ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix C). Chaining IVs like is done by ipsecmb and native backends for the VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable. Encrypt a counter as part of the message, making the (predictable) counter-generated IV unpredictable. Fixes: VPP-2037 Type: fix Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae Signed-off-by: Benoît Ganne <bganne@cisco.com>
misc: fix the MAKE_PARALLEL_JOBS for 'make verify' target
2023-02-06 16:27:55 +01:00 · 2020-06-29 13:30:00 +00:00 · 2019-12-17 00:11:29 +00:00 · 2019-12-12 21:27:45 +00:00 · 2019-11-14 12:25:21 +00:00 · 2019-10-30 20:42:38 +00:00
192 changed files with 2863 additions and 817 deletions
--- a/.gitreview
+++ b/.gitreview
@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/1904
--- a/5
+++ b/5
@ -105,6 +105,11 @@ M:	Florin Coras <fcoras@cisco.com>
 F:	src/vnet/lisp-cp/
 F:	src/vnet/lisp-gpe/

+VNET GSO
+I: gso
+M: Andrew Yourtchenko <ayourtch@gmail.com>
+F: src/vnet/interface_output.c
+
 Plugin - MAP
 M:	Ole Troan <ot@cisco.com>
 F:	src/plugins/map
--- a/2
+++ b/2
@ -101,7 +101,7 @@ else
 	RPM_DEPENDS += yum-utils
 	RPM_DEPENDS += openssl-devel
 	RPM_DEPENDS += python-devel python36-ply
-	RPM_DEPENDS += python36-devel python36-pip
+	RPM_DEPENDS += python3-devel python3-pip
 	RPM_DEPENDS += python-virtualenv
 	RPM_DEPENDS += devtoolset-7
 	RPM_DEPENDS += cmake3
--- a/RELEASE.md
+++ b/RELEASE.md
--- a/build-root/Makefile
+++ b/build-root/Makefile
@ -653,12 +653,10 @@ configure_check_timestamp =						\
 # NB: GNU Make 4.2 will let us use '$(file </proc/cpuinfo)' to both test
 # for file presence and content; for now this will have to do.
 ifndef MAKE_PARALLEL_JOBS
-MAKE_PARALLEL_JOBS = -j $(if $(shell [ -f /proc/cpuinfo ] && head /proc/cpuinfo), \
+MAKE_PARALLEL_JOBS = $(if $(shell [ -f /proc/cpuinfo ] && head /proc/cpuinfo), \
 	$(shell grep -c ^processor /proc/cpuinfo), 2)
-else
-MAKE_PARALLEL_JOBS := -j $(MAKE_PARALLEL_JOBS)
 endif
-MAKE_PARALLEL_FLAGS ?= $(if $($(PACKAGE)_make_parallel_fails),,$(MAKE_PARALLEL_JOBS))
+MAKE_PARALLEL_FLAGS ?= $(if $($(PACKAGE)_make_parallel_fails),,-j $(MAKE_PARALLEL_JOBS))

 # Make command shorthand for packages & tools.
 PACKAGE_MAKE =					\
--- a/build-root/platforms.mk
+++ b/build-root/platforms.mk
@ -35,7 +35,7 @@
 #

 # Platform selects e.g. Linux config file
-PLATFORM = native
+PLATFORM = vpp

 native_arch = native

--- a/build/external/packages/ipsec-mb.mk
+++ b/build/external/packages/ipsec-mb.mk
@ -25,7 +25,8 @@ define  ipsec-mb_config_cmds
 endef

 define  ipsec-mb_build_cmds
-	@true
+	echo "BUILDING"
+	make -C $(ipsec-mb_src_dir) DEBUG=y NASM=$(ipsec-mb_install_dir)/bin/nasm 
 endef

 define  ipsec-mb_install_cmds
--- a/docs/about.rst
+++ b/docs/about.rst
@ -4,6 +4,6 @@
 About
 =====

-**VPP Version:** 19.04-rc0~276-g3bce8eb
+**VPP Version:** 19.04.3-release

-**Built on:** Tue Feb 26 14:00:03 GMT 2019
+**Built on:** Tue Oct 29 04:31:44 GMT 2019
--- a/docs/etc/requirements.txt
+++ b/docs/etc/requirements.txt
@ -20,4 +20,4 @@ Sphinx==1.8.2
 sphinx-rtd-theme==0.4.2
 sphinxcontrib-websupport==1.1.0
 typing==3.6.6
-urllib3==1.24.1
+urllib3==1.24.2
--- a/doxygen/dev_doc.md
+++ b/doxygen/dev_doc.md
@ -12,3 +12,6 @@ Programming notes for developers.
 - @subpage acl_lookup_context
 - @subpage libmemif_doc
 - @subpage syslog_doc
+- @subpage ipfix_doc
+- @subpage stats_doc
+- @subpage if_stats_client_doc
--- a/doxygen/test_framework_doc.md
+++ b/doxygen/test_framework_doc.md
@ -4,6 +4,7 @@ Test Framework Documentation    {#test_framework_doc}
 PyDoc generated documentation for the "make test" framework is available for
 the following releases:

+- [Test framework documentation for VPP 19.04](https://docs.fd.io/vpp/19.04/vpp_make_test/html)
 - [Test framework documentation for VPP 19.01](https://docs.fd.io/vpp/19.01/vpp_make_test/html)
 - [Test framework documentation for VPP 18.10](https://docs.fd.io/vpp/18.10/vpp_make_test/html)
 - [Test framework documentation for VPP 18.07](https://docs.fd.io/vpp/18.07/vpp_make_test/html)
--- a/doxygen/user_doc.md
+++ b/doxygen/user_doc.md
@ -7,6 +7,7 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage avf_plugin_doc
 - @subpage bfd_doc
 - @subpage dpdk_crypto_ipsec_doc
+- @subpage dhcp6_pd_doc
 - @subpage flowprobe_plugin_doc
 - @subpage ioam_plugin_doc
 - @subpage ipsec_gre_doc
@ -16,10 +17,13 @@ Several modules provide operational, dataplane-user focused documentation.
 - @subpage lldp_doc
 - @subpage map_doc
 - @subpage marvel_plugin_doc
+- @subpage mtu_doc
 - @subpage nat64_doc
+- @subpage nat_ha_doc
 - @subpage qos_doc
 - @subpage selinux_doc
 - @subpage span_doc
 - @subpage srmpls_doc
 - @subpage srv6_doc
 - @subpage vcl_ldpreload_doc
+- @subpage vmxnet3_doc
--- a/extras/rpm/vpp-suse.spec
+++ b/extras/rpm/vpp-suse.spec
@ -223,7 +223,7 @@ chmod -x %{buildroot}%{python_sitelib}/vpp_papi/*.txt
 #
 # devel
 #
-for dir in $(find %{_vpp_install_dir}/*/include/ -maxdepth 0 -type d -print | grep -v dpdk)
+for dir in %{_vpp_install_dir}/{vom,vpp}/include/
 do
 	for subdir in $(cd ${dir} && find . -type d -print)
 	do
--- a/extras/rpm/vpp.spec
+++ b/extras/rpm/vpp.spec
@ -46,7 +46,7 @@ Summary: Vector Packet Processing
 License: ASL 2.0
 Version: %{_version}
 Release: %{_release}
-Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python
+Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, epel-release, net-tools, pciutils, python, python36
 BuildRequires: systemd, chrpath
 BuildRequires: check, check-devel
 %if 0%{?fedora}
@ -57,10 +57,14 @@ BuildRequires: mbedtls-devel
 BuildRequires: cmake
 %else
 %if 0%{rhel} == 7
+BuildRequires: epel-release
 BuildRequires: devtoolset-7-toolchain
 BuildREquires: openssl-devel
-BuildRequires: python-devel, python-virtualenv, python-ply
+BuildRequires: python-devel, python-virtualenv
+BuildRequires: mbedtls-devel
+BuildRequires: python36-devel python36-pip python36-ply
 BuildRequires: cmake3
+BuildRequires: boost-filesystem
 %endif
 %endif
 BuildRequires: libffi-devel
@ -83,7 +87,7 @@ vpp_json_test - vector packet engine JSON test tool
 %package lib
 Summary: VPP libraries
 Group: System Environment/Libraries
-Requires: vpp-selinux-policy = %{_version}-%{_release}
+Requires: vpp-selinux-policy = %{_version}-%{_release} boost-filesystem

 %description lib
 This package contains the VPP shared libraries, including:
@ -111,7 +115,7 @@ vppinfra
 %package plugins
 Summary: Vector Packet Processing--runtime plugins
 Group: System Environment/Libraries
-Requires: vpp = %{_version}-%{_release} numactl-libs
+Requires: vpp = %{_version}-%{_release} numactl-libs mbedtls
 %description plugins
 This package contains VPP plugins

@ -231,7 +235,7 @@ install -m 0644 $MODULES \
 #
 # devel
 #
-for dir in $(find %{_mu_build_dir}/%{_vpp_install_dir}/*/include/ -maxdepth 0 -type d -print | grep -v dpdk)
+for dir in %{_mu_build_dir}/%{_vpp_install_dir}/{vom,vpp}/include/
 do
 	for subdir in $(cd ${dir} && find . -type d -print)
 	do
--- a/extras/scripts/list_api_changes.py
+++ b/extras/scripts/list_api_changes.py
@ -1,8 +1,8 @@
 #!/usr/bin/env python
 import os, fnmatch, subprocess

-starttag = 'v19.01-rc0'
-endtag = 'v19.01'
+starttag = 'v19.04-rc0'
+endtag = 'HEAD'
 emit_md = True
 apifiles = []

--- a/extras/vpp_if_stats/README.md
+++ b/extras/vpp_if_stats/README.md
@ -1,4 +1,4 @@
-# VPP interface stats client
+# VPP interface stats client {#if_stats_client_doc}

 This is a source code and a binary of a 'thin client' to collect, 
 aggregate and expose VPP interface stats through VPP stats socket API. 
--- a/src/plugins/abf/abf_api.c
+++ b/src/plugins/abf/abf_api.c
@ -312,7 +312,7 @@ VLIB_INIT_FUNCTION (abf_api_init);
 /* *INDENT-OFF* */
 VLIB_PLUGIN_REGISTER () = {
    .version = VPP_BUILD_VER,
-    .description = "ACL based Forwarding",
+    .description = "Access Control List (ACL) Based Forwarding",
 };
 /* *INDENT-ON* */

--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@ -92,7 +92,7 @@ _(ACL_PLUGIN_GET_CONN_TABLE_MAX_ENTRIES,acl_plugin_get_conn_table_max_entries)
 /* *INDENT-OFF* */
 VLIB_PLUGIN_REGISTER () = {
    .version = VPP_BUILD_VER,
-    .description = "Access Control Lists",
+    .description = "Access Control Lists (ACL)",
 };
 /* *INDENT-ON* */

--- a/src/plugins/acl/sess_mgmt_node.c
+++ b/src/plugins/acl/sess_mgmt_node.c
@ -727,6 +727,7 @@ acl_fa_session_cleaner_process (vlib_main_t * vm, vlib_node_runtime_t * rt,
 		}
 	      else
 		{
+		  clib_bitmap_free (pw0->pending_clear_sw_if_index_bitmap);
 		  if (clear_all)
 		    {
 		      /* if we need to clear all, then just clear the interfaces that we are servicing */
--- a/src/plugins/avf/README.md
+++ b/src/plugins/avf/README.md
@ -75,6 +75,13 @@ setup 0000:3b:00.0 00:11:22:33:44:00
 setup 0000:3b:00.1 00:11:22:33:44:01
 ```

+### Promisc mode
+In cases when interface is used in the L2 mode or promisc mode is needed for some other reason,
+trust needs to be set to "on" using the linux "ip link" utility.
+```
+ip link set dev <PF inteface name> vf <VF id> trust on
+```
+
 ### Interface Creation
 Interfaces can be dynamically created by using following CLI:
 ```
--- a/src/plugins/avf/avf.h
+++ b/src/plugins/avf/avf.h
@ -22,6 +22,9 @@

 #include <vlib/log.h>

+#define AVF_AQ_ENQ_SUSPEND_TIME		50e-6
+#define AVF_AQ_ENQ_MAX_WAIT_TIME	50e-3
+
 #define AVF_RXD_STATUS(x)		(1ULL << x)
 #define AVF_RXD_STATUS_DD		AVF_RXD_STATUS(0)
 #define AVF_RXD_STATUS_EOP		AVF_RXD_STATUS(1)
@ -161,6 +164,7 @@ typedef struct

  /* stats */
  virtchnl_eth_stats_t eth_stats;
+  virtchnl_eth_stats_t last_cleared_eth_stats;

  /* error */
  clib_error_t *error;
--- a/src/plugins/avf/avf_api.c
+++ b/src/plugins/avf/avf_api.c
@ -94,7 +94,9 @@ vl_api_avf_delete_t_handler (vl_api_avf_delete_t * mp)
  vnet_hw_interface_t *hw;
  int rv = 0;

