Re: NSS for PKINIT, in-progress patches available, feedback sought
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Oct 13 12:05:10 2011
Message-ID: <4E970C32.7000704@mit.edu>
Date: Thu, 13 Oct 2011 12:05:06 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Nalin Dahyabhai <nalin@redhat.com>
In-Reply-To: <20111012215210.GC22808@redhat.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
I'm about to commit this.
I'm seeing an apparent regression in the crypto-after-fork situation
(which I don't think has anything to do with the PKINIT support). The
symptom is that t_workers.py fails with the child workers failing to
start. The control flow is:
* k5_nss_init() detects the fork and calls SECMOD_RestartModules
* NSC_Finalize() is invoked and succeeds
* secmod_ModuleInit() is invoked and succeeds
* PK11_InitToken() is invoked for the module's first slot (of 3)
* NSC_GetTokenInfo() is invoked to get info for the slot
* sftk_SlotFromID() is invoked
* nscSlotHashTable[0] is NULL, so sftk_SlotFromID() returns NULL
* Errors are returned down the chain until SECMOD_RestartModules()
returns a failure
I think this problem is internal to NSS, so I'm going to leave it up to
you guys to figure out where the mistake is if this manifests on Fedora.
I'll attach a backtrace from where the error originates.
> That's fine by me; I'm not sure how dependencies on other out-of-tree
> libraries are handled elsewhere in the package -- libk5crypto has to
> have this problem when it's built with something other than built-in
> crypto, and I guess the kdb_ldap driver does, too.
krb5 dependencies are generally linked in, not dynamically loaded at
runtime. If you want to link libk5crypto with an NSS installation
outside of /usr/lib, you set the appropriate linker flags to add a
DT_RPATH or DT_RUNPATH to libk5crypto so the linker can find the
dependent libraries at load time.
NSS appears to be unusual in that it has dynamically loaded modules but
no apparent framework for locating them. Relying on dlopen() to find
modules in the place where NSS libraries are installed seems to work on
some platforms, but hardly seems reliable.
Attachment: backtrace.txt
#0 sftk_SlotFromID (slotID=1, all=0) at pkcs11.c:2192
#1 0x00007f67d7504b4a in NSC_GetTokenInfo (slotID=1, pInfo=0x7ffffe4a9b30) at pkcs11.c:3112
#2 0x00007f67d8b77c21 in PK11_InitToken (slot=0xa95a80, loadCerts=1) at pk11slot.c:1117
#3 0x00007f67d8b7c787 in SECMOD_RestartModules (force=1) at pk11util.c:1570
#4 0x00007f67da077ac0 in k5_nss_init () at ../../../../../src/lib/crypto/nss/enc_provider/enc_gen.c:114
#5 0x00007f67da0873e5 in k5_nss_prng_add_entropy (context=0xa9f460, indata=0x7ffffe4a9d40) at ../../../../src/lib/crypto/nss/prng.c:37
#6 0x00007f67da083dd3 in krb5_c_random_add_entropy (context=0xa9f460, randsource=1, indata=0x7ffffe4a9d40) at ../../../../src/lib/crypto/krb/prng_nss.c:52
#7 0x00007f67da083cfc in add_entropy_from_device (context=0xa9f460, device=0x7f67da088ad4 "/dev/urandom") at ../../../../src/lib/crypto/krb/prng.c:126
#8 0x00007f67da083d86 in krb5_c_random_os_entropy (context=0xa9f460, strong=0, success=0x0) at ../../../../src/lib/crypto/krb/prng.c:145
#9 0x00007f67da2fd2aa in krb5_init_context_profile (profile=0x0, flags=2, context_out=0xa9fc78) at ../../../../src/lib/krb5/krb/init_ctx.c:182
#10 0x00007f67da2fd0c0 in krb5int_init_context_kdc (context=0xa9fc78) at ../../../../src/lib/krb5/krb/init_ctx.c:103
#11 0x0000000000415b23 in init_realm (rdp=0xa9fc70, realm=0xa9fbb0 "KRBTEST.COM", def_mpname=0x0, def_enctype=511, def_udp_ports=0xaa2d20 "88,750", def_tcp_ports=0xa9f330 "", def_manual=0, def_restrict_anon=0, db_args=0x0, no_refrls=0x0, host_based_srvcs=0x0) at ../../src/kdc/main.c:293
#12 0x0000000000417057 in initialize_realms (kcontext=0xa51230, argc=4, argv=0x7ffffe4aa168) at ../../src/kdc/main.c:870
#13 0x0000000000417882 in main (argc=4, argv=0x7ffffe4aa168) at ../../src/kdc/main.c:1098
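The fork-detection step at the top of the control flow above (k5_nss_init() noticing a new pid and restarting the library) is the part worth keeping in mind for any library that carries PRNG or module state across fork(). The following is an added illustration of that pattern, not krb5's or NSS's code: a hypothetical crypto_init() records the pid that initialised it, and counters stand in for NSS_NoDB_Init() and SECMOD_RestartModules(); child_init_result() forks and reports what the child observed.

```c
/* Fork-aware lazy initialisation in the style described for k5_nss_init().
 * Hypothetical example: counters replace the real NSS calls so the
 * detection logic itself can be exercised and checked. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static pid_t init_pid = 0;   /* pid that last (re)initialised the library */
static int full_inits = 0;   /* stand-in for NSS_NoDB_Init() calls */
static int restarts = 0;     /* stand-in for SECMOD_RestartModules() calls */

/* Returns 0 on first initialisation, 1 when a fork was detected and the
 * state was restarted, 2 when nothing needed doing.  A real implementation
 * would also hold a mutex around this check. */
int crypto_init(void)
{
    pid_t me = getpid();
    if (init_pid == 0) {
        full_inits++;
        init_pid = me;
        return 0;
    }
    if (init_pid != me) {
        /* We are a fork child: PRNG and module state are copies of the
         * parent's and must not be reused, so restart and claim the pid. */
        restarts++;
        init_pid = me;
        return 1;
    }
    return 2;
}

int crypto_restart_count(void) { return restarts; }

/* Fork a child that calls crypto_init() and pass its return value back
 * through the exit status, so the caller can see the fork was detected. */
int child_init_result(void)
{
    crypto_init();               /* make sure the parent is initialised */
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0)
        _exit(crypto_init());
    int status = 0;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The parent's own counters are unaffected by the child's restart, which is exactly the copy-on-write separation that makes the pid check necessary in the first place.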
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev