#define IV_LEN_MAX 16
+#ifndef IPVERSION
+#define IPVERSION 4
+#endif
+
struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
(RTE_DIM(cipher_list) *
RTE_DIM(auth_list))];
+struct crypto_param_comb ah_alg_list[2 * (RTE_DIM(auth_list) - 1)];
+
static bool
is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt)
{
}
}
+void
+test_ipsec_ah_alg_list_populate(void)
+{
+ unsigned long i, index = 0;
+
+ for (i = 1; i < RTE_DIM(auth_list); i++) {
+ ah_alg_list[index].param1 = &auth_list[i];
+ ah_alg_list[index].param2 = NULL;
+ index++;
+ }
+
+ for (i = 1; i < RTE_DIM(auth_list); i++) {
+ /* NULL cipher */
+ ah_alg_list[index].param1 = &cipher_list[0];
+
+ ah_alg_list[index].param2 = &auth_list[i];
+ index++;
+ }
+}
+
int
test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
const struct rte_security_capability *sec_cap,
return -ENOTSUP;
}
+ if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Replay window size is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
sizeof(*td));
td->aead = false;
- td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
- td->xform.chain.cipher.cipher.key.length =
- param1->key_length;
- td->xform.chain.auth.auth.algo = param2->alg.auth;
- td->xform.chain.auth.auth.key.length =
- param2->key_length;
- td->xform.chain.auth.auth.digest_length =
- param2->digest_length;
+ if (param1->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ td->xform.chain.auth.auth.algo =
+ param1->alg.auth;
+ td->xform.chain.auth.auth.key.length =
+ param1->key_length;
+ td->xform.chain.auth.auth.digest_length =
+ param1->digest_length;
+ td->auth_only = true;
+
+ if (td->xform.chain.auth.auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ td->xform.chain.auth.auth.iv.length =
+ param1->iv_length;
+ td->aes_gmac = true;
+ }
+ } else {
+ td->xform.chain.cipher.cipher.algo =
+ param1->alg.cipher;
+ td->xform.chain.cipher.cipher.key.length =
+ param1->key_length;
+ td->xform.chain.cipher.cipher.iv.length =
+ param1->iv_length;
+ td->xform.chain.auth.auth.algo =
+ param2->alg.auth;
+ td->xform.chain.auth.auth.key.length =
+ param2->key_length;
+ td->xform.chain.auth.auth.digest_length =
+ param2->digest_length;
+
+ if (td->xform.chain.auth.auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+ td->xform.chain.auth.auth.iv.length =
+ param2->iv_length;
+ td->aes_gmac = true;
+ }
+ }
+ }
+
+ if (flags->ah) {
+ td->ipsec_xform.proto =
+ RTE_SECURITY_IPSEC_SA_PROTO_AH;
}
if (flags->iv_gen)
ip->hdr_checksum = rte_ipv4_cksum(ip);
}
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
+ flags->df == TEST_IPSEC_COPY_DF_INNER_1)
+ td->ipsec_xform.options.copy_df = 1;
+
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
+ flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1)
+ td->ipsec_xform.options.copy_dscp = 1;
+
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1)
+ td->ipsec_xform.options.copy_flabel = 1;
+
+ if (flags->dec_ttl_or_hop_limit)
+ td->ipsec_xform.options.dec_ttl = 1;
}
}
printf("\t%s [%d]",
rte_crypto_aead_algorithm_strings[param1->alg.aead],
param1->key_length * 8);
+ } else if (param1->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ printf("\t%s",
+ rte_crypto_auth_algorithm_strings[param1->alg.auth]);
+ if (param1->alg.auth != RTE_CRYPTO_AUTH_NULL)
+ printf(" [%dB ICV]", param1->digest_length);
} else {
printf("\t%s",
rte_crypto_cipher_algorithm_strings[param1->alg.cipher]);
return TEST_SUCCESS;
}
+static int
+test_ipsec_ttl_or_hop_decrement_verify(void *received, void *expected)
+{
+ struct rte_ipv4_hdr *iph4_ex, *iph4_re;
+ struct rte_ipv6_hdr *iph6_ex, *iph6_re;
+
+ if (is_ipv4(received) && is_ipv4(expected)) {
+ iph4_ex = expected;
+ iph4_re = received;
+ iph4_ex->time_to_live -= 1;
+ if (iph4_re->time_to_live != iph4_ex->time_to_live)
+ return TEST_FAILED;
+ } else if (!is_ipv4(received) && !is_ipv4(expected)) {
+ iph6_ex = expected;
+ iph6_re = received;
+ iph6_ex->hop_limits -= 1;
+ if (iph6_re->hop_limits != iph6_ex->hop_limits)
+ return TEST_FAILED;
+ } else {
+ printf("IP header version miss match\n");
+ return TEST_FAILED;
+ }
+
+ return TEST_SUCCESS;
+}
+
static int
test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
bool silent, const struct ipsec_test_flags *flags)
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ uint8_t td_output_text[4096];
int ret;
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
(flags->icv_corrupt ||
flags->sa_expiry_pkts_hard ||
- flags->tunnel_hdr_verify))
+ flags->tunnel_hdr_verify ||
+ td->ar_packet))
return TEST_SUCCESS;
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
return ret;
}
+ memcpy(td_output_text, td->output_text.data + skip, len);
- if (memcmp(output_text, td->output_text.data + skip, len)) {
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->dec_ttl_or_hop_limit) {
+ if (test_ipsec_ttl_or_hop_decrement_verify(output_text, td_output_text)) {
+ printf("Inner TTL/hop limit decrement test failed\n");
+ return TEST_FAILED;
+ }
+ }
+
+ if (test_ipsec_pkt_update(td_output_text, flags)) {
+ printf("Could not update expected vector");
+ return TEST_FAILED;
+ }
+
+ if (memcmp(output_text, td_output_text, len)) {
if (silent)
return TEST_FAILED;
printf("TestCase %s line %d: %s\n", __func__, __LINE__,
"output text not as expected\n");
- rte_hexdump(stdout, "expected", td->output_text.data + skip,
- len);
+ rte_hexdump(stdout, "expected", td_output_text, len);
rte_hexdump(stdout, "actual", output_text, len);
return TEST_FAILED;
}
return TEST_SUCCESS;
}
+static int
+test_ipsec_iph4_hdr_validate(const struct rte_ipv4_hdr *iph4,
+ const struct ipsec_test_flags *flags)
+{
+ uint8_t tos, dscp;
+ uint16_t f_off;
+
+ if (!is_valid_ipv4_pkt(iph4)) {
+ printf("Tunnel outer header is not IPv4\n");
+ return -1;
+ }
+
+ if (flags->ah && iph4->next_proto_id != IPPROTO_AH) {
+ printf("Tunnel outer header proto is not AH\n");
+ return -1;
+ }
+
+ f_off = rte_be_to_cpu_16(iph4->fragment_offset);
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+ if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) {
+ printf("DF bit is not set\n");
+ return -1;
+ }
+ } else {
+ if (f_off & RTE_IPV4_HDR_DF_FLAG) {
+ printf("DF bit is set\n");
+ return -1;
+ }
+ }
+
+ tos = iph4->type_of_service;
+ dscp = (tos & RTE_IPV4_HDR_DSCP_MASK) >> 2;
+
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+ if (dscp != TEST_IPSEC_DSCP_VAL) {
+ printf("DSCP value is not matching [exp: %x, actual: %x]\n",
+ TEST_IPSEC_DSCP_VAL, dscp);
+ return -1;
+ }
+ } else {
+ if (dscp != 0) {
+ printf("DSCP value is set [exp: 0, actual: %x]\n",
+ dscp);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int
+test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6,
+ const struct ipsec_test_flags *flags)
+{
+ uint32_t vtc_flow;
+ uint32_t flabel;
+ uint8_t dscp;
+
+ if (!is_valid_ipv6_pkt(iph6)) {
+ printf("Tunnel outer header is not IPv6\n");
+ return -1;
+ }
+
+ vtc_flow = rte_be_to_cpu_32(iph6->vtc_flow);
+ dscp = (vtc_flow & RTE_IPV6_HDR_DSCP_MASK) >>
+ (RTE_IPV6_HDR_TC_SHIFT + 2);
+
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+ if (dscp != TEST_IPSEC_DSCP_VAL) {
+ printf("DSCP value is not matching [exp: %x, actual: %x]\n",
+ TEST_IPSEC_DSCP_VAL, dscp);
+ return -1;
+ }
+ } else {
+ if (dscp != 0) {
+ printf("DSCP value is set [exp: 0, actual: %x]\n",
+ dscp);
+ return -1;
+ }
+ }
+
+ flabel = vtc_flow & RTE_IPV6_HDR_FL_MASK;
+
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
+ if (flabel != TEST_IPSEC_FLABEL_VAL) {
+ printf("FLABEL value is not matching [exp: %x, actual: %x]\n",
+ TEST_IPSEC_FLABEL_VAL, flabel);
+ return -1;
