1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_common.h>
6 #include <rte_cryptodev.h>
8 #include <rte_security.h>
11 #include "test_cryptodev_security_ipsec.h"
/*
 * Compare the IPsec options requested in ipsec_xform with the options the
 * device advertises in sec_cap->ipsec.options.
 *
 * Only one combination is treated as a mismatch: the option is set to 1 in
 * the xform while the capability reports 0. An option the device advertises
 * but the xform leaves at 0 passes every check below.
 *
 * NOTE(review): this listing omits lines of the function (return type, the
 * rest of the parameter list, braces and whatever follows each RTE_LOG), so
 * the value returned on a mismatch is not visible here - confirm against the
 * full file.
 */
14 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
15 const struct rte_security_capability *sec_cap,
18 /* Verify security capabilities */
/* Extended sequence numbers requested but not advertised. */
20 if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
22 RTE_LOG(INFO, USER1, "ESN is not supported\n");
/* UDP encapsulation requested but not advertised. */
26 if (ipsec_xform->options.udp_encap == 1 &&
27 sec_cap->ipsec.options.udp_encap == 0) {
29 RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
/* DSCP copy requested but not advertised. */
33 if (ipsec_xform->options.copy_dscp == 1 &&
34 sec_cap->ipsec.options.copy_dscp == 0) {
36 RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
/* Flow label copy requested but not advertised. */
40 if (ipsec_xform->options.copy_flabel == 1 &&
41 sec_cap->ipsec.options.copy_flabel == 0) {
43 RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
/*
 * NOTE(review): the option checked is copy_df, but the message below says
 * "DP bit" - presumably "DF bit" was meant; confirm and fix the log text.
 */
47 if (ipsec_xform->options.copy_df == 1 &&
48 sec_cap->ipsec.options.copy_df == 0) {
50 RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
/* TTL decrement requested but not advertised. */
54 if (ipsec_xform->options.dec_ttl == 1 &&
55 sec_cap->ipsec.options.dec_ttl == 0) {
57 RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
/* ECN handling requested but not advertised. */
61 if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
63 RTE_LOG(INFO, USER1, "ECN is not supported\n");
/* Per-SA statistics requested but not advertised. */
67 if (ipsec_xform->options.stats == 1 &&
68 sec_cap->ipsec.options.stats == 0) {
70 RTE_LOG(INFO, USER1, "Stats is not supported\n");
/*
 * Look for a crypto capability in sec_cap that matches the AEAD transform:
 * a symmetric entry with the same xform type and the same AEAD algorithm
 * whose key, digest, AAD and IV lengths are accepted by
 * rte_cryptodev_sym_capability_check_aead().
 *
 * NOTE(review): the listing omits the return type, the declaration and
 * initial value of j, and the statements that follow a successful or failed
 * match, so the return values are not visible here.
 */
78 test_ipsec_crypto_caps_aead_verify(
79 const struct rte_security_capability *sec_cap,
80 struct rte_crypto_sym_xform *aead)
82 const struct rte_cryptodev_symmetric_capability *sym_cap;
83 const struct rte_cryptodev_capabilities *crypto_cap;
/*
 * The walk has no length bound: it stops only at an entry whose op is
 * RTE_CRYPTO_OP_TYPE_UNDEFINED, so the capability array supplied by the
 * driver must end with such an entry or the loop reads past the array.
 */
86 while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
87 RTE_CRYPTO_OP_TYPE_UNDEFINED) {
/* Consider only symmetric entries for the same transform type and algorithm. */
88 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
89 crypto_cap->sym.xform_type == aead->type &&
90 crypto_cap->sym.aead.algo == aead->aead.algo) {
91 sym_cap = &crypto_cap->sym;
/* A result of 0 means all four lengths are accepted for this algorithm. */
92 if (rte_cryptodev_sym_capability_check_aead(sym_cap,
93 aead->aead.key.length,
94 aead->aead.digest_length,
95 aead->aead.aad_length,
96 aead->aead.iv.length) == 0)
/*
 * Derive an inbound test vector (td_in) from an outbound one (td_out):
 * copy the whole structure, swap input and output text, set the SA
 * direction to ingress and switch the crypto operations to decrypt/verify.
 *
 * NOTE(review): the listing omits lines around the xform updates (presumably
 * the branch selecting between the AEAD and the cipher+auth chain variants)
 * and the return type; confirm against the full file.
 */
105 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
106 struct ipsec_test_data *td_in)
/*
 * memcpy requires non-overlapping objects, so td_in and td_out must be
 * distinct; the swaps below also read from td_out after td_in was written.
 */
108 memcpy(td_in, td_out, sizeof(*td_in));
110 /* Populate output text of td_in with input text of td_out */
/*
 * The copy length comes from the vector's own len field and no check against
 * the capacity of the data buffer is visible here - assumes every test
 * vector keeps len within the size of data; verify against the header.
 */
111 memcpy(td_in->output_text.data, td_out->input_text.data,
112 td_out->input_text.len);
113 td_in->output_text.len = td_out->input_text.len;
115 /* Populate input text of td_in with output text of td_out */
/* Same assumption as above: output_text.len must fit the data buffer. */
116 memcpy(td_in->input_text.data, td_out->output_text.data,
117 td_out->output_text.len);
118 td_in->input_text.len = td_out->output_text.len;
/* The derived vector describes the receive side of the same SA. */
120 td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
/* AEAD transform: inbound processing decrypts. */
123 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
/* Chained transform: inbound processing verifies the tag and decrypts. */
125 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
126 td_in->xform.chain.cipher.cipher.op =
127 RTE_CRYPTO_CIPHER_OP_DECRYPT;
/*
 * Compute the length of the outer tunnel header for a test vector.
 * Only an egress SA in tunnel mode adds to the length: the size of
 * struct rte_ipv4_hdr when the tunnel type is RTE_SECURITY_IPSEC_TUNNEL_IPV4,
 * and the size of struct rte_ipv6_hdr in the other visible addition.
 *
 * NOTE(review): the listing omits the return type, the declaration and
 * initial value of len (presumably 0), the line between the two additions
 * (presumably an else) and the return statement - confirm.
 */
132 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
136 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
137 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
138 if (td->ipsec_xform.tunnel.type ==
139 RTE_SECURITY_IPSEC_TUNNEL_IPV4)
140 len += sizeof(struct rte_ipv4_hdr);
142 len += sizeof(struct rte_ipv6_hdr);
/*
 * Compare the packet held in mbuf m with the expected output of test
 * vector td. The packet length must equal td->output_text.len, and the
 * payload is compared with td->output_text.data starting skip bytes in,
 * where skip is the tunnel header length for this vector. On a mismatch the
 * expected and actual bytes are hex-dumped to stdout.
 *
 * NOTE(review): the listing omits the return type, the last parameter, the
 * return statements and the lines between the skip computation and the
 * memcmp; confirm against the full file.
 */
150 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
/*
 * rte_pktmbuf_mtod() points into the first segment while
 * rte_pktmbuf_pkt_len() is the length of the whole packet, so comparing len
 * bytes from this pointer assumes m is a single-segment mbuf - confirm.
 */
153 uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
154 uint32_t skip, len = rte_pktmbuf_pkt_len(m);
/* Reject any length difference before the bytes are compared. */
156 if (len != td->output_text.len) {
/* NOTE(review): len is uint32_t but is printed with %d. */
157 printf("Output length (%d) not matching with expected (%d)\n",
158 len, td->output_text.len);
/* Length of the outer tunnel header for this vector. */
162 skip = test_ipsec_tunnel_hdr_len_get(td);
/*
 * The expected data is read from offset skip for len bytes. The lines
 * between the skip computation and this call are not in the listing;
 * presumably they reduce len by skip and advance output_text, otherwise
 * this would read skip bytes past the expected data - verify.
 */
167 if (memcmp(output_text, td->output_text.data + skip, len)) {
171 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
172 "output text not as expected\n");
/* Dump both sides over the same range that was compared. */
174 rte_hexdump(stdout, "expected", td->output_text.data + skip,
176 rte_hexdump(stdout, "actual", output_text, len);
/*
 * Post-process a packet after the security operation. The visible path
 * hands the mbuf and the test vector to test_ipsec_td_verify() and returns
 * its result.
 *
 * NOTE(review): the listing omits the return type, the opening and closing
 * lines of the comment below, the condition guarding the return and any
 * handling of a non-NULL res_d; confirm against the full file.
 */
184 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
185 struct ipsec_test_data *res_d, bool silent)
188 * In case of known vector tests & all inbound tests, res_d provided
189 * would be NULL and output data need to be validated against expected.
190 * For inbound, output_text would be plain packet and for outbound
191 * output_text would IPsec packet. Validate by comparing against
195 return test_ipsec_td_verify(m, td, silent);
199 test_ipsec_status_check(struct rte_crypto_op *op,
200 enum rte_security_ipsec_sa_direction dir)
202 int ret = TEST_SUCCESS;
204 if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
205 printf("Security op processing failed\n");