examples/fips_validation: add crypto FIPS application
authorMarko Kovacevic <marko.kovacevic@intel.com>
Fri, 2 Nov 2018 09:55:28 +0000 (09:55 +0000)
committerAkhil Goyal <akhil.goyal@nxp.com>
Fri, 2 Nov 2018 11:26:06 +0000 (12:26 +0100)
Added FIPS application into the examples to allow
users to use a simple sample app to validate
their systems and be able to get FIPS certification.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
MAINTAINERS
doc/guides/rel_notes/release_18_11.rst
doc/guides/sample_app_ug/fips_validation.rst [new file with mode: 0644]
doc/guides/sample_app_ug/index.rst
examples/fips_validation/Makefile [new file with mode: 0644]
examples/fips_validation/fips_validation.c [new file with mode: 0644]
examples/fips_validation/fips_validation.h [new file with mode: 0644]
examples/fips_validation/main.c [new file with mode: 0644]
examples/fips_validation/meson.build [new file with mode: 0644]

index e60379d..19353ac 100644 (file)
@@ -1271,6 +1271,10 @@ F: doc/guides/sample_app_ug/ethtool.rst
 F: examples/exception_path/
 F: doc/guides/sample_app_ug/exception_path.rst
 
+M: Marko Kovacevic <marko.kovacevic@intel.com>
+F: examples/fips_validation/
+F: doc/guides/sample_app_ug/fips_validation.rst
+
 M: Ori Kam <orika@mellanox.com>
 F: examples/flow_filtering/
 F: doc/guides/sample_app_ug/flow_filtering.rst
index 11a2740..c60879c 100644 (file)
@@ -285,6 +285,12 @@ New Features
   this application doesn't need to launch dedicated worker threads for vhost
   enqueue/dequeue operations.
 
+* **Added cryptodev FIPS validation example application.**
+
+  Added an example application to parse and perform symmetric cryptography
+  computation to the NIST Cryptographic Algorithm Validation Program (CAVP)
+  test vectors.
+
 
 API Changes
 -----------
diff --git a/doc/guides/sample_app_ug/fips_validation.rst b/doc/guides/sample_app_ug/fips_validation.rst
new file mode 100644 (file)
index 0000000..9ca6ffe
--- /dev/null
@@ -0,0 +1,125 @@
+..  SPDX-License-Identifier: BSD-3-Clause
+    Copyright(c) 2018 Intel Corporation.
+
+Federal Information Processing Standards (FIPS) CryptoDev Validation
+====================================================================
+
+Overview
+--------
+
+Federal Information Processing Standards (FIPS) are publicly announced standards
+developed by the United States federal government for use in computer systems by
+non-military government agencies and government contractors.
+
+This application is used to parse and perform symmetric cryptography
+computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test
+vectors.
+
+For an algorithm implementation to be listed on a cryptographic module
+validation certificate as an Approved security function, the algorithm
+implementation must meet all the requirements of FIPS 140-2 and must
+successfully complete the cryptographic algorithm validation process.
+
+Limitations
+-----------
+
+* Only NIST CAVP request files are parsed by this application.
+* The version of request file supported is ``CAVS 21.0``
+* If the header comment in a ``.req`` file does not contain a Algo tag
+  i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
+  example::
+
+      # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
+
+* The application does not supply the test vectors. The user is expected to
+  obtain the test vector files from `NIST
+  <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
+  program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
+  email a person from the NIST website and pay for the ``.req`` files.
+  The ``.rsp`` files from the site can be used to validate and compare with
+  the ``.rsp`` files created by the FIPS application.
+
+* Supported test vectors
+
+Application Information
+-----------------------
+
+If a ``.req`` is used as the input file after the application is finished
+running it will generate a response file or ``.rsp``. Differences between the
+two files are, the ``.req`` file has missing information for instance if doing
+encryption you will not have the cipher text and that will be generated in the
+response file. Also if doing decryption it will not have the plain text until it
+finished the work and in the response file it will be added onto the end of each
+operation.
+
+The application can be run with a ``.rsp`` file and what the outcome of that
+will be is it will add a extra line in the generated ``.rsp`` which should be
+the same as the ``.rsp`` used to run the application, this is useful for
+validating if the application has done the operation correctly.
+
+
+Compiling the Application
+-------------------------
+
+* Compile Application
+
+    .. code-block:: console
+
+         make -C examples/fips_validation
+
+*  Run ``dos2unix`` on the request files
+
+    .. code-block:: console
+
+         dos2unix AES/req/*
+         dos2unix AES_GCM/req/*
+         dos2unix CCM/req/*
+         dos2unix CMAC/req/*
+         dos2unix HMAC/req/*
+         dos2unix TDES/req/*
+
+Running the Application
+-----------------------
+
+The application requires a number of command line options:
+
+    .. code-block:: console
+
+         ./fips_validation [EAL options]
+         -- --req-file FILE_PATH/FOLDER_PATH
+         --rsp-file FILE_PATH/FOLDER_PATH
+         [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
+
+where,
+  * req-file: The path of the request file or folder, separated by
+    ``path-is-folder`` option.
+
+  * rsp-file: The path that the response file or folder is stored. separated by
+    ``path-is-folder`` option.
+
+  * cryptodev: The name of the target DPDK Crypto device to be validated.
+
+  * cryptodev-id: The id of the target DPDK Crypto device to be validated.
+
+  * path-is-folder: If presented the application expects req-file and rsp-file
+    are folder paths.
+
+
+To run the application in linuxapp environment to test one AES FIPS test data
+file for crypto_aesni_mb PMD, issue the command:
+
+.. code-block:: console
+
+    $ ./fips_validation --vdev crypto_aesni_mb --
+    --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
+    --cryptodev crypto_aesni_mb
+
+To run the application in linuxapp environment to test all AES-GCM FIPS test
+data files in one folder for crypto_aesni_gcm PMD, issue the command:
+
+.. code-block:: console
+
+    $ ./fips_validation --vdev crypto_aesni_gcm0 --
+    --req-file /PATH/TO/REQUEST/FILE/FOLDER/
+    --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
+    --cryptodev-id 0 --path-is-folder
index 74b12af..b2455e0 100644 (file)
@@ -55,6 +55,7 @@ Sample Applications User Guides
     tep_termination
     ptpclient
     performance_thread
+    fips_validation
     ipsec_secgw
     bbdev_app
 
diff --git a/examples/fips_validation/Makefile b/examples/fips_validation/Makefile
new file mode 100644 (file)
index 0000000..59d56c7
--- /dev/null
@@ -0,0 +1,69 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright(c) 2018 Intel Corporation
+
+# binary name
+APP = fips_validation
+
+# all source are stored in SRCS-y
+SRCS-y := fips_validation.c
+SRCS-y += main.c
+
+# Build using pkg-config variables if possible
+$(shell pkg-config --exists libdpdk)
+ifeq ($(.SHELLSTATUS),0)
+
+all: shared
+.PHONY: shared static
+shared: build/$(APP)-shared
+       ln -sf $(APP)-shared build/$(APP)
+static: build/$(APP)-static
+       ln -sf $(APP)-static build/$(APP)
+
+PC_FILE := $(shell pkg-config --path libdpdk)
+CFLAGS += -O3 $(shell pkg-config --cflags libdpdk)
+LDFLAGS_SHARED = $(shell pkg-config --libs libdpdk)
+LDFLAGS_STATIC = -Wl,-Bstatic $(shell pkg-config --static --libs libdpdk)
+
+build/$(APP)-shared: $(SRCS-y) Makefile $(PC_FILE) | build
+       $(CC) $(CFLAGS) $(SRCS-y) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED)
+
+build/$(APP)-static: $(SRCS-y) Makefile $(PC_FILE) | build
+       $(CC) $(CFLAGS) $(SRCS-y) -o $@ $(LDFLAGS) $(LDFLAGS_STATIC)
+
+build:
+       @mkdir -p $@
+
+.PHONY: clean
+clean:
+       rm -f build/$(APP) build/$(APP)-static build/$(APP)-shared
+       rmdir --ignore-fail-on-non-empty build
+
+else
+
+ifeq ($(RTE_SDK),)
+$(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+INC += $(sort $(wildcard *.h))
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+CFLAGS += $(WERROR_FLAGS)
+
+# workaround for a gcc bug with noreturn attribute
+# http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12603
+ifeq ($(CONFIG_RTE_TOOLCHAIN_GCC),y)
+CFLAGS_main.o += -Wno-return-type
+endif
+
+CFLAGS += -DALLOW_EXPERIMENTAL_API
+CFLAGS += -I$(SRCDIR)
+CFLAGS += -O3
+CFLAGS += $(WERROR_FLAGS)
+
+include $(RTE_SDK)/mk/rte.extapp.mk
+
+endif
diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
new file mode 100644 (file)
index 0000000..58a3c1b
--- /dev/null
@@ -0,0 +1,564 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <rte_string_fns.h>
+#include <rte_cryptodev.h>
+#include <rte_malloc.h>
+
+#include "fips_validation.h"
+
+#define skip_white_spaces(pos)                 \
+({                                             \
+       __typeof__(pos) _p = (pos);             \
+       for ( ; isspace(*_p); _p++)             \
+               ;                               \
+       _p;                                     \
+})
+
+static int
+get_file_line(void)
+{
+       FILE *fp = info.fp_rd;
+       char *line = info.one_line_text;
+       int ret;
+       uint32_t loc = 0;
+
+       memset(line, 0, MAX_LINE_CHAR);
+       while ((ret = fgetc(fp)) != EOF) {
+               char c = (char)ret;
+
+               if (loc >= MAX_LINE_CHAR - 1)
+                       return -ENOMEM;
+               if (c == '\n')
+                       break;
+               line[loc++] = c;
+       }
+
+       if (ret == EOF)
+               return -EOF;
+
+       return 0;
+}
+
+int
+fips_test_fetch_one_block(void)
+{
+       size_t size;
+       int ret = 0;
+       uint32_t i;
+
+       for (i = 0; i < info.nb_vec_lines; i++) {
+               free(info.vec[i]);
+               info.vec[i] = NULL;
+       }
+
+       i = 0;
+       do {
+               if (i >= MAX_LINE_PER_VECTOR) {
+                       ret = -ENOMEM;
+                       goto error_exit;
+               }
+
+               ret = get_file_line();
+               size = strlen(info.one_line_text);
+               if (size == 0)
+                       break;
+
+               info.vec[i] = calloc(1, size + 5);
+               if (info.vec[i] == NULL)
+                       goto error_exit;
+
+               strlcpy(info.vec[i], info.one_line_text, size + 1);
+               i++;
+       } while (ret == 0);
+
+       info.nb_vec_lines = i;
+
+       return ret;
+
+error_exit:
+       for (i = 0; i < MAX_LINE_PER_VECTOR; i++)
+               if (info.vec[i] != NULL) {
+                       free(info.vec[i]);
+                       info.vec[i] = NULL;
+               }
+
+       info.nb_vec_lines = 0;
+
+       return -ENOMEM;
+}
+
+static int
+fips_test_parse_header(void)
+{
+       uint32_t i;
+       char *tmp;
+       int ret;
+       time_t t = time(NULL);
+       struct tm *tm_now = localtime(&t);
+
+       ret = fips_test_fetch_one_block();
+       if (ret < 0)
+               return ret;
+
+       for (i = 0; i < info.nb_vec_lines; i++) {
+
+               tmp = strstr(info.vec[i], "# Config info for ");
+               if (tmp != NULL) {
+                       fprintf(info.fp_wr, "%s%s\n", "# Config info for DPDK Cryptodev ",
+                                       info.device_name);
+                       continue;
+               }
+
+               tmp = strstr(info.vec[i], "#  HMAC information for ");
+               if (tmp != NULL) {
+                       fprintf(info.fp_wr, "%s%s\n", "#  HMAC information for "
+                               "DPDK Cryptodev ",
+                               info.device_name);
+                       continue;
+               }
+
+               tmp = strstr(info.vec[i], "# Config Info for : ");
+               if (tmp != NULL) {
+
+                       fprintf(info.fp_wr, "%s%s\n", "# Config Info for DPDK Cryptodev : ",
+                                       info.device_name);
+                       continue;
+               }
+
+               tmp = strstr(info.vec[i], "# information for ");
+               if (tmp != NULL) {
+
+                       char tmp_output[128] = {0};
+
+                       strlcpy(tmp_output, info.vec[i], tmp - info.vec[i] + 1);
+
+                       fprintf(info.fp_wr, "%s%s%s\n", tmp_output,
+                                       "information for DPDK Cryptodev ",
+                                       info.device_name);
+                       continue;
+               }
+
+               tmp = strstr(info.vec[i], " test information for ");
+               if (tmp != NULL) {
+                       char tmp_output[128] = {0};
+
+                       strlcpy(tmp_output, info.vec[i], tmp - info.vec[i] + 1);
+
+                       fprintf(info.fp_wr, "%s%s%s\n", tmp_output,
+                                       "test information for DPDK Cryptodev ",
+                                       info.device_name);
+                       continue;
+               }
+
+               if (i == info.nb_vec_lines - 1) {
+                       /** update the time as current time, write to file */
+                       fprintf(info.fp_wr, "%s%s\n", "# Generated on ",
+                                       asctime(tm_now));
+                       continue;
+               }
+
+               /* to this point, no field need to update,
+                *  only copy to rsp file
+                */
+               fprintf(info.fp_wr, "%s\n", info.vec[i]);
+       }
+
+       return 0;
+}
+
+static int
+parse_file_type(const char *path)
+{
+       const char *tmp = path + strlen(path) - 3;
+
+       if (strstr(tmp, REQ_FILE_PERFIX))
+               info.file_type = FIPS_TYPE_REQ;
+       else if (strstr(tmp, RSP_FILE_PERFIX))
+               info.file_type = FIPS_TYPE_RSP;
+       else if (strstr(path, FAX_FILE_PERFIX))
+               info.file_type = FIPS_TYPE_FAX;
+       else
+               return -EINVAL;
+
+       return 0;
+}
+
+int
+fips_test_init(const char *req_file_path, const char *rsp_file_path,
+               const char *device_name)
+{
+       if (strcmp(req_file_path, rsp_file_path) == 0) {
+               RTE_LOG(ERR, USER1, "File paths cannot be the same\n");
+               return -EINVAL;
+       }
+
+       fips_test_clear();
+
+       info.algo = FIPS_TEST_ALGO_MAX;
+       if (parse_file_type(req_file_path) < 0) {
+               RTE_LOG(ERR, USER1, "File %s type not supported\n",
+                               req_file_path);
+               return -EINVAL;
+       }
+
+       info.fp_rd = fopen(req_file_path, "r");
+       if (!info.fp_rd) {
+               RTE_LOG(ERR, USER1, "Cannot open file %s\n", req_file_path);
+               return -EINVAL;
+       }
+
+       info.fp_wr = fopen(rsp_file_path, "w");
+       if (!info.fp_wr) {
+               RTE_LOG(ERR, USER1, "Cannot open file %s\n", rsp_file_path);
+               return -EINVAL;
+       }
+
+       info.one_line_text = calloc(1, MAX_LINE_CHAR);
+       if (!info.one_line_text) {
+               RTE_LOG(ERR, USER1, "Insufficient memory\n");
+               return -ENOMEM;
+       }
+
+       strlcpy(info.device_name, device_name, sizeof(info.device_name));
+
