#include <rte_string_fns.h>
#include "fips_validation.h"
+#include "fips_dev_self_test.h"
#define REQ_FILE_PATH_KEYWORD "req-file"
#define RSP_FILE_PATH_KEYWORD "rsp-file"
#define FOLDER_KEYWORD "path-is-folder"
#define CRYPTODEV_KEYWORD "cryptodev"
#define CRYPTODEV_ID_KEYWORD "cryptodev-id"
+#define CRYPTODEV_ST_KEYWORD "self-test"
+#define CRYPTODEV_BK_ID_KEYWORD "broken-test-id"
+#define CRYPTODEV_BK_DIR_KEY "broken-test-dir"
+#define CRYPTODEV_ENC_KEYWORD "enc"
+#define CRYPTODEV_DEC_KEYWORD "dec"
struct fips_test_vector vec;
struct fips_test_interim_info info;
uint32_t is_path_folder;
uint32_t dev_id;
struct rte_mempool *mpool;
+ struct rte_mempool *sess_mpool;
+ struct rte_mempool *sess_priv_mpool;
struct rte_mempool *op_pool;
struct rte_mbuf *mbuf;
struct rte_crypto_op *op;
struct rte_cryptodev_sym_session *sess;
+ uint32_t self_test;
+ struct fips_dev_broken_test_config *broken_test_config;
} env;
static int
cryptodev_fips_validate_app_int(void)
{
struct rte_cryptodev_config conf = {rte_socket_id(), 1};
- struct rte_cryptodev_qp_conf qp_conf = {128};
+ struct rte_cryptodev_qp_conf qp_conf = {128, NULL, NULL};
+ uint32_t sess_sz = rte_cryptodev_sym_get_private_session_size(
+ env.dev_id);
int ret;
+ if (env.self_test) {
+ ret = fips_dev_self_test(env.dev_id, env.broken_test_config);
+ if (ret < 0) {
+ struct rte_cryptodev *cryptodev =
+ rte_cryptodev_pmd_get_dev(env.dev_id);
+
+ rte_cryptodev_pmd_destroy(cryptodev);
+
+ return ret;
+ }
+ }
+
ret = rte_cryptodev_configure(env.dev_id, &conf);
if (ret < 0)
return ret;
return ret;
ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
- rte_socket_id(), env.mpool);
+ rte_socket_id());
if (ret < 0)
return ret;
ret = -ENOMEM;
+ env.sess_mpool = rte_cryptodev_sym_session_pool_create(
+ "FIPS_SESS_MEMPOOL", 16, 0, 0, 0, rte_socket_id());
+ if (!env.sess_mpool)
+ goto error_exit;
+
+ env.sess_priv_mpool = rte_mempool_create("FIPS_SESS_PRIV_MEMPOOL",
+ 16, sess_sz, 0, 0, NULL, NULL, NULL,
+ NULL, rte_socket_id(), 0);
+ if (!env.sess_priv_mpool)
+ goto error_exit;
+
env.op_pool = rte_crypto_op_pool_create(
"FIPS_OP_POOL",
RTE_CRYPTO_OP_TYPE_SYMMETRIC,
if (!env.op)
goto error_exit;
+ qp_conf.mp_session = env.sess_mpool;
+ qp_conf.mp_session_private = env.sess_priv_mpool;
+
+ ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
+ rte_socket_id());
+ if (ret < 0)
+ goto error_exit;
+
return 0;
error_exit:
+
rte_mempool_free(env.mpool);
+ if (env.sess_mpool)
+ rte_mempool_free(env.sess_mpool);
+ if (env.sess_priv_mpool)
+ rte_mempool_free(env.sess_priv_mpool);
if (env.op_pool)
rte_mempool_free(env.op_pool);
rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
rte_cryptodev_sym_session_free(env.sess);
rte_mempool_free(env.mpool);
+ rte_mempool_free(env.sess_mpool);
+ rte_mempool_free(env.sess_priv_mpool);
rte_mempool_free(env.op_pool);
}
" --%s: RESPONSE-FILE-PATH\n"
" --%s: indicating both paths are folders\n"
" --%s: CRYPTODEV-NAME\n"
- " --%s: CRYPTODEV-ID-NAME\n",
+ " --%s: CRYPTODEV-ID-NAME\n"
+ " --%s: self test indicator\n"
+ " --%s: self broken test ID\n"
+ " --%s: self broken test direction\n",
prgname, REQ_FILE_PATH_KEYWORD, RSP_FILE_PATH_KEYWORD,
- FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD);
+ FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD,
