[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [pkcs11] Async Operations - comments
Hi Darren, Iâve posted an updated version of the proposal (v5) that, hopefully, addresses the memory management concerns. Thank you very much for the feedback. I really appreciate it! Sincerely, Jonathan From: JOHNSON Darren <darren.johnson@thalesgroup.com> Hi Jonathan sorry for the delayed response. Most of you responses pointed out my mistakes and clarified a lot of details. However I have more follow up questions related to buffer management/ownership. Thanks Darren From: Jonathan Schulze-Hewett <schulze-hewett@infoseccorp.com> Hi Darren, Thanks for the detailed feedback. It is much appreciated.
[DJ] sorry. I completely misread that sentence. I read âTokens must support asynchronous sessionsâ, which didnât make any sense, hence why I asked the question J I agree 100%. Tokens MUST continue to support the existing functionality. Thanks
[DJ] right. Again, I completely misread that. I was reading way too many specs that dayâ Its CK_ASYNC_DATA_PTR, so it is updatable. Thanks
[DJ] Right. Now that I understand things that makes sense. First, I agree. this is an input parameter to the function, and it receive the output/result. The confusion here was mostly based on my misreading the spec. What isnât clear in the spec is that this buffer is held by the provider and that when C_AsyncComplete is called, the buffer is populated with the response and the pResult->pValue is assigned the pointer to that buffer. I didnât fully understand that until I read your response to (7) below. Maybe this should be added to an extended explanation on how to interpret CKR_PENDING. Or a dedicated section on how asynchronous operations work as a whole. The second part of your response, you are saying the application doesnât need to keep track of the buffer. pValue and ulValue are for the callers convenience. I think that makes sense now. How does this convenience part work if I decide I need to call C_AsyncGetId for whatever reason? If the application hasnât tracked that pointer, why would it if we state it would be returned later, it means the application canât get it back. So an application MUST decide up front if it will ever call C_AsyncGetId and use that to decide if it needs to track the buffer or not? For the last question you asked above, I think a simple statement that when CKR_PENDING is returned, no data will be written to the CK_ASYNC_DATA structure. Or inversely, until an asynchronous operation is complete, no data will be written to the memory pointed to by the CK_ASYNC_DATA _PTR. For example, C_AsyncComplete checks if the function identified by pFunctionName has completed an asynchronous operation and, if so, returns the associated result(s). hSession is the sessionâs handle; pFunctionName is the name of the function whose state is being queried; pResult is a pointer to a structure to receive the result(s) if the function has completed. If the operation has not completed, CKR_PENDING is returned and the location pointed to by pResult is not modified. Iâm not the best spec writer, so others may be able to further fix it up. Or we can perfect it when it is incorporated in to the final spec. And based on comments above and below, maybe the pBuffer is always returned?
[DJ] makes sense. Iâm not sure how, but it might be worth highlighting that this survives a call to C_Finalize and can be resumed after C_Initialize. I think it would be relatively easy to define some rules related to authentication requirements, but it would probably clash with how various vendors implement authentication/authorization. I agree to leave it as it is.
[DJ] Now that I understand how this works, that makes sense. I donât think we need to make a statement about the implementers not using the buffer. The whole model of these APIs is that the buffer is passed to the library and remains in the libraries control. However I think we should define when ownership of the buffer is returned back to the calling application. That part is not necessarily clear. I think if we just make it clear that when an operation is being processed asynchronously, the output buffer is under the control of the provider until a few different possible events happen:
In most of these scenarios, there is no obvious way for the application to get the pointer back from the library. Alternatively, if we are worried about this, then the APIs should probably be restructured so that the memory is not left under the providers control. To be honest, I donât see what value there is in passing the buffer to the library and getting the pointer back later. If the library isnât supposed to use it until the operation is complete, that removes the benefit for the library. And application that is using asynchronous APIs will need to track the operation. So tracking buffers along with the operation is not going to be any additional complexity and would probably be a very natural thing for the application to do. Another thing, an application that allocates memory, passes the address to a library and then just âforgetsâ about it causes many problems when it comes to code quality and static analysis tools. And finally, it is inconsistent that an application may provide multiple response pointers (i.e. pointer for the data and a pointer for the length of the data), yet only one pointer is held by the library. I understand why you make that distinction, but it still results in a bit of inconsistency.
