For the openssl crypto engine based cipher encrypt/decrypt and HMAC IPSec
use cases, the openssl API calls that do ctx init and key expansion are
moved to the initialization stage.
In the current implementation, the ctx is initialized with "key" and "iv" in
EVP_EncryptInit_ex (ctx, 0, 0, key->data, op->iv)
in the data plane, while the ctx can be initialized with 'key' and 'iv' separately,
which means there could be two API calls:
1. EVP_EncryptInit_ex (ctx, 0, 0, key->data, 0)
2. EVP_EncryptInit_ex (ctx, 0, 0, 0, op->iv)
As the 'key' for a certain IPSec SA is fixed and known, call #1 can
be placed in the IPSec SA initialization stage.
Call #2 should be kept in the data plane for each packet, as the "iv"
is random for each packet.
Type: feature
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Change-Id: Ided4462c1d4a38addc3078b03d618209e040a07a
This is a prerequisite patch for the following openssl API optimization
patch, which tries to offload openssl ctx init and key expansion work to
the initialization stage.
Wireguard adds crypto keys via vnet_crypto_key_add (), and whenever it
modifies the keys, the underneath openssl crypto engine should be informed
of the changes to update the openssl ctx.
Type: feature
Signed-off-by: Lijian Zhang <Lijian.Zhang@arm.com>
Change-Id: I3e8f033f3f77eebcecfbd06e8e3bbbfdc95a50e2
In esp_encrypt_inline(), if two or more consecutive packets are
associated with the same SA which has no crypto or integrity algorithms
set, only the first one gets dropped. Subsequent packets either get sent
(synchronous crypto) or cause a segv (asynchronous crypto).
The current SA's index and pool entry are cached before it can be
determined whether the packet should be dropped due to no algorithms
being set. The check for no algorithms is only performed when the cached
SA index is different than the SA index for the current packet. So
packets after the first one associated with the "none" alg SA aren't
handled properly.
This was broken by my previous commit ("ipsec: keep esp encrypt pointer
and index synced") which fixed a segv that occurred under a different
set of circumstances.
Check whether each packet should be dropped instead of only checking
when a new SA is encountered.
Update unit tests:
- Add a test for no algs on tunnel interface which enables
asynchronous crypto.
- Send more than one packet in the tests for no algs.
Type: fix
Fixes: dac9e566cd16fc375fff14280b37cb5135584fc6
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Change-Id: I69e951f22044051eb8557da187cb58f5535b54bf
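The bug described above is a general pattern: a validity check that runs only when a cached lookup misses lets every later item that hits the cache skip the check. The following added example (not VPP code) models the esp_encrypt_inline loop with a constructed SA table and packet list, counting drops with the check placed on SA change versus on every packet. The SA layout, the "no algorithms" test and the sample data are all simplifications assumed for the example.

```c
/* Added example, not VPP code: a reduced model of the esp_encrypt_inline
 * loop. Each packet carries an SA index; an SA with neither a crypto nor an
 * integrity algorithm must be dropped. The buggy loop checks only when the
 * cached SA index changes; the fixed loop checks every packet. */
#include <stdio.h>

typedef struct { int crypto_alg; int integ_alg; } sa_t; /* 0 == none */

static int sa_has_no_algs(const sa_t *sa)
{
  return sa->crypto_alg == 0 && sa->integ_alg == 0;
}

/* Before the fix: SA cached by index, check only on cache miss.
 * Returns the number of packets dropped. */
int count_drops_check_on_sa_change(const sa_t *sas, const int *pkt_sa, int n)
{
  int current_sa_index = -1;  /* stands in for ~0 in the real code */
  const sa_t *sa0 = NULL;
  int drops = 0;
  for (int i = 0; i < n; i++) {
    if (pkt_sa[i] != current_sa_index) {
      current_sa_index = pkt_sa[i];
      sa0 = &sas[pkt_sa[i]];
      if (sa_has_no_algs(sa0)) {
        drops++;
        continue; /* only this packet is dropped... */
      }
    }
    /* ...the next packet on the same SA hits the cache, skips the check and
     * proceeds as if sa0 were usable (sent unprotected, or worse). */
    (void)sa0;
  }
  return drops;
}

/* After the fix: the cache still avoids the pool lookup, but the
 * no-algorithms check runs for every packet. */
int count_drops_check_every_packet(const sa_t *sas, const int *pkt_sa, int n)
{
  int current_sa_index = -1;
  const sa_t *sa0 = NULL;
  int drops = 0;
  for (int i = 0; i < n; i++) {
    if (pkt_sa[i] != current_sa_index) {
      current_sa_index = pkt_sa[i];
      sa0 = &sas[pkt_sa[i]];
    }
    if (sa_has_no_algs(sa0)) {
      drops++;
      continue;
    }
  }
  return drops;
}

/* Constructed sample: SA 0 has algorithms, SA 1 has none.
 * Four packets, the first three back to back on SA 1. */
static const sa_t SAS[2] = { { 1, 1 }, { 0, 0 } };
static const int PKTS[4] = { 1, 1, 1, 0 };
#define NPKTS 4

int main(void)
{
  printf("check on SA change: %d dropped of %d\n",
         count_drops_check_on_sa_change(SAS, PKTS, NPKTS), NPKTS);
  printf("check every packet: %d dropped of %d\n",
         count_drops_check_every_packet(SAS, PKTS, NPKTS), NPKTS);
  return 0;
}
```

With three consecutive packets on the "none" SA, the first loop reports one drop and the second reports three; the unit-test change in the commit (sending more than one packet) is exactly what distinguishes the two.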
Use udp transport refcnt instead of local port refcnt when accepting new
connections.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ibc34677b1138682497f98e96b6fddb5b96094ff9
tuntap requires porting on FreeBSD, only build on Linux for now.
Type: improvement
Change-Id: I448c462b31f3bc06f291a95d0ff5df9d6f8f24b8
Signed-off-by: Tom Jones <thj@freebsd.org>
Working from the implementation in linux/mem.c add FreeBSD specific
functionality. This duplicates parts of the Linux implementation and a
deduplication job could be run in the future.
Stub out some parts of the API for now, they either use unavailable
features on FreeBSD or require further implementation than this initial
implementation.
Type: improvement
Change-Id: I1e443e32304d19776a9a4d5e34adfa16ec919427
Signed-off-by: Tom Jones <thj@freebsd.org>
Allow FreeBSD as a platform in the main CMakeLists file. This requires a
correct target for the compiler and an explicit name in the system
check.
The included subdirs require further changes to build, but the compiler
needs to find them before it can complain.
Type: improvement
Change-Id: Ic56fe68290519ef5d3ed61082e7fb0ba0528a3fc
Signed-off-by: Tom Jones <thj@freebsd.org>
tap requires some porting on FreeBSD, while we wait for those changes
only build tap on Linux.
Type: improvement
Change-Id: I4361bf43764fdb046c2138d4a2ee5d7efa31bd5a
Signed-off-by: Tom Jones <thj@freebsd.org>
UDP transport port refcount is incremented even if port is shared. So
decrement it, by unregistering, whenever udp connections are cleaned up.
Type: fix
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Id0a2c60c5faf4dea8b2cd9ded0334934ad9e918c
Set last thread id and last packet position in TRACE_DUMP_REPLY
to enable collection of traces from multiple workers using the iterator.
Type: fix
Change-Id: I69872af4f6981d50cd050fa3d16de2a3c0d6b496
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
Make sure ctx is initialized before ho is marked as done.
Type: fix
Change-Id: If0525a9890a56e289e2ab006c669a9d64dc6505d
Signed-off-by: Florin Coras <fcoras@cisco.com>
- improved readability of some error messages
- printing container logs to stdout on test failure (last 20 lines)
Type: test
Change-Id: Idbb358bdd89aa7b1a6bdc9d96bf029d4c299ce64
Signed-off-by: adrianvillin <avillin@cisco.com>
Split virtual interface tests in VPP into smaller and modular
tests for testing various interface types and features.
Type: test
Change-Id: Ic38af88379f75eee3090679d411edbdc8fd5d2e5
Signed-off-by: Naveen Joy <najoy@cisco.com>
Argument to vcl_epoll_ctl_add_unhandled_event is often the result of an
AND between events and EPOLLET, which is larger than u8.
Type: fix
Change-Id: I8c98f557fa1db9f3eb79c90ecdd60ac9366d4d40
Signed-off-by: Florin Coras <fcoras@cisco.com>
FreeBSD's siginfo_t doesn't have the ptr value used on linux to encode a
token. For now recover the code from siginfo_t and leave the opaque
value as 0.
Type: improvement
Change-Id: Ic6ef96f018b326b99d68534a4488cfc49fdf16e1
Signed-off-by: Tom Jones <thj@freebsd.org>
As a placeholder stub out clib_perf functions on FreeBSD, the interface
for performance counters on FreeBSD is different and will require its
own implementation.
Type: improvement
Change-Id: I61511ebe5ee1fd6fe93d3179c7843c811f47a846
Signed-off-by: Tom Jones <thj@freebsd.org>
FreeBSD has supported netlink since 13.2, but keeps its header in a
slightly different place. Correctly include netlink/netlink.h for
FreeBSD.
Type: improvement
Change-Id: Iec78ca72db74ea7f9c874e7039c7d17b6321f9dc
Signed-off-by: Tom Jones <thj@freebsd.org>
Place Linux specific features behind CLIB_LINUX. The previous #ifdef
calls would still pass even if CLIB_LINUX is set to 0 in clib.h, instead
use #if.
Type: improvement
Change-Id: Ibe4424eee4bc0065f54764b017b9a56a3e854380
Signed-off-by: Tom Jones <thj@freebsd.org>
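The distinction this commit relies on is easy to get wrong in any code base that defines platform macros to 0 rather than leaving them undefined. The following added example (not VPP code) defines a stand-in CLIB_LINUX to 0, as a non-Linux clib.h might, and shows that "#ifdef CLIB_LINUX" still selects the Linux branch while "#if CLIB_LINUX" does not. The macro value and the function names are assumptions for the example.

```c
/* Added example, not VPP code: why "#if CLIB_LINUX" and "#ifdef CLIB_LINUX"
 * behave differently when the macro is defined to 0 (as a non-Linux clib.h
 * may do) instead of being left undefined. */
#include <stdio.h>

/* Constructed stand-in for the clib.h definition on a FreeBSD build. */
#ifndef CLIB_LINUX
#define CLIB_LINUX 0
#endif

/* Old style: #ifdef tests only whether the name is defined, never its value,
 * so Linux-only code is compiled in on a platform that set the flag to 0. */
int linux_path_selected_by_ifdef(void)
{
#ifdef CLIB_LINUX
  return 1; /* taken even though CLIB_LINUX == 0 */
#else
  return 0;
#endif
}

/* Fixed style: #if evaluates the value, so a 0 definition disables the
 * Linux-only code as intended. */
int linux_path_selected_by_if(void)
{
#if CLIB_LINUX
  return 1;
#else
  return 0;
#endif
}

/* Same result as plain #if (an undefined name evaluates to 0 in #if), but
 * explicit about the "absent means off" case and quiet under -Wundef. */
int linux_path_selected_by_if_defined(void)
{
#if defined(CLIB_LINUX) && CLIB_LINUX
  return 1;
#else
  return 0;
#endif
}

int main(void)
{
  printf("CLIB_LINUX = %d\n", CLIB_LINUX);
  printf("#ifdef selects Linux path: %d\n", linux_path_selected_by_ifdef());
  printf("#if selects Linux path:    %d\n", linux_path_selected_by_if());
  printf("#if defined && value:      %d\n", linux_path_selected_by_if_defined());
  return 0;
}
```

Building with -DCLIB_LINUX=1 flips all three functions to return 1, which is the only configuration in which the old #ifdef form and the new #if form agree.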
Limit the libraries we build on FreeBSD. This change intends to get us
closer to building on FreeBSD, DPDK will require a larger set of changes
so remove it until those changes are ready to integrate.
Type: improvement
Change-Id: I0f672a2b5bc30f2228020049fa71a81a2569ef54
Signed-off-by: Tom Jones <thj@freebsd.org>
On FreeBSD we need to include stdint.h to get __WORDSIZE.
Type: improvement
Change-Id: I784aa0856fd8298f33016b7ccedecfa3672d5429
Signed-off-by: Tom Jones <thj@freebsd.org>
Finding the program counter in the ucontext struct is platform and
architecture specific, place the Linux checks inside an #ifdef and add a
look up for the FreeBSD amd64 specific naming.
Type: improvement
Change-Id: I42fcef5f20227c23d84acee336e37c4870146bb4
Signed-off-by: Tom Jones <thj@freebsd.org>
__unused is a clang keyword, this struct member will trip the build when
using clang. Instead call the unused padding 'pad' which should be clear
to the purpose if not the usage.
Type: improvement
Change-Id: I0abae34841651be1ef6b7d94864f0dc8185f0733
Signed-off-by: Tom Jones <thj@freebsd.org>
Don't use the MAP_HUGETLB mmap flag on FreeBSD as it isn't available on
the platform.
Type: improvement
Change-Id: Ie2046601c693f9ef12cf8113d6dbd87c322f1cf0
Signed-off-by: Tom Jones <thj@freebsd.org>
FreeBSD doesn't support sysfs or preallocating hugepages directly. In
lieu of refactoring clib_sysfs calls place this one behind an #ifdef
linux.
Type: improvement
Change-Id: I4079ca70175e4cec44d913db2b0407a3ca6306c9
Signed-off-by: Tom Jones <thj@freebsd.org>
FreeBSD has platform specific APIs for interfacing with performance
counters. Until we bring in FreeBSD support, don't build perfmon on
platforms which aren't linux.
Type: improvement
Change-Id: Iabc418922c0d2e851c6098508761135f53433ae8
Signed-off-by: Tom Jones <thj@freebsd.org>
The SIGPWR signal is specific to Linux, place it behind a Linux flag to
help the build on FreeBSD.
Type: improvement
Change-Id: Ie36c2ceb201afff98e92bbe64595c3953b11c457
Signed-off-by: Tom Jones <thj@freebsd.org>
Add vlib_worker_wait_one_loop prior to invoking dpo_reset
upon uninstalling a fib entry to avoid contention with DP.
Type: fix
Change-Id: If2a6c4cb9b5629dd61e506ab9f9c3e6aef121b45
Signed-off-by: Steven Luong <sluong@cisco.com>
Type: fix
Attempting to create a host-interface with an invalid af_packet name
causes a crash, as we attempt to read the contents of a null ptr.
Change-Id: Ia31ae21684c2b66baa1ceaadf29e19fae33c4ed4
Signed-off-by: hsandid <halsandi@cisco.com>
The improvement was removed in 40129,
causing 5-40% regressions in AVF tests.
There is a memory-speed trade-off,
this change prefers speed over memory efficiency.
Ideally, the choice should be configurable,
but that is not easy to achieve, considering
how early vlib_buffer_main_init is called.
Type: fix
Fixes: 038dad7ef29b0b724071edb5f8cc7a9845584454
Change-Id: I4746f3634abe6d233c9d092a372de05b3d1ae4b6
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
Add/del functions can be used from external modules.
Type: improvement
Change-Id: I267bcfacd58970bcacae13744d8acc690b87d2fc
Signed-off-by: Benoît Ganne <bganne@cisco.com>
RFC 7296 describes the way to rekey IKE SAs: to rekey an IKE SA,
establish a new equivalent IKE SA with the peer to whom the old
IKE SA is shared using a CREATE_CHILD_SA within the existing IKE
SA. An IKE SA so created inherits all of the original IKE SA's
Child SAs, and the new IKE SA is used for all control messages
needed to maintain those Child SAs.
Type: improvement
Signed-off-by: Atzm Watanabe <atzmism@gmail.com>
Change-Id: Icdf43b67c38bf183913a28a08a85236ba16343af
show udp transport ports
Dumps list of ports registered by udp transport, as opposed to udp
local, and their refcount.
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: If3cbe51a7176cb89fa38b524defffbbd76af8f58
Session lookup tables could be allocated from workers, e.g., connects
are done from first worker. Make sure consumers are not affected by
stopping workers.
Type: fix
Change-Id: I63b53c58b41ce91b08f50a2325c69c9f9fd25ed3
Signed-off-by: Florin Coras <fcoras@cisco.com>