X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=examples%2Ffips_validation%2Fmain.c;h=b0de3d269a1e1ff92681aa64bdc15dbd9e14edcc;hb=d047310407a3511b1e2910c7ddf59d5049b202f6;hp=388068168dd6fbf4cf1ee3fd4bd1cc233afa0404;hpb=527cbf3d5ee380f49db828957de4ba75f71e4311;p=dpdk.git diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c index 388068168d..b0de3d269a 100644 --- a/examples/fips_validation/main.c +++ b/examples/fips_validation/main.c @@ -7,18 +7,34 @@ #include #include -#include +#include #include #include #include #include "fips_validation.h" - -#define REQ_FILE_PATH_KEYWORD "req-file" -#define RSP_FILE_PATH_KEYWORD "rsp-file" -#define FOLDER_KEYWORD "path-is-folder" -#define CRYPTODEV_KEYWORD "cryptodev" -#define CRYPTODEV_ID_KEYWORD "cryptodev-id" +#include "fips_dev_self_test.h" + +enum { +#define OPT_REQ_FILE_PATH "req-file" + OPT_REQ_FILE_PATH_NUM = 256, +#define OPT_RSP_FILE_PATH "rsp-file" + OPT_RSP_FILE_PATH_NUM, +#define OPT_MBUF_DATAROOM "mbuf-dataroom" + OPT_MBUF_DATAROOM_NUM, +#define OPT_FOLDER "path-is-folder" + OPT_FOLDER_NUM, +#define OPT_CRYPTODEV "cryptodev" + OPT_CRYPTODEV_NUM, +#define OPT_CRYPTODEV_ID "cryptodev-id" + OPT_CRYPTODEV_ID_NUM, +#define OPT_CRYPTODEV_ST "self-test" + OPT_CRYPTODEV_ST_NUM, +#define OPT_CRYPTODEV_BK_ID "broken-test-id" + OPT_CRYPTODEV_BK_ID_NUM, +#define OPT_CRYPTODEV_BK_DIR_KEY "broken-test-dir" + OPT_CRYPTODEV_BK_DIR_KEY_NUM, +}; struct fips_test_vector vec; struct fips_test_interim_info info; @@ -27,37 +43,76 @@ struct cryptodev_fips_validate_env { const char *req_path; const char *rsp_path; uint32_t is_path_folder; - uint32_t dev_id; + uint8_t dev_id; + uint8_t dev_support_sgl; + uint16_t mbuf_data_room; struct rte_mempool *mpool; + struct rte_mempool *sess_mpool; + struct rte_mempool *sess_priv_mpool; struct rte_mempool *op_pool; struct rte_mbuf *mbuf; + uint8_t *digest; + uint16_t digest_len; struct rte_crypto_op *op; struct rte_cryptodev_sym_session *sess; + uint16_t self_test; + struct fips_dev_broken_test_config *broken_test_config; } env; static int cryptodev_fips_validate_app_int(void) { - struct rte_cryptodev_config conf = {rte_socket_id(), 1}; - struct rte_cryptodev_qp_conf qp_conf = {128}; + struct rte_cryptodev_config conf = {rte_socket_id(), 1, 0}; + struct rte_cryptodev_qp_conf qp_conf = {128, NULL, NULL}; + struct rte_cryptodev_info dev_info; + uint32_t sess_sz = rte_cryptodev_sym_get_private_session_size( + env.dev_id); + uint32_t nb_mbufs = UINT16_MAX / env.mbuf_data_room + 1; int ret; + if (env.self_test) { + ret = fips_dev_self_test(env.dev_id, env.broken_test_config); + if (ret < 0) { + rte_cryptodev_close(env.dev_id); + + return ret; + } + } + ret = rte_cryptodev_configure(env.dev_id, &conf); if (ret < 0) return ret; - env.mpool = rte_pktmbuf_pool_create("FIPS_MEMPOOL", 128, 0, 0, - UINT16_MAX, rte_socket_id()); + rte_cryptodev_info_get(env.dev_id, &dev_info); + if (dev_info.feature_flags & RTE_CRYPTODEV_FF_IN_PLACE_SGL) + env.dev_support_sgl = 1; + else + env.dev_support_sgl = 0; + + env.mpool = rte_pktmbuf_pool_create("FIPS_MEMPOOL", nb_mbufs, + 0, 0, sizeof(struct rte_mbuf) + RTE_PKTMBUF_HEADROOM + + env.mbuf_data_room, rte_socket_id()); if (!env.mpool) return ret; ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf, - rte_socket_id(), env.mpool); + rte_socket_id()); if (ret < 0) return ret; ret = -ENOMEM; + env.sess_mpool = rte_cryptodev_sym_session_pool_create( + "FIPS_SESS_MEMPOOL", 16, 0, 0, 0, rte_socket_id()); + if (!env.sess_mpool) + goto error_exit; + + env.sess_priv_mpool = rte_mempool_create("FIPS_SESS_PRIV_MEMPOOL", + 16, sess_sz, 0, 0, NULL, NULL, NULL, + NULL, rte_socket_id(), 0); + if (!env.sess_priv_mpool) + goto error_exit; + env.op_pool = rte_crypto_op_pool_create( "FIPS_OP_POOL", RTE_CRYPTO_OP_TYPE_SYMMETRIC, @@ -67,18 +122,27 @@ cryptodev_fips_validate_app_int(void) if (!env.op_pool) goto error_exit; - env.mbuf = rte_pktmbuf_alloc(env.mpool); - if (!env.mbuf) - goto error_exit; - env.op = rte_crypto_op_alloc(env.op_pool, RTE_CRYPTO_OP_TYPE_SYMMETRIC); if (!env.op) goto error_exit; + qp_conf.mp_session = env.sess_mpool; + qp_conf.mp_session_private = env.sess_priv_mpool; + + ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf, + rte_socket_id()); + if (ret < 0) + goto error_exit; + return 0; error_exit: + rte_mempool_free(env.mpool); + if (env.sess_mpool) + rte_mempool_free(env.sess_mpool); + if (env.sess_priv_mpool) + rte_mempool_free(env.sess_priv_mpool); if (env.op_pool) rte_mempool_free(env.op_pool); @@ -93,6 +157,8 @@ cryptodev_fips_validate_app_uninit(void) rte_cryptodev_sym_session_clear(env.dev_id, env.sess); rte_cryptodev_sym_session_free(env.sess); rte_mempool_free(env.mpool); + rte_mempool_free(env.sess_mpool); + rte_mempool_free(env.sess_priv_mpool); rte_mempool_free(env.op_pool); } @@ -110,7 +176,7 @@ parse_cryptodev_arg(char *arg) return id; } - env.dev_id = (uint32_t)id; + env.dev_id = (uint8_t)id; return 0; } @@ -127,13 +193,13 @@ parse_cryptodev_id_arg(char *arg) } - if (!rte_cryptodev_pmd_is_valid_dev(cryptodev_id)) { + if (!rte_cryptodev_is_valid_dev(cryptodev_id)) { RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev id %s\n", cryptodev_id, arg); return -1; } - env.dev_id = (uint32_t)cryptodev_id; + env.dev_id = (uint8_t)cryptodev_id; return 0; } @@ -141,14 +207,21 @@ parse_cryptodev_id_arg(char *arg) static void cryptodev_fips_validate_usage(const char *prgname) { + uint32_t def_mbuf_seg_size = DEF_MBUF_SEG_SIZE; printf("%s [EAL options] --\n" " --%s: REQUEST-FILE-PATH\n" " --%s: RESPONSE-FILE-PATH\n" " --%s: indicating both paths are folders\n" + " --%s: mbuf dataroom size (default %u bytes)\n" " --%s: CRYPTODEV-NAME\n" - " --%s: CRYPTODEV-ID-NAME\n", - prgname, REQ_FILE_PATH_KEYWORD, RSP_FILE_PATH_KEYWORD, - FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD); + " --%s: CRYPTODEV-ID-NAME\n" + " --%s: self test indicator\n" + " --%s: self broken test ID\n" + " --%s: self broken test direction\n", + prgname, OPT_REQ_FILE_PATH, OPT_RSP_FILE_PATH, + OPT_FOLDER, OPT_MBUF_DATAROOM, def_mbuf_seg_size, + OPT_CRYPTODEV, OPT_CRYPTODEV_ID, OPT_CRYPTODEV_ST, + OPT_CRYPTODEV_BK_ID, OPT_CRYPTODEV_BK_DIR_KEY); } static int @@ -159,56 +232,151 @@ cryptodev_fips_validate_parse_args(int argc, char **argv) char **argvopt; int option_index; struct option lgopts[] = { - {REQ_FILE_PATH_KEYWORD, required_argument, 0, 0}, - {RSP_FILE_PATH_KEYWORD, required_argument, 0, 0}, - {FOLDER_KEYWORD, no_argument, 0, 0}, - {CRYPTODEV_KEYWORD, required_argument, 0, 0}, - {CRYPTODEV_ID_KEYWORD, required_argument, 0, 0}, - {NULL, 0, 0, 0} + {OPT_REQ_FILE_PATH, required_argument, + NULL, OPT_REQ_FILE_PATH_NUM}, + {OPT_RSP_FILE_PATH, required_argument, + NULL, OPT_RSP_FILE_PATH_NUM}, + {OPT_FOLDER, no_argument, + NULL, OPT_FOLDER_NUM}, + {OPT_MBUF_DATAROOM, required_argument, + NULL, OPT_MBUF_DATAROOM_NUM}, + {OPT_CRYPTODEV, required_argument, + NULL, OPT_CRYPTODEV_NUM}, + {OPT_CRYPTODEV_ID, required_argument, + NULL, OPT_CRYPTODEV_ID_NUM}, + {OPT_CRYPTODEV_ST, no_argument, + NULL, OPT_CRYPTODEV_ST_NUM}, + {OPT_CRYPTODEV_BK_ID, required_argument, + NULL, OPT_CRYPTODEV_BK_ID_NUM}, + {OPT_CRYPTODEV_BK_DIR_KEY, required_argument, + NULL, OPT_CRYPTODEV_BK_DIR_KEY_NUM}, + {NULL, 0, 0, 0} }; argvopt = argv; + env.mbuf_data_room = DEF_MBUF_SEG_SIZE; + if (rte_cryptodev_count()) + env.dev_id = 0; + else { + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + while ((opt = getopt_long(argc, argvopt, "s:", lgopts, &option_index)) != EOF) { switch (opt) { - case 0: - if (strcmp(lgopts[option_index].name, - REQ_FILE_PATH_KEYWORD) == 0) - env.req_path = optarg; - else if (strcmp(lgopts[option_index].name, - RSP_FILE_PATH_KEYWORD) == 0) - env.rsp_path = optarg; - else if (strcmp(lgopts[option_index].name, - FOLDER_KEYWORD) == 0) - env.is_path_folder = 1; - else if (strcmp(lgopts[option_index].name, - CRYPTODEV_KEYWORD) == 0) { - ret = parse_cryptodev_arg(optarg); - if (ret < 0) { - cryptodev_fips_validate_usage(prgname); - return -EINVAL; - } - } else if (strcmp(lgopts[option_index].name, - CRYPTODEV_ID_KEYWORD) == 0) { - ret = parse_cryptodev_id_arg(optarg); - if (ret < 0) { - cryptodev_fips_validate_usage(prgname); - return -EINVAL; - } - } else { + case OPT_REQ_FILE_PATH_NUM: + env.req_path = optarg; + break; + + case OPT_RSP_FILE_PATH_NUM: + env.rsp_path = optarg; + break; + + case OPT_FOLDER_NUM: + env.is_path_folder = 1; + break; + + case OPT_CRYPTODEV_NUM: + ret = parse_cryptodev_arg(optarg); + if (ret < 0) { + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + break; + + case OPT_CRYPTODEV_ID_NUM: + ret = parse_cryptodev_id_arg(optarg); + if (ret < 0) { + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + break; + + case OPT_CRYPTODEV_ST_NUM: + env.self_test = 1; + break; + + case OPT_CRYPTODEV_BK_ID_NUM: + if (!env.broken_test_config) { + env.broken_test_config = rte_malloc( + NULL, + sizeof(*env.broken_test_config), + 0); + if (!env.broken_test_config) + return -ENOMEM; + + env.broken_test_config->expect_fail_dir = + self_test_dir_enc_auth_gen; + } + + if (parser_read_uint32( + &env.broken_test_config->expect_fail_test_idx, + optarg) < 0) { + rte_free(env.broken_test_config); + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + break; + + case OPT_CRYPTODEV_BK_DIR_KEY_NUM: + if (!env.broken_test_config) { + env.broken_test_config = rte_malloc( + NULL, + sizeof(*env.broken_test_config), + 0); + if (!env.broken_test_config) + return -ENOMEM; + + env.broken_test_config->expect_fail_test_idx = + 0; + } + + if (strcmp(optarg, "enc") == 0) + env.broken_test_config->expect_fail_dir = + self_test_dir_enc_auth_gen; + else if (strcmp(optarg, "dec") + == 0) + env.broken_test_config->expect_fail_dir = + self_test_dir_dec_auth_verify; + else { + rte_free(env.broken_test_config); cryptodev_fips_validate_usage(prgname); return -EINVAL; } break; + + + case OPT_MBUF_DATAROOM_NUM: + if (parser_read_uint16(&env.mbuf_data_room, + optarg) < 0) { + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + + if (env.mbuf_data_room == 0) { + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + break; + default: - return -1; + cryptodev_fips_validate_usage(prgname); + return -EINVAL; } } - if (env.req_path == NULL || env.rsp_path == NULL || - env.dev_id == UINT32_MAX) { + if ((env.req_path == NULL && env.rsp_path != NULL) || + (env.req_path != NULL && env.rsp_path == NULL)) { + RTE_LOG(ERR, USER1, "Missing req path or rsp path\n"); + cryptodev_fips_validate_usage(prgname); + return -EINVAL; + } + + if (env.req_path == NULL && env.self_test == 0) { + RTE_LOG(ERR, USER1, "--self-test must be set if req path is missing\n"); cryptodev_fips_validate_usage(prgname); return -EINVAL; } @@ -240,6 +408,11 @@ main(int argc, char *argv[]) return -1; } + if (env.req_path == NULL || env.rsp_path == NULL) { + printf("No request, exit.