test/crypto: add IPsec AES-CBC known vectors

Extend IPsec lookaside test framework to support chained operations and add AES-CBC 128 known vector tests. Signed-off-by: Anoob Joseph <anoobj@marvell.com> Acked-by: Akhil Goyal <gakhil@marvell.com>
2021-12-06 16:37:48 +05:30 · 2021-12-06 16:37:48 +05:30 · 67d2a1880b
commit 67d2a1880b
parent b0c6a0f1ee
4 changed files with 222 additions and 9 deletions
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@ -9191,23 +9191,59 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			return TEST_SKIPPED;
 		}
 	} else {
-		/* Only AEAD supported now */
-		return TEST_SKIPPED;
+		memcpy(&ut_params->cipher_xform, &td[0].xform.chain.cipher,
+		       sizeof(ut_params->cipher_xform));
+		memcpy(&ut_params->auth_xform, &td[0].xform.chain.auth,
+		       sizeof(ut_params->auth_xform));
+		ut_params->cipher_xform.cipher.key.data = td[0].key.data;
+		ut_params->cipher_xform.cipher.iv.offset = IV_OFFSET;
+		ut_params->auth_xform.auth.key.data = td[0].key.data;
+
+		/* Verify crypto capabilities */
+
+		if (test_ipsec_crypto_caps_cipher_verify(
+				sec_cap,
+				&ut_params->cipher_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Cipher crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
+
+		if (test_ipsec_crypto_caps_auth_verify(
+				sec_cap,
+				&ut_params->auth_xform) != 0) {
+			if (!silent)
+				RTE_LOG(INFO, USER1,
+					"Auth crypto capabilities not supported\n");
+			return TEST_SKIPPED;
+		}
 	}

 	if (test_ipsec_sec_caps_verify(&ipsec_xform, sec_cap, silent) != 0)
 		return TEST_SKIPPED;

-	salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
-	memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
-
 	struct rte_security_session_conf sess_conf = {
 		.action_type = ut_params->type,
 		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
-		.ipsec = ipsec_xform,
-		.crypto_xform = &ut_params->aead_xform,
 	};

+	if (td[0].aead) {
+		salt_len = RTE_MIN(sizeof(ipsec_xform.salt), td[0].salt.len);
+		memcpy(&ipsec_xform.salt, td[0].salt.data, salt_len);
+		sess_conf.ipsec = ipsec_xform;
+		sess_conf.crypto_xform = &ut_params->aead_xform;
+	} else {
+		sess_conf.ipsec = ipsec_xform;
+		if (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
+			sess_conf.crypto_xform = &ut_params->cipher_xform;
+			ut_params->cipher_xform.next = &ut_params->auth_xform;
+		} else {
+			sess_conf.crypto_xform = &ut_params->auth_xform;
+			ut_params->auth_xform.next = &ut_params->cipher_xform;
+		}
+	}
+
 	/* Create security session */
 	ut_params->sec_session = rte_security_session_create(ctx, &sess_conf,
 					ts_params->session_mpool,
@ -9316,14 +9352,18 @@ test_ipsec_proto_known_vec(const void *test_data)
 }

 static int
-test_ipsec_proto_known_vec_inb(const void *td_outb)
+test_ipsec_proto_known_vec_inb(const void *test_data)
 {
+	const struct ipsec_test_data *td = test_data;
 	struct ipsec_test_flags flags;
 	struct ipsec_test_data td_inb;

 	memset(&flags, 0, sizeof(flags));

-	test_ipsec_td_in_from_out(td_outb, &td_inb);
+	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)
+		test_ipsec_td_in_from_out(td, &td_inb);
+	else
+		memcpy(&td_inb, td, sizeof(td_inb));

 	return test_ipsec_proto_process(&td_inb, NULL, 1, false, &flags);
 }
@ -14394,6 +14434,10 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Inbound known vector (ESP tunnel mode IPv4 AES-GCM 256)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_known_vec_inb, &pkt_aes_256_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Inbound known vector (ESP tunnel mode IPv4 AES-CBC 128)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_known_vec_inb, &pkt_aes_128_cbc_null),
 		TEST_CASE_NAMED_ST(
 			"Combined test alg list",
 			ut_setup_security, ut_teardown,
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@ -150,6 +150,57 @@ test_ipsec_crypto_caps_aead_verify(
 	return -ENOTSUP;
 }

+int
+test_ipsec_crypto_caps_cipher_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *cipher)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *cap;
+	int j = 0;
+
+	while ((cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				cap->sym.xform_type == cipher->type &&
+				cap->sym.cipher.algo == cipher->cipher.algo) {
+			sym_cap = &cap->sym;
+			if (rte_cryptodev_sym_capability_check_cipher(sym_cap,
+					cipher->cipher.key.length,
+					cipher->cipher.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
+int
+test_ipsec_crypto_caps_auth_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *auth)
+{
+	const struct rte_cryptodev_symmetric_capability *sym_cap;
+	const struct rte_cryptodev_capabilities *cap;
+	int j = 0;
+
+	while ((cap = &sec_cap->crypto_capabilities[j++])->op !=
+			RTE_CRYPTO_OP_TYPE_UNDEFINED) {
+		if (cap->op == RTE_CRYPTO_OP_TYPE_SYMMETRIC &&
+				cap->sym.xform_type == auth->type &&
+				cap->sym.auth.algo == auth->auth.algo) {
+			sym_cap = &cap->sym;
+			if (rte_cryptodev_sym_capability_check_auth(sym_cap,
+					auth->auth.key.length,
+					auth->auth.digest_length,
+					auth->auth.iv.length) == 0)
+				return 0;
+		}
+	}
+
+	return -ENOTSUP;
+}
+
 void
 test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			  struct ipsec_test_data *td_in)
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@ -96,6 +96,14 @@ int test_ipsec_crypto_caps_aead_verify(
 		const struct rte_security_capability *sec_cap,
 		struct rte_crypto_sym_xform *aead);

+int test_ipsec_crypto_caps_cipher_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *cipher);
+
+int test_ipsec_crypto_caps_auth_verify(
+		const struct rte_security_capability *sec_cap,
+		struct rte_crypto_sym_xform *auth);
+
 void test_ipsec_td_in_from_out(const struct ipsec_test_data *td_out,
 			       struct ipsec_test_data *td_in);

--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@ -324,4 +324,114 @@ struct ipsec_test_data pkt_aes_256_gcm = {
 	},
 };