+       if (fips_test_parse_header() < 0) {
+               RTE_LOG(ERR, USER1, "Failed parsing header\n");
+               return -1;
+       }
+
+       return 0;
+}
+
+void
+fips_test_clear(void)
+{
+       if (info.fp_rd)
+               fclose(info.fp_rd);
+       if (info.fp_wr)
+               fclose(info.fp_wr);
+       if (info.one_line_text)
+               free(info.one_line_text);
+       if (info.nb_vec_lines) {
+               uint32_t i;
+
+               for (i = 0; i < info.nb_vec_lines; i++)
+                       free(info.vec[i]);
+       }
+
+       memset(&info, 0, sizeof(info));
+}
+
+int
+fips_test_parse_one_case(void)
+{
+       uint32_t i, j = 0;
+       uint32_t is_interim = 0;
+       int ret;
+
+       if (info.interim_callbacks) {
+               for (i = 0; i < info.nb_vec_lines; i++) {
+                       for (j = 0; info.interim_callbacks[j].key != NULL; j++)
+                               if (strstr(info.vec[i],
+                                       info.interim_callbacks[j].key)) {
+                                       is_interim = 1;
+
+                                       ret = info.interim_callbacks[j].cb(
+                                               info.interim_callbacks[j].key,
+                                               info.vec[i],
+                                               info.interim_callbacks[j].val);
+                                       if (ret < 0)
+                                               return ret;
+                               }
+               }
+       }
+
+       if (is_interim) {
+               for (i = 0; i < info.nb_vec_lines; i++)
+                       fprintf(info.fp_wr, "%s\n", info.vec[i]);
+               fprintf(info.fp_wr, "\n");
+               return 1;
+       }
+
+       for (i = 0; i < info.nb_vec_lines; i++) {
+               for (j = 0; info.callbacks[j].key != NULL; j++)
+                       if (strstr(info.vec[i], info.callbacks[j].key)) {
+                               ret = info.callbacks[j].cb(
+                                       info.callbacks[j].key,
+                                       info.vec[i], info.callbacks[j].val);
+                               if (ret < 0)
+                                       return ret;
+                               break;
+                       }
+       }
+
+       return 0;
+}
+
+void
+fips_test_write_one_case(void)
+{
+       uint32_t i;
+
+       for (i = 0; i < info.nb_vec_lines; i++)
+               fprintf(info.fp_wr, "%s\n", info.vec[i]);
+}
+
+static int
+parser_read_uint64_hex(uint64_t *value, const char *p)
+{
+       char *next;
+       uint64_t val;
+
+       p = skip_white_spaces(p);
+
+       val = strtoul(p, &next, 16);
+       if (p == next)
+               return -EINVAL;
+
+       p = skip_white_spaces(next);
+       if (*p != '\0')
+               return -EINVAL;
+
+       *value = val;
+       return 0;
+}
+
+int
+parser_read_uint8_hex(uint8_t *value, const char *p)
+{
+       uint64_t val = 0;
+       int ret = parser_read_uint64_hex(&val, p);
+
+       if (ret < 0)
+               return ret;
+
+       if (val > UINT8_MAX)
+               return -ERANGE;
+
+       *value = val;
+       return 0;
+}
+
+int
+parse_uint8_known_len_hex_str(const char *key, char *src, struct fips_val *val)
+{
+       struct fips_val tmp_val = {0};
+       uint32_t len = val->len;
+       int ret;
+
+       if (len == 0) {
+               if (val->val != NULL) {
+                       rte_free(val->val);
+                       val->val = NULL;
+               }
+
+               return 0;
+       }
+
+       ret = parse_uint8_hex_str(key, src, &tmp_val);
+       if (ret < 0)
+               return ret;
+
+       if (tmp_val.len == val->len) {
+               val->val = tmp_val.val;
+               return 0;
+       }
+
+       if (tmp_val.len < val->len) {
+               rte_free(tmp_val.val);
+               return -EINVAL;
+       }
+
+       val->val = rte_zmalloc(NULL, val->len, 0);
+       if (!val->val) {
+               rte_free(tmp_val.val);
+               memset(val, 0, sizeof(*val));
+               return -ENOMEM;
+       }
+
+       memcpy(val->val, tmp_val.val, val->len);
+       rte_free(tmp_val.val);
+
+       return 0;
+}
+
+int
+parse_uint8_hex_str(const char *key, char *src, struct fips_val *val)
+{
+       uint32_t len, j;
+
+       src += strlen(key);
+
+       len = strlen(src) / 2;
+
+       if (val->val) {
+               rte_free(val->val);
+               val->val = NULL;
+       }
+
+       val->val = rte_zmalloc(NULL, len, 0);
+       if (!val->val)
+               return -ENOMEM;
+
+       for (j = 0; j < len; j++) {
+               char byte[3] = {src[j * 2], src[j * 2 + 1], '\0'};
+
+               if (parser_read_uint8_hex(&val->val[j], byte) < 0) {
+                       rte_free(val->val);
+                       memset(val, 0, sizeof(*val));
+                       return -EINVAL;
