strongswan: Fail to build against OpenSSL 3.0

Bug #1946213 reported by Simon Chopin
Affects               Status        Importance  Assigned to      Milestone
OpenSSL               Fix Released  Unknown     -                -
strongSwan            Fix Released  Unknown     -                -
openssl (Ubuntu)      Fix Released  Undecided   Unassigned       -
strongswan (Ubuntu)   Fix Released  High        Paride Legovini  -

Bug Description

Hello,

As part of a rebuild against OpenSSL3, this package failed to build on one or
several architectures. You can find the details of the rebuild at

https://people.canonical.com/~schopin/rebuilds/openssl-3.0.0-impish.html

or for the amd64 failed build, directly at

https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0/+build/22099394/+files/buildlog_ubuntu-impish-amd64.strongswan_5.9.1-1ubuntu3.0~ssl3ppa1.1_BUILDING.txt.gz

We're planning to transition to OpenSSL 3.0 for the 22.04 release, and consider
this issue as blocking for this transition.

You can find general migration information at
https://www.openssl.org/docs/manmaster/man7/migration_guide.html
For your tests, you can build against libssl-dev as found in the PPA
schopin/openssl-3.0.0

The issue looks fixed upstream on master:
https://github.com/strongswan/strongswan/commit/72e5b3b7022ad14b245565a5aadcd097106af168

Paride Legovini (paride)
Changed in strongswan (Ubuntu):
importance: Undecided → High
Changed in strongswan (Ubuntu):
assignee: nobody → Paride Legovini (paride)
tags: added: server-next
Paride Legovini (paride) wrote :

The upstream bug I just linked affects 5.9.4-1 which I'm currently merging from Debian.

Changed in strongswan:
status: Unknown → New
Paride Legovini (paride) wrote :

Apparently this is an OpenSSL 3 bug uncovered by the strongswan testsuite:

https://github.com/openssl/openssl/issues/17017

It's actively being worked on upstream.

Changed in openssl:
status: Unknown → New
Simon Chopin (schopin) wrote :

I've just uploaded a new version to my PPA, with a patch from https://github.com/openssl/openssl/pull/17041 that should fix this.

Paride Legovini (paride) wrote :

Thanks! I'll re-test the strongswan build once 3.0.0-1ubuntu1~ppa2 gets published in the PPA.

Paride Legovini (paride) wrote :

With openssl 3.0.0-1ubuntu1~ppa2 the ed25519_fail issue is fixed, but we then hit another (unrelated) test failure. I reported it upstream here:

https://github.com/strongswan/strongswan/issues/759

Paride Legovini (paride) wrote :

Issue #735 has been closed as it's actually an OpenSSL bug (and we already have a task for that). I'm making this track #759 instead.

Changed in strongswan:
status: New → Unknown
Changed in strongswan:
status: Unknown → New
Changed in openssl:
status: New → Fix Released
Changed in openssl (Ubuntu):
status: New → Invalid
Paride Legovini (paride)
Changed in strongswan (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.9.4-1ubuntu2

---------------
strongswan (5.9.4-1ubuntu2) jammy; urgency=medium

  * Add d/p/load-legacy-provider-in-openssl3.patch.
    Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)

 -- Paride Legovini <email address hidden> Wed, 17 Nov 2021 17:04:27 +0100

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 3.0.0-1ubuntu1

---------------
openssl (3.0.0-1ubuntu1) jammy; urgency=medium

  * Manual merge of version 3.0.0-1 from Debian experimental, remaining
    changes:
    - Replace duplicate files in the doc directory with symlinks.
    - debian/libssl1.1.postinst:
      + Display a system restart required notification on libssl1.1
        upgrade on servers, unless needrestart is available.
      + Use a different priority for libssl1.1/restart-services depending
        on whether a desktop, or server dist-upgrade is being performed.
      + Skip services restart & reboot notification if needrestart is in-use.
      + Bump version check to 1.1.1.
      + Import libraries/restart-without-asking template as used by above.
    - Revert "Enable system default config to enforce TLS1.2 as a
      minimum" & "Increase default security level from 1 to 2".
    - Reword the NEWS entry, as applicable on Ubuntu.
    - Set OPENSSL_TLS_SECURITY_LEVEL=2 as compiled-in minimum security
      level. Change meaning of SECURITY_LEVEL=2 to prohibit TLS versions
      below 1.2 and update documentation. Previous default of 1, can be set
      by calling SSL_CTX_set_security_level(), SSL_set_security_level() or
      using ':@SECLEVEL=1' CipherString value in openssl.cfg.
    - Add support for building with noudeb build profile.
  * d/p/Don-t-create-an-ECX-key-with-short-keys.patch:
    Backported from upstream to fix a regression with short keys (LP: #1946213)
  * d/p/Add-null-digest-implementation-to-the-default-provid.patch:
    Backported from upstream to fix a compatibility issue with 1.1.1l
  * Manually call dh_installdirs to fix build failure
  * Drop some Ubuntu patches merged upstream
    + The s390x series (00xx) has been applied upstream
    + The lp-1927161 Intel CET series has been applied upstream
    + CVE-2021-3449 has been fixed upstream
    + CVE-2021-3450 doesn't apply to 3.0 branch
  * Refresh and adapt the remaining patches

openssl (3.0.0-1) experimental; urgency=medium

  * Import 3.0.0.
  * Add avr32, patch by Vineet Gupta (Closes: #989442).

openssl (3.0.0~~beta2-1) experimental; urgency=medium

  * Import 3.0.0-beta2.

openssl (3.0.0~~beta1-1) experimental; urgency=medium

  * Import 3.0.0-beta1.
  * Use HARNESS_VERBOSE again (otherwise the test suite might get killed since no
    progress is visible).

openssl (3.0.0~~alpha16-1) experimental; urgency=medium

  * Import 3.0.0-alpha16.
  * Use VERBOSE_FAILURE to log only failures in the build log.

openssl (3.0.0~~alpha15-1) experimental; urgency=medium

  * Import 3.0.0-alpha15.

openssl (3.0.0~~alpha13-2) experimental; urgency=medium

  * Add a proposed patch from upstream to skip negative errno numbers in the
    testsuite to pass the testsuite on hurd.
  * Always link against libatomic.

openssl (3.0.0~~alpha13-1) experimental; urgency=medium

  * Import 3.0.0-alpha13.
  * Move configuration.h to architecture specific include folder. Patch from
    Antonio Terceiro (Closes: #985555).
  * Enable LFS. Thanks to Dan Nicholson for debugging (Closes: #923479).
  * drop `lsof', the testsuite is not using it anymore.
  * Enable ktls.

openssl (3.0.0~~al...


Changed in openssl (Ubuntu):
status: Invalid → Fix Released
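The changelog entry above describes two ways the Ubuntu openssl package lets an administrator choose the TLS security level: the compiled-in minimum of 2, or dropping back to 1 via a ':@SECLEVEL=1' CipherString value in the OpenSSL configuration. The fragment below is an added illustration of that configuration, not part of this bug report or of the Ubuntu package; the section names (openssl_init, ssl_sect, system_default_sect) are the conventional ones used in Debian/Ubuntu openssl.cnf files and are assumed here. It shows the hardened default beside the weaker override so the difference is visible in one place.

```ini
# Top-level entry point: OpenSSL reads this section name from the
# "openssl_conf" key when the library initialises.
openssl_conf = openssl_init

[openssl_init]
# Hook the TLS (libssl) defaults into the library-wide initialisation.
ssl_conf = ssl_sect

[ssl_sect]
# Settings under "system_default" apply to every SSL_CTX the system
# creates unless an application overrides them explicitly.
system_default = system_default_sect

[system_default_sect]
# Hardened default, matching the package's compiled-in minimum
# (OPENSSL_TLS_SECURITY_LEVEL=2). At level 2 OpenSSL rejects RSA/DSA/DH
# keys shorter than 2048 bits and ECC keys shorter than 224 bits; with
# the Ubuntu change described in the changelog, level 2 also refuses TLS
# versions below 1.2.
CipherString = DEFAULT:@SECLEVEL=2
# Stating the protocol floor explicitly keeps the TLS 1.2 minimum even if
# the security-level semantics differ on another build of OpenSSL.
MinProtocol = TLSv1.2

# Weaker setting (kept here only for comparison; do not enable both).
# Level 1 re-permits 1024-bit RSA/DH and, on this build, TLS 1.0/1.1,
# which is what legacy peers that still fail at level 2 usually need.
# If it must be used, scope it to the one application via
# SSL_CTX_set_security_level() rather than lowering the system default.
#CipherString = DEFAULT:@SECLEVEL=1
```

To confirm which level a running configuration applies, start with the system default and only lower it per-application where a specific peer demonstrably requires it; the per-context calls SSL_CTX_set_security_level() and SSL_set_security_level() named in the changelog exist for exactly that purpose and leave the rest of the system at level 2.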
Paride Legovini (paride) wrote :

The upstream commit [1] included as a patch in strongswan (5.9.4-1ubuntu2) should be released in strongswan 5.9.5 [2].

[1] https://github.com/strongswan/strongswan/commit/b158c08c4b919b878ded10bb57e969ed7b3cabc3
[2] https://github.com/strongswan/strongswan/milestone/3?closed=1

Changed in strongswan:
status: New → Fix Released