[Bug 3963] New: pkcs11: is broken in 10.3p1 with HAVE_NLIST

bugzilla-daemon at mindrot.org
Sun May 17 05:44:26 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3963

            Bug ID: 3963
           Summary: pkcs11: is broken in 10.3p1 with HAVE_NLIST
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: Other
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: pouria at FreeBSD.org

Hi

It seems the `lib_contains_symbol` function in misc.c fails to verify
the existence of the C_GetFunctionList symbol using nlist(3) in PKCS11
libraries.

```
% grep -A2 C_GetFunctionList crypto/openssh/ssh-pkcs11.c
if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) {
error("provider %s is not a PKCS11 library", provider_id);
goto fail;
```

But I can see it exists:
```
elfdump -s /usr/local/lib/libykcs11.so | grep -A4 -B1 C_GetFunctionList
entry: 240
st_name: C_GetFunctionList
st_value: 0x136e0
st_size: 157
st_info: STT_FUNC STB_GLOBAL
st_shndx: 13
```
The same issue exists for the openssh-portable port/pkg.

Log:
```
% ssh-agent -d -a /tmp/agent.socket
SSH_AUTH_SOCK=/tmp/agent.socket; export SSH_AUTH_SOCK;
echo Agent pid 15732;
...
debug3: process_add: add /usr/local/lib/libpcsclite.so.1
lib_contains_symbol: nlist failed for /usr/local/lib/libpcsclite.so.1
provider /usr/local/lib/libpcsclite.so.1 is not a PKCS11 library
debug3: pkcs11_add_provider: response 5
debug1: pkcs11_add_provider: no keys; terminate helper
debug3: helper_terminate: terminating helper for /usr/local/lib/libpcsclite.so.1; remaining 0 keys
```
Same for opensc and libykcs11.so (yubikey):

```
debug3: process_add: add /usr/local/lib/libykcs11.so.2.7.2
lib_contains_symbol: nlist failed for /usr/local/lib/libykcs11.so.2.7.2
provider /usr/local/lib/libykcs11.so.2.7.2 is not a PKCS11 library
debug3: pkcs11_add_provider: response 5
debug1: pkcs11_add_provider: no keys; terminate helper
```

After disabling HAVE_NLIST, it works:
```
debug3: pkcs11_start_helper: helper 1 for "/usr/local/lib/libykcs11.so.2.7.2" on fd 6 pid 61042
debug3: pkcs11_add_provider: add /usr/local/lib/libykcs11.so.2.7.2
debug1: pkcs11_start_helper: starting /usr/local/libexec/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/local/lib/libykcs11.so.2.7.2
debug1: provider /usr/local/lib/libykcs11.so.2.7.2: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
```
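
Added triage example, not part of the original report and not OpenSSH code: the report shows `elfdump -s` listing a symbol that the nlist(3)-based check does not find, so this Python example reports which ELF symbol table defines a symbol by parsing the file, without loading the library. It assumes a little-endian ELF64 file; `tables_defining` and `build_sample` are hypothetical names, and the sample image is constructed, reusing the symbol values from the elfdump output above.

```python
import struct, sys

SHT_SYMTAB, SHT_DYNSYM = 2, 11          # ELF section types that hold symbols
TABLE_NAMES = {SHT_SYMTAB: ".symtab", SHT_DYNSYM: ".dynsym"}

def tables_defining(elf: bytes, symbol: str) -> set:
    """Return which symbol tables of a little-endian ELF64 image define `symbol`."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    # Section header: name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = set()
    for _, sh_type, _, _, off, size, link, _, _, entsize in shdrs:
        if sh_type not in TABLE_NAMES or entsize == 0:
            continue
        str_off, str_size = shdrs[link][4], shdrs[link][5]   # linked string table
        strtab = elf[str_off:str_off + str_size]
        for pos in range(off, off + size, entsize):
            st_name, _, _, st_shndx, _, _ = struct.unpack_from("<IBBHQQ", elf, pos)
            name = strtab[st_name:strtab.find(b"\0", st_name)]
            # st_shndx == 0 (SHN_UNDEF) marks an import, not a definition
            if name == symbol.encode() and st_shndx != 0:
                found.add(TABLE_NAMES[sh_type])
    return found

def build_sample(table_type: int) -> bytes:
    """Constructed minimal ELF64 image with one symbol table of the given type."""
    strtab = b"\0C_GetFunctionList\0"
    # Null symbol, then a global function (values taken from the elfdump output)
    syms = bytes(24) + struct.pack("<IBBHQQ", 1, 0x12, 0, 13, 0x136E0, 157)
    str_off, sym_off = 64, 64 + len(strtab)
    shoff = sym_off + len(syms)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    def sh(sh_type, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, entsize)
    return (hdr + strtab + syms + bytes(64)          # bytes(64) is the null section header
            + sh(table_type, sym_off, len(syms), 2, 24) + sh(3, str_off, len(strtab), 0, 0))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(SHT_DYNSYM)
    print(sorted(tables_defining(data, "C_GetFunctionList")))
```

Run it with a provider path as the only argument. If the symbol appears only in `.dynsym`, a lookup restricted to `.symtab` would not find it; whether that is the cause here is an assumption the report does not establish.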
