Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/29078/?format=api
{ "id": 29078, "url": "http://patches.dpdk.org/api/patches/29078/?format=api", "web_url": "http://patches.dpdk.org/project/dpdk/patch/20170921131123.16513-7-pablo.de.lara.guarch@intel.com/", "project": { "id": 1, "url": "http://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20170921131123.16513-7-pablo.de.lara.guarch@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20170921131123.16513-7-pablo.de.lara.guarch@intel.com", "date": "2017-09-21T13:11:19", "name": "[dpdk-dev,v2,6/9] crypto/openssl: add AES-CCM support", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "8542021be2d69e9164739c99bb4e36d692f6093d", "submitter": { "id": 9, "url": "http://patches.dpdk.org/api/people/9/?format=api", "name": "De Lara Guarch, Pablo", "email": "pablo.de.lara.guarch@intel.com" }, "delegate": { "id": 22, "url": "http://patches.dpdk.org/api/users/22/?format=api", "username": "pdelarag", "first_name": "Pablo", "last_name": "de Lara Guarch", "email": "pablo.de.lara.guarch@intel.com" }, "mbox": "http://patches.dpdk.org/project/dpdk/patch/20170921131123.16513-7-pablo.de.lara.guarch@intel.com/mbox/", "series": [], "comments": "http://patches.dpdk.org/api/patches/29078/comments/", "check": "success", "checks": "http://patches.dpdk.org/api/patches/29078/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@dpdk.org", "Delivered-To": "patchwork@dpdk.org", "Received": [ "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id E24941B1BC;\n\tThu, 21 Sep 2017 23:11:59 +0200 (CEST)", "from mga02.intel.com (mga02.intel.com [134.134.136.20])\n\tby dpdk.org (Postfix) with ESMTP id CF8F21B1B0\n\tfor <dev@dpdk.org>; Thu, 21 Sep 2017 23:11:55 +0200 (CEST)", "from fmsmga003.fm.intel.com ([10.253.24.29])\n\tby orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;\n\t21 Sep 2017 14:11:55 -0700", "from silpixa00399464.ir.intel.com (HELO\n\tsilpixa00399464.ger.corp.intel.com) ([10.237.222.157])\n\tby FMSMGA003.fm.intel.com with ESMTP; 21 Sep 2017 14:11:53 -0700" ], "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.42,426,1500966000\"; d=\"scan'208\";a=\"902703303\"", "From": "Pablo de Lara <pablo.de.lara.guarch@intel.com>", "To": "declan.doherty@intel.com, fiona.trahe@intel.com, deepak.k.jain@intel.com,\n\tjohn.griffin@intel.com", "Cc": "dev@dpdk.org,\n\tPablo de Lara <pablo.de.lara.guarch@intel.com>", "Date": "Thu, 21 Sep 2017 14:11:19 +0100", "Message-Id": "<20170921131123.16513-7-pablo.de.lara.guarch@intel.com>", "X-Mailer": "git-send-email 2.9.4", "In-Reply-To": "<20170921131123.16513-1-pablo.de.lara.guarch@intel.com>", "References": "<20170818080728.43248-1-pablo.de.lara.guarch@intel.com>\n\t<20170921131123.16513-1-pablo.de.lara.guarch@intel.com>", "Subject": "[dpdk-dev] [PATCH v2 6/9] crypto/openssl: add AES-CCM support", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<http://dpdk.org/ml/options/dev>,\n\t<mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://dpdk.org/ml/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<http://dpdk.org/ml/listinfo/dev>,\n\t<mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "Add support to AES-CCM, for 128, 192 and 256-bit keys.\n\nSigned-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>\n---\n doc/guides/cryptodevs/features/default.ini | 3 +\n doc/guides/cryptodevs/features/openssl.ini | 3 +\n doc/guides/cryptodevs/openssl.rst | 1 +\n doc/guides/rel_notes/release_17_11.rst | 6 +\n drivers/crypto/openssl/rte_openssl_pmd.c | 178 ++++++++++++++++++++++++---\n drivers/crypto/openssl/rte_openssl_pmd_ops.c | 30 +++++\n lib/librte_cryptodev/rte_crypto_sym.h | 9 +-\n 7 files changed, 210 insertions(+), 20 deletions(-)", "diff": "diff --git a/doc/guides/cryptodevs/features/default.ini b/doc/guides/cryptodevs/features/default.ini\nindex 0926887..c98717a 100644\n--- a/doc/guides/cryptodevs/features/default.ini\n+++ b/doc/guides/cryptodevs/features/default.ini\n@@ -68,3 +68,6 @@ ZUC EIA3 =\n AES GCM (128) =\n AES GCM (192) =\n AES GCM (256) =\n+AES CCM (128) =\n+AES CCM (192) =\n+AES CCM (256) =\ndiff --git a/doc/guides/cryptodevs/features/openssl.ini b/doc/guides/cryptodevs/features/openssl.ini\nindex aeb2a50..385ec4e 100644\n--- a/doc/guides/cryptodevs/features/openssl.ini\n+++ b/doc/guides/cryptodevs/features/openssl.ini\n@@ -45,3 +45,6 @@ AES GMAC = Y\n AES GCM (128) = Y\n AES GCM (192) = Y\n AES GCM (256) = Y\n+AES CCM (128) = Y\n+AES CCM (192) = Y\n+AES CCM (256) = Y\ndiff --git a/doc/guides/cryptodevs/openssl.rst b/doc/guides/cryptodevs/openssl.rst\nindex 08cc9ba..1270dc1 100644\n--- a/doc/guides/cryptodevs/openssl.rst\n+++ b/doc/guides/cryptodevs/openssl.rst\n@@ -67,6 +67,7 @@ Supported authentication algorithms:\n \n Supported AEAD algorithms:\n * ``RTE_CRYPTO_AEAD_AES_GCM``\n+* ``RTE_CRYPTO_AEAD_AES_CCM``\n \n \n Installation\ndiff --git a/doc/guides/rel_notes/release_17_11.rst b/doc/guides/rel_notes/release_17_11.rst\nindex ebb5021..63cd1b5 100644\n--- a/doc/guides/rel_notes/release_17_11.rst\n+++ b/doc/guides/rel_notes/release_17_11.rst\n@@ -49,6 +49,12 @@ New Features\n * Coalesce writes to HEAD CSR on response processing.\n * Coalesce writes to TAIL CSR on request processing.\n \n+* **Updated the OpenSSL PMD.**\n+\n+ The OpenSSL PMD has been updated with additional support for:\n+\n+ * AES-CCM algorithm.\n+\n * **Add new benchmarking mode to dpdk-test-crypto-perf application.**\n \n Added new \"PMD cyclecount\" benchmark mode to dpdk-test-crypto-perf application\ndiff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c\nindex b6ccd8b..9993d89 100644\n--- a/drivers/crypto/openssl/rte_openssl_pmd.c\n+++ b/drivers/crypto/openssl/rte_openssl_pmd.c\n@@ -287,6 +287,21 @@ get_aead_algo(enum rte_crypto_aead_algorithm sess_algo, size_t keylen,\n \t\t\t\tres = -EINVAL;\n \t\t\t}\n \t\t\tbreak;\n+\t\tcase RTE_CRYPTO_AEAD_AES_CCM:\n+\t\t\tswitch (keylen) {\n+\t\t\tcase 16:\n+\t\t\t\t*algo = EVP_aes_128_ccm();\n+\t\t\t\tbreak;\n+\t\t\tcase 24:\n+\t\t\t\t*algo = EVP_aes_192_ccm();\n+\t\t\t\tbreak;\n+\t\t\tcase 32:\n+\t\t\t\t*algo = EVP_aes_256_ccm();\n+\t\t\t\tbreak;\n+\t\t\tdefault:\n+\t\t\t\tres = -EINVAL;\n+\t\t\t}\n+\t\t\tbreak;\n \t\tdefault:\n \t\t\tres = -EINVAL;\n \t\t\tbreak;\n@@ -305,6 +320,7 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess,\n \t\tuint8_t tag_len, uint8_t *key)\n {\n \tint iv_type = 0;\n+\tunsigned int do_ccm;\n \n \tsess->cipher.direction = RTE_CRYPTO_CIPHER_OP_ENCRYPT;\n \tsess->auth.operation = RTE_CRYPTO_AUTH_OP_GENERATE;\n@@ -315,6 +331,14 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess,\n \t\tiv_type = EVP_CTRL_GCM_SET_IVLEN;\n \t\tif (tag_len != 16)\n \t\t\treturn -EINVAL;\n+\t\tdo_ccm = 0;\n+\t\tbreak;\n+\tcase RTE_CRYPTO_AEAD_AES_CCM:\n+\t\tiv_type = EVP_CTRL_CCM_SET_IVLEN;\n+\t\t/* Digest size can be 4, 6, 8, 10, 12, 14 or 16 