patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Cc: Akhil Goyal <akhil.goyal@nxp.com>, dpdk stable <stable@dpdk.org>
Subject: [dpdk-stable] patch 'examples/ipsec-secgw: fix GCM IV length' has been queued to LTS release 18.11.6
Date: Tue, 10 Dec 2019 14:59:31 +0000
Message-ID: <20191210145937.32755-57-ktraynor@redhat.com>
In-Reply-To: <20191210145937.32755-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to LTS release 18.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/16/19. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/ad214b1dc868df16101fc60a669eb1608ff2212a

Thanks.

Kevin.

---
From ad214b1dc868df16101fc60a669eb1608ff2212a Mon Sep 17 00:00:00 2001
From: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Date: Thu, 31 Oct 2019 15:04:45 +0100
Subject: [PATCH] examples/ipsec-secgw: fix GCM IV length

[ upstream commit ce00b504f19896604d60d121008b8a2df48ef114 ]

The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.

ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.

According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and a few of them support 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.

Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.

[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
    https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
    https://csrc.nist.gov/publications/detail/sp/800-38d/final

Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
---
 examples/ipsec-secgw/sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 45b810366..dd01f1fbc 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -912,5 +912,5 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 
 		if (sa->aead_algo == RTE_CRYPTO_AEAD_AES_GCM) {
-			iv_length = 16;
+			iv_length = 12;
 
 			sa_ctx->xf[idx].a.type = RTE_CRYPTO_SYM_XFORM_AEAD;
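Review bot: the new `iv_length = 12;` under the `RTE_CRYPTO_AEAD_AES_GCM` check is a bare literal, and nothing at the assignment says why 12 rather than the 16 it replaces. A named constant or a short comment pointing at the 96-bit GCM IV from RFC 4106 (4-byte salt plus 8-byte per-packet IV) would keep the value from being changed back later. Only the assignment is visible in this hunk, so please also confirm that no other code on the AES-GCM path in `sa_add_rules()` still sizes or offsets by a 16-byte IV.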
-- 
2.21.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2019-12-10 14:49:42.835102506 +0000
+++ 0057-examples-ipsec-secgw-fix-GCM-IV-length.patch	2019-12-10 14:49:39.098456910 +0000
@@ -1 +1 @@
-From ce00b504f19896604d60d121008b8a2df48ef114 Mon Sep 17 00:00:00 2001
+From ad214b1dc868df16101fc60a669eb1608ff2212a Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit ce00b504f19896604d60d121008b8a2df48ef114 ]
+
@@ -32 +33,0 @@
-Cc: stable@dpdk.org
@@ -41 +42 @@
-index 4cb90857c..a8dee342e 100644
+index 45b810366..dd01f1fbc 100644
@@ -44 +45,2 @@
-@@ -986,5 +986,5 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+@@ -912,5 +912,5 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
+ 
@@ -46 +47,0 @@
- 			struct rte_ipsec_session *ips;
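Review bot: the last hunks of this comparison go beyond metadata, since the hunk header moves from `-986,5 +986,5` to `-912,5 +912,5` and the upstream context line `struct rte_ipsec_session *ips;` is dropped, so the 18.11 tree has different code around the change. The `iv_length` lines themselves do not show up as differing, which suggests a context-only rebase; the author should still check the result against the 18.11 `sa_add_rules()` as the note at the top of this mail asks.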


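The J0 mismatch the commit message describes, as an added Python example that is not part of the original patch or of DPDK: it implements the J0 rule from SP 800-38D section 7.1 and compares a device that keeps only the first 96 bits of a 16-byte IV with one that follows the specification. The hash subkey `H`, the nonce bytes, the 16-byte buffer layout (nonce followed by be32(1)) and all function names are assumptions made for illustration; in real GCM, H is the AES encryption of the zero block under the session key.

```python
# GCM pre-counter block (J0) per NIST SP 800-38D, section 7.1.
R = 0xE1 << 120  # reduction constant: 11100001 followed by 120 zero bits


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for shift in range(127, -1, -1):  # bit x_0 is the most significant bit
        if (x >> shift) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H over a byte string whose length is a multiple of 16."""
    if len(data) % 16:
        raise ValueError("GHASH input must be whole 128-bit blocks")
    hv, y = int.from_bytes(h, "big"), 0
    for off in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[off:off + 16], "big"), hv)
    return y.to_bytes(16, "big")


def j0(h: bytes, iv: bytes) -> bytes:
    """96-bit IV: IV || be32(1). Any other length: GHASH over the padded IV."""
    if len(iv) == 12:
        return iv + (1).to_bytes(4, "big")
    pad = -len(iv) % 16  # zero bytes up to the next block boundary
    return ghash(h, iv + bytes(pad + 8) + (8 * len(iv)).to_bytes(8, "big"))


def compare_j0(h: bytes, iv16: bytes) -> tuple:
    """J0 as seen by a 96-bit-only device vs. a spec-following one."""
    truncating = j0(h, iv16[:12])  # keeps the first 96 bits, as described
    compliant = j0(h, iv16)        # 128-bit IV goes through GHASH
    return truncating, compliant


# Constructed sample values (not taken from the patch or from any capture).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")  # stand-in hash subkey
NONCE = bytes.fromhex("cafebabe" "0001020304050607")    # 4-byte salt + 8-byte IV
IV16 = NONCE + (1).to_bytes(4, "big")                   # nonce followed by be32(1)

if __name__ == "__main__":
    truncating, compliant = compare_j0(H, IV16)
    print("96-bit-only device J0:", truncating.hex())
    print("SP 800-38D 16-byte J0:", compliant.hex())
```

With these inputs the truncating device's J0 equals the 16-byte buffer itself, while the GHASH path yields a different block, so the two peers start from different counter blocks and cannot decrypt or authenticate each other's packets.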