\n"); + goto exit; + } + if (!env.is_path_folder) { printf("Processing file %s... ", env.req_path); @@ -325,6 +498,9 @@ exit: fips_test_clear(); cryptodev_fips_validate_app_uninit(); + /* clean up the EAL */ + rte_eal_cleanup(); + return ret; } @@ -332,155 +508,556 @@ exit: #define IV_OFF (sizeof(struct rte_crypto_op) + sizeof(struct rte_crypto_sym_op)) #define CRYPTODEV_FIPS_MAX_RETRIES 16 -typedef int (*fips_test_one_case_t)(void); -typedef int (*fips_prepare_op_t)(void); -typedef int (*fips_prepare_xform_t)(struct rte_crypto_sym_xform *); - -struct fips_test_ops { - fips_prepare_xform_t prepare_xform; - fips_prepare_op_t prepare_op; - fips_test_one_case_t test; -} test_ops; +struct fips_test_ops test_ops; static int -prepare_cipher_op(void) +prepare_data_mbufs(struct fips_val *val) { - struct rte_crypto_sym_op *sym = env.op->sym; - uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, IV_OFF); - - __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); - rte_pktmbuf_reset(env.mbuf); + struct rte_mbuf *m, *head = 0; + uint8_t *src = val->val; + uint32_t total_len = val->len; + uint16_t nb_seg; + int ret = 0; - sym->m_src = env.mbuf; - sym->cipher.data.offset = 0; + if (env.mbuf) + rte_pktmbuf_free(env.mbuf); - memcpy(iv, vec.iv.val, vec.iv.len); + if (total_len > RTE_MBUF_MAX_NB_SEGS) { + RTE_LOG(ERR, USER1, "Data len %u too big\n", total_len); + return -EPERM; + } - if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - uint8_t *pt; + nb_seg = total_len / env.mbuf_data_room; + if (total_len % env.mbuf_data_room) + nb_seg++; - if (vec.pt.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "PT len %u\n", vec.pt.len); - return -EPERM; - } + m = rte_pktmbuf_alloc(env.mpool); + if (!m) { + RTE_LOG(ERR, USER1, "Error %i: Not enough mbuf\n", + -ENOMEM); + return -ENOMEM; + } + head = m; - pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len); + while (nb_seg) { + uint16_t len = RTE_MIN(total_len, env.mbuf_data_room); + uint8_t *dst = (uint8_t *)rte_pktmbuf_append(m, len); - if (!pt) { + if (!dst) { RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", -ENOMEM); - return -ENOMEM; + ret = -ENOMEM; + goto error_exit; } - memcpy(pt, vec.pt.val, vec.pt.len); - sym->cipher.data.length = vec.pt.len; - - } else { - uint8_t *ct; + memcpy(dst, src, len); - if (vec.ct.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "CT len %u\n", vec.ct.len); - return -EPERM; + if (head != m) { + ret = rte_pktmbuf_chain(head, m); + if (ret) { + rte_pktmbuf_free(m); + RTE_LOG(ERR, USER1, "Error %i: SGL build\n", + ret); + goto error_exit; + } } + total_len -= len; - ct = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.ct.len); + if (total_len) { + if (!env.dev_support_sgl) { + RTE_LOG(ERR, USER1, "SGL not supported\n"); + ret = -EPERM; + goto error_exit; + } - if (!ct) { - RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", - -ENOMEM); - return -ENOMEM; - } + m = rte_pktmbuf_alloc(env.mpool); + if (!m) { + RTE_LOG(ERR, USER1, "Error %i: No memory\n", + -ENOMEM); + goto error_exit; + } + } else + break; + + src += len; + nb_seg--; + } + + if (total_len) { + RTE_LOG(ERR, USER1, "Error %i: Failed to store all data\n", + -ENOMEM); + goto error_exit; + } + + env.mbuf = head; + + return 0; + +error_exit: + if (head) + rte_pktmbuf_free(head); + return ret; +} + +static int +prepare_cipher_op(void) +{ + struct rte_crypto_sym_op *sym = env.op->sym; + uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, IV_OFF); + int ret; + + __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); + + memcpy(iv, vec.iv.val, vec.iv.len); + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) { + ret = prepare_data_mbufs(&vec.pt); + if (ret < 0) + return ret; + + sym->cipher.data.length = vec.pt.len; + } else { + ret = prepare_data_mbufs(&vec.ct); + if (ret < 0) + return ret; - memcpy(ct, vec.ct.val, vec.ct.len); sym->cipher.data.length = vec.ct.len; } rte_crypto_op_attach_sym_session(env.op, env.sess); + sym->m_src = env.mbuf; + sym->cipher.data.offset = 0; + return 0; } -static int +int prepare_auth_op(void) { struct rte_crypto_sym_op *sym = env.op->sym; + int ret; __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); - rte_pktmbuf_reset(env.mbuf); + + if (vec.iv.len) { + uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, + IV_OFF); + memset(iv, 0, vec.iv.len); + if (vec.iv.val) + memcpy(iv, vec.iv.val, vec.iv.len); + } + + ret = prepare_data_mbufs(&vec.pt); + if (ret < 0) + return ret; + + if (env.digest) + rte_free(env.digest); + + env.digest = rte_zmalloc(NULL, vec.cipher_auth.digest.len, + RTE_CACHE_LINE_SIZE); + if (!env.digest) { + RTE_LOG(ERR, USER1, "Not enough memory\n"); + return -ENOMEM; + } + env.digest_len = vec.cipher_auth.digest.len; sym->m_src = env.mbuf; sym->auth.data.offset = 0; + sym->auth.data.length = vec.pt.len; + sym->auth.digest.data = env.digest; + sym->auth.digest.phys_addr = rte_malloc_virt2iova(env.digest); - if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - uint8_t *pt; + if (info.op == FIPS_TEST_DEC_AUTH_VERIF) + memcpy(env.digest, vec.cipher_auth.digest.val, + vec.cipher_auth.digest.len); - if (vec.pt.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "PT len %u\n", vec.pt.len); - return -EPERM; - } + rte_crypto_op_attach_sym_session(env.op, env.sess); - pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len + - vec.cipher_auth.digest.len); + return 0; +} - if (!pt) { - RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", - -ENOMEM); +int +prepare_aead_op(void) +{ + struct rte_crypto_sym_op *sym = env.op->sym; + uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, IV_OFF); + int ret; + + __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); + + if (info.algo == FIPS_TEST_ALGO_AES_CCM) + iv++; + + if (vec.iv.val) + memcpy(iv, vec.iv.val, vec.iv.len); + else + /* if REQ file has iv length but not data, default as all 0 */ + memset(iv, 0, vec.iv.len); + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) { + ret = prepare_data_mbufs(&vec.pt); + if (ret < 0) + return ret; + + if (env.digest) + rte_free(env.digest); + env.digest = rte_zmalloc(NULL, vec.aead.digest.len, + RTE_CACHE_LINE_SIZE); + if (!env.digest) { + RTE_LOG(ERR, USER1, "Not enough memory\n"); return -ENOMEM; } + env.digest_len = vec.cipher_auth.digest.len; + + sym->aead.data.length = vec.pt.len; + sym->aead.digest.data = env.digest; + sym->aead.digest.phys_addr = rte_malloc_virt2iova(env.digest); + } else { + ret = prepare_data_mbufs(&vec.ct); + if (ret < 0) + return ret; + + sym->aead.data.length = vec.ct.len; + sym->aead.digest.data = vec.aead.digest.val; + sym->aead.digest.phys_addr = rte_malloc_virt2iova( + sym->aead.digest.data); + } + + sym->m_src = env.mbuf; + sym->aead.data.offset = 0; + sym->aead.aad.data = vec.aead.aad.val; + sym->aead.aad.phys_addr = rte_malloc_virt2iova(sym->aead.aad.data); + + rte_crypto_op_attach_sym_session(env.op, env.sess); + + return 0; +} + +static int +prepare_aes_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher; + + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_CBC) + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC; + else + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_ECB; + + cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_CIPHER_OP_ENCRYPT : + RTE_CRYPTO_CIPHER_OP_DECRYPT; + cipher_xform->key.data = vec.cipher_auth.key.val; + cipher_xform->key.length = vec.cipher_auth.key.len; + if (cipher_xform->algo == RTE_CRYPTO_CIPHER_AES_CBC) { + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + } else { + cipher_xform->iv.length = 0; + cipher_xform->iv.offset = 0; + } + cap_idx.algo.cipher = cipher_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_cipher(cap, + cipher_xform->key.length, + cipher_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, cipher_xform->key.length, + cipher_xform->iv.length); + return -EPERM; + } + + return 0; +} + +static int +prepare_tdes_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher; + + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + if (info.interim_info.tdes_data.test_mode == TDES_MODE_CBC) + cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC; + else + cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_ECB; + cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_CIPHER_OP_ENCRYPT : + RTE_CRYPTO_CIPHER_OP_DECRYPT; + cipher_xform->key.data = vec.cipher_auth.key.val; + cipher_xform->key.length = vec.cipher_auth.key.len; + + if (cipher_xform->algo == RTE_CRYPTO_CIPHER_3DES_CBC) { + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + } else { + cipher_xform->iv.length = 0; + cipher_xform->iv.offset = 0; + } + cap_idx.algo.cipher = cipher_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_cipher(cap, + cipher_xform->key.length, + cipher_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, cipher_xform->key.length, + cipher_xform->iv.length); + return -EPERM; + } + + return 0; +} + +static int +prepare_hmac_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_auth_xform *auth_xform = &xform->auth; + + xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + + auth_xform->algo = info.interim_info.hmac_data.algo; + auth_xform->op = RTE_CRYPTO_AUTH_OP_GENERATE; + auth_xform->digest_length = vec.cipher_auth.digest.len; + auth_xform->key.data = vec.cipher_auth.key.val; + auth_xform->key.length = vec.cipher_auth.key.len; + + cap_idx.algo.auth = auth_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_auth(cap, + auth_xform->key.length, + auth_xform->digest_length, 0) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, auth_xform->key.length, + auth_xform->digest_length); + return -EPERM; + } + + return 0; +} + +int +prepare_gcm_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_aead_xform *aead_xform = &xform->aead; + + xform->type = RTE_CRYPTO_SYM_XFORM_AEAD; + + aead_xform->algo = RTE_CRYPTO_AEAD_AES_GCM; + aead_xform->aad_length = vec.aead.aad.len; + aead_xform->digest_length = vec.aead.digest.len; + aead_xform->iv.offset = IV_OFF; + aead_xform->iv.length = vec.iv.len; + aead_xform->key.data = vec.aead.key.val; + aead_xform->key.length = vec.aead.key.len; + aead_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_AEAD_OP_ENCRYPT : + RTE_CRYPTO_AEAD_OP_DECRYPT; + + cap_idx.algo.aead = aead_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AEAD; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_aead(cap, + aead_xform->key.length, + aead_xform->digest_length, aead_xform->aad_length, + aead_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, + "PMD %s key_len %u tag_len %u aad_len %u iv_len %u\n", + info.device_name, aead_xform->key.length, + aead_xform->digest_length, + aead_xform->aad_length, + aead_xform->iv.length); + return -EPERM; + } + + return 0; +} + +int +prepare_gmac_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_auth_xform *auth_xform = &xform->auth; + + xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + + auth_xform->algo = RTE_CRYPTO_AUTH_AES_GMAC; + auth_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_AUTH_OP_GENERATE : + RTE_CRYPTO_AUTH_OP_VERIFY; + auth_xform->iv.offset = IV_OFF; + auth_xform->iv.length = vec.iv.len; + auth_xform->digest_length = vec.aead.digest.len; + auth_xform->key.data = vec.aead.key.val; + auth_xform->key.length = vec.aead.key.len; + + cap_idx.algo.auth = auth_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_auth(cap, + auth_xform->key.length, + auth_xform->digest_length, + auth_xform->iv.length) != 0) { + + RTE_LOG(ERR, USER1, + "PMD %s key length %u Digest length %u IV length %u\n", + info.device_name, auth_xform->key.length, + auth_xform->digest_length, + auth_xform->iv.length); + return -EPERM; + } + + return 0; +} + +static int +prepare_cmac_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_auth_xform *auth_xform = &xform->auth; + + xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + + auth_xform->algo = RTE_CRYPTO_AUTH_AES_CMAC; + auth_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_AUTH_OP_GENERATE : RTE_CRYPTO_AUTH_OP_VERIFY; + auth_xform->digest_length = vec.cipher_auth.digest.len; + auth_xform->key.data = vec.cipher_auth.key.val; + auth_xform->key.length = vec.cipher_auth.key.len; + + cap_idx.algo.auth = auth_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_auth(cap, + auth_xform->key.length, + auth_xform->digest_length, 0) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, auth_xform->key.length, + auth_xform->digest_length); + return -EPERM; + } - memcpy(pt, vec.pt.val, vec.pt.len); - sym->auth.data.length = vec.pt.len; - sym->auth.digest.data = pt + vec.pt.len; - sym->auth.digest.phys_addr = rte_pktmbuf_mtophys_offset( - env.mbuf, vec.pt.len); + return 0; +} - } else { - uint8_t *ct; +static int +prepare_ccm_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_aead_xform *aead_xform = &xform->aead; - if (vec.ct.len > RTE_MBUF_MAX_NB_SEGS) { - RTE_LOG(ERR, USER1, "CT len %u\n", vec.ct.len); - return -EPERM; - } + xform->type = RTE_CRYPTO_SYM_XFORM_AEAD; - ct = (uint8_t *)rte_pktmbuf_append(env.mbuf, - vec.ct.len + vec.cipher_auth.digest.len); + aead_xform->algo = RTE_CRYPTO_AEAD_AES_CCM; + aead_xform->aad_length = vec.aead.aad.len; + aead_xform->digest_length = vec.aead.digest.len; + aead_xform->iv.offset = IV_OFF; + aead_xform->iv.length = vec.iv.len; + aead_xform->key.data = vec.aead.key.val; + aead_xform->key.length = vec.aead.key.len; + aead_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_AEAD_OP_ENCRYPT : + RTE_CRYPTO_AEAD_OP_DECRYPT; - if (!ct) { - RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", - -ENOMEM); - return -ENOMEM; - } + cap_idx.algo.aead = aead_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AEAD; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } - memcpy(ct, vec.ct.val, vec.ct.len); - sym->auth.data.length = vec.ct.len; - sym->auth.digest.data = vec.cipher_auth.digest.val; - sym->auth.digest.phys_addr = rte_malloc_virt2iova( - sym->auth.digest.data); + if (rte_cryptodev_sym_capability_check_aead(cap, + aead_xform->key.length, + aead_xform->digest_length, aead_xform->aad_length, + aead_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, + "PMD %s key_len %u tag_len %u aad_len %u iv_len %u\n", + info.device_name, aead_xform->key.length, + aead_xform->digest_length, + aead_xform->aad_length, + aead_xform->iv.length); + return -EPERM; } - rte_crypto_op_attach_sym_session(env.op, env.sess); + return 0; } static int -prepare_aes_xform(struct rte_crypto_sym_xform *xform) +prepare_sha_xform(struct rte_crypto_sym_xform *xform) { const struct rte_cryptodev_symmetric_capability *cap; struct rte_cryptodev_sym_capability_idx cap_idx; - struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher; + struct rte_crypto_auth_xform *auth_xform = &xform->auth; - xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; - cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC; - cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? - RTE_CRYPTO_CIPHER_OP_ENCRYPT : - RTE_CRYPTO_CIPHER_OP_DECRYPT; - cipher_xform->key.data = vec.cipher_auth.key.val; - cipher_xform->key.length = vec.cipher_auth.key.len; - cipher_xform->iv.length = vec.iv.len; - cipher_xform->iv.offset = IV_OFF; + auth_xform->algo = info.interim_info.sha_data.algo; + auth_xform->op = RTE_CRYPTO_AUTH_OP_GENERATE; + auth_xform->digest_length = vec.cipher_auth.digest.len; - cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC; - cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + cap_idx.algo.auth = auth_xform->algo; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); if (!cap) { @@ -489,12 +1066,12 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform) return -EINVAL; } - if (rte_cryptodev_sym_capability_check_cipher(cap, - cipher_xform->key.length, - cipher_xform->iv.length) != 0) { - RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", - info.device_name, cipher_xform->key.length, - cipher_xform->iv.length); + if (rte_cryptodev_sym_capability_check_auth(cap, + auth_xform->key.length, + auth_xform->digest_length, 0) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u digest length %u\n", + info.device_name, auth_xform->key.length, + auth_xform->digest_length); return -EPERM; } @@ -502,7 +1079,7 @@ prepare_aes_xform(struct rte_crypto_sym_xform *xform) } static int -prepare_tdes_xform(struct rte_crypto_sym_xform *xform) +prepare_xts_xform(struct rte_crypto_sym_xform *xform) { const struct rte_cryptodev_symmetric_capability *cap; struct rte_cryptodev_sym_capability_idx cap_idx; @@ -510,7 +1087,7 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform) xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; - cipher_xform->algo = RTE_CRYPTO_CIPHER_3DES_CBC; + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_XTS; cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? RTE_CRYPTO_CIPHER_OP_ENCRYPT : RTE_CRYPTO_CIPHER_OP_DECRYPT; @@ -519,7 +1096,7 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform) cipher_xform->iv.length = vec.iv.len; cipher_xform->iv.offset = IV_OFF; - cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_3DES_CBC; + cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_XTS; cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); @@ -542,47 +1119,48 @@ prepare_tdes_xform(struct rte_crypto_sym_xform *xform) } static int -prepare_hmac_xform(struct rte_crypto_sym_xform *xform) +get_writeback_data(struct fips_val *val) { - const struct rte_cryptodev_symmetric_capability *cap; - struct rte_cryptodev_sym_capability_idx cap_idx; - struct rte_crypto_auth_xform *auth_xform = &xform->auth; - - xform->type = RTE_CRYPTO_SYM_XFORM_AUTH; + struct rte_mbuf *m = env.mbuf; + uint16_t data_len = rte_pktmbuf_pkt_len(m); + uint16_t total_len = data_len + env.digest_len; + uint8_t *src, *dst, *wb_data; + + /* in case val is reused for MCT test, try to free the buffer first */ + if (val->val) { + free(val->val); + val->val = NULL; + } - auth_xform->algo = info.interim_info.hmac_data.algo; - auth_xform->op = RTE_CRYPTO_AUTH_OP_GENERATE; - auth_xform->digest_length = vec.cipher_auth.digest.len; - auth_xform->key.data = vec.cipher_auth.key.val; - auth_xform->key.length = vec.cipher_auth.key.len; + wb_data = dst = calloc(1, total_len); + if (!dst) { + RTE_LOG(ERR, USER1, "Error %i: Not enough memory\n", -ENOMEM); + return -ENOMEM; + } - cap_idx.algo.auth = auth_xform->algo; - cap_idx.type = RTE_CRYPTO_SYM_XFORM_AUTH; + while (m && data_len) { + uint16_t seg_len = RTE_MIN(rte_pktmbuf_data_len(m), data_len); - cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); - if (!cap) { - RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", - env.dev_id); - return -EINVAL; + src = rte_pktmbuf_mtod(m, uint8_t *); + memcpy(dst, src, seg_len); + m = m->next; + data_len -= seg_len; + dst += seg_len; } - if (rte_cryptodev_sym_capability_check_auth(cap, - auth_xform->key.length, - auth_xform->digest_length, 0) != 0) { - RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", - info.device_name, auth_xform->key.length, - auth_xform->digest_length); - return -EPERM; + if (data_len) { + RTE_LOG(ERR, USER1, "Error -1: write back data\n"); + free(wb_data); + return -1; } - return 0; -} + if (env.digest) + memcpy(dst, env.digest, env.digest_len); -static void -get_writeback_data(struct fips_val *val) -{ - val->val = rte_pktmbuf_mtod(env.mbuf, uint8_t *); - val->len = rte_pktmbuf_pkt_len(env.mbuf); + val->val = wb_data; + val->len = total_len; + + return 0; } static int @@ -596,28 +1174,29 @@ fips_run_test(void) if (ret < 0) return ret; - env.sess = rte_cryptodev_sym_session_create(env.mpool); + env.sess = rte_cryptodev_sym_session_create(env.sess_mpool); if (!env.sess) return -ENOMEM; ret = rte_cryptodev_sym_session_init(env.dev_id, - env.sess, &xform, env.mpool); + env.sess, &xform, env.sess_priv_mpool); if (ret < 0) { RTE_LOG(ERR, USER1, "Error %i: Init session\n", ret); - return ret; + goto exit; } ret = test_ops.prepare_op(); if (ret < 0) { RTE_LOG(ERR, USER1, "Error %i: Prepare op\n", ret); - return ret; + goto exit; } if (rte_cryptodev_enqueue_burst(env.dev_id, 0, &env.op, 1) < 1) { RTE_LOG(ERR, USER1, "Error: Failed enqueue\n"); - return ret; + ret = -1; + goto exit; } do { @@ -629,6 +1208,7 @@ fips_run_test(void) vec.status = env.op->status; +exit: rte_cryptodev_sym_session_clear(env.dev_id, env.sess); rte_cryptodev_sym_session_free(env.sess); env.sess = NULL; @@ -639,14 +1219,14 @@ fips_run_test(void) static int fips_generic_test(void) { - struct fips_val val; + struct fips_val val = {NULL, 0}; int ret; fips_test_write_one_case(); ret = fips_run_test(); if (ret < 0) { - if (ret == -EPERM) { + if (ret == -EPERM || ret == -ENOTSUP) { fprintf(info.fp_wr, "Bypass\n\n"); return 0; } @@ -654,7 +1234,9 @@ fips_generic_test(void) return ret; } - get_writeback_data(&val); + ret = get_writeback_data(&val); + if (ret < 0) + return ret; switch (info.file_type) { case FIPS_TYPE_REQ: @@ -675,6 +1257,7 @@ fips_generic_test(void) } fprintf(info.fp_wr, "\n"); + free(val.val); return 0; } @@ -685,14 +1268,20 @@ fips_mct_tdes_test(void) #define TDES_BLOCK_SIZE 8 #define TDES_EXTERN_ITER 400 #define TDES_INTERN_ITER 10000 - struct fips_val val, val_key; - uint8_t prev_out[TDES_BLOCK_SIZE]; - uint8_t prev_prev_out[TDES_BLOCK_SIZE]; - uint8_t prev_in[TDES_BLOCK_SIZE]; + struct fips_val val = {NULL, 0}, val_key; + uint8_t prev_out[TDES_BLOCK_SIZE] = {0}; + uint8_t prev_prev_out[TDES_BLOCK_SIZE] = {0}; + uint8_t prev_in[TDES_BLOCK_SIZE] = {0}; uint32_t i, j, k; int ret; + int test_mode = info.interim_info.tdes_data.test_mode; for (i = 0; i < TDES_EXTERN_ITER; i++) { + if ((i == 0) && (info.version == 21.4f)) { + if (!(strstr(info.vec[0], "COUNT"))) + fprintf(info.fp_wr, "%s%u\n", "COUNT = ", 0); + } + if (i != 0) update_info_vec(i); @@ -705,11 +1294,12 @@ fips_mct_tdes_test(void) fprintf(info.fp_wr, "Bypass\n"); return 0; } - return ret; } - get_writeback_data(&val); + ret = get_writeback_data(&val); + if (ret < 0) + return ret; if (info.op == FIPS_TEST_DEC_AUTH_VERIF) memcpy(prev_in, vec.ct.val, TDES_BLOCK_SIZE); @@ -718,25 +1308,50 @@ fips_mct_tdes_test(void) memcpy(prev_out, val.val, TDES_BLOCK_SIZE); if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.pt.val, vec.iv.val, - TDES_BLOCK_SIZE); - memcpy(vec.iv.val, val.val, - TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.pt.val, vec.iv.val, + TDES_BLOCK_SIZE); + memcpy(vec.iv.val, val.val, + TDES_BLOCK_SIZE); + } + } else { - memcpy(vec.iv.val, vec.ct.val, - TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, - TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, vec.ct.val, + TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } } continue; } if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); - memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, val.val, + TDES_BLOCK_SIZE); + memcpy(vec.pt.val, prev_out, + TDES_BLOCK_SIZE); + } } else { - memcpy(vec.iv.val, vec.ct.val, TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, vec.ct.val, + TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, + TDES_BLOCK_SIZE); + } } if (j == TDES_INTERN_ITER - 1) @@ -795,29 +1410,122 @@ fips_mct_tdes_test(void) val_key.val[k] : (val_key.val[k] ^ 0x1); if (info.op == FIPS_TEST_ENC_AUTH_GEN) { - memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); - memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.pt.val, val.val, TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, val.val, TDES_BLOCK_SIZE); + memcpy(vec.pt.val, prev_out, TDES_BLOCK_SIZE); + } } else { - memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE); - memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + if (test_mode == TDES_MODE_ECB) { + memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, prev_out, TDES_BLOCK_SIZE); + memcpy(vec.ct.val, val.val, TDES_BLOCK_SIZE); + } } } + if (val.val) + free(val.val); + return 0; } +static int +fips_mct_aes_ecb_test(void) +{ +#define AES_BLOCK_SIZE 16 +#define AES_EXTERN_ITER 100 +#define AES_INTERN_ITER 1000 + struct fips_val val = {NULL, 0}, val_key; + uint8_t prev_out[AES_BLOCK_SIZE] = {0}; + uint32_t i, j, k; + int ret; + + for (i = 0; i < AES_EXTERN_ITER; i++) { + if (i != 0) + update_info_vec(i); + + fips_test_write_one_case(); + + for (j = 0; j < AES_INTERN_ITER; j++) { + ret = fips_run_test(); + if (ret < 0) { + if (ret == -EPERM) { + fprintf(info.fp_wr, "Bypass\n"); + return 0; + } + + return ret; + } + + ret = get_writeback_data(&val); + if (ret < 0) + return ret; + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) + memcpy(vec.pt.val, val.val, AES_BLOCK_SIZE); + else + memcpy(vec.ct.val, val.val, AES_BLOCK_SIZE); + + if (j == AES_INTERN_ITER - 1) + continue; + + memcpy(prev_out, val.val, AES_BLOCK_SIZE); + } + + info.parse_writeback(&val); + fprintf(info.fp_wr, "\n"); + + if (i == AES_EXTERN_ITER - 1) + continue; + + /** update key */ + memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key)); + for (k = 0; k < vec.cipher_auth.key.len; k++) { + switch (vec.cipher_auth.key.len) { + case 