From: Ken Raeburn <raeburn@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: pkinit thread safety
Date: Thu, 12 Mar 2009 17:36:16 -0400

Begin forwarded message:
> From: Mark Phalan <Mark.Phalan@Sun.COM>
> Date: March 12, 2009 17:13:40 EDT
> To: Ken Raeburn <raeburn@mit.edu>
> Cc: Nikhil Mishra <nikhilm@gs-lab.com>, krbdev@mit.edu
> Subject: Re: Is MIT kerberos thread safe ??
> X-Spam-Score: 0.00
>
>
> On 12 Mar 2009, at 17:43, Ken Raeburn wrote:
>
>> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
>>> As the subject says, Is MIT kerberos thread safe?
>>> My device is a high performance network appliance and
>>> I need to analyze threadsafe-ness of MIT kerberos library.
>> The 1.6.x releases should be thread-safe provided certain objects are
>> not shared across threads for simultaneous use, primarily the Kerberos
>> and GSSAPI context types. Various other objects, especially the
>> simpler ones like krb5_data and krb5_principal, and most of the
>> structures exposed in our API, can be shared as long as both uses are
>> read-only. Some more complex, opaque types like krb5_ccache, and most
>> if not all internal static data, have internal locking performed
>> within the libraries, so that they can be used from multiple threads
>> without corruption.
>>
>> Unfortunately, we don't have documentation written up on *exactly*
>> what can be shared across threads and when, but "never share contexts,
>> and share other stuff only as inputs not outputs" is a good guideline.
>>
>> And, all the above said, there could of course be bugs; if you run
>> into anything, we'd like to know.
>
> The PKINIT plugin is a problem if it is used in multiple threads due
> to its use of OpenSSL.
>
> -M