|
From: | Nikos Mavrogiannopoulos |
Subject: | Re: Problems with automatic pkcs11 reinit on fork |
Date: | Sun, 09 Oct 2011 23:13:41 +0200 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Icedove/3.1.13 |
On 10/08/2011 05:39 PM, Stef Walter wrote:
When it comes to PKCS#11, we cannot make forking transparent for gnutls or any other library or application.Couldn't this be handled entirely within p11-kit? I.e. at fork instead of initializing everything, mark as everything being uninitialized. Then (a) either reinitialize everything on the first pkcs11 call,We don't wrap every pkcs11 call, so sadly this wouldn't work, see the problem with transparency above.
What if you wrap every call just like pakchois did. Then it would be possible.
or (b)provide a call like p11_kit_reinitialize_if_needed() or so.I guess we can do this or something like it. We could have a macro that checks a global variable to make this a very fast check.
This would be problematic when you could also have multiple threads (e.g. the way apache works). In most of the cases where multiple initialization doesn't really matter it wouldn't be a problem, but here multiple initialization might have unexpected outcome. Thus some kind of locks would also be required.
But would it make more sense for gnutls to listen to pthread_atfork() and clear out its pkcs#11 state?
Then I'd have exactly the same problem that you have. Performance issues :) It might be better for this issue to be solved once and for all users of p11-kit.
regards, Nikos
[Prev in Thread] | Current Thread | [Next in Thread] |