Add patch for OpenSSL v3.2.0

Add a patch [1] to silence warnings from OpenSSL v3.2.0-v3.2.1 for reading from
stdin without using -in [2,3]. This will be fixed by upstream OpenSSL v3.2.2 and
v3.3.0 as well [4].

[1] https://git.build2.org/cgit/bpkg/commit/?id=40bb034f57cf37c1cbdcef337733507c230c6004
[2] https://github.com/build2/build2/issues/353
[3] https://github.com/build2/build2/issues/379
[4] https://github.com/openssl/openssl/pull/23526
This commit is contained in:
Matthew Krupcale 2024-04-24 20:24:07 -04:00
parent f069aa603a
commit b9c3486428
2 changed files with 234 additions and 0 deletions

View File

@ -0,0 +1,227 @@
From 40bb034f57cf37c1cbdcef337733507c230c6004 Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Tue, 23 Apr 2024 12:25:33 +0300
Subject: Suppress the 'reading certificate from stdin' openssl warning on
POSIX systems in bpkg-fetch
---
bpkg/auth.cxx | 137 ++++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 89 insertions(+), 48 deletions(-)
diff --git a/bpkg/auth.cxx b/bpkg/auth.cxx
index 663054d..191da0a 100644
--- a/bpkg/auth.cxx
+++ b/bpkg/auth.cxx
@@ -23,15 +23,15 @@ using namespace butl;
namespace bpkg
{
- static const string openssl_version ("version");
- static const string openssl_pkeyutl ("pkeyutl");
- static const string openssl_rsautl ("rsautl");
- static const string openssl_x509 ("x509");
-
- const char* openssl_commands[5] = {openssl_version.c_str (),
- openssl_pkeyutl.c_str (),
- openssl_rsautl.c_str (),
- openssl_x509.c_str (),
+ static const string openssl_version_cmd ("version");
+ static const string openssl_pkeyutl_cmd ("pkeyutl");
+ static const string openssl_rsautl_cmd ("rsautl");
+ static const string openssl_x509_cmd ("x509");
+
+ const char* openssl_commands[5] = {openssl_version_cmd.c_str (),
+ openssl_pkeyutl_cmd.c_str (),
+ openssl_rsautl_cmd.c_str (),
+ openssl_x509_cmd.c_str (),
nullptr};
// Print process command line.
@@ -43,9 +43,42 @@ namespace bpkg
print_process (args, n);
}
+ // Query the openssl information and return the openssl version. Cache the
+ // version on the first function call. Fail on the underlying process and IO
+ // error. Return the 0.0.0 version if unable to parse the openssl stdout.
+ //
+ static optional<semantic_version> openssl_ver;
+
+ static const semantic_version&
+ openssl_version (const common_options& co)
+ {
+ const path& openssl_path (co.openssl ()[openssl_version_cmd]);
+
+ if (!openssl_ver)
+ try
+ {
+ optional<openssl_info> oi (
+ openssl::info (print_command, 2, openssl_path));
+
+ openssl_ver = (oi && oi->name == "OpenSSL"
+ ? move (oi->version)
+ : semantic_version ());
+ }
+ catch (const process_error& e)
+ {
+ fail << "unable to execute " << openssl_path << ": " << e << endf;
+ }
+ catch (const io_error& e)
+ {
+ fail << "unable to read '" << openssl_path << "' output: " << e
+ << endf;
+ }
+
+ return *openssl_ver;
+ }
+
// Return true if the openssl version is greater or equal to 3.0.0 and so
- // pkeyutl needs to be used instead of rsautl. Cache the result on the first
- // function call.
+ // pkeyutl needs to be used instead of rsautl.
//
// Note that openssl 3.0.0 deprecates rsautl in favor of pkeyutl.
//
@@ -54,37 +87,28 @@ namespace bpkg
// (see the 'pkeyutl -verifyrecover error "input data too long to be a
// hash"' issue report for details).
//
- static optional<bool> use_pkeyutl;
-
- static bool
+ static inline bool
use_openssl_pkeyutl (const common_options& co)
{
- if (!use_pkeyutl)
- {
- const path& openssl_path (co.openssl ()[openssl_version]);
-
- try
- {
- optional<openssl_info> oi (
- openssl::info (print_command, 2, openssl_path));
-
- use_pkeyutl = oi &&
- oi->name == "OpenSSL" &&
- oi->version >= semantic_version {3, 0, 0};
- }
- catch (const process_error& e)
- {
- fail << "unable to execute " << openssl_path << ": " << e << endf;
- }
- catch (const io_error& e)
- {
- fail << "unable to read '" << openssl_path << "' output: " << e
- << endf;
- }
- }
+ return openssl_version (co) >= semantic_version {3, 0, 0};
+ }
- return *use_pkeyutl;
+ // Return true if some openssl commands (openssl x509 -fingerprint, etc) may
+ // issue the 'Reading certificate from stdin since no -in or -new option is
+ // given' warning. This is the case for the openssl version in the [3.2.0
+ // 3.3.0) range (see GH issue #353 for details).
+ //
+ // Note that there is no easy way to suppress this warning on Windows and
+ // thus we don't define this function there.
+ //
+#ifndef _WIN32
+ static inline bool
+ openssl_warn_stdin (const common_options& co)
+ {
+ const semantic_version& v (openssl_version (co));
+ return v >= semantic_version {3, 2, 0} && v < semantic_version {3, 3, 0};
}
+#endif
// Find the repository location prefix that ends with the version component.
// We consider all repositories under this location to be related.
@@ -190,15 +214,25 @@ namespace bpkg
dr << ": " << *e;
};
- const path& openssl_path (co.openssl ()[openssl_x509]);
- const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
+ const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
+ const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
try
{
openssl os (print_command,
fdstream_mode::text, fdstream_mode::text, 2,
- openssl_path, openssl_x509,
- openssl_opts, "-sha256", "-noout", "-fingerprint");
+ openssl_path, openssl_x509_cmd,
+ openssl_opts,
+ "-sha256",
+ "-noout",
+ "-fingerprint"
+#ifndef _WIN32
+ ,
+ (openssl_warn_stdin (co)
+ ? cstrings ({"-in", "/dev/stdin"})
+ : cstrings ())
+#endif
+ );
os.out << pem;
os.out.close ();
@@ -288,8 +322,8 @@ namespace bpkg
dr << ": " << *e;
};
- const path& openssl_path (co.openssl ()[openssl_x509]);
- const strings& openssl_opts (co.openssl_option ()[openssl_x509]);
+ const path& openssl_path (co.openssl ()[openssl_x509_cmd]);
+ const strings& openssl_opts (co.openssl_option ()[openssl_x509_cmd]);
try
{
@@ -315,7 +349,7 @@ namespace bpkg
openssl os (
print_command,
fdstream_mode::text, fdstream_mode::text, 2,
- openssl_path, openssl_x509,
+ openssl_path, openssl_x509_cmd,
openssl_opts, "-noout", "-subject", "-dates", "-email",
// Previously we have used "RFC2253,sep_multiline" format to display
@@ -347,6 +381,13 @@ namespace bpkg
// sep_multiline - display field per line.
//
"-nameopt", "utf8,esc_ctrl,dump_nostr,dump_der,sname,sep_multiline"
+
+#ifndef _WIN32
+ ,
+ (openssl_warn_stdin (co)
+ ? cstrings ({"-in", "/dev/stdin"})
+ : cstrings ())
+#endif
);
// We unset failbit to provide the detailed error description (which
@@ -877,7 +918,7 @@ namespace bpkg
};
bool ku (use_openssl_pkeyutl (co));
- const string& cmd (ku ? openssl_pkeyutl : openssl_rsautl);
+ const string& cmd (ku ? openssl_pkeyutl_cmd : openssl_rsautl_cmd);
const path& openssl_path (co.openssl ()[cmd]);
const strings& openssl_opts (co.openssl_option ()[cmd]);
@@ -973,8 +1014,8 @@ namespace bpkg
};
const string& cmd (use_openssl_pkeyutl (co)
- ? openssl_pkeyutl
- : openssl_rsautl);
+ ? openssl_pkeyutl_cmd
+ : openssl_rsautl_cmd);
const path& openssl_path (co.openssl ()[cmd]);
const strings& openssl_opts (co.openssl_option ()[cmd]);
--
cgit v1.1

