Re: C_Initialize


Re: C_Initialize

Nikos Mavrogiannopoulos
Hello,
 I've noticed that C_Initialize takes excessive time on the opensc
pkcs11 module when a smart card is present. When no smart card is
present everything is ok. This causes quite a problem in gnutls which
has transparent smart card support and calls C_Initialize on startup. As
a result, every application that uses gnutls gets 4-6 second delay on
startup, irrespective of whether it will read that smart card or not.

The attached patch seems to fix the initialization delays and the cards
I have seem to work fine.

regards,
Nikos

------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
is your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials, tech docs,
whitepapers, evaluation guides, and opinion stories. Check out the most
recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachment: 0001-disable-card-reading-during-initialization-of-the-li.patch (1K)
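As an added measurement harness (not code from the thread, OpenSC or GnuTLS), the following script loads a PKCS#11 module through ctypes and times C_Initialize separately from the first token-dependent call, which is how the startup delay described above can be checked before and after a patch. MODULE_PATH is an assumed location, and only the fixed head of CK_FUNCTION_LIST is declared, which is enough to reach the entry points used here.

```python
import ctypes
import time
# Assumed module location (the thread names the OpenSC pkcs11 module but not
# its path); point this at your installed opensc-pkcs11.so.
MODULE_PATH = "/usr/lib/pkcs11/opensc-pkcs11.so"
CKR_OK, CK_RV, CK_ULONG = 0, ctypes.c_ulong, ctypes.c_ulong

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

# Only the head of CK_FUNCTION_LIST is declared: PKCS#11 v2.x fixes the order of
# the first entries, so reading just these fields from the real struct is safe.
class CK_FUNCTION_LIST_HEAD(ctypes.Structure):
    _fields_ = [("version", CK_VERSION)] + [(n, ctypes.c_void_p) for n in (
        "C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",
        "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo")]

FN_INITIALIZE = FN_FINALIZE = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
FN_GETSLOTLIST = ctypes.CFUNCTYPE(CK_RV, ctypes.c_ubyte,
                                  ctypes.POINTER(CK_ULONG), ctypes.POINTER(CK_ULONG))

def time_pkcs11_startup(module_path=MODULE_PATH):
    """Time C_Initialize and the first token-dependent call (C_GetSlotList with
    tokenPresent=TRUE); returns a dict of timings, or None if the module fails to load."""
    try:
        lib = ctypes.CDLL(module_path)
    except OSError:
        return None
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_HEAD))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_HEAD)()
    if lib.C_GetFunctionList(ctypes.byref(fl)) != CKR_OK or not fl:
        return None
    c_initialize = FN_INITIALIZE(fl.contents.C_Initialize)
    c_finalize = FN_FINALIZE(fl.contents.C_Finalize)
    c_getslotlist = FN_GETSLOTLIST(fl.contents.C_GetSlotList)
    t0 = time.perf_counter()
    if c_initialize(None) != CKR_OK:          # the call reported to take 4-6 s
        return None
    init_ms = (time.perf_counter() - t0) * 1000.0
    try:
        count = CK_ULONG(0)
        t1 = time.perf_counter()
        rv = c_getslotlist(1, None, ctypes.byref(count))  # tokenPresent=TRUE
        slotlist_ms = (time.perf_counter() - t1) * 1000.0
        tokens = int(count.value) if rv == CKR_OK else -1
    finally:
        c_finalize(None)                       # always release the module
    return {"init_ms": init_ms, "slotlist_ms": slotlist_ms, "tokens": tokens}
```

With a card inserted, a large init_ms next to a small slotlist_ms reproduces the complaint in this thread; after a lazy-detection patch the cost should move to the second figure.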

Re: C_Initialize

Douglas E. Engert


On 2/16/2013 6:40 PM, Nikos Mavrogiannopoulos wrote:

> Hello,
>   I've noticed that C_Initialize takes excessive time on the opensc
> pkcs11 module when a smart card is present. When no smart card is
> present everything is ok. This causes quite a problem in gnutls which
> has transparent smart card support and calls C_Initialize on startup. As
> a result, every application that uses gnutls gets 4-6 second delay on
> startup, irrespective of whether it will read that smart card or not.
>
> The attached patch seems to fix the initialization delays and the cards
> I have seem to work fine.

With your mod in place, do smart cards still work with gnutls?

The card-detect will have to be called sometime...

>
> regards,
> Nikos

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: C_Initialize

Nikos Mavrogiannopoulos-2
On 02/18/2013 06:34 PM, Douglas E. Engert wrote:


>> Hello,
>>   I've noticed that C_Initialize takes excessive time on the opensc
>> pkcs11 module when a smart card is present. When no smart card is
>> present everything is ok. This causes quite a problem in gnutls which
>> has transparent smart card support and calls C_Initialize on startup. As
>> a result, every application that uses gnutls gets 4-6 second delay on
>> startup, irrespective of whether it will read that smart card or not.
>>
>> The attached patch seems to fix the initialization delays and the cards
>> I have seem to work fine.
>
> With your mod in place, do smart cards still work with gnutls?
>
> The card-detect will have to be called sometime...


Yes, but that should be when someone asks for a card. GnuTLS works fine
with this patch, because the cards are detected in C_GetTokenInfo()
which is the expected place.

regards,
Nikos


Re: C_Initialize

Douglas E. Engert


On 2/18/2013 12:35 PM, Nikos Mavrogiannopoulos wrote:

> On 02/18/2013 06:34 PM, Douglas E. Engert wrote:
>
>
>>> Hello,
>>>    I've noticed that C_Initialize takes excessive time on the opensc
>>> pkcs11 module when a smart card is present. When no smart card is
>>> present everything is ok. This causes quite a problem in gnutls which
>>> has transparent smart card support and calls C_Initialize on startup. As
>>> a result, every application that uses gnutls gets 4-6 second delay on
>>> startup, irrespective of whether it will read that smart card or not.
>>>
>>> The attached patch seems to fix the initialization delays and the cards
>>> I have seem to work fine.
>>
>> With your mod in place, do smart cards still work with gnutls?
>>
>> The card-detect will have to be called sometime...
>
>
> Yes, but that should be when someone asks for a card. GnuTLS works fine
> with this patch, because the cards are detected in C_GetTokenInfo()
> which is the expected place.


I understand that card_detect may not be needed by C_Initialize,
and postponing the calling of card_detect till actually needed
would help in your situation.

But your patch does not appear to do that, it just removes
two calls to card_detect, and removes the call to sc_detect_card_presence.

We need to make sure there are no code paths that avoid calling
the card_detect or rely on the results of one of the removed
card_detect calls. Either could result in not recognizing
a card is present, or some segfault if card_detect set some
values that other code is depending on.

I don't believe that calling C_GetTokenInfo is a required call. So
depending on C_GetTokenInfo to do the card_detect is not good
enough.



>
> regards,
> Nikos

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: C_Initialize

Nikos Mavrogiannopoulos-2
On 02/18/2013 08:16 PM, Douglas E. Engert wrote:


> I understand that card_detect may not be needed by C_Initialize,
> and postponing the calling of card_detect till actually needed
> would help in your situation.
> But your patch does not appear to do that, it just removes
> two calls to card_detect, and removes the call to sc_detect_card_presence.


The call to sc_detect_card_presence seems superfluous since it is
repeated in card_detect().

> We need to make sure there are no code paths that avoid calling

> the card_detect or rely on the results of one of the removed
> card_detect calls. Either could result in not recognizing
> a card is present, or some segfault if card_detect set some
> values that other code is depending on.


So in that case that should be called on every function except
C_Initialize, C_GetSlotList, C_GetFunctionList, C_GetInfo,
C_Finalize.

However, several functions depend on a session being setup (so they
would be fine if only C_OpenSession was detecting cards) that leaves us
with:

C_OpenSession, C_GetMechanismList, C_WaitForSlotEvent, C_GetTokenInfo,
C_GetSlotInfo (I hope I'm not missing any here).

Now:
C_OpenSession, C_GetMechanismList, C_GetTokenInfo:
call slot_get_token() which in turn calls card_detect().

C_WaitForSlotEvent calls card_detect_all explicitly.

C_GetSlotInfo: calls slot_get_slot() which doesn't seem to detect anything.

So would calling card_detect_all() in C_GetSlotInfo (see patch) fulfill
your concerns?

regards,
Nikos


Attachment: 0001-Disable-card-reading-during-initialization-of-the-li.patch (1K)

Re: C_Initialize

Douglas E. Engert
Your solution below might work, but I would like others
to comment on your proposal as well.

On a different point, your first note says:
"This causes quite a problem in gnutls which has transparent smart card
support and calls C_Initialize on startup."

How transparent is this?
How does gnutls find a PKCS#11 implementation?
Will gnutls try and load any and all PKCS#11 modules it finds?
Can it load more than one PKCS#11 module?

I ask this as just loading another PKCS#11 may include
loading more libraries, placing more of a dependency on
all these libraries loading correctly even when they are
not used.

The OpenSC PKCS#11 will include OpenSSL for example.

OpenSC will try and use pcscd as well.

I am asking this as adding "transparent smart card support"
may not be as transparent as you think.

I see in:
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs

it is using /etc/pkcs11/modules; is that a system-wide file?



On 2/18/2013 2:11 PM, Nikos Mavrogiannopoulos wrote:

> On 02/18/2013 08:16 PM, Douglas E. Engert wrote:
>
>
>> I understand that card_detect may not be needed by C_Initialize,
>> and postponing the calling of card_detect till actually needed
>> would help in your situation.
>> But your patch does not appear to do that, it just removes
>> two calls to card_detect, and removes the call to sc_detect_card_presence.
>
>
> The call to sc_detect_card_presence seems superfluous since it is
> repeated in card_detect().
>
>> We need to make sure there are no code paths that avoid calling
>
>> the card_detect or rely on the results of one of the removed
>> card_detect calls. Either could result in not recognizing
>> a card is present, or some segfault if card_detect set some
>> values that other code is depending on.
>
>
> So in that case that should be called on every function except
> C_Initialize, C_GetSlotList, C_GetFunctionList, C_GetInfo,
> C_Finalize.
>
> However, several functions depend on a session being setup (so they
> would be fine if only C_OpenSession was detecting cards) that leaves us
> with:
>
> C_OpenSession, C_GetMechanismList, C_WaitForSlotEvent, C_GetTokenInfo,
> C_GetSlotInfo (I hope I'm not missing any here).
>
> Now:
> C_OpenSession, C_GetMechanismList, C_GetTokenInfo:
> call slot_get_token() which in turn calls card_detect().
>
> C_WaitForSlotEvent calls card_detect_all explicitly.
>
> C_GetSlotInfo: calls slot_get_slot() which doesn't seem to detect anything.
>
> So would calling card_detect_all() in C_GetSlotInfo (see patch) fulfill
> your concerns?
>
> regards,
> Nikos

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: C_Initialize

Nikos Mavrogiannopoulos-2
On 02/18/2013 09:37 PM, Douglas E. Engert wrote:

> Your solution below might work, but I would like others
> to comment on your proposal as well.
> On a different point, your first note says:
> "This causes quite a problem in gnutls which has transparent smart card
> support and calls C_Initialize on startup."
> How transparent is this?


You may want to check the manual to get an idea about how that works:
http://www.gnutls.org/manual/html_node/Smart-cards-and-HSMs.html#Smart-cards-and-HSMs

> How does gnutls find a PKCS#11 implementation?


We use p11-kit and additionally a configuration file.

> Will gnutls try and load any and all PKCS#11 modules it finds?


Depending on p11-kit configuration.

> Can it load more than one PKCS#11 module?


Yes.


> I ask this as just loading another PKCS#11 may include
> loading more libraries, placing more of a dependency on
> all these libraries loading correctly even when they are
> not used.


So far they load correctly. We have had this support for quite some time. The
main issue we have is the initialization delay due to opensc (and
sometimes other modules as well).

> The OpenSC PKCS#11 will include OpenSSL for example.


I don't like that, but I don't always get what I like. Nevertheless,
this is dynamic loading so I'm not really concerned.

> OpenSC will try and use pcscd as well.
> I am asking this as adding "transparent smart card support"
> may not be as transparent as you think.


I don't understand what you mean here.

> I see in:
> http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
> it is using /etc/pkcs11/modules; is that a system-wide file?


Yes. This is the p11-kit configuration file.

p11-kit: http://p11-glue.freedesktop.org/p11-kit.html

regards,
Nikos
