examples/fips_validation: support AES parsing

Added enablement for AES-CBC parser, to allow the
application to parser the aes request file and to validate all
test types supported.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>

diff --git a/doc/guides/sample_app_ug/fips_validation.rst b/doc/guides/sample_app_ug/fips_validation.rst
index 9ca6ffe..05804fc 100644 (file)
--- a/doc/guides/sample_app_ug/fips_validation.rst
+++ b/doc/guides/sample_app_ug/fips_validation.rst
@@ -40,6 +40,7 @@ Limitations
   the ``.rsp`` files created by the FIPS application.
 
 * Supported test vectors
+    * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT
 
 Application Information
 -----------------------

diff --git a/examples/fips_validation/Makefile b/examples/fips_validation/Makefile
index 59d56c7..1eb1bc5 100644 (file)
--- a/examples/fips_validation/Makefile
+++ b/examples/fips_validation/Makefile
@@ -6,6 +6,7 @@ APP = fips_validation
 
 # all source are stored in SRCS-y
 SRCS-y := fips_validation.c
+SRCS-y += fips_validation_aes.c
 SRCS-y += main.c
 
 # Build using pkg-config variables if possible

diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
index 58a3c1b..dba26d8 100644 (file)
--- a/examples/fips_validation/fips_validation.c
+++ b/examples/fips_validation/fips_validation.c
@@ -106,6 +106,12 @@ fips_test_parse_header(void)
                return ret;
 
        for (i = 0; i < info.nb_vec_lines; i++) {
+               if (strstr(info.vec[i], "AESVS")) {
+                       info.algo = FIPS_TEST_ALGO_AES;
+                       ret = parse_test_aes_init();
+                       if (ret < 0)
+                               return ret;
+               }
 
                tmp = strstr(info.vec[i], "# Config info for ");
                if (tmp != NULL) {

diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
index dd3bc09..e947de1 100644 (file)
--- a/examples/fips_validation/fips_validation.h
+++ b/examples/fips_validation/fips_validation.h
@@ -23,6 +23,7 @@
 #define FAX_FILE_PERFIX                "fax"
 
 enum fips_test_algorithms {
+               FIPS_TEST_ALGO_AES = 0,
                FIPS_TEST_ALGO_MAX
 };
 
@@ -77,6 +78,21 @@ struct fips_test_callback {
        struct fips_val *val;
 };
 
+enum fips_aesavs_test_types {
+       AESAVS_TYPE_GFXBOX = 1,
+       AESAVS_TYPE_KEYSBOX,
+       AESAVS_TYPE_VARKEY,
+       AESAVS_TYPE_VARTXT,
+       AESAVS_TYPE_MMT,
+       AESAVS_TYPE_MCT,
+};
+
+struct aesavs_interim_data {
+       enum fips_aesavs_test_types test_type;
+       uint32_t cipher_algo;
+       uint32_t key_len;
+};
+
 struct fips_test_interim_info {
        FILE *fp_rd;
        FILE *fp_wr;
@@ -87,6 +103,11 @@ struct fips_test_interim_info {
        uint32_t nb_vec_lines;
        char device_name[MAX_STRING_SIZE];
 
+       union {
+               struct aesavs_interim_data aes_data;
+
+       } interim_info;
+
        enum fips_test_op op;
 
        const struct fips_test_callback *callbacks;
@@ -116,6 +137,9 @@ fips_test_parse_one_case(void);
 void
 fips_test_write_one_case(void);
 
+int
+parse_test_aes_init(void);
+
 int
 parser_read_uint8_hex(uint8_t *value, const char *p);
 

diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c
new file mode 100644 (file)
index 0000000..f60b864
--- /dev/null
+++ b/examples/fips_validation/fips_validation_aes.c
@@ -0,0 +1,186 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <string.h>
+#include <time.h>
+#include <stdio.h>
+
+#include <rte_cryptodev.h>
+
+#include "fips_validation.h"
+
+#define MODE_STR       "AESVS"
+#define ALGO_STR       "test data for "
+#define OP_STR         "State"
+#define KEY_SIZE_STR   "Key Length : "
+
+
+#define COUNT_STR      "COUNT = "
+#define KEY_STR                "KEY = "
+#define IV_STR         "IV = "
+#define PT_STR         "PLAINTEXT = "
+#define CT_STR         "CIPHERTEXT = "
+
+#define OP_ENC_STR     "ENCRYPT"
+#define OP_DEC_STR     "DECRYPT"
+
+struct {
+       uint32_t type;
+       const char *desc;
+} aes_test_types[] = {
+               {AESAVS_TYPE_GFXBOX, "GFSbox"},
+               {AESAVS_TYPE_KEYSBOX, "KeySbox"},
+               {AESAVS_TYPE_VARKEY, "VarKey"},
+               {AESAVS_TYPE_VARTXT, "VarTxt"},
+               {AESAVS_TYPE_MMT, "MMT"},
+               {AESAVS_TYPE_MCT, "MCT"},
+};
+
+struct aes_test_algo {
+       const char *name;
+       enum rte_crypto_cipher_algorithm algo;
+} const algo_con[] = {
+               {"CBC", RTE_CRYPTO_CIPHER_AES_CBC},
+};
+
+static int
+parse_interim_enc_dec(const char *key,
+               __attribute__((__unused__)) char *text,
+               __attribute__((__unused__)) struct fips_val *val)
+{
+       if (strcmp(key, OP_ENC_STR) == 0)
+               info.op = FIPS_TEST_ENC_AUTH_GEN;
+       else if (strcmp(key, OP_DEC_STR) == 0)
+               info.op = FIPS_TEST_DEC_AUTH_VERIF;
+       else
+               return -1;
+
+       return 0;
+}
+
+struct fips_test_callback aes_tests_interim[] = {
+               {OP_ENC_STR, parse_interim_enc_dec, NULL},
+               {OP_DEC_STR, parse_interim_enc_dec, NULL},
+               {NULL, NULL, NULL} /**< end pointer */
+};
+
+struct fips_test_callback aes_tests_vectors[] = {
+               {KEY_STR, parse_uint8_hex_str, &vec.cipher_auth.key},
+               {IV_STR, parse_uint8_hex_str, &vec.iv},
+               {PT_STR, parse_uint8_hex_str, &vec.pt},
+               {CT_STR, parse_uint8_hex_str, &vec.ct},
+               {NULL, NULL, NULL} /**< end pointer */
+};
+
+struct fips_test_callback aes_tests_interim_vectors[] = {
+               {OP_ENC_STR, parse_interim_enc_dec, NULL},
+               {OP_DEC_STR, parse_interim_enc_dec, NULL},
+               {NULL, NULL, NULL} /**< end pointer */
+};
+
+struct fips_test_callback aes_writeback_callbacks[] = {
+               /** First element is used to pass COUNT string */
+               {COUNT_STR, NULL, NULL},
+               {IV_STR, writeback_hex_str, &vec.iv},
+               {KEY_STR, writeback_hex_str, &vec.cipher_auth.key},
+               {PT_STR, writeback_hex_str, &vec.pt},
+               {CT_STR, writeback_hex_str, &vec.ct},
+               {NULL, NULL, NULL} /**< end pointer */
+};
+
+static int
+parse_test_aes_writeback(struct fips_val *val)
+{
+       if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+               fprintf(info.fp_wr, "%s", CT_STR);
+       else
+               fprintf(info.fp_wr, "%s", PT_STR);
+
+       parse_write_hex_str(val);
+
+       return 0;
+}
+
+static int
+rsp_test_aes_check(struct fips_val *val)
+{
+       struct fips_val *data;
+
+       if (info.op == FIPS_TEST_ENC_AUTH_GEN)
+               data = &vec.ct;
+       else
+               data = &vec.pt;
+
+       if (memcmp(val->val, data->val, val->len) == 0)
+               fprintf(info.fp_wr, "Success\n");
+       else
+               fprintf(info.fp_wr, "Failed\n");
+
+       return 0;
+}
+
+int
+parse_test_aes_init(void)
+{
+       char *tmp;
+       uint32_t i, j;
+
+       for (i = 0; i < info.nb_vec_lines; i++) {
+               char *line = info.vec[i];
+
+               tmp = strstr(line, MODE_STR);
+               if (tmp) {
+                       for (j = 0; j < RTE_DIM(aes_test_types); j++)
+                               if (strstr(line, aes_test_types[j].desc)) {
+                                       info.interim_info.aes_data.test_type =
+                                                       aes_test_types[j].type;
+                                       break;
+                               }
+
+                       if (j >= RTE_DIM(aes_test_types))
+                               return -EINVAL;
+
+                       tmp = strstr(line, ALGO_STR);
+                       if (!tmp)
+                               return -EINVAL;
+
+                       tmp += strlen(ALGO_STR);
+                       for (j = 0; j < RTE_DIM(algo_con); j++)
+                               if (strcmp(algo_con[j].name, tmp) == 0) {
+                                       info.interim_info.aes_data.cipher_algo =
+                                               (uint32_t)algo_con[j].algo;
+                                       break;
+                               }
+                       if (j >= RTE_DIM(algo_con))
+                               return -EINVAL;
+
+                       continue;
+               }
+
+               tmp = strstr(line, OP_STR);
+               if (tmp)
+                       continue;
+
+               tmp = strstr(line, KEY_SIZE_STR);
+               if (tmp) {
+                       tmp += strlen(KEY_SIZE_STR);
+                       if (parser_read_uint32
+                                       (&info.interim_info.aes_data.key_len,
+                                                       tmp) < 0)
+                               return -EINVAL;
+
+                       info.interim_info.aes_data.key_len /= 8;
+
+                       continue;
+               }
+       }
+
+       info.parse_writeback = parse_test_aes_writeback;
+       info.callbacks = aes_tests_vectors;
+       info.interim_callbacks = aes_tests_interim_vectors;
+       info.writeback_callbacks = aes_writeback_callbacks;
+       info.kat_check = rsp_test_aes_check;
+
+       return 0;
+}

diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
index 7083462..1f1ba99 100644 (file)
--- a/examples/fips_validation/main.c
+++ b/examples/fips_validation/main.c
@@ -329,6 +329,340 @@ exit:
 
 }
 
+#define IV_OFF (sizeof(struct rte_crypto_op) + sizeof(struct rte_crypto_sym_op))
+#define CRYPTODEV_FIPS_MAX_RETRIES     16
+
+typedef int (*fips_test_one_case_t)(void);
+typedef int (*fips_prepare_op_t)(void);
+typedef int (*fips_prepare_xform_t)(struct rte_crypto_sym_xform *);
+
+struct fips_test_ops {
+       fips_prepare_xform_t prepare_xform;
+       fips_prepare_op_t prepare_op;
+       fips_test_one_case_t test;
+} test_ops;
+
+static int
+prepare_cipher_op(void)
+{
+       struct rte_crypto_sym_op *sym = env.op->sym;
+       uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, IV_OFF);
+
+       __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+       rte_pktmbuf_reset(env.mbuf);
+
+       sym->m_src = env.mbuf;
+       sym->cipher.data.offset = 0;
+
+       memcpy(iv, vec.iv.val, vec.iv.len);
+
+       if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
+               uint8_t *pt;
+
+               if (vec.pt.len > RTE_MBUF_MAX_NB_SEGS) {
+                       RTE_LOG(ERR, USER1, "PT len %u\n", vec.pt.len);
+                       return -EPERM;
+               }
+
+               pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len);
+
+               if (!pt) {
+                       RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n",
+                                       -ENOMEM);
+                       return -ENOMEM;
+               }
+
+               memcpy(pt, vec.pt.val, vec.pt.len);
+               sym->cipher.data.length = vec.pt.len;
+
+       } else {
+               uint8_t *ct;
+
+               if (vec.ct.len > RTE_MBUF_MAX_NB_SEGS) {
+                       RTE_LOG(ERR, USER1, "CT len %u\n", vec.ct.len);
+                       return -EPERM;
+               }
+
+               ct = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.ct.len);
+
+               if (!ct) {
+                       RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n",
+                                       -ENOMEM);
+                       return -ENOMEM;
+               }
+
+               memcpy(ct, vec.ct.val, vec.ct.len);
+               sym->cipher.data.length = vec.ct.len;
+       }
+
+       rte_crypto_op_attach_sym_session(env.op, env.sess);
+
+       return 0;
+}
+
+static int
+prepare_aes_xform(struct rte_crypto_sym_xform *xform)
+{
+       const struct rte_cryptodev_symmetric_capability *cap;
+       struct rte_cryptodev_sym_capability_idx cap_idx;
+       struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher;
+
+       xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+
+       cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC;
+       cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ?
+                       RTE_CRYPTO_CIPHER_OP_ENCRYPT :
+                       RTE_CRYPTO_CIPHER_OP_DECRYPT;
+       cipher_xform->key.data = vec.cipher_auth.key.val;
+       cipher_xform->key.length = vec.cipher_auth.key.len;
+       cipher_xform->iv.length = vec.iv.len;
+       cipher_xform->iv.offset = IV_OFF;
+
+       cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC;
+       cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+
+       cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx);
+       if (!cap) {
+               RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n",
+                               env.dev_id);
+               return -EINVAL;
+       }
+
+       if (rte_cryptodev_sym_capability_check_cipher(cap,
+                       cipher_xform->key.length,
+                       cipher_xform->iv.length) != 0) {
+               RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n",
+                               info.device_name, cipher_xform->key.length,
+                               cipher_xform->iv.length);
+               return -EPERM;
+       }
+
+       return 0;
+}
+
+static void
+get_writeback_data(struct fips_val *val)
+{
+       val->val = rte_pktmbuf_mtod(env.mbuf, uint8_t *);
+       val->len = rte_pktmbuf_pkt_len(env.mbuf);
+}
+
+static int
+fips_run_test(void)
+{
+       struct rte_crypto_sym_xform xform = {0};
+       uint16_t n_deqd;
+       int ret;
+
+       ret = test_ops.prepare_xform(&xform);
+       if (ret < 0)
+               return ret;
+
+       env.sess = rte_cryptodev_sym_session_create(env.mpool);
+       if (!env.sess)
+               return -ENOMEM;
+
+       ret = rte_cryptodev_sym_session_init(env.dev_id,
+                       env.sess, &xform, env.mpool);
+       if (ret < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: Init session\n",
+                               ret);
+               return ret;
+       }
+
+       ret = test_ops.prepare_op();
+       if (ret < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: Prepare op\n",
+                               ret);
+               return ret;
+       }
+
+       if (rte_cryptodev_enqueue_burst(env.dev_id, 0, &env.op, 1) < 1) {
+               RTE_LOG(ERR, USER1, "Error: Failed enqueue\n");
+               return ret;
+       }
+
+       do {
+               struct rte_crypto_op *deqd_op;
+
+               n_deqd = rte_cryptodev_dequeue_burst(env.dev_id, 0, &deqd_op,
+                               1);
+       } while (n_deqd == 0);
+
+       vec.status = env.op->status;
+
+       rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
+       rte_cryptodev_sym_session_free(env.sess);
+       env.sess = NULL;
+
+       return ret;
+}
+
+static int
+fips_generic_test(void)
+{
+       struct fips_val val;
+       int ret;
+
+       fips_test_write_one_case();
+
+       ret = fips_run_test();
+       if (ret < 0) {
+               if (ret == -EPERM) {
+                       fprintf(info.fp_wr, "Bypass\n\n");
+                       return 0;
+               }
+
+               return ret;
+       }
+
+       get_writeback_data(&val);
+
+       switch (info.file_type) {
+       case FIPS_TYPE_REQ:
+       case FIPS_TYPE_RSP:
+               if (info.parse_writeback == NULL)
+                       return -EPERM;
+               ret = info.parse_writeback(&val);
+               if (ret < 0)
+                       return ret;
+               break;
+       case FIPS_TYPE_FAX:
+               if (info.kat_check == NULL)
+                       return -EPERM;
+               ret = info.kat_check(&val);
+               if (ret < 0)
+                       return ret;
+               break;
+       }
+
+       fprintf(info.fp_wr, "\n");
+
+       return 0;
+}
+
+static int
+fips_mct_aes_test(void)
+{
+#define AES_BLOCK_SIZE 16
+#define AES_EXTERN_ITER        100
+#define AES_INTERN_ITER        1000
+       struct fips_val val, val_key;
+       uint8_t prev_out[AES_BLOCK_SIZE] = {0};
+       uint8_t prev_in[AES_BLOCK_SIZE] = {0};
+       uint32_t i, j, k;
+       int ret;
+
+       for (i = 0; i < AES_EXTERN_ITER; i++) {
+               if (i != 0)
+                       update_info_vec(i);
+
+               fips_test_write_one_case();
+
+               for (j = 0; j < AES_INTERN_ITER; j++) {
+                       ret = fips_run_test();
+                       if (ret < 0) {
+                               if (ret == -EPERM) {
+                                       fprintf(info.fp_wr, "Bypass\n");
+                                       return 0;
+                               }
+
+                               return ret;
+                       }
+
+                       get_writeback_data(&val);
+
+                       if (info.op == FIPS_TEST_DEC_AUTH_VERIF)
+                               memcpy(prev_in, vec.ct.val, AES_BLOCK_SIZE);
+
+                       if (j == 0) {
+                               memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+
+                               if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
+                                       memcpy(vec.pt.val, vec.iv.val,
+                                                       AES_BLOCK_SIZE);
+                                       memcpy(vec.iv.val, val.val,
+                                                       AES_BLOCK_SIZE);
+                               } else {
+                                       memcpy(vec.ct.val, vec.iv.val,
+                                                       AES_BLOCK_SIZE);
+                                       memcpy(vec.iv.val, prev_in,
+                                                       AES_BLOCK_SIZE);
+                               }
+                               continue;
+                       }
+
+                       if (info.op == FIPS_TEST_ENC_AUTH_GEN) {
+                               memcpy(vec.iv.val, val.val, AES_BLOCK_SIZE);
+                               memcpy(vec.pt.val, prev_out, AES_BLOCK_SIZE);
+                       } else {
+                               memcpy(vec.iv.val, prev_in, AES_BLOCK_SIZE);
+                               memcpy(vec.ct.val, prev_out, AES_BLOCK_SIZE);
+                       }
+
+                       if (j == AES_INTERN_ITER - 1)
+                               continue;
+
+                       memcpy(prev_out, val.val, AES_BLOCK_SIZE);
+               }
+
+               info.parse_writeback(&val);
+               fprintf(info.fp_wr, "\n");
+
+               if (i == AES_EXTERN_ITER - 1)
+                       continue;
+
+               /** update key */
+               memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key));
+               for (k = 0; k < vec.cipher_auth.key.len; k++) {
+                       switch (vec.cipher_auth.key.len) {
+                       case 16:
+                               val_key.val[k] ^= val.val[k];
+                               break;
+                       case 24:
+                               if (k < 8)
+                                       val_key.val[k] ^= prev_out[k + 8];
+                               else
+                                       val_key.val[k] ^= val.val[k - 8];
+                               break;
+                       case 32:
+                               if (k < 16)
+                                       val_key.val[k] ^= prev_out[k];
+                               else
+                                       val_key.val[k] ^= val.val[k - 16];
+                               break;
+                       default:
+                               return -1;
+                       }
+               }
+
+               if (info.op == FIPS_TEST_DEC_AUTH_VERIF)
+                       memcpy(vec.iv.val, val.val, AES_BLOCK_SIZE);
+       }
+
+       return 0;
+}
+
+static int
+init_test_ops(void)
+{
+       switch (info.algo) {
+       case FIPS_TEST_ALGO_AES:
+               test_ops.prepare_op = prepare_cipher_op;
+               test_ops.prepare_xform  = prepare_aes_xform;
+               if (info.interim_info.aes_data.test_type == AESAVS_TYPE_MCT)
+                       test_ops.test = fips_mct_aes_test;
+               else
+                       test_ops.test = fips_generic_test;
+               break;
+
+       default:
+               return -1;
+       }
+
+       return 0;
+}
+
 static void
 print_test_block(void)
 {
@@ -345,7 +679,14 @@ fips_test_one_file(void)
 {
        int fetch_ret = 0, ret;
 
-       while (fetch_ret == 0) {
+
+       ret = init_test_ops();
+       if (ret < 0) {
+               RTE_LOG(ERR, USER1, "Error %i: Init test op\n", ret);
+               return ret;
+       }
+
+       while (ret >= 0 && fetch_ret == 0) {
                fetch_ret = fips_test_fetch_one_block();
                if (fetch_ret < 0) {
                        RTE_LOG(ERR, USER1, "Error %i: Fetch block\n",
@@ -365,6 +706,7 @@ fips_test_one_file(void)
                ret = fips_test_parse_one_case();
                switch (ret) {
                case 0:
+                       ret = test_ops.test();
                        if (ret == 0)
                                break;
                        RTE_LOG(ERR, USER1, "Error %i: test block\n",
@@ -385,4 +727,6 @@ error_one_case:
 
        fips_test_clear();
 
+       return ret;
+
 }

diff --git a/examples/fips_validation/meson.build b/examples/fips_validation/meson.build
index cceed4f..fb20541 100644 (file)
--- a/examples/fips_validation/meson.build
+++ b/examples/fips_validation/meson.build
@@ -9,6 +9,7 @@
 deps += ['cryptodev']
 allow_experimental_apis = true
 sources = files(
+       'fips_validation_aes.c',
        'fips_validation.c',
        'main.c'
 )