app/test/test_security_inline_proto.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(C) 2022 Marvell.
   3  */
   4
   5
   6 #include <stdio.h>
   7 #include <inttypes.h>
   8
   9 #include <rte_ethdev.h>
  10 #include <rte_malloc.h>
  11 #include <rte_security.h>
  12
  13 #include "test.h"
  14 #include "test_security_inline_proto_vectors.h"
  15
  16 #ifdef RTE_EXEC_ENV_WINDOWS
  17 static int
  18 test_inline_ipsec(void)
  19 {
  20         printf("Inline ipsec not supported on Windows, skipping test\n");
  21         return TEST_SKIPPED;
  22 }
  23
  24 #else
  25
  26 #define NB_ETHPORTS_USED                1
  27 #define MEMPOOL_CACHE_SIZE              32
  28 #define MAX_PKT_BURST                   32
  29 #define RTE_TEST_RX_DESC_DEFAULT        1024
  30 #define RTE_TEST_TX_DESC_DEFAULT        1024
  31 #define RTE_PORT_ALL            (~(uint16_t)0x0)
  32
  33 #define RX_PTHRESH 8 /**< Default values of RX prefetch threshold reg. */
  34 #define RX_HTHRESH 8 /**< Default values of RX host threshold reg. */
  35 #define RX_WTHRESH 0 /**< Default values of RX write-back threshold reg. */
  36
  37 #define TX_PTHRESH 32 /**< Default values of TX prefetch threshold reg. */
  38 #define TX_HTHRESH 0  /**< Default values of TX host threshold reg. */
  39 #define TX_WTHRESH 0  /**< Default values of TX write-back threshold reg. */
  40
  41 #define MAX_TRAFFIC_BURST               2048
  42 #define NB_MBUF                         10240
  43
  44 #define ENCAP_DECAP_BURST_SZ            33
  45 #define APP_REASS_TIMEOUT               10
  46
  47 extern struct ipsec_test_data pkt_aes_128_gcm;
  48 extern struct ipsec_test_data pkt_aes_192_gcm;
  49 extern struct ipsec_test_data pkt_aes_256_gcm;
  50 extern struct ipsec_test_data pkt_aes_128_gcm_frag;
  51 extern struct ipsec_test_data pkt_aes_128_cbc_null;
  52 extern struct ipsec_test_data pkt_null_aes_xcbc;
  53 extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha384;
  54 extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha512;
  55
  56 static struct rte_mempool *mbufpool;
  57 static struct rte_mempool *sess_pool;
  58 static struct rte_mempool *sess_priv_pool;
  59 /* ethernet addresses of ports */
  60 static struct rte_ether_addr ports_eth_addr[RTE_MAX_ETHPORTS];
  61
  62 static struct rte_eth_conf port_conf = {
  63         .rxmode = {
  64                 .mq_mode = RTE_ETH_MQ_RX_NONE,
  65                 .split_hdr_size = 0,
  66                 .offloads = RTE_ETH_RX_OFFLOAD_CHECKSUM |
  67                             RTE_ETH_RX_OFFLOAD_SECURITY,
  68         },
  69         .txmode = {
  70                 .mq_mode = RTE_ETH_MQ_TX_NONE,
  71                 .offloads = RTE_ETH_TX_OFFLOAD_SECURITY |
  72                             RTE_ETH_TX_OFFLOAD_MBUF_FAST_FREE,
  73         },
  74         .lpbk_mode = 1,  /* enable loopback */
  75 };
  76
  77 static struct rte_eth_rxconf rx_conf = {
  78         .rx_thresh = {
  79                 .pthresh = RX_PTHRESH,
  80                 .hthresh = RX_HTHRESH,
  81                 .wthresh = RX_WTHRESH,
  82         },
  83         .rx_free_thresh = 32,
  84 };
  85
  86 static struct rte_eth_txconf tx_conf = {
  87         .tx_thresh = {
  88                 .pthresh = TX_PTHRESH,
  89                 .hthresh = TX_HTHRESH,
  90                 .wthresh = TX_WTHRESH,
  91         },
  92         .tx_free_thresh = 32, /* Use PMD default values */
  93         .tx_rs_thresh = 32, /* Use PMD default values */
  94 };
  95
  96 uint16_t port_id;
  97
  98 static uint64_t link_mbps;
  99
 100 static int ip_reassembly_dynfield_offset = -1;
 101
 102 static struct rte_flow *default_flow[RTE_MAX_ETHPORTS];
 103
 104 /* Create Inline IPsec session */
 105 static int
 106 create_inline_ipsec_session(struct ipsec_test_data *sa, uint16_t portid,
 107                 struct rte_security_session **sess, struct rte_security_ctx **ctx,
 108                 uint32_t *ol_flags, const struct ipsec_test_flags *flags,
 109                 struct rte_security_session_conf *sess_conf)
 110 {
 111         uint16_t src_v6[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000,
 112                                 0x0000, 0x001a};
 113         uint16_t dst_v6[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174,
 114                                 0xe82c, 0x4887};
 115         uint32_t src_v4 = rte_cpu_to_be_32(RTE_IPV4(192, 168, 1, 2));
 116         uint32_t dst_v4 = rte_cpu_to_be_32(RTE_IPV4(192, 168, 1, 1));
 117         struct rte_security_capability_idx sec_cap_idx;
 118         const struct rte_security_capability *sec_cap;
 119         enum rte_security_ipsec_sa_direction dir;
 120         struct rte_security_ctx *sec_ctx;
 121         uint32_t verify;
 122
 123         sess_conf->action_type = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
 124         sess_conf->protocol = RTE_SECURITY_PROTOCOL_IPSEC;
 125         sess_conf->ipsec = sa->ipsec_xform;
 126
 127         dir = sa->ipsec_xform.direction;
 128         verify = flags->tunnel_hdr_verify;
 129
 130         if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
 131                 if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
 132                         src_v4 += 1;
 133                 else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
 134                         dst_v4 += 1;
 135         }
 136
 137         if (sa->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
 138                 if (sa->ipsec_xform.tunnel.type ==
 139                                 RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
 140                         memcpy(&sess_conf->ipsec.tunnel.ipv4.src_ip, &src_v4,
 141                                         sizeof(src_v4));
 142                         memcpy(&sess_conf->ipsec.tunnel.ipv4.dst_ip, &dst_v4,
 143                                         sizeof(dst_v4));
 144
 145                         if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1)
 146                                 sess_conf->ipsec.tunnel.ipv4.df = 0;
 147
 148                         if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0)
 149                                 sess_conf->ipsec.tunnel.ipv4.df = 1;
 150
 151                         if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
 152                                 sess_conf->ipsec.tunnel.ipv4.dscp = 0;
 153
 154                         if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
 155                                 sess_conf->ipsec.tunnel.ipv4.dscp =
 156                                                 TEST_IPSEC_DSCP_VAL;
 157                 } else {
 158                         if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
 159                                 sess_conf->ipsec.tunnel.ipv6.dscp = 0;
 160
 161                         if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
 162                                 sess_conf->ipsec.tunnel.ipv6.dscp =
 163                                                 TEST_IPSEC_DSCP_VAL;
 164
 165                         memcpy(&sess_conf->ipsec.tunnel.ipv6.src_addr, &src_v6,
 166                                         sizeof(src_v6));
 167                         memcpy(&sess_conf->ipsec.tunnel.ipv6.dst_addr, &dst_v6,
 168                                         sizeof(dst_v6));
 169                 }
 170         }
 171
 172         /* Save SA as userdata for the security session. When
 173          * the packet is received, this userdata will be
 174          * retrieved using the metadata from the packet.
 175          *
 176          * The PMD is expected to set similar metadata for other
 177          * operations, like rte_eth_event, which are tied to
 178          * security session. In such cases, the userdata could
 179          * be obtained to uniquely identify the security
 180          * parameters denoted.
 181          */
 182
 183         sess_conf->userdata = (void *) sa;
 184
 185         sec_ctx = (struct rte_security_ctx *)rte_eth_dev_get_sec_ctx(portid);
 186         if (sec_ctx == NULL) {
 187                 printf("Ethernet device doesn't support security features.\n");
 188                 return TEST_SKIPPED;
 189         }
 190
 191         sec_cap_idx.action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL;
 192         sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
 193         sec_cap_idx.ipsec.proto = sess_conf->ipsec.proto;
 194         sec_cap_idx.ipsec.mode = sess_conf->ipsec.mode;
 195         sec_cap_idx.ipsec.direction = sess_conf->ipsec.direction;
 196         sec_cap = rte_security_capability_get(sec_ctx, &sec_cap_idx);
 197         if (sec_cap == NULL) {
 198                 printf("No capabilities registered\n");
 199                 return TEST_SKIPPED;
 200         }
 201
 202         if (sa->aead || sa->aes_gmac)
 203                 memcpy(&sess_conf->ipsec.salt, sa->salt.data,
 204                         RTE_MIN(sizeof(sess_conf->ipsec.salt), sa->salt.len));
 205
 206         /* Copy cipher session parameters */
 207         if (sa->aead) {
 208                 rte_memcpy(sess_conf->crypto_xform, &sa->xform.aead,
 209                                 sizeof(struct rte_crypto_sym_xform));
 210                 sess_conf->crypto_xform->aead.key.data = sa->key.data;
 211                 /* Verify crypto capabilities */
 212                 if (test_ipsec_crypto_caps_aead_verify(sec_cap,
 213                                         sess_conf->crypto_xform) != 0) {
 214                         RTE_LOG(INFO, USER1,
 215                                 "Crypto capabilities not supported\n");
 216                         return TEST_SKIPPED;
 217                 }
 218         } else {
 219                 if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 220                         rte_memcpy(&sess_conf->crypto_xform->cipher,
 221                                         &sa->xform.chain.cipher.cipher,
 222                                         sizeof(struct rte_crypto_cipher_xform));
 223
 224                         rte_memcpy(&sess_conf->crypto_xform->next->auth,
 225                                         &sa->xform.chain.auth.auth,
 226                                         sizeof(struct rte_crypto_auth_xform));
 227                         sess_conf->crypto_xform->cipher.key.data =
 228                                                         sa->key.data;
 229                         sess_conf->crypto_xform->next->auth.key.data =
 230                                                         sa->auth_key.data;
 231                         /* Verify crypto capabilities */
 232                         if (test_ipsec_crypto_caps_cipher_verify(sec_cap,
 233                                         sess_conf->crypto_xform) != 0) {
 234                                 RTE_LOG(INFO, USER1,
 235                                         "Cipher crypto capabilities not supported\n");
 236                                 return TEST_SKIPPED;
 237                         }
 238
 239                         if (test_ipsec_crypto_caps_auth_verify(sec_cap,
 240                                         sess_conf->crypto_xform->next) != 0) {
 241                                 RTE_LOG(INFO, USER1,
 242                                         "Auth crypto capabilities not supported\n");
 243                                 return TEST_SKIPPED;
 244                         }
 245                 } else {
 246                         rte_memcpy(&sess_conf->crypto_xform->next->cipher,
 247                                         &sa->xform.chain.cipher.cipher,
 248                                         sizeof(struct rte_crypto_cipher_xform));
 249                         rte_memcpy(&sess_conf->crypto_xform->auth,
 250                                         &sa->xform.chain.auth.auth,
 251                                         sizeof(struct rte_crypto_auth_xform));
 252                         sess_conf->crypto_xform->auth.key.data =
 253                                                         sa->auth_key.data;
 254                         sess_conf->crypto_xform->next->cipher.key.data =
 255                                                         sa->key.data;
 256
 257                         /* Verify crypto capabilities */
 258                         if (test_ipsec_crypto_caps_cipher_verify(sec_cap,
 259                                         sess_conf->crypto_xform->next) != 0) {
 260                                 RTE_LOG(INFO, USER1,
 261                                         "Cipher crypto capabilities not supported\n");
 262                                 return TEST_SKIPPED;
 263                         }
 264
 265                         if (test_ipsec_crypto_caps_auth_verify(sec_cap,
 266                                         sess_conf->crypto_xform) != 0) {
 267                                 RTE_LOG(INFO, USER1,
 268                                         "Auth crypto capabilities not supported\n");
 269                                 return TEST_SKIPPED;
 270                         }
 271                 }
 272         }
 273
 274         if (test_ipsec_sec_caps_verify(&sess_conf->ipsec, sec_cap, false) != 0)
 275                 return TEST_SKIPPED;
 276
 277         if ((sa->ipsec_xform.direction ==
 278                         RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
 279                         (sa->ipsec_xform.options.iv_gen_disable == 1)) {
 280                 /* Set env variable when IV generation is disabled */
 281                 char arr[128];
 282                 int len = 0, j = 0;
 283                 int iv_len = (sa->aead || sa->aes_gmac) ? 8 : 16;
 284
 285                 for (; j < iv_len; j++)
 286                         len += snprintf(arr+len, sizeof(arr) - len,
 287                                         "0x%x, ", sa->iv.data[j]);
 288                 setenv("ETH_SEC_IV_OVR", arr, 1);
 289         }
 290
 291         *sess = rte_security_session_create(sec_ctx,
 292                                 sess_conf, sess_pool, sess_priv_pool);
 293         if (*sess == NULL) {
 294                 printf("SEC Session init failed.\n");
 295                 return TEST_FAILED;
 296         }
 297
 298         *ol_flags = sec_cap->ol_flags;
 299         *ctx = sec_ctx;
 300
 301         return 0;
 302 }
 303
 304 /* Check the link status of all ports in up to 3s, and print them finally */
 305 static void
 306 check_all_ports_link_status(uint16_t port_num, uint32_t port_mask)
 307 {
 308 #define CHECK_INTERVAL 100 /* 100ms */
 309 #define MAX_CHECK_TIME 30 /* 3s (30 * 100ms) in total */
 310         uint16_t portid;
 311         uint8_t count, all_ports_up, print_flag = 0;
 312         struct rte_eth_link link;
 313         int ret;
 314         char link_status[RTE_ETH_LINK_MAX_STR_LEN];
 315
 316         printf("Checking link statuses...\n");
 317         fflush(stdout);
 318         for (count = 0; count <= MAX_CHECK_TIME; count++) {
 319                 all_ports_up = 1;
 320                 for (portid = 0; portid < port_num; portid++) {
 321                         if ((port_mask & (1 << portid)) == 0)
 322                                 continue;
 323                         memset(&link, 0, sizeof(link));
 324                         ret = rte_eth_link_get_nowait(portid, &link);
 325                         if (ret < 0) {
 326                                 all_ports_up = 0;
 327                                 if (print_flag == 1)
 328                                         printf("Port %u link get failed: %s\n",
 329                                                 portid, rte_strerror(-ret));
 330                                 continue;
 331                         }
 332
 333                         /* print link status if flag set */
 334                         if (print_flag == 1) {
 335                                 if (link.link_status && link_mbps == 0)
 336                                         link_mbps = link.link_speed;
 337
 338                                 rte_eth_link_to_str(link_status,
 339                                         sizeof(link_status), &link);
