CTR/GCM/CCM algorithms require static IV part provided by control party. Usually it is a part of KEYMAT returned from IKE.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsoleni...@linaro.org> --- include/odp/api/spec/ipsec.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/include/odp/api/spec/ipsec.h b/include/odp/api/spec/ipsec.h index e83494d3..2e3421c7 100644 --- a/include/odp/api/spec/ipsec.h +++ b/include/odp/api/spec/ipsec.h @@ -360,6 +360,9 @@ typedef struct odp_ipsec_crypto_param_t { /** Cipher key */ odp_crypto_key_t cipher_key; + /** Cipher nonce/salt for CTR/GCM/CCM */ + odp_crypto_key_t cipher_nonce; + /** Authentication algorithm */ odp_auth_alg_t auth_alg; @@ -693,7 +696,9 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa); * Outputs all supported configuration options for the algorithm. Output is * sorted (from the smallest to the largest) first by key length, then by IV * length. Use this information to select key lengths, etc cipher algorithm - * options for SA creation (odp_ipsec_crypto_param_t). + * options for SA creation (odp_ipsec_crypto_param_t). Note, as usually IV + * blocks are constructed internally, the @iv_len field returns the length of + * the nonce (or salt) part, acquired from keying material. * * @param cipher Cipher algorithm * @param[out] capa Array of capability structures for output -- 2.11.0