Problems with automatic pkcs11 reinit on fork

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sun Oct 9 14:13:41 PDT 2011


On 10/08/2011 05:39 PM, Stef Walter wrote:

> When it comes to PKCS#11, we cannot make forking transparent for gnutls
> or any other library or application.
>> Couldn't this be handled entirely within p11-kit? I.e. at fork instead
>> of initializing everything, mark as everything being uninitialized. Then
>> (a) either reinitialize everything on the first pkcs11 call,
>
> We don't wrap every pkcs11 call, so sadly this wouldn't work, see the
> problem with transparency above.

What if you wrap every call just like pakchois did? Then it would be
possible.

>> or (b) provide a call like p11_kit_reinitialize_if_needed() or so.
> I guess we can do this or something like it. We could have a macro that
> checks a global variable to make this a very fast check.

This would be problematic when you could also have multiple threads
(e.g. the way apache works). In most of the cases where multiple
initialization doesn't really matter it wouldn't be a problem, but here
multiple initialization might have an unexpected outcome. Thus some kind of
locks would also be required.

> But would it make more sense for gnutls to listen to pthread_atfork()
> and clear out its pkcs#11 state?

Then I'd have exactly the same problem that you have. Performance issues 
:) It might be better for this issue to be solved once and for all users 
of p11-kit.


regards,
Nikos
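
The fast global-flag check combined with the locking discussed in this message, as an added example that is not part of the original message or of p11-kit's code. All function names are hypothetical, and module initialization is replaced by a stub that only counts calls.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names; the stub stands in for C_Initialize on every module. */
static atomic_int need_reinit, init_count;
static pthread_mutex_t reinit_lock = PTHREAD_MUTEX_INITIALIZER;
static void stub_initialize_modules(void) { atomic_fetch_add(&init_count, 1); }

/* Hold the lock across fork() so the child never inherits it mid-update. */
static void before_fork(void) { pthread_mutex_lock(&reinit_lock); }
static void parent_after_fork(void) { pthread_mutex_unlock(&reinit_lock); }
static void child_after_fork(void)
{
    atomic_store(&need_reinit, 1);      /* only mark; no module calls here */
    pthread_mutex_unlock(&reinit_lock);
}

void example_init(void)                 /* call once per process */
{
    pthread_atfork(before_fork, parent_after_fork, child_after_fork);
    stub_initialize_modules();
}

/* Returns 1 if this call performed the reinitialization, 0 otherwise. */
int example_reinitialize_if_needed(void)
{
    int did = 0;
    if (!atomic_load(&need_reinit)) return 0;   /* fast path: one load */
    pthread_mutex_lock(&reinit_lock);
    if (atomic_load(&need_reinit)) {    /* re-check under the lock */
        stub_initialize_modules();
        atomic_store(&need_reinit, 0);
        did = 1;
    }
    pthread_mutex_unlock(&reinit_lock);
    return did;
}
static void *worker(void *arg) { (void)arg; return (void *)(long)example_reinitialize_if_needed(); }

/* Forks, races up to 16 workers in the child, returns how many reinitialized. */
int reinits_in_forked_child(int nthreads)
{
    pthread_t t[16]; void *r; long total = 0; int i, status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        for (i = 0; i < nthreads && i < 16; i++) pthread_create(&t[i], NULL, worker, NULL);
        for (i = 0; i < nthreads && i < 16; i++) { pthread_join(t[i], &r); total += (long)r; }
        _exit((int)total);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The parent never takes the slow path, and among the threads racing in the child exactly one performs the reinitialization.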