From e2cbb384505596fa833909c60c31f669ad413ba0 Mon Sep 17 00:00:00 2001 From: Anoob Joseph Date: Mon, 6 Dec 2021 16:38:00 +0530 Subject: [PATCH] test/crypto: add copy/set DF cases in IPsec Add test cases to verify copy DF and set DF options with lookaside IPsec offload. Signed-off-by: Anoob Joseph Acked-by: Akhil Goyal --- app/test/test_cryptodev.c | 75 ++++++++++++++++++++++++ app/test/test_cryptodev_security_ipsec.c | 71 +++++++++++++++++++++- app/test/test_cryptodev_security_ipsec.h | 10 ++++ 3 files changed, 153 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 7704cc2261..ec4a61bdf9 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -9169,6 +9169,13 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); + + if (flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + ipsec_xform.tunnel.ipv4.df = 0; + + if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0) + ipsec_xform.tunnel.ipv4.df = 1; + } else { memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src, sizeof(v6_src)); @@ -9282,6 +9289,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], memcpy(input_text, td[i].input_text.data, td[i].input_text.len); + if (test_ipsec_pkt_update(input_text, flags)) + return TEST_FAILED; + /* Generate crypto op data structure */ ut_params->op = rte_crypto_op_alloc(ts_params->op_mpool, RTE_CRYPTO_OP_TYPE_SYMMETRIC); @@ -9699,6 +9709,55 @@ test_ipsec_proto_pkt_fragment(const void *data __rte_unused) flags.fragment = true; + return test_ipsec_proto_all(&flags); + +} + +static int +test_ipsec_proto_copy_df_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_0; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_copy_df_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_COPY_DF_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_0_inner_1(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_0_INNER_1; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.df = TEST_IPSEC_SET_DF_1_INNER_0; + return test_ipsec_proto_all(&flags); } @@ -14724,6 +14783,22 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Fragmented packet", ut_setup_security, ut_teardown, test_ipsec_proto_pkt_fragment), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_0), + TEST_CASE_NAMED_ST( + "Tunnel header copy DF (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_copy_df_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 0 (inner 1)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_0_inner_1), + TEST_CASE_NAMED_ST( + "Tunnel header set DF 1 (inner 0)", + ut_setup_security, ut_teardown, + test_ipsec_proto_set_df_1_inner_0), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 94e5213c89..e662ea279f 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -427,6 +427,9 @@ test_ipsec_td_prepare(const struct crypto_param *param1, ip->hdr_checksum = rte_ipv4_cksum(ip); } + if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_COPY_DF_INNER_1) + td->ipsec_xform.options.copy_df = 1; } } @@ -640,6 +643,7 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, { uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *); uint32_t skip, len = rte_pktmbuf_pkt_len(m); + uint8_t td_output_text[4096]; int ret; /* For tests with status as error for test success, skip verification */ @@ -720,16 +724,21 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, return ret; } + memcpy(td_output_text, td->output_text.data + skip, len); - if (memcmp(output_text, td->output_text.data + skip, len)) { + if (test_ipsec_pkt_update(td_output_text, flags)) { + printf("Could not update expected vector"); + return TEST_FAILED; + } + + if (memcmp(output_text, td_output_text, len)) { if (silent) return TEST_FAILED; printf("TestCase %s line %d: %s\n", __func__, __LINE__, "output text not as expected\n"); - rte_hexdump(stdout, "expected", td->output_text.data + skip, - len); + rte_hexdump(stdout, "expected", td_output_text, len); rte_hexdump(stdout, "actual", output_text, len); return TEST_FAILED; } @@ -797,10 +806,27 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td, } else { if (td->ipsec_xform.tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { + uint16_t f_off; + if (is_valid_ipv4_pkt(iph4) == false) { printf("Tunnel outer header is not IPv4\n"); return TEST_FAILED; } + + f_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is not set\n"); + return TEST_FAILED; + } + } else { + if ((f_off & RTE_IPV4_HDR_DF_FLAG)) { + printf("DF bit is set\n"); + return TEST_FAILED; + } + } } else { iph6 = (const struct rte_ipv6_hdr *)output_text; if (is_valid_ipv6_pkt(iph6) == false) { @@ -909,3 +935,42 @@ test_ipsec_stats_verify(struct rte_security_ctx *ctx, return ret; } + +int +test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags) +{ + struct rte_ipv4_hdr *iph4; + bool cksum_dirty = false; + uint16_t frag_off; + + iph4 = (struct rte_ipv4_hdr *)pkt; + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1 || + flags->df == TEST_IPSEC_COPY_DF_INNER_0 || + flags->df == TEST_IPSEC_SET_DF_1_INNER_0) { + + if (!is_ipv4(iph4)) { + printf("Invalid packet type"); + return -1; + } + + frag_off = rte_be_to_cpu_16(iph4->fragment_offset); + + if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 || + flags->df == TEST_IPSEC_SET_DF_0_INNER_1) + frag_off |= RTE_IPV4_HDR_DF_FLAG; + else + frag_off &= ~RTE_IPV4_HDR_DF_FLAG; + + iph4->fragment_offset = rte_cpu_to_be_16(frag_off); + cksum_dirty = true; + } + + if (cksum_dirty && is_ipv4(iph4)) { + iph4->hdr_checksum = 0; + iph4->hdr_checksum = rte_ipv4_cksum(iph4); + } + + return 0; +} diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 6e27eba804..12a9b77c55 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -50,6 +50,13 @@ struct ipsec_test_data { } xform; }; +enum df_flags { + TEST_IPSEC_COPY_DF_INNER_0 = 1, + TEST_IPSEC_COPY_DF_INNER_1, + TEST_IPSEC_SET_DF_0_INNER_1, + TEST_IPSEC_SET_DF_1_INNER_0, +}; + struct ipsec_test_flags { bool display_alg; bool sa_expiry_pkts_soft; @@ -66,6 +73,7 @@ struct ipsec_test_flags { bool transport; bool fragment; bool stats_success; + enum df_flags df; }; struct crypto_param { @@ -226,4 +234,6 @@ int test_ipsec_stats_verify(struct rte_security_ctx *ctx, const struct ipsec_test_flags *flags, enum rte_security_ipsec_sa_direction dir); +int test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags); + #endif -- 2.20.1