[PATCH v2 0/2] Adding new cases to lookaside IPsec tests

[PATCH v2 0/2] Adding new cases to lookaside IPsec tests

[Tejasree Kondoj]

Adding new test cases to lookaside IPsec tests.
* Set and copy DSCP cases
* ESN and antireplay support

Changes in v2:
* Fixed 32-bit build failure

Anoob Joseph (1):
  test/crypto: add copy and set DSCP cases

Tejasree Kondoj (1):
  test/cryptodev: add ESN and Antireplay tests

 app/test/test_cryptodev.c                     | 352 +++++++++++++++++-
 app/test/test_cryptodev_security_ipsec.c      | 173 +++++++--
 app/test/test_cryptodev_security_ipsec.h      |  16 +-
 ...st_cryptodev_security_ipsec_test_vectors.h |   1 +
 doc/guides/rel_notes/release_22_03.rst        |   5 +
 5 files changed, 518 insertions(+), 29 deletions(-)

-- 
2.27.0

[PATCH v2 1/2] test/crypto: add copy and set DSCP cases

[Tejasree Kondoj]

From: Anoob Joseph <anoobj@marvell.com>

Add test cases to verify copy and set DSCP with IPv4 and IPv6 tunnels.

Signed-off-by: Anoob Joseph <anoobj@marvell.com>
---
 app/test/test_cryptodev.c                | 166 +++++++++++++++++++++++
 app/test/test_cryptodev_security_ipsec.c | 150 ++++++++++++++++----
 app/test/test_cryptodev_security_ipsec.h |  10 ++
 3 files changed, 301 insertions(+), 25 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index ec4a61bdf9..47ad991c31 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9176,7 +9176,21 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 			if (flags->df == TEST_IPSEC_SET_DF_1_INNER_0)
 				ipsec_xform.tunnel.ipv4.df = 1;
 
+			if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+				ipsec_xform.tunnel.ipv4.dscp = 0;
+
+			if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
+				ipsec_xform.tunnel.ipv4.dscp =
+						TEST_IPSEC_DSCP_VAL;
+
 		} else {
+			if (flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+				ipsec_xform.tunnel.ipv6.dscp = 0;
+
+			if (flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0)
+				ipsec_xform.tunnel.ipv6.dscp =
+						TEST_IPSEC_DSCP_VAL;
+
 			memcpy(&ipsec_xform.tunnel.ipv6.src_addr, &v6_src,
 			       sizeof(v6_src));
 			memcpy(&ipsec_xform.tunnel.ipv6.dst_addr, &v6_dst,
@@ -9761,6 +9775,126 @@ test_ipsec_proto_set_df_1_inner_0(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_proto_ipv4_copy_dscp_inner_0(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_copy_dscp_inner_1(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_set_dscp_0_inner_1(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	if (gbl_driver_id == rte_cryptodev_driver_id_get(
+			RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+		return TEST_SKIPPED;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv4_set_dscp_1_inner_0(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	if (gbl_driver_id == rte_cryptodev_driver_id_get(
+			RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+		return TEST_SKIPPED;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_copy_dscp_inner_0(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ipv6 = true;
+	flags.tunnel_ipv6 = true;
+	flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_0;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_copy_dscp_inner_1(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ipv6 = true;
+	flags.tunnel_ipv6 = true;
+	flags.dscp = TEST_IPSEC_COPY_DSCP_INNER_1;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_set_dscp_0_inner_1(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	if (gbl_driver_id == rte_cryptodev_driver_id_get(
+			RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+		return TEST_SKIPPED;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ipv6 = true;
+	flags.tunnel_ipv6 = true;
+	flags.dscp = TEST_IPSEC_SET_DSCP_0_INNER_1;
+
+	return test_ipsec_proto_all(&flags);
+}
+
+static int
+test_ipsec_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused)
+{
+	struct ipsec_test_flags flags;
+
+	if (gbl_driver_id == rte_cryptodev_driver_id_get(
+			RTE_STR(CRYPTODEV_NAME_CN9K_PMD)))
+		return TEST_SKIPPED;
+
+	memset(&flags, 0, sizeof(flags));
+
+	flags.ipv6 = true;
+	flags.tunnel_ipv6 = true;
+	flags.dscp = TEST_IPSEC_SET_DSCP_1_INNER_0;
+
+	return test_ipsec_proto_all(&flags);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14799,6 +14933,38 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Tunnel header set DF 1 (inner 0)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_set_df_1_inner_0),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv4 copy DSCP (inner 0)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv4_copy_dscp_inner_0),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv4 copy DSCP (inner 1)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv4_copy_dscp_inner_1),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv4 set DSCP 0 (inner 1)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv4_set_dscp_0_inner_1),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv4 set DSCP 1 (inner 0)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv4_set_dscp_1_inner_0),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv6 copy DSCP (inner 0)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv6_copy_dscp_inner_0),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv6 copy DSCP (inner 1)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv6_copy_dscp_inner_1),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv6 set DSCP 0 (inner 1)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv6_set_dscp_0_inner_1),
+		TEST_CASE_NAMED_ST(
+			"Tunnel header IPv6 set DSCP 1 (inner 0)",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_ipv6_set_dscp_1_inner_0),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index e662ea279f..54f59c7f79 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -430,6 +430,10 @@ test_ipsec_td_prepare(const struct crypto_param *param1,
 		if (flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
 		    flags->df == TEST_IPSEC_COPY_DF_INNER_1)
 			td->ipsec_xform.options.copy_df = 1;
+
+		if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
+		    flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1)
+			td->ipsec_xform.options.copy_dscp = 1;
 	}
 }
 
