@@ -18,6 +18,8 @@
#include <rte_cryptodev.h>
#include <rte_ip.h>
#include <rte_string_fns.h>
+#include <rte_tcp.h>
+#include <rte_udp.h>
#ifdef RTE_CRYPTO_SCHEDULER
#include <rte_cryptodev_scheduler.h>
@@ -9275,6 +9277,30 @@ test_ipsec_proto_udp_ports_verify(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_inner_ip_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ip_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_inner_l4_csum(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.l4_csum = true;
+
+ return test_ipsec_proto_all(&flags);
+}
+
static int
test_PDCP_PROTO_all(void)
{
@@ -14231,6 +14257,14 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Tunnel src and dst addr verification",
ut_setup_security, ut_teardown,
test_ipsec_proto_tunnel_src_dst_addr_verify),
+ TEST_CASE_NAMED_ST(
+ "Inner IP checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_ip_csum),
+ TEST_CASE_NAMED_ST(
+ "Inner L4 checksum",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_inner_l4_csum),
TEST_CASES_END() /**< NULL terminate unit test array */
}
};
@@ -7,6 +7,7 @@
#include <rte_esp.h>
#include <rte_ip.h>
#include <rte_security.h>
+#include <rte_tcp.h>
#include <rte_udp.h>
#include "test.h"
@@ -103,6 +104,22 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
return -ENOTSUP;
}
+ if (ipsec_xform->options.ip_csum_enable == 1 &&
+ sec_cap->ipsec.options.ip_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner IP checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
+ if (ipsec_xform->options.l4_csum_enable == 1 &&
+ sec_cap->ipsec.options.l4_csum_enable == 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Inner L4 checksum is not supported\n");
+ return -ENOTSUP;
+ }
+
return 0;
}
@@ -160,6 +177,56 @@ test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
}
}
+static bool
+is_ipv4(void *ip)
+{
+ struct rte_ipv4_hdr *ipv4 = ip;
+ uint8_t ip_ver;
+
+ ip_ver = (ipv4->version_ihl & 0xf0) >> RTE_IPV4_IHL_MULTIPLIER;
+ if (ip_ver == IPVERSION)
+ return true;
+ else
+ return false;
+}
+
+static void
+test_ipsec_csum_init(void *ip, bool l3, bool l4)
+{
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ uint8_t next_proto;
+ uint8_t size;
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ size = sizeof(struct rte_ipv4_hdr);
+ next_proto = ipv4->next_proto_id;
+
+ if (l3)
+ ipv4->hdr_checksum = 0;
+ } else {
+ size = sizeof(struct rte_ipv6_hdr);
+ next_proto = ((struct rte_ipv6_hdr *)ip)->proto;
+ }
+
+ if (l4) {
+ switch (next_proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)RTE_PTR_ADD(ip, size);
+ tcp->cksum = 0;
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)RTE_PTR_ADD(ip, size);
+ udp->dgram_cksum = 0;
+ break;
+ default:
+ return;
+ }
+ }
+}
+
void
test_ipsec_td_prepare(const struct crypto_param *param1,
const struct crypto_param *param2,
@@ -194,6 +261,17 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
if (flags->sa_expiry_pkts_soft)
td->ipsec_xform.life.packets_soft_limit =
IPSEC_TEST_PACKETS_MAX - 1;
+
+ if (flags->ip_csum) {
+ td->ipsec_xform.options.ip_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, true, false);
+ }
+
+ if (flags->l4_csum) {
+ td->ipsec_xform.options.l4_csum_enable = 1;
+ test_ipsec_csum_init(&td->input_text.data, false, true);
+ }
+
}
RTE_SET_USED(param2);
@@ -230,6 +308,12 @@ test_ipsec_td_update(struct ipsec_test_data td_inb[],
td_inb[i].ipsec_xform.options.tunnel_hdr_verify =
flags->tunnel_hdr_verify;
+ if (flags->ip_csum)
+ td_inb[i].ipsec_xform.options.ip_csum_enable = 1;
+
+ if (flags->l4_csum)
+ td_inb[i].ipsec_xform.options.l4_csum_enable = 1;
+
/* Clear outbound specific flags */
td_inb[i].ipsec_xform.options.iv_gen_disable = 0;
}
@@ -305,12 +389,96 @@ test_ipsec_iv_verify_push(struct rte_mbuf *m, const struct ipsec_test_data *td)
return TEST_SUCCESS;
}
+static int
+test_ipsec_l3_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum, expected_cksum;
+ struct rte_ipv4_hdr *ip;
+
+ ip = rte_pktmbuf_mtod(m, struct rte_ipv4_hdr *);
+
+ if (!is_ipv4((void *)ip))
+ return TEST_SKIPPED;
+
+ actual_cksum = ip->hdr_checksum;
+
+ ip->hdr_checksum = 0;
+
+ expected_cksum = rte_ipv4_cksum(ip);
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
+static int
+test_ipsec_l4_csum_verify(struct rte_mbuf *m)
+{
+ uint16_t actual_cksum = 0, expected_cksum = 0;
+ struct rte_ipv4_hdr *ipv4;
+ struct rte_ipv6_hdr *ipv6;
+ struct rte_tcp_hdr *tcp;
+ struct rte_udp_hdr *udp;
+ void *ip, *l4;
+
+ ip = rte_pktmbuf_mtod(m, void *);
+
+ if (is_ipv4(ip)) {
+ ipv4 = ip;
+ l4 = RTE_PTR_ADD(ipv4, sizeof(struct rte_ipv4_hdr));
+
+ switch (ipv4->next_proto_id) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv4_udptcp_cksum(ipv4, l4);
+ break;
+ default:
+ break;
+ }
+ } else {
+ ipv6 = ip;
+ l4 = RTE_PTR_ADD(ipv6, sizeof(struct rte_ipv6_hdr));
+
+ switch (ipv6->proto) {
+ case IPPROTO_TCP:
+ tcp = (struct rte_tcp_hdr *)l4;
+ actual_cksum = tcp->cksum;
+ tcp->cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ case IPPROTO_UDP:
+ udp = (struct rte_udp_hdr *)l4;
+ actual_cksum = udp->dgram_cksum;
+ udp->dgram_cksum = 0;
+ expected_cksum = rte_ipv6_udptcp_cksum(ipv6, l4);
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (actual_cksum != expected_cksum)
+ return TEST_FAILED;
+
+ return TEST_SUCCESS;
+}
+
static int
test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
bool silent, const struct ipsec_test_flags *flags)
{
uint8_t *output_text = rte_pktmbuf_mtod(m, uint8_t *);
uint32_t skip, len = rte_pktmbuf_pkt_len(m);
+ int ret;
/* For tests with status as error for test success, skip verification */
if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
@@ -354,6 +522,33 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
len -= skip;
output_text += skip;
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->ip_csum) {
+ if (m->ol_flags & PKT_RX_IP_CKSUM_GOOD)
+ ret = test_ipsec_l3_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner IP checksum test failed\n");
+
+ return ret;
+ }
+
+ if ((td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+ flags->l4_csum) {
+ if (m->ol_flags & PKT_RX_L4_CKSUM_GOOD)
+ ret = test_ipsec_l4_csum_verify(m);
+ else
+ ret = TEST_FAILED;
+
+ if (ret == TEST_FAILED)
+ printf("Inner L4 checksum test failed\n");
+
+ return ret;
+ }
+
+
if (memcmp(output_text, td->output_text.data + skip, len)) {
if (silent)
return TEST_FAILED;
@@ -56,6 +56,8 @@ struct ipsec_test_flags {
uint32_t tunnel_hdr_verify;
bool udp_encap;
bool udp_ports_verify;
+ bool ip_csum;
+ bool l4_csum;
};
struct crypto_param {
@@ -95,6 +95,8 @@ struct ipsec_test_data pkt_aes_128_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -192,6 +194,8 @@ struct ipsec_test_data pkt_aes_192_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -292,6 +296,8 @@ struct ipsec_test_data pkt_aes_256_gcm = {
