app/test/test_cryptodev_security_ipsec.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(C) 2021 Marvell.
   3  */
   4
   5 #include <rte_common.h>
   6 #include <rte_cryptodev.h>
   7 #include <rte_esp.h>
   8 #include <rte_ip.h>
   9 #include <rte_security.h>
  10 #include <rte_udp.h>
  11
  12 #include "test.h"
  13 #include "test_cryptodev_security_ipsec.h"
  14
  15 #define IV_LEN_MAX 16
  16
  17 extern struct ipsec_test_data pkt_aes_256_gcm;
  18
  19 int
  20 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
  21                            const struct rte_security_capability *sec_cap,
  22                            bool silent)
  23 {
  24         /* Verify security capabilities */
  25
  26         if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
  27                 if (!silent)
  28                         RTE_LOG(INFO, USER1, "ESN is not supported\n");
  29                 return -ENOTSUP;
  30         }
  31
  32         if (ipsec_xform->options.udp_encap == 1 &&
  33             sec_cap->ipsec.options.udp_encap == 0) {
  34                 if (!silent)
  35                         RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
  36                 return -ENOTSUP;
  37         }
  38
  39         if (ipsec_xform->options.copy_dscp == 1 &&
  40             sec_cap->ipsec.options.copy_dscp == 0) {
  41                 if (!silent)
  42                         RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
  43                 return -ENOTSUP;
  44         }
  45
  46         if (ipsec_xform->options.copy_flabel == 1 &&
  47             sec_cap->ipsec.options.copy_flabel == 0) {
  48                 if (!silent)
  49                         RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
  50                 return -ENOTSUP;
  51         }
  52
  53         if (ipsec_xform->options.copy_df == 1 &&
  54             sec_cap->ipsec.options.copy_df == 0) {
  55                 if (!silent)
  56                         RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
  57                 return -ENOTSUP;
  58         }
  59
  60         if (ipsec_xform->options.dec_ttl == 1 &&
  61             sec_cap->ipsec.options.dec_ttl == 0) {
  62                 if (!silent)
  63                         RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
  64                 return -ENOTSUP;
  65         }
  66
  67         if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
  68                 if (!silent)
  69                         RTE_LOG(INFO, USER1, "ECN is not supported\n");
  70                 return -ENOTSUP;
  71         }
  72
  73         if (ipsec_xform->options.stats == 1 &&
  74             sec_cap->ipsec.options.stats == 0) {
  75                 if (!silent)
  76                         RTE_LOG(INFO, USER1, "Stats is not supported\n");
  77                 return -ENOTSUP;
  78         }
  79
  80         return 0;
  81 }
  82
  83 int
  84 test_ipsec_crypto_caps_aead_verify(
  85                 const struct rte_security_capability *sec_cap,
  86                 struct rte_crypto_sym_xform *aead)
  87 {
  88         const struct rte_cryptodev_symmetric_capability *sym_cap;
  89         const struct rte_cryptodev_capabilities *crypto_cap;
  90         int j = 0;
  91
  92         while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
  93                         RTE_CRYPTO_OP_TYPE_UNDEFINED) {
  94                 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
  95                                 crypto_cap->sym.xform_type == aead->type &&
  96                                 crypto_cap->sym.aead.algo == aead->aead.algo) {
  97                         sym_cap = &crypto_cap->sym;
  98                         if (rte_cryptodev_sym_capability_check_aead(sym_cap,
  99                                         aead->aead.key.length,
 100                                         aead->aead.digest_length,
 101                                         aead->aead.aad_length,
 102                                         aead->aead.iv.length) == 0)
 103                                 return 0;
 104                 }
 105         }
 106
 107         return -ENOTSUP;
 108 }
 109
 110 void
 111 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 112                           struct ipsec_test_data *td_in)
 113 {
 114         memcpy(td_in, td_out, sizeof(*td_in));
 115
 116         /* Populate output text of td_in with input text of td_out */
 117         memcpy(td_in->output_text.data, td_out->input_text.data,
 118                td_out->input_text.len);
 119         td_in->output_text.len = td_out->input_text.len;
 120
 121         /* Populate input text of td_in with output text of td_out */
 122         memcpy(td_in->input_text.data, td_out->output_text.data,
 123                td_out->output_text.len);
 124         td_in->input_text.len = td_out->output_text.len;
 125
 126         td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 127
 128         if (td_in->aead) {
 129                 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 130         } else {
 131                 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
 132                 td_in->xform.chain.cipher.cipher.op =
 133                                 RTE_CRYPTO_CIPHER_OP_DECRYPT;
 134         }
 135 }
 136
 137 void
 138 test_ipsec_td_prepare(const struct crypto_param *param1,
 139                       const struct crypto_param *param2,
 140                       const struct ipsec_test_flags *flags,
 141                       struct ipsec_test_data *td_array,
 142                       int nb_td)
 143
 144 {
 145         struct ipsec_test_data *td;
 146         int i;
 147
 148         memset(td_array, 0, nb_td * sizeof(*td));
 149
 150         for (i = 0; i < nb_td; i++) {
 151                 td = &td_array[i];
 152                 /* Copy template for packet & key fields */
 153                 memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
 154
 155                 /* Override fields based on param */
 156
 157                 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 158                         td->aead = true;
 159                 else
 160                         td->aead = false;
 161
 162                 td->xform.aead.aead.algo = param1->alg.aead;
 163                 td->xform.aead.aead.key.length = param1->key_length;
 164         }
 165
 166         RTE_SET_USED(flags);
 167         RTE_SET_USED(param2);
 168 }
 169
 170 void
 171 test_ipsec_td_update(struct ipsec_test_data td_inb[],
 172                      const struct ipsec_test_data td_outb[],
 173                      int nb_td,
 174                      const struct ipsec_test_flags *flags)
 175 {
 176         int i;
 177
 178         for (i = 0; i < nb_td; i++) {
 179                 memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 180                        td_outb[i].input_text.len);
 181                 td_inb[i].output_text.len = td_outb->input_text.len;
 182
 183                 if (flags->icv_corrupt) {
 184                         int icv_pos = td_inb[i].input_text.len - 4;
 185                         td_inb[i].input_text.data[icv_pos] += 1;
 186                 }
 187
 188                 if (flags->udp_encap)
 189                         td_inb[i].ipsec_xform.options.udp_encap = 1;
 190         }
 191 }
 192
 193 void
 194 test_ipsec_display_alg(const struct crypto_param *param1,
 195                        const struct crypto_param *param2)
 196 {
 197         if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 198                 printf("\t%s [%d]\n",
 199                        rte_crypto_aead_algorithm_strings[param1->alg.aead],
 200                        param1->key_length);
 201
 202         RTE_SET_USED(param2);
 203 }
 204
 205 static int
 206 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 207 {
 208         int len = 0;
 209
 210         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 211                 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 212                         if (td->ipsec_xform.tunnel.type ==
 213                                         RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 214                                 len += sizeof(struct rte_ipv4_hdr);
 215                         else
 216                                 len += sizeof(struct rte_ipv6_hdr);
 217                 }
 218         }
 219
 220         return len;
 221 }
 222
 223 static int
 224 test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
 225 {
 226         static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
 227         uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 228         int i, iv_pos, iv_len;
 229         static int index;
 230
 231         if (td->aead)
 232                 iv_len = td->xform.aead.aead.iv.length - td->salt.len;
 233         else
 234                 iv_len = td->xform.chain.cipher.cipher.iv.length;
 235
 236         iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
 237         output_text += iv_pos;
 238
 239         TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
 240
 241         /* Compare against previous values */
 242         for (i = 0; i < index; i++) {
 243                 iv_tmp = &iv_queue[i * IV_LEN_MAX];
 244
 245                 if (memcmp(output_text, iv_tmp, iv_len) == 0) {
 246                         printf("IV repeated");
 247                         return TEST_FAILED;
 248                 }
 249         }
 250
 251         /* Save IV for future comparisons */
 252
 253         iv_tmp = &iv_queue[index * IV_LEN_MAX];
 254         memcpy(iv_tmp, output_text, iv_len);
 255         index++;
 256
 257         if (index == IPSEC_TEST_PACKETS_MAX)
 258                 index = 0;
 259
 260         return TEST_SUCCESS;
 261 }
 262
 263 static int
 264 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 265                      bool silent, const struct ipsec_test_flags *flags)
 266 {
 267         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 268         uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 269
 270         /* For negative tests, no need to do verification */
 271         if (flags->icv_corrupt &&
 272             td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 273                 return TEST_SUCCESS;
 274
 275         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
 276            flags->udp_encap) {
 277                 const struct rte_ipv4_hdr *iph4;
 278                 const struct rte_ipv6_hdr *iph6;
 279
 280                 if (td->ipsec_xform.tunnel.type ==
 281                                 RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 282                         iph4 = (const struct rte_ipv4_hdr *)output_text;
 283                         if (iph4->next_proto_id != IPPROTO_UDP) {
 284                                 printf("UDP header is not found\n");
 285                                 return TEST_FAILED;
 286                         }
 287                 } else {
 288                         iph6 = (const struct rte_ipv6_hdr *)output_text;
 289                         if (iph6->proto != IPPROTO_UDP) {
 290                                 printf("UDP header is not found\n");
 291                                 return TEST_FAILED;
 292                         }
 293                 }
 294
 295                 len -= sizeof(struct rte_udp_hdr);
 296                 output_text += sizeof(struct rte_udp_hdr);
 297         }
 298
 299         if (len != td->output_text.len) {
 300                 printf("Output length (%d) not matching with expected (%d)\n",
 301                         len, td->output_text.len);
 302                 return TEST_FAILED;
 303         }
 304
 305         skip = test_ipsec_tunnel_hdr_len_get(td);
 306
 307         len -= skip;
 308         output_text += skip;
 309
 310         if (memcmp(output_text, td->output_text.data + skip, len)) {
 311                 if (silent)
 312                         return TEST_FAILED;
 313
 314                 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
 315                         "output text not as expected\n");
 316
 317                 rte_hexdump(stdout, "expected", td->output_text.data + skip,
 318                             len);
 319                 rte_hexdump(stdout, "actual", output_text, len);
 320                 return TEST_FAILED;
 321         }
 322
 323         return TEST_SUCCESS;
 324 }
 325
 326 static int
 327 test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
 328                    struct ipsec_test_data *res_d)
 329 {
 330         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 331         uint32_t len = rte_pktmbuf_pkt_len(m);
 332
 333         memcpy(res_d, td, sizeof(*res_d));
 334         memcpy(res_d->input_text.data, output_text, len);
 335         res_d->input_text.len = len;
 336
 337         res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 338         if (res_d->aead) {
 339                 res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 340         } else {
 341                 printf("Only AEAD supported\n");
 342                 return TEST_SKIPPED;
 343         }
 344
 345         return TEST_SUCCESS;
 346 }
 347
 348 int
 349 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 350                         struct ipsec_test_data *res_d, bool silent,
 351                         const struct ipsec_test_flags *flags)
 352 {
 353         int ret;
 354
 355         if (flags->iv_gen &&
 356             td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 357                 ret = test_ipsec_iv_verify_push(m, td);
 358                 if (ret != TEST_SUCCESS)
 359                         return ret;
 360         }
 361
 362         /*
 363          * In case of known vector tests & all inbound tests, res_d provided
 364          * would be NULL and output data need to be validated against expected.
 365          * For inbound, output_text would be plain packet and for outbound
 366          * output_text would IPsec packet. Validate by comparing against
 367          * known vectors.
 368          *
 369          * In case of combined mode tests, the output_text from outbound
 370          * operation (ie, IPsec packet) would need to be inbound processed to
 371          * obtain the plain text. Copy output_text to result data, 'res_d', so
 372          * that inbound processing can be done.
 373          */
 374
 375         if (res_d == NULL)
 376                 return test_ipsec_td_verify(m, td, silent, flags);
 377         else
 378                 return test_ipsec_res_d_prepare(m, td, res_d);
 379 }
 380
 381 int
 382 test_ipsec_status_check(struct rte_crypto_op *op,
 383                         const struct ipsec_test_flags *flags,
 384                         enum rte_security_ipsec_sa_direction dir)
 385 {
 386         int ret = TEST_SUCCESS;
 387
 388         if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
 389                 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
 390                         printf("ICV corruption test case failed\n");
 391                         ret = TEST_FAILED;
 392                 }
 393         } else {
 394                 if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
 395                         printf("Security op processing failed\n");
 396                         ret = TEST_FAILED;
 397                 }
 398         }
 399
 400         return ret;
 401 }