1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_common.h>
6 #include <rte_cryptodev.h>
9 #include <rte_security.h>
13 #include "test_cryptodev_security_ipsec.h"
17 extern struct ipsec_test_data pkt_aes_256_gcm;
20 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
21 const struct rte_security_capability *sec_cap,
24 /* Verify security capabilities */
26 if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
28 RTE_LOG(INFO, USER1, "ESN is not supported\n");
32 if (ipsec_xform->options.udp_encap == 1 &&
33 sec_cap->ipsec.options.udp_encap == 0) {
35 RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
39 if (ipsec_xform->options.udp_ports_verify == 1 &&
40 sec_cap->ipsec.options.udp_ports_verify == 0) {
42 RTE_LOG(INFO, USER1, "UDP encapsulation ports "
43 "verification is not supported\n");
47 if (ipsec_xform->options.copy_dscp == 1 &&
48 sec_cap->ipsec.options.copy_dscp == 0) {
50 RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
54 if (ipsec_xform->options.copy_flabel == 1 &&
55 sec_cap->ipsec.options.copy_flabel == 0) {
57 RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
61 if (ipsec_xform->options.copy_df == 1 &&
62 sec_cap->ipsec.options.copy_df == 0) {
64 RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
68 if (ipsec_xform->options.dec_ttl == 1 &&
69 sec_cap->ipsec.options.dec_ttl == 0) {
71 RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
75 if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
77 RTE_LOG(INFO, USER1, "ECN is not supported\n");
81 if (ipsec_xform->options.stats == 1 &&
82 sec_cap->ipsec.options.stats == 0) {
84 RTE_LOG(INFO, USER1, "Stats is not supported\n");
88 if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
89 (ipsec_xform->options.iv_gen_disable == 1) &&
90 (sec_cap->ipsec.options.iv_gen_disable != 1)) {
93 "Application provided IV is not supported\n");
97 if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
98 (ipsec_xform->options.tunnel_hdr_verify >
99 sec_cap->ipsec.options.tunnel_hdr_verify)) {
102 "Tunnel header verify is not supported\n");
110 test_ipsec_crypto_caps_aead_verify(
111 const struct rte_security_capability *sec_cap,
112 struct rte_crypto_sym_xform *aead)
114 const struct rte_cryptodev_symmetric_capability *sym_cap;
115 const struct rte_cryptodev_capabilities *crypto_cap;
118 while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
119 RTE_CRYPTO_OP_TYPE_UNDEFINED) {
120 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
121 crypto_cap->sym.xform_type == aead->type &&
122 crypto_cap->sym.aead.algo == aead->aead.algo) {
123 sym_cap = &crypto_cap->sym;
124 if (rte_cryptodev_sym_capability_check_aead(sym_cap,
125 aead->aead.key.length,
126 aead->aead.digest_length,
127 aead->aead.aad_length,
128 aead->aead.iv.length) == 0)
137 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
138 struct ipsec_test_data *td_in)
140 memcpy(td_in, td_out, sizeof(*td_in));
142 /* Populate output text of td_in with input text of td_out */
143 memcpy(td_in->output_text.data, td_out->input_text.data,
144 td_out->input_text.len);
145 td_in->output_text.len = td_out->input_text.len;
147 /* Populate input text of td_in with output text of td_out */
148 memcpy(td_in->input_text.data, td_out->output_text.data,
149 td_out->output_text.len);
150 td_in->input_text.len = td_out->output_text.len;
152 td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
155 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
157 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
158 td_in->xform.chain.cipher.cipher.op =
159 RTE_CRYPTO_CIPHER_OP_DECRYPT;
164 test_ipsec_td_prepare(const struct crypto_param *param1,
165 const struct crypto_param *param2,
166 const struct ipsec_test_flags *flags,
167 struct ipsec_test_data *td_array,
171 struct ipsec_test_data *td;
174 memset(td_array, 0, nb_td * sizeof(*td));
176 for (i = 0; i < nb_td; i++) {
178 /* Copy template for packet & key fields */
179 memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
181 /* Override fields based on param */
183 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
188 td->xform.aead.aead.algo = param1->alg.aead;
189 td->xform.aead.aead.key.length = param1->key_length;
192 td->ipsec_xform.options.iv_gen_disable = 0;
194 if (flags->sa_expiry_pkts_soft)
195 td->ipsec_xform.life.packets_soft_limit =
196 IPSEC_TEST_PACKETS_MAX - 1;
199 RTE_SET_USED(param2);
203 test_ipsec_td_update(struct ipsec_test_data td_inb[],
204 const struct ipsec_test_data td_outb[],
206 const struct ipsec_test_flags *flags)
210 for (i = 0; i < nb_td; i++) {
211 memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
212 td_outb[i].input_text.len);
213 td_inb[i].output_text.len = td_outb->input_text.len;
215 if (flags->icv_corrupt) {
216 int icv_pos = td_inb[i].input_text.len - 4;
217 td_inb[i].input_text.data[icv_pos] += 1;
220 if (flags->sa_expiry_pkts_hard)
221 td_inb[i].ipsec_xform.life.packets_hard_limit =
222 IPSEC_TEST_PACKETS_MAX - 1;
224 if (flags->udp_encap)
225 td_inb[i].ipsec_xform.options.udp_encap = 1;
227 if (flags->udp_ports_verify)
228 td_inb[i].ipsec_xform.options.udp_ports_verify = 1;
230 td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
231 flags->tunnel_hdr_verify;
233 /* Clear outbound specific flags */
234 td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
239 test_ipsec_display_alg(const struct crypto_param *param1,
