app/test/test_cryptodev_security_ipsec.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(C) 2021 Marvell.
   3  */
   4
   5 #include <rte_common.h>
   6 #include <rte_cryptodev.h>
   7 #include <rte_esp.h>
   8 #include <rte_ip.h>
   9 #include <rte_security.h>
  10
  11 #include "test.h"
  12 #include "test_cryptodev_security_ipsec.h"
  13
  14 #define IV_LEN_MAX 16
  15
  16 extern struct ipsec_test_data pkt_aes_256_gcm;
  17
  18 int
  19 test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
  20                            const struct rte_security_capability *sec_cap,
  21                            bool silent)
  22 {
  23         /* Verify security capabilities */
  24
  25         if (ipsec_xform->options.esn == 1 && sec_cap->ipsec.options.esn == 0) {
  26                 if (!silent)
  27                         RTE_LOG(INFO, USER1, "ESN is not supported\n");
  28                 return -ENOTSUP;
  29         }
  30
  31         if (ipsec_xform->options.udp_encap == 1 &&
  32             sec_cap->ipsec.options.udp_encap == 0) {
  33                 if (!silent)
  34                         RTE_LOG(INFO, USER1, "UDP encapsulation is not supported\n");
  35                 return -ENOTSUP;
  36         }
  37
  38         if (ipsec_xform->options.copy_dscp == 1 &&
  39             sec_cap->ipsec.options.copy_dscp == 0) {
  40                 if (!silent)
  41                         RTE_LOG(INFO, USER1, "Copy DSCP is not supported\n");
  42                 return -ENOTSUP;
  43         }
  44
  45         if (ipsec_xform->options.copy_flabel == 1 &&
  46             sec_cap->ipsec.options.copy_flabel == 0) {
  47                 if (!silent)
  48                         RTE_LOG(INFO, USER1, "Copy Flow Label is not supported\n");
  49                 return -ENOTSUP;
  50         }
  51
  52         if (ipsec_xform->options.copy_df == 1 &&
  53             sec_cap->ipsec.options.copy_df == 0) {
  54                 if (!silent)
  55                         RTE_LOG(INFO, USER1, "Copy DP bit is not supported\n");
  56                 return -ENOTSUP;
  57         }
  58
  59         if (ipsec_xform->options.dec_ttl == 1 &&
  60             sec_cap->ipsec.options.dec_ttl == 0) {
  61                 if (!silent)
  62                         RTE_LOG(INFO, USER1, "Decrement TTL is not supported\n");
  63                 return -ENOTSUP;
  64         }
  65
  66         if (ipsec_xform->options.ecn == 1 && sec_cap->ipsec.options.ecn == 0) {
  67                 if (!silent)
  68                         RTE_LOG(INFO, USER1, "ECN is not supported\n");
  69                 return -ENOTSUP;
  70         }
  71
  72         if (ipsec_xform->options.stats == 1 &&
  73             sec_cap->ipsec.options.stats == 0) {
  74                 if (!silent)
  75                         RTE_LOG(INFO, USER1, "Stats is not supported\n");
  76                 return -ENOTSUP;
  77         }
  78
  79         return 0;
  80 }
  81
  82 int
  83 test_ipsec_crypto_caps_aead_verify(
  84                 const struct rte_security_capability *sec_cap,
  85                 struct rte_crypto_sym_xform *aead)
  86 {
  87         const struct rte_cryptodev_symmetric_capability *sym_cap;
  88         const struct rte_cryptodev_capabilities *crypto_cap;
  89         int j = 0;
  90
  91         while ((crypto_cap = &sec_cap->crypto_capabilities[j++])->op !=
  92                         RTE_CRYPTO_OP_TYPE_UNDEFINED) {
  93                 if (crypto_cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
  94                                 crypto_cap->sym.xform_type == aead->type &&
  95                                 crypto_cap->sym.aead.algo == aead->aead.algo) {
  96                         sym_cap = &crypto_cap->sym;
  97                         if (rte_cryptodev_sym_capability_check_aead(sym_cap,
  98                                         aead->aead.key.length,
  99                                         aead->aead.digest_length,
 100                                         aead->aead.aad_length,
 101                                         aead->aead.iv.length) == 0)
 102                                 return 0;
 103                 }
 104         }
 105
 106         return -ENOTSUP;
 107 }
 108
 109 void
 110 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 111                           struct ipsec_test_data *td_in)
 112 {
 113         memcpy(td_in, td_out, sizeof(*td_in));
 114
 115         /* Populate output text of td_in with input text of td_out */
 116         memcpy(td_in->output_text.data, td_out->input_text.data,
 117                td_out->input_text.len);
 118         td_in->output_text.len = td_out->input_text.len;
 119
 120         /* Populate input text of td_in with output text of td_out */
