x11/kde4/libs X509_getm_notBefore fix

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

x11/kde4/libs X509_getm_notBefore fix

Theo Buehler-3
X509_getm_notBefore(), aka the gift that keeps on giving...

jca pointed out to me that kde/libs failed to build on ld.bfd
architectures due to a linking error in libkio [1]:

/usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notBefore'
/usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notAfter'

This started happening after I fixed a qt4 SSL-related runtime failure
that rsadowski@ showed me during p2k19.

Before that fix, it linked, but only by accident. This was defintely
broken on all architectures since August 2018.

This is what happened (the notAfter case is the same):

X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
In OpenSSL, this macro was replaced with a function,
X509_getm_notBefore(), and openssl/x509.h now contains

#define X509_get_notBefore      X509_getm_notBefore

so when an linking a program that uses X509_get_notBefore() this means
ld.bfd will look up X509_getm_notBefore().

When trying to adapt the Qt4 openssl symbols sausage factory to this, I
accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
rightfully confused by this, and this led to the segfault rsadowski
showed me. The Qt4 side was fixed last November (although there should
have been a major bump for QtNetwork and some other Qt libraries).

The diff below fixes libkio by adding a symbol lookup similar to other
libcrypto symbols and using it in ksslcertificate.cpp in place of the
macro. Note that this is internal only, so no library bump required.

check_sym shows the expected removal of the two external references to
X509_getm_notBefore and X509_getm_notAfter for libkio.

I have build tested this on amd64 and sparc64.

[1]: http://build-failures.rhaalovely.net/sparc64/2020-03-08/x11/kde4/libs,,-en_US.log

Index: Makefile
===================================================================
RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile 23 Nov 2019 15:25:31 -0000 1.93
+++ Makefile 17 Mar 2020 12:40:02 -0000
@@ -12,7 +12,7 @@ PKGNAME-langlist = kde4-langlist-$V
 PKG_ARCH-en_US = *
 PKG_ARCH-langlist = *
 PKGSPEC-main = kdelibs-${MODKDE4_SPEC}
-REVISION-main = 19
+REVISION-main = 20
 REVISION-en_US = 0
 REVISION-langlist = 0
 
Index: patches/patch-kio_kssl_kopenssl_cpp
===================================================================
RCS file: patches/patch-kio_kssl_kopenssl_cpp
diff -N patches/patch-kio_kssl_kopenssl_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_kopenssl_cpp 17 Mar 2020 11:54:08 -0000
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Index: kio/kssl/kopenssl.cpp
+--- kio/kssl/kopenssl.cpp.orig
++++ kio/kssl/kopenssl.cpp
+@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
+ static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
+ static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
+ static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
+ static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, X509_LOOKUP_METHOD *) = 0L;
+ static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
+ static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
+@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
+       K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) d->cryptoLib->resolveFunction("X509_NAME_oneline");
+       K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_subject_name");
+       K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_issuer_name");
++      K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notBefore");
++      K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notAfter");
+       K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
+       K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) d->cryptoLib->resolveFunction("X509_LOOKUP_file");
+       K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) d->cryptoLib->resolveFunction("X509_LOOKUP_free");
+@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
+
+ X509_NAME *KOpenSSLProxy::X509_get_issuer_name(X509 *a) {
+    if (K_X509_get_issuer_name) return (K_X509_get_issuer_name)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notBefore(const X509 *a) {
++   if (K_X509_getm_notBefore) return (K_X509_getm_notBefore)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notAfter(const X509 *a) {
++   if (K_X509_getm_notAfter) return (K_X509_getm_notAfter)(a);
+    return 0L;
+ }
+
Index: patches/patch-kio_kssl_kopenssl_h
===================================================================
RCS file: patches/patch-kio_kssl_kopenssl_h
diff -N patches/patch-kio_kssl_kopenssl_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_kopenssl_h 17 Mar 2020 11:57:40 -0000
@@ -0,0 +1,22 @@
+$OpenBSD$
+
+Index: kio/kssl/kopenssl.h
+--- kio/kssl/kopenssl.h.orig
++++ kio/kssl/kopenssl.h
+@@ -361,6 +361,16 @@ class KOpenSSLProxy { (public)
+
+
+    /*
++    *   X509_getm_notBefore - start of validity
++    */
++   ASN1_TIME *X509_getm_notBefore(const X509 *a);
++
++   /*
++    *   X509_getm_notBefore - end of validity
++    */
++   ASN1_TIME *X509_getm_notAfter(const X509 *a);
++
++   /*
+     *   X509_STORE_add_lookup - add a lookup file/method to an X509 store
+     */
+    X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
Index: patches/patch-kio_kssl_ksslcertificate_cpp
===================================================================
RCS file: patches/patch-kio_kssl_ksslcertificate_cpp
diff -N patches/patch-kio_kssl_ksslcertificate_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_ksslcertificate_cpp 17 Mar 2020 12:01:16 -0000
@@ -0,0 +1,41 @@
+$OpenBSD$
+
+Index: kio/kssl/ksslcertificate.cpp
+--- kio/kssl/ksslcertificate.cpp.orig
++++ kio/kssl/ksslcertificate.cpp
+@@ -978,7 +978,7 @@ KSSLCertificate::KSSLValidation KSSLCertificate::proce
+
+ QString KSSLCertificate::getNotBefore() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
+ #else
+     return QString();
+ #endif
+@@ -987,7 +987,7 @@ QString KSSLCertificate::getNotBefore() const {
+
+ QString KSSLCertificate::getNotAfter() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
+ #else
+     return QString();
+ #endif
+@@ -996,7 +996,7 @@ QString KSSLCertificate::getNotAfter() const {
+
+ QDateTime KSSLCertificate::getQDTNotBefore() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
+ #else
+     return QDateTime::currentDateTime();
+ #endif
+@@ -1005,7 +1005,7 @@ QDateTime KSSLCertificate::getQDTNotBefore() const {
+
+ QDateTime KSSLCertificate::getQDTNotAfter() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
+ #else
+     return QDateTime::currentDateTime();
+ #endif