 340                                 printf("Port %d %s\n", portid, link_status);
 341                                 continue;
 342                         }
 343                         /* clear all_ports_up flag if any link down */
 344                         if (link.link_status == RTE_ETH_LINK_DOWN) {
 345                                 all_ports_up = 0;
 346                                 break;
 347                         }
 348                 }
 349                 /* after finally printing all link status, get out */
 350                 if (print_flag == 1)
 351                         break;
 352
 353                 if (all_ports_up == 0) {
 354                         fflush(stdout);
 355                         rte_delay_ms(CHECK_INTERVAL);
 356                 }
 357
 358                 /* set the print_flag if all ports up or timeout */
 359                 if (all_ports_up == 1 || count == (MAX_CHECK_TIME - 1))
 360                         print_flag = 1;
 361         }
 362 }
 363
 364 static void
 365 print_ethaddr(const char *name, const struct rte_ether_addr *eth_addr)
 366 {
 367         char buf[RTE_ETHER_ADDR_FMT_SIZE];
 368         rte_ether_format_addr(buf, RTE_ETHER_ADDR_FMT_SIZE, eth_addr);
 369         printf("%s%s", name, buf);
 370 }
 371
 372 static void
 373 copy_buf_to_pkt_segs(const uint8_t *buf, unsigned int len,
 374                      struct rte_mbuf *pkt, unsigned int offset)
 375 {
 376         unsigned int copied = 0;
 377         unsigned int copy_len;
 378         struct rte_mbuf *seg;
 379         void *seg_buf;
 380
 381         seg = pkt;
 382         while (offset >= seg->data_len) {
 383                 offset -= seg->data_len;
 384                 seg = seg->next;
 385         }
 386         copy_len = seg->data_len - offset;
 387         seg_buf = rte_pktmbuf_mtod_offset(seg, char *, offset);
 388         while (len > copy_len) {
 389                 rte_memcpy(seg_buf, buf + copied, (size_t) copy_len);
 390                 len -= copy_len;
 391                 copied += copy_len;
 392                 seg = seg->next;
 393                 seg_buf = rte_pktmbuf_mtod(seg, void *);
 394         }
 395         rte_memcpy(seg_buf, buf + copied, (size_t) len);
 396 }
 397
 398 static inline struct rte_mbuf *
 399 init_packet(struct rte_mempool *mp, const uint8_t *data, unsigned int len)
 400 {
 401         struct rte_mbuf *pkt;
 402
 403         pkt = rte_pktmbuf_alloc(mp);
 404         if (pkt == NULL)
 405                 return NULL;
 406         if (((data[0] & 0xF0) >> 4) == IPVERSION) {
 407                 rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 408                                 &dummy_ipv4_eth_hdr, RTE_ETHER_HDR_LEN);
 409                 pkt->l3_len = sizeof(struct rte_ipv4_hdr);
 410         } else {
 411                 rte_memcpy(rte_pktmbuf_append(pkt, RTE_ETHER_HDR_LEN),
 412                                 &dummy_ipv6_eth_hdr, RTE_ETHER_HDR_LEN);
 413                 pkt->l3_len = sizeof(struct rte_ipv6_hdr);
 414         }
 415         pkt->l2_len = RTE_ETHER_HDR_LEN;
 416
 417         if (pkt->buf_len > (len + RTE_ETHER_HDR_LEN))
 418                 rte_memcpy(rte_pktmbuf_append(pkt, len), data, len);
 419         else
 420                 copy_buf_to_pkt_segs(data, len, pkt, RTE_ETHER_HDR_LEN);
 421         return pkt;
 422 }
 423
 424 static int
 425 init_mempools(unsigned int nb_mbuf)
 426 {
 427         struct rte_security_ctx *sec_ctx;
 428         uint16_t nb_sess = 512;
 429         uint32_t sess_sz;
 430         char s[64];
 431
 432         if (mbufpool == NULL) {
 433                 snprintf(s, sizeof(s), "mbuf_pool");
 434                 mbufpool = rte_pktmbuf_pool_create(s, nb_mbuf,
 435                                 MEMPOOL_CACHE_SIZE, 0,
 436                                 RTE_MBUF_DEFAULT_BUF_SIZE, SOCKET_ID_ANY);
 437                 if (mbufpool == NULL) {
 438                         printf("Cannot init mbuf pool\n");
 439                         return TEST_FAILED;
 440                 }
 441                 printf("Allocated mbuf pool\n");
 442         }
 443
 444         sec_ctx = rte_eth_dev_get_sec_ctx(port_id);
 445         if (sec_ctx == NULL) {
 446                 printf("Device does not support Security ctx\n");
 447                 return TEST_SKIPPED;
 448         }
 449         sess_sz = rte_security_session_get_size(sec_ctx);
 450         if (sess_pool == NULL) {
 451                 snprintf(s, sizeof(s), "sess_pool");
 452                 sess_pool = rte_mempool_create(s, nb_sess, sess_sz,
 453                                 MEMPOOL_CACHE_SIZE, 0,
 454                                 NULL, NULL, NULL, NULL,
 455                                 SOCKET_ID_ANY, 0);
 456                 if (sess_pool == NULL) {
 457                         printf("Cannot init sess pool\n");
 458                         return TEST_FAILED;
 459                 }
 460                 printf("Allocated sess pool\n");
 461         }
 462         if (sess_priv_pool == NULL) {
 463                 snprintf(s, sizeof(s), "sess_priv_pool");
 464                 sess_priv_pool = rte_mempool_create(s, nb_sess, sess_sz,
 465                                 MEMPOOL_CACHE_SIZE, 0,
 466                                 NULL, NULL, NULL, NULL,
 467                                 SOCKET_ID_ANY, 0);
 468                 if (sess_priv_pool == NULL) {
 469                         printf("Cannot init sess_priv pool\n");
 470                         return TEST_FAILED;
 471                 }
 472                 printf("Allocated sess_priv pool\n");
 473         }
 474
 475         return 0;
 476 }
 477
 478 static int
 479 create_default_flow(uint16_t portid)
 480 {
 481         struct rte_flow_action action[2];
 482         struct rte_flow_item pattern[2];
 483         struct rte_flow_attr attr = {0};
 484         struct rte_flow_error err;
 485         struct rte_flow *flow;
 486         int ret;
 487
 488         /* Add the default rte_flow to enable SECURITY for all ESP packets */
 489
 490         pattern[0].type = RTE_FLOW_ITEM_TYPE_ESP;
 491         pattern[0].spec = NULL;
 492         pattern[0].mask = NULL;
 493         pattern[0].last = NULL;
 494         pattern[1].type = RTE_FLOW_ITEM_TYPE_END;
 495
 496         action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
 497         action[0].conf = NULL;
 498         action[1].type = RTE_FLOW_ACTION_TYPE_END;
 499         action[1].conf = NULL;
 500
 501         attr.ingress = 1;
 502
 503         ret = rte_flow_validate(portid, &attr, pattern, action, &err);
 504         if (ret) {
 505                 printf("\nValidate flow failed, ret = %d\n", ret);
 506                 return -1;
 507         }
 508         flow = rte_flow_create(portid, &attr, pattern, action, &err);
 509         if (flow == NULL) {
 510                 printf("\nDefault flow rule create failed\n");
 511                 return -1;
 512         }
 513
 514         default_flow[portid] = flow;
 515
 516         return 0;
 517 }
 518
 519 static void
 520 destroy_default_flow(uint16_t portid)
 521 {
 522         struct rte_flow_error err;
 523         int ret;
 524
 525         if (!default_flow[portid])
 526                 return;
 527         ret = rte_flow_destroy(portid, default_flow[portid], &err);
 528         if (ret) {
 529                 printf("\nDefault flow rule destroy failed\n");
 530                 return;
 531         }
 532         default_flow[portid] = NULL;
 533 }
 534
 535 struct rte_mbuf **tx_pkts_burst;
 536 struct rte_mbuf **rx_pkts_burst;
 537
 538 static int
 539 compare_pkt_data(struct rte_mbuf *m, uint8_t *ref, unsigned int tot_len)
 540 {
 541         unsigned int len;
 542         unsigned int nb_segs = m->nb_segs;
 543         unsigned int matched = 0;
 544         struct rte_mbuf *save = m;
 545
 546         while (m) {
 547                 len = tot_len;
 548                 if (len > m->data_len)
 549                         len = m->data_len;
 550                 if (len != 0) {
 551                         if (memcmp(rte_pktmbuf_mtod(m, char *),
 552                                         ref + matched, len)) {
 553                                 printf("\n====Reassembly case failed: Data Mismatch");
 554                                 rte_hexdump(stdout, "Reassembled",
