xb9, 0xff,
+			0x70, 0xc3, 0x4a, 0x19, 0xe5, 0x25, 0xa0, 0x5d,
+			0xad, 0x45, 0xef, 0xce, 0xd8, 0x2a, 0xde, 0xf0,
+			0x0c, 0xca, 0x1c, 0x6b, 0x5a, 0x31, 0x8f, 0x49,
+			0xff, 0x7d, 0xf3, 0x71, 0x15, 0x06, 0x07, 0x9d,
+			0x6a, 0x5f, 0x5c, 0xd8, 0x2a, 0xa5, 0x0e, 0x61,
+			0xde, 0x18, 0x6b, 0x7d, 0xc8, 0x74, 0x58, 0x18,
+			0xf1, 0xac, 0xde, 0xb9, 0x6d, 0x8a, 0x44, 0xad,
+			0x10, 0xf8, 0x63, 0x15, 0xcf, 0x25, 0x2f, 0x82,
+			0x2f, 0xda, 0x74, 0x45, 0x02, 0xda, 0x61, 0x3c,
+			0x2f, 0xf9, 0xa5, 0x92, 0x2a, 0x7c, 0x5e, 0x5d,
+		},
+		.len = 141,
+	},
+	.iv = {
+		.data = {
+			0x63, 0xe2, 0x70, 0xce, 0x45, 0x93, 0x18, 0xa3,
+			0xa6, 0xd6, 0xf5, 0x50, 0x9f, 0x07, 0x9d, 0xab,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_DTLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.dtls_1_2.epoch = 1,
+		.dtls_1_2.seq_no = 1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
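Review bot: the new `dtls_test_data_aes_256_cbc_sha384_hmac` vector carries no note on how the expected `output_text` was produced, so a reviewer cannot regenerate or cross-check it. A comment naming the reference implementation and settings used would help. The `.iv` bytes repeat the 16 bytes that follow the 13-byte record header in `output_text`; a comment saying this is the explicit IV would save readers from comparing the arrays by hand.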
@@ -1494,6 +1595,105 @@ struct tls_record_test_data tls_test_data_aes_256_cbc_sha256_hmac = {
 	.app_type = 0x17,
 };
 
+struct tls_record_test_data tls_test_data_aes_256_cbc_sha384_hmac = {
+	.key = {
+		.data = {
+			0x48, 0x70, 0xc7, 0x93, 0x77, 0xe3, 0x4c, 0x8c,
+			0x27, 0x00, 0x64, 0x06, 0x3e, 0xc6, 0x47, 0x64,
+			0xcc, 0xee, 0xa4, 0x9a, 0x1a, 0xe7, 0x3a, 0xc6,
+			0xef, 0xe5, 0xe6, 0x2c, 0x15, 0xe3, 0xac, 0x16,
+		},
+	},
+	.auth_key = {
+		.data = {
+			0x23, 0x95, 0x84, 0x30, 0xaf, 0x2b, 0x07, 0xfe,
+			0x12, 0x83, 0x87, 0x28, 0x2b, 0x38, 0xb9, 0x02,
+			0xc0, 0x27, 0x59, 0x3e, 0xa7, 0xbd, 0xce, 0xcb,
+			0xe1, 0x8a, 0xe9, 0x43, 0x5d, 0xed, 0xb4, 0xf2,
+			0x11, 0x4d, 0x19, 0xbb, 0x0f, 0x1b, 0x76, 0x86,
+			0xfb, 0xb5, 0xda, 0xfd, 0x38, 0xfe, 0x7d, 0x02,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* actual plain text */
+			0x20, 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73,
+			0x20, 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x32,
+			0x20, 0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36,
+			0x2d, 0x43, 0x42, 0x43, 0x20, 0x53, 0x48, 0x41,
+			0x33, 0x38, 0x34, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0x0a,
+		},
+		.len = 51,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x80,
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+			0x1e, 0x5b, 0x1e, 0x50, 0x3e, 0x19, 0x25, 0x41,
+			0x35, 0xc7, 0x7c, 0x14, 0x99, 0x7b, 0x97, 0x80,
+			0x60, 0x9d, 0xf8, 0xf1, 0xac, 0x43, 0x7b, 0x5c,
+			0xb6, 0xe2, 0xc4, 0x8f, 0x3f, 0xd7, 0x1b, 0xd4,
+			0x61, 0x90, 0x40, 0xe3, 0xd5, 0x60, 0xac, 0xee,
+			0x62, 0x53, 0x1f, 0x1f, 0x75, 0xf6, 0x2c, 0xda,
+			0x1a, 0xed, 0x4a, 0x6a, 0x11, 0xeb, 0x9b, 0x1c,
+			0x39, 0x0d, 0x6e, 0x8a, 0xf8, 0x3d, 0x45, 0x08,
+			0x3e, 0x24, 0x17, 0x3e, 0xcf, 0x74, 0xcf, 0x6a,
+			0xcb, 0x37, 0xdf, 0x25, 0xc6, 0xa5, 0xe4, 0x1e,
+			0x53, 0x28, 0x71, 0xcf, 0xac, 0x1e, 0xad, 0x77,
+			0x8c, 0xfc, 0x80, 0x19, 0x9c, 0xcc, 0x00, 0x60,
+			0xc6, 0x82, 0xa0, 0xb8, 0x5e, 0x42, 0xd1, 0xff,
+			0x14, 0x0a, 0x92, 0x5c, 0xde, 0x8a, 0x15, 0x7a,
+		},
+		.len = 133,
+	},
+	.iv = {
+		.data = {
+			0xc4, 0x90, 0xd7, 0x74, 0x5e, 0x26, 0xc8, 0x43,
+			0x12, 0x45, 0x48, 0xc1, 0x0f, 0xb1, 0x18, 0xd8,
+		},
+	},
+
+	.xform = {
+		.chain = {
+			.auth = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+				.auth = {
+					.op = RTE_CRYPTO_AUTH_OP_GENERATE,
+					.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+					.key.length = 48,
+					.iv.length = 0,
+					.iv.offset = 0,
+					.digest_length = 48,
+				},
+			},
+			.cipher = {
+				.next = NULL,
+				.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+				.cipher = {
+					.op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+					.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+					.key.length = 32,
+					.iv.length = 16,
+					.iv.offset = IV_OFFSET,
+				},
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_2,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_2.seq_no = 0x1,
+	},
+
+	.aead = false,
+	.app_type = 0x17,
+};
+
 struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.key = {
 		.data = {
-- 
2.25.1



* [PATCH v5 11/21] test/security: add DTLS 1.2 anti-replay tests
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (9 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 10/21] test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
                           ` (10 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay test for DTLS 1.2.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 115 ++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 132 ++++++++++--------
 app/test/test_cryptodev_security_tls_record.h |  11 +-
 3 files changed, 188 insertions(+), 70 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 95f2377d4d..904bad39d3 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11827,6 +11827,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		.protocol = RTE_SECURITY_PROTOCOL_TLS_RECORD,
 	};
 
+	if ((tls_record_xform.ver == RTE_SECURITY_VERSION_DTLS_1_2) &&
+	    (sess_type == RTE_SECURITY_TLS_SESS_TYPE_READ))
+		sess_conf.tls_record.dtls_1_2.ar_win_sz = flags->ar_win_size;
+
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
@@ -11851,6 +11855,17 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->ar_win_size &&
+			(sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE)) {
+			sess_conf.tls_record.dtls_1_2.seq_no =
+				td[i].tls_record_xform.dtls_1_2.seq_no;
+			ret = rte_security_session_update(ctx, ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
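
Review bot: in the per-packet loop, a failing rte_security_session_update() is returned as TEST_SKIPPED, so a PMD that implements the update but fails it looks the same as one that does not support it, and test_dtls_pkt_replay() simply moves on to the next algorithm. Return TEST_SKIPPED only when the call reports the operation as unsupported (-ENOTSUP) and TEST_FAILED for any other error. The guard also tests only flags->ar_win_size and the WRITE session type before writing sess_conf.tls_record.dtls_1_2.seq_no; repeating the RTE_SECURITY_VERSION_DTLS_1_2 check from the first hunk would keep the version-specific field tied to the version.
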
@@ -11890,17 +11905,19 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_tls_record_status_check(ut_params->op);
+		ret = test_tls_record_status_check(ut_params->op, &td[i]);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
 		if (res_d != NULL)
 			res_d_tmp = &res_d[i];
 
-		ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp, silent);
-		if (ret != TEST_SUCCESS)
-			goto crypto_op_free;
-
+		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
+			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+							   silent);
+			if (ret != TEST_SUCCESS)
+				goto crypto_op_free;
+		}
 
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
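
Review bot: the new guard around test_tls_record_post_process() keys off ut_params->op->status, but for any record not flagged ar_packet the status check just above has already jumped to crypto_op_free on a non-success status, so the guard really means "skip post-processing for records expected to be dropped". Testing !td[i].ar_packet, or adding a one-line comment, would state that intent directly.
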
@@ -12190,6 +12207,90 @@ test_dtls_1_2_record_proto_display_list(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_pkt_replay(const uint64_t seq_no[],
+		      bool replayed_pkt[], uint32_t nb_pkts,
+		      struct tls_record_test_flags *flags)
+{
+	struct tls_record_test_data td_outb[TEST_SEC_PKTS_MAX];
+	struct tls_record_test_data td_inb[TEST_SEC_PKTS_MAX];
+	unsigned int i, idx, pass_cnt = 0;
+	int ret;
+
+	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
+		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
+					   td_outb, nb_pkts, 0);
+
+		for (idx = 0; idx < nb_pkts; idx++)
+			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
+
+		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		test_tls_record_td_update(td_inb, td_outb, nb_pkts, flags);
+
+		for (idx = 0; idx < nb_pkts; idx++) {
+			td_inb[idx].tls_record_xform.dtls_1_2.ar_win_sz = flags->ar_win_size;
+			/* Set antireplay flag for packets to be dropped */
+			td_inb[idx].ar_packet = replayed_pkt[idx];
+		}
+
+		ret = test_tls_record_proto_process(td_inb, NULL, nb_pkts, true, flags);
+		if (ret == TEST_SKIPPED)
+			continue;
+
+		if (ret == TEST_FAILED)
+			return TEST_FAILED;
+
+		if (flags->display_alg)
+			test_sec_alg_display(sec_alg_list[i].param1, sec_alg_list[i].param2);
+
+		pass_cnt++;
+	}
+
+	if (pass_cnt > 0)
+		return TEST_SUCCESS;
+	else
+		return TEST_SKIPPED;
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay(void)
+{
+	struct tls_record_test_flags flags;
+	uint64_t winsz = 64, seq_no[5];
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tls_version = RTE_SECURITY_VERSION_DTLS_1_2;
+	flags.ar_win_size = winsz;
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	seq_no[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	seq_no[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	seq_no[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	seq_no[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	seq_no[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
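
Review bot: test_dtls_pkt_replay() declares td_outb and td_inb with TEST_SEC_PKTS_MAX entries but indexes them, along with seq_no[] and replayed_pkt[], up to the caller-supplied nb_pkts without checking it; an early "if (nb_pkts > TEST_SEC_PKTS_MAX) return TEST_FAILED;" would keep future callers from overrunning the stack arrays. In test_dtls_1_2_record_proto_antireplay(), replayed_pkt[2] is set for a sequence number below the window bottom rather than a replayed one, so a name such as expect_drop would describe the array better, and comment 2 wants a space before "(WS + 1)".
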
@@ -17505,6 +17606,10 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Zero len DTLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 64",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index c5410a4c92..907e043ddd 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -12,10 +12,21 @@
 #include "test_security_proto.h"
 
 int
-test_tls_record_status_check(struct rte_crypto_op *op)
+test_tls_record_status_check(struct rte_crypto_op *op,
+			     const struct tls_record_test_data *td)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_READ) &&
+	     td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS)
 		ret = TEST_FAILED;
 
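
Review bot: the anti-replay branch added to test_tls_record_status_check() accepts any RTE_CRYPTO_OP_STATUS_ERROR as a pass, so a record rejected for an unrelated reason (a MAC or decrypt failure, for example) is counted as a correct anti-replay drop. If the PMD exposes a more specific indication, check it here; otherwise a comment stating the limitation would help readers of the test. The else after "return TEST_FAILED;" is unnecessary, and the failure message would be easier to act on if it printed op->status.
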
@@ -101,81 +112,80 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			td->xform.chain.auth.auth.key.length = param2->key_length;
 			td->xform.chain.auth.auth.digest_length = param2->digest_length;
 		}
-	}
-
-	if (flags->data_walkthrough || flags->zero_len) {
-		test_sec_proto_pattern_set(td->input_text.data, data_len);
-		td->input_text.len = data_len;
-	}
-
-	if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
-		td->app_type = RTE_TLS_TYPE_MAX;
-	else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
-		td->app_type = RTE_TLS_TYPE_HANDSHAKE;
 
-	tls_pkt_size = td->input_text.len;
+		if (flags->data_walkthrough || flags->zero_len) {
+			test_sec_proto_pattern_set(td->input_text.data, data_len);
+			td->input_text.len = data_len;
+		}
 
-	if (!td->aead) {
-		mac_len = td->xform.chain.auth.auth.digest_length;
-		switch (td->xform.chain.cipher.cipher.algo) {
-		case RTE_CRYPTO_CIPHER_3DES_CBC:
-			roundup_len = 8;
+		if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM)
+			td->app_type = RTE_TLS_TYPE_MAX;
+		else if (flags->content_type == TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE)
+			td->app_type = RTE_TLS_TYPE_HANDSHAKE;
+
+		tls_pkt_size = td->input_text.len;
+
+		if (!td->aead) {
+			mac_len = td->xform.chain.auth.auth.digest_length;
+			switch (td->xform.chain.cipher.cipher.algo) {
+			case RTE_CRYPTO_CIPHER_3DES_CBC:
+				roundup_len = 8;
+				exp_nonce_len = 8;
+				break;
+			case RTE_CRYPTO_CIPHER_AES_CBC:
+				roundup_len = 16;
+				exp_nonce_len = 16;
+				break;
+			default:
+				roundup_len = 0;
+				exp_nonce_len = 0;
+				break;
+			}
+		} else {
+			mac_len = td->xform.aead.aead.digest_length;
+			roundup_len = 0;
 			exp_nonce_len = 8;
+		}
+
+		switch (td->tls_record_xform.ver) {
+		case RTE_SECURITY_VERSION_TLS_1_2:
+		case RTE_SECURITY_VERSION_TLS_1_3:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
-		case RTE_CRYPTO_CIPHER_AES_CBC:
-			roundup_len = 16;
-			exp_nonce_len = 16;
+		case RTE_SECURITY_VERSION_DTLS_1_2:
+			hdr_len = sizeof(struct rte_dtls_hdr);
+			if (td->aead)
+				min_padding = 0;
+			else
+				min_padding = 1;
 			break;
 		default:
-			roundup_len = 0;
-			exp_nonce_len = 0;
+			hdr_len = 0;
+			min_padding = 0;
 			break;
 		}
-	} else {
-		mac_len = td->xform.aead.aead.digest_length;
-		roundup_len = 0;
-		exp_nonce_len = 8;
-	}
-
-	switch (td->tls_record_xform.ver) {
-	case RTE_SECURITY_VERSION_TLS_1_2:
-	case RTE_SECURITY_VERSION_TLS_1_3:
-		hdr_len = sizeof(struct rte_tls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	case RTE_SECURITY_VERSION_DTLS_1_2:
-		hdr_len = sizeof(struct rte_dtls_hdr);
-		if (td->aead)
-			min_padding = 0;
-		else
-			min_padding = 1;
-		break;
-	default:
-		hdr_len = 0;
-		min_padding = 0;
-		break;
-	}
 
-	tls_pkt_size += mac_len;
+		tls_pkt_size += mac_len;
 
-	/* Padding */
-	tls_pkt_size += min_padding;
+		/* Padding */
+		tls_pkt_size += min_padding;
 
-	if (roundup_len)
-		tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
+		if (roundup_len)
+			tls_pkt_size = RTE_ALIGN_MUL_CEIL(tls_pkt_size, roundup_len);
 
-	/* Explicit nonce */
-	tls_pkt_size += exp_nonce_len;
+		/* Explicit nonce */
+		tls_pkt_size += exp_nonce_len;
 
-	/* Add TLS header */
-	tls_pkt_size += hdr_len;
+		/* Add TLS header */
+		tls_pkt_size += hdr_len;
 
-	td->output_text.len = tls_pkt_size;
+		td->output_text.len = tls_pkt_size;
 
-	RTE_SET_USED(flags);
+	}
 }
 
 void
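
Review bot: this hunk moves the whole record-size computation (mac_len, padding, explicit nonce, header and td->output_text.len) from after the for loop into its body, which changes behaviour whenever nb_td > 1, yet the commit message only says "Add anti-replay test for DTLS 1.2". Mention it in the log or split it into its own patch so the fix can be reviewed and bisected separately. While here, the TLS and DTLS cases of the version switch set min_padding identically and could share that code, and the blank line left before the loop's closing brace can go.
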
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 68e243b842..efb16aed7d 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -89,16 +89,18 @@ struct tls_record_test_data {
 	struct rte_security_tls_record_xform tls_record_xform;
 	uint8_t app_type;
 	bool aead;
+	bool ar_packet;
 };
 
 struct tls_record_test_flags {
 	bool display_alg;
-	uint8_t nb_segs_in_mbuf;
 	bool data_walkthrough;
-	enum rte_security_tls_version tls_version;
 	bool pkt_corruption;
-	enum tls_record_test_content_type content_type;
 	bool zero_len;
+	uint8_t nb_segs_in_mbuf;
+	enum rte_security_tls_version tls_version;
+	enum tls_record_test_content_type content_type;
+	int ar_win_size;
 };
 
 extern struct tls_record_test_data tls_test_data_aes_128_gcm_v1;
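
Review bot: ar_win_size is declared int in struct tls_record_test_flags, while the test assigns it from a uint64_t winsz and then copies it into sess_conf.tls_record.dtls_1_2.ar_win_sz; an unsigned type matching the session field would avoid the implicit conversions. The reordering of nb_segs_in_mbuf, tls_version and content_type is unrelated to anti-replay and makes the hunk harder to read, and the new ar_packet field deserves a one-line comment saying it marks records the read side is expected to drop.
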
@@ -123,7 +125,8 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
 
-int test_tls_record_status_check(struct rte_crypto_op *op);
+int test_tls_record_status_check(struct rte_crypto_op *op,
+				 const struct tls_record_test_data *td);
 
 int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_record_xform,
 				    const struct rte_security_capability *sec_cap, bool silent);
-- 
2.25.1



* [PATCH v5 12/21] test/security: add more DTLS anti-replay window sz
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (10 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 11/21] test/security: add DTLS 1.2 anti-replay tests Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 13/21] test/crypto: update verification of header Aakash Sasidharan
                           ` (9 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add anti-replay tests for window sizes 128, 256, 512, 1024,
2048 and 4096 in DTLS 1.2 suite.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c | 72 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 904bad39d3..72d91d23a2 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12259,12 +12259,12 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 }
 
 static int
-test_dtls_1_2_record_proto_antireplay(void)
+test_dtls_1_2_record_proto_antireplay(uint64_t winsz)
 {
 	struct tls_record_test_flags flags;
-	uint64_t winsz = 64, seq_no[5];
 	uint32_t nb_pkts = 5;
 	bool replayed_pkt[5];
+	uint64_t seq_no[5];
 
 	memset(&flags, 0, sizeof(flags));
 
@@ -12291,6 +12291,48 @@ test_dtls_1_2_record_proto_antireplay(void)
 	return test_dtls_pkt_replay(seq_no, replayed_pkt, nb_pkts, &flags);
 }
 
+static int
+test_dtls_1_2_record_proto_antireplay64(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(64);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay128(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(128);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay256(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(256);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay512(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(512);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay1024(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(1024);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay2048(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(2048);
+}
+
+static int
+test_dtls_1_2_record_proto_antireplay4096(void)
+{
+	return test_dtls_1_2_record_proto_antireplay(4096);
+}
+
 static int
 test_dtls_1_2_record_proto_sgl(void)
 {
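
Review bot: the seven test_dtls_1_2_record_proto_antireplayN() wrappers added here differ only in the constant they pass; registering a single function with the window size as test data, the way ADD_UPLINK_TESTCASE in this file uses TEST_CASE_NAMED_WITH_DATA, would remove the repetition. Every size also runs the same five positions relative to winsz (2 * WS, WS + 1, WS, WS + WS / 2 and its repeat), so the larger windows add no position that is specific to them; a replay of the top sequence number itself would be a cheap extra case.
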
@@ -17609,7 +17651,31 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 		TEST_CASE_NAMED_ST(
 			"Antireplay with window size 64",
 			ut_setup_security, ut_teardown,
-			test_dtls_1_2_record_proto_antireplay),
+			test_dtls_1_2_record_proto_antireplay64),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 128",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay128),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 256",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay256),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 512",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay512),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay1024),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay2048),
+		TEST_CASE_NAMED_ST(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_antireplay4096),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v5 13/21] test/crypto: update verification of header
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (11 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 12/21] test/security: add more DTLS anti-replay window sz Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
                           ` (8 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

In TLS 1.3, the version in the header would be TLS 1.2 and the content
type would be APP irrespective of the type of the payload.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev_security_tls_record.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 907e043ddd..498c4923e0 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -275,9 +275,9 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		hdr_len = sizeof(struct rte_tls_hdr);
 	} else if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
 		const struct rte_tls_hdr *hdr = (const struct rte_tls_hdr *)output_text;
-		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_3) {
+		if (rte_be_to_cpu_16(hdr->version) != RTE_TLS_VERSION_1_2) {
 			printf("Incorrect header version [expected - %4x, received - %4x]\n",
-			       RTE_TLS_VERSION_1_3, rte_be_to_cpu_16(hdr->version));
+			       RTE_TLS_VERSION_1_2, rte_be_to_cpu_16(hdr->version));
 			return TEST_FAILED;
 		}
 		content_type = hdr->type;
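
Review bot: the TLS 1.3 branch of tls_record_hdr_verify() now expects RTE_TLS_VERSION_1_2 with nothing in the code to say why, which reads like a copy-paste slip to anyone who has not seen the commit message. A short comment that TLS 1.3 records carry the TLS 1.2 value in the header version field (legacy_record_version in RFC 8446) would prevent a well-meaning revert.
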
@@ -297,10 +297,18 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		return TEST_FAILED;
 	}
 
-	if (content_type != td->app_type) {
-		printf("Incorrect content type in packet [expected - %d, received - %d]\n",
-		       td->app_type, content_type);
-		return TEST_FAILED;
+	if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3) {
+		if (content_type != RTE_TLS_TYPE_APPDATA) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
+	} else {
+		if (content_type != td->app_type) {
+			printf("Incorrect content type in packet [expected - %d, received - %d]\n",
+			       td->app_type, content_type);
+			return TEST_FAILED;
+		}
 	}
 
 	if (length != td->output_text.len - hdr_len) {
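
Review bot: in the new TLS 1.3 branch the check compares content_type against RTE_TLS_TYPE_APPDATA, but the printf still reports td->app_type as the expected value, so a failure on a record whose app_type is not application data prints the wrong expectation. Print RTE_TLS_TYPE_APPDATA there. The two branches could also be folded by computing the expected type once and keeping a single comparison and message.
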
-- 
2.25.1



* [PATCH v5 14/21] test/crypto: add TLS 1.3 vectors
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (12 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 13/21] test/crypto: update verification of header Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
                           ` (7 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Akhil Goyal <gakhil@marvell.com>

Added vectors and test suite for TLS 1.3
AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305
vectors. The vectors are generated using GnuTLS
client server application.

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
 app/test/test_cryptodev.c                     |  35 +++
 app/test/test_cryptodev_security_tls_record.h |   3 +
 ...yptodev_security_tls_record_test_vectors.h | 205 ++++++++++++++++++
 3 files changed, 243 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 72d91d23a2..aa9fffe50e 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -17680,6 +17680,40 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 	}
 };
 
+static struct unit_test_suite tls13_record_proto_testsuite  = {
+	.suite_name = "TLS 1.3 Record Protocol Unit Test Suite",
+	.setup = tls_record_proto_testsuite_setup,
+	.unit_test_cases = {
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Write record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-128",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector AES-GCM-256",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Read record known vector CHACHA20-POLY1305",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
+
+		TEST_CASES_END() /**< NULL terminate unit test array */
+	}
+};
+
 #define ADD_UPLINK_TESTCASE(data)						\
 	TEST_CASE_NAMED_WITH_DATA(data.test_descr_uplink, ut_setup_security,	\
 	ut_teardown, test_docsis_proto_uplink, (const void *) &data),		\
@@ -18699,6 +18733,7 @@ run_cryptodev_testsuite(const char *pmd_name)
 		&docsis_proto_testsuite,
 		&tls12_record_proto_testsuite,
 		&dtls12_record_proto_testsuite,
+		&tls13_record_proto_testsuite,
 #endif
 		&end_testsuite
 	};
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index efb16aed7d..9fbc64605d 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -124,6 +124,9 @@ extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha256_hmac;
 extern struct tls_record_test_data dtls_test_data_aes_256_cbc_sha384_hmac;
 extern struct tls_record_test_data dtls_test_data_3des_cbc_sha1_hmac;
 extern struct tls_record_test_data dtls_test_data_null_cipher_sha1_hmac;
+extern struct tls_record_test_data tls13_test_data_aes_128_gcm;
+extern struct tls_record_test_data tls13_test_data_aes_256_gcm;
+extern struct tls_record_test_data tls13_test_data_chacha20_poly1305;
 
 int test_tls_record_status_check(struct rte_crypto_op *op,
 				 const struct tls_record_test_data *td);
diff --git a/app/test/test_cryptodev_security_tls_record_test_vectors.h b/app/test/test_cryptodev_security_tls_record_test_vectors.h
index 27b07cd54a..8af17b07e5 100644
--- a/app/test/test_cryptodev_security_tls_record_test_vectors.h
+++ b/app/test/test_cryptodev_security_tls_record_test_vectors.h
@@ -1781,4 +1781,209 @@ struct tls_record_test_data tls_test_data_3des_cbc_sha1_hmac = {
 	.app_type = 0x17,
 };
 
+/* TLS 1.3 AES-128-GCM */
+struct tls_record_test_data tls13_test_data_aes_128_gcm = {
+	.key = {
+		.data = {
+			0x03, 0x12, 0xf5, 0x86, 0xe4, 0xd0, 0x27, 0xc7,
+			0x47, 0x82, 0x44, 0xca, 0xd3, 0xce, 0x06, 0x6c,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x31, 0x32, 0x38, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0x52, 0xb5, 0x24, 0xce, 0x5c, 0x29, 0x0f, 0x0a,
+			0x3a, 0xc0, 0x60, 0xaf, 0xba, 0xe3, 0x0d, 0x28,
+			0x6c, 0xbb, 0x3e, 0x5f, 0xde, 0x4a, 0xcd, 0xf1,
+			0x30, 0x12, 0xa9, 0x42, 0x95, 0x55, 0xf5, 0x2c,
+			0xb7, 0xb6, 0x60, 0x82, 0xa2, 0x1d, 0x34, 0x33,
+			0x0a, 0xd7, 0x48, 0x40, 0xef, 0xab, 0x70, 0xa7,
+			0xb2, 0x58, 0x41, 0xdb, 0xf6, 0x37, 0xe4, 0x6d,
+			0xa3, 0x1e, 0xbf, 0x6f,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0x8d, 0x1f, 0xa0, 0x14, 0xc7, 0x66, 0x9f, 0x93,
+			0x74, 0x3f, 0x46, 0x52,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 16,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+/* TLS 1.3 AES-256-GCM */
+struct tls_record_test_data tls13_test_data_aes_256_gcm = {
+	.key = {
+		.data = {
+			0xc9, 0xc2, 0xa2, 0x4c, 0x4e, 0x36, 0x19, 0x6e,
+			0xd8, 0xf5, 0xb9, 0x14, 0x30, 0xfc, 0xe0, 0xef,
+			0x29, 0xb0, 0x00, 0xd1, 0x2d, 0xfc, 0x5a, 0x76,
+			0x50, 0xf4, 0xf3, 0xb1, 0x82, 0x21, 0x57, 0x82,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x41, 0x45, 0x53, 0x2d, 0x32, 0x35, 0x36, 0x2d,
+			0x47, 0x43, 0x4d, 0x20, 0x65, 0x78, 0x61, 0x6d,
+			0x70, 0x6c, 0x65, 0x20, 0x76, 0x65, 0x63, 0x74,
+			0x6f, 0x72, 0xa,
+		},
+		.len = 43,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x3c,
+			0xc9, 0xb0, 0x44, 0x23, 0xd5, 0xe2, 0xbd, 0x1d,
+			0xf1, 0x96, 0x53, 0x2c, 0x8c, 0xe2, 0xa3, 0x00,
+			0x7b, 0x2a, 0xb1, 0xa1, 0xd6, 0x79, 0x58, 0xb5,
+			0x35, 0x1f, 0xbb, 0x98, 0x03, 0xe1, 0x82, 0xa2,
+			0x1e, 0x26, 0x81, 0xbe, 0x77, 0x65, 0xaf, 0x7d,
+			0x9f, 0x52, 0xec, 0x3a, 0x18, 0x2d, 0x36, 0xab,
+			0xdc, 0xa9, 0xfb, 0xd3, 0xa8, 0xd5, 0xbc, 0x98,
+			0xa4, 0xab, 0x70, 0xe9,
+		},
+		.len = 65,
+	},
+	.imp_nonce = {
+		.data = {
+			0xd4, 0x78, 0xf2, 0x90, 0x61, 0x5d, 0x8c, 0x63,
+			0x4b, 0xf4, 0x72, 0xf3,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
+struct tls_record_test_data tls13_test_data_chacha20_poly1305 = {
+	.key = {
+		.data = {
+			0xec, 0x7d, 0x7a, 0x3f, 0x91, 0xdd, 0xb9, 0x70,
+			0x95, 0x3b, 0x99, 0xb0, 0xe7, 0x66, 0xda, 0xdc,
+			0x85, 0xbb, 0xfc, 0xc8, 0x50, 0xe9, 0x61, 0x88,
+			0xc8, 0x1e, 0xf0, 0x61, 0xb0, 0xcd, 0x6c, 0x3d,
+		},
+	},
+	.input_text = {
+		.data = {
+			0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+			0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, 0x33, 0x20,
+			0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30,
+			0x2d, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30,
+			0x35, 0x20, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c,
+			0x65, 0x20, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0xa,
+		},
+		.len = 49,
+	},
+	.output_text = {
+		.data = {
+			0x17, 0x03, 0x03, 0x00, 0x42,
+			0x9a, 0xc1, 0xd9, 0x0e, 0xf9, 0x4c, 0x51, 0x8c,
+			0xb4, 0xa7, 0x54, 0x57, 0x56, 0xba, 0xbb, 0xf7,
+			0xd7, 0x1d, 0x49, 0x5a, 0x42, 0xd2, 0xab, 0x75,
+			0x3f, 0xb1, 0x5f, 0xb5, 0x2b, 0x2b, 0xa3, 0xc5,
+			0x61, 0x32, 0x7e, 0x62, 0x1e, 0xf5, 0x56, 0xff,
+			0x84, 0x8e, 0x9a, 0x99, 0x06, 0xba, 0x3b, 0xc0,
+			0x15, 0x4c, 0xf5, 0xb1, 0x5e, 0xcc, 0xff, 0x42,
+			0x79, 0x4b, 0xa9, 0x23, 0x16, 0x08, 0xc3, 0x9a,
+			0x52, 0x2a,
+		},
+		.len = 71,
+	},
+	.imp_nonce = {
+		.data = {
+			0x3c, 0x28, 0xa0, 0xb8, 0xf8, 0x74, 0x35, 0xfe,
+			0xd2, 0xa0, 0x31, 0x28,
+		},
+		.len = 12,
+	},
+
+	.xform = {
+		.aead = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			.aead = {
+				.op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+				.algo = RTE_CRYPTO_AEAD_CHACHA20_POLY1305,
+				.key.length = 32,
+				.iv.length = 0,
+				.iv.offset = 0,
+				.digest_length = 16,
+				.aad_length = 5,
+			},
+		},
+	},
+
+	.tls_record_xform = {
+		.ver = RTE_SECURITY_VERSION_TLS_1_3,
+		.type = RTE_SECURITY_TLS_SESS_TYPE_WRITE,
+		.tls_1_3.seq_no = 0x0,
+	},
+
+	.aead = true,
+	.app_type = 0x17,
+};
+
 #endif
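
Review bot: tls13_test_data_chacha20_poly1305 is missing the "/* TLS 1.3 ... */" banner comment that the two GCM vectors carry, its last input_text row holds nine bytes instead of eight, and all three inputs end in 0xa rather than 0x0a like the surrounding two-digit bytes. The lengths are self-consistent: for AES-128-GCM, 43 bytes of input plus one inner content-type byte and a 16-byte tag give the 0x3c in the record header, and the 5-byte header brings .len to 65. Since the commit message says the vectors come from a GnuTLS client/server run, recording the version and invocation in a comment would let others regenerate them.
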
-- 
2.25.1



* [PATCH v5 15/21] test/crypto: update framework to verify tls-1.3
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (13 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 14/21] test/crypto: add TLS 1.3 vectors Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
                           ` (6 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Update the fields in preparation of test descriptor.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 17 +++++---
 app/test/test_cryptodev_security_tls_record.c | 43 ++++++++++++-------
 app/test/test_cryptodev_security_tls_record.h | 10 ++---
 3 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index aa9fffe50e..25777c1b1f 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11889,8 +11889,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		/* Copy IV in crypto operation when IV generation is disabled */
-		if (sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE &&
-		    tls_record_xform.options.iv_gen_disable == 1) {
+		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
+		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
+		    (tls_record_xform.options.iv_gen_disable == 1)) {
 			uint8_t *iv;
 			int len;
 
@@ -12005,8 +12006,10 @@ test_tls_record_proto_all(const struct tls_record_test_flags *flags)
 		if (flags->zero_len)
 			payload_len = 0;
 again:
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, payload_len);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, payload_len);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		ret = test_tls_record_proto_process(td_outb, td_inb, nb_pkts, true, flags);
 		if (ret == TEST_SKIPPED)
@@ -12218,8 +12221,10 @@ test_dtls_pkt_replay(const uint64_t seq_no[],
 	int ret;
 
 	for (i = 0; i < RTE_DIM(sec_alg_list); i++) {
-		test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2, flags,
-					   td_outb, nb_pkts, 0);
+		ret = test_tls_record_td_prepare(sec_alg_list[i].param1, sec_alg_list[i].param2,
+						 flags, td_outb, nb_pkts, 0);
+		if (ret == TEST_SKIPPED)
+			continue;
 
 		for (idx = 0; idx < nb_pkts; idx++)
 			td_outb[idx].tls_record_xform.dtls_1_2.seq_no = seq_no[idx];
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 498c4923e0..96d0a94731 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -70,7 +70,7 @@ test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 	}
 }
 
-void
+int
 test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypto_param *param2,
 			   const struct tls_record_test_flags *flags,
 			   struct tls_record_test_data *td_array,
@@ -79,6 +79,10 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 	int i, min_padding, hdr_len, tls_pkt_size, mac_len = 0, exp_nonce_len = 0, roundup_len = 0;
 	struct tls_record_test_data *td = NULL;
 
+	if ((flags->tls_version == RTE_SECURITY_VERSION_TLS_1_3) &&
+	    (param1->type != RTE_CRYPTO_SYM_XFORM_AEAD))
+		return TEST_SKIPPED;
+
 	memset(td_array, 0, nb_td * sizeof(*td));
 
 	for (i = 0; i < nb_td; i++) {
@@ -88,10 +92,17 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 			/* Copy template for packet & key fields */
-			if (flags->tls_version == RTE_SECURITY_VERSION_DTLS_1_2)
-				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
-			else
+			switch (flags->tls_version) {
+			case RTE_SECURITY_VERSION_TLS_1_2:
 				memcpy(td, &tls_test_data_aes_128_gcm_v1, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_DTLS_1_2:
+				memcpy(td, &dtls_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			case RTE_SECURITY_VERSION_TLS_1_3:
+				memcpy(td, &tls13_test_data_aes_128_gcm, sizeof(*td));
+				break;
+			}
 
 			td->aead = true;
 			td->xform.aead.aead.algo = param1->alg.aead;
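
Review bot: The new switch (flags->tls_version) has no default case, so for any other version td keeps the zeroes left by the memset() and the function carries on to set td->aead = true on an empty template. The later switch on td->tls_record_xform.ver returns TEST_SKIPPED from its default; do the same here so an unsupported version is rejected before any test data is built.
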
@@ -127,6 +138,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 
 		if (!td->aead) {
 			mac_len = td->xform.chain.auth.auth.digest_length;
+			min_padding = 1;
 			switch (td->xform.chain.cipher.cipher.algo) {
 			case RTE_CRYPTO_CIPHER_3DES_CBC:
 				roundup_len = 8;
@@ -143,30 +155,28 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 			}
 		} else {
 			mac_len = td->xform.aead.aead.digest_length;
+			min_padding = 0;
 			roundup_len = 0;
-			exp_nonce_len = 8;
+			if (td->tls_record_xform.ver == RTE_SECURITY_VERSION_TLS_1_3)
+				exp_nonce_len = 0;
+			else
+				exp_nonce_len = 8;
 		}
 
 		switch (td->tls_record_xform.ver) {
 		case RTE_SECURITY_VERSION_TLS_1_2:
+			hdr_len = sizeof(struct rte_tls_hdr);
+			break;
 		case RTE_SECURITY_VERSION_TLS_1_3:
 			hdr_len = sizeof(struct rte_tls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
+			/* Add 1 byte for content type in packet */
+			tls_pkt_size += 1;
 			break;
 		case RTE_SECURITY_VERSION_DTLS_1_2:
 			hdr_len = sizeof(struct rte_dtls_hdr);
-			if (td->aead)
-				min_padding = 0;
-			else
-				min_padding = 1;
 			break;
 		default:
-			hdr_len = 0;
-			min_padding = 0;
-			break;
+			return TEST_SKIPPED;
 		}
 
 		tls_pkt_size += mac_len;
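
Review bot: In the AEAD branch exp_nonce_len is chosen from td->tls_record_xform.ver, while the template and the early TLS 1.3 skip are keyed on flags->tls_version; in the lines shown the two agree only if every template carries the version it was selected for. Use a single source for the version throughout the function, or check after the memcpy() that they match. The default case also returns TEST_SKIPPED from inside the per-record loop, after td_array has been partly filled; validating the version once before the loop would be cleaner.
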
@@ -186,6 +196,7 @@ test_tls_record_td_prepare(const struct crypto_param *param1, const struct crypt
 		td->output_text.len = tls_pkt_size;
 
 	}
+	return TEST_SUCCESS;
 }
 
 void
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 9fbc64605d..0138770fac 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -137,11 +137,11 @@ int test_tls_record_sec_caps_verify(struct rte_security_tls_record_xform *tls_re
 void test_tls_record_td_read_from_write(const struct tls_record_test_data *td_out,
 					struct tls_record_test_data *td_in);
 
-void test_tls_record_td_prepare(const struct crypto_param *param1,
-				const struct crypto_param *param2,
-				const struct tls_record_test_flags *flags,
-				struct tls_record_test_data *td_array, int nb_td,
-				unsigned int data_len);
+int test_tls_record_td_prepare(const struct crypto_param *param1,
+			       const struct crypto_param *param2,
+			       const struct tls_record_test_flags *flags,
+			       struct tls_record_test_data *td_array, int nb_td,
+			       unsigned int data_len);
 
 void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_data td_outb[], int nb_td,
-- 
2.25.1



* [PATCH v5 16/21] test/crypto: test to verify hdr corruption in TLS
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (14 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 15/21] test/crypto: update framework to verify tls-1.3 Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
                           ` (5 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with header corruption.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 25777c1b1f..9f0a737913 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12424,6 +12424,20 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_1_3_record_proto_corrupt_pkt(void)
+{
+	struct tls_record_test_flags flags = {
+		.pkt_corruption = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
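
Review bot: dev_info is filled by rte_cryptodev_info_get() in test_tls_1_3_record_proto_corrupt_pkt() and then never read. Drop ts_params, dev_info and the call, or use dev_info.feature_flags to return TEST_SKIPPED on devices that cannot run the case.
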
@@ -17714,7 +17728,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"Read record known vector CHACHA20-POLY1305",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_known_vec_read, &tls13_test_data_chacha20_poly1305),
-
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header corruption",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_corrupt_pkt),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v5 17/21] test/crypto: test to verify custom content type in TLS
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (15 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 16/21] test/crypto: test to verify hdr corruption in TLS Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
                           ` (4 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with content type as custom.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 9f0a737913..fe4fcfbfdb 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12438,6 +12438,21 @@ test_tls_1_3_record_proto_corrupt_pkt(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_custom_content_type(void)
+{
+	struct tls_record_test_flags flags = {
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_CUSTOM,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
@@ -17732,6 +17747,10 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header corruption",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_corrupt_pkt),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record header with custom content type",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_custom_content_type),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
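
Review bot: The case name "TLS-1.3 record header with custom content type" is misleading for TLS 1.3, where the real content type travels inside the protected record (the framework patch in this series adds one byte to the packet for it) and not in the record header. Rename it to something like "TLS-1.3 record with custom content type" so a failure report points at the right field.
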
-- 
2.25.1



* [PATCH v5 18/21] test/crypto: test to verify zero len record in TLS
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (16 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 17/21] test/crypto: test to verify custom content type " Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:58         ` [PATCH v5 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
                           ` (3 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify TLS-1.3 record with zero length.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index fe4fcfbfdb..8ad5033f32 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12453,6 +12453,37 @@ test_tls_1_3_record_proto_custom_content_type(void)
 
 	return test_tls_record_proto_all(&flags);
 }
+
+static int
+test_tls_1_3_record_proto_zero_len(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_3_record_proto_zero_len_non_app(void)
+{
+	struct tls_record_test_flags flags = {
+		.zero_len = 1,
+		.content_type = TLS_RECORD_TEST_CONTENT_TYPE_HANDSHAKE,
+		.tls_version = RTE_SECURITY_VERSION_TLS_1_3
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
 #endif
 
 static int
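
Review bot: test_tls_1_3_record_proto_zero_len() and test_tls_1_3_record_proto_zero_len_non_app() differ only in .content_type, and both fetch dev_info without reading it. Fold them into one helper that takes the content type and the TLS version, and drop the unused rte_cryptodev_info_get() call.
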
@@ -17751,6 +17782,14 @@ static struct unit_test_suite tls13_record_proto_testsuite  = {
 			"TLS-1.3 record header with custom content type",
 			ut_setup_security, ut_teardown,
 			test_tls_1_3_record_proto_custom_content_type),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as app",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len),
+		TEST_CASE_NAMED_ST(
+			"TLS-1.3 record with zero len and content type as ctrl",
+			ut_setup_security, ut_teardown,
+			test_tls_1_3_record_proto_zero_len_non_app),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
-- 
2.25.1



* [PATCH v5 19/21] test/crypto: unit tests to verify padding in TLS
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (17 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 18/21] test/crypto: test to verify zero len record " Aakash Sasidharan
@ 2024-03-13 10:58         ` Aakash Sasidharan
  2024-03-13 10:59         ` [PATCH v5 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
                           ` (2 subsequent siblings)
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:58 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for TLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c                     | 85 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.c | 28 ++++--
 app/test/test_cryptodev_security_tls_record.h |  5 +-
 3 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 8ad5033f32..a324c1607b 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11834,6 +11834,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	if (td[0].aead)
 		test_tls_record_imp_nonce_update(&td[0], &tls_record_xform);
 
+	if (flags->opt_padding)
+		tls_record_xform.options.extra_padding_enable = 1;
+
 	sess_conf.tls_record = tls_record_xform;
 
 	if (td[0].aead) {
@@ -11888,6 +11891,9 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->op->sym->m_dst = NULL;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
+		if (flags->opt_padding)
+			ut_params->op->aux_flags = flags->opt_padding;
+
 		/* Copy IV in crypto operation when IV generation is disabled */
 		if ((sess_type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) &&
 		    (tls_record_xform.ver != RTE_SECURITY_VERSION_TLS_1_3) &&
@@ -11915,7 +11921,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
 			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
-							   silent);
+							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
 		}
@@ -12184,6 +12190,59 @@ test_tls_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_opt_padding(uint8_t padding, uint8_t num_segs,
+				  enum rte_security_tls_version tls_version)
+{
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = num_segs,
+		.tls_version = tls_version,
+		.opt_padding = padding
+	};
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 2, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
+static int
+test_tls_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_dtls_1_2_record_proto_data_walkthrough(void)
 {
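
Review bot: The padding argument of test_tls_record_proto_opt_padding() is passed as bare numbers (1, 25, 8, 33) with no statement of its unit; tls_record_hdr_verify() in this patch multiplies it by 8 and caps the result at 256, so it appears to be in 8-byte units. Say so in a comment on the helper and name the boundary values, since 33 only makes sense as "one past the 256-byte cap". The _1 and _2 suffixes would also read better as the parameters they encode.
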
@@ -17578,6 +17637,30 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Zero len TLS record with content type as ctrl",
 			ut_setup_security, ut_teardown,
 			test_tls_record_proto_zero_len_non_app),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"TLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_tls_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
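
Review bot: Two entries carry the identical name "TLS record SG mode with optional padding > 2 blocks" (test_tls_record_proto_sg_opt_padding_1 and test_tls_record_proto_sg_opt_padding_2), so a failure in the test log cannot be traced to one of them. They differ only in segment count (4 and 5); put that in the name.
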
diff --git a/app/test/test_cryptodev_security_tls_record.c b/app/test/test_cryptodev_security_tls_record.c
index 96d0a94731..03d9efefc3 100644
--- a/app/test/test_cryptodev_security_tls_record.c
+++ b/app/test/test_cryptodev_security_tls_record.c
@@ -269,7 +269,8 @@ test_tls_record_res_d_prepare(const uint8_t *output_text, uint32_t len,
 }
 
 static int
-tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text)
+tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *output_text,
+		      const struct tls_record_test_flags *flags)
 {
 	uint16_t length, hdr_len;
 	uint8_t content_type;
@@ -322,10 +323,22 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 		}
 	}
 
-	if (length != td->output_text.len - hdr_len) {
-		printf("Incorrect packet length [expected - %d, received - %d]\n",
-		       td->output_text.len - hdr_len, length);
-		return TEST_FAILED;
+	if (!flags->opt_padding) {
+		if (length != td->output_text.len - hdr_len) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       td->output_text.len - hdr_len, length);
+			return TEST_FAILED;
+		}
+	} else {
+		int pad_len = (flags->opt_padding * 8) > 256 ? 256 : (flags->opt_padding * 8);
+		int expect_len = td->output_text.len - hdr_len + pad_len;
+
+		if (length - expect_len > 32) {
+			printf("Incorrect packet length [expected - %d, received - %d]\n",
+			       expect_len, length);
+			return TEST_FAILED;
+		}
+
 	}
 
 	return TEST_SUCCESS;
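
Review bot: The padded-length check (length - expect_len > 32) is one-sided: length is promoted to int, so a record shorter than expect_len, including one that carries no extra padding at all, gives a negative difference and passes. Reject length < expect_len as well, give 8, 256 and 32 names so the tolerance is explained, and print the accepted range in the failure message instead of a single "expected" value. The blank line before the closing brace of the else block can go.
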
@@ -333,7 +346,8 @@ tls_record_hdr_verify(const struct tls_record_test_data *td, const uint8_t *outp
 
 int
 test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-			     struct tls_record_test_data *res_d, bool silent)
+			     struct tls_record_test_data *res_d, bool silent,
+			     const struct tls_record_test_flags *flags)
 {
 	uint8_t output_text[TEST_SEC_CIPHERTEXT_MAX_LEN];
 	uint32_t len = rte_pktmbuf_pkt_len(m), data_len;
@@ -365,7 +379,7 @@ test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_t
 	}
 
 	if (td->tls_record_xform.type == RTE_SECURITY_TLS_SESS_TYPE_WRITE) {
-		ret = tls_record_hdr_verify(td, output_text);
+		ret = tls_record_hdr_verify(td, output_text, flags);
 		if (ret != TEST_SUCCESS)
 			return ret;
 	}
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index 0138770fac..a7c38218ae 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -97,7 +97,9 @@ struct tls_record_test_flags {
 	bool data_walkthrough;
 	bool pkt_corruption;
 	bool zero_len;
+	bool padding_corruption;
 	uint8_t nb_segs_in_mbuf;
+	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
 	enum tls_record_test_content_type content_type;
 	int ar_win_size;
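
Review bot: padding_corruption is added to struct tls_record_test_flags, but nothing in this patch sets or reads it. Move the field to the patch that introduces its first user, or drop it.
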
@@ -148,5 +150,6 @@ void test_tls_record_td_update(struct tls_record_test_data td_inb[],
 			       const struct tls_record_test_flags *flags);
 
 int test_tls_record_post_process(const struct rte_mbuf *m, const struct tls_record_test_data *td,
-				 struct tls_record_test_data *res_d, bool silent);
+				 struct tls_record_test_data *res_d, bool silent,
+				 const struct tls_record_test_flags *flags);
 #endif
-- 
2.25.1



* [PATCH v5 20/21] test/crypto: unit tests for padding in DTLS-1.2
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (18 preceding siblings ...)
  2024-03-13 10:58         ` [PATCH v5 19/21] test/crypto: unit tests to verify padding " Aakash Sasidharan
@ 2024-03-13 10:59         ` Aakash Sasidharan
  2024-03-13 10:59         ` [PATCH v5 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
  2024-03-13 14:25         ` [PATCH v5 00/21] Improvements and new test cases Akhil Goyal
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:59 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

From: Vidya Sagar Velumuri <vvelumuri@marvell.com>

Add unit tests to verify the padding for DTLS-1.2.

Signed-off-by: Vidya Sagar Velumuri <vvelumuri@marvell.com>
---
 app/test/test_cryptodev.c | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index a324c1607b..572740cbf9 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -12483,6 +12483,42 @@ test_dtls_1_2_record_proto_zero_len_non_app(void)
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_dtls_1_2_record_proto_dm_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_dm_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(25, 0, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding(void)
+{
+	return test_tls_record_proto_opt_padding(1, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_1(void)
+{
+	return test_tls_record_proto_opt_padding(8, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_2(void)
+{
+	return test_tls_record_proto_opt_padding(8, 5, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
+static int
+test_dtls_1_2_record_proto_sg_opt_padding_max(void)
+{
+	return test_tls_record_proto_opt_padding(33, 4, RTE_SECURITY_VERSION_DTLS_1_2);
+}
+
 static int
 test_tls_1_3_record_proto_corrupt_pkt(void)
 {
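
Review bot: test_dtls_1_2_record_proto_sg_opt_padding() passes 5 segments where its TLS 1.2 counterpart test_tls_record_proto_sg_opt_padding() passes 2, which leaves the DTLS suite without a padding case at a low segment count. If the difference is deliberate, say why in a comment; otherwise use 2 to keep the two suites aligned.
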
@@ -17824,6 +17860,30 @@ static struct unit_test_suite dtls12_record_proto_testsuite  = {
 			"Antireplay with window size 4096",
 			ut_setup_security, ut_teardown,
 			test_dtls_1_2_record_proto_antireplay4096),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record DM mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_dm_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding < 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_1),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > 2 blocks",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_2),
+		TEST_CASE_NAMED_ST(
+			"DTLS record SG mode with optional padding > max range",
+			ut_setup_security, ut_teardown,
+			test_dtls_1_2_record_proto_sg_opt_padding_max),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
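
Review bot: "DTLS record SG mode with optional padding > 2 blocks" is used for both test_dtls_1_2_record_proto_sg_opt_padding_1 and test_dtls_1_2_record_proto_sg_opt_padding_2. Give each a distinct name, for instance by adding the segment count, so the test log identifies the failing case.
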
-- 
2.25.1



* [PATCH v5 21/21] test/security: add out of place sgl test case for TLS 1.2
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (19 preceding siblings ...)
  2024-03-13 10:59         ` [PATCH v5 20/21] test/crypto: unit tests for padding in DTLS-1.2 Aakash Sasidharan
@ 2024-03-13 10:59         ` Aakash Sasidharan
  2024-03-13 14:25         ` [PATCH v5 00/21] Improvements and new test cases Akhil Goyal
  21 siblings, 0 replies; 114+ messages in thread
From: Aakash Sasidharan @ 2024-03-13 10:59 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: jerinj, anoobj, vvelumuri, asasidharan, dev

Add TLS 1.2 out-of-place multi-segmented packet test.

Signed-off-by: Aakash Sasidharan <asasidharan@marvell.com>
---
 app/test/test_cryptodev.c                     | 52 ++++++++++++++++++-
 app/test/test_cryptodev_security_tls_record.h |  1 +
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 572740cbf9..1703ebccf1 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -11873,6 +11873,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		ut_params->ibuf = create_segmented_mbuf(ts_params->mbuf_pool, td[i].input_text.len,
 				nb_segs, 0);
 		pktmbuf_write(ut_params->ibuf, 0, td[i].input_text.len, td[i].input_text.data);
+		if (flags->out_of_place)
+			ut_params->obuf = create_segmented_mbuf(ts_params->mbuf_pool,
+					td[i].output_text.len, nb_segs, 0);
+		else
+			ut_params->obuf = NULL;
 
 		/* Generate crypto op data structure */
 		ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
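
Review bot: The ut_params->obuf returned by create_segmented_mbuf() is not checked for NULL in this hunk. If the allocation fails, m_dst is set to NULL further down and the later test_tls_record_post_process(buf, ...) call, which picks obuf when flags->out_of_place is set, would be handed a NULL mbuf. Fail the test right after the allocation instead.
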
@@ -11888,7 +11893,7 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 
 		/* Set crypto operation mbufs */
 		ut_params->op->sym->m_src = ut_params->ibuf;
-		ut_params->op->sym->m_dst = NULL;
+		ut_params->op->sym->m_dst = ut_params->obuf;
 		ut_params->op->param1.tls_record.content_type = td[i].app_type;
 
 		if (flags->opt_padding)
@@ -11920,7 +11925,10 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 			res_d_tmp = &res_d[i];
 
 		if (ut_params->op->status == RTE_CRYPTO_OP_STATUS_SUCCESS) {
-			ret = test_tls_record_post_process(ut_params->ibuf, &td[i], res_d_tmp,
+			struct rte_mbuf *buf = flags->out_of_place ? ut_params->obuf :
+						ut_params->ibuf;
+
+			ret = test_tls_record_post_process(buf, &td[i], res_d_tmp,
 							   silent, flags);
 			if (ret != TEST_SUCCESS)
 				goto crypto_op_free;
@@ -11929,6 +11937,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 		rte_crypto_op_free(ut_params->op);
 		ut_params->op = NULL;
 
+		if (flags->out_of_place) {
+			rte_pktmbuf_free(ut_params->obuf);
+			ut_params->obuf = NULL;
+		}
+
 		rte_pktmbuf_free(ut_params->ibuf);
 		ut_params->ibuf = NULL;
 	}
@@ -11937,6 +11950,11 @@ test_tls_record_proto_process(const struct tls_record_test_data td[],
 	rte_crypto_op_free(ut_params->op);
 	ut_params->op = NULL;
 
+	if (flags->out_of_place) {
+		rte_pktmbuf_free(ut_params->obuf);
+		ut_params->obuf = NULL;
+	}
+
 	rte_pktmbuf_free(ut_params->ibuf);
 	ut_params->ibuf = NULL;
 
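
Review bot: The if (flags->out_of_place) guard around the obuf cleanup is unnecessary: rte_pktmbuf_free() accepts NULL, and obuf is set to NULL for the in-place case. Freeing unconditionally, here and in the loop body, keeps both cleanup paths identical to the ibuf handling.
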
@@ -12127,6 +12145,32 @@ test_tls_record_proto_sgl_data_walkthrough(enum rte_security_tls_version tls_ver
 	return test_tls_record_proto_all(&flags);
 }
 
+static int
+test_tls_record_proto_sgl_oop(enum rte_security_tls_version tls_version)
+{
+	struct tls_record_test_flags flags = {
+		.nb_segs_in_mbuf = 5,
+		.out_of_place = true,
+		.tls_version = tls_version
+	};
+	struct crypto_testsuite_params *ts_params = &testsuite_params;
+	struct rte_cryptodev_info dev_info;
+
+	rte_cryptodev_info_get(ts_params->valid_devs[0], &dev_info);
+	if (!(dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL)) {
+		printf("Device doesn't support in-place scatter-gather. Test Skipped.\n");
+		return TEST_SKIPPED;
+	}
+
+	return test_tls_record_proto_all(&flags);
+}
+
+static int
+test_tls_1_2_record_proto_sgl_oop(void)
+{
+	return test_tls_record_proto_sgl_oop(RTE_SECURITY_VERSION_TLS_1_2);
+}
+
 static int
 test_tls_1_2_record_proto_sgl_data_walkthrough(void)
 {
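
Review bot: test_tls_record_proto_sgl_oop() gates an out-of-place test on RTE_CRYPTODEV_FF_IN_PLACE_SGL, and the skip message says "in-place scatter-gather". A device can support in-place SGL without supporting segmented source and destination buffers; check the out-of-place capability the test needs (RTE_CRYPTODEV_FF_OOP_SGL_IN_SGL_OUT, since both mbufs are built with nb_segs) and correct the message to match.
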
@@ -17657,6 +17701,10 @@ static struct unit_test_suite tls12_record_proto_testsuite  = {
 			"Multi-segmented mode data walkthrough",
 			ut_setup_security, ut_teardown,
 			test_tls_1_2_record_proto_sgl_data_walkthrough),
+		TEST_CASE_NAMED_ST(
+			"Multi-segmented mode out of place",
+			ut_setup_security, ut_teardown,
+			test_tls_1_2_record_proto_sgl_oop),
 		TEST_CASE_NAMED_ST(
 			"TLS packet header corruption",
 			ut_setup_security, ut_teardown,
diff --git a/app/test/test_cryptodev_security_tls_record.h b/app/test/test_cryptodev_security_tls_record.h
index a7c38218ae..18a90c6ff6 100644
--- a/app/test/test_cryptodev_security_tls_record.h
+++ b/app/test/test_cryptodev_security_tls_record.h
@@ -98,6 +98,7 @@ struct tls_record_test_flags {
 	bool pkt_corruption;
 	bool zero_len;
 	bool padding_corruption;
+	bool out_of_place;
 	uint8_t nb_segs_in_mbuf;
 	uint8_t opt_padding;
 	enum rte_security_tls_version tls_version;
-- 
2.25.1



* RE: [PATCH v5 00/21] Improvements and new test cases
  2024-03-13 10:58       ` [PATCH v5 00/21] Improvements and new test cases Aakash Sasidharan
                           ` (20 preceding siblings ...)
  2024-03-13 10:59         ` [PATCH v5 21/21] test/security: add out of place sgl test case for TLS 1.2 Aakash Sasidharan
@ 2024-03-13 14:25         ` Akhil Goyal
  2024-03-15 18:27           ` Patrick Robb
  21 siblings, 1 reply; 114+ messages in thread
From: Akhil Goyal @ 2024-03-13 14:25 UTC (permalink / raw)
  To: Aakash Sasidharan
  Cc: Jerin Jacob, Anoob Joseph, Vidya Sagar Velumuri, Aakash Sasidharan, dev


> Subject: [PATCH v5 00/21] Improvements and new test cases
> 
> v5:
> * Define TEST_SEC_CIPHERTEXT_MAX_LEN based on existing
>   MBUF_DATAPAYLOAD_SIZE macro.
> 
> v4:
> * Set max ciphertext length for data walkthrough tests to 4k.
> 
> v3:
> * Set max packet length for data walkthrough tests to 8k.
> 
> v2:
> * Rebased.
> 
> Aakash Sasidharan (7):
>   test/security: enable AES-GCM in combined mode TLS
>   test/security: add TLS 1.2 data walkthrough test
>   test/security: add DTLS 1.2 data walkthrough test
>   test/security: add TLS SG data walkthrough test
>   test/security: add DTLS 1.2 anti-replay tests
>   test/security: add more DTLS anti-replay window sz
>   test/security: add out of place sgl test case for TLS 1.2
> 
> Akhil Goyal (2):
>   test/security: add TLS/DTLS 1.2 AES-256-SHA384 vectors
>   test/crypto: add TLS 1.3 vectors
> 
> Anoob Joseph (1):
>   test/cryptodev: allow zero packet length buffers
> 
> Vidya Sagar Velumuri (11):
>   test/security: unit test for TLS packet corruption
>   test/security: unit test for custom content verification
>   test/security: unit test to verify zero TLS records
>   test/security: add unit tests for DTLS-1.2
>   test/crypto: update verification of header
>   test/crypto: update framework to verify tls-1.3
>   test/crypto: test to verify hdr corruption in TLS
>   test/crypto: test to verify custom content type in TLS
>   test/crypto: test to verify zero len record in TLS
>   test/crypto: unit tests to verify padding in TLS
>   test/crypto: unit tests for padding in DTLS-1.2
> 
>  app/test/test_cryptodev.c                     | 975 ++++++++++++++++--
>  app/test/test_cryptodev.h                     |  20 +-
>  app/test/test_cryptodev_security_tls_record.c | 203 ++--
>  app/test/test_cryptodev_security_tls_record.h |  77 +-
>  ...yptodev_security_tls_record_test_vectors.h | 405 ++++++++
>  app/test/test_security_proto.c                |  17 +
>  app/test/test_security_proto.h                |  11 +
>  7 files changed, 1530 insertions(+), 178 deletions(-)
> 
Series Acked-by: Akhil Goyal <gakhil@marvell.com>

Updated patch title to test/crypto for all patches as these tests are part of crypto suite.

Applied to dpdk-next-crypto


* Re: [PATCH v5 00/21] Improvements and new test cases
  2024-03-13 14:25         ` [PATCH v5 00/21] Improvements and new test cases Akhil Goyal
@ 2024-03-15 18:27           ` Patrick Robb
  0 siblings, 0 replies; 114+ messages in thread
From: Patrick Robb @ 2024-03-15 18:27 UTC (permalink / raw)
  To: Akhil Goyal
  Cc: Aakash Sasidharan, Jerin Jacob, Anoob Joseph, Vidya Sagar Velumuri, dev

Recheck-request: iol-unit-arm64-testing

Even though ipsec update is postponed to a later release, I'm putting
in rechecks for all series that have fails for the arm crypto tests
now that we are building from SECLIB-IPSEC-2024.03.12.
