<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "Menlo"), DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: 0.875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px;
}
body {
font-family: var(--default-regular-font, -apple-system),BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,0.01) 0 0 1px; font-family: var(--default-regular-font, -apple-system),BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<p class="details" style="font-style: italic; color: #737278;">
<a href="https://gitlab.com/berrange">Daniel P. Berrangé</a> created an issue: <a href="https://gitlab.com/gnutls/gnutls/-/issues/1466">#1466</a>
</p>
<div class="md" style="color: #333238; word-wrap: break-word;">
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">With the 3.8.0 release of GNUTLS, the public API has broken ABI compatibility on 32-bit platforms which have glibc >= 2.34 present.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">The issue affects any GNUTLS API that uses the <code style='font-size: 0.875rem; color: #1f1e24; word-wrap: break-word; background-color: #ececef; border-radius: 4px; margin-top: 0; font-weight: inherit; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; white-space: pre-wrap; overflow-wrap: break-word; word-break: keep-all; padding: 2px 4px;'>time_t</code> type. We detected this because it broke all the libvirt and QEMU unit tests which generate certificates, with errors about the certificate not being active yet.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">A condensed snippet from the QEMU tests to reproduce the problem is as follows:</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true" style='display: block; font-size: 0.875rem; color: #333238; line-height: 1.6em; overflow-x: auto; border-radius: 4px; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: 0.875rem; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: 4px; white-space: pre; margin-top: 0; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;">$ cat demo.c</span>
<span id="LC2" class="line" lang="plaintext"></span>
<span id="LC3" class="line" lang="plaintext">#include <gnutls/gnutls.h></span>
<span id="LC4" class="line" lang="plaintext">#include <gnutls/x509.h></span>
<span id="LC5" class="line" lang="plaintext">#include <string.h></span>
<span id="LC6" class="line" lang="plaintext">#include <stdio.h></span>
<span id="LC7" class="line" lang="plaintext">#include <assert.h></span>
<span id="LC8" class="line" lang="plaintext">#include <time.h>   /* time() and time_t; needed for the start/expire values below */</span>
<span class="line" lang="plaintext"></span>
<span id="LC9" class="line" lang="plaintext"># define PRIVATE_KEY \</span>
<span id="LC10" class="line" lang="plaintext"> "-----BEGIN RSA PRIVATE KEY-----\n" \</span>
<span id="LC11" class="line" lang="plaintext"> "MIIG5AIBAAKCAYEAyjWyLSNm5PZvYUKUcDWGqbLX10b2ood+YaFjWSnJrqx/q3qh\n" \</span>
<span id="LC12" class="line" lang="plaintext"> "rVGBJglD25AJENJsmZF3zPP1oMhfIxsXu63Hdkb6Rdlc2RUoUP34x9VC1izH25mR\n" \</span>
<span id="LC13" class="line" lang="plaintext"> "6c8DPDp1d6IraZ/llDMI1HsBFz0qGWtvOHgm815XG4PAr/N8rDsuqfv/cJ01KlnO\n" \</span>
<span id="LC14" class="line" lang="plaintext"> "0OdO5QRXCJf9g/dYd41MPu7wOXk9FqjQlmRoP59HgtJ+zUpE4z+Keruw9cMT9VJj\n" \</span>
<span id="LC15" class="line" lang="plaintext"> "0oT+pQ9ysenqeZ3gbT224T1khrEhT5kifhtFLNyDssRchUUWH0hiqoOO1vgb+850\n" \</span>
<span id="LC16" class="line" lang="plaintext"> "W6/1VdxvuPam48py4diSPi1Vip8NITCOBaX9FIpVp4Ruw4rTPVMNMjq9Cpx/DwMP\n" \</span>
<span id="LC17" class="line" lang="plaintext"> "9MbfXfnaVaZaMrmq67/zPhl0eVbUrecH2hQ3ZB9oIF4GkNskzlWF5+yPy6zqk304\n" \</span>
<span id="LC18" class="line" lang="plaintext"> "AKaiFR6jRyh3YfHo2XFqV8x/hxdsIEXOtEUGhSIcpynsW+ckUCartzu7xbhXjd4b\n" \</span>
<span id="LC19" class="line" lang="plaintext"> "kxJT89+riPFYij09AgMBAAECggGBAKyFkaZXXROeejrmHlV6JZGlp+fhgM38gkRz\n" \</span>
<span id="LC20" class="line" lang="plaintext"> "+Jp7P7rLLAY3E7gXIPQ91WqAAmwazFNdvHPd9USfkCQYmnAi/VoZhrCPmlsQZRxt\n" \</span>
<span id="LC21" class="line" lang="plaintext"> "A5QjjOnEvSPMa6SrXZxGWDCg6R8uMCb4P+FhrPWR1thnRDZOtRTQ+crc50p3mHgt\n" \</span>
<span id="LC22" class="line" lang="plaintext"> "6ktXWIJRbqnag8zSfQqCYGtRmhe8sfsWT+Yl4El4+jjaAVU/B364u7+PLmaiphGp\n" \</span>
<span id="LC23" class="line" lang="plaintext"> "BdJfTsTwEpgtGkPj+osDmhzXcZkfq3V+fz5JLkemsCiQKmn4VJRpg8c3ZmE8NPNt\n" \</span>
<span id="LC24" class="line" lang="plaintext"> "gRtGWZ4W3WKDvhotT65WpQx4+6R8Duux/blNPBmH1Upmwd7kj7GYFBArbCjgd9PT\n" \</span>
<span id="LC25" class="line" lang="plaintext"> "xgfCSUZpgOZHHkcgSB+022a8XncXna7WYYij28SLtwImFyu0nNtqECFQHH5u+k6C\n" \</span>
<span id="LC26" class="line" lang="plaintext"> "LRYBSN+3t3At8dQuk01NVrJBndmjmXRfxpqUtTdeaNgVpdUYRY98s30G68NYGSra\n" \</span>
<span id="LC27" class="line" lang="plaintext"> "aEvhhRSghkcLNetkobpY9pUgeqW/tQKBwQDZHHK9nDMt/zk1TxtILeUSitPXcv1/\n" \</span>
<span id="LC28" class="line" lang="plaintext"> "8ufXqO0miHdH23XuXhIEA6Ef26RRVGDGgpjkveDJK/1w5feJ4H/ni4Vclil/cm38\n" \</span>
<span id="LC29" class="line" lang="plaintext"> "OwRqjjd7ElHJX6JQbsxEx/gNTk5/QW1iAL9TXUalgepsSXYT6AJ0/CJv0jmJSJ36\n" \</span>
<span id="LC30" class="line" lang="plaintext"> "YoKMOM8uqzb2KhN6i+RlJRi5iY53kUhWTJq5ArWvNhUzQNSYODI4bNxlsKSBL2Ik\n" \</span>
<span id="LC31" class="line" lang="plaintext"> "LZ5QKHuaEjQet0IlPlfIb4PzMm8CHa/urOcCgcEA7m3zW/lL5bIFoKPjWig5Lbn1\n" \</span>
<span id="LC32" class="line" lang="plaintext"> "aHfrG2ngqzWtgWtfZqMH8OkZc1Mdhhmvd46titjiLjeI+UP/uHXR0068PnrNngzl\n" \</span>
<span id="LC33" class="line" lang="plaintext"> "tTgwlakzu+bWzqhBm1F+3/341st/FEk07r0P/3/PhezVjwfO8c8Exj7pLxH4wrH0\n" \</span>
<span id="LC34" class="line" lang="plaintext"> "ROHgDbClmlJRu6OO78wk1+Vapf5DWa8YfA+q+fdvr7KvgGyytheKMT/b/dsqOq7y\n" \</span>
<span id="LC35" class="line" lang="plaintext"> "qZPjmaJKWAvV3RWG8lWHFSdHx2IAHMHfGr17Y/w7AoHBALzwZeYebeekiVucGSjq\n" \</span>
<span id="LC36" class="line" lang="plaintext"> "T8SgLhT7zCIx+JMUPjVfYzaUhP/Iu7Lkma6IzWm9nW6Drpy5pUpMzwUWDCLfzU9q\n" \</span>
<span id="LC37" class="line" lang="plaintext"> "eseFIl337kEn9wLn+t5OpgAyCqYmlftxbqvdrrBN9uvnrJjWvqk/8wsDrw9JxAGc\n" \</span>
<span id="LC38" class="line" lang="plaintext"> "fjeD4nBXUqvYWLXApoR9mZoGKedmoH9pFig4zlO9ig8YITnKYuQ0k6SD0b8agJHc\n" \</span>
<span id="LC39" class="line" lang="plaintext"> "Ir0YSUDnRGgpjvFBGbeOCe+FGbohk/EpItJc3IAh5740lwKBwAdXd2DjokSmYKn7\n" \</span>
<span id="LC40" class="line" lang="plaintext"> "oeqKxofz6+yVlLW5YuOiuX78sWlVp87xPolgi84vSEnkKM/Xsc8+goc6YstpRVa+\n" \</span>
<span id="LC41" class="line" lang="plaintext"> "W+mImoA9YW1dF5HkLeWhTAf9AlgoAEIhbeIfTgBv6KNZSv7RDrDPBBxtXx/vAfSg\n" \</span>
<span id="LC42" class="line" lang="plaintext"> "x0ldwk0scZsVYXLKd67yzfV7KdGUdaX4N/xYgfZm/9gCG3+q8NN2KxVHQ5F71BOE\n" \</span>
<span id="LC43" class="line" lang="plaintext"> "JeABOaGo9WvnU+DNMIDZjHJMUWVw4MHz/a/UArDf/2CxaPVBNQKBwASg6j4ohSTk\n" \</span>
<span id="LC44" class="line" lang="plaintext"> "J7aE6RQ3OBmmDDpixcoCJt9u9SjHVYMlbs5CEJGVSczk0SG3y8P1lOWNDSRnMksZ\n" \</span>
<span id="LC45" class="line" lang="plaintext"> "xWnHdP/ogcuYMuvK7UACNAF0zNddtzOhzcpNmejFj+WCHYY/UmPr2/Kf6t7Cxk2K\n" \</span>
<span id="LC46" class="line" lang="plaintext"> "3cZ4tqWsiTmBT8Bknmah7L5DrhS+ZBJliDeFAA8fZHdMH0Xjr4UBp9kF90EMTdW1\n" \</span>
<span id="LC47" class="line" lang="plaintext"> "Xr5uz7ZrMsYpYQI7mmyqV9SSjUg4iBXwVSoag1iDJ1K8Qg/L7Semgg==\n" \</span>
<span id="LC48" class="line" lang="plaintext"> "-----END RSA PRIVATE KEY-----\n"</span>
<span id="LC49" class="line" lang="plaintext"></span>
<span id="LC50" class="line" lang="plaintext">static gnutls_x509_privkey_t load_key(void)</span>
<span id="LC51" class="line" lang="plaintext">{</span>
<span id="LC52" class="line" lang="plaintext"> gnutls_x509_privkey_t key;</span>
<span id="LC53" class="line" lang="plaintext"> const gnutls_datum_t data = { (unsigned char *)PRIVATE_KEY,</span>
<span id="LC54" class="line" lang="plaintext"> strlen(PRIVATE_KEY) };</span>
<span id="LC55" class="line" lang="plaintext"> assert(gnutls_x509_privkey_init(&key) >= 0);</span>
<span id="LC56" class="line" lang="plaintext"> assert(gnutls_x509_privkey_import(key, &data,</span>
<span id="LC57" class="line" lang="plaintext"> GNUTLS_X509_FMT_PEM) >= 0);</span>
<span id="LC58" class="line" lang="plaintext"> return key;</span>
<span id="LC59" class="line" lang="plaintext">}</span>
<span id="LC60" class="line" lang="plaintext"></span>
<span id="LC61" class="line" lang="plaintext">int main(int argc, char **argv) {</span>
<span id="LC62" class="line" lang="plaintext"> gnutls_x509_crt_t crt;</span>
<span id="LC63" class="line" lang="plaintext"> int err;</span>
<span id="LC64" class="line" lang="plaintext"> static char buffer[1024 * 1024];</span>
<span id="LC65" class="line" lang="plaintext"> size_t size = sizeof(buffer);</span>
<span id="LC66" class="line" lang="plaintext"> char serial[5] = { 1, 2, 3, 4, 0 };</span>
<span id="LC67" class="line" lang="plaintext"> gnutls_datum_t der;</span>
<span id="LC68" class="line" lang="plaintext"> time_t start = time(NULL);</span>
<span id="LC69" class="line" lang="plaintext"> time_t expire = time(NULL) + (60 * 60 * 24);</span>
<span id="LC70" class="line" lang="plaintext"> gnutls_x509_privkey_t privkey = load_key();</span>
<span id="LC71" class="line" lang="plaintext"></span>
<span id="LC72" class="line" lang="plaintext"> assert(gnutls_x509_crt_init(&crt) >= 0);</span>
<span id="LC73" class="line" lang="plaintext"> assert(gnutls_x509_crt_set_key(crt, privkey) >= 0);</span>
<span id="LC74" class="line" lang="plaintext"> assert(gnutls_x509_crt_set_version(crt, 3) >= 0);</span>
<span id="LC75" class="line" lang="plaintext"> assert(gnutls_x509_crt_set_serial(crt, serial, 5) >= 0);</span>
<span id="LC76" class="line" lang="plaintext"> assert(gnutls_x509_crt_set_activation_time(crt, start) >= 0);</span>
<span id="LC77" class="line" lang="plaintext"> assert(gnutls_x509_crt_set_expiration_time(crt, expire) >= 0);</span>
<span id="LC78" class="line" lang="plaintext"> assert(gnutls_x509_crt_sign2(crt, crt, privkey,</span>
<span id="LC79" class="line" lang="plaintext"> GNUTLS_DIG_SHA256, 0) >= 0);</span>
<span id="LC80" class="line" lang="plaintext"> assert(gnutls_x509_crt_export(</span>
<span id="LC81" class="line" lang="plaintext"> crt, GNUTLS_X509_FMT_PEM, buffer, &size) >= 0);</span>
<span id="LC82" class="line" lang="plaintext"></span>
<span id="LC83" class="line" lang="plaintext"> /* round trip: the activation time read back must equal the one we set */</span>
<span class="line" lang="plaintext"> assert(start == gnutls_x509_crt_get_activation_time(crt));</span>
<span id="LC84" class="line" lang="plaintext"> printf("%s\n", buffer);</span>
<span id="LC85" class="line" lang="plaintext"></span>
<span id="LC86" class="line" lang="plaintext"> return 0;</span>
<span id="LC87" class="line" lang="plaintext">}</span></code></pre>
</div>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Compile this on a 32-bit host (or on a 64-bit host, passing -m32) and then query the certificate contents:</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true" style='display: block; font-size: 0.875rem; color: #333238; line-height: 1.6em; overflow-x: auto; border-radius: 4px; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: 0.875rem; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: 4px; white-space: pre; margin-top: 0; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;">$ gcc -g -lgnutls -m32 -o demo demo.c</span>
<span id="LC2" class="line" lang="plaintext">$ ./demo | certtool -i | grep Not</span>
<span id="LC3" class="line" lang="plaintext"> Not Before: Sat Sep 05 17:30:22 UTC 2703</span>
<span id="LC4" class="line" lang="plaintext"> Not After: Sun Sep 06 17:30:22 UTC 2703</span></code></pre>
</div>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Notice that instead of having a validity/expiry date of today + 1 day, it has a date ~700 years into the future.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">This did not happen with gnutls 3.7.8 / 3.7.9.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">I ran a git bisect in gnutls and narrowed it down to this change:</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre lang="plaintext" class="code highlight js-syntax-highlight language-plaintext" data-canonical-lang="" v-pre="true" style='display: block; font-size: 0.875rem; color: #333238; line-height: 1.6em; overflow-x: auto; border-radius: 4px; position: relative; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: 0.875rem; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: 4px; white-space: pre; margin-top: 0; font-family: var(--default-mono-font, "Menlo"),"DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;">commit 61fa36ca4ea84ca3bc42918690151eec8dfc1148</span>
<span id="LC2" class="line" lang="plaintext">Author: Daiki Ueno <ueno@gnu.org></span>
<span id="LC3" class="line" lang="plaintext">Date: Sat Jan 8 18:14:16 2022 +0100</span>
<span id="LC4" class="line" lang="plaintext"></span>
<span id="LC5" class="line" lang="plaintext"> gnulib: update git submodule</span>
<span id="LC6" class="line" lang="plaintext"> </span>
<span id="LC7" class="line" lang="plaintext"> Signed-off-by: Daiki Ueno <ueno@gnu.org></span></code></pre>
</div>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">The problem arose because GNULIB has changed the 'largefile' module so that it probes for the C library exposing _TIME_BITS=64, and if available will set that define. This results in time_t changing from 32-bit in size to 64-bit when gnutls is built.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Meanwhile essentially no application that uses GNUTLS will have _TIME_BITS=64 set, and thus they will all be passing/receiving time with a 32-bit time_t.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">This means that any application interacting with GNUTLS APIs that involve time_t will be broken on 32-bit hosts with glibc >= 2.34 (when _TIME_BITS=64 arrived).</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">GNULIB did provide a '--disable-year2038' flag for configure which can be used at build time to disable 64-bit time_t. Essentially everyone who builds GNUTLS today needs to be sure to pass --disable-year2038 to avoid the silent ABI change.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">See also this thread <a href="https://sourceware.org/pipermail/libc-alpha/2023-March/146002.html" rel="nofollow noreferrer noopener" target="_blank" style="margin-top: 0;">https://sourceware.org/pipermail/libc-alpha/2023-March/146002.html</a></p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Both Gentoo and Fedora have hit this ABI incompatibility, and any other distro which still has 32-bit builds will do so too.</p>
<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">I'm not sure what the best course of action for GNUTLS is right now. IMHO, ideally GNULIB should not have forced 64-bit time_t on every application using 'largefile', it should have remained strictly opt-in, as GLibC had made it. I don't see a way for GNUTLS to get away from the 'largefile' change because 'largefile' is an important GNULIB module that every app needs.</p>
<p dir="auto" style="color: #333238; margin: 0;" align="initial">The best I can see is to prominently document the importance of setting '--disable-year2038' when building GNUTLS, unless GNULIB wants to revert their change to 'largefile' and make it opt-in.</p>
</div>
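<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">The following is an added example, not code from the issue above, from QEMU or from GnuTLS. It models the mechanism the report describes: a caller compiled with a 32-bit <code>time_t</code> supplies 4 bytes of argument, a library compiled with <code>_TIME_BITS=64</code> reads 8 bytes at that position, and the upper half of what the library sees is whatever happened to sit next to the argument. The input values are constructed: a March 2023 timestamp for the low word, and a stray high word of 5, which is my inference from the year-2703 dates in the certtool output (5 &times; 2<sup>32</sup> seconds is about 680 years), not something the issue states. The date conversion is done with integer arithmetic so that the program gives the same answer whether it is built with 32-bit or 64-bit <code>time_t</code>.</p>

```c
/*
 * Added example, not code from the GnuTLS issue, QEMU or GnuTLS itself.
 * Models the time_t ABI skew: a 32-bit-time_t caller passes 4 bytes where
 * a _TIME_BITS=64 callee reads 8.  Constants are constructed; the stray
 * high word of 5 is an inference from the reported 2703 dates, not a fact
 * the issue states.
 */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

struct ymd { int y; unsigned m, d; };

/* Width of time_t as seen by this translation unit: 32 under -m32 on
 * glibc, 64 under -m32 -D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64. */
static unsigned time_t_bits(void)
{
    return (unsigned)(sizeof(time_t) * 8);
}

/* The 64-bit value a _TIME_BITS=64 callee observes when its caller passed
 * only a 32-bit time_t and `adjacent` is the neighbouring 32-bit word. */
static int64_t as_seen_by_time64_callee(uint32_t caller_time32, uint32_t adjacent)
{
    return (int64_t)(((uint64_t)adjacent << 32) | caller_time32);
}

/* Round-trip check an application or test suite can make: the value the
 * library hands back must equal the one it was given.  Any difference
 * means the two sides disagree on the width of time_t. */
static int round_trip_ok(uint32_t given, int64_t returned)
{
    return returned == (int64_t)given;
}

/* Proleptic Gregorian date for a non-negative Unix time, via integer
 * arithmetic (Howard Hinnant's civil_from_days), so the result does not
 * depend on the host's time_t width or on gmtime() handling year 2703. */
static struct ymd ymd_of(int64_t unix_time)
{
    int64_t z = unix_time / 86400 + 719468;                  /* days since 0000-03-01 */
    int64_t era = z / 146097;                                 /* unix_time >= 0 assumed */
    unsigned doe = (unsigned)(z - era * 146097);              /* day of era   [0, 146096] */
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365; /* [0, 399] */
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);  /* day of year  [0, 365] */
    unsigned mp = (5 * doy + 2) / 153;                        /* March-based month [0, 11] */
    struct ymd r;
    r.d = doy - (153 * mp + 2) / 5 + 1;
    r.m = mp < 10 ? mp + 3 : mp - 9;
    r.y = (int)(era * 400 + yoe) + (r.m <= 2);
    return r;
}

int main(void)
{
    const uint32_t now32 = 1677748142u;   /* constructed: 2023-03-02 UTC */
    const uint32_t stray = 5u;            /* assumed contents of the adjacent word */
    int64_t seen = as_seen_by_time64_callee(now32, stray);
    struct ymd a = ymd_of(now32), b = ymd_of(seen);

    printf("time_t here is %u bits\n", time_t_bits());
    printf("caller passed %u -> %04d-%02u-%02u\n", now32, a.y, a.m, a.d);
    printf("callee read   %lld -> %04d-%02u-%02u\n", (long long)seen, b.y, b.m, b.d);
    printf("round trip: %s\n", round_trip_ok(now32, seen) ? "ok" : "FAILED, time_t ABI skew");
    return round_trip_ok(now32, seen) ? 0 : 1;
}
```

<p dir="auto" style="color: #333238; margin: 0 0 16px;" align="initial">Built once with <code>gcc -m32</code> and once with <code>gcc -m32 -D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64</code> on a glibc 2.34 or newer system, <code>time_t_bits()</code> reports 32 and then 64, which is the difference between an application built the usual way and a GnuTLS built with gnulib's updated 'largefile' module (glibc only honours <code>_TIME_BITS=64</code> together with <code>_FILE_OFFSET_BITS=64</code>). The round-trip check is the same idea as the <code>assert(start == gnutls_x509_crt_get_activation_time(crt))</code> line in the reproducer: a library that returns something other than what it was handed is the cheapest signal that both sides do not agree on <code>sizeof(time_t)</code>.</p>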
</div>
</body>
</html>