From e7a714bd1f810b75f979e7adf7965bfe8dd5f99f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= Date: Fri, 17 Sep 2021 13:36:03 -0500 Subject: [PATCH] Ignore network errors during C_Finalize The Trustway Proteccio HSM can somtimes return a network error when attempting to finalize the cryptoki library. The error can prevent reinitialization because we attempt to finalize the library before initalizing a new connection. When a network error occurrs, barbican gets stuck in an error loop trying to finalize the dead connection before starting a new one. This patch adds code to ignore the network error when finalizing to ensure we are able to attempt to reinitialize. Connection errors during other operations will still result in 500 errors as expected. Change-Id: I9ac6c7bbda0f81cb26e1c589803317df1ef11f39 (cherry picked from commit 70aac1f6980bd1ed6053c4b6c5c4171fdbfeeabb) (cherry picked from commit 1b6cf81c23017915ffb380af6dfa8c7ca176fced) (cherry picked from commit 2792aca796400055c5d1dc3d3f32b7b29f3a605d) (cherry picked from commit 238b72cacaae637829b345c942ed928d0c40cbcd) --- barbican/common/exception.py | 4 ++++ barbican/plugin/crypto/pkcs11.py | 13 +++++++++++-- barbican/tests/plugin/crypto/test_pkcs11.py | 6 ++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/barbican/common/exception.py b/barbican/common/exception.py index 20084d849..d1f398b3c 100644 --- a/barbican/common/exception.py +++ b/barbican/common/exception.py @@ -339,6 +339,10 @@ class P11CryptoTokenException(PKCS11Exception): message = u._("No token was found in slot %(slot_id)s") +class TrustwayProteccioException(PKCS11Exception): + message = u._("Trustway Proteccio HSM Error") + + class MultipleStorePreferredPluginMissing(BarbicanException): """Raised when a preferred plugin is missing in service configuration.""" def __init__(self, store_name): diff --git a/barbican/plugin/crypto/pkcs11.py b/barbican/plugin/crypto/pkcs11.py index cd43b05e8..9d199529c 100644 --- a/barbican/plugin/crypto/pkcs11.py +++ b/barbican/plugin/crypto/pkcs11.py @@ -259,7 +259,9 @@ ERROR_CODES = { 0x1a0: 'CKR_MUTEX_BAD', 0x1a1: 'CKR_MUTEX_NOT_LOCKED', 0x200: 'CKR_FUNCTION_REJECTED', - 1 << 31: 'CKR_VENDOR_DEFINED' + 1 << 31: 'CKR_VENDOR_DEFINED', + # Trustway Proteccio Codes + 0x81000071: 'EHOSTUNREACH' } @@ -857,7 +859,10 @@ class PKCS11(object): def finalize(self): rv = self.lib.C_Finalize(self.ffi.NULL) - self._check_error(rv) + try: + self._check_error(rv) + except exception.TrustwayProteccioException: + LOG.warning("Trustway Proteccio client failed to finalize.") def _check_error(self, value): if value != CKR_OK and value != CKR_CRYPTOKI_ALREADY_INITIALIZED: @@ -867,6 +872,10 @@ class PKCS11(object): if code == 'CKR_TOKEN_NOT_PRESENT': raise exception.P11CryptoTokenException(slot_id=self.slot_id) + if code == 'EHOSTUNREACH': + raise exception.TrustwayProteccioException( + "Trustway Proteccio Error: {code}".format(code=hex_code)) + raise exception.P11CryptoPluginException(u._( "HSM returned response code: {code}").format(code=hex_code)) diff --git a/barbican/tests/plugin/crypto/test_pkcs11.py b/barbican/tests/plugin/crypto/test_pkcs11.py index fcd0b76d0..021f75da0 100644 --- a/barbican/tests/plugin/crypto/test_pkcs11.py +++ b/barbican/tests/plugin/crypto/test_pkcs11.py @@ -459,6 +459,12 @@ class WhenTestingPKCS11(utils.BaseTestCase): self.assertEqual(1, self.lib.C_Finalize.call_count) + def test_finalize_ignores_trustway_network_errors(self): + self.lib.C_Finalize.return_value = 0x81000071 + self.pkcs11.finalize() + + self.assertEqual(1, self.lib.C_Finalize.call_count) + def test_check_error(self): self.assertIsNone(self.pkcs11._check_error(pkcs11.CKR_OK))