 555                                         rte_pktmbuf_mtod(m, char *),
 556                                         len);
 557                                 rte_hexdump(stdout, "reference",
 558                                         ref + matched,
 559                                         len);
 560                                 return TEST_FAILED;
 561                         }
 562                 }
 563                 tot_len -= len;
 564                 matched += len;
 565                 m = m->next;
 566         }
 567
 568         if (tot_len) {
 569                 printf("\n====Reassembly case failed: Data Missing %u",
 570                        tot_len);
 571                 printf("\n====nb_segs %u, tot_len %u", nb_segs, tot_len);
 572                 rte_pktmbuf_dump(stderr, save, -1);
 573                 return TEST_FAILED;
 574         }
 575         return TEST_SUCCESS;
 576 }
 577
 578 static inline bool
 579 is_ip_reassembly_incomplete(struct rte_mbuf *mbuf)
 580 {
 581         static uint64_t ip_reassembly_dynflag;
 582         int ip_reassembly_dynflag_offset;
 583
 584         if (ip_reassembly_dynflag == 0) {
 585                 ip_reassembly_dynflag_offset = rte_mbuf_dynflag_lookup(
 586                         RTE_MBUF_DYNFLAG_IP_REASSEMBLY_INCOMPLETE_NAME, NULL);
 587                 if (ip_reassembly_dynflag_offset < 0)
 588                         return false;
 589                 ip_reassembly_dynflag = RTE_BIT64(ip_reassembly_dynflag_offset);
 590         }
 591
 592         return (mbuf->ol_flags & ip_reassembly_dynflag) != 0;
 593 }
 594
 595 static void
 596 free_mbuf(struct rte_mbuf *mbuf)
 597 {
 598         rte_eth_ip_reassembly_dynfield_t dynfield;
 599
 600         if (!mbuf)
 601                 return;
 602
 603         if (!is_ip_reassembly_incomplete(mbuf)) {
 604                 rte_pktmbuf_free(mbuf);
 605         } else {
 606                 if (ip_reassembly_dynfield_offset < 0)
 607                         return;
 608
 609                 while (mbuf) {
 610                         dynfield = *RTE_MBUF_DYNFIELD(mbuf,
 611                                         ip_reassembly_dynfield_offset,
 612                                         rte_eth_ip_reassembly_dynfield_t *);
 613                         rte_pktmbuf_free(mbuf);
 614                         mbuf = dynfield.next_frag;
 615                 }
 616         }
 617 }
 618
 619
 620 static int
 621 get_and_verify_incomplete_frags(struct rte_mbuf *mbuf,
 622                                 struct reassembly_vector *vector)
 623 {
 624         rte_eth_ip_reassembly_dynfield_t *dynfield[MAX_PKT_BURST];
 625         int j = 0, ret;
 626         /**
 627          * IP reassembly offload is incomplete, and fragments are listed in
 628          * dynfield which can be reassembled in SW.
 629          */
 630         printf("\nHW IP Reassembly is not complete; attempt SW IP Reassembly,"
 631                 "\nMatching with original frags.");
 632
 633         if (ip_reassembly_dynfield_offset < 0)
 634                 return -1;
 635
 636         printf("\ncomparing frag: %d", j);
 637         /* Skip Ethernet header comparison */
 638         rte_pktmbuf_adj(mbuf, RTE_ETHER_HDR_LEN);
 639         ret = compare_pkt_data(mbuf, vector->frags[j]->data,
 640                                 vector->frags[j]->len);
 641         if (ret)
 642                 return ret;
 643         j++;
 644         dynfield[j] = RTE_MBUF_DYNFIELD(mbuf, ip_reassembly_dynfield_offset,
 645                                         rte_eth_ip_reassembly_dynfield_t *);
 646         printf("\ncomparing frag: %d", j);
 647         /* Skip Ethernet header comparison */
 648         rte_pktmbuf_adj(dynfield[j]->next_frag, RTE_ETHER_HDR_LEN);
 649         ret = compare_pkt_data(dynfield[j]->next_frag, vector->frags[j]->data,
 650                         vector->frags[j]->len);
 651         if (ret)
 652                 return ret;
 653
 654         while ((dynfield[j]->nb_frags > 1) &&
 655                         is_ip_reassembly_incomplete(dynfield[j]->next_frag)) {
 656                 j++;
 657                 dynfield[j] = RTE_MBUF_DYNFIELD(dynfield[j-1]->next_frag,
 658                                         ip_reassembly_dynfield_offset,
 659                                         rte_eth_ip_reassembly_dynfield_t *);
 660                 printf("\ncomparing frag: %d", j);
 661                 /* Skip Ethernet header comparison */
 662                 rte_pktmbuf_adj(dynfield[j]->next_frag, RTE_ETHER_HDR_LEN);
 663                 ret = compare_pkt_data(dynfield[j]->next_frag,
 664                                 vector->frags[j]->data, vector->frags[j]->len);
 665                 if (ret)
 666                         return ret;
 667         }
 668         return ret;
 669 }
 670
 671 static int
 672 test_ipsec_with_reassembly(struct reassembly_vector *vector,
 673                 const struct ipsec_test_flags *flags)
 674 {
 675         struct rte_security_session *out_ses[ENCAP_DECAP_BURST_SZ] = {0};
 676         struct rte_security_session *in_ses[ENCAP_DECAP_BURST_SZ] = {0};
 677         struct rte_eth_ip_reassembly_params reass_capa = {0};
 678         struct rte_security_session_conf sess_conf_out = {0};
 679         struct rte_security_session_conf sess_conf_in = {0};
 680         unsigned int nb_tx, burst_sz, nb_sent = 0;
 681         struct rte_crypto_sym_xform cipher_out = {0};
 682         struct rte_crypto_sym_xform auth_out = {0};
 683         struct rte_crypto_sym_xform aead_out = {0};
 684         struct rte_crypto_sym_xform cipher_in = {0};
 685         struct rte_crypto_sym_xform auth_in = {0};
 686         struct rte_crypto_sym_xform aead_in = {0};
 687         struct ipsec_test_data sa_data;
 688         struct rte_security_ctx *ctx;
 689         unsigned int i, nb_rx = 0, j;
 690         uint32_t ol_flags;
 691         int ret = 0;
 692
 693         burst_sz = vector->burst ? ENCAP_DECAP_BURST_SZ : 1;
 694         nb_tx = vector->nb_frags * burst_sz;
 695
 696         rte_eth_dev_stop(port_id);
 697         if (ret != 0) {
 698                 printf("rte_eth_dev_stop: err=%s, port=%u\n",
 699                                rte_strerror(-ret), port_id);
 700                 return ret;
 701         }
 702         rte_eth_ip_reassembly_capability_get(port_id, &reass_capa);
 703         if (reass_capa.max_frags < vector->nb_frags)
 704                 return TEST_SKIPPED;
 705         if (reass_capa.timeout_ms > APP_REASS_TIMEOUT) {
 706                 reass_capa.timeout_ms = APP_REASS_TIMEOUT;
 707                 rte_eth_ip_reassembly_conf_set(port_id, &reass_capa);
 708         }
 709
 710         ret = rte_eth_dev_start(port_id);
 711         if (ret < 0) {
 712                 printf("rte_eth_dev_start: err=%d, port=%d\n",
 713                         ret, port_id);
 714                 return ret;
 715         }
 716
 717         memset(tx_pkts_burst, 0, sizeof(tx_pkts_burst[0]) * nb_tx);
 718         memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_tx);
 719
 720         for (i = 0; i < nb_tx; i += vector->nb_frags) {
 721                 for (j = 0; j < vector->nb_frags; j++) {
 722                         tx_pkts_burst[i+j] = init_packet(mbufpool,
 723                                                 vector->frags[j]->data,
 724                                                 vector->frags[j]->len);
 725                         if (tx_pkts_burst[i+j] == NULL) {
 726                                 ret = -1;
 727                                 printf("\n packed init failed\n");
 728                                 goto out;
 729                         }
 730                 }
 731         }
 732
 733         for (i = 0; i < burst_sz; i++) {
 734                 memcpy(&sa_data, vector->sa_data,
 735                                 sizeof(struct ipsec_test_data));
 736                 /* Update SPI for every new SA */
 737                 sa_data.ipsec_xform.spi += i;
 738                 sa_data.ipsec_xform.direction =
 739                                         RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
 740                 if (sa_data.aead) {
 741                         sess_conf_out.crypto_xform = &aead_out;
 742                 } else {
 743                         sess_conf_out.crypto_xform = &cipher_out;
 744                         sess_conf_out.crypto_xform->next = &auth_out;
 745                 }
 746
 747                 /* Create Inline IPsec outbound session. */
 748                 ret = create_inline_ipsec_session(&sa_data, port_id,
 749                                 &out_ses[i], &ctx, &ol_flags, flags,
 750                                 &sess_conf_out);
 751                 if (ret) {
 752                         printf("\nInline outbound session create failed\n");
 753                         goto out;
 754                 }
 755         }
 756
 757         j = 0;
 758         for (i = 0; i < nb_tx; i++) {
 759                 if (ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
 760                         rte_security_set_pkt_metadata(ctx,
 761                                 out_ses[j], tx_pkts_burst[i], NULL);
 762                 tx_pkts_burst[i]->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 763
 764                 /* Move to next SA after nb_frags */
 765                 if ((i + 1) % vector->nb_frags == 0)
 766                         j++;
 767         }
 768
 769         for (i = 0; i < burst_sz; i++) {
 770                 memcpy(&sa_data, vector->sa_data,
 771                                 sizeof(struct ipsec_test_data));
 772                 /* Update SPI for every new SA */
 773                 sa_data.ipsec_xform.spi += i;
 774                 sa_data.ipsec_xform.direction =
 775                                         RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
 776
 777                 if (sa_data.aead) {
 778                         sess_conf_in.crypto_xform = &aead_in;
 779                 } else {
 780                         sess_conf_in.crypto_xform = &auth_in;
 781                         sess_conf_in.crypto_xform->next = &cipher_in;
 782                 }
 783                 /* Create Inline IPsec inbound session. */
 784                 ret = create_inline_ipsec_session(&sa_data, port_id, &in_ses[i],
 785                                 &ctx, &ol_flags, flags, &sess_conf_in);
 786                 if (ret) {
 787                         printf("\nInline inbound session create failed\n");
 788                         goto out;
 789                 }
 790         }
 791
 792         /* Retrieve reassembly dynfield offset if available */
 793         if (ip_reassembly_dynfield_offset < 0 && vector->nb_frags > 1)
 794                 ip_reassembly_dynfield_offset = rte_mbuf_dynfield_lookup(
 795                                 RTE_MBUF_DYNFIELD_IP_REASSEMBLY_NAME, NULL);
 796
 797
 798         ret = create_default_flow(port_id);
 799         if (ret)
 800                 goto out;
 801
 802         nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, nb_tx);
 803         if (nb_sent != nb_tx) {
 804                 ret = -1;
 805                 printf("\nFailed to tx %u pkts", nb_tx);
 806                 goto out;
 807         }
 808
 809         rte_delay_ms(1);
 810
 811         /* Retry few times before giving up */
 812         nb_rx = 0;
 813         j = 0;
 814         do {
 815                 nb_rx += rte_eth_rx_burst(port_id, 0, &rx_pkts_burst[nb_rx],
 816                                           nb_tx - nb_rx);
 817                 j++;
 818                 if (nb_rx >= nb_tx)
 819                         break;
 820                 rte_delay_ms(1);
 821         } while (j < 5 || !nb_rx);
 822
 823         /* Check for minimum number of Rx packets expected */
 824         if ((vector->nb_frags == 1 && nb_rx != nb_tx) ||
 825             (vector->nb_frags > 1 && nb_rx < burst_sz)) {
 826                 printf("\nreceived less Rx pkts(%u) pkts\n", nb_rx);
 827                 ret = TEST_FAILED;
 828                 goto out;
 829         }
 830
 831         for (i = 0; i < nb_rx; i++) {
 832                 if (vector->nb_frags > 1 &&
 833                     is_ip_reassembly_incomplete(rx_pkts_burst[i])) {
 834                         ret = get_and_verify_incomplete_frags(rx_pkts_burst[i],
 835                                                               vector);
 836                         if (ret != TEST_SUCCESS)
 837                                 break;
 838                         continue;
 839                 }
 840
 841                 if (rx_pkts_burst[i]->ol_flags &
 842                     RTE_MBUF_F_RX_SEC_OFFLOAD_FAILED ||
 843                     !(rx_pkts_burst[i]->ol_flags & RTE_MBUF_F_RX_SEC_OFFLOAD)) {
 844                         printf("\nsecurity offload failed\n");
 845                         ret = TEST_FAILED;
 846                         break;
 847                 }
 848
 849                 if (vector->full_pkt->len + RTE_ETHER_HDR_LEN !=
 850                                 rx_pkts_burst[i]->pkt_len) {
 851                         printf("\nreassembled/decrypted packet length mismatch\n");
 852                         ret = TEST_FAILED;
 853                         break;
 854                 }
 855                 rte_pktmbuf_adj(rx_pkts_burst[i], RTE_ETHER_HDR_LEN);
 856                 ret = compare_pkt_data(rx_pkts_burst[i],
 857                                        vector->full_pkt->data,
 858                                        vector->full_pkt->len);
 859                 if (ret != TEST_SUCCESS)
 860                         break;
 861         }
 862
 863 out:
 864         destroy_default_flow(port_id);
 865
 866         /* Clear session data. */
 867         for (i = 0; i < burst_sz; i++) {
 868                 if (out_ses[i])
 869                         rte_security_session_destroy(ctx, out_ses[i]);
 870                 if (in_ses[i])
 871                         rte_security_session_destroy(ctx, in_ses[i]);
 872         }
 873
 874         for (i = nb_sent; i < nb_tx; i++)
 875                 free_mbuf(tx_pkts_burst[i]);
 876         for (i = 0; i < nb_rx; i++)
 877                 free_mbuf(rx_pkts_burst[i]);
 878         return ret;
 879 }
 880
 881 static int
 882 test_ipsec_inline_proto_process(struct ipsec_test_data *td,
 883                 struct ipsec_test_data *res_d,
 884                 int nb_pkts,
 885                 bool silent,
 886                 const struct ipsec_test_flags *flags)
 887 {
 888         struct rte_security_session_conf sess_conf = {0};
 889         struct rte_crypto_sym_xform cipher = {0};
 890         struct rte_crypto_sym_xform auth = {0};
 891         struct rte_crypto_sym_xform aead = {0};
 892         struct rte_security_session *ses;
 893         struct rte_security_ctx *ctx;
 894         int nb_rx = 0, nb_sent;
 895         uint32_t ol_flags;
 896         int i, j = 0, ret;
 897
 898         memset(rx_pkts_burst, 0, sizeof(rx_pkts_burst[0]) * nb_pkts);
 899
 900         if (td->aead) {
 901                 sess_conf.crypto_xform = &aead;
 902         } else {
 903                 if (td->ipsec_xform.direction ==
 904                                 RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 905                         sess_conf.crypto_xform = &cipher;
 906                         sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 907                         sess_conf.crypto_xform->next = &auth;
 908                         sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_AUTH;
 909                 } else {
 910                         sess_conf.crypto_xform = &auth;
 911                         sess_conf.crypto_xform->type = RTE_CRYPTO_SYM_XFORM_AUTH;
 912                         sess_conf.crypto_xform->next = &cipher;
 913                         sess_conf.crypto_xform->next->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
 914                 }
 915         }
 916
 917         /* Create Inline IPsec session. */
 918         ret = create_inline_ipsec_session(td, port_id, &ses, &ctx,
 919                                           &ol_flags, flags, &sess_conf);
 920         if (ret)
 921                 return ret;
 922
 923         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
 924                 ret = create_default_flow(port_id);
 925                 if (ret)
 926                         goto out;
 927         }
 928         for (i = 0; i < nb_pkts; i++) {
 929                 tx_pkts_burst[i] = init_packet(mbufpool, td->input_text.data,
 930                                                 td->input_text.len);
 931                 if (tx_pkts_burst[i] == NULL) {
 932                         while (i--)
 933                                 rte_pktmbuf_free(tx_pkts_burst[i]);
 934                         ret = TEST_FAILED;
 935                         goto out;
 936                 }
 937
 938                 if (test_ipsec_pkt_update(rte_pktmbuf_mtod_offset(tx_pkts_burst[i],
 939                                         uint8_t *, RTE_ETHER_HDR_LEN), flags)) {
 940                         while (i--)
 941                                 rte_pktmbuf_free(tx_pkts_burst[i]);
 942                         ret = TEST_FAILED;
 943                         goto out;
 944                 }
 945
 946                 if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 947                         if (ol_flags & RTE_SECURITY_TX_OLOAD_NEED_MDATA)
 948                                 rte_security_set_pkt_metadata(ctx, ses,
 949                                                 tx_pkts_burst[i], NULL);
 950                         tx_pkts_burst[i]->ol_flags |= RTE_MBUF_F_TX_SEC_OFFLOAD;
 951                 }
 952         }
 953         /* Send packet to ethdev for inline IPsec processing. */
 954         nb_sent = rte_eth_tx_burst(port_id, 0, tx_pkts_burst, nb_pkts);
 955         if (nb_sent != nb_pkts) {
 956                 printf("\nUnable to TX %d packets", nb_pkts);
 957                 for ( ; nb_sent < nb_pkts; nb_sent++)
 958                         rte_pktmbuf_free(tx_pkts_burst[nb_sent]);
 959                 ret = TEST_FAILED;
 960                 goto out;
 961         }
 962
 963         rte_pause();
 964
 965         /* Receive back packet on loopback interface. */
 966         do {
 967                 rte_delay_ms(1);
 968                 nb_rx += rte_eth_rx_burst(port_id, 0, &rx_pkts_burst[nb_rx],
 969                                 nb_sent - nb_rx);
 970                 if (nb_rx >= nb_sent)
 971                         break;
 972         } while (j++ < 5 || nb_rx == 0);
 973
 974         if (nb_rx != nb_sent) {
 975                 printf("\nUnable to RX all %d packets", nb_sent);
 976                 while (--nb_rx)
 977                         rte_pktmbuf_free(rx_pkts_burst[nb_rx]);
 978                 ret = TEST_FAILED;
 979                 goto out;
 980         }
 981
 982         for (i = 0; i < nb_rx; i++) {
 983                 rte_pktmbuf_adj(rx_pkts_burst[i], RTE_ETHER_HDR_LEN);
 984
 985                 ret = test_ipsec_post_process(rx_pkts_burst[i], td,
 986                                               res_d, silent, flags);
 987                 if (ret != TEST_SUCCESS) {
 988                         for ( ; i < nb_rx; i++)
 989                                 rte_pktmbuf_free(rx_pkts_burst[i]);
 990                         goto out;
 991                 }
 992
 993                 ret = test_ipsec_stats_verify(ctx, ses, flags,
 994                                         td->ipsec_xform.direction);
 995                 if (ret != TEST_SUCCESS) {
 996                         for ( ; i < nb_rx; i++)
 997                                 rte_pktmbuf_free(rx_pkts_burst[i]);
 998                         goto out;
 999                 }
1000
1001                 rte_pktmbuf_free(rx_pkts_burst[i]);
1002                 rx_pkts_burst[i] = NULL;
1003         }
1004
1005 out:
1006         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
1007                 destroy_default_flow(port_id);
1008
1009         /* Destroy session so that other cases can create the session again */
1010         rte_security_session_destroy(ctx, ses);
1011         ses = NULL;
1012
1013         return ret;
1014 }
1015
1016 static int
1017 test_ipsec_inline_proto_all(const struct ipsec_test_flags *flags)
1018 {
1019         struct ipsec_test_data td_outb;
1020         struct ipsec_test_data td_inb;
1021         unsigned int i, nb_pkts = 1, pass_cnt = 0, fail_cnt = 0;
1022         int ret;
1023
1024         if (flags->iv_gen || flags->sa_expiry_pkts_soft ||
1025                         flags->sa_expiry_pkts_hard)
1026                 nb_pkts = IPSEC_TEST_PACKETS_MAX;
1027
1028         for (i = 0; i < RTE_DIM(alg_list); i++) {
1029                 test_ipsec_td_prepare(alg_list[i].param1,
1030                                       alg_list[i].param2,
1031                                       flags, &td_outb, 1);
1032
1033                 if (!td_outb.aead) {
1034                         enum rte_crypto_cipher_algorithm cipher_alg;
1035                         enum rte_crypto_auth_algorithm auth_alg;
1036
1037                         cipher_alg = td_outb.xform.chain.cipher.cipher.algo;
1038                         auth_alg = td_outb.xform.chain.auth.auth.algo;
1039
1040                         if (td_outb.aes_gmac && cipher_alg != RTE_CRYPTO_CIPHER_NULL)
1041                                 continue;
1042
1043                         /* ICV is not applicable for NULL auth */
1044                         if (flags->icv_corrupt &&
1045                             auth_alg == RTE_CRYPTO_AUTH_NULL)
1046                                 continue;
1047
1048                         /* IV is not applicable for NULL cipher */
1049                         if (flags->iv_gen &&
1050                             cipher_alg == RTE_CRYPTO_CIPHER_NULL)
1051                                 continue;
1052                 }
1053
1054                 if (flags->udp_encap)
1055                         td_outb.ipsec_xform.options.udp_encap = 1;
1056
1057                 ret = test_ipsec_inline_proto_process(&td_outb, &td_inb, nb_pkts,
1058                                                 false, flags);
1059                 if (ret == TEST_SKIPPED)
1060                         continue;
1061
1062                 if (ret == TEST_FAILED) {
1063                         printf("\n TEST FAILED");
1064                         test_ipsec_display_alg(alg_list[i].param1,
1065                                                alg_list[i].param2);
1066                         fail_cnt++;
1067                         continue;
1068                 }
1069
1070                 test_ipsec_td_update(&td_inb, &td_outb, 1, flags);
1071
1072                 ret = test_ipsec_inline_proto_process(&td_inb, NULL, nb_pkts,
1073                                                 false, flags);
1074                 if (ret == TEST_SKIPPED)
1075                         continue;
1076
1077                 if (ret == TEST_FAILED) {
1078                         printf("\n TEST FAILED");
1079                         test_ipsec_display_alg(alg_list[i].param1,
1080                                                alg_list[i].param2);
1081                         fail_cnt++;
1082                         continue;
1083                 }
1084
1085                 if (flags->display_alg)
1086                         test_ipsec_display_alg(alg_list[i].param1,
1087                                                alg_list[i].param2);
1088
1089                 pass_cnt++;
1090         }
1091
1092         printf("Tests passed: %d, failed: %d", pass_cnt, fail_cnt);
1093         if (fail_cnt > 0)
1094                 return TEST_FAILED;
1095         if (pass_cnt > 0)
1096                 return TEST_SUCCESS;
1097         else
1098                 return TEST_SKIPPED;
1099 }
1100
1101
1102 static int
1103 ut_setup_inline_ipsec(void)
1104 {
1105         int ret;
1106
1107         /* Start device */
1108         ret = rte_eth_dev_start(port_id);
1109         if (ret < 0) {
1110                 printf("rte_eth_dev_start: err=%d, port=%d\n",
1111                         ret, port_id);
1112                 return ret;
1113         }
1114         /* always enable promiscuous */
1115         ret = rte_eth_promiscuous_enable(port_id);
1116         if (ret != 0) {
1117                 printf("rte_eth_promiscuous_enable: err=%s, port=%d\n",
1118                         rte_strerror(-ret), port_id);
1119                 return ret;
1120         }
1121
1122         check_all_ports_link_status(1, RTE_PORT_ALL);
1123
1124         return 0;
1125 }
1126
1127 static void
1128 ut_teardown_inline_ipsec(void)
1129 {
1130         struct rte_eth_ip_reassembly_params reass_conf = {0};
1131         uint16_t portid;
1132         int ret;
1133
1134         /* port tear down */
1135         RTE_ETH_FOREACH_DEV(portid) {
