[COMMIT] branch api-next updated. v1.16.0.0-585-gbe65d81a - git-lng-odp

14 Nov 2017

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, api-next has been updated
       via  be65d81a9342e322b70376adab69270c5c9bb9e2 (commit)
       via  71b8cfcecb99c8416200f1f54ab5d6dab004a69a (commit)
       via  dae20519a6825217dbe27842f1a24b1401410836 (commit)
       via  5a5a8148fcd174cffd3e9140bed3259ac1af2d9f (commit)
       via  c54180d65bc9b86200f46b4f0ac540f74b884ee8 (commit)
       via  7c665557d21db3ba7c4dd3d3845e7175a4a2acb6 (commit)
       via  774f242c72008eecf5b07b341b76f577445fb4fb (commit)
       via  a4165611e5aa58b138946e17a079f8a7f065d08c (commit)
       via  fee9e59ca4a53ac30fea62d6b2f4b22a53042fe1 (commit)
       via  ad863d29c6e46487ed1ef3fad0766037faac919f (commit)
       via  44f8d1421361c3238fed85a1a3d5ebff8f39cc88 (commit)
       via  412235594802aa4e4b3f63efc464de18955265c5 (commit)
       via  11620182599921c91e2d4f764b0ef921c171523b (commit)
       via  043db6742a8dfc218409aba0e456365163b8b249 (commit)
       via  16568d747ba2eb4a91962641e19b5da1d7a6091c (commit)
       via  cf17398302b4114b17d92d41de4dd4fe7d72a16a (commit)
      from  26a556e03e07e62e4bcdf3dec6c76ebb02aa5efd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit be65d81a9342e322b70376adab69270c5c9bb9e2
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Fri Nov 3 13:58:57 2017 +0300
validation: ipsec: add AES-CTR tests
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org

diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c
index 6c562358..277d393a 100644
--- a/test/validation/api/ipsec/ipsec.c
+++ b/test/validation/api/ipsec/ipsec.c
@@ -168,6 +168,10 @@ int ipsec_check(odp_bool_t ah,
    	if (!capa.ciphers.bit.aes_cbc)
    		return ODP_TEST_INACTIVE;
    	break;
+	case ODP_CIPHER_ALG_AES_CTR:
+		if (!capa.ciphers.bit.aes_ctr)
+			return ODP_TEST_INACTIVE;
+		break;
    case ODP_CIPHER_ALG_AES_GCM:
    	if (!capa.ciphers.bit.aes_gcm)
    		return ODP_TEST_INACTIVE;
@@ -259,6 +263,12 @@ int ipsec_check_esp_aes_cbc_128_sha256(void)
    			ODP_AUTH_ALG_SHA256_HMAC);
 }
+int ipsec_check_esp_aes_ctr_128_null(void)
+{
+	return  ipsec_check_esp(ODP_CIPHER_ALG_AES_CTR, 128,
+				ODP_AUTH_ALG_NULL);
+}
+
 int ipsec_check_esp_aes_gcm_128(void)
 {
    return  ipsec_check_esp(ODP_CIPHER_ALG_AES_GCM, 128,
diff --git a/test/validation/api/ipsec/ipsec.h b/test/validation/api/ipsec/ipsec.h
index d1c6854b..d4506367 100644
--- a/test/validation/api/ipsec/ipsec.h
+++ b/test/validation/api/ipsec/ipsec.h
@@ -83,6 +83,7 @@ int ipsec_check_ah_sha256(void);
 int ipsec_check_esp_null_sha256(void);
 int ipsec_check_esp_aes_cbc_128_null(void);
 int ipsec_check_esp_aes_cbc_128_sha256(void);
+int ipsec_check_esp_aes_ctr_128_null(void);
 int ipsec_check_esp_aes_gcm_128(void);
 int ipsec_check_esp_aes_gcm_256(void);
diff --git a/test/validation/api/ipsec/ipsec_test_in.c b/test/validation/api/ipsec/ipsec_test_in.c
index 598a83e3..8c883262 100644
--- a/test/validation/api/ipsec/ipsec_test_in.c
+++ b/test/validation/api/ipsec/ipsec_test_in.c
@@ -191,6 +191,36 @@ static void test_in_esp_aes_cbc_sha256(void)
    ipsec_sa_destroy(sa);
 }
+static void test_in_esp_aes_ctr_null(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+
+	ipsec_sa_param_fill(&param,
+			    true, false, 123, NULL,
+			    ODP_CIPHER_ALG_AES_CTR, &key_a5_128,
+			    ODP_AUTH_ALG_NULL, NULL,
+			    &key_mcgrew_gcm_salt_3);
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0_esp_aes_ctr_null_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_in_one(&test, sa);
+
+	ipsec_sa_destroy(sa);
+}
+
 static void test_in_lookup_ah_sha256(void)
 {
    odp_ipsec_sa_param_t param;
@@ -987,6 +1017,8 @@ odp_testinfo_t ipsec_in_suite[] = {
    			  ipsec_check_esp_aes_cbc_128_null),
    ODP_TEST_INFO_CONDITIONAL(test_in_esp_aes_cbc_sha256,
    			  ipsec_check_esp_aes_cbc_128_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_in_esp_aes_ctr_null,
+				  ipsec_check_esp_aes_ctr_128_null),
    ODP_TEST_INFO_CONDITIONAL(test_in_lookup_ah_sha256,
    			  ipsec_check_ah_sha256),
    ODP_TEST_INFO_CONDITIONAL(test_in_lookup_esp_null_sha256,
diff --git a/test/validation/api/ipsec/ipsec_test_out.c b/test/validation/api/ipsec/ipsec_test_out.c
index 39a3c30f..b543271b 100644
--- a/test/validation/api/ipsec/ipsec_test_out.c
+++ b/test/validation/api/ipsec/ipsec_test_out.c
@@ -277,6 +277,48 @@ static void test_out_esp_aes_cbc_sha256(void)
    ipsec_sa_destroy(sa);
 }
+static void test_out_esp_aes_ctr_null(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+	odp_ipsec_sa_t sa2;
+
+	ipsec_sa_param_fill(&param,
+			    false, false, 123, NULL,
+			    ODP_CIPHER_ALG_AES_CTR, &key_a5_128,
+			    ODP_AUTH_ALG_NULL, NULL,
+			    &key_mcgrew_gcm_salt_3);
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_sa_param_fill(&param,
+			    true, false, 123, NULL,
+			    ODP_CIPHER_ALG_AES_CTR, &key_a5_128,
+			    ODP_AUTH_ALG_NULL, NULL,
+			    &key_mcgrew_gcm_salt_3);
+
+	sa2 = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa2);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_out_in_one(&test, sa, sa2);
+
+	ipsec_sa_destroy(sa2);
+	ipsec_sa_destroy(sa);
+}
+
 static void test_out_esp_aes_gcm128(void)
 {
    odp_ipsec_sa_param_t param;
@@ -342,6 +384,8 @@ odp_testinfo_t ipsec_out_suite[] = {
    			  ipsec_check_esp_aes_cbc_128_null),
    ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_cbc_sha256,
    			  ipsec_check_esp_aes_cbc_128_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_ctr_null,
+				  ipsec_check_esp_aes_ctr_128_null),
    ODP_TEST_INFO_CONDITIONAL(test_out_esp_aes_gcm128,
    			  ipsec_check_esp_aes_gcm_128),
    ODP_TEST_INFO_NULL,
diff --git a/test/validation/api/ipsec/test_vectors.h b/test/validation/api/ipsec/test_vectors.h
index 593a8f45..fbf7d366 100644
--- a/test/validation/api/ipsec/test_vectors.h
+++ b/test/validation/api/ipsec/test_vectors.h
@@ -583,6 +583,45 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_cbc_sha256_1 = {
    },
 };
+static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_ctr_null_1 = {
+	.len = 162,
+	.l2_offset = 0,
+	.l3_offset = 14,
+	.l4_offset = 34,
+	.data = {
+		/* ETH */
+		0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00,
+
+		/* IP */
+		0x45, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x00,
+		0x40, 0x32, 0xab, 0xe2, 0xc0, 0xa8, 0x6f, 0x02,
+		0xc0, 0xa8, 0xde, 0x02,
+
+		/* ESP */
+		0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x00, 0x01,
+
+		/* IV */
+		0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+
+		/* data */
+		0x39, 0xab, 0xe5, 0xae, 0x74, 0x57, 0x76, 0x7f,
+		0x1d, 0x1f, 0xce, 0xe8, 0xca, 0xf1, 0x87, 0xf5,
+		0xfd, 0x9e, 0x1d, 0x20, 0x38, 0x30, 0x8a, 0xe5,
+		0xb9, 0x55, 0x80, 0x7b, 0xfd, 0x9d, 0xb9, 0x99,
+		0x85, 0xcd, 0xb5, 0x30, 0x86, 0xaa, 0xe1, 0x7a,
+		0x69, 0xe5, 0xfa, 0x38, 0xf3, 0x0f, 0x91, 0x18,
+		0x75, 0x7b, 0x5f, 0x4e, 0x69, 0x17, 0xaa, 0xe7,
+		0x84, 0x6c, 0x40, 0x31, 0xec, 0x87, 0x4c, 0x8c,
+		0xb3, 0xb4, 0x9f, 0x7e, 0xea, 0x83, 0x6f, 0xc6,
+		0x11, 0xd5, 0xce, 0xbe, 0x65, 0x37, 0x1c, 0xb6,
+		0xd3, 0xcb, 0x51, 0xa8, 0xa4, 0x0e, 0x3e, 0xe6,
+		0x26, 0xd8, 0x17, 0xec, 0x8b, 0xca, 0x79, 0x96,
+		0xa0, 0xcd, 0x6f, 0xdd, 0x9e, 0xe9, 0x6a, 0xc0,
+		0xf2, 0x6c, 0xdb, 0xfd, 0x99, 0xa2, 0xb5, 0xbf,
+	},
+};
+
 static const ODP_UNUSED ipsec_test_packet pkt_rfc3602_5 = {
    .len = 98,
    .l2_offset = 0,
commit 71b8cfcecb99c8416200f1f54ab5d6dab004a69a
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Fri Nov 3 13:59:44 2017 +0300
linux-gen: ipsec: add AES-CTR cipher support
Add support for encrypting packets with AES-CTR cipher.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h
index 0a7f9625..b50b65be 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -127,6 +127,7 @@ struct ipsec_sa_s {
    		unsigned	dec_ttl : 1;
    		unsigned	copy_dscp : 1;
    		unsigned	copy_df : 1;
+			unsigned	aes_ctr_iv : 1;
/* Only for outbound */
    		unsigned	use_counter_iv : 1;
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index 4c032b9c..9533ca42 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -337,6 +337,13 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    		goto err;
    	}
+		if (ipsec_sa->aes_ctr_iv) {
+			iv[12] = 0;
+			iv[13] = 0;
+			iv[14] = 0;
+			iv[15] = 1;
+		}
+
    	hdr_len = _ODP_ESPHDR_LEN + ipsec_sa->esp_iv_len;
    	trl_len = _ODP_ESPTRL_LEN + ipsec_sa->icv_len;
@@ -729,6 +736,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    		memcpy(iv + ipsec_sa->salt_length, &ctr,
    		       ipsec_sa->esp_iv_len);
+			if (ipsec_sa->aes_ctr_iv) {
+				iv[12] = 0;
+				iv[13] = 0;
+				iv[14] = 0;
+				iv[15] = 1;
+			}
    	} else if (ipsec_sa->esp_iv_len) {
    		uint32_t len;
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index 42517569..8eaa4f90 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -319,6 +319,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    	ipsec_sa->esp_block_len = 16;
    	crypto_param.iv.length = 16;
    	break;
+	case ODP_CIPHER_ALG_AES_CTR:
+		ipsec_sa->use_counter_iv = 1;
+		ipsec_sa->aes_ctr_iv = 1;
+		ipsec_sa->esp_iv_len = 8;
+		ipsec_sa->esp_block_len = 16;
+		crypto_param.iv.length = 16;
+		break;
 #if ODP_DEPRECATED_API
    case ODP_CIPHER_ALG_AES128_GCM:
 #endif
commit dae20519a6825217dbe27842f1a24b1401410836
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Wed Nov 8 20:12:37 2017 +0300
linux-gen: ipsec: don't leak SA on creation error
Some paths during odp_ipsec_sa_create() can lead to SA leakage. Fix
    them by always releasing SA in error case.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index c3011924..42517569 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -296,7 +296,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    	ipsec_sa->icv_len = 16;
    	break;
    default:
-		return ODP_IPSEC_SA_INVALID;
+		goto error;
    }
switch (crypto_param.cipher_alg) {
@@ -329,7 +329,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    	crypto_param.iv.length = 12;
    	break;
    default:
-		return ODP_IPSEC_SA_INVALID;
+		goto error;
    }
if (1 == ipsec_sa->use_counter_iv &&
commit 5a5a8148fcd174cffd3e9140bed3259ac1af2d9f
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Wed Nov 1 11:00:27 2017 +0300
linux-gen: ipsec: correct frag_offset for tunneled packets
Generated outer header should have frag_offset = 0, MF = 0. Change code
    accordingly.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index aadc671f..4c032b9c 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -663,10 +663,10 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	out_ip.id = odp_atomic_fetch_add_u32(&ipsec_sa->out.tun_hdr_id,
    					     1);
    	if (ipsec_sa->copy_df)
-			out_ip.frag_offset = ip->frag_offset;
+			out_ip.frag_offset = ip->frag_offset & 0x4000;
    	else
-			out_ip.frag_offset = (ip->frag_offset & ~0x4000) |
-					     (ipsec_sa->out.tun_df << 14);
+			out_ip.frag_offset =
+				((uint16_t)ipsec_sa->out.tun_df) << 14;
    	out_ip.ttl = ipsec_sa->out.tun_ttl;
    	out_ip.proto = _ODP_IPV4;
    	/* Will be filled later by packet checksum update */
commit c54180d65bc9b86200f46b4f0ac540f74b884ee8
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Fri Nov 3 13:57:27 2017 +0300
linux-gen: ipsec: validate ip header total length
Check that IP packet length from the header is not bogus.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index f8085756..aadc671f 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -286,6 +286,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
ipsec_offset = ip_offset + ip_hdr_len;
+	if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) {
+		status->error.alg = 1;
+		goto err;
+	}
+
    if (_ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) {
    	status->error.proto = 1;
    	goto err;
@@ -634,6 +639,11 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	goto err;
    }
+	if (odp_be_to_cpu_16(ip->tot_len) + ip_offset > odp_packet_len(pkt)) {
+		status->error.alg = 1;
+		goto err;
+	}
+
    if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) {
    	_odp_ipv4hdr_t out_ip;
    	uint16_t tot_len;
commit 7c665557d21db3ba7c4dd3d3845e7175a4a2acb6
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Tue Oct 31 18:04:35 2017 +0300
validation: check that erroneous IPsec packets have error flag set
Verify that odp_packet_has_error() returns true for IPsec packets with
    error status in result.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c
index 853bd88a..6c562358 100644
--- a/test/validation/api/ipsec/ipsec.c
+++ b/test/validation/api/ipsec/ipsec.c
@@ -613,6 +613,8 @@ void ipsec_check_in_one(const ipsec_test_part *part, odp_ipsec_sa_t sa)
    		CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i]));
    		CU_ASSERT_EQUAL(part->out[i].status.error.all,
    				result.status.error.all);
+			CU_ASSERT(!result.status.error.all ==
+				  !odp_packet_has_error(pkto[i]));
    		CU_ASSERT_EQUAL(suite_context.inbound_op_mode ==
    				ODP_IPSEC_OP_MODE_INLINE,
    				result.flag.inline_mode);
@@ -652,6 +654,8 @@ void ipsec_check_out_one(const ipsec_test_part *part, odp_ipsec_sa_t sa)
    		CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i]));
    		CU_ASSERT_EQUAL(part->out[i].status.error.all,
    				result.status.error.all);
+			CU_ASSERT(!result.status.error.all ==
+				  !odp_packet_has_error(pkto[i]));
    		CU_ASSERT_EQUAL(sa, result.sa);
    		CU_ASSERT_EQUAL(IPSEC_SA_CTX,
    				odp_ipsec_sa_context(sa));
commit 774f242c72008eecf5b07b341b76f577445fb4fb
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Tue Oct 31 18:02:50 2017 +0300
linux-gen: ipsec: mark IPsec packets with errors with error flag
Add new ipsec_err error flag, which is set by IPsec code if there was an
    error during IPsec packet processing. This allow application code to
    quickly check packets using odp_packet_has_error() function and use fast
    path if there was none.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/include/odp_packet_internal.h b/platform/linux-generic/include/odp_packet_internal.h
index fc10d61c..e62854b1 100644
--- a/platform/linux-generic/include/odp_packet_internal.h
+++ b/platform/linux-generic/include/odp_packet_internal.h
@@ -55,6 +55,7 @@ typedef union {
    	uint32_t tcp_err:1;   /**< TCP error, checks TBD */
    	uint32_t udp_err:1;   /**< UDP error, checks TBD */
    	uint32_t l4_chksum:1; /**< L4 checksum error */
+		uint32_t ipsec_err:1; /**< IPsec error */
    };
 } error_flags_t;
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index 1f9d410d..f8085756 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -272,6 +272,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    uint8_t  ip_ttl;         /**< Saved IP TTL value */
    uint16_t ip_frag_offset; /**< Saved IP flags value */
    odp_crypto_packet_result_t crypto; /**< Crypto operation result */
+	odp_packet_hdr_t *pkt_hdr;
ODP_ASSERT(ODP_PACKET_OFFSET_INVALID != ip_offset);
    ODP_ASSERT(NULL != ip);
@@ -287,7 +288,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
if (_ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) {
    	status->error.proto = 1;
-		goto out;
+		goto err;
    }
/* Check IP header for IPSec protocols and look it up */
@@ -297,7 +298,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_copy_to_mem(pkt, ipsec_offset,
    				   sizeof(esp), &esp) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
if (ODP_IPSEC_SA_INVALID == sa) {
@@ -310,7 +311,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    		ipsec_sa = _odp_ipsec_sa_lookup(&lookup);
    		if (NULL == ipsec_sa) {
    			status->error.sa_lookup = 1;
-				goto out;
+				goto err;
    		}
    	} else {
    		ipsec_sa = _odp_ipsec_sa_use(sa);
@@ -318,7 +319,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    		if (ipsec_sa->proto != ODP_IPSEC_ESP ||
    		    ipsec_sa->spi != odp_be_to_cpu_32(esp.spi)) {
    			status->error.proto = 1;
-				goto out;
+				goto err;
    		}
    	}
@@ -328,7 +329,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    				   ipsec_sa->esp_iv_len,
    				   iv + ipsec_sa->salt_length) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
hdr_len = _ODP_ESPHDR_LEN + ipsec_sa->esp_iv_len;
@@ -362,7 +363,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_copy_to_mem(pkt, ipsec_offset,
    				   sizeof(ah), &ah) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
if (ODP_IPSEC_SA_INVALID == sa) {
@@ -375,7 +376,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    		ipsec_sa = _odp_ipsec_sa_lookup(&lookup);
    		if (NULL == ipsec_sa) {
    			status->error.sa_lookup = 1;
-				goto out;
+				goto err;
    		}
    	} else {
    		ipsec_sa = _odp_ipsec_sa_use(sa);
@@ -383,7 +384,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    		if (ipsec_sa->proto != ODP_IPSEC_AH ||
    		    ipsec_sa->spi != odp_be_to_cpu_32(ah.spi)) {
    			status->error.proto = 1;
-				goto out;
+				goto err;
    		}
    	}
@@ -417,16 +418,16 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	stats_length = param.auth_range.length;
    } else {
    	status->error.proto = 1;
-		goto out;
+		goto err;
    }
if (_odp_ipsec_sa_replay_precheck(ipsec_sa,
    				  odp_be_to_cpu_32(aad.seq_no),
    				  status) < 0)
-		goto out;
+		goto err;
if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0)
-		goto out;
+		goto err;
param.session = ipsec_sa->session;
@@ -434,14 +435,14 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    if (rc < 0) {
    	ODP_DBG("Crypto failed\n");
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
rc = odp_crypto_result(&crypto, pkt);
    if (rc < 0) {
    	ODP_DBG("Crypto failed\n");
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
if (!crypto.ok) {
@@ -457,16 +458,16 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	     ODP_CRYPTO_HW_ERR_NONE))
    		status->error.auth = 1;
-		goto out;
+		goto err;
    }
if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
-		goto out;
+		goto err;
if (_odp_ipsec_sa_replay_update(ipsec_sa,
    				odp_be_to_cpu_32(aad.seq_no),
    				status) < 0)
-		goto out;
+		goto err;
ip_offset = odp_packet_l3_offset(pkt);
    ip = odp_packet_l3_ptr(pkt, NULL);
@@ -484,18 +485,18 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_copy_to_mem(pkt, esptrl_offset,
    				   sizeof(esptrl), &esptrl) < 0) {
    		status->error.proto = 1;
-			goto out;
+			goto err;
    	}
if (ip_offset + esptrl.pad_len > esptrl_offset) {
    		status->error.proto = 1;
-			goto out;
+			goto err;
    	}
if (_odp_packet_cmp_data(pkt, esptrl_offset - esptrl.pad_len,
    				 ipsec_padding, esptrl.pad_len) != 0) {
    		status->error.proto = 1;
-			goto out;
+			goto err;
    	}
ip->proto = esptrl.next_header;
@@ -509,7 +510,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_copy_to_mem(pkt, ipsec_offset,
    				   sizeof(ah), &ah) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
ip->proto = ah.next_header;
@@ -520,12 +521,12 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	ip->frag_offset = odp_cpu_to_be_16(ip_frag_offset);
    } else {
    	status->error.proto = 1;
-		goto out;
+		goto err;
    }
if (odp_packet_trunc_tail(&pkt, trl_len, NULL, NULL) < 0) {
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) {
@@ -536,7 +537,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_trunc_head(&pkt, ip_hdr_len + hdr_len,
    				  NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
    } else {
    	odp_packet_move_data(pkt, hdr_len, 0,
@@ -544,7 +545,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	if (odp_packet_trunc_head(&pkt, hdr_len,
    				  NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
    }
@@ -559,15 +560,21 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	_odp_ipv4_csum_update(pkt);
    }
-	if (!status->error.all) {
-		odp_packet_hdr_t *pkt_hdr = odp_packet_hdr(pkt);
+	pkt_hdr = odp_packet_hdr(pkt);
+
+	packet_parse_reset(pkt_hdr);
-		packet_parse_reset(pkt_hdr);
+	packet_parse_l3_l4(pkt_hdr, parse_layer(ipsec_config.inbound.parse),
+			   ip_offset, _ODP_ETHTYPE_IPV4);
+
+	*pkt_out = pkt;
+
+	return ipsec_sa;
+
+err:
+	pkt_hdr = odp_packet_hdr(pkt);
+	pkt_hdr->p.error_flags.ipsec_err = 1;
-		packet_parse_l3_l4(pkt_hdr, parse_layer(ipsec_config.inbound.parse),
-				   ip_offset, _ODP_ETHTYPE_IPV4);
-	}
-out:
    *pkt_out = pkt;
return ipsec_sa;
@@ -606,6 +613,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    uint8_t  ip_ttl;         /**< Saved IP TTL value */
