From daa5481f82d6b1c2b76b5d17426eba3ec6a5c983 Mon Sep 17 00:00:00 2001
From: Alexander Bluhm
Date: Thu, 23 Dec 2021 12:21:49 +0000
Subject: IPsec is not MP safe yet. To allow forwarding in parallel without dirty hacks, it is better to protect IPsec input and output with kernel lock. Not much is lost as crypto needs the kernel lock anyway. From here we can refine the lock later. Note that there is no kernel lock in the SPD lockup path. Goal is to keep that lock free to allow fast forwarding with non IPsec traffic. tested by Hrvoje Popovski; OK tobhe@
---
 sys/netinet/ip_ah.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
(limited to 'sys/netinet/ip_ah.c')
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 54ca7658fc3..4cf51d26535 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.171 2021/12/20 17:09:18 tobhe Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.172 2021/12/23 12:21:48 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -687,13 +687,11 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff)
 crp->crp_buf = (caddr_t)m;
 crp->crp_sid = tdb->tdb_cryptoid;
- KERNEL_LOCK();
 while ((error = crypto_invoke(crp)) == EAGAIN) {
 /* Reset the session ID */
 if (tdb->tdb_cryptoid != 0)
 tdb->tdb_cryptoid = crp->crp_sid;
 }
- KERNEL_UNLOCK();
 if (error) {
 DPRINTF("crypto error %d", error);
 ipsecstat_inc(ipsec_noxform);
@@ -1112,13 +1110,11 @@ ah_output(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
 crp->crp_buf = (caddr_t)m;
 crp->crp_sid = tdb->tdb_cryptoid;
- KERNEL_LOCK();
 while ((error = crypto_invoke(crp)) == EAGAIN) {
 /* Reset the session ID */
 if (tdb->tdb_cryptoid != 0)
 tdb->tdb_cryptoid = crp->crp_sid;
 }
- KERNEL_UNLOCK();
 if (error) {
 DPRINTF("crypto error %d", error);
 ipsecstat_inc(ipsec_noxform);
--
cgit v1.2.3
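Review bot: With KERNEL_LOCK()/KERNEL_UNLOCK() gone from around the crypto_invoke() retry loop in ah_input(), the loop and its write to `tdb->tdb_cryptoid` now depend on every caller already holding the kernel lock, and nothing in the hunk states or checks that. The commit message says IPsec input and output are to be protected by the kernel lock, but the code that takes it is outside this view (the patch is limited to sys/netinet/ip_ah.c), so it cannot be confirmed from here. I would add `KERNEL_ASSERT_LOCKED();` immediately before `while ((error = crypto_invoke(crp)) == EAGAIN) {`, so that a path reaching the crypto layer unlocked fails loudly instead of racing on the session ID. The same applies to the identical hunk in ah_output(); both function bodies start and end outside their hunks.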