View File

@ -27,6 +27,9 @@ Source100: https://pkg.cppget.org/1/beta/odb/libodb-%{libodb_bundle_version
Source101: https://pkg.cppget.org/1/beta/odb/libodb-sqlite-%{libodb_bundle_version}.tar.gz
%endif
# Upstream: https://git.build2.org/cgit/bpkg/commit/?id=40bb034f57cf37c1cbdcef337733507c230c6004
Patch3000: bpkg-openssl-v3.2.0-stdin-warn.patch
BuildRequires: gcc-c++
BuildRequires: libpkgconf-devel
%if %{with bootstrap}
@ -257,6 +260,9 @@ This package contains the %{name} RPM macros.
%else
%setup -q -c -n %{name}-toolchain-%{version} -a 1 -a 2 -a 3 -a 4 -a 100 -a 101
%endif
pushd bpkg-%{version}
%patch -p 1 -P 3000
popd
mv libbutl-%{version} %{name}-%{version}
%build
@ -635,6 +641,7 @@ b test:
%changelog
* Sat Apr 20 2024 Matthew Krupcale <mkrupcale@gmail.com> - 0.16.0-4
- Rebuild for libpkgconf ABI changes
- Apply patch to silence OpenSSL v3.2.0 warnings in bpkg
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.16.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild