On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
> X509_getm_notBefore(), aka the gift that keeps on giving...
> 
> jca pointed out to me that kde/libs failed to build on ld.bfd
> architectures due to a linking error in libkio [1]:
> 
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> reference to `X509_getm_notBefore'
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> reference to `X509_getm_notAfter'
> 
> This started happening after I fixed a qt4 SSL-related runtime failure
> that rsadowski@ showed me during p2k19.
> 
> Before that fix, it linked, but only by accident. This was defintely
> broken on all architectures since August 2018.
> 
> This is what happened (the notAfter case is the same):
> 
> X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
> In OpenSSL, this macro was replaced with a function,
> X509_getm_notBefore(), and openssl/x509.h now contains
> 
> #define X509_get_notBefore      X509_getm_notBefore
> 
> so when linking a program that uses X509_get_notBefore(), ld.bfd will
> look up X509_getm_notBefore().
> 
> When trying to adapt the Qt4 openssl symbols sausage factory to this, I
> accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
> which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
> rightfully confused by this, and this led to the segfault rsadowski
> showed me. The Qt4 side was fixed last November (although there should
> have been a major bump for QtNetwork and some other Qt libraries).
> 
> The diff below fixes libkio by adding a symbol lookup similar to other
> libcrypto symbols and using it in ksslcertificate.cpp in place of the
> macro. Note that this is internal only, so no library bump required.
> 
> check_sym shows the expected removal of the two external references to
> X509_getm_notBefore and X509_getm_notAfter for libkio.
> 
> I have build tested this on amd64 and sparc64.

With some meaningful comments in the new patches, ok with me but please
wait for jca@'s feedback. Thanks tb

> 
> [1]: 
> http://build-failures.rhaalovely.net/sparc64/2020-03-08/x11/kde4/libs,,-en_US.log
> 
> Index: Makefile
> ===================================================================
> RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
> retrieving revision 1.93
> diff -u -p -r1.93 Makefile
> --- Makefile  23 Nov 2019 15:25:31 -0000      1.93
> +++ Makefile  17 Mar 2020 12:40:02 -0000
> @@ -12,7 +12,7 @@ PKGNAME-langlist =  kde4-langlist-$V
>  PKG_ARCH-en_US =     *
>  PKG_ARCH-langlist =  *
>  PKGSPEC-main =               kdelibs-${MODKDE4_SPEC}
> -REVISION-main =              19
> +REVISION-main =              20
>  REVISION-en_US =     0
>  REVISION-langlist =  0
>  
> Index: patches/patch-kio_kssl_kopenssl_cpp
> ===================================================================
> RCS file: patches/patch-kio_kssl_kopenssl_cpp
> diff -N patches/patch-kio_kssl_kopenssl_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_kopenssl_cpp       17 Mar 2020 11:54:08 -0000
> @@ -0,0 +1,42 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/kopenssl.cpp
> +--- kio/kssl/kopenssl.cpp.orig
> ++++ kio/kssl/kopenssl.cpp
> +@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
> + static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
> + static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
> + static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
> + static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, 
> X509_LOOKUP_METHOD *) = 0L;
> + static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
> + static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
> +@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
> +       K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) 
> d->cryptoLib->resolveFunction("X509_NAME_oneline");
> +       K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) 
> d->cryptoLib->resolveFunction("X509_get_subject_name");
> +       K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) 
> d->cryptoLib->resolveFunction("X509_get_issuer_name");
> ++      K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) 
> d->cryptoLib->resolveFunction("X509_getm_notBefore");
> ++      K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) 
> d->cryptoLib->resolveFunction("X509_getm_notAfter");
> +       K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, 
> X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
> +       K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) 
> d->cryptoLib->resolveFunction("X509_LOOKUP_file");
> +       K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) 
> d->cryptoLib->resolveFunction("X509_LOOKUP_free");
> +@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
> + 
> + X509_NAME *KOpenSSLProxy::X509_get_issuer_name(X509 *a) {
> +    if (K_X509_get_issuer_name) return (K_X509_get_issuer_name)(a);
> ++   return 0L;
> ++}
> ++
> ++
> ++ASN1_TIME *KOpenSSLProxy::X509_getm_notBefore(const X509 *a) {
> ++   if (K_X509_getm_notBefore) return (K_X509_getm_notBefore)(a);
> ++   return 0L;
> ++}
> ++
> ++
> ++ASN1_TIME *KOpenSSLProxy::X509_getm_notAfter(const X509 *a) {
> ++   if (K_X509_getm_notAfter) return (K_X509_getm_notAfter)(a);
> +    return 0L;
> + }
> + 
> Index: patches/patch-kio_kssl_kopenssl_h
> ===================================================================
> RCS file: patches/patch-kio_kssl_kopenssl_h
> diff -N patches/patch-kio_kssl_kopenssl_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_kopenssl_h 17 Mar 2020 11:57:40 -0000
> @@ -0,0 +1,22 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/kopenssl.h
> +--- kio/kssl/kopenssl.h.orig
> ++++ kio/kssl/kopenssl.h
> +@@ -361,6 +361,16 @@ class KOpenSSLProxy { (public)
> + 
> + 
> +    /*
> ++    *   X509_getm_notBefore - start of validity
> ++    */
> ++   ASN1_TIME *X509_getm_notBefore(const X509 *a);
> ++
> ++   /*
> ++    *   X509_getm_notBefore - end of validity
> ++    */
> ++   ASN1_TIME *X509_getm_notAfter(const X509 *a);
> ++
> ++   /*
> +     *   X509_STORE_add_lookup - add a lookup file/method to an X509 store
> +     */
> +    X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
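Review bot: The comment above the second new declaration names the wrong function: it reads `X509_getm_notBefore - end of validity` but documents `X509_getm_notAfter`, so it should be `X509_getm_notAfter - end of validity`. Both comments would also benefit from stating the contract a caller needs: the wrapper returns null when the libcrypto symbol could not be resolved (the kopenssl.cpp patch returns `0L` in that case), and OpenSSL's getm accessors return a pointer to the certificate's own mutable field, so the result must not be freed or modified by code that only displays the validity period. The KOpenSSLProxy class body starts and ends outside this hunk.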
> Index: patches/patch-kio_kssl_ksslcertificate_cpp
> ===================================================================
> RCS file: patches/patch-kio_kssl_ksslcertificate_cpp
> diff -N patches/patch-kio_kssl_ksslcertificate_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_ksslcertificate_cpp        17 Mar 2020 12:01:16 
> -0000
> @@ -0,0 +1,41 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/ksslcertificate.cpp
> +--- kio/kssl/ksslcertificate.cpp.orig
> ++++ kio/kssl/ksslcertificate.cpp
> +@@ -978,7 +978,7 @@ KSSLCertificate::KSSLValidation KSSLCertificate::proce
> + 
> + QString KSSLCertificate::getNotBefore() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
> ++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
> + #else
> +     return QString();
> + #endif
> +@@ -987,7 +987,7 @@ QString KSSLCertificate::getNotBefore() const {
> + 
> + QString KSSLCertificate::getNotAfter() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
> ++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
> + #else
> +     return QString();
> + #endif
> +@@ -996,7 +996,7 @@ QString KSSLCertificate::getNotAfter() const {
> + 
> + QDateTime KSSLCertificate::getQDTNotBefore() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
> ++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), 
> NULL);
> + #else
> +     return QDateTime::currentDateTime();
> + #endif
> +@@ -1005,7 +1005,7 @@ QDateTime KSSLCertificate::getQDTNotBefore() const {
> + 
> + QDateTime KSSLCertificate::getQDTNotAfter() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
> ++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), 
> NULL);
> + #else
> +     return QDateTime::currentDateTime();
> + #endif
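Review bot: All four getters now pass the proxy's return value straight into `ASN1_UTCTIME_QString()` or `ASN1_UTCTIME_QDateTime()`, while the new wrappers in kopenssl.cpp return `0L` when `resolveFunction()` did not find the symbol. Whether the two converters tolerate a null `ASN1_TIME *` is not visible in this patch; if they do not, a failed lookup becomes a null dereference while inspecting a certificate, and if they do, the validity period is silently reported as empty. An explicit guard in each getter would make the failure mode deliberate, for example `ASN1_TIME *t = d->kossl->X509_getm_notBefore(d->m_cert); if (!t) return QString();`. For the QDateTime variants an invalid `QDateTime()` is probably the safer null result than the current time, so that a caller comparing against the validity window does not treat an unreadable date as in range.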
> 
