Commit 5191045371 for openssl.org
commit 5191045371b4ae1383f0ae1a0f078117e9d9b1c4
Author: Neil Horman <nhorman@openssl.org>
Date: Tue May 5 16:53:49 2026 -0400
Disable tls test in pkcs11 provider
The head of the tree is broken due to a combined inability for openssl
and the provider to allow for duplication of MD contexts on an in flight
session
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Bob Beck <beck@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Tue Jun 9 18:17:32 2026
(Merged from https://github.com/openssl/openssl/pull/31018)
diff --git a/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch b/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch
deleted file mode 100644
index 9afb4bb7f2..0000000000
--- a/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1caefba8f76f5582a9f8b1a82fc5d0117afa0efb Mon Sep 17 00:00:00 2001
-From: Bob Beck <beck@openssl.org>
-Date: Sun, 22 Feb 2026 12:10:42 -0700
-Subject: [PATCH 1/2] Fix direct ASN1_STRING access in encoder.c
-
----
- src/encoder.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/encoder.c b/src/encoder.c
-index e5e1019..9a9e8f4 100644
---- a/src/encoder.c
-+++ b/src/encoder.c
-@@ -646,6 +646,7 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key)
- keypoint->curve_type = V_ASN1_OBJECT;
- } else {
- EC_GROUP *group = EC_GROUP_new_from_params(params, NULL, NULL);
-+ int len = 0;
- if (!group) {
- return RET_OSSL_ERR;
- }
-@@ -655,12 +656,14 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key)
- EC_GROUP_free(group);
- return RET_OSSL_ERR;
- }
-- pstr->length = i2d_ECPKParameters(group, &pstr->data);
-+ unsigned char *buf = NULL;
-+ len = i2d_ECPKParameters(group, &buf);
- EC_GROUP_free(group);
-- if (pstr->length <= 0) {
-- ASN1_STRING_free(pstr);
-+ if (len <= 0) {
-+ OPENSSL_free(buf);
- return RET_OSSL_ERR;
- }
-+ ASN1_STRING_set0(pstr, buf, len);
- keypoint->curve.sequence = pstr;
- keypoint->curve_type = V_ASN1_SEQUENCE;
- }
---
-2.52.0
-
diff --git a/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-temporarily-disable-tls-test-in-pkcs11.patch b/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-temporarily-disable-tls-test-in-pkcs11.patch
new file mode 100644
index 0000000000..22e973beac
--- /dev/null
+++ b/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-temporarily-disable-tls-test-in-pkcs11.patch
@@ -0,0 +1,30 @@
+From 5a1d2efd3ed5d5766e5ebbfb95ab4883a636a588 Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 6 May 2026 09:09:28 -0400
+Subject: [PATCH] temporarily disable tls test in pkcs11
+
+The pkcs11_provider has something of a conflict with openssl here. The
+provider implements a dupctx method for digests (which is required),
+however, pkcs11 devices, being somewhat asynchronous in nature, can't
+really reliably duplicate a context with a session handle for a remote
+device while operations are in flight. Until this gets sorted,
+temporarily disable the tls test, which runs afoul of this bug.
+---
+ tests/meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tests/meson.build b/tests/meson.build
+index 4605cf4..bed1efc 100644
+--- a/tests/meson.build
++++ b/tests/meson.build
+@@ -161,7 +161,6 @@ tests = {
+ 'skey': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss'], 'timeout': 90},
+ 'rand': {'suites': all_suites},
+ 'readkeys': {'suites': all_suites},
+- 'tls': {'suites': all_suites, 'is_parallel': false, 'timeout': 60},
+ 'tlsfuzzer': {'suites': all_suites, 'timeout': 90},
+ 'uri': {'suites': all_suites, 'timeout': 90},
+ 'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
+--
+2.54.0
+
diff --git a/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch b/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch
deleted file mode 100644
index 40cd150d1e..0000000000
--- a/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From f49db84521f99d1bdfba3449dfde341950477e1b Mon Sep 17 00:00:00 2001
-From: Bob Beck <beck@openssl.org>
-Date: Sun, 22 Feb 2026 13:08:11 -0700
-Subject: [PATCH 2/2] Fix direct ASN1 STRING access in objects.c
-
----
- src/objects.c | 105 ++++++++++++++++++++++++++++++++------------------
- 1 file changed, 67 insertions(+), 38 deletions(-)
-
-diff --git a/src/objects.c b/src/objects.c
-index b853181..4745f0f 100644
---- a/src/objects.c
-+++ b/src/objects.c
-@@ -911,12 +911,14 @@ static CK_RV decode_ec_point(CK_KEY_TYPE key_type, CK_ATTRIBUTE *attr,
- }
- }
-
-- ec_point->data = octet->data;
-- ec_point->length = octet->length;
--
-- /* moved octet data, do not free it */
-- octet->data = NULL;
-- octet->length = 0;
-+ ec_point->data =
-+ OPENSSL_memdup(ASN1_STRING_get0_data(octet), ASN1_STRING_length(octet));
-+ if (!ec_point->data) {
-+ ret = CKR_HOST_MEMORY;
-+ ec_point->length = 0;
-+ goto done;
-+ }
-+ ec_point->length = ASN1_STRING_length(octet);
-
- ret = CKR_OK;
- done:
-@@ -1791,7 +1793,6 @@ CK_RV p11prov_derive_key(P11PROV_OBJ *key, CK_MECHANISM *mechanism,
- P11PROV_CTX *ctx = p11prov_obj_get_prov_ctx(key);
- CK_OBJECT_HANDLE handle = CK_INVALID_HANDLE;
- P11PROV_SESSION *session = *_session;
-- bool first_pass = true;
- CK_RV ret;
-
- /* do this first as it may cause a refresh of the object that will
-@@ -3884,42 +3885,53 @@ static CK_RV return_dup_key(P11PROV_OBJ *dst, P11PROV_OBJ *src)
-
- static CK_RV fix_ec_key_import(P11PROV_OBJ *key, int allocattrs)
- {
-+ CK_RV ret = CKR_GENERAL_ERROR;
- CK_ATTRIBUTE *pub;
-- ASN1_OCTET_STRING oct;
-+ ASN1_OCTET_STRING *oct = NULL;
- unsigned char *der = NULL;
- int len;
-
- if (key->numattrs >= allocattrs) {
-- P11PROV_raise(key->ctx, CKR_GENERAL_ERROR,
-- "Too many attributes?? %d >= %d", key->numattrs,
-- allocattrs);
-- return CKR_GENERAL_ERROR;
-+ P11PROV_raise(key->ctx, ret, "Too many attributes?? %d >= %d",
-+ key->numattrs, allocattrs);
-+ goto done;
- }
-
- pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY);
- if (!pub) {
-- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, "No public key found");
-- return CKR_KEY_INDIGESTIBLE;
-+ P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, "No public key found");
-+ ret = CKR_KEY_INDIGESTIBLE;
-+ goto done;
- }
-
-- oct.data = pub->pValue;
-- oct.length = pub->ulValueLen;
-- oct.flags = 0;
--
-- len = i2d_ASN1_OCTET_STRING(&oct, &der);
-+ oct = ASN1_OCTET_STRING_new();
-+ if (!oct) {
-+ goto done;
-+ }
-+ if (!ASN1_STRING_set(oct, pub->pValue, pub->ulValueLen)) {
-+ goto done;
-+ }
-+ len = i2d_ASN1_OCTET_STRING(oct, &der);
- if (len < 0) {
-- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
-- "Failure to encode EC point to DER");
-- return CKR_KEY_INDIGESTIBLE;
-+ ret = CKR_KEY_INDIGESTIBLE;
-+ P11PROV_raise(key->ctx, ret, "Failure to encode EC point to DER");
-+ goto done;
- }
- key->attrs[key->numattrs].type = CKA_EC_POINT;
- key->attrs[key->numattrs].pValue = der;
-+ der = NULL;
- key->attrs[key->numattrs].ulValueLen = len;
- key->numattrs++;
-
- P11PROV_debug("fixing EC key %p import", key);
-
-- return CKR_OK;
-+ ret = CKR_OK;
-+
-+done:
-+ OPENSSL_free(der);
-+ ASN1_OCTET_STRING_free(oct);
-+ return ret;
-+
- }
-
- static CK_RV p11prov_obj_import_public_key(P11PROV_OBJ *key, CK_KEY_TYPE type,
-@@ -5221,11 +5233,11 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
- const void *pubkey,
- size_t pubkey_len)
- {
-- CK_RV rv;
-+ CK_RV rv = CKR_GENERAL_ERROR;
- CK_ATTRIBUTE *pub;
- CK_ATTRIBUTE *ecpoint;
- CK_ATTRIBUTE new_pub;
-- ASN1_OCTET_STRING oct;
-+ ASN1_OCTET_STRING *oct = NULL;
- unsigned char *der = NULL;
- int add_attrs = 0;
- int len;
-@@ -5238,8 +5250,9 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
- /* not matching, error out */
- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
- "Cannot change public key of a token object");
-- return CKR_KEY_INDIGESTIBLE;
-- }
-+ rv = CKR_KEY_INDIGESTIBLE;
-+ goto done;
-+ }
-
- switch (key->data.key.type) {
- case CKK_EC:
-@@ -5252,13 +5265,15 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
- /* check that this is a public key */
- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
- "Invalid Key type, not a public key");
-- return CKR_KEY_INDIGESTIBLE;
-+ rv = CKR_KEY_INDIGESTIBLE;
-+ goto done;
- }
- break;
- default:
- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
- "Invalid Key type, not an EC/ED key");
-- return CKR_KEY_INDIGESTIBLE;
-+ rv = CKR_KEY_INDIGESTIBLE;
-+ goto done;
- }
-
- pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY);
-@@ -5277,7 +5292,8 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
- if (!ptr) {
- P11PROV_raise(key->ctx, CKR_HOST_MEMORY,
- "Failed to store key public key");
-- return CKR_HOST_MEMORY;
-+ rv = CKR_HOST_MEMORY;
-+ goto done;
- }
- key->attrs = ptr;
- }
-@@ -5305,24 +5321,37 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
- new_pub.ulValueLen = (CK_ULONG)pubkey_len;
- rv = p11prov_copy_attr(pub, &new_pub);
- if (rv != CKR_OK) {
-- return rv;
-+ goto done;
- }
-
-- oct.data = (unsigned char *)pubkey;
-- oct.length = (int)pubkey_len;
-- oct.flags = 0;
--
-- len = i2d_ASN1_OCTET_STRING(&oct, &der);
-+ oct = ASN1_STRING_new();
-+ if (!oct) {
-+ rv = CKR_HOST_MEMORY;
-+ goto done;
-+ }
-+ if (!ASN1_STRING_set(oct, pubkey, pubkey_len)) {
-+ rv = CKR_HOST_MEMORY;
-+ goto done;
-+ }
-+ len = i2d_ASN1_OCTET_STRING(oct, &der);
- if (len < 0) {
- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
- "Failure to encode EC point to DER");
-- return CKR_KEY_INDIGESTIBLE;
-+ rv = CKR_KEY_INDIGESTIBLE;
-+ goto done;
- }
- ecpoint->type = CKA_EC_POINT;
- ecpoint->pValue = der;
-+ der = NULL;
- ecpoint->ulValueLen = len;
-
-- return CKR_OK;
-+ rv = CKR_OK;
-+
-+done:
-+ ASN1_OCTET_STRING_free(oct);
-+ OPENSSL_free(der);
-+
-+ return rv;
- }
-
- CK_RV p11prov_obj_copy_specific_attr(P11PROV_OBJ *pub_key,
---
-2.52.0
-