[PATCH 0/2] AES-NI MB PMD: support Multi-buffer library 0.46

[PATCH 0/2] AES-NI MB PMD: support Multi-buffer library 0.46

[Pablo de Lara]

Intel IPSec Multi-buffer library v0.46 has been released,
which among other features, adds support for 12-byte IVs
for AES Counter mode (AES-CTR), since IPSec requires only
12 bytes from the user, which are appended 4 extra bytes,
set to 1 always.

There are no major changes made in the PMD, just
documentation updates and new capability for new IV size
supported.

Pablo de Lara (2):
  crypto/aesni_mb: support IPSec Multi-buffer lib v0.46
  test/crypto: add 12-byte IV AES-CTR test cases

 doc/guides/cryptodevs/aesni_mb.rst             |  18 ++-
 doc/guides/rel_notes/release_17_08.rst         |   6 +
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |   4 +-
 test/test/test_cryptodev_aes_test_vectors.h    | 186 +++++++++++++++++++++++++
 4 files changed, 211 insertions(+), 3 deletions(-)

-- 
2.9.4

[PATCH 1/2] crypto/aesni_mb: support IPSec Multi-buffer lib v0.46

[Pablo de Lara]

IPSec Multi-buffer library v0.46 has been released,
which includes, among othe features, support for 12-byte IV,
for AES-CTR, keeping also the previous 16-byte IV,
for backward compatibility reasons.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 doc/guides/cryptodevs/aesni_mb.rst             | 18 +++++++++++++++++-
 doc/guides/rel_notes/release_17_08.rst         |  6 ++++++
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |  4 ++--
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index ecb52a1..fafcd9f 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -69,6 +69,9 @@ Limitations
 * Chained mbufs are not supported.
 * Only in-place is currently supported (destination address is the same as source address).
 * Only supports session-oriented API implementation (session-less APIs are not supported).
+* If IV is passed with 16 bytes, last 4 bytes will be ignored, as underlying library only
+  requires 12 bytes and will append 4 bytes (counter) at the end.
+  The library always set these 4 bytes to 1, as IPSec requires counter to be set to 1.
 
 Installation
 ------------
@@ -95,7 +98,7 @@ and the Multi-Buffer library version supported by them:
    =============  ============================
    2.2 - 16.11    0.43 - 0.44
    17.02          0.44
-   17.05          0.45
+   17.05 - 17.08  0.45 - 0.46
    =============  ============================
 
 
@@ -131,3 +134,16 @@ Example:
 .. code-block:: console
 
     ./l2fwd-crypto -l 6 -n 4 --vdev="crypto_aesni_mb,socket_id=1,max_nb_sessions=128"
+
+Extra notes
+-----------
+
+For AES Counter mode (AES-CTR), the library supports two different sizes for Initialization
+Vector (IV):
+
+* 12 bytes: used mainly for IPSec, as it requires 12 bytes from the user, which internally
+  are appended the counter block (4 bytes), which is set to 1 for the first block
+  (no padding required from the user)
+
+* 16 bytes: when passing 16 bytes, the library will take them and use the last 4 bytes
+  as the initial counter block for the first block.
diff --git a/doc/guides/rel_notes/release_17_08.rst b/doc/guides/rel_notes/release_17_08.rst
index 842f46f..3d9500a 100644
--- a/doc/guides/rel_notes/release_17_08.rst
+++ b/doc/guides/rel_notes/release_17_08.rst
@@ -75,6 +75,12 @@ New Features
 
   Added support for firmwares with multiple Ethernet ports per physical port.
 
+* **Updated the AESNI MB PMD.**
+
+  The AESNI MB PMD has been updated with additional support for:
+
+  * 12-byte IV on AES Counter Mode, apart from the previous 16-byte IV.
+
 
 Resolved Issues
 ---------------
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index d1bc28e..82630be 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -220,9 +220,9 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
 					.increment = 8
 				},
 				.iv_size = {
-					.min = 16,
+					.min = 12,
 					.max = 16,
-					.increment = 0
+					.increment = 4
 				}
 			}, }
 		}, }
-- 
2.9.4

[PATCH 2/2] test/crypto: add 12-byte IV AES-CTR test cases

[Pablo de Lara]

AESNI MB PMD supports now 12-byte IVs, so some tests
are added to check that, apart from the ones with 16-byte IVs,
as this is still compatible.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 test/test/test_cryptodev_aes_test_vectors.h | 186 ++++++++++++++++++++++++++++
 1 file changed, 186 insertions(+)

diff --git a/test/test/test_cryptodev_aes_test_vectors.h b/test/test/test_cryptodev_aes_test_vectors.h
index 07d6eab..6ebc1c5 100644
--- a/test/test/test_cryptodev_aes_test_vectors.h
+++ b/test/test/test_cryptodev_aes_test_vectors.h
@@ -56,6 +56,17 @@ static const uint8_t ciphertext64_aes128ctr[] = {
 	0x79, 0x21, 0x70, 0xA0, 0xF3, 0x00, 0x9C, 0xEE
 };
 
+static const uint8_t ciphertext64_aes128ctr_IV_12bytes[] = {
+	0x28, 0x80, 0x28, 0xC7, 0x15, 0x99, 0xC5, 0xA8,
+	0xDD, 0x53, 0xC2, 0x67, 0x1B, 0x86, 0xB8, 0x13,
+	0xAB, 0x25, 0x39, 0x7A, 0xD2, 0x1F, 0x8B, 0x4B,
+	0x94, 0x89, 0x2B, 0x65, 0xCF, 0x89, 0x1E, 0xDD,
+	0xD4, 0x7C, 0xFD, 0x8D, 0x0E, 0xCD, 0x23, 0xA4,
+	0xEB, 0x8C, 0x05, 0x58, 0x45, 0x4A, 0x63, 0x44,
+	0x11, 0x42, 0x07, 0x17, 0xB4, 0xD2, 0xCC, 0x75,
+	0xB7, 0x23, 0x99, 0xA9, 0xC5, 0x89, 0x7F, 0x66
+};
+
 static const uint8_t plaintext_aes_docsis_bpi_cfb[] = {
 	0x00, 0x01, 0x02, 0x88, 0xEE, 0x59, 0x7E
 };
@@ -98,6 +109,17 @@ static const uint8_t ciphertext64_aes192ctr[] = {
 	0x59, 0x5E, 0x9E, 0xA5, 0x7B, 0x2D, 0xD7, 0xF0
 };
 
+static const uint8_t ciphertext64_aes192ctr_IV_12bytes[] = {
+	0x67, 0x65, 0xa9, 0xee, 0xfd, 0x31, 0x62, 0xfc,
+	0xad, 0xfd, 0xc7, 0x25, 0xb7, 0x25, 0x16, 0xbe,
+	0x25, 0xce, 0xc0, 0x1d, 0xda, 0xa9, 0xd3, 0xda,
+	0x1b, 0x7d, 0x68, 0x6a, 0x6f, 0x06, 0xea, 0x47,
+	0xa0, 0xe0, 0x15, 0xf4, 0xbd, 0x1b, 0x70, 0x34,
+	0xd4, 0x6d, 0x1c, 0x84, 0x17, 0x91, 0x46, 0x0c,
+	0xe8, 0xbc, 0x7a, 0xfb, 0x9f, 0x2a, 0x8f, 0xb4,
+	0xd4, 0xf3, 0x6e, 0x5b, 0x75, 0xa0, 0xce, 0x32
+};
+
 static const uint8_t plaintext_aes256ctr[] = {
 	0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
 	0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -120,6 +142,17 @@ static const uint8_t ciphertext64_aes256ctr[] = {
 	0x13, 0xC2, 0xDD, 0x08, 0x45, 0x79, 0x41, 0xA6
 };
 
+static const uint8_t ciphertext64_aes256ctr_IV_12bytes[] = {
+	0x7B, 0x7A, 0x7D, 0x83, 0x85, 0xF8, 0x81, 0xF3,
+	0x32, 0x33, 0xD9, 0xFB, 0x04, 0x73, 0xD4, 0x2F,
+	0x70, 0xDE, 0x90, 0x3E, 0xD0, 0xA9, 0x93, 0x8A,
+	0x91, 0xF3, 0xB5, 0x29, 0x4D, 0x2A, 0x74, 0xD0,
+	0xDC, 0x4E, 0x5C, 0x9B, 0x97, 0x24, 0xD8, 0x02,
+	0xFE, 0xAB, 0x38, 0xE8, 0x73, 0x51, 0x29, 0x7E,
+	0xF1, 0xF9, 0x40, 0x78, 0xB1, 0x04, 0x7A, 0x78,
+	0x61, 0x07, 0x47, 0xE6, 0x8C, 0x0F, 0xA8, 0x76
+};
+
 static const uint8_t plaintext_aes_common[] = {
 	"What a lousy earth! He wondered how many people "
 	"were destitute that same night even in his own "
@@ -352,6 +385,141 @@ static const struct blockcipher_test_data aes_test_data_3 = {
 	}
 };
 
+/* AES128-CTR-SHA1 test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_1_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+			0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C
+		},
+		.len = 16
+	},
+	.iv = {
+		.data = {
+			0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7,
+			0xF8, 0xF9, 0xFA, 0xFB
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes128ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes128ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+	.auth_key = {
+		.data = {
+			0xF8, 0x2A, 0xC7, 0x54, 0xDB, 0x96, 0x18, 0xAA,
+			0xC3, 0xA1, 0x53, 0xF6, 0x1F, 0x17, 0x60, 0xBD,
+			0xDE, 0xF4, 0xDE, 0xAD
+		},
+		.len = 20
+	},
+	.digest = {
+		.data = {
+			0x5C, 0x34, 0x6B, 0xE4, 0x9A, 0x7F, 0x4A, 0xC3,
+			0x82, 0xBE, 0xA0, 0x12, 0xD1, 0xF0, 0x15, 0xFA,
+			0xCF, 0xC8, 0x7F, 0x60
+		},
+		.len = 20,
+		.truncated_len = 12
+	}
+};
+
+/** AES-192-CTR XCBC test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_2_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0xCB, 0xC5, 0xED, 0x5B, 0xE7, 0x7C, 0xBD, 0x8C,
+			0x50, 0xD9, 0x30, 0xF2, 0xB5, 0x6A, 0x0E, 0x5F,
+			0xAA, 0xAE, 0xAD, 0xA2, 0x1F, 0x49, 0x52, 0xD4
+		},
+		.len = 24
+	},
+	.iv = {
+		.data = {
+			0x3F, 0x69, 0xA8, 0xCD, 0xE8, 0xF0, 0xEF, 0x40,
+			0xB8, 0x7A, 0x4B, 0xED
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes192ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes192ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+	.auth_key = {
+		.data = {
+			0x87, 0x61, 0x54, 0x53, 0xC4, 0x6D, 0xDD, 0x51,
+			0xE1, 0x9F, 0x86, 0x64, 0x39, 0x0A, 0xE6, 0x59
+		},
+		.len = 16
+	},
+	.digest = {
+		.data = {
+			0x0C, 0xA1, 0xA5, 0xAF, 0x3E, 0x41, 0xD2, 0xF4,
+			0x4C, 0x4C, 0xAB, 0x13
+		},
+		.len = 12,
+		.truncated_len = 12
+	}
+};
+
+/** AES-256-CTR SHA1 test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_3_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+			0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+			0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+			0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4
+		},
+		.len = 32
+	},
+	.iv = {
+		.data = {
+			0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7,
+			0xF8, 0xF9, 0xFA, 0xFB
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes256ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes256ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+	.auth_key = {
+		.data = {
+			0xF8, 0x2A, 0xC7, 0x54, 0xDB, 0x96, 0x18, 0xAA,
+			0xC3, 0xA1, 0x53, 0xF6, 0x1F, 0x17, 0x60, 0xBD,
+			0xDE, 0xF4, 0xDE, 0xAD
+		},
+		.len = 20
+	},
+	.digest = {
+		.data = {
+			0x57, 0x9A, 0x52, 0x6E, 0x31, 0x17, 0x57, 0x49,
+			0xE7, 0xA1, 0x88, 0x6C, 0x2E, 0x36, 0x67, 0x63,
+			0x3F, 0x2D, 0xA3, 0xEF
+		},
+		.len = 20,
+		.truncated_len = 12
+	}
+};
 /** AES-128-CBC SHA1 test vector */
 static const struct blockcipher_test_data aes_test_data_4 = {
 	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CBC,
@@ -1447,6 +1615,24 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 			BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			BLOCKCIPHER_TEST_TARGET_PMD_SCHEDULER
 	},
+	{
+		.test_descr = "AES-128-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_1_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	},
+	{
+		.test_descr = "AES-192-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_2_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	},
+	{
+		.test_descr = "AES-256-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_3_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	}
 };
 
 static const struct blockcipher_test_case aes_docsis_test_cases[] = {
-- 
2.9.4

Re: [PATCH 1/2] crypto/aesni_mb: support IPSec Multi-buffer lib v0.46

[Sergio Gonzalez Monroy]

On 28/06/2017 12:48, Pablo de Lara wrote:
> IPSec Multi-buffer library v0.46 has been released,
> which includes, among othe features, support for 12-byte IV,
> for AES-CTR, keeping also the previous 16-byte IV,
> for backward compatibility reasons.
>
> Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
> ---
>   doc/guides/cryptodevs/aesni_mb.rst             | 18 +++++++++++++++++-
>   doc/guides/rel_notes/release_17_08.rst         |  6 ++++++
>   drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |  4 ++--
>   3 files changed, 25 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
> index ecb52a1..fafcd9f 100644
> --- a/doc/guides/cryptodevs/aesni_mb.rst
> +++ b/doc/guides/cryptodevs/aesni_mb.rst
> @@ -69,6 +69,9 @@ Limitations
>   * Chained mbufs are not supported.
>   * Only in-place is currently supported (destination address is the same as source address).
>   * Only supports session-oriented API implementation (session-less APIs are not supported).
> +* If IV is passed with 16 bytes, last 4 bytes will be ignored, as underlying library only
> +  requires 12 bytes and will append 4 bytes (counter) at the end.
> +  The library always set these 4 bytes to 1, as IPSec requires counter to be set to 1.

I don't think the text above is correct.

Thanks,
Sergio

>   
>   Installation
>   ------------
> @@ -95,7 +98,7 @@ and the Multi-Buffer library version supported by them:
>      =============  ============================
>      2.2 - 16.11    0.43 - 0.44
>      17.02          0.44
> -   17.05          0.45
> +   17.05 - 17.08  0.45 - 0.46
>      =============  ============================
>   
>   
> @@ -131,3 +134,16 @@ Example:
>   .. code-block:: console
>   
>       ./l2fwd-crypto -l 6 -n 4 --vdev="crypto_aesni_mb,socket_id=1,max_nb_sessions=128"
> +
> +Extra notes
> +-----------
> +
> +For AES Counter mode (AES-CTR), the library supports two different sizes for Initialization
> +Vector (IV):
> +
> +* 12 bytes: used mainly for IPSec, as it requires 12 bytes from the user, which internally
> +  are appended the counter block (4 bytes), which is set to 1 for the first block
> +  (no padding required from the user)
> +
> +* 16 bytes: when passing 16 bytes, the library will take them and use the last 4 bytes
> +  as the initial counter block for the first block.
> diff --git a/doc/guides/rel_notes/release_17_08.rst b/doc/guides/rel_notes/release_17_08.rst
> index 842f46f..3d9500a 100644
> --- a/doc/guides/rel_notes/release_17_08.rst
> +++ b/doc/guides/rel_notes/release_17_08.rst
> @@ -75,6 +75,12 @@ New Features
>   
>     Added support for firmwares with multiple Ethernet ports per physical port.
>   
> +* **Updated the AESNI MB PMD.**
> +
> +  The AESNI MB PMD has been updated with additional support for:
> +
> +  * 12-byte IV on AES Counter Mode, apart from the previous 16-byte IV.
> +
>   
>   Resolved Issues
>   ---------------
> diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> index d1bc28e..82630be 100644
> --- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> +++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
> @@ -220,9 +220,9 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
>   					.increment = 8
>   				},
>   				.iv_size = {
> -					.min = 16,
> +					.min = 12,
>   					.max = 16,
> -					.increment = 0
> +					.increment = 4
>   				}
>   			}, }
>   		}, }

[PATCH v2 0/2] AES-NI MB PMD: support Multi-buffer library 0.46

[Pablo de Lara]

Intel IPSec Multi-buffer library v0.46 has been released,
which among other features, adds support for 12-byte IVs
for AES Counter mode (AES-CTR), since IPSec requires only
12 bytes from the user, which are appended 4 extra bytes,
set to 1 always.

There are no major changes made in the PMD, just documentation
updates and new capability for new IV size supported.

Changes in v2:

- Fixed download link
- Removed incorrect comment in documentation

Pablo de Lara (2):
  crypto/aesni_mb: support IPSec Multi-buffer lib v0.46
  test/crypto: add 12-byte IV AES-CTR test cases

 doc/guides/cryptodevs/aesni_mb.rst             |  19 ++-
 doc/guides/rel_notes/release_17_08.rst         |   6 +
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |   4 +-
 test/test/test_cryptodev_aes_test_vectors.h    | 186 +++++++++++++++++++++++++
 4 files changed, 210 insertions(+), 5 deletions(-)

-- 
2.9.4

[PATCH v2 1/2] crypto/aesni_mb: support IPSec Multi-buffer lib v0.46

[Pablo de Lara]

