tests: Run more TLS tests when forcing all server operations on token

docs/provider-pkcs11.7

@@ -202,6 +202,12 @@ Some implementatations of PKCS11 don\[cq]t allow setting
 \f[V]pApplication\f[R] and \f[V]Notify\f[R] callback functions in
 \f[V]C_OpenSession\f[R].
 This option sets NULL values for both callbacks.
+.SS no-allowed-mechanisms
+.PP
+Some implementatations of PKCS11 don\[cq]t support
+\f[V]CKA_ALLOWED_MECHANISMS\f[R] attribute on keys.
+Setting this quirk prevents the provider from attempting to set and read
+this attribute.
 .PP
 Default: none
 .PP

docs/provider-pkcs11.7.md

@@ -194,6 +194,11 @@ Some implementatations of PKCS11 don't allow setting `pApplication` and
 `Notify` callback functions in `C_OpenSession`.
 This option sets NULL values for both callbacks.
 
+### no-allowed-mechanisms
+Some implementatations of PKCS11 don't support `CKA_ALLOWED_MECHANISMS`
+attribute on keys. Setting this quirk prevents the provider from
+attempting to set and read this attribute.
+
 Default: none
 
 Example:

src/debug.c

@@ -107,6 +107,9 @@ void p11prov_debug_mechanism(P11PROV_CTX *ctx, CK_SLOT_ID slotid,
         }
     }
 
+    /* set error mark so we can clear spurious errors */
+    p11prov_set_error_mark(ctx);
+
     ret = p11prov_GetMechanismInfo(ctx, slotid, type, &info);
     if (ret != CKR_OK) {
         p11prov_debug(NULL, 0, NULL,
@@ -129,6 +132,8 @@ void p11prov_debug_mechanism(P11PROV_CTX *ctx, CK_SLOT_ID slotid,
             }
         }
     }
+    /* if there was any error, remove it, this is just a debug function */
+    p11prov_pop_error_to_mark(ctx);
 }
 
 extern struct ckmap token_flags[];

src/signature.c

@@ -430,9 +430,25 @@ static CK_RSA_PKCS_MGF_TYPE p11prov_sig_map_mgf(const char *digest_name)
 static CK_RV p11prov_sig_pss_restrictions(P11PROV_SIG_CTX *sigctx,
                                           CK_MECHANISM *mechanism)
 {
-    CK_ATTRIBUTE *allowed_mechs =
-        p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS);
+    CK_BBOOL token_supports_allowed_mechs = CK_TRUE;
+    CK_ATTRIBUTE *allowed_mechs = NULL;
+    CK_RV ret;
+
+    /* check if token supports CKA_ALLOWED_MECHANISMS at all */
+    ret = p11prov_token_sup_attr(
+        sigctx->provctx, p11prov_obj_get_slotid(sigctx->key), GET_ATTR,
+        CKA_ALLOWED_MECHANISMS, &token_supports_allowed_mechs);
+    if (ret != CKR_OK) {
+        P11PROV_raise(sigctx->provctx, ret,
+                      "Failed to probe CKA_ALLOWED_MECHANISMS quirk");
+        return ret;
+    }
+    if (token_supports_allowed_mechs == CK_FALSE) {
+        /* Token does not support CKA_ALLOWED_MECHANISMS so there are no restrictions */
+        return CKR_OK;
+    }
 
+    allowed_mechs = p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS);
     if (allowed_mechs) {
         CK_ATTRIBUTE_TYPE *mechs = (CK_ATTRIBUTE_TYPE *)allowed_mechs->pValue;
         int num_mechs = allowed_mechs->ulValueLen / sizeof(CK_MECHANISM_TYPE);
@@ -1484,6 +1500,16 @@ static int p11prov_rsasig_set_ctx_params(void *ctx, const OSSL_PARAM params[])
     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PAD_MODE);
     if (p) {
         CK_MECHANISM_TYPE mechtype = CK_UNAVAILABLE_INFORMATION;
+        CK_SLOT_ID slotid = p11prov_obj_get_slotid(sigctx->key);
+
+        /* If the object is imported, use the default slot */
+        if (slotid == CK_UNAVAILABLE_INFORMATION) {
+            P11PROV_SLOTS_CTX *slots = p11prov_ctx_get_slots(sigctx->provctx);
+            if (!slots) {
+                return RET_OSSL_ERR;
+            }
+            slotid = p11prov_get_default_slot(slots);
+        }
         if (p->data_type == OSSL_PARAM_INTEGER) {
             int pad_mode;
             /* legacy pad mode number */
@@ -1525,8 +1551,7 @@ static int p11prov_rsasig_set_ctx_params(void *ctx, const OSSL_PARAM params[])
              * regardless, and this is not the case in PKCS#11 */
             CK_RV rv;
 
-            rv = p11prov_check_mechanism(sigctx->provctx,
-                                         p11prov_obj_get_slotid(sigctx->key),
+            rv = p11prov_check_mechanism(sigctx->provctx, slotid,
                                          CKM_RSA_PKCS_PSS);
             if (rv != CKR_OK) {
                 P11PROV_raise(sigctx->provctx, rv,
@@ -1537,9 +1562,7 @@ static int p11prov_rsasig_set_ctx_params(void *ctx, const OSSL_PARAM params[])
 
         sigctx->mechtype = mechtype;
 
-        P11PROV_debug_mechanism(sigctx->provctx,
-                                p11prov_obj_get_slotid(sigctx->key),
-                                sigctx->mechtype);
+        P11PROV_debug_mechanism(sigctx->provctx, slotid, sigctx->mechtype);
     }
 
     p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_PSS_SALTLEN);

tests/setup.sh

@@ -474,7 +474,7 @@ fi
 cat >> "${TMPPDIR}/testvars" <<DBGSCRIPT
 
 # for listing the separate pkcs11 calls
-#export PKCS11SPY="${PKCS11_PROVIDER_MODULE}"
+#export PKCS11SPY="${P11LIB}"
 #export PKCS11_PROVIDER_MODULE=/usr/lib64/pkcs11-spy.so
 DBGSCRIPT
 gen_unsetvars

tests/softhsm-init.sh

@@ -62,6 +62,6 @@ export TOKENLABELURI="SoftHSM%20Token"
 softhsm2-util --init-token --label "${TOKENLABEL}" --free --pin "${PINVALUE}" --so-pin "${PINVALUE}"
 
 #softhsm crashes on de-init so we need to default to this quirk
-export TOKENOPTIONS="pkcs11-module-quirks = no-deinit"
+export TOKENOPTIONS="pkcs11-module-quirks = no-deinit no-operation-state"
 
 export TOKENCONFIGVARS="export SOFTHSM2_CONF=${TMPPDIR}/softhsm.conf"

tests/softokn-init.sh

@@ -18,4 +18,6 @@ export NSS_LIB_PARAMS="configDir=${TOKDIR}"
 
 export TOKENLABEL="NSS Certificate DB"
 export TOKENLABELURI="NSS%20Certificate%20DB"
+
+export TOKENOPTIONS="pkcs11-module-quirks = no-operation-state no-allowed-mechanisms"
 export TOKENCONFIGVARS="export NSS_LIB_PARAMS=configDir=${TOKDIR}"

tests/test-wrapper

@@ -46,5 +46,5 @@ LOGFILE="${TESTBLDDIR}/${TEST_NAME}.${TOKEN_DRIVER}.log"
 echo "Executing ${COMMAND}"
 (
   set -o pipefail
-  ${COMMAND} | tee "${LOGFILE}"
+  ${COMMAND} 2>&1 | tee "${LOGFILE}"
 )

tests/ttls

@@ -25,7 +25,7 @@ SERVER_PID=-1
 # Make sure we terminate programs if test fails in the middle
 # shellcheck disable=SC2317  # Shellcheck for some reason does not follow trap
 wait_for_server_at_exit() {
-    wait "$1"
+    wait "$1" || :
     echo "Server output:"
     cat "${TMPPDIR}/s_server_output"
 }
@@ -42,6 +42,7 @@ run_test() {
         set timeout 60;
         expect {
             \"ACCEPT\" {};
+            eof { exit 2; }
             default {
                 send \" NO ACCEPT \n\";
                 exit 1;
@@ -52,6 +53,7 @@ run_test() {
         close \$server_ready;
         expect {
             \"END SSL SESSION PARAMETERS\" {};
+            eof { exit 2; }
             default {
                 send \" NO SESSION PARAMETERS \n\";
                 exit 1;
@@ -65,7 +67,7 @@ run_test() {
                 send \" NO EOF \n\";
                 exit 1;
             };
-        }" > "${TMPPDIR}/s_server_output" &
+        }" &> "${TMPPDIR}/s_server_output" &
     SERVER_PID=$!
 
     read -r < "${TMPPDIR}/s_server_ready"
@@ -74,6 +76,7 @@ run_test() {
         set timeout 60;
         expect {
             \" TLS SUCCESSFUL \" {};
+            eof { exit 2; }
             default {
                 send \" NO TLS SUCCESSFUL MESSAGE \n\";
                 exit 1;
@@ -85,41 +88,51 @@ run_test() {
                 send \" NO EOF \n\";
                 exit 1;
             };
-        }"
+        }" || (wait_for_server_at_exit $SERVER_PID; exit 1; )
 
     wait_for_server_at_exit $SERVER_PID
 }
 
-title PARA "Run sanity test with default values (RSA)"
-run_test "$PRIURI" "$CRTURI"
+run_tests() {
 
-title PARA "Run sanity test with default values (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI"
+    title PARA "Run sanity test with default values (RSA)"
+    run_test "$PRIURI" "$CRTURI"
 
-title PARA "Run test with TLS 1.2"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
+    title PARA "Run sanity test with default values (ECDSA)"
+    run_test "$ECPRIURI" "$ECCRTURI"
 
-title PARA "Run test with explicit TLS 1.3"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
+    title PARA "Run test with TLS 1.2"
+    run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
 
-title PARA "Run test with TLS 1.2 (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2"
+    title PARA "Run test with explicit TLS 1.3"
+    run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
 
-title PARA "Run test with TLS 1.2 and ECDH"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+    title PARA "Run test with TLS 1.2 (ECDSA)"
+    run_test "$ECPRIURI" "$ECCRTURI" "-tls1_2" "-tls1_2"
 
+    title PARA "Run test with TLS 1.2 and ECDH"
+    run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+
+    title PARA "Run test with TLS 1.3 and specific suite"
+    run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1"
+}
+
+title SECTION "TLS with key in provider"
+run_tests
+title ENDSECTION
+
+title SECTION "Forcing the provider for all server operations"
 #Try again forcing all operations on the token
 #We need to disable digest operations as OpenSSL depends on context duplication working
 ORIG_OPENSSL_CONF=${OPENSSL_CONF}
-sed -e "s/#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
-    -e "s/#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \
+sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
+    -e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \
     "${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken"
 OPENSSL_CONF=${OPENSSL_CONF}.forcetoken
 
-title PARA "Run test with TLS 1.3 preferring token functions"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_3"
+run_tests
 
 OPENSSL_CONF=${ORIG_OPENSSL_CONF}
-
+title ENDSECTION
 
 exit 0;