1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_common.h>
6 #include <rte_cryptodev.h>
8 #include <rte_security.h>
11 #include "test_cryptodev_security_ipsec.h"
13 extern struct ipsec_test_data pkt_aes_256_gcm;
16 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
17 const struct rte_security_capability *sec_cap,
20 /* Verify security capabilities */
22 if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
24 RTE_LOG(INFO, USER1, "ESN is not supported\n");
28 if (ipsec_xform->options.udp_encap == 1 &&
29 sec_cap->ipsec.options.udp_encap == 0) {
31 RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
35 if (ipsec_xform->options.copy_dscp == 1 &&
36 sec_cap->ipsec.options.copy_dscp == 0) {
38 RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
42 if (ipsec_xform->options.copy_flabel == 1 &&
43 sec_cap->ipsec.options.copy_flabel == 0) {
45 RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
49 if (ipsec_xform->options.copy_df == 1 &&
50 sec_cap->ipsec.options.copy_df == 0) {
52 RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
56 if (ipsec_xform->options.dec_ttl == 1 &&
57 sec_cap->ipsec.options.dec_ttl == 0) {
59 RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
63 if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
65 RTE_LOG(INFO, USER1, "ECN is not supported\n");
69 if (ipsec_xform->options.stats == 1 &&
70 sec_cap->ipsec.options.stats == 0) {
72 RTE_LOG(INFO, USER1, "Stats is not supported\n");
80 test_ipsec_crypto_caps_aead_verify(
81 const struct rte_security_capability *sec_cap,
82 struct rte_crypto_sym_xform *aead)
84 const struct rte_cryptodev_symmetric_capability *sym_cap;
85 const struct rte_cryptodev_capabilities *crypto_cap;
88 while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
89 RTE_CRYPTO_OP_TYPE_UNDEFINED) {
90 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
91 crypto_cap->sym.xform_type == aead->type &&
92 crypto_cap->sym.aead.algo == aead->aead.algo) {
93 sym_cap = &crypto_cap->sym;
94 if (rte_cryptodev_sym_capability_check_aead(sym_cap,
95 aead->aead.key.length,
96 aead->aead.digest_length,
97 aead->aead.aad_length,
98 aead->aead.iv.length) == 0)
107 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
108 struct ipsec_test_data *td_in)
110 memcpy(td_in, td_out, sizeof(*td_in));
112 /* Populate output text of td_in with input text of td_out */
113 memcpy(td_in->output_text.data, td_out->input_text.data,
114 td_out->input_text.len);
115 td_in->output_text.len = td_out->input_text.len;
117 /* Populate input text of td_in with output text of td_out */
118 memcpy(td_in->input_text.data, td_out->output_text.data,
119 td_out->output_text.len);
120 td_in->input_text.len = td_out->output_text.len;
122 td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
125 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
127 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
128 td_in->xform.chain.cipher.cipher.op =
129 RTE_CRYPTO_CIPHER_OP_DECRYPT;
134 test_ipsec_td_prepare(const struct crypto_param *param1,
135 const struct crypto_param *param2,
136 const struct ipsec_test_flags *flags,
137 struct ipsec_test_data *td_array,
141 struct ipsec_test_data *td;
144 memset(td_array, 0, nb_td * sizeof(*td));
146 for (i = 0; i < nb_td; i++) {
148 /* Copy template for packet & key fields */
149 memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
151 /* Override fields based on param */
153 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
158 td->xform.aead.aead.algo = param1->alg.aead;
159 td->xform.aead.aead.key.length = param1->key_length;
163 RTE_SET_USED(param2);
167 test_ipsec_td_update(struct ipsec_test_data td_inb[],
168 const struct ipsec_test_data td_outb[],
170 const struct ipsec_test_flags *flags)
174 for (i = 0; i < nb_td; i++) {
175 memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
176 td_outb[i].input_text.len);
177 td_inb[i].output_text.len = td_outb->input_text.len;
184 test_ipsec_display_alg(const struct crypto_param *param1,
185 const struct crypto_param *param2)
187 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
188 printf("\t%s [%d]\n",
189 rte_crypto_aead_algorithm_strings[param1->alg.aead],
192 RTE_SET_USED(param2);
196 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
200 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
201 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
202 if (td->ipsec_xform.tunnel.type ==
203 RTE_SECURITY_IPSEC_TUNNEL_IPV4)
204 len += sizeof(struct rte_ipv4_hdr);
206 len += sizeof(struct rte_ipv6_hdr);
214 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
215 bool silent, const struct ipsec_test_flags *flags)
217 uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
218 uint32_t skip, len = rte_pktmbuf_pkt_len(m);
220 if (len != td->output_text.len) {
221 printf("Output length (%d) not matching with expected (%d)\n",
222 len, td->output_text.len);
226 skip = test_ipsec_tunnel_hdr_len_get(td);
231 if (memcmp(output_text, td->output_text.data + skip, len)) {
235 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
236 "output text not as expected\n");
238 rte_hexdump(stdout, "expected", td->output_text.data + skip,
240 rte_hexdump(stdout, "actual", output_text, len);
250 test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
251 struct ipsec_test_data *res_d)
253 uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
254 uint32_t len = rte_pktmbuf_pkt_len(m);
256 memcpy(res_d, td, sizeof(*res_d));
257 memcpy(res_d->input_text.data, output_text, len);
258 res_d->input_text.len = len;
260 res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
262 res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
264 printf("Only AEAD supported\n");
272 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
273 struct ipsec_test_data *res_d, bool silent,
274 const struct ipsec_test_flags *flags)
277 * In case of known vector tests & all inbound tests, res_d provided
278 * would be NULL and output data need to be validated against expected.
279 * For inbound, output_text would be plain packet and for outbound
280 * output_text would IPsec packet. Validate by comparing against
283 * In case of combined mode tests, the output_text from outbound
284 * operation (ie, IPsec packet) would need to be inbound processed to
285 * obtain the plain text. Copy output_text to result data, 'res_d', so
286 * that inbound processing can be done.
290 return test_ipsec_td_verify(m, td, silent, flags);
292 return test_ipsec_res_d_prepare(m, td, res_d);
296 test_ipsec_status_check(struct rte_crypto_op *op,
297 const struct ipsec_test_flags *flags,
298 enum rte_security_ipsec_sa_direction dir)
300 int ret = TEST_SUCCESS;
302 if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
303 printf("Security op processing failed\n");