Problems with automatic pkcs11 reinit on fork

Stef Walter stefw at collabora.co.uk
Sat Oct 8 17:39:20 CEST 2011


On 2011-10-08 12:22, Nikos Mavrogiannopoulos wrote:
> Actually that would have to be gnutls' applications that I don't expect
> them to do it. gnutls itself it does know of fork, unless we call
> getpid() on every pkcs11 call to detect forks.

Right, that makes sense.

Essentially though, the core issue is that a library like gnutls cannot
use pkcs11 blindly across forks. In particular all sessions, object
handles and everything else related to PKCS#11 become invalid after a fork.

When it comes to PKCS#11, we cannot make forking transparent for gnutls
or any other library or application.

> Couldn't this be handled entirely within p11-kit? I.e. at fork instead
> of initializing everything, mark as everything being uninitialized. Then
> (a) either reinitialize everything on the first pkcs11 call, 

We don't wrap every pkcs11 call, so sadly this wouldn't work, see the
problem with transparency above.

> or (b)
> provide a call like p11_kit_reinitialize_if_needed() or so.

I guess we can do this or something like it. We could have a macro that
checks a global variable to make this a very fast check.

But would it make more sense for gnutls to listen to pthread_atfork()
and clear out its pkcs#11 state?

> On the (b) case the user of p11-kit would have to call
> p11_kit_reinitialize_if_needed() before every pkcs11 call. This is very
> ugly, but better than nothing. I'd prefer (a).

Me too. I wish there was a nice clean solution. Essentially we have (a)
right now, by initializing right as the fork occurs. Sadly this has
performance problems when fork/exec is encountered.

But there's another problem with the current solution (reinitializing
right as the fork occurs using pthread_atfork), and that is that PKCS#11
implementations often also use pthread_atfork to detect and emulate the
correct behavior. Pakchois also has this problem. We cannot guarantee
that the pthread_atfork callback that p11-kit installs happens after the
pthread_atfork callback that a pkcs11 library is using.

Cheers,

Stef
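
The per-call fork check discussed in this thread (comparing getpid() against the process that initialized the module, in the spirit of the proposed p11_kit_reinitialize_if_needed()), as an added example that is not part of the original message and not p11-kit or gnutls code. struct p11_state, reinit_if_needed(), get_session() and fork_demo() are hypothetical names, the session values are constructed, and no real PKCS#11 module is loaded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the PKCS#11 state a library caches. */
struct p11_state {
    pid_t owner;            /* process that initialized the module */
    unsigned long session;  /* constructed handle value, 0 = none */
    unsigned reinits;       /* how many times the state was (re)initialized */
};

/* Lazy check: returns true when the state belongs to another process and was reset. */
static bool reinit_if_needed(struct p11_state *s) {
    if (s->owner == getpid()) return false;
    s->session = 0;       /* inherited handle is invalid here: forget it, never use it */
    s->owner = getpid();  /* real code would initialize the module again at this point */
    s->reinits++;
    return true;
}

/* Every entry point that touches PKCS#11 runs the check first. */
static unsigned long get_session(struct p11_state *s) {
    reinit_if_needed(s);
    /* constructed: pretend to open a fresh session when none is cached */
    if (s->session == 0) s->session = 0x1000 + s->reinits;
    return s->session;
}

/* Forks; returns the child's flags: 1 = fork detected, 2 = new session, 4 = no second reset. */
static int fork_demo(struct p11_state *s) {
    unsigned long parent_session = get_session(s);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int flags = reinit_if_needed(s) ? 1 : 0;
        if (get_session(s) != parent_session) flags |= 2;
        if (!reinit_if_needed(s)) flags |= 4;
        _exit(flags);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    struct p11_state s = {0};
    printf("child flags: %d\n", fork_demo(&s));
    return 0;
}
```

Because the reset happens on the next call rather than inside a fork callback, a child that goes straight to exec never pays for it, but every entry point has to run the check.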



