gnutls-devel

Re: GNUTLS handshake errors and memory leaks (ECDHE related?)


From: Yaroslav
Subject: Re: GNUTLS handshake errors and memory leaks (ECDHE related?)
Date: Wed, 11 Jan 2012 02:26:01 +0400

After rebuilding gnutls with included libtasn1 and applying the patch these are the only errors/warnings left:

==27777== HEAP SUMMARY:
==27777==     in use at exit: 336 bytes in 4 blocks
==27777==   total heap usage: 3,611,146 allocs, 3,611,142 frees, 488,917,755 bytes allocated
==27777== 
==27777== 8 bytes in 1 blocks are definitely lost in loss record 1 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33DA7: __gmpz_init (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F22DF: wrap_nettle_generate_group (mpi.c:424)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2 (gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters (nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777== 
==27777== 8 bytes in 1 blocks are definitely lost in loss record 2 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33DA7: __gmpz_init (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F22E8: wrap_nettle_generate_group (mpi.c:425)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2 (gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters (nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777== 
==27777== 160 bytes in 1 blocks are definitely lost in loss record 3 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33E00: __gmpz_init2 (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F20C0: wrap_nettle_mpi_new (mpi.c:97)
==27777==    by 0x50F22AB: wrap_nettle_generate_group (mpi.c:587)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2 (gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters (nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777== 
==27777== 160 bytes in 1 blocks are definitely lost in loss record 4 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33E00: __gmpz_init2 (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F20C0: wrap_nettle_mpi_new (mpi.c:97)
==27777==    by 0x50F22C0: wrap_nettle_generate_group (mpi.c:597)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2 (gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters (nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777== 
==27777== LEAK SUMMARY:
==27777==    definitely lost: 336 bytes in 4 blocks
==27777==    indirectly lost: 0 bytes in 0 blocks
==27777==      possibly lost: 0 bytes in 0 blocks
==27777==    still reachable: 0 bytes in 0 blocks
==27777==         suppressed: 0 bytes in 0 blocks

Not really critical but still not completely clean. All related to gnutls_dh_params_generate2().

On server startup I do the following (for each SSL listening port):

  /* x509_cred, dh_params and priority_cache are pointers to the handle variables;
     session_ticket_key is a gnutls_datum_t *. */
  gnutls_certificate_allocate_credentials(x509_cred);
  gnutls_certificate_set_x509_key_file(*x509_cred, cert_file, key_file, GNUTLS_X509_FMT_PEM);
  /* Pick a DH group size for the chosen security level, then generate the group. */
  int bits=gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW);
  gnutls_dh_params_init(dh_params);
  gnutls_dh_params_generate2(*dh_params, bits);   /* the call every leak record above passes through */
  gnutls_priority_init(priority_cache, NXWEB_SSL_PRIORITIES, 0);
  gnutls_certificate_set_dh_params(*x509_cred, *dh_params);
  gnutls_session_ticket_key_generate(session_ticket_key);

And on server shutdown I do the following (for each SSL listening port):

  /* The deinit functions take the handle itself, not a pointer to it, so the
     same variables are dereferenced here. */
  gnutls_certificate_free_credentials(*x509_cred);
  gnutls_dh_params_deinit(*dh_params);
  gnutls_priority_deinit(*priority_cache);
  gnutls_free(session_ticket_key->data);

Yaroslav

On Tue, Jan 10, 2012 at 6:14 PM, Nikos Mavrogiannopoulos <address@hidden> wrote:
On Tue, Jan 10, 2012 at 3:03 PM, Yaroslav <address@hidden> wrote:

>> btw. from the logs I see that the version of libtasn1 you have doesn't
>> compile well with
>> the gcc you have. You can use the included libtasn1 to avoid the
>> valgrind warnings.
> libtasn1 is installed in my Ubuntu and there seems to be quite a lot of
> software that depends on it. Is there a way to configure gnutls to use
> included libtasn1 when I already have libtasn1 on my system?

Use --with-included-libtasn1 when configuring gnutls. That way it will
ignore the installed version.

> Not sure about this. I have Intel Q6700 processor. The spec
> (http://ark.intel.com/products/30790/Intel-Core2-Quad-Processor-Q6700-(8M-Cache-2_66-GHz-1066-MHz-FSB))
> says: "AES New Instructions: No".

It doesn't seem to have them. You can always check in realtime with
"cat /proc/cpuinfo", if aes is in your flags.

regards,
Nikos

