Ubuntu
strongswan package

Merge ~lucaskanashiro/ubuntu/+source/strongswan:focal-bug-fixes into ubuntu/+source/strongswan:ubuntu/focal-devel

  1. Git
  2. lp:~lucaskanashiro/ubuntu/+source/strongswan
  3. focal-bug-fixes
  4. Merge into ubuntu/focal-devel
Proposed by Lucas Kanashiro
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: 67fe07f0d1d3d74497bd009bff797ed4473866e6
Merged at revision: 67fe07f0d1d3d74497bd009bff797ed4473866e6
Proposed branch: ~lucaskanashiro/ubuntu/+source/strongswan:focal-bug-fixes
Merge into: ubuntu/+source/strongswan:ubuntu/focal-devel
Diff against target: 469 lines (+358/-0)
11 files modified
debian/changelog (+19/-0)
debian/control (+3/-0)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
debian/rules (+2/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Lucas Kanashiro (community) Abstain
Canonical Server Pending
Review via email: mp+384464@code.launchpad.net

Description of the change

Fix the following 2 bugs in Focal:

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1878887
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1879692

Here is a PPA with the proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-strongswan-bug-fixes/+packages

No regression reported by autopkgtest:

autopkgtest [18:24:34]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For the conffile handling the same comment as https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/strongswan/+git/strongswan/+merge/384385/comments/1009777 applies

review: Needs Fixing
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

+1 on adding plugins back and that this should make sense even in the SRU context.

+1 on the fixes for "chunk_from_chars".
The names became rather short now just being 1,2,3,4,5 but that is fine - I usually use the git-format-patch naming which is a bit more readable, but this is just a suggestion for next time no change required.

+1 overall after the conffile handling is resolved

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Removal of conf files was fixed. I uploaded a new version to the PPA fwiw.

Up for review again.

review: Needs Resubmitting
Revision history for this message
Lucas Kanashiro (lucaskanashiro) :
review: Abstain
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

LGTM now if the testing of the conffile removal works I'm fine - thanks for reworking this for me.

review: Approve
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

I did test it again and it worked as expected (old conf files removed). Since it is good enough now, I am going to upload it.

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

$ git push pkg upload/5.8.2-1ubuntu3.1
Enumerating objects: 33, done.
Counting objects: 100% (33/33), done.
Delta compression using up to 8 threads
Compressing objects: 100% (25/25), done.
Writing objects: 100% (25/25), 8.80 KiB | 2.93 MiB/s, done.
Total 25 (delta 13), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
 * [new tag] upload/5.8.2-1ubuntu3.1 -> upload/5.8.2-1ubuntu3.1

$ dput ubuntu ../strongswan_5.8.2-1ubuntu3.1_source.changes
Checking signature on .changes
gpg: ../strongswan_5.8.2-1ubuntu3.1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../strongswan_5.8.2-1ubuntu3.1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.8.2-1ubuntu3.1.dsc: done.
  Uploading strongswan_5.8.2-1ubuntu3.1.debian.tar.xz: done.
  Uploading strongswan_5.8.2-1ubuntu3.1_source.buildinfo: done.
  Uploading strongswan_5.8.2-1ubuntu3.1_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index aa4f342..0443e1b 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,22 @@
6+strongswan (5.8.2-1ubuntu3.1) focal; urgency=medium
7+
8+ * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
9+ - d/control: update libcharon-extra-plugins description.
10+ - d/libcharon-extra-plugins.install: install .so and conf files.
11+ - d/rules: add plugins to the configuration arguments.
12+ * Remove conf files of plugins removed from libcharon-extra-plugins
13+ - The conf file of the following plugins were removed: eap-aka-3gpp2,
14+ eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
15+ eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
16+ - Created d/libcharon-extra-plugins.maintscript to handle the removals
17+ properly.
18+ * Add patches to fix the chunk_from_chars() macro compiled with GCC 9+
19+ (LP: #1879692)
20+ - Patches backported from upstream: lp-1879692-{1,2,3,4,5}.patch.
21+ - Fix the pki CA certificate creation issue.
22+
23+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 22 May 2020 10:53:07 -0300
24+
25 strongswan (5.8.2-1ubuntu3) focal; urgency=medium
26
27 * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
28diff --git a/debian/control b/debian/control
29index 6a88299..3859289 100644
30--- a/debian/control
31+++ b/debian/control
32@@ -260,6 +260,9 @@ Description: strongSwan charon library (extra plugins)
33 - unity (Cisco Unity extensions for IKEv1)
34 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
35 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
36+ - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
37+ requested/supported by the client (since 5.0.1))
38+ - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
39
40 Package: strongswan-starter
41 Architecture: any
42diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
43index 7765f20..cc0bf6f 100644
44--- a/debian/libcharon-extra-plugins.install
45+++ b/debian/libcharon-extra-plugins.install
46@@ -2,9 +2,11 @@
47 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
48 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
49 usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
50+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
51 usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
52 usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
53 usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
54+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
55 usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
56 usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
57 usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
58@@ -24,9 +26,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
59 usr/share/strongswan/templates/config/plugins/addrblock.conf
60 usr/share/strongswan/templates/config/plugins/certexpire.conf
61 usr/share/strongswan/templates/config/plugins/eap-aka.conf
62+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
63 usr/share/strongswan/templates/config/plugins/eap-gtc.conf
64 usr/share/strongswan/templates/config/plugins/eap-identity.conf
65 usr/share/strongswan/templates/config/plugins/eap-md5.conf
66+usr/share/strongswan/templates/config/plugins/eap-peap.conf
67 usr/share/strongswan/templates/config/plugins/eap-radius.conf
68 usr/share/strongswan/templates/config/plugins/eap-tls.conf
69 usr/share/strongswan/templates/config/plugins/eap-tnc.conf
70@@ -47,9 +51,11 @@ etc/strongswan.d/tnc.conf
71 etc/strongswan.d/charon/addrblock.conf
72 etc/strongswan.d/charon/certexpire.conf
73 etc/strongswan.d/charon/eap-aka.conf
74+etc/strongswan.d/charon/eap-dynamic.conf
75 etc/strongswan.d/charon/eap-