Begin forwarded message: > From: Mark Phalan > Date: March 12, 2009 17:13:40 EDT > To: Ken Raeburn > Cc: Nikhil Mishra , krbdev@mit.edu > Subject: Re: Is MIT kerberos thread safe ?? > X-Spam-Score: 0.00 > > > On 12 Mar 2009, at 17:43, Ken Raeburn wrote: > >> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote: >>> As the subject says , Is MIT kerberos thread safe ? >>> My device is a high performance network appliance and >>> I need to analyze threadsafe-ness of MIT kerberos library. >> >> The 1.6.x releases should be thread-safe provided certain objects are >> not shared across threads for simultaneous use, primarily the >> Kerberos >> and GSSAPI context types. Various other objects, especially the >> simpler ones like krb5_data and krb5_principal, and most of the >> structures exposed in our API, can be shared as long as both uses are >> read-only. Some more complex, opaque types like krb5_ccache, and >> most >> if not all internal static data, have internal locking performed >> within the libraries, so that they can be used from multiple threads >> without corruption. >> >> Unfortunately, we don't have documentation written up on *exactly* >> what can be shared across threads and when, but "never share >> contexts, >> and share other stuff only as inputs not outputs" is a good >> guideline. >> >> And, all the above said, there could of course be bugs; if you run >> into anything, we'd like to know. > > > The PKINIT plugin is a problem if it is used in multiple threads due > to its use of OpenSSL. > > -M