NetBSD Problem Report #52298

From www@NetBSD.org  Wed Jun 14 01:34:07 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id A6F097A111
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 14 Jun 2017 01:34:07 +0000 (UTC)
Message-Id: <20170614013406.63ECB7A290@mollari.NetBSD.org>
Date: Wed, 14 Jun 2017 01:34:06 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
X-Send-Pr-Version: www-1.0

>Number:         52298
>Category:       pkg
>Synopsis:       pkgtools/pkg_install fails to build with OpenSSL 1.1.0 due to incomplete type in check_ca()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    agc
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 14 01:35:00 +0000 2017
>Closed-Date:    Tue Oct 24 15:55:18 +0000 2017
>Last-Modified:  Sun Feb 04 09:05:01 +0000 2018
>Originator:     Sevan Janiyan
>Release:        pkgsrc-current
>Organization:
>Environment:
Linux pkgsrc 4.9.0-3-amd64 #1 SMP Debian 4.9.30-1 (2017-06-04) x86_64 GNU/Linux

>Description:
On Debian 9.0 with OpenSSL 1.1.0f installed, attempting to bootstrap pkgsrc fails with the following error:

cc -DHAVE_CONFIG_H -DDEF_LOG_DIR=\"/usr/pbulk/pkgdb\" -D_LARGEFILE_SOURCE -D_LARGE_FILES -D_FILE_OFFSET_BITS=64 -DDEF_UMASK=022 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/bzip2 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libarchive/libarchive -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libfetch -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work -DHAVE_NBCOMPAT_H=1 -I/tmp/work-pbulk/wrk/pkgtools/pkg_install/work/libnbcompat -I/usr/include -I. -I. -DSYSCONFDIR=\"/usr/pbulk/etc\" -DHAVE_SSL -O2 -I/usr/include -c pkcs7.c
pkcs7.c: In function 'check_ca':
pkcs7.c:63:11: error: dereferencing pointer to incomplete type 'X509 {aka struct x509_st}'
  if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
           ^~
*** [pkcs7.o] Error code 1

bmake[1]: stopped in /tmp/work-pbulk/wrk/pkgtools/pkg_install/work/pkg_install-20170419/lib

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->agc
Responsible-Changed-By: hauke@NetBSD.org
Responsible-Changed-When: Wed, 14 Jun 2017 19:28:04 +0000
Responsible-Changed-Why:
Over to maintainer.


From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL
 1.1.0 due to incomplete type in check_ca()
Date: Sun, 25 Jun 2017 03:54:01 +0000


 Hi, candidate patch


 Index: lib/pkcs7.c
 ===================================================================
 RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
 retrieving revision 1.5
 diff -u -r1.5 pkcs7.c
 --- lib/pkcs7.c	2 Aug 2009 17:56:45 -0000	1.5
 +++ lib/pkcs7.c	25 Jun 2017 03:52:28 -0000
 @@ -57,6 +57,7 @@

  static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;

 +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x100020bfL)
  static int
  check_ca(X509 *cert)
  {
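Review bot: the cutoff in the new `#if` at the top of this hunk, `OPENSSL_VERSION_NUMBER < 0x100020bfL`, encodes release 1.0.2k, not 1.1.0, which is the release where the X509 struct became opaque and the reported build error appears; any 1.0.2 build from 1.0.2k onward would therefore take the `#else` branch for no reason. Use `0x10100000L` so the guard tracks the API change that actually breaks the build, or drop the guard and the custom body altogether, since `X509_check_ca()` is available on every OpenSSL version pkg_install still cares about.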
 @@ -74,6 +75,13 @@
  		return 1;
  	return 0;
  }
 +#else
 +static int
 +check_ca(X509 *cert)
 +{
 +	return X509_check_ca(cert);
 +}
 +#endif

  static STACK_OF(X509) *
  file_to_certs(const char *file)
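Review bot: `X509_check_ca()` in the `#else` branch does not return exactly 0 or 1 as the hand-written `check_ca()` above it does; it returns a small non-zero code distinguishing the kind of CA certificate found. The existing callers only test the result for truthiness, so the substitution is safe, but a one-line comment on the wrapper saying "non-zero means CA" would stop a future `== 1` comparison from silently accepting some CA certificates as signers. Keeping two implementations of the same predicate under a version switch also means the pre-1.1.0 path never gets exercised on new systems; one `return X509_check_ca(cert);` for both branches is easier to keep correct.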


From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL 1.1.0
 due to incomplete type in check_ca()
Date: Mon, 26 Jun 2017 01:24:20 +0100

 That worked but it looks like there's more fallout.

 pkcs7.c: In function 'easy_pkcs7_verify':
 pkcs7.c:196:33: error: dereferencing pointer to incomplete type 'X509
 {aka struct x509_st}'
     if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
                                  ^~


 sevan

From: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/52298: pkgtools/pkg_install fails to build with OpenSSL
 1.1.0 due to incomplete type in check_ca()
Date: Tue, 4 Jul 2017 09:06:00 +0000

 ===================================================================
 RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c,v
 retrieving revision 1.5
 diff -u -r1.5 pkcs7.c
 --- lib/pkcs7.c	2 Aug 2009 17:56:45 -0000	1.5
 +++ lib/pkcs7.c	2 Jul 2017 17:27:34 -0000
 @@ -55,25 +55,11 @@
  #define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
  #endif

 -static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
 +#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x10100000L)
 +#define X509_get_extended_key_usage(x) x->ex_xkusage
 +#endif

 -static int
 -check_ca(X509 *cert)
 -{
 -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0 &&
 -	    (cert->ex_kusage & KU_KEY_CERT_SIGN) != KU_KEY_CERT_SIGN)
 -		return 0;
 -	if ((cert->ex_flags & EXFLAG_BCONS) != 0)
 -		return (cert->ex_flags & EXFLAG_CA) == EXFLAG_CA;
 -	if ((cert->ex_flags & (EXFLAG_V1|EXFLAG_SS)) == (EXFLAG_V1|EXFLAG_SS))
 -		return 1;
 -	if ((cert->ex_flags & EXFLAG_KUSAGE) != 0)
 -		return 1;
 -	if ((cert->ex_flags & EXFLAG_NSCERT) != 0 &&
 -	    (cert->ex_nscert & NS_ANY_CA) != 0)
 -		return 1;
 -	return 0;
 -}
 +static const unsigned int pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;

  static STACK_OF(X509) *
  file_to_certs(const char *file)
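Review bot: the fallback `#define X509_get_extended_key_usage(x) x->ex_xkusage` should parenthesise its parameter, `(x)->ex_xkusage`; every call site in this patch passes a plain function-call expression so it expands correctly today, but a cast or comma expression as the argument would not. A second fallback for the extension flags (`#define X509_get_extension_flags(x) (x)->ex_flags`) belongs in the same `#if` block, because the "no usage" tests later in this patch cannot be expressed correctly on 1.1.0 through the extended-key-usage getter alone (see the note on the next hunk).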
 @@ -180,18 +166,18 @@
  		/* Compute ex_xkusage */
  		X509_check_purpose(sk_X509_value(signers, i), -1, -1);

 -		if (check_ca(sk_X509_value(signers, i))) {
 +		if (X509_check_ca(sk_X509_value(signers, i))) {
  			warnx("CA keys are not valid for signatures");
  			goto cleanup;
  		}
  		if (is_pkg) {
 -			if (sk_X509_value(signers, i)->ex_xkusage != pkg_key_usage) {
 +			if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != pkg_key_usage) {
  				warnx("Certificate must have CODE SIGNING "
  				    "and EMAIL PROTECTION property");
  				goto cleanup;
  			}
  		} else {
 -			if (sk_X509_value(signers, i)->ex_xkusage != 0) {
 +			if (X509_get_extended_key_usage(sk_X509_value(signers, i)) != 0) {
  				warnx("Certificate must not have any property");
  				goto cleanup;
  			}
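Review bot: the `!= 0` comparison on `X509_get_extended_key_usage(...)` in the `else` branch (the "Certificate must not have any property" check) is only correct with the raw-field fallback, where a certificate without an extendedKeyUsage extension yields 0. OpenSSL 1.1.0's real getter reports that case as UINT32_MAX, not 0, so on a 1.1.0 build every extension-less signer would be rejected by this branch. Test the EXFLAG_XKUSAGE bit of `X509_get_extension_flags()` instead, with a matching `x->ex_flags` fallback macro for older OpenSSL; the `!= pkg_key_usage` test in the `is_pkg` branch can stay, since it compares against a non-zero mask that the getter never returns by accident.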
 @@ -271,12 +257,12 @@
  	/* Compute ex_kusage */
  	X509_check_purpose(certificate, -1, 0);

 -	if (check_ca(certificate)) {
 +	if (X509_check_ca(certificate)) {
  		warnx("CA keys are not valid for signatures");
  		goto cleanup;
  	}

 -	if (certificate->ex_xkusage != pkg_key_usage) {
 +	if (X509_get_extended_key_usage(certificate) != pkg_key_usage) {
  		warnx("Certificate must have CODE SIGNING "
  		    "and EMAIL PROTECTION property");
  		goto cleanup;

From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52298 CVS commit: pkgsrc/pkgtools/pkg_install/files/lib
Date: Tue, 24 Oct 2017 15:54:31 +0000

 Module Name:	pkgsrc
 Committed By:	maya
 Date:		Tue Oct 24 15:54:31 UTC 2017

 Modified Files:
 	pkgsrc/pkgtools/pkg_install/files/lib: pkcs7.c

 Log Message:
 pkg_install: Fix OpenSSL 1.1.0 build

 OpenSSL 1.1.0 makes xkusage and ex_flags opaque.

 Use X509_check_ca rather than a custom and nearly identical implementation.
 This is available since OpenSSL 0.9.8 (even in RHEL5).

 This is also done because we cannot implement it identically under
 OpenSSL 1.1.0 due to missing getters.

 Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
 1.1.0 getter returning a different code on this case.

 Use getter for xkusage in the non-zero test case.

 Provide fallback definitions for getters.

 PR pkg/52298, PR pkg/52648


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 pkgsrc/pkgtools/pkg_install/files/lib/pkcs7.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
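The behaviour the commit message describes, as a constructed C model added here (not pkg_install's or OpenSSL's code): it contrasts the raw-field fallback with OpenSSL 1.1.0's `X509_get_extended_key_usage()`, which returns UINT32_MAX for a certificate without an extendedKeyUsage extension, and shows why the "no usage" check must test EXFLAG_XKUSAGE rather than compare the getter's value with zero. The flag values are assumed to mirror OpenSSL's x509v3.h; the logic does not depend on them.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not pkg_install's or OpenSSL's code. Flag values are
 * assumed to mirror OpenSSL's x509v3.h; the logic does not depend on them. */
#define EXFLAG_XKUSAGE 0x4u
#define XKU_SMIME      0x4u
#define XKU_CODE_SIGN  0x8u

/* The two X509 fields that became opaque in OpenSSL 1.1.0. */
struct model_x509 {
    uint32_t ex_flags;
    uint32_t ex_xkusage;   /* only meaningful when EXFLAG_XKUSAGE is set */
};
static const uint32_t pkg_key_usage = XKU_CODE_SIGN | XKU_SMIME;
typedef uint32_t (*xku_getter)(const struct model_x509 *);

/* Pre-1.1.0 fallback macro in the patch: read the field directly, which
 * yields 0 for a certificate without an extendedKeyUsage extension. */
static uint32_t raw_field_xkusage(const struct model_x509 *x) { return x->ex_xkusage; }

/* OpenSSL 1.1.0's X509_get_extended_key_usage() returns UINT32_MAX when the
 * EKU extension is absent (the "different code" the commit message mentions). */
static uint32_t openssl110_xkusage(const struct model_x509 *x) {
    return (x->ex_flags & EXFLAG_XKUSAGE) ? x->ex_xkusage : UINT32_MAX;
}

/* "Certificate must not have any property" as the 4 Jul 2017 patch tested it. */
static int nonpkg_signer_ok_value_test(const struct model_x509 *x, xku_getter get) {
    return get(x) == 0;
}

/* The same check as the final commit does it: test the EXFLAG_XKUSAGE bit. */
static int nonpkg_signer_ok_flag_test(const struct model_x509 *x) {
    return (x->ex_flags & EXFLAG_XKUSAGE) == 0;
}

/* The pkg-signer check compares against a non-zero mask, so it is unaffected. */
static int pkg_signer_ok(const struct model_x509 *x, xku_getter get) {
    return get(x) == pkg_key_usage;
}

int main(void) {
    const struct model_x509 no_eku = { 0, 0 };                          /* constructed */
    const struct model_x509 pkg_eku = { EXFLAG_XKUSAGE, pkg_key_usage }; /* constructed */
    printf("no-EKU, value test, raw field:    %d\n", nonpkg_signer_ok_value_test(&no_eku, raw_field_xkusage));
    printf("no-EKU, value test, 1.1.0 getter: %d (wrongly rejected)\n", nonpkg_signer_ok_value_test(&no_eku, openssl110_xkusage));
    printf("no-EKU, flag test:                %d\n", nonpkg_signer_ok_flag_test(&no_eku));
    printf("pkg cert, 1.1.0 getter:           %d\n", pkg_signer_ok(&pkg_eku, openssl110_xkusage));
    return 0;
}
```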

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 24 Oct 2017 15:55:18 +0000
State-Changed-Why:
fixed


From: "Maya Rashish" <maya@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52298 CVS commit: src/external/bsd/pkg_install/dist/lib
Date: Sun, 4 Feb 2018 09:00:51 +0000

 Module Name:	src
 Committed By:	maya
 Date:		Sun Feb  4 09:00:51 UTC 2018

 Modified Files:
 	src/external/bsd/pkg_install/dist/lib: license.c pkcs7.c pkg_io.c
 	    version.h

 Log Message:
 Merge pkg_install-20171030

 Bump version to 20171030 for netpgpverify fixes.
 Add zsh to default_acceptable_licenses.
 Undef bootstrap hack.

 Fix OpenSSL 1.1.0 build
 OpenSSL 1.1.0 makes xkusage and ex_flags opaque.
 Use X509_check_ca rather than a custom and nearly identical implementation.
 This is available since OpenSSL 0.9.8 (even in RHEL5).
 This is also done because we cannot implement it identically under
 OpenSSL 1.1.0 due to missing getters.
 Test EXFLAG_XKUSAGE rather than zero xkusage test no usage to avoid openssl
 1.1.0 getter returning a different code on this case.
 Use getter for xkusage in the non-zero test case.
 Provide fallback definitions for getters.

 PR pkg/52298, PR pkg/52648


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/external/bsd/pkg_install/dist/lib/license.c
 cvs rdiff -u -r1.2 -r1.3 src/external/bsd/pkg_install/dist/lib/pkcs7.c \
     src/external/bsd/pkg_install/dist/lib/pkg_io.c
 cvs rdiff -u -r1.11 -r1.12 src/external/bsd/pkg_install/dist/lib/version.h

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
