On Sun, Oct 24, 2021 at 05:21:35PM +0200, Tobias Heider wrote:
> On Sun, Oct 24, 2021 at 05:05:06PM +0200, Tobias Heider wrote:
> > On Sat, Oct 23, 2021 at 10:17:54PM +0200, Tobias Heider wrote:
> > > The diff below removes a few leftover tdb_crypto allocations in 
> > > esp_input()
> > > and esp_output().  The allocations were needed to pass arguments to the
> > > callback function with the non-blocking crypto API and are redundant now
> > > that crypto is blocking.
> > > This should result in a notable speedup for ESP.
> > > 
> > > ok?
> > > 
> > 
> > updated diff to work with bluhm's latest change.
> 
> same diff, but with ip_ipsp.h

Passes IPsec regress.  OK bluhm@

> Index: ip_esp.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_esp.c,v
> retrieving revision 1.181
> diff -u -p -r1.181 ip_esp.c
> --- ip_esp.c  24 Oct 2021 14:50:42 -0000      1.181
> +++ ip_esp.c  24 Oct 2021 15:20:58 -0000
> @@ -342,12 +342,12 @@ esp_zeroize(struct tdb *tdbp)
>  int
>  esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
>  {
> +     uint8_t abuf[AH_HMAC_MAX_HASHLEN];
>       const struct auth_hash *esph = tdb->tdb_authalgxform;
>       const struct enc_xform *espx = tdb->tdb_encalgxform;
>       struct mbuf *m = *mp;
>       struct cryptodesc *crde = NULL, *crda = NULL;
>       struct cryptop *crp = NULL;
> -     struct tdb_crypto *tc = NULL;
>       int plen, alen, hlen, error, clen;
>       u_int32_t btsx, esn;
>  #ifdef ENCDEBUG
> @@ -453,18 +453,6 @@ esp_input(struct mbuf **mp, struct tdb *
>               goto drop;
>       }
>  
> -     /* Get IPsec-specific opaque pointer */
> -     if (esph == NULL)
> -             tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
> -     else
> -             tc = malloc(sizeof(*tc) + alen, M_XDATA, M_NOWAIT | M_ZERO);
> -     if (tc == NULL) {
> -             DPRINTF("failed to allocate tdb_crypto");
> -             espstat_inc(esps_crypto);
> -             error = ENOBUFS;
> -             goto drop;
> -     }
> -
>       if (esph) {
>               crda = &crp->crp_desc[0];
>               crde = &crp->crp_desc[1];
> @@ -491,7 +479,7 @@ esp_input(struct mbuf **mp, struct tdb *
>                       crda->crd_len = m->m_pkthdr.len - (skip + alen);
>  
>               /* Copy the authenticator */
> -             m_copydata(m, m->m_pkthdr.len - alen, alen, tc + 1);
> +             m_copydata(m, m->m_pkthdr.len - alen, alen, abuf);
>       } else
>               crde = &crp->crp_desc[0];
>  
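Review bot: The `m_copydata(m, m->m_pkthdr.len - alen, alen, abuf)` call now writes `alen` bytes into the fixed stack array `uint8_t abuf[AH_HMAC_MAX_HASHLEN]` declared in the first hunk, and nothing in the visible hunks bounds `alen` against that array. The removed code sized its heap buffer as `sizeof(*tc) + alen`, so it could not overrun. `alen` is computed outside these hunks, presumably from `esph->authsize`, and `esp_input_cb()` already copies `esph->authsize` bytes into `aalg[AH_HMAC_MAX_HASHLEN]`, so the bound may hold by construction. An explicit `KASSERT(alen <= sizeof(abuf));` before the copy would make that invariant checkable and stop a future larger authenticator from overwriting the kernel stack. The enclosing `if (esph)` block starts outside the hunk.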
> @@ -501,15 +489,6 @@ esp_input(struct mbuf **mp, struct tdb *
>       crp->crp_buf = (caddr_t)m;
>       crp->crp_sid = tdb->tdb_cryptoid;
>  
> -     /* These are passed as-is to the callback */
> -     tc->tc_skip = skip;
> -     tc->tc_protoff = protoff;
> -     tc->tc_spi = tdb->tdb_spi;
> -     tc->tc_proto = tdb->tdb_sproto;
> -     tc->tc_rdomain = tdb->tdb_rdomain;
> -     tc->tc_dst = tdb->tdb_dst;
> -     tc->tc_rpl = tdb->tdb_rpl;
> -
>       /* Decryption descriptor */
>       if (espx) {
>               crde->crd_skip = skip + hlen;
> @@ -543,12 +522,11 @@ esp_input(struct mbuf **mp, struct tdb *
>       /* Release the crypto descriptors */
>       crypto_freereq(crp);
>  
> -     return esp_input_cb(tdb, tc, m, clen);
> +     return esp_input_cb(tdb, abuf, skip, protoff, tdb->tdb_rpl, m, clen);
>  
>   drop:
>       m_freemp(mp);
>       crypto_freereq(crp);
> -     free(tc, M_XDATA, 0);
>       return error;
>  }
>  
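Review bot: `tdb->tdb_rpl` is now read at the `esp_input_cb()` call, after the crypto request has completed, whereas the removed `tc->tc_rpl = tdb->tdb_rpl` took its snapshot before the request was dispatched. Whether the counter can advance in between depends on locking that is not visible in this hunk. If it can, the callback would see a different replay value than any check made earlier in `esp_input()`. If the pre-crypto value is the one intended, capture it in a local such as `uint64_t rpl = tdb->tdb_rpl;` next to the earlier check and pass that. Otherwise a short comment at the call, for example `/* tdb_rpl cannot change here: crypto is synchronous and the net lock is held */`, would record why reading it late is safe.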
> @@ -556,23 +534,18 @@ esp_input(struct mbuf **mp, struct tdb *
>   * ESP input callback, called directly by the crypto driver.
>   */
>  int
> -esp_input_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int 
> clen)
> +esp_input_cb(struct tdb *tdb, uint8_t *abuf, int skip, int protoff, uint64_t 
> rpl,
> +    struct mbuf *m, int clen)
>  {
>       u_int8_t lastthree[3], aalg[AH_HMAC_MAX_HASHLEN];
> -     int hlen, roff, skip, protoff;
> +     int hlen, roff;
>       struct mbuf *m1, *mo;
>       const struct auth_hash *esph;
> -     u_int64_t rpl;
>       u_int32_t btsx, esn;
> -     caddr_t ptr;
>  #ifdef ENCDEBUG
>       char buf[INET6_ADDRSTRLEN];
>  #endif
>  
> -     skip = tc->tc_skip;
> -     protoff = tc->tc_protoff;
> -     rpl = tc->tc_rpl;
> -
>       NET_ASSERT_LOCKED();
>  
>       esph = tdb->tdb_authalgxform;
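Review bot: The header comment kept above `esp_input_cb()` still says "called directly by the crypto driver", but after this change the function is called synchronously from `esp_input()` with plain arguments. Something like `/* ESP input processing after decryption, called directly from esp_input(). */` would match the new call path. The new `abuf` parameter is only read in the visible lines (it is passed to `timingsafe_bcmp`), so it could be declared `const uint8_t *abuf` here and in the `ip_ipsp.h` prototype. The new signature also uses `uint8_t`/`uint64_t` while the locals in the same function use `u_int8_t`/`u_int32_t`, so picking one spelling would keep the function consistent. The function body continues outside the hunk.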
> @@ -583,10 +556,8 @@ esp_input_cb(struct tdb *tdb, struct tdb
>               m_copydata(m, m->m_pkthdr.len - esph->authsize,
>                   esph->authsize, aalg);
>  
> -             ptr = (caddr_t) (tc + 1);
> -
>               /* Verify authenticator */
> -             if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
> +             if (timingsafe_bcmp(abuf, aalg, esph->authsize)) {
>                       DPRINTF("authentication failed for packet "
>                           "in SA %s/%08x",
>                           ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
> @@ -738,15 +709,11 @@ esp_input_cb(struct tdb *tdb, struct tdb
>       /* Restore the Next Protocol field */
>       m_copyback(m, protoff, sizeof(u_int8_t), lastthree + 2, M_NOWAIT);
>  
> -     /* Release the crypto descriptors */
> -     free(tc, M_XDATA, 0);
> -
>       /* Back to generic IPsec input processing */
>       return ipsec_common_input_cb(m, tdb, skip, protoff);
>  
>   baddone:
>       m_freem(m);
> -     free(tc, M_XDATA, 0);
>       return -1;
>  }
>  
> @@ -762,7 +729,6 @@ esp_output(struct mbuf *m, struct tdb *t
>       u_int64_t replay64;
>       u_int32_t replay;
>       struct mbuf *mi, *mo = (struct mbuf *) NULL;
> -     struct tdb_crypto *tc = NULL;
>       unsigned char *pad;
>       u_int8_t prot;
>  #ifdef ENCDEBUG
> @@ -978,20 +944,6 @@ esp_output(struct mbuf *m, struct tdb *t
>       } else
>               crda = &crp->crp_desc[0];
>  
> -     /* IPsec-specific opaque crypto info. */
> -     tc = malloc(sizeof(*tc), M_XDATA, M_NOWAIT | M_ZERO);
> -     if (tc == NULL) {
> -             DPRINTF("failed to allocate tdb_crypto");
> -             espstat_inc(esps_crypto);
> -             error = ENOBUFS;
> -             goto drop;
> -     }
> -
> -     tc->tc_spi = tdb->tdb_spi;
> -     tc->tc_proto = tdb->tdb_sproto;
> -     tc->tc_rdomain = tdb->tdb_rdomain;
> -     tc->tc_dst = tdb->tdb_dst;
> -
>       /* Crypto operation descriptor. */
>       crp->crp_ilen = m->m_pkthdr.len; /* Total input length. */
>       crp->crp_flags = CRYPTO_F_IMBUF | CRYPTO_F_MPSAFE;
> @@ -1043,28 +995,15 @@ esp_output(struct mbuf *m, struct tdb *t
>       /* Release the crypto descriptors */
>       crypto_freereq(crp);
>  
> -     return esp_output_cb(tdb, tc, m, ilen, olen);
> -
> - drop:
> -     m_freem(m);
> -     crypto_freereq(crp);
> -     free(tc, M_XDATA, 0);
> -     return error;
> -}
> -
> -int
> -esp_output_cb(struct tdb *tdb, struct tdb_crypto *tc, struct mbuf *m, int 
> ilen,
> -    int olen)
> -{
> -     int error;
> -
> -     /* Release crypto descriptors. */
> -     free(tc, M_XDATA, 0);
> -
>       /* Call the IPsec input callback. */
>       error = ipsp_process_done(m, tdb);
>       if (error)
>               espstat_inc(esps_outfail);
> +     return (error);
> +
> + drop:
> +     m_freem(m);
> +     crypto_freereq(crp);
>       return error;
>  }
>  
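Review bot: The added `return (error);` on the success path uses the parenthesized form, while the `drop:` path a few lines below uses `return error;`, as does `esp_input()`. Writing `return error;` would keep the function consistent. With `esp_output_cb()` folded in, the retained comment `/* Call the IPsec input callback. */` now sits in `esp_output()` above `ipsp_process_done()` and reads as if this were the input path. A wording such as `/* Finish IPsec output processing. */` would avoid that confusion. The body of `esp_output()` starts outside the hunk.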
> Index: ip_ipsp.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
> retrieving revision 1.212
> diff -u -p -r1.212 ip_ipsp.h
> --- ip_ipsp.h 23 Oct 2021 22:19:37 -0000      1.212
> +++ ip_ipsp.h 24 Oct 2021 15:20:58 -0000
> @@ -590,10 +590,8 @@ int      esp_attach(void);
>  int  esp_init(struct tdb *, const struct xformsw *, struct ipsecinit *);
>  int  esp_zeroize(struct tdb *);
>  int  esp_input(struct mbuf **, struct tdb *, int, int);
> -int  esp_input_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int);
> +int  esp_input_cb(struct tdb *, uint8_t *, int, int, uint64_t, struct mbuf 
> *, int);
>  int  esp_output(struct mbuf *, struct tdb *, int, int);
> -int  esp_output_cb(struct tdb *, struct tdb_crypto *, struct mbuf *, int,
> -         int);
>  int  esp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
>  
>  int  esp4_input(struct mbuf **, int *, int, int);