    uint16_t ip_frag_offset; /**< Saved IP flags value */
    odp_crypto_packet_result_t crypto; /**< Crypto operation result */
+	odp_packet_hdr_t *pkt_hdr;
ODP_ASSERT(ODP_PACKET_OFFSET_INVALID != ip_offset);
    ODP_ASSERT(NULL != ip);
@@ -623,7 +631,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    if (ODP_IPSEC_MODE_TRANSPORT == ipsec_sa->mode &&
        _ODP_IPV4HDR_IS_FRAGMENT(odp_be_to_cpu_16(ip->frag_offset))) {
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
if (ODP_IPSEC_MODE_TUNNEL == ipsec_sa->mode) {
@@ -659,7 +667,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	if (odp_packet_extend_head(&pkt, _ODP_IPV4HDR_LEN,
    				   NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
odp_packet_move_data(pkt, 0, _ODP_IPV4HDR_LEN, ip_offset);
@@ -705,7 +713,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    					       1);
    		/* Check for overrun */
    		if (ctr == 0)
-				goto out;
+				goto err;
memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length);
    		memcpy(iv + ipsec_sa->salt_length, &ctr,
@@ -719,7 +727,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
if (len != ipsec_sa->esp_iv_len) {
    			status->error.alg = 1;
-				goto out;
+				goto err;
    		}
    	}
@@ -727,12 +735,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
if (odp_packet_extend_head(&pkt, hdr_len, NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
odp_packet_move_data(pkt, 0, hdr_len, ipsec_offset);
@@ -805,12 +813,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
if (odp_packet_extend_head(&pkt, hdr_len, NULL, NULL) < 0) {
    		status->error.alg = 1;
-			goto out;
+			goto err;
    	}
odp_packet_move_data(pkt, 0, hdr_len, ipsec_offset);
@@ -852,12 +860,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	stats_length = param.auth_range.length;
    } else {
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
/* No need to run precheck here, we know that packet is authentic */
    if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
-		goto out;
+		goto err;
param.session = ipsec_sa->session;
@@ -865,14 +873,14 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    if (rc < 0) {
    	ODP_DBG("Crypto failed\n");
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
rc = odp_crypto_result(&crypto, pkt);
    if (rc < 0) {
    	ODP_DBG("Crypto failed\n");
    	status->error.alg = 1;
-		goto out;
+		goto err;
    }
if (!crypto.ok) {
@@ -888,7 +896,7 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	     ODP_CRYPTO_HW_ERR_NONE))
    		status->error.auth = 1;
-		goto out;
+		goto err;
    }
ip = odp_packet_l3_ptr(pkt, NULL);
@@ -902,7 +910,13 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
_odp_ipv4_csum_update(pkt);
-out:
+	*pkt_out = pkt;
+	return ipsec_sa;
+
+err:
+	pkt_hdr = odp_packet_hdr(pkt);
+
+	pkt_hdr->p.error_flags.ipsec_err = 1;
*pkt_out = pkt;
    return ipsec_sa;
commit a4165611e5aa58b138946e17a079f8a7f065d08c
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Sun Oct 15 08:15:04 2017 +0300
validation: ipsec: add replay window checks
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/test/validation/api/ipsec/ipsec_test_in.c b/test/validation/api/ipsec/ipsec_test_in.c
index 25fc00e1..598a83e3 100644
--- a/test/validation/api/ipsec/ipsec_test_in.c
+++ b/test/validation/api/ipsec/ipsec_test_in.c
@@ -284,6 +284,202 @@ static void test_in_esp_null_sha256_tun(void)
    ipsec_sa_destroy(sa);
 }
+static void test_in_ah_sha256_noreplay(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+
+	ipsec_sa_param_fill(&param,
+			    true, true, 123, NULL,
+			    ODP_CIPHER_ALG_NULL, NULL,
+			    ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256,
+			    NULL);
+	param.inbound.antireplay_ws = 0;
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0_ah_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_test_part test_1235 = {
+		.pkt_in = &pkt_icmp_0_ah_sha256_1235,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test_1235, sa);
+	ipsec_check_in_one(&test, sa);
+
+	ipsec_sa_destroy(sa);
+}
+
+static void test_in_ah_sha256_replay(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+
+	ipsec_sa_param_fill(&param,
+			    true, true, 123, NULL,
+			    ODP_CIPHER_ALG_NULL, NULL,
+			    ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256,
+			    NULL);
+	param.inbound.antireplay_ws = 32;
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0_ah_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_test_part test_repl = {
+		.pkt_in = &pkt_icmp_0_ah_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.antireplay = 1,
+			  .pkt_out = NULL },
+		},
+	};
+
+	ipsec_test_part test_1235 = {
+		.pkt_in = &pkt_icmp_0_ah_sha256_1235,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test_repl, sa);
+	ipsec_check_in_one(&test_1235, sa);
+	ipsec_check_in_one(&test_repl, sa);
+
+	ipsec_sa_destroy(sa);
+}
+
+static void test_in_esp_null_sha256_noreplay(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+
+	ipsec_sa_param_fill(&param,
+			    true, false, 123, NULL,
+			    ODP_CIPHER_ALG_NULL, NULL,
+			    ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256,
+			    NULL);
+	param.inbound.antireplay_ws = 0;
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0_esp_null_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_test_part test_1235 = {
+		.pkt_in = &pkt_icmp_0_esp_null_sha256_1235,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test_1235, sa);
+	ipsec_check_in_one(&test, sa);
+
+	ipsec_sa_destroy(sa);
+}
+
+static void test_in_esp_null_sha256_replay(void)
+{
+	odp_ipsec_sa_param_t param;
+	odp_ipsec_sa_t sa;
+
+	ipsec_sa_param_fill(&param,
+			    true, false, 123, NULL,
+			    ODP_CIPHER_ALG_NULL, NULL,
+			    ODP_AUTH_ALG_SHA256_HMAC, &key_5a_256,
+			    NULL);
+	param.inbound.antireplay_ws = 32;
+
+	sa = odp_ipsec_sa_create(&param);
+
+	CU_ASSERT_NOT_EQUAL_FATAL(ODP_IPSEC_SA_INVALID, sa);
+
+	ipsec_test_part test = {
+		.pkt_in = &pkt_icmp_0_esp_null_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_test_part test_repl = {
+		.pkt_in = &pkt_icmp_0_esp_null_sha256_1,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.antireplay = 1,
+			  .pkt_out = NULL },
+		},
+	};
+
+	ipsec_test_part test_1235 = {
+		.pkt_in = &pkt_icmp_0_esp_null_sha256_1235,
+		.out_pkt = 1,
+		.out = {
+			{ .status.warn.all = 0,
+			  .status.error.all = 0,
+			  .pkt_out = &pkt_icmp_0 },
+		},
+	};
+
+	ipsec_check_in_one(&test, sa);
+	ipsec_check_in_one(&test_repl, sa);
+	ipsec_check_in_one(&test_1235, sa);
+	ipsec_check_in_one(&test_repl, sa);
+
+	ipsec_sa_destroy(sa);
+}
+
 static void test_in_ah_esp_pkt(void)
 {
    odp_ipsec_sa_param_t param;
@@ -797,6 +993,14 @@ odp_testinfo_t ipsec_in_suite[] = {
    			  ipsec_check_esp_null_sha256),
    ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_tun,
    			  ipsec_check_esp_null_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_in_ah_sha256_noreplay,
+				  ipsec_check_ah_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_in_ah_sha256_replay,
+				  ipsec_check_ah_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_noreplay,
+				  ipsec_check_esp_null_sha256),
+	ODP_TEST_INFO_CONDITIONAL(test_in_esp_null_sha256_replay,
+				  ipsec_check_esp_null_sha256),
    ODP_TEST_INFO_CONDITIONAL(test_in_ah_esp_pkt,
    			  ipsec_check_ah_sha256),
    ODP_TEST_INFO_CONDITIONAL(test_in_esp_ah_pkt,
diff --git a/test/validation/api/ipsec/test_vectors.h b/test/validation/api/ipsec/test_vectors.h
index 2fb06b2b..593a8f45 100644
--- a/test/validation/api/ipsec/test_vectors.h
+++ b/test/validation/api/ipsec/test_vectors.h
@@ -278,6 +278,50 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_ah_sha256_1_bad2 = {
    },
 };
+static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_ah_sha256_1235 = {
+	.len = 170,
+	.l2_offset = 0,
+	.l3_offset = 14,
+	.l4_offset = 34,
+	.data = {
+		/* ETH */
+		0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00,
+
+		/* IP */
+		0x45, 0x00, 0x00, 0x9c, 0x00, 0x00, 0x00, 0x00,
+		0x40, 0x33, 0xab, 0xd9, 0xc0, 0xa8, 0x6f, 0x02,
+		0xc0, 0xa8, 0xde, 0x02,
+
+		/* AH */
+		0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b,
+		0x00, 0x00, 0x12, 0x35,
+		0x04, 0xef, 0x71, 0x73, 0xa1, 0xd4, 0x71, 0x3f,
+		0xd6, 0x78, 0xfe, 0xa2, 0x59, 0xe9, 0x93, 0x70,
+
+		/* ICMP */
+		0x08, 0x00, 0xfb, 0x37,
+
+		/* ICMP echo */
+		0x12, 0x34, 0x00, 0x00,
+
+		/* data */
+		0xba, 0xbe, 0x01, 0x23, 0x45, 0x67, 0xca, 0xfe,
+		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+		0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+		0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+		0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+		0x58, 0x59, 0x5a, 0x5b
+	},
+};
+
 static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1 = {
    .len = 170,
    .l2_offset = 0,
@@ -412,6 +456,49 @@ static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1_bad1 = {
    },
 };
+static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_null_sha256_1235 = {
+	.len = 170,
+	.l2_offset = 0,
+	.l3_offset = 14,
+	.l4_offset = 34,
+	.data = {
+		/* ETH */
+		0xf1, 0xf1, 0xf1, 0xf1, 0xf1, 0xf1,
+		0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x08, 0x00,
+
+		/* IP */
+		0x45, 0x00, 0x00, 0x9c, 0x00, 0x00, 0x00, 0x00,
+		0x40, 0x32, 0xab, 0xda, 0xc0, 0xa8, 0x6f, 0x02,
+		0xc0, 0xa8, 0xde, 0x02,
+
+		/* ESP */
+		0x00, 0x00, 0x00, 0x7b, 0x00, 0x00, 0x12, 0x35,
+
+		/* ICMP */
+		0x08, 0x00, 0xfb, 0x37, 0x12, 0x34, 0x00, 0x00,
+		0xba, 0xbe, 0x01, 0x23, 0x45, 0x67, 0xca, 0xfe,
+		0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+		0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+		0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+		0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+		0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+		0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+		0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+		0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+		0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+		0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+		0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
+		0x58, 0x59, 0x5a, 0x5b,
+
+		/* ESP TRL */
+		0x01, 0x02, 0x02, 0x01,
+
+		/* ICV */
+		0x2f, 0xfb, 0xdd, 0x9d, 0xc0, 0xca, 0xb8, 0x0a,
+		0xaa, 0xf1, 0x59, 0x31, 0x4e, 0xef, 0x62, 0x50,
+	},
+};
+
 static const ODP_UNUSED ipsec_test_packet pkt_icmp_0_esp_aes_cbc_null_1 = {
    .len = 170,
    .l2_offset = 0,
commit fee9e59ca4a53ac30fea62d6b2f4b22a53042fe1
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Sun Oct 15 08:12:01 2017 +0300
linux-gen: ipsec: support replay window checks
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index dc6359d6..1f9d410d 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -42,6 +42,8 @@ int odp_ipsec_capability(odp_ipsec_capability_t *capa)
capa->max_num_sa = ODP_CONFIG_IPSEC_SAS;
+	capa->max_antireplay_ws = IPSEC_ANTIREPLAY_WS;
+
    rc = odp_crypto_capability(&crypto_capa);
    if (rc < 0)
    	return rc;
@@ -402,6 +404,12 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	ip->frag_offset = 0;
    	ip->ttl = 0;
+		aad.spi = ah.spi;
+		aad.seq_no = ah.seq_no;
+
+		param.aad.ptr = (uint8_t *)&aad;
+		param.aad.length = sizeof(aad);
+
    	param.auth_range.offset = ip_offset;
    	param.auth_range.length = odp_be_to_cpu_16(ip->tot_len);
    	param.hash_result_offset = ipsec_offset + _ODP_AHHDR_LEN;
@@ -412,6 +420,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	goto out;
    }
+	if (_odp_ipsec_sa_replay_precheck(ipsec_sa,
+					  odp_be_to_cpu_32(aad.seq_no),
+					  status) < 0)
+		goto out;
+
    if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0)
    	goto out;
@@ -450,6 +463,11 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
    	goto out;
+	if (_odp_ipsec_sa_replay_update(ipsec_sa,
+					odp_be_to_cpu_32(aad.seq_no),
+					status) < 0)
+		goto out;
+
    ip_offset = odp_packet_l3_offset(pkt);
    ip = odp_packet_l3_ptr(pkt, NULL);
    ip_hdr_len = ipv4_hdr_len(ip);
@@ -809,6 +827,12 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	ah.next_header = ip->proto;
    	ip->proto = _ODP_IPPROTO_AH;
+		aad.spi = ah.spi;
+		aad.seq_no = ah.seq_no;
+
+		param.aad.ptr = (uint8_t *)&aad;
+		param.aad.length = sizeof(aad);
+
    	odp_packet_copy_from_mem(pkt,
    				 ipsec_offset, _ODP_AHHDR_LEN,
    				 &ah);
commit ad863d29c6e46487ed1ef3fad0766037faac919f
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Sun Oct 15 08:11:28 2017 +0300
linux-gen: ipsec: add replay window support to SAD
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h
index 68ab195c..0a7f9625 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -81,6 +81,9 @@ int _odp_ipsec_status_send(odp_queue_t queue,
#define IPSEC_MAX_SALT_LEN	4    /**< Maximum salt length in bytes */
+/* 32 is minimum required by the standard. We do not support more */
+#define IPSEC_ANTIREPLAY_WS	32
+
 /**
  * Maximum number of available SAs
  */
@@ -127,6 +130,9 @@ struct ipsec_sa_s {
/* Only for outbound */
    		unsigned	use_counter_iv : 1;
+
+			/* Only for inbound */
+			unsigned	antireplay : 1;
    	};
    };
@@ -134,6 +140,7 @@ struct ipsec_sa_s {
    	struct {
    		odp_ipsec_lookup_mode_t lookup_mode;
    		odp_u32be_t	lookup_dst_ip;
+			odp_atomic_u64_t antireplay;
    	} in;
struct {
@@ -200,6 +207,19 @@ int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa,
 int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
    		       odp_ipsec_op_status_t *status);
+/* Run pre-check on sequence number of the packet.
+ *
+ * @retval <0 if the packet falls out of window
+ */
+int _odp_ipsec_sa_replay_precheck(ipsec_sa_t *ipsec_sa, uint32_t seq,
+				  odp_ipsec_op_status_t *status);
+
+/* Run check on sequence number of the packet and update window if necessary.
+ *
+ * @retval <0 if the packet falls out of window
+ */
+int _odp_ipsec_sa_replay_update(ipsec_sa_t *ipsec_sa, uint32_t seq,
+				odp_ipsec_op_status_t *status);
 /**
  * Try inline IPsec processing of provided packet.
  *
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index e42bf94e..c3011924 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -215,6 +215,10 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    		       param->inbound.lookup_param.dst_addr,
    		       sizeof(ipsec_sa->in.lookup_dst_ip));
+		if (param->inbound.antireplay_ws > IPSEC_ANTIREPLAY_WS)
+			return ODP_IPSEC_SA_INVALID;
+		ipsec_sa->antireplay = (param->inbound.antireplay_ws != 0);
+		odp_atomic_init_u64(&ipsec_sa->in.antireplay, 0);
    } else {
    	odp_atomic_store_u32(&ipsec_sa->out.seq, 1);
    }
@@ -528,3 +532,59 @@ int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
return rc;
 }
+
+int _odp_ipsec_sa_replay_precheck(ipsec_sa_t *ipsec_sa, uint32_t seq,
+				  odp_ipsec_op_status_t *status)
+{
+	/* Try to be as quick as possible, we will discard packets later */
+	if (ipsec_sa->antireplay &&
+	    seq + IPSEC_ANTIREPLAY_WS <=
+	    (odp_atomic_load_u64(&ipsec_sa->in.antireplay) & 0xffffffff)) {
+		status->error.antireplay = 1;
+		return -1;
+	}
+
+	return 0;
+}
+
+int _odp_ipsec_sa_replay_update(ipsec_sa_t *ipsec_sa, uint32_t seq,
+				odp_ipsec_op_status_t *status)
+{
+	int cas = 0;
+	uint64_t state, new_state;
+
+	if (!ipsec_sa->antireplay)
+		return 0;
+
+	state = odp_atomic_load_u64(&ipsec_sa->in.antireplay);
+
+	while (0 == cas) {
+		uint32_t max_seq = state & 0xffffffff;
+		uint32_t mask = state >> 32;
+
+		if (seq + IPSEC_ANTIREPLAY_WS <= max_seq) {
+			status->error.antireplay = 1;
+			return -1;
+		}
+
+		if (seq > max_seq) {
+			mask <<= seq - max_seq;
+			mask |= 1;
+			max_seq = seq;
+		} else {
+			if (mask & (1U << (max_seq - seq))) {
+				status->error.antireplay = 1;
+				return -1;
+			}
+
+			mask |= (1U << (max_seq - seq));
+		}
+
+		new_state = (((uint64_t)mask) << 32) | max_seq;
+
+		cas = odp_atomic_cas_acq_rel_u64(&ipsec_sa->in.antireplay,
+						 &state, new_state);
+	}
+
+	return 0;
+}
commit 44f8d1421361c3238fed85a1a3d5ebff8f39cc88
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Sun Oct 15 08:04:30 2017 +0300
linux-gen: ipsec: fix soft/hard limits check
Split count expiration check into two phases:
     - optional precheck, run before crypto, which fails only if hard limit
       is already breached
     - update, run after crypto in INBOUND case, so that limits will not be
       updated for packets failing ICV check.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h
index afc2f686..68ab195c 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -184,12 +184,20 @@ void _odp_ipsec_sa_unuse(ipsec_sa_t *ipsec_sa);
  */
 ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup);
+/**
+ * Run pre-check on SA usage statistics.
+ *
+ * @retval <0 if hard limits were breached
+ */
+int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa,
+				 odp_ipsec_op_status_t *status);
+
 /**
  * Update SA usage statistics, filling respective status for the packet.
  *
  * @retval <0 if hard limits were breached
  */
-int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len,
+int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
    		       odp_ipsec_op_status_t *status);
/**
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index f49fc465..dc6359d6 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -412,9 +412,7 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	goto out;
    }
-	if (_odp_ipsec_sa_update_stats(ipsec_sa,
-				       stats_length,
-				       status) < 0)
+	if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0)
    	goto out;
param.session = ipsec_sa->session;
@@ -449,6 +447,9 @@ static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
    	goto out;
    }
+	if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
+		goto out;
+
    ip_offset = odp_packet_l3_offset(pkt);
    ip = odp_packet_l3_ptr(pkt, NULL);
    ip_hdr_len = ipv4_hdr_len(ip);
@@ -830,9 +831,8 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	goto out;
    }
-	if (_odp_ipsec_sa_update_stats(ipsec_sa,
-				       stats_length,
-				       status) < 0)
+	/* No need to run precheck here, we know that packet is authentic */
+	if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
    	goto out;
param.session = ipsec_sa->session;
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index dc338bfc..e42bf94e 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -479,7 +479,28 @@ ipsec_sa_t *_odp_ipsec_sa_lookup(const ipsec_sa_lookup_t *lookup)
    return best;
 }
-int _odp_ipsec_sa_update_stats(ipsec_sa_t *ipsec_sa, uint32_t len,
+int _odp_ipsec_sa_stats_precheck(ipsec_sa_t *ipsec_sa,
+				 odp_ipsec_op_status_t *status)
+{
+	int rc = 0;
+
+	if (ipsec_sa->hard_limit_bytes > 0 &&
+	    odp_atomic_load_u64(&ipsec_sa->bytes) >
+	    ipsec_sa->hard_limit_bytes) {
+		status->error.hard_exp_bytes = 1;
+		rc = -1;
+	}
+	if (ipsec_sa->hard_limit_packets > 0 &&
+	    odp_atomic_load_u64(&ipsec_sa->packets) >
+	    ipsec_sa->hard_limit_packets) {
+		status->error.hard_exp_packets = 1;
+		rc = -1;
+	}
+
+	return rc;
+}
+
+int _odp_ipsec_sa_stats_update(ipsec_sa_t *ipsec_sa, uint32_t len,
    		       odp_ipsec_op_status_t *status)
 {
    uint64_t bytes = odp_atomic_fetch_add_u64(&ipsec_sa->bytes, len) + len;
commit 412235594802aa4e4b3f63efc464de18955265c5
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Tue Oct 17 21:27:03 2017 +0300
validation: ipsec: verify odp_ipsec_sa_context
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c
index ac0a083b..853bd88a 100644
--- a/test/validation/api/ipsec/ipsec.c
+++ b/test/validation/api/ipsec/ipsec.c
@@ -19,6 +19,9 @@ struct suite_context_s suite_context;
 #define PKT_POOL_NUM  64
 #define PKT_POOL_LEN  (1 * 1024)
+#define PACKET_USER_PTR	((void *)0x1212fefe)
+#define IPSEC_SA_CTX	((void *)0xfefefafa)
+
 static odp_pktio_t pktio_create(odp_pool_t pool)
 {
    odp_pktio_t pktio;
@@ -300,6 +303,8 @@ void ipsec_sa_param_fill(odp_ipsec_sa_param_t *param,
param->dest_queue = suite_context.queue;
+	param->context = IPSEC_SA_CTX;
+
    param->crypto.cipher_alg = cipher_alg;
    if (cipher_key)
    	param->crypto.cipher_key = *cipher_key;
@@ -317,6 +322,8 @@ void ipsec_sa_destroy(odp_ipsec_sa_t sa)
    odp_event_t event;
    odp_ipsec_status_t status;
+	CU_ASSERT_EQUAL(IPSEC_SA_CTX, odp_ipsec_sa_context(sa));
+
    CU_ASSERT_EQUAL(ODP_IPSEC_OK, odp_ipsec_sa_disable(sa));
if (ODP_QUEUE_INVALID != suite_context.queue) {
@@ -339,8 +346,6 @@ void ipsec_sa_destroy(odp_ipsec_sa_t sa)
    CU_ASSERT_EQUAL(ODP_IPSEC_OK, odp_ipsec_sa_destroy(sa));
 }
-#define PACKET_USER_PTR	((void *)0x1212fefe)
-
 odp_packet_t ipsec_packet(const ipsec_test_packet *itp)
 {
    odp_packet_t pkt = odp_packet_alloc(suite_context.pool, itp->len);
@@ -612,6 +617,9 @@ void ipsec_check_in_one(const ipsec_test_part *part, odp_ipsec_sa_t sa)
    				ODP_IPSEC_OP_MODE_INLINE,
    				result.flag.inline_mode);
    		CU_ASSERT_EQUAL(sa, result.sa);
+			if (ODP_IPSEC_SA_INVALID != sa)
+				CU_ASSERT_EQUAL(IPSEC_SA_CTX,
+						odp_ipsec_sa_context(sa));
    	}
    	ipsec_check_packet(part->out[i].pkt_out,
    			   pkto[i]);
@@ -645,6 +653,8 @@ void ipsec_check_out_one(const ipsec_test_part *part, odp_ipsec_sa_t sa)
    		CU_ASSERT_EQUAL(part->out[i].status.error.all,
    				result.status.error.all);
    		CU_ASSERT_EQUAL(sa, result.sa);
+			CU_ASSERT_EQUAL(IPSEC_SA_CTX,
+					odp_ipsec_sa_context(sa));
    	}
    	ipsec_check_packet(part->out[i].pkt_out,
    			   pkto[i]);
@@ -682,6 +692,8 @@ void ipsec_check_out_in_one(const ipsec_test_part *part,
    		CU_ASSERT_EQUAL(part->out[i].status.error.all,
    				result.status.error.all);
    		CU_ASSERT_EQUAL(sa, result.sa);
+			CU_ASSERT_EQUAL(IPSEC_SA_CTX,
+					odp_ipsec_sa_context(sa));
    	}
    	CU_ASSERT_FATAL(odp_packet_len(pkto[i]) <=
    			sizeof(pkt_in.data));
commit 11620182599921c91e2d4f764b0ef921c171523b
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Fri Oct 20 11:29:39 2017 +0300
validation: ipsec: drop unused file
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/test/validation/api/ipsec/ipsec_sync_in.c b/test/validation/api/ipsec/ipsec_sync_in.c
deleted file mode 100644
index 8a7fc468..00000000
--- a/test/validation/api/ipsec/ipsec_sync_in.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/* Copyright (c) 2017, Linaro Limited
- * All rights reserved.
- *
- * SPDX-License-Identifier:     BSD-3-Clause
- */
-
-#include "config.h"
-
-#include "ipsec.h"
-
-int main(int argc, char *argv[])
-{
-	int ret;
-
-	/* parse common options: */
-	if (odp_cunit_parse_options(argc, argv))
-		return -1;
-
-	odp_cunit_register_global_init(ipsec_init);
-	odp_cunit_register_global_term(ipsec_term);
-
-	ret = odp_cunit_register(ipsec_suites);
-	if (ret == 0)
-		ret = odp_cunit_run();
-
-	return ret;
-}
commit 043db6742a8dfc218409aba0e456365163b8b249
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Mon Nov 13 16:15:13 2017 +0300
validation: ipsec: verify inline_mode flag
Verify inline_mode flag being set for inbound inline packets.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/test/validation/api/ipsec/ipsec.c b/test/validation/api/ipsec/ipsec.c
index a8fdf2b1..ac0a083b 100644
--- a/test/validation/api/ipsec/ipsec.c
+++ b/test/validation/api/ipsec/ipsec.c
@@ -608,6 +608,9 @@ void ipsec_check_in_one(const ipsec_test_part *part, odp_ipsec_sa_t sa)
    		CU_ASSERT_EQUAL(0, odp_ipsec_result(&result, pkto[i]));
    		CU_ASSERT_EQUAL(part->out[i].status.error.all,
    				result.status.error.all);
+			CU_ASSERT_EQUAL(suite_context.inbound_op_mode ==
+					ODP_IPSEC_OP_MODE_INLINE,
+					result.flag.inline_mode);
    		CU_ASSERT_EQUAL(sa, result.sa);
    	}
    	ipsec_check_packet(part->out[i].pkt_out,
commit 16568d747ba2eb4a91962641e19b5da1d7a6091c
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Mon Nov 13 16:13:23 2017 +0300
linux-gen: ipsec: set inline_mode flag for inline inbound packets
Set IPsec inline_mode_flag for inbound inline packets according to the
    API specification.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index 6a731e99..f49fc465 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -1131,6 +1131,7 @@ int _odp_ipsec_try_inline(odp_packet_t pkt)
    memset(result, 0, sizeof(*result));
    result->status = status;
    result->sa = ipsec_sa->ipsec_sa_hdl;
+	result->flag.inline_mode = 1;
pkt_hdr = odp_packet_hdr(pkt);
    pkt_hdr->p.input_flags.dst_queue = 1;
commit cf17398302b4114b17d92d41de4dd4fe7d72a16a
Author: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
Date:   Fri Oct 20 12:11:25 2017 +0300
linux-gen: ipsec: use counter instead of random IV for GCM
Reusing IV block with GCM results in disastrous consequences. Use
    counter instead of random-generated IV to remove possibility for IV
    reuse.