 121         memcpy(td_in->input_text.data, td_out->output_text.data,
 122                td_out->output_text.len);
 123         td_in->input_text.len = td_out->output_text.len;
 124
 125         td_in->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 126
 127         if (td_in->aead) {
 128                 td_in->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 129         } else {
 130                 td_in->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
 131                 td_in->xform.chain.cipher.cipher.op =
 132                                 RTE_CRYPTO_CIPHER_OP_DECRYPT;
 133         }
 134 }
 135
 136 void
 137 test_ipsec_td_prepare(const struct crypto_param *param1,
 138                       const struct crypto_param *param2,
 139                       const struct ipsec_test_flags *flags,
 140                       struct ipsec_test_data *td_array,
 141                       int nb_td)
 142
 143 {
 144         struct ipsec_test_data *td;
 145         int i;
 146
 147         memset(td_array, 0, nb_td * sizeof(*td));
 148
 149         for (i = 0; i < nb_td; i++) {
 150                 td = &td_array[i];
 151                 /* Copy template for packet & key fields */
 152                 memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
 153
 154                 /* Override fields based on param */
 155
 156                 if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 157                         td->aead = true;
 158                 else
 159                         td->aead = false;
 160
 161                 td->xform.aead.aead.algo = param1->alg.aead;
 162                 td->xform.aead.aead.key.length = param1->key_length;
 163         }
 164
 165         RTE_SET_USED(flags);
 166         RTE_SET_USED(param2);
 167 }
 168
 169 void
 170 test_ipsec_td_update(struct ipsec_test_data td_inb[],
 171                      const struct ipsec_test_data td_outb[],
 172                      int nb_td,
 173                      const struct ipsec_test_flags *flags)
 174 {
 175         int i;
 176
 177         for (i = 0; i < nb_td; i++) {
 178                 memcpy(td_inb[i].output_text.data, td_outb[i].input_text.data,
 179                        td_outb[i].input_text.len);
 180                 td_inb[i].output_text.len = td_outb->input_text.len;
 181
 182                 if (flags->icv_corrupt) {
 183                         int icv_pos = td_inb[i].input_text.len - 4;
 184                         td_inb[i].input_text.data[icv_pos] += 1;
 185                 }
 186         }
 187 }
 188
 189 void
 190 test_ipsec_display_alg(const struct crypto_param *param1,
 191                        const struct crypto_param *param2)
 192 {
 193         if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
 194                 printf("\t%s [%d]\n",
 195                        rte_crypto_aead_algorithm_strings[param1->alg.aead],
 196                        param1->key_length);
 197
 198         RTE_SET_USED(param2);
 199 }
 200
 201 static int
 202 test_ipsec_tunnel_hdr_len_get(const struct ipsec_test_data *td)
 203 {
 204         int len = 0;
 205
 206         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 207                 if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 208                         if (td->ipsec_xform.tunnel.type ==
 209                                         RTE_SECURITY_IPSEC_TUNNEL_IPV4)
 210                                 len += sizeof(struct rte_ipv4_hdr);
 211                         else
 212                                 len += sizeof(struct rte_ipv6_hdr);
 213                 }
 214         }
 215
 216         return len;
 217 }
 218
 219 static int
 220 test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
 221 {
 222         static uint8_t iv_queue[IV_LEN_MAX * IPSEC_TEST_PACKETS_MAX];
 223         uint8_t *iv_tmp, *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 224         int i, iv_pos, iv_len;
 225         static int index;
 226
 227         if (td->aead)
 228                 iv_len = td->xform.aead.aead.iv.length - td->salt.len;
 229         else
 230                 iv_len = td->xform.chain.cipher.cipher.iv.length;
 231
 232         iv_pos = test_ipsec_tunnel_hdr_len_get(td) + sizeof(struct rte_esp_hdr);
 233         output_text += iv_pos;
 234
 235         TEST_ASSERT(iv_len <= IV_LEN_MAX, "IV length greater than supported");
 236
 237         /* Compare against previous values */
 238         for (i = 0; i < index; i++) {
 239                 iv_tmp = &iv_queue[i * IV_LEN_MAX];
 240
 241                 if (memcmp(output_text, iv_tmp, iv_len) == 0) {
 242                         printf("IV repeated");
 243                         return TEST_FAILED;
 244                 }
 245         }
 246
 247         /* Save IV for future comparisons */
 248