IPSec Multi-buffer library v0.46 has been released,
which includes, among othe features, support for 12-byte IV,
for AES-CTR, keeping also the previous 16-byte IV,
for backward compatibility reasons.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 doc/guides/cryptodevs/aesni_mb.rst             | 19 ++++++++++++++++---
 doc/guides/rel_notes/release_17_08.rst         |  6 ++++++
 drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |  4 ++--
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/doc/guides/cryptodevs/aesni_mb.rst b/doc/guides/cryptodevs/aesni_mb.rst
index ecb52a1..7d9e977 100644
--- a/doc/guides/cryptodevs/aesni_mb.rst
+++ b/doc/guides/cryptodevs/aesni_mb.rst
@@ -76,8 +76,8 @@ Installation
 To build DPDK with the AESNI_MB_PMD the user is required to download the multi-buffer
 library from `here <https://github.com/01org/intel-ipsec-mb>`_
 and compile it on their user system before building DPDK.
-The latest version of the library supported by this PMD is v0.45, which
-can be downloaded in `<https://github.com/01org/intel-ipsec-mb/archive/v0.45.zip>`_.
+The latest version of the library supported by this PMD is v0.46, which
+can be downloaded in `<https://github.com/01org/intel-ipsec-mb/archive/v0.46.zip>`_.
 
 .. code-block:: console
 
@@ -95,7 +95,7 @@ and the Multi-Buffer library version supported by them:
    =============  ============================
    2.2 - 16.11    0.43 - 0.44
    17.02          0.44
-   17.05          0.45
+   17.05 - 17.08  0.45 - 0.46
    =============  ============================
 
 
@@ -131,3 +131,16 @@ Example:
 .. code-block:: console
 
     ./l2fwd-crypto -l 6 -n 4 --vdev="crypto_aesni_mb,socket_id=1,max_nb_sessions=128"
+
+Extra notes
+-----------
+
+For AES Counter mode (AES-CTR), the library supports two different sizes for Initialization
+Vector (IV):
+
+* 12 bytes: used mainly for IPSec, as it requires 12 bytes from the user, which internally
+  are appended the counter block (4 bytes), which is set to 1 for the first block
+  (no padding required from the user)
+
+* 16 bytes: when passing 16 bytes, the library will take them and use the last 4 bytes
+  as the initial counter block for the first block.
diff --git a/doc/guides/rel_notes/release_17_08.rst b/doc/guides/rel_notes/release_17_08.rst
index 842f46f..3d9500a 100644
--- a/doc/guides/rel_notes/release_17_08.rst
+++ b/doc/guides/rel_notes/release_17_08.rst
@@ -75,6 +75,12 @@ New Features
 
   Added support for firmwares with multiple Ethernet ports per physical port.
 
+* **Updated the AESNI MB PMD.**
+
+  The AESNI MB PMD has been updated with additional support for:
+
+  * 12-byte IV on AES Counter Mode, apart from the previous 16-byte IV.
+
 
 Resolved Issues
 ---------------
diff --git a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
index d1bc28e..82630be 100644
--- a/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
+++ b/drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c
@@ -220,9 +220,9 @@ static const struct rte_cryptodev_capabilities aesni_mb_pmd_capabilities[] = {
 					.increment = 8
 				},
 				.iv_size = {
-					.min = 16,
+					.min = 12,
 					.max = 16,
-					.increment = 0
+					.increment = 4
 				}
 			}, }
 		}, }
-- 
2.9.4

[PATCH v2 2/2] test/crypto: add 12-byte IV AES-CTR test cases

[Pablo de Lara]

AESNI MB PMD supports now 12-byte IVs, so some tests
are added to check that, apart from the ones with 16-byte IVs,
as this is still compatible.

Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 test/test/test_cryptodev_aes_test_vectors.h | 186 ++++++++++++++++++++++++++++
 1 file changed, 186 insertions(+)

diff --git a/test/test/test_cryptodev_aes_test_vectors.h b/test/test/test_cryptodev_aes_test_vectors.h
index 07d6eab..6ebc1c5 100644
--- a/test/test/test_cryptodev_aes_test_vectors.h
+++ b/test/test/test_cryptodev_aes_test_vectors.h
@@ -56,6 +56,17 @@ static const uint8_t ciphertext64_aes128ctr[] = {
 	0x79, 0x21, 0x70, 0xA0, 0xF3, 0x00, 0x9C, 0xEE
 };
 
+static const uint8_t ciphertext64_aes128ctr_IV_12bytes[] = {
+	0x28, 0x80, 0x28, 0xC7, 0x15, 0x99, 0xC5, 0xA8,
+	0xDD, 0x53, 0xC2, 0x67, 0x1B, 0x86, 0xB8, 0x13,
+	0xAB, 0x25, 0x39, 0x7A, 0xD2, 0x1F, 0x8B, 0x4B,
+	0x94, 0x89, 0x2B, 0x65, 0xCF, 0x89, 0x1E, 0xDD,
+	0xD4, 0x7C, 0xFD, 0x8D, 0x0E, 0xCD, 0x23, 0xA4,
+	0xEB, 0x8C, 0x05, 0x58, 0x45, 0x4A, 0x63, 0x44,
+	0x11, 0x42, 0x07, 0x17, 0xB4, 0xD2, 0xCC, 0x75,
+	0xB7, 0x23, 0x99, 0xA9, 0xC5, 0x89, 0x7F, 0x66
+};
+
 static const uint8_t plaintext_aes_docsis_bpi_cfb[] = {
 	0x00, 0x01, 0x02, 0x88, 0xEE, 0x59, 0x7E
 };
@@ -98,6 +109,17 @@ static const uint8_t ciphertext64_aes192ctr[] = {
 	0x59, 0x5E, 0x9E, 0xA5, 0x7B, 0x2D, 0xD7, 0xF0
 };
 
+static const uint8_t ciphertext64_aes192ctr_IV_12bytes[] = {
+	0x67, 0x65, 0xa9, 0xee, 0xfd, 0x31, 0x62, 0xfc,
+	0xad, 0xfd, 0xc7, 0x25, 0xb7, 0x25, 0x16, 0xbe,
+	0x25, 0xce, 0xc0, 0x1d, 0xda, 0xa9, 0xd3, 0xda,
+	0x1b, 0x7d, 0x68, 0x6a, 0x6f, 0x06, 0xea, 0x47,
+	0xa0, 0xe0, 0x15, 0xf4, 0xbd, 0x1b, 0x70, 0x34,
+	0xd4, 0x6d, 0x1c, 0x84, 0x17, 0x91, 0x46, 0x0c,
+	0xe8, 0xbc, 0x7a, 0xfb, 0x9f, 0x2a, 0x8f, 0xb4,
+	0xd4, 0xf3, 0x6e, 0x5b, 0x75, 0xa0, 0xce, 0x32
+};
+
 static const uint8_t plaintext_aes256ctr[] = {
 	0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
 	0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
@@ -120,6 +142,17 @@ static const uint8_t ciphertext64_aes256ctr[] = {
 	0x13, 0xC2, 0xDD, 0x08, 0x45, 0x79, 0x41, 0xA6
 };
 
+static const uint8_t ciphertext64_aes256ctr_IV_12bytes[] = {
+	0x7B, 0x7A, 0x7D, 0x83, 0x85, 0xF8, 0x81, 0xF3,
+	0x32, 0x33, 0xD9, 0xFB, 0x04, 0x73, 0xD4, 0x2F,
+	0x70, 0xDE, 0x90, 0x3E, 0xD0, 0xA9, 0x93, 0x8A,
+	0x91, 0xF3, 0xB5, 0x29, 0x4D, 0x2A, 0x74, 0xD0,
+	0xDC, 0x4E, 0x5C, 0x9B, 0x97, 0x24, 0xD8, 0x02,
+	0xFE, 0xAB, 0x38, 0xE8, 0x73, 0x51, 0x29, 0x7E,
+	0xF1, 0xF9, 0x40, 0x78, 0xB1, 0x04, 0x7A, 0x78,
+	0x61, 0x07, 0x47, 0xE6, 0x8C, 0x0F, 0xA8, 0x76
+};
+
 static const uint8_t plaintext_aes_common[] = {
 	"What a lousy earth! He wondered how many people "
 	"were destitute that same night even in his own "
@@ -352,6 +385,141 @@ static const struct blockcipher_test_data aes_test_data_3 = {
 	}
 };
 
