Bug 252548 - security/libtasn1: fail to parse certificate if compiled with clang 10+ and -O2/-O3
Summary: security/libtasn1: fail to parse certificate if compiled with clang 10+ and -...
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Roman Bogorodskiy
URL: https://gitlab.com/gnutls/libtasn1/-/...
Keywords:
Depends on:
Blocks: 251153
  Show dependency treegraph
 
Reported: 2021-01-10 01:50 UTC by rozhuk.im
Modified: 2021-01-11 15:19 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (novel)

Attachments
test tool (3.78 KB, text/plain)
2021-01-10 01:50 UTC, rozhuk.im 		no flags Details
test data (1.48 KB, application/pkix-cert)
2021-01-10 01:50 UTC, rozhuk.im 		no flags Details
port fix (916 bytes, patch)
2021-01-11 12:47 UTC, Roman Bogorodskiy 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description rozhuk.im 2021-01-10 01:50:13 UTC 
Created attachment 221432 [details]
test tool

Not sure that this is a libtasn1 error or clang.

I am update my desktop to current and claws-mail show me certs errors, I dig inside and found that gnutls_x509_crt_get_fingerprint() fails.
At next step I found that if I rebuild libtasn1 with debug then it fixes errors.

I wrote test app to reproduce error and check on other systems.
On my home server (12.2) gnutls+libtasn1 was already installed and no errors happen. But after I rebuild libtasn1 - test app show error.
Now I can not fix because even with -O0 it produces error.


Build test tool:
cc gnutls_test.c -O0 -DDEBUG -I/usr/local/include -L/usr/local/lib -lm -lgnutls -o gnutls_test

Run test:
./gnutls_test ./pop.mail.ru.995.cert


With:
clang version 11.0.1 (git@github.com:llvm/llvm-project.git llvmorg-11.0.1-rc2-0-g43ff75f2c3f)
13.0-CURRENT FreeBSD 13.0-CURRENT
even -O2 gives code that does not work.
-O1, -O0 - work.

With:
clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
12.2-STABLE 5586a4e13931(stable/12)
does not work with any -O values.
Comment 1 rozhuk.im 2021-01-10 01:50:36 UTC 
Created attachment 221433 [details]
test data
Comment 2 rozhuk.im 2021-01-10 02:47:24 UTC 
I make small mistake: on 12.2 with clang 10.0.1 -O1 and -O0 work.
gcc9 -O3 - work.
Comment 3 rozhuk.im 2021-01-10 02:49:20 UTC 
https://gitlab.com/gnutls/libtasn1/-/issues/30
Comment 4 rozhuk.im 2021-01-10 02:59:28 UTC 
Workaround:
CFLAGS+=-O1
Comment 5 Eirik Oeverby 2021-01-10 12:22:58 UTC 
This also breaks gnutls certtool, thank you for reporting. Finally explains the bizarre behaviour we've seen here.
Comment 6 Roman Bogorodskiy freebsd_committer 2021-01-11 12:47:40 UTC 
Created attachment 221457 [details]
port fix

Thanks for the report.
Does the attached patch look good to you?
Comment 7 Kurt Jaeger freebsd_committer 2021-01-11 12:55:12 UTC 
tested with rdesktop on 12.2.

Before: rdesktop dumps core
Steps: rebuild libtasn1 and pkg add -f on the target system
After that: rdesktop works.
Comment 8 rozhuk.im 2021-01-11 14:27:58 UTC 
(In reply to Roman Bogorodskiy from comment #6)

Yes, but I do not test it.
Comment 9 commit-hook freebsd_committer 2021-01-11 15:19:44 UTC 
A commit references this bug:

Author: novel
Date: Mon Jan 11 15:19:10 UTC 2021
New revision: 561219
URL: https://svnweb.freebsd.org/changeset/ports/561219

Log:
  security/libtasn1: add a workaround for clang 10+

  When compiled with clang 10+ and -O[2-9], the resulting package
  fails to parse certificates.

  As a workaround, downgrade optimization to -O1.

  Upstream issue: https://gitlab.com/gnutls/libtasn1/-/issues/30

  PR:		252548
  Reported by:	rozhuk.im@gmail.com

Changes:
  head/security/libtasn1/Makefile