 249         iv_tmp = &iv_queue[index * IV_LEN_MAX];
 250         memcpy(iv_tmp, output_text, iv_len);
 251         index++;
 252
 253         if (index == IPSEC_TEST_PACKETS_MAX)
 254                 index = 0;
 255
 256         return TEST_SUCCESS;
 257 }
 258
 259 static int
 260 test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 261                      bool silent, const struct ipsec_test_flags *flags)
 262 {
 263         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 264         uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 265
 266         /* For negative tests, no need to do verification */
 267         if (flags->icv_corrupt &&
 268             td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 269                 return TEST_SUCCESS;
 270
 271         if (len != td->output_text.len) {
 272                 printf("Output length (%d) not matching with expected (%d)\n",
 273                         len, td->output_text.len);
 274                 return TEST_FAILED;
 275         }
 276
 277         skip = test_ipsec_tunnel_hdr_len_get(td);
 278
 279         len -= skip;
 280         output_text += skip;
 281
 282         if (memcmp(output_text, td->output_text.data + skip, len)) {
 283                 if (silent)
 284                         return TEST_FAILED;
 285
 286                 printf("TestCase %s line %d: %s\n", __func__, __LINE__,
 287                         "output text not as expected\n");
 288
 289                 rte_hexdump(stdout, "expected", td->output_text.data + skip,
 290                             len);
 291                 rte_hexdump(stdout, "actual", output_text, len);
 292                 return TEST_FAILED;
 293         }
 294
 295         return TEST_SUCCESS;
 296 }
 297
 298 static int
 299 test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
 300                    struct ipsec_test_data *res_d)
 301 {
 302         uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
 303         uint32_t len = rte_pktmbuf_pkt_len(m);
 304
 305         memcpy(res_d, td, sizeof(*res_d));
 306         memcpy(res_d->input_text.data, output_text, len);
 307         res_d->input_text.len = len;
 308
 309         res_d->ipsec_xform.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 310         if (res_d->aead) {
 311                 res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
 312         } else {
 313                 printf("Only AEAD supported\n");
 314                 return TEST_SKIPPED;
 315         }
 316
 317         return TEST_SUCCESS;
 318 }
 319
 320 int
 321 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 322                         struct ipsec_test_data *res_d, bool silent,
 323                         const struct ipsec_test_flags *flags)
 324 {
 325         int ret;
 326
 327         if (flags->iv_gen &&
 328             td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 329                 ret = test_ipsec_iv_verify_push(m, td);
 330                 if (ret != TEST_SUCCESS)
 331                         return ret;
 332         }
 333
 334         /*
 335          * In case of known vector tests & all inbound tests, res_d provided
 336          * would be NULL and output data need to be validated against expected.
 337          * For inbound, output_text would be plain packet and for outbound
 338          * output_text would IPsec packet. Validate by comparing against
 339          * known vectors.
 340          *
 341          * In case of combined mode tests, the output_text from outbound
 342          * operation (ie, IPsec packet) would need to be inbound processed to
 343          * obtain the plain text. Copy output_text to result data, 'res_d', so
 344          * that inbound processing can be done.
 345          */
 346
 347         if (res_d == NULL)
 348                 return test_ipsec_td_verify(m, td, silent, flags);
 349         else
 350                 return test_ipsec_res_d_prepare(m, td, res_d);
 351 }
 352
 353 int
 354 test_ipsec_status_check(struct rte_crypto_op *op,
 355                         const struct ipsec_test_flags *flags,
 356                         enum rte_security_ipsec_sa_direction dir)
 357 {
 358         int ret = TEST_SUCCESS;
 359
 360         if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
 361                 if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
 362                         printf("ICV corruption test case failed\n");
 363                         ret = TEST_FAILED;
 364                 }
 365         } else {
 366                 if (op->status != RTE_CRYPTO_OP_STATUS_SUCCESS) {
 367                         printf("Security op processing failed\n");
 368                         ret = TEST_FAILED;
 369                 }
 370         }
 371
 372         return ret;
 373 }