+/* AES128-CTR-SHA1 test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_1_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+			0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C
+		},
+		.len = 16
+	},
+	.iv = {
+		.data = {
+			0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7,
+			0xF8, 0xF9, 0xFA, 0xFB
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes128ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes128ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+	.auth_key = {
+		.data = {
+			0xF8, 0x2A, 0xC7, 0x54, 0xDB, 0x96, 0x18, 0xAA,
+			0xC3, 0xA1, 0x53, 0xF6, 0x1F, 0x17, 0x60, 0xBD,
+			0xDE, 0xF4, 0xDE, 0xAD
+		},
+		.len = 20
+	},
+	.digest = {
+		.data = {
+			0x5C, 0x34, 0x6B, 0xE4, 0x9A, 0x7F, 0x4A, 0xC3,
+			0x82, 0xBE, 0xA0, 0x12, 0xD1, 0xF0, 0x15, 0xFA,
+			0xCF, 0xC8, 0x7F, 0x60
+		},
+		.len = 20,
+		.truncated_len = 12
+	}
+};
+
+/** AES-192-CTR XCBC test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_2_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0xCB, 0xC5, 0xED, 0x5B, 0xE7, 0x7C, 0xBD, 0x8C,
+			0x50, 0xD9, 0x30, 0xF2, 0xB5, 0x6A, 0x0E, 0x5F,
+			0xAA, 0xAE, 0xAD, 0xA2, 0x1F, 0x49, 0x52, 0xD4
+		},
+		.len = 24
+	},
+	.iv = {
+		.data = {
+			0x3F, 0x69, 0xA8, 0xCD, 0xE8, 0xF0, 0xEF, 0x40,
+			0xB8, 0x7A, 0x4B, 0xED
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes192ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes192ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+	.auth_key = {
+		.data = {
+			0x87, 0x61, 0x54, 0x53, 0xC4, 0x6D, 0xDD, 0x51,
+			0xE1, 0x9F, 0x86, 0x64, 0x39, 0x0A, 0xE6, 0x59
+		},
+		.len = 16
+	},
+	.digest = {
+		.data = {
+			0x0C, 0xA1, 0xA5, 0xAF, 0x3E, 0x41, 0xD2, 0xF4,
+			0x4C, 0x4C, 0xAB, 0x13
+		},
+		.len = 12,
+		.truncated_len = 12
+	}
+};
+
+/** AES-256-CTR SHA1 test vector (12-byte IV) */
+static const struct blockcipher_test_data aes_test_data_3_IV_12_bytes = {
+	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CTR,
+	.cipher_key = {
+		.data = {
+			0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+			0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+			0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+			0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4
+		},
+		.len = 32
+	},
+	.iv = {
+		.data = {
+			0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7,
+			0xF8, 0xF9, 0xFA, 0xFB
+		},
+		.len = 12
+	},
+	.plaintext = {
+		.data = plaintext_aes256ctr,
+		.len = 64
+	},
+	.ciphertext = {
+		.data = ciphertext64_aes256ctr_IV_12bytes,
+		.len = 64
+	},
+	.auth_algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+	.auth_key = {
+		.data = {
+			0xF8, 0x2A, 0xC7, 0x54, 0xDB, 0x96, 0x18, 0xAA,
+			0xC3, 0xA1, 0x53, 0xF6, 0x1F, 0x17, 0x60, 0xBD,
+			0xDE, 0xF4, 0xDE, 0xAD
+		},
+		.len = 20
+	},
+	.digest = {
+		.data = {
+			0x57, 0x9A, 0x52, 0x6E, 0x31, 0x17, 0x57, 0x49,
+			0xE7, 0xA1, 0x88, 0x6C, 0x2E, 0x36, 0x67, 0x63,
+			0x3F, 0x2D, 0xA3, 0xEF
+		},
+		.len = 20,
+		.truncated_len = 12
+	}
+};
 /** AES-128-CBC SHA1 test vector */
 static const struct blockcipher_test_data aes_test_data_4 = {
 	.crypto_algo = RTE_CRYPTO_CIPHER_AES_CBC,
@@ -1447,6 +1615,24 @@ static const struct blockcipher_test_case aes_cipheronly_test_cases[] = {
 			BLOCKCIPHER_TEST_TARGET_PMD_MB |
 			BLOCKCIPHER_TEST_TARGET_PMD_SCHEDULER
 	},
+	{
+		.test_descr = "AES-128-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_1_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	},
+	{
+		.test_descr = "AES-192-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_2_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	},
+	{
+		.test_descr = "AES-256-CTR Encryption (12-byte IV)",
+		.test_data = &aes_test_data_3_IV_12_bytes,
+		.op_mask = BLOCKCIPHER_TEST_OP_ENCRYPT,
+		.pmd_mask = BLOCKCIPHER_TEST_TARGET_PMD_MB
+	}
 };
 
