RFR: 8294906: Memory leak in PKCS11 NSS TLS server [v3]
Daniel Jeliński
djelinski at openjdk.org
Wed Oct 12 12:13:20 UTC 2022
> C_DeriveKey with mechanisms `CKM_*_KEY_AND_MAC_DERIVE` always returns mac keys, even if macBits is zero. These keys must be free'd when no longer needed.
>
> Verified that:
> - SSL server configured with PKCS11-NSS provider leaks memory without this patch, does not leak memory with this patch
> - The same server continues to function correctly
> - Existing tier1-3 tests continue to pass with NSS; did not test any other PKCS11 providers
> - new tests for AES-128-GCM-SHA256 and AES-256-GCM-SHA384 key derivation pass
Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
Add comment about unused parameters
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/10594/files
- new: https://git.openjdk.org/jdk/pull/10594/files/fdbe559f..4bb0db7d
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=10594&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=10594&range=01-02
Stats: 2 lines in 1 file changed: 1 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/10594.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/10594/head:pull/10594
PR: https://git.openjdk.org/jdk/pull/10594
More information about the security-dev
mailing list