Package: libgnutls-deb0-28
Version: 3.3.8-3
Severity: grave
Justification: breaks related software (minbif, ircd-ratbox)
Control: affects -1 = minbif ircd-ratbox

Coin,

I had to update all my certificates because our CA is going to expire soon. I then restarted all services with the new CA and server certificates and it worked for all services but minbif and ircd-ratbox (probably the only ones using gnutls). minbif forks for each connecting user and the new process crashes; see the strace and gdb trace attached. I have not yet been able to get a core for ircd-ratbox but the strace is similar.
Reverting the certificates (which are still valid until the end of the month) did not help. Downgrading gnutls to 3.3.8-2 (before the rusage patch) did not help either.
I find two things disturbing. First, fd 3 is used to read the public key, closed, but then read again, which fails, and the abort is done shortly afterwards. Second, rnd_func() fails as if there were no entropy available, but /proc/sys/kernel/random/entropy_avail proves it wrong (the machine has a hardware generator with rngd).
As for the timing, I uploaded ircd-ratbox on 2014-07-29, which worked perfectly on the testing suite at that time (after a gnutls 3 patch).
Tell me if you need anything tested and thanks for your help.

Regards.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls-deb0-28 depends on:
ii  libc6              2.19-12
ii  libgmp10           2:6.0.0+dfsg-4
ii  libhogweed2        2.7.1-3
ii  libnettle4         2.7.1-3
ii  libp11-kit0        0.20.7-1
ii  libtasn1-6         4.1-1
ii  multiarch-support  2.19-12
ii  zlib1g             1:1.2.8.dfsg-1

-- 
Marc Dequènes (Duck)
#0 0x00007f9727650107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
        resultvar = 0
        pid = 28099
        selftid = 28099
#1 0x00007f97276514e8 in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x1631eb0, sa_sigaction = 0x1631eb0}, sa_mask = {__val = {140733327892112, 140733327890224, 140287214206471, 1, 0, 0, 140287177530664, 23280608, 140733327890224, 23290456, 140287214232357, 4294966954, 0, 23264720, 0, 0}}, sa_flags = 0, sa_restorer = 0x161a220}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f9728009199 in rnd_func (_ctx=0x0, length=264, data=0x7fff08045740 "") at pk.c:62
No locals.
#3 0x00007f97238cd346 in nettle_mpz_random_size (x=0x7fff08045910, ctx=0x0, random=0x7f9728009169 <rnd_func>, bits=2112) at bignum-random.c:44
        length = 264
        data = 0x7fff08045740 ""
#4 0x00007f97238cd3d1 in nettle_mpz_random (x=0x7fff08045910, ctx=0x0, random=0x7f9728009169 <rnd_func>, n=0x7fff08045a48) at bignum-random.c:81
No locals.
#5 0x00007f97238d024a in _nettle_rsa_blind (pub=0x7fff08045a40, random_ctx=0x0, random=0x7f9728009169 <rnd_func>, c=0x7fff08045a30, ri=0x7fff08045980) at rsa-blind.c:50
        r = {{_mp_alloc = 1, _mp_size = 0, _mp_d = 0x161a400}}
#6 0x00007f97238cedbd in nettle_rsa_pkcs1_sign_tr (pub=0x7fff08045a40, key=0x7fff08045a70, random_ctx=0x0, random=0x7f9728009169 <rnd_func>, length=51, digest_info=0x1638500 "010\r\006\t`\206H\001e\003\004\002\001\005", s=0x7fff08045a30) at rsa-pkcs1-sign-tr.c:47
        ri = {{_mp_alloc = 1, _mp_size = 0, _mp_d = 0x161a310}}
#7 0x00007f972800a997 in _wrap_nettle_pk_sign (algo=GNUTLS_PK_RSA, signature=0x7fff08045bf0, vdata=0x7fff08045b80, pk_params=0x1644680) at pk.c:566
        priv = {size = 256, d = {{_mp_alloc = 33, _mp_size = 32, _mp_d = 0x1639180}}, p = {{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1639320}}, q = {{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1638a10}}, a = {{_mp_alloc = 16, _mp_size = 16, _mp_d = 0x16398d0}}, b = {{_mp_alloc = 16, _mp_size = 16, _mp_d = 0x1639960}}, c = {{_mp_alloc = 17, _mp_size = 16, _mp_d = 0x1638aa0}}}
        pub = {size = 256, n = {{_mp_alloc = 33, _mp_size = 32, _mp_d = 0x1639070}}, e = {{_mp_alloc = 1, _mp_size = 1, _mp_d = 0x1616800}}}
        s = {{_mp_alloc = 32, _mp_size = 32, _mp_d = 0x1639e40}}
        ret = 134502912
        hash_len = 32767
        me = 0x7f9723d44e5a
#8 0x00007f9727f4176c in gnutls_privkey_sign_raw_data (key=0x1645860, flags=0, data=0x7fff08045b80, signature=0x7fff08045bf0) at gnutls_privkey.c:909
No locals.
#9 0x00007f9727f4147c in gnutls_privkey_sign_data (signer=0x1645860, hash=GNUTLS_DIG_SHA256, flags=0, data=0x7fff08045be0, signature=0x7fff08045bf0) at gnutls_privkey.c:788
        ret = 0
        digest = {data = 0x1638500 "010\r\006\t`\206H\001e\003\004\002\001\005", size = 51}
        me = 0x7f972824b360 <hash_algorithms+96>
#10 0x00007f9727f2d4ad in _gnutls_check_key_cert_match (res=0x16350e0) at gnutls_cert.c:936
        test = {data = 0x7f972801695d "test text", size = 9}
        sig = {data = 0x0, size = 0}
        pk = 1
        pk2 = 1
        ret = 32663
        __func__ = "_gnutls_check_key_cert_match"
#11 0x00007f9727f3d721 in gnutls_certificate_set_x509_key_file2 (res=0x16350e0, certfile=0x1636208 "/etc/minbif/certs/duckcorp_irc_mp-minbif.crt", keyfile=0x1636258 "/etc/minbif/certs/duckcorp_irc_mp-minbif.key", type=GNUTLS_X509_FMT_PEM, pass=0x0, flags=0) at gnutls_x509.c:1336
        ret = 1
#12 0x00007f9727f3d691 in gnutls_certificate_set_x509_key_file (res=0x16350e0, certfile=0x1636208 "/etc/minbif/certs/duckcorp_irc_mp-minbif.crt", keyfile=0x1636258 "/etc/minbif/certs/duckcorp_irc_mp-minbif.key", type=GNUTLS_X509_FMT_PEM) at gnutls_x509.c:1282
No locals.
#13 0x0000000000446d32 in sock::SockWrapperTLS::SockWrapperTLS (this=0x1633be0, _config=<optimized out>, _recv_fd=<optimized out>, _send_fd=<optimized out>) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/sockwrap/sockwrap_tls.cpp:80
        c_section = 0x1631eb0
        trust_file = "/etc/ssl/certs/ca-certificates.crt"
        crl_file = " "
#14 0x000000000043fb56 in sock::SockWrapper::Builder (_config=0x1631790, _recv_fd=_recv_fd@entry=5, _send_fd=_send_fd@entry=5) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/sockwrap/sockwrap.cpp:61
        sec_mode = "tls"
#15 0x0000000000453a6f in DaemonForkServerPoll::new_client_cb (this=0x1633b80) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/server_poll/daemon_fork.cpp:241
        newcon = {sin_family = 10, sin_port = 4524, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}
        new_socket = 5
        fds = {6, 7}
        addrlen = 28
        client_pid = 0
#16 0x0000000000437000 in _callback (data=<optimized out>) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/core/callback.cpp:31
        cb = <optimized out>
#17 g_callback_input (data=<optimized out>, src=<optimized out>, i=i@entry=PURPLE_INPUT_READ) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/core/callback.cpp:37
No locals.
#18 0x0000000000434c3e in purple_glib_io_invoke (source=<optimized out>, condition=<optimized out>, data=0x1630350) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/core/util.cpp:82
        closure = 0x1630350
        purple_cond = PURPLE_INPUT_READ
#19 0x00007f9728de4b6d in g_main_dispatch (context=0x1633d40) at /build/glib2.0-dt6trg/glib2.0-2.42.0/./glib/gmain.c:3111
        dispatch = 0x7f9728e298a0 <g_io_unix_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x1630350
        callback = 0x434c10 <purple_glib_io_invoke(GIOChannel*, GIOCondition, gpointer)>
        cb_funcs = <optimized out>
        cb_data = 0x1635e00
        need_destroy = <optimized out>
        source = 0x1633cc0
        current = 0x1611260
        i = 0
#20 g_main_context_dispatch (context=context@entry=0x1633d40) at /build/glib2.0-dt6trg/glib2.0-2.42.0/./glib/gmain.c:3710
No locals.
#21 0x00007f9728de4f48 in g_main_context_iterate (context=0x1633d40, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/glib2.0-dt6trg/glib2.0-2.42.0/./glib/gmain.c:3781
        max_priority = 2147483647
        timeout = -1
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 2
        fds = 0x1613170
#22 0x00007f9728de5272 in g_main_loop_run (loop=0x1612fd0) at /build/glib2.0-dt6trg/glib2.0-2.42.0/./glib/gmain.c:3975
        __FUNCTION__ = "g_main_loop_run"
#23 0x0000000000425580 in Minbif::main (this=this@entry=0x7fff080470e0, argc=argc@entry=4, argv=argv@entry=0x7fff080471f8) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/core/minbif.cpp:244
        rlim = {rlim_cur = 18446744073709551615, rlim_max = 18446744073709551615}
        long_options = {{name = 0x4f7795 "pidfile", has_arg = 1, flag = 0x0, val = 112}, {name = 0x4f779d "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x4f77a2 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x4f8db6 "mode", has_arg = 1, flag = 0x0, val = 109}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        option_index = 0
        c = <optimized out>
        mode = 2
#24 0x0000000000425b80 in main (argc=4, argv=0x7fff080471f8) at /build/minbif-e0OeNy/minbif-1.0.5+git20120508/src/core/minbif.cpp:285
        minbif = {loop = 0x1612fd0, server_poll = 0x1633b80, pidfile = "/var/run/minbif/minbif.pid"}
quit
2103 restart_syscall(<... resuming interrupted call ...>) = 1
2103 read(4, 0x7fffdc9a6820, 16) = -1 EAGAIN (Resource temporarily unavailable)
2103 write(4, "\1\0\0\0\0\0\0\0", 8) = 8
2103 accept(3, {sa_family=AF_INET6, sin6_port=htons(43856), inet_pton(AF_INET6, "::ffff:ffff:0:0", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=3011625552}, [28]) = 5
2103 socketpair(PF_LOCAL, SOCK_STREAM, 0, [6, 7]) = 0
2103 fcntl(6, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
2103 fcntl(7, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
2103 clone( <unfinished ...>
3976 set_robust_list(0x7fe7b4522ae0, 24) = 0
3976 close(3) = 0
3976 fstat(7, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
3976 fcntl(7, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
3976 write(4, "\1\0\0\0\0\0\0\0", 8) = 8
3976 close(6) = 0
2103 <... clone resumed> child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fe7b4522ad0) = 3976
2103 gettimeofday({1415543029, 613800}, NULL) = 0
2103 write(1, "[INFO] Creating new process with"..., 42) = 42
2103 close(5) = 0
3976 open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY <unfinished ...>
2103 fstat(6, <unfinished ...>
3976 <... open resumed> ) = 3
2103 <... fstat resumed> {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
3976 fstat(3, <unfinished ...>
2103 fcntl(6, F_GETFL <unfinished ...>
3976 <... fstat resumed> {st_mode=S_IFREG|0644, st_size=5578, ...}) = 0
2103 <... fcntl resumed> ) = 0x802 (flags O_RDWR|O_NONBLOCK)
3976 fstat(3, <unfinished ...>
2103 write(4, "\1\0\0\0\0\0\0\0", 8 <unfinished ...>
3976 <... fstat resumed> {st_mode=S_IFREG|0644, st_size=5578, ...}) = 0
2103 <... write resumed> ) = 8
3976 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 <unfinished ...>
2103 close(7 <unfinished ...>
3976 <... mmap resumed> ) = 0x7fe7b4546000
2103 <... close resumed> ) = 0
3976 lseek(3, 0, SEEK_CUR <unfinished ...>
2103 write(4, "\1\0\0\0\0\0\0\0", 8 <unfinished ...>
3976 <... lseek resumed> ) = 0
2103 <... write resumed> ) = 8
3976 read(3, <unfinished ...>
2103 poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}, {fd=3, events=POLLIN}], 3, 4294967295 <unfinished ...>
3976 <... read resumed> "-----BEGIN CERTIFICATE-----\nMIID"..., 4096) = 4096
2103 <... poll resumed> ) = 1 ([{fd=4, revents=POLLIN}])
3976 read(3, "h+B99ow/NzTlPNzVLfbM3MU4bWxf0gUJ"..., 4096) = 1482
2103 poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}, {fd=3, events=POLLIN}], 3, 4294967295 <unfinished ...>
3976 read(3, <unfinished ...>
2103 <... poll resumed> ) = 1 ([{fd=4, revents=POLLIN}])
3976 <... read resumed> "", 4096) = 0
2103 read(4, <unfinished ...>
3976 close(3 <unfinished ...>
2103 <... read resumed> "\4\0\0\0\0\0\0\0", 16) = 8
3976 <... close resumed> ) = 0
3976 munmap(0x7fe7b4546000, 4096 <unfinished ...>
2103 poll([{fd=4, events=POLLIN}, {fd=6, events=POLLIN}, {fd=3, events=POLLIN}], 3, 4294967295 <unfinished ...>
3976 <... munmap resumed> ) = 0
3976 brk(0x1f44000) = 0x1f44000
3976 open("/etc/minbif/certs/duckcorp_irc_mp-minbif.key", O_RDONLY) = 3
3976 fstat(3, {st_mode=S_IFREG|0640, st_size=1679, ...}) = 0
3976 fstat(3, {st_mode=S_IFREG|0640, st_size=1679, ...}) = 0
3976 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b4546000
3976 lseek(3, 0, SEEK_CUR) = 0
3976 read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1679
3976 read(3, "", 4096) = 0
3976 close(3) = 0
3976 munmap(0x7fe7b4546000, 4096) = 0
3976 open("/etc/minbif/certs/duckcorp_irc_mp-minbif.crt", O_RDONLY) = 3
3976 fstat(3, {st_mode=S_IFREG|0644, st_size=1306, ...}) = 0
3976 fstat(3, {st_mode=S_IFREG|0644, st_size=1306, ...}) = 0
3976 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe7b4546000
3976 lseek(3, 0, SEEK_CUR) = 0
3976 read(3, "-----BEGIN CERTIFICATE-----\nMIID"..., 4096) = 1306
3976 read(3, "", 4096) = 0
3976 close(3) = 0
3976 munmap(0x7fe7b4546000, 4096) = 0
3976 clock_gettime(CLOCK_REALTIME, {1415543029, 617398410}) = 0
3976 getrusage(0x1 /* RUSAGE_??? */, {ru_utime={0, 0}, ru_stime={0, 0}, ...}) = 0
3976 read(3, 0x7fffdc9a52a0, 16) = -1 EBADF (Bad file descriptor)
3976 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
3976 tgkill(3976, 3976, SIGABRT) = 0
3976 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=3976, si_uid=122} ---
2103 <... poll resumed> ) = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
2103 read(4, 0x7fffdc9a6820, 16) = -1 EAGAIN (Resource temporarily unavailable)
2103 write(4, "\1\0\0\0\0\0\0\0", 8) = 8
2103 recvfrom(6, "", 511, MSG_PEEK, NULL, NULL) = 0
2103 gettimeofday({1415543029, 665359}, NULL) = 0
2103 write(1, "[INFO] IPC: a child left: Resour"..., 59) = 59
2103 close(6) = 0
2103 poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 2, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
2103 poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 2, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
2103 read(4, "\1\0\0\0\0\0\0\0", 16) = 8
2103 poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 2, 4294967295 <unfinished ...>
3976 +++ killed by SIGABRT (core dumped) +++
2103 <... poll resumed> ) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
2103 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_DUMPED, si_pid=3976, si_uid=122, si_status=SIGABRT, si_utime=0, si_stime=0} ---
2103 wait4(0, [{WIFSIGNALED(s) && WTERMSIG(s) == SIGABRT && WCOREDUMP(s)}], WNOHANG, NULL) = 3976
2103 wait4(0, 0x7fffdc9a6464, WNOHANG, NULL) = -1 ECHILD (No child processes)
2103 rt_sigreturn() = -1 EINTR (Interrupted system call)
2103 read(4, 0x7fffdc9a6820, 16) = -1 EAGAIN (Resource temporarily unavailable)
2103 poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}], 2, 4294967295 <detached ...>
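Added example, not part of the original report or of any project's code: it replays `strace -f -o` style output per process and, for every call that fails with EBADF, lists what that descriptor number was used for earlier in the same process, which is the pattern the reporter describes for fd 3. The trace lines are constructed (modelled on the attached strace), `/etc/example/server.key` is a placeholder path, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed trace lines, modelled on the attached strace; paths are placeholders.
SAMPLE = r"""
2103 accept(3, {sa_family=AF_INET6}, [28]) = 5
2103 clone( <unfinished ...>
3976 close(3) = 0
2103 <... clone resumed> child_stack=0, flags=SIGCHLD) = 3976
3976 open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY <unfinished ...>
3976 <... open resumed> ) = 3
3976 close(3) = 0
3976 open("/etc/example/server.key", O_RDONLY) = 3
3976 read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 1679
3976 close(3 <unfinished ...>
3976 <... close resumed> ) = 0
3976 read(3, 0x7fffdc9a52a0, 16) = -1 EBADF (Bad file descriptor)
3976 +++ killed by SIGABRT (core dumped) +++
"""

UNFINISHED = "<unfinished ...>"

def ebadf_calls(trace):
    """Return (pid, syscall, fd, prior uses of that fd number) per EBADF failure."""
    pending = {}                  # pid -> first half of an interrupted call
    history = defaultdict(list)   # (pid, fd) -> ["open <path>", "close", ...]
    findings = []
    for line in trace.strip().splitlines():
        pid, _, rest = line.strip().partition(" ")
        if rest.endswith(UNFINISHED):
            pending[pid] = rest[:-len(UNFINISHED)]
            continue
        resumed = re.match(r"<\.\.\. \w+ resumed>(.*)", rest)
        if resumed:               # stitch the two halves back together
            rest = pending.pop(pid, "") + resumed.group(1)
        call = re.match(r"(\w+)\((.*)\)\s+= (-?\d+)(?: (\w+))?", rest)
        if not call:
            continue              # signal and exit lines
        name, args, ret, errno = call[1], call[2], int(call[3]), call[4]
        fd_arg = re.match(r"\s*(\d+)", args)
        if name in ("open", "openat") and ret >= 0:
            history[pid, ret].append(name + " " + re.search(r'"([^"]*)"', args)[1])
        elif name == "close" and ret == 0 and fd_arg:
            history[pid, int(fd_arg[1])].append("close")
        elif errno == "EBADF" and fd_arg:
            fd = int(fd_arg[1])
            findings.append((int(pid), name, fd, list(history[pid, fd])))
    return findings

if __name__ == "__main__":
    for pid, name, fd, uses in ebadf_calls(SAMPLE):
        print(f"pid {pid}: {name}({fd}) -> EBADF; fd {fd} earlier: {uses}")
```

A history that starts with a bare `close` means the process closed a descriptor it had inherited rather than opened itself, so the trace alone does not say what that number originally referred to.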