From: Gagandeep Singh <g.si...@nxp.com> Setting ESN seq number initialization. Initialize the sequence number of ESP to 1.
Signed-off-by: Gagandeep Singh <g.si...@nxp.com>
Signed-off-by: Barry Cao <barry....@nxp.com>
---
 drivers/crypto/dpaa_sec/dpaa_sec.c | 17 ++++++++++++++---
 drivers/crypto/dpaa_sec/dpaa_sec.h | 10 +++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.c b/drivers/crypto/dpaa_sec/dpaa_sec.c
index 225bf950e9..e6ca0e6f0e 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.c
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.c
@@ -3011,9 +3011,17 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 PDBHMO_ESP_SNR;
 if (ipsec_xform->options.dec_ttl)
 session->encap_pdb.options |= PDBHMO_ESP_ENCAP_DTTL;
- if (ipsec_xform->options.esn)
- session->encap_pdb.options |= PDBOPTS_ESP_ESN;
 session->encap_pdb.spi = ipsec_xform->spi;
+ /* Initializing the sequence number to 1, Security
+ * engine will choose this sequence number for first packet
+ * Refer: RFC4303 section: 3.3.3.Sequence Number Generation
+ */
+ session->encap_pdb.seq_num = 1;
+ if (ipsec_xform->options.esn) {
+ session->encap_pdb.options |= PDBOPTS_ESP_ESN;
+ session->encap_pdb.seq_num_ext_hi = conf->ipsec.esn.hi;
+ session->encap_pdb.seq_num = conf->ipsec.esn.low;
+ }
 } else if (ipsec_xform->direction ==
 RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
@@ -3022,8 +3030,11 @@ dpaa_sec_set_ipsec_session(__rte_unused struct rte_cryptodev *dev,
 else
 session->decap_pdb.options =
 sizeof(struct rte_ipv6_hdr) << 16;
- if (ipsec_xform->options.esn)
+ if (ipsec_xform->options.esn) {
 session->decap_pdb.options |= PDBOPTS_ESP_ESN;
+ session->decap_pdb.seq_num_ext_hi = conf->ipsec.esn.hi;
+ session->decap_pdb.seq_num = conf->ipsec.esn.low;
+ }
 if (ipsec_xform->replay_win_sz) {
 uint32_t win_sz;
 win_sz = rte_align32pow2(ipsec_xform->replay_win_sz);
diff --git a/drivers/crypto/dpaa_sec/dpaa_sec.h b/drivers/crypto/dpaa_sec/dpaa_sec.h
index eff6dcf311..02e5307660 100644
--- a/drivers/crypto/dpaa_sec/dpaa_sec.h
+++ b/drivers/crypto/dpaa_sec/dpaa_sec.h
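Review bot: In the egress branch of the first dpaa_sec.c hunk, enabling ESN overwrites the new `seq_num = 1` default with `conf->ipsec.esn.low`, so a caller that leaves `esn` zeroed starts the SA at 0 instead of the 1 that the added comment cites from RFC 4303 section 3.3.3. If the engine really uses the PDB value for the first packet, as that comment says, the first ESP packet would carry sequence number 0, which a peer with anti-replay enabled may discard. Consider applying the caller's value only when it is set, e.g. `if (conf->ipsec.esn.hi != 0 || conf->ipsec.esn.low != 0)` around the two `seq_num` assignments, and reading it through `ipsec_xform->esn` like the neighbouring lines if `ipsec_xform` is the same structure (its definition is outside the hunk; the ingress hunk has the same mix). The body of dpaa_sec_set_ipsec_session starts and ends outside the hunk.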
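Review bot: The ingress hunk seeds `decap_pdb.seq_num_ext_hi` and `decap_pdb.seq_num` without saying what the value means to the engine, whereas the egress side got a comment in this commit. Whether the PDB field is the last accepted or the next expected sequence number decides where the anti-replay window starts, so an off-by-one here would be hard to spot later; a comment such as `/* Seed receive-side ESN state: esn.hi/esn.low = <last accepted | next expected> sequence number */`, with the right alternative filled in, would settle it. It is also worth confirming how ESN behaves when `replay_win_sz` is 0 (the check just below), since the high-order 32 bits are not carried in the packet and the receiver has to track them itself. The enclosing function continues outside the hunk.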
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: BSD-3-Clause
 *
- * Copyright 2016-2023 NXP
+ * Copyright 2016-2024 NXP
 *
 */
@@ -989,7 +989,9 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
- .options = { 0 },
+ .options = {
+ .esn = 1,
+ },
 .replay_win_sz_max = 128
 },
 .crypto_capabilities = dpaa_sec_capabilities
@@ -1001,7 +1003,9 @@ static const struct rte_security_capability dpaa_sec_security_cap[] = {
 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
- .options = { 0 },
+ .options = {
+ .esn = 1,
+ },
 .replay_win_sz_max = 128
 },
 .crypto_capabilities = dpaa_sec_capabilities
--
2.25.1
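Review bot: The two capability hunks (egress at -989 and ingress at -1001) now advertise only `.esn = 1`, while the egress path in dpaa_sec.c also acts on `ipsec_xform->options.dec_ttl` (visible as context in the first dpaa_sec.c hunk). If applications are expected to check capabilities before setting an option, `dec_ttl` would be used without being advertised; if that is intended, a short comment on `.options` saying so would help, otherwise the egress entry probably wants `.dec_ttl = 1` as well. Only tunnel-mode ESP entries are visible here, so any other IPsec entries in `dpaa_sec_security_cap[]` that lie outside these hunks should be checked for the same ESN flag.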