Bug 1685434 - p11tool is using a RO session when logging as SO
Summary: p11tool is using a RO session when logging as SO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Anderson Sasaki
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-05 08:10 UTC by space88man
Modified: 2019-03-31 03:00 UTC (History)
5 users (show)

Fixed In Version: gnutls-3.6.7-1.fc30 gnutls-3.6.7-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-31 00:04:26 UTC


Attachments (Terms of Use)
log of p11tool (4.79 KB, text/plain)
2019-03-05 08:12 UTC, space88man
no flags Details


Links
System ID Priority Status Summary Last Updated
Gitlab gnutls/gnutls/issues/721 None None None 2019-03-05 10:46:08 UTC

Description space88man 2019-03-05 08:10:19 UTC
Description of problem:
p11tool is using a RO session when logging as SO and results in C_Login failure with SoftHSMv2

Version-Release number of selected component (if applicable):
gnutls-utils-3.6.5-2.fc29.x86_64
softhsm-2.5.0-2.fc29.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Use softhsm to create a blank token
2.  p11tool --provider /usr/lib64/pkcs11/libsofthsm2.so  --list-all --so-login 'pkcs11:token=mytoken'
3.

Actual results:
Error in crt_list_import (1): PKCS #11 error in session


Expected results:
Token objects are listed

Additional info:

The C_OpenSession flags used is: 0x4

11: C_OpenSession
2019-03-05 15:47:34.434
[in] slotID = 0x236b8902
[in] flags = 0x4
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x2
Returned:  0 CKR_OK


The error is 
13: C_Login
2019-03-05 15:47:36.108
[in] hSession = 0x2
[in] userType = CKU_SO
[in] pPin[ulPinLen] 000055729bfbd9a0 / 5
    00000000  73 6F 70 69 6E                                   sopin           
Returned:  183 CKR_SESSION_READ_ONLY_EXISTS


SoftHSMv2 states that SO C_Login must always piggyback on RW session and that this is incorrect behaviour.

See discussion here: https://github.com/opendnssec/SoftHSMv2/issues/451


pkcs11-tool uses flags = 0x6 and this works.

Comment 1 space88man 2019-03-05 08:12:57 UTC
Created attachment 1540863 [details]
log of p11tool

Comment 2 Anderson Sasaki 2019-03-05 10:46:08 UTC
Thank you for reporting this issue. 

I've opened an issue upstream to track it: https://gitlab.com/gnutls/gnutls/issues/721

Comment 3 Anderson Sasaki 2019-03-25 09:48:20 UTC
Upstream fix:
https://gitlab.com/gnutls/gnutls/merge_requests/953

Comment 4 Fedora Update System 2019-03-27 15:46:51 UTC
gnutls-3.6.7-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e8c1cf958f

Comment 5 Fedora Update System 2019-03-27 15:49:53 UTC
gnutls-3.6.7-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-971ded6f90

Comment 6 Fedora Update System 2019-03-27 18:18:35 UTC
gnutls-3.6.7-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-971ded6f90

Comment 7 Fedora Update System 2019-03-27 20:02:03 UTC
gnutls-3.6.7-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e8c1cf958f

Comment 8 Fedora Update System 2019-03-31 00:04:26 UTC
gnutls-3.6.7-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2019-03-31 03:00:51 UTC
gnutls-3.6.7-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.