Ignore network errors during C_Finalize

The Trustway Proteccio HSM can somtimes return a network error when attempting to finalize the cryptoki library. The error can prevent reinitialization because we attempt to finalize the library before initalizing a new connection. When a network error occurrs, barbican gets stuck in an error loop trying to finalize the dead connection before starting a new one. This patch adds code to ignore the network error when finalizing to ensure we are able to attempt to reinitialize. Connection errors during other operations will still result in 500 errors as expected. Change-Id: I9ac6c7bbda0f81cb26e1c589803317df1ef11f39 (cherry picked from commit 70aac1f698) (cherry picked from commit 1b6cf81c23) (cherry picked from commit 2792aca796)
2021-09-17 13:36:03 -05:00 · 2021-09-17 13:36:03 -05:00 · 28b13bce25
parent 4079fcc1b0
commit 28b13bce25
3 changed files with 21 additions and 2 deletions
--- a/barbican/common/exception.py
+++ b/barbican/common/exception.py
@ -339,6 +339,10 @@ class P11CryptoTokenException(PKCS11Exception):
    message = u._("No token was found in slot %(slot_id)s")


+class TrustwayProteccioException(PKCS11Exception):
+    message = u._("Trustway Proteccio HSM Error")
+
+
 class MultipleStorePreferredPluginMissing(BarbicanException):
    """Raised when a preferred plugin is missing in service configuration."""
    def __init__(self, store_name):
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@ -259,7 +259,9 @@ ERROR_CODES = {
    0x1a0: 'CKR_MUTEX_BAD',
    0x1a1: 'CKR_MUTEX_NOT_LOCKED',
    0x200: 'CKR_FUNCTION_REJECTED',
-    1 << 31: 'CKR_VENDOR_DEFINED'
+    1 << 31: 'CKR_VENDOR_DEFINED',
+    # Trustway Proteccio Codes
+    0x81000071: 'EHOSTUNREACH'
 }


@ -857,7 +859,10 @@ class PKCS11(object):

    def finalize(self):
        rv = self.lib.C_Finalize(self.ffi.NULL)
-        self._check_error(rv)
+        try:
+            self._check_error(rv)
+        except exception.TrustwayProteccioException:
+            LOG.warning("Trustway Proteccio client failed to finalize.")

    def _check_error(self, value):
        if value != CKR_OK and value != CKR_CRYPTOKI_ALREADY_INITIALIZED:
@ -867,6 +872,10 @@ class PKCS11(object):
            if code == 'CKR_TOKEN_NOT_PRESENT':
                raise exception.P11CryptoTokenException(slot_id=self.slot_id)

+            if code == 'EHOSTUNREACH':
+                raise exception.TrustwayProteccioException(
+                    "Trustway Proteccio Error: {code}".format(code=hex_code))
+
            raise exception.P11CryptoPluginException(u._(
                "HSM returned response code: {code}").format(code=hex_code))

--- a/barbican/tests/plugin/crypto/test_pkcs11.py
+++ b/barbican/tests/plugin/crypto/test_pkcs11.py
@ -456,6 +456,12 @@ class WhenTestingPKCS11(utils.BaseTestCase):

        self.assertEqual(1, self.lib.C_Finalize.call_count)

+    def test_finalize_ignores_trustway_network_errors(self):
+        self.lib.C_Finalize.return_value = 0x81000071
+        self.pkcs11.finalize()
+
+        self.assertEqual(1, self.lib.C_Finalize.call_count)
+
    def test_check_error(self):
        self.assertIsNone(self.pkcs11._check_error(pkcs11.CKR_OK))