+               }
+       }
+
+       val->len = len;
+
+       return 0;
+}
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val)
+{
+       char *data = src + strlen(key);
+       size_t data_len = strlen(data);
+       int ret;
+
+       if (data[data_len - 1] == ']') {
+               char *tmp_data = calloc(1, data_len + 1);
+
+               if (tmp_data == NULL)
+                       return -ENOMEM;
+
+               strlcpy(tmp_data, data, data_len);
+
+               ret = parser_read_uint32(&val->len, tmp_data);
+
+               free(tmp_data);
+       } else
+               ret = parser_read_uint32(&val->len, data);
+
+       return ret;
+}
+
+int
+parser_read_uint32_bit_val(const char *key, char *src, struct fips_val *val)
+{
+       int ret;
+
+       ret = parser_read_uint32_val(key, src, val);
+
+       if (ret < 0)
+               return ret;
+
+       val->len /= 8;
+
+       return 0;
+}
+
+int
+writeback_hex_str(const char *key, char *dst, struct fips_val *val)
+{
+       char *str = dst;
+       uint32_t len;
+
+       str += strlen(key);
+
+       for (len = 0; len < val->len; len++)
+               snprintf(str + len * 2, 255, "%02x", val->val[len]);
+
+       return 0;
+}
+
+static int
+parser_read_uint64(uint64_t *value, const char *p)
+{
+       char *next;
+       uint64_t val;
+
+       p = skip_white_spaces(p);
+       if (!isdigit(*p))
+               return -EINVAL;
+
+       val = strtoul(p, &next, 10);
+       if (p == next)
+               return -EINVAL;
+
+       p = next;
+       switch (*p) {
+       case 'T':
+               val *= 1024ULL;
+               /* fall through */
+       case 'G':
+               val *= 1024ULL;
+               /* fall through */
+       case 'M':
+               val *= 1024ULL;
+               /* fall through */
+       case 'k':
+       case 'K':
+               val *= 1024ULL;
+               p++;
+               break;
+       }
+
+       p = skip_white_spaces(p);
+       if (*p != '\0')
+               return -EINVAL;
+
+       *value = val;
+       return 0;
+}
+
+int
+parser_read_uint32(uint32_t *value, char *p)
+{
+       uint64_t val = 0;
+       int ret = parser_read_uint64(&val, p);
+
+       if (ret < 0)
+               return ret;
+
+       if (val > UINT32_MAX)
+               return -EINVAL;
+
+       *value = val;
+       return 0;
+}
+
+void
+parse_write_hex_str(struct fips_val *src)
+{
+       writeback_hex_str("", info.one_line_text, src);
+
+       fprintf(info.fp_wr, "%s\n", info.one_line_text);
+}
+
+int
+update_info_vec(uint32_t count)
+{
+       const struct fips_test_callback *cb;
+       uint32_t i, j;
+
+       if (!info.writeback_callbacks)
+               return -1;
+
+       cb = &info.writeback_callbacks[0];
+
+       snprintf(info.vec[0], strlen(info.vec[0]) + 4, "%s%u", cb->key, count);
+
+       for (i = 1; i < info.nb_vec_lines; i++) {
+               for (j = 1; info.writeback_callbacks[j].key != NULL; j++) {
+                       cb = &info.writeback_callbacks[j];
+                       if (strstr(info.vec[i], cb->key)) {
+                               cb->cb(cb->key, info.vec[i], cb->val);
+                               break;
+                       }
+               }
+       }
+
+       return 0;
+}
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
new file mode 100644 (file)
index 0000000..dd3bc09
--- /dev/null
@@ -0,0 +1,149 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _FIPS_VALIDATION_H_
+#define _FIPS_VALIDATION_H_
+
+#define FIPS_PARSE_ERR(fmt, args)                                      \
+       RTE_LOG(ERR, USER1, "FIPS parse error" ## fmt ## "\n", ## args)
+
+#define ERR_MSG_SIZE           128
+#define MAX_CASE_LINE          15
+#define MAX_LINE_CHAR          204800 /*< max number of characters per line */
+#define MAX_NB_TESTS           10240
+#define MAX_BUF_SIZE           2048
+#define MAX_STRING_SIZE                64
+
+#define POSITIVE_TEST          0
+#define NEGATIVE_TEST          -1
+
+#define REQ_FILE_PERFIX                "req"
+#define RSP_FILE_PERFIX                "rsp"
+#define FAX_FILE_PERFIX                "fax"
+
+enum fips_test_algorithms {
+               FIPS_TEST_ALGO_MAX
+};
+
+enum file_types {
+       FIPS_TYPE_REQ = 1,
+       FIPS_TYPE_FAX,
+       FIPS_TYPE_RSP
+};
+
+enum fips_test_op {
+       FIPS_TEST_ENC_AUTH_GEN = 1,
+       FIPS_TEST_DEC_AUTH_VERIF,
+};
+
+#define MAX_LINE_PER_VECTOR            16
+
+struct fips_val {
+       uint8_t *val;
+       uint32_t len;
+};
+
+struct fips_test_vector {
+       union {
+               struct {
+                       struct fips_val key;
+                       struct fips_val digest;
+                       struct fips_val auth_aad;
+                       struct fips_val aad;
+               } cipher_auth;
+               struct {
+                       struct fips_val key;
+                       struct fips_val digest;
+                       struct fips_val aad;
+               } aead;
+       };
+
+       struct fips_val pt;
+       struct fips_val ct;
+       struct fips_val iv;
+
+       enum rte_crypto_op_status status;
+};
+
+typedef int (*post_prcess_t)(struct fips_val *val);
+
+typedef int (*parse_callback_t)(const char *key, char *text,
+               struct fips_val *val);
+
+struct fips_test_callback {
+       const char *key;
+       parse_callback_t cb;
+       struct fips_val *val;
+};
+
+struct fips_test_interim_info {
+       FILE *fp_rd;
+       FILE *fp_wr;
+       enum file_types file_type;
+       enum fips_test_algorithms algo;
+       char *one_line_text;
+       char *vec[MAX_LINE_PER_VECTOR];
+       uint32_t nb_vec_lines;
+       char device_name[MAX_STRING_SIZE];
+
+       enum fips_test_op op;
+
+       const struct fips_test_callback *callbacks;
+       const struct fips_test_callback *interim_callbacks;
+       const struct fips_test_callback *writeback_callbacks;
+
+       post_prcess_t parse_writeback;
+       post_prcess_t kat_check;
+};
+
+extern struct fips_test_vector vec;
+extern struct fips_test_interim_info info;
+
+int
+fips_test_init(const char *req_file_path, const char *rsp_file_path,
+               const char *device_name);
+
+void
+fips_test_clear(void);
+
+int
+fips_test_fetch_one_block(void);
+
+int
+fips_test_parse_one_case(void);
+
+void
+fips_test_write_one_case(void);
+
+int
+parser_read_uint8_hex(uint8_t *value, const char *p);
+
+int
+parse_uint8_hex_str(const char *key, char *src, struct fips_val *val);
+
+int
+parse_uint8_known_len_hex_str(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32_bit_val(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32(uint32_t *value, char *p);
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val);
+
+int
+writeback_hex_str(const char *key, char *dst, struct fips_val *val);
+
+void
+parse_write_hex_str(struct fips_val *src);
+
+int
+update_info_vec(uint32_t count);
+
+#endif
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
new file mode 100644 (file)
index 0000000..7083462
--- /dev/null
@@ -0,0 +1,388 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <sys/stat.h>
+#include <getopt.h>
+#include <dirent.h>
+
+#include <rte_cryptodev.h>
+#include <rte_cryptodev_pmd.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_string_fns.h>
+
+#include "fips_validation.h"
+
+#define REQ_FILE_PATH_KEYWORD  "req-file"
+#define RSP_FILE_PATH_KEYWORD  "rsp-file"
+#define FOLDER_KEYWORD         "path-is-folder"
+#define CRYPTODEV_KEYWORD      "cryptodev"
+#define CRYPTODEV_ID_KEYWORD   "cryptodev-id"
+
+struct fips_test_vector vec;
+struct fips_test_interim_info info;
+
+struct cryptodev_fips_validate_env {
+       const char *req_path;
+       const char *rsp_path;
+       uint32_t is_path_folder;
+       uint32_t dev_id;
+       struct rte_mempool *mpool;
+       struct rte_mempool *op_pool;
+       struct rte_mbuf *mbuf;
+       struct rte_crypto_op *op;
+       struct rte_cryptodev_sym_session *sess;
+} env;
+
+static int
+cryptodev_fips_validate_app_int(void)
+{
+       struct rte_cryptodev_config conf = {rte_socket_id(), 1};
+       struct rte_cryptodev_qp_conf qp_conf = {128};
+       int ret;
+
+       ret = rte_cryptodev_configure(env.dev_id, &conf);
+       if (ret < 0)
+               return ret;
+
+       env.mpool = rte_pktmbuf_pool_create("FIPS_MEMPOOL", 128, 0, 0,
+                       UINT16_MAX, rte_socket_id());
+       if (!env.mpool)
+               return ret;
+
+       ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
+                       rte_socket_id(), env.mpool);
+       if (ret < 0)
+               return ret;
+
+       ret = -ENOMEM;
+
+       env.op_pool = rte_crypto_op_pool_create(
+                       "FIPS_OP_POOL",
+                       RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+                       1, 0,
+                       16,
+                       rte_socket_id());
+       if (!env.op_pool)
+               goto error_exit;
+
+       env.mbuf = rte_pktmbuf_alloc(env.mpool);
+       if (!env.mbuf)
+               goto error_exit;
+
+       env.op = rte_crypto_op_alloc(env.op_pool, RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+       if (!env.op)
+               goto error_exit;
+
+       return 0;
+
+error_exit:
+       rte_mempool_free(env.mpool);
+       if (env.op_pool)
+               rte_mempool_free(env.op_pool);
+
+       return ret;
+}
+
+static void
+cryptodev_fips_validate_app_uninit(void)
+{
+       rte_pktmbuf_free(env.mbuf);
+       rte_crypto_op_free(env.op);
+       rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
+       rte_cryptodev_sym_session_free(env.sess);
+       rte_mempool_free(env.mpool);
+       rte_mempool_free(env.op_pool);
+}
+
+static int
+fips_test_one_file(void);
+
+static int
+parse_cryptodev_arg(char *arg)
+{
+       int id = rte_cryptodev_get_dev_id(arg);
+
+       if (id < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev name %s\n",
+                               id, arg);
+               return id;
+       }
+
+       env.dev_id = (uint32_t)id;
+
+       return 0;
+}
+
+static int
+parse_cryptodev_id_arg(char *arg)
+{
+       uint32_t cryptodev_id;
+
+       if (parser_read_uint32(&cryptodev_id, arg) < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev id %s\n",
+                               -EINVAL, arg);
+               return -1;
+       }
+
+
+       if (!rte_cryptodev_pmd_is_valid_dev(cryptodev_id)) {
+               RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev id %s\n",
+                               cryptodev_id, arg);
+               return -1;
+       }
+
+       env.dev_id = (uint32_t)cryptodev_id;
+
+       return 0;
+}
+
+static void
+cryptodev_fips_validate_usage(const char *prgname)
+{
+       printf("%s [EAL options] --\n"
+               "  --%s: REQUEST-FILE-PATH\n"
+               "  --%s: RESPONSE-FILE-PATH\n"
+               "  --%s: indicating both paths are folders\n"
+               "  --%s: CRYPTODEV-NAME\n"
+               "  --%s: CRYPTODEV-ID-NAME\n",
+               prgname, REQ_FILE_PATH_KEYWORD, RSP_FILE_PATH_KEYWORD,
+               FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD);
+}
+
+static int
+cryptodev_fips_validate_parse_args(int argc, char **argv)
+{
+       int opt, ret;
+       char *prgname = argv[0];
+       char **argvopt;
+       int option_index;
+       struct option lgopts[] = {
+                       {REQ_FILE_PATH_KEYWORD, required_argument, 0, 0},
+                       {RSP_FILE_PATH_KEYWORD, required_argument, 0, 0},
+                       {FOLDER_KEYWORD, no_argument, 0, 0},
+                       {CRYPTODEV_KEYWORD, required_argument, 0, 0},
+                       {CRYPTODEV_ID_KEYWORD, required_argument, 0, 0},
+                       {NULL, 0, 0, 0}
+       };
+
+       argvopt = argv;
+
+       while ((opt = getopt_long(argc, argvopt, "s:",
+                                 lgopts, &option_index)) != EOF) {
+
+               switch (opt) {
+               case 0:
+                       if (strcmp(lgopts[option_index].name,
+                                       REQ_FILE_PATH_KEYWORD) == 0)
+                               env.req_path = optarg;
+                       else if (strcmp(lgopts[option_index].name,
+                                       RSP_FILE_PATH_KEYWORD) == 0)
+                               env.rsp_path = optarg;
+                       else if (strcmp(lgopts[option_index].name,
+                                       FOLDER_KEYWORD) == 0)
+                               env.is_path_folder = 1;
+                       else if (strcmp(lgopts[option_index].name,
+                                       CRYPTODEV_KEYWORD) == 0) {
+                               ret = parse_cryptodev_arg(optarg);
+                               if (ret < 0) {
+                                       cryptodev_fips_validate_usage(prgname);
+                                       return -EINVAL;
+                               }
+                       } else if (strcmp(lgopts[option_index].name,
+                                       CRYPTODEV_ID_KEYWORD) == 0) {
+                               ret = parse_cryptodev_id_arg(optarg);
+                               if (ret < 0) {
+                                       cryptodev_fips_validate_usage(prgname);
+                                       return -EINVAL;
+                               }
+                       } else {
+                               cryptodev_fips_validate_usage(prgname);
+                               return -EINVAL;
+                       }
+                       break;
+               default:
+                       return -1;
+               }
+       }
+
+       if (env.req_path == NULL || env.rsp_path == NULL ||
+                       env.dev_id == UINT32_MAX) {
+               cryptodev_fips_validate_usage(prgname);
+               return -EINVAL;
+       }
+
+       return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+       int ret;
+
+       ret = rte_eal_init(argc, argv);
+       if (ret < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: Failed init\n", ret);
+               return -1;
+       }
+
+       argc -= ret;
+       argv += ret;
+
+       ret = cryptodev_fips_validate_parse_args(argc, argv);
+       if (ret < 0)
+               rte_exit(EXIT_FAILURE, "Failed to parse arguments!\n");
+
+       ret = cryptodev_fips_validate_app_int();
+       if (ret < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: Failed init\n", ret);
+               return -1;
+       }
+
+       if (!env.is_path_folder) {
+               printf("Processing file %s... ", env.req_path);
+
+               ret = fips_test_init(env.req_path, env.rsp_path,
+                       rte_cryptodev_name_get(env.dev_id));
+               if (ret < 0) {
+                       RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+                                       ret, env.req_path);
+                       goto exit;
+               }
+
+
+               ret = fips_test_one_file();
+               if (ret < 0) {
+                       RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+                                       ret, env.req_path);
+                       goto exit;
+               }
+
+               printf("Done\n");
+
+       } else {
+               struct dirent *dir;
+               DIR *d_req, *d_rsp;
+               char req_path[1024];
+               char rsp_path[1024];
+
+               d_req = opendir(env.req_path);
+               if (!d_req) {
+                       RTE_LOG(ERR, USER1, "Error %i: Path %s not exist\n",
+                                       -EINVAL, env.req_path);
+                       goto exit;
+               }
+
+               d_rsp = opendir(env.rsp_path);
+               if (!d_rsp) {
+                       ret = mkdir(env.rsp_path, 0700);
+                       if (ret == 0)
+                               d_rsp = opendir(env.rsp_path);
+                       else {
+                               RTE_LOG(ERR, USER1, "Error %i: Invalid %s\n",
+                                               -EINVAL, env.rsp_path);
+                               goto exit;
+                       }
+               }
+               closedir(d_rsp);
+
+               while ((dir = readdir(d_req)) != NULL) {
+                       if (strstr(dir->d_name, "req") == NULL)
+                               continue;
+
+                       snprintf(req_path, 1023, "%s/%s", env.req_path,
+                                       dir->d_name);
+                       snprintf(rsp_path, 1023, "%s/%s", env.rsp_path,
+                                       dir->d_name);
+                       strlcpy(strstr(rsp_path, "req"), "rsp", 4);
+
+                       printf("Processing file %s... ", req_path);
+
+                       ret = fips_test_init(req_path, rsp_path,
+                       rte_cryptodev_name_get(env.dev_id));
+                       if (ret < 0) {
+                               RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+                                               ret, req_path);
+                               break;
+                       }
+
+                       ret = fips_test_one_file();
+                       if (ret < 0) {
+                               RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+                                               ret, req_path);
+                               break;
+                       }
+
+                       printf("Done\n");
+               }
+
+               closedir(d_req);
+       }
+
+
+exit:
+       fips_test_clear();
+       cryptodev_fips_validate_app_uninit();
+
+       return ret;
+
+}
+
+static void
+print_test_block(void)
+{
+       uint32_t i;
+
+       for (i = 0; i < info.nb_vec_lines; i++)
+               printf("%s\n", info.vec[i]);
+
+       printf("\n");
+}
+
+static int
+fips_test_one_file(void)
+{
+       int fetch_ret = 0, ret;
+
+       while (fetch_ret == 0) {
+               fetch_ret = fips_test_fetch_one_block();
+               if (fetch_ret < 0) {
+                       RTE_LOG(ERR, USER1, "Error %i: Fetch block\n",
+                                       fetch_ret);
+                       ret = fetch_ret;
+                       goto error_one_case;
+               }
+
+               if (info.nb_vec_lines == 0) {
+                       if (fetch_ret == -EOF)
+                               break;
+
+                       fprintf(info.fp_wr, "\n");
+                       continue;
+               }
+
+               ret = fips_test_parse_one_case();
+               switch (ret) {
+               case 0:
+                       if (ret == 0)
+                               break;
+                       RTE_LOG(ERR, USER1, "Error %i: test block\n",
+                                       ret);
+                       goto error_one_case;
+               case 1:
+                       break;
+               default:
+                       RTE_LOG(ERR, USER1, "Error %i: Parse block\n",
+                                       ret);
+                       goto error_one_case;
+               }
+
+               continue;
+error_one_case:
+               print_test_block();
+       }
+
+       fips_test_clear();
+
+}
diff --git a/examples/fips_validation/meson.build b/examples/fips_validation/meson.build
new file mode 100644 (file)
index 0000000..cceed4f
--- /dev/null
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright(c) 2018 Intel Corporation
+
+# meson file, for building this example as part of a main DPDK build.
+#
+# To build this example as a standalone application with an already-installed
+# DPDK instance, use 'make'
+
+deps += ['cryptodev']
+allow_experimental_apis = true
+sources = files(
+       'fips_validation.c',
+       'main.c'
+)