Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use gnutls_x509_privkey_generate(). Discard the private key properly, after usage.
==22137== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==22137== by 0x33E2809490: do_malloc (global.c:770)
==22137== by 0x33E280A3C8: _gcry_malloc (global.c:792)
==22137== by 0x33E280A70E: _gcry_xmalloc (global.c:946)
==22137== by 0x33E2851A99: _gcry_mpi_alloc (mpiutil.c:51)
==22137== by 0x3F70C918F6: wrap_gcry_pk_generate_params (pk.c:736)
==22137== by 0x3F70C2FDEA: _generate_params (gnutls_pk.c:531)
==22137== by 0x3F70C6D1E9: gnutls_x509_privkey_generate (privkey.c:1488)
Looking at the code, the leak is obvious. This already appears to be fixed upstream, in the current release, so an update would be in order.
Do you refer to tmp in _rsa_generate_params?
It seems it was added in:
but got broken shortly after:
and does not seem fixed upstream in 2.12.x.
Any good use case where keys are generated in long running process? Sounds more like a bug.
I do see that it's still there in 2.12.x series. I looked at the wrong snapshot initially.
Any server session that supports export-grade RSA calls gnutls_rsa_params_generate2(), which calls gnutls_x509_privkey_generate().
The use case here would be servers that support export-grade RSA and use a per-session set of RSA keys; rather than generating them once for their entire lifetime. That does not seem unreasonable.
The ciphersuites that involve the RSA-EXPORT key exchange require additional
parameters. Those ciphersuites are rarely used today because they are by
design insecure, thus if you have no requirement for them, the rest of this
section can be skipped.
Export ciphers are disabled by default. Hence the impact still seems rather limited. We can report this to upstream privately, but it seems ok to report that via upstream devel list (I believe you already reported some other leak there recently).
Once this issue is fixed upstream, we can push the fix to Fedora. Tomas M., do you agree?
I sent a mail with a patch to the upstream devel mailing list.
And I decided to build a new package with the fix in rawhide.
(In reply to comment #5)
> I sent a mail with a patch to the upstream devel mailing list.
Looks like Sam managed to beat you by a bit:
At least I've added a few more leak fixes - albeit in error paths only. :)
gnutls-2.12.14-2.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-2.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
gnutls-2.12.14-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.