test/crypto: add packet hard expiry cases

Add tests to validate packets hard expiry handling.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 1befbebb594a65e85b9c0d5d60af920a0938aa68..34b55a952e4ae368d6db045e0b741cfd41a07f92 100644 (file)
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9116,7 +9116,8 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
        int ret;
 
        if (flags->iv_gen ||
-           flags->sa_expiry_pkts_soft)
+           flags->sa_expiry_pkts_soft ||
+           flags->sa_expiry_pkts_hard)
                nb_pkts = IPSEC_TEST_PACKETS_MAX;
 
        for (i = 0; i < RTE_DIM(aead_list); i++) {
@@ -9192,6 +9193,18 @@ test_ipsec_proto_sa_exp_pkts_soft(const void *data __rte_unused)
        return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_sa_exp_pkts_hard(const void *data __rte_unused)
+{
+       struct ipsec_test_flags flags;
+
+       memset(&flags, 0, sizeof(flags));
+
+       flags.sa_expiry_pkts_hard = true;
+
+       return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_ipsec_proto_err_icv_corrupt(const void *data __rte_unused)
 {
@@ -14152,6 +14165,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
                        "SA expiry packets soft",
                        ut_setup_security, ut_teardown,
                        test_ipsec_proto_sa_exp_pkts_soft),
+               TEST_CASE_NAMED_ST(
+                       "SA expiry packets hard",
+                       ut_setup_security, ut_teardown,
+                       test_ipsec_proto_sa_exp_pkts_hard),
                TEST_CASE_NAMED_ST(
                        "Negative test: ICV corruption",
                        ut_setup_security, ut_teardown,

diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 56a44b503985ab130f82eca47fbae1ca2558606b..046536cc9c853abb0038365486c44bef6bed03b1 100644 (file)
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -200,6 +200,10 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
                        td_inb[i].input_text.data[icv_pos] += 1;
                }
 
+               if (flags->sa_expiry_pkts_hard)
+                       td_inb[i].ipsec_xform.life.packets_hard_limit =
+                                       IPSEC_TEST_PACKETS_MAX - 1;
+
                if (flags->udp_encap)
                        td_inb[i].ipsec_xform.options.udp_encap = 1;
 
@@ -285,9 +289,10 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
        uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
        uint32_t skip, len = rte_pktmbuf_pkt_len(m);
 
-       /* For negative tests, no need to do verification */
-       if (flags->icv_corrupt &&
-           td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+       /* For tests with status as error for test success, skip verification */
+       if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+           (flags->icv_corrupt ||
+            flags->sa_expiry_pkts_hard))
                return TEST_SUCCESS;
 
        if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -404,6 +409,17 @@ test_ipsec_status_check(struct rte_crypto_op *op,
 {
        int ret = TEST_SUCCESS;
 
+       if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
+           flags->sa_expiry_pkts_hard &&
+           pkt_num == IPSEC_TEST_PACKETS_MAX) {
+               if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+                       printf("SA hard expiry (pkts) test failed\n");
+                       return TEST_FAILED;
+               } else {
+                       return TEST_SUCCESS;
+               }
+       }
+
        if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) {
                if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
                        printf("ICV corruption test case failed\n");

diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index eed34765787933b6d3292fd6a3a56b894dbccca8..18f3c64bb7ec2f181aa8b817bc2b9c84fa68e577 100644 (file)
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -50,6 +50,7 @@ struct ipsec_test_data {
 struct ipsec_test_flags {
        bool display_alg;
        bool sa_expiry_pkts_soft;
+       bool sa_expiry_pkts_hard;
        bool icv_corrupt;
        bool iv_gen;
        bool udp_encap;

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index ae62df84c22c0aa43d8059f5d162d7f49574064e..afbe744ae52499d62ccf9604f99c4b1cb3c92851 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -103,6 +103,7 @@ New Features
   * Added tests to verify IV generation.
   * Added tests to verify UDP encapsulation.
   * Added tests to validate packets soft expiry.
+  * Added tests to validate packets hard expiry.
 
 
 Removed Items