@@ -9125,6 +9125,10 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
bool silent,
const struct ipsec_test_flags *flags)
{
+ uint16_t v6_src[8] = {0x2607, 0xf8b0, 0x400c, 0x0c03, 0x0000, 0x0000,
+ 0x0000, 0x001a};
+ uint16_t v6_dst[8] = {0x2001, 0x0470, 0xe5bf, 0xdead, 0x4957, 0x2174,
+ 0xe82c, 0x4887};
struct crypto_testsuite_params *ts_params = &testsuite_params;
struct crypto_unittest_params *ut_params = &unittest_params;
struct rte_security_capability_idx sec_cap_idx;
@@ -9158,8 +9162,16 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
dst += 1;
}
- memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
- memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+ if (td->ipsec_xform.tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src));
+ memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst));
+ } else {
+ memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src,
+ sizeof(v6_src));
+ memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst,
+ sizeof(v6_dst));
+ }
ctx = rte_cryptodev_get_sec_ctx(dev_id);
@@ -9555,6 +9567,58 @@ test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
}
static int
+test_ipsec_proto_tunnel_v4_in_v4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = false;
+ flags.tunnel_ipv6 = false;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v6_in_v6(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v4_in_v6(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = false;
+ flags.tunnel_ipv6 = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_tunnel_v6_in_v4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ipv6 = true;
+ flags.tunnel_ipv6 = false;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
test_PDCP_PROTO_all(void)
{
struct crypto_testsuite_params *ts_params = &testsuite_params;
@@ -14431,6 +14495,15 @@ static struct unit_test_suite ipsec_proto_testsuite = {
test_ipsec_proto_known_vec,
&pkt_aes_128_cbc_hmac_sha256),
TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv6 AES-GCM 128)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec, &pkt_aes_256_gcm_v6),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Outbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec,
+ &pkt_aes_128_cbc_hmac_sha256_v6),
+ TEST_CASE_NAMED_WITH_DATA(
"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 128)",
ut_setup_security, ut_teardown,
test_ipsec_proto_known_vec_inb, &pkt_aes_128_gcm),
@@ -14451,6 +14524,15 @@ static struct unit_test_suite ipsec_proto_testsuite = {
ut_setup_security, ut_teardown,
test_ipsec_proto_known_vec_inb,
&pkt_aes_128_cbc_hmac_sha256),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Inbound known vector (ESP tunnel mode IPv6 AES-GCM 128)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm_v6),
+ TEST_CASE_NAMED_WITH_DATA(
+ "Inbound known vector (ESP tunnel mode IPv6 AES-CBC 128 HMAC-SHA256 [16B ICV])",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_known_vec_inb,
+ &pkt_aes_128_cbc_hmac_sha256_v6),
TEST_CASE_NAMED_ST(
"Combined test alg list",
ut_setup_security, ut_teardown,
@@ -14495,6 +14577,22 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Inner L4 checksum",
ut_setup_security, ut_teardown,
test_ipsec_proto_inner_l4_csum),
+ TEST_CASE_NAMED_ST(
+ "Tunnel IPv4 in IPv4",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_v4_in_v4),
+ TEST_CASE_NAMED_ST(
+ "Tunnel IPv6 in IPv6",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_v6_in_v6),
+ TEST_CASE_NAMED_ST(
+ "Tunnel IPv4 in IPv6",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_v4_in_v6),
+ TEST_CASE_NAMED_ST(
+ "Tunnel IPv6 in IPv4",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_tunnel_v6_in_v4),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
@@ -19,6 +19,40 @@ struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
(RTE_DIM(cipher_list) *
RTE_DIM(auth_list))];
+static bool
+is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt)
+{
+ /* The IP version number must be 4 */
+ if (((pkt->version_ihl) >> 4) != 4)
+ return false;
+ /*
+ * The IP header length field must be large enough to hold the
+ * minimum length legal IP datagram (20 bytes = 5 words).