bytes */\n+\t\tif (tag_len < 4 || tag_len > 16 || (tag_len & 1) == 1)\n+\t\t\treturn -EINVAL;\n+\t\tdo_ccm = 1;\n \t\tbreak;\n \tdefault:\n \t\treturn -ENOTSUP;\n@@ -339,6 +363,10 @@ openssl_set_sess_aead_enc_param(struct openssl_session *sess,\n \t\t\tNULL) <= 0)\n \t\treturn -EINVAL;\n \n+\tif (do_ccm)\n+\t\tEVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG,\n+\t\t\t\ttag_len, NULL);\n+\n \tif (EVP_EncryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0)\n \t\treturn -EINVAL;\n \n@@ -352,6 +380,7 @@ openssl_set_sess_aead_dec_param(struct openssl_session *sess,\n \t\tuint8_t tag_len, uint8_t *key)\n {\n \tint iv_type = 0;\n+\tunsigned int do_ccm = 0;\n \n \tsess->cipher.direction = RTE_CRYPTO_CIPHER_OP_DECRYPT;\n \tsess->auth.operation = RTE_CRYPTO_AUTH_OP_VERIFY;\n@@ -363,6 +392,13 @@ openssl_set_sess_aead_dec_param(struct openssl_session *sess,\n \t\tif (tag_len != 16)\n \t\t\treturn -EINVAL;\n \t\tbreak;\n+\tcase RTE_CRYPTO_AEAD_AES_CCM:\n+\t\tiv_type = EVP_CTRL_CCM_SET_IVLEN;\n+\t\t/* Digest size can be 4, 6, 8, 10, 12, 14 or 16 bytes */\n+\t\tif (tag_len < 4 || tag_len > 16 || (tag_len & 1) == 1)\n+\t\t\treturn -EINVAL;\n+\t\tdo_ccm = 1;\n+\t\tbreak;\n \tdefault:\n \t\treturn -ENOTSUP;\n \t}\n@@ -386,6 +422,10 @@ openssl_set_sess_aead_dec_param(struct openssl_session *sess,\n \t\t\tsess->iv.length, NULL) <= 0)\n \t\treturn -EINVAL;\n \n+\tif (do_ccm)\n+\t\tEVP_CIPHER_CTX_ctrl(sess->cipher.ctx, EVP_CTRL_CCM_SET_TAG,\n+\t\t\t\ttag_len, NULL);\n+\n \tif (EVP_DecryptInit_ex(sess->cipher.ctx, NULL, NULL, key, NULL) <= 0)\n \t\treturn -EINVAL;\n \n@@ -573,7 +613,16 @@ openssl_set_session_aead_parameters(struct openssl_session *sess,\n \tsess->cipher.key.length = xform->aead.key.length;\n \n \t/* Set IV parameters */\n-\tsess->iv.offset = xform->aead.iv.offset;\n+\tif (xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM)\n+\t\t/*\n+\t\t * For AES-CCM, the actual IV is placed\n+\t\t * one byte after the start of the IV field,\n+\t\t * according to the API.\n+\t\t */\n+\t\tsess->iv.offset = xform->aead.iv.offset + 1;\n+\telse\n+\t\tsess->iv.offset = xform->aead.iv.offset;\n+\n \tsess->iv.length = xform->aead.iv.length;\n \n \tsess->auth.aad_length = xform->aead.aad_length;\n@@ -946,7 +995,7 @@ process_openssl_cipher_des3ctr(struct rte_mbuf *mbuf_src, uint8_t *dst,\n \treturn -EINVAL;\n }\n \n-/** Process auth/encription aes-gcm algorithm */\n+/** Process AES-GCM encrypt algorithm */\n static int\n process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,\n \t\tint srclen, uint8_t *aad, int aadlen, uint8_t *iv,\n@@ -984,6 +1033,48 @@ process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,\n \treturn -EINVAL;\n }\n \n+/** Process AES-CCM encrypt algorithm */\n+static int\n+process_openssl_auth_encryption_ccm(struct rte_mbuf *mbuf_src, int offset,\n+\t\tint srclen, uint8_t *aad, int aadlen, uint8_t *iv,\n+\t\tuint8_t *dst, uint8_t *tag, uint8_t taglen, EVP_CIPHER_CTX *ctx)\n+{\n+\tint len = 0;\n+\n+\tif (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)\n+\t\tgoto process_auth_encryption_ccm_err;\n+\n+\tif (EVP_EncryptUpdate(ctx, NULL, &len, NULL, srclen) <= 0)\n+\t\tgoto process_auth_encryption_ccm_err;\n+\n+\tif (aadlen > 0)\n+\t\t/*\n+\t\t * For AES-CCM, the actual AAD is placed\n+\t\t * 18 bytes after the start of the AAD field,\n+\t\t * according to the API.