summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarko Kovacevic <marko.kovacevic@intel.com>2018-11-02 09:55:28 +0000
committerAkhil Goyal <akhil.goyal@nxp.com>2018-11-02 12:26:06 +0100
commit3d0fad56b74a02fe6c1bb2b3ee752646c34cfbc5 (patch)
tree9118d24e761948a4c77cd210c7457980d091bfd3
parent1713ad8bc5578db230830c3713d140184b364a3d (diff)
downloaddpdk-3d0fad56b74a02fe6c1bb2b3ee752646c34cfbc5.zip
dpdk-3d0fad56b74a02fe6c1bb2b3ee752646c34cfbc5.tar.gz
dpdk-3d0fad56b74a02fe6c1bb2b3ee752646c34cfbc5.tar.xz
examples/fips_validation: add crypto FIPS application
Added FIPS application into the examples to allow users to use a simple sample app to validate their systems and be able to get FIPS certification. Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Arek Kusztal <arkadiuszx.kusztal@intel.com> Reviewed-by: Akhil Goyal <akhil.goyal@nxp.com>
-rw-r--r--MAINTAINERS4
-rw-r--r--doc/guides/rel_notes/release_18_11.rst6
-rw-r--r--doc/guides/sample_app_ug/fips_validation.rst125
-rw-r--r--doc/guides/sample_app_ug/index.rst1
-rw-r--r--examples/fips_validation/Makefile69
-rw-r--r--examples/fips_validation/fips_validation.c564
-rw-r--r--examples/fips_validation/fips_validation.h149
-rw-r--r--examples/fips_validation/main.c388
-rw-r--r--examples/fips_validation/meson.build14
9 files changed, 1320 insertions, 0 deletions
diff --git a/MAINTAINERS b/MAINTAINERS
index e60379d..19353ac 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1271,6 +1271,10 @@ F: doc/guides/sample_app_ug/ethtool.rst
F: examples/exception_path/
F: doc/guides/sample_app_ug/exception_path.rst
+M: Marko Kovacevic <marko.kovacevic@intel.com>
+F: examples/fips_validation/
+F: doc/guides/sample_app_ug/fips_validation.rst
+
M: Ori Kam <orika@mellanox.com>
F: examples/flow_filtering/
F: doc/guides/sample_app_ug/flow_filtering.rst
diff --git a/doc/guides/rel_notes/release_18_11.rst b/doc/guides/rel_notes/release_18_11.rst
index 11a2740..c60879c 100644
--- a/doc/guides/rel_notes/release_18_11.rst
+++ b/doc/guides/rel_notes/release_18_11.rst
@@ -285,6 +285,12 @@ New Features
this application doesn't need to launch dedicated worker threads for vhost
enqueue/dequeue operations.
+* **Added cryptodev FIPS validation example application.**
+
+ Added an example application to parse and perform symmetric cryptography
+ computation to the NIST Cryptographic Algorithm Validation Program (CAVP)
+ test vectors.
+
API Changes
-----------
diff --git a/doc/guides/sample_app_ug/fips_validation.rst b/doc/guides/sample_app_ug/fips_validation.rst
new file mode 100644
index 0000000..9ca6ffe
--- /dev/null
+++ b/doc/guides/sample_app_ug/fips_validation.rst
@@ -0,0 +1,125 @@
+.. SPDX-License-Identifier: BSD-3-Clause
+ Copyright(c) 2018 Intel Corporation.
+
+Federal Information Processing Standards (FIPS) CryptoDev Validation
+====================================================================
+
+Overview
+--------
+
+Federal Information Processing Standards (FIPS) are publicly announced standards
+developed by the United States federal government for use in computer systems by
+non-military government agencies and government contractors.
+
+This application is used to parse and perform symmetric cryptography
+computation to the NIST Cryptographic Algorithm Validation Program (CAVP) test
+vectors.
+
+For an algorithm implementation to be listed on a cryptographic module
+validation certificate as an Approved security function, the algorithm
+implementation must meet all the requirements of FIPS 140-2 and must
+successfully complete the cryptographic algorithm validation process.
+
+Limitations
+-----------
+
+* Only NIST CAVP request files are parsed by this application.
+* The version of request file supported is ``CAVS 21.0``
+* If the header comment in a ``.req`` file does not contain a Algo tag
+ i.e ``AES,TDES,GCM`` you need to manually add it into the header comment for
+ example::
+
+ # VARIABLE KEY - KAT for CBC / # TDES VARIABLE KEY - KAT for CBC
+
+* The application does not supply the test vectors. The user is expected to
+ obtain the test vector files from `NIST
+ <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-
+ program/block-ciphers>`_ website. To obtain the ``.req`` files you need to
+ email a person from the NIST website and pay for the ``.req`` files.
+ The ``.rsp`` files from the site can be used to validate and compare with
+ the ``.rsp`` files created by the FIPS application.
+
+* Supported test vectors
+
+Application Information
+-----------------------
+
+If a ``.req`` is used as the input file after the application is finished
+running it will generate a response file or ``.rsp``. Differences between the
+two files are, the ``.req`` file has missing information for instance if doing
+encryption you will not have the cipher text and that will be generated in the
+response file. Also if doing decryption it will not have the plain text until it
+finished the work and in the response file it will be added onto the end of each
+operation.
