From patchwork Tue Sep 28 12:07:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tejasree Kondoj X-Patchwork-Id: 99903 X-Patchwork-Delegate: gakhil@marvell.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id BBF15A0032; Tue, 28 Sep 2021 13:14:25 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 72A5F410FE; Tue, 28 Sep 2021 13:14:21 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by mails.dpdk.org (Postfix) with ESMTP id A9681410FE for ; Tue, 28 Sep 2021 13:14:19 +0200 (CEST) Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18SAF4ct019479; Tue, 28 Sep 2021 04:14:19 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type; s=pfpt0220; bh=FDB4BfAUgHi7gc6sLEhn0JQ+aRAHQUKkzEC9DwXyVtk=; b=iS3dmubxQ6JA9iXGRsHEtdmJF1ZKi+PX8LbMQjpIJLfB2DS8PlHTwd/Rvfqe/F0W6hqR ZcizgVLgsj+q2O7B38iG1DdguGM5azHVpzq1dIUjqoofcBbnK68n1HCU7scjO5xOBiVU PP4U9CksZ2IHezdLKauHzBeoyjgXeyySzb6HXOZXMM6Dfu0RvJKduQbjxV/1XpXb3FN/ oI9ExQPeRTrkVfvJ7qBOTdSA5mITyuPlokHzzEc1ECLbLfp1Stq7qYVeLo1ygOTQKtK+ kGpBGXObAPqNmy5netehDKoQPWp8XGnqxg6W3VrR7z5XTgXcBhDm4A4yxgZQBCEHrDAy sQ== Received: from dc5-exch01.marvell.com ([199.233.59.181]) by mx0b-0016f401.pphosted.com with ESMTP id 3bc14pr6jb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Sep 2021 04:14:18 -0700 Received: from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Tue, 28 Sep 2021 04:14:15 -0700 Received: from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.18 via Frontend Transport; Tue, 28 Sep 2021 04:14:15 -0700 Received: from hyd1554T5810.caveonetworks.com.com (unknown [10.29.57.11]) by maili.marvell.com (Postfix) with ESMTP id 881C33F7098; Tue, 28 Sep 2021 04:14:11 -0700 (PDT) From: Tejasree Kondoj To: Akhil Goyal , Radu Nicolau , Declan Doherty CC: Tejasree Kondoj , Anoob Joseph , Ankur Dwivedi , Jerin Jacob , Konstantin Ananyev , Ciara Power , Hemant Agrawal , Gagandeep Singh , Fan Zhang , Archana Muniganti , Date: Tue, 28 Sep 2021 17:37:41 +0530 Message-ID: <20210928120741.16674-4-ktejasree@marvell.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210928120741.16674-1-ktejasree@marvell.com> References: <20210928120741.16674-1-ktejasree@marvell.com> MIME-Version: 1.0 X-Proofpoint-ORIG-GUID: Bkt2z0b2MC4k9yNu5xfeVTeuCtUTBqzZ X-Proofpoint-GUID: Bkt2z0b2MC4k9yNu5xfeVTeuCtUTBqzZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.391,FMLib:17.0.607.475 definitions=2021-09-28_05,2021-09-28_01,2020-04-07_01 Subject: [dpdk-dev] [PATCH v2 3/3] test/crypto: add tunnel header verification tests X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Add test cases to verify tunnel header in IPsec inbound. Signed-off-by: Tejasree Kondoj --- app/test/test_cryptodev.c | 45 ++++++++++++++++++- app/test/test_cryptodev_security_ipsec.c | 25 ++++++++++- app/test/test_cryptodev_security_ipsec.h | 1 + ...st_cryptodev_security_ipsec_test_vectors.h | 3 ++ 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c index 34b55a952e..665d19c0a4 100644 --- a/app/test/test_cryptodev.c +++ b/app/test/test_cryptodev.c @@ -8924,6 +8924,7 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], int salt_len, i, ret = TEST_SUCCESS; struct rte_security_ctx *ctx; uint8_t *input_text; + uint32_t verify; ut_params->type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; gbl_action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL; @@ -8933,11 +8934,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[], /* Copy IPsec xform */ memcpy(&ipsec_xform, &td[0].ipsec_xform, sizeof(ipsec_xform)); + dir = ipsec_xform.direction; + verify = flags->tunnel_hdr_verify; + + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && verify) { + if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR) + src += 1; + else if (verify == RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR) + dst += 1; + } + memcpy(&ipsec_xform.tunnel.ipv4.src_ip, &src, sizeof(src)); memcpy(&ipsec_xform.tunnel.ipv4.dst_ip, &dst, sizeof(dst)); - dir = ipsec_xform.direction; - ctx = rte_cryptodev_get_sec_ctx(dev_id); sec_cap_idx.action = ut_params->type; @@ -9229,6 +9238,30 @@ test_ipsec_proto_udp_encap(const void *data __rte_unused) return test_ipsec_proto_all(&flags); } +static int +test_ipsec_proto_tunnel_src_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + +static int +test_ipsec_proto_tunnel_dst_addr_verify(const void *data __rte_unused) +{ + struct ipsec_test_flags flags; + + memset(&flags, 0, sizeof(flags)); + + flags.tunnel_hdr_verify = RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR; + + return test_ipsec_proto_all(&flags); +} + static int test_PDCP_PROTO_all(void) { @@ -14173,6 +14206,14 @@ static struct unit_test_suite ipsec_proto_testsuite = { "Negative test: ICV corruption", ut_setup_security, ut_teardown, test_ipsec_proto_err_icv_corrupt), + TEST_CASE_NAMED_ST( + "Tunnel dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_dst_addr_verify), + TEST_CASE_NAMED_ST( + "Tunnel src and dst addr verification", + ut_setup_security, ut_teardown, + test_ipsec_proto_tunnel_src_dst_addr_verify), TEST_CASES_END() /**< NULL terminate unit test array */ } }; diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c index 046536cc9c..f040630655 100644 --- a/app/test/test_cryptodev_security_ipsec.c +++ b/app/test/test_cryptodev_security_ipsec.c @@ -86,6 +86,15 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform, return -ENOTSUP; } + if ((ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + (ipsec_xform->options.tunnel_hdr_verify > + sec_cap->ipsec.options.tunnel_hdr_verify)) { + if (!silent) + RTE_LOG(INFO, USER1, + "Tunnel header verify is not supported\n"); + return -ENOTSUP; + } + return 0; } @@ -207,6 +216,9 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[], if (flags->udp_encap) td_inb[i].ipsec_xform.options.udp_encap = 1; + td_inb[i].ipsec_xform.options.tunnel_hdr_verify = + flags->tunnel_hdr_verify; + /* Clear outbound specific flags */ td_inb[i].ipsec_xform.options.iv_gen_disable = 0; } @@ -292,7 +304,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td, /* For tests with status as error for test success, skip verification */ if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && (flags->icv_corrupt || - flags->sa_expiry_pkts_hard)) + flags->sa_expiry_pkts_hard || + flags->tunnel_hdr_verify)) return TEST_SUCCESS; if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS && @@ -420,6 +433,16 @@ test_ipsec_status_check(struct rte_crypto_op *op, } } + if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) && + flags->tunnel_hdr_verify) { + if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { + printf("Tunnel header verify test case failed\n"); + return TEST_FAILED; + } else { + return TEST_SUCCESS; + } + } + if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS && flags->icv_corrupt) { if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) { printf("ICV corruption test case failed\n"); diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h index 18f3c64bb7..a65cb54eae 100644 --- a/app/test/test_cryptodev_security_ipsec.h +++ b/app/test/test_cryptodev_security_ipsec.h @@ -53,6 +53,7 @@ struct ipsec_test_flags { bool sa_expiry_pkts_hard; bool icv_corrupt; bool iv_gen; + uint32_t tunnel_hdr_verify; bool udp_encap; }; diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h index 38ea43d157..4e147ec19c 100644 --- a/app/test/test_cryptodev_security_ipsec_test_vectors.h +++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h @@ -94,6 +94,7 @@ struct ipsec_test_data pkt_aes_128_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -190,6 +191,7 @@ struct ipsec_test_data pkt_aes_192_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, @@ -289,6 +291,7 @@ struct ipsec_test_data pkt_aes_256_gcm = { .options.dec_ttl = 0, .options.ecn = 0, .options.stats = 0, + .options.tunnel_hdr_verify = 0, .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,