OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11 message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [GRAYMAIL] Re: [pkcs11] A question about C_Finalize




On 5/28/2015 3:47 PM, Mark Joseph wrote:


    On 5/15/2015 8:35 AM, Mark Joseph wrote:
     >  From the Base Specification Version 2.40
     >
     > In Section 5.4 General-purpose functions, C_Finalize() the following text
    appears:
     >
     > "If several applications are using Cryptoki, each one should call
    C_Finalize.
     > Each application’s call to
     > C_Finalize should be preceded by a single call to C_Initialize;"
     >
     > I interpret this to mean: each *successful* call to C_Initialize should
    have a
     > matching call to C_Finalize.  What if
     > the call to C_Initialize returns CKR_ARGUMENTS_BAD or
     > CKR_CRYPTOKI_ALREADY_INITIALIZED, does the application
     > still call C_Finalize ??
     >
     > I looked in the User Guide and found nothing to clarify this point.

    Hi Mark-

    Sorry missed this email before. You have interpreted it the same way that we
    have, that every successful call to C_Initialize requires a call to C_Finalize

    In our documentation, we actually have special advice regarding the use of
    C_Finalize with respect to libraries: the advice is don't call it.

     From our libpkcs11 man page:

            Because C_Initalize() might have been called by both an application and
            a library, it is not safe for a library or its plugins to call C_Final-
            ize(). A library can be  finished  calling  functions  from  libpkcs11,
            while an application might not.

    Valerie


Thanks Valerie, but couldn't the above result in memory leaks?
If only the code that received CKR_OK from C_Initialize() calls C_Finalize() and
C_Initialize() returns an error "already initialized" if previously called, then
that should work and avoid memory leaks right?
Otherwise the PKCS11 has to implement reference counting?


We are able to do a lot of this by taking advantage of Solaris linker technology. The linker maintains a sort of reference counts for how many people are using this, and when the last user of this loaded module goes away, things are cleaned up.

__fini() is the function we use.

I wonder if Red Hat has a different solution?

I think ours is kind of a special purpose area, because we are providing a general-purpose library for an operating system that could be used by many things the stack.

For example, liba could load libb for some tasks, and both of those libraries might use libpkcs11. So we have to rely on the Solaris linker to let us know when we are truly done, and be very careful with memory use as well.

Valerie

--
NOTE: Using voice recognition software, forgive typos/grammar mistakes!
Valerie Fenwick, http://bubbva.blogspot.com/ @bubbva
Solaris Cryptographic & Key Management Technologies, Manager
Oracle Corporation: 4180 Network Circle, Santa Clara, CA, 95054.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]