+
+The application can be run with a ``.rsp`` file and what the outcome of that
+will be is it will add a extra line in the generated ``.rsp`` which should be
+the same as the ``.rsp`` used to run the application, this is useful for
+validating if the application has done the operation correctly.
+
+
+Compiling the Application
+-------------------------
+
+* Compile Application
+
+ .. code-block:: console
+
+ make -C examples/fips_validation
+
+* Run ``dos2unix`` on the request files
+
+ .. code-block:: console
+
+ dos2unix AES/req/*
+ dos2unix AES_GCM/req/*
+ dos2unix CCM/req/*
+ dos2unix CMAC/req/*
+ dos2unix HMAC/req/*
+ dos2unix TDES/req/*
+
+Running the Application
+-----------------------
+
+The application requires a number of command line options:
+
+ .. code-block:: console
+
+ ./fips_validation [EAL options]
+ -- --req-file FILE_PATH/FOLDER_PATH
+ --rsp-file FILE_PATH/FOLDER_PATH
+ [--cryptodev DEVICE_NAME] [--cryptodev-id ID] [--path-is-folder]
+
+where,
+ * req-file: The path of the request file or folder, separated by
+ ``path-is-folder`` option.
+
+ * rsp-file: The path that the response file or folder is stored. separated by
+ ``path-is-folder`` option.
+
+ * cryptodev: The name of the target DPDK Crypto device to be validated.
+
+ * cryptodev-id: The id of the target DPDK Crypto device to be validated.
+
+ * path-is-folder: If presented the application expects req-file and rsp-file
+ are folder paths.
+
+
+To run the application in linuxapp environment to test one AES FIPS test data
+file for crypto_aesni_mb PMD, issue the command:
+
+.. code-block:: console
+
+ $ ./fips_validation --vdev crypto_aesni_mb --
+ --req-file /PATH/TO/REQUEST/FILE.req --rsp-file ./PATH/TO/RESPONSE/FILE.rsp
+ --cryptodev crypto_aesni_mb
+
+To run the application in linuxapp environment to test all AES-GCM FIPS test
+data files in one folder for crypto_aesni_gcm PMD, issue the command:
+
+.. code-block:: console
+
+ $ ./fips_validation --vdev crypto_aesni_gcm0 --
+ --req-file /PATH/TO/REQUEST/FILE/FOLDER/
+ --rsp-file ./PATH/TO/RESPONSE/FILE/FOLDER/
+ --cryptodev-id 0 --path-is-folder
diff --git a/doc/guides/sample_app_ug/index.rst b/doc/guides/sample_app_ug/index.rst
index 74b12af..b2455e0 100644
--- a/doc/guides/sample_app_ug/index.rst
+++ b/doc/guides/sample_app_ug/index.rst
@@ -55,6 +55,7 @@ Sample Applications User Guides
tep_termination
ptpclient
performance_thread
+ fips_validation
ipsec_secgw
bbdev_app
diff --git a/examples/fips_validation/Makefile b/examples/fips_validation/Makefile
new file mode 100644
index 0000000..59d56c7
--- /dev/null
+++ b/examples/fips_validation/Makefile
@@ -0,0 +1,69 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright(c) 2018 Intel Corporation
+
+# binary name
+APP = fips_validation
+
+# all source are stored in SRCS-y
+SRCS-y := fips_validation.c
+SRCS-y += main.c
+
+# Build using pkg-config variables if possible
+$(shell pkg-config --exists libdpdk)
+ifeq ($(.SHELLSTATUS),0)
+
+all: shared
+.PHONY: shared static
+shared: build/$(APP)-shared
+ ln -sf $(APP)-shared build/$(APP)
+static: build/$(APP)-static
+ ln -sf $(APP)-static build/$(APP)
+
+PC_FILE := $(shell pkg-config --path libdpdk)
+CFLAGS += -O3 $(shell pkg-config --cflags libdpdk)
+LDFLAGS_SHARED = $(shell pkg-config --libs libdpdk)
+LDFLAGS_STATIC = -Wl,-Bstatic $(shell pkg-config --static --libs libdpdk)
+
+build/$(APP)-shared: $(SRCS-y) Makefile $(PC_FILE) | build
+ $(CC) $(CFLAGS) $(SRCS-y) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED)
+
+build/$(APP)-static: $(SRCS-y) Makefile $(PC_FILE) | build
+ $(CC) $(CFLAGS) $(SRCS-y) -o $@ $(LDFLAGS) $(LDFLAGS_STATIC)
+
+build:
+ @mkdir -p $@
+
+.PHONY: clean
+clean:
+ rm -f build/$(APP) build/$(APP)-static build/$(APP)-shared
+ rmdir --ignore-fail-on-non-empty build
+
+else
+
+ifeq ($(RTE_SDK),)
