
Bug#1068119: Solution for 1068119 - compile error for s390-tools 2.16.0-2



Control: affects -1 + mmdebstrap

Hi,

On Mon, 27 May 2024 12:07:11 +0200 Steffen Eiden <seiden@linux.ibm.com> wrote:
> this issue is already fixed upstream since v2.22.0.
> 
> Do one of:
> - apply the upstream fix [1,2]
> - update your package to at least v2.22.0
> 
> 
> The upstream fix disables the warning similar to the kernel[3] (see 
> commit description) as there is no better solution for this as of now.
> 
> I can ensure the code is correct and does no weird things (see lkml).
> There is also a s390-tools upstream discussion regarding this issue.[4]
> 
> 
> Steffen Eiden
> s390-tools upstream-maintainer

Based on Steffen's input, I just did a 0-day NMU of s390-tools as this RC bug
is older than 7 days and there was no maintainer activity on the bug for 7 days
and there does not seem to be a packaging VCS where a fix could maybe be found
already.

I also had to cherry-pick another commit from upstream fixing another build
failure with OpenSSL 3.0, namely 8723dbce048add87ce10fe8c72eea75c4f828ef8.

This package affects the /usr-move transition because due to this FTBFS, it is
not possible to rebuild s390-tools on unstable with new packages for the 64-bit
time_t transition and that in turn makes apt select the wrong packages in the
mmdebstrap autopkgtest which we need to succeed to transition util-linux,
bash, dash, glibc and base-files to testing.

The debdiff is attached.

Thanks!

cheers, josch
diff -Nru s390-tools-2.16.0/debian/changelog s390-tools-2.16.0/debian/changelog
--- s390-tools-2.16.0/debian/changelog	2021-08-18 09:26:50.000000000 +0200
+++ s390-tools-2.16.0/debian/changelog	2024-06-11 11:15:24.000000000 +0200
@@ -1,3 +1,12 @@
+s390-tools (2.16.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patches from upstream to fix FTBFS (closes: #1068119)
+     - 0001-genprotimg-boot-disable-Warray-bounds-for-now.patch
+     - 0001-genprotimg-add-OpenSSL-3.0-support.patch
+
+ -- Johannes Schauer Marin Rodrigues <josch@debian.org>  Tue, 11 Jun 2024 11:15:24 +0200
+
 s390-tools (2.16.0-2) unstable; urgency=medium
 
   * Add missing build-dependency on libglib2.0-dev. (Closes: #992249)
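
Review bot: The new changelog entry lists both patches under a single bullet that closes #1068119, although the OpenSSL 3.0 patch addresses a separate build failure. Give each patch its own line stating which failure it fixes, and cite the upstream commit ids (9e620058184cfdf026241b953bfbb095256198a0 and 8723dbce048add87ce10fe8c72eea75c4f828ef8) so the NMU can be audited and the patches dropped cleanly once the package moves to an upstream release that contains them.
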
diff -Nru s390-tools-2.16.0/debian/patches/0001-genprotimg-add-OpenSSL-3.0-support.patch s390-tools-2.16.0/debian/patches/0001-genprotimg-add-OpenSSL-3.0-support.patch
--- s390-tools-2.16.0/debian/patches/0001-genprotimg-add-OpenSSL-3.0-support.patch	1970-01-01 01:00:00.000000000 +0100
+++ s390-tools-2.16.0/debian/patches/0001-genprotimg-add-OpenSSL-3.0-support.patch	2024-06-11 11:15:06.000000000 +0200
@@ -0,0 +1,151 @@
+From 8723dbce048add87ce10fe8c72eea75c4f828ef8 Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer <mhartmay@linux.ibm.com>
+Date: Wed, 23 Jun 2021 13:16:25 +0000
+Subject: [PATCH] genprotimg: add OpenSSL 3.0 support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add OpenSSL 3.0 support while still supporting OpenSSL 1.1.0 and newer. For this
+set the OPENSSL_API_COMPAT user defined macro to OpenSSL 1.1.0 (see
+https://www.openssl.org/docs/manmaster/man7/OPENSSL_API_COMPAT.html) so we don't
+see any deprecation warnings when using OpenSSL 3.0. In addition, add an
+compatibility layer for OpenSSL since some OpenSSL API functions were constified
+with OpenSSL 3.0.
+
+Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/112
+Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+---
+ genprotimg/src/Makefile               |  1 +
+ genprotimg/src/utils/crypto.c         | 15 ++++++------
+ genprotimg/src/utils/openssl_compat.h | 33 +++++++++++++++++++++++++++
+ 4 files changed, 43 insertions(+), 7 deletions(-)
+ create mode 100644 genprotimg/src/utils/openssl_compat.h
+
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index a71bb1e..0e811d6 100644
+--- a/genprotimg/src/Makefile
++++ b/genprotimg/src/Makefile
+@@ -29,6 +29,7 @@ $(bin_PROGRAM)_OBJS := $($(bin_PROGRAM)_SRCS:.c=.o)
+ 
+ ALL_CFLAGS += -std=gnu11 -DPKGDATADIR=$(PKGDATADIR) \
+ 	$(GLIB2_CFLAGS) $(LIBCRYPTO_CFLAGS) $(LIBCURL_CFLAGS) \
++	-DOPENSSL_API_COMPAT=0x10100000L \
+ 	$(WARNINGS) \
+ 	$(NULL)
+ ALL_CPPFLAGS += $(INCLUDE_PARMS)
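
Review bot: `-DOPENSSL_API_COMPAT=0x10100000L` is added to ALL_CFLAGS with no comment, and it applies to every genprotimg source file, so under OpenSSL 3.0 it hides deprecation warnings for all of them and not only for the CRL code touched by this patch. A short Makefile comment saying why the level is pinned to 1.1.0, and that it should be raised once the deprecated calls are ported, would keep the suppression from outliving its purpose.
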
+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
+index 2e4750b..087de37 100644
+--- a/genprotimg/src/utils/crypto.c
++++ b/genprotimg/src/utils/crypto.c
+@@ -31,6 +31,7 @@
+ 
+ #include "buffer.h"
+ #include "curl.h"
++#include "openssl_compat.h"
+ #include "crypto.h"
+ 
+ #define DEFINE_GSLIST_MAP(t2, t1)					\
+@@ -1438,7 +1439,7 @@ static const char *get_first_dp_url(DIST_POINT *dp)
+ 	return NULL;
+ }
+ 
+-static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
++static gboolean insert_crl(const X509_NAME *name, X509_CRL *crl)
+ {
+ 	g_autofree gchar *key = NULL;
+ 
+@@ -1453,7 +1454,7 @@ static gboolean insert_crl(X509_NAME *name, X509_CRL *crl)
+ }
+ 
+ /* Caller is responsible for free'ing */
+-static X509_CRL *lookup_crl(X509_NAME *name)
++static X509_CRL *lookup_crl(const X509_NAME *name)
+ {
+ 	g_autoptr(X509_CRL) crl = NULL;
+ 	g_autofree gchar *key = NULL;
+@@ -1473,7 +1474,7 @@ static X509_CRL *lookup_crl(X509_NAME *name)
+ }
+ 
+ /* Returns empty stack if no CRL downloaded. */
+-static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
++static STACK_OF_X509_CRL *crls_download_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ 	g_autoptr(STACK_OF_X509_CRL) crls = NULL;
+ 	g_autoptr(X509_CRL) crl = NULL;
+@@ -1483,7 +1484,7 @@ static STACK_OF_X509_CRL *crls_download_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
+ 	crls = sk_X509_CRL_new_null();
+ 	if (!crls)
+ 		g_abort();
+-	cert = X509_STORE_CTX_get_current_cert(ctx);
++	cert = Pv_X509_STORE_CTX_get_current_cert(ctx);
+ 	if (!cert)
+ 		return g_steal_pointer(&crls);
+ 	g_assert(X509_NAME_cmp(X509_get_issuer_name(cert), nm) == 0);
+@@ -1527,19 +1528,19 @@ void STACK_OF_X509_CRL_free(STACK_OF_X509_CRL *stack)
+ /* Downloaded CRLs have a higher precedence than the CRLs specified on the
+  * command line.
+  */
+-static STACK_OF_X509_CRL *crls_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
++static STACK_OF_X509_CRL *crls_cb(const X509_STORE_CTX *ctx, const X509_NAME *nm)
+ {
+ 	g_autoptr(STACK_OF_X509_CRL) crls = crls_download_cb(ctx, nm);
+ 
+ 	if (sk_X509_CRL_num(crls) > 0)
+ 		return g_steal_pointer(&crls);
+-	return X509_STORE_CTX_get1_crls(ctx, nm);
++	return Pv_X509_STORE_CTX_get1_crls(ctx, nm);
+ }
+ 
+ /* Set up CRL lookup with download support */
+ void store_setup_crl_download(X509_STORE *st)
+ {
+-	X509_STORE_set_lookup_crls(st, crls_cb);
++	Pv_X509_STORE_set_lookup_crls(st, crls_cb);
+ }
+ 
+ /* Download a CRL using the URI specified in the distribution @crldp */
+diff --git a/genprotimg/src/utils/openssl_compat.h b/genprotimg/src/utils/openssl_compat.h
+new file mode 100644
+index 0000000..791c31f
+--- /dev/null
++++ b/genprotimg/src/utils/openssl_compat.h
+@@ -0,0 +1,33 @@
++/*
++ * OpenSSL compatibility utils
++ *
++ * Copyright IBM Corp. 2021
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#ifndef PV_UTILS_OPENSSL_COMPAT_H
++#define PV_UTILS_OPENSSL_COMPAT_H
++
++#include <openssl/opensslv.h>
++#include <openssl/x509.h>
++#include <openssl/x509_vfy.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#define Pv_X509_STORE_CTX_get_current_cert(ctx)                                \
++	X509_STORE_CTX_get_current_cert((X509_STORE_CTX *)(ctx))
++#define Pv_X509_STORE_CTX_get1_crls(ctx, nm)                                   \
++	X509_STORE_CTX_get1_crls((X509_STORE_CTX *)(ctx), (X509_NAME *)(nm))
++#define Pv_X509_STORE_set_lookup_crls(st, cb)                                  \
++	X509_STORE_set_lookup_crls(st, (X509_STORE_CTX_lookup_crls_fn)(cb))
++#else
++#define Pv_X509_STORE_CTX_get_current_cert(ctx)                                \
++	X509_STORE_CTX_get_current_cert(ctx)
++#define Pv_X509_STORE_CTX_get1_crls(ctx, nm)                                   \
++	X509_STORE_CTX_get1_crls(ctx, nm)
++#define Pv_X509_STORE_set_lookup_crls(st, cb)                                  \
++	X509_STORE_set_lookup_crls(st, cb)
++#endif
++
++#endif
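
Review bot: In the pre-3.0 branch, `Pv_X509_STORE_set_lookup_crls` casts `cb` to `X509_STORE_CTX_lookup_crls_fn`, which silences the mismatch between the now const-qualified `crls_cb` and the older callback typedef. Calling a function through a pointer of a different function type is not defined by the C standard, and the cast would also mask any later signature drift in the callback. Consider selecting the callback's parameter types with the same `OPENSSL_VERSION_NUMBER` check so that no function-pointer cast is needed, and add a comment on the two argument casts that drop `const` explaining why that is acceptable on the older API.
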
+-- 
+2.39.2
+
diff -Nru s390-tools-2.16.0/debian/patches/0001-genprotimg-boot-disable-Warray-bounds-for-now.patch s390-tools-2.16.0/debian/patches/0001-genprotimg-boot-disable-Warray-bounds-for-now.patch
--- s390-tools-2.16.0/debian/patches/0001-genprotimg-boot-disable-Warray-bounds-for-now.patch	1970-01-01 01:00:00.000000000 +0100
+++ s390-tools-2.16.0/debian/patches/0001-genprotimg-boot-disable-Warray-bounds-for-now.patch	2024-06-11 11:15:06.000000000 +0200
@@ -0,0 +1,50 @@
+From 9e620058184cfdf026241b953bfbb095256198a0 Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer <mhartmay@linux.ibm.com>
+Date: Tue, 26 Apr 2022 09:22:10 +0000
+Subject: [PATCH] genprotimg/boot: disable `-Warray-bounds` for now
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This work around fixes the gcc-12 false positive by disabling `Warray-bounds`:
+
+  CC      genprotimg/boot/stage3a.o
+  In file included from stage3a.c:14:
+  In function ‘__test_facility’,
+      inlined from ‘test_facility’ at ../../include/boot/s390.h:428:9,
+      inlined from ‘start’ at stage3a.c:42:7:
+  ../../include/boot/s390.h:418:17: error: array subscript 0 is outside array bounds of ‘void[0]’ [-Werror=array-bounds]
+    418 |         return (*ptr & (0x80 >> (nr & 7))) != 0;
+	|                 ^~~~
+
+Unfortunately, there is currently no better fix available that doesn't result
+in larger boot loader code sizes. Given the importancy of the boot loader file
+sizes the other fixes aren't acceptable. The Linux kernel shares the
+problem (but for performance reasons), take a look at the discussion
+https://lore.kernel.org/lkml/yt9dzgkelelc.fsf@linux.ibm.com/ for details.
+
+Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/130
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+---
+ genprotimg/boot/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
+index f957a70..95bd6cc 100644
+--- a/genprotimg/boot/Makefile
++++ b/genprotimg/boot/Makefile
+@@ -15,7 +15,8 @@ ALL_CFLAGS := $(NO_PIE_CFLAGS) -Os -g \
+ 	-fno-delete-null-pointer-checks -fno-stack-protector \
+ 	-fexec-charset=IBM1047 -m64 -mpacked-stack \
+ 	-mstack-size=4096 -mstack-guard=128 -msoft-float \
+-	-Wall -Wformat-security -Wextra -Werror
++	-Wall -Wformat-security -Wextra -Werror \
++	-Wno-array-bounds
+ 
+ FILES := stage3a.bin stage3b.bin stage3b_reloc.bin
+ 
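
Review bot: `-Wno-array-bounds` is appended to ALL_CFLAGS for the whole boot directory, while the reported false positive is a single site, `__test_facility` in include/boot/s390.h. With the warning off, `-Werror` no longer stops the build on a genuine out-of-bounds subscript in the stage3a/stage3b code that this diagnostic would have flagged. Since the subject says "for now", add a Makefile comment beside the flag pointing at https://github.com/ibm-s390-linux/s390-tools/issues/130 so the suppression is revisited when a fix that does not grow the boot loader exists.
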
+-- 
+2.39.2
+
diff -Nru s390-tools-2.16.0/debian/patches/series s390-tools-2.16.0/debian/patches/series
--- s390-tools-2.16.0/debian/patches/series	2018-02-04 17:28:02.000000000 +0100
+++ s390-tools-2.16.0/debian/patches/series	2024-06-11 11:15:06.000000000 +0200
@@ -4,3 +4,5 @@
 zipl-optional.patch
 disable.patch
 sg3-utils.patch
+0001-genprotimg-boot-disable-Warray-bounds-for-now.patch
+0001-genprotimg-add-OpenSSL-3.0-support.patch