1136                 ret = rte_eth_dev_stop(portid);
1137                 if (ret != 0)
1138                         printf("rte_eth_dev_stop: err=%s, port=%u\n",
1139                                rte_strerror(-ret), portid);
1140
1141                 /* Clear reassembly configuration */
1142                 rte_eth_ip_reassembly_conf_set(portid, &reass_conf);
1143         }
1144 }
1145
1146 static int
1147 inline_ipsec_testsuite_setup(void)
1148 {
1149         uint16_t nb_rxd;
1150         uint16_t nb_txd;
1151         uint16_t nb_ports;
1152         int ret;
1153         uint16_t nb_rx_queue = 1, nb_tx_queue = 1;
1154
1155         printf("Start inline IPsec test.\n");
1156
1157         nb_ports = rte_eth_dev_count_avail();
1158         if (nb_ports < NB_ETHPORTS_USED) {
1159                 printf("At least %u port(s) used for test\n",
1160                        NB_ETHPORTS_USED);
1161                 return TEST_SKIPPED;
1162         }
1163
1164         ret = init_mempools(NB_MBUF);
1165         if (ret)
1166                 return ret;
1167
1168         if (tx_pkts_burst == NULL) {
1169                 tx_pkts_burst = (struct rte_mbuf **)rte_calloc("tx_buff",
1170                                           MAX_TRAFFIC_BURST,
1171                                           sizeof(void *),
1172                                           RTE_CACHE_LINE_SIZE);
1173                 if (!tx_pkts_burst)
1174                         return TEST_FAILED;
1175
1176                 rx_pkts_burst = (struct rte_mbuf **)rte_calloc("rx_buff",
1177                                           MAX_TRAFFIC_BURST,
1178                                           sizeof(void *),
1179                                           RTE_CACHE_LINE_SIZE);
1180                 if (!rx_pkts_burst)
1181                         return TEST_FAILED;
1182         }
1183
1184         printf("Generate %d packets\n", MAX_TRAFFIC_BURST);
1185
1186         nb_rxd = RTE_TEST_RX_DESC_DEFAULT;
1187         nb_txd = RTE_TEST_TX_DESC_DEFAULT;
1188
1189         /* configuring port 0 for the test is enough */
1190         port_id = 0;
1191         /* port configure */
1192         ret = rte_eth_dev_configure(port_id, nb_rx_queue,
1193                                     nb_tx_queue, &port_conf);
1194         if (ret < 0) {
1195                 printf("Cannot configure device: err=%d, port=%d\n",
1196                          ret, port_id);
1197                 return ret;
1198         }
1199         ret = rte_eth_macaddr_get(port_id, &ports_eth_addr[port_id]);
1200         if (ret < 0) {
1201                 printf("Cannot get mac address: err=%d, port=%d\n",
1202                          ret, port_id);
1203                 return ret;
1204         }
1205         printf("Port %u ", port_id);
1206         print_ethaddr("Address:", &ports_eth_addr[port_id]);
1207         printf("\n");
1208
1209         /* tx queue setup */
1210         ret = rte_eth_tx_queue_setup(port_id, 0, nb_txd,
1211                                      SOCKET_ID_ANY, &tx_conf);
1212         if (ret < 0) {
1213                 printf("rte_eth_tx_queue_setup: err=%d, port=%d\n",
1214                                 ret, port_id);
1215                 return ret;
1216         }
1217         /* rx queue steup */
1218         ret = rte_eth_rx_queue_setup(port_id, 0, nb_rxd, SOCKET_ID_ANY,
1219                                      &rx_conf, mbufpool);
1220         if (ret < 0) {
1221                 printf("rte_eth_rx_queue_setup: err=%d, port=%d\n",
1222                                 ret, port_id);
1223                 return ret;
1224         }
1225         test_ipsec_alg_list_populate();
1226
1227         return 0;
1228 }
1229
1230 static void
1231 inline_ipsec_testsuite_teardown(void)
1232 {
1233         uint16_t portid;
1234         int ret;
1235
1236         /* port tear down */
1237         RTE_ETH_FOREACH_DEV(portid) {
1238                 ret = rte_eth_dev_reset(portid);
1239                 if (ret != 0)
1240                         printf("rte_eth_dev_reset: err=%s, port=%u\n",
1241                                rte_strerror(-ret), port_id);
1242         }
1243 }
1244
1245 static int
1246 test_inline_ip_reassembly(const void *testdata)
1247 {
1248         struct reassembly_vector reassembly_td = {0};
1249         const struct reassembly_vector *td = testdata;
1250         struct ip_reassembly_test_packet full_pkt;
1251         struct ip_reassembly_test_packet frags[MAX_FRAGS];
1252         struct ipsec_test_flags flags = {0};
1253         int i = 0;
1254
1255         reassembly_td.sa_data = td->sa_data;
1256         reassembly_td.nb_frags = td->nb_frags;
1257         reassembly_td.burst = td->burst;
1258
1259         memcpy(&full_pkt, td->full_pkt,
1260                         sizeof(struct ip_reassembly_test_packet));
1261         reassembly_td.full_pkt = &full_pkt;
1262
1263         test_vector_payload_populate(reassembly_td.full_pkt, true);
1264         for (; i < reassembly_td.nb_frags; i++) {
1265                 memcpy(&frags[i], td->frags[i],
1266                         sizeof(struct ip_reassembly_test_packet));
1267                 reassembly_td.frags[i] = &frags[i];
1268                 test_vector_payload_populate(reassembly_td.frags[i],
1269                                 (i == 0) ? true : false);
1270         }
1271
1272         return test_ipsec_with_reassembly(&reassembly_td, &flags);
1273 }
1274
1275 static int
1276 test_ipsec_inline_proto_known_vec(const void *test_data)
1277 {
1278         struct ipsec_test_data td_outb;
1279         struct ipsec_test_flags flags;
1280
1281         memset(&flags, 0, sizeof(flags));
1282
1283         memcpy(&td_outb, test_data, sizeof(td_outb));
1284
1285         if (td_outb.aead ||
1286             td_outb.xform.chain.cipher.cipher.algo != RTE_CRYPTO_CIPHER_NULL) {
1287                 /* Disable IV gen to be able to test with known vectors */
1288                 td_outb.ipsec_xform.options.iv_gen_disable = 1;
1289         }
1290
1291         return test_ipsec_inline_proto_process(&td_outb, NULL, 1,
1292                                 false, &flags);
1293 }
1294
1295 static int
1296 test_ipsec_inline_proto_known_vec_inb(const void *test_data)
1297 {
1298         const struct ipsec_test_data *td = test_data;
1299         struct ipsec_test_flags flags;
1300         struct ipsec_test_data td_inb;
1301
1302         memset(&flags, 0, sizeof(flags));
1303
1304         if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
1305                 test_ipsec_td_in_from_out(td, &td_inb);
1306         else
1307                 memcpy(&td_inb, td, sizeof(td_inb));
1308
1309         return test_ipsec_inline_proto_process(&td_inb, NULL, 1, false, &flags);
1310 }
1311
1312 static int
1313 test_ipsec_inline_proto_display_list(const void *data __rte_unused)
1314 {
1315         struct ipsec_test_flags flags;
1316
1317         memset(&flags, 0, sizeof(flags));
1318
1319         flags.display_alg = true;
1320
1321         return test_ipsec_inline_proto_all(&flags);
1322 }
1323
1324 static struct unit_test_suite inline_ipsec_testsuite  = {
1325         .suite_name = "Inline IPsec Ethernet Device Unit Test Suite",
1326         .setup = inline_ipsec_testsuite_setup,
1327         .teardown = inline_ipsec_testsuite_teardown,
1328         .unit_test_cases = {
1329                 TEST_CASE_NAMED_WITH_DATA(
1330                         "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
1331                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1332                         test_ipsec_inline_proto_known_vec, &pkt_aes_128_gcm),
1333                 TEST_CASE_NAMED_WITH_DATA(
1334                         "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
1335                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1336                         test_ipsec_inline_proto_known_vec, &pkt_aes_192_gcm),
1337                 TEST_CASE_NAMED_WITH_DATA(
1338                         "Outbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
1339                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1340                         test_ipsec_inline_proto_known_vec, &pkt_aes_256_gcm),
1341                 TEST_CASE_NAMED_WITH_DATA(
1342                         "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])",