+$(error "Please define RTE_SDK environment variable")
+endif
+
+# Default target, can be overridden by command line or environment
+RTE_TARGET ?= x86_64-native-linuxapp-gcc
+
+INC += $(sort $(wildcard *.h))
+
+include $(RTE_SDK)/mk/rte.vars.mk
+
+CFLAGS += $(WERROR_FLAGS)
+
+# workaround for a gcc bug with noreturn attribute
+# http://gcc.gnu.org/bugzilla/show_bug.cgi?id=12603
+ifeq ($(CONFIG_RTE_TOOLCHAIN_GCC),y)
+CFLAGS_main.o += -Wno-return-type
+endif
+
+CFLAGS += -DALLOW_EXPERIMENTAL_API
+CFLAGS += -I$(SRCDIR)
+CFLAGS += -O3
+CFLAGS += $(WERROR_FLAGS)
+
+include $(RTE_SDK)/mk/rte.extapp.mk
+
+endif
diff --git a/examples/fips_validation/fips_validation.c b/examples/fips_validation/fips_validation.c
new file mode 100644
index 0000000..58a3c1b
--- /dev/null
+++ b/examples/fips_validation/fips_validation.c
@@ -0,0 +1,564 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <rte_string_fns.h>
+#include <rte_cryptodev.h>
+#include <rte_malloc.h>
+
+#include "fips_validation.h"
+
+#define skip_white_spaces(pos) \
+({ \
+ __typeof__(pos) _p = (pos); \
+ for ( ; isspace(*_p); _p++) \
+ ; \
+ _p; \
+})
+
+static int
+get_file_line(void)
+{
+ FILE *fp = info.fp_rd;
+ char *line = info.one_line_text;
+ int ret;
+ uint32_t loc = 0;
+
+ memset(line, 0, MAX_LINE_CHAR);
+ while ((ret = fgetc(fp)) != EOF) {
+ char c = (char)ret;
+
+ if (loc >= MAX_LINE_CHAR - 1)
+ return -ENOMEM;
+ if (c == '\n')
+ break;
+ line[loc++] = c;
+ }
+
+ if (ret == EOF)
+ return -EOF;
+
+ return 0;
+}
+
+int
+fips_test_fetch_one_block(void)
+{
+ size_t size;
+ int ret = 0;
+ uint32_t i;
+
+ for (i = 0; i < info.nb_vec_lines; i++) {
+ free(info.vec[i]);
+ info.vec[i] = NULL;
+ }
+
+ i = 0;
+ do {
+ if (i >= MAX_LINE_PER_VECTOR) {
+ ret = -ENOMEM;
+ goto error_exit;
+ }
+
+ ret = get_file_line();
+ size = strlen(info.one_line_text);
+ if (size == 0)
+ break;
+
+ info.vec[i] = calloc(1, size + 5);
+ if (info.vec[i] == NULL)
+ goto error_exit;
+
+ strlcpy(info.vec[i], info.one_line_text, size + 1);
+ i++;
+ } while (ret == 0);
+
+ info.nb_vec_lines = i;
+
+ return ret;
+
+error_exit:
+ for (i = 0; i < MAX_LINE_PER_VECTOR; i++)
+ if (info.vec[i] != NULL) {
+ free(info.vec[i]);
+ info.vec[i] = NULL;
+ }
+
+ info.nb_vec_lines = 0;
+
+ return -ENOMEM;
+}
+
+static int
+fips_test_parse_header(void)
+{
+ uint32_t i;
+ char *tmp;
+ int ret;
+ time_t t = time(NULL);
+ struct tm *tm_now = localtime(&t);
+
+ ret = fips_test_fetch_one_block();
+ if (ret < 0)
+ return ret;
+
+ for (i = 0; i < info.nb_vec_lines; i++) {
+
+ tmp = strstr(info.vec[i], "# Config info for ");
+ if (tmp != NULL) {
+ fprintf(info.fp_wr, "%s%s\n", "# Config info for DPDK Cryptodev ",
+ info.device_name);
+ continue;
+ }
+
+ tmp = strstr(info.vec[i], "# HMAC information for ");
+ if (tmp != NULL) {
+ fprintf(info.fp_wr, "%s%s\n", "# HMAC information for "
+ "DPDK Cryptodev ",
+ info.device_name);
+ continue;
+ }
+
+ tmp = strstr(info.vec[i], "# Config Info for : ");
+ if (tmp != NULL) {
+
+ fprintf(info.fp_wr, "%s%s\n", "# Config Info for DPDK Cryptodev : ",
+ info.device_name);
+ continue;
+ }
+
+ tmp = strstr(info.vec[i], "# information for ");
+ if (tmp != NULL) {
+
+ char tmp_output[128] = {0};
+
+ strlcpy(tmp_output, info.vec[i], tmp - info.vec[i] + 1);
+
+ fprintf(info.fp_wr, "%s%s%s\n", tmp_output,
+ "information for DPDK Cryptodev ",
+ info.device_name);
+ continue;
+ }
+
+ tmp = strstr(info.vec[i], " test information for ");
+ if (tmp != NULL) {
+ char tmp_output[128] = {0};
+
+ strlcpy(tmp_output, info.vec[i], tmp - info.vec[i] + 1);
+
+ fprintf(info.fp_wr, "%s%s%s\n", tmp_output,
+ "test information for DPDK Cryptodev ",
+ info.device_name);
+ continue;
+ }
+
+ if (i == info.nb_vec_lines - 1) {
+ /** update the time as current time, write to file */
+ fprintf(info.fp_wr, "%s%s\n", "# Generated on ",
+ asctime(tm_now));
+ continue;
