Hi Darren, I ve posted an updated version of the proposal (v5) that, hopefully, addresses the memory management concerns. Thank you very much for the feedback. I really appreciate it! Sincerely, Jonathan From: JOHNSON Darren <
darren.johnson@thalesgroup.com> Sent: Thursday, February 23, 2023 1:01 PM To: Jonathan Schulze-Hewett <
schulze-hewett@infoseccorp.com>;
pkcs11@lists.oasis-open.org Subject: RE: [pkcs11] Async Operations - comments Hi Jonathan sorry for the delayed response. Most of you responses pointed out my mistakes and clarified a lot of details. However I have more follow up questions related to buffer management/ownership. Thanks Darren From: Jonathan Schulze-Hewett <
schulze-hewett@infoseccorp.com > Sent: Friday, February 17, 2023 2:35 PM To: JOHNSON Darren <
darren.johnson@thalesgroup.com >;
pkcs11@lists.oasis-open.org Subject: RE: [pkcs11] Async Operations - comments Hi Darren, Thanks for the detailed feedback. It is much appreciated. Tokens must support synchronous sessions. We wanted to be clear that tokens must continue to support the current way of doing things and not switch to only supporting async sessions. [DJ] sorry. I completely misread that sentence. I read Tokens must support asynchronous sessions , which didn t make any sense, hence why I asked the question J I agree 100%. Tokens MUST continue to support the existing functionality. Thanks The input to C_AsyncComplete is CK_ASYNC_DATA_PTR so C_AsyncComplete can update any of the fields in the structure without them needing to be pointers. That being said, by the same logic, CK_OBJECT_HANDLE_PTR should just be CK_OBJECT_HANDLE. I ll update. [DJ] right. Again, I completely misread that. I was reading way too many specs that day Its CK_ASYNC_DATA_ PTR , so it is updatable. Thanks The original buffer refers to the buffer supplied to whatever function was called. I think it s always a buffer input to a function to contain the output value (i.e., from C_SignFinal, C_Encrypt, etc.). I view this as a buffer input to the function, but you re seeing it as a buffer to contain output. I m happy to call it whatever makes it clearer to everyone. The values in CK_ASYNC_DATA are not input values. They are exclusively output values to be filled in by the C_AsyncComplete function. ulValue and pValue are for the caller s convenience so that the caller does not have to keep track of the buffer. If C_AsyncComplete returns CKR_PENDING what happens to the CK_ASYNC_DATA structure is undefined. If anyone has language that would help improve the clarify of this I ll add it in. [DJ] Right. Now that I understand things that makes sense. First, I agree. this is an input parameter to the function, and it receive the output/result. The confusion here was mostly based on my misreading the spec. What isn t clear in the spec is that this buffer is held by the provider and that when C_AsyncComplete is called, the buffer is populated with the response and the pResult->pValue is assigned the pointer to that buffer. I didn t fully understand that until I read your response to (7) below. Maybe this should be added to an extended explanation on how to interpret CKR_PENDING. Or a dedicated section on how asynchronous operations work as a whole. The second part of your response, you are saying the application doesn t need to keep track of the buffer. pValue and ulValue are for the callers convenience. I think that makes sense now. How does this convenience part work if I decide I need to call C_AsyncGetId for whatever reason? If the application hasn t tracked that pointer, why would it if we state it would be returned later, it means the application can t get it back. So an application MUST decide up front if it will ever call C_AsyncGetId and use that to decide if it needs to track the buffer or not? For the last question you asked above, I think a simple statement that when CKR_PENDING is returned, no data will be written to the CK_ASYNC_DATA structure. Or inversely, until an asynchronous operation is complete, no data will be written to the memory pointed to by the CK_ASYNC_DATA _PTR. For example, C_AsyncComplete checks if the function identified by pFunctionName has completed an asynchronous operation and, if so, returns the associated result(s). hSession is the session s handle; pFunctionName is the name of the function whose state is being queried; pResult is a pointer to a structure to receive the result(s) if the function has completed. If the operation has not completed, CKR_PENDING is returned and the location pointed to by pResult is not modified . I m not the best spec writer, so others may be able to further fix it up. Or we can perfect it when it is incorporated in to the final spec. And based on comments above and below, maybe the pBuffer is always returned? The intent of the red text is to cover a reboot or restart of the calling application. To enable an application to start an operation, quit, and then check on it later. We did not have a discussion around authentication requirements and it s up to the module as to what restrictions to place on the session trying to join. We have left the meaning of the ID up to the particular module. My goal was to specify it to the point where it was possible to implement the functionality and leave the details to the implementers. [DJ] makes sense. I