+ }
+ } else {
+ if (flabel != 0) {
+ printf("FLABEL value is set [exp: 0, actual: %x]\n",
+ flabel);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
int
test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
struct ipsec_test_data *res_d, bool silent,
printf("Transport packet is not IPv4\n");
return TEST_FAILED;
}
+
+ if (flags->ah && iph4->next_proto_id != IPPROTO_AH) {
+ printf("Transport IPv4 header proto is not AH\n");
+ return -1;
+ }
}
} else {
if (td->ipsec_xform.tunnel.type ==
RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
- if (is_valid_ipv4_pkt(iph4) == false) {
- printf("Tunnel outer header is not IPv4\n");
+ if (test_ipsec_iph4_hdr_validate(iph4, flags))
return TEST_FAILED;
- }
} else {
iph6 = (const struct rte_ipv6_hdr *)output_text;
- if (is_valid_ipv6_pkt(iph6) == false) {
- printf("Tunnel outer header is not IPv6\n");
+ if (test_ipsec_iph6_hdr_validate(iph6, flags))
return TEST_FAILED;
- }
}
}
}
}
int
-test_ipsec_status_check(struct rte_crypto_op *op,
+test_ipsec_status_check(const struct ipsec_test_data *td,
+ struct rte_crypto_op *op,
const struct ipsec_test_flags *flags,
enum rte_security_ipsec_sa_direction dir,
int pkt_num)
{
int ret = TEST_SUCCESS;
+ if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ td->ar_packet) {
+ if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+ printf("Anti replay test case failed\n");
+ return TEST_FAILED;
+ } else {
+ return TEST_SUCCESS;
+ }
+ }
+
if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
flags->sa_expiry_pkts_hard &&
pkt_num == IPSEC_TEST_PACKETS_MAX) {
return ret;
}
+
+int
+test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
+{
+ struct rte_ipv4_hdr *iph4;
+ struct rte_ipv6_hdr *iph6;
+ bool cksum_dirty = false;
+
+ iph4 = (struct rte_ipv4_hdr *)pkt;
+
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_0_INNER_1 ||
+ flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
+ flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+ uint16_t frag_off;
+
+ if (!is_ipv4(iph4)) {
+ printf("Invalid packet type\n");
+ return -1;
+ }
+
+ frag_off = rte_be_to_cpu_16(iph4->fragment_offset);
+
+ if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+ flags->df == TEST_IPSEC_SET_DF_0_INNER_1)
+ frag_off |= RTE_IPV4_HDR_DF_FLAG;
+ else
+ frag_off &= ~RTE_IPV4_HDR_DF_FLAG;
+
+ iph4->fragment_offset = rte_cpu_to_be_16(frag_off);
+ cksum_dirty = true;
+ }
+
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1 ||
+ flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1 ||
+ flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_0 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_1_INNER_0) {
+
+ if (is_ipv4(iph4)) {
+ uint8_t tos;
+
+ tos = iph4->type_of_service;
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+ tos |= (RTE_IPV4_HDR_DSCP_MASK &
+ (TEST_IPSEC_DSCP_VAL << 2));
+ else
+ tos &= ~RTE_IPV4_HDR_DSCP_MASK;
+
+ iph4->type_of_service = tos;
+ cksum_dirty = true;
+ } else {
+ uint32_t vtc_flow;
+
+ iph6 = (struct rte_ipv6_hdr *)pkt;
+
+ vtc_flow = rte_be_to_cpu_32(iph6->vtc_flow);
+ if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+ flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+ vtc_flow |= (RTE_IPV6_HDR_DSCP_MASK &
+ (TEST_IPSEC_DSCP_VAL << (RTE_IPV6_HDR_TC_SHIFT + 2)));
+ else
+ vtc_flow &= ~RTE_IPV6_HDR_DSCP_MASK;
+
+ if (flags->flabel == TEST_IPSEC_COPY_FLABEL_INNER_1 ||
+ flags->flabel == TEST_IPSEC_SET_FLABEL_0_INNER_1)
+ vtc_flow |= (RTE_IPV6_HDR_FL_MASK &
+ (TEST_IPSEC_FLABEL_VAL << RTE_IPV6_HDR_FL_SHIFT));
+ else
+ vtc_flow &= ~RTE_IPV6_HDR_FL_MASK;
+
+ iph6->vtc_flow = rte_cpu_to_be_32(vtc_flow);
+ }
+ }
+
+ if (cksum_dirty && is_ipv4(iph4)) {
+ iph4->hdr_checksum = 0;
+ iph4->hdr_checksum = rte_ipv4_cksum(iph4);
+ }
+
+ return 0;
+}
git.droids-corp.org / dpdk.git / blobdiff