Closed
Bug 123091
Opened 23 years ago
Closed 23 years ago
SSL server doing client auth in second handshake leaks memory in NSS 3.4
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4
People
(Reporter: julien.pierre, Assigned: wtc)
References
Details
This is occurring with web server 6 and NSS 3.4. It does not occur with web
server 6 and NSS 33.2 .
The test is with an SSL client that presents a client cert signed by a CA which
is trusted by the server.
The server has SSL but with client auth allowed rather than expected. There is
no ACL on the server so the client cert is not further checked, only by NSS
against the trusted CA certs.
dbx checkleaks shows this :
(dbx) showleaks
Checking for memory leaks...
Actual leaks report (actual leaks: 0 total size: 0 bytes)
Possible leaks report (possible leaks: 276 total size: 543780 bytes)
Total Num of Leaked Allocation call stack
Size Blocks Block
Address
====== ====== ========== =======================================
216720 105 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
EncodeDBCertKey < ReadDBCertEntry < FindCertByKey < nsslowcert_FindCertByKey <
nsslowcert_TraversePermCertsForSubject
165120 80 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
PORT_ArenaZAlloc < SEC_ASN1DecoderStart < SEC_ASN1Decode < SEC_ASN1DecodeItem <
nsslowcert_DecodeDERCertificate
117648 57 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
PORT_ArenaZAlloc < SEC_ASN1DecoderStart < SEC_ASN1Decode < SEC_ASN1DecodeItem <
nsspkcs5_AlgidToParam
24768 12 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
ReadDBCertEntry < FindCertByKey < nsslowcert_FindCertByKey <
nsslowcert_TraversePermCertsForSubject < pk11_searchCertsAndTrust
14448 7 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
EncodeDBSubjectKey < ReadDBSubjectEntry < nsslowcert_NumPermCertsForSubject <
pk11_searchCertsAndTrust < pk11_searchTokenList
4128 2 - PR_Malloc < PL_ArenaAllocate < PORT_ArenaAlloc <
PORT_ArenaZAlloc < nsspkcs5_NewParam < nsspkcs5_AlgidToParam <
seckey_decrypt_private_key < seckey_decode_encrypted_private_key
88 1 0x43e0c0 calloc < PR_Calloc < PR_NewLock < nssList_Create <
nssList_Clone < nssList_CreateIterator < nssPKIObject_Initialize <
__CERT_NewTempCertificate
88 1 0x45de98 calloc < PR_Calloc < PR_NewLock <
nssPKIObject_Initialize < __CERT_NewTempCertificate < ssl3_HandleCertificate <
ssl3_HandleHandshakeMessage < ssl3_HandleHandshake
88 1 0x4a7fd0 calloc < PR_Calloc < PR_NewLock < PORT_NewArena <
SECKEY_CopyPrivateKey < ssl_DupSocket < SSL_ImportFD <
SSLSocketConfiguration::enable
88 1 0x595fe8 calloc < PR_Calloc < PR_NewLock <
nssList_CreateIterator < nssPKIObject_Initialize < __CERT_NewTempCertificate <
ssl3_HandleCertificate < ssl3_HandleHandshakeMessage
88 1 0x487600 calloc < PR_Calloc < PR_NewLock < nssList_Create <
nssPKIObject_Initialize < __CERT_NewTempCertificate < ssl3_HandleCertificate <
ssl3_HandleHandshakeMessage
88 1 0x466a60 calloc < PR_Calloc < PR_NewLock < nssArena_Create <
NSSArena_Create < __CERT_NewTempCertificate < ssl3_HandleCertificate <
ssl3_HandleHandshakeMessage
88 1 0x4c4698 calloc < PR_Calloc < PR_NewLock < PORT_NewArena <
CERT_DecodeDERCertificate < nssDecodedPKIXCertificate_Create <
STAN_GetCERTCertificate < __CERT_NewTempCertificate
88 1 0x54adf8 calloc < PR_Calloc < PR_NewLock < PORT_NewArena <
CERT_DupCertList < ssl_DupSocket < SSL_ImportFD < SSLSocketConfiguration::enable
60 1 0x3eaee8 calloc < PR_Calloc < nss_ZAlloc < nssArena_Create <
NSSArena_Create < __CERT_NewTempCertificate < ssl3_HandleCertificate <
ssl3_HandleHandshakeMessage
52 1 0x575bf0 calloc < PR_Calloc < nss_ZAlloc <
nssDecodedPKIXCertificate_Create < STAN_GetCERTCertificate <
__CERT_NewTempCertificate < ssl3_HandleCertificate < ssl3_HandleHandshakeMessage
44 1 0x57ed80 calloc < PR_Calloc < PORT_ZAlloc < PORT_NewArena <
CERT_DupCertList < ssl_DupSocket < SSL_ImportFD < SSLSocketConfiguration::enable
44 1 0x59cb58 calloc < PR_Calloc < PORT_ZAlloc < PORT_NewArena <
