For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Fix an issue where multiple VPP instances with DPDK starting at the
same time would not initialize VFs properly. This is done by using the
iavf PMD (where the issue can't be reproduced) instead of the i40evf
PMD.
Type: fix
Ticket: VPP-1943
Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
Change-Id: Idcc48088c7d66a76da2b4675c02c7c115706c8b3
Type: test
Ticket: VPP-1903
Change-Id: I7fab6931833d6e253b7b921172825387302d8f70
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 027d813a50)
- In a new centos-8 installation, vpp-ext-deps fails on missing
ssl.h header file after 'make install-deps'.
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I521d817dd1f1e21aff427d98b9832ea7c7b89339
The list of plugins is outdated.
This change introduces a dynamically
generated list of the plugins along with their descriptions,
extracted directly from the sources.
Type: docs
Change-Id: Icb7b65e6b45289e257d71a1c18d10f62ced59cbe
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
(cherry picked from commit 630ca994e0)
Fix in nat44 hairpinning code to check if anything was actually
changed in the snat_hairpinning() routine, and return 0 if nothing
changed. This helps avoid an infinite loop repeating the three
nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there
was no change. Also add a corresponding test case.
This is essentially a cherry-pick of change 30284 but the
automatic cherry-picking did not work because of some filename
changes.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I21a59ae7423f40abeff9fc0411330da58b3011f0
- The name of the powertools repo was changed [0]
in centos-8 from 'PowerTools' to 'powertools'.
Retrieve the correct name from 'dnf repolist all'
instead of hard coding it.
[0] b759b17557
Type: fix
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: Ic1402e671eb1d70dec429bab82ad18d8251f4eef
(cherry picked from commit 1affb31ef5)
A simple counter is a two dimensional array by threads and
counter index. 28017 introduced an error missing the first
dimension.
If a vector is updated at the same time as a client reads,
an invalid pointer my result. This will be caught by the
optimistic locking after copying out the data, but if
following a pointer outside of the stat segment then
the stat client would crash. Add suitable boundary checks
for access to stat memory segment.
Fixes: 7d29e320fb
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I94f124ec71d98218c4eda5d124ac5594743d93d6
(cherry picked from commit 65c56c83ce)
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
IPSec punting to IKEv2 is valid only for NAT-T in IPv4.
Fix coverity CID 214915.
Type: fix
Change-Id: I6f2db38abf179565316f50c5d47c78acce3a0d01
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit d9ed0b6786)
This helps to resolve sporadic failures in unit tests.
Type: fix
Change-Id: I3abd77ed74310f9729a841e8569eafe6d7758dcb
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit 761f8f0eaa)
Type: fix
Ticket: VPP-1900
This fixes a crash when initiating IKE connection using interface
without any IP address.
It also ensures that the IKE connection is automatically retried once the
interface obtains an address.
Signed-off-by: jan_cavojsky <Jan.Cavojsky@pantheon.tech>
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Change-Id: Ia1919c349e64b3a0a4198365e075e177e3ba3de5
(cherry picked from commit 6960da5284)
When looking for existing SA connection to clean up search all per
thread data, not only current one.
Type: fix
Change-Id: I59312e08a07ca1f474b6389999e59320c5128e7d
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
(cherry picked from commit e7c8396982)
Using vlib_main of another thread is prohibited.
Type: fix
Change-Id: I7ae294dfaf2526738e91408c9b4865ef9f801b8a
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 7483a7272d)
We should not use main thread vlib_main in workers.
Type: fix
Change-Id: I58c0a8cadf2dc7f768b20ac90e7ec7921e2e8ca4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 0a2fde105a)
dns cache should no longer be unlocked by caller.
Type: fix
Fixes: 84a563ae40
Change-Id: I3708718ae8f00e4e4f4e04381caa0095c8494b82
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 2113c7f28b)
crypto_native/main.h is being built as default,
and crypto_native_main is initialized with a size of 64 bytes.
crypto_native/aes_gcm.c and crypto_native/aes_cbc.c are march
variants, their ICL variants are expecting crypto_native_main
to be 256 bytes.
Type: fix
Signed-off-by: Georgii Tkachuk <georgii.tkachuk@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I4cddb75b712ea83c9cfca621887605d7bae104ec
When removing an interface we must reset all per-interface per-feature
arc data to ensure we do not get wrong feature arc config data when the
sw_if_index is recycled.
Type: fix
Change-Id: I8c9d850d7c62b7b77193da4258ab5fb9bdda85a6
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 6178bdafa6)
NUMA node parsing with vlib_get_thread_core_numa() can failed on single
socket systems. Use clib_get_current_numa_node() instead as we already
pinned the main thread to the requested core.
Type: fix
Change-Id: I22339516d0305689a58584c92ded7c96eb53be39
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 33ce5e568f)
ipsec_{crypto,integ}_alg_t are packed and smaller than u32. Callers are
using those enums so unformat functions should too instead of u32 to
not overflow the stack.
Type: fix
Change-Id: Ifc86366f1928ca6352f06f390a88ac64668289d5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit f6422ffbc8)
- fix fifo initialization overflowing chunk size
- stick to the default base virtual address to initialize fifo. ASAN
can be picky about address space
Type: fix
Change-Id: If9a29138d2c207859d72845e928290c808c4a982
Signed-off-by: Benoît Ganne <bganne@cisco.com>
(cherry picked from commit 07b9455808)
