test/crypto: add tunnel header verification cases
authorTejasree Kondoj <ktejasree@marvell.com>
Tue, 28 Sep 2021 12:07:41 +0000 (17:37 +0530)
committerAkhil Goyal <gakhil@marvell.com>
Tue, 28 Sep 2021 15:57:39 +0000 (17:57 +0200)
Added test cases to verify tunnel header in IPsec inbound.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>
app/test/test_cryptodev.c
app/test/test_cryptodev_security_ipsec.c
app/test/test_cryptodev_security_ipsec.h
app/test/test_cryptodev_security_ipsec_test_vectors.h
doc/guides/rel_notes/release_21_11.rst

index 34b55a9..665d19c 100644 (file)
@@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
        int salt_len, i, ret = TEST_SUCCESS;
        struct rte_security_ctx *ctx;
        uint8_t *input_text;
+       uint32_t verify;
 
        ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
        gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL;
@@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
        /* Copy IPsec xform */
        memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform));
 
+       dir = ipsec_xform.direction;
+       verify = flags->tunnel_hdr_verify;
+
+       if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) {
+               if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR)
+                       src += 1;
+               else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR)
+                       dst += 1;
+       }
+
        memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
        memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
 
-       dir = ipsec_xform.direction;
-
        ctx = rte_cryptodev_get_sec_ctx(dev_id);
 
        sec_cap_idx.action = ut_params->type;
@@ -9229,6 +9238,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused)
        return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused)
+{
+       struct ipsec_test_flags flags;
+
+       memset(&flags, 0, sizeof(flags));
+
+       flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR;
+
+       return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused)
+{
+       struct ipsec_test_flags flags;
+
+       memset(&flags, 0, sizeof(flags));
+
+       flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR;
+
+       return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
                        "Negative test: ICV corruption",
                        ut_setup_security, ut_teardown,
                        test_ipsec_proto_err_icv_corrupt),
+               TEST_CASE_NAMED_ST(
+                       "Tunnel dst addr verification",
+                       ut_setup_security, ut_teardown,
+                       test_ipsec_proto_tunnel_dst_addr_verify),
+               TEST_CASE_NAMED_ST(
+                       "Tunnel src and dst addr verification",
+                       ut_setup_security, ut_teardown,
+                       test_ipsec_proto_tunnel_src_dst_addr_verify),
                TEST_CASES_END() /**< NULL terminate unit test array */
        }
 };
index 046536c..f040630 100644 (file)
@@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
                return -ENOTSUP;
        }
 
+       if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+           (ipsec_xform->options.tunnel_hdr_verify >
+           sec_cap->ipsec.options.tunnel_hdr_verify)) {
+               if (!silent)
+                       RTE_LOG(INFO, USER1,
+                               "Tunnel header verify is not supported\n");
+               return -ENOTSUP;
+       }
+
        return 0;
 }
 
@@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
                if (flags->udp_encap)
                        td_inb[i].ipsec_xform.options.udp_encap = 1;
 
+               td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
+                       flags->tunnel_hdr_verify;
+
                /* Clear outbound specific flags */
                td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
        }
@@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
        /* For tests with status as error for test success, skip verification */
        if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
            (flags->icv_corrupt ||
-            flags->sa_expiry_pkts_hard))
+            flags->sa_expiry_pkts_hard ||
+            flags->tunnel_hdr_verify))
                return TEST_SUCCESS;
 
        if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op,
                }
        }
 
+       if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+           flags->tunnel_hdr_verify) {
+               if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+                       printf("Tunnel header verify test case failed\n");
+                       return TEST_FAILED;
+               } else {
+                       return TEST_SUCCESS;
+               }
+       }
+
        if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
                if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
                        printf("ICV corruption test case failed\n");
index 18f3c64..a65cb54 100644 (file)
@@ -53,6 +53,7 @@ struct ipsec_test_flags {
        bool sa_expiry_pkts_hard;
        bool icv_corrupt;
        bool iv_gen;
+       uint32_t tunnel_hdr_verify;
        bool udp_encap;
 };
 
index 38ea43d..4e147ec 100644 (file)
@@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
                .options.dec_ttl = 0,
                .options.ecn = 0,
                .options.stats = 0,
+               .options.tunnel_hdr_verify = 0,
                .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
                .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
                .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = {
                .options.dec_ttl = 0,
                .options.ecn = 0,
                .options.stats = 0,
+               .options.tunnel_hdr_verify = 0,
                .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
                .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
                .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = {
                .options.dec_ttl = 0,
                .options.ecn = 0,
                .options.stats = 0,
+               .options.tunnel_hdr_verify = 0,
                .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
                .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
                .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
index 22e5a06..f85dc99 100644 (file)
@@ -104,6 +104,7 @@ New Features
   * Added tests to verify UDP encapsulation.
   * Added tests to validate packets soft expiry.
   * Added tests to validate packets hard expiry.
+  * Added tests to verify tunnel header verification in IPsec inbound.
 
 
 Removed Items