Description of problem: When installing and configuring this component with a (IMHO) fairly standard configuration, it causes some service to fail on startup. When the configuration causes this to be included into the initramfs, it may even make booting impossible (this is why I found this bug). This happened to me after upgrading from fedora 40. Version-Release number of selected component (if applicable): 1.0.1-3.fc42.x86_64 How reproducible: Steps to Reproduce: 1. Install and configure package dnf install openssl-pkcs11-sign-provider cat >>/etc/pki/tls/openssl.cnf <<EOF [pkcs11sign_sect] module = /usr/lib64/ossl-modules/pkcs11sign.so identity = pkcs11sign # pkcs11sign-module-path = libopencryptoki.so pkcs11sign-module-path = /usr/lib64/p11-kit-proxy.so pkcs11sign-forward = provider=default activate = 1 EOF and make sure the provider_sect in this file contains the line "pkcs11sign = pkcs11sign_sect", eg: [provider_sect] default = default_sect pkcs11sign = pkcs11sign_sect # <------- this line added 2. Make sure pkcs11-proxy is configured per user only: (I am not sure if this is required) cat >/etc/pkcs11/pkcs11.conf <<EOF user-config: only EOF *AND* do not configure anything for the root user 3. Restart gssproxy service Actual results: root@laptop:~# systemctl restart gssproxy Job for gssproxy.service failed because a fatal signal was delivered causing the control process to dump core. See "systemctl status gssproxy.service" and "journalctl -xeu gssproxy.service" for details. Expected results: The service should start up Additional info: The journal contains information about a core dump, that led me to the problem: root@laptop:~# systemctl status gssproxy × gssproxy.service - GSSAPI Proxy Daemon Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; preset: disabled) Drop-In: /usr/lib/systemd/system/service.d └─10-timeout-abort.conf Active: failed (Result: core-dump) since Mon 2025-06-02 09:39:44 CEST; 1min 10s ago Duration: 8.930s Invocation: 08821b0150484d7e9dd83396d9ba863b Process: 1506006 ExecStart=/usr/bin/gssproxy -i (code=dumped, signal=ABRT) Main PID: 1506006 (code=dumped, signal=ABRT) Mem peak: 3.7M CPU: 25ms Jun 02 09:39:43 tsplin.rz.bmi.intra.gv.at systemd[1]: Starting gssproxy.service - GSSAPI Proxy Daemon... Jun 02 09:39:43 tsplin.rz.bmi.intra.gv.at gssproxy[1506006]: free(): double free detected in tcache 2 Jun 02 09:39:44 tsplin.rz.bmi.intra.gv.at systemd-coredump[1506010]: [🡕] Process 1506006 (gssproxy) of user 0 dumped core. Module /usr/bin/gssproxy from rpm gssproxy-0.9.2-8.fc42.x86_64 Module libffi.so.8 from rpm libffi-3.4.6-5.fc42.x86_64 Module p11-kit-proxy.so from rpm p11-kit-0.25.5-5.fc42.x86_64 Module libssl.so.3 from rpm openssl-3.2.4-3.fc42.x86_64 Module pkcs11sign.so from rpm openssl-pkcs11-sign-provider-1.0.1-3.fc42.x86_64 Module libz.so.1 from rpm zlib-ng-2.2.4-3.fc42.x86_64 Module libbasicobjects.so.0 from rpm ding-libs-0.6.2-58.fc42.x86_64 Module libpath_utils.so.1 from rpm ding-libs-0.6.2-58.fc42.x86_64 Module libcollection.so.4 from rpm ding-libs-0.6.2-58.fc42.x86_64 Module libpcre2-8.so.0 from rpm pcre2-10.45-1.fc42.x86_64 Module libcap.so.2 from rpm libcap-2.73-2.fc42.x86_64 Module libcrypto.so.3 from rpm openssl-3.2.4-3.fc42.x86_64 Module libkeyutils.so.1 from rpm keyutils-1.6.3-5.fc42.x86_64 Module libkrb5support.so.0 from rpm krb5-1.21.3-5.fc42.x86_64 Module libcom_err.so.2 from rpm e2fsprogs-1.47.2-3.fc42.x86_64 Module libgssapi_krb5.so.2 from rpm krb5-1.21.3-5.fc42.x86_64 Module libgssrpc.so.4 from rpm krb5-1.21.3-5.fc42.x86_64 Module libverto.so.1 from rpm libverto-0.3.2-10.fc42.x86_64 Module libini_config.so.5 from rpm ding-libs-0.6.2-58.fc42.x86_64 Module libref_array.so.1 from rpm ding-libs-0.6.2-58.fc42.x86_64 Module libselinux.so.1 from rpm libselinux-3.8-1.fc42.x86_64 Module libsystemd.so.0 from rpm systemd-257.5-6.fc42.x86_64 Module libpopt.so.0 from rpm popt-1.19-8.fc42.x86_64 Module libk5crypto.so.3 from rpm krb5-1.21.3-5.fc42.x86_64 Module libkrb5.so.3 from rpm krb5-1.21.3-5.fc42.x86_64 Stack trace of thread 1506006: #0 0x00007ff3ed92811c __pthread_kill_implementation (libc.so.6 + 0x7311c) #1 0x00007ff3ed8ceafe raise (libc.so.6 + 0x19afe) #2 0x00007ff3ed8b66d0 abort (libc.so.6 + 0x16d0) #3 0x00007ff3ed8b76f3 __libc_message_impl.cold (libc.so.6 + 0x26f3) #4 0x00007ff3ed932275 malloc_printerr (libc.so.6 + 0x7d275) #5 0x00007ff3ed932303 tcache_double_free_verify (libc.so.6 + 0x7d303) #6 0x00007ff3ed9376ae free (libc.so.6 + 0x826ae) #7 0x00007ff3ed1a2aaf ps_prov_teardown.part.0 (pkcs11sign.so + 0x1aaf) #8 0x00007ff3ed1a4a2b OSSL_provider_init (pkcs11sign.so + 0x3a2b) #9 0x00007ff3ed33ec4a provider_activate (libcrypto.so.3 + 0x13ec4a) #10 0x00007ff3ed33f16c ossl_provider_activate (libcrypto.so.3 + 0x13f16c) #11 0x00007ff3ed3406d7 provider_conf_activate (libcrypto.so.3 + 0x1406d7) #12 0x00007ff3ed340aa9 provider_conf_load (libcrypto.so.3 + 0x140aa9) #13 0x00007ff3ed3411db provider_conf_init.lto_priv.0 (libcrypto.so.3 + 0x1411db) #14 0x00007ff3ed272d1a CONF_modules_load (libcrypto.so.3 + 0x72d1a) #15 0x00007ff3ed2732b8 CONF_modules_load_file_ex (libcrypto.so.3 + 0x732b8) #16 0x00007ff3ed32e7f8 ossl_init_config_ossl_ (libcrypto.so.3 + 0x12e7f8) #17 0x00007ff3ed92b554 __pthread_once_slow.isra.0 (libc.so.6 + 0x76554) #18 0x00007ff3ed92b5c9 pthread_once.5 (libc.so.6 + 0x765c9) #19 0x00007ff3ed33c50d CRYPTO_THREAD_run_once (libcrypto.so.3 + 0x13c50d) #20 0x00007ff3ed32f243 OPENSSL_init_crypto (libcrypto.so.3 + 0x12f243) #21 0x00007ff3ed2febbc EVP_default_properties_is_fips_enabled (libcrypto.so.3 + 0xfebbc) #22 0x00007ff3edcb133f krb5_c_random_make_octets (libk5crypto.so.3 + 0x933f) #23 0x00007ff3edcb18c3 krb5_c_make_random_key (libk5crypto.so.3 + 0x98c3) #24 0x00005620a368a5b8 gp_init_creds_handle (/usr/bin/gssproxy + 0xf5b8) #25 0x00005620a368a6ab setup_krb5_creds_handle.lto_priv.0 (/usr/bin/gssproxy + 0xf6ab) #26 0x00005620a368d8d2 read_config (/usr/bin/gssproxy + 0x128d2) #27 0x00005620a367ebe7 main (/usr/bin/gssproxy + 0x3be7) #28 0x00007ff3ed8b85f5 __libc_start_call_main (libc.so.6 + 0x35f5) #29 0x00007ff3ed8b86a8 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x36a8) #30 0x00005620a367f5e5 _start (/usr/bin/gssproxy + 0x45e5) ELF object binary architecture: AMD x86-64 Jun 02 09:39:44 tsplin.rz.bmi.intra.gv.at systemd[1]: gssproxy.service: Main process exited, code=dumped, status=6/ABRT Jun 02 09:39:44 tsplin.rz.bmi.intra.gv.at systemd[1]: gssproxy.service: Failed with result 'core-dump'. Jun 02 09:39:44 tsplin.rz.bmi.intra.gv.at systemd[1]: Failed to start gssproxy.service - GSSAPI Proxy Daemon.
Unfortunately, I'm currently not able to reproduce the problem (on rawhide). I'm using gssproxy.x86_64 0.9.2-8.fc43 and openssl-pkcs11-sign-provider.x86_64 1.0.1-3.fc42. Please provide some more debugging information. 1. Set debug environment variables for gssproxy.service sudo mkdir /run/systemd/system/gssproxy.service.d cat | sudo tee /run/systemd/system/gssproxy.service.d/env.conf << EOF [Service] Environment="PKCS11SIGN_DEBUG=/tmp/pkcs11-sign.log" Environment="PKCS11SIGN_DEBUG_LEVEL=3" EOF 2. Restart gssproxy.service sudo systemctl daemon-reload sudo systemctl restart gssproxy-service 3. Collect debug data Please post /tmp/pkcs11-sign.log here. In parallel, I'll do some debugging here on my local machine. At a first sight, the problem might be in some of the (not yet fully tested) error paths.
FEDORA-2025-8823bd326d (new upstream release) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-8823bd326d
FEDORA-2025-c1a9787a59 (new upstream release) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-c1a9787a59
The new mainline release (v1.0.2) fixes two double frees. The packages for f41/f42/rawhide has been updated. Please verify, if the problem has been solved.
FEDORA-2025-c1a9787a59 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-c1a9787a59` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-c1a9787a59 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-8823bd326d has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-8823bd326d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-8823bd326d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Installing 1.0.2 from f42 updates-testing fixed the issue with gssproxy. I'm happy to avoid the additional debugging you requested given my time constraints. Thank you.
FEDORA-2025-8823bd326d (new upstream release) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-c1a9787a59 (new upstream release) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.