@@ -845,6 +845,7 @@ ipsec_proto_testsuite_setup(void)
}
test_ipsec_alg_list_populate();
+ test_ipsec_ah_alg_list_populate();
/*
* Stop the device. Device would be started again by individual test
@@ -9238,6 +9239,19 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
"Crypto capabilities not supported\n");
return TEST_SKIPPED;
}
+ } else if (td[0].auth_only) {
+ memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth,
+ sizeof(ut_params->auth_xform));
+ ut_params->auth_xform.auth.key.data = td[0].auth_key.data;
+
+ if (test_ipsec_crypto_caps_auth_verify(
+ sec_cap,
+ &ut_params->auth_xform) != 0) {
+ if (!silent)
+ RTE_LOG(INFO, USER1,
+ "Auth crypto capabilities not supported\n");
+ return TEST_SKIPPED;
+ }
} else {
memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher,
sizeof(ut_params->cipher_xform));
@@ -9281,6 +9295,9 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
sess_conf.ipsec = ipsec_xform;
sess_conf.crypto_xform = &ut_params->aead_xform;
+ } else if (td[0].auth_only) {
+ sess_conf.ipsec = ipsec_xform;
+ sess_conf.crypto_xform = &ut_params->auth_xform;
} else {
sess_conf.ipsec = ipsec_xform;
if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
@@ -9526,6 +9543,52 @@ test_ipsec_proto_all(const struct ipsec_test_flags *flags)
return TEST_SKIPPED;
}
+static int
+test_ipsec_ah_proto_all(const struct ipsec_test_flags *flags)
+{
+ struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+ struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+ unsigned int i, nb_pkts = 1, pass_cnt = 0;
+ int ret;
+
+ for (i = 0; i < RTE_DIM(ah_alg_list); i++) {
+ test_ipsec_td_prepare(ah_alg_list[i].param1,
+ ah_alg_list[i].param2,
+ flags,
+ td_outb,
+ nb_pkts);
+
+ ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ test_ipsec_td_update(td_inb, td_outb, nb_pkts, flags);
+
+ ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+ flags);
+ if (ret == TEST_SKIPPED)
+ continue;
+
+ if (ret == TEST_FAILED)
+ return TEST_FAILED;
+
+ if (flags->display_alg)
+ test_ipsec_display_alg(ah_alg_list[i].param1,
+ ah_alg_list[i].param2);
+
+ pass_cnt++;
+ }
+
+ if (pass_cnt > 0)
+ return TEST_SUCCESS;
+ else
+ return TEST_SKIPPED;
+}
+
static int
test_ipsec_proto_display_list(const void *data __rte_unused)
{
@@ -9538,6 +9601,32 @@ test_ipsec_proto_display_list(const void *data __rte_unused)
return test_ipsec_proto_all(&flags);
}
+static int
+test_ipsec_proto_ah_tunnel_ipv4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ah = true;
+ flags.display_alg = true;
+
+ return test_ipsec_ah_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ah_transport_ipv4(const void *data __rte_unused)
+{
+ struct ipsec_test_flags flags;
+
+ memset(&flags, 0, sizeof(flags));
+
+ flags.ah = true;
+ flags.transport = true;
+
+ return test_ipsec_ah_proto_all(&flags);
+}
+
static int
test_ipsec_proto_iv_gen(const void *data __rte_unused)
{
@@ -15047,6 +15136,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Combined test alg list",
ut_setup_security, ut_teardown,
test_ipsec_proto_display_list),
+ TEST_CASE_NAMED_ST(
+ "Combined test alg list (AH)",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_ah_tunnel_ipv4),
TEST_CASE_NAMED_ST(
"IV generation",
ut_setup_security, ut_teardown,
@@ -15107,6 +15200,10 @@ static struct unit_test_suite ipsec_proto_testsuite = {
"Transport IPv4",
ut_setup_security, ut_teardown,
test_ipsec_proto_transport_v4),
+ TEST_CASE_NAMED_ST(
+ "AH transport IPv4",
+ ut_setup_security, ut_teardown,
+ test_ipsec_proto_ah_transport_ipv4),
TEST_CASE_NAMED_ST(
"Transport l4 checksum",
ut_setup_security, ut_teardown,
@@ -21,6 +21,8 @@ struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
(RTE_DIM(cipher_list) *
RTE_DIM(auth_list))];
+struct crypto_param_comb ah_alg_list[2 * (RTE_DIM(auth_list) - 1)];
+
static bool
is_valid_ipv4_pkt(const struct rte_ipv4_hdr *pkt)
{
@@ -75,6 +77,26 @@ test_ipsec_alg_list_populate(void)
}
}
+void