1343                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1344                         test_ipsec_inline_proto_known_vec,
1345                         &pkt_aes_128_cbc_hmac_sha256),
1346                 TEST_CASE_NAMED_WITH_DATA(
1347                         "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])",
1348                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1349                         test_ipsec_inline_proto_known_vec,
1350                         &pkt_aes_128_cbc_hmac_sha384),
1351                 TEST_CASE_NAMED_WITH_DATA(
1352                         "Outbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])",
1353                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1354                         test_ipsec_inline_proto_known_vec,
1355                         &pkt_aes_128_cbc_hmac_sha512),
1356                 TEST_CASE_NAMED_WITH_DATA(
1357                         "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)",
1358                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1359                         test_ipsec_inline_proto_known_vec, &pkt_aes_256_gcm_v6),
1360                 TEST_CASE_NAMED_WITH_DATA(
1361                         "Outbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])",
1362                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1363                         test_ipsec_inline_proto_known_vec,
1364                         &pkt_aes_128_cbc_hmac_sha256_v6),
1365                 TEST_CASE_NAMED_WITH_DATA(
1366                         "Outbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])",
1367                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1368                         test_ipsec_inline_proto_known_vec,
1369                         &pkt_null_aes_xcbc),
1370                 TEST_CASE_NAMED_WITH_DATA(
1371                         "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
1372                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1373                         test_ipsec_inline_proto_known_vec_inb, &pkt_aes_128_gcm),
1374                 TEST_CASE_NAMED_WITH_DATA(
1375                         "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 192)",
1376                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1377                         test_ipsec_inline_proto_known_vec_inb, &pkt_aes_192_gcm),
1378                 TEST_CASE_NAMED_WITH_DATA(
1379                         "Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
1380                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1381                         test_ipsec_inline_proto_known_vec_inb, &pkt_aes_256_gcm),
1382                 TEST_CASE_NAMED_WITH_DATA(
1383                         "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)",
1384                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1385                         test_ipsec_inline_proto_known_vec_inb, &pkt_aes_128_cbc_null),
1386                 TEST_CASE_NAMED_WITH_DATA(
1387                         "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA256 [16B ICV])",
1388                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1389                         test_ipsec_inline_proto_known_vec_inb,
1390                         &pkt_aes_128_cbc_hmac_sha256),
1391                 TEST_CASE_NAMED_WITH_DATA(
1392                         "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA384 [24B ICV])",
1393                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1394                         test_ipsec_inline_proto_known_vec_inb,
1395                         &pkt_aes_128_cbc_hmac_sha384),
1396                 TEST_CASE_NAMED_WITH_DATA(
1397                         "Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128 HMAC-SHA512 [32B ICV])",
1398                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1399                         test_ipsec_inline_proto_known_vec_inb,
1400                         &pkt_aes_128_cbc_hmac_sha512),
1401                 TEST_CASE_NAMED_WITH_DATA(
1402                         "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)",
1403                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1404                         test_ipsec_inline_proto_known_vec_inb, &pkt_aes_256_gcm_v6),
1405                 TEST_CASE_NAMED_WITH_DATA(
1406                         "Inbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])",
1407                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1408                         test_ipsec_inline_proto_known_vec_inb,
1409                         &pkt_aes_128_cbc_hmac_sha256_v6),
1410                 TEST_CASE_NAMED_WITH_DATA(
1411                         "Inbound known vector (ESP tunnel mode IPv4 NULL AES-XCBC-MAC [12B ICV])",
1412                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1413                         test_ipsec_inline_proto_known_vec_inb,
1414                         &pkt_null_aes_xcbc),
1415
1416                 TEST_CASE_NAMED_ST(
1417                         "Combined test alg list",
1418                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1419                         test_ipsec_inline_proto_display_list),
1420
1421                 TEST_CASE_NAMED_WITH_DATA(
1422                         "IPv4 Reassembly with 2 fragments",
1423                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1424                         test_inline_ip_reassembly, &ipv4_2frag_vector),
1425                 TEST_CASE_NAMED_WITH_DATA(
1426                         "IPv6 Reassembly with 2 fragments",
1427                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1428                         test_inline_ip_reassembly, &ipv6_2frag_vector),
1429                 TEST_CASE_NAMED_WITH_DATA(
1430                         "IPv4 Reassembly with 4 fragments",
1431                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1432                         test_inline_ip_reassembly, &ipv4_4frag_vector),
1433                 TEST_CASE_NAMED_WITH_DATA(
1434                         "IPv6 Reassembly with 4 fragments",
1435                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1436                         test_inline_ip_reassembly, &ipv6_4frag_vector),
1437                 TEST_CASE_NAMED_WITH_DATA(
1438                         "IPv4 Reassembly with 5 fragments",
1439                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1440                         test_inline_ip_reassembly, &ipv4_5frag_vector),
1441                 TEST_CASE_NAMED_WITH_DATA(
1442                         "IPv6 Reassembly with 5 fragments",
1443                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1444                         test_inline_ip_reassembly, &ipv6_5frag_vector),
1445                 TEST_CASE_NAMED_WITH_DATA(
1446                         "IPv4 Reassembly with incomplete fragments",
1447                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1448                         test_inline_ip_reassembly, &ipv4_incomplete_vector),
1449                 TEST_CASE_NAMED_WITH_DATA(
1450                         "IPv4 Reassembly with overlapping fragments",
1451                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1452                         test_inline_ip_reassembly, &ipv4_overlap_vector),
1453                 TEST_CASE_NAMED_WITH_DATA(
1454                         "IPv4 Reassembly with out of order fragments",
1455                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1456                         test_inline_ip_reassembly, &ipv4_out_of_order_vector),
1457                 TEST_CASE_NAMED_WITH_DATA(
1458                         "IPv4 Reassembly with burst of 4 fragments",
1459                         ut_setup_inline_ipsec, ut_teardown_inline_ipsec,
1460                         test_inline_ip_reassembly, &ipv4_4frag_burst_vector),
1461
1462                 TEST_CASES_END() /**< NULL terminate unit test array */
1463         },
1464 };
1465
1466
1467 static int
1468 test_inline_ipsec(void)
1469 {
1470         return unit_test_suite_runner(&inline_ipsec_testsuite);
1471 }
1472
1473 #endif /* !RTE_EXEC_ENV_WINDOWS */
1474
1475 REGISTER_TEST_COMMAND(inline_ipsec_autotest, test_inline_ipsec);