Bug 252548 - security/libtasn1: fail to parse certificate if compiled with clang 10+ and -O2/-O3
Summary: security/libtasn1: fail to parse certificate if compiled with clang 10+ and -...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Roman Bogorodskiy
URL: https://gitlab.com/gnutls/libtasn1/-/...
Keywords:
Depends on:
Blocks: 251153
  Show dependency treegraph
 
Reported: 2021-01-10 01:50 UTC by Ivan Rozhuk
Modified: 2021-05-23 18:08 UTC (History)
6 users (show)

See Also:
bugzilla: maintainer-feedback? (novel)


Attachments
test tool (3.78 KB, text/plain)
2021-01-10 01:50 UTC, Ivan Rozhuk
no flags Details
test data (1.48 KB, application/pkix-cert)
2021-01-10 01:50 UTC, Ivan Rozhuk
no flags Details
port fix (916 bytes, patch)
2021-01-11 12:47 UTC, Roman Bogorodskiy
no flags Details | Diff
remove clang workaround (696 bytes, patch)
2021-05-16 04:39 UTC, Roman Bogorodskiy
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ivan Rozhuk 2021-01-10 01:50:13 UTC
Created attachment 221432 [details]
test tool

Not sure that this is a libtasn1 error or clang.

I am update my desktop to current and claws-mail show me certs errors, I dig inside and found that gnutls_x509_crt_get_fingerprint() fails.
At next step I found that if I rebuild libtasn1 with debug then it fixes errors.

I wrote test app to reproduce error and check on other systems.
On my home server (12.2) gnutls+libtasn1 was already installed and no errors happen. But after I rebuild libtasn1 - test app show error.
Now I can not fix because even with -O0 it produces error.


Build test tool:
cc gnutls_test.c -O0 -DDEBUG -I/usr/local/include -L/usr/local/lib -lm -lgnutls -o gnutls_test

Run test:
./gnutls_test ./pop.mail.ru.995.cert


With:
clang version 11.0.1 (git@github.com:llvm/llvm-project.git llvmorg-11.0.1-rc2-0-g43ff75f2c3f)
13.0-CURRENT FreeBSD 13.0-CURRENT
even -O2 gives code that does not work.
-O1, -O0 - work.

With:
clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
12.2-STABLE 5586a4e13931(stable/12)
does not work with any -O values.
Comment 1 Ivan Rozhuk 2021-01-10 01:50:36 UTC
Created attachment 221433 [details]
test data
Comment 2 Ivan Rozhuk 2021-01-10 02:47:24 UTC
I make small mistake: on 12.2 with clang 10.0.1 -O1 and -O0 work.
gcc9 -O3 - work.
Comment 3 Ivan Rozhuk 2021-01-10 02:49:20 UTC
https://gitlab.com/gnutls/libtasn1/-/issues/30
Comment 4 Ivan Rozhuk 2021-01-10 02:59:28 UTC
Workaround:
CFLAGS+=-O1
Comment 5 Eirik Oeverby 2021-01-10 12:22:58 UTC
This also breaks gnutls certtool, thank you for reporting. Finally explains the bizarre behaviour we've seen here.
Comment 6 Roman Bogorodskiy freebsd_committer 2021-01-11 12:47:40 UTC
Created attachment 221457 [details]
port fix

Thanks for the report.
Does the attached patch look good to you?
Comment 7 Kurt Jaeger freebsd_committer 2021-01-11 12:55:12 UTC
tested with rdesktop on 12.2.

Before: rdesktop dumps core
Steps: rebuild libtasn1 and pkg add -f on the target system
After that: rdesktop works.
Comment 8 Ivan Rozhuk 2021-01-11 14:27:58 UTC
(In reply to Roman Bogorodskiy from comment #6)

Yes, but I do not test it.
Comment 9 commit-hook freebsd_committer 2021-01-11 15:19:44 UTC
A commit references this bug:

Author: novel
Date: Mon Jan 11 15:19:10 UTC 2021
New revision: 561219
URL: https://svnweb.freebsd.org/changeset/ports/561219

Log:
  security/libtasn1: add a workaround for clang 10+

  When compiled with clang 10+ and -O[2-9], the resulting package
  fails to parse certificates.

  As a workaround, downgrade optimization to -O1.

  Upstream issue: https://gitlab.com/gnutls/libtasn1/-/issues/30

  PR:		252548
  Reported by:	rozhuk.im@gmail.com

Changes:
  head/security/libtasn1/Makefile
Comment 10 Alexey Dokuchaev freebsd_committer 2021-03-15 07:12:26 UTC
Closing per commit ports r561219 and feedback in the bug #251153.
Comment 11 Roman Bogorodskiy freebsd_committer 2021-05-16 04:39:58 UTC
Created attachment 224985 [details]
remove clang workaround

Upstream reports that it should be fixed in 4.17.0. I've checked with gnutls_test.c and looks like the workaround is no longer necessary.
Would appreciate if somebody could double check.
Comment 12 Kurt Jaeger freebsd_committer 2021-05-23 18:08:36 UTC
(In reply to Roman Bogorodskiy from comment #11)
I tested it on CURRENT and 13.0, both amd64, looks ok.