Reply | Threaded
Open this post in threaded view
|

Re: x11/kde4/libs X509_getm_notBefore fix

Rafael Sadowski
On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:

> X509_getm_notBefore(), aka the gift that keeps on giving...
>
> jca pointed out to me that kde/libs failed to build on ld.bfd
> architectures due to a linking error in libkio [1]:
>
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notBefore'
> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notAfter'
>
> This started happening after I fixed a qt4 SSL-related runtime failure
> that rsadowski@ showed me during p2k19.
>
> Before that fix, it linked, but only by accident. This was defintely
> broken on all architectures since August 2018.
>
> This is what happened (the notAfter case is the same):
>
> X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
> In OpenSSL, this macro was replaced with a function,
> X509_getm_notBefore(), and openssl/x509.h now contains
>
> #define X509_get_notBefore      X509_getm_notBefore
>
> so when an linking a program that uses X509_get_notBefore() this means
> ld.bfd will look up X509_getm_notBefore().
>
> When trying to adapt the Qt4 openssl symbols sausage factory to this, I
> accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
> which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
> rightfully confused by this, and this led to the segfault rsadowski
> showed me. The Qt4 side was fixed last November (although there should
> have been a major bump for QtNetwork and some other Qt libraries).
>
> The diff below fixes libkio by adding a symbol lookup similar to other
> libcrypto symbols and using it in ksslcertificate.cpp in place of the
> macro. Note that this is internal only, so no library bump required.
>
> check_sym shows the expected removal of the two external references to
> X509_getm_notBefore and X509_getm_notAfter for libkio.
>
> I have build tested this on amd64 and sparc64.

With some meaningful comments in the new patches, ok with me but please
wait for jca@' feedback. Thanks tb

