pkcs#11 内存错误 - 常见原因可能是什么？

发布于 2024-09-09 01:52:00 字数 513 浏览 5 评论 0原文

我收到使用 cryptoki 库的 C_Encrypt 调用的 CKR_DEVICE_MEMORY 错误代码。

根据 PKCS#11 规范，CKR_DEVICE_MEMORY 表示令牌没有足够的内存来执行请求的功能。

什么情况下，我们的token内存会完全满呢？

HSM 已连续 7 天 24x7 工作，主要在白天通过 2 个并行会话加密和解密文件。我在过去 7 天内没有调用 C_Finalize。所以 cryptoki 库从初始化起就一直在其内存空间中工作（请参阅有关此的相关文章）。

我可以从我的应用程序、调试日志中看到我正在分配、正在解除分配的任何内容，因此我的应用程序代码中没有内存泄漏。

更新1：有一个

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

中二柚 2024-09-16 01:52:00

让我们分别考虑 HSM 和主机（运行 Cryptoki 库）的内存。如果 HSM 设备内存不足，则正确实现的 Cryptoki 库应返回 CKR_DEVICE_MEMORY；如果 Cryptoki 库无法为其内部结构分配主机内存，则应返回 CKR_HOST_MEMORY（如果它实现为共享库，则进程无法分配内存）。因此，如果您的 pkcs11 库正确实现，那么 CKR_DEVICE_MEMORY 意味着设备 (HSM) 内存不足。
造成此类错误的原因有很多。我们不能考虑所有分支。可以仅限制某些问题。回答您的问题时，Cryptoki 库中内存问题的三个主要常见原因：

用于加密操作的内存。 Cryptoki 的客户端负责分配此类内存，而不是 Cryptoki 库。例如，Cryptoki 库的客户端必须在调用 C_EncryptFinal 之前为最终结果分配缓冲区。如果缓冲区大小不够，则 Cryptoki 返回 CKR_BUFFER_TOO_SMALL。
HSM 内存。 CKR_DEVICE_MEMORY 指出了这种情况，但它超出了大多数软件开发人员的控制范围。
Cryptoki 库中内部服务结构的内存。例如，当您打开会话时，就会分配该结构的内存。当您停止加密过程并在同一会话中开始解密时，该会话的模式会发生变化。 Cryptoki 库应该支持调用之间的内部状态，因为它支持多部分迭代操作。当从一种操作切换到另一种操作时，它应该释放以前的结构并在内存中分配新的结构，例如堆。如果应用程序开发人员有库源或想要帮助查找错误，则在这种情况下值得执行以下操作（对于此特定事件，假设库错误地报告 CKR_DEVICE_MEMORY 而不是 CKR_HOST_MEMORY）。尝试仅针对一种操作（例如加密）运行程序。如果在上述时间内没有出现内存错误，则在更改操作类型时可能会发生内存泄漏。但你说：“一个会话用于加密，另一个会话用于解密”。它缩小了范围。可能是用于存储多部分操作泄漏状态的内存。监视几次操作后的内存量。如果您不使用多部分操作，那么很可能是情况 2，因为在这种情况下 Cryptoki 库不应分配任何非堆栈内存。

这些估计只是为了说明此类库中内存的一般问题。

Let’s consider the memory of HSM and host computer (which Cryptoki library runs on) separately. Correctly implemented Cryptoki library should return CKR_DEVICE_MEMORY if HSM device suffers from the lack of memory and CKR_HOST_MEMORY if Cryptoki library can’t allocate host computer memory for its internal structures (if it is implemented as a shared library then the process can’t allocate memory). So if your pkcs11 library is implemented correctly then CKR_DEVICE_MEMORY means insufficient device (HSM) memory literally.
There are a lot of reasons of such bugs. We can’t consider all branches. It’s possible to restrict some issues only. Answering your question there are three main common reasons of problems with memory in Cryptoki library:

Memory for crypto operations. Client of Cryptoki is responsible for allocating such memory, not Cryptoki library. For example client of Cryptoki library must allocate buffer for final result before invoking C_EncryptFinal. If buffer size is not enough then Cryptoki returns CKR_BUFFER_TOO_SMALL.
HSM memory. CKR_DEVICE_MEMORY points to this case but it's beyond control of most software developers.
Memory for internal service structures in Cryptoki library. For example when you open session the memory for this structure is allocated. When you stop encryption process and start decryption within the same session the mode for this session changes. Cryptoki library should support internal state between calls because it supports multi-part iterative operations. When switching from one kind of operation to another it should free previous structures and allocate new ones in memory like heap. If application developer has library sources or wants to help in finding error it worth to do following in this situation(for this particular incident assuming library erroneously reports CKR_DEVICE_MEMORY instead of CKR_HOST_MEMORY). Try to run program only for one kind of operation (say encryption). If it works without memory error for mentioned period of time then it’s possible that memory leaks occurres while changing operation types. But you says that:"one session for encryption and the other for decryption". It narrows the scope. Probably memory for storing the state for multi-part operation leaks. Monitor the amount of memory after several operations. If you don't use multi-part operations then most likely it's the case 2 because Cryptoki library in such circumstances shouldn't allocate any non-stack memory.

