app/test/test_cryptodev_security_ipsec.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(C) 2021 Marvell.
   3  */
   4
   5 #include <rte_common.h>
   6 #include <rte_cryptodev.h>
   7 #include <rte_ip.h>
   8 #include <rte_security.h>
   9
  10 #include "test.h"
  11 #include "test_cryptodev_security_ipsec.h"
  12
  13 extern struct ipsec_test_data pkt_aes_256_gcm;
  14
  15 int
  16 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
  17                            const struct rte_security_capability *sec_cap,
  18                            bool silent)
  19 {
  20         /* Verify security capabilities */
  21
  22         if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
  23                 if (!silent)
  24                         RTE_LOG(INFO, USER1, "ESN is not supported\n");
  25                 return -ENOTSUP;
  26         }
  27
  28         if (ipsec_xform->options.udp_encap == 1 &&
  29             sec_cap->ipsec.options.udp_encap == 0) {
  30                 if (!silent)
  31                         RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
  32                 return -ENOTSUP;
  33         }
  34
  35         if (ipsec_xform->options.copy_dscp == 1 &&
  36             sec_cap->ipsec.options.copy_dscp == 0) {
  37                 if (!silent)
  38                         RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
  39                 return -ENOTSUP;
  40         }
  41
  42         if (ipsec_xform->options.copy_flabel == 1 &&
  43             sec_cap->ipsec.options.copy_flabel == 0) {
  44                 if (!silent)
  45                         RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
  46                 return -ENOTSUP;
  47         }
  48
  49         if (ipsec_xform->options.copy_df == 1 &&
  50             sec_cap->ipsec.options.copy_df == 0) {
  51                 if (!silent)
  52                         RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
  53                 return -ENOTSUP;
  54         }
  55
  56         if (ipsec_xform->options.dec_ttl == 1 &&
  57             sec_cap->ipsec.options.dec_ttl == 0) {
  58                 if (!silent)
  59                         RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
  60                 return -ENOTSUP;
  61         }
  62
  63         if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
  64                 if (!silent)
  65                         RTE_LOG(INFO, USER1, "ECN is not supported\n");
  66                 return -ENOTSUP;
  67         }
  68
  69         if (ipsec_xform->options.stats == 1 &&
  70             sec_cap->ipsec.options.stats == 0) {
  71                 if (!silent)
  72                         RTE_LOG(INFO, USER1, "Stats is not supported\n");
  73                 return -ENOTSUP;
  74         }
  75
  76         return 0;
  77 }
  78
  79 int
  80 test_ipsec_crypto_caps_aead_verify(
  81                 const struct rte_security_capability *sec_cap,
  82                 struct rte_crypto_sym_xform *aead)
  83 {
  84         const struct rte_cryptodev_symmetric_capability *sym_cap;
  85         const struct rte_cryptodev_capabilities *crypto_cap;
  86         int j = 0;
  87
  88         while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
  89                         RTE_CRYPTO_OP_TYPE_UNDEFINED) {
  90                 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
  91                                 crypto_cap->sym.xform_type == aead->type &&
  92                                 crypto_cap->sym.aead.algo == aead->aead.algo) {
  93                         sym_cap = &crypto_cap->sym;
  94                         if (rte_cryptodev_sym_capability_check_aead(sym_cap,
  95                                         aead->aead.key.length,
  96                                         aead->aead.digest_length,
  97                                         aead->aead.aad_length,
  98                                         aead->aead.iv.length) == 0)
  99                                 return 0;
 100                 }
 101         }
 102
 103         return -ENOTSUP;
 104 }
 105
 106 void
 107 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 108                           struct ipsec_test_data *td_in)
 109 {
 110         memcpy(td_in, td_out, sizeof(*td_in));
 111
 112         /* Populate output text of td_in with input text of td_out */
 113         memcpy(td_in->output_text.data, td_out->input_text.data,
 114                td_out->input_text.len);
 115         td_in->output_text.len = td_out->input_text.len;
 116
 117         /* Populate input text of td_in with output text of td_out */
 118         memcpy(td_in->input_text.data, td_out->output_text.data,
 119                td_out->output_text.len);
 120         td_in->input_text.len = td_out->output_text.len;
 121
 122         td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 123
 124         if (td_in->aead) {
 125                 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 126         } else {
 127                 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
 128                 td_in->xform.chain.cipher.cipher.op =
 129                                 RTE_CRYPTO_CIPHER_OP_DECRYPT;
 130         }
 131 }
 132
 133 void
 134 test_ipsec_td_prepare(const struct crypto_param *param1,
 135                       const struct crypto_param *param2,
 136                       const struct ipsec_test_flags *flags,
 137                       struct ipsec_test_data *td_array,
 138                       int nb_td)
 139
 140 {
 141         struct ipsec_test_data *td;
 142         int i;
 143
 144         memset(td_array, 0, nb_td * sizeof(*td));
 145
 146         for (i = 0; i < nb_td; i++) {
 147                 td = &td_array[i];
 148                 /* Copy template for packet & key fields */
 149                 memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
 150
