GNUTLS handshake errors and memory leaks (ECDHE related?)

Yaroslav yarosla at gmail.com
Tue Jan 10 23:26:01 CET 2012 

After rebuilding gnutls with included libtasn1 and applying the patch these
are the only errors/warnings left:

==27777== HEAP SUMMARY:
==27777==     in use at exit: 336 bytes in 4 blocks
==27777==   total heap usage: 3,611,146 allocs, 3,611,142 frees,
488,917,755 bytes allocated
==27777==
==27777== 8 bytes in 1 blocks are definitely lost in loss record 1 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in
/usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33DA7: __gmpz_init (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F22DF: wrap_nettle_generate_group (mpi.c:424)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2
(gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters
(nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777==
==27777== 8 bytes in 1 blocks are definitely lost in loss record 2 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in
/usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33DA7: __gmpz_init (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F22E8: wrap_nettle_generate_group (mpi.c:425)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2
(gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters
(nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777==
==27777== 160 bytes in 1 blocks are definitely lost in loss record 3 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in
/usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33E00: __gmpz_init2 (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F20C0: wrap_nettle_mpi_new (mpi.c:97)
==27777==    by 0x50F22AB: wrap_nettle_generate_group (mpi.c:587)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2
(gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters
(nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777==
==27777== 160 bytes in 1 blocks are definitely lost in loss record 4 of 4
==27777==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==27777==    by 0x5D22908: __gmp_default_allocate (in
/usr/lib/libgmp.so.10.0.1)
==27777==    by 0x5D33E00: __gmpz_init2 (in /usr/lib/libgmp.so.10.0.1)
==27777==    by 0x50F20C0: wrap_nettle_mpi_new (mpi.c:97)
==27777==    by 0x50F22C0: wrap_nettle_generate_group (mpi.c:597)
==27777==    by 0x5071FA0: gnutls_dh_params_generate2
(gnutls_dh_primes.c:191)
==27777==    by 0x4086C3: nxd_ssl_socket_init_server_parameters
(nxd_ssl_socket.c:102)
==27777==    by 0x4036BF: nxweb_listen (http_server.c:369)
==27777==    by 0x411397: main (main.c:36)
==27777==
==27777== LEAK SUMMARY:
==27777==    definitely lost: 336 bytes in 4 blocks
==27777==    indirectly lost: 0 bytes in 0 blocks
==27777==      possibly lost: 0 bytes in 0 blocks
==27777==    still reachable: 0 bytes in 0 blocks
==27777==         suppressed: 0 bytes in 0 blocks

Not really critical but still not completely clean. All related
to gnutls_dh_params_generate2().

On server startup I do the following (for each SSL listening port):

  gnutls_certificate_allocate_credentials(x509_cred);
  gnutls_certificate_set_x509_key_file(*x509_cred, cert_file, key_file,
GNUTLS_X509_FMT_PEM);
  int bits=gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LOW);
  gnutls_dh_params_init(dh_params);
  gnutls_dh_params_generate2(*dh_params, bits);
  gnutls_priority_init(priority_cache, NXWEB_SSL_PRIORITIES, 0);
  gnutls_certificate_set_dh_params(*x509_cred, *dh_params);
  gnutls_session_ticket_key_generate(session_ticket_key);

And on server shutdown I do the following (for each SSL listening port):

  gnutls_certificate_free_credentials(x509_cred);
  gnutls_dh_params_deinit(dh_params);
  gnutls_priority_deinit(priority_cache);
  gnutls_free(session_ticket_key->data);

Yaroslav

On Tue, Jan 10, 2012 at 6:14 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org>wrote:

> On Tue, Jan 10, 2012 at 3:03 PM, Yaroslav <yarosla at gmail.com> wrote:
>
> >> btw. from the logs I see that the version of libtasn1 you have doesn't
> >> compile well with
> >> the gcc you have. You can use the included libtasn1 to avoid the
> >> valgrind warnings.
> > libtasn1 is installed in my Ubuntu and there seems to be quite a lot of
> > software that depends on it. Is there a way to configure gnutls to use
> > included libtasn1 when I already have libtasn1 on my system?
>
> Use --with-included-libtasn1 when configuring gnutls. That way it will
> ignore the installed version.
>
> > Not sure about this. I have Intel Q6700 processor. The spec
> > (
> http://ark.intel.com/products/30790/Intel-Core2-Quad-Processor-Q6700-(8M-Cache-2_66-GHz-1066-MHz-FSB)
> )
> > says: "AES New Instructions: No".
>
> It doesn't seem to have them. You can always check in realtime with
> "cat /proc/cpuinfo". If aes is in your flags.
>
> regards,
> Nikos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20120111/249cd942/attachment.htm>

More information about the Gnutls-devel mailing list