Problems with automatic pkcs11 reinit on fork

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Sat Oct 8 12:22:45 CEST 2011


On 10/08/2011 08:19 AM, Stef Walter wrote:
> In p11-kit we've copied the pakchois behavior of automatically
> reinitializing when a fork happens. In PKCS#11 an application using
> PKCS#11 modules has to call C_Initialize after a fork to reinitialize
> the smart card driver.
>
> The automatic reinitialization behavior of p11-kit is sort of nice from
> the perspective of the consumers of the library, however it causes
> performance problems when it's automatic.
[...]
> For example if a process that's using p11-kit forks/execs another
> executable, then all the PKCS#11 providers are reinitialized after the
> fork and before the exec.
> Perhaps we should change p11-kit so that it's fork aware, and zeros its
> initialization ref counts, but expects the user of the library to
> actually reinitialize after a fork.
> For example, in the case of gnutls, on the next use of PKCS#11 after a
> fork gnutls would need to call p11_kit_initialize_registered() again.

Actually that would have to be gnutls' applications, and I don't expect 
them to do it. gnutls itself it does know of fork, unless we call 
getpid() on every pkcs11 call to detect forks.

Couldn't this be handled entirely within p11-kit? I.e. at fork, instead 
of initializing everything, mark everything as being uninitialized. Then
(a) either reinitialize everything on the first pkcs11 call, or (b) 
provide a call like p11_kit_reinitialize_if_needed() or so.

In the (b) case the user of p11-kit would have to call 
p11_kit_reinitialize_if_needed() before every pkcs11 call. This is very 
ugly, but better than nothing. I'd prefer (a).

regards,
Nikos
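
Added example, not part of the original message and not p11-kit or gnutls code: option (a) from the message above, with the getpid() comparison used to notice a fork on the next PKCS#11 call, so a child that goes straight to exec pays nothing. provider_init(), ensure_initialized(), wrapped_pkcs11_call() and child_init_count() are hypothetical names; provider_init() stands in for calling C_Initialize on every registered module, and a single-threaded caller is assumed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static pid_t init_pid;  /* pid that last ran provider_init(); 0 = never */
static int init_calls;  /* total provider_init() runs seen by this process image */

/* Hypothetical stand-in for the expensive C_Initialize on each module. */
static void provider_init(void)
{
    init_calls++;
    init_pid = getpid();
}

/* Run at the top of every wrapped call: a pid mismatch means we are in a
 * forked child (or were never initialized), so initialize lazily here. */
static void ensure_initialized(void)
{
    if (init_pid != getpid())
        provider_init();
}

/* Hypothetical wrapped PKCS#11 operation; returns the init counter. */
int wrapped_pkcs11_call(void)
{
    ensure_initialized();
    return init_calls;
}

/* Fork a child that makes `calls_in_child` wrapped calls and report how many
 * times the child had to reinitialize (returned via its exit status). */
int child_init_count(int calls_in_child)
{
    wrapped_pkcs11_call();              /* parent is initialized before fork */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int before = init_calls;        /* value inherited from the parent */
        for (int i = 0; i < calls_in_child; i++)
            wrapped_pkcs11_call();
        _exit(init_calls - before);     /* no driver work unless PKCS#11 was used */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("child, no PKCS#11 use: %d reinit\n", child_init_count(0));
    printf("child, 3 PKCS#11 calls: %d reinit\n", child_init_count(3));
    return 0;
}
```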



