Package: libtpm2-pkcs11-1
Version: 1.9.0-0.1
Severity: important
Tags: patch
X-Debbugs-Cc: andr...@twosigma.com
The patch set-version-of-library.patch inadvertently suppresses the use of "-Wl,--version-script" later in Makefile.am, which leads to many internal symbols being exposed and/or resolved improperly at runtime. One of these is mutex_create(). Strongswan also has a symbol by that name, so when libstrongswan calls C_Initialize(), the resulting call (from inside libtpm2_pkcs11.so.1) resolves to the strongswan symbol. That function returns a pointer (not an unsigned long), the C_Initialize() call fails, and Strongswan cannot use the PKCS11 stack.

The charon process logs a message like this when this happens:

2023-04-11T21:59:51.231215+00:00 spindle charon: 00[CFG] C_Initialize() error for 'tpm2-pkcs11': (-2052707168)

The attached patch (against the offending patch) arranges for the version-script to be used properly, and also reduces the libtpm2-pkcs11-1.symbols file to the list of symbols that are now supposed to be exported.

-- System Information:
Debian Release: 12.0
  Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-7-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libtpm2-pkcs11-1 depends on:
ii  libc6                 2.36-9
ii  libsqlite3-0          3.40.1-2
ii  libssl3               3.0.8-1
ii  libtss2-esys-3.0.2-0  3.2.1-3
ii  libtss2-mu0           3.2.1-3
ii  libtss2-rc0           3.2.1-3
ii  libtss2-tctildr0      3.2.1-3
ii  libyaml-0-2           0.2.5-1

libtpm2-pkcs11-1 recommends no packages.

libtpm2-pkcs11-1 suggests no packages.

-- no debconf information
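The drift the attached patch corrects (a debian/*.symbols file that lists names the linker map keeps local) can be caught mechanically before upload. The script below is an added example, not part of this bug report or of the Debian packaging: it parses a GNU ld version script and a dpkg symbols file, both constructed samples modelled on the formats shown on this page (the real lib/tpm2-pkcs11.map contents are an assumption), and reports the entries that should not be exported.

```python
import fnmatch
import re

# Constructed sample of a GNU ld version script in the style of lib/tpm2-pkcs11.map:
# only the PKCS#11 entry points are global (the real map's contents are an assumption).
VERSION_SCRIPT = """{
  global: C_*;
  local: *;
};"""

# Constructed sample in debian/*.symbols format, deliberately carrying
# two internal symbols next to real entry points.
SYMBOLS_FILE = """libtpm2_pkcs11.so.1 libtpm2-pkcs11-1 #MINVER#
 C_Initialize@Base 1.2.0
 C_VerifyUpdate@Base 1.2.0
 mutex_create@Base 1.2.0
 tpm_sign@Base 1.2.0
"""

def parse_version_script(text):
    """Return (global_patterns, local_patterns) from a ld version script."""
    globs, locs, section = [], [], None
    for tok in re.findall(r"[^\s;{}]+", text):
        if tok == "global:":
            section = globs
        elif tok == "local:":
            section = locs
        elif section is not None:  # a node name before the first label is skipped
            section.append(tok)
    return globs, locs

def is_exported(name, globs, locs):
    """Simplified ld rule: an exact local entry wins; otherwise any global
    pattern exports the name (the 'local: *' catch-all never beats it)."""
    return name not in locs and any(fnmatch.fnmatchcase(name, g) for g in globs)

def parse_symbols_file(text):
    """Map symbol name -> minimum version from a dpkg symbols file."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r"^[ \t]+(\S+)@\S+[ \t]+(\S+)", text, re.M)}

def stray_symbols(symbols_text, map_text):
    """Names the symbols file lists that the version script keeps local."""
    globs, locs = parse_version_script(map_text)
    return sorted(n for n in parse_symbols_file(symbols_text)
                  if not is_exported(n, globs, locs))

if __name__ == "__main__":
    print("stray entries:", stray_symbols(SYMBOLS_FILE, VERSION_SCRIPT))
```

Run against the packaging's own debian/*.symbols and lib/tpm2-pkcs11.map, a non-empty result means either the symbols file or the version script handling in the build has regressed.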
diff --git a/debian/libtpm2-pkcs11-1.symbols b/debian/libtpm2-pkcs11-1.symbols index d51dfe31..e8b9113f 100644 --- a/debian/libtpm2-pkcs11-1.symbols +++ b/debian/libtpm2-pkcs11-1.symbols 
@@ -68,379 +68,3 @@ libtpm2_pkcs11.so.1 libtpm2-pkcs11-1 #MINVER# C_VerifyUpdate@Base 1.2.0 C_WaitForSlotEvent@Base 1.2.0 C_WrapKey@Base 1.2.0 - __real_db_tobject_new@Base 1.5.0 - __real_init_pobject@Base 1.5.0 - __real_init_sealobjects@Base 1.5.0 - __real_init_tobjects@Base 1.5.0 - __real_tobject_new@Base 1.5.0 - __real_twistbin_new@Base 1.5.0 - _db_update_tobject_attrs@Base 1.6.0 - _g_ecc_curve_nids_templ@Base 1.5.0 - _g_rsa_keysizes_templ@Base 1.5.0 - _session_ctx_opdata_get@Base 1.2.0 - _tobject_user_decrement@Base 1.6.0 - _tobject_user_increment@Base 1.6.0 - aes256_gcm_decrypt@Base 1.2.0 - aes256_gcm_encrypt@Base 1.2.0 - apply_pkcs7_pad@Base 1.6.0 - attr_CK_BBOOL@Base 1.2.0 - attr_CK_KEY_TYPE@Base 1.2.0 - attr_CK_OBJECT_CLASS@Base 1.2.0 - attr_CK_ULONG@Base 1.2.0 - attr_add_missing_attrs@Base 1.2.0 - attr_common_add_RSA_publickey@Base 1.2.0 - attr_common_add_data@Base 1.3.2 - attr_common_add_storage@Base 1.5.0 - attr_get_attribute_by_type@Base 1.2.0 - attr_get_attribute_by_type_raw@Base 1.2.0 - attr_get_name@Base 1.7.0 - attr_list_add_bool@Base 1.2.0 - attr_list_add_buf@Base 1.2.0 - attr_list_add_int@Base 1.2.0 - attr_list_add_int_seq@Base 1.9.0 - attr_list_append_attrs@Base 1.2.0 - attr_list_append_entry@Base 1.3.2 - attr_list_dup@Base 1.5.0 - attr_list_free@Base 1.2.0 - attr_list_get_CKA_CLASS@Base 1.3.2 - attr_list_get_CKA_KEY_TYPE@Base 1.6.0 - attr_list_get_CKA_PRIVATE@Base 1.3.2 - attr_list_get_CKA_TOKEN@Base 1.5.0 - attr_list_get_count@Base 1.2.0 - attr_list_get_ptr@Base 1.2.0 - attr_list_invoke_handlers@Base 1.2.0 - attr_list_new@Base 1.2.0 - attr_list_raw_invoke_handlers@Base 1.2.0 - attr_list_update_entry@Base 1.3.2 - attr_pfree_cleanse@Base 1.3.2 - attr_typify@Base 1.2.0 - backend_add_object@Base 1.5.0 - backend_create_token_seal@Base 1.5.0 - backend_ctx_free@Base 1.5.0 - backend_ctx_new@Base 1.5.0 - backend_ctx_reset@Base 1.5.0 - backend_destroy@Base 1.5.0 - backend_esysdb_add_object@Base 1.5.0 - backend_esysdb_create_token_seal@Base 1.5.0 - 
backend_esysdb_ctx_free@Base 1.5.0 - backend_esysdb_ctx_new@Base 1.5.0 - backend_esysdb_ctx_reset@Base 1.5.0 - backend_esysdb_destroy@Base 1.5.0 - backend_esysdb_get_tokens@Base 1.5.0 - backend_esysdb_init@Base 1.5.0 - backend_esysdb_init_user@Base 1.5.0 - backend_esysdb_rm_tobject@Base 1.5.0 - backend_esysdb_token_changeauth@Base 1.5.0 - backend_esysdb_token_unseal_wrapping_key@Base 1.5.0 - backend_esysdb_update_tobject_attrs@Base 1.5.0 - backend_esysdb_update_token_config@Base 1.5.0 - backend_fapi_add_object@Base 1.5.0 - backend_fapi_add_tokens@Base 1.5.0 - backend_fapi_create_token_seal@Base 1.5.0 - backend_fapi_ctx_free@Base 1.5.0 - backend_fapi_ctx_new@Base 1.5.0 - backend_fapi_destroy@Base 1.5.0 - backend_fapi_init@Base 1.5.0 - backend_fapi_init_user@Base 1.5.0 - backend_fapi_rm_tobject@Base 1.5.0 - backend_fapi_token_changeauth@Base 1.5.0 - backend_fapi_token_unseal_wrapping_key@Base 1.5.0 - backend_fapi_update_tobject_attrs@Base 1.5.0 - backend_get_tokens@Base 1.5.0 - backend_init@Base 1.5.0 - backend_init_user@Base 1.5.0 - backend_rm_tobject@Base 1.5.0 - backend_token_changeauth@Base 1.5.0 - backend_token_unseal_wrapping_key@Base 1.5.0 - backend_update_tobject_attrs@Base 1.5.0 - backend_update_token_config@Base 1.5.0 - check_common_attrs@Base 1.2.0 - convert_pobject_v3_to_v4@Base 1.5.0 - db_add_new_object@Base 1.2.0 - db_add_pobject_v4@Base 1.5.0 - db_add_primary@Base 1.2.0 - db_add_token@Base 1.2.0 - db_debug_set_db@Base 1.5.0 - db_delete_object@Base 1.2.0 - db_destroy@Base 1.2.0 - db_get_first_pid@Base 1.2.0 - db_get_label@Base 1.5.0 - db_get_tokens@Base 1.2.0 - db_init@Base 1.2.0 - db_init_new@Base 1.5.0 - db_init_pobject@Base 1.2.0 - db_new@Base 1.5.0 - db_tobject_new@Base 1.5.0 - db_update_for_pinchange@Base 1.2.0 - db_update_tobject_attrs@Base 1.5.0 - db_update_token_config@Base 1.5.0 - decrypt_final_ex@Base 1.8.0 - decrypt_init_op@Base 1.2.0 - decrypt_oneshot_op@Base 1.2.0 - decrypt_update_op@Base 1.2.0 - digest_final_op@Base 1.2.0 - 
digest_init_op@Base 1.2.0 - digest_oneshot@Base 1.2.0 - digest_op_data_free@Base 1.2.0 - digest_op_data_new@Base 1.2.0 - digest_update_op@Base 1.2.0 - emit_attributes_to_string@Base 1.2.0 - emit_config_to_string@Base 1.2.0 - emit_pobject_to_conf_string@Base 1.5.0 - encrypt_final_ex@Base 1.8.0 - encrypt_init_op@Base 1.2.0 - encrypt_oneshot_op@Base 1.2.0 - encrypt_op_data_free@Base 1.2.0 - encrypt_op_data_new@Base 1.2.0 - encrypt_update_op@Base 1.2.0 - general_finalize@Base 1.2.0 - general_get_func_list@Base 1.2.0 - general_get_info@Base 1.2.0 - general_init@Base 1.2.0 - general_is_init@Base 1.2.0 - get_blob@Base 1.5.0 - get_blob_null@Base 1.5.0 - handle_attr_event@Base 1.2.0 - handle_token_config_event@Base 1.5.0 - init_pobject@Base 1.5.0 - init_pobject_from_stmt@Base 1.5.0 - init_pobject_v3_from_stmt@Base 1.5.0 - init_sealobjects@Base 1.5.0 - init_tobjects@Base 1.5.0 - key_gen@Base 1.2.0 - mdetail_free@Base 1.5.0 - mdetail_new@Base 1.5.0 - mdetail_set_pss_status@Base 1.5.0 - mech_get_digest_alg@Base 1.2.0 - mech_get_digester@Base 1.2.0 - mech_get_info@Base 1.2.0 - mech_get_label@Base 1.5.0 - mech_get_padding@Base 1.5.0 - mech_get_supported@Base 1.2.0 - mech_get_tpm_opdata@Base 1.2.0 - mech_is_HMAC@Base 1.7.0 - mech_is_ecc@Base 1.7.0 - mech_is_hashing_knowledge_needed@Base 1.5.0 - mech_is_hashing_needed@Base 1.2.0 - mech_is_synthetic@Base 1.2.0 - mech_synthesize@Base 1.2.0 - mech_unsynthesize@Base 1.5.0 - mech_validate@Base 1.2.0 - mutex_create@Base 1.2.0 - mutex_destroy@Base 1.2.0 - mutex_lock@Base 1.2.0 - mutex_set_handlers@Base 1.2.0 - mutex_unlock@Base 1.2.0 - object_attr_filter@Base 1.2.0 - object_create@Base 1.2.0 - object_destroy@Base 1.2.0 - object_find@Base 1.2.0 - object_find_data_free@Base 1.2.0 - object_find_final@Base 1.2.0 - object_find_init@Base 1.2.0 - object_get_attributes@Base 1.2.0 - object_init_from_attrs@Base 1.3.2 - object_mech_is_supported@Base 1.2.0 - object_set_attributes@Base 1.5.0 - on_map_scalar_event@Base 1.2.0 - on_seq_scalar_event@Base 
1.2.0 - parse_attributes@Base 1.2.0 - parse_attributes_from_string@Base 1.2.0 - parse_lib_version@Base 1.7.0 - parse_pobject_config_from_string@Base 1.5.0 - parse_token_config_from_string@Base 1.2.0 - pobject_config_free@Base 1.5.0 - pobject_free@Base 1.5.0 - pop_handler@Base 1.2.0 - push_handler@Base 1.2.0 - random_get@Base 1.2.0 - remove_pkcs7_pad@Base 1.6.0 - rsa_gen_mechs@Base 1.2.0 - seed_random@Base 1.2.0 - session_close@Base 1.2.0 - session_closeall@Base 1.2.0 - session_ctx_flags_get@Base 1.2.0 - session_ctx_free@Base 1.2.0 - session_ctx_get_info@Base 1.2.0 - session_ctx_get_token@Base 1.2.0 - session_ctx_login@Base 1.2.0 - session_ctx_login_event@Base 1.2.0 - session_ctx_logout@Base 1.2.0 - session_ctx_logout_event@Base 1.2.0 - session_ctx_new@Base 1.2.0 - session_ctx_opdata_clear@Base 1.2.0 - session_ctx_opdata_get_tobject@Base 1.2.0 - session_ctx_opdata_is_active@Base 1.2.0 - session_ctx_opdata_set@Base 1.2.0 - session_ctx_state_get@Base 1.2.0 - session_ctx_tobject_authenticated@Base 1.2.0 - session_lookup@Base 1.2.0 - session_open@Base 1.2.0 - session_table_free@Base 1.2.0 - session_table_free_ctx@Base 1.2.0 - session_table_free_ctx_all@Base 1.2.0 - session_table_free_ctx_by_handle@Base 1.2.0 - session_table_get_cnt@Base 1.2.0 - session_table_login_event@Base 1.2.0 - session_table_lookup@Base 1.2.0 - session_table_new@Base 1.2.0 - session_table_new_entry@Base 1.2.0 - sign@Base 1.2.0 - sign_final_ex@Base 1.2.0 - sign_init@Base 1.2.0 - sign_update@Base 1.2.0 - slot_add_uninit_token@Base 1.2.0 - slot_destroy@Base 1.2.0 - slot_get_info@Base 1.2.0 - slot_get_list@Base 1.2.0 - slot_get_token@Base 1.2.0 - slot_init@Base 1.2.0 - slot_mechanism_info_get@Base 1.2.0 - slot_mechanism_list_get@Base 1.2.0 - ssl_util_add_PKCS1_PSS@Base 1.8.0 - ssl_util_add_PKCS1_TYPE_1@Base 1.8.0 - ssl_util_attrs_to_evp@Base 1.8.0 - ssl_util_check_PKCS1_TYPE_2@Base 1.8.0 - ssl_util_encrypt@Base 1.5.0 - ssl_util_hash_pass@Base 1.8.0 - ssl_util_params_to_nid@Base 1.8.0 - 
ssl_util_setup_evp_pkey_ctx@Base 1.5.0 - ssl_util_sig_verify@Base 1.5.0 - ssl_util_verify_recover@Base 1.5.0 - str_to_ul@Base 1.2.0 - sw_encrypt_data_init@Base 1.5.0 - take_lock@Base 1.9.0 - tobject_free@Base 1.2.0 - tobject_get_attrs@Base 1.2.0 - tobject_get_min_buf_size@Base 1.7.0 - tobject_new@Base 1.2.0 - tobject_set_auth@Base 1.2.0 - tobject_set_blob_data@Base 1.2.0 - tobject_set_handle@Base 1.2.0 - tobject_set_id@Base 1.2.0 - token_add_tobject@Base 1.2.0 - token_add_tobject_last@Base 1.2.0 - token_config_free@Base 1.5.0 - token_find_tobject@Base 1.2.0 - token_free@Base 1.2.0 - token_free_list@Base 1.2.0 - token_get_info@Base 1.2.0 - token_init@Base 1.2.0 - token_initpin@Base 1.2.0 - token_is_any_user_logged_in@Base 1.2.0 - token_is_so_logged_in@Base 1.2.0 - token_is_user_logged_in@Base 1.2.0 - token_load_object@Base 1.2.0 - token_lock@Base 1.2.0 - token_logout_all_sessions@Base 1.2.0 - token_min_init@Base 1.2.0 - token_reset@Base 1.3.2 - token_rm_tobject@Base 1.2.0 - token_setpin@Base 1.2.0 - token_unlock@Base 1.2.0 - tpm2_create_seal_obj@Base 1.2.0 - tpm2_generate_key@Base 1.2.0 - tpm2_getmechanisms@Base 1.2.0 - tpm_aes_cbc_get_opdata@Base 1.2.0 - tpm_aes_cfb_get_opdata@Base 1.2.0 - tpm_aes_ctr_get_opdata@Base 1.6.0 - tpm_aes_ecb_get_opdata@Base 1.2.0 - tpm_changeauth@Base 1.2.0 - tpm_contextload_handle@Base 1.5.0 - tpm_create_persistent_primary@Base 1.5.0 - tpm_create_transient_primary_from_template@Base 1.5.0 - tpm_ctx_free@Base 1.2.0 - tpm_ctx_new@Base 1.2.0 - tpm_ctx_new_fromtcti@Base 1.5.0 - tpm_decrypt@Base 1.2.0 - tpm_deserialize_handle@Base 1.2.0 - tpm_destroy@Base 1.2.0 - tpm_ec_ecdsa_get_opdata@Base 1.2.0 - tpm_ec_ecdsa_sha1_get_opdata@Base 1.2.0 - tpm_ec_ecdsa_sha256_get_opdata@Base 1.7.0 - tpm_ec_ecdsa_sha384_get_opdata@Base 1.7.0 - tpm_ec_ecdsa_sha512_get_opdata@Base 1.7.0 - tpm_encrypt@Base 1.2.0 - tpm_final_decrypt@Base 1.6.0 - tpm_final_encrypt@Base 1.6.0 - tpm_find_aes_keysizes@Base 1.2.0 - tpm_find_ecc_keysizes@Base 1.2.0 - 
tpm_find_max_rsa_keysize@Base 1.2.0 - tpm_flushcontext@Base 1.2.0 - tpm_get_algorithms@Base 1.2.0 - tpm_get_existing_primary@Base 1.2.0 - tpm_get_name@Base 1.6.0 - tpm_get_pss_sig_state@Base 1.5.0 - tpm_get_token_info@Base 1.2.0 - tpm_getrandom@Base 1.2.0 - tpm_hmac_sha1_get_opdata@Base 1.7.0 - tpm_hmac_sha256_get_opdata@Base 1.7.0 - tpm_hmac_sha384_get_opdata@Base 1.7.0 - tpm_hmac_sha512_get_opdata@Base 1.7.0 - tpm_init@Base 1.2.0 - tpm_is_ecc_curve_supported@Base 1.2.0 - tpm_is_rsa_keysize_supported@Base 1.2.0 - tpm_loadobj@Base 1.2.0 - tpm_objdata_free@Base 1.2.0 - tpm_opdata_free@Base 1.2.0 - tpm_opdata_reset@Base 1.8.0 - tpm_readpub@Base 1.2.0 - tpm_rsa_decrypt@Base 1.2.0 - tpm_rsa_oaep_get_opdata@Base 1.2.0 - tpm_rsa_pkcs_get_opdata@Base 1.2.0 - tpm_rsa_pkcs_sha1_get_opdata@Base 1.2.0 - tpm_rsa_pkcs_sha256_get_opdata@Base 1.2.0 - tpm_rsa_pkcs_sha384_get_opdata@Base 1.2.0 - tpm_rsa_pkcs_sha512_get_opdata@Base 1.2.0 - tpm_rsa_pss_get_opdata@Base 1.5.0 - tpm_rsa_pss_sha1_get_opdata@Base 1.2.0 - tpm_rsa_pss_sha256_get_opdata@Base 1.2.0 - tpm_rsa_pss_sha384_get_opdata@Base 1.2.0 - tpm_rsa_pss_sha512_get_opdata@Base 1.2.0 - tpm_serialize_handle@Base 1.2.0 - tpm_session_active@Base 1.5.0 - tpm_session_start@Base 1.2.0 - tpm_session_stop@Base 1.2.0 - tpm_sign@Base 1.2.0 - tpm_stirrandom@Base 1.2.0 - tpm_unseal@Base 1.2.0 - tpm_verify@Base 1.7.0 - twist_append@Base 1.2.0 - twist_append_twist@Base 1.2.0 - twist_calloc@Base 1.2.0 - twist_concat@Base 1.2.0 - twist_concat_twist@Base 1.2.0 - twist_create@Base 1.2.0 - twist_dup@Base 1.2.0 - twist_end@Base 1.2.0 - twist_eq@Base 1.2.0 - twist_free@Base 1.2.0 - twist_hex_new@Base 1.2.0 - twist_hexlify@Base 1.2.0 - twist_len@Base 1.2.0 - twist_new@Base 1.2.0 - twist_next_alloc_fails@Base 1.2.0 - twist_truncate@Base 1.2.0 - twistbin_aappend@Base 1.2.0 - twistbin_append@Base 1.2.0 - twistbin_concat@Base 1.2.0 - twistbin_create@Base 1.2.0 - twistbin_new@Base 1.2.0 - twistbin_unhexlify@Base 1.2.0 - type_calloc@Base 1.2.0 - 
type_from_ptr@Base 1.2.0 - type_mem_cpy@Base 1.2.0 - type_mem_dup@Base 1.2.0 - type_to_str@Base 1.3.2 - type_zrealloc@Base 1.3.2 - utils_ctx_unwrap_objauth@Base 1.2.0 - utils_ctx_wrap_objauth@Base 1.2.0 - utils_get_halg_size@Base 1.2.0 - utils_get_rand_hex_str@Base 1.2.0 - utils_setup_new_object_auth@Base 1.2.0 - verify@Base 1.2.0 - verify_final@Base 1.2.0 - verify_init@Base 1.2.0 - verify_recover@Base 1.5.0 - verify_recover_init@Base 1.5.0 - verify_update@Base 1.2.0 diff --git a/debian/patches/set-version-of-library.patch b/debian/patches/set-version-of-library.patch index 5b13df0f..ddbe153e 100644 --- a/debian/patches/set-version-of-library.patch +++ b/debian/patches/set-version-of-library.patch @@ -18,3 +18,12 @@ index 0f5e05b..6c9c9be 100644 INCLUDE_DIRS = -I$(srcdir)/src -I$(top_srcdir)/src/lib ACLOCAL_AMFLAGS = -I m4 --install AM_CFLAGS = $(INCLUDE_DIRS) $(EXTRA_CFLAGS) $(CODE_COVERAGE_CFLAGS) \ +@@ -52,7 +52,7 @@ + EXTRA_DIST += lib/tpm2-pkcs11.map + + if HAVE_LD_VERSION_SCRIPT +-src_libtpm2_pkcs11_la_LDFLAGS = -Wl,--version-script=$(srcdir)/lib/tpm2-pkcs11.map ++src_libtpm2_pkcs11_la_LDFLAGS += -Wl,--version-script=$(srcdir)/lib/tpm2-pkcs11.map + endif # HAVE_LD_VERSION_SCRIPT + src_libtpm2_pkcs11_la_LIBADD = $(AM_LDFLAGS) + src_libtpm2_pkcs11_la_SOURCES = $(LIB_PKCS11_SRC) $(LIB_PKCS11_INTERNAL_LIB_SRC)
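Review bot: the symbols-file hunk (`@@ -68,379 +68,3 @@`) drops every non-`C_*` entry, including `mutex_create@Base 1.2.0`, but nothing in this change fails the build if the version script silently stops being applied again: dpkg-gensymbols at its default check level only warns about symbols that newly appear, so the library could regress to exporting internals while the package still builds. Please add a build-time check (for example running dpkg-gensymbols with a stricter `-c` level, or failing the build if `objdump -T` on the built .so lists any defined symbol outside `C_*`), and confirm that lines 1-67 of the symbols file, which this hunk does not show, contain only `C_*` entries as well.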
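Review bot: the `=` to `+=` change on `src_libtpm2_pkcs11_la_LDFLAGS` sits inside `if HAVE_LD_VERSION_SCRIPT`, and automake only accepts `+=` there when the variable has already been assigned unconditionally (or under the same condition) earlier in Makefile.am; otherwise it aborts with an error that the variable is not defined in the same condition. That earlier assignment must come from the existing hunk of set-version-of-library.patch, whose context (`AM_CFLAGS = $(INCLUDE_DIRS) ...` at `@@ -18,3 +18,12 @@`) is visible but whose body is not, so please confirm in the refreshed patch that it assigns `src_libtpm2_pkcs11_la_LDFLAGS` outside any conditional, and regenerate the debian patch with `quilt refresh` rather than by hand so the hunk counts stay consistent.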