Description of problem:
Memory leak.

Version-Release number of selected component (if applicable):
gnutls-2.12.14-1.fc16

How reproducible:
Always.

Steps to Reproduce:
1. Use gnutls_x509_privkey_generate(). Discard the private key properly, after usage.

Actual results:
Valgrind complains:

==22137==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==22137==    by 0x33E2809490: do_malloc (global.c:770)
==22137==    by 0x33E280A3C8: _gcry_malloc (global.c:792)
==22137==    by 0x33E280A70E: _gcry_xmalloc (global.c:946)
==22137==    by 0x33E2851A99: _gcry_mpi_alloc (mpiutil.c:51)
==22137==    by 0x3F70C918F6: wrap_gcry_pk_generate_params (pk.c:736)
==22137==    by 0x3F70C2FDEA: _generate_params (gnutls_pk.c:531)
==22137==    by 0x3F70C6D1E9: gnutls_x509_privkey_generate (privkey.c:1488)

Additional info:
Looking at the code, the leak is obvious. This already appears to be fixed upstream, in the current release, so an update would be in order.
Do you refer to tmp in _rsa_generate_params? It seems it was added in:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=d4a4643dbe1bd739e55706fa4affaf10aae1dfa9#patch3
but got broken shortly after:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bab8c93bf9501e0eece9d99b491987c83b998e26#patch1
and does not seem fixed upstream in 2.12.x.

Any good use case where keys are generated in a long-running process? Sounds more like a bug.
I do see that it's still there in 2.12.x series. I looked at the wrong snapshot initially. Any server session that supports export-grade RSA calls gnutls_rsa_params_generate2(), which calls gnutls_x509_privkey_generate(). The use case here would be servers that support export-grade RSA and use a per-session set of RSA keys; rather than generating them once for their entire lifetime. That does not seem unreasonable.
Quoting from: http://www.gnu.org/software/gnutls/manual/gnutls.html#Parameter-generation The ciphersuites that involve the RSA-EXPORT key exchange require additional parameters. Those ciphersuites are rarely used today because they are by design insecure, thus if you have no requirement for them, the rest of this section can be skipped. Export ciphers are disabled by default. Hence the impact still seems rather limited. We can report this to upstream privately, but it seems ok to report that via upstream devel list (I believe you already reported some other leak there recently). Once this issue is fixed upstream, we can push the fix to Fedora. Tomas M., do you agree?
Yes, sure.
I sent a mail with a patch to the upstream devel mailing list. And I decided to build a new package with the fix in rawhide.
(In reply to comment #5)
> I sent a mail with a patch to the upstream devel mailing list.

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5922

Looks like Sam managed to beat you by a bit:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5921
At least I've added a few more leak fixes - albeit in error paths only. :)
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=ff19ba8b9c5540e46ec876f264ffdbb92cfcf8c9
gnutls-2.12.14-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/gnutls-2.12.14-2.fc16
Package gnutls-2.12.14-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4578/gnutls-2.12.14-2.fc16
then log in and leave karma (feedback).
gnutls-2.12.14-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.