+ }
+
+ /* to this point, no field need to update,
+ * only copy to rsp file
+ */
+ fprintf(info.fp_wr, "%s\n", info.vec[i]);
+ }
+
+ return 0;
+}
+
+static int
+parse_file_type(const char *path)
+{
+ const char *tmp = path + strlen(path) - 3;
+
+ if (strstr(tmp, REQ_FILE_PERFIX))
+ info.file_type = FIPS_TYPE_REQ;
+ else if (strstr(tmp, RSP_FILE_PERFIX))
+ info.file_type = FIPS_TYPE_RSP;
+ else if (strstr(path, FAX_FILE_PERFIX))
+ info.file_type = FIPS_TYPE_FAX;
+ else
+ return -EINVAL;
+
+ return 0;
+}
+
+int
+fips_test_init(const char *req_file_path, const char *rsp_file_path,
+ const char *device_name)
+{
+ if (strcmp(req_file_path, rsp_file_path) == 0) {
+ RTE_LOG(ERR, USER1, "File paths cannot be the same\n");
+ return -EINVAL;
+ }
+
+ fips_test_clear();
+
+ info.algo = FIPS_TEST_ALGO_MAX;
+ if (parse_file_type(req_file_path) < 0) {
+ RTE_LOG(ERR, USER1, "File %s type not supported\n",
+ req_file_path);
+ return -EINVAL;
+ }
+
+ info.fp_rd = fopen(req_file_path, "r");
+ if (!info.fp_rd) {
+ RTE_LOG(ERR, USER1, "Cannot open file %s\n", req_file_path);
+ return -EINVAL;
+ }
+
+ info.fp_wr = fopen(rsp_file_path, "w");
+ if (!info.fp_wr) {
+ RTE_LOG(ERR, USER1, "Cannot open file %s\n", rsp_file_path);
+ return -EINVAL;
+ }
+
+ info.one_line_text = calloc(1, MAX_LINE_CHAR);
+ if (!info.one_line_text) {
+ RTE_LOG(ERR, USER1, "Insufficient memory\n");
+ return -ENOMEM;
+ }
+
+ strlcpy(info.device_name, device_name, sizeof(info.device_name));
+
+ if (fips_test_parse_header() < 0) {
+ RTE_LOG(ERR, USER1, "Failed parsing header\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+void
+fips_test_clear(void)
+{
+ if (info.fp_rd)
+ fclose(info.fp_rd);
+ if (info.fp_wr)
+ fclose(info.fp_wr);
+ if (info.one_line_text)
+ free(info.one_line_text);
+ if (info.nb_vec_lines) {
+ uint32_t i;
+
+ for (i = 0; i < info.nb_vec_lines; i++)
+ free(info.vec[i]);
+ }
+
+ memset(&info, 0, sizeof(info));
+}
+
+int
+fips_test_parse_one_case(void)
+{
+ uint32_t i, j = 0;
+ uint32_t is_interim = 0;
+ int ret;
+
+ if (info.interim_callbacks) {
+ for (i = 0; i < info.nb_vec_lines; i++) {
+ for (j = 0; info.interim_callbacks[j].key != NULL; j++)
+ if (strstr(info.vec[i],
+ info.interim_callbacks[j].key)) {
+ is_interim = 1;
+
+ ret = info.interim_callbacks[j].cb(
+ info.interim_callbacks[j].key,
+ info.vec[i],
+ info.interim_callbacks[j].val);
+ if (ret < 0)
+ return ret;
+ }
+ }
+ }
+
+ if (is_interim) {
+ for (i = 0; i < info.nb_vec_lines; i++)
+ fprintf(info.fp_wr, "%s\n", info.vec[i]);
+ fprintf(info.fp_wr, "\n");
+ return 1;
+ }
+
+ for (i = 0; i < info.nb_vec_lines; i++) {
+ for (j = 0; info.callbacks[j].key != NULL; j++)
+ if (strstr(info.vec[i], info.callbacks[j].key)) {
+ ret = info.callbacks[j].cb(
+ info.callbacks[j].key,
+ info.vec[i], info.callbacks[j].val);
+ if (ret < 0)
+ return ret;
+ break;
+ }
+ }
+
+ return 0;
+}
+
+void
+fips_test_write_one_case(void)
+{
+ uint32_t i;
+
+ for (i = 0; i < info.nb_vec_lines; i++)
+ fprintf(info.fp_wr, "%s\n", info.vec[i]);
+}
+
+static int
+parser_read_uint64_hex(uint64_t *value, const char *p)
+{
+ char *next;
+ uint64_t val;
+
+ p = skip_white_spaces(p);
+
+ val = strtoul(p, &next, 16);
+ if (p == next)
+ return -EINVAL;
+
+ p = skip_white_spaces(next);
+ if (*p != '\0')
+ return -EINVAL;
+
+ *value = val;
+ return 0;
+}
+
+int
+parser_read_uint8_hex(uint8_t *value, const char *p)
+{
+ uint64_t val = 0;
+ int ret = parser_read_uint64_hex(&val, p);
+
+ if (ret < 0)
+ return ret;
+
+ if (val > UINT8_MAX)
+ return -ERANGE;
+
+ *value = val;
+ return 0;
+}
+
+int
+parse_uint8_known_len_hex_str(const char *key, char *src, struct fips_val *val)
+{
+ struct fips_val tmp_val = {0};
+ uint32_t len = val->len;
+ int ret;
+
+ if (len == 0) {
+ if (val->val != NULL) {
+ rte_free(val->val);
+ val->val = NULL;
+ }
+
+ return 0;
+ }
+