@@ -769,6 +773,87 @@ test_ipsec_res_d_prepare(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	return TEST_SUCCESS;
 }
 
+static int
+test_ipsec_iph4_hdr_validate(const struct rte_ipv4_hdr *iph4,
+			     const struct ipsec_test_flags *flags)
+{
+	uint8_t tos, dscp;
+	uint16_t f_off;
+
+	if (!is_valid_ipv4_pkt(iph4)) {
+		printf("Tunnel outer header is not IPv4\n");
+		return -1;
+	}
+
+	f_off = rte_be_to_cpu_16(iph4->fragment_offset);
+	if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
+	    flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+		if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) {
+			printf("DF bit is not set\n");
+			return -1;
+		}
+	} else {
+		if (f_off & RTE_IPV4_HDR_DF_FLAG) {
+			printf("DF bit is set\n");
+			return -1;
+		}
+	}
+
+	tos = iph4->type_of_service;
+	dscp = (tos & RTE_IPV4_HDR_DSCP_MASK) >> 2;
+
+	if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+	    flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+		if (dscp != TEST_IPSEC_DSCP_VAL) {
+			printf("DSCP value is not matching [exp: %x, actual: %x]\n",
+			       TEST_IPSEC_DSCP_VAL, dscp);
+			return -1;
+		}
+	} else {
+		if (dscp != 0) {
+			printf("DSCP value is set [exp: 0, actual: %x]\n",
+			       dscp);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
+static int
+test_ipsec_iph6_hdr_validate(const struct rte_ipv6_hdr *iph6,
+			     const struct ipsec_test_flags *flags)
+{
+	uint32_t vtc_flow;
+	uint8_t dscp;
+
+	if (!is_valid_ipv6_pkt(iph6)) {
+		printf("Tunnel outer header is not IPv6\n");
+		return -1;
+	}
+
+	vtc_flow = rte_be_to_cpu_32(iph6->vtc_flow);
+	dscp = (vtc_flow & RTE_IPV6_HDR_DSCP_MASK) >>
+	       (RTE_IPV6_HDR_TC_SHIFT + 2);
+
+	if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+	    flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+		if (dscp != TEST_IPSEC_DSCP_VAL) {
+			printf("DSCP value is not matching [exp: %x, actual: %x]\n",
+			       TEST_IPSEC_DSCP_VAL, dscp);
+			return -1;
+		}
+	} else {
+		if (dscp != 0) {
+			printf("DSCP value is set [exp: 0, actual: %x]\n",
+			       dscp);
+			return -1;
+		}
+	}
+
+	return 0;
+}
+
 int
 test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 			struct ipsec_test_data *res_d, bool silent,
@@ -806,33 +891,12 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 		} else {
 			if (td->ipsec_xform.tunnel.type ==
 					RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
-				uint16_t f_off;
-
-				if (is_valid_ipv4_pkt(iph4) == false) {
-					printf("Tunnel outer header is not IPv4\n");
+				if (test_ipsec_iph4_hdr_validate(iph4, flags))
 					return TEST_FAILED;
-				}
-
-				f_off = rte_be_to_cpu_16(iph4->fragment_offset);
-
-				if (flags->df == TEST_IPSEC_COPY_DF_INNER_1 ||
-				    flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
-					if (!(f_off & RTE_IPV4_HDR_DF_FLAG)) {
-						printf("DF bit is not set\n");
-						return TEST_FAILED;
-					}
-				} else {
-					if ((f_off & RTE_IPV4_HDR_DF_FLAG)) {
-						printf("DF bit is set\n");
-						return TEST_FAILED;
-					}
-				}
 			} else {
 				iph6 = (const struct rte_ipv6_hdr *)output_text;
-				if (is_valid_ipv6_pkt(iph6) == false) {
-					printf("Tunnel outer header is not IPv6\n");
+				if (test_ipsec_iph6_hdr_validate(iph6, flags))
 					return TEST_FAILED;
-				}
 			}
 		}
 	}
@@ -940,8 +1004,8 @@ int
 test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
 {
 	struct rte_ipv4_hdr *iph4;
+	struct rte_ipv6_hdr *iph6;
 	bool cksum_dirty = false;
-	uint16_t frag_off;
 