240 const struct crypto_param *param2)
242 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
243 printf("\t%s [%d]\n",
244 rte_crypto_aead_algorithm_strings[param1->alg.aead],
247 RTE_SET_USED(param2);
251 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
255 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
256 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
257 if (td->ipsec_xform.tunnel.type ==
258 RTE_SECURITY_IPSEC_TUNNEL_IPV4)
259 len += sizeof(struct rte_ipv4_hdr);
261 len += sizeof(struct rte_ipv6_hdr);
269 test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
271 static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
272 uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
273 int i, iv_pos, iv_len;
277 iv_len = td->xform.aead.aead.iv.length - td->salt.len;
279 iv_len = td->xform.chain.cipher.cipher.iv.length;
281 iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
282 output_text += iv_pos;
284 TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
286 /* Compare against previous values */
287 for (i = 0; i < index; i++) {
288 iv_tmp = &iv_queue[i * IV_LEN_MAX];
290 if (memcmp(output_text, iv_tmp, iv_len) == 0) {
291 printf("IV repeated");
296 /* Save IV for future comparisons */
298 iv_tmp = &iv_queue[index * IV_LEN_MAX];
299 memcpy(iv_tmp, output_text, iv_len);
302 if (index == IPSEC_TEST_PACKETS_MAX)
309 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
310 bool silent, const struct ipsec_test_flags *flags)
312 uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
313 uint32_t skip, len = rte_pktmbuf_pkt_len(m);
315 /* For tests with status as error for test success, skip verification */
316 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
317 (flags->icv_corrupt ||
318 flags->sa_expiry_pkts_hard ||
319 flags->tunnel_hdr_verify))
322 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
324 const struct rte_ipv4_hdr *iph4;
325 const struct rte_ipv6_hdr *iph6;
327 if (td->ipsec_xform.tunnel.type ==
328 RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
329 iph4 = (const struct rte_ipv4_hdr *)output_text;
330 if (iph4->next_proto_id != IPPROTO_UDP) {
331 printf("UDP header is not found\n");
335 iph6 = (const struct rte_ipv6_hdr *)output_text;
336 if (iph6->proto != IPPROTO_UDP) {
337 printf("UDP header is not found\n");
342 len -= sizeof(struct rte_udp_hdr);
343 output_text += sizeof(struct rte_udp_hdr);
346 if (len != td->output_text.len) {
347 printf("Output length (%d) not matching with expected (%d)\n",
348 len, td->output_text.len);
352 skip = test_ipsec_tunnel_hdr_len_get(td);
357 if (memcmp(output_text, td->output_text.data + skip, len)) {
361 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
362 "output text not as expected\n");
364 rte_hexdump(stdout, "expected", td->output_text.data + skip,
366 rte_hexdump(stdout, "actual", output_text, len);
374 test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
375 struct ipsec_test_data *res_d)
377 uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
378 uint32_t len = rte_pktmbuf_pkt_len(m);
380 memcpy(res_d, td, sizeof(*res_d));
381 memcpy(res_d->input_text.data, output_text, len);
382 res_d->input_text.len = len;
384 res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
386 res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
388 printf("Only AEAD supported\n");
396 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
397 struct ipsec_test_data *res_d, bool silent,
398 const struct ipsec_test_flags *flags)
403 td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
404 ret = test_ipsec_iv_verify_push(m, td);
405 if (ret != TEST_SUCCESS)
410 * In case of known vector tests & all inbound tests, res_d provided
411 * would be NULL and output data need to be validated against expected.
412 * For inbound, output_text would be plain packet and for outbound
413 * output_text would IPsec packet. Validate by comparing against
416 * In case of combined mode tests, the output_text from outbound
417 * operation (ie, IPsec packet) would need to be inbound processed to
418 * obtain the plain text. Copy output_text to result data, 'res_d', so
419 * that inbound processing can be done.
423 return test_ipsec_td_verify(m, td, silent, flags);
425 return test_ipsec_res_d_prepare(m, td, res_d);
429 test_ipsec_status_check(struct rte_crypto_op *op,
430 const struct ipsec_test_flags *flags,
431 enum rte_security_ipsec_sa_direction dir,
434 int ret = TEST_SUCCESS;
436 if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
437 flags->sa_expiry_pkts_hard &&
438 pkt_num == IPSEC_TEST_PACKETS_MAX) {
439 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
440 printf("SA hard expiry (pkts) test failed\n");
447 if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
448 flags->tunnel_hdr_verify) {
449 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
450 printf("Tunnel header verify test case failed\n");
457 if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
458 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
459 printf("ICV corruption test case failed\n");
463 if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
464 printf("Security op processing failed [pkt_num: %d]\n",
470 if (flags->sa_expiry_pkts_soft && pkt_num == IPSEC_TEST_PACKETS_MAX) {
471 if (!(op->aux_flags &
472 RTE_CRYPTO_OP_AUX_FLAGS_IPSEC_SOFT_EXPIRY)) {
473 printf("SA soft expiry (pkts) test failed\n");