 151                 /* Override fields based on param */
 152
 153                 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 154                         td->aead = true;
 155                 else
 156                         td->aead = false;
 157
 158                 td->xform.aead.aead.algo = param1->alg.aead;
 159                 td->xform.aead.aead.key.length = param1->key_length;
 160         }
 161
 162         RTE_SET_USED(flags);
 163         RTE_SET_USED(param2);
 164 }
 165
 166 void
 167 test_ipsec_td_update(struct ipsec_test_data td_inb[],
 168                      const struct ipsec_test_data td_outb[],
 169                      int nb_td,
 170                      const struct ipsec_test_flags *flags)
 171 {
 172         int i;
 173
 174         for (i = 0; i < nb_td; i++) {
 175                 memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 176                        td_outb[i].input_text.len);
 177                 td_inb[i].output_text.len = td_outb->input_text.len;
 178         }
 179
 180         RTE_SET_USED(flags);
 181 }
 182
 183 void
 184 test_ipsec_display_alg(const struct crypto_param *param1,
 185                        const struct crypto_param *param2)
 186 {
 187         if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 188                 printf("\t%s [%d]\n",
 189                        rte_crypto_aead_algorithm_strings[param1->alg.aead],
 190                        param1->key_length);
 191
 192         RTE_SET_USED(param2);
 193 }
 194
 195 static int
 196 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 197 {
 198         int len = 0;
 199
 200         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 201                 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 202                         if (td->ipsec_xform.tunnel.type ==
 203                                         RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 204                                 len += sizeof(struct rte_ipv4_hdr);
 205                         else
 206                                 len += sizeof(struct rte_ipv6_hdr);
 207                 }
 208         }
 209
 210         return len;
 211 }
 212
 213 static int
 214 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 215                      bool silent, const struct ipsec_test_flags *flags)
 216 {
 217         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 218         uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 219
 220         if (len != td->output_text.len) {
 221                 printf("Output length (%d) not matching with expected (%d)\n",
 222                         len, td->output_text.len);
 223                 return TEST_FAILED;
 224         }
 225
 226         skip = test_ipsec_tunnel_hdr_len_get(td);
 227
 228         len -= skip;
 229         output_text += skip;
 230
 231         if (memcmp(output_text, td->output_text.data + skip, len)) {
 232                 if (silent)
 233                         return TEST_FAILED;
 234
 235                 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
 236                         "output text not as expected\n");
 237
 238                 rte_hexdump(stdout, "expected", td->output_text.data + skip,
 239                             len);
 240                 rte_hexdump(stdout, "actual", output_text, len);
 241                 return TEST_FAILED;
 242         }
 243
 244         RTE_SET_USED(flags);
 245
 246         return TEST_SUCCESS;
 247 }
 248
 249 static int
 250 test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
 251                    struct ipsec_test_data *res_d)
 252 {
 253         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 254         uint32_t len = rte_pktmbuf_pkt_len(m);
 255
 256         memcpy(res_d, td, sizeof(*res_d));
 257         memcpy(res_d->input_text.data, output_text, len);
 258         res_d->input_text.len = len;
 259
 260         res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 261         if (res_d->aead) {
 262                 res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 263         } else {
 264                 printf("Only AEAD supported\n");
 265                 return TEST_SKIPPED;
 266         }
 267
 268         return TEST_SUCCESS;
 269 }
 270
 271 int
 272 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 273                         struct ipsec_test_data *res_d, bool silent,
 274                         const struct ipsec_test_flags *flags)
 275 {
 276         /*
 277          * In case of known vector tests & all inbound tests, res_d provided
 278          * would be NULL and output data need to be validated against expected.
 279          * For inbound, output_text would be plain packet and for outbound
 280          * output_text would IPsec packet. Validate by comparing against
 281          * known vectors.
 282          *
 283          * In case of combined mode tests, the output_text from outbound
 284          * operation (ie, IPsec packet) would need to be inbound processed to
 285          * obtain the plain text. Copy output_text to result data, 'res_d', so
 286          * that inbound processing can be done.
 287          */
 288
 289         if (res_d == NULL)
 290                 return test_ipsec_td_verify(m, td, silent, flags);
 291         else
 292                 return test_ipsec_res_d_prepare(m, td, res_d);
 293 }
 294
 295 int
 296 test_ipsec_status_check(struct rte_crypto_op *op,
 297                         const struct ipsec_test_flags *flags,
 298                         enum rte_security_ipsec_sa_direction dir)
 299 {
 300         int ret = TEST_SUCCESS;
 301
 302         if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
 303                 printf("Security op processing failed\n");
 304                 ret = TEST_FAILED;
 305         }
 306
 307         RTE_SET_USED(flags);
 308         RTE_SET_USED(dir);
 309
 310         return ret;
 311 }