 	iph4 = (struct rte_ipv4_hdr *)pkt;
 
@@ -949,9 +1013,10 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
 	    flags->df == TEST_IPSEC_SET_DF_0_INNER_1 ||
 	    flags->df == TEST_IPSEC_COPY_DF_INNER_0 ||
 	    flags->df == TEST_IPSEC_SET_DF_1_INNER_0) {
+		uint16_t frag_off;
 
 		if (!is_ipv4(iph4)) {
-			printf("Invalid packet type");
+			printf("Invalid packet type\n");
 			return -1;
 		}
 
@@ -967,6 +1032,41 @@ test_ipsec_pkt_update(uint8_t *pkt, const struct ipsec_test_flags *flags)
 		cksum_dirty = true;
 	}
 
+	if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+	    flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1 ||
+	    flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_0 ||
+	    flags->dscp == TEST_IPSEC_SET_DSCP_1_INNER_0) {
+
+		if (is_ipv4(iph4)) {
+			uint8_t tos;
+
+			tos = iph4->type_of_service;
+			if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+			    flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+				tos |= (RTE_IPV4_HDR_DSCP_MASK &
+					(TEST_IPSEC_DSCP_VAL << 2));
+			else
+				tos &= ~RTE_IPV4_HDR_DSCP_MASK;
+
+			iph4->type_of_service = tos;
+			cksum_dirty = true;
+		} else {
+			uint32_t vtc_flow;
+
+			iph6 = (struct rte_ipv6_hdr *)pkt;
+
+			vtc_flow = rte_be_to_cpu_32(iph6->vtc_flow);
+			if (flags->dscp == TEST_IPSEC_COPY_DSCP_INNER_1 ||
+			    flags->dscp == TEST_IPSEC_SET_DSCP_0_INNER_1)
+				vtc_flow |= (RTE_IPV6_HDR_DSCP_MASK &
+					     (TEST_IPSEC_DSCP_VAL << (RTE_IPV6_HDR_TC_SHIFT + 2)));
+			else
+				vtc_flow &= ~RTE_IPV6_HDR_DSCP_MASK;
+
+			iph6->vtc_flow = rte_cpu_to_be_32(vtc_flow);
+		}
+	}
+
 	if (cksum_dirty && is_ipv4(iph4)) {
 		iph4->hdr_checksum = 0;
 		iph4->hdr_checksum = rte_ipv4_cksum(iph4);
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index 12a9b77c55..c4ecfafca6 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -57,6 +57,15 @@ enum df_flags {
 	TEST_IPSEC_SET_DF_1_INNER_0,
 };
 
+#define TEST_IPSEC_DSCP_VAL 0x12
+
+enum dscp_flags {
+	TEST_IPSEC_COPY_DSCP_INNER_0 = 1,
+	TEST_IPSEC_COPY_DSCP_INNER_1,
+	TEST_IPSEC_SET_DSCP_0_INNER_1,
+	TEST_IPSEC_SET_DSCP_1_INNER_0,
+};
+
 struct ipsec_test_flags {
 	bool display_alg;
 	bool sa_expiry_pkts_soft;
@@ -74,6 +83,7 @@ struct ipsec_test_flags {
 	bool fragment;
 	bool stats_success;
 	enum df_flags df;
+	enum dscp_flags dscp;
 };
 
 struct crypto_param {
-- 
2.27.0

[PATCH v2 2/2] test/cryptodev: add ESN and Antireplay tests

[Tejasree Kondoj]

Adding test cases for IPsec ESN and Antireplay.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
---
 app/test/test_cryptodev.c                     | 186 +++++++++++++++++-
 app/test/test_cryptodev_security_ipsec.c      |  23 ++-
 app/test/test_cryptodev_security_ipsec.h      |   6 +-
 ...st_cryptodev_security_ipsec_test_vectors.h |   1 +
 doc/guides/rel_notes/release_22_03.rst        |   5 +
 5 files changed, 217 insertions(+), 4 deletions(-)

diff --git a/app/test/test_cryptodev.c b/app/test/test_cryptodev.c
index 47ad991c31..3536b65c52 100644
--- a/app/test/test_cryptodev.c
+++ b/app/test/test_cryptodev.c
@@ -9292,6 +9292,18 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		return TEST_SKIPPED;
 
 	for (i = 0; i < nb_td; i++) {
+		if (flags->antireplay &&
+		    (dir == RTE_SECURITY_IPSEC_SA_DIR_EGRESS)) {
+			sess_conf.ipsec.esn.value = td[i].ipsec_xform.esn.value;
+			ret = rte_security_session_update(ctx,
+				ut_params->sec_session, &sess_conf);
+			if (ret) {
+				printf("Could not update sequence number in "
+				       "session\n");
+				return TEST_SKIPPED;
+			}
+		}
+
 		/* Setup source mbuf payload */
 		ut_params->ibuf = rte_pktmbuf_alloc(ts_params->mbuf_pool);
 		memset(rte_pktmbuf_mtod(ut_params->ibuf, uint8_t *), 0,
@@ -9344,7 +9356,8 @@ test_ipsec_proto_process(const struct ipsec_test_data td[],
 		/* Process crypto operation */
 		process_crypto_request(dev_id, ut_params->op);
 
-		ret = test_ipsec_status_check(ut_params->op, flags, dir, i + 1);
+		ret = test_ipsec_status_check(&td[i], ut_params->op, flags, dir,
+					      i + 1);
 		if (ret != TEST_SUCCESS)
 			goto crypto_op_free;
 
@@ -9895,6 +9908,150 @@ test_ipsec_proto_ipv6_set_dscp_1_inner_0(const void *data __rte_unused)
 	return test_ipsec_proto_all(&flags);
 }
 
+static int
+test_ipsec_pkt_replay(const void *test_data, const uint64_t esn[],
+		      bool replayed_pkt[], uint32_t nb_pkts, bool esn_en,
+		      uint64_t winsz)
+{
+	struct ipsec_test_data td_outb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_data td_inb[IPSEC_TEST_PACKETS_MAX];
+	struct ipsec_test_flags flags;
+	uint32_t i = 0, ret = 0;
+
+	memset(&flags, 0, sizeof(flags));
+	flags.antireplay = true;
+
+	for (i = 0; i < nb_pkts; i++) {
+		memcpy(&td_outb[i], test_data, sizeof(td_outb[i]));
+		td_outb[i].ipsec_xform.options.iv_gen_disable = 1;
+		td_outb[i].ipsec_xform.replay_win_sz = winsz;
+		td_outb[i].ipsec_xform.options.esn = esn_en;
+	}
+
+	for (i = 0; i < nb_pkts; i++)
+		td_outb[i].ipsec_xform.esn.value = esn[i];
+
+	ret = test_ipsec_proto_process(td_outb, td_inb, nb_pkts, true,
+				       &flags);
+	if (ret != TEST_SUCCESS)
+		return ret;
+
+	test_ipsec_td_update(td_inb, td_outb, nb_pkts, &flags);
+
+	for (i = 0; i < nb_pkts; i++) {
+		td_inb[i].ipsec_xform.options.esn = esn_en;
+		/* Set antireplay flag for packets to be dropped */
+		td_inb[i].ar_packet = replayed_pkt[i];
+	}
+
+	ret = test_ipsec_proto_process(td_inb, NULL, nb_pkts, true,
+				       &flags);
+
+	return ret;
+}
+
+static int
+test_ipsec_proto_pkt_antireplay(const void *test_data, uint64_t winsz)
+{
+
+	uint32_t nb_pkts = 5;
+	bool replayed_pkt[5];
+	uint64_t esn[5];
+
+	/* 1. Advance the TOP of the window to WS * 2 */
+	esn[0] = winsz * 2;
+	/* 2. Test sequence number within the new window(WS + 1) */
+	esn[1] = winsz + 1;
+	/* 3. Test sequence number less than the window BOTTOM */
+	esn[2] = winsz;
+	/* 4. Test sequence number in the middle of the window */
+	esn[3] = winsz + (winsz / 2);
+	/* 5. Test replay of the packet in the middle of the window */
+	esn[4] = winsz + (winsz / 2);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = true;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = true;
+
+	return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts,
+				     false, winsz);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay1024(const void *test_data)
+{
+	return test_ipsec_proto_pkt_antireplay(test_data, 1024);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay2048(const void *test_data)
+{
+	return test_ipsec_proto_pkt_antireplay(test_data, 2048);
+}
+
+static int
+test_ipsec_proto_pkt_antireplay4096(const void *test_data)
+{
+	return test_ipsec_proto_pkt_antireplay(test_data, 4096);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay(const void *test_data, uint64_t winsz)
+{
+
+	uint32_t nb_pkts = 7;
+	bool replayed_pkt[7];
+	uint64_t esn[7];
+
+	/* Set the initial sequence number */
+	esn[0] = (uint64_t)(0xFFFFFFFF - winsz);
+	/* 1. Advance the TOP of the window to (1<<32 + WS/2) */
