2008-03-14 18:23:22

by Kevin Coffman

[permalink] [raw]
Subject: theoretical rpcsec_gss deadlock

The rpcsec_gss code used for NFS currently does basically the
following to create a checksum for each rpc:

crypto_alloc_hash()
crypto_hash_init()
crypto_hash_update() ...
crypto_hash_final()
crypto_free_hash()

The crypto_alloc_hash() poses a possible deadlock situation.
(Although it hasn't been a problem so far in practice.) It would be
preferable to allocate the transform once in a context (shared by
multiple tasks). However, doing so seems to cause problems with bad
checksums. We'd rather not have to add a spinlock to serialize its
use. Is there a way to allocate state information on the stack (or
elsewhere) such that the transform can be shared simultaneously?

Herbert, Bruce Fields says you suggested a while back that an
interface was already there, or was being planned? Can you give me
any details? Could we possibly help?

Another question: The current checksum code deals only with "md5".
Support for newer Kerberos encryption types uses keyed hashes. In an
extreme case, support for the rc4-hmac Kerberos encryption type
requires a new hash key be derived for each rpc. Would this interface
be able to deal with changing keys as well? In that same case, the
"rc4" cipher key changes with each rpc as well.

Thanks,
K.C.


2008-03-15 01:18:16

by Herbert Xu

[permalink] [raw]
Subject: Re: theoretical rpcsec_gss deadlock

On Fri, Mar 14, 2008 at 02:23:20PM -0400, Kevin Coffman wrote:
>
> Herbert, Bruce Fields says you suggested a while back that an
> interface was already there, or was being planned? Can you give me
> any details? Could we possibly help?

Have a look at the linux-crypto archive for the async hash patch
that was posted in January/February. That will eventually allow
the same tfm to be used in parallel. However, there is much work
to be done as all existing transforms would have to be updated for
this.

> Another question: The current checksum code deals only with "md5".
> Support for newer Kerberos encryption types uses keyed hashes. In an
> extreme case, support for the rc4-hmac Kerberos encryption type
> requires a new hash key be derived for each rpc. Would this interface
> be able to deal with changing keys as well? In that same case, the
> "rc4" cipher key changes with each rpc as well.

Sorry, but setting the key is an expensive operation in general,
so the rule is one tfm per key to allow simultaneous operations
on the same key.

However, if hmac is the only mode you're ever going to support,
you could consider implementing hmac by hand which would allow you
to share the underlying algorithm tfm object. This is because
the hmac key just gets hashed into the underlying tfm.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt