pkinit makes application crash

Benjamin Kaduk kaduk at MIT.EDU
Wed Jun 24 14:48:03 EDT 2015 

On Wed, 24 Jun 2015, Osipov, Michael wrote:

> Hi folks,
>
> we are trying to perform some LDAP requests with Perl against Active Directory
> with Kerberos auth by MIT Kerberos.
> A core file is dumped and following written to stderr:
> $ ./ldap.pl
> Assertion failed: __thread_init == NULL, file ../../../../../core/libs/libc/shared_em_32_perf/../core/threads/pthread_stubs1.c, line 1045
> Abbruchkommando (Speicherabzug geschrieben)
>
> I first have assumed that the Perl module is broken but I guess it isn't?!
> Loading the core file into GDB gives me:
> ===============================================================================
> (gdb) where
> #0  0x60000000c020f6d0:0 in _lwp_kill+0x30 ()
>    from /usr/lib/hpux32/libpthread.so.1
> #1  0x60000000c0174be0:0 in pthread_kill+0x9f0 ()
>    from /usr/lib/hpux32/libpthread.so.1
> #2  0x60000000c0403460:0 in raise+0xe0 () from /usr/lib/hpux32/libc.so.1
> #3  0x60000000c05277b0:0 in abort+0x170 () from /usr/lib/hpux32/libc.so.1
> #4  0x60000000c03ce5f0:0 in _assert+0x260 () from /usr/lib/hpux32/libc.so.1
> #5  0x60000000c0590980:0 in pthread_once+0x80 () from /usr/lib/hpux32/libc.so.1
> #6  0x60000000c4bab160:0 in pkinit_init_plg_crypto ()
>     at pkinit_crypto_openssl.c:410

This pthread_once() stuff is in the library initializor for pkinit's use
of openssl, thought it's not immediately clear what assertion is being
made in the innards of libc.  The fact that the file named in the
assertion failure message is named pthread_stubs1.c makes me wonder if
there is an issue with an executable which was not compiled as threaded
(i.e., is compiled to use the stub implementation) then loaded an object
which uses the pthread interfaces, but that is basically pure speculation.
I don't have enough experience with HP-UX to have any sense of how
plausible that might be.

> What we would like to do:
> Use Net::LDAP with uses Authen::SASL which in turn calls Authen::SASL::XS with
> a Perl to C binding against Cyrus SASL. The very same happens when Authen::SASL::Perl
> with GSSAPI module is used: failure. This must be some generic incompat.
> All calls are performed with an empty ticket cache (non-default location as once
> advised by Greg Hudson) and a client keytab.
> Using an interactive ticket cache makes the entire stuff work, so client ticket
> makes it crash. We do not use PKINIT at all.
> Interesting to say that the very same LDAP request works with ldapsearch(1)
> and a minimal C app with libldap.
>
> Any ideas? Can this be some interference with Perl and preinit of OpenSSL?

Not necessarily perl itself, but this is quite plausible.  The motivation
for switching to library initializers for the openssl calls is discussed
in http://krbdev.mit.edu/rt/Ticket/Display.html?id=6413 , but in general,
openssl is not amenable to having multiple library consumers in a given
application.

I was not directly involved in this work, so it is possible that someone
else (Greg?) may have more insights to offer.

> As a workaround, I would recompile MIT Kerberos on all servers without pkinit
> for now.

That workaround seems advisable for now.

-Ben Kaduk

More information about the Kerberos mailing list