From cd255ccf57647830bfdda8d760dad833f019b76a Mon Sep 17 00:00:00 2001 From: Marko Kovacevic Date: Fri, 2 Nov 2018 09:55:29 +0000 Subject: [PATCH] examples/fips_validation: support AES parsing Added enablement for AES-CBC parser, to allow the application to parser the aes request file and to validate all test types supported. Signed-off-by: Marko Kovacevic Signed-off-by: Fan Zhang Acked-by: Arek Kusztal Reviewed-by: Akhil Goyal --- doc/guides/sample_app_ug/fips_validation.rst | 1 + examples/fips_validation/Makefile | 1 + examples/fips_validation/fips_validation.c | 6 + examples/fips_validation/fips_validation.h | 24 ++ .../fips_validation/fips_validation_aes.c | 186 ++++++++++ examples/fips_validation/main.c | 346 +++++++++++++++++- examples/fips_validation/meson.build | 1 + 7 files changed, 564 insertions(+), 1 deletion(-) create mode 100644 examples/fips_validation/fips_validation_aes.c diff --git a/doc/guides/sample_app_ug/fips_validation.rst b/doc/guides/sample_app_ug/fips_validation.rst index 9ca6ffe721..05804fcd3c 100644 --- a/doc/guides/sample_app_ug/fips_validation.rst +++ b/doc/guides/sample_app_ug/fips_validation.rst @@ -40,6 +40,7 @@ Limitations the ``.rsp`` files created by the FIPS application. * Supported test vectors + * AES-CBC (128,192,256) - GFSbox, KeySbox, MCT, MMT Application Information ----------------------- diff --git a/examples/fips_validation/Makefile b/examples/fips_validation/Makefile index 59d56c79da..1eb1bc5c71 100644 --- a/examples/fips_validation/Makefile +++ b/examples/fips_validation/Makefile @@ -6,6 +6,7 @@ APP = fips_validation # all source are stored in SRCS-y SRCS-y := fips_validation.c +SRCS-y += fips_validation_aes.c SRCS-y += main.c # Build using pkg-config variables if possible diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c index 58a3c1b60a..dba26d8b9d 100644 --- a/examples/fips_validation/fips_validation.c +++ b/examples/fips_validation/fips_validation.c @@ -106,6 +106,12 @@ fips_test_parse_header(void) return ret; for (i = 0; i < info.nb_vec_lines; i++) { + if (strstr(info.vec[i], "AESVS")) { + info.algo = FIPS_TEST_ALGO_AES; + ret = parse_test_aes_init(); + if (ret < 0) + return ret; + } tmp = strstr(info.vec[i], "# Config info for "); if (tmp != NULL) { diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h index dd3bc09a63..e947de1f9a 100644 --- a/examples/fips_validation/fips_validation.h +++ b/examples/fips_validation/fips_validation.h @@ -23,6 +23,7 @@ #define FAX_FILE_PERFIX "fax" enum fips_test_algorithms { + FIPS_TEST_ALGO_AES = 0, FIPS_TEST_ALGO_MAX }; @@ -77,6 +78,21 @@ struct fips_test_callback { struct fips_val *val; }; +enum fips_aesavs_test_types { + AESAVS_TYPE_GFXBOX = 1, + AESAVS_TYPE_KEYSBOX, + AESAVS_TYPE_VARKEY, + AESAVS_TYPE_VARTXT, + AESAVS_TYPE_MMT, + AESAVS_TYPE_MCT, +}; + +struct aesavs_interim_data { + enum fips_aesavs_test_types test_type; + uint32_t cipher_algo; + uint32_t key_len; +}; + struct fips_test_interim_info { FILE *fp_rd; FILE *fp_wr; @@ -87,6 +103,11 @@ struct fips_test_interim_info { uint32_t nb_vec_lines; char device_name[MAX_STRING_SIZE]; + union { + struct aesavs_interim_data aes_data; + + } interim_info; + enum fips_test_op op; const struct fips_test_callback *callbacks; @@ -116,6 +137,9 @@ fips_test_parse_one_case(void); void fips_test_write_one_case(void); +int +parse_test_aes_init(void); + int parser_read_uint8_hex(uint8_t *value, const char *p); diff --git a/examples/fips_validation/fips_validation_aes.c b/examples/fips_validation/fips_validation_aes.c new file mode 100644 index 0000000000..f60b864c7b --- /dev/null +++ b/examples/fips_validation/fips_validation_aes.c @@ -0,0 +1,186 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2018 Intel Corporation + */ + +#include +#include +#include + +#include + +#include "fips_validation.h" + +#define MODE_STR "AESVS" +#define ALGO_STR "test data for " +#define OP_STR "State" +#define KEY_SIZE_STR "Key Length : " + + +#define COUNT_STR "COUNT = " +#define KEY_STR "KEY = " +#define IV_STR "IV = " +#define PT_STR "PLAINTEXT = " +#define CT_STR "CIPHERTEXT = " + +#define OP_ENC_STR "ENCRYPT" +#define OP_DEC_STR "DECRYPT" + +struct { + uint32_t type; + const char *desc; +} aes_test_types[] = { + {AESAVS_TYPE_GFXBOX, "GFSbox"}, + {AESAVS_TYPE_KEYSBOX, "KeySbox"}, + {AESAVS_TYPE_VARKEY, "VarKey"}, + {AESAVS_TYPE_VARTXT, "VarTxt"}, + {AESAVS_TYPE_MMT, "MMT"}, + {AESAVS_TYPE_MCT, "MCT"}, +}; + +struct aes_test_algo { + const char *name; + enum rte_crypto_cipher_algorithm algo; +} const algo_con[] = { + {"CBC", RTE_CRYPTO_CIPHER_AES_CBC}, +}; + +static int +parse_interim_enc_dec(const char *key, + __attribute__((__unused__)) char *text, + __attribute__((__unused__)) struct fips_val *val) +{ + if (strcmp(key, OP_ENC_STR) == 0) + info.op = FIPS_TEST_ENC_AUTH_GEN; + else if (strcmp(key, OP_DEC_STR) == 0) + info.op = FIPS_TEST_DEC_AUTH_VERIF; + else + return -1; + + return 0; +} + +struct fips_test_callback aes_tests_interim[] = { + {OP_ENC_STR, parse_interim_enc_dec, NULL}, + {OP_DEC_STR, parse_interim_enc_dec, NULL}, + {NULL, NULL, NULL} /**< end pointer */ +}; + +struct fips_test_callback aes_tests_vectors[] = { + {KEY_STR, parse_uint8_hex_str, &vec.cipher_auth.key}, + {IV_STR, parse_uint8_hex_str, &vec.iv}, + {PT_STR, parse_uint8_hex_str, &vec.pt}, + {CT_STR, parse_uint8_hex_str, &vec.ct}, + {NULL, NULL, NULL} /**< end pointer */ +}; + +struct fips_test_callback aes_tests_interim_vectors[] = { + {OP_ENC_STR, parse_interim_enc_dec, NULL}, + {OP_DEC_STR, parse_interim_enc_dec, NULL}, + {NULL, NULL, NULL} /**< end pointer */ +}; + +struct fips_test_callback aes_writeback_callbacks[] = { + /** First element is used to pass COUNT string */ + {COUNT_STR, NULL, NULL}, + {IV_STR, writeback_hex_str, &vec.iv}, + {KEY_STR, writeback_hex_str, &vec.cipher_auth.key}, + {PT_STR, writeback_hex_str, &vec.pt}, + {CT_STR, writeback_hex_str, &vec.ct}, + {NULL, NULL, NULL} /**< end pointer */ +}; + +static int +parse_test_aes_writeback(struct fips_val *val) +{ + if (info.op == FIPS_TEST_ENC_AUTH_GEN) + fprintf(info.fp_wr, "%s", CT_STR); + else + fprintf(info.fp_wr, "%s", PT_STR); + + parse_write_hex_str(val); + + return 0; +} + +static int +rsp_test_aes_check(struct fips_val *val) +{ + struct fips_val *data; + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) + data = &vec.ct; + else + data = &vec.pt; + + if (memcmp(val->val, data->val, val->len) == 0) + fprintf(info.fp_wr, "Success\n"); + else + fprintf(info.fp_wr, "Failed\n"); + + return 0; +} + +int +parse_test_aes_init(void) +{ + char *tmp; + uint32_t i, j; + + for (i = 0; i < info.nb_vec_lines; i++) { + char *line = info.vec[i]; + + tmp = strstr(line, MODE_STR); + if (tmp) { + for (j = 0; j < RTE_DIM(aes_test_types); j++) + if (strstr(line, aes_test_types[j].desc)) { + info.interim_info.aes_data.test_type = + aes_test_types[j].type; + break; + } + + if (j >= RTE_DIM(aes_test_types)) + return -EINVAL; + + tmp = strstr(line, ALGO_STR); + if (!tmp) + return -EINVAL; + + tmp += strlen(ALGO_STR); + for (j = 0; j < RTE_DIM(algo_con); j++) + if (strcmp(algo_con[j].name, tmp) == 0) { + info.interim_info.aes_data.cipher_algo = + (uint32_t)algo_con[j].algo; + break; + } + if (j >= RTE_DIM(algo_con)) + return -EINVAL; + + continue; + } + + tmp = strstr(line, OP_STR); + if (tmp) + continue; + + tmp = strstr(line, KEY_SIZE_STR); + if (tmp) { + tmp += strlen(KEY_SIZE_STR); + if (parser_read_uint32 + (&info.interim_info.aes_data.key_len, + tmp) < 0) + return -EINVAL; + + info.interim_info.aes_data.key_len /= 8; + + continue; + } + } + + info.parse_writeback = parse_test_aes_writeback; + info.callbacks = aes_tests_vectors; + info.interim_callbacks = aes_tests_interim_vectors; + info.writeback_callbacks = aes_writeback_callbacks; + info.kat_check = rsp_test_aes_check; + + return 0; +} diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c index 7083462f0c..1f1ba999fb 100644 --- a/examples/fips_validation/main.c +++ b/examples/fips_validation/main.c @@ -329,6 +329,340 @@ exit: } +#define IV_OFF (sizeof(struct rte_crypto_op) + sizeof(struct rte_crypto_sym_op)) +#define CRYPTODEV_FIPS_MAX_RETRIES 16 + +typedef int (*fips_test_one_case_t)(void); +typedef int (*fips_prepare_op_t)(void); +typedef int (*fips_prepare_xform_t)(struct rte_crypto_sym_xform *); + +struct fips_test_ops { + fips_prepare_xform_t prepare_xform; + fips_prepare_op_t prepare_op; + fips_test_one_case_t test; +} test_ops; + +static int +prepare_cipher_op(void) +{ + struct rte_crypto_sym_op *sym = env.op->sym; + uint8_t *iv = rte_crypto_op_ctod_offset(env.op, uint8_t *, IV_OFF); + + __rte_crypto_op_reset(env.op, RTE_CRYPTO_OP_TYPE_SYMMETRIC); + rte_pktmbuf_reset(env.mbuf); + + sym->m_src = env.mbuf; + sym->cipher.data.offset = 0; + + memcpy(iv, vec.iv.val, vec.iv.len); + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) { + uint8_t *pt; + + if (vec.pt.len > RTE_MBUF_MAX_NB_SEGS) { + RTE_LOG(ERR, USER1, "PT len %u\n", vec.pt.len); + return -EPERM; + } + + pt = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.pt.len); + + if (!pt) { + RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", + -ENOMEM); + return -ENOMEM; + } + + memcpy(pt, vec.pt.val, vec.pt.len); + sym->cipher.data.length = vec.pt.len; + + } else { + uint8_t *ct; + + if (vec.ct.len > RTE_MBUF_MAX_NB_SEGS) { + RTE_LOG(ERR, USER1, "CT len %u\n", vec.ct.len); + return -EPERM; + } + + ct = (uint8_t *)rte_pktmbuf_append(env.mbuf, vec.ct.len); + + if (!ct) { + RTE_LOG(ERR, USER1, "Error %i: MBUF too small\n", + -ENOMEM); + return -ENOMEM; + } + + memcpy(ct, vec.ct.val, vec.ct.len); + sym->cipher.data.length = vec.ct.len; + } + + rte_crypto_op_attach_sym_session(env.op, env.sess); + + return 0; +} + +static int +prepare_aes_xform(struct rte_crypto_sym_xform *xform) +{ + const struct rte_cryptodev_symmetric_capability *cap; + struct rte_cryptodev_sym_capability_idx cap_idx; + struct rte_crypto_cipher_xform *cipher_xform = &xform->cipher; + + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cipher_xform->algo = RTE_CRYPTO_CIPHER_AES_CBC; + cipher_xform->op = (info.op == FIPS_TEST_ENC_AUTH_GEN) ? + RTE_CRYPTO_CIPHER_OP_ENCRYPT : + RTE_CRYPTO_CIPHER_OP_DECRYPT; + cipher_xform->key.data = vec.cipher_auth.key.val; + cipher_xform->key.length = vec.cipher_auth.key.len; + cipher_xform->iv.length = vec.iv.len; + cipher_xform->iv.offset = IV_OFF; + + cap_idx.algo.cipher = RTE_CRYPTO_CIPHER_AES_CBC; + cap_idx.type = RTE_CRYPTO_SYM_XFORM_CIPHER; + + cap = rte_cryptodev_sym_capability_get(env.dev_id, &cap_idx); + if (!cap) { + RTE_LOG(ERR, USER1, "Failed to get capability for cdev %u\n", + env.dev_id); + return -EINVAL; + } + + if (rte_cryptodev_sym_capability_check_cipher(cap, + cipher_xform->key.length, + cipher_xform->iv.length) != 0) { + RTE_LOG(ERR, USER1, "PMD %s key length %u IV length %u\n", + info.device_name, cipher_xform->key.length, + cipher_xform->iv.length); + return -EPERM; + } + + return 0; +} + +static void +get_writeback_data(struct fips_val *val) +{ + val->val = rte_pktmbuf_mtod(env.mbuf, uint8_t *); + val->len = rte_pktmbuf_pkt_len(env.mbuf); +} + +static int +fips_run_test(void) +{ + struct rte_crypto_sym_xform xform = {0}; + uint16_t n_deqd; + int ret; + + ret = test_ops.prepare_xform(&xform); + if (ret < 0) + return ret; + + env.sess = rte_cryptodev_sym_session_create(env.mpool); + if (!env.sess) + return -ENOMEM; + + ret = rte_cryptodev_sym_session_init(env.dev_id, + env.sess, &xform, env.mpool); + if (ret < 0) { + RTE_LOG(ERR, USER1, "Error %i: Init session\n", + ret); + return ret; + } + + ret = test_ops.prepare_op(); + if (ret < 0) { + RTE_LOG(ERR, USER1, "Error %i: Prepare op\n", + ret); + return ret; + } + + if (rte_cryptodev_enqueue_burst(env.dev_id, 0, &env.op, 1) < 1) { + RTE_LOG(ERR, USER1, "Error: Failed enqueue\n"); + return ret; + } + + do { + struct rte_crypto_op *deqd_op; + + n_deqd = rte_cryptodev_dequeue_burst(env.dev_id, 0, &deqd_op, + 1); + } while (n_deqd == 0); + + vec.status = env.op->status; + + rte_cryptodev_sym_session_clear(env.dev_id, env.sess); + rte_cryptodev_sym_session_free(env.sess); + env.sess = NULL; + + return ret; +} + +static int +fips_generic_test(void) +{ + struct fips_val val; + int ret; + + fips_test_write_one_case(); + + ret = fips_run_test(); + if (ret < 0) { + if (ret == -EPERM) { + fprintf(info.fp_wr, "Bypass\n\n"); + return 0; + } + + return ret; + } + + get_writeback_data(&val); + + switch (info.file_type) { + case FIPS_TYPE_REQ: + case FIPS_TYPE_RSP: + if (info.parse_writeback == NULL) + return -EPERM; + ret = info.parse_writeback(&val); + if (ret < 0) + return ret; + break; + case FIPS_TYPE_FAX: + if (info.kat_check == NULL) + return -EPERM; + ret = info.kat_check(&val); + if (ret < 0) + return ret; + break; + } + + fprintf(info.fp_wr, "\n"); + + return 0; +} + +static int +fips_mct_aes_test(void) +{ +#define AES_BLOCK_SIZE 16 +#define AES_EXTERN_ITER 100 +#define AES_INTERN_ITER 1000 + struct fips_val val, val_key; + uint8_t prev_out[AES_BLOCK_SIZE] = {0}; + uint8_t prev_in[AES_BLOCK_SIZE] = {0}; + uint32_t i, j, k; + int ret; + + for (i = 0; i < AES_EXTERN_ITER; i++) { + if (i != 0) + update_info_vec(i); + + fips_test_write_one_case(); + + for (j = 0; j < AES_INTERN_ITER; j++) { + ret = fips_run_test(); + if (ret < 0) { + if (ret == -EPERM) { + fprintf(info.fp_wr, "Bypass\n"); + return 0; + } + + return ret; + } + + get_writeback_data(&val); + + if (info.op == FIPS_TEST_DEC_AUTH_VERIF) + memcpy(prev_in, vec.ct.val, AES_BLOCK_SIZE); + + if (j == 0) { + memcpy(prev_out, val.val, AES_BLOCK_SIZE); + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) { + memcpy(vec.pt.val, vec.iv.val, + AES_BLOCK_SIZE); + memcpy(vec.iv.val, val.val, + AES_BLOCK_SIZE); + } else { + memcpy(vec.ct.val, vec.iv.val, + AES_BLOCK_SIZE); + memcpy(vec.iv.val, prev_in, + AES_BLOCK_SIZE); + } + continue; + } + + if (info.op == FIPS_TEST_ENC_AUTH_GEN) { + memcpy(vec.iv.val, val.val, AES_BLOCK_SIZE); + memcpy(vec.pt.val, prev_out, AES_BLOCK_SIZE); + } else { + memcpy(vec.iv.val, prev_in, AES_BLOCK_SIZE); + memcpy(vec.ct.val, prev_out, AES_BLOCK_SIZE); + } + + if (j == AES_INTERN_ITER - 1) + continue; + + memcpy(prev_out, val.val, AES_BLOCK_SIZE); + } + + info.parse_writeback(&val); + fprintf(info.fp_wr, "\n"); + + if (i == AES_EXTERN_ITER - 1) + continue; + + /** update key */ + memcpy(&val_key, &vec.cipher_auth.key, sizeof(val_key)); + for (k = 0; k < vec.cipher_auth.key.len; k++) { + switch (vec.cipher_auth.key.len) { + case 16: + val_key.val[k] ^= val.val[k]; + break; + case 24: + if (k < 8) + val_key.val[k] ^= prev_out[k + 8]; + else + val_key.val[k] ^= val.val[k - 8]; + break; + case 32: + if (k < 16) + val_key.val[k] ^= prev_out[k]; + else + val_key.val[k] ^= val.val[k - 16]; + break; + default: + return -1; + } + } + + if (info.op == FIPS_TEST_DEC_AUTH_VERIF) + memcpy(vec.iv.val, val.val, AES_BLOCK_SIZE); + } + + return 0; +} + +static int +init_test_ops(void) +{ + switch (info.algo) { + case FIPS_TEST_ALGO_AES: + test_ops.prepare_op = prepare_cipher_op; + test_ops.prepare_xform = prepare_aes_xform; + if (info.interim_info.aes_data.test_type == AESAVS_TYPE_MCT) + test_ops.test = fips_mct_aes_test; + else + test_ops.test = fips_generic_test; + break; + + default: + return -1; + } + + return 0; +} + static void print_test_block(void) { @@ -345,7 +679,14 @@ fips_test_one_file(void) { int fetch_ret = 0, ret; - while (fetch_ret == 0) { + + ret = init_test_ops(); + if (ret < 0) { + RTE_LOG(ERR, USER1, "Error %i: Init test op\n", ret); + return ret; + } + + while (ret >= 0 && fetch_ret == 0) { fetch_ret = fips_test_fetch_one_block(); if (fetch_ret < 0) { RTE_LOG(ERR, USER1, "Error %i: Fetch block\n", @@ -365,6 +706,7 @@ fips_test_one_file(void) ret = fips_test_parse_one_case(); switch (ret) { case 0: + ret = test_ops.test(); if (ret == 0) break; RTE_LOG(ERR, USER1, "Error %i: test block\n", @@ -385,4 +727,6 @@ error_one_case: fips_test_clear(); + return ret; + } diff --git a/examples/fips_validation/meson.build b/examples/fips_validation/meson.build index cceed4f930..fb205413c8 100644 --- a/examples/fips_validation/meson.build +++ b/examples/fips_validation/meson.build @@ -9,6 +9,7 @@ deps += ['cryptodev'] allow_experimental_apis = true sources = files( + 'fips_validation_aes.c', 'fips_validation.c', 'main.c' ) -- 2.20.1