Bug 252548

Summary: security/libtasn1: fail to parse certificate if compiled with clang 10+ and -O2/-O3
Product: Ports & Packages Reporter: Ivan Rozhuk <rozhuk.im>
Component: Individual Port(s)Assignee: Roman Bogorodskiy <novel>
Status: Closed FIXED    
Severity: Affects Some People CC: bsd, danfe, ltning-freebsd, novel, pi, rozhuk.im
Priority: --- Flags: bugzilla: maintainer-feedback? (novel)
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://gitlab.com/gnutls/libtasn1/-/issues/31
Bug Depends on:    
Bug Blocks: 251153    
Attachments:
Description Flags
test tool
none
test data
none
port fix
none
remove clang workaround none

Description Ivan Rozhuk 2021-01-10 01:50:13 UTC 
Created attachment 221432 [details]
test tool

Not sure that this is a libtasn1 error or clang.

I am update my desktop to current and claws-mail show me certs errors, I dig inside and found that gnutls_x509_crt_get_fingerprint() fails.
At next step I found that if I rebuild libtasn1 with debug then it fixes errors.

I wrote test app to reproduce error and check on other systems.
On my home server (12.2) gnutls+libtasn1 was already installed and no errors happen. But after I rebuild libtasn1 - test app show error.
Now I can not fix because even with -O0 it produces error.


Build test tool:
cc gnutls_test.c -O0 -DDEBUG -I/usr/local/include -L/usr/local/lib -lm -lgnutls -o gnutls_test

Run test:
./gnutls_test ./pop.mail.ru.995.cert


With:
clang version 11.0.1 (git@github.com:llvm/llvm-project.git llvmorg-11.0.1-rc2-0-g43ff75f2c3f)
13.0-CURRENT FreeBSD 13.0-CURRENT
even -O2 gives code that does not work.
-O1, -O0 - work.

With:
clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
12.2-STABLE 5586a4e13931(stable/12)
does not work with any -O values.
Comment 1 Ivan Rozhuk 2021-01-10 01:50:36 UTC 
Created attachment 221433 [details]
test data
Comment 2 Ivan Rozhuk 2021-01-10 02:47:24 UTC 
I make small mistake: on 12.2 with clang 10.0.1 -O1 and -O0 work.
gcc9 -O3 - work.
Comment 3 Ivan Rozhuk 2021-01-10 02:49:20 UTC 
https://gitlab.com/gnutls/libtasn1/-/issues/30
Comment 4 Ivan Rozhuk 2021-01-10 02:59:28 UTC 
Workaround:
CFLAGS+=-O1
Comment 5 Eirik Oeverby 2021-01-10 12:22:58 UTC 
This also breaks gnutls certtool, thank you for reporting. Finally explains the bizarre behaviour we've seen here.
Comment 6 Roman Bogorodskiy freebsd_committer freebsd_triage 2021-01-11 12:47:40 UTC 
Created attachment 221457 [details]
port fix

Thanks for the report.
Does the attached patch look good to you?
Comment 7 Kurt Jaeger freebsd_committer freebsd_triage 2021-01-11 12:55:12 UTC 
tested with rdesktop on 12.2.

Before: rdesktop dumps core
Steps: rebuild libtasn1 and pkg add -f on the target system
After that: rdesktop works.
Comment 8 Ivan Rozhuk 2021-01-11 14:27:58 UTC 
(In reply to Roman Bogorodskiy from comment #6)

Yes, but I do not test it.
Comment 9 commit-hook freebsd_committer freebsd_triage 2021-01-11 15:19:44 UTC 
A commit references this bug:

Author: novel
Date: Mon Jan 11 15:19:10 UTC 2021
New revision: 561219
URL: https://svnweb.freebsd.org/changeset/ports/561219

Log:
  security/libtasn1: add a workaround for clang 10+

  When compiled with clang 10+ and -O[2-9], the resulting package
  fails to parse certificates.

  As a workaround, downgrade optimization to -O1.

  Upstream issue: https://gitlab.com/gnutls/libtasn1/-/issues/30

  PR:		252548
  Reported by:	rozhuk.im@gmail.com

Changes:
  head/security/libtasn1/Makefile
Comment 10 Alexey Dokuchaev freebsd_committer freebsd_triage 2021-03-15 07:12:26 UTC 
Closing per commit ports r561219 and feedback in the bug #251153.
Comment 11 Roman Bogorodskiy freebsd_committer freebsd_triage 2021-05-16 04:39:58 UTC 
Created attachment 224985 [details]
remove clang workaround

Upstream reports that it should be fixed in 4.17.0. I've checked with gnutls_test.c and looks like the workaround is no longer necessary.
Would appreciate if somebody could double check.
Comment 12 Kurt Jaeger freebsd_committer freebsd_triage 2021-05-23 18:08:36 UTC 
(In reply to Roman Bogorodskiy from comment #11)
I tested it on CURRENT and 13.0, both amd64, looks ok.
Comment 13 commit-hook freebsd_committer freebsd_triage 2021-12-30 10:55:49 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9724b5e9e0b31a29080565f3bbbd7f3f4fcf3499

commit 9724b5e9e0b31a29080565f3bbbd7f3f4fcf3499
Author:     Roman Bogorodskiy <novel@FreeBSD.org>
AuthorDate: 2021-12-30 09:54:00 +0000
Commit:     Roman Bogorodskiy <novel@FreeBSD.org>
CommitDate: 2021-12-30 10:54:55 +0000

    security/libtasn1: remove clang workaround

    The previously applied clang 10+ workaround which lowered -O
    optimization to -O1 appears to be no longer needed according to the
    upstream issue https://gitlab.com/gnutls/libtasn1/-/issues/30.

    PR:             252548
    Reported by:    Brad Smith

 security/libtasn1/Makefile | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)