#include <rte_string_fns.h>
#include "fips_validation.h"
+#include "fips_dev_self_test.h"
#define REQ_FILE_PATH_KEYWORD "req-file"
#define RSP_FILE_PATH_KEYWORD "rsp-file"
#define FOLDER_KEYWORD "path-is-folder"
#define CRYPTODEV_KEYWORD "cryptodev"
#define CRYPTODEV_ID_KEYWORD "cryptodev-id"
+#define CRYPTODEV_ST_KEYWORD "self-test"
+#define CRYPTODEV_BK_ID_KEYWORD "broken-test-id"
+#define CRYPTODEV_BK_DIR_KEY "broken-test-dir"
+#define CRYPTODEV_ENC_KEYWORD "enc"
+#define CRYPTODEV_DEC_KEYWORD "dec"
struct fips_test_vector vec;
struct fips_test_interim_info info;
uint32_t is_path_folder;
uint32_t dev_id;
struct rte_mempool *mpool;
+ struct rte_mempool *sess_mpool;
+ struct rte_mempool *sess_priv_mpool;
struct rte_mempool *op_pool;
struct rte_mbuf *mbuf;
struct rte_crypto_op *op;
struct rte_cryptodev_sym_session *sess;
+ uint32_t self_test;
+ struct fips_dev_broken_test_config *broken_test_config;
} env;
static int
cryptodev_fips_validate_app_int(void)
{
struct rte_cryptodev_config conf = {rte_socket_id(), 1};
- struct rte_cryptodev_qp_conf qp_conf = {128};
+ struct rte_cryptodev_qp_conf qp_conf = {128, NULL, NULL};
+ uint32_t sess_sz = rte_cryptodev_sym_get_private_session_size(
+ env.dev_id);
int ret;
+ if (env.self_test) {
+ ret = fips_dev_self_test(env.dev_id, env.broken_test_config);
+ if (ret < 0) {
+ struct rte_cryptodev *cryptodev =
+ rte_cryptodev_pmd_get_dev(env.dev_id);
+
+ rte_cryptodev_pmd_destroy(cryptodev);
+
+ return ret;
+ }
+ }
+
ret = rte_cryptodev_configure(env.dev_id, &conf);
if (ret < 0)
return ret;
return ret;
ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
- rte_socket_id(), env.mpool);
+ rte_socket_id());
if (ret < 0)
return ret;
ret = -ENOMEM;
+ env.sess_mpool = rte_cryptodev_sym_session_pool_create(
+ "FIPS_SESS_MEMPOOL", 16, 0, 0, 0, rte_socket_id());
+ if (!env.sess_mpool)
+ goto error_exit;
+
+ env.sess_priv_mpool = rte_mempool_create("FIPS_SESS_PRIV_MEMPOOL",
+ 16, sess_sz, 0, 0, NULL, NULL, NULL,
+ NULL, rte_socket_id(), 0);
+ if (!env.sess_priv_mpool)
+ goto error_exit;
+
env.op_pool = rte_crypto_op_pool_create(
"FIPS_OP_POOL",
RTE_CRYPTO_OP_TYPE_SYMMETRIC,
if (!env.op)
goto error_exit;
+ qp_conf.mp_session = env.sess_mpool;
+ qp_conf.mp_session_private = env.sess_priv_mpool;
+
+ ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
+ rte_socket_id());
+ if (ret < 0)
+ goto error_exit;
+
return 0;
error_exit:
+
rte_mempool_free(env.mpool);
+ if (env.sess_mpool)
+ rte_mempool_free(env.sess_mpool);
+ if (env.sess_priv_mpool)
+ rte_mempool_free(env.sess_priv_mpool);
if (env.op_pool)
rte_mempool_free(env.op_pool);
rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
rte_cryptodev_sym_session_free(env.sess);
rte_mempool_free(env.mpool);
+ rte_mempool_free(env.sess_mpool);
+ rte_mempool_free(env.sess_priv_mpool);
rte_mempool_free(env.op_pool);
}
" --%s: RESPONSE-FILE-PATH\n"
" --%s: indicating both paths are folders\n"
" --%s: CRYPTODEV-NAME\n"
- " --%s: CRYPTODEV-ID-NAME\n",
+ " --%s: CRYPTODEV-ID-NAME\n"
+ " --%s: self test indicator\n"
+ " --%s: self broken test ID\n"
