Package: libgnutls30
Version: 3.8.11-3
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: [email protected]

Dear Maintainer,

I've discovered an incompatibility between GnuTLS 3.8.11 and SafeSign IC 
3.8.0.0 PKCS#11 module that prevents the use of SafeSign tokens with 
applications like OpenConnect VPN.

## Problem Description

When GnuTLS attempts to initialize the SafeSign PKCS#11 module, it fails 
with "Thread locking error" because SafeSign returns CKR_NEED_TO_CREATE_THREADS 
(0x09) when it receives the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag.

This is contradictory behavior: the module is saying "I need to create threads" 
when explicitly told "you cannot create threads". However, SafeSign works 
correctly when initialized with flags=0.

## Steps to Reproduce

1. Install SafeSign IC 3.8.0.0 driver (libaetpkss.so)
2. Insert a SafeSign token (e.g., G&D StarSign CUT S)
3. Try to use the token with OpenConnect or any GnuTLS-based application
4. Observe "Cannot initialize PKCS #11 module" error

## Testing

Direct testing shows the issue:
```c
CK_RV rv;
CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL,
                             CKF_OS_LOCKING_OK |
                             CKF_LIBRARY_CANT_CREATE_OS_THREADS,
                             NULL};
rv = C_Initialize(&args);
// SafeSign returns: 0x00000009 (CKR_NEED_TO_CREATE_THREADS)

args.flags = 0;
rv = C_Initialize(&args);
// SafeSign returns: 0x00000000 (CKR_OK)
```

## Proposed Solution

Add a fallback for CKR_NEED_TO_CREATE_THREADS similar to the existing 
CKR_CANT_LOCK fallback. When a module returns CKR_NEED_TO_CREATE_THREADS, 
retry initialization with flags=0.

I've attached a patch that implements this solution. The patch:
- Maintains compatibility with conforming PKCS#11 modules
- Enables support for SafeSign and potentially other non-conforming modules
- Follows the same pattern as the existing CKR_CANT_LOCK fallback
- Has been tested successfully with SafeSign tokens

## Impact

This issue affects users of:
- SafeSign tokens (common in Brazilian government/corporate environments)
- OpenConnect VPN with certificate authentication
- Any GnuTLS-based application using PKCS#11

## Environment

- Debian: Sid/Forky
- GnuTLS: 3.8.11-3
- SafeSign: IC Standard Linux 3.8.0.0
- Token: Giesecke & Devrient StarSign CUT S
- Certificate: ICP-Brasil (Brazilian PKI)

## Additional Information

The issue does NOT occur with:
- pkcs11-tool (OpenSC) - works correctly
- GnuTLS 3.7.x (Debian Trixie) - works correctly

This suggests the issue was introduced in GnuTLS 3.8.x or that 3.7.x had 
more lenient initialization logic.

## Documentation

Complete investigation and testing documentation available at:
https://github.com/dataprev/vpn-safesign-gnutls (if published)

The investigation took approximately 8 hours and included:
- Analysis of GnuTLS source code
- Testing with multiple PKCS#11 modules
- Comparison between GnuTLS 3.7.x and 3.8.x
- Validation with real-world VPN usage

## Patch

Please find attached the patch file:
0001-pkcs11-Add-fallback-for-CKR_NEED_TO_CREATE_THREADS.patch

The patch is minimal (7 lines) and follows GnuTLS coding standards.

Thank you for maintaining GnuTLS in Debian!

Best regards,
Claudio Ferreira Filho
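
The fallback proposed in the report above, sketched as an added example against mock modules; it is not the attached patch or GnuTLS code, the names `init_with_fallback`, `init_result` and the two mocks are hypothetical, and the type definitions are minimal stand-ins for pkcs11.h. It also records what retrying with flags=0 means under PKCS#11: the module is no longer told to do its own OS locking, so the caller has to serialize its calls into it.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for pkcs11.h; numeric values are from the PKCS#11 spec. */
typedef unsigned long CK_RV, CK_FLAGS;
typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    void *pReserved;
} CK_C_INITIALIZE_ARGS;
#define CKR_OK                             0x00UL
#define CKR_NEED_TO_CREATE_THREADS         0x09UL
#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x01UL
#define CKF_OS_LOCKING_OK                  0x02UL

typedef CK_RV (*init_fn)(CK_C_INITIALIZE_ARGS *);

/* Constructed mocks: one behaves as the report describes, one conforms. */
static CK_RV mock_safesign_init(CK_C_INITIALIZE_ARGS *a) {
    return (a->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS)
               ? CKR_NEED_TO_CREATE_THREADS : CKR_OK;
}
static CK_RV mock_conforming_init(CK_C_INITIALIZE_ARGS *a) { (void)a; return CKR_OK; }

/* Hypothetical result record: what the module actually agreed to. */
typedef struct { CK_RV rv; CK_FLAGS flags_used; int caller_must_serialize; } init_result;

static init_result init_with_fallback(init_fn c_initialize) {
    CK_C_INITIALIZE_ARGS args = { NULL, NULL, NULL, NULL,
        CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS, NULL };
    init_result r = { CKR_OK, args.flags, 0 };
    r.rv = c_initialize(&args);
    if (r.rv == CKR_NEED_TO_CREATE_THREADS) {
        /* Retry with flags=0: the module may now spawn threads and is told
         * the application will not call it from several threads at once. */
        args.flags = 0;
        r.rv = c_initialize(&args);
        r.flags_used = 0;
        r.caller_must_serialize = (r.rv == CKR_OK);
    }
    return r;
}

int main(void) {
    init_result s = init_with_fallback(mock_safesign_init);
    init_result c = init_with_fallback(mock_conforming_init);
    printf("safesign:   rv=0x%lx flags=0x%lx serialize=%d\n", s.rv, s.flags_used, s.caller_must_serialize);
    printf("conforming: rv=0x%lx flags=0x%lx serialize=%d\n", c.rv, c.flags_used, c.caller_must_serialize);
    return 0;
}
```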