+ ret = parse_uint8_hex_str(key, src, &tmp_val);
+ if (ret < 0)
+ return ret;
+
+ if (tmp_val.len == val->len) {
+ val->val = tmp_val.val;
+ return 0;
+ }
+
+ if (tmp_val.len < val->len) {
+ rte_free(tmp_val.val);
+ return -EINVAL;
+ }
+
+ val->val = rte_zmalloc(NULL, val->len, 0);
+ if (!val->val) {
+ rte_free(tmp_val.val);
+ memset(val, 0, sizeof(*val));
+ return -ENOMEM;
+ }
+
+ memcpy(val->val, tmp_val.val, val->len);
+ rte_free(tmp_val.val);
+
+ return 0;
+}
+
+int
+parse_uint8_hex_str(const char *key, char *src, struct fips_val *val)
+{
+ uint32_t len, j;
+
+ src += strlen(key);
+
+ len = strlen(src) / 2;
+
+ if (val->val) {
+ rte_free(val->val);
+ val->val = NULL;
+ }
+
+ val->val = rte_zmalloc(NULL, len, 0);
+ if (!val->val)
+ return -ENOMEM;
+
+ for (j = 0; j < len; j++) {
+ char byte[3] = {src[j * 2], src[j * 2 + 1], '\0'};
+
+ if (parser_read_uint8_hex(&val->val[j], byte) < 0) {
+ rte_free(val->val);
+ memset(val, 0, sizeof(*val));
+ return -EINVAL;
+ }
+ }
+
+ val->len = len;
+
+ return 0;
+}
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val)
+{
+ char *data = src + strlen(key);
+ size_t data_len = strlen(data);
+ int ret;
+
+ if (data[data_len - 1] == ']') {
+ char *tmp_data = calloc(1, data_len + 1);
+
+ if (tmp_data == NULL)
+ return -ENOMEM;
+
+ strlcpy(tmp_data, data, data_len);
+
+ ret = parser_read_uint32(&val->len, tmp_data);
+
+ free(tmp_data);
+ } else
+ ret = parser_read_uint32(&val->len, data);
+
+ return ret;
+}
+
+int
+parser_read_uint32_bit_val(const char *key, char *src, struct fips_val *val)
+{
+ int ret;
+
+ ret = parser_read_uint32_val(key, src, val);
+
+ if (ret < 0)
+ return ret;
+
+ val->len /= 8;
+
+ return 0;
+}
+
+int
+writeback_hex_str(const char *key, char *dst, struct fips_val *val)
+{
+ char *str = dst;
+ uint32_t len;
+
+ str += strlen(key);
+
+ for (len = 0; len < val->len; len++)
+ snprintf(str + len * 2, 255, "%02x", val->val[len]);
+
+ return 0;
+}
+
+static int
+parser_read_uint64(uint64_t *value, const char *p)
+{
+ char *next;
+ uint64_t val;
+
+ p = skip_white_spaces(p);
+ if (!isdigit(*p))
+ return -EINVAL;
+
+ val = strtoul(p, &next, 10);
+ if (p == next)
+ return -EINVAL;
+
+ p = next;
+ switch (*p) {
+ case 'T':
+ val *= 1024ULL;
+ /* fall through */
+ case 'G':
+ val *= 1024ULL;
+ /* fall through */
+ case 'M':
+ val *= 1024ULL;
+ /* fall through */
+ case 'k':
+ case 'K':
+ val *= 1024ULL;
+ p++;
+ break;
+ }
+
+ p = skip_white_spaces(p);
+ if (*p != '\0')
+ return -EINVAL;
+
+ *value = val;
+ return 0;
+}
+
+int
+parser_read_uint32(uint32_t *value, char *p)
+{
+ uint64_t val = 0;
+ int ret = parser_read_uint64(&val, p);
+
+ if (ret < 0)
+ return ret;
+
+ if (val > UINT32_MAX)
+ return -EINVAL;
+
+ *value = val;
+ return 0;
+}
+
+void
+parse_write_hex_str(struct fips_val *src)
+{
+ writeback_hex_str("", info.one_line_text, src);
+
+ fprintf(info.fp_wr, "%s\n", info.one_line_text);
+}
+
+int
+update_info_vec(uint32_t count)
+{
+ const struct fips_test_callback *cb;
+ uint32_t i, j;
+
+ if (!info.writeback_callbacks)
+ return -1;
+
+ cb = &info.writeback_callbacks[0];
+
+ snprintf(info.vec[0], strlen(info.vec[0]) + 4, "%s%u", cb->key, count);
+
+ for (i = 1; i < info.nb_vec_lines; i++) {
+ for (j = 1; info.writeback_callbacks[j].key != NULL; j++) {
+ cb = &info.writeback_callbacks[j];
+ if (strstr(info.vec[i], cb->key)) {
+ cb->cb(cb->key, info.vec[i], cb->val);
+ break;
+ }
+ }
+ }
+
+ return 0;
+}
diff --git a/examples/fips_validation/fips_validation.h b/examples/fips_validation/fips_validation.h
new file mode 100644
index 0000000..dd3bc09
--- /dev/null
+++ b/examples/fips_validation/fips_validation.h
@@ -0,0 +1,149 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#ifndef _FIPS_VALIDATION_H_
+#define _FIPS_VALIDATION_H_
+
+#define FIPS_PARSE_ERR(fmt, args) \
+ RTE_LOG(ERR, USER1, "FIPS parse error" ## fmt ## "\n", ## args)
+
+#define ERR_MSG_SIZE 128
+#define MAX_CASE_LINE 15
+#define MAX_LINE_CHAR 204800 /*< max number of characters per line */
+#define MAX_NB_TESTS 10240
+#define MAX_BUF_SIZE 2048
+#define MAX_STRING_SIZE 64
+
+#define POSITIVE_TEST 0
+#define NEGATIVE_TEST -1
+
+#define REQ_FILE_PERFIX "req"
+#define RSP_FILE_PERFIX "rsp"
+#define FAX_FILE_PERFIX "fax"
+
+enum fips_test_algorithms {
+ FIPS_TEST_ALGO_MAX
+};
+
+enum file_types {
+ FIPS_TYPE_REQ = 1,
+ FIPS_TYPE_FAX,
+ FIPS_TYPE_RSP
+};
+
+enum fips_test_op {
+ FIPS_TEST_ENC_AUTH_GEN = 1,
+ FIPS_TEST_DEC_AUTH_VERIF,
+};
+
+#define MAX_LINE_PER_VECTOR 16
+
+struct fips_val {
+ uint8_t *val;
+ uint32_t len;
+};
+
+struct fips_test_vector {
+ union {
+ struct {
+ struct fips_val key;
+ struct fips_val digest;
+ struct fips_val auth_aad;
+ struct fips_val aad;
+ } cipher_auth;
+ struct {
+ struct fips_val key;
+ struct fips_val digest;
+ struct fips_val aad;
+ } aead;
+ };
+
+ struct fips_val pt;
+ struct fips_val ct;
+ struct fips_val iv;
+
+ enum rte_crypto_op_status status;
+};
+
+typedef int (*post_prcess_t)(struct fips_val *val);
+
+typedef int (*parse_callback_t)(const char *key, char *text,
+ struct fips_val *val);
+
+struct fips_test_callback {
+ const char *key;
+ parse_callback_t cb;
+ struct fips_val *val;
+};
+
+struct fips_test_interim_info {
+ FILE *fp_rd;
+ FILE *fp_wr;
+ enum file_types file_type;
+ enum fips_test_algorithms algo;
+ char *one_line_text;
+ char *vec[MAX_LINE_PER_VECTOR];
+ uint32_t nb_vec_lines;
+ char device_name[MAX_STRING_SIZE];
+
+ enum fips_test_op op;
+
+ const struct fips_test_callback *callbacks;
+ const struct fips_test_callback *interim_callbacks;
+ const struct fips_test_callback *writeback_callbacks;
+
+ post_prcess_t parse_writeback;
+ post_prcess_t kat_check;
+};
+
+extern struct fips_test_vector vec;
+extern struct fips_test_interim_info info;
+
+int
+fips_test_init(const char *req_file_path, const char *rsp_file_path,
+ const char *device_name);
+
+void
+fips_test_clear(void);
+
+int
+fips_test_fetch_one_block(void);
+
+int
+fips_test_parse_one_case(void);
+
+void
+fips_test_write_one_case(void);
+
+int
+parser_read_uint8_hex(uint8_t *value, const char *p);
+
+int
+parse_uint8_hex_str(const char *key, char *src, struct fips_val *val);
+
+int
+parse_uint8_known_len_hex_str(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32_bit_val(const char *key, char *src, struct fips_val *val);
+
+int
+parser_read_uint32(uint32_t *value, char *p);
+
+int
+parser_read_uint32_val(const char *key, char *src, struct fips_val *val);
+
+int
+writeback_hex_str(const char *key, char *dst, struct fips_val *val);
+
+void
+parse_write_hex_str(struct fips_val *src);
+
+int
+update_info_vec(uint32_t count);
+
+#endif
diff --git a/examples/fips_validation/main.c b/examples/fips_validation/main.c
new file mode 100644
index 0000000..7083462
--- /dev/null
+++ b/examples/fips_validation/main.c
@@ -0,0 +1,388 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2018 Intel Corporation
+ */
+
+#include <sys/stat.h>
+#include <getopt.h>
+#include <dirent.h>
+
+#include <rte_cryptodev.h>
+#include <rte_cryptodev_pmd.h>
+#include <rte_mempool.h>
+#include <rte_mbuf.h>
+#include <rte_string_fns.h>
+
+#include "fips_validation.h"
+
+#define REQ_FILE_PATH_KEYWORD "req-file"
+#define RSP_FILE_PATH_KEYWORD "rsp-file"
+#define FOLDER_KEYWORD "path-is-folder"
+#define CRYPTODEV_KEYWORD "cryptodev"
+#define CRYPTODEV_ID_KEYWORD "cryptodev-id"
+
+struct fips_test_vector vec;
+struct fips_test_interim_info info;
+
+struct cryptodev_fips_validate_env {
+ const char *req_path;
+ const char *rsp_path;
+ uint32_t is_path_folder;
+ uint32_t dev_id;
+ struct rte_mempool *mpool;
+ struct rte_mempool *op_pool;
+ struct rte_mbuf *mbuf;
+ struct rte_crypto_op *op;