.options.ecn = 0,
.options.stats = 0,
.options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
.direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
@@ -318,4 +324,116 @@ struct ipsec_test_data pkt_aes_256_gcm = {
},
};
+/* Known vectors for AES-CBC
+ * https://datatracker.ietf.org/doc/html/rfc3602#section-4
+ */
+
+struct ipsec_test_data pkt_aes_128_cbc_null = {
+ .key = {
+ .data = {
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+ },
+ },
+ .input_text = {
+ .data = {
+ /* IP - outer header */
+ 0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00,
+ 0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0,
+ 0x01, 0x01, 0xa8, 0xc0,
+
+ /* ESP */
+ 0x00, 0x00, 0x87, 0x65, 0x00, 0x00, 0x00, 0x02,
+
+ /* IV */
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+
+ /* Data */
+ 0x77, 0x3b, 0x52, 0x41, 0xa4, 0xc4, 0x49, 0x22,
+ 0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c,
+ 0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01,
+ 0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8,
+ 0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad,
+ 0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6,
+ 0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b,
+ 0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5,
+ 0xc1, 0x77, 0xf1, 0x32, 0xad, 0x3f, 0xbf, 0xb2,
+ 0x20, 0x1a, 0xc9, 0x90, 0x4c, 0x74, 0xee, 0x0a,
+ 0x10, 0x9e, 0x0c, 0xa1, 0xe4, 0xdf, 0xe9, 0xd5,
+ 0xa1, 0x00, 0xb8, 0x42, 0xf1, 0xc2, 0x2f, 0x0d,
+ },
+ .len = 140,
+ },
+ .output_text = {
+ .data = {
+ /* IP */
+ 0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00,
+ 0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03,
+ 0xc0, 0xa8, 0x7b, 0xc8,
+
+ /* ICMP */
+ 0x08, 0x00, 0x9f, 0x76, 0xa9, 0x0a, 0x01, 0x00,
+ 0xb4, 0x9c, 0x08, 0x3d, 0x02, 0xa2, 0x04, 0x00,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x0a, 0x0a, 0x04,
+ },
+ .len = 84,
+ },
+ .iv = {
+ .data = {
+ 0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+ 0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+ },
+ },
+
+ .ipsec_xform = {
+ .spi = 0x8765,
+ .options.esn = 0,
+ .options.udp_encap = 0,
+ .options.copy_dscp = 0,
+ .options.copy_flabel = 0,
+ .options.copy_df = 0,
+ .options.dec_ttl = 0,
+ .options.ecn = 0,
+ .options.stats = 0,
+ .options.tunnel_hdr_verify = 0,
+ .options.ip_csum_enable = 0,
+ .options.l4_csum_enable = 0,
+ .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+ .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+ .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+ .tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+ .replay_win_sz = 0,
+ },
+
+ .aead = false,
+
+ .xform = {
+ .chain.cipher = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+ .cipher = {
+ .op = RTE_CRYPTO_CIPHER_OP_DECRYPT,
+ .algo = RTE_CRYPTO_CIPHER_AES_CBC,
+ .key.length = 16,
+ .iv.length = 16,
+ },
+ },
+ .chain.auth = {
+ .next = NULL,
+ .type = RTE_CRYPTO_SYM_XFORM_AUTH,
+ .auth = {
+ .algo = RTE_CRYPTO_AUTH_NULL,
+ },
+ },
+ },
+};
+
#endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */
@@ -106,6 +106,7 @@ New Features
* Added tests to validate packets soft expiry.
* Added tests to validate packets hard expiry.
* Added tests to verify tunnel header verification in IPsec inbound.
+ * Added tests to verify inner checksum.
Removed Items