Problem with Subversion + Neon + GnuTLS 2.5

Arfrever Frehtes Taifersar Arahesis arfrever.fta at gmail.com
Mon Aug 18 14:40:39 CEST 2008


2008-08-18 13:00:47 Simon Josefsson napisał(a):
> Joe Orton <joe at manyfish.co.uk> writes:
> > On Sun, Aug 17, 2008 at 10:13:36PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> >> I have Neon configured with the --with-ssl=gnutls option. I use
> >> Neon trunk r1531 and Subversion trunk r32513. I recently upgraded
> >> GnuTLS from 2.4.1 to 2.5.3 and now when I try to use Subversion
> >> (which uses Neon) with https:// protocol I get this error:
> >> 
> >> Ohhhh jeeee: operation is not possible without initialized secure memory
> >> Aborted
> >> 
> >> This error doesn't happen when I use ra_serf instead of ra_neon.
> >> This error also ceases to happen after downgrading GnuTLS to 2.4.1.
> >
> > Sounds like an issue in GnuTLS 2.5, I can't see any new initialization 
> > requirements there.  CC'ing gnutls-dev for any further clues?
> 
> I believe this happens if gnutls is initialized after gcrypt has already
> been initialized to use secure memory (the default).
> Libgcrypt-applications needs a setuid bit in this case, I think.
> Normally it is better to disable secure memory usage in libgcrypt and
> avoid the root-requirement to be able to lock memory pages.  GnuTLS does
> takes care of this in its gnutls_global_init() code, but if libgcrypt
> has already been initialized, this cannot be modified.
> 
> I cannot explain why this happens only for 2.5.3 and not 2.4.1 though.
> 
> Hm.  The new crypto code in 2.5.x could explain this.  Possibly the
> initialization order changed.  Yes.  Try the patch below.
> 
> Thanks,
> /Simon
> 
> diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
> index ad0dde6..d94b926 100644
> --- a/lib/gnutls_global.c
> +++ b/lib/gnutls_global.c
> @@ -250,11 +250,6 @@ gnutls_global_init (void)
>  	  return GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY;
>  	}
>  
> -      /* for gcrypt in order to be able to allocate memory */
> -      gcry_set_allocation_handler (gnutls_malloc, gnutls_secure_malloc,
> -				   _gnutls_is_secure_memory, gnutls_realloc,
> -				   gnutls_free);
> -
>        /* gcry_control (GCRYCTL_DISABLE_INTERNAL_LOCKING, NULL, 0); */
>  
>        gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL, 0);
> @@ -267,6 +262,11 @@ gnutls_global_init (void)
>  #endif
>      }
>  
> +  /* for gcrypt in order to be able to allocate memory */
> +  gcry_set_allocation_handler (gnutls_malloc, gnutls_secure_malloc,
> +			       _gnutls_is_secure_memory, gnutls_realloc,
> +			       gnutls_free);
> +
>  #ifdef DEBUG
>    gnutls_global_set_log_function (dlog);
>  #endif
> 

I'm confirming that this patch fixes this problem.

-- 
Arfrever Frehtes Taifersar Arahesis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20080818/f68a1d13/attachment.pgp>


More information about the Gnutls-devel mailing list