CTR/GCM/CCM algorithms require a static IV part provided by the control party.
Usually it is a part of the KEYMAT returned from IKE.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org>
---
 include/odp/api/spec/ipsec.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h
index e83494d3..2e3421c7 100644
--- a/include/odp/api/spec/ipsec.h
+++ b/include/odp/api/spec/ipsec.h
@@ -360,6 +360,9 @@ typedef struct odp_ipsec_crypto_param_t {
        /** Cipher key */
        odp_crypto_key_t cipher_key;
 
+       /** Cipher nonce/salt for CTR/GCM/CCM */
+       odp_crypto_key_t cipher_nonce;
+
        /** Authentication algorithm */
        odp_auth_alg_t auth_alg;
 
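Review bot: The doc comment on the new cipher_nonce field does not say what length is expected or what the field should hold when the cipher is not CTR/GCM/CCM. Since the second hunk says the iv_len capability field reports the nonce/salt length, the comment should state that cipher_nonce.length must match that value, and that the field is ignored (or must be zero length) for other ciphers, so an SA cannot be created with a short or missing salt without a defined error. Reusing odp_crypto_key_t for a value that is not a key also deserves a word in the comment, or a dedicated type.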
@@ -693,7 +696,9 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa);
  * Outputs all supported configuration options for the algorithm. Output is
  * sorted (from the smallest to the largest) first by key length, then by IV
  * length. Use this information to select key lengths, etc cipher algorithm
- * options for SA creation (odp_ipsec_crypto_param_t).
+ * options for SA creation (odp_ipsec_crypto_param_t). Note, as usually IV
+ * blocks are constructed internally, the @iv_len field returns the length of
+ * the nonce (or salt) part, acquired from keying material.
  *
  * @param      cipher       Cipher algorithm
  * @param[out] capa         Array of capability structures for output
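Review bot: The added note redefines iv_len in the capability output as the nonce/salt length, but "as usually" leaves open which algorithms this applies to and what iv_len reports for ciphers that take no nonce from keying material. Name the algorithms explicitly (the commit message lists CTR/GCM/CCM) and state the value returned for the rest, because the preceding sentence still says the output is sorted "by IV length" and callers will read the two meanings together. Also, "@iv_len" is not a Doxygen command and will be flagged as unknown; refer to the field as "@p iv_len" or plain "iv_len".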
-- 
2.11.0
