Posted to dev@mina.apache.org by "Robert Varga (JIRA)" <ji...@apache.org> on 2018/10/02 12:38:00 UTC
[jira] [Comment Edited] (SSHD-846) ECDH/HDG kex retains KeyPairGenerator
[ https://issues.apache.org/jira/browse/SSHD-846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16635405#comment-16635405 ]
Robert Varga edited comment on SSHD-846 at 10/2/18 12:37 PM:
-------------------------------------------------------------
[~lgoldstein] thanks for the patch, two comments:
# I think it is still useful to nullify KeyPairGenerators, as it allows them to be freed while the key exchange is going on – it can take some time based on how quickly our peer responds, during which we should be able to shed it
# I am no expert on locking and the codepaths, but it would seem that "kex = null" should happen before kexState.set(KexState.DONE) – otherwise the guard via compareAndSet() could be ineffective:
## Thread A: kexState.set(KexState.DONE)
## Thread A is scheduled out
## Thread B: kexState.compareAndSwap(KexState.DONE, KexState.RUN)
## Thread B: kex = ...
## Thread B is scheduled out
## Thread A is scheduled in
## kex = null
## Thread B is scheduled in and accesses kex (which should be valid)
## NullPointerException
was (Author: nite):
[~lgoldstein] thanks for the patch, two comments:
# I think it is still useful to nullify KeyPairGenerators, as it allows them to be freed while the key exchange is going on – it can take some time
# I am no expert on locking and codepaths, but it would seem that "kex = null" should happen before kexState.set(KexState.DONE) – otherwise the guard via compareAndSet() could be ineffective:
> ECDH/HDG kex retains KeyPairGenerator
> -------------------------------------
>
> Key: SSHD-846
> URL: https://issues.apache.org/jira/browse/SSHD-846
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.6.0, 1.7.0, 2.0.0
> Reporter: Robert Varga
> Assignee: Goldstein Lyor
> Priority: Major
>
> Analysis of a heap dump of running OpenDaylight with 10K concurrent NETCONF sessions over SSH transport shows that around 16% of the heap is used by Bouncy Castle's KeyPairGeneratorSpi$EC and related objects – accounting for ~26% of OpenDaylight's per-session memory overhead.
> These objects are retained by org.apache.sshd.common.kex.ECDH's myKpairGen field, which is never used once a keypair is generated.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
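
The interleaving listed in the comment above, replayed deterministically as an added example (not part of the original message and not MINA SSHD code). The Session class, its method names and the Runnable "window" that stands in for thread A being scheduled out are assumptions made for illustration; only kex, kexState, KexState.DONE, KexState.RUN and compareAndSet() come from the comment.

```java
import java.util.concurrent.atomic.AtomicReference;
public class KexOrderingDemo {
    enum KexState { RUN, DONE }
    // Simplified stand-in for the session fields named in the comment (assumption).
    static class Session {
        final AtomicReference<KexState> kexState = new AtomicReference<>(KexState.RUN);
        volatile Object kex = new Object();

        // Thread B: begin a new exchange only if the previous one is DONE.
        boolean startRekey() {
            if (!kexState.compareAndSet(KexState.DONE, KexState.RUN)) {
                return false;
            }
            kex = new Object();
            return true;
        }

        // Thread A, ordering questioned in the comment: publish DONE, then clear kex.
        void finishDoneFirst(Runnable window) {
            kexState.set(KexState.DONE);
            window.run(); // thread A is "scheduled out" here
            kex = null;   // wipes the exchange thread B just installed
        }

        // Thread A, ordering proposed in the comment: clear kex, then publish DONE.
        void finishNullFirst(Runnable window) {
            kex = null;
            window.run(); // thread B's compareAndSet fails: state is still RUN
            kexState.set(KexState.DONE);
        }
    }

    // Runs thread B's startRekey() to completion inside thread A's window.
    static Runnable rekeyOnThreadB(Session s) {
        return () -> {
            Thread b = new Thread(s::startRekey, "thread-B");
            b.start();
            try { b.join(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        };
    }
    public static void main(String[] args) {
        Session racy = new Session();
        racy.finishDoneFirst(rekeyOnThreadB(racy));
        System.out.println("DONE first: state=" + racy.kexState.get() + ", kex null? " + (racy.kex == null));
        Session ordered = new Session();
        ordered.finishNullFirst(rekeyOnThreadB(ordered));
        System.out.println("null first, rekey started? " + ordered.startRekey() + ", kex null? " + (ordered.kex == null));
    }
}
```

With DONE published first, the session ends in state RUN with kex null, which is the condition that leads to the NullPointerException in the last step of the list. With kex cleared first, thread B cannot pass the compareAndSet() guard until thread A has finished, so the exchange it later installs is not overwritten.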