David Strauss | 18 Jan 01:06 2013

Memory leak in GnuTLS session management?

I keep getting memory leak traces for sessions in Valgrind, so I dug
into the Neon and GnuTLS code a bit.

Here's what I see:
 * ne_sock_connect_ssl() calls gnutls_session_get_data2() and sends in
&ctx->cache.client as the second argument.
 * gnutls_session_get_data2() allocates memory for what it puts into
its second argument. This memory should be freed by the caller using
gnutls_free(). This is documented in the man page [1].
 * There are only four calls to gnutls_free() from Neon, and they're
all for ctx->cache.server.key.data or ctx->cache.server.data.data.
 * I don't see any obvious way the ctx->cache.client pointer would get
copied into either of the values being freed.

It would break abstraction for us to access and free parts of the
context. Surely, session data shouldn't just linger. Multithreaded
clients (like ours) need to create and clean up sessions often without
leaking memory.

This is the trace I see in Valgrind for the packaged Neon 0.29.6 on Fedora 17:

3,072 bytes in 1 blocks are definitely lost in loss record 27 of 31
realloc (vg_replace_malloc.c:662)
_gnutls_buffer_append_data (gnutls_str.c:146)
_gnutls_session_pack (gnutls_session_pack.c:781)
gnutls_session_get_data2 (gnutls_session.c:119)
ne_sock_connect_ssl (ne_socket.c:1804)
ne__negotiate_ssl (ne_gnutls.c:928)
send_request.isra.5 (ne_request.c:1650)
ne_begin_request (ne_request.c:1189)
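The ownership contract described above, as an added example (not neon's or GnuTLS's code): stub_get_data2() and stub_free() stand in for gnutls_session_get_data2() and gnutls_free(), live_blocks counts outstanding buffers so the leak is observable, and the two cache_store_* variants show the overwrite-without-free pattern beside the fixed one.

```c
/* Added example: models the caller-must-free contract of
 * gnutls_session_get_data2() with a stub, so the leak can be counted. */
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *data; unsigned int size; } datum_t;

static int live_blocks;  /* outstanding buffers handed out by stub_get_data2 */

/* Stand-in for gnutls_session_get_data2(): allocates and fills *out. */
static int stub_get_data2(const char *session_blob, datum_t *out)
{
    size_t n = strlen(session_blob);
    out->data = malloc(n);
    if (out->data == NULL) return -1;
    memcpy(out->data, session_blob, n);
    out->size = (unsigned int)n;
    live_blocks++;
    return 0;
}

/* Stand-in for gnutls_free(): the only valid way to release that buffer. */
static void stub_free(datum_t *d)
{
    if (d->data == NULL) return;
    free(d->data);
    d->data = NULL;
    d->size = 0;
    live_blocks--;
}

/* As in the report: the pointer in the cache is overwritten on every
 * connect, so every previous buffer becomes unreachable. */
static int cache_store_leaky(datum_t *client, const char *blob)
{
    return stub_get_data2(blob, client);
}

/* Fixed variant: release the previous session data before overwriting. */
static int cache_store_fixed(datum_t *client, const char *blob)
{
    stub_free(client);
    return stub_get_data2(blob, client);
}

/* Simulate n reconnects through one cache slot, then tear the cache down.
 * Returns the number of buffers still outstanding: 0 means no leak. */
static int simulate(int (*store)(datum_t *, const char *), int n)
{
    datum_t cache = { NULL, 0 };   /* stands in for ctx->cache.client */
    int i;
    live_blocks = 0;
    for (i = 0; i < n; i++) store(&cache, "constructed-session-ticket");
    stub_free(&cache);
    return live_blocks;
}
```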

kk kk | 10 Dec 09:25 2012

About ne_set_read_timeout

Dear all,

If I use ne_set_read_timeout to indicate a timeout value, for example, ne_set_read_timeout(sess, 10); // about 10s.
How can I interrupt the READ operation before the timeout?
For example, the user wants to cancel the operation immediately.


Markus Goetz | 6 Dec 17:55 2012

Decompression PROPFIND compressed with gzip?


I'm trying to find a way to integrate ne_propfind_named with ne_decompress_reader.
How can my body reader feed back the decompressed bytes back into neon so it can parse the WebDAV XML and give me the PROPFIND results?

Markus Goetz
Matthias Petschick | 22 Nov 12:40 2012

[PATCH] fix segfault due to uninitialized variable


x509_crt_copy in ne_gnutls.c depends on the local size variable being 0
(or small enough) so that the subsequent call to gnutls_x509_crt_export
updates the variable to the correct size to hold the certificate. Since
size is used uninitialized, the value for it is undefined and more than
likely not 0, resulting in gnutls_x509_crt_export not returning
GNUTLS_E_SHORT_MEMORY_BUFFER and consequently x509_crt_copy returning NULL.
This is not caught by make_peers_chain which then passes the NULL
pointer to populate_cert, which eventually causes a segfault down the
road when NULL is dereferenced by get_dn in gnutls.

The attached patch makes sure size is initialized correctly to 0 and
checks if x509_crt_copy returns NULL.



Attachment (ne_gnutls.c.patch): text/x-patch, 961 bytes
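The two-call sizing idiom the report describes, as an added example that is not neon's or GnuTLS's code: stub_crt_export() stands in for gnutls_x509_crt_export() and follows the contract stated above (too-small size: store the needed size and return a short-buffer error; otherwise write the data), crt_copy() takes the starting size as a parameter so a stale value can be fed in deliberately instead of reading an uninitialized variable, and chain_append() does the NULL check that make_peers_chain was missing.

```c
/* Added example: the size-probe pattern x509_crt_copy relies on, with
 * stand-ins for the GnuTLS calls so it runs without the library. */
#include <stdlib.h>
#include <string.h>

#define STUB_E_SHORT_MEMORY_BUFFER (-1)  /* stand-in for GNUTLS_E_SHORT_MEMORY_BUFFER */
#define STUB_E_ENCODING_ERROR      (-2)  /* stand-in for "some other gnutls error" */

typedef struct { const char *der; } crt_t;   /* stand-in for gnutls_x509_crt */

static const crt_t SAMPLE_CRT = { "CONSTRUCTED-DER" };  /* constructed, 15 bytes */

/* Stand-in for gnutls_x509_crt_export(): if *size is too small, report the
 * needed size; if the caller claims a big buffer but passes NULL, fail
 * with a different error, which is what the report observed. */
static int stub_crt_export(const crt_t *crt, unsigned char *buf, size_t *size)
{
    size_t need = strlen(crt->der);
    if (*size < need) { *size = need; return STUB_E_SHORT_MEMORY_BUFFER; }
    if (buf == NULL) return STUB_E_ENCODING_ERROR;
    memcpy(buf, crt->der, need);
    *size = need;
    return 0;
}

/* Copy a certificate; NULL on any failure. initial_size must be 0 for the
 * probe to work: the bug was that it was whatever the stack held. */
static unsigned char *crt_copy(const crt_t *crt, size_t initial_size, size_t *out_len)
{
    size_t size = initial_size;
    unsigned char *buf;
    if (stub_crt_export(crt, NULL, &size) != STUB_E_SHORT_MEMORY_BUFFER)
        return NULL;                       /* probe did not yield a size */
    buf = malloc(size);
    if (buf == NULL) return NULL;
    if (stub_crt_export(crt, buf, &size) != 0) { free(buf); return NULL; }
    *out_len = size;
    return buf;
}

/* Caller as make_peers_chain should behave: stop on a NULL copy instead
 * of handing it on to be dereferenced later. Returns the copied length. */
static int chain_append(const crt_t *crt, size_t initial_size)
{
    size_t len = 0;
    unsigned char *copy = crt_copy(crt, initial_size, &len);
    if (copy == NULL) return -1;
    free(copy);
    return (int)len;
}
```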
Chris Pick | 28 Oct 00:18 2012

Method to require SSL dependency

Is there an equivalent of NEON_NEED_XML_PARSER for SSL?
If I'm bundling neon with a program that uses ssl functionality, is
there any other way to require it?

My current setup:
$ cat configure.ac
#                                               -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.

AC_INIT([test], [1.0], [neon@...])
AM_INIT_AUTOMAKE([-Wall -Werror foreign])

# Checks for programs.

# Checks for libraries.
NEON_VPATH_BUNDLED([${srcdir}/neon-0.29.6], [neon-0.29.6], [

# Checks for header files.

# Checks for typedefs, structures, and compiler characteristics.

# Checks for library functions.


$ cat Makefile.am
bin_PROGRAMS = test
test_SOURCES = src/test.c
test_LDADD = @NEON_LIBS@

ACLOCAL_AMFLAGS = -I neon-0.29.6/macros

gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -I../neon-0.29.6 -MT test.o
-MD -MP -MF .deps/test.Tpo -c -o test.o `test -f 'src/test.c' || echo
../src/test.c:4:22: error: ne_alloc.h: No such file or directory

Mat Booth | 27 Oct 15:44 2012

Re: Hi , question about your post on mailing list

On 25 October 2012 10:48, Robert Gdula <robert.gdula@...> wrote:
> Hi, I've found on the mailing list, that you try to compile neon library
> with mingw32 on windows, maybe you have already compile library to share
> with me, I'm trying almost 2 days without success.
> Best regards,
> Robert Gdula

Indeed. Have you tried the patch that I sent to the mailing list? It
can be found here:


I'm afraid I don't currently have access to a Windows machine to test
it on. These were the commands I issued to build it (cross-compiled to
mingw from within the cygwin environment):

# Need some configure "help" on Windows
echo "ne_cv_libsfor_RSA_new='-lcrypto'" >> config.cache
echo "ne_cv_libsfor_SSL_library_init='-lssl'" >> config.cache
echo "lt_cv_deplibs_check_method='pass_all'" >> config.cache
echo "ne_cv_fmt_off64_t=lld" >> config.cache
LDFLAGS="$LDFLAGS -lssl -lcrypto" \
  ./configure --enable-shared --with-expat --disable-nls \
  --with-ssl=openssl --with-zlib --without-gssapi \
  -C --host=i686-pc-mingw32

This assumes of course that you already have zlib, expat and openssl
built and available.

Please send future messages to the mailing list, so that everyone can
see our conversation :-)


Mat Booth
Software Engineer
WANdisco, Inc.

Marco Maggi | 30 Sep 08:35 2012

wrong return value in ne_set_request_body_fd documentation

The manual page says the return value of "ne_set_request_body_fd()" is "int", but it is "void".

Marco Maggi

Marco Maggi | 30 Sep 08:50 2012

on the status of the documentation


I see that there are a number of undocumented functions in the header files; can someone tell me the current status of the documentation? Should the undocumented funcs be documented? Manpages and XML? Manpages or XML?


Marco Maggi

Bartosz Brachaczek | 26 Sep 23:35 2012

Failing SSL automatic tests


Some SSL automatic tests fail on my machine:

- With openssl-1.0.1c:
  * ssl::simple_sslv2 (server process terminated abnormally: FAIL (1));
  * ssl::pkcs11 (server process terminated abnormally: FAIL (1));
  * ssl::pkcs11_dsa (server process terminated abnormally: FAIL (1)) (just for
    the record, it's already marked as failing).

- With gnutls-3.0.23 and 3.1.1:
  * ssl::fail_ca_notyetvalid (verification flags were 17 not 16) -- it seems
    strange to me, as NE_SSL_BADCHAIN | NE_SSL_NOTYETVALID is reported, but
    only NE_SSL_BADCHAIN is expected, despite the test name;
  * ssl::fail_ca_expired (verification flags were 18 not 16) -- ditto, only
  * ssl::pkcs11 (segmentation fault) -- the test is probably broken (fails
    with openssl too) but the crash is somewhere deep in gnutls internals, so
    it's likely a gnutls bug and it should be reported upstream.

- With gnutls-2.12.20 the same as with gnutls-3.0.23, plus the following:
  * ssl::cc_provided_dnames (dname count was 10 not 5)
  * ssl::fail_expired (no error in verification callback; error string: SSL
    handshake failed: Secure connection truncated)
  * ssl::fail_notvalid (no error in verification callback; error string: SSL
    handshake failed: Secure connection truncated)

- And, as a bonus, with gnutls-3.1.2 a whole bunch of tests fail, starting
  from ssl::simple:
      line 227: HTTP error:
      Could not verify server certificate: Error in the certificate.
  I don't know if it's a regression in gnutls-3.1.2 or an actual problem in
  the test suite.

Bartosz Brachaczek

b.brachaczek | 26 Sep 23:21 2012

[PATCH] GnuTLS 3 support


I prepared a patch which makes neon from trunk compile and not regress in the 
test suite when compiled with gnutls-3 as the ssl backend. (Actually there are 
3 tests that fail with gnutls-2.12.18 and 2.12.20 while they pass with 
gnutls-3.0.23 and 3.1.1). I'm attaching it.

Bartosz Brachaczek
Index: macros/neon.m4
--- macros/neon.m4	(revision 1895)
+++ macros/neon.m4	(working copy)
 <at>  <at>  -989,12 +989,13  <at>  <at> 
    # Check for functions in later releases
    NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
                   gnutls_sign_callback_set \
+                  gnutls_certificate_get_issuer \
                   gnutls_certificate_get_x509_cas \
-                  gnutls_certificate_verify_peers2])
+                  gnutls_x509_crt_sign2])

-   # fail if gnutls_certificate_verify_peers2 is not found
-   if test x${ac_cv_func_gnutls_certificate_verify_peers2} != xyes; then
-       AC_MSG_ERROR([GnuTLS version predates gnutls_certificate_verify_peers2, newer version required])
+   # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
+   if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
+       AC_MSG_ERROR([GnuTLS version predates gnutls_x509_crt_sign2, newer version required (at least 1.2.0)])

    # Check for iconv support if using the new RDN access functions:
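Review bot: removing gnutls_certificate_verify_peers2 from the NE_CHECK_FUNCS list (and the "fail if ... not found" guard below it) drops the configure-time check for a function that the src/ne_socket.c hunk in this same patch starts calling (gnutls_certificate_verify_peers replaced by gnutls_certificate_verify_peers2); either keep it in the list or state in the comment that every release from the new 1.2.0 floor provides it. Likewise gnutls_certificate_get_issuer is added to the probe, which yields an ac_cv_func_/HAVE_ result, but the ne_gnutls.c hunk calls it without any guard, so either the probe is redundant or an #ifdef is missing there.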
Index: src/ne_gnutls.c
--- src/ne_gnutls.c	(revision 1895)
+++ src/ne_gnutls.c	(working copy)
 <at>  <at>  -83,7 +83,7  <at>  <at> 

 struct ne_ssl_client_cert_s {
-    gnutls_pkcs12 p12;
+    gnutls_pkcs12_t p12;
     int decrypted; /* non-zero if successfully decrypted. */
     int keyless;
     ne_ssl_certificate cert;
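Review bot: this and the later hunks rename only the PKCS#12 types (gnutls_pkcs12, gnutls_pkcs12_bag, gnutls_pkcs12_bag_type) to their _t spellings while gnutls_x509_crt, gnutls_x509_privkey and gnutls_datum in the same file keep the old names; the commit message should say why the partial rename is sufficient (presumably the old PKCS#12 names are the ones GnuTLS 3 no longer provides), so nobody later "completes" it and breaks the GnuTLS 2 build.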
 <at>  <at>  -697,7 +697,7  <at>  <at> 

 /* Return the issuer of the given certificate, or NULL if none can be
  * found. */
 static gnutls_x509_crt find_issuer(gnutls_x509_crt *ca_list,
 <at>  <at>  -752,20 +752,29  <at>  <at> 

     /* GnuTLS only returns the peers which were *sent* by the server
      * in the Certificate list during the handshake.  Fill in the
      * complete chain manually against the certs we trust: */
     if (current->issuer == NULL) {
         gnutls_x509_crt issuer;
         gnutls_x509_crt *ca_list;
         unsigned int num_cas;

         gnutls_certificate_get_x509_cas(crd, &ca_list, &num_cas);

         do { 
             /* Look up the issuer. */
             issuer = find_issuer(ca_list, num_cas, current->subject);
+            if (gnutls_certificate_get_issuer(crd, current->subject, &issuer, 0))
+                issuer = NULL;
             if (issuer) {
                 issuer = x509_crt_copy(issuer);
                 cert = populate_cert(ne_calloc(sizeof *cert), issuer);
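Review bot: the find_issuer() call on the line above the new gnutls_certificate_get_issuer() call is now dead work, since its result is overwritten unconditionally; either drop the find_issuer() call (and then the gnutls_certificate_get_x509_cas() lookup that only feeds it) or make the new call the fallback when find_issuer() returns NULL. The return-value handling is also inconsistent with the rest of the function: a non-zero return from gnutls_certificate_get_issuer() is silently turned into "no issuer", which is fine for "not found" but hides other errors; a NE_DEBUG(NE_DBG_SSL, ...) line with the code would make chain-building failures diagnosable.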
 <at>  <at>  -1037,11 +1046,11  <at>  <at> 
 /* Parses a PKCS#12 structure and loads the certificate, private key
  * and friendly name if possible.  Returns zero on success, non-zero
  * on error. */
-static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
+static int pkcs12_parse(gnutls_pkcs12_t p12, gnutls_x509_privkey *pkey,
                         gnutls_x509_crt *x5, char **friendly_name,
                         const char *password)
-    gnutls_pkcs12_bag bag = NULL;
+    gnutls_pkcs12_bag_t bag = NULL;
     int i, j, ret = 0;

     for (i = 0; ret == 0; ++i) {
 <at>  <at>  -1056,7 +1065,7  <at>  <at> 
         gnutls_pkcs12_bag_decrypt(bag, password);

         for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
-            gnutls_pkcs12_bag_type type;
+            gnutls_pkcs12_bag_type_t type;
             gnutls_datum data;

             if (friendly_name && *friendly_name == NULL) {
 <at>  <at>  -1141,7 +1150,7  <at>  <at> 
     int ret;
     gnutls_datum data;
-    gnutls_pkcs12 p12;
+    gnutls_pkcs12_t p12;
     ne_ssl_client_cert *cc;
     char *friendly_name = NULL;
     gnutls_x509_crt cert = NULL;
Index: src/ne_socket.c
--- src/ne_socket.c	(revision 1895)
+++ src/ne_socket.c	(working copy)
 <at>  <at>  -724,9 +724,11  <at>  <at> 
                     _("SSL alert received: %s"),
-        /* It's not exactly an API guarantee but this error will
-         * always mean a premature EOF. */
         ret = NE_SOCK_TRUNC;
         set_error(sock, _("Secure connection truncated"));
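Review bot: the removed comment was the only explanation of why this error is mapped to NE_SOCK_TRUNC, and the replacement lines the header announces (+724,11) are not shown in this copy of the patch; whatever condition now selects this branch, keep a comment naming the GnuTLS error code that is treated as premature EOF. The earlier report on this list of ssl::fail_expired and ssl::fail_notvalid ending with "Secure connection truncated" instead of a verification error shows what happens when that mapping is too broad.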
 <at>  <at>  -1705,6 +1707,8  <at>  <at> 
         NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.\n");
 #elif defined(HAVE_GNUTLS)
+    unsigned int verify_status;
     gnutls_init(&ssl, GNUTLS_SERVER);
     gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
 <at>  <at>  -1724,7 +1728,7  <at>  <at> 
     if (ret < 0) {
         return error_gnutls(sock, ret);
-    if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
+    if (ctx->verify && (gnutls_certificate_verify_peers2(ssl, &verify_status) || verify_status)) {
         set_error(sock, _("Client certificate verification failed"));
         return NE_SOCK_ERROR;
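Review bot: treating any non-zero verify_status as a failure is the right direction, and the short-circuit means verify_status is never read when gnutls_certificate_verify_peers2() itself fails, so leaving it uninitialized in the hunk above is safe; but the error string stays the generic "Client certificate verification failed", and since verify_status is a status bitmask it should be logged with NE_DEBUG(NE_DBG_SSL, ...) as the surrounding code does, otherwise a rejected client certificate cannot be diagnosed from the logs.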
Brad Smith | 3 Sep 21:34 2012

[PATCH] Fix autoconf bindtextdomain() test on OpenBSD

The following diff fixes the bindtextdomain() test on OpenBSD to properly
be able to detect the presence of libintl (gettext) which requires NE_SEARCH_LIBS
to try also linking libintl with libiconv.

Index: macros/neon.m4
--- macros/neon.m4	(revision 1895)
+++ macros/neon.m4	(working copy)
 <at>  <at>  -1188,7 +1188,7  <at>  <at> 
   # presume that dgettext() is available if bindtextdomain() is...
   # checking for dgettext() itself is awkward because gcc has a 
   # builtin of that function, which confuses AC_CHECK_FUNCS et al.
-  NE_SEARCH_LIBS(bindtextdomain, intl,,[enable_nls=no])
+  NE_SEARCH_LIBS(bindtextdomain, intl, -liconv,[enable_nls=no])
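Review bot: passing -liconv unconditionally in the extra-libraries argument makes the bindtextdomain() probe depend on how NE_SEARCH_LIBS orders its attempts on every platform, not only OpenBSD; if the macro tries plain -lintl before -lintl -liconv this is harmless, but if it always appends the extra libraries then systems without a separate libiconv (glibc) would fail the probe and silently get enable_nls=no. The commit message should state which ordering NE_SEARCH_LIBS uses, or the change should be conditional on the iconv library being present.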

