[strongSwan] strongSwan with "FEITIAN PKI card"

Martin Willi martin at strongswan.org
Fri Nov 12 14:54:46 CET 2010


Hi Peter,

> loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
>   OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0

> kernel: [94745.511060] charon[8281]: segfault at 1 ip 00000001 sp
> bfeb733c error 4 in librt-2.12.1.so[110000+7000]

I could reproduce this segfault with the OpenSC PKCS#11 library. A gdb
backtrace shows:

> #0  0x00000000006402e0 in ?? ()
> #1  0x00007ffff3a4cbd1 in sc_pkcs11_lock () at pkcs11-global.c:709
> #2  0x00007ffff3a4d201 in C_GetSlotList (tokenPresent=32 ' ', pSlotList=0x0, pulCount=0x7ffff3c5f7f0) at pkcs11-global.c:332
> #3  0x00007ffff4eb0e03 in get_slot_list (p11=0x62f7d0, out=0x7fffffffceb8) at pkcs11_manager.c:221
> #4  0x00007ffff4eb1555 in query_slots (cb=<value optimized out>, data=<value optimized out>) at pkcs11_manager.c:252
> #5  pkcs11_manager_create (cb=<value optimized out>, data=<value optimized out>) at pkcs11_manager.c:391

The invocation of C_GetSlotList looks fine, but it crashes in the
locking function. The registered locking callback pointers get messed up
for some reason, but I don't know why yet (OpenSC bug?).

The OpenSC library seems to work fine with OS Locking functions.
Unfortunately, we can't enforce these for OpenSC: querying the library
name is not allowed before initializing it.

The attached patch allows you to enforce these functions by specifying
os_locking=yes in your PKCS#11 module section.

Regards
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-a-PKCS-11-module-option-to-enforce-OS-Locking-.patch
Type: text/x-patch
Size: 3548 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101112/02c95142/attachment.bin>
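
Where the os_locking option described in the message would go in strongswan.conf, as an added example that is not part of the original mail or the attached patch. The module name and library path are taken from the log line quoted at the top; the placement under libstrongswan.plugins.pkcs11.modules is an assumption about the local configuration layout, and the option only takes effect on a build that includes the patch.

```conf
# strongswan.conf (added example, not from the original mail)
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                # Section name is free-form; "opensc" matches the module
                # name shown in the quoted log line.
                opensc {
                    # Library path as reported in the quoted log line.
                    path = /usr/lib/opensc-pkcs11.so

                    # Ask the PKCS#11 library to use OS locking functions
                    # instead of the locking callbacks registered by
                    # strongSwan, which is where the backtrace shows the
                    # crash (sc_pkcs11_lock).
                    os_locking = yes
                }
            }
        }
    }
}
```

After restarting the daemon, the "loaded PKCS#11 v2.20 library" line should appear in the log again, and slot enumeration should no longer end in the segfault shown in the kernel message.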