+ " --%s: self broken test direction\n",
prgname, REQ_FILE_PATH_KEYWORD, RSP_FILE_PATH_KEYWORD,
- FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD);
+ FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD,
+ CRYPTODEV_ST_KEYWORD, CRYPTODEV_BK_ID_KEYWORD,
+ CRYPTODEV_BK_DIR_KEY);
}
static int
{FOLDER_KEYWORD, no_argument, 0, 0},
{CRYPTODEV_KEYWORD, required_argument, 0, 0},
{CRYPTODEV_ID_KEYWORD, required_argument, 0, 0},
+ {CRYPTODEV_ST_KEYWORD, no_argument, 0, 0},
+ {CRYPTODEV_BK_ID_KEYWORD, required_argument, 0, 0},
+ {CRYPTODEV_BK_DIR_KEY, required_argument, 0, 0},
{NULL, 0, 0, 0}
};
cryptodev_fips_validate_usage(prgname);
return -EINVAL;
}
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_ST_KEYWORD) == 0) {
+ env.self_test = 1;
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_BK_ID_KEYWORD) == 0) {
+ if (!env.broken_test_config) {
+ env.broken_test_config = rte_malloc(
+ NULL,
+ sizeof(*env.broken_test_config),
+ 0);
+ if (!env.broken_test_config)
+ return -ENOMEM;
+
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_enc_auth_gen;
+ }
+
+ if (parser_read_uint32(
+ &env.broken_test_config->expect_fail_test_idx,
+ optarg) < 0) {
+ rte_free(env.broken_test_config);
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_BK_DIR_KEY) == 0) {
+ if (!env.broken_test_config) {
+ env.broken_test_config = rte_malloc(
+ NULL,
+ sizeof(*env.broken_test_config),
+ 0);
+ if (!env.broken_test_config)
+ return -ENOMEM;
+
+ env.broken_test_config->
+ expect_fail_test_idx = 0;
+ }
+
+ if (strcmp(optarg, CRYPTODEV_ENC_KEYWORD) == 0)
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_enc_auth_gen;
+ else if (strcmp(optarg, CRYPTODEV_DEC_KEYWORD)
+ == 0)
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_dec_auth_verify;
+ else {
+ rte_free(env.broken_test_config);
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
} else {
cryptodev_fips_validate_usage(prgname);
return -EINVAL;
return 0;
}
+static int
+prepare_sha_xform(struct rte_crypto_sym_xform *xform)
+{
+ const struct rte_cryptodev_symmetric_capability *cap;
+ struct rte_cryptodev_sym_capability_idx cap_idx;
+ struct rte_crypto_auth_xform *auth_xform = &xform->auth;
+
+ xform->type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ auth_xform->algo = info.interim_info.sha_data.algo;
+ auth_xform->op = RTE_CRYPTO_AUTH_OP_GENERATE;
+ auth_xform->digest_length = vec.cipher_auth.digest.len;
+
+ cap_idx.algo.auth = auth_xform->algo;
+ cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
+ if (!cap) {
+ RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n",
+ env.dev_id);
+ return -EINVAL;
+ }
+
+ if (rte_cryptodev_sym_capability_check_auth(cap,
+ auth_xform->key.length,
+ auth_xform->digest_length, 0) != 0) {
+ RTE_LOG(ERR, USER1, "PMD %s key length %u digest length %u\n",
+ info.device_name, auth_xform->key.length,
+ auth_xform->digest_length);
+ return -EPERM;
+ }
+
+ return 0;
+}
+
static void
get_writeback_data(struct fips_val *val)
{
if (ret < 0)
return ret;
- env.sess = rte_cryptodev_sym_session_create(env.mpool);
