NetBSD Problem Report #52298
From www@NetBSD.org Wed Jun 14 01:34:07 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id A6F097A111
for <gnats-bugs@gnats.NetBSD.org>; Wed, 14 Jun 2017 01:34:07 +0000 (UTC)
Message-Id: <20170614013406.63ECB7A290@mollari.NetBSD.org>
Date: Wed, 14 Jun 2017 01:34:06 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
X-Send-Pr-Version: www-1.0
>Number: 52298
>Category: pkg
>Synopsis: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: agc
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 14 01:35:00 +0000 2017
>Closed-Date: Tue Oct 24 15:55:18 +0000 2017
>Last-Modified: Sun Feb 04 09:05:01 +0000 2018
>Originator: Sevan Janiyan
>Release: pkgsrc-current
>Organization:
>Environment:
Linux pkgsrc 4.9.0-3-amd64 #1 SMP Debian 4.9.30-1 (2017-06-04) x86_64 GNU/Linux
>Description:
On Debian 9.0 with OpenSSL 1.1.0f installed, attempting to bootstrap pkgsrc fails with the following error:
cc -DHAVE_CONFIG_H -DDEF_LOG_DIR=\"/usr/pbulk/pkgdb\" -D_LARGEFILE_SOURCE -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -DDEF_UMASK=022 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/bzip2 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libarchive/libarchive -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libfetch -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work -DHAVE_NBCOMPAT_H=1 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libnbcompat -I/usr/include -I. -I. -DSYSCONFDIR=\"/usr/pbulk/etc\" -DHAVE_SSL -O2 -I/usr/include -c pkcs7.c
pkcs7.c: In function 'check_ca':
pkcs7.c:63:11: error: dereferencing pointer to incomplete type 'X509 {aka struct x509_st}'
if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
^~
*** [pkcs7.o] Error code 1
bmake[1]: stopped in /tmp/work-pbulk/wrk/pkgtools/pkg_install/work/pkg_install-20170419/lib
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->agc
Responsible-Changed-By: hauke@NetBSD.org
Responsible-Changed-When: Wed, 14 Jun 2017 19:28:04 +0000
Responsible-Changed-Why:
Over to maintainer.
From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
Date: Sun, 25 Jun 2017 03:54:01 +0000
Hi, candidate patch
Index: lib/pkcs7.c
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
retrieving revision 1.5
diff -u -r1.5 pkcs7.c
--- lib/pkcs7.c 2 Aug 2009 17:56:45 -0000 1.5
+++ lib/pkcs7.c 25 Jun 2017 03:52:28 -0000
@@ -57,6 +57,7 @@
static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x100020bfL)
static int
check_ca(X509 *cert)
{
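Review bot: the guard `OPENSSL_VERSION_NUMBER < 0x100020bfL` picks a boundary unrelated to what broke the build: the constant decodes to 1.0.2k under OpenSSL's MNNFFPPS numbering, whereas the incomplete-type error comes from the opaque X509 introduced in 1.1.0. Since X509_check_ca() has been in OpenSSL since 0.9.8 (as the commit message later in this PR notes), the custom check_ca() body can be dropped outright instead of being kept behind an `#if`; if a guard is retained, `0x10100000L` is the threshold that matches the problem.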
@@ -74,6 +75,13 @@
return 1;
return 0;
}
+#else
+static int
+check_ca(X509 *cert)
+{
+ return X509_check_ca(cert);
+}
+#endif
static STACK_OF(X509) *
file_to_certs(const char *file)
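Review bot: this hunk only redirects check_ca(); the direct member reads `sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage` and the `!= 0` variant further down in easy_pkcs7_verify are untouched and hit the same incomplete-type error under 1.1.0, which is exactly the follow-up report at pkcs7.c:196:33 in this PR. Those reads need an accessor too (X509_get_extended_key_usage() in 1.1.0, with a fallback definition for older releases), so the patch as posted does not get the file to compile.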
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
Date: Mon, 26 Jun 2017 01:24:20 +0100
That worked but it looks like there's more fallout.
pkcs7.c: In function 'easy_pkcs7_verify':
pkcs7.c:196:33: error: dereferencing pointer to incomplete type 'X509 {aka struct x509_st}'
if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
^~
sevan
From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
Date: Tue, 4 Jul 2017 09:06:00 +0000
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
retrieving revision 1.5
diff -u -r1.5 pkcs7.c
--- lib/pkcs7.c 2 Aug 2009 17:56:45 -0000 1.5
+++ lib/pkcs7.c 2 Jul 2017 17:27:34 -0000
@@ -55,25 +55,11 @@
#define NS_ANY_CA (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
#endif
-static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
+#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define X509_get_extended_key_usage(x) x->ex_xkusage
+#endif
-static int
-check_ca(X509 *cert)
-{
- if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
- (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN)
- return 0;
- if ((cert->ex_flags & EXFLAG_BCONS) != 0)
- return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA;
- if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS))
- return 1;
- if ((cert->ex_flags & EXFLAG_KUSAGE) != 0)
- return 1;
- if ((cert->ex_flags & EXFLAG_NSCERT) != 0 &&
- (cert->ex_nscert & NS_ANY_CA) != 0)
- return 1;
- return 0;
-}
+static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
static STACK_OF(X509) *
file_to_certs(const char *file)
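Review bot: the fallback macro `#define X509_get_extended_key_usage(x) x->ex_xkusage` should parenthesize its argument, `(x)->ex_xkusage`, so it is safe for any expression argument; the `sk_X509_value(signers, i)` call happens to bind tighter than `->`, but the unparenthesized form is a trap for the next caller. Note also that the fallback yields the raw field (0 when no extendedKeyUsage extension is present) while the 1.1.0 getter reports an absent extension with a different value, so a zero test on the result means different things on the two builds. Moving `pkg_key_usage` below the `#endif` is an unrelated reordering that only widens the diff.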
@@ -180,18 +166,18 @@
/* Compute ex_xkusage */
X509_check_purpose(sk_X509_value(signers, i), -1, -1);
- if (check_ca(sk_X509_value(signers, i))) {
+ if (X509_check_ca(sk_X509_value(signers, i))) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
if (is_pkg) {
- if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
+ if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
}
} else {
- if (sk_X509_value(signers, i)->ex_xkusage != 0) {
+ if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != 0) {
warnx("Certificate must not have any property");
goto cleanup;
}
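Review bot: the `else` branch uses `X509_get_extended_key_usage(...) != 0` to mean "this certificate carries no EKU extension". With the fallback macro that is the old behaviour, but under 1.1.0 the getter does not return 0 for an absent extension, so a certificate with no EKU would be rejected with "Certificate must not have any property". Test the presence flag instead, `X509_get_extension_flags(cert) & EXFLAG_XKUSAGE`, and keep the getter only for the exact-value comparison in the `is_pkg` branch; the retained `X509_check_purpose(..., -1, -1)` call is still needed so the cached flags are populated before that test.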
@@ -271,12 +257,12 @@
/* Compute ex_kusage */
X509_check_purpose(certificate, -1, 0);
- if (check_ca(certificate)) {
+ if (X509_check_ca(certificate)) {
warnx("CA keys are not valid for signatures");
goto cleanup;
}
- if (certificate->ex_xkusage != pkg_key_usage) {
+ if (X509_get_extended_key_usage(certificate) != pkg_key_usage) {
warnx("Certificate must have CODE SIGNING "
"and EMAIL PROTECTION property");
goto cleanup;
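Review bot: X509_check_ca() primes the cached extension flags itself, so the `/* Compute ex_kusage */` comment above `X509_check_purpose(certificate, -1, 0)` now describes a side effect the code no longer reads directly; update the comment to say the call populates the cache for the getter that follows, or drop it if the getter in use does its own caching. The `!= pkg_key_usage` comparison keeps its original meaning, since an exact match is required in both old and new builds.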
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52298 CVS commit: pkgsrc/pkgtools/pkg_install/files/lib
Date: Tue, 24 Oct 2017 15:54:31 +0000
Module Name: pkgsrc
Committed By: maya
Date: Tue Oct 24 15:54:31 UTC 2017
Modified Files:
pkgsrc/pkgtools/pkg_install/files/lib: pkcs7.c
Log Message:
pkg_install: Fix OpenSSL 1.1.0 build
OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
Use X509_check_ca rather than a custom and nearly identical implementation.
This is available since OpenSSL 0.9.8 (even in RHEL5).
This is also done because we cannot implement it identically under
OpenSSL 1.1.0 due to missing getters.
Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
1.1.0 getter returning a different code on this case.
Use getter for xkusage in the non-zero test case.
Provide fallback definitions for getters.
PR pkg/52298, PR pkg/52648
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
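The commit message above describes a subtle point: "must not have any property" can only be expressed as a zero test on `ex_xkusage` when the field is read directly, because the OpenSSL 1.1.0 getter reports an absent extendedKeyUsage extension with a different value. The following added example (it is not pkg_install or OpenSSL code) models both accessors in plain C so the divergence can be run without the library. The `EXFLAG_*`/`XKU_*` bit values are copied from OpenSSL's x509v3.h (an assumption; the logic does not depend on the exact values), `struct cert_model` is a hypothetical stand-in for the cached state OpenSSL keeps inside an X509, and the sample certificates are constructed. Real code should use `X509_get_extension_flags()` and `X509_get_extended_key_usage()` from the library.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values copied from OpenSSL's x509v3.h (assumption, see lead-in). */
#define EXFLAG_XKUSAGE 0x4   /* an extendedKeyUsage extension was parsed */
#define XKU_SSL_SERVER 0x1   /* serverAuth */
#define XKU_SMIME      0x4   /* emailProtection */
#define XKU_CODE_SIGN  0x8   /* codeSigning */

/* Hypothetical stand-in for the cached-extension state inside an X509. */
struct cert_model {
    uint32_t ex_flags;     /* EXFLAG_* bits */
    uint32_t ex_xkusage;   /* XKU_* bits, meaningful only with EXFLAG_XKUSAGE */
};

/* Pre-1.1.0 style: the pkgsrc fallback macro reads the member directly,
 * so an absent extension shows up as 0. */
static uint32_t xkusage_legacy(const struct cert_model *c)
{
    return c->ex_xkusage;
}

/* Model of OpenSSL 1.1.0's X509_get_extended_key_usage(): the XKU bits when
 * the extension is present, otherwise UINT32_MAX (all bits set). */
static uint32_t xkusage_getter_110(const struct cert_model *c)
{
    return (c->ex_flags & EXFLAG_XKUSAGE) ? c->ex_xkusage : UINT32_MAX;
}

static const uint32_t pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;

/* "Must not have any property" written as a zero test on the accessor value. */
static int no_usage_zero_test(uint32_t xkusage)
{
    return xkusage == 0;
}

/* The same check done on the presence flag, which is what the fix does. */
static int no_usage_flag_test(const struct cert_model *c)
{
    return (c->ex_flags & EXFLAG_XKUSAGE) == 0;
}

/* Package-signing policy: exactly codeSigning + emailProtection, nothing else. */
static int pkg_usage_ok(uint32_t xkusage)
{
    return xkusage == pkg_key_usage;
}

/* Constructed sample certificates (not real certificates). */
static const struct cert_model no_eku     = { 0, 0 };
static const struct cert_model pkg_signer = { EXFLAG_XKUSAGE, XKU_CODE_SIGN | XKU_SMIME };
static const struct cert_model tls_server = { EXFLAG_XKUSAGE, XKU_SSL_SERVER };

/* Returns 1 when the zero test reaches a different verdict for a certificate
 * without an EKU extension depending on which accessor fed it: accepted via
 * the direct read, rejected via the 1.1.0-style getter. */
static int zero_test_diverges_on_no_eku(void)
{
    int legacy = no_usage_zero_test(xkusage_legacy(&no_eku));
    int v110   = no_usage_zero_test(xkusage_getter_110(&no_eku));
    return legacy != v110;
}

int main(void)
{
    printf("no-EKU cert, zero test via direct read : %s\n",
           no_usage_zero_test(xkusage_legacy(&no_eku)) ? "accepted" : "rejected");
    printf("no-EKU cert, zero test via 1.1.0 getter: %s\n",
           no_usage_zero_test(xkusage_getter_110(&no_eku)) ? "accepted" : "rejected");
    printf("no-EKU cert, presence-flag test        : %s\n",
           no_usage_flag_test(&no_eku) ? "accepted" : "rejected");
    printf("pkg signer meets pkg policy            : %d\n",
           pkg_usage_ok(xkusage_getter_110(&pkg_signer)));
    printf("TLS server cert meets pkg policy       : %d\n",
           pkg_usage_ok(xkusage_getter_110(&tls_server)));
    return 0;
}
```

The exact-match comparison in `pkg_usage_ok` is unaffected by the getter change, because a certificate that actually carries the extension yields the same bits from both accessors; only the "no extension at all" case differs, which is why the fix tests `EXFLAG_XKUSAGE` there and keeps the getter for the non-zero comparison.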
State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 24 Oct 2017 15:55:18 +0000
State-Changed-Why:
fixed
From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52298 CVS commit: src/external/bsd/pkg_install/dist/lib
Date: Sun, 4 Feb 2018 09:00:51 +0000
Module Name: src
Committed By: maya
Date: Sun Feb 4 09:00:51 UTC 2018
Modified Files:
src/external/bsd/pkg_install/dist/lib: license.c pkcs7.c pkg_io.c version.h
Log Message:
Merge pkg_install-20171030
Bump version to 20171030 for netpgpverify fixes.
Add zsh to default_acceptable_licenses.
Undef bootstrap hack.
Fix OpenSSL 1.1.0 build
OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
Use X509_check_ca rather than a custom and nearly identical implementation.
This is available since OpenSSL 0.9.8 (even in RHEL5).
This is also done because we cannot implement it identically under
OpenSSL 1.1.0 due to missing getters.
Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
1.1.0 getter returning a different code on this case.
Use getter for xkusage in the non-zero test case.
Provide fallback definitions for getters.
PR pkg/52298, PR pkg/52648
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/pkg_install/dist/lib/license.c
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/pkg_install/dist/lib/pkcs7.c \
src/external/bsd/pkg_install/dist/lib/pkg_io.c
cvs rdiff -u -r1.11 -r1.12 src/external/bsd/pkg_install/dist/lib/version.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: