-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passing CK_P11PROV_IMPORTED_HANDLE while creating mock public key #449
Conversation
63fce94
to
2f431f4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but please fix style
2f431f4
to
5437e94
Compare
SoI have been thinking about this overnight, and I am surprised we do not see this issue in the current tests we have. Is there any change we can make to the test suite to catch this error, so we ensure it does not regress ? |
@kshitizvars tabs vs spaces style failure, I strongly suggest to use |
5437e94
to
3660cdf
Compare
Hi @simo5 , Could you please point out the test? Have you tested full TLS1.3 connection? |
This commit adds CK_P11PROV_IMPORTED_HANDLE argument while creating mock public key session object. Before this patch, when we run TLS1.3 connection, below issue was reported by openssl:- tls_parse_ctos_key_share:unable to find ecdh parameters:ssl/statem/extensions_srvr.c:684 It is because of returning CK_INVALID_HANDLE instead of obj->handle. Signed-off-by: Kshitiz Varshney <[email protected]>
Yes if you look at tests/ttls you will see that the last test verifies a full tls 1.3 connection forcing all operations on the token |
3660cdf
to
995e29f
Compare
@kshitizvars can you tell me what pkcs11-provider function tries to resolve this object? |
@simo5 p11prov_ecdh_derive API calls p11prov_obj_get_handle which further checks the obj->handle and returns obj->handle which was still CK_INVALID_HANDLE and hence cause issue. |
Wait, That's unusual given OpenSSL should be asking the provider to generate the key and therefore you should have a valid handle. Is your provider incapable of generating ECC keys, and relies on OpenSSL to generate them and import them back ? I mean, we can support this scenario I guess, but I want to make sure this is intentional. |
Hi @simo5 Below is the correct explanation:- On debugging, it was found that tls_parse_ctos_key_share API inside ssl/statem/extensions_srvr.c calls ssl_generate_param_group -> EVP_PKEY_paramgen -> EVP_PKEY_generate ->evp_keymgmt_util_gen -> evp_keymgmt_gen -> p11prov_ec_gen -> mock_pub_ec_key -> p11prov_obj_new And before this patch, p11prov_obj_new returns obj as NULL, due to which below conditions gets failed inside OpenSSL in tls_parse_ctos_key_share:-
|
I am sorry but I know that part of ECDH works because we have explicit tests for it, I assume there is a corner case the CI tests do not cover? Or provide a log file that shows the issue so I can attempt to write a test to reproduce the problem in CI ? I understand you have an issue, I am not contesting that at all, and will gladly merge this PR, but my problem is to have a test so we do not regress in future. Currently this code change has no tests... |
Steps used:- Openssl.conf related change:-
Commands used:-
Debug logs:- debug_with_bad_commit.txt |
The debug log says you are testing on version 0.3, is that right ? I can't reproduce with the code on main. |
No, its on latest code base only, logs related to 0.3 version are coming because I have compiled code using yocto and used devtool for changing source code to point at latest pkcs11-provider code. Btw, I am currently on below commit:-
|
I think you tested with an old version of pkcs11-provider before we started supporting mock objects for ECDH, if p11prov_obj_new() were to return NULL (which it did before that was fixed) then you would never get to a pint where you have an object with CK_HANDLE_INVALID at all ... So I am confused here. We test fully tls1.3 connections in tests/ttls and ECDH in How hard is it to get your token in CI? Does it require special HW or special Software ? |
Hi @simo5 After your patch:- 4f67dfd#diff-27cab8114f01afc3d42583bae767a29fedc048b745ad01757090e4235a22ade0 whenever p11prov_obj_new is called with handle as CK_P11PROV_IMPORTED_HANDLE , object get returned, without adding it to pool. See below code:-
and, when handle value is other than CK_P11PROV_IMPORTED_HANDLE, objects get stored into pool and inside p11prov_slot_get_obj_pool, we are calling p11prov_slot_get_obj_pool which do below work:-
And, as slot id is currently CK_UNAVAILABLE_INFORMATION, hence p11prov_slot_get_obj_pool returns with return value 3 which is CKR_SLOT_ID_INVALID, and hence p11prov_obj_new returns NULL. Moreover, I was going through your tests Line 111 in c7fb177
run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384' -groups secp256r1" .
Point is to run TLS1.3 with ciphersuite as TLS_AES_256_GCM_SHA384 and group as secp256r1 Because, I am getting issue in above scenario only. You can try running this test. |
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Ok we are adding tests and more fixes to this are in #453 so we'll merge this and defer the needed tests to that PR. |
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
This commit adds CK_P11PROV_IMPORTED_HANDLE argument while creating mock public key session object.
Before this patch, when we run TLS1.3 connection, below issue was reported by openssl:-
It is because of returning CK_INVALID_HANDLE instead of obj->handle.
Checklist
Reviewer's checklist:
Any issues marked for closing are addressedThere is a test suite reasonably covering new functionality or modificationsThis feature/change has adequate documentation addedCoverity Scan has run if needed (code PR) and no new defects were found