Posted to dev@mina.apache.org by "Robert Varga (JIRA)" <ji...@apache.org> on 2018/10/02 12:38:00 UTC

[jira] [Comment Edited] (SSHD-846) ECDH/HDG kex retains KeyPairGenerator

    [ https://issues.apache.org/jira/browse/SSHD-846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16635405#comment-16635405 ] 

Robert Varga edited comment on SSHD-846 at 10/2/18 12:37 PM:
-------------------------------------------------------------

[~lgoldstein] thanks for the patch, two comments:
 # I think it is still useful to nullify KeyPairGenerators, as it allows them to be freed while the key exchange is going on – it can take some time based on how quickly our peer responds, during which we should be able to shed it
 # I am no expert on locking and the codepaths, but it would seem that "kex = null" should happen before kexState.set(KexState.DONE) – otherwise the guard via compareAndSet() could be ineffective:
 ## Thread A: kexState.set(KexState.DONE)
 ## Thread A is scheduled out
 ## Thread B: kexState.compareAndSwap(KexState.DONE, KexState.RUN)
 ## Thread B: kex = ...
 ## Thread B is scheduled out
 ## Thread A is scheduled in
 ## kex = null
 ## Thread B is scheduled in and accesses kex (which should be valid)
 ## NullPointerException


was (Author: nite):
[~lgoldstein] thanks for the patch, two comments:
 # I think it is still useful to nullify KeyPairGenerators, as it allows them to be freed while the key exchange is going on – it can take some time
 # I am no expert on locking and codepaths, but it would seem that "kex = null" should happen before kexState.set(KexState.DONE) – otherwise the guard via compareAndSet() could be ineffective:

> ECDH/HDG kex retains KeyPairGenerator
> -------------------------------------
>
>                 Key: SSHD-846
>                 URL: https://issues.apache.org/jira/browse/SSHD-846
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.6.0, 1.7.0, 2.0.0
>            Reporter: Robert Varga
>            Assignee: Goldstein Lyor
>            Priority: Major
>
> Analysis of a heap dump of running OpenDaylight with 10K concurrent NETCONF sessions over SSH transport shows that around 16% of the heap is used by Bouncy Castle's KeyPairGeneratorSpi$EC and related objects – accounting for ~26% of OpenDaylight's per-session memory overhead.
> These objects are retained by org.apache.sshd.common.kex.ECDH's myKpairGen field, which is never used once a keypair is generated.
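
The interleaving listed in the comment above, forced with latches so that it happens on every run. This is an added example, not part of the original message and not MINA SSHD code: the class, the method names and the placeholder kex object are hypothetical, and only kexState, KexState.DONE/RUN, kex and compareAndSet are taken from the comment.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical stand-in for the session fields named in the comment; not MINA SSHD code.
public class KexOrderingDemo {
    enum KexState { RUN, DONE }
    static final AtomicReference<KexState> kexState = new AtomicReference<>(KexState.RUN);
    static volatile Object kex = new Object(); // constructed placeholder for the kex instance
    // Thread B: starts a new exchange only if the guard admits it, then uses kex.
    static String startNewKex(CountDownLatch installed, CountDownLatch resume)
            throws InterruptedException {
        if (!kexState.compareAndSet(KexState.DONE, KexState.RUN)) return "guard refused";
        kex = new Object();       // "Thread B: kex = ..."
        installed.countDown();
        resume.await();           // "Thread B is scheduled out"
        return kex == null ? "kex is null (would throw NullPointerException)" : "kex valid";
    }

    // Thread A: finishes the old exchange in one of the two orders under discussion.
    static String finishOldKex(boolean clearFirst) throws InterruptedException {
        kexState.set(KexState.RUN);
        kex = new Object();
        CountDownLatch installed = new CountDownLatch(1);
        CountDownLatch resume = new CountDownLatch(1);
        String[] result = new String[1];
        Thread b = new Thread(() -> {
            try { result[0] = startNewKex(installed, resume); }
            catch (InterruptedException e) { result[0] = "interrupted"; }
        });
        if (clearFirst) {
            kex = null;                   // proposed order: clear first, then publish DONE
            kexState.set(KexState.DONE);
            b.start();
            installed.await();
        } else {
            kexState.set(KexState.DONE);  // order questioned in the comment
            b.start();
            installed.await();            // B has passed the guard and installed its kex
            kex = null;                   // A resumes and wipes B's instance
        }
        resume.countDown();
        b.join();                         // join() makes result[0] visible to this thread
        return result[0];
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("DONE, then kex = null: " + finishOldKex(false));
        System.out.println("kex = null, then DONE: " + finishOldKex(true));
    }
}
```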