+ struct rte_cryptodev_sym_session *sess;
+} env;
+
+static int
+cryptodev_fips_validate_app_int(void)
+{
+ struct rte_cryptodev_config conf = {rte_socket_id(), 1};
+ struct rte_cryptodev_qp_conf qp_conf = {128};
+ int ret;
+
+ ret = rte_cryptodev_configure(env.dev_id, &conf);
+ if (ret < 0)
+ return ret;
+
+ env.mpool = rte_pktmbuf_pool_create("FIPS_MEMPOOL", 128, 0, 0,
+ UINT16_MAX, rte_socket_id());
+ if (!env.mpool)
+ return ret;
+
+ ret = rte_cryptodev_queue_pair_setup(env.dev_id, 0, &qp_conf,
+ rte_socket_id(), env.mpool);
+ if (ret < 0)
+ return ret;
+
+ ret = -ENOMEM;
+
+ env.op_pool = rte_crypto_op_pool_create(
+ "FIPS_OP_POOL",
+ RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+ 1, 0,
+ 16,
+ rte_socket_id());
+ if (!env.op_pool)
+ goto error_exit;
+
+ env.mbuf = rte_pktmbuf_alloc(env.mpool);
+ if (!env.mbuf)
+ goto error_exit;
+
+ env.op = rte_crypto_op_alloc(env.op_pool, RTE_CRYPTO_OP_TYPE_SYMMETRIC);
+ if (!env.op)
+ goto error_exit;
+
+ return 0;
+
+error_exit:
+ rte_mempool_free(env.mpool);
+ if (env.op_pool)
+ rte_mempool_free(env.op_pool);
+
+ return ret;
+}
+
+static void
+cryptodev_fips_validate_app_uninit(void)
+{
+ rte_pktmbuf_free(env.mbuf);
+ rte_crypto_op_free(env.op);
+ rte_cryptodev_sym_session_clear(env.dev_id, env.sess);
+ rte_cryptodev_sym_session_free(env.sess);
+ rte_mempool_free(env.mpool);
+ rte_mempool_free(env.op_pool);
+}
+
+static int
+fips_test_one_file(void);
+
+static int
+parse_cryptodev_arg(char *arg)
+{
+ int id = rte_cryptodev_get_dev_id(arg);
+
+ if (id < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev name %s\n",
+ id, arg);
+ return id;
+ }
+
+ env.dev_id = (uint32_t)id;
+
+ return 0;
+}
+
+static int
+parse_cryptodev_id_arg(char *arg)
+{
+ uint32_t cryptodev_id;
+
+ if (parser_read_uint32(&cryptodev_id, arg) < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev id %s\n",
+ -EINVAL, arg);
+ return -1;
+ }
+
+
+ if (!rte_cryptodev_pmd_is_valid_dev(cryptodev_id)) {
+ RTE_LOG(ERR, USER1, "Error %i: invalid cryptodev id %s\n",
+ cryptodev_id, arg);
+ return -1;
+ }
+
+ env.dev_id = (uint32_t)cryptodev_id;
+
+ return 0;
+}
+
+static void
+cryptodev_fips_validate_usage(const char *prgname)
+{
+ printf("%s [EAL options] --\n"
+ " --%s: REQUEST-FILE-PATH\n"
+ " --%s: RESPONSE-FILE-PATH\n"
+ " --%s: indicating both paths are folders\n"
+ " --%s: CRYPTODEV-NAME\n"
+ " --%s: CRYPTODEV-ID-NAME\n",
+ prgname, REQ_FILE_PATH_KEYWORD, RSP_FILE_PATH_KEYWORD,
+ FOLDER_KEYWORD, CRYPTODEV_KEYWORD, CRYPTODEV_ID_KEYWORD);
+}
+
+static int
+cryptodev_fips_validate_parse_args(int argc, char **argv)
+{
+ int opt, ret;
+ char *prgname = argv[0];
+ char **argvopt;
+ int option_index;
+ struct option lgopts[] = {
+ {REQ_FILE_PATH_KEYWORD, required_argument, 0, 0},
+ {RSP_FILE_PATH_KEYWORD, required_argument, 0, 0},
+ {FOLDER_KEYWORD, no_argument, 0, 0},
+ {CRYPTODEV_KEYWORD, required_argument, 0, 0},
+ {CRYPTODEV_ID_KEYWORD, required_argument, 0, 0},
+ {NULL, 0, 0, 0}
+ };
+
+ argvopt = argv;
+
+ while ((opt = getopt_long(argc, argvopt, "s:",
+ lgopts, &option_index)) != EOF) {
+
+ switch (opt) {
+ case 0:
+ if (strcmp(lgopts[option_index].name,
+ REQ_FILE_PATH_KEYWORD) == 0)
+ env.req_path = optarg;
+ else if (strcmp(lgopts[option_index].name,
+ RSP_FILE_PATH_KEYWORD) == 0)
+ env.rsp_path = optarg;
+ else if (strcmp(lgopts[option_index].name,
+ FOLDER_KEYWORD) == 0)
+ env.is_path_folder = 1;
+ else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_KEYWORD) == 0) {
+ ret = parse_cryptodev_arg(optarg);
+ if (ret < 0) {
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+ } else if (strcmp(lgopts[option_index].name,
+ CRYPTODEV_ID_KEYWORD) == 0) {
+ ret = parse_cryptodev_id_arg(optarg);
+ if (ret < 0) {
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+ } else {
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+ break;
+ default:
+ return -1;
+ }
+ }
+
+ if (env.req_path == NULL || env.rsp_path == NULL ||
+ env.dev_id == UINT32_MAX) {
+ cryptodev_fips_validate_usage(prgname);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ int ret;
+
+ ret = rte_eal_init(argc, argv);
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed init\n", ret);
+ return -1;
+ }
+
+ argc -= ret;
+ argv += ret;
+
+ ret = cryptodev_fips_validate_parse_args(argc, argv);
+ if (ret < 0)
+ rte_exit(EXIT_FAILURE, "Failed to parse arguments!\n");
+
+ ret = cryptodev_fips_validate_app_int();
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed init\n", ret);
+ return -1;
+ }
+
+ if (!env.is_path_folder) {
+ printf("Processing file %s... ", env.req_path);
+
+ ret = fips_test_init(env.req_path, env.rsp_path,
+ rte_cryptodev_name_get(env.dev_id));
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+ ret, env.req_path);
+ goto exit;
+ }
+
+
+ ret = fips_test_one_file();
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+ ret, env.req_path);
+ goto exit;
+ }
+
+ printf("Done\n");
+
+ } else {
+ struct dirent *dir;
+ DIR *d_req, *d_rsp;
+ char req_path[1024];
+ char rsp_path[1024];
+
+ d_req = opendir(env.req_path);
+ if (!d_req) {
+ RTE_LOG(ERR, USER1, "Error %i: Path %s not exist\n",
+ -EINVAL, env.req_path);
+ goto exit;
+ }
+
+ d_rsp = opendir(env.rsp_path);
+ if (!d_rsp) {
+ ret = mkdir(env.rsp_path, 0700);
+ if (ret == 0)
+ d_rsp = opendir(env.rsp_path);
+ else {
+ RTE_LOG(ERR, USER1, "Error %i: Invalid %s\n",
+ -EINVAL, env.rsp_path);
+ goto exit;
+ }
+ }
+ closedir(d_rsp);
+
+ while ((dir = readdir(d_req)) != NULL) {
+ if (strstr(dir->d_name, "req") == NULL)
+ continue;
+
+ snprintf(req_path, 1023, "%s/%s", env.req_path,
+ dir->d_name);
+ snprintf(rsp_path, 1023, "%s/%s", env.rsp_path,
+ dir->d_name);
+ strlcpy(strstr(rsp_path, "req"), "rsp", 4);
+
+ printf("Processing file %s... ", req_path);
+
+ ret = fips_test_init(req_path, rsp_path,
+ rte_cryptodev_name_get(env.dev_id));
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+ ret, req_path);
+ break;
+ }
+
+ ret = fips_test_one_file();
+ if (ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Failed test %s\n",
+ ret, req_path);
+ break;
+ }
+
+ printf("Done\n");
+ }
+
+ closedir(d_req);
+ }
+
+
+exit:
+ fips_test_clear();
+ cryptodev_fips_validate_app_uninit();
+
+ return ret;
+
+}
+
+static void
+print_test_block(void)
+{
+ uint32_t i;
+
+ for (i = 0; i < info.nb_vec_lines; i++)
+ printf("%s\n", info.vec[i]);
+
+ printf("\n");
+}
+
+static int
+fips_test_one_file(void)
+{
+ int fetch_ret = 0, ret;
+
+ while (fetch_ret == 0) {
+ fetch_ret = fips_test_fetch_one_block();
+ if (fetch_ret < 0) {
+ RTE_LOG(ERR, USER1, "Error %i: Fetch block\n",
+ fetch_ret);
+ ret = fetch_ret;
+ goto error_one_case;
+ }
+
+ if (info.nb_vec_lines == 0) {
+ if (fetch_ret == -EOF)
+ break;
+
+ fprintf(info.fp_wr, "\n");
+ continue;
+ }
+
+ ret = fips_test_parse_one_case();
+ switch (ret) {
+ case 0:
+ if (ret == 0)
+ break;
+ RTE_LOG(ERR, USER1, "Error %i: test block\n",
+ ret);
+ goto error_one_case;
+ case 1:
+ break;
+ default:
+ RTE_LOG(ERR, USER1, "Error %i: Parse block\n",
+ ret);
+ goto error_one_case;
+ }
+
+ continue;
+error_one_case:
+ print_test_block();
+ }
+
+ fips_test_clear();
+
+}
diff --git a/examples/fips_validation/meson.build b/examples/fips_validation/meson.build
new file mode 100644
index 0000000..cceed4f
--- /dev/null
+++ b/examples/fips_validation/meson.build
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright(c) 2018 Intel Corporation
+
+# meson file, for building this example as part of a main DPDK build.
+#
+# To build this example as a standalone application with an already-installed
+# DPDK instance, use 'make'
+
+deps += ['cryptodev']
+allow_experimental_apis = true
+sources = files(
+ 'fips_validation.c',
+ 'main.c'
+)