>
> [1]: http://build-failures.rhaalovely.net/sparc64/2020-03-08/x11/kde4/libs,,-en_US.log
>
> Index: Makefile
> ===================================================================
> RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
> retrieving revision 1.93
> diff -u -p -r1.93 Makefile
> --- Makefile 23 Nov 2019 15:25:31 -0000 1.93
> +++ Makefile 17 Mar 2020 12:40:02 -0000
> @@ -12,7 +12,7 @@ PKGNAME-langlist = kde4-langlist-$V
>  PKG_ARCH-en_US = *
>  PKG_ARCH-langlist = *
>  PKGSPEC-main = kdelibs-${MODKDE4_SPEC}
> -REVISION-main = 19
> +REVISION-main = 20
>  REVISION-en_US = 0
>  REVISION-langlist = 0
>  
> Index: patches/patch-kio_kssl_kopenssl_cpp
> ===================================================================
> RCS file: patches/patch-kio_kssl_kopenssl_cpp
> diff -N patches/patch-kio_kssl_kopenssl_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_kopenssl_cpp 17 Mar 2020 11:54:08 -0000
> @@ -0,0 +1,42 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/kopenssl.cpp
> +--- kio/kssl/kopenssl.cpp.orig
> ++++ kio/kssl/kopenssl.cpp
> +@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
> + static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
> + static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
> + static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
> ++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
> + static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, X509_LOOKUP_METHOD *) = 0L;
> + static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
> + static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
> +@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
> +       K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) d->cryptoLib->resolveFunction("X509_NAME_oneline");
> +       K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_subject_name");
> +       K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_issuer_name");
> ++      K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notBefore");
> ++      K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notAfter");
> +       K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
> +       K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) d->cryptoLib->resolveFunction("X509_LOOKUP_file");
> +       K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) d->cryptoLib->resolveFunction("X509_LOOKUP_free");
> +@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
> +
> + X509_NAME *KOpenSSLProxy::X509_get_issuer_name(X509 *a) {
> +    if (K_X509_get_issuer_name) return (K_X509_get_issuer_name)(a);
> ++   return 0L;
> ++}
> ++
> ++
> ++ASN1_TIME *KOpenSSLProxy::X509_getm_notBefore(const X509 *a) {
> ++   if (K_X509_getm_notBefore) return (K_X509_getm_notBefore)(a);
> ++   return 0L;
> ++}
> ++
> ++
> ++ASN1_TIME *KOpenSSLProxy::X509_getm_notAfter(const X509 *a) {
> ++   if (K_X509_getm_notAfter) return (K_X509_getm_notAfter)(a);
> +    return 0L;
> + }
> +
> Index: patches/patch-kio_kssl_kopenssl_h
> ===================================================================
> RCS file: patches/patch-kio_kssl_kopenssl_h
> diff -N patches/patch-kio_kssl_kopenssl_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_kopenssl_h 17 Mar 2020 11:57:40 -0000
> @@ -0,0 +1,22 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/kopenssl.h
> +--- kio/kssl/kopenssl.h.orig
> ++++ kio/kssl/kopenssl.h
> +@@ -361,6 +361,16 @@ class KOpenSSLProxy { (public)
> +
> +
> +    /*
> ++    *   X509_getm_notBefore - start of validity
> ++    */
> ++   ASN1_TIME *X509_getm_notBefore(const X509 *a);
> ++
> ++   /*
> ++    *   X509_getm_notBefore - end of validity
> ++    */
> ++   ASN1_TIME *X509_getm_notAfter(const X509 *a);
> ++
> ++   /*
> +     *   X509_STORE_add_lookup - add a lookup file/method to an X509 store
> +     */
> +    X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
> Index: patches/patch-kio_kssl_ksslcertificate_cpp
> ===================================================================
> RCS file: patches/patch-kio_kssl_ksslcertificate_cpp
> diff -N patches/patch-kio_kssl_ksslcertificate_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-kio_kssl_ksslcertificate_cpp 17 Mar 2020 12:01:16 -0000
> @@ -0,0 +1,41 @@
> +$OpenBSD$
> +
> +Index: kio/kssl/ksslcertificate.cpp
> +--- kio/kssl/ksslcertificate.cpp.orig
> ++++ kio/kssl/ksslcertificate.cpp
> +@@ -978,7 +978,7 @@ KSSLCertificate::KSSLValidation KSSLCertificate::proce
> +
> + QString KSSLCertificate::getNotBefore() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
> ++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
> + #else
> +     return QString();
> + #endif
> +@@ -987,7 +987,7 @@ QString KSSLCertificate::getNotBefore() const {
> +
> + QString KSSLCertificate::getNotAfter() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
> ++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
> + #else
> +     return QString();
> + #endif
> +@@ -996,7 +996,7 @@ QString KSSLCertificate::getNotAfter() const {
> +
> + QDateTime KSSLCertificate::getQDTNotBefore() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
> ++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
> + #else
> +     return QDateTime::currentDateTime();
> + #endif
> +@@ -1005,7 +1005,7 @@ QDateTime KSSLCertificate::getQDTNotBefore() const {
> +
> + QDateTime KSSLCertificate::getQDTNotAfter() const {
> + #ifdef KSSL_HAVE_SSL
> +-    return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
> ++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
> + #else
> +     return QDateTime::currentDateTime();
> + #endif
>

Reply | Threaded
Open this post in threaded view
|

Re: x11/kde4/libs X509_getm_notBefore fix

Theo Buehler-3
On Wed, Mar 18, 2020 at 07:20:00AM +0100, Rafael Sadowski wrote:

> On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
> > X509_getm_notBefore(), aka the gift that keeps on giving...
> >
> > jca pointed out to me that kde/libs failed to build on ld.bfd
> > architectures due to a linking error in libkio [1]:
> >
> > /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notBefore'
> > /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notAfter'
> >
> > This started happening after I fixed a qt4 SSL-related runtime failure
> > that rsadowski@ showed me during p2k19.
> >
> > Before that fix, it linked, but only by accident. This was defintely
> > broken on all architectures since August 2018.
> >
> > This is what happened (the notAfter case is the same):
> >
> > X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
> > In OpenSSL, this macro was replaced with a function,
> > X509_getm_notBefore(), and openssl/x509.h now contains
> >
> > #define X509_get_notBefore      X509_getm_notBefore
> >
> > so when an linking a program that uses X509_get_notBefore() this means
> > ld.bfd will look up X509_getm_notBefore().
> >
> > When trying to adapt the Qt4 openssl symbols sausage factory to this, I
> > accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
> > which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
> > rightfully confused by this, and this led to the segfault rsadowski
> > showed me. The Qt4 side was fixed last November (although there should
> > have been a major bump for QtNetwork and some other Qt libraries).
> >
> > The diff below fixes libkio by adding a symbol lookup similar to other
> > libcrypto symbols and using it in ksslcertificate.cpp in place of the
> > macro. Note that this is internal only, so no library bump required.
> >
> > check_sym shows the expected removal of the two external references to
> > X509_getm_notBefore and X509_getm_notAfter for libkio.
> >
> > I have build tested this on amd64 and sparc64.
>
> With some meaningful comments in the new patches, ok with me but please
> wait for jca@' feedback. Thanks tb

Thanks. I added comments to the patches and fixed a copy-paste error in
a code comment for kio/kssl/kopenssl.h.

Index: Makefile
===================================================================
RCS file: /var/cvs/ports/x11/kde4/libs/Makefile,v
retrieving revision 1.93
diff -u -p -r1.93 Makefile
--- Makefile 23 Nov 2019 15:25:31 -0000 1.93
+++ Makefile 18 Mar 2020 07:18:08 -0000
@@ -12,7 +12,7 @@ PKGNAME-langlist = kde4-langlist-$V
 PKG_ARCH-en_US = *
 PKG_ARCH-langlist = *
 PKGSPEC-main = kdelibs-${MODKDE4_SPEC}
-REVISION-main = 19
+REVISION-main = 20
 REVISION-en_US = 0
 REVISION-langlist = 0
 
Index: patches/patch-kio_kssl_kopenssl_cpp
===================================================================
RCS file: patches/patch-kio_kssl_kopenssl_cpp
diff -N patches/patch-kio_kssl_kopenssl_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_kopenssl_cpp 18 Mar 2020 07:09:42 -0000
@@ -0,0 +1,46 @@
+$OpenBSD$
+
+Resolve X509_getm_notBefore() and X509_getm_notAfter() at runtime
+to fix use of X509_get_notBefore() and X509_get_notAfter() in
+kio/kssl/ksslcertificate.cpp after openssl/x509.h rev 1.70.
+
+Index: kio/kssl/kopenssl.cpp
+--- kio/kssl/kopenssl.cpp.orig
++++ kio/kssl/kopenssl.cpp
+@@ -80,6 +80,8 @@ static void (*K_X509_free) (X509 *) = 0L;
+ static char *(*K_X509_NAME_oneline) (X509_NAME *,char *,int) = 0L;
+ static X509_NAME *(*K_X509_get_subject_name) (X509 *) = 0L;
+ static X509_NAME *(*K_X509_get_issuer_name) (X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notBefore) (const X509 *) = 0L;
++static ASN1_TIME *(*K_X509_getm_notAfter) (const X509 *) = 0L;
+ static X509_LOOKUP *(*K_X509_STORE_add_lookup) (X509_STORE *, X509_LOOKUP_METHOD *) = 0L;
+ static X509_LOOKUP_METHOD *(*K_X509_LOOKUP_file)(void) = 0L;
+ static void (*K_X509_LOOKUP_free)(X509_LOOKUP *) = 0L;
+@@ -422,6 +424,8 @@ KOpenSSLProxy::KOpenSSLProxy()
+       K_X509_NAME_oneline = (char * (*) (X509_NAME *,char *,int)) d->cryptoLib->resolveFunction("X509_NAME_oneline");
+       K_X509_get_subject_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_subject_name");
+       K_X509_get_issuer_name = (X509_NAME * (*) (X509 *)) d->cryptoLib->resolveFunction("X509_get_issuer_name");
++      K_X509_getm_notBefore = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notBefore");
++      K_X509_getm_notAfter = (ASN1_TIME  * (*) (const X509 *)) d->cryptoLib->resolveFunction("X509_getm_notAfter");
+       K_X509_STORE_add_lookup = (X509_LOOKUP *(*) (X509_STORE *, X509_LOOKUP_METHOD *)) d->cryptoLib->resolveFunction("X509_STORE_add_lookup");
+       K_X509_LOOKUP_file = (X509_LOOKUP_METHOD *(*)(void)) d->cryptoLib->resolveFunction("X509_LOOKUP_file");
+       K_X509_LOOKUP_free = (void (*)(X509_LOOKUP *)) d->cryptoLib->resolveFunction("X509_LOOKUP_free");
+@@ -902,6 +906,18 @@ X509_NAME *KOpenSSLProxy::X509_get_subject_name(X509 *
+
+ X509_NAME *KOpenSSLProxy::X509_get_issuer_name(X509 *a) {
+    if (K_X509_get_issuer_name) return (K_X509_get_issuer_name)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notBefore(const X509 *a) {
++   if (K_X509_getm_notBefore) return (K_X509_getm_notBefore)(a);
++   return 0L;
++}
++
++
++ASN1_TIME *KOpenSSLProxy::X509_getm_notAfter(const X509 *a) {
++   if (K_X509_getm_notAfter) return (K_X509_getm_notAfter)(a);
+    return 0L;
+ }
+
Index: patches/patch-kio_kssl_kopenssl_h
===================================================================
RCS file: patches/patch-kio_kssl_kopenssl_h
diff -N patches/patch-kio_kssl_kopenssl_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_kopenssl_h 18 Mar 2020 07:12:16 -0000
@@ -0,0 +1,25 @@
+$OpenBSD$
+
+Fix use of X509_get_notBefore() and X509_get_notAfter() in
+kio/kssl/ksslcertificate.cpp after openssl/x509.h rev 1.70.
+
+Index: kio/kssl/kopenssl.h
+--- kio/kssl/kopenssl.h.orig
++++ kio/kssl/kopenssl.h
+@@ -361,6 +361,16 @@ class KOpenSSLProxy { (public)
+
+
+    /*
++    *   X509_getm_notBefore - start of validity
++    */
++   ASN1_TIME *X509_getm_notBefore(const X509 *a);
++
++   /*
++    *   X509_getm_notAfter - end of validity
++    */
++   ASN1_TIME *X509_getm_notAfter(const X509 *a);
++
++   /*
+     *   X509_STORE_add_lookup - add a lookup file/method to an X509 store
+     */
+    X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
Index: patches/patch-kio_kssl_ksslcertificate_cpp
===================================================================
RCS file: patches/patch-kio_kssl_ksslcertificate_cpp
diff -N patches/patch-kio_kssl_ksslcertificate_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kio_kssl_ksslcertificate_cpp 18 Mar 2020 07:14:37 -0000
@@ -0,0 +1,46 @@
+$OpenBSD$
+
+The X509_get_notBefore() and X509_get_notAfter() macros were changed in
+openssl/x509.h rev 1.70 to reference the functions X509_getm_notBefore()
+and X509_getm_notAfter(), so these need to be resolved at runtime.
+See also the patches for kio/kssl/kopenssl.{cpp,h}.
+
+Index: kio/kssl/ksslcertificate.cpp
+--- kio/kssl/ksslcertificate.cpp.orig
++++ kio/kssl/ksslcertificate.cpp
+@@ -978,7 +978,7 @@ KSSLCertificate::KSSLValidation KSSLCertificate::proce
+
+ QString KSSLCertificate::getNotBefore() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
+ #else
+     return QString();
+ #endif
+@@ -987,7 +987,7 @@ QString KSSLCertificate::getNotBefore() const {
+
+ QString KSSLCertificate::getNotAfter() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
++    return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
+ #else
+     return QString();
+ #endif
+@@ -996,7 +996,7 @@ QString KSSLCertificate::getNotAfter() const {
+
+ QDateTime KSSLCertificate::getQDTNotBefore() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
+ #else
+     return QDateTime::currentDateTime();
+ #endif
+@@ -1005,7 +1005,7 @@ QDateTime KSSLCertificate::getQDTNotBefore() const {
+
+ QDateTime KSSLCertificate::getQDTNotAfter() const {
+ #ifdef KSSL_HAVE_SSL
+-    return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
++    return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
+ #else
+     return QDateTime::currentDateTime();
+ #endif

Reply | Threaded
Open this post in threaded view
|

Re: x11/kde4/libs X509_getm_notBefore fix

Jeremie Courreges-Anglas-5
In reply to this post by Rafael Sadowski
On Wed, Mar 18 2020, Rafael Sadowski <[hidden email]> wrote:

> On Tue Mar 17, 2020 at 06:09:20PM +0100, Theo Buehler wrote:
>> X509_getm_notBefore(), aka the gift that keeps on giving...
>>
>> jca pointed out to me that kde/libs failed to build on ld.bfd
>> architectures due to a linking error in libkio [1]:
>>
>> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notBefore'
>> /usr/obj/ports/kdelibs-4.14.10/build-sparc64/lib/libkio.so.50.3: undefined reference to `X509_getm_notAfter'
>>
>> This started happening after I fixed a qt4 SSL-related runtime failure
>> that rsadowski@ showed me during p2k19.
>>
>> Before that fix, it linked, but only by accident. This was defintely
>> broken on all architectures since August 2018.
>>
>> This is what happened (the notAfter case is the same):
>>
>> X509_get_notBefore(x) used to be a macro that reached inside the X509 x.
>> In OpenSSL, this macro was replaced with a function,
>> X509_getm_notBefore(), and openssl/x509.h now contains
>>
>> #define X509_get_notBefore      X509_getm_notBefore
>>
>> so when an linking a program that uses X509_get_notBefore() this means
>> ld.bfd will look up X509_getm_notBefore().
>>
>> When trying to adapt the Qt4 openssl symbols sausage factory to this, I
>> accidentally exposed a bogus symbol X509_getm_notBefore() in QtNetwork,
>> which was enough to make ld.bfd happy.  The Qt symbol lookup madness got
>> rightfully confused by this, and this led to the segfault rsadowski
>> showed me. The Qt4 side was fixed last November (although there should
>> have been a major bump for QtNetwork and some other Qt libraries).
>>
>> The diff below fixes libkio by adding a symbol lookup similar to other
>> libcrypto symbols and using it in ksslcertificate.cpp in place of the
>> macro. Note that this is internal only, so no library bump required.
>>
>> check_sym shows the expected removal of the two external references to
>> X509_getm_notBefore and X509_getm_notAfter for libkio.
>>
>> I have build tested this on amd64 and sparc64.
>
> With some meaningful comments in the new patches, ok with me but please
> wait for jca@' feedback. Thanks tb

Wait, I'm no expert in how to run an OpenSSL sausage factory!

That being said, thank you Theo for your thorough analysis.  Your fixes
seem to fit properly in the existing code.  ok jca@

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE