|
From: | Nikos Mavrogiannopoulos |
Subject: | Re: Problems with automatic pkcs11 reinit on fork |
Date: | Mon, 10 Oct 2011 23:40:33 +0200 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.21) Gecko/20110831 Icedove/3.1.13 |
On 10/10/2011 06:17 PM, Stef Walter wrote:
Then I'd have exactly the same problem that you have. Performance issues :) It might be better for this issue to be solved once and for all users of p11-kit.It's pretty hard to do this correctly at the p11-kit layer. We cannot transparently hide the fact that all of a sudden all slots, token info, sessions, objects, and other handles have been invalidated. Therefore any structures that gnutls is holding must also be cleared on fork. Forgive me if I'm missing something, but the only way I see to solve this part of the problem is for p11-kit to notify gnutls that any and all PKCS#11 state is invalid. gnutls would then start from a clean pkcs#11 state. I'll work on some patches for gnutls.
I wouldn't think gnutls as a special case, but rather as just another user of the p11-kit framework (glue). Having an API that says please during fork do that, but if you do fork very often then wait until the next pkcs11 operation and then do it, or you become slow... sounds really ugly. Of course there could be a fix for gnutls because the API is limiting pkcs11 operations, but other users of p11-kit would have exactly the same problem and a fix might not be so straightforward. A viable solution I see is wrapping pkcs11 calls. I see how you did that in gnutls so it looks pretty straightforward that could be added and exported from p11-kit. But anyway it is your call. regards, Nikos
[Prev in Thread] | Current Thread | [Next in Thread] |