16: + val_key.val[k] ^= val.val[k]; + break; + case 24: + if (k < 8) + val_key.val[k] ^= prev_out[k + 8]; + else + val_key.val[k] ^= val.val[k - 8]; + break; + case 32: + if (k < 16) + val_key.val[k] ^= prev_out[k]; + else + val_key.val[k] ^= val.val[k - 16]; + break; + default: + return -1; + } + } + } + + if (val.val) + free(val.val); + + return 0; +} static int fips_mct_aes_test(void) { #define AES_BLOCK_SIZE 16 #define AES_EXTERN_ITER 100 #define AES_INTERN_ITER 1000 - struct fips_val val, val_key; + struct fips_val val = {NULL, 0}, val_key; uint8_t prev_out[AES_BLOCK_SIZE] = {0}; uint8_t prev_in[AES_BLOCK_SIZE] = {0}; uint32_t i, j, k; int ret; + if (info.interim_info.aes_data.cipher_algo == RTE_CRYPTO_CIPHER_AES_ECB) + return fips_mct_aes_ecb_test(); + for (i = 0; i < AES_EXTERN_ITER; i++) { if (i != 0) update_info_vec(i); @@ -835,7 +1543,9 @@ fips_mct_aes_test(void) return ret; } - get_writeback_data(&val); + ret = get_writeback_data(&val); + if (ret < 0) + return ret; if (info.op == FIPS_TEST_DEC_AUTH_VERIF) memcpy(prev_in, vec.ct.val, AES_BLOCK_SIZE); @@ -905,9 +1615,100 @@ fips_mct_aes_test(void) memcpy(vec.iv.val, val.val, AES_BLOCK_SIZE); } + if (val.val) + free(val.val); + + return 0; +} + +static int +fips_mct_sha_test(void) +{ +#define SHA_EXTERN_ITER 100 +#define SHA_INTERN_ITER 1000 +#define SHA_MD_BLOCK 3 + struct fips_val val = {NULL, 0}, md[SHA_MD_BLOCK]; + char temp[MAX_DIGEST_SIZE*2]; + int ret; + uint32_t i, j; + + for (i = 0; i < SHA_MD_BLOCK; i++) + md[i].val = rte_malloc(NULL, (MAX_DIGEST_SIZE*2), 0); + + rte_free(vec.pt.val); + vec.pt.val = rte_malloc(NULL, (MAX_DIGEST_SIZE*SHA_MD_BLOCK), 0); + + fips_test_write_one_case(); + fprintf(info.fp_wr, "\n"); + + for (j = 0; j < SHA_EXTERN_ITER; j++) { + + memcpy(md[0].val, vec.cipher_auth.digest.val, + vec.cipher_auth.digest.len); + md[0].len = vec.cipher_auth.digest.len; + memcpy(md[1].val, vec.cipher_auth.digest.val, + vec.cipher_auth.digest.len); + md[1].len = vec.cipher_auth.digest.len; + memcpy(md[2].val, vec.cipher_auth.digest.val, + vec.cipher_auth.digest.len); + md[2].len = vec.cipher_auth.digest.len; + + for (i = 0; i < (SHA_INTERN_ITER); i++) { + + memcpy(vec.pt.val, md[0].val, + (size_t)md[0].len); + memcpy((vec.pt.val + md[0].len), md[1].val, + (size_t)md[1].len); + memcpy((vec.pt.val + md[0].len + md[1].len), + md[2].val, + (size_t)md[2].len); + vec.pt.len = md[0].len + md[1].len + md[2].len; + + ret = fips_run_test(); + if (ret < 0) { + if (ret == -EPERM || ret == -ENOTSUP) { + fprintf(info.fp_wr, "Bypass\n\n"); + return 0; + } + return ret; + } + + ret = get_writeback_data(&val); + if (ret < 0) + return ret; + + memcpy(md[0].val, md[1].val, md[1].len); + md[0].len = md[1].len; + memcpy(md[1].val, md[2].val, md[2].len); + md[1].len = md[2].len; + + memcpy(md[2].val, (val.val + vec.pt.len), + vec.cipher_auth.digest.len); + md[2].len = vec.cipher_auth.digest.len; + } + + memcpy(vec.cipher_auth.digest.val, md[2].val, md[2].len); + vec.cipher_auth.digest.len = md[2].len; + + fprintf(info.fp_wr, "COUNT = %u\n", j); + + writeback_hex_str("", temp, &vec.cipher_auth.digest); + + fprintf(info.fp_wr, "MD = %s\n\n", temp); + } + + for (i = 0; i < (SHA_MD_BLOCK); i++) + rte_free(md[i].val); + + rte_free(vec.pt.val); + + if (val.val) + free(val.val); + return 0; } + static int init_test_ops(void) { @@ -933,8 +1734,46 @@ init_test_ops(void) else test_ops.test = fips_generic_test; break; - + case FIPS_TEST_ALGO_AES_GCM: + test_ops.prepare_op = prepare_aead_op; + test_ops.prepare_xform = prepare_gcm_xform; + test_ops.test = fips_generic_test; + break; + case FIPS_TEST_ALGO_AES_CMAC: + test_ops.prepare_op = prepare_auth_op; + test_ops.prepare_xform = prepare_cmac_xform; + test_ops.test = fips_generic_test; + break; + case FIPS_TEST_ALGO_AES_CCM: + test_ops.prepare_op = prepare_aead_op; + test_ops.prepare_xform = prepare_ccm_xform; + test_ops.test = fips_generic_test; + break; + case FIPS_TEST_ALGO_SHA: + test_ops.prepare_op = prepare_auth_op; + test_ops.prepare_xform = prepare_sha_xform; + if (info.interim_info.sha_data.test_type == SHA_MCT) + test_ops.test = fips_mct_sha_test; + else + test_ops.test = fips_generic_test; + break; + case FIPS_TEST_ALGO_AES_XTS: + test_ops.prepare_op = prepare_cipher_op; + test_ops.prepare_xform = prepare_xts_xform; + test_ops.test = fips_generic_test; + break; default: + if (strstr(info.file_name, "TECB") || + strstr(info.file_name, "TCBC")) { + info.algo = FIPS_TEST_ALGO_TDES; + test_ops.prepare_op = prepare_cipher_op; + test_ops.prepare_xform = prepare_tdes_xform; + if (info.interim_info.tdes_data.test_type == TDES_MCT) + test_ops.test = fips_mct_tdes_test; + else + test_ops.test = fips_generic_test; + break; + } return -1; } @@ -957,7 +1796,6 @@ fips_test_one_file(void) { int fetch_ret = 0, ret; - ret = init_test_ops(); if (ret < 0) { RTE_LOG(ERR, USER1, "Error %i: Init test op\n", ret); @@ -1005,6 +1843,12 @@ error_one_case: fips_test_clear(); - return ret; + if (env.digest) { + rte_free(env.digest); + env.digest = NULL; + } + if (env.mbuf) + rte_pktmbuf_free(env.mbuf); + return ret; }