Opencryptoki in F21 can no longer talk to the on-board TPM. Back in F19 it was fine.
    % rpm -qf /usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so
    opencryptoki-tpmtok-3.2-1.fc21.x86_64
    % grep tpm /var/log/messages
    Feb 17 10:18:57 very pkcsconf: apiutil.c DL_Load: dlopen() failed for [libpkcs11_tpm.so]; dlerror = [/usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so: undefined symbol: sw_des3_cbc]
This might be related to the removal of DES support from the underlying Fedora crypto libraries.
Might actually be a bug in opencryptoki; it looks like sw_crypt.c is missing from SOURCES in usr/lib/pkcs11/tpm_stdll/Makefile.am
I baked you a scratch build with this fix, but since I don't have a TPM set up, I can't reproduce this problem. Please let me know if it changed something. http://koji.fedoraproject.org/koji/taskinfo?taskID=9575220
Sorry,
    % pkcsconf -t
    Error loading PKCS#11 library
    dlopen error: /usr/lib64/opencryptoki/libopencryptoki.so: undefined symbol: bt_is_empty
    % rpm -qa opencryptoki\*
    opencryptoki-3.2-2.fc23.x86_64
    opencryptoki-libs-3.2-2.fc23.x86_64
    opencryptoki-tpmtok-3.2-2.fc23.x86_64
Sorry. I was too naive about the f23 package. opencryptoki doesn't go well with the new gcc-5, so there are some issues. Can you try this f21 package to see if the proposed fix helps:
http://koji.fedoraproject.org/koji/taskinfo?taskID=9596256
If not, I will investigate it further with some tweaks for gcc-5.
    Apr 29 10:28:46 very pkcsconf: apiutil.c DL_Load: dlopen() failed for [libpkcs11_tpm.so]; dlerror = [/usr/lib64/opencryptoki/stdll/libpkcs11_tpm.so: undefined symbol: ec_hash_sign]
Not quite there yet. :-)
hm, isn't there a tool that would print symbols that can't be resolved in a "so"? Seems there are more files from the common dir missing for the tpm token.
nm -D /lib.../libfoo.so gives a list of dynamic symbols. ldd /lib.../libfoo.so gives a list of shared libraries that might supply them. There is no quickie tool to match up the two lists (other than by running the executables via "env LD_BIND=now LD_DEBUG=all libfoo_user_executable"). I wonder if the tpm.so link command needs a -Wl,--as-needed and/or -Wl,--no-undefined to catch these problems sooner.
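Added example (not part of the original comments and not opencryptoki code): a shell helper that matches the strong undefined symbols reported by nm -D against what the ldd-listed dependencies export. The function names are hypothetical and the sample nm output is constructed; Tspi_Context_Create stands in for a symbol that a dependency really supplies.

```shell
#!/bin/sh
# Added example: match a library's strong undefined dynamic symbols against
# what its dependencies export, so load-time failures show up before install.

# unresolved_symbols UNDEF DEFINED
#   UNDEF:   output of `nm -D --undefined-only lib.so`
#   DEFINED: concatenated `nm -D --defined-only` output of every dependency
unresolved_symbols() {
    awk '
        # Drop a version suffix such as @GLIBC_2.2.5 or @@GLIBC_2.2.5.
        function base(s) { sub(/@.*/, "", s); return s }
        FILENAME == ARGV[1] { if (NF >= 3) defined[base($NF)] = 1; next }
        # Weak references (w, v) may legitimately stay unresolved; skip them.
        NF >= 2 && $(NF-1) == "U" { s = base($NF); if (!(s in defined)) print s }
    ' "$2" "$1" | sort -u
}

# check_lib LIB: run the match on a real shared object (needs nm and ldd).
# ldd can execute code from the file it inspects; use it on trusted builds only.
check_lib() {
    tmp=$(mktemp -d) || return 1
    nm -D --undefined-only "$1" > "$tmp/undef"
    # ldd prints "name => /path (addr)" or "/path (addr)"; keep the paths.
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while read -r dep; do nm -D --defined-only "$dep"; done > "$tmp/defined"
    unresolved_symbols "$tmp/undef" "$tmp/defined"
    rm -rf "$tmp"
}

# Constructed sample nm output (not taken from the real packages).
demo_constructed() {
    d=$(mktemp -d) || return 1
    cat > "$d/undef" <<'EOF'
                 U ec_hash_sign
                 w __gmon_start__
                 U malloc@GLIBC_2.2.5
                 U sw_des3_cbc
                 U Tspi_Context_Create
EOF
    cat > "$d/defined" <<'EOF'
0000000000084130 T malloc@@GLIBC_2.2.5
000000000001a2b0 T Tspi_Context_Create
EOF
    unresolved_symbols "$d/undef" "$d/defined"
    rm -rf "$d"
}

demo_constructed   # prints ec_hash_sign and sw_des3_cbc, one per line
```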
Thank you.
> -Wl,--no-undefined
Helped me with debugging this issue. It seems that this issue was just the tip of the iceberg of problems in this version. I added the missing files and did some code reorganization, and it is now able to build. Please, can you try this scratch build once more? If it works, I will push it to Fedora.
http://koji.fedoraproject.org/koji/taskinfo?taskID=9652039
I have no idea how upstream is running this, but the number of undefined symbols was quite large. Since the upstream version is 3.3, I will try to rebase the patches, see how the latest version works, and report upstream.
It's alive! Alive!
opencryptoki-3.2-2.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opencryptoki-3.2-2.fc22
opencryptoki-3.2-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opencryptoki-3.2-2.fc21
opencryptoki-3.2-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
opencryptoki-3.2-3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
updates are stable, closing.