\n+\t\t */\n+\t\tif (EVP_EncryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)\n+\t\t\tgoto process_auth_encryption_ccm_err;\n+\n+\tif (srclen > 0)\n+\t\tif (process_openssl_encryption_update(mbuf_src, offset, &dst,\n+\t\t\t\tsrclen, ctx))\n+\t\t\tgoto process_auth_encryption_ccm_err;\n+\n+\tif (EVP_EncryptFinal_ex(ctx, dst, &len) <= 0)\n+\t\tgoto process_auth_encryption_ccm_err;\n+\n+\tif (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, taglen, tag) <= 0)\n+\t\tgoto process_auth_encryption_ccm_err;\n+\n+\treturn 0;\n+\n+process_auth_encryption_ccm_err:\n+\tOPENSSL_LOG_ERR(\"Process openssl auth encryption ccm failed\");\n+\treturn -EINVAL;\n+}\n+\n+/** Process AES-GCM decrypt algorithm */\n static int\n process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,\n \t\tint srclen, uint8_t *aad, int aadlen, uint8_t *iv,\n@@ -1012,16 +1103,52 @@ process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,\n \t\tgoto process_auth_decryption_gcm_err;\n \n \tif (EVP_DecryptFinal_ex(ctx, dst, &len) <= 0)\n-\t\tgoto process_auth_decryption_gcm_final_err;\n+\t\treturn -EFAULT;\n \n \treturn 0;\n \n process_auth_decryption_gcm_err:\n-\tOPENSSL_LOG_ERR(\"Process openssl auth description gcm failed\");\n+\tOPENSSL_LOG_ERR(\"Process openssl auth decryption gcm failed\");\n \treturn -EINVAL;\n+}\n \n-process_auth_decryption_gcm_final_err:\n-\treturn -EFAULT;\n+/** Process AES-CCM decrypt algorithm */\n+static int\n+process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset,\n+\t\tint srclen, uint8_t *aad, int aadlen, uint8_t *iv,\n+\t\tuint8_t *dst, uint8_t *tag, uint8_t tag_len,\n+\t\tEVP_CIPHER_CTX *ctx)\n+{\n+\tint len = 0;\n+\n+\tif (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_len, tag) <= 0)\n+\t\tgoto process_auth_decryption_ccm_err;\n+\n+\tif (EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)\n+\t\tgoto process_auth_decryption_ccm_err;\n+\n+\tif (EVP_DecryptUpdate(ctx, NULL, &len, NULL, srclen) <= 0)\n+\t\tgoto process_auth_decryption_ccm_err;\n+\n+\tif (aadlen > 0)\n+\t\t/*\n+\t\t * For AES-CCM, the actual AAD is placed\n+\t\t * 18 bytes after the start of the AAD field,\n+\t\t * according to the API.\n+\t\t */\n+\t\tif (EVP_DecryptUpdate(ctx, NULL, &len, aad + 18, aadlen) <= 0)\n+\t\t\tgoto process_auth_decryption_ccm_err;\n+\n+\tif (srclen > 0)\n+\t\tif (process_openssl_decryption_update(mbuf_src, offset, &dst,\n+\t\t\t\tsrclen, ctx))\n+\t\t\treturn -EFAULT;\n+\n+\treturn 0;\n+\n+process_auth_decryption_ccm_err:\n+\tOPENSSL_LOG_ERR(\"Process openssl auth decryption ccm failed\");\n+\treturn -EINVAL;\n }\n \n /** Process standard openssl auth algorithms */\n@@ -1142,6 +1269,7 @@ process_openssl_combined_op\n \tuint8_t *dst = NULL, *iv, *tag, *aad;\n \tint srclen, aadlen, status = -1;\n \tuint32_t offset;\n+\tuint8_t taglen;\n \n \t/*\n \t * Segmented destination buffer is not supported for\n@@ -1177,16 +1305,34 @@ process_openssl_combined_op\n \t\t\t\toffset + srclen);\n \t}\n \n-\tif (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT)\n-\t\tstatus = process_openssl_auth_encryption_gcm(\n-\t\t\t\tmbuf_src, offset, srclen,\n-\t\t\t\taad, aadlen, iv,\n-\t\t\t\tdst, tag, sess->cipher.ctx);\n-\telse\n-\t\tstatus = process_openssl_auth_decryption_gcm(\n-\t\t\t\tmbuf_src, offset, srclen,\n-\t\t\t\taad, aadlen, iv,\n-\t\t\t\tdst, tag, sess->cipher.ctx);\n+\ttaglen = sess->auth.digest_length;\n+\n+\tif (sess->cipher.direction == RTE_CRYPTO_CIPHER_OP_ENCRYPT) {\n+\t\tif (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||\n+\t\t\t\tsess->aead_algo == RTE_CRYPTO_AEAD_AES_GCM)\n+\t\t\tstatus = process_openssl_auth_encryption_gcm(\n+\t\t\t\t\tmbuf_src, offset, srclen,\n+\t\t\t\t\taad, aadlen, iv,\n+\t\t\t\t\tdst, tag, sess->cipher.ctx);\n+\t\telse\n+\t\t\tstatus = process_openssl_auth_encryption_ccm(\n+\t\t\t\t\tmbuf_src, offset, srclen,\n+\t\t\t\t\taad, aadlen, iv,\n+\t\t\t\t\tdst, tag, taglen, sess->cipher.ctx);\n+\n+\t} else {\n+\t\tif (sess->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC ||\n+\t\t\t\tsess->aead_algo == RTE_CRYPTO_AEAD_AES_GCM)\n+\t\t\tstatus = process_openssl_auth_decryption_gcm(\n+\t\t\t\t\tmbuf_src, offset, srclen,\n+\t\t\t\t\taad, aadlen, iv,\n+\t\t\t\t\tdst, tag, sess->cipher.ctx);\n+\t\telse\n+\t\t\tstatus = process_openssl_auth_decryption_ccm(\n+\t\t\t\t\tmbuf_src, offset, srclen,\n+\t\t\t\t\taad, aadlen, iv,\n+\t\t\t\t\tdst, tag, taglen, sess->cipher.ctx);\n+\t}\n \n \tif (status != 0) {\n \t\tif (status == (-EFAULT) &&\ndiff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c\nindex 8cdd0b2..cccb7ca 100644\n--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c\n+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c\n@@ -362,6 +362,36 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {\n \t\t\t}, }\n \t\t}, }\n \t},\n+\t{\t/* AES CCM */\n+\t\t.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,\n+\t\t{.sym = {\n+\t\t\t.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,\n+\t\t\t{.aead = {\n+\t\t\t\t.algo = RTE_CRYPTO_AEAD_AES_CCM,\n+\t\t\t\t.block_size = 16,\n+\t\t\t\t.key_size = {\n+\t\t\t\t\t.min = 16,\n+\t\t\t\t\t.max = 32,\n+\t\t\t\t\t.increment = 8\n+\t\t\t\t},\n+\t\t\t\t.digest_size = {\n+\t\t\t\t\t.min = 4,\n+\t\t\t\t\t.max = 16,\n+\t\t\t\t\t.increment = 2\n+\t\t\t\t},\n+\t\t\t\t.aad_size = {\n+\t\t\t\t\t.min = 0,\n+\t\t\t\t\t.max = 65535,\n+\t\t\t\t\t.increment = 1\n+\t\t\t\t},\n+\t\t\t\t.iv_size = {\n+\t\t\t\t\t.min = 7,\n+\t\t\t\t\t.max = 13,\n+\t\t\t\t\t.increment = 1\n+\t\t\t\t},\n+\t\t\t}, }\n+\t\t}, }\n+\t},\n \t{\t/* AES GMAC (AUTH) */\n \t\t.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,\n \t\t{.sym = {\ndiff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h\nindex 5f859ec..0a0ea59 100644\n--- a/lib/librte_cryptodev/rte_crypto_sym.h\n+++ b/lib/librte_cryptodev/rte_crypto_sym.h\n@@ -160,9 +160,6 @@ struct rte_crypto_cipher_xform {\n \t * Cipher key length is in bytes. For AES it can be 128 bits (16 bytes),\n \t * 192 bits (24 bytes) or 256 bits (32 bytes).\n \t *\n-\t * For the CCM mode of operation, the only supported key length is 128\n-\t * bits (16 bytes).\n-\t *\n \t * For the RTE_CRYPTO_CIPHER_AES_F8 mode of operation, key.length\n \t * should be set to the combined length of the encryption key and the\n \t * keymask. Since the keymask and the encryption key are the same size,\n@@ -429,7 +426,11 @@ struct rte_crypto_aead_xform {\n \tuint16_t digest_length;\n \n \tuint16_t aad_length;\n-\t/**< The length of the additional authenticated data (AAD) in bytes. */\n+\t/**< The length of the additional authenticated data (AAD) in bytes.\n+\t * For CCM mode, this is the length of the actual AAD, even though\n+\t * it is required to reserve 18 bytes before the AAD and padding\n+\t * at the end of it, so a multiple of 16 bytes is allocated.\n+\t */\n };\n \n /** Crypto transformation types */\n", "prefixes": [ "dpdk-dev", "v2", "6/9" ] }