Package: openvpn
Version: 2.3.4-5
Followup-For: Bug #772812
Dear Maintainer,
I ran into this problem today as well. It's actually also fallout from the
recent patch to fix the systemd detection. Prior to that the systemd check
was often incorrect and hence this problem didn't occur or could be worked
around.
I've rebuilt both the pkcs11-helper and openvpn packages with debug symbols
and collected the backtrace below. As pointed out in the previous message
in this bug by Camille Oudot this module has pkcs11h_setForkMode() set so
attempting to fork triggers a deadlock. For reference I'm using the Alladin
eToken.
At this point I'd suggest either disabling the systemd support (since it
only affects the prompting AFAICS) or provide some way to override the
systemd check. The proper fix would be to recognise that forking is not
allowed and then not attempt it, but that would be quite invasive.
For now the easiest fix appears to be rebuilding openvpn and disable it that
way.
(gdb) bt
#0 0x00007ffff67ff6fd in nanosleep () at
../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff68279d4 in usleep (useconds=<optimized out>) at
../sysdeps/unix/sysv/linux/usleep.c:32
#2 0x0000555555599579 in __mysleep (usec=1000000) at pkcs11.c:66
#3 0x00007ffff7353f31 in _pkcs11h_threading_sleep (milli=1000) at
pkcs11h-threading.c:95
#4 0x00007ffff73542cf in _pkcs1h_threading_mutexLockAll () at
pkcs11h-threading.c:306
#5 0x00007ffff7360710 in __pkcs11h_threading_atfork_prepare () at
pkcs11h-core.c:1261
#6 0x00007ffff67ff782 in __libc_fork () at
../nptl/sysdeps/unix/sysv/linux/x86_64/../fork.c:95
#7 0x00005555555855a7 in openvpn_popen (a=0x7fffffff8ab0, es=0x0) at
misc.c:365
#8 0x000055555558a100 in get_console_input_systemd (prompt=0x555555852f58
"NEED-OK|token-insertion-request|Please insert Martijn vO token:",
echo=true, input=0x7fffffff9c92 "",
capacity=4096) at console.c:163
#9 0x000055555558a211 in get_console_input (prompt=0x555555852f58
"NEED-OK|token-insertion-request|Please insert Martijn vO token:",
echo=true, input=0x7fffffff9c92 "", capacity=4096)
at console.c:196
#10 0x0000555555586e61 in get_user_pass_cr (up=0x7fffffff8c90,
auth_file=0x0, prefix=0x5555555f106b "token-insertion-request", flags=25,
auth_challenge=0x0) at misc.c:1079
#11 0x00005555555994e4 in get_user_pass (up=0x7fffffff8c90, auth_file=0x0,
prefix=0x5555555f106b "token-insertion-request", flags=25) at misc.h:272
#12 0x0000555555599805 in _pkcs11_openvpn_token_prompt (global_data=0x0,
user_data=0x0, token=0x5555558523f0, retry=0) at pkcs11.c:196
#13 0x00007ffff7356360 in _pkcs11h_session_reset (session=0x55555584acd0,
user_data=0x0, mask_prompt=3, p_slot=0x7fffffffae40) at
pkcs11h-session.c:743
#14 0x00007ffff7356989 in _pkcs11h_session_login (session=0x55555584acd0,
is_publicOnly=1, readonly=1, user_data=0x0, mask_prompt=3) at
pkcs11h-session.c:969
#15 0x00007ffff73592aa in _pkcs11h_certificate_resetSession
(certificate=0x55555584ac40, public_only=1, session_mutex_locked=0) at
pkcs11h-certificate.c:728
#16 0x00007ffff735baba in pkcs11h_certificate_getCertificateBlob
(certificate=0x55555584ac40, certificate_blob=0x0,
p_certificate_blob_size=0x7fffffffb328) at pkcs11h-certificate.c:2041
#17 0x00007ffff7363ad1 in pkcs11h_openssl_getX509
(certificate=0x55555584ac40) at pkcs11h-openssl.c:860
#18 0x00007ffff7364404 in pkcs11h_openssl_session_getX509
(openssl_session=0x555555851960) at pkcs11h-openssl.c:1216
#19 0x00007ffff73641d7 in pkcs11h_openssl_session_getEVP
(openssl_session=0x555555851960) at pkcs11h-openssl.c:1123
#20 0x000055555559b3bb in pkcs11_init_tls_session (certificate=0x0,
ssl_ctx=0x7fffffffdfb0) at pkcs11_openssl.c:66
#21 0x000055555559a9c3 in tls_ctx_use_pkcs11 (ssl_ctx=0x7fffffffdfb0,
pkcs11_id_management=false,
pkcs11_id=0x55555584d968
"SafeNet\\x20Inc\\x2E/eToken/????????/Martijn\\x20vO/????????????????") at
pkcs11.c:697
#22 0x00005555555d69c2 in init_ssl (options=0x7fffffffd7b0,
new_ctx=0x7fffffffdfb0) at ssl.c:508
#23 0x000055555557691a in do_init_crypto_tls_c1 (c=0x7fffffffd7b0) at
init.c:2073
#24 0x0000555555576be5 in do_init_crypto_tls (c=0x7fffffffd7b0, flags=3) at
init.c:2153
#25 0x000055555557737b in do_init_crypto (c=0x7fffffffd7b0, flags=3) at
init.c:2325
#26 0x0000555555579831 in init_instance (c=0x7fffffffd7b0,
env=0x555555846bc0, flags=4) at init.c:3372
#27 0x0000555555579416 in init_instance_handle_signals (c=0x7fffffffd7b0,
env=0x555555846bc0, flags=4) at init.c:3233
#28 0x000055555559b8e6 in tunnel_point_to_point (c=0x7fffffffd7b0) at
openvpn.c:70
#29 0x000055555559bcc0 in openvpn_main (argc=2, argv=0x7fffffffe658) at
openvpn.c:250
#30 0x000055555559bdd5 in main (argc=2, argv=0x7fffffffe658) at
openvpn.c:325
-- System Information:
Debian Release: 8.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.56
ii init-system-helpers 1.22
ii initscripts 2.88dsf-59
ii iproute2 3.16.0-2
ii libc6 2.19-18
ii liblzo2-2 2.08-1.2
ii libpam0g 1.1.8-3.1
ii libpkcs11-helper1 1.11-2
ii libssl1.0.0 1.0.1k-3
Versions of packages openvpn recommends:
ii easy-rsa 2.2.2-1
Versions of packages openvpn suggests:
ii openssl 1.0.1k-3
pn resolvconf <none>
-- debconf information:
openvpn/create_tun: false
--
Martijn van Oosterhout <klep...@gmail.com> http://svana.org/kleptog/