[DJ] Right. thatâs clear now. thanks. The big thing that was confusing to me at first is the whole C_AsyncComplete NOT taking input values. My first example had C_AsyncComplete returning CKR_BUFFER_TOO_SMALL and then being called again with a properly sized buffer, but thatâs not how it would work (thank you Dieter for explaining my own proposal to me). If C_AsyncComplete returns CKR_BUFFER_TOO_SMALL, the application needs to call the original function again with a properly sized buffer (C_SignFinal then C_AsyncComplete then C_SignFinal again with proper buffer then C_AsyncComplete). [DJ], this dynamic certainly needs to be better explained in the spec. To me, if an API returns CKR_BUFFER_TOO_SMALL. the obvious thing to do would be to call the same API with the corrected buffer size. That is how most (all?) the other APIs work. But in this case, we are saying no, you need to go back and call the previous API you called. I can see many reasons why this could make sense as they ARE going back to the actual API for the operation. But at the same time it opens more questions. Does the exact input data need to be provided as well? Maybe it does if we compare it to the non-asynchronous flow use for EncryptUpdate when the buffer is too small. Iâm not saying we should change it. Iâm just saying that in my opinion (right or wrong) it seems like a deviation on how all the other APIs work so it should be well documented. So when CKR_BUFFER_TOO_SMALL is returned, as I suggested in (6) aboveâ does that mean the originally provided buffer is still returned? If we are expecting application to NOT keep that pointer around, then the provider would have to return it. Otherwise the application would never be able to free it. The whole idea that the provider will keep the buffer and return it, and when it returns it should be well explained as well. Iâll update the doc with changes for 2 and 5 above and with any changes arising from the next email on the subject 😊 If anyone has suggestions for language on 3 and 6 please send it! Sincerely, Jonathan From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of JOHNSON Darren THIS MESSAGE COMES FROM AN EXTERNAL SOURCE. PLEASE VERIFY THE CONTENTS OF THIS MESSAGE BEFORE PROCEEDING. I missed all the discussions around this proposal. So I apologize if Iâm asking questions that were already discussed and resolved.
I assume the first part, âTokens must support synchronous sessionsâ is going to be removed? Tokens may support async sessions.
Is this supposed to say âoriginal input bufferâ? Or should it be âoriginal output bufferâ? Whether the operation is âon completionâ or âstill processingâ, this value should always âpoints to the location that receives the resultâ. The state of the operation is unknown to the caller, and should not have an impact on the value of âpValueâ, Right? On completion, the result is copied there. Do we really require that it is the âsameâ buffer? Does that imply that we are assuming/expecting or just allowing providers to make use of that buffer during the operation? Which may make sense for memory constrained environments. and may also make sense if a token is streaming result data out and filling this buffer as it progresses. Or should we be more strict and not have this requirement for the âsameâ buffer, which means the provider should not use any of the applications memory. This would be problematic in many cases I think Regardless, we should clearly state who is the owner of that buffer while the operation is being processed asynchronously. âIfâ it must be the same buffer, should we really require it to be re-provided? Should we require any of the output pointers to be re-provided? What is the reason for them to be re-provided?
Looking back at the meeting minutes, I see that this update to the proposal is supposed to cover a reboot. Is that true? So an application can be restarted, and attempt to join the operation? Was there any discussion around authentication requirements? About which role/user initiated the operation vs what role/user is joining the operation? I would assume that only the same role (and user if a user was authenticated) could resume the operation. Or is the âIDâ value essentially treated like an authorization token and grants rights for any role/user to join the operation? Whatever the answer is, it should be documented. What about the current roleâs/userâs ability to access and use the key that is currently being used for the operation. Without requiring the same role/user that was used to initiate the operation, we get in to discussions around escalation.
This may not be obvious to all readers and should probably be mentioned.
This question may be ignored as it may be addressed by the next question below. Why should C_AsyncJoin need to provide pData and ulData? From what I understand, the application will need to call C_AsyncComplete, right? so the output buffer will be provided via CK_ASYNC_DATA? Requiring pData and ulData during the C_AsyncJoin would only be necessary if we think the provider will need to make use of that memory while processing the operation. But the operation has gone through a C_AsyncGetID, so it must already have decoupled itself from any application memory space and is presumably still processing Shouldnât C_AsyncJoin pass CKA_ASYNC_DATA as a parameter so that all of the output locations are provided and not just the buffer? It seems to me that C_AsyncJoin should just join the operation followed by C_AsyncComplete, which will provide all the output pointers/buffers and attempt to complete the operation. Thanks Darren |
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]