m not sure how, but it might be worth highlighting that this survives a call to C_Finalize and can be resumed after C_Initialize. I think it would be relatively easy to define some rules related to authentication requirements, but it would probably clash with how various vendors implement authentication/authorization. I agree to leave it as it is. Indeed. I ll fix. pData and ulData are input to C_AsyncJoin so that they can be returned in the future C_AsyncComplete call. They can be NULL if the original function, say C_GenerateKey pair (which is what got me into this mess in the first place), doesn t take a buffer. Something stating that implementer s should carefully consider whether or not to use the supplied buffers as the caller may quit on them seems reasonable to me. Anyone care to suggest some language? [DJ] Now that I understand how this works, that makes sense. I don t think we need to make a statement about the implementers not using the buffer. The whole model of these APIs is that the buffer is passed to the library and remains in the libraries control. However I think we should define when ownership of the buffer is returned back to the calling application. That part is not necessarily clear. I think if we just make it clear that when an operation is being processed asynchronously, the output buffer is under the control of the provider until a few different possible events happen: C_AsyncComplete returns any other error code than CKR_PENDING. I m saying this in part because of how you described handling BUFFER_TOO_SMALL later in the email. If the application must resize the buffer and recall the previous API, then it must also receive the original pointer back so that it can be free d. until C_AsycnGetID is called and returns CKR_OK. C_SessionCancel is called with the appropriate flags. C_CloseSession is called. C_Finalize is called. If that is made clear, then I don t think we should allow the application to arbitrarily delete memory that it has passed to the library. In most of these scenarios, there is no obvious way for the application to get the pointer back from the library. Alternatively, if we are worried about this, then the APIs should probably be restructured so that the memory is not left under the providers control. To be honest, I don t see what value there is in passing the buffer to the library and getting the pointer back later. If the library isn t supposed to use it until the operation is complete, that removes the benefit for the library. And application that is using asynchronous APIs will need to track the operation. So tracking buffers along with the operation is not going to be any additional complexity and would probably be a very natural thing for the application to do. Another thing, an application that allocates memory, passes the address to a library and then just forgets about it causes many problems when it comes to code quality and static analysis tools. And finally, it is inconsistent that an application may provide multiple response pointers (i.e. pointer for the data and a pointer for the length of the data), yet only one pointer is held by the library. I understand why you make that distinction, but it still results in a bit of inconsistency. As in 6, pData and ulData are input to C_AsyncJoin so that they can be returned in the future C_AsyncComplete call. [DJ] Right. that s clear now. thanks. The big thing that was confusing to me at first is the whole C_AsyncComplete NOT taking input values. My first example had C_AsyncComplete returning CKR_BUFFER_TOO_SMALL and then being called again with a properly sized buffer, but that s not how it would work (thank you Dieter for explaining my own proposal to me). If C_AsyncComplete returns CKR_BUFFER_TOO_SMALL, the application needs to call the original function again with a properly sized buffer (C_SignFinal then C_AsyncComplete then C_SignFinal again with proper buffer then C_AsyncComplete). [DJ], this dynamic certainly needs to be better explained in the spec. To me, if an API returns CKR_BUFFER_TOO_SMALL. the obvious thing to do would be to call the same API with the corrected buffer size. That is how most (all?) the other APIs work. But in this case, we are saying no, you need to go back and call the previous API you called. I can see many reasons why this could make sense as they ARE going back to the actual API for the operation. But at the same time it opens more questions. Does the exact input data need to be provided as well? Maybe it does if we compare it to the non-asynchronous flow use for EncryptUpdate when the buffer is too small. I m not saying we should change it. I m just saying that in my opinion (right or wrong) it seems like a deviation on how all the other APIs work so it should be well documented. So when CKR_BUFFER_TOO_SMALL is returned, as I suggested in (6) above does that mean the originally provided buffer is still returned? If we are expecting application to NOT keep that pointer around, then the provider would have to return it. Otherwise the application would never be able to free it. The whole idea that the provider will keep the buffer and return it, and when it returns it should be well explained as well. I ll update the doc with changes for 2 and 5 above and with any changes arising from the next email on the subject