RFR: 8294906: Memory leak in PKCS11 NSS TLS server [v3]
Mark Powers
mpowers at openjdk.org
Wed Oct 12 14:02:13 UTC 2022
On Wed, 12 Oct 2022 12:13:20 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> C_DeriveKey with mechanisms `CKM_*_KEY_AND_MAC_DERIVE` always returns mac keys, even if macBits is zero. These keys must be free'd when no longer needed.
>>
>> Verified that:
>> - SSL server configured with PKCS11-NSS provider leaks memory without this patch, does not leak memory with this patch
>> - The same server continues to function correctly
>> - Existing tier1-3 tests continue to pass with NSS; did not test any other PKCS11 providers
>> - new tests for AES-128-GCM-SHA256 and AES-256-GCM-SHA384 key derivation pass
>
> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
>
> Add comment about unused parameters
On Linux you might be able to use brew to get an older version of nss:
% brew tap-new $USER/local-nss
% brew extract --version=3.35 nss $USER/local-nss
% brew install nss at 3.35
-------------
PR: https://git.openjdk.org/jdk/pull/10594
More information about the security-dev
mailing list