+ CRYPTODEV_ST_KEYWORD, CRYPTODEV_BK_ID_KEYWORD,
+ CRYPTODEV_BK_DIR_KEY);
}
static int
{FOLDER_KEYWORD, no_argument, 0, 0},
{CRYPTODEV_KEYWORD, required_argument, 0, 0},
{CRYPTODEV_ID_KEYWORD, required_argument, 0, 0},
+ {CRYPTODEV_ST_KEYWORD, no_argument, 0, 0},
+ {CRYPTODEV_BK_ID_KEYWORD, required_argument, 0, 0},
+ {CRYPTODEV_BK_DIR_KEY, required_argument, 0, 0},
{NULL, 0, 0, 0}
};
cryptodev_fips_validate_usage(prgname);
return -EINVAL;
}
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_ST_KEYWORD) == 0) {
+ env.self_test = 1;
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_BK_ID_KEYWORD) == 0) {
+ if (!env.broken_test_config) {
+ env.broken_test_config = rte_malloc(
+ NULL,
+ sizeof(*env.broken_test_config),
+ 0);
+ if (!env.broken_test_config)
+ return -ENOMEM;
+
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_enc_auth_gen;
+ }
+
+ if (parser_read_uint32(
+ &env.broken_test_config->expect_fail_test_idx,
+ optarg) < 0) {
+ rte_free(env.broken_test_config);
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_BK_DIR_KEY) == 0) {
+ if (!env.broken_test_config) {
+ env.broken_test_config = rte_malloc(
+ NULL,
+ sizeof(*env.broken_test_config),
+ 0);
+ if (!env.broken_test_config)
+ return -ENOMEM;
+
+ env.broken_test_config->
+ expect_fail_test_idx = 0;
+ }
+
+ if (strcmp(optarg, CRYPTODEV_ENC_KEYWORD) == 0)
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_enc_auth_gen;
+ else if (strcmp(optarg, CRYPTODEV_DEC_KEYWORD)
+ == 0)
+ env.broken_test_config->expect_fail_dir =
+ self_test_dir_dec_auth_verify;
+ else {
+ rte_free(env.broken_test_config);
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
} else {
cryptodev_fips_validate_usage(prgname);
return -EINVAL;
}
rte_crypto_op_attach_sym_session(env.op, env.sess);
+
+ return 0;
}
static int
__rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC);
rte_pktmbuf_reset(env.mbuf);
- memcpy(iv, vec.iv.val, vec.iv.len);
+ if (info.algo == FIPS_TEST_ALGO_AES_CCM)
+ memcpy(iv + 1, vec.iv.val, vec.iv.len);
+ else
+ memcpy(iv, vec.iv.val, vec.iv.len);
sym->m_src = env.mbuf;
sym->aead.data.offset = 0;
}
rte_crypto_op_attach_sym_session(env.op, env.sess);
+
+ return 0;
}
static int
return 0;
}
+static int
+prepare_cmac_xform(struct rte_crypto_sym_xform *xform)
+{
+ const struct rte_cryptodev_symmetric_capability *cap;
+ struct rte_cryptodev_sym_capability_idx cap_idx;
+ struct rte_crypto_auth_xform *auth_xform = &xform->auth;
+
+ xform->type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ auth_xform->algo = RTE_CRYPTO_AUTH_AES_CMAC;
+ auth_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
+ RTE_CRYPTO_AUTH_OP_GENERATE : RTE_CRYPTO_AUTH_OP_VERIFY;
+ auth_xform->digest_length = vec.cipher_auth.digest.len;
+ auth_xform->key.data = vec.cipher_auth.key.val;
+ auth_xform->key.length = vec.cipher_auth.key.len;
+
+ cap_idx.algo.auth = auth_xform->algo;
+ cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
+ if (!cap) {
+ RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n",
+ env.dev_id);
+ return -EINVAL;
+ }
+
+ if (rte_cryptodev_sym_capability_check_auth(cap,
+ auth_xform->key.length,
+ auth_xform->digest_length, 0) != 0) {
+ RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n",