+/* Known vectors for AES-CBC
+ * https://datatracker.ietf.org/doc/html/rfc3602#section-4
+ */
+
+struct ipsec_test_data pkt_aes_128_cbc_null = {
+	.key = {
+		.data = {
+			0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+			0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+		},
+	},
+	.input_text = {
+		.data = {
+			/* IP - outer header */
+			0x45, 0x00, 0x00, 0x8c, 0x00, 0x02, 0x00, 0x00,
+			0x40, 0x32, 0x27, 0xbc, 0x00, 0x01, 0xa8, 0xc0,
+			0x01, 0x01, 0xa8, 0xc0,
+
+			/* ESP */
+			0x00, 0x00, 0x87, 0x65,	0x00, 0x00, 0x00, 0x02,
+
+			/* IV */
+			0xf4, 0xe7, 0x65, 0x24,	0x4f, 0x64, 0x07, 0xad,
+			0xf1, 0x3d, 0xc1, 0x38,	0x0f, 0x67, 0x3f, 0x37,
+
+			/* Data */
+			0x77, 0x3b, 0x52, 0x41,	0xa4, 0xc4, 0x49, 0x22,
+			0x5e, 0x4f, 0x3c, 0xe5, 0xed, 0x61, 0x1b, 0x0c,
+			0x23, 0x7c, 0xa9, 0x6c, 0xf7, 0x4a, 0x93, 0x01,
+			0x3c, 0x1b, 0x0e, 0xa1, 0xa0, 0xcf, 0x70, 0xf8,
+			0xe4, 0xec, 0xae, 0xc7, 0x8a, 0xc5, 0x3a, 0xad,
+			0x7a, 0x0f, 0x02, 0x2b, 0x85, 0x92, 0x43, 0xc6,
+			0x47, 0x75, 0x2e, 0x94, 0xa8, 0x59, 0x35, 0x2b,
+			0x8a, 0x4d, 0x4d, 0x2d, 0xec, 0xd1, 0x36, 0xe5,
+			0xc1, 0x77, 0xf1, 0x32,	0xad, 0x3f, 0xbf, 0xb2,
+			0x20, 0x1a, 0xc9, 0x90,	0x4c, 0x74, 0xee, 0x0a,
+			0x10, 0x9e, 0x0c, 0xa1,	0xe4, 0xdf, 0xe9, 0xd5,
+			0xa1, 0x00, 0xb8, 0x42,	0xf1, 0xc2, 0x2f, 0x0d,
+		},
+		.len = 140,
+	},
+	.output_text = {
+		.data = {
+			/* IP */
+			0x45, 0x00, 0x00, 0x54, 0x09, 0x04, 0x00, 0x00,
+			0x40, 0x01, 0xf9, 0x88, 0xc0, 0xa8, 0x7b, 0x03,
+			0xc0, 0xa8, 0x7b, 0xc8,
+
+			/* ICMP */
+			0x08, 0x00, 0x9f, 0x76,	0xa9, 0x0a, 0x01, 0x00,
+			0xb4, 0x9c, 0x08, 0x3d,	0x02, 0xa2, 0x04, 0x00,
+			0x08, 0x09, 0x0a, 0x0b,	0x0c, 0x0d, 0x0e, 0x0f,
+			0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+			0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+			0x20, 0x21, 0x22, 0x23,	0x24, 0x25, 0x26, 0x27,
+			0x28, 0x29, 0x2a, 0x2b,	0x2c, 0x2d, 0x2e, 0x2f,
+			0x30, 0x31, 0x32, 0x33,	0x34, 0x35, 0x36, 0x37,
+			0x01, 0x02, 0x03, 0x04,	0x05, 0x06, 0x07, 0x08,
+			0x09, 0x0a, 0x0a, 0x04,
+		},
+		.len = 84,
+	},
+	.iv = {
+		.data = {
+			0xf4, 0xe7, 0x65, 0x24, 0x4f, 0x64, 0x07, 0xad,
+			0xf1, 0x3d, 0xc1, 0x38, 0x0f, 0x67, 0x3f, 0x37,
+		},
+	},
+
+	.ipsec_xform = {
+		.spi = 0x8765,
+		.options.esn = 0,
+		.options.udp_encap = 0,
+		.options.copy_dscp = 0,
+		.options.copy_flabel = 0,
+		.options.copy_df = 0,
+		.options.dec_ttl = 0,
+		.options.ecn = 0,
+		.options.stats = 0,
+		.options.tunnel_hdr_verify = 0,
+		.direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+		.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		.replay_win_sz = 0,
+	},
+
+	.aead = false,
+
+	.xform = {
+		.chain.cipher = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			.cipher = {
+				.op = RTE_CRYPTO_CIPHER_OP_DECRYPT,
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.key.length = 16,
+				.iv.length = 16,
+			},
+		},
+		.chain.auth = {
+			.next = NULL,
+			.type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			.auth = {
+				.algo = RTE_CRYPTO_AUTH_NULL,
+			},
+		},
+	},
+};
+
 #endif /* TEST_CRYPTODEV_SECURITY_IPSEC_TEST_VECTORS_H_ */