Signed-off-by: Dmitry Eremin-Solenikov dmitry.ereminsolenikov@linaro.org
    Reviewed-by: Bill Fischofer bill.fischofer@linaro.org
    Signed-off-by: Maxim Uvarov maxim.uvarov@linaro.org
diff --git a/platform/linux-generic/include/odp_ipsec_internal.h b/platform/linux-generic/include/odp_ipsec_internal.h
index 1340ca7b..afc2f686 100644
--- a/platform/linux-generic/include/odp_ipsec_internal.h
+++ b/platform/linux-generic/include/odp_ipsec_internal.h
@@ -118,9 +118,17 @@ struct ipsec_sa_s {
    uint8_t		salt[IPSEC_MAX_SALT_LEN];
    uint32_t	salt_length;
-	unsigned	dec_ttl : 1;
-	unsigned	copy_dscp : 1;
-	unsigned	copy_df : 1;
+	union {
+		unsigned flags;
+		struct {
+			unsigned	dec_ttl : 1;
+			unsigned	copy_dscp : 1;
+			unsigned	copy_df : 1;
+
+			/* Only for outbound */
+			unsigned	use_counter_iv : 1;
+		};
+	};
union {
    	struct {
@@ -136,6 +144,8 @@ struct ipsec_sa_s {
    		odp_atomic_u32_t tun_hdr_id;
    		odp_atomic_u32_t seq;
+			odp_atomic_u64_t counter; /* for CTR/GCM */
+
    		uint8_t		tun_ttl;
    		uint8_t		tun_dscp;
    		uint8_t		tun_df;
diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index e57736c2..6a731e99 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -676,23 +676,36 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    		       ip_data_len +
    		       ipsec_sa->icv_len;
-		if (ipsec_sa->esp_iv_len) {
+		if (ipsec_sa->use_counter_iv) {
+			uint64_t ctr;
+
+			/* Both GCM and CTR use 8-bit counters */
+			ODP_ASSERT(sizeof(ctr) == ipsec_sa->esp_iv_len);
+
+			ctr = odp_atomic_fetch_add_u64(&ipsec_sa->out.counter,
+						       1);
+			/* Check for overrun */
+			if (ctr == 0)
+				goto out;
+
+			memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length);
+			memcpy(iv + ipsec_sa->salt_length, &ctr,
+			       ipsec_sa->esp_iv_len);
+
+		} else if (ipsec_sa->esp_iv_len) {
    		uint32_t len;
-			len = odp_random_data(iv + ipsec_sa->salt_length,
-					      ipsec_sa->esp_iv_len,
+			len = odp_random_data(iv, ipsec_sa->esp_iv_len,
    				      ODP_RANDOM_CRYPTO);
if (len != ipsec_sa->esp_iv_len) {
    			status->error.alg = 1;
    			goto out;
    		}
-
-			memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length);
-
-			param.override_iv_ptr = iv;
    	}
+		param.override_iv_ptr = iv;
+
    	if (odp_packet_extend_tail(&pkt, trl_len, NULL, NULL) < 0) {
    		status->error.alg = 1;
    		goto out;
@@ -734,7 +747,6 @@ static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
    	odp_packet_copy_from_mem(pkt,
    				 ipsec_offset, _ODP_ESPHDR_LEN,
    				 &esp);
-		memcpy(iv, ipsec_sa->salt, ipsec_sa->salt_length);
    	odp_packet_copy_from_mem(pkt,
    				 ipsec_offset + _ODP_ESPHDR_LEN,
    				 ipsec_sa->esp_iv_len,
diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c
index f0b5b9e4..dc338bfc 100644
--- a/platform/linux-generic/odp_ipsec_sad.c
+++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -207,6 +207,7 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    ipsec_sa->context = param->context;
    ipsec_sa->queue = param->dest_queue;
    ipsec_sa->mode = param->mode;
+	ipsec_sa->flags = 0;
    if (ODP_IPSEC_DIR_INBOUND == param->dir) {
    	ipsec_sa->in.lookup_mode = param->inbound.lookup_mode;
    	if (ODP_IPSEC_LOOKUP_DSTADDR_SPI == ipsec_sa->in.lookup_mode)
@@ -298,11 +299,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    case ODP_CIPHER_ALG_NULL:
    	ipsec_sa->esp_iv_len = 0;
    	ipsec_sa->esp_block_len = 1;
+		crypto_param.iv.length = 0;
    	break;
    case ODP_CIPHER_ALG_DES:
    case ODP_CIPHER_ALG_3DES_CBC:
    	ipsec_sa->esp_iv_len = 8;
    	ipsec_sa->esp_block_len = 8;
+		crypto_param.iv.length = 8;
    	break;
 #if ODP_DEPRECATED_API
    case ODP_CIPHER_ALG_AES128_CBC:
@@ -310,11 +313,13 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    case ODP_CIPHER_ALG_AES_CBC:
    	ipsec_sa->esp_iv_len = 16;
    	ipsec_sa->esp_block_len = 16;
+		crypto_param.iv.length = 16;
    	break;
 #if ODP_DEPRECATED_API
    case ODP_CIPHER_ALG_AES128_GCM:
 #endif
    case ODP_CIPHER_ALG_AES_GCM:
+		ipsec_sa->use_counter_iv = 1;
    	ipsec_sa->esp_iv_len = 8;
    	ipsec_sa->esp_block_len = 16;
    	crypto_param.iv.length = 12;
@@ -323,6 +328,10 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param)
    	return ODP_IPSEC_SA_INVALID;
    }
+	if (1 == ipsec_sa->use_counter_iv &&
+	    ODP_IPSEC_DIR_OUTBOUND == param->dir)
+		odp_atomic_init_u64(&ipsec_sa->out.counter, 1);
+
    crypto_param.auth_digest_len = ipsec_sa->icv_len;
if (param->crypto.cipher_key_extra.length) {
-----------------------------------------------------------------------
Summary of changes:
 .../linux-generic/include/odp_ipsec_internal.h     |  47 +++-
 .../linux-generic/include/odp_packet_internal.h    |   1 +
 platform/linux-generic/odp_ipsec.c                 | 190 ++++++++++++-----
 platform/linux-generic/odp_ipsec_sad.c             | 103 ++++++++-
 test/validation/api/ipsec/ipsec.c                  |  33 ++-
 test/validation/api/ipsec/ipsec.h                  |   1 +
 test/validation/api/ipsec/ipsec_sync_in.c          |  27 ---
 test/validation/api/ipsec/ipsec_test_in.c          | 236 +++++++++++++++++++++
 test/validation/api/ipsec/ipsec_test_out.c         |  44 ++++
 test/validation/api/ipsec/test_vectors.h           | 126 +++++++++++
 10 files changed, 714 insertions(+), 94 deletions(-)
 delete mode 100644 test/validation/api/ipsec/ipsec_sync_in.c
hooks/post-receive
-- 


    