+ printf("Success: %d, Failure: %d\n", size + all_err, -all_err);
+
+ return (all_err == TEST_SUCCESS) ? TEST_SUCCESS : TEST_FAILED;
+}
+
+static int
+test_ipsec_proto_process(const struct ipsec_test_data td[],
+ struct ipsec_test_data res_d[],
+ int nb_td,
+ bool silent,
+ const struct ipsec_test_flags *flags)
+{
+ uint16_t v6_src[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000,
+ 0x0000, 0x001a};
+ uint16_t v6_dst[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174,
+ 0xe82c, 0x4887};
+ const struct rte_ipv4_hdr *ipv4 =
+ (const struct rte_ipv4_hdr *)td[0].output_text.data;
+ struct crypto_testsuite_params *ts_params = &testsuite_params;
+ struct crypto_unittest_params *ut_params = &unittest_params;
+ struct rte_security_capability_idx sec_cap_idx;
+ const struct rte_security_capability *sec_cap;
+ struct rte_security_ipsec_xform ipsec_xform;
+ uint8_t dev_id = ts_params->valid_devs[0];
+ enum rte_security_ipsec_sa_direction dir;
+ struct ipsec_test_data *res_d_tmp = NULL;
+ int salt_len, i, ret = TEST_SUCCESS;
+ struct rte_security_ctx *ctx;
+ uint8_t *input_text;
+ uint32_t src, dst;
+ uint32_t verify;
+
+ ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+ gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
+
+ /* Use first test data to create session */
+
+ /* Copy IPsec xform */
+ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
+
+ dir = ipsec_xform.direction;
+ verify = flags->tunnel_hdr_verify;
+
+ memcpy(&src, &ipv4->src_addr, sizeof(ipv4->src_addr));
+ memcpy(&dst, &ipv4->dst_addr, sizeof(ipv4->dst_addr));
+
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+ if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+ src += 1;
+ else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+ dst += 1;
+ }
+
+ if (td->ipsec_xform.mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
+ if (td->ipsec_xform.tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src,
+ sizeof(src));
+ memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst,
+ sizeof(dst));
+
+ if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1)
+ ipsec_xform.tunnel.ipv4.df = 0;
+
+ if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0)
+ ipsec_xform.tunnel.ipv4.df = 1;
+
+ if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+ ipsec_xform.tunnel.ipv4.dscp = 0;
+
+ if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
+ ipsec_xform.tunnel.ipv4.dscp =
+ TEST_IPSEC_DSCP_VAL;
+
+ } else {
+ if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+ ipsec_xform.tunnel.ipv6.dscp = 0;
+
+ if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
+ ipsec_xform.tunnel.ipv6.dscp =
+ TEST_IPSEC_DSCP_VAL;
+
+ memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src,
+ sizeof(v6_src));
+ memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst,
+ sizeof(v6_dst));
+ }
+ }
+
+ ctx = rte_cryptodev_get_sec_ctx(dev_id);
+
+ sec_cap_idx.action = ut_params->type;
+ sec_cap_idx.protocol = RTE_SECURITY_PROTOCOL_IPSEC;
+ sec_cap_idx.ipsec.proto = ipsec_xform.proto;
+ sec_cap_idx.ipsec.mode = ipsec_xform.mode;
+ sec_cap_idx.ipsec.direction = ipsec_xform.direction;
+
+ if (flags->udp_encap)
+ ipsec_xform.options.udp_encap = 1;
+
+ sec_cap = rte_security_capability_get(ctx, &sec_cap_idx);
+ if (sec_cap == NULL)
+ return TEST_SKIPPED;
+
+ /* Copy cipher session parameters */
+ if (td[0].aead) {
+ memcpy(&ut_params->aead_xform, &td[0].xform.aead,
+ sizeof(ut_params->aead_xform));
+ ut_params->aead_xform.aead.key.data = td[0].key.data;
+ ut_params->aead_xform.aead.iv.offset = IV_OFFSET;
+
+ /* Verify crypto capabilities */
+ if (test_ipsec_crypto_caps_aead_verify(
+ sec_cap,
+ &ut_params->aead_xform) != 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Crypto capabilities not supported\n");
+ return TEST_SKIPPED;
+ }
+ } else if (td[0].auth_only) {
+ memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth,
+ sizeof(ut_params->auth_xform));
+ ut_params->auth_xform.auth.key.data = td[0].auth_key.data;
+
+ if (test_ipsec_crypto_caps_auth_verify(
+ sec_cap,
+ &ut_params->auth_xform) != 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Auth crypto capabilities not supported\n");
+ return TEST_SKIPPED;
+ }
+ } else {
+ memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher,
+ sizeof(ut_params->cipher_xform));
+ memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth,
+ sizeof(ut_params->auth_xform));
+ ut_params->cipher_xform.cipher.key.data = td[0].key.data;
+ ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET;
+ ut_params->auth_xform.auth.key.data = td[0].auth_key.data;
+
+ /* Verify crypto capabilities */
+
+ if (test_ipsec_crypto_caps_cipher_verify(
+ sec_cap,
+ &ut_params->cipher_xform) != 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Cipher crypto capabilities not supported\n");
+ return TEST_SKIPPED;
+ }
+
+ if (test_ipsec_crypto_caps_auth_verify(
+ sec_cap,
+ &ut_params->auth_xform) != 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Auth crypto capabilities not supported\n");
+ return TEST_SKIPPED;
+ }
+ }
+
+ if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
+ return TEST_SKIPPED;
+
+ struct rte_security_session_conf sess_conf = {
+ .action_type = ut_params->type,
+ .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+ };
+
+ if (td[0].aead || td[0].aes_gmac) {
+ salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+ memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+ }
+
+ if (td[0].aead) {
+ sess_conf.ipsec = ipsec_xform;
+ sess_conf.crypto_xform = &ut_params->aead_xform;
+ } else if (td[0].auth_only) {
+ sess_conf.ipsec = ipsec_xform;
+ sess_conf.crypto_xform = &ut_params->auth_xform;
+ } else {
+ sess_conf.ipsec = ipsec_xform;
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ sess_conf.crypto_xform = &ut_params->cipher_xform;
+ ut_params->cipher_xform.next = &ut_params->auth_xform;
+ } else {
+ sess_conf.crypto_xform = &ut_params->auth_xform;
+ ut_params->auth_xform.next = &ut_params->cipher_xform;
+ }
+ }
+
+ /* Create security session */
+ ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
+ ts_params->session_mpool,
+ ts_params->session_priv_mpool);
+
+ if (ut_params->sec_session == NULL)
+ return TEST_SKIPPED;
+
+ for (i = 0; i < nb_td; i++) {
+ if (flags->antireplay &&
+ (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) {
+ sess_conf.ipsec.esn.value = td[i].ipsec_xform.esn.value;
+ ret = rte_security_session_update(ctx,
+ ut_params->sec_session, &sess_conf);
+ if (ret) {
+ printf("Could not update sequence number in "
+ "session\n");
+ return TEST_SKIPPED;
+ }
+ }
+
+ /* Setup source mbuf payload */
+ ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
+ memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
+ rte_pktmbuf_tailroom(ut_params->ibuf));
+
+ input_text = (uint8_t *)rte_pktmbuf_append(ut_params->ibuf,
+ td[i].input_text.len);
+
+ memcpy(input_text, td[i].input_text.data,
+ td[i].input_text.len);
+
+ if (test_ipsec_pkt_update(input_text, flags))
+ return TEST_FAILED;
+
+ /* Generate crypto op data structure */
+ ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool,
+ RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+ if (!ut_params->op) {
+ printf("TestCase %s line %d: %s\n",
+ __func__, __LINE__,
+ "failed to allocate crypto op");
+ ret = TEST_FAILED;
+ goto crypto_op_free;
+ }
+
+ /* Attach session to operation */
+ rte_security_attach_session(ut_params->op,
+ ut_params->sec_session);
+
+ /* Set crypto operation mbufs */
+ ut_params->op->sym->m_src = ut_params->ibuf;
+ ut_params->op->sym->m_dst = NULL;
+
+ /* Copy IV in crypto operation when IV generation is disabled */
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
+ ipsec_xform.options.iv_gen_disable == 1) {
+ uint8_t *iv = rte_crypto_op_ctod_offset(ut_params->op,
+ uint8_t *,
+ IV_OFFSET);
+ int len;
+
+ if (td[i].aead)
+ len = td[i].xform.aead.aead.iv.length;
+ else if (td[i].aes_gmac)
+ len = td[i].xform.chain.auth.auth.iv.length;
+ else
+ len = td[i].xform.chain.cipher.cipher.iv.length;
+
+ memcpy(iv, td[i].iv.data, len);
+ }
+
+ /* Process crypto operation */
+ process_crypto_request(dev_id, ut_params->op);
+
+ ret = test_ipsec_status_check(&td[i], ut_params->op, flags, dir,
+ i + 1);
+ if (ret != TEST_SUCCESS)
+ goto crypto_op_free;
+
+ if (res_d != NULL)
+ res_d_tmp = &res_d[i];
+
+ ret = test_ipsec_post_process(ut_params->ibuf, &td[i],
+ res_d_tmp, silent, flags);
+ if (ret != TEST_SUCCESS)
+ goto crypto_op_free;
+
+ ret = test_ipsec_stats_verify(ctx, ut_params->sec_session,
+ flags, dir);
+ if (ret != TEST_SUCCESS)
+ goto crypto_op_free;
+
+ rte_crypto_op_free(ut_params->op);
+ ut_params->op = NULL;
+
+ rte_pktmbuf_free(ut_params->ibuf);
+ ut_params->ibuf = NULL;
+ }
+
+crypto_op_free:
+ rte_crypto_op_free(ut_params->op);
+ ut_params->op = NULL;
+
+ rte_pktmbuf_free(ut_params->ibuf);
+ ut_params->ibuf = NULL;
+
+ if (ut_params->sec_session)
+ rte_security_session_destroy(ctx, ut_params->sec_session);
+ ut_params->sec_session = NULL;
+
+ return ret;
+}
+
+static int
+test_ipsec_proto_known_vec(const void *test_data)
+{
+ struct ipsec_test_data td_outb;
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ memcpy(&td_outb, test_data, sizeof(td_outb));
+
+ if (td_outb.aes_gmac || td_outb.aead ||
+ ((td_outb.ipsec_xform.proto != RTE_SECURITY_IPSEC_SA_PROTO_AH) &&
+ (td_outb.xform.chain.cipher.cipher.algo != RTE_CRYPTO_CIPHER_NULL))) {
+ /* Disable IV gen to be able to test with known vectors */
+ td_outb.ipsec_xform.options.iv_gen_disable = 1;
+ }
+
+ return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_known_vec_inb(const void *test_data)
+{
+ const struct ipsec_test_data *td = test_data;
+ struct ipsec_test_flags flags;
+ struct ipsec_test_data td_inb;
+
+ memset(&flags, 0, sizeof(flags));
+
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+ test_ipsec_td_in_from_out(td, &td_inb);
+ else
+ memcpy(&td_inb, td, sizeof(td_inb));
+
+ return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_known_vec_fragmented(const void *test_data)
+{
+ struct ipsec_test_data td_outb;
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+ flags.fragment = true;
+
+ memcpy(&td_outb, test_data, sizeof(td_outb));
+
+ /* Disable IV gen to be able to test with known vectors */
+ td_outb.ipsec_xform.options.iv_gen_disable = 1;
+
+ return test_ipsec_proto_process(&td_outb, NULL, 1, false, &flags);
+}
+
+static int
+test_ipsec_proto_all(const struct ipsec_test_flags *flags)
+{
+ struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+ unsigned int i, nb_pkts = 1, pass_cnt = 0;
+ int ret;
+
+ if (flags->iv_gen ||
+ flags->sa_expiry_pkts_soft ||
+ flags->sa_expiry_pkts_hard)
+ nb_pkts = IPSEC_TEST_PACKETS_MAX;
+
+ for (i = 0; i < RTE_DIM(alg_list); i++) {
+ test_ipsec_td_prepare(alg_list[i].param1,
+ alg_list[i].param2,
+ flags,
+ td_outb,
+ nb_pkts);
+
+ if (!td_outb->aead) {
+ enum rte_crypto_cipher_algorithm cipher_alg;
+ enum rte_crypto_auth_algorithm auth_alg;
+
+ cipher_alg = td_outb->xform.chain.cipher.cipher.algo;
+ auth_alg = td_outb->xform.chain.auth.auth.algo;
+
+ if (td_outb->aes_gmac && cipher_alg != RTE_CRYPTO_CIPHER_NULL)
+ continue;
+
+ /* ICV is not applicable for NULL auth */
+ if (flags->icv_corrupt &&
+ auth_alg == RTE_CRYPTO_AUTH_NULL)
+ continue;
+
+ /* IV is not applicable for NULL cipher */
+ if (flags->iv_gen &&
+ cipher_alg == RTE_CRYPTO_CIPHER_NULL)
+ continue;
+ }
+
+ ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+ ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ if (flags->display_alg)
+ test_ipsec_display_alg(alg_list[i].param1,
+ alg_list[i].param2);
+
+ pass_cnt++;
+ }
+
+ if (pass_cnt > 0)
+ return TEST_SUCCESS;
+ else
+ return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_ah_proto_all(const struct ipsec_test_flags *flags)
+{
+ struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+ unsigned int i, nb_pkts = 1, pass_cnt = 0;
+ int ret;
+
+ for (i = 0; i < RTE_DIM(ah_alg_list); i++) {
+ test_ipsec_td_prepare(ah_alg_list[i].param1,
+ ah_alg_list[i].param2,
+ flags,
+ td_outb,
+ nb_pkts);
+
+ ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+ ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ if (flags->display_alg)
+ test_ipsec_display_alg(ah_alg_list[i].param1,
+ ah_alg_list[i].param2);
+
+ pass_cnt++;
+ }
+
+ if (pass_cnt > 0)
+ return TEST_SUCCESS;
+ else
+ return TEST_SKIPPED;
+}
+
+static int
+test_ipsec_proto_display_list(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.display_alg = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ah_tunnel_ipv4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ah = true;
+ flags.display_alg = true;
+
+ return test_ipsec_ah_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ah_transport_ipv4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ah = true;
+ flags.transport = true;
+
+ return test_ipsec_ah_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_iv_gen(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.iv_gen = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_soft = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_sa_exp_pkts_hard(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.sa_expiry_pkts_hard = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.icv_corrupt = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_udp_encap(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.udp_encap = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.udp_encap = true;
+ flags.udp_ports_verify = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ip_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.l4_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v4_in_v4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = false;
+ flags.tunnel_ipv6 = false;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v6_in_v6(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v4_in_v6(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = false;
+ flags.tunnel_ipv6 = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = false;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_transport_v4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = false;
+ flags.transport = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_transport_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags = {
+ .l4_csum = true,
+ .transport = true,
+ };
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_stats(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.stats_success = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_pkt_fragment(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.fragment = true;
+
+ return test_ipsec_proto_all(&flags);
+
+}
+
+static int
+test_ipsec_proto_copy_df_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_COPY_DF_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_copy_df_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_COPY_DF_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_set_df_0_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_SET_DF_0_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.df = TEST_IPSEC_SET_DF_1_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_copy_dscp_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_copy_dscp_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_set_dscp_0_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ if (gbl_driver_id == rte_cryptodev_driver_id_get(
+ RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+ return TEST_SKIPPED;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_set_dscp_1_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ if (gbl_driver_id == rte_cryptodev_driver_id_get(
+ RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+ return TEST_SKIPPED;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_copy_dscp_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_copy_dscp_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_set_dscp_0_inner_1(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ if (gbl_driver_id == rte_cryptodev_driver_id_get(
+ RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+ return TEST_SKIPPED;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ if (gbl_driver_id == rte_cryptodev_driver_id_get(
+ RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+ return TEST_SKIPPED;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+ flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_pkt_replay(const void *test_data, const uint64_t esn[],
+ bool replayed_pkt[], uint32_t nb_pkts, bool esn_en,
+ uint64_t winsz)
+{
+ struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_flags flags;
+ uint32_t i = 0, ret = 0;
+
+ memset(&flags, 0, sizeof(flags));
+ flags.antireplay = true;
+
+ for (i = 0; i < nb_pkts; i++) {
+ memcpy(&td_outb[i], test_data, sizeof(td_outb[i]));
+ td_outb[i].ipsec_xform.options.iv_gen_disable = 1;
+ td_outb[i].ipsec_xform.replay_win_sz = winsz;
+ td_outb[i].ipsec_xform.options.esn = esn_en;
+ }
+
+ for (i = 0; i < nb_pkts; i++)
+ td_outb[i].ipsec_xform.esn.value = esn[i];
+
+ ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+ &flags);
+ if (ret != TEST_SUCCESS)
+ return ret;
+
+ test_ipsec_td_update(td_inb, td_outb, nb_pkts, &flags);
+
+ for (i = 0; i < nb_pkts; i++) {
+ td_inb[i].ipsec_xform.options.esn = esn_en;
+ /* Set antireplay flag for packets to be dropped */
+ td_inb[i].ar_packet = replayed_pkt[i];
+ }
+
+ ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+ &flags);
+
+ return ret;
+}
+
+static int
+test_ipsec_proto_pkt_antireplay(const void *test_data, uint64_t winsz)
+{
+
+ uint32_t nb_pkts = 5;
+ bool replayed_pkt[5];
+ uint64_t esn[5];
+
+ /* 1. Advance the TOP of the window to WS * 2 */
+ esn[0] = winsz * 2;
+ /* 2. Test sequence number within the new window(WS + 1) */
+ esn[1] = winsz + 1;
+ /* 3. Test sequence number less than the window BOTTOM */
+ esn[2] = winsz;
+ /* 4. Test sequence number in the middle of the window */
+ esn[3] = winsz + (winsz / 2);
+ /* 5. Test replay of the packet in the middle of the window */
+ esn[4] = winsz + (winsz / 2);
+
+ replayed_pkt[0] = false;
+ replayed_pkt[1] = false;
+ replayed_pkt[2] = true;
+ replayed_pkt[3] = false;
+ replayed_pkt[4] = true;
+
+ return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts,
+ false, winsz);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay1024(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 1024);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay2048(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 2048);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay4096(const void *test_data)
+{
+ return test_ipsec_proto_pkt_antireplay(test_data, 4096);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay(const void *test_data, uint64_t winsz)
+{
+
+ uint32_t nb_pkts = 7;
+ bool replayed_pkt[7];
+ uint64_t esn[7];
+
+ /* Set the initial sequence number */
+ esn[0] = (uint64_t)(0xFFFFFFFF - winsz);
+ /* 1. Advance the TOP of the window to (1<<32 + WS/2) */
+ esn[1] = (uint64_t)((1ULL << 32) + (winsz / 2));
+ /* 2. Test sequence number within new window (1<<32 + WS/2 + 1) */
+ esn[2] = (uint64_t)((1ULL << 32) - (winsz / 2) + 1);
+ /* 3. Test with sequence number within window (1<<32 - 1) */
+ esn[3] = (uint64_t)((1ULL << 32) - 1);
+ /* 4. Test with sequence number within window (1<<32 - 1) */
+ esn[4] = (uint64_t)(1ULL << 32);
+ /* 5. Test with duplicate sequence number within
+ * new window (1<<32 - 1)
+ */
+ esn[5] = (uint64_t)((1ULL << 32) - 1);
+ /* 6. Test with duplicate sequence number within new window (1<<32) */
+ esn[6] = (uint64_t)(1ULL << 32);
+
+ replayed_pkt[0] = false;
+ replayed_pkt[1] = false;
+ replayed_pkt[2] = false;
+ replayed_pkt[3] = false;
+ replayed_pkt[4] = false;
+ replayed_pkt[5] = true;
+ replayed_pkt[6] = true;