+ env.sess = rte_cryptodev_sym_session_create(env.sess_mpool);
if (!env.sess)
return -ENOMEM;
ret = rte_cryptodev_sym_session_init(env.dev_id,
- env.sess, &xform, env.mpool);
+ env.sess, &xform, env.sess_priv_mpool);
if (ret < 0) {
RTE_LOG(ERR, USER1, "Error %i: Init session\n",
ret);
#define TDES_EXTERN_ITER 400
#define TDES_INTERN_ITER 10000
struct fips_val val, val_key;
- uint8_t prev_out[TDES_BLOCK_SIZE];
- uint8_t prev_prev_out[TDES_BLOCK_SIZE];
- uint8_t prev_in[TDES_BLOCK_SIZE];
+ uint8_t prev_out[TDES_BLOCK_SIZE] = {0};
+ uint8_t prev_prev_out[TDES_BLOCK_SIZE] = {0};
+ uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
uint32_t i, j, k;
int ret;
return 0;
}
+static int
+fips_mct_sha_test(void)
+{
+#define SHA_EXTERN_ITER 100
+#define SHA_INTERN_ITER 1000
+#define SHA_MD_BLOCK 3
+ struct fips_val val, md[SHA_MD_BLOCK];
+ char temp[MAX_DIGEST_SIZE*2];
+ int ret;
+ uint32_t i, j;
+
+ val.val = rte_malloc(NULL, (MAX_DIGEST_SIZE*SHA_MD_BLOCK), 0);
+ for (i = 0; i < SHA_MD_BLOCK; i++)
+ md[i].val = rte_malloc(NULL, (MAX_DIGEST_SIZE*2), 0);
+
+ rte_free(vec.pt.val);
+ vec.pt.val = rte_malloc(NULL, (MAX_DIGEST_SIZE*SHA_MD_BLOCK), 0);
+
+ fips_test_write_one_case();
+ fprintf(info.fp_wr, "\n");
+
+ for (j = 0; j < SHA_EXTERN_ITER; j++) {
+
+ memcpy(md[0].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[0].len = vec.cipher_auth.digest.len;
+ memcpy(md[1].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[1].len = vec.cipher_auth.digest.len;
+ memcpy(md[2].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[2].len = vec.cipher_auth.digest.len;
+
+ for (i = 0; i < (SHA_INTERN_ITER); i++) {
+
+ memcpy(vec.pt.val, md[0].val,
+ (size_t)md[0].len);
+ memcpy((vec.pt.val + md[0].len), md[1].val,
+ (size_t)md[1].len);
+ memcpy((vec.pt.val + md[0].len + md[1].len),
+ md[2].val,
+ (size_t)md[2].len);
+ vec.pt.len = md[0].len + md[1].len + md[2].len;
+
+ ret = fips_run_test();
+ if (ret < 0) {
+ if (ret == -EPERM) {
+ fprintf(info.fp_wr, "Bypass\n\n");
+ return 0;
+ }
+ return ret;
+ }
+
+ get_writeback_data(&val);
+
+ memcpy(md[0].val, md[1].val, md[1].len);
+ md[0].len = md[1].len;
+ memcpy(md[1].val, md[2].val, md[2].len);
+ md[1].len = md[2].len;
+
+ memcpy(md[2].val, (val.val + vec.pt.len),
+ vec.cipher_auth.digest.len);
+ md[2].len = vec.cipher_auth.digest.len;
+ }
+
+ memcpy(vec.cipher_auth.digest.val, md[2].val, md[2].len);
+ vec.cipher_auth.digest.len = md[2].len;
+
+ fprintf(info.fp_wr, "COUNT = %u\n", j);
+
+ writeback_hex_str("", temp, &vec.cipher_auth.digest);
+
+ fprintf(info.fp_wr, "MD = %s\n\n", temp);
+ }
+
+ for (i = 0; i < (SHA_MD_BLOCK); i++)
+ rte_free(md[i].val);
+
+ rte_free(vec.pt.val);
+
+ return 0;
+}
+
+
static int
init_test_ops(void)
{
test_ops.prepare_xform = prepare_ccm_xform;
test_ops.test = fips_generic_test;
break;
+ case FIPS_TEST_ALGO_SHA:
+ test_ops.prepare_op = prepare_auth_op;
+ test_ops.prepare_xform = prepare_sha_xform;
+ if (info.interim_info.sha_data.test_type == SHA_MCT)
+ test_ops.test = fips_mct_sha_test;
+ else
+ test_ops.test = fips_generic_test;
+ break;
default:
return -1;
}