-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests: Run more TLS tests when forcing all server operations on token #453
Conversation
ugh. In the CI it passes now, but locally it failed for me previously. After proper clean it works for me too locally. Edited the description. Edit: Obviously, I forgot to run |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Largely LGTM, some comments.
That said maybe remove the last commit so we can see that CI fails, then I will merge the original PR, and then you can rebase on main and we ensure everything still works.
Pushed without the commit from #449 to demonstrate the failure. |
It looks like I finally see what is going on there. The check on pkcs11-provider/src/signature.c Lines 1528 to 1530 in c7fb177
checks if the mechanism is available on the given slot the key is using, but the key is imported so it has slot -1 (CK_UNAVAILABLE_INFORMATION ) which leads to conclusion the RSA-PSS mechanism is not supported by a slot. I tried to work around it, but I assume there will be a better way.
The fix in #449 changes the handle of the imported EC keys so this does not solve the client issue with imported ECDH keys so it is usable in both client and server operations. But if I see right, it still fails with generic errors, which look like coming from OpenSSL during signature verification, which went through ok. But it looks like the OpenSSL itself is exploring the error stack and if it finds some error, it fails anyway:
This leads me to the question openssl/openssl#23025 which points out that we should really clear these bogus/outdated/non-relevant-anymore messages from the error stack, as the OpenSSL (SSL/TLS API) really cares for the queue and if there is something left, it considers it as an error (or just make this error less verbose so it wont make it to the error queue -- likely not -- this is generic handling of the pkcs11 calls so I would prefer to keep it as it is). The same issue has the With clearing the error stack, I can make all the tests pass (locally -- in CI it still fails for some reason I need to investigate) on both client and server. Any comments/insights welcomed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds like we are finally on the right path.
It should be relatively easy to address the 2 main comments (slot selection and error stack mgmt) I highlighted.
4ca58f7
to
288a1c7
Compare
The default is not catching eof, which happens if either of the sides dies during conversations for some reason. Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>
thanks @Jakuje, great work here! |
Description
This is rebase of previously closed PR #427, which adds also a test reproducer for #449.
This is trying to solve few issues:
default
does not catcheof
, which makes some failures hiddenno-allowed-mechanisms
for the softokn tests and documented this undocumented quirkChecklist
Reviewer's checklist: