On 2011-08-25 "Andrew M. Bishop" <a...@gedanken.demon.co.uk> wrote:
[...]
> A better test is to do the following against your running WWWOFFLE
> server (you don't need to be online):

> lynx -dump https://localhost:8443/

ok. That makes it reproducible. gnutls-cli or
openssl s_client -connect 127.0.0.1:8443
also does the trick.

[...]
> I can run WWWOFFLE under gdb to demonstrate the crash like this (while
> wwwoffled is running I run the lynx command above):

> # gdb /home/amb/wwwoffle-2.9g/src/wwwoffled
[...]

Throwing in a slightly better readable backtrace (against gnutls
2.12.7):
----------------------------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf7d036c0 (LWP 24626)]
_gcry_mpi_normalize (a=0x0) at mpi-bit.c:60
60      mpi-bit.c: No such file or directory.
        in mpi-bit.c
(gdb) bt
#0  _gcry_mpi_normalize (a=0x0) at mpi-bit.c:60
#1  0xf7d87e7a in _gcry_mpi_get_nbits (a=0x0) at mpi-bit.c:78
#2  0xf7d3c93b in gcry_mpi_get_nbits (a=0x0) at visibility.c:421
#3  0xf7f9d4eb in wrap_gcry_mpi_get_nbits (a=0x0) at mpi.c:131
#4  0xf7f2888a in _gnutls_pkcs1_rsa_decrypt (plaintext=0xffffd2b0, ciphertext=0xffffd2b8, params=0x810fb10, params_len=0, btype=2) at gnutls_pk.c:223
#5  0xf7f4000b in gnutls_privkey_decrypt_data (key=0x8111ed0, flags=0, ciphertext=0xffffd2b8, plaintext=0xffffd2b0) at gnutls_privkey.c:614
#6  0xf7f2481e in proc_rsa_client_kx (session=0x8110490, data=0x810fbb8 "", _data_size=66) at auth_rsa.c:180
#7  0xf7f1d1f1 in _gnutls_recv_client_kx_message (session=0x8110490) at gnutls_kx.c:456
#8  0xf7f19076 in _gnutls_handshake_server (session=0x8110490) at gnutls_handshake.c:3059
#9  0xf7f1995f in gnutls_handshake (session=0x8110490) at gnutls_handshake.c:2677
#10 0x080875e3 in io_init_gnutls (fd=0, host=0x80fc580 "localhost", type=1) at iognutls.c:160
#11 0x080853ab in configure_io_gnutls (fd=0, host=0x80fc580 "localhost", type=1) at io.c:376
#12 0x0804e863 in wwwoffles (online=0, fetching=0, client=0) at wwwoffles.c:174
#13 0x080641ad in ForkServer (fd=0) at connect.c:501
#14 0x0804ca55 in main (argc=5, argv=0xffffd884) at wwwoffled.c:649
----------------------------------

downgrading libgnutls26 to 2.10.5 fixes the issue.

I have tried to bisect this, but neither Gnutls master nor
gnutls_2_12_x are bisectable, the tree does not build for a long
time, from August 2009 to May 2010. (after
9c8631c68a728584b46b7d2ceff2e872ae8a59dd and before
743dedcddb41d9a29a0e92fa85a24a5c270d5f01).

Making wwwoffle generate/use v3 certs or using Gnutls 3.0 does not
improve things.

cu andreas

[ Full quote, since I am Cc-ing bug-gnu...@gnu.org]

> This is with a vanilla wwwoffle 2.9g - unmodified since released.

> If you look at the WWWOFFLE code you will see that I am paranoid about
> a problem with gnutls and I check the return value from every gnutls
> function that is called before trying the handshake.

> Another way to view the problem is to look at the libgnutls functions
> that WWWOFFLE calls:

> # ltrace -l /usr/lib/i386-linux-gnu/libgnutls.so \
>   /home/amb/wwwoffle-2.9g/src/wwwoffled -c /etc/wwwoffle/wwwoffle.conf -f

> gnutls_global_init(0x810cf18, 0x80f01a4, 0x80f030e, 0xbf9e56c8, 88) = 0
> gnutls_x509_privkey_init(0xbf9e568c, 0xbf9e5284, 1024, 0xb78b0840, 0xb77bc28c) = 0
> gnutls_x509_privkey_import(0x8113830, 0xbf9e5684, 1, 0xb78b0840, 0xb77bc28c) = 0
> gnutls_x509_crt_list_import(0x80fbf60, 0xbf9e565c, 0xbf9e5654, 1, 1) = 1
> gnutls_x509_crt_get_activation_time(0x81039f0, 0x80d9150, 0xbf9e56b8, 0xbf9e56c8, 88) = 0x4abe3b3f
> gnutls_x509_crt_get_expiration_time(0x81039f0, 0x80d9150, 0xbf9e56b8, 0xbf9e56c8, 88) = 0x5061d5bf
> gnutls_dh_params_init(0x80fbf54, 0x80d9150, 0xbf9e56b8, 0xbf9e56c8, 88) = 0
> gnutls_dh_params_generate2(0x80feaa8, 1024, 0xbf9e56b8, 0xbf9e56c8, 88) = 0
> ...
> gnutls_init(0x82af284, 1, 10, 0x80f9104, 0xbf808cf8) = 0
> gnutls_set_default_priority(0x8195178, 1, 10, 0x80f9104, 0xbf808cf8) = 0
> gnutls_x509_privkey_init(0xbf808bec, 0xbf8087e4, 1024, 0x80fc480, 0xbf808822) = 0
> gnutls_x509_privkey_import(0x818dd18, 0xbf808be4, 1, 0x80fc480, 0xbf808822) = 0
> gnutls_x509_crt_list_import(0x80fbf60, 0xbf808bbc, 0xbf808bb4, 1, 1) = 1
> gnutls_x509_crt_get_activation_time(0x8159d50, 0x82b1c28, 0xbf808c4c, 0x80fc480, 1) = 0x4e4fff40
> gnutls_x509_crt_get_expiration_time(0x8159d50, 0x82b1c28, 0xbf808c4c, 0x80fc480, 1) = 0x53f399c0
> gnutls_x509_crt_verify(0x8159d50, 0x80fbf50, 1, 0, 0xbf808cac) = 0
> gnutls_certificate_allocate_credentials(0xbf808ca4, 0x80fbf50, 1, 0, 0xbf808cac) = 0
> gnutls_certificate_set_x509_key(0x818ff70, 0xbf808ca8, 1, 0x818dd18, 0xbf808cac) = 0
> gnutls_certificate_set_dh_params(0x818ff70, 0x80feaa8, 1, 0x818dd18, 0xbf808cac) = 0x818ff70
> gnutls_x509_crt_deinit(0x8159d50, 0x80feaa8, 1, 0x818dd18, 0xbf808cac) = 0xb77063c0
> gnutls_x509_privkey_deinit(0x818dd18, 0x80feaa8, 1, 0x818dd18, 0xbf808cac) = 161
> gnutls_credentials_set(0x8195178, 1, 0x818ff70, 0x80f9104, 0xbf808cf8) = 0
> gnutls_transport_set_ptr(0x8195178, 0, 0x818ff70, 0x80f9104, 0xbf808cf8) = 0x8195178
> gnutls_handshake(0x8195178, 0, 0x818ff70, 0x80f9104, 0xbf808cf8 <unfinished ...>

> Looking at the list of functions I can see that there are two
> gnutls_x509_*_deinit() functions called before the handshake.
> Calling the first one, gnutls_x509_crt_deinit(), is OK, but calling
> the second one, gnutls_x509_privkey_deinit(), before the handshake
> will cause it to crash.

> The documentation for these functions doesn't say that you can't call
> the 'deinit' function until after the handshake. The libgnutls NEWS
> file doesn't say that there is an ABI change in this area either. It
> certainly used to work that you could do this.
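The call ordering pointed out in the quoted ltrace output can be checked mechanically. The following is an added example, not part of the original message and not WWWOFFLE or GnuTLS code: a small Python checker (the name find_early_key_release is made up here) that walks ltrace lines and reports a private key that was passed to gnutls_certificate_set_x509_key() and then released with gnutls_x509_privkey_deinit() before gnutls_handshake() ran on a session using those credentials. Argument positions follow the public GnuTLS prototypes.

```python
import re

# Calls copied from the ltrace output quoted in the message (wrapped lines
# rejoined). ltrace prints five values per call; only the real arguments count.
TRACE = """\
gnutls_init(0x82af284, 1, 10, 0x80f9104, 0xbf808cf8) = 0
gnutls_x509_privkey_init(0xbf808bec, 0xbf8087e4, 1024, 0x80fc480, 0xbf808822) = 0
gnutls_x509_privkey_import(0x818dd18, 0xbf808be4, 1, 0x80fc480, 0xbf808822) = 0
gnutls_certificate_allocate_credentials(0xbf808ca4, 0x80fbf50, 1, 0, 0xbf808cac) = 0
gnutls_certificate_set_x509_key(0x818ff70, 0xbf808ca8, 1, 0x818dd18, 0xbf808cac) = 0
gnutls_x509_crt_deinit(0x8159d50, 0x80feaa8, 1, 0x818dd18, 0xbf808cac) = 0xb77063c0
gnutls_x509_privkey_deinit(0x818dd18, 0x80feaa8, 1, 0x818dd18, 0xbf808cac) = 161
gnutls_credentials_set(0x8195178, 1, 0x818ff70, 0x80f9104, 0xbf808cf8) = 0
gnutls_handshake(0x8195178, 0, 0x818ff70, 0x80f9104, 0xbf808cf8 <unfinished ...>
"""

CALL = re.compile(r"^(gnutls_\w+)\(([^)<]*)")

def find_early_key_release(trace):
    """Return (key, credentials, session) handles for every handshake whose
    credentials were given a private key that was deinit'ed beforehand."""
    key_of_creds = {}      # credentials handle -> private key handle
    creds_of_session = {}  # session handle -> credentials handle
    released = set()       # private key handles already deinit'ed
    findings = []
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if not m:
            continue
        name, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
        if name == "gnutls_x509_privkey_import":
            released.discard(args[0])          # address is live (again)
        elif name == "gnutls_certificate_set_x509_key":
            key_of_creds[args[0]] = args[3]    # (res, cert_list, size, key)
        elif name == "gnutls_x509_privkey_deinit":
            released.add(args[0])
        elif name == "gnutls_credentials_set":
            creds_of_session[args[0]] = args[2]  # (session, type, cred)
        elif name == "gnutls_handshake":
            creds = creds_of_session.get(args[0])
            key = key_of_creds.get(creds)
            if key in released:
                findings.append((key, creds, args[0]))
    return findings

if __name__ == "__main__":
    print(find_early_key_release(TRACE))
```
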