Re: x11/kde4/libs X509_getm_notBefore fix

2020-03-18 Thread Jeremie Courreges-Anglas
On Wed, Mar 18 2020, Rafael Sadowski wrote:
> On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
>> X509_getm_notBefore(), aka the gift that keeps on giving...
>> 
>> jca pointed out to me that kde/libs failed to build on ld.bfd
>> architectures due to a linking error in libkio [1]:
>> 
>> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
>> reference to `X509_getm_notBefore'
>> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
>> reference to `X509_getm_notAfter'
>> 
>> This started happening after I fixed a qt4 SSL-related runtime failure
>> that rsadowski@ showed me during p2k19.
>> 
>> Before that fix, it linked, but only by accident. This was definitely
>> broken on all architectures since August 2018.
>> 
>> This is what happened (the notAfter case is the same):
>> 
>> X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
>> In OpenSSL, this macro was replaced with a function,
>> X509_getm_notBefore(), and openssl/x509.h now contains
>> 
>> #define X509_get_notBefore  X509_getm_notBefore
>> 
>> so when linking a program that uses X509_get_notBefore() this means
>> ld.bfd will look up X509_getm_notBefore().
>> 
>> When trying to adapt the Qt4 openssl symbols sausage factory to this, I
>> accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
>> which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
>> rightfully confused by this, and this led to the segfault rsadowski
>> showed me. The Qt4 side was fixed last November (although there should
>> have been a major bump for QtNetwork and some other Qt libraries).
>> 
>> The diff below fixes libkio by adding a symbol lookup similar to other
>> libcrypto symbols and using it in ksslcertificate.cpp in place of the
>> macro. Note that this is internal only, so no library bump required.
>> 
>> check_sym shows the expected removal of the two external references to
>> X509_getm_notBefore and X509_getm_notAfter for libkio.
>> 
>> I have build tested this on amd64 and sparc64.
>
> With some meaningful comments in the new patches, ok with me but please
> wait for jca@'s feedback. Thanks tb

Wait, I'm no expert in how to run an OpenSSL sausage factory!

That being said, thank you Theo for your thorough analysis.  Your fixes
seem to fit properly in the existing code.  ok jca@

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
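
The macro alias and the runtime symbol lookup discussed in this thread, as an added example that is not part of the original messages and is not kdelibs or OpenSSL code. The types, export tables and function names other than the quoted #define are constructed stand-ins (assumptions) so that it runs without libcrypto.

```c
#include <stddef.h>
#include <string.h>

/* Same alias as the openssl/x509.h line quoted in the thread. */
#define X509_get_notBefore X509_getm_notBefore
#define STR(x) #x
#define XSTR(x) STR(x)  /* expand the macro first, then stringify */

/* Everything below is a constructed stand-in, not OpenSSL or kdelibs code. */
typedef struct { long not_before; } fake_x509;
typedef const long *(*getm_fn)(const fake_x509 *);
struct export { const char *name; getm_fn fn; };

static const long *impl_getm_notBefore(const fake_x509 *x) { return &x->not_before; }

/* Constructed export tables: one library has the function, one predates it. */
static const struct export new_lib[] = { { "X509_getm_notBefore", impl_getm_notBefore } };
static const struct export old_lib[] = { { "some_other_symbol", impl_getm_notBefore } };

/* Symbol name that code written as X509_get_notBefore(x) really refers to. */
const char *referenced_symbol(void) { return XSTR(X509_get_notBefore); }

/* Name-based lookup, standing in for resolveFunction() in the patch. */
static getm_fn resolve(const struct export *lib, size_t n, const char *name) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(lib[i].name, name) == 0)
            return lib[i].fn;
    return NULL;
}

static getm_fn K_getm_notBefore = NULL;

/* Proxy in the style of the patch: null when the symbol was not resolved. */
static const long *proxy_getm_notBefore(const fake_x509 *x) {
    if (K_getm_notBefore) return K_getm_notBefore(x);
    return NULL;
}

/* Caller that checks the proxy result; returns -1 if the lookup failed. */
long cert_not_before(int use_old_lib, long stamp) {
    fake_x509 cert = { stamp };
    K_getm_notBefore = use_old_lib
        ? resolve(old_lib, 1, referenced_symbol())
        : resolve(new_lib, 1, referenced_symbol());
    const long *t = proxy_getm_notBefore(&cert);
    return t ? *t : -1;
}
```

referenced_symbol() yields the getm name even though the source spells the old macro name, which is why a direct use leaves an undefined reference to X509_getm_notBefore at link time while a name-based lookup does not.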



Re: x11/kde4/libs X509_getm_notBefore fix

2020-03-18 Thread Theo Buehler
On Wed, Mar 18, 2020 at 07:20:00AM +0100, Rafael Sadowski wrote:
> On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
> > X509_getm_notBefore(), aka the gift that keeps on giving...
> > 
> > jca pointed out to me that kde/libs failed to build on ld.bfd
> > architectures due to a linking error in libkio [1]:
> > 
> > /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> > reference to `X509_getm_notBefore'
> > /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> > reference to `X509_getm_notAfter'
> > 
> > This started happening after I fixed a qt4 SSL-related runtime failure
> > that rsadowski@ showed me during p2k19.
> > 
> > Before that fix, it linked, but only by accident. This was definitely
> > broken on all architectures since August 2018.
> > 
> > This is what happened (the notAfter case is the same):
> > 
> > X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
> > In OpenSSL, this macro was replaced with a function,
> > X509_getm_notBefore(), and openssl/x509.h now contains
> > 
> > #define X509_get_notBefore  X509_getm_notBefore
> > 
> > so when linking a program that uses X509_get_notBefore() this means
> > ld.bfd will look up X509_getm_notBefore().
> > 
> > When trying to adapt the Qt4 openssl symbols sausage factory to this, I
> > accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
> > which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
> > rightfully confused by this, and this led to the segfault rsadowski
> > showed me. The Qt4 side was fixed last November (although there should
> > have been a major bump for QtNetwork and some other Qt libraries).
> > 
> > The diff below fixes libkio by adding a symbol lookup similar to other
> > libcrypto symbols and using it in ksslcertificate.cpp in place of the
> > macro. Note that this is internal only, so no library bump required.
> > 
> > check_sym shows the expected removal of the two external references to
> > X509_getm_notBefore and X509_getm_notAfter for libkio.
> > 
> > I have build tested this on amd64 and sparc64.
> 
> With some meaningful comments in the new patches, ok with me but please
> wait for jca@'s feedback. Thanks tb

Thanks. I added comments to the patches and fixed a copy-paste error in
a code comment for kio/kssl/kopenssl.h.

Index: Makefile
===
RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile23 Nov 2019 15:25:31 -  1.93
+++ Makefile18 Mar 2020 07:18:08 -
@@ -12,7 +12,7 @@ PKGNAME-langlist =kde4-langlist-$V
 PKG_ARCH-en_US =   *
 PKG_ARCH-langlist =*
 PKGSPEC-main = kdelibs-${MODKDE4_SPEC}
-REVISION-main =19
+REVISION-main =20
 REVISION-en_US =   0
 REVISION-langlist =0
 
Index: patches/patch-kio_kssl_kopenssl_cpp
===
RCS file: patches/patch-kio_kssl_kopenssl_cpp
diff -N patches/patch-kio_kssl_kopenssl_cpp
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-kio_kssl_kopenssl_cpp 18 Mar 2020 07:09:42 -
@@ -0,0 +1,46 @@
+$OpenBSD$
+
+Resolve X509_getm_notBefore() and X509_getm_notAfter() at runtime
+to fix use of X509_get_notBefore() and X509_get_notAfter() in
+kio/kssl/ksslcertificate.cpp after openssl/x509.h rev 1.70.
+
+Index: kio/kssl/kopenssl.cpp
+--- kio/kssl/kopenssl.cpp.orig
 kio/kssl/kopenssl.cpp
+@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
+ static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
+ static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
+ static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
+ static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, 
X509_LOOKUP_METHOD *) = 0L;
+ static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
+ static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
+@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
+   K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) 
d->cryptoLib->resolveFunction("X509_NAME_oneline");
+   K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) 
d->cryptoLib->resolveFunction("X509_get_subject_name");
+   K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) 
d->cryptoLib->resolveFunction("X509_get_issuer_name");
++  K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) 
d->cryptoLib->resolveFunction("X509_getm_notBefore");
++  K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) 
d->cryptoLib->resolveFunction("X509_getm_notAfter");
+   K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, 
X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
+   K_X509_LOOKUP_file = (X509_LOOKUP_METHOD 
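
Review bot: in the KOpenSSLProxy::KOpenSSLProxy() part of this patch the two new casts are written "(ASN1_TIME  * (*) (const X509 *))" with a doubled space before the first "*", unlike the neighbouring "(X509_NAME * (*) (X509 *))" casts. This is cosmetic only, but matching the surrounding lines keeps the added lookups easy to compare with the existing ones. The new header text naming kio/kssl/ksslcertificate.cpp and openssl/x509.h rev 1.70 covers the description that was asked for.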

Re: x11/kde4/libs X509_getm_notBefore fix

2020-03-18 Thread Rafael Sadowski
On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
> X509_getm_notBefore(), aka the gift that keeps on giving...
> 
> jca pointed out to me that kde/libs failed to build on ld.bfd
> architectures due to a linking error in libkio [1]:
> 
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> reference to `X509_getm_notBefore'
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
> reference to `X509_getm_notAfter'
> 
> This started happening after I fixed a qt4 SSL-related runtime failure
> that rsadowski@ showed me during p2k19.
> 
> Before that fix, it linked, but only by accident. This was definitely
> broken on all architectures since August 2018.
> 
> This is what happened (the notAfter case is the same):
> 
> X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
> In OpenSSL, this macro was replaced with a function,
> X509_getm_notBefore(), and openssl/x509.h now contains
> 
> #define X509_get_notBefore  X509_getm_notBefore
> 
> so when linking a program that uses X509_get_notBefore() this means
> ld.bfd will look up X509_getm_notBefore().
> 
> When trying to adapt the Qt4 openssl symbols sausage factory to this, I
> accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
> which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
> rightfully confused by this, and this led to the segfault rsadowski
> showed me. The Qt4 side was fixed last November (although there should
> have been a major bump for QtNetwork and some other Qt libraries).
> 
> The diff below fixes libkio by adding a symbol lookup similar to other
> libcrypto symbols and using it in ksslcertificate.cpp in place of the
> macro. Note that this is internal only, so no library bump required.
> 
> check_sym shows the expected removal of the two external references to
> X509_getm_notBefore and X509_getm_notAfter for libkio.
> 
> I have build tested this on amd64 and sparc64.

With some meaningful comments in the new patches, ok with me but please
wait for jca@'s feedback. Thanks tb

> 
> [1]: 
> http://build-failures.rhaalovely.net/sparc64/2020-03-08/x11/kde4/libs,,-en_US.log
> 
> Index: Makefile
> ===
> RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
> retrieving revision 1.93
> diff -u -p -r1.93 Makefile
> --- Makefile  23 Nov 2019 15:25:31 -  1.93
> +++ Makefile  17 Mar 2020 12:40:02 -
> @@ -12,7 +12,7 @@ PKGNAME-langlist =  kde4-langlist-$V
>  PKG_ARCH-en_US = *
>  PKG_ARCH-langlist =  *
>  PKGSPEC-main =   kdelibs-${MODKDE4_SPEC}
> -REVISION-main =  19
> +REVISION-main =  20
>  REVISION-en_US = 0
>  REVISION-langlist =  0
>  
> Index: patches/patch-kio_kssl_kopenssl_cpp
> ===
> RCS file: patches/patch-kio_kssl_kopenssl_cpp
> diff -N patches/patch-kio_kssl_kopenssl_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-kio_kssl_kopenssl_cpp   17 Mar 2020 11:54:08 -
> @@ -0,0 +1,42 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/kopenssl.cpp
> +--- kio/kssl/kopenssl.cpp.orig
>  kio/kssl/kopenssl.cpp
> +@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
> + static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
> + static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
> + static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
> + static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, 
> X509_LOOKUP_METHOD *) = 0L;
> + static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
> + static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
> +@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
> +   K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) 
> d->cryptoLib->resolveFunction("X509_NAME_oneline");
> +   K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) 
> d->cryptoLib->resolveFunction("X509_get_subject_name");
> +   K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) 
> d->cryptoLib->resolveFunction("X509_get_issuer_name");
> ++  K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) 
> d->cryptoLib->resolveFunction("X509_getm_notBefore");
> ++  K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) 
> d->cryptoLib->resolveFunction("X509_getm_notAfter");
> +   K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, 
> X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
> +   K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) 
> d->cryptoLib->resolveFunction("X509_LOOKUP_file");
> +   K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) 
> d->cryptoLib->resolveFunction("X509_LOOKUP_free");
> +@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
> + 
> + X509_NAME 
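
Review bot: the new patches/patch-kio_kssl_kopenssl_cpp goes straight from "$OpenBSD$" to "Index: kio/kssl/kopenssl.cpp" with no description of why the patch exists. Two or three lines there saying that X509_get_notBefore() and X509_get_notAfter() now expand to the X509_getm_*() functions, which are therefore looked up through resolveFunction() like the other libcrypto symbols, would save the next porter from having to find this thread.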

x11/kde4/libs X509_getm_notBefore fix

2020-03-17 Thread Theo Buehler
X509_getm_notBefore(), aka the gift that keeps on giving...

jca pointed out to me that kde/libs failed to build on ld.bfd
architectures due to a linking error in libkio [1]:

/usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
reference to `X509_getm_notBefore'
/usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined 
reference to `X509_getm_notAfter'

This started happening after I fixed a qt4 SSL-related runtime failure
that rsadowski@ showed me during p2k19.

Before that fix, it linked, but only by accident. This was definitely
broken on all architectures since August 2018.

This is what happened (the notAfter case is the same):

X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
In OpenSSL, this macro was replaced with a function,
X509_getm_notBefore(), and openssl/x509.h now contains

#define X509_get_notBefore  X509_getm_notBefore

so when linking a program that uses X509_get_notBefore() this means
ld.bfd will look up X509_getm_notBefore().

When trying to adapt the Qt4 openssl symbols sausage factory to this, I
accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
rightfully confused by this, and this led to the segfault rsadowski
showed me. The Qt4 side was fixed last November (although there should
have been a major bump for QtNetwork and some other Qt libraries).

The diff below fixes libkio by adding a symbol lookup similar to other
libcrypto symbols and using it in ksslcertificate.cpp in place of the
macro. Note that this is internal only, so no library bump required.

check_sym shows the expected removal of the two external references to
X509_getm_notBefore and X509_getm_notAfter for libkio.

I have build tested this on amd64 and sparc64.

[1]: 
http://build-failures.rhaalovely.net/sparc64/2020-03-08/x11/kde4/libs,,-en_US.log

Index: Makefile
===
RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile23 Nov 2019 15:25:31 -  1.93
+++ Makefile17 Mar 2020 12:40:02 -
@@ -12,7 +12,7 @@ PKGNAME-langlist =kde4-langlist-$V
 PKG_ARCH-en_US =   *
 PKG_ARCH-langlist =*
 PKGSPEC-main = kdelibs-${MODKDE4_SPEC}
-REVISION-main =19
+REVISION-main =20
 REVISION-en_US =   0
 REVISION-langlist =0
 
Index: patches/patch-kio_kssl_kopenssl_cpp
===
RCS file: patches/patch-kio_kssl_kopenssl_cpp
diff -N patches/patch-kio_kssl_kopenssl_cpp
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-kio_kssl_kopenssl_cpp 17 Mar 2020 11:54:08 -
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Index: kio/kssl/kopenssl.cpp
+--- kio/kssl/kopenssl.cpp.orig
 kio/kssl/kopenssl.cpp
+@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
+ static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
+ static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
+ static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
+ static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, 
X509_LOOKUP_METHOD *) = 0L;
+ static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
+ static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
+@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
+   K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) 
d->cryptoLib->resolveFunction("X509_NAME_oneline");
+   K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) 
d->cryptoLib->resolveFunction("X509_get_subject_name");
+   K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) 
d->cryptoLib->resolveFunction("X509_get_issuer_name");
++  K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) 
d->cryptoLib->resolveFunction("X509_getm_notBefore");
++  K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) 
d->cryptoLib->resolveFunction("X509_getm_notAfter");
+   K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, 
X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
+   K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) 
d->cryptoLib->resolveFunction("X509_LOOKUP_file");
+   K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) 
d->cryptoLib->resolveFunction("X509_LOOKUP_free");
+@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
+ 
+ X509_NAME *KOpenSSLProxy::X509_get_issuer_name(X509 *a) {
+if (K_X509_get_issuer_name) return (K_X509_get_issuer_name)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notBefore(const X509 *a) {
++   if (K_X509_getm_notBefore) return (K_X509_getm_notBefore)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notAfter(const X509 *a) {
++
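
Review bot: the new KOpenSSLProxy::X509_getm_notBefore() wrapper returns 0L when K_X509_getm_notBefore was not resolved, so each place in ksslcertificate.cpp that moves from the macro to this wrapper has to cope with a null ASN1_TIME *. The old macro read the field straight out of the X509, so this null path is new; please confirm the call sites check the result before handing it to anything that dereferences it, and the same for the notAfter wrapper whose body is cut off here.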