Thanks Richard and Matt, I will patch it and send the patch. It will take me a couple of days.
Regards
Darshan

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Richard Levitte
Sent: Thursday, March 23, 2017 7:31 PM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] Memory leak in application when we use ECDH

I think that Matt is asking for example code that exhibits this leak. You could patch apps/s_server.c with your callback, or ssl/ssltest.c, and give us that patch. The reason is that we can't know what assumptions you're going with in your callback or application, so if we code an example together, it will be with our conditions, not yours, and therefore a pretty bad method to figure this out.

Cheers,
Richard

In message <25d2ec755404b4409f263ac6d050febb2a107...@az-ffexmb03.global.avaya.com> on Thu, 23 Mar 2017 13:47:10 +0000, "Mody, Darshan (Darshan)" <darshanm...@avaya.com> said:

darshanmody> Matt,
darshanmody>
darshanmody> Below is the scenario.
darshanmody>
darshanmody> 1. Have the server open a listen socket which always validates the client certificate and chain.
darshanmody> 2. On the server, support ECDHE using the callback. Ensure the EC_KEY passed to openssl from the app is cleaned up by the app.
darshanmody> 3. Connect a client with certificates that the server does not trust.
darshanmody> 4. The connections from client to server fail.
darshanmody>
darshanmody> In course of time the app running the server has been leaking. Even after accounting for the EC_KEY passed by the server app to openssl we find there seems to be a leak. Further investigation on the core dumps generated from the server app shows that it has the certificates from the client saved.
darshanmody>
darshanmody> Hope this helps
darshanmody>
darshanmody> Thanks
darshanmody> Darshan
darshanmody>
darshanmody> -----Original Message-----
darshanmody> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt Caswell
darshanmody> Sent: Thursday, March 23, 2017 6:55 PM
darshanmody> To: openssl-dev@openssl.org
darshanmody> Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
darshanmody>
darshanmody> On 23/03/17 13:19, Mody, Darshan (Darshan) wrote:
darshanmody> > Can you further elaborate?
darshanmody> >
darshanmody> > What we did is to create a TLS connection with invalid certificates from the client, and the server on verification would reject the certificate. The cipher negotiated was an ECDHE cipher between client and server.
darshanmody> >
darshanmody> > This was done with load (multiple while 1 scripts trying to connect to the server using invalid certificates, and in course of time the memory was increasing).
darshanmody>
darshanmody> Without being able to recreate the problem it's going to be very difficult/impossible for us to fix it (assuming the problem is in OpenSSL itself). We would need some simple reproducer code that demonstrates the problem occurring.
darshanmody>
darshanmody> Matt
darshanmody>
darshanmody> >
darshanmody> > Thanks
darshanmody> > Darshan
darshanmody> >
darshanmody> > -----Original Message-----
darshanmody> > From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt Caswell
darshanmody> > Sent: Thursday, March 23, 2017 4:09 PM
darshanmody> > To: openssl-dev@openssl.org
darshanmody> > Subject: Re: [openssl-dev] Memory leak in application when we use ECDH
darshanmody> >
darshanmody> > On 23/03/17 10:13, Mody, Darshan (Darshan) wrote:
darshanmody> >> Matt,
darshanmody> >>
darshanmody> >> Even after accounting for the EC_KEY we still observe some leak. The leak started after we started supporting EC with the callback SSL_set_tmp_ecdh_callback().
darshanmody> >>
darshanmody> >> The core dump shows the string data of the far-end certificates. I cannot pinpoint the code in openssl in this regard.
darshanmody> >
darshanmody> > Are you able to create a simple reproducer demonstrating the problem with the callback?
darshanmody> >
darshanmody> > Matt
darshanmody> >
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev