On Sun, Oct 24, 2021 at 05:05:06PM +0200, Tobias Heider wrote: > On Sat, Oct 23, 2021 at 10:17:54PM +0200, Tobias Heider wrote: > > The diff below removes a few leftover tdb_crypto allocations in esp_input() > > and esp_output(). The allocations were needed to pass arguments to the > > callback function with the non-blocking crypto API and are redundant now > > that crypto is blocking. > > This should result in a notable speedup for ESP. > > > > ok? > > > > updated diff to work with bluhm's latest change.
same diff, but with ip_ipsp.h Index: ip_esp.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_esp.c,v retrieving revision 1.181 diff -u -p -r1.181 ip_esp.c --- ip_esp.c 24 Oct 2021 14:50:42 -0000 1.181 +++ ip_esp.c 24 Oct 2021 15:20:58 -0000 @@ -342,12 +342,12 @@ esp_zeroize(struct tdb *tdbp) int esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) { + uint8_t abuf[AH_HMAC_MAX_HASHLEN]; const struct auth_hash *esph = tdb->tdb_authalgxform; const struct enc_xform *espx = tdb->tdb_encalgxform; struct mbuf *m = *mp; struct cryptodesc *crde = NULL, *crda = NULL; struct cryptop *crp = NULL; - struct tdb_crypto *tc = NULL; int plen, alen, hlen, error, clen; u_int32_t btsx, esn; #ifdef ENCDEBUG @@ -453,18 +453,6 @@ esp_input(struct mbuf **mp, struct tdb * goto drop; } - /* Get IPsec-specific opaque pointer */ - if (esph == NULL) - tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); - else - tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - DPRINTF("failed to allocate tdb_crypto"); - espstat_inc(esps_crypto); - error = ENOBUFS; - goto drop; - } - if (esph) { crda = &crp->crp_desc[0]; crde = &crp->crp_desc[1]; @@ -491,7 +479,7 @@ esp_input(struct mbuf **mp, struct tdb * crda->crd_len = m->m_pkthdr.len - (skip + alen); /* Copy the authenticator */ - m_copydata(m, m->m_pkthdr.len - alen, alen, tc + 1); + m_copydata(m, m->m_pkthdr.len - alen, alen, abuf); } else crde = &crp->crp_desc[0]; @@ -501,15 +489,6 @@ esp_input(struct mbuf **mp, struct tdb * crp->crp_buf = (caddr_t)m; crp->crp_sid = tdb->tdb_cryptoid; - /* These are passed as-is to the callback */ - tc->tc_skip = skip; - tc->tc_protoff = protoff; - tc->tc_spi = tdb->tdb_spi; - tc->tc_proto = tdb->tdb_sproto; - tc->tc_rdomain = tdb->tdb_rdomain; - tc->tc_dst = tdb->tdb_dst; - tc->tc_rpl = tdb->tdb_rpl; - /* Decryption descriptor */ if (espx) { crde->crd_skip = skip + hlen; @@ -543,12 +522,11 @@ esp_input(struct mbuf **mp, struct tdb * /* Release the crypto descriptors */ crypto_freereq(crp); - return esp_input_cb(tdb, tc, m, clen); + return esp_input_cb(tdb, abuf, skip, protoff, tdb->tdb_rpl, m, clen); drop: m_freemp(mp); crypto_freereq(crp); - free(tc, M_XDATA, 0); return error; } @@ -556,23 +534,18 @@ esp_input(struct mbuf **mp, struct tdb * * ESP input callback, called directly by the crypto driver. */ int -esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int clen) +esp_input_cb(struct tdb *tdb, uint8_t *abuf, int skip, int protoff, uint64_t rpl, + struct mbuf *m, int clen) { u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN]; - int hlen, roff, skip, protoff; + int hlen, roff; struct mbuf *m1, *mo; const struct auth_hash *esph; - u_int64_t rpl; u_int32_t btsx, esn; - caddr_t ptr; #ifdef ENCDEBUG char buf[INET6_ADDRSTRLEN]; #endif - skip = tc->tc_skip; - protoff = tc->tc_protoff; - rpl = tc->tc_rpl; - NET_ASSERT_LOCKED(); esph = tdb->tdb_authalgxform; @@ -583,10 +556,8 @@ esp_input_cb(struct tdb *tdb, struct tdb m_copydata(m, m->m_pkthdr.len - esph->authsize, esph->authsize, aalg); - ptr = (caddr_t) (tc + 1); - /* Verify authenticator */ - if (timingsafe_bcmp(ptr, aalg, esph->authsize)) { + if (timingsafe_bcmp(abuf, aalg, esph->authsize)) { DPRINTF("authentication failed for packet " "in SA %s/%08x", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)), @@ -738,15 +709,11 @@ esp_input_cb(struct tdb *tdb, struct tdb /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT); - /* Release the crypto descriptors */ - free(tc, M_XDATA, 0); - /* Back to generic IPsec input processing */ return ipsec_common_input_cb(m, tdb, skip, protoff); baddone: m_freem(m); - free(tc, M_XDATA, 0); return -1; } @@ -762,7 +729,6 @@ esp_output(struct mbuf *m, struct tdb *t u_int64_t replay64; u_int32_t replay; struct mbuf *mi, *mo = (struct mbuf *) NULL; - struct tdb_crypto *tc = NULL; unsigned char *pad; u_int8_t prot; #ifdef ENCDEBUG @@ -978,20 +944,6 @@ esp_output(struct mbuf *m, struct tdb *t } else crda = &crp->crp_desc[0]; - /* IPsec-specific opaque crypto info. */ - tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO); - if (tc == NULL) { - DPRINTF("failed to allocate tdb_crypto"); - espstat_inc(esps_crypto); - error = ENOBUFS; - goto drop; - } - - tc->tc_spi = tdb->tdb_spi; - tc->tc_proto = tdb->tdb_sproto; - tc->tc_rdomain = tdb->tdb_rdomain; - tc->tc_dst = tdb->tdb_dst; - /* Crypto operation descriptor. */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */ crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE; @@ -1043,28 +995,15 @@ esp_output(struct mbuf *m, struct tdb *t /* Release the crypto descriptors */ crypto_freereq(crp); - return esp_output_cb(tdb, tc, m, ilen, olen); - - drop: - m_freem(m); - crypto_freereq(crp); - free(tc, M_XDATA, 0); - return error; -} - -int -esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int ilen, - int olen) -{ - int error; - - /* Release crypto descriptors. */ - free(tc, M_XDATA, 0); - /* Call the IPsec input callback. */ error = ipsp_process_done(m, tdb); if (error) espstat_inc(esps_outfail); + return (error); + + drop: + m_freem(m); + crypto_freereq(crp); return error; } Index: ip_ipsp.h =================================================================== RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v retrieving revision 1.212 diff -u -p -r1.212 ip_ipsp.h --- ip_ipsp.h 23 Oct 2021 22:19:37 -0000 1.212 +++ ip_ipsp.h 24 Oct 2021 15:20:58 -0000 @@ -590,10 +590,8 @@ int esp_attach(void); int esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *); int esp_zeroize(struct tdb *); int esp_input(struct mbuf **, struct tdb *, int, int); -int esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int); +int esp_input_cb(struct tdb *, uint8_t *, int, int, uint64_t, struct mbuf *, int); int esp_output(struct mbuf *, struct tdb *, int, int); -int esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int, - int); int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t); int esp4_input(struct mbuf **, int *, int, int);