VeraCrypt / Forums / Technical Topics: After update to 1.26 no PKCS#11

tjadm - 2023-12-15

After updating to 1.26.x i have no more possibility to use tokens. The version of the PKCS#11 library i used before (a file called cmP1164.dll, part of the Charismathics Smart Security Interface PKCS#11 Module) is no longer accepted.
If I install an older version of VC (same Windows version) everything is fine.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mounir IDRASSI - 2023-12-16

@tjadm: can you please share the error you receive? Can you describe what do you mean by "no longer accepted"? Be sure to use 64-bit version of VeraCrypt in case of portable mode (VeraCrypt-x64.exe)

I have done tests using different PKCS#11 libraries and I didn't encounter any issue.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mounir IDRASSI - 2023-12-16

@tjadm: I noticed that a similar issue has been reported in another ticket (https://sourceforge.net/p/veracrypt/tickets/541/), where the error described was "the operation was blocked as the process prohibits dynamic code generation."

In case you're encountering the same problem, here's a quote of my response to that ticket:

Version 1.26 of VeraCrypt introduced an enhanced security feature aimed at mitigating injection attacks by malicious software. A key aspect of this upgrade is the prohibition of dynamic code generation that alters executable code during runtime.

Your experience suggests that you're utilizing a PKCS#11 library that relies on dynamic code generation. Throughout my extensive testing with major PKCS#11 libraries, I did not encounter this unusual behavior. Furthermore, it's uncommon and somewhat suspicious for a PKCS#11 library to modify executable code at runtime.

Could you please specify the particular PKCS#11 library you are using? I recommend reaching out to the library's manufacturer for detailed insights into why dynamic code generation is employed in their product. Understanding their rationale could be crucial, especially given the new security protocols in VeraCrypt.

If the error you're experiencing is similar, it may indicate that the Charismathics PKCS#11 library employs this questionable feature. Alternatively, the library might be compromised by malware, as it's atypical for a smart card PKCS#11 library to modify executable code at runtime.

I recommend reaching out to Charismathics to confirm whether this behavior is a standard aspect of their PKCS#11 implementation or if their middleware might be infected.

Last edit: Mounir IDRASSI 2023-12-16

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

tjadm - 2023-12-18

Thank you very much for your information!
I get
VeraCrypt::SecurityToken::InitLibrary:534
And yes, it is the dynamic code generation issue.
It is the middleware for a Pinpad to store keyfile(s).

Last edit: tjadm 2024-01-22

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

After update to 1.26 no PKCS#11

Open source disk encryption with strong security for the Paranoid

Forums

Help

After update to 1.26 no PKCS#11

After update to 1.26 no PKCS#11

Open source disk encryption with strong security for the Paranoid

Forums

Help

After update to 1.26 no PKCS#11 document.SUBSCRIPTION_OPTIONS = { "thing": "topic", "subscribed": false, "url": "subscribe", "icon": { "css": "fa fa-envelope-o" } };

After update to 1.26 no PKCS#11