On Mon, Dec 18, 2000 at 12:56:21PM -0800, Geoff Thorpe wrote:
[...]
> What if the code was structured as follows;
>
> if((rsa->_method_mod_n == NULL) && [etc])
> {
>     BN_MONT_CTX *bn_mont_ctx;
>     int bailout;
>     if((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
>         [do error stuff]
>     if(!BN_MONT_CTX_set(....))
>         [do error stuff]
>     bailout = 0;
>     /* Only now do we grab the lock to ensure threads don't race to
>      * assign montgomery stuff to the RSA structure. */
>     CRYPTO_w_lock(CRYPTO_LOCK_RSA);
>     /* Now we check the _method_mod_n and stuff *inside* the lock */
>     if((rsa->_method_mod_n == NULL) && [etc])
>         rsa->_method_mod_n = bn_mont_ctx;
>     else
>         bailout = 1;
>     CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
>     if(bailout)
>         /* Release the pre-calculated montgomery stuff, we had
>          * threads race on *this* RSA structure so we wasted some
>          * effort in this case. */
>         BN_MONT_CTX_free(bn_mont_ctx);
> }
>
> In this case, (as with your existing code), the initial test doesn't
> require a lock - it will test again inside a lock if it gets that far.
> However, the penalty in my variant is that if threads race then some may
> end up creating montgomery stuff only to find out inside the lock that the
> work has just been done by another thread. The worst that can happen is
> that more than one thread does that same work in the event of a race (the
> race is specific to *this* RSA object). However, that's a risk of wasted
> effort local to just this particular RSA structure - the global lock is
> only being used to seal off the final check & assign of the precalculated
> data to the structure. Conversely, the risk in the existing code seems to
> be that all such operations on *all* RSA objects block.

You are right, we should not do such expensive operations while
holding the RSA lock (or, if we think we should do this to avoid
redundant computations of the same Montgomery structure by different
threads, we should at least introduce CRYPTO_LOCK_RSA_MONT instead of
using CRYPTO_LOCK_RSA, since the latter is also needed for standard
stuff such as RSA_free).
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
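
The pattern proposed in the quoted message, combined with the dedicated-lock idea from the reply, as an added example that is not OpenSSL code and not code from either poster. `struct key`, `struct cache`, `mont_lock`, `live_caches` and the function names are hypothetical stand-ins, pthreads replaces `CRYPTO_w_lock`, and the unlocked first test is written as a C11 acquire load, an assumption added here so that the read outside the lock is well defined.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical stand-ins: struct key plays RSA, struct cache plays BN_MONT_CTX. */
struct cache { unsigned long modulus; };
struct key {
    unsigned long modulus;
    _Atomic(struct cache *) mont;      /* lazily set, like rsa->_method_mod_n */
};

/* Lock used only for the final check-and-assign, never for the computation. */
static pthread_mutex_t mont_lock = PTHREAD_MUTEX_INITIALIZER;
atomic_int live_caches;                /* builds minus frees, to expose leaks */

/* Expensive step, run with no lock held. */
struct cache *cache_build(const struct key *k)
{
    struct cache *c = malloc(sizeof *c);
    if (c == NULL) return NULL;
    c->modulus = k->modulus;           /* placeholder for the real precomputation */
    atomic_fetch_add(&live_caches, 1);
    return c;
}

/* Cheap step: re-check inside the lock; the loser of a race frees its own copy. */
int cache_publish(struct key *k, struct cache *c)
{
    int bailout = 0;
    pthread_mutex_lock(&mont_lock);
    if (atomic_load_explicit(&k->mont, memory_order_relaxed) == NULL)
        atomic_store_explicit(&k->mont, c, memory_order_release);
    else
        bailout = 1;
    pthread_mutex_unlock(&mont_lock);
    if (bailout) {
        free(c);
        atomic_fetch_sub(&live_caches, 1);
    }
    return !bailout;                   /* 1 = installed, 0 = discarded */
}

/* Whole path: unlocked first test, build outside the lock, then publish. */
struct cache *key_get_cache(struct key *k)
{
    struct cache *c = atomic_load_explicit(&k->mont, memory_order_acquire);
    if (c == NULL && (c = cache_build(k)) != NULL)
        cache_publish(k, c);
    return atomic_load_explicit(&k->mont, memory_order_acquire);
}
```

Calling `cache_build` twice before either `cache_publish` reproduces the race deterministically: the second publish returns 0 and its copy is freed, so exactly one cache stays live per key.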