p11-kit 0.24.1 fails assertions #495

Closed
mouse07410 opened this issue Apr 17, 2023 · 20 comments · Fixed by #505

@mouse07410

mouse07410 commented Apr 17, 2023

Apple Silicon M2, MacOS Ventura 13.3.1, Xcode-14.3, OpenSSL-3.1.0, pkcs11-provider (current master), p11-kit v0.24.1, installed via Macports.

$ openssl pkeyutl  -decrypt -inkey "pkcs11:id=%03;type=private" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -in /tmp/derive.25519.key.enc -out /tmp/derive.25519.key.dec
Enter pass phrase for PKCS#11 Token (Slot 17 - Yubico YubiKey OTP+FIDO+CCID):
p11-kit: 'bound != NULL' not true at fixed4_C_CloseSession
p11-kit: 'bound != NULL' not true at fixed4_C_CloseSession
p11-kit: 'bound != NULL' not true at fixed4_C_CloseSession
p11-kit: 'bound != NULL' not true at fixed4_C_CloseSession
p11-kit: 'bound != NULL' not true at fixed4_C_CloseSession
p11-kit: 'bound != NULL' not true at fixed4_C_Finalize

Despite the above bunch of failed assertions, apparently the decryption succeeds and produces correct output.

Still, these assertions are rather unnerving, and it would be great to fix their cause or get rid of them. ;-)

Update

Cloning this repo, building, and running tests (as your README suggests), showed a few failed tests:

18/57 test-modules             FAIL            1.75s   exit status 12
>>> MALLOC_PERTURB_=12 /Users/ur20980/src/p11-kit/_build/p11-kit/test-modules

19/57 test-init                FAIL            1.97s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=190 /Users/ur20980/src/p11-kit/_build/p11-kit/test-init

20/57 test-deprecated          FAIL            1.62s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=11 /Users/ur20980/src/p11-kit/_build/p11-kit/test-deprecated

21/57 test-proxy               FAIL            1.59s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=36 /Users/ur20980/src/p11-kit/_build/p11-kit/test-proxy

22/57 test-proxy3              FAIL            1.60s   exit status 48
>>> MALLOC_PERTURB_=87 /Users/ur20980/src/p11-kit/_build/p11-kit/test-proxy3

23/57 test-iter                FAIL            1.42s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=232 /Users/ur20980/src/p11-kit/_build/p11-kit/test-iter

24/57 test-rpc-message         OK              1.43s
25/57 test-rpc                 OK              1.65s
26/57 test-conf                FAIL            3.37s   killed by signal 6 SIGABRT
>>> MALLOC_PERTURB_=126 /Users/ur20980/src/p11-kit/_build/p11-kit/test-conf

.  .  .

>>> MALLOC_PERTURB_=117 /Users/ur20980/src/p11-kit/_build/p11-kit/test-transport

56/57 test-transport3          TIMEOUT        30.00s   exit status 54
>>> MALLOC_PERTURB_=162 /Users/ur20980/src/p11-kit/_build/p11-kit/test-transport3

57/57 test-server              TIMEOUT        30.01s   exit status 7
>>> MALLOC_PERTURB_=68 /Users/ur20980/src/p11-kit/_build/p11-kit/test-server


Ok:                 47  
Expected Fail:      0   
Fail:               7   
Unexpected Pass:    0   
Skipped:            0   
Timeout:            3   

The full test log: testlog.txt
Meson log, in case it's useful: meson-log.txt

@ueno
Member

ueno commented Apr 17, 2023

Thank you for the report. As for the test failures, would anything change if you specify -Dclosures=0 at the meson setup command line?

@neverpanic
Contributor

I've seen these (or similar assertions) before on macOS when running the pkcs11-provider tests, but as you noticed they don't seem to affect functionality, so I didn't spend a lot of time investigating.

@neverpanic
Contributor

I see significantly fewer failures with -Dclosures=0 with a few other meson build system fixes, which I'll submit in a PR shortly:

$ meson setup -Dsystemd=disabled -Dbash_completion=disabled -Dclosures=0 _build
$ meson compile -C _build
$ meson test -C _build
$ meson test -C _build
ninja: no work to do.
ninja: Entering directory `/Users/cllang/Development/p11-kit/_build'
ninja: no work to do.
 1/57 test-tests               OK              0.06s
 2/57 test-hash                OK              0.05s
 3/57 test-constants           OK              0.03s
 4/57 test-attrs               OK              0.05s
 5/57 test-buffer              OK              0.05s
 6/57 test-dict                OK              0.09s
 7/57 test-url                 OK              0.06s
 8/57 test-path                OK              0.05s
 9/57 test-lexer               OK              0.04s
10/57 test-message             OK              0.05s
11/57 test-argv                OK              0.06s
12/57 test-runtime             OK              0.06s
13/57 test-progname            OK              0.06s
14/57 test-util                OK              0.06s
15/57 test-uri                 OK              0.06s
16/57 test-pin                 OK              0.05s
17/57 test-modules             OK              0.12s
18/57 test-conf                OK              0.24s
19/57 test-compat              OK              0.42s
20/57 test-proxy3              OK              0.23s
21/57 test-proxy               OK              0.27s
22/57 test-rpc-message         OK              0.06s
23/57 test-virtual             OK              0.06s
24/57 test-iter                OK              0.21s
25/57 test-init                OK              0.36s
26/57 test-managed             OK              0.06s
27/57 test-log                 OK              0.06s
28/57 test-log3                OK              0.05s
29/57 test-filter              OK              0.06s
30/57 test-deprecated          OK              0.40s
31/57 test-digest              OK              0.03s
32/57 test-rpc                 OK              0.26s
33/57 test-asn1                OK              0.03s
34/57 test-base64              OK              0.03s
35/57 test-server.sh           OK              0.11s
36/57 test-pem                 OK              0.05s
37/57 test-messages.sh         OK              0.15s
38/57 test-oid                 OK              0.06s
39/57 test-utf8                OK              0.05s
40/57 test-server              FAIL            0.20s   exit status 7
>>> MALLOC_PERTURB_=73 /Users/cllang/Development/p11-kit/_build/p11-kit/test-server

41/57 test-x509                OK              0.06s
42/57 test-persist             OK              0.05s
43/57 test-index               OK              0.04s
44/57 test-parser              OK              0.04s
45/57 test-array               OK              0.78s
46/57 test-builder             OK              0.05s
47/57 test-enumerate           OK              0.04s
48/57 test-save                OK              0.06s
49/57 test-cer                 OK              0.08s
50/57 test-bundle              OK              0.08s
51/57 test-openssl             OK              0.07s
52/57 test-edk2                OK              0.06s
53/57 test-jks                 OK              0.04s
54/57 test-module              OK              0.16s
55/57 test-token               OK              4.49s
56/57 test-transport           OK              6.79s
57/57 test-transport3          OK              7.43s

Ok:                 56
Expected Fail:      0
Fail:               1
Unexpected Pass:    0
Skipped:            0
Timeout:            0

Full log written to /Users/cllang/Development/p11-kit/_build/meson-logs/testlog.txt

test-server fails a number of assertions:

=================================== 40/57 ====================================
test:         test-server
start time:   10:19:13
duration:     0.20s
result:       exit status 7
command:      MALLOC_PERTURB_=73 /Users/cllang/Development/p11-kit/_build/p11-kit/test-server
----------------------------------- stdout -----------------------------------
1..7
not ok 1 /server/initialize
# assertion failed (module != ((void*)0))
# in test_initialize() at test-server.c:174
not ok 2 /server/initialize-no-address
# assertion failed (module != ((void*)0))
# in test_initialize_no_address() at test-server.c:195
not ok 3 /server/open-session
# assertion failed (module != ((void*)0))
# in test_open_session() at test-server.c:217
not ok 4 /server/open-session-write-protected
# assertion failed (module != ((void*)0))
# in test_open_session_write_protected() at test-server.c:249
not ok 5 /server/all/initialize
# assertion failed (module != ((void*)0))
# in test_initialize() at test-server.c:174
not ok 6 /server/all/initialize-no-address
# assertion failed (module != ((void*)0))
# in test_initialize_no_address() at test-server.c:195
not ok 7 /server/all/open-session
# assertion failed (module != ((void*)0))
# in test_open_session() at test-server.c:217
==============================================================================

@neverpanic
Contributor

See #496.

@mouse07410
Author

With PR #496 applied, all tests pass, except for one (57) that times out:

57/57 test-server              TIMEOUT        30.01s   exit status 7
>>> MALLOC_PERTURB_=146 /Users/ur20980/src/p11-kit/_build/p11-kit/test-server


Ok:                 56  
Expected Fail:      0   
Fail:               0   
Unexpected Pass:    0   
Skipped:            0   
Timeout:            1   

Testlog: testlog.txt

If I want to install what I compiled into /opt/local/lib (and other appropriate /opt/local dirs, like /opt/local/include) - how should I build this package? Mere meson setup _build configures for /usr/local, and if I try meson install --dry-run --destdir /opt/local, it places stuff into /opt/local/usr/local...

@neverpanic
Contributor

> If I want to install what I compiled into /opt/local/lib (and other appropriate /opt/local dirs, like /opt/local/include) - how should I build this package? Mere meson setup _build configures for /usr/local, and if I try meson install --dry-run --destdir /opt/local, it places stuff into /opt/local/usr/local...

Please don't manually overwrite contents of /opt/local. MacPorts manages those, and expects that you do not modify them other than using MacPorts. If you want this version of p11-kit, install it somewhere else, e.g. in /opt/p11kit using meson setup --prefix=/opt/p11kit.

The other opportunity would be changing the MacPorts Portfile to include these fixes, but considering the autotools build system currently works fine for that, I think this should be merged here and published into a release before MacPorts' Portfile should follow.

@mouse07410
Author

mouse07410 commented Apr 17, 2023

> If you want this version of p11-kit, install it somewhere else, e.g. in /opt/p11kit using meson setup --prefix=/opt/p11kit

There's a bunch of ports that appear to depend on p11-kit, so I can't just install a "better" copy elsewhere - it would be practically useless.

The following seems a preferred alternative:

> The other opportunity would be changing the MacPorts Portfile to include these fixes, but considering the autotools build system currently works fine for that, I think this should be merged here and published into a release before MacPorts' Portfile should follow.

This is what I would absolutely prefer. I'm not crazy about even compiling p11-kit from the source myself, and will be happy to keep relegating this to Macports. So, the sooner this gets merged, and propagated to Macports - the better for me.

@mouse07410
Author

Oh, test 57 keeps failing with timeout with -Dclosures=0:

57/57 test-server              TIMEOUT        30.01s   exit status 7
>>> MALLOC_PERTURB_=9 /Users/ur20980/src/p11-kit/_build/p11-kit/test-server


Ok:                 56  
Expected Fail:      0   
Fail:               0   
Unexpected Pass:    0   
Skipped:            0   
Timeout:            1   

@neverpanic
Contributor

I cannot reproduce the timeout, it fails with an error for me, but I already identified the root cause for that. The timeout must be specific to your system.

@mouse07410
Author

> I already identified the root cause

Great! Can I hope to see a merged fix, or at least a PR soon?

@mouse07410
Author

Trying to compile the thing on Intel-based Mac (MacOS Ventura 13.3.1, Xcode-14.3), it fails to link with a local library. I think meson erroneously allows linker flags that it should've "blacklisted".

$ meson setup --prefix=/opt/p11kit -Dclosures=0 -Dbash_completion=disabled -Dsystemd=disabled _build
The Meson build system
Version: 1.1.0
Source dir: /Users/ur20980/src/p11-kit
Build dir: /Users/ur20980/src/p11-kit/_build
Build type: native build
Project name: p11-kit
Project version: 0.24.1
C compiler for the host machine: clang (clang 14.0.3 "Apple clang version 14.0.3 (clang-1403.0.22.14.1)")
C linker for the host machine: clang ld64 857.1
Host machine cpu family: x86_64
Host machine cpu: x86_64
Has header "libintl.h" : NO 
Checking for size of "unsigned long" : 8 
Run-time dependency threads found: YES
Checking for function "pthread_create" with dependency threads: YES 
Checking for function "nanosleep" : YES 
Checking for function "dlopen" : YES 
Library nsl found: NO
Has header "locale.h" : YES 
Checking for type "locale_t" : NO 
Has header "sys/resource.h" : YES 
Has header "sys/un.h" : YES 
Has header "ucred.h" : NO 
Checking for function "fdwalk" : NO 
Checking for function "getauxval" : NO 
Checking for function "getexecname" : NO 
Checking for function "getpeereid" : YES 
Checking for function "getpeerucred" : NO 
Checking for function "getprogname" : YES 
Checking for function "getresuid" : NO 
Checking for function "isatty" : YES 
Checking for function "issetugid" : YES 
Checking for function "mkdtemp" : YES 
Checking for function "mkstemp" : YES 
Checking for function "secure_getenv" : NO 
Checking for function "strndup" : YES 
Checking whether type "struct dirent" has member "d_type" : YES 
Checking if "thread-local storage class" compiles: YES 
Checking for function "gmtime_r" : YES 
Checking if "program_invocation_short_name_test_code" : links: NO 
Checking if "__progname" : links: YES 
Checking if "__libc_enable_secure" : links: NO 
Checking if "vsock_test" compiles: NO 
Checking for type "sighandler_t" : NO 
Checking for type "sig_t" : NO 
Checking for type "__sighandler_t" : NO 
Checking for type "sighandler_t" : NO 
Checking for type "sig_t" : YES 
Checking for type "__sighandler_t" : NO 
Has header "stdbool.h" : YES 
Checking for function "asprintf" : YES 
Checking for function "basename" : YES 
Checking for function "memdup" : NO 
Checking for function "reallocarray" : NO 
Checking for function "secure_getenv" : NO (cached)
Checking for function "setenv" : YES 
Checking for function "strerror_r" : YES 
Checking for function "strnstr" : YES 
Checking for function "vasprintf" : YES 
Header "errno.h" has symbol "program_invocation_short_name" : NO 
Header "stdio.h" has symbol "asprintf" : YES 
Header "stdio.h" has symbol "vasprintf" : YES 
Header "stdlib.h" has symbol "reallocarray" : NO 
Found pkg-config: /opt/local/bin/pkg-config (0.29.2)
Run-time dependency libffi found: YES 3.4.4
Run-time dependency libtasn1 found: YES 4.19.0
Program asn1Parser found: YES (/opt/local/bin/asn1Parser)
Found CMake: /opt/local/bin/cmake (3.24.4)
Run-time dependency libsystemd found: NO (tried pkgconfig, framework and cmake)
Run-time dependency systemd found: NO (tried pkgconfig, framework and cmake)
Configuring config.h using configuration
Compiler for C supports link arguments -Wl,--version-script,/Users/ur20980/src/p11-kit/p11-kit/libp11-kit.map: NO 
Compiler for C supports link arguments -Wl,-z,nodelete: NO 
Compiler for C supports link arguments -Wl,--version-script,/Users/ur20980/src/p11-kit/p11-kit/p11-module.map: NO 
Program gen-pkcs11-gnu.sh found: YES (/Users/ur20980/src/p11-kit/p11-kit/gen-pkcs11-gnu.sh)
Program test-messages.sh found: YES (/Users/ur20980/src/p11-kit/p11-kit/test-messages.sh)
Program test-server.sh found: YES (/Users/ur20980/src/p11-kit/p11-kit/test-server.sh)
Configuring pkcs11.conf.example using configuration
Program msgfmt found: YES (/opt/local/bin/msgfmt)
Program msginit found: YES (/opt/local/bin/msginit)
Program msgmerge found: YES (/opt/local/bin/msgmerge)
Program xgettext found: YES (/opt/local/bin/xgettext)
Dependency bash-completion skipped: feature bash_completion disabled
bash-completion/meson.build:7: WARNING: Will not install bash completion due to missing dependencies!
Build targets in project: 184

p11-kit 0.24.1

  User defined options
    prefix         : /opt/p11kit
    bash_completion: disabled
    closures       : 0

Found ninja-1.11.1 at /opt/local/bin/ninja
$ meson compile -C _build && meson test -C _build && meson install --dry-run -C _build
INFO: autodetecting backend as ninja
INFO: calculating backend command to run: /opt/local/bin/ninja -C /Users/ur20980/src/p11-kit/_build
ninja: Entering directory `/Users/ur20980/src/p11-kit/_build'
[51/370] Compiling C object p11-kit/libp11-kit-internal.a.p/conf.c.o
../p11-kit/conf.c:411:6: warning: variable 'count' set but not used [-Wunused-but-set-variable]
        int count = 0;
            ^
1 warning generated.
[70/370] Compiling C object p11-kit/libp11-kit-testable.a.p/conf.c.o
../p11-kit/conf.c:411:6: warning: variable 'count' set but not used [-Wunused-but-set-variable]
        int count = 0;
            ^
1 warning generated.
[140/370] Generating trust/basic.asn.h with a custom command
Done.
[143/370] Generating trust/pkix.asn.h with a custom command
Done.
[144/370] Generating trust/openssl.asn.h with a custom command
Done.
[197/370] Linking target p11-kit/p11-kit-server-testable
FAILED: p11-kit/p11-kit-server-testable 
clang  -o p11-kit/p11-kit-server-testable p11-kit/p11-kit-server-testable.p/server.c.o -Wl,-dead_strip_dylibs -Wl,-headerpad_max_install_names -Wl,-undefined,error -O3 -std=gnu18 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -Wl,-rpath,/opt/local/lib p11-kit/libp11-kit-testable.a common/libp11-library.a common/libp11-common.a common/libp11-tool.a /opt/local/lib/libffi.dylib
Undefined symbols for architecture x86_64:
  "_p11_library_mutex", referenced from:
      _p11_kit_be_quiet in libp11-kit-testable.a(util.c.o)
      _p11_kit_be_loud in libp11-kit-testable.a(util.c.o)
      _p11_kit_set_progname in libp11-kit-testable.a(util.c.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
[198/370] Linking target p11-kit/test-uri
FAILED: p11-kit/test-uri 
clang  -o p11-kit/test-uri p11-kit/test-uri.p/test-uri.c.o -Wl,-dead_strip_dylibs -Wl,-headerpad_max_install_names -Wl,-undefined,error -O3 -std=gnu18 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -Wl,-rpath,/opt/local/lib p11-kit/libp11-kit-testable.a common/libp11-library.a common/libp11-common.a common/libp11-test.a /opt/local/lib/libffi.dylib
Undefined symbols for architecture x86_64:
  "_p11_library_mutex", referenced from:
      _p11_kit_be_quiet in libp11-kit-testable.a(util.c.o)
      _p11_kit_be_loud in libp11-kit-testable.a(util.c.o)
      _p11_kit_set_progname in libp11-kit-testable.a(util.c.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
[201/370] Linking target p11-kit/test-util
FAILED: p11-kit/test-util 
clang  -o p11-kit/test-util p11-kit/test-util.p/test-util.c.o -Wl,-dead_strip_dylibs -Wl,-headerpad_max_install_names -Wl,-undefined,error -O3 -std=gnu18 -march=native -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -Wl,-rpath,/opt/local/lib p11-kit/libp11-kit-testable.a common/libp11-library.a common/libp11-common.a common/libp11-test.a /opt/local/lib/libffi.dylib
Undefined symbols for architecture x86_64:
  "_p11_library_mutex", referenced from:
      _p11_kit_be_quiet in libp11-kit-testable.a(util.c.o)
      _p11_kit_be_loud in libp11-kit-testable.a(util.c.o)
      _p11_kit_set_progname in libp11-kit-testable.a(util.c.o)
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
[218/370] Linking target p11-kit/test-proxy
ninja: build stopped: subcommand failed.
$ for i in `find . -name '*.a' -print`; do echo $i; nm $i | grep kit_be_loud; done
./_build/common/libp11-tool.a
./_build/common/libp11-library.a
./_build/common/libp11-common.a
./_build/common/libp11-test.a
./_build/trust/liblibtrust-data.a
./_build/p11-kit/libp11-kit-testable.a
00000000000000d0 T _p11_kit_be_loud
./_build/p11-kit/libp11-kit-pkcs11-gnu.a
./_build/p11-kit/libp11-kit-internal.a
$ 

@mouse07410
Author

mouse07410 commented Apr 17, 2023

Also, with the current master plus #496 applied, I'm getting this crash (which occurs after the result of the crypto operation has been returned):

Date/Time:             2023-04-17 18:58:44.9974 -0400
OS Version:            macOS 13.3.1 (22E261)
Report Version:        12
Bridge OS Version:     7.4 (20P4252)
Anonymous UUID:        BD844EB9-9C6F-867E-78EB-1ACDA55970A0


Time Awake Since Boot: 860000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes:       0x0000000000000001, 0x0000000000000000

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [34747]

VM Region Info: 0 is not in any region.  Bytes before following region: 4344360960
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      102f1b000-102f9b000    [  512K] r-x/r-x SM=COW  ...xec/*/openssl

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   ???                           	               0x0 ???
1   libp11-kit.0.dylib            	       0x1033a95a5 binding_C_Finalize + 21 (virtual.c:166)
2   libffi.8.dylib                	       0x10309b942 ffi_closure_unix64_inner + 545
3   libffi.8.dylib                	       0x10309bf4c ffi_closure_unix64 + 72
4   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
5   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
6   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
7   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
8   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
9   pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
10  pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
.  .  .
510 pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)
511 pkcs11.dylib                  	       0x1031b23f6 p11prov_Finalize + 102 (interface.gen.c:33)

for encryption, and the same trace except that it's in interface.gen.c:235 for decryption.

Encrypting this random symmetric key to token RSA KEY MAN key...
echo -n e377e8e35160f86f708565fb7aad4bf7f20c775bf5c1b32c5845ca425d74ecb7 | xxd -r -p -c 200 | openssl pkeyutl  -encrypt -pubin -inkey "pkcs11:model=YubiKey%20YK4;id=%03;type=public" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -out /tmp/derive.34735.key.enc
/Users/ur20980/bin/pkcs11-rsa-encr-prov: line 191: 34745 Done                    echo -n ${KEY}
     34746                       | xxd -r -p -c 200
     34747 Segmentation fault: 11  | ${OPENSSL} pkeyutl ${ENGINE} -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -out ${TMP}.key.enc

Decrypting the symmetric key on the token...
openssl pkeyutl  -decrypt -inkey "pkcs11:model=YubiKey%20YK4;id=%03;type=private" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -in /tmp/derive.34735.key.enc | xxd -p -c 200
Enter pass phrase for PKCS#11 Token (Slot 23 - Yubico YubiKey OTP+FIDO+CCID):
/Users/ur20980/bin/pkcs11-rsa-encr-prov: line 196: 34752 Segmentation fault: 11  ${OPENSSL} pkeyutl ${ENGINE} -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -in ${TMP}.key.enc -out ${TMP}.key.dec

Here's the link to the interface.gen.c:33: https://github.com/latchset/pkcs11-provider/blob/d9ec6d61c298f802c5697bc8577e23a36a2d97a6/src/interface.gen.c#L33

Update

@simo5 perhaps you could see what's going on here?

@simo5

simo5 commented Apr 17, 2023

Some of the tools use openssl directly and race at process exit with openssl deinitialization.
Try to set this option to no-deinit, and see if it improves the situation.

@mouse07410
Author

> Some of the tools use openssl directly and race at process exit with openssl deinitialization.
> Try to set this option to no-deinit, and see if it improves the situation.

@simo5 thank you - this setting alleviated the de-initialization problem!!

@neverpanic
Contributor

I believe #496 should fix the problem reported in this issue when built with -Dclosures=0.

The question that remains is whether we should maybe make -Dclosures=0 the default on macOS?

@ueno
Member

ueno commented Apr 20, 2023

That might make sense. While we should investigate the root cause, the fixed closure support was added merely to prevent AVC denials when creating and running executable code on the fly (that is what libffi does internally on Linux). If libffi closures work ok on macOS, we don't need to use fixed closures.
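
A simplified model of the fixed-closure technique discussed in this thread, as an added example (not p11-kit's code; every name, the slot count and the struct layout are assumptions). Each precompiled entry point looks up its module in a static table, and a call through an entry point whose slot is empty returns an error with a `bound != NULL` style message like the ones in the original report.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative model: every name, the slot count and the struct layout
 * are assumptions, not p11-kit's definitions. */
#define MAX_FIXED 4
#define RV_OK            0UL
#define RV_GENERAL_ERROR 5UL  /* numeric value of CKR_GENERAL_ERROR */
typedef unsigned long rv_t;

/* The wrapped implementation needs a context pointer ("self")... */
typedef struct module {
    rv_t (*close_session)(struct module *self, unsigned long session);
    int sessions_closed;
} module;

/* ...but a PKCS#11-style caller holds a plain C function pointer. */
typedef rv_t (*close_session_fn)(unsigned long session);

/* Binding table: slot n holds the module that fixed<n>_* forwards to. */
static module *fixed_slots[MAX_FIXED];

/* Each entry point is ordinary compiled code, so nothing executable is
 * generated on the fly the way a libffi closure is. */
#define FIXED_CLOSE_SESSION(n)                                           \
    static rv_t fixed##n##_close_session(unsigned long session) {        \
        module *bound = fixed_slots[n];                                   \
        if (bound == NULL) { /* empty slot: report and fail closed */     \
            fprintf(stderr, "'bound != NULL' not true at "                \
                            "fixed" #n "_close_session\n");               \
            return RV_GENERAL_ERROR;                                      \
        }                                                                 \
        return bound->close_session(bound, session);                      \
    }
FIXED_CLOSE_SESSION(0)
FIXED_CLOSE_SESSION(1)
FIXED_CLOSE_SESSION(2)
FIXED_CLOSE_SESSION(3)

static const close_session_fn fixed_entry[MAX_FIXED] = {
    fixed0_close_session, fixed1_close_session,
    fixed2_close_session, fixed3_close_session,
};

/* Claim the first free slot; -1 means the precompiled pool is exhausted. */
int fixed_bind(module *m) {
    for (int i = 0; i < MAX_FIXED; i++)
        if (fixed_slots[i] == NULL) { fixed_slots[i] = m; return i; }
    return -1;
}

void fixed_unbind(int slot) {
    if (slot >= 0 && slot < MAX_FIXED)
        fixed_slots[slot] = NULL;
}

static rv_t real_close_session(module *self, unsigned long session) {
    (void)session;
    self->sessions_closed++;
    return RV_OK;
}

/* A caller that keeps an entry point after its slot is released gets an
 * error return instead of a jump through a dangling pointer. */
rv_t call_after_unbind(int *closed_out) {
    module m = { real_close_session, 0 };
    int slot = fixed_bind(&m);
    if (slot < 0)
        return RV_GENERAL_ERROR;
    close_session_fn entry = fixed_entry[slot];
    rv_t rv = entry(1);           /* bound: forwarded to the module */
    fixed_unbind(slot);
    if (rv == RV_OK)
        rv = entry(2);            /* stale entry point: slot is empty */
    *closed_out = m.sessions_closed;
    return rv;
}

int main(void) {
    int closed = 0;
    rv_t rv = call_after_unbind(&closed);
    printf("rv=%lu sessions_closed=%d\n", rv, closed);
    return rv == RV_GENERAL_ERROR ? 0 : 1;
}
```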

@mouse07410
Author

Assertions now OK. All tests pass too. Thank you!

I guess it's time to close this issue. Hope the fixes make it to a release soon, and Macports picks them up.

@mouse07410
Author

mouse07410 commented May 7, 2023

@ueno in the master, I still have one test failing:

22/59 test-virtual             FAIL            0.11s   exit status 1
>>> MALLOC_PERTURB_=169 /Users/ur20980/src/p11-kit/_build/p11-kit/test-virtual

How important is it, and can it be related to the problem I described elsewhere?

testlog.txt

Update

This failure actually could matter, because the crash reported (near the end of the post) in latchset/pkcs11-provider#234 (comment) fails in virtual.c:309.

@ueno
Member

ueno commented May 7, 2023

Yes, that's a real issue and should be fixed with #505. I'm not sure why it's not caught in the libffi CI target.

@mouse07410
Author

> Yes, that's a real issue and should be fixed with #505. I'm not sure why it's not caught in the libffi CI target.

I think this one is fixed by #505, thank you!

@ZoltanFridrich ZoltanFridrich added this to the 0.25.0 milestone Jun 28, 2023