[gnutls-devel] 3.6.2 testsuite error with softhsm 2.4.0

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu May 10 20:19:58 CEST 2018


On Thu, May 10, 2018 at 4:21 PM, Andreas Metzler <ametzler at bebt.de> wrote:
> Hello,
>
> tests/pkcs11/tls-neg-pkcs11-key fails after upgrading softhsm from 2.2.0
> to 2.4.0:
> # 2.2.0
> (sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
> The token has been initialized.
> checking: tls1.2: ecc key
> checking: tls1.2: rsa-sign key
> checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
> checking: tls1.2: rsa-pss-sign key
> softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
> checking: tls1.2: rsa-pss cert, rsa-sign key
> softhsm2 doesn't support CKM_RSA_PKCS_PSS; skipping test
> checking: tls1.2: rsa-pss cert, rsa-sign key no PSS signatures
> checking: tls1.2: ed25519 cert, ed25519 key
> # 2.4.0
> (sid)ametzler at argenau:/tmp/GNUTLS/gnutls-3.6.2/b4deb$ tests/pkcs11/tls-neg-pkcs11-key
> The token has been initialized and is reassigned to slot 1993469037
> checking: tls1.2: ecc key
> checking: tls1.2: rsa-sign key
> checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
> checking: tls1.2: rsa-pss-sign key
> client[-28]: Resource temporarily unavailable, try again.
> server[-87]: No supported cipher suites have been found.
> try_with_key:189: Handshake failed
> This is on Debian sid.

I have Debian testing at home and it seems to work here (trying from
gnutls master):

$ tests/pkcs11/tls-neg-pkcs11-key
The token has been initialized and is reassigned to slot 93147054
checking: tls1.2: ecc key
checking: tls1.2: rsa-sign key
checking: tls1.2: rsa-sign key with rsa-pss sigs prioritized
checking: tls1.2: rsa-pss-sign key
checking: tls1.2: rsa-pss cert, rsa-sign key
checking: tls1.2: rsa-pss cert, rsa-sign key no PSS signatures
checking: tls1.2: ed25519 cert, ed25519 key

Seeing the log, it is a bit modified since 3.6.2 (attached patch). If
the patch doesn't fix it (not sure if the new sign algorithms were
there), you could safely ignore that issue as the RSA-PSS signatures in
3.6.2 are effectively disabled and the failure doesn't indicate a
functional issue.

regards,
Nikos
-------------- next part --------------
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index c85d8789df..c32dee27a6 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -286,7 +286,7 @@ static const test_st tests[] = {
 	},
 	{.name = "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures",
 	 .pk = GNUTLS_PK_RSA,
-	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512",
+	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-RSAE-SHA512",
 	 .cert = &server_ca3_rsa_pss_cert,
 	 .key = &server_ca3_rsa_pss_key,
 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
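Review bot: the changed .prio line now removes six -SIGN-RSA-PSS-* entries by hand, so the "no PSS signatures" case depends on this list staying complete; a short comment above .prio stating that both the SIGN-RSA-PSS-* and the SIGN-RSA-PSS-RSAE-* variants have to be disabled for the test to mean what its name says would make that visible to the next person who adds a signature algorithm. This hunk also touches only the "tls1.2: rsa-pss cert, rsa-sign key no PSS signatures" entry, while the failing run in the report stops at "tls1.2: rsa-pss-sign key", so it is worth confirming whether that entry needs a matching change.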