CERT_DecodeDERCertificate < nssDecodedPKIXCertificate_Create <
STAN_GetCERTCertificate < __CERT_NewTempCertificate
44 1 0x5b1298 calloc < PR_Calloc < PORT_ZAlloc < PORT_NewArena <
SECKEY_CopyPrivateKey < ssl_DupSocket < SSL_ImportFD <
SSLSocketConfiguration::enable
Reporter | ||
Updated•23 years ago
|
Priority: -- → P1
Reporter | ||
Updated•23 years ago
|
Summary: Memory leak in server-side SSL application with client auth in NSS 3.4 → Memory leak in server-side SSL application with client cert in NSS 3.4
Reporter | ||
Comment 1•23 years ago
|
||
Just FYI, when I ran this test, I configured the web server with a single worker
thread, in order to get the most accurate results possible from the checkleaks
output. However, the web server still has other non-worker background threads
running, which occasionally allocate memory. If a block was allocated by these
threads between the start and end of my run, it will show up erroneously as a
leak. I know for sure that's the case when I run, say, a couple thousand
requests and see a 528 bytes total possible "leak", so I count that as not
leaking. This is another reason why I try to have a high request count before
taking the output of checkleaks.
Reporter | ||
Comment 2•23 years ago
|
||
I am not quite sure I'm testing this correctly . I'm using test aclS04d that I
added to the web server GAT. This leak does not appear to be reproducible in the
server with the current tip of NSS 3.4 .
Before I go ahead and close this as resolved (it may well have been resolved,
given all the fixes done by Ian and Nelson), I'm wondering what's supposed to
happen in this case, namely :
client is configured with a client cert
server is configured to allow client auth, but not requiring it
Is that supposed to cause the cert to be presented over SSL or not ? This was
the case where I was seeing a leak in the server last week. I was not - and
still am not - seeing a leak in the server when neither the client or the server
have client auth enabled.
I know, I could check the code, or ssltap output, but it's rather late and I'm
going home.
Reporter | ||
Updated•23 years ago
|
Target Milestone: --- → 3.4
Reporter | ||
Comment 3•23 years ago
|
||
I have found the answer I was looking for by looking at the code - there is no
cert exchange going on at all if client auth is not required on the SSL socket
and there is no ACL, even if the client has a cert available. The client only
presents the cert if requested by the server, through an NSS callback function.
Therefore, the initial description of this bug must have been incorrect.
Either I had an ACL on the web server for client auth, or client auth was
enforced on the SSL socket (required). The later would be a dupe of 123479. So
I'm going to use this bug for a leak on the second handshake in the server, and
will rerun tests to confirm that.
Summary: Memory leak in server-side SSL application with client cert in NSS 3.4 → SSL server doing client auth in second handshake leaks memory in NSS 3.4
Reporter | ||
Comment 4•23 years ago
|
||
I ran another test over the week-end, with NES 6 and double-handshake client
auth. Neither the client or server leaked memory.
I got 1648310 sessions on the client side, and 94711 errors on the server side.
The errors were
[22/Feb/2002:15:53:11] failure (25911): for host 10.169.25.24 trying to GET /, C
lient-Auth reports: Timeout while waiting for client certificate.
I believe this may be a bug in the web server "get-client-cert" function, which
doesn't give the client enough time. I'm investigating that with the web server tea.
I think the original bug in this defect, which is a memory leak, is fixed, so
I'm closing this bug.
Status: NEW → RESOLVED
Closed: 23 years ago
OS: SunOS → Solaris
Resolution: --- → FIXED
Reporter | ||
Comment 5•23 years ago
|
||
Marking verified.
You need to log in
before you can comment on or make changes to this bug.
Description
•