+	esn[1] = (uint64_t)((1ULL << 32) + (winsz / 2));
+	/* 2. Test sequence number within new window (1<<32 + WS/2 + 1) */
+	esn[2] = (uint64_t)((1ULL << 32) - (winsz / 2) + 1);
+	/* 3. Test with sequence number within window (1<<32 - 1) */
+	esn[3] = (uint64_t)((1ULL << 32) - 1);
+	/* 4. Test with sequence number within window (1<<32 - 1) */
+	esn[4] = (uint64_t)(1ULL << 32);
+	/* 5. Test with duplicate sequence number within
+	 * new window (1<<32 - 1)
+	 */
+	esn[5] = (uint64_t)((1ULL << 32) - 1);
+	/* 6. Test with duplicate sequence number within new window (1<<32) */
+	esn[6] = (uint64_t)(1ULL << 32);
+
+	replayed_pkt[0] = false;
+	replayed_pkt[1] = false;
+	replayed_pkt[2] = false;
+	replayed_pkt[3] = false;
+	replayed_pkt[4] = false;
+	replayed_pkt[5] = true;
+	replayed_pkt[6] = true;
+
+	return test_ipsec_pkt_replay(test_data, esn, replayed_pkt, nb_pkts,
+				     true, winsz);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay1024(const void *test_data)
+{
+	return test_ipsec_proto_pkt_esn_antireplay(test_data, 1024);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay2048(const void *test_data)
+{
+	return test_ipsec_proto_pkt_esn_antireplay(test_data, 2048);
+}
+
+static int
+test_ipsec_proto_pkt_esn_antireplay4096(const void *test_data)
+{
+	return test_ipsec_proto_pkt_esn_antireplay(test_data, 4096);
+}
+
 static int
 test_PDCP_PROTO_all(void)
 {
@@ -14965,6 +15122,33 @@ static struct unit_test_suite ipsec_proto_testsuite  = {
 			"Tunnel header IPv6 set DSCP 1 (inner 0)",
 			ut_setup_security, ut_teardown,
 			test_ipsec_proto_ipv6_set_dscp_1_inner_0),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_antireplay1024, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_antireplay2048, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_antireplay4096, &pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"ESN and Antireplay with window size 1024",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_esn_antireplay1024,
+			&pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"ESN and Antireplay with window size 2048",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_esn_antireplay2048,
+			&pkt_aes_128_gcm),
+		TEST_CASE_NAMED_WITH_DATA(
+			"ESN and Antireplay with window size 4096",
+			ut_setup_security, ut_teardown,
+			test_ipsec_proto_pkt_esn_antireplay4096,
+			&pkt_aes_128_gcm),
 		TEST_CASES_END() /**< NULL terminate unit test array */
 	}
 };
diff --git a/app/test/test_cryptodev_security_ipsec.c b/app/test/test_cryptodev_security_ipsec.c
index 54f59c7f79..eb775eb08a 100644
--- a/app/test/test_cryptodev_security_ipsec.c
+++ b/app/test/test_cryptodev_security_ipsec.c
@@ -176,6 +176,13 @@ test_ipsec_sec_caps_verify(struct rte_security_ipsec_xform *ipsec_xform,
 		return -ENOTSUP;
 	}
 
+	if (ipsec_xform->replay_win_sz > sec_cap->ipsec.replay_win_sz_max) {
+		if (!silent)
+			RTE_LOG(INFO, USER1,
+				"Replay window size is not supported\n");
+		return -ENOTSUP;
+	}
+
 	return 0;
 }
 
@@ -654,7 +661,8 @@ test_ipsec_td_verify(struct rte_mbuf *m, const struct ipsec_test_data *td,
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
 	    (flags->icv_corrupt ||
 	     flags->sa_expiry_pkts_hard ||
-	     flags->tunnel_hdr_verify))
+	     flags->tunnel_hdr_verify ||
+	     td->ar_packet))
 		return TEST_SUCCESS;
 
 	if (td->ipsec_xform.direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
@@ -921,13 +929,24 @@ test_ipsec_post_process(struct rte_mbuf *m, const struct ipsec_test_data *td,
 }
 
 int
-test_ipsec_status_check(struct rte_crypto_op *op,
+test_ipsec_status_check(const struct ipsec_test_data *td,
+			struct rte_crypto_op *op,
 			const struct ipsec_test_flags *flags,
 			enum rte_security_ipsec_sa_direction dir,
 			int pkt_num)
 {
 	int ret = TEST_SUCCESS;
 
+	if ((dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
+	    td->ar_packet) {
+		if (op->status != RTE_CRYPTO_OP_STATUS_ERROR) {
+			printf("Anti replay test case failed\n");
+			return TEST_FAILED;
+		} else {
+			return TEST_SUCCESS;
+		}
+	}
+
 	if (dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
 	    flags->sa_expiry_pkts_hard &&
 	    pkt_num == IPSEC_TEST_PACKETS_MAX) {
diff --git a/app/test/test_cryptodev_security_ipsec.h b/app/test/test_cryptodev_security_ipsec.h
index c4ecfafca6..a15c1d3015 100644
--- a/app/test/test_cryptodev_security_ipsec.h
+++ b/app/test/test_cryptodev_security_ipsec.h
@@ -40,6 +40,8 @@ struct ipsec_test_data {
 	struct rte_security_ipsec_xform ipsec_xform;
 
 	bool aead;
+	/* Antireplay packet */
+	bool ar_packet;
 
 	union {
 		struct {
@@ -82,6 +84,7 @@ struct ipsec_test_flags {
 	bool transport;
 	bool fragment;
 	bool stats_success;
+	bool antireplay;
 	enum df_flags df;
 	enum dscp_flags dscp;
 };
@@ -234,7 +237,8 @@ int test_ipsec_post_process(struct rte_mbuf *m,
 			    struct ipsec_test_data *res_d, bool silent,
 			    const struct ipsec_test_flags *flags);
 
-int test_ipsec_status_check(struct rte_crypto_op *op,
+int test_ipsec_status_check(const struct ipsec_test_data *td,
+			    struct rte_crypto_op *op,
 			    const struct ipsec_test_flags *flags,
 			    enum rte_security_ipsec_sa_direction dir,
 			    int pkt_num);
diff --git a/app/test/test_cryptodev_security_ipsec_test_vectors.h b/app/test/test_cryptodev_security_ipsec_test_vectors.h
index 85cd6c51a8..fe2fd855df 100644
--- a/app/test/test_cryptodev_security_ipsec_test_vectors.h
+++ b/app/test/test_cryptodev_security_ipsec_test_vectors.h
@@ -102,6 +102,7 @@ struct ipsec_test_data pkt_aes_128_gcm = {
 		.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
 		.tunnel.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
 		.replay_win_sz = 0,
+		.esn.low = 1,
 	},
 
 	.aead = true,
diff --git a/doc/guides/rel_notes/release_22_03.rst b/doc/guides/rel_notes/release_22_03.rst
index 3bc0630c7c..60598432c3 100644
--- a/doc/guides/rel_notes/release_22_03.rst
+++ b/doc/guides/rel_notes/release_22_03.rst
@@ -69,6 +69,11 @@ New Features
 
   The new API ``rte_event_eth_rx_adapter_event_port_get()`` was added.
 
+* **Updated lookaside protocol (IPsec) tests in dpdk-test.**
+
+  * Added test cases to verify copy and set DSCP with IPv4 and IPv6 tunnels.
+  * Added ESN and anti-replay support.
+
 
 Removed Items
 -------------
-- 
2.27.0

RE: [PATCH v2 1/2] test/crypto: add copy and set DSCP cases

[Akhil Goyal]

> From: Anoob Joseph <anoobj@marvell.com>
> 
> Add test cases to verify copy and set DSCP with IPv4 and IPv6 tunnels.
> 
> Signed-off-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

RE: [PATCH v2 2/2] test/cryptodev: add ESN and Antireplay tests

[Akhil Goyal]

> Adding test cases for IPsec ESN and Antireplay.
> 
> Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
> ---
Acked-by: Akhil Goyal <gakhil@marvell.com>

RE: [PATCH v2 0/2] Adding new cases to lookaside IPsec tests

[Akhil Goyal]

> Adding new test cases to lookaside IPsec tests.
> * Set and copy DSCP cases
> * ESN and antireplay support
> 
> Changes in v2:
> * Fixed 32-bit build failure
> 
Series applied to dpdk-next-crypto

Thanks.