I am getting the CKR_DEVICE_MEMORY error code for a C_Encrypt call using the cryptoki library.

From the PKCS#11 spec, CKR_DEVICE_MEMORY means the token does not have sufficient memory to perform the requested function.

Under what circumstances do we get the token's memory completely full?

The HSM has been working 24x7 for 7 days continuously, mostly encrypting and decrypting files during the daytime with 2 parallel sessions. I haven't called C_Finalize in the last 7 days, so the cryptoki library has been working in its memory space from the point it has been initialised (see a related post on this).

I can see from my application's debug log that whatever I am allocating, I am deallocating, so there is no memory leak from my application code.

UPDATE 1: There is a related detailed discussion on how I can call C_Finalize in Application_End of ASP.NET. The main reason I couldn't use this is that after recycling/timeout, the ASP.NET threads access a single session, resulting in a CKR_OPERATION_ACTIVE error. In my case multiple applications are accessing the HSM via a web service.

A: 

You mention here that you are not closing your sessions. If that is true, that is most probably the cause of the CKR_DEVICE_MEMORYs.

Rasmus Faber
Hello Rasmus - I do not close my session. I keep my session open and use the handle in batch mode. My intention is not to close the session at all. Can you please help me to understand how keeping the session open will lead to the HSM's memory being used completely? I open only 2 sessions and hold on to these two handles, one for encryption and the other for decryption. PS: I delete my session object, which is an AES128 key (though it's a session object).
Raj
@Raj: You mentioned that ASP.NET was shutting down your application every 20 minutes without you calling C_CloseSession() or C_Finalize(). Or have you changed it so it is no longer timing out?
Rasmus Faber
@Rasmus: I no longer use the default timeout. When the ASP.NET web service receives multiple requests for performing crypto functions after a timeout, the threads become alive and multiple threads access a single session, leading to a CKR_OPERATION_ACTIVE error and undefined behaviour. I ended up with similar issues when I enabled thread recycling in IIS, as IIS creates a new process.
Raj
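
The failure mode the answer points to, as an added example (not code from this thread or from any PKCS#11 library): `FakeToken` is a constructed in-memory stand-in that assumes the token keeps a session allocated until it is explicitly closed, and `SessionPool` and `simulate_recycles` are hypothetical names. The pool lends each handle to one thread at a time, which is what avoids CKR_OPERATION_ACTIVE, and closes every session on shutdown.

```python
import queue
from contextlib import contextmanager

class TokenError(Exception):
    """Carries a PKCS#11 return-code name such as CKR_DEVICE_MEMORY."""

class FakeToken:
    """Constructed stand-in for an HSM with a fixed session table (assumption)."""
    def __init__(self, capacity):
        self.capacity, self.sessions, self._next = capacity, set(), 1
    def open_session(self):                  # models C_OpenSession
        if len(self.sessions) >= self.capacity:
            raise TokenError("CKR_DEVICE_MEMORY")
        handle, self._next = self._next, self._next + 1
        self.sessions.add(handle)
        return handle
    def close_session(self, handle):         # models C_CloseSession
        self.sessions.discard(handle)

class SessionPool:
    """Opens a fixed number of sessions and lends each to one thread at a time."""
    def __init__(self, token, size):
        self.token, self._idle = token, queue.Queue()
        for _ in range(size):
            self._idle.put(token.open_session())
    @contextmanager
    def session(self):
        handle = self._idle.get()            # blocks, so a handle is never shared
        try:
            yield handle
        finally:
            self._idle.put(handle)
    def shutdown(self):                      # call from the host's shutdown hook
        while not self._idle.empty():
            self.token.close_session(self._idle.get())

def simulate_recycles(token, workers, close_on_exit, per_worker=2):
    """Run successive worker processes; return (workers started, sessions left open)."""
    for n in range(workers):
        try:
            pool = SessionPool(token, per_worker)
        except TokenError:
            return n, len(token.sessions)    # token refused a new session
        with pool.session() as handle:
            assert handle in token.sessions  # crypto calls would go here
        if close_on_exit:
            pool.shutdown()
    return workers, len(token.sessions)
```

With an 8-slot token and two sessions per worker, the fifth recycled worker is refused when earlier workers exit without closing; with `close_on_exit=True` all ten run and the token ends with no open sessions.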