tests: Run TLS tests also when forcing all server operations on token

src/keymgmt.c

@@ -1289,6 +1289,7 @@ static void *p11prov_ec_gen(void *genctx, OSSL_CALLBACK *cb_fn, void *cb_arg)
 #define EC_PRIVKEY_TMPL_SIZE 5
     CK_ATTRIBUTE privkey_template[EC_PRIVKEY_TMPL_SIZE + COMMON_TMPL_SIZE] = {
         { CKA_TOKEN, DISCARD_CONST(&val_true), sizeof(CK_BBOOL) },
+        { CKA_DERIVE, DISCARD_CONST(&val_true), sizeof(CK_BBOOL) },
         { CKA_PRIVATE, DISCARD_CONST(&val_true), sizeof(CK_BBOOL) },
         { CKA_SENSITIVE, DISCARD_CONST(&val_true), sizeof(CK_BBOOL) },
         { CKA_SIGN, DISCARD_CONST(&val_true), sizeof(CK_BBOOL) },

tests/openssl.cnf.in

@@ -28,6 +28,7 @@ pkcs11-module-token-pin = file:@PINFILE@
 #pkcs11-module-allow-export
 #pkcs11-module-load-behavior
 #pkcs11-module-block-operations
+#pkcs11-module-cache-keys
 ##QUIRKS
 activate = 1
 

tests/ttls

@@ -48,11 +48,13 @@ run_test() {
         expect {
             eof {exit 0;};
             default {exit 1;};
-        }" > "${TMPPDIR}/s_server_output" &
+        }" 2>&1 | tee "${TMPPDIR}/s_server_output" &
     SERVER_PID=$!
 
     read -r < "${TMPPDIR}/s_server_ready"
 
+    # The point is to force the server to use the pkcs11-provider for all operations, not the client now
+    OPENSSL_CONF="${ORIG_OPENSSL_CONF}" \
     expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" -CAfile \"${CACRT}\" $CLNT_ARGS;
         set timeout 60;
         expect {
@@ -67,22 +69,47 @@ run_test() {
     wait_for_server_at_exit $SERVER_PID
 }
 
-title PARA "Run sanity test with default values (RSA)"
-run_test "$PRIURI" "$CRTURI"
+run_tests() {
 
-title PARA "Run sanity test with default values (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI"
+    title PARA "Run sanity test with default values (RSA)"
+    run_test "$PRIURI" "$CRTURI"
 
-title PARA "Run test with TLS 1.2"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
+    title PARA "Run sanity test with default values (ECDSA)"
+    run_test "$ECPRIURI" "$ECCRTURI"
 
-title PARA "Run test with explicit TLS 1.3"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
+    title PARA "Run test with TLS 1.2"
+    run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
 
-title PARA "Run test with TLS 1.2 (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2"
+    title PARA "Run test with explicit TLS 1.3"
+    run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
 
-title PARA "Run test with TLS 1.2 and ECDH"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+    title PARA "Run test with TLS 1.2 (ECDSA)"
+    run_test "$ECPRIURI" "$ECCRTURI" "-tls1_2" "-tls1_2"
+
+    title PARA "Run test with TLS 1.2 and ECDH"
+    run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+}
+
+title SECTION "TLS with key in provider"
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+run_tests
+title ENDSECTION
+
+title SECTION "Forcing the provider for all server operations"
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+sed \
+    -e "s/^#pkcs11-module-cache-keys.*$/pkcs11-module-cache-keys = false/" \
+    -e "s/^#pkcs11-module-block-operations.*$/pkcs11-module-block-operations = digest/" \
+    -e "s/pkcs11-module-quirks = /pkcs11-module-quirks = no-operation-state /" \
+    -e "s/^##QUIRKS$/pkcs11-module-quirks = no-operation-state/" \
+    -e "s/#MORECONF/alg_section = algorithm_sect/" \
+    "${OPENSSL_CONF}" > "${OPENSSL_CONF}.force"
+echo "[algorithm_sect]" >> "${OPENSSL_CONF}.force"
+echo "default_properties = ?provider=pkcs11" >> "${OPENSSL_CONF}.force"
+OPENSSL_CONF=${OPENSSL_CONF}.force
+
+run_tests
+OPENSSL_CONF=${ORIG_OPENSSL_CONF}
+title ENDSECTION
 
 exit 0;