Merge "Update IPSec message to pass ESP sequence number and trailer skip."
diff --git a/exports/nss_ipsec.h b/exports/nss_ipsec.h
index e5061af..9ae399a 100644
--- a/exports/nss_ipsec.h
+++ b/exports/nss_ipsec.h
@@ -106,11 +106,12 @@
uint8_t cipher_algo; /**< Cipher algorithm */
uint8_t auth_algo; /**< Authentication algorithm */
- uint8_t esp_seq_skip; /**< Skip ESP sequence number */
+ uint8_t nat_t_req; /**< NAT-T required */
uint8_t esp_icv_len; /**< ESP trailers ICV length to apply */
- uint8_t nat_t_req; /**< NAT-T required */
- uint8_t res[3]; /**< Reserve bytes for alignment */
+ uint8_t esp_seq_skip; /**< Skip ESP sequence number */
+ uint8_t esp_tail_skip; /**< Skip ESP trailer */
+ uint8_t res[2]; /**< Reserve bytes for alignment */
};
/*
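Review bot: Moving `nat_t_req` ahead of `esp_icv_len` and `esp_seq_skip` behind it changes the byte offsets of fields that already existed, not just the tail of the struct. This looks like a message layout shared with the NSS firmware (inferred from the file name and the alignment padding), so a driver and firmware built from different revisions would silently misread these flags instead of failing. If the reorder is required, add a comment above the fields such as `/* layout must match the firmware message definition; do not reorder */` and a compile-time assertion on the field offsets. The struct starts outside this hunk, so its name and earlier members are not visible here.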
diff --git a/exports/nss_ipsecmgr.h b/exports/nss_ipsecmgr.h
index f53f4b2..7bbfe5b 100644
--- a/exports/nss_ipsecmgr.h
+++ b/exports/nss_ipsecmgr.h
@@ -42,6 +42,8 @@
#define NSS_IPSECMGR_TUN_MTU(x) (x - NSS_IPSECMGR_TUN_MAX_HDR_LEN)
+#define NSS_IPSECMGR_NATT_PORT_DATA 4500
+
/**
* @brief Definition of an IPsec encapsulation rule for an add operation
*/
@@ -67,7 +69,8 @@
uint8_t esp_icv_len; /**< ESP trailer's ICV length */
uint8_t esp_seq_skip; /**< Skip ESP sequence number in header*/
- uint8_t res[3]; /**< reserve for 4-byte alignment */
+ uint8_t esp_tail_skip; /**< Skip ESP trailer*/
+ uint8_t res[2]; /**< reserve for 4-byte alignment */
};
/**
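Review bot: The comment on the new `esp_tail_skip` field, and on `esp_seq_skip` in the decap struct hunk at `@@ -100,6 +103,10 @@`, does not say which values are honoured. The nss_ipsecmgr.c hunks normalise both with `== 1`, so a caller passing any other non-zero value gets the feature silently disabled. I would word the field comments as `/**< Set to 1 to skip the ESP trailer; any other value is treated as 0 */` and likewise for the sequence-number flag. Since these flags turn off parts of ESP processing, the header should also state when a caller is expected to set them.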
@@ -100,6 +103,10 @@
uint8_t auth_algo; /**< Authentication algorithm */
uint8_t esp_icv_len; /**< ESP trailer's ICV length */
uint8_t nat_t_req; /**< Remove NAT-T header */
+
+ uint8_t esp_seq_skip; /**< Skip ESP sequence number in header*/
+ uint8_t esp_tail_skip; /**< Skip ESP trailer*/
+ uint8_t res[2]; /**< reserve for 4-byte alignment */
};
/**
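Review bot: The decap rule grows by four bytes here, and nothing on the page shows that callers zero the structure before filling it. A caller that populates the rule field by field would hand uninitialised bytes to `esp_seq_skip` and `esp_tail_skip`, and a stray value of 1 would enable the skip without being asked for. Because `esp_seq_skip` sits next to `window_size` and presumably affects sequence-number handling on receive, the struct's doc comment should require it, for example `/* callers must zero-initialise this structure; unset flags default to 0 */`. The struct begins outside this hunk.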
diff --git a/nss_ipsecmgr.c b/nss_ipsecmgr.c
index 6f486ec..67d9d33 100644
--- a/nss_ipsecmgr.c
+++ b/nss_ipsecmgr.c
@@ -182,6 +182,7 @@
*/
data->cipher_algo = encap->cipher_algo;
data->esp_seq_skip = (encap->esp_seq_skip == 1);
+ data->esp_tail_skip = (encap->esp_tail_skip == 1);
data->esp_icv_len = encap->esp_icv_len;
data->auth_algo = encap->auth_algo;
@@ -216,11 +217,17 @@
data->cipher_algo = decap->cipher_algo;
data->esp_icv_len = decap->esp_icv_len;
+ data->esp_seq_skip = (decap->esp_seq_skip == 1);
+ data->esp_tail_skip = (decap->esp_tail_skip == 1);
data->auth_algo = decap->auth_algo;
data->crypto_index = decap->crypto_index;
data->nat_t_req = decap->nat_t_req;
+ if (data->nat_t_req) {
+ sel->dst_port = NSS_IPSECMGR_NATT_PORT_DATA;
+ }
+
data->window_size = decap->window_size;
}
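Review bot: `sel->dst_port = NSS_IPSECMGR_NATT_PORT_DATA;` stores the host-order constant 4500 and silently replaces whatever destination port the caller put in the selector. If selector ports are kept in network byte order elsewhere (not visible in this hunk), the rule would not match on little-endian hosts, so confirm the convention and wrap the constant in `htons()` if needed. A short comment such as `/* NAT-T: ESP arrives UDP-encapsulated on port 4500, override selector */` would make the overwrite intentional to readers. Separately, `nat_t_req` is copied raw and tested for any non-zero value, while the two skip flags added just above are normalised with `== 1`; `data->nat_t_req = !!decap->nat_t_req;` would keep the flag handling consistent. The enclosing function starts outside the hunk.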