Problems with automatic pkcs11 reinit on fork
stefw at collabora.co.uk
Sat Oct 8 08:39:20 PDT 2011
On 2011-10-08 12:22, Nikos Mavrogiannopoulos wrote:
> Actually that would have to be gnutls' applications that I don't expect
> them to do it. gnutls itself it does know of fork, unless we call
> getpid() on every pkcs11 call to detect forks.

Right, that makes sense.

Essentially though, the core issue is that a library like gnutls cannot
use pkcs11 blindly across forks. In particular all sessions, object
handles and everything else related to PKCS#11 becomes invalid after a fork.

When it comes to PKCS#11, we cannot make forking transparent for gnutls
or any other library or application.

> Couldn't this be handled entirely within p11-kit? I.e. at fork instead
> of initializing everything, mark as everything being uninitialized. Then
> (a) either reinitialize everything on the first pkcs11 call,

We don't wrap every pkcs11 call, so sadly this wouldn't work, see the
problem with transparency above.

> provide a call like p11_kit_reinitialize_if_needed() or so.

I guess we can do this or something like it. We could have a macro that
checks a global variable to make this a very fast check.

But would it make more sense for gnutls to listen to pthread_atfork()
and clear out its pkcs#11 state?

> On the (b) case the user of p11-kit would have to call
> p11_kit_reinitialize_if_needed() before every pkcs11 call. This is very
> ugly, but better than nothing. I'd prefer (a).

Me too. I wish there was a nice clean solution. Essentially we have (a)
right now, by initializing right as the fork occurs. Sadly this has
performance problems when fork/exec is encountered.

But there's another problem with the current solution (reinitializing
right as the fork occurs using pthread_atfork), and that is that PKCS#11
implementations often also use pthread_atfork to detect and emulate the
correct behavior. Pakchois also has this problem. We cannot guarantee
that the pthread_atfork callback that p11-kit installs happens after the
pthread_atfork callback that a pkcs11 library is using.
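
The "mark at fork, check a global before use" idea discussed in this message, as an added example that is not part of the original post and not p11-kit or gnutls code. Every `demo_*` name is hypothetical, and the counter stands in for dropping stale sessions and calling `C_Initialize` again.

```c
/* Added illustration: every demo_* name is hypothetical, not p11-kit API. */
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int demo_forked;  /* set in the child by the atfork handler */
static int demo_installed;        /* atfork handler registered once */
static int demo_init_count;       /* times the stand-in C_Initialize has run */

/* Child-side handler: only mark state stale; no module call at fork time. */
static void demo_atfork_child(void) { demo_forked = 1; }
static void demo_initialize(void) {
    if (!demo_installed++) pthread_atfork(NULL, NULL, demo_atfork_child);
    demo_init_count = 1;          /* stand-in for the first C_Initialize */
}

/* Stand-in for dropping stale sessions and handles, then C_Initialize again. */
static void demo_reinitialize(void) { demo_forked = 0; demo_init_count++; }

/* Fast check: one global read per call instead of a getpid() per call. */
#define DEMO_REINIT_IF_NEEDED() \
    do { if (demo_forked) demo_reinitialize(); } while (0)

/* Caller-side code path that is about to use the module. */
static int demo_pkcs11_call(void) {
    DEMO_REINIT_IF_NEEDED();
    return demo_init_count;
}

/* Fork; the child makes `calls` calls and reports its init count on exit. */
static int demo_child_init_count(int calls) {
    int status = 0, n = demo_init_count;
    fflush(NULL);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        while (calls-- > 0) n = demo_pkcs11_call();
        _exit(n);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    demo_initialize();
    printf("%d %d %d\n", demo_pkcs11_call(), demo_child_init_count(0), demo_child_init_count(3));
    return 0;
}
```

A child that makes no calls (the fork/exec pattern) never reinitializes, while a child that does use the module reinitializes exactly once; the caller still has to run the check itself, which is the transparency limit the message describes.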