[DPDK/cryptodev Bug 1669] Cannot use ESN with GMAC authentication

[bugzilla at dpdk.org]

https://bugs.dpdk.org/show_bug.cgi?id=1669

            Bug ID: 1669
           Summary: Cannot use ESN with GMAC authentication
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: cryptodev
          Assignee: dev at dpdk.org
          Reporter: arieltraver at gmail.com
  Target Milestone: ---

Hi all, 

I want to use NULL encryption and AES GMAC with an Extended Sequence Number
(ESN), but it seems like DPDK doesn't support doing so.

According to RFC 4303, only the lower-order 32 bits of an ESN are stored in the
packet itself. The whole ESN is passed in separately, as part of the Additional
Authenticated Data (AAD).

DPDK allows you to set this AAD for AEAD encryption modes by adjusting
rte_crypto_op->sym->aead.aad.data and rte_crypto_op->sym->aead.aad.phys_addr.
However, DPDK treats AES GMAC as a separate authentication transform, not as an
AEAD transform with null plaintext. If you aren't using AEAD encryption, there
doesn't seem to be any way to include AAD, either in the crypto op or in the
rte_crypto_auth_xform struct. 

As such, you can't supply an ESN without including it in the packet itself,
which violates RFC 4303:2.2.1, or copying the whole packet + ESN to another
buffer just to authenticate.

I'm a new DPDK developer, so apologies if I misunderstood the situation. I did
my best to carefully read all of the crypto examples and even investigated the
implementation of some of the drivers to see how they handle AES GMAC. So far I
have found no clues.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mails.dpdk.org/archives/dev/attachments/20250305/ee58326b/attachment.htm>