 static const struct blockcipher_test_case aes_docsis_test_cases[] = {
-- 
2.9.4

Re: [PATCH 1/2] crypto/aesni_mb: support IPSec Multi-buffer lib v0.46

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: Gonzalez Monroy, Sergio
> Sent: Friday, June 30, 2017 2:52 PM
> To: De Lara Guarch, Pablo <pablo.de.lara.guarch@intel.com>; Doherty,
> Declan <declan.doherty@intel.com>
> Cc: dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH 1/2] crypto/aesni_mb: support IPSec Multi-
> buffer lib v0.46
> 
> On 28/06/2017 12:48, Pablo de Lara wrote:
> > IPSec Multi-buffer library v0.46 has been released, which includes,
> > among othe features, support for 12-byte IV, for AES-CTR, keeping also
> > the previous 16-byte IV, for backward compatibility reasons.
> >
> > Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
> > ---
> >   doc/guides/cryptodevs/aesni_mb.rst             | 18 +++++++++++++++++-
> >   doc/guides/rel_notes/release_17_08.rst         |  6 ++++++
> >   drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |  4 ++--
> >   3 files changed, 25 insertions(+), 3 deletions(-)
> >
> > diff --git a/doc/guides/cryptodevs/aesni_mb.rst
> > b/doc/guides/cryptodevs/aesni_mb.rst
> > index ecb52a1..fafcd9f 100644
> > --- a/doc/guides/cryptodevs/aesni_mb.rst
> > +++ b/doc/guides/cryptodevs/aesni_mb.rst
> > @@ -69,6 +69,9 @@ Limitations
> >   * Chained mbufs are not supported.
> >   * Only in-place is currently supported (destination address is the same
> as source address).
> >   * Only supports session-oriented API implementation (session-less APIs
> are not supported).
> > +* If IV is passed with 16 bytes, last 4 bytes will be ignored, as
> > +underlying library only
> > +  requires 12 bytes and will append 4 bytes (counter) at the end.
> > +  The library always set these 4 bytes to 1, as IPSec requires counter to
> be set to 1.
> 
> I don't think the text above is correct.

Forgot to remove that, well spotted!
Will send a v2 shortly.

Thanks,
Pablo

Re: [PATCH v2 1/2] crypto/aesni_mb: support IPSec Multi-buffer lib v0.46

[Declan Doherty]

On 02/07/17 03:55, Pablo de Lara wrote:
> IPSec Multi-buffer library v0.46 has been released,
> which includes, among othe features, support for 12-byte IV,
> for AES-CTR, keeping also the previous 16-byte IV,
> for backward compatibility reasons.
> 
> Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
> ---
...
> 

Acked-by: Declan Doherty <declan.doherty@intel.com>

Re: [PATCH v2 2/2] test/crypto: add 12-byte IV AES-CTR test cases

[Declan Doherty]

On 02/07/17 03:55, Pablo de Lara wrote:
> AESNI MB PMD supports now 12-byte IVs, so some tests
> are added to check that, apart from the ones with 16-byte IVs,
> as this is still compatible.
> 
> Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
> ---
...
> 

Acked-by: Declan Doherty <declan.doherty@intel.com>

Re: [PATCH v2 0/2] AES-NI MB PMD: support Multi-buffer library 0.46

[De Lara Guarch, Pablo]

> -----Original Message-----
> From: De Lara Guarch, Pablo
> Sent: Sunday, July 2, 2017 3:55 AM
> To: Doherty, Declan <declan.doherty@intel.com>
> Cc: dev@dpdk.org; De Lara Guarch, Pablo
> <pablo.de.lara.guarch@intel.com>
> Subject: [PATCH v2 0/2] AES-NI MB PMD: support Multi-buffer library 0.46
> 
> Intel IPSec Multi-buffer library v0.46 has been released, which among other
> features, adds support for 12-byte IVs for AES Counter mode (AES-CTR),
> since IPSec requires only
> 12 bytes from the user, which are appended 4 extra bytes, set to 1 always.
> 
> There are no major changes made in the PMD, just documentation updates
> and new capability for new IV size supported.
> 
> Changes in v2:
> 
> - Fixed download link
> - Removed incorrect comment in documentation
> 
> Pablo de Lara (2):
>   crypto/aesni_mb: support IPSec Multi-buffer lib v0.46
>   test/crypto: add 12-byte IV AES-CTR test cases
> 
>  doc/guides/cryptodevs/aesni_mb.rst             |  19 ++-
>  doc/guides/rel_notes/release_17_08.rst         |   6 +
>  drivers/crypto/aesni_mb/rte_aesni_mb_pmd_ops.c |   4 +-
>  test/test/test_cryptodev_aes_test_vectors.h    | 186
> +++++++++++++++++++++++++
>  4 files changed, 210 insertions(+), 5 deletions(-)
> 
> --
> 2.9.4

Applied to dpdk-next-crypto.

Pablo