[krbdev.mit.edu #6413] pkinit thread safety

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Thu Mar 12 17:36:43 EDT 2009



Begin forwarded message:

> From: Mark Phalan <Mark.Phalan at Sun.COM>
> Date: March 12, 2009 17:13:40 EDT
> To: Ken Raeburn <raeburn at mit.edu>
> Cc: Nikhil Mishra <nikhilm at gs-lab.com>, krbdev at mit.edu
> Subject: Re: Is MIT kerberos thread safe ??
>
>
> On 12 Mar 2009, at 17:43, Ken Raeburn wrote:
>
>> On Mar 12, 2009, at 08:55, Nikhil Mishra wrote:
>>> As the subject says, is MIT Kerberos thread safe?
>>> My device is a high performance network appliance and
>>> I need to analyze threadsafe-ness of MIT kerberos library.
>>
>> The 1.6.x releases should be thread-safe provided certain objects are
>> not shared across threads for simultaneous use, primarily the Kerberos
>> and GSSAPI context types.  Various other objects, especially the
>> simpler ones like krb5_data and krb5_principal, and most of the
>> structures exposed in our API, can be shared as long as both uses are
>> read-only.  Some more complex, opaque types like krb5_ccache, and most
>> if not all internal static data, have internal locking performed
>> within the libraries, so that they can be used from multiple threads
>> without corruption.
>>
>> Unfortunately, we don't have documentation written up on *exactly*
>> what can be shared across threads and when, but "never share contexts,
>> and share other stuff only as inputs not outputs" is a good guideline.
>>
>> And, all the above said, there could of course be bugs; if you run
>> into anything, we'd like to know.
>
>
> The PKINIT plugin is a problem if it is used in multiple threads due  
> to its use of OpenSSL.
>
> -M




