> The example IPsec application does not work properly when using
> AES-GCM with crypto_openssl.
> ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
> later concatenated with be32(1) forms a J0 block. GCM specification
> ([2], chapter 7.1) states that when length of IV is different than
> 96b, in order to format a J0 block, GHASH function must be used.
> According to specification ([2], chapter 5.1.1) GCM implementations
> should support standard 96bit IVs, other lengths are optional. Every
> DPDK cryptodev supports 96bit IV and few of them supports 128bit
> IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
> cryptodev which does support standard IVs only (e.g. qat) it
> implicitly uses starting 96 bits. On the other hand, openssl follows
> specification and uses GHASH to compute J0 for that case which results
> in different than expected J0 values used for encryption/decryption.
> Fix an inability to use AES-GCM with crypto_openssl by changing IV
> length to the standard value of 12.
> [1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
> [2] NIST SP800-38D
> Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
> Cc: sta...@dpdk.org
> Signed-off-by: Marcin Smoczynski <marcinx.smoczyn...@intel.com>
> ---
Acked-by: Akhil Goyal <akhil.go...@nxp.com>
Applied to dpdk-next-crypto