+ */
+ if ((pkt->version_ihl & 0xf) < 5)
+ return false;
+
+ /*
+ * The IP total length field must be large enough to hold the IP
+ * datagram header, whose length is specified in the IP header length
+ * field.
+ */
+ if (rte_cpu_to_be_16(pkt->total_length) < sizeof(struct rte_ipv4_hdr))
+ return false;
+
+ return true;
+}
+
+static bool
+is_valid_ipv6_pkt(const struct rte_ipv6_hdr *pkt)
+{
+ /* The IP version number must be 6 */
+ if ((rte_be_to_cpu_32((pkt->vtc_flow)) >> 28) != 6)
+ return false;
+
+ return true;
+}
+
void
test_ipsec_alg_list_populate(void)
{
@@ -320,14 +354,22 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (param1->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
/* Copy template for packet & key fields */
- memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
+ if (flags->ipv6)
+ memcpy(td, &pkt_aes_256_gcm_v6, sizeof(*td));
+ else
+ memcpy(td, &pkt_aes_256_gcm, sizeof(*td));
td->aead = true;
td->xform.aead.aead.algo = param1->alg.aead;
td->xform.aead.aead.key.length = param1->key_length;
} else {
/* Copy template for packet & key fields */
- memcpy(td, &pkt_aes_128_cbc_hmac_sha256, sizeof(*td));
+ if (flags->ipv6)
+ memcpy(td, &pkt_aes_128_cbc_hmac_sha256_v6,
+ sizeof(*td));
+ else
+ memcpy(td, &pkt_aes_128_cbc_hmac_sha256,
+ sizeof(*td));
td->aead = false;
td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
@@ -358,6 +400,13 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
test_ipsec_csum_init(&td->input_text.data, false, true);
}
+ if (flags->tunnel_ipv6)
+ td->ipsec_xform.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV6;
+ else
+ td->ipsec_xform.tunnel.type =
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4;
+
}
}
@@ -686,6 +735,7 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
struct ipsec_test_data *res_d, bool silent,
const struct ipsec_test_flags *flags)
{
+ uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
int ret;
if (flags->iv_gen &&
@@ -695,6 +745,26 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
return ret;
}
+ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+ const struct rte_ipv4_hdr *iph4;
+ const struct rte_ipv6_hdr *iph6;
+
+ if (td->ipsec_xform.tunnel.type ==
+ RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
+ iph4 = (const struct rte_ipv4_hdr *)output_text;
+ if (is_valid_ipv4_pkt(iph4) == false) {
+ printf("Outer header is not IPv4\n");
+ return TEST_FAILED;
+ }
+ } else {
+ iph6 = (const struct rte_ipv6_hdr *)output_text;
+ if (is_valid_ipv6_pkt(iph6) == false) {
+ printf("Outer header is not IPv6\n");
+ return TEST_FAILED;
+ }
+ }
+ }
+
/*
* In case of known vector tests & all inbound tests, res_d provided
* would be NULL and output data need to be validated against expected.