+ info.device_name, auth_xform->key.length,
+ auth_xform->digest_length);
+ return -EPERM;
+ }
+
+ return 0;
+}
+
+static int
+prepare_ccm_xform(struct rte_crypto_sym_xform *xform)
+{
+ const struct rte_cryptodev_symmetric_capability *cap;
+ struct rte_cryptodev_sym_capability_idx cap_idx;
+ struct rte_crypto_aead_xform *aead_xform = &xform->aead;
+
+ xform->type = RTE_CRYPTO_SYM_XFORM_AEAD;
+
+ aead_xform->algo = RTE_CRYPTO_AEAD_AES_CCM;
+ aead_xform->aad_length = vec.aead.aad.len;
+ aead_xform->digest_length = vec.aead.digest.len;
+ aead_xform->iv.offset = IV_OFF;
+ aead_xform->iv.length = vec.iv.len;
+ aead_xform->key.data = vec.aead.key.val;
+ aead_xform->key.length = vec.aead.key.len;
+ aead_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
+ RTE_CRYPTO_AEAD_OP_ENCRYPT :
+ RTE_CRYPTO_AEAD_OP_DECRYPT;
+
+ cap_idx.algo.aead = aead_xform->algo;
+ cap_idx.type = RTE_CRYPTO_SYM_XFORM_AEAD;
+
+ cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
+ if (!cap) {
+ RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n",
+ env.dev_id);
+ return -EINVAL;
+ }
+
+ if (rte_cryptodev_sym_capability_check_aead(cap,
+ aead_xform->key.length,
+ aead_xform->digest_length, aead_xform->aad_length,
+ aead_xform->iv.length) != 0) {
+ RTE_LOG(ERR, USER1,
+ "PMD %s key_len %u tag_len %u aad_len %u iv_len %u\n",
+ info.device_name, aead_xform->key.length,
+ aead_xform->digest_length,
+ aead_xform->aad_length,
+ aead_xform->iv.length);
+ return -EPERM;
+ }
+
+ return 0;
+}
+
+static int
+prepare_sha_xform(struct rte_crypto_sym_xform *xform)
+{
+ const struct rte_cryptodev_symmetric_capability *cap;
+ struct rte_cryptodev_sym_capability_idx cap_idx;
+ struct rte_crypto_auth_xform *auth_xform = &xform->auth;
+
+ xform->type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ auth_xform->algo = info.interim_info.sha_data.algo;
+ auth_xform->op = RTE_CRYPTO_AUTH_OP_GENERATE;
+ auth_xform->digest_length = vec.cipher_auth.digest.len;
+
+ cap_idx.algo.auth = auth_xform->algo;
+ cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+
+ cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
+ if (!cap) {
+ RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n",
+ env.dev_id);
+ return -EINVAL;
+ }
+
+ if (rte_cryptodev_sym_capability_check_auth(cap,
+ auth_xform->key.length,
+ auth_xform->digest_length, 0) != 0) {
+ RTE_LOG(ERR, USER1, "PMD %s key length %u digest length %u\n",
+ info.device_name, auth_xform->key.length,
+ auth_xform->digest_length);
+ return -EPERM;
+ }
+
+ return 0;
+}
+
static void
get_writeback_data(struct fips_val *val)
{
if (ret < 0)
return ret;
- env.sess = rte_cryptodev_sym_session_create(env.mpool);
+ env.sess = rte_cryptodev_sym_session_create(env.sess_mpool);
if (!env.sess)
return -ENOMEM;
ret = rte_cryptodev_sym_session_init(env.dev_id,
- env.sess, &xform, env.mpool);
+ env.sess, &xform, env.sess_priv_mpool);
if (ret < 0) {
RTE_LOG(ERR, USER1, "Error %i: Init session\n",
ret);
- return ret;
+ goto exit;
}
ret = test_ops.prepare_op();
if (ret < 0) {
RTE_LOG(ERR, USER1, "Error %i: Prepare op\n",
ret);
- return ret;
+ goto exit;
}
if (rte_cryptodev_enqueue_burst(env.dev_id, 0, &env.op, 1) < 1) {
RTE_LOG(ERR, USER1, "Error: Failed enqueue\n");
- return ret;
+ ret = -1;
+ goto exit;
}
do {
vec.status = env.op->status;
