Right now majority of lib mode functional tests enable
library mode with '-w N' option.
It worked till recently, as legacy mode didn't support replay window.
Now it changed.
To fix - use '-l' option to enable library mode explicitly.
Fixes: 9297844520 ("examples/ipsec-secgw: add scripts for functional test")
Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
The rte_security lib has introduced replay_win_sz,
so it can be removed from the rte_ipsec lib.
The relevant tests, app are also update to reflect
the usages.
Note that esn and anti-replay fileds were earlier used
only for ipsec library, they were enabling the libipsec
by default. With this change esn and anti-replay setting
will not automatically enabled libipsec.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
At present the ipsec xfrom is missing the important step
to configure the anti replay window size.
The newly added field will also help in to enable or disable
the anti replay checking, if available in offload by means
of non-zero or zero value.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
As per RFC4868, SHA-256 should use 128 bits of ICV.
Fixes: b5350285ce ("examples/ipsec-secgw: support SHA256 HMAC")
Cc: stable@dpdk.org
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
The protocol aware ipsec descriptor has been modified to
use ctr_initial value of 1 and salt configured for ipsec SA.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
As per RFC3686, the initial aes-ctr counter value should be '1' for use
in ipsec. The patches changes SEC descriptor for using correct counter
value. In addition, it drops a redundant parameter for passing IV while
creating the descriptor.
This patch adds changes for all NXP crypto PMDs
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch throw the warning when using truncated digest
len for SHA256 case.
As per RFC4868, SHA-256 should use 128 bits of ICV.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch enables short buffer and 12 bit IV AES-CTR cases
for dpaax_sec pmds.
Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
This patch add support for AES-128-GCM, when used in
lookaside protocol offload case.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
These are supported when using protocol offload mode or when
in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
These are supported when using protocol offload mode or in chain mode.
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
set the pdcp capa_flags to 0 by default.
Fixes: a1173d5559 ("crypto/dpaa_sec: support PDCP offload")
Cc: stable@dpdk.org
Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
IPSec Multi buffer library supports encryption on multiple segments.
When dealing with chained buffers (multiple segments), as long as
the operation is in-place, the destination buffer does not have to
be contiguous (unlike in the case of out-of-place operation).
Therefore, the limitation of not supporting in-place chained mbuf
can be removed.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
Updated AESNI MB and AESNI GCM PMD documentation guides
with information about the latest Intel IPSec Multi-buffer
library supported.
Signed-off-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
The example IPsec application does not work properly when using
AES-GCM with crypto_openssl.
ESP with AES-GCM uses standard 96bit long algorithm IV ([1]) which
later concatenated with be32(1) forms a J0 block. GCM specification
([2], chapter 7.1) states that when length of IV is different than
96b, in order to format a J0 block, GHASH function must be used.
According to specification ([2], chapter 5.1.1) GCM implementations
should support standard 96bit IVs, other lengths are optional. Every
DPDK cryptodev supports 96bit IV and few of them supports 128bit
IV as well (openssl, mrvl, ccp). When passing iv::length=16 to a
cryptodev which does support standard IVs only (e.g. qat) it
implicitly uses starting 96 bits. On the other hand, openssl follows
specification and uses GHASH to compute J0 for that case which results
in different than expected J0 values used for encryption/decryption.
Fix an inability to use AES-GCM with crypto_openssl by changing IV
length to the standard value of 12.
[1] RFC4106, section "4. Nonce format" and "3.1. Initialization Vector"
https://tools.ietf.org/html/rfc4106
[2] NIST SP800-38D
https://csrc.nist.gov/publications/detail/sp/800-38d/final
Fixes: 0fbd75a99f ("cryptodev: move IV parameters to session")
Cc: stable@dpdk.org
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
FD retrieved from SEC after crypto processing provides
an updated length of the buffer which need to be updated
in mbuf. The difference in length can be negative hence
changing diff to int32_t from uint32_t.
Fixes: 0a23d4b6f4 ("crypto/dpaa2_sec: support protocol offload IPsec")
Cc: stable@dpdk.org
Signed-off-by: Akhil Goyal <akhil.goyal@nxp.com>
Coverity reported about two division by zero:
*** CID 350344: Incorrect expression (DIVIDE_BY_ZERO)
Although in fact these dividers will never be equal to 0,
adding explicit checks in lookup() to make coverity happy
will not affect the execution speed.
Fixes: 908be0651a ("app/test-sad: add test application for IPsec SAD")
Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Add tests for offload fallback feature; add inbound config modificator
SGW_CFG_XPRM_IN (offload fallback setting can be set only for inbound
SAs). Tests are using cryptodev for outbound SA.
To test fragmentation with QAT set:
MULTI_SEG_TEST="--reassemble=4096 --cryptodev_mask=0x5555"
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
Due to fragment loss on highly saturated links and long fragment
lifetime, ipsec-secgw application quickly runs out of free reassembly
buckets. As a result new fragments are being dropped.
Introduce --frag-ttl option which allow user to lower default fragment
lifetime which solves problem of saturated reassembly buckets with high
bandwidth fragmented traffic.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Inline processing is limited to a specified subset of traffic. It is
often unable to handle more complicated situations, such as fragmented
traffic. When using inline processing such traffic is dropped.
Introduce fallback session for inline crypto processing allowing
handling packets that normally would be dropped. A fallback session is
configured by adding 'fallback' keyword with 'lookaside-none' parameter
to an SA configuration. Only 'inline-crypto-offload" as a primary
session and 'lookaside-none' as a fall-back session combination is
supported by this patch.
Fallback session feature is not available in the legacy mode.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
Cleanup ipsec_sa structure by removing every field that is already in
the rte_ipsec_session structure:
* cryptodev/security session union
* action type
* offload flags
* security context
References to abovementioned fields are changed to direct references
to matching fields of rte_ipsec_session structure.
Such refactoring is needed to introduce many sessions per SA feature,
e.g. fallback session for inline offload processing.
Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Acked-by: Radu Nicolau <radu.nicolau@intel.com>
Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
Tested-by: Bernard Iremonger <bernard.iremonger@intel.com>
The LTO job using gcc-7 has two issues at the moment:
- warnings about implicit fallthroughs trigger build errors:
In file included from ...common/include/rte_memory.h:22:0,
from ...linux/eal/eal_hugepage_info.c:24:
...common/include/rte_common.h: In function ‘rte_str_to_size’:
...common/include/rte_common.h:744:27: error: this statement may
fall through [-Werror=implicit-fallthrough=]
case 'G': case 'g': size *= 1024; /* fall-through */
~~~~~^~~~~~~
- if we disable this warning, linking the binaries takes too much time
and the job is terminated by Travis because it reaches the maximum
time limit
Fixes: 098cc0fea3 ("build: add option to enable LTO")
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
This disables OCTEON TX2 for gcc 4.8.5 as the compiler is
emitting "internal compiler error" for aarch64.
Fixes: 9a8864c8b5 ("net/octeontx2: add build and doc infrastructure")
Cc: stable@dpdk.org
Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
Acked-by: Jerin Jacob <jerinj@marvell.com>
OcteonTx was disabled for causing an internal compiler error on old gcc
versions.
See commit 4f760550a0 ("mk: disable OcteonTx for buggy compilers").
The condition that was added later to apply disabling OcteonTx
only on arm64 caused the condition to never be obeyed because it
compares ["arm64"] to [arm64].
This fixes the condition by using RTE_ARCH instead of CONFIG_RTE_ARCH,
because the former has the quotes removed, while the later doesn't.
Fixes: f3af3e44a4 ("mk: disable OcteonTx for buggy compilers only on arm64")
Cc: stable@dpdk.org
Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
Acked-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Jerin Jacob <jerinj@marvell.com>
Ubuntu ships with a patched version of doxygen that enables
HAVE_DOT (disabled by default). Enabling this option causes the warning:
"""
warning: Included by graph for 'rte_common.h' not generated,
too many nodes. Consider increasing DOT_GRAPH_MAX_NODES
"""
This reproduces with doxygen version 1.8.13 and
dot - graphviz version 2.40.1 on Ubuntu 18.04.
This will force doxygen not to assume that dot (part of Graphviz)
is installed, and will result in dot not being used for visualization.
If someone still needs to generate the graphs, the following can
be considered:
- Increase DOT_GRAPH_MAX_NODES to a large value.
- Set HAVE_DOT for more powerful graphs.
- Set DOT_IMAGE_FORMAT=svg to generate svg images.
- Set INTERACTIVE_SVG=YES to allow zooming and panning.
See:
- http://changelogs.ubuntu.com/changelogs/pool/main/d/doxygen/doxygen_1.8.13-10/changelog
- http://www.doxygen.nl/manual/config.html#cfg_have_dot
- https://github.com/doxygen/doxygen/issues/7345
Signed-off-by: Ali Alnubani <alialnu@mellanox.com>
Acked-by: John McNamara <john.mcnamara@intel.com>
RBP or route by ports can help in translating the DMA
address over the PCI. Thus adding the RBP support with
long and short formats
Signed-off-by: Minghuan Lian <minghuan.lian@nxp.com>
Signed-off-by: Sachin Saxena <sachin.saxena@nxp.com>
Signed-off-by: Nipun Gupta <nipun.gupta@nxp.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
CC l2fwd_event_generic.o
.../l2fwd_event_generic.c: In function
‘l2fwd_rx_tx_adapter_setup_generic’:
.../l2fwd_event_generic.c:203:3: error: missing initializer for field
‘impl_opaque’ of ‘struct <anonymous>’
[-Werror=missing-field-initializers]
}
^
In file included from .../l2fwd_event_generic.c:10:0:
.../include/rte_eventdev.h:1057:12: note: ‘impl_opaque’ declared here
uint8_t impl_opaque;
^
CC l2fwd_event_internal_port.o
.../l2fwd_event_internal_port.c: In function
‘l2fwd_rx_tx_adapter_setup_internal_port’:
.../l2fwd_event_internal_port.c:201:3: error: missing initializer for
field ‘impl_opaque’ of ‘struct <anonymous>’
[-Werror=missing-field-initializers]
}
^
In file included from .../l2fwd_event_internal_port.c:10:0:
.../include/rte_eventdev.h:1057:12: note: ‘impl_opaque’ declared here
uint8_t impl_opaque;
^
Fixes: 50f05aa6ed ("examples/l2fwd-event: setup Rx/Tx adapter")
Signed-off-by: David Marchand <david.marchand@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
This commented out todo and code is old. Remove it.
Fixes: b7435d660a ("net/bnxt: add ntuple filtering support")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Ajit Khaparde <ajit.khaparde@broadcom.com>
Some variables are commented out. Remove them.
Fixes: d548ef513c ("event/opdl: add unit tests")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Liang Ma <liang.j.ma@intel.com>
This code is commented out. Remove it.
Fixes: 43e610bb85 ("compress/octeontx: introduce octeontx zip PMD")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
These struct members and variable were commented out. Remove them.
Fixes: c01c748e4a ("net/ipn3ke: add new driver")
Fixes: c820468ac9 ("net/ipn3ke: support TM")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Rosen Xu <rosen.xu@intel.com>
Coverity complains that this statement is not needed as the goto
label is on the next line anyway. Remove the if statement.
653 ret = ipn3ke_cfg_parse_i40e_pf_ethdev(afu_name, pf_name);
CID 337930 (#1 of 1): Identical code for different branches
(IDENTICAL_BRANCHES)identical_branches: The same code is executed
when the condition ret is true or false, because the code in the
if-then branch and after the if statement is identical. Should
the if statement be removed?
654 if (ret)
655 goto end;
implicit_else: The code from the above if-then branch is identical
to the code after the if statement.
656end:
Coverity issue: 337930
Fixes: c01c748e4a ("net/ipn3ke: add new driver")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Rosen Xu <rosen.xu@intel.com>
Coverity is complaining about identical code regardless of which branch
of the if else is taken. Functionally it means an error will always be
returned if this if else is hit. Remove the else branch.
CID 337928 (#1 of 1): Identical code for different branches
(IDENTICAL_BRANCHES)identical_branches: The same code is executed
regardless of whether n->level != IPN3KE_TM_NODE_LEVEL_COS ||
n->n_children != 0U is true, because the 'then' and 'else' branches
are identical. Should one of the branches be modified, or the entire
'if' statement replaced?
1506 if (n->level != IPN3KE_TM_NODE_LEVEL_COS ||
1507 n->n_children != 0) {
1508 return -rte_tm_error_set(error,
1509 EINVAL,
1510 RTE_TM_ERROR_TYPE_UNSPECIFIED,
1511 NULL,
1512 rte_strerror(EINVAL));
else_branch: The else branch, identical to the then branch.
1513 } else {
1514 return -rte_tm_error_set(error,
1515 EINVAL,
1516 RTE_TM_ERROR_TYPE_UNSPECIFIED,
1517 NULL,
1518 rte_strerror(EINVAL));
1519 }
Coverity issue: 337928
Fixes: c820468ac9 ("net/ipn3ke: support TM")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: Rosen Xu <rosen.xu@intel.com>
Coverity complains that ctrl_flags is set to NULL at the start
of the function and it may not have been set before there is a
jump to fc_success and it is dereferenced.
Check for NULL before dereference.
312fc_success:
CID 344983 (#1 of 1): Explicit null dereferenced
(FORWARD_NULL)7. var_deref_op: Dereferencing null pointer ctrl_flags.
313 *ctrl_flags = rte_cpu_to_be_64(*ctrl_flags);
Coverity issue: 344983
Fixes: 6cc5409652 ("crypto/octeontx: add supported sessions")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>
Previously rx/tx_queues were passed into eth_from_pcaps_common()
as ptrs and were checked for being NULL.
In commit da6ba28f05 ("net/pcap: use a struct to pass user options")
that changed to pass in a ptr to a pmd_devargs_all which contains
the rx/tx_queues.
The parameter checking was not updated as part of that commit and
coverity caught that there was still a check if rx/tx_queues were
NULL, apparently after they had been dereferenced.
In fact as they are a members of the devargs_all struct, they will
not be NULL so remove those checks.
1231 struct pmd_devargs *rx_queues = &devargs_all->rx_queues;
1232 struct pmd_devargs *tx_queues = &devargs_all->tx_queues;
1233 const unsigned int nb_rx_queues = rx_queues->num_of_queue;
deref_ptr: Directly dereferencing pointer tx_queues.
1234 const unsigned int nb_tx_queues = tx_queues->num_of_queue;
1235 unsigned int i;
1236
1237 /* do some parameter checking */
CID 345004: Dereference before null check (REVERSE_INULL)
[select issue]
1238 if (rx_queues == NULL && nb_rx_queues > 0)
1239 return -1;
CID 345029 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking tx_queues suggests that it may be
null, but it has already been dereferenced on all paths leading to
the check.
1240 if (tx_queues == NULL && nb_tx_queues > 0)
1241 return -1;
Coverity issue: 345029
Coverity issue: 345044
Fixes: da6ba28f05 ("net/pcap: use a struct to pass user options")
Cc: stable@dpdk.org
Signed-off-by: Kevin Traynor <ktraynor@redhat.com>
Acked-by: Cian Ferriter <cian.ferriter@intel.com>
The constants like AF_INET are in sys/socket.h in FreeBSD.
The #ifdef macro __FreeBSD__ is replaced with RTE_EXEC_ENV_FREEBSD
in order to be consistent across DPDK files, and allow to grep
for EXEC_ENV among other benefits.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
Acked-by: Olivier Matz <olivier.matz@6wind.com>
The original patch used incorrect subnet range for testing.
Fixes: 37afe381bd ("examples/l3fwd: use reserved IP addresses")
Cc: stable@dpdk.org
Reported-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Reported-by: Ferruh Yigit <ferruh.yigit@intel.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘transceiver_type’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
switch (transceiver_type) {
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘features’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
if (RTE_VHOST_NEED_LOG(features)) {
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘filter_idx’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
PMD_DRV_LOG(INFO, "Added port %d with AQ command with index %d",
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘link’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
if (link) {
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
This patch fixes 'maybe-uninitialized' warnings reported by compiler
when using LTO.
Compiler warning pointing to this error (with LTO enabled):
error: ‘kg_cfg.extracts[0].masks[0].mask’ may be used uninitialized in
this function [-Werror=maybe-uninitialized]
extr->masks[j].mask = cfg->extracts[i].masks[j].mask;
Fixes: 16bbc98a3e ("bus/fslmc: update MC to 10.3.x")
Cc: stable@dpdk.org
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘stats.greatest_free_size’ may be used uninitialized in this
function [-Werror=maybe-uninitialized]
return len - overhead;
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
Acked-by: Yipeng Wang <yipeng1.wang@intel.com>
During LTO build compiler reports some 'false positive' warnings about
variables being possibly used uninitialized. This patch silences these
warnings.
Exemplary compiler warning to suppress (with LTO enabled):
error: ‘chunk’ may be used uninitialized in this function
[-Werror=maybe-uninitialized]
bkt->current_chunk = (uintptr_t)chunk;
Signed-off-by: Andrzej Ostruszka <aostruszka@marvell.com>
