[openssl-dev] Memory leak in application when we use ECDH

Richard Levitte levitte at openssl.org
Thu Mar 23 14:00:38 UTC 2017 

I think that Matt is asking for example code that exhibits this leak.
You could patch apps/s_server.c with your callback, or ssl/ssltest.c,
and give us that patch.

The reason is that we can't know what assumptions you're going with in
your callback or application, so if we code an example together, it
will be with Our conditions, not yours, and therefore a pretty bad
method to figure this out.

Cheers,
Richard

In message <25D2EC755404B4409F263AC6D050FEBB2A10781E at AZ-FFEXMB03.global.avaya.com> on Thu, 23 Mar 2017 13:47:10 +0000, "Mody, Darshan (Darshan)" <darshanmody at avaya.com> said:

darshanmody> Matt,
darshanmody> 
darshanmody> Below is the scenario.
darshanmody> 
darshanmody> 1. Have server open a listen socket which always validates the client certificate and chain.
darshanmody> 2. On server support ECDHE using callback. Ensure the EC_KEY passed to openssl from app is cleaned up by the app.
darshanmody> 3. Connect client with certificates that server does not trust.
darshanmody> 4. The connections from client to server fails
darshanmody> 
darshanmody> In course of time the app running the server has been leaking. Even after accounting for the EC_KEY passed by the server app to openssl we find there seems to be leak. Further investigation on the core dumps generated from the server app shows that it has the certificates from the client saved.
darshanmody> 
darshanmody> Hope this helps
darshanmody> 
darshanmody> Thanks
darshanmody> Darshan 
darshanmody> 
darshanmody> -----Original Message-----
darshanmody> From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
darshanmody> Sent: Thursday, March 23, 2017 6:55 PM
darshanmody> To: openssl-dev at openssl.org
darshanmody> Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
darshanmody> 
darshanmody> 
darshanmody> 
darshanmody> On 23/03/17 13:19, Mody, Darshan (Darshan) wrote:
darshanmody> > Can you further elaborate?
darshanmody> > 
darshanmody> > What we did is to create a TLS connection and with invalid 
darshanmody> > certificates from the client and server on verification would reject 
darshanmody> > the certificate. The cipher negotiated was ECDHE cipher between client 
darshanmody> > and server.
darshanmody> > 
darshanmody> > This was done with load (multiple while 1 script trying to connect to 
darshanmody> > server using invalid certificates and in course of time the memory was 
darshanmody> > increasing).
darshanmody> 
darshanmody> Without being able to recreate the problem its going to be very difficult/impossible for us to fix it (assuming the problem is in OpenSSl itself). We would need some simple reproducer code that demonstrates the problem occurring.
darshanmody> 
darshanmody> Matt
darshanmody> 
darshanmody> 
darshanmody> > 
darshanmody> > Thanks Darshan
darshanmody> > 
darshanmody> > -----Original Message----- From: openssl-dev 
darshanmody> > [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Matt Caswell
darshanmody> > Sent: Thursday, March 23, 2017 4:09 PM To: openssl-dev at openssl.org
darshanmody> > Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
darshanmody> > 
darshanmody> > 
darshanmody> > 
darshanmody> > On 23/03/17 10:13, Mody, Darshan (Darshan) wrote:
darshanmody> >> Matt,
darshanmody> >> 
darshanmody> >> Even after accounting for the EC_KEY we still observe some leak.
darshanmody> >> The leak started after we started using supporting EC with
darshanmody> >> callback SSL_set_tmp_ecdh_callback().
darshanmody> >> 
darshanmody> >> The core dump shows  the string data of the far-end certificates.
darshanmody> >> I cannot pin point  the code in openssl with this regard.
darshanmody> > 
darshanmody> > Are you able to create a simple reproducer demonstrating the problem 
darshanmody> > with the callback?
darshanmody> > 
darshanmody> > Matt
darshanmody> > 
darshanmody> -- 
darshanmody> openssl-dev mailing list
darshanmody> To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Ddev&d=DwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=bsEULbVnjelD7InzgsegHBEbtXzaIDagy9EuEhJrKfQ&m=VbrRgO8PZIVkFM4PjeK7TEgKDHnbLu_QfbyqRhmvx8I&s=u0cR7sQf_Zz8FoCnrzgLc3drBSR8Ou1qDUyxV8z1xYQ&e= 
darshanmody> -- 
darshanmody> openssl-dev mailing list
darshanmody> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
darshanmody>

More information about the openssl-dev mailing list