JDK-8294906

Memory leak in PKCS11 NSS TLS server

      Description

        P11TlsKeyMaterialGenerator leaks 2 handles (hClientMacSecret and hServerMacSecret) every time a connection using AES-GCM is established. PKCS11 library used was NSS.

        MAC keys are not needed when using AEAD, and the PKCS spec [1] suggests that they don't need to be created. However, it doesn't prohibit creating MAC keys, and some libraries like NSS create them.

        [1] https://docs.oasis-open.org/pkcs11/pkcs11-spec/v3.1/cs01/pkcs11-spec-v3.1-cs01.html#_Toc111203671
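
The handle accounting described in this report, as an added example that is not JDK or NSS code: a small model in which every derivation returns four handles and the caller of an AEAD suite only ever releases the two cipher keys. `FakeToken`, `derive`, `connection` and `leakedAfter` are hypothetical names; the record fields mirror the handle fields of PKCS #11's `CK_SSL3_KEY_MAT_OUT`, and releasing the unused MAC keys is one way to close the leak in this model, not necessarily the change made in the JDK (Java 16+ for records).

```java
import java.util.HashSet;
import java.util.Set;

public class MacHandleLeakDemo {
    // Model only: stands in for the object table of a PKCS#11 session.
    static final class FakeToken {
        private final Set<Long> live = new HashSet<>();
        private long next = 1;
        long create() { long h = next++; live.add(h); return h; }
        void destroy(long h) { live.remove(h); }   // models C_DestroyObject
        int liveCount() { return live.size(); }
    }

    // Mirrors the four handle fields of CK_SSL3_KEY_MAT_OUT.
    record KeyMatOut(long hClientMacSecret, long hServerMacSecret,
                     long hClientKey, long hServerKey) {}

    // Models a library that creates MAC keys even for AEAD suites,
    // as the report says NSS does.
    static KeyMatOut derive(FakeToken t) {
        return new KeyMatOut(t.create(), t.create(), t.create(), t.create());
    }

    // One handshake followed by connection close.
    static void connection(FakeToken t, boolean aead, boolean releaseUnusedMacKeys) {
        KeyMatOut out = derive(t);
        // With a non-AEAD suite the MAC keys are used and released at close.
        // With AEAD nobody holds them, so they must be released explicitly.
        if (!aead || releaseUnusedMacKeys) {
            t.destroy(out.hClientMacSecret());
            t.destroy(out.hServerMacSecret());
        }
        t.destroy(out.hClientKey());
        t.destroy(out.hServerKey());
    }

    // Number of handles still live on the token after n AEAD connections.
    static int leakedAfter(int n, boolean releaseUnusedMacKeys) {
        FakeToken t = new FakeToken();
        for (int i = 0; i < n; i++) {
            connection(t, true, releaseUnusedMacKeys);
        }
        return t.liveCount();
    }

    public static void main(String[] args) {
        System.out.println("MAC keys ignored:  " + leakedAfter(1000, false) + " live handles");
        System.out.println("MAC keys released: " + leakedAfter(1000, true) + " live handles");
    }
}
```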

              People

                djelinski Daniel Jelinski