These estimates are only to illustrate general issues with memory in such libraries.

回复收藏 0 原文

夏有森光若流苏 2024-09-16 01:52:00

您此处提到您没有关闭会话。如果这是真的，那么这很可能就是 CKR_DEVICE_MEMORY 的原因。

回复收藏 0 原文

忆离笙 2024-09-16 01:52:00

我也有这个问题，年份是 2020 :S
.Net Framework + Rest Api 这对组合这次遇到了这个问题。
我使用 HSM 进行解密方法。我有一个登录方式的交互频道，我们需要进行性能测试。该服务有一个来自 Pkcs11 的实例

pkcs11 = new Pkcs11(hsmPath, true);
slot = GetUsableSlot(pkcs11);
TokenInfo tokenInfo = slot.GetTokenInfo();
session = slot.OpenSession(true);
session.Login(CKU.CKU_USER, userLoginPin);
secretKey = GenerateKey(session);

，这是 Decrypt 方法。

公共字节[]解密（字节[]加密的TextByteArray）
{

    Mechanism mechanism = new Mechanism(CKM.CKM_AES_ECB);
    byte[] sourceData = encryptedTextByteArray;
    byte[] decryptedData = null;

    using (MemoryStream inputStream = new MemoryStream(sourceData), outputStream = new MemoryStream())
    {
        try
        {                
            session.Decrypt(mechanism, secretKey, inputStream, outputStream, 4096);
        }
        catch (Pkcs11Exception ex)
        {
            throw;
        }
        decryptedData = outputStream.ToArray();
    }
    return decryptedData;
}

当我尝试使用 Postman runner 进行性能测试时，一个线程没有问题。
如果我增加线程数，就会出现这些错误。
第一个错误：CKR_OPERATION_ACTIVE
下一个错误：CKR_DEVICE_MEMORY

我尝试了这些方法。
-对于每个请求关闭会话。并且还为新请求打开了会话。但没有成功。出现了同样的错误。（当然请求和响应时间增加了）
-对于每个请求都关闭了连接。并且还为新请求打开了新连接。出现了同样的错误。（当然请求和响应时间增加了）

有人帮助我吗？ :)

I have also this problem and year is 2020 :S
.Net Framework + Rest Api couple have this problem this time.
I'm using HSM for decrypt method. I have a login method interactive channel, and we need to make performance test. The service has an instance from Pkcs11

pkcs11 = new Pkcs11(hsmPath, true);
slot = GetUsableSlot(pkcs11);
TokenInfo tokenInfo = slot.GetTokenInfo();
session = slot.OpenSession(true);
session.Login(CKU.CKU_USER, userLoginPin);
secretKey = GenerateKey(session);

And this is the Decrypt method.

public byte[] Decrypt(byte[] encryptedTextByteArray)
{

    Mechanism mechanism = new Mechanism(CKM.CKM_AES_ECB);
    byte[] sourceData = encryptedTextByteArray;
    byte[] decryptedData = null;

    using (MemoryStream inputStream = new MemoryStream(sourceData), outputStream = new MemoryStream())
    {
        try
        {                
            session.Decrypt(mechanism, secretKey, inputStream, outputStream, 4096);
        }
        catch (Pkcs11Exception ex)
        {
            throw;
        }
        decryptedData = outputStream.ToArray();
    }
    return decryptedData;
}

When I try to make performance test using Postman runner, there is no problem for one thread.
If I increase thread count, It appears these errors.
First error: CKR_OPERATION_ACTIVE
Next error: CKR_DEVICE_MEMORY

I tried these methods.
-For every request closed session. And also opened session for new request. But not succeeed. The same errors appeared. (Of course request and response time increased)
-For evey request closed the conenction. And also opened new connection for new request. The same errors appeared. (Of course request and response time increased)

Anyone helps me? :)

回复收藏 0 原文

~没有更多了~