[gnutls-devel] Please stop automatically initializing p11-kit

Andy Lutomirski luto at amacapital.net
Fri Apr 25 00:37:40 CEST 2014

I just found this call trace when my program starts:

#0  0x0000003a76a2a4c0 in pthread_atfork () from /lib64/libp11-kit.so.0
#1  0x0000003a76a19a32 in init_globals_unlocked () from /lib64/libp11-kit.so.0
#2  0x0000003a76a1bb2a in p11_kit_initialize_registered () from
#3  0x0000003d59459b68 in gnutls_pkcs11_init () from /lib64/libgnutls.so.28
#4  0x0000003d5943f5d3 in gnutls_global_init () from /lib64/libgnutls.so.28
#5  0x00007ffff5b57b39 in _GLOBAL__sub_I_net_tls_TLSSession.cpp () from /lib64/libvmime.so.0
#6  0x0000003a5ca0f2ea in call_init.part.0 () from /lib64/ld-linux-x86-64.so.2
#7  0x0000003a5ca0f3d3 in _dl_init_internal () from /lib64/ld-linux-x86-64.so.2
#8  0x0000003a5ca0122a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#9  0x0000000000000001 in ?? ()
#10 0x00007fffffffe2d5 in ?? ()
#11 0x0000000000000000 in ?? ()

I'm not doing any crypto whatsoever.  This program *does not use* TLS
under any circumstances whatsoever.  It links against a library that
optionally speaks TLS, and that library links against gnutls, and
gnutls is automagically initializing PKCS11 at startup.  This happens

 - A constructor calls gnutls_global_init.  This is fine, as long as
gnutls_global_init has no harmful side effects.

 - gnutls_global_init calls gnutls_pkcs11_init, which I think is a
disaster.  PKCS11 sucks, full stop.  The API is fundamentally broken.

But now I'm screwed, because p11-kit's atfork handler is buggy and is
sitting here deadlocked.  In a test case.  THAT HAS NOTHING TO DO WITH

I understand that gnutls needs to support PKCS11.  Fine.  But please
don't initialize the damn thing until someone actually tries to use

I realize that this is arguably a bug in p11-kit.  But it's a problem
with gnutls, too.  Please just stop all the automatic PKCS11 madness.
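
The deferral requested above, sketched as an added example that is not part of the original post and is not GnuTLS or p11-kit code: global init stays free of side effects, and the fork handlers are registered only on first token use. Every name here (lib_global_init, lib_token_open, lib_atfork_registrations, the sample URI) is hypothetical.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical library; every name here is an assumption for illustration. */
static pthread_mutex_t init_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t token_lock = PTHREAD_MUTEX_INITIALIZER;
static bool token_ready = false;
static int atfork_registrations = 0;

/* Fork handlers keep token_lock consistent across fork(). */
static void fork_prepare(void) { pthread_mutex_lock(&token_lock); }
static void fork_release(void) { pthread_mutex_unlock(&token_lock); }

/* Global init: only state every caller needs, no token or fork side effects. */
int lib_global_init(void) { return 0; }

/* Safe to run from a load-time constructor because it does nothing invasive. */
__attribute__((constructor)) static void lib_ctor(void) { lib_global_init(); }

/* Token subsystem comes up on first real use, exactly once, under a lock. */
static int token_init_once(void) {
    int rc = 0;
    pthread_mutex_lock(&init_lock);
    if (!token_ready) {
        rc = pthread_atfork(fork_prepare, fork_release, fork_release);
        if (rc == 0) { token_ready = true; atfork_registrations++; }
    }
    pthread_mutex_unlock(&init_lock);
    return rc == 0 ? 0 : -1;
}

int lib_token_open(const char *uri) {
    if (uri == NULL) return -1;        /* rejected before any init happens */
    return token_init_once();
}

/* How many times fork handlers were installed (0 until a token is used). */
int lib_atfork_registrations(void) { return atfork_registrations; }

int main(void) {
    printf("after load: %d\n", lib_atfork_registrations());
    lib_token_open("pkcs11:token=constructed-sample");  /* constructed URI */
    printf("after first token use: %d\n", lib_atfork_registrations());
    return 0;
}
```

A program that never calls lib_token_open never gets fork handlers installed, so a bug in them cannot affect it.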

