#define IV_LEN_MAX 16
-extern struct ipsec_test_data pkt_aes_256_gcm;
+struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
+ (RTE_DIM(cipher_list) *
+ RTE_DIM(auth_list))];
+
+static bool
+is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt)
+{
+ /* The IP version number must be 4 */
+ if (((pkt->version_ihl) >> 4) != 4)
+ return false;
+ /*
+ * The IP header length field must be large enough to hold the
+ * minimum length legal IP datagram (20 bytes = 5 words).
+ */
+ if ((pkt->version_ihl & 0xf) < 5)
+ return false;
+
+ /*
+ * The IP total length field must be large enough to hold the IP
+ * datagram header, whose length is specified in the IP header length
+ * field.
+ */
+ if (rte_cpu_to_be_16(pkt->total_length) < sizeof(struct rte_ipv4_hdr))
+ return false;
+
+ return true;
+}
+
+static bool
+is_valid_ipv6_pkt(const struct rte_ipv6_hdr *pkt)
+{
+ /* The IP version number must be 6 */
+ if ((rte_be_to_cpu_32((pkt->vtc_flow)) >> 28) != 6)
+ return false;
+
+ return true;
+}
+
+void
+test_ipsec_alg_list_populate(void)
+{
+ unsigned long i, j, index = 0;
+
+ for (i = 0; i < RTE_DIM(aead_list); i++) {
+ alg_list[index].param1 = &aead_list[i];
+ alg_list[index].param2 = NULL;
+ index++;
+ }
+
+ for (i = 0; i < RTE_DIM(cipher_list); i++) {
+ for (j = 0; j < RTE_DIM(auth_list); j++) {
+ alg_list[index].param1 = &cipher_list[i];
+ alg_list[index].param2 = &auth_list[j];
+ index++;
+ }
+ }
+}
int
test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
for (i = 0; i < nb_td; i++) {
td = &td_array[i];
- /* Copy template for packet & key fields */
- memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
- /* Override fields based on param */
+ /* Prepare fields based on param */
+
+ if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ /* Copy template for packet & key fields */
+ if (flags->ipv6)
+ memcpy(td, &pkt_aes_256_gcm_v6, sizeof(*td));
+ else
+ memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
- if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
td->aead = true;
- else
+ td->xform.aead.aead.algo = param1->alg.aead;
+ td->xform.aead.aead.key.length = param1->key_length;
+ } else {
+ /* Copy template for packet & key fields */
+ if (flags->ipv6)
+ memcpy(td, &pkt_aes_128_cbc_hmac_sha256_v6,
+ sizeof(*td));
+ else
+ memcpy(td, &pkt_aes_128_cbc_hmac_sha256,
+ sizeof(*td));
+
td->aead = false;
+ td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
+ td->xform.chain.cipher.cipher.key.length =
+ param1->key_length;
+ td->xform.chain.auth.auth.algo = param2->alg.auth;
+ td->xform.chain.auth.auth.key.length =
+ param2->key_length;
+ td->xform.chain.auth.auth.digest_length =
+ param2->digest_length;
- td->xform.aead.aead.algo = param1->alg.aead;
- td->xform.aead.aead.key.length = param1->key_length;
+ }
if (flags->iv_gen)
td->ipsec_xform.options.iv_gen_disable = 0;
test_ipsec_csum_init(&td->input_text.data, false, true);
}
- }
+ if (flags->transport) {
+ td->ipsec_xform.mode =
+ RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT;
+ } else {
+ td->ipsec_xform.mode =
+ RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
+
+ if (flags->tunnel_ipv6)
+ td->ipsec_xform.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6;
+ else
+ td->ipsec_xform.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4;
+ }
- RTE_SET_USED(param2);
+ if (flags->stats_success)
+ td->ipsec_xform.options.stats = 1;
+
+ if (flags->fragment) {
+ struct rte_ipv4_hdr *ip;
+ ip = (struct rte_ipv4_hdr *)&td->input_text.data;
+ ip->fragment_offset = 4;
+ ip->hdr_checksum = rte_ipv4_cksum(ip);
+ }
+
+ }
}
void
test_ipsec_display_alg(const struct crypto_param *param1,
const struct crypto_param *param2)
{
- if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD)
- printf("\t%s [%d]\n",
+ if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
+ printf("\t%s [%d]",
rte_crypto_aead_algorithm_strings[param1->alg.aead],
- param1->key_length);
-
- RTE_SET_USED(param2);
+ param1->key_length * 8);
+ } else {
+ printf("\t%s",
+ rte_crypto_cipher_algorithm_strings[param1->alg.cipher]);
+ if (param1->alg.cipher != RTE_CRYPTO_CIPHER_NULL)
+ printf(" [%d]", param1->key_length * 8);
+ printf(" %s",
+ rte_crypto_auth_algorithm_strings[param2->alg.auth]);
+ if (param2->alg.auth != RTE_CRYPTO_AUTH_NULL)
+ printf(" [%dB ICV]", param2->digest_length);
+ }
+ printf("\n");
}
static int
return TEST_FAILED;
}
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) &&
+ flags->fragment) {
+ const struct rte_ipv4_hdr *iph4;
+ iph4 = (const struct rte_ipv4_hdr *)output_text;
+ if (iph4->fragment_offset) {
+ printf("Output packet is fragmented");
+ return TEST_FAILED;
+ }
+ }
+
skip = test_ipsec_tunnel_hdr_len_get(td);
len -= skip;
if (res_d->aead) {
res_d->xform.aead.aead.op = RTE_CRYPTO_AEAD_OP_DECRYPT;
} else {
- printf("Only AEAD supported\n");
- return TEST_SKIPPED;
+ res_d->xform.chain.cipher.cipher.op =
+ RTE_CRYPTO_CIPHER_OP_DECRYPT;
+ res_d->xform.chain.auth.auth.op = RTE_CRYPTO_AUTH_OP_VERIFY;
}
return TEST_SUCCESS;
struct ipsec_test_data *res_d, bool silent,
const struct ipsec_test_flags *flags)
{
+ uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
int ret;
- if (flags->iv_gen &&
- td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
- ret = test_ipsec_iv_verify_push(m, td);
- if (ret != TEST_SUCCESS)
- return ret;
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ const struct rte_ipv4_hdr *iph4;
+ const struct rte_ipv6_hdr *iph6;
+
+ if (flags->iv_gen) {
+ ret = test_ipsec_iv_verify_push(m, td);
+ if (ret != TEST_SUCCESS)
+ return ret;
+ }
+
+ iph4 = (const struct rte_ipv4_hdr *)output_text;
+
+ if (td->ipsec_xform.mode ==
+ RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) {
+ if (flags->ipv6) {
+ iph6 = (const struct rte_ipv6_hdr *)output_text;
+ if (is_valid_ipv6_pkt(iph6) == false) {
+ printf("Transport packet is not IPv6\n");
+ return TEST_FAILED;
+ }
+ } else {
+ if (is_valid_ipv4_pkt(iph4) == false) {
+ printf("Transport packet is not IPv4\n");
+ return TEST_FAILED;
+ }
+ }
+ } else {
+ if (td->ipsec_xform.tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ if (is_valid_ipv4_pkt(iph4) == false) {
+ printf("Tunnel outer header is not IPv4\n");
+ return TEST_FAILED;
+ }
+ } else {
+ iph6 = (const struct rte_ipv6_hdr *)output_text;
+ if (is_valid_ipv6_pkt(iph6) == false) {
+ printf("Tunnel outer header is not IPv6\n");
+ return TEST_FAILED;
+ }
+ }
+ }
}
/*
return ret;
}
+
+int
+test_ipsec_stats_verify(struct rte_security_ctx *ctx,
+ struct rte_security_session *sess,
+ const struct ipsec_test_flags *flags,
+ enum rte_security_ipsec_sa_direction dir)
+{
+ struct rte_security_stats stats = {0};
+ int ret = TEST_SUCCESS;
+
+ if (flags->stats_success) {
+ if (rte_security_session_stats_get(ctx, sess, &stats) < 0)
+ return TEST_FAILED;
+
+ if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ if (stats.ipsec.opackets != 1 ||
+ stats.ipsec.oerrors != 0)
+ ret = TEST_FAILED;
+ } else {
+ if (stats.ipsec.ipackets != 1 ||
+ stats.ipsec.ierrors != 0)
+ ret = TEST_FAILED;
+ }
+ }
+
+ return ret;
+}
git.droids-corp.org / dpdk.git / blobdiff