Problem with Subversion + Neon + GnuTLS 2.5

Simon Josefsson simon at josefsson.org
Mon Aug 18 13:00:47 CEST 2008 

Joe Orton <joe at manyfish.co.uk> writes:

> [resent with the correct address for gnutls-devel]
>
> On Sun, Aug 17, 2008 at 10:13:36PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
>> I have Neon configured with the --with-ssl=gnutls option. I use
>> Neon trunk r1531 and Subversion trunk r32513. I recently upgraded
>> GnuTLS from 2.4.1 to 2.5.3 and now when I try to use Subversion
>> (which uses Neon) with https:// protocol I get this error:
>> 
>> Ohhhh jeeee: operation is not possible without initialized secure memory
>> Aborted
>> 
>> This error doesn't happen when I use ra_serf instead of ra_neon.
>> This error also ceases to happen after downgrading GnuTLS to 2.4.1.
>
> Sounds like an issue in GnuTLS 2.5, I can't see any new initialization 
> requirements there.  CC'ing gnutls-dev for any further clues?

I believe this happens if gnutls is initialized after gcrypt has already
been initialized to use secure memory (the default).
Libgcrypt-applications needs a setuid bit in this case, I think.
Normally it is better to disable secure memory usage in libgcrypt and
avoid the root-requirement to be able to lock memory pages.  GnuTLS does
takes care of this in its gnutls_global_init() code, but if libgcrypt
has already been initialized, this cannot be modified.

I cannot explain why this happens only for 2.5.3 and not 2.4.1 though.

Hm.  The new crypto code in 2.5.x could explain this.  Possibly the
initialization order changed.  Yes.  Try the patch below.

Thanks,
/Simon

diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index ad0dde6..d94b926 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -250,11 +250,6 @@ gnutls_global_init (void)
 	  return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
 	}
 
-      /* for gcrypt in order to be able to allocate memory */
-      gcry_set_allocation_handler (gnutls_malloc, gnutls_secure_malloc,
-				   _gnutls_is_secure_memory, gnutls_realloc,
-				   gnutls_free);
-
       /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
 
       gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
@@ -267,6 +262,11 @@ gnutls_global_init (void)
 #endif
     }
 
+  /* for gcrypt in order to be able to allocate memory */
+  gcry_set_allocation_handler (gnutls_malloc, gnutls_secure_malloc,
+			       _gnutls_is_secure_memory, gnutls_realloc,
+			       gnutls_free);
+
 #ifdef DEBUG
   gnutls_global_set_log_function (dlog);
 #endif

More information about the Gnutls-devel mailing list