[gnutls-devel] Please stop automatically initializing p11-kit
Andy Lutomirski
luto at amacapital.net
Fri Apr 25 00:37:40 CEST 2014
I just found this call trace when my program starts:
#0 0x0000003a76a2a4c0 in pthread_atfork () from /lib64/libp11-kit.so.0
#1 0x0000003a76a19a32 in init_globals_unlocked () from /lib64/libp11-kit.so.0
#2 0x0000003a76a1bb2a in p11_kit_initialize_registered () from /lib64/libp11-kit.so.0
#3 0x0000003d59459b68 in gnutls_pkcs11_init () from /lib64/libgnutls.so.28
#4 0x0000003d5943f5d3 in gnutls_global_init () from /lib64/libgnutls.so.28
#5 0x00007ffff5b57b39 in _GLOBAL__sub_I_net_tls_TLSSession.cpp () from /lib64/libvmime.so.0
#6 0x0000003a5ca0f2ea in call_init.part.0 () from /lib64/ld-linux-x86-64.so.2
#7 0x0000003a5ca0f3d3 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#8 0x0000003a5ca0122a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#9 0x0000000000000001 in ?? ()
#10 0x00007fffffffe2d5 in ?? ()
#11 0x0000000000000000 in ?? ()

I'm not doing any crypto whatsoever. This program *does not use* TLS
under any circumstances whatsoever. It links against a library that
optionally speaks TLS, and that library links against gnutls, and
gnutls is automagically initializing PKCS11 at startup. This happens
because:

- A constructor calls gnutls_global_init. This is fine, as long as
  gnutls_global_init has no harmful side effects.
- gnutls_global_init calls gnutls_pkcs11_init, which I think is a
  disaster. PKCS11 sucks, full stop. The API is fundamentally broken.

But now I'm screwed, because p11-kit's atfork handler is buggy and is
sitting here deadlocked. In a test case. THAT HAS NOTHING TO DO WITH
CRYPTOGRAPHY.

I understand that gnutls needs to support PKCS11. Fine. But please
don't initialize the damn thing until someone actually tries to use
it.

I realize that this is arguably a bug in p11-kit. But it's a problem
with gnutls, too. Please just stop all the automatic PKCS11 madness.

--Andy
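
The deferred initialization the message asks for, as an added example that is not part of the original post and is not GnuTLS or p11-kit code. It models a hypothetical library (every function name here is an assumption) whose global init installs no fork hooks; the token subsystem and its pthread_atfork handler are set up with pthread_once on the first token operation.

```c
/* Added example: hypothetical library, not GnuTLS or p11-kit code. */
#include <pthread.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static pthread_once_t token_once = PTHREAD_ONCE_INIT;
static int token_init_calls;   /* times the subsystem was initialized */
static int fork_prepare_calls; /* times our atfork prepare hook ran */

static void on_fork_prepare(void) { fork_prepare_calls++; }

/* Side-effecting setup: installs a process-wide fork hook. */
static void token_subsystem_init(void)
{
    token_init_calls++;
    pthread_atfork(on_fork_prepare, NULL, NULL);
}

/* Global init stays cheap: no token setup, no fork hooks. */
int lib_global_init(void) { return 0; }

/* The first real token operation triggers initialization, exactly once,
 * even if several threads race to get here. Returns the init count. */
int lib_token_operation(void)
{
    pthread_once(&token_once, token_subsystem_init);
    return token_init_calls;
}

/* Fork a child that exits at once; return how many prepare hooks have run
 * in this (parent) process so far. */
int fork_and_count_hooks(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return fork_prepare_calls;
}

int main(void)
{
    lib_global_init();
    int before = fork_and_count_hooks();  /* no hook installed yet */
    lib_token_operation();
    int after = fork_and_count_hooks();   /* hook installed on first use */
    return (before == 0 && after == 1) ? 0 : 1;
}
```

A process that only links the library and never performs a token operation forks with no handler from the token subsystem in the path.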