@@ -61,6 +61,8 @@ struct ipsec_test_flags {
bool udp_ports_verify;
bool ip_csum;
bool l4_csum;
+ bool ipv6;
+ bool tunnel_ipv6;
};
struct crypto_param {
@@ -119,7 +121,9 @@ struct crypto_param_comb {
};
extern struct ipsec_test_data pkt_aes_256_gcm;
+extern struct ipsec_test_data pkt_aes_256_gcm_v6;
extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256;
+extern struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6;
extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
(RTE_DIM(cipher_list) *
@@ -434,6 +434,103 @@ struct ipsec_test_data pkt_aes_128_cbc_null = {
},
};
+struct ipsec_test_data pkt_aes_256_gcm_v6 = {
+ .key = {
+ .data = {
+ 0xde, 0x12, 0xbe, 0x56, 0xde, 0xad, 0xbe, 0xef,
+ 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef,
+ 0x12, 0x78, 0xbe, 0x34, 0x01, 0x02, 0x03, 0x07,
+ 0xaa, 0xbb, 0xcc, 0xf1, 0x08, 0x07, 0x06, 0x05,
+ },
+ },
+ .input_text = {
+ .data = {
+ 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38,
+ 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a,
+ 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad,
+ 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87,
+ 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c,
+ 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6,
+ 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a,
+ 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07,
+ },
+ .len = 72,
+ },
+ .output_text = {
+ .data = {
+ 0x60, 0x00, 0x00, 0x00, 0x00, 0x6c, 0x32, 0x40,
+ 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34,
+ 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78,
+ 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34,
+ 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56,
+ 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01,
+ 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00,
+ 0xe7, 0xdf, 0xc4, 0x7e, 0x21, 0xbd, 0xec, 0x1b,
+ 0x74, 0x5a, 0xe4, 0x7e, 0x2e, 0x94, 0x21, 0x0a,
+ 0x9b, 0x0e, 0x59, 0xbe, 0x06, 0x2a, 0xda, 0xb8,
+ 0x6b, 0x48, 0x7f, 0x0b, 0x88, 0x3a, 0xa9, 0xfd,
+ 0x3c, 0xfe, 0x9f, 0xb1, 0x8c, 0x67, 0xd2, 0xf8,
+ 0xaf, 0xb5, 0xad, 0x16, 0xdb, 0xff, 0x8d, 0x50,
+ 0xd3, 0x48, 0xf5, 0x6c, 0x3c, 0x0c, 0x27, 0x34,
+ 0x2b, 0x65, 0xc8, 0xff, 0xeb, 0x5f, 0xb8, 0xff,
+ 0x12, 0x00, 0x1c, 0x9f, 0xb7, 0x85, 0xdd, 0x7d,
+ 0x40, 0x19, 0xcb, 0x18, 0xeb, 0x15, 0xc4, 0x88,
+ 0xe1, 0xc2, 0x91, 0xc7, 0xb1, 0x65, 0xc3, 0x27,
+ 0x16, 0x06, 0x8f, 0xf2,
+ },
+ .len = 148,
+ },
+ .salt = {
+ .data = {
+ 0x11, 0x22, 0x33, 0x44
+ },
+ .len = 4,
+ },
+
+ .iv = {
+ .data = {
+ 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00,
+ },
+ },
+
+ .ipsec_xform = {
+ .spi = 52,
+ .options.esn = 0,
+ .options.udp_encap = 0,
+ .options.copy_dscp = 0,
+ .options.copy_flabel = 0,
+ .options.copy_df = 0,
+ .options.dec_ttl = 0,
+ .options.ecn = 0,
+ .options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6,
+ .replay_win_sz = 0,
+ },
+
+ .aead = true,
+
+ .xform = {
+ .aead = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_AEAD,
+ .aead = {
+ .op = RTE_CRYPTO_AEAD_OP_ENCRYPT,
+ .algo = RTE_CRYPTO_AEAD_AES_GCM,
+ .key.length = 32,
+ .iv.length = 12,
+ .iv.offset = IV_OFFSET,
+ .digest_length = 16,
+ .aad_length = 12,
+ },
+ },
+ },
+};
+
struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = {
.key = {
.data = {
@@ -543,4 +640,109 @@ struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256 = {
},
};
+struct ipsec_test_data pkt_aes_128_cbc_hmac_sha256_v6 = {
+ .key = {
+ .data = {
+ 0x00, 0x04, 0x05, 0x01, 0x23, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x0a, 0x0b, 0x0c, 0x0f, 0x00, 0x00,
+ },
+ },
+ .auth_key = {
+ .data = {
+ 0xde, 0x34, 0x56, 0x00, 0x00, 0x00, 0x78, 0x00,
+ 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+ 0x10, 0x30, 0x40, 0x00, 0x01, 0x02, 0x03, 0x04,
+ 0x0a, 0x0b, 0x0c, 0x0d, 0x05, 0x06, 0x07, 0x08,
+ },
+ },
+ .input_text = {
+ .data = {
+ 0x60, 0x00, 0x00, 0x00, 0x00, 0x20, 0x06, 0x38,
+ 0x26, 0x07, 0xf8, 0xb0, 0x40, 0x0c, 0x0c, 0x03,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a,
+ 0x20, 0x01, 0x04, 0x70, 0xe5, 0xbf, 0xde, 0xad,
+ 0x49, 0x57, 0x21, 0x74, 0xe8, 0x2c, 0x48, 0x87,
+ 0x00, 0x19, 0xf9, 0xc7, 0x95, 0x63, 0x97, 0x9c,
+ 0x03, 0xa0, 0x88, 0x31, 0x80, 0x12, 0xa7, 0xd6,
+ 0x25, 0x83, 0x00, 0x00, 0x02, 0x04, 0x05, 0x6a,
+ 0x01, 0x01, 0x04, 0x02, 0x01, 0x03, 0x03, 0x07,
+ },
+ .len = 72,
+ },
+ .output_text = {
+ .data = {
+ 0x60, 0x00, 0x00, 0x00, 0x00, 0x78, 0x32, 0x40,
+ 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34,
+ 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x56, 0x78,
+ 0x12, 0x34, 0x12, 0x21, 0x17, 0x45, 0x11, 0x34,
+ 0x11, 0xfc, 0x89, 0x71, 0xdf, 0x22, 0x34, 0x56,
+ 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x01,
+ 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00,
+ 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00,
+ 0x1b, 0x1c, 0x98, 0x6e, 0x2a, 0xce, 0x61, 0xef,
+ 0xc1, 0xdd, 0x25, 0x96, 0x5c, 0xb1, 0xb0, 0x15,
+ 0x47, 0x25, 0xb7, 0x8b, 0x00, 0xb6, 0xbb, 0xe6,
+ 0x2e, 0x29, 0xcb, 0x4a, 0x94, 0x00, 0xf0, 0x73,
+ 0xdb, 0x14, 0x32, 0xd9, 0xa2, 0xdf, 0x22, 0x2f,
+ 0x52, 0x3e, 0x79, 0x77, 0xf3, 0x17, 0xaa, 0x40,
+ 0x1c, 0x57, 0x27, 0x12, 0x82, 0x44, 0x35, 0xb8,
+ 0x64, 0xe0, 0xaa, 0x5c, 0x10, 0xc7, 0x97, 0x35,
+ 0x9c, 0x6b, 0x1c, 0xf7, 0xe7, 0xbd, 0x83, 0x33,
+ 0x77, 0x48, 0x44, 0x7d, 0xa4, 0x13, 0x74, 0x3b,
+ 0x6a, 0x91, 0xd0, 0xd8, 0x7d, 0x41, 0x45, 0x23,
+ 0x5d, 0xc9, 0x2d, 0x08, 0x7a, 0xd8, 0x25, 0x8e,
+ },
+ .len = 160,
+ },
+ .iv = {
+ .data = {
+ 0x45, 0xad, 0xfe, 0x23, 0x78, 0x56, 0x12, 0x00,
+ 0xf0, 0xc1, 0x05, 0x3c, 0x00, 0x00, 0x00, 0x00,
+ },
+ },
+
+ .ipsec_xform = {
+ .spi = 52,
+ .options.esn = 0,
+ .options.udp_encap = 0,
+ .options.copy_dscp = 0,
+ .options.copy_flabel = 0,
+ .options.copy_df = 0,
+ .options.dec_ttl = 0,
+ .options.ecn = 0,
+ .options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV6,
+ .replay_win_sz = 0,
+ },
+
+ .aead = false,
+
+ .xform = {
+ .chain.cipher = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ .cipher = {
+ .op = RTE_CRYPTO_CIPHER_OP_ENCRYPT,
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .key.length = 16,
+ .iv.length = 16,
+ },
+ },
+ .chain.auth = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ .auth = {
+ .op = RTE_CRYPTO_AUTH_OP_GENERATE,
+ .algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+ .key.length = 32,
+ .digest_length = 16,
+ },
+ },
+ },
+};
+
#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */