From 4470c22de2e1c2b4bf2f5486c43102d2aca58b8a Mon Sep 17 00:00:00 2001
From: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Date: Thu, 29 Sep 2016 16:44:10 +0100
Subject: [PATCH] examples/ipsec-secgw: add AES-CTR

RFC3686: Using AES Counter (CTR) Mode With IPsec ESP.`

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
---
 doc/guides/rel_notes/release_16_11.rst   | 2 +-
 doc/guides/sample_app_ug/ipsec_secgw.rst | 3 ++-
 examples/ipsec-secgw/esp.c               | 2 ++
 examples/ipsec-secgw/sa.c                | 7 +++++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/doc/guides/rel_notes/release_16_11.rst b/doc/guides/rel_notes/release_16_11.rst
index 3779f133d7..905186a93d 100644
--- a/doc/guides/rel_notes/release_16_11.rst
+++ b/doc/guides/rel_notes/release_16_11.rst
@@ -87,7 +87,7 @@ New Features
 
   * configuration file
   * AES CBC IV generation with cipher forward function
-  * AES GCM mode
+  * AES GCM/CTR mode
 
 
 Resolved Issues
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 503f6748a0..885c77e397 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -79,7 +79,7 @@ Constraints
 
 *  No IPv6 options headers.
 *  No AH mode.
-*  Supported algorithms: AES-CBC, AES-GCM, HMAC-SHA1 and NULL.
+*  Supported algorithms: AES-CBC, AES-CTR, AES-GCM, HMAC-SHA1 and NULL.
 *  Each SA must be handle by a unique lcore (*1 RX queue per port*).
 *  No chained mbufs.
 
@@ -418,6 +418,7 @@ where each options means:
 
    * *null*: NULL algorithm
    * *aes-128-cbc*: AES-CBC 128-bit algorithm
+   * *aes-128-ctr*: AES-CTR 128-bit algorithm
    * *aes-128-gcm*: AES-GCM 128-bit algorithm
 
  * Syntax: *cipher_algo <your algorithm>*
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index 7ee53da5b3..ec5a2e627e 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -102,6 +102,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 				 ip_hdr_len + sizeof(struct esp_hdr));
 		sym_cop->cipher.iv.length = sa->iv_len;
 		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
 	case RTE_CRYPTO_CIPHER_AES_GCM:
 		icb = get_cnt_blk(m);
 		icb->salt = sa->salt;
@@ -320,6 +321,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 			sizeof(struct esp_hdr);
 		sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
 		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
 	case RTE_CRYPTO_CIPHER_AES_GCM:
 		*iv = sa->seq;
 		sym_cop->cipher.data.offset = ip_hdr_len +
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index d5ad5af70d..00c8cceed7 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -88,6 +88,13 @@ const struct supported_cipher_algo cipher_algos[] = {
 		.iv_len = 8,
 		.block_size = 4,
 		.key_len = 16
+	},
+	{
+		.keyword = "aes-128-ctr",
+		.algo = RTE_CRYPTO_CIPHER_AES_CTR,
+		.iv_len = 8,
+		.block_size = 16, /* XXX AESNI MB limition, should be 4 */
+		.key_len = 16
 	}
 };
 
-- 
2.39.5