Andreas Metzler created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1784
Hello, this is http://bugs.debian.org/1125519 reported by Claudio Ferreira Filho. Attaching verbatim since I really have no opinion whether this is a clear-cut hardware bug or not. Dear Maintainer, I've discovered an incompatibility between GnuTLS 3.8.11 and SafeSign IC 3.8.0.0 PKCS#11 module that prevents the use of SafeSign tokens with applications like OpenConnect VPN. ## Problem Description When GnuTLS attempts to initialize the SafeSign PKCS#11 module, it fails with "Thread locking error" because SafeSign returns CKR_NEED_TO_CREATE_THREADS (0x09) when it receives the CKF_LIBRARY_CANT_CREATE_OS_THREADS flag. This is contradictory behavior: the module is saying "I need to create threads" when explicitly told "you cannot create threads". However, SafeSign works correctly when initialized with flags=0. ## Steps to Reproduce 1. Install SafeSign IC 3.8.0.0 driver (libaetpkss.so) 2. Insert a SafeSign token (e.g., G&D StarSign CUT S) 3. Try to use the token with OpenConnect or any GnuTLS-based application 4. Observe "Cannot initialize PKCS #11 module" error ## Testing Direct testing shows the issue: ```c CK_C_INITIALIZE_ARGS args = {NULL, NULL, NULL, NULL, CKF_OS_LOCKING_OK | CKF_LIBRARY_CANT_CREATE_OS_THREADS, NULL}; rv = C_Initialize(&args); // SafeSign returns: 0x00000009 (CKR_NEED_TO_CREATE_THREADS) args.flags = 0; rv = C_Initialize(&args); // SafeSign returns: 0x00000000 (CKR_OK) ``` ## Proposed Solution Add a fallback for CKR_NEED_TO_CREATE_THREADS similar to the existing CKR_CANT_LOCK fallback. When a module returns CKR_NEED_TO_CREATE_THREADS, retry initialization with flags=0. I've attached a patch that implements this solution. The patch: - Maintains compatibility with conforming PKCS#11 modules - Enables support for SafeSign and potentially other non-conforming modules - Follows the same pattern as the existing CKR_CANT_LOCK fallback - Has been tested successfully with SafeSign tokens ## Impact This issue affects users of: - SafeSign tokens (common in Brazilian government/corporate environments) - OpenConnect VPN with certificate authentication - Any GnuTLS-based application using PKCS#11 ## Environment - Debian: Sid/Forky - GnuTLS: 3.8.11-3 - SafeSign: IC Standard Linux 3.8.0.0 - Token: Giesecke & Devrient StarSign CUT S - Certificate: ICP-Brasil (Brazilian PKI) ## Additional Information The issue does NOT occur with: - pkcs11-tool (OpenSC) - works correctly - GnuTLS 3.7.x (Debian Trixie) - works correctly This suggests the issue was introduced in GnuTLS 3.8.x or that 3.7.x had more lenient initialization logic. ## Documentation Complete investigation and testing documentation available at: https://github.com/dataprev/vpn-safesign-gnutls (if published) The investigation took approximately 8 hours and included: - Analysis of GnuTLS source code - Testing with multiple PKCS#11 modules - Comparison between GnuTLS 3.7.x and 3.8.x - Validation with real-world VPN usage ## Patch Please find attached the patch file: 0001-pkcs11-Add-fallback-for-CKR_NEED_TO_CREATE_THREADS.patch The patch is minimal (7 lines) and follows GnuTLS coding standards. [sugggested.patch](/uploads/17259892134d08ac9dd25c1371e075bb/sugggested.patch) -- Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1784 You're receiving this email because of your account on gitlab.com.
_______________________________________________ Gnutls-devel mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-devel