+exit:
rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
rte_cryptodev_sym_session_free(env.sess);
env.sess = NULL;
#define TDES_EXTERN_ITER 400
#define TDES_INTERN_ITER 10000
struct fips_val val, val_key;
- uint8_t prev_out[TDES_BLOCK_SIZE];
- uint8_t prev_prev_out[TDES_BLOCK_SIZE];
- uint8_t prev_in[TDES_BLOCK_SIZE];
+ uint8_t prev_out[TDES_BLOCK_SIZE] = {0};
+ uint8_t prev_prev_out[TDES_BLOCK_SIZE] = {0};
+ uint8_t prev_in[TDES_BLOCK_SIZE] = {0};
uint32_t i, j, k;
int ret;
return 0;
}
+static int
+fips_mct_sha_test(void)
+{
+#define SHA_EXTERN_ITER 100
+#define SHA_INTERN_ITER 1000
+#define SHA_MD_BLOCK 3
+ struct fips_val val, md[SHA_MD_BLOCK];
+ char temp[MAX_DIGEST_SIZE*2];
+ int ret;
+ uint32_t i, j;
+
+ val.val = rte_malloc(NULL, (MAX_DIGEST_SIZE*SHA_MD_BLOCK), 0);
+ for (i = 0; i < SHA_MD_BLOCK; i++)
+ md[i].val = rte_malloc(NULL, (MAX_DIGEST_SIZE*2), 0);
+
+ rte_free(vec.pt.val);
+ vec.pt.val = rte_malloc(NULL, (MAX_DIGEST_SIZE*SHA_MD_BLOCK), 0);
+
+ fips_test_write_one_case();
+ fprintf(info.fp_wr, "\n");
+
+ for (j = 0; j < SHA_EXTERN_ITER; j++) {
+
+ memcpy(md[0].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[0].len = vec.cipher_auth.digest.len;
+ memcpy(md[1].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[1].len = vec.cipher_auth.digest.len;
+ memcpy(md[2].val, vec.cipher_auth.digest.val,
+ vec.cipher_auth.digest.len);
+ md[2].len = vec.cipher_auth.digest.len;
+
+ for (i = 0; i < (SHA_INTERN_ITER); i++) {
+
+ memcpy(vec.pt.val, md[0].val,
+ (size_t)md[0].len);
+ memcpy((vec.pt.val + md[0].len), md[1].val,
+ (size_t)md[1].len);
+ memcpy((vec.pt.val + md[0].len + md[1].len),
+ md[2].val,
+ (size_t)md[2].len);
+ vec.pt.len = md[0].len + md[1].len + md[2].len;
+
+ ret = fips_run_test();
+ if (ret < 0) {
+ if (ret == -EPERM) {
+ fprintf(info.fp_wr, "Bypass\n\n");
+ return 0;
+ }
+ return ret;
+ }
+
+ get_writeback_data(&val);
+
+ memcpy(md[0].val, md[1].val, md[1].len);
+ md[0].len = md[1].len;
+ memcpy(md[1].val, md[2].val, md[2].len);
+ md[1].len = md[2].len;
+
+ memcpy(md[2].val, (val.val + vec.pt.len),
+ vec.cipher_auth.digest.len);
+ md[2].len = vec.cipher_auth.digest.len;
+ }
+
+ memcpy(vec.cipher_auth.digest.val, md[2].val, md[2].len);
+ vec.cipher_auth.digest.len = md[2].len;
+
+ fprintf(info.fp_wr, "COUNT = %u\n", j);
+
+ writeback_hex_str("", temp, &vec.cipher_auth.digest);
+
+ fprintf(info.fp_wr, "MD = %s\n\n", temp);
+ }
+
+ for (i = 0; i < (SHA_MD_BLOCK); i++)
+ rte_free(md[i].val);
+
+ rte_free(vec.pt.val);
+
+ return 0;
+}
+
+
static int
init_test_ops(void)
{
test_ops.prepare_xform = prepare_gcm_xform;
test_ops.test = fips_generic_test;
break;
+ case FIPS_TEST_ALGO_AES_CMAC:
+ test_ops.prepare_op = prepare_auth_op;
+ test_ops.prepare_xform = prepare_cmac_xform;
+ test_ops.test = fips_generic_test;
+ break;
+ case FIPS_TEST_ALGO_AES_CCM:
+ test_ops.prepare_op = prepare_aead_op;
+ test_ops.prepare_xform = prepare_ccm_xform;
+ test_ops.test = fips_generic_test;
+ break;
+ case FIPS_TEST_ALGO_SHA:
+ test_ops.prepare_op = prepare_auth_op;
+ test_ops.prepare_xform = prepare_sha_xform;
+ if (info.interim_info.sha_data.test_type == SHA_MCT)
+ test_ops.test = fips_mct_sha_test;
+ else
+ test_ops.test = fips_generic_test;
+ break;
default:
return -1;
}