pkinit makes application crash

Wed Jun 24 14:21:11 EDT 2015

Hi folks,

we are trying to perform some LDAP requests with Perl against Active Directory
with Kerberos auth by MIT Kerberos.
A core file is dumped and following written to stderr:
$ ./ldap.pl
Assertion failed: __thread_init == NULL, file ../../../../../core/libs/libc/shared_em_32_perf/../core/threads/pthread_stubs1.c, line 1045
Abbruchkommando (Speicherabzug geschrieben)

I first have assumed that the Perl module is broken but I guess it isn't?!
Loading the core file into GDB gives me:
===============================================================================
(gdb) where
#0  0x60000000c020f6d0:0 in _lwp_kill+0x30 ()
   from /usr/lib/hpux32/libpthread.so.1
#1  0x60000000c0174be0:0 in pthread_kill+0x9f0 ()
   from /usr/lib/hpux32/libpthread.so.1
#2  0x60000000c0403460:0 in raise+0xe0 () from /usr/lib/hpux32/libc.so.1
#3  0x60000000c05277b0:0 in abort+0x170 () from /usr/lib/hpux32/libc.so.1
#4  0x60000000c03ce5f0:0 in _assert+0x260 () from /usr/lib/hpux32/libc.so.1
#5  0x60000000c0590980:0 in pthread_once+0x80 () from /usr/lib/hpux32/libc.so.1
#6  0x60000000c4bab160:0 in pkinit_init_plg_crypto ()
    at pkinit_crypto_openssl.c:410
#7  0x60000000c4ba0b20:0 in pkinit_client_plugin_init () at pkinit_clnt.c:1490
#8  0x60000000c4d19110:0 in k5_init_preauth_context () at preauth2.c:154
#9  0x60000000c4d19540:0 in k5_preauth_request_context_init ()
    at preauth2.c:218
#10 0x60000000c4cee100:0 in restart_init_creds_loop () at get_in_tkt.c:742
#11 0x60000000c4cef8f0:0 in krb5_init_creds_init () at get_in_tkt.c:981
#12 0x60000000c4cf48a0:0 in get_init_creds_keytab () at gic_keytab.c:229
#13 0x60000000c4cf4c10:0 in krb5_get_init_creds_keytab () at gic_keytab.c:283
#14 0x60000000c3a62750:0 in get_initial_cred () at acquire_cred.c:608
#15 0x60000000c3a62980:0 in maybe_get_initial_cred () at acquire_cred.c:634
#16 0x60000000c3a64320:0 in kg_cred_resolve () at acquire_cred.c:975
#17 0x60000000c3a803d0:0 in krb5_gss_init_sec_context_ext ()
    at init_sec_context.c:972
---Type <return> to continue, or q <return> to quit---
#18 0x60000000c3a80f50:0 in krb5_gss_init_sec_context ()
    at init_sec_context.c:1085
#19 0x60000000c3a3b9d0:0 in gss_init_sec_context () at g_init_sec_context.c:210
#20 0x60000000c3414020:0 in gssapi_client_mech_step () at gssapi.c:1604
#21 0x60000000c38d7780:0 in sasl_client_step () at client.c:958
#22 0x60000000c38d7370:0 in sasl_client_start () at client.c:904
#23 0x60000000c3321a20:0 in XS_Authen__SASL__XS_client_start () at XS.xs:1382
#24 0x60000000c48888e0:0 in Perl_pp_entersub () at pp_hot.c:2877
#25 0x60000000c4870c00:0 in Perl_runops_standard () at run.c:38
#26 0x60000000c4773870:0 in S_run_body () at perl.c:2366
#27 0x60000000c4772d60:0 in perl_run () at perl.c:2283
#28 0x4003720:0 in main () at perlmain.c:99
===============================================================================

As you can see, the fault happens when PKINIT is attempted with OpenSSL.
After that I have recompiled MIT Kerberos (1.13.1 and 1.13.2) without PKINIT
support and it worked instantly.

This is our environment:
HP-UX 11.31, MIT Kerberos 1.13.1, Perl 5.8.8, Cyrus SASL 2.1.16, OpenSSL 1.0.1m

What we would like to do:
Use Net::LDAP with uses Authen::SASL which in turn calls Authen::SASL::XS with
a Perl to C binding against Cyrus SASL. The very same happens when Authen::SASL::Perl
with GSSAPI module is used: failure. This must be some generic incompat.
All calls are performed with an empty ticket cache (non-default location as once
advised by Greg Hudson) and a client keytab.
Using an interactive ticket cache makes the entire stuff work, so client ticket
makes it crash. We do not use PKINIT at all.
Interesting to say that the very same LDAP request works with ldapsearch(1)
and a minimal C app with libldap.

Any ideas? Can this be some interference with Perl and preinit of OpenSSL?

As a workaround, I would recompile MIT Kerberos on all servers without pkinit
for now.

I'd be more than happy to assist here.

Michael