[Pkg-openssl-devel] Bug#358825: libwhisker bug

James Westby jw+debian at jameswestby.net
Mon May 29 23:26:35 UTC 2006


reassign 358825 libwhisker-perl
thanks nice robot

Hello libwhisker, this report is being passed on again, but with some
useful information for you.

I have tracked this problem down to a bug in libwhisker; I'll explain
why I think it's in libwhisker.

There was a change in openssl a few years ago to change the way that
callbacks are set up for temporary keys. This can be seen at
http://cvs.openssl.org/chngview?cn=2005

This change is what causes the error message shown earlier, but whisker
does a poor job of dealing with this and so creates a distraction. The
error message is emitted when ssl3_ctrl is called with
SSL_CTRL_SET_TMP_DH_CB (6).

In the rest of this mail I am describing /usr/share/perl5/LW.pm.

At first it appears as though it is the call to
Net::SSLeay::ssl_write_all on line 3109 that causes the problem, as this
is where the error message is printed and the errors cause the program
to fail. I spent a while looking for an openssl bug that caused the
offending function to be called when writing data, but couldn't see it.

Then looking at Net::SSLeay for problems I checked the status of the
error structure before the write was made, and it still showed the error
message. So looking at the whisker code I noted that there are lots of
Net::SSLeay functions used in LW::http_do_request_ex that do not check
for errors. As they are xs wrappers in Net::SSLeay they do not provide
the same error checking as the Net::SSLeay::ssl_write_all that shows the
error. 

Looking at the functions that it calls shows that it calls
Net::SSLeay::ctrl($$Z[4],6,0,''); on 2538 which will trigger the error. 

This only triggers the error when using SSLv3 (and maybe TLS, I didn't
check) but not SSLv2, so maybe this gives some indication of how the bug
stayed hidden. 

It is not clear to me why this function is being called, especially as
it seems to set a null callback. I couldn't find a public VCS to try and
find where the code was introduced. 

Simply commenting out the line appears to solve this problem, but I
haven't really tested it. Another thing that works is inserting
Net::SSLeay::print_errs(); after this line, which swallows the error
before the write chokes on it. It might be better to check for errors
and handle them accordingly. Also the return value isn't checked, and this 
appears to indicate whether there was an error.

It might be necessary to wrap all Net::SSLeay functions in this check so
that errors are caught at source to make bugs less obscure.

Feel free to contact me if you would like any more information.

James

-- 
  James Westby
  jw+debian at jameswestby.net
  http://jameswestby.net/
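
The wrapping suggested at the end of the mail, so that a Net::SSLeay call which queues an error is reported at that call rather than at a later write, could look like the following. This is an added example, not part of the original message and not libwhisker or Net::SSLeay project code; `drain_ssl_errors` and `checked_ssl` are hypothetical helper names, and it assumes Net::SSLeay is installed.

```perl
#!/usr/bin/perl
# Added example, not libwhisker or Net::SSLeay project code.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Pop every entry off the OpenSSL error queue and return them as strings.
sub drain_ssl_errors {
    my @errs;
    while (my $code = Net::SSLeay::ERR_get_error()) {
        push @errs, Net::SSLeay::ERR_error_string($code);
    }
    return @errs;
}

# checked_ssl() is a hypothetical helper: it runs one Net::SSLeay call with
# an empty error queue and dies, naming that call, if the call queued errors.
sub checked_ssl {
    my ($label, $call, @args) = @_;
    my @stale = drain_ssl_errors();   # left behind by earlier unchecked calls
    warn "stale error before $label: $_\n" for @stale;
    my $rv = $call->(@args);
    my @errs = drain_ssl_errors();
    die "$label (returned " . (defined $rv ? $rv : 'undef') . "): "
        . join('; ', @errs) . "\n" if @errs;
    return $rv;
}

# No network needed: a context and an unconnected SSL object are enough.
my $ctx = checked_ssl('CTX_new', \&Net::SSLeay::CTX_new);
my $ssl = checked_ssl('new',     \&Net::SSLeay::new, $ctx);

# The call from the mail. 6 is SSL_CTRL_SET_TMP_DH_CB as given there; whether
# it queues an error depends on the OpenSSL build, so both outcomes are shown.
my $rv = eval { checked_ssl('ctrl(6)', \&Net::SSLeay::ctrl, $ssl, 6, 0, '') };
if (my $err = $@) {
    print "caught at source: $err";
} else {
    print "ctrl(6) returned $rv with no queued error on this build\n";
}

Net::SSLeay::free($ssl);
Net::SSLeay::CTX_free($ctx);
```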




