RFR: 8294906: Memory leak in PKCS11 TLS server
Daniel Jeliński
djelinski at openjdk.org
Thu Oct 6 19:11:52 UTC 2022
C_DeriveKey with mechanisms `CKM_*_KEY_AND_MAC_DERIVE` always returns mac keys, even if macBits is zero. These keys must be free'd when no longer needed.
Verified that:
- SSL server configured with PKCS11-NSS provider leaks memory without this patch, does not leak memory with this patch
- The same server continues to function correctly
- Existing tier1-3 tests continue to pass with NSS; did not test any other PKCS11 providers
- new tests for AES-128-GCM-SHA256 and AES-256-GCM-SHA384 key derivation pass
-------------
Commit messages:
- Update copyright dates
- Fix file attributes
- Fix key handling, add tests
- Fix memory leak in key derivation
Changes: https://git.openjdk.org/jdk/pull/10594/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=10594&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8294906
Stats: 113 lines in 5 files changed: 102 ins; 3 del; 8 mod
Patch: https://git.openjdk.org/jdk/pull/10594.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/10594/head:pull/10594
PR: https://git.openjdk.org/jdk/pull/10594
More information about the security-dev
mailing list