X-Git-Url: http://git.droids-corp.org/?p=dpdk.git;a=blobdiff_plain;f=examples%2Ffips_validation%2Fmain.c;h=08a1b9c6dcc3bb2c5dbd809642a6a01d8bb448ff;hp=8135340689379c4d31fba15476c904eb428d83f3;hb=d659460a17afa28d4c7a37d492df47ab3ac542c7;hpb=c9030ae382eb942485dfa4e7657b4953bc77b2a9 diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c index 8135340689..08a1b9c6dc 100644 --- a/examples/fips_validation/main.c +++ b/examples/fips_validation/main.c @@ -315,8 +315,21 @@ cryptodev_fips_validate_parse_args(int argc, char **argv) } } - if (env.req_path == NULL || env.rsp_path == NULL || - env.dev_id == UINT32_MAX) { + if (env.dev_id == UINT32_MAX) { + RTE_LOG(ERR, USER1, "No device specified\n"); + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + + if ((env.req_path == NULL && env.rsp_path != NULL) || + (env.req_path != NULL && env.rsp_path == NULL)) { + RTE_LOG(ERR, USER1, "Missing req path or rsp path\n"); + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + + if (env.req_path == NULL && env.self_test == 0) { + RTE_LOG(ERR, USER1, "--self-test must be set if req path is missing\n"); cryptodev_fips_validate_usage(prgname); return -EINVAL; } @@ -348,6 +361,11 @@ main(int argc, char *argv[]) return -1; } + if (env.req_path == NULL || env.rsp_path == NULL) { + printf("No request, exit.\n"); + goto exit; + } + if (!env.is_path_folder) { printf("Processing file %s... ", env.req_path); @@ -512,6 +530,7 @@ static int prepare_auth_op(void) { struct rte_crypto_sym_op *sym = env.op->sym; + uint8_t *pt; __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); rte_pktmbuf_reset(env.mbuf); @@ -519,52 +538,25 @@ prepare_auth_op(void) sym->m_src = env.mbuf; sym->auth.data.offset = 0; - if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - uint8_t *pt; - - if (vec.pt.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "PT len %u\n", vec.pt.len); - return -EPERM; - } - - pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len + - vec.cipher_auth.digest.len); - - if (!pt) { - RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", - -ENOMEM); - return -ENOMEM; - } - - memcpy(pt, vec.pt.val, vec.pt.len); - sym->auth.data.length = vec.pt.len; - sym->auth.digest.data = pt + vec.pt.len; - sym->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset( - env.mbuf, vec.pt.len); - - } else { - uint8_t *ct; + pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len + + vec.cipher_auth.digest.len); - if (vec.ct.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "CT len %u\n", vec.ct.len); - return -EPERM; - } + if (!pt) { + RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", + -ENOMEM); + return -ENOMEM; + } - ct = (uint8_t *)rte_pktmbuf_append(env.mbuf, - vec.ct.len + vec.cipher_auth.digest.len); + sym->auth.data.length = vec.pt.len; + sym->auth.digest.data = pt + vec.pt.len; + sym->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset( + env.mbuf, vec.pt.len); - if (!ct) { - RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", - -ENOMEM); - return -ENOMEM; - } + memcpy(pt, vec.pt.val, vec.pt.len); - memcpy(ct, vec.ct.val, vec.ct.len); - sym->auth.data.length = vec.ct.len; - sym->auth.digest.data = vec.cipher_auth.digest.val; - sym->auth.digest.phys_addr = rte_malloc_virt2iova( - sym->auth.digest.data); - } + if (info.op == FIPS_TEST_DEC_AUTH_VERIF) + memcpy(pt + vec.pt.len, vec.cipher_auth.digest.val, + vec.cipher_auth.digest.len); rte_crypto_op_attach_sym_session(env.op, env.sess); @@ -649,16 +641,24 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform) xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; - cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC; + if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC) + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC; + else + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB; + cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? RTE_CRYPTO_CIPHER_OP_ENCRYPT : RTE_CRYPTO_CIPHER_OP_DECRYPT; cipher_xform->key.data = vec.cipher_auth.key.val; cipher_xform->key.length = vec.cipher_auth.key.len; - cipher_xform->iv.length = vec.iv.len; - cipher_xform->iv.offset = IV_OFF; - - cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC; + if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + } else { + cipher_xform->iv.length = 0; + cipher_xform->iv.offset = 0; + } + cap_idx.algo.cipher = cipher_xform->algo; cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); @@ -689,16 +689,24 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform) xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; - cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC; + if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC) + cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC; + else + cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB; cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? RTE_CRYPTO_CIPHER_OP_ENCRYPT : RTE_CRYPTO_CIPHER_OP_DECRYPT; cipher_xform->key.data = vec.cipher_auth.key.val; cipher_xform->key.length = vec.cipher_auth.key.len; - cipher_xform->iv.length = vec.iv.len; - cipher_xform->iv.offset = IV_OFF; - cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC; + if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) { + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + } else { + cipher_xform->iv.length = 0; + cipher_xform->iv.offset = 0; + } + cap_idx.algo.cipher = cipher_xform->algo; cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); @@ -922,6 +930,46 @@ prepare_sha_xform(struct rte_crypto_sym_xform *xform) return 0; } +static int +prepare_xts_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher; + + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_XTS; + cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_CIPHER_OP_ENCRYPT : + RTE_CRYPTO_CIPHER_OP_DECRYPT; + cipher_xform->key.data = vec.cipher_auth.key.val; + cipher_xform->key.length = vec.cipher_auth.key.len; + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + + cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_XTS; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_cipher(cap, + cipher_xform->key.length, + cipher_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, cipher_xform->key.length, + cipher_xform->iv.length); + return -EPERM; + } + + return 0; +} + static void get_writeback_data(struct fips_val *val) { @@ -1037,9 +1085,13 @@ fips_mct_tdes_test(void) uint8_t prev_in[TDES_BLOCK_SIZE] = {0}; uint32_t i, j, k; int ret; + int test_mode = info.interim_info.tdes_data.test_mode; for (i = 0; i < TDES_EXTERN_ITER; i++) { - if (i != 0) + if (i == 0) { + if (!(strstr(info.vec[0], "COUNT"))) + fprintf(info.fp_wr, "%s%u\n", "COUNT = ", 0); + } else update_info_vec(i); fips_test_write_one_case(); @@ -1051,7 +1103,6 @@ fips_mct_tdes_test(void) fprintf(info.fp_wr, "Bypass\n"); return 0; } - return ret; } @@ -1064,25 +1115,50 @@ fips_mct_tdes_test(void) memcpy(prev_out, val.val, TDES_BLOCK_SIZE); if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.pt.val, vec.iv.val, - TDES_BLOCK_SIZE); - memcpy(vec.iv.val, val.val, - TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.pt.val, vec.iv.val, + TDES_BLOCK_SIZE); + memcpy(vec.iv.val, val.val, + TDES_BLOCK_SIZE); + } + } else { - memcpy(vec.iv.val, vec.ct.val, - TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, - TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, vec.ct.val, + TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } } continue; } if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); - memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, val.val, + TDES_BLOCK_SIZE); + memcpy(vec.pt.val, prev_out, + TDES_BLOCK_SIZE); + } } else { - memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, vec.ct.val, + TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } } if (j == TDES_INTERN_ITER - 1) @@ -1141,17 +1217,99 @@ fips_mct_tdes_test(void) val_key.val[k] : (val_key.val[k] ^ 0x1); if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); - memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); + memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + } } else { - memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + } } } return 0; } +static int +fips_mct_aes_ecb_test(void) +{ +#define AES_BLOCK_SIZE 16 +#define AES_EXTERN_ITER 100 +#define AES_INTERN_ITER 1000 + struct fips_val val, val_key; + uint8_t prev_out[AES_BLOCK_SIZE] = {0}; + uint32_t i, j, k; + int ret; + + for (i = 0; i < AES_EXTERN_ITER; i++) { + if (i != 0) + update_info_vec(i); + + fips_test_write_one_case(); + + for (j = 0; j < AES_INTERN_ITER; j++) { + ret = fips_run_test(); + if (ret < 0) { + if (ret == -EPERM) { + fprintf(info.fp_wr, "Bypass\n"); + return 0; + } + + return ret; + } + + get_writeback_data(&val); + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) + memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE); + else + memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE); + + if (j == AES_INTERN_ITER - 1) + continue; + + memcpy(prev_out, val.val, AES_BLOCK_SIZE); + } + + info.parse_writeback(&val); + fprintf(info.fp_wr, "\n"); + + if (i == AES_EXTERN_ITER - 1) + continue; + + /** update key */ + memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key)); + for (k = 0; k < vec.cipher_auth.key.len; k++) { + switch (vec.cipher_auth.key.len) { + case 16: + val_key.val[k] ^= val.val[k]; + break; + case 24: + if (k < 8) + val_key.val[k] ^= prev_out[k + 8]; + else + val_key.val[k] ^= val.val[k - 8]; + break; + case 32: + if (k < 16) + val_key.val[k] ^= prev_out[k]; + else + val_key.val[k] ^= val.val[k - 16]; + break; + default: + return -1; + } + } + } + + return 0; +} static int fips_mct_aes_test(void) { @@ -1164,6 +1322,9 @@ fips_mct_aes_test(void) uint32_t i, j, k; int ret; + if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB) + return fips_mct_aes_ecb_test(); + for (i = 0; i < AES_EXTERN_ITER; i++) { if (i != 0) update_info_vec(i); @@ -1386,7 +1547,23 @@ init_test_ops(void) else test_ops.test = fips_generic_test; break; + case FIPS_TEST_ALGO_AES_XTS: + test_ops.prepare_op = prepare_cipher_op; + test_ops.prepare_xform = prepare_xts_xform; + test_ops.test = fips_generic_test; + break; default: + if (strstr(info.file_name, "TECB") || + strstr(info.file_name, "TCBC")) { + info.algo = FIPS_TEST_ALGO_TDES; + test_ops.prepare_op = prepare_cipher_op; + test_ops.prepare_xform = prepare_tdes_xform; + if (info.interim_info.tdes_data.test_type == TDES_MCT) + test_ops.test = fips_mct_tdes_test; + else + test_ops.test = fips_generic_test; + break; + } return -1; }