-  hw = vnet_get_sup_hw_interface (vnm, htonl (mp->sw_if_index));
+  hw =
+    vnet_get_sup_hw_interface_api_visible_or_null (vnm,
+						   htonl (mp->sw_if_index));
  if (hw == NULL || avf_device_class.index != hw->dev_class_index)
    {
      rv = VNET_API_ERROR_INVALID_INTERFACE;
--- a/src/plugins/avf/cli.c
+++ b/src/plugins/avf/cli.c
@ -109,7 +109,7 @@ avf_delete_command_fn (vlib_main_t * vm, unformat_input_t * input,
    return clib_error_return (0,
 			      "please specify interface name or sw_if_index");

-  hw = vnet_get_sup_hw_interface (vnm, sw_if_index);
+  hw = vnet_get_sup_hw_interface_api_visible_or_null (vnm, sw_if_index);
  if (hw == NULL || avf_device_class.index != hw->dev_class_index)
    return clib_error_return (0, "not an AVF interface");

@ -168,7 +168,7 @@ avf_test_command_fn (vlib_main_t * vm, unformat_input_t * input,
    return clib_error_return (0,
 			      "please specify interface name or sw_if_index");

-  hw = vnet_get_sup_hw_interface (vnm, sw_if_index);
+  hw = vnet_get_sup_hw_interface_api_visible_or_null (vnm, sw_if_index);
  if (hw == NULL || avf_device_class.index != hw->dev_class_index)
    return clib_error_return (0, "not a AVF interface");

--- a/src/plugins/avf/device.c
+++ b/src/plugins/avf/device.c
@ -101,10 +101,9 @@ clib_error_t *
 avf_aq_desc_enq (vlib_main_t * vm, avf_device_t * ad, avf_aq_desc_t * dt,
 		 void *data, int len)
 {
-  avf_main_t *am = &avf_main;
  clib_error_t *err = 0;
  avf_aq_desc_t *d, dc;
-  int n_retry = 5;
+  f64 t0, wait_time, suspend_time = AVF_AQ_ENQ_SUSPEND_TIME;

  d = &ad->atq[ad->atq_next_slot];
  clib_memcpy_fast (d, dt, sizeof (avf_aq_desc_t));
@ -126,22 +125,24 @@ avf_aq_desc_enq (vlib_main_t * vm, avf_device_t * ad, avf_aq_desc_t * dt,
    clib_memcpy_fast (&dc, d, sizeof (avf_aq_desc_t));

  CLIB_MEMORY_BARRIER ();
-  vlib_log_debug (am->log_class, "%U", format_hexdump, data, len);
  ad->atq_next_slot = (ad->atq_next_slot + 1) % AVF_MBOX_LEN;
  avf_reg_write (ad, AVF_ATQT, ad->atq_next_slot);
  avf_reg_flush (ad);

+  t0 = vlib_time_now (vm);
 retry:
-  vlib_process_suspend (vm, 10e-6);
+  vlib_process_suspend (vm, suspend_time);
+  wait_time = vlib_time_now (vm) - t0;

  if (((d->flags & AVF_AQ_F_DD) == 0) || ((d->flags & AVF_AQ_F_CMP) == 0))
    {
-      if (--n_retry == 0)
+      if (wait_time > AVF_AQ_ENQ_MAX_WAIT_TIME)
 	{
 	  err = clib_error_return (0, "adminq enqueue timeout [opcode 0x%x]",
 				   d->opcode);
 	  goto done;
 	}
+      suspend_time *= 2;
      goto retry;
    }

@ -561,7 +562,7 @@ avf_config_promisc_mode (vlib_main_t * vm, avf_device_t * ad)
  virtchnl_promisc_info_t pi = { 0 };

  pi.vsi_id = ad->vsi_id;
-  pi.flags = 1;
+  pi.flags = FLAG_VF_UNICAST_PROMISC | FLAG_VF_MULTICAST_PROMISC;
  return avf_send_to_pf (vm, ad, VIRTCHNL_OP_CONFIG_PROMISCUOUS_MODE, &pi,
 			 sizeof (virtchnl_promisc_info_t), 0, 0);
 }
@ -628,7 +629,8 @@ avf_op_config_irq_map (vlib_main_t * vm, avf_device_t * ad)

  imi->vecmap[0].vector_id = 1;
  imi->vecmap[0].vsi_id = ad->vsi_id;
-  imi->vecmap[0].rxq_map = 1;
+  imi->vecmap[0].rxq_map = (1 << ad->n_rx_queues) - 1;
+  imi->vecmap[0].txq_map = (1 << ad->n_tx_queues) - 1;
  return avf_send_to_pf (vm, ad, VIRTCHNL_OP_CONFIG_IRQ_MAP, msg, msg_len, 0,
 			 0);
 }
@ -1415,10 +1417,20 @@ static char *avf_tx_func_error_strings[] = {
 #undef _
 };

+static void
+avf_clear_hw_interface_counters (u32 instance)
+{
+  avf_main_t *am = &avf_main;
+  avf_device_t *ad = vec_elt_at_index (am->devices, instance);
+  clib_memcpy_fast (&ad->last_cleared_eth_stats,
+		    &ad->eth_stats, sizeof (ad->eth_stats));
+}
+
 /* *INDENT-OFF* */
 VNET_DEVICE_CLASS (avf_device_class,) =
 {
  .name = "Adaptive Virtual Function (AVF) interface",
+  .clear_counters = avf_clear_hw_interface_counters,
  .format_device = format_avf_device,
  .format_device_name = format_avf_device_name,
  .admin_up_down_function = avf_interface_admin_up_down,
--- a/src/plugins/avf/format.c
+++ b/src/plugins/avf/format.c
@ -107,9 +107,10 @@ format_avf_device (u8 * s, va_list * args)
    s = format (s, "\n%Uerror %U", format_white_space, indent,
 		format_clib_error, ad->error);

-#define _(c) if (ad->eth_stats.c) \
+#define _(c) if (ad->eth_stats.c - ad->last_cleared_eth_stats.c) \
  a = format (a, "\n%U%-20U %u", format_white_space, indent + 2, \
-	      format_c_identifier, #c, ad->eth_stats.c);
+	      format_c_identifier, #c,                           \
+              ad->eth_stats.c - ad->last_cleared_eth_stats.c);
  foreach_virtchnl_eth_stats;
 #undef _
  if (a)
--- a/src/plugins/avf/input.c
+++ b/src/plugins/avf/input.c
@ -416,7 +416,7 @@ no_more_desc:
      vlib_frame_t *f;
      ethernet_input_frame_t *ef;
      nf = vlib_node_runtime_get_next_frame (vm, node, next_index);
-      f = vlib_get_frame (vm, nf->frame_index);
+      f = vlib_get_frame (vm, nf->frame);
      f->flags = ETH_INPUT_FRAME_F_SINGLE_SW_IF_IDX;

      ef = vlib_frame_scalar_args (f);
--- a/src/plugins/avf/plugin.c
+++ b/src/plugins/avf/plugin.c
@ -22,7 +22,7 @@
 /* *INDENT-OFF* */
 VLIB_PLUGIN_REGISTER () = {
  .version = VPP_BUILD_VER,
-  .description = "Intel Adaptive Virtual Function (AVF) Device Plugin",
+  .description = "Intel Adaptive Virtual Function (AVF) Device Driver",
 };
 /* *INDENT-ON* */

--- a/src/plugins/avf/virtchnl.h
+++ b/src/plugins/avf/virtchnl.h
@ -21,6 +21,16 @@
 #define VIRTCHNL_VERSION_MAJOR 1
 #define VIRTCHNL_VERSION_MINOR 1

+#define foreach_avf_promisc_flags \
+  _(0, UNICAST_PROMISC, "unicast") \
+  _(1, MULTICAST_PROMISC, "multicast")
+
+enum
+{
+#define _(a, b, c) FLAG_VF_ ##b = (1 << a),
+  foreach_avf_promisc_flags
+#undef _
+};

 #define AVFINT_DYN_CTLN(x)  (0x00003800 + (0x4 * x))
 #define AVFINT_ICR0         0x00004800
--- a/src/plugins/cdp/cdp.c
+++ b/src/plugins/cdp/cdp.c
@ -189,6 +189,7 @@ VLIB_INIT_FUNCTION (cdp_init);
 VLIB_PLUGIN_REGISTER () =
 {
  .version = VPP_BUILD_VER,
+  .description = "Cisco Discovery Protocol (CDP)",
 };
 /* *INDENT-ON* */

--- a/src/plugins/crypto_ia32/main.c
+++ b/src/plugins/crypto_ia32/main.c
@ -57,7 +57,7 @@ VLIB_INIT_FUNCTION (crypto_ia32_init);
 /* *INDENT-OFF* */
 VLIB_PLUGIN_REGISTER () = {
  .version = VPP_BUILD_VER,
-  .description = "Intel AESNI Software Crypto Backend Plugin",
+  .description = "Intel IA32 Software Crypto Engine",
 };
 /* *INDENT-ON* */

--- a/Show More
+++ b/Show More