+test_ipsec_ah_alg_list_populate(void)
+{
+ unsigned long i, index = 0;
+
+ for (i = 1; i < RTE_DIM(auth_list); i++) {
+ ah_alg_list[index].param1 = &auth_list[i];
+ ah_alg_list[index].param2 = NULL;
+ index++;
+ }
+
+ for (i = 1; i < RTE_DIM(auth_list); i++) {
+ /* NULL cipher */
+ ah_alg_list[index].param1 = &cipher_list[0];
+
+ ah_alg_list[index].param2 = &auth_list[i];
+ index++;
+ }
+}
+
int
test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
const struct rte_security_capability *sec_cap,
@@ -381,17 +403,34 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
sizeof(*td));
td->aead = false;
- td->xform.chain.cipher.cipher.algo = param1->alg.cipher;
- td->xform.chain.cipher.cipher.key.length =
- param1->key_length;
- td->xform.chain.cipher.cipher.iv.length =
- param1->iv_length;
- td->xform.chain.auth.auth.algo = param2->alg.auth;
- td->xform.chain.auth.auth.key.length =
- param2->key_length;
- td->xform.chain.auth.auth.digest_length =
- param2->digest_length;
+ if (param1->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ td->xform.chain.auth.auth.algo =
+ param1->alg.auth;
+ td->xform.chain.auth.auth.key.length =
+ param1->key_length;
+ td->xform.chain.auth.auth.digest_length =
+ param1->digest_length;
+ td->auth_only = true;
+ } else {
+ td->xform.chain.cipher.cipher.algo =
+ param1->alg.cipher;
+ td->xform.chain.cipher.cipher.key.length =
+ param1->key_length;
+ td->xform.chain.cipher.cipher.iv.length =
+ param1->iv_length;
+ td->xform.chain.auth.auth.algo =
+ param2->alg.auth;
+ td->xform.chain.auth.auth.key.length =
+ param2->key_length;
+ td->xform.chain.auth.auth.digest_length =
+ param2->digest_length;
+ }
+ }
+
+ if (flags->ah) {
+ td->ipsec_xform.proto =
+ RTE_SECURITY_IPSEC_SA_PROTO_AH;
}
if (flags->iv_gen)
@@ -499,6 +538,11 @@ test_ipsec_display_alg(const struct crypto_param *param1,
printf("\t%s [%d]",
rte_crypto_aead_algorithm_strings[param1->alg.aead],
param1->key_length * 8);
+ } else if (param1->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+ printf("\t%s",
+ rte_crypto_auth_algorithm_strings[param1->alg.auth]);
+ if (param1->alg.auth != RTE_CRYPTO_AUTH_NULL)
+ printf(" [%dB ICV]", param1->digest_length);
} else {
printf("\t%s",
rte_crypto_cipher_algorithm_strings[param1->alg.cipher]);
@@ -832,6 +876,11 @@ test_ipsec_iph4_hdr_validate(const struct rte_ipv4_hdr *iph4,
return -1;
}
+ if (flags->ah && iph4->next_proto_id != IPPROTO_AH) {
+ printf("Tunnel outer header proto is not AH\n");
+ return -1;
+ }
+
f_off = rte_be_to_cpu_16(iph4->fragment_offset);
if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
@@ -934,6 +983,11 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
printf("Transport packet is not IPv4\n");
return TEST_FAILED;
}
+
+ if (flags->ah && iph4->next_proto_id != IPPROTO_AH) {
+ printf("Transport IPv4 header proto is not AH\n");
+ return -1;
+ }
}
} else {
if (td->ipsec_xform.tunnel.type ==
@@ -40,6 +40,9 @@ struct ipsec_test_data {
struct rte_security_ipsec_xform ipsec_xform;
bool aead;
+
+ bool auth_only;
+
/* Antireplay packet */
bool ar_packet;
@@ -88,6 +91,7 @@ struct ipsec_test_flags {
enum df_flags df;
enum dscp_flags dscp;
bool dec_ttl_or_hop_limit;
+ bool ah;
};
struct crypto_param {
@@ -198,8 +202,12 @@ extern struct crypto_param_comb alg_list[RTE_DIM(aead_list) +
(RTE_DIM(cipher_list) *
RTE_DIM(auth_list))];
+extern struct crypto_param_comb ah_alg_list[2 * (RTE_DIM(auth_list) - 1)];
+
void test_ipsec_alg_list_populate(void);
+void test_ipsec_ah_alg_list_populate(void);
+
int test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
const struct rte_security_capability *sec_cap,
bool silent);
@@ -190,6 +190,9 @@ New Features
Crypto producer mode helps to measure performance of OP_NEW and OP_FORWARD
modes of event crypto adapter.
+* **Updated lookaside protocol (IPsec) tests in dpdk-test.**
+
+ * Added tests to verify IPSec AH in combined mode.
Removed Items
-------------