From: dpdklab@iol.unh.edu
To: test-report@dpdk.org
Cc: dpdk-test-reports@iol.unh.edu
Subject: [dpdk-test-report] |WARNING| pw98271-98273 [PATCH] [3/3] test/crypto: add tunnel header verification tests
Date: Wed,  8 Sep 2021 10:44:10 -0400 (EDT)	[thread overview]
Message-ID: <20210908144410.E5ED33062F@noxus.dpdklab.iol.unh.edu> (raw)

[-- Attachment #1: Type: text/plain, Size: 7366 bytes --]

Test-Label: iol-testing
Test-Status: WARNING
http://dpdk.org/patch/98271

_apply patch failure_

Submitter: Tejasree Kondoj <ktejasree@marvell.com>
Date: Wednesday, September 08 2021 08:21:11 
Applied on: CommitID:b344eb5d941a7522ff27b6b7b5419f68c3fea9a0
Apply patch set 98271-98273 failed:

Checking patch doc/guides/rel_notes/release_21_11.rst...
error: while searching for:
    soft and hard SA expiry limits. Limits can be either in units of packets or
    bytes.


Known Issues
------------

error: patch failed: doc/guides/rel_notes/release_21_11.rst:136
Checking patch lib/security/rte_security.h...
error: while searching for:
	 * by the PMD.
	 */
	uint32_t iv_gen_disable : 1;
};

/** IPSec security association direction */

error: patch failed: lib/security/rte_security.h:195
Applying patch doc/guides/rel_notes/release_21_11.rst with 1 reject...
Rejected hunk #1.
Applying patch lib/security/rte_security.h with 1 reject...
Hunk #1 applied cleanly.
Rejected hunk #2.
diff a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst	(rejected hunks)
@@ -136,6 +136,11 @@ ABI Changes
     soft and hard SA expiry limits. Limits can be either in units of packets or
     bytes.
 
+* security: add IPsec SA option to configure tunnel header verification
+
+  * Added SA option to indicate whether outer header verification need to be
+    done as part of inbound IPsec processing.
+
 
 Known Issues
 ------------
diff a/lib/security/rte_security.h b/lib/security/rte_security.h	(rejected hunks)
@@ -195,6 +203,15 @@ struct rte_security_ipsec_sa_options {
 	 * by the PMD.
 	 */
 	uint32_t iv_gen_disable : 1;
+
+	/** Verify tunnel header in inbound
+	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
+	 *   IP address.
+	 *
+	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
+	 *   source and destination IP addresses.
+	 */
+	uint32_t tunnel_hdr_verify : 2;
 };
 
 /** IPSec security association direction */
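Review bot: The doc comment on `tunnel_hdr_verify` lists the two verification modes but never says what the value 0 means, nor what the fourth value that fits in the 2-bit field is reserved for. An SA whose options are zero-initialised would presumably get no outer-header verification, and that default deserves an explicit line such as `* * 0: No tunnel header verification (default).` The opening sentence would read better as `/** Verify tunnel header in inbound processing.` followed by an empty ` *` line before the list. struct rte_security_ipsec_sa_options begins outside the hunk.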
Checking patch drivers/common/cnxk/cnxk_security.c...
Hunk #1 succeeded at 117 (offset -82 lines).
Hunk #2 succeeded at 202 (offset -83 lines).
Checking patch drivers/common/cnxk/roc_ie_ot.h...
Hunk #1 succeeded at 203 (offset 23 lines).
Checking patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c...
error: while searching for:
#ifdef LA_IPSEC_DEBUG
		sec_cap->ipsec.options.iv_gen_disable = 1;
#endif
	}
}


error: patch failed: drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c:920
Applied patch drivers/common/cnxk/cnxk_security.c cleanly.
Applied patch drivers/common/cnxk/roc_ie_ot.h cleanly.
Applying patch drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c with 1 reject...
Rejected hunk #1.
diff a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c	(rejected hunks)
@@ -920,6 +920,10 @@ cn10k_sec_caps_update(struct rte_security_capability *sec_cap)
 #ifdef LA_IPSEC_DEBUG
 		sec_cap->ipsec.options.iv_gen_disable = 1;
 #endif
+	} else {
+		if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
+			sec_cap->ipsec.options.tunnel_hdr_verify =
+				RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
 	}
 }
 
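Review bot: The new `else` branch advertises `RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR` as a capability, but nothing here states how a multi-valued capability is matched against the option requested on an SA. If the intent is that advertising source-and-destination verification also covers destination-only, a comment such as `/* Highest tunnel header verification level supported; lower levels are implied */` would make that rule explicit. The nested `if` can also be folded into `} else if (sec_cap->ipsec.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {`. The condition this `else` pairs with lies outside the hunk, so which direction it selects is inferred rather than visible.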
Checking patch app/test/test_cryptodev.c...
error: while searching for:
	int salt_len, i, ret = TEST_SUCCESS;
	struct rte_security_ctx *ctx;
	uint8_t *input_text;

	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;

error: patch failed: app/test/test_cryptodev.c:8876
error: while searching for:
	/* Copy IPsec xform */
	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));

	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));

	dir = ipsec_xform.direction;

	ctx = rte_cryptodev_get_sec_ctx(dev_id);

	sec_cap_idx.action = ut_params->type;

error: patch failed: app/test/test_cryptodev.c:8885
error: while searching for:
	return test_ipsec_proto_all(&flags);
}

static int
test_PDCP_PROTO_all(void)
{

error: patch failed: app/test/test_cryptodev.c:9181
error: while searching for:
			"Negative test: ICV corruption",
			ut_setup_security, ut_teardown,
			test_ipsec_proto_err_icv_corrupt),
		TEST_CASES_END() /**< NULL terminate unit test array */
	}
};

error: patch failed: app/test/test_cryptodev.c:14124
Checking patch app/test/test_cryptodev_security_ipsec.c...
error: app/test/test_cryptodev_security_ipsec.c: does not exist in index
Checking patch app/test/test_cryptodev_security_ipsec.h...
error: app/test/test_cryptodev_security_ipsec.h: does not exist in index
Checking patch app/test/test_cryptodev_security_ipsec_test_vectors.h...
error: app/test/test_cryptodev_security_ipsec_test_vectors.h: does not exist in index
Applying patch app/test/test_cryptodev.c with 4 rejects...
Rejected hunk #1.
Rejected hunk #2.
Rejected hunk #3.
Rejected hunk #4.
diff a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c	(rejected hunks)
@@ -8876,6 +8876,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	int salt_len, i, ret = TEST_SUCCESS;
 	struct rte_security_ctx *ctx;
 	uint8_t *input_text;
+	uint32_t verify;
 
 	ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
 	gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
@@ -8885,11 +8886,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 	/* Copy IPsec xform */
 	memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
 
+	dir = ipsec_xform.direction;
+	verify = flags->tunnel_hdr_verify;
+
+	if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+		if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+			src += 1;
+		else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+			dst += 1;
+	}
+
 	memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
 	memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
 
-	dir = ipsec_xform.direction;
-
 	ctx = rte_cryptodev_get_sec_ctx(dev_id);
 
 	sec_cap_idx.action = ut_params->type;
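Review bot: In the ingress branch the `RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR` case perturbs only `src`, so a packet with a matching source and a mismatched destination is never exercised in that mode. A device that checked only the source address there would still pass. Consider a second variant that does `dst += 1` under source-and-destination verification, and put a comment above the block such as `/* Deliberately mismatch the SA tunnel address so inbound verification must reject the packet */`. The mismatch is written only into `tunnel.ipv4`, so these lines do not cover IPv6 tunnels. test_ipsec_proto_process starts and ends outside the hunk, so how the expected rejection is asserted is not visible here.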
@@ -9181,6 +9190,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14124,6 +14157,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Negative test: ICV corruption",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_err_icv_corrupt),
+		TEST_CASE_NAMED_ST(
+			"Tunnel dst addr verification",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_tunnel_dst_addr_verify),
+		TEST_CASE_NAMED_ST(
+			"Tunnel src and dst addr verification",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_tunnel_src_dst_addr_verify),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
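Review bot: The two new suite entries are named like positive tests, yet the ingress path in test_ipsec_proto_process deliberately mismatches the SA tunnel addresses when `tunnel_hdr_verify` is set, which suggests they expect inbound processing to reject the packet. If so, following the adjacent `"Negative test: ICV corruption"` convention, e.g. `"Negative test: tunnel dst addr verification"`, would make a failure report easier to interpret. The same applies to test_ipsec_proto_tunnel_dst_addr_verify and test_ipsec_proto_tunnel_src_dst_addr_verify in the preceding hunk, which would benefit from a one-line comment stating the expected outcome. No positive case (verification enabled, addresses matching) is added in the visible hunks. ipsec_proto_testsuite starts outside the hunk.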

https://lab.dpdk.org/results/dashboard/patchsets/18616/

UNH-IOL DPDK Community Lab
