On Sun, Oct 24, 2021 at 05:05:06PM +0200, Tobias Heider wrote:
> On Sat, Oct 23, 2021 at 10:17:54PM +0200, Tobias Heider wrote:
> > The diff below removes a few leftover tdb_crypto allocations in esp_input()
> > and esp_output(). The allocations were needed to pass arguments to the
> > callback function with the non-blocking crypto API and are redundant now
> > that crypto is blocking.
> > This should result in a notable speedup for ESP.
> >
> > ok?
> >
>
> updated diff to work with bluhm's latest change.
same diff, but with ip_ipsp.h
Index: ip_esp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.181
diff -u -p -r1.181 ip_esp.c
--- ip_esp.c 24 Oct 2021 14:50:42 -0000 1.181
+++ ip_esp.c 24 Oct 2021 15:20:58 -0000
@@ -342,12 +342,12 @@ esp_zeroize(struct tdb *tdbp)
int
esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
{
+ uint8_t abuf[AH_HMAC_MAX_HASHLEN];
const struct auth_hash *esph = tdb->tdb_authalgxform;
const struct enc_xform *espx = tdb->tdb_encalgxform;
struct mbuf *m = *mp;
struct cryptodesc *crde = NULL, *crda = NULL;
struct cryptop *crp = NULL;
- struct tdb_crypto *tc = NULL;
int plen, alen, hlen, error, clen;
u_int32_t btsx, esn;
#ifdef ENCDEBUG
@@ -453,18 +453,6 @@ esp_input(struct mbuf **mp, struct tdb *
goto drop;
}
- /* Get IPsec-specific opaque pointer */
- if (esph == NULL)
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- else
- tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- espstat_inc(esps_crypto);
- error = ENOBUFS;
- goto drop;
- }
-
if (esph) {
crda = &crp->crp_desc[0];
crde = &crp->crp_desc[1];
@@ -491,7 +479,7 @@ esp_input(struct mbuf **mp, struct tdb *
crda->crd_len = m->m_pkthdr.len - (skip + alen);
/* Copy the authenticator */
- m_copydata(m, m->m_pkthdr.len - alen, alen, tc + 1);
+ m_copydata(m, m->m_pkthdr.len - alen, alen, abuf);
} else
crde = &crp->crp_desc[0];
@@ -501,15 +489,6 @@ esp_input(struct mbuf **mp, struct tdb *
crp->crp_buf = (caddr_t)m;
crp->crp_sid = tdb->tdb_cryptoid;
- /* These are passed as-is to the callback */
- tc->tc_skip = skip;
- tc->tc_protoff = protoff;
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = tdb->tdb_sproto;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
- tc->tc_rpl = tdb->tdb_rpl;
-
/* Decryption descriptor */
if (espx) {
crde->crd_skip = skip + hlen;
@@ -543,12 +522,11 @@ esp_input(struct mbuf **mp, struct tdb *
/* Release the crypto descriptors */
crypto_freereq(crp);
- return esp_input_cb(tdb, tc, m, clen);
+ return esp_input_cb(tdb, abuf, skip, protoff, tdb->tdb_rpl, m, clen);
drop:
m_freemp(mp);
crypto_freereq(crp);
- free(tc, M_XDATA, 0);
return error;
}
@@ -556,23 +534,18 @@ esp_input(struct mbuf **mp, struct tdb *
* ESP input callback, called directly by the crypto driver.
*/
int
-esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int clen)
+esp_input_cb(struct tdb *tdb, uint8_t *abuf, int skip, int protoff, uint64_t
rpl,
+ struct mbuf *m, int clen)
{
u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN];
- int hlen, roff, skip, protoff;
+ int hlen, roff;
struct mbuf *m1, *mo;
const struct auth_hash *esph;
- u_int64_t rpl;
u_int32_t btsx, esn;
- caddr_t ptr;
#ifdef ENCDEBUG
char buf[INET6_ADDRSTRLEN];
#endif
- skip = tc->tc_skip;
- protoff = tc->tc_protoff;
- rpl = tc->tc_rpl;
-
NET_ASSERT_LOCKED();
esph = tdb->tdb_authalgxform;
@@ -583,10 +556,8 @@ esp_input_cb(struct tdb *tdb, struct tdb
m_copydata(m, m->m_pkthdr.len - esph->authsize,
esph->authsize, aalg);
- ptr = (caddr_t) (tc + 1);
-
/* Verify authenticator */
- if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
+ if (timingsafe_bcmp(abuf, aalg, esph->authsize)) {
DPRINTF("authentication failed for packet "
"in SA %s/%08x",
ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
@@ -738,15 +709,11 @@ esp_input_cb(struct tdb *tdb, struct tdb
/* Restore the Next Protocol field */
m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT);
- /* Release the crypto descriptors */
- free(tc, M_XDATA, 0);
-
/* Back to generic IPsec input processing */
return ipsec_common_input_cb(m, tdb, skip, protoff);
baddone:
m_freem(m);
- free(tc, M_XDATA, 0);
return -1;
}
@@ -762,7 +729,6 @@ esp_output(struct mbuf *m, struct tdb *t
u_int64_t replay64;
u_int32_t replay;
struct mbuf *mi, *mo = (struct mbuf *) NULL;
- struct tdb_crypto *tc = NULL;
unsigned char *pad;
u_int8_t prot;
#ifdef ENCDEBUG
@@ -978,20 +944,6 @@ esp_output(struct mbuf *m, struct tdb *t
} else
crda = &crp->crp_desc[0];
- /* IPsec-specific opaque crypto info. */
- tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
- if (tc == NULL) {
- DPRINTF("failed to allocate tdb_crypto");
- espstat_inc(esps_crypto);
- error = ENOBUFS;
- goto drop;
- }
-
- tc->tc_spi = tdb->tdb_spi;
- tc->tc_proto = tdb->tdb_sproto;
- tc->tc_rdomain = tdb->tdb_rdomain;
- tc->tc_dst = tdb->tdb_dst;
-
/* Crypto operation descriptor. */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE;
@@ -1043,28 +995,15 @@ esp_output(struct mbuf *m, struct tdb *t
/* Release the crypto descriptors */
crypto_freereq(crp);
- return esp_output_cb(tdb, tc, m, ilen, olen);
-
- drop:
- m_freem(m);
- crypto_freereq(crp);
- free(tc, M_XDATA, 0);
- return error;
-}
-
-int
-esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int ilen,
- int olen)
-{
- int error;
-
- /* Release crypto descriptors. */
- free(tc, M_XDATA, 0);
-
/* Call the IPsec input callback. */
error = ipsp_process_done(m, tdb);
if (error)
espstat_inc(esps_outfail);
+ return (error);
+
+ drop:
+ m_freem(m);
+ crypto_freereq(crp);
return error;
}
Index: ip_ipsp.h
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
retrieving revision 1.212
diff -u -p -r1.212 ip_ipsp.h
--- ip_ipsp.h 23 Oct 2021 22:19:37 -0000 1.212
+++ ip_ipsp.h 24 Oct 2021 15:20:58 -0000
@@ -590,10 +590,8 @@ int esp_attach(void);
int esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
int esp_zeroize(struct tdb *);
int esp_input(struct mbuf **, struct tdb *, int, int);
-int esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
+int esp_input_cb(struct tdb *, uint8_t *, int, int, uint64_t, struct mbuf
*, int);
int esp_output(struct mbuf *, struct tdb *, int, int);
-int esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
- int);
int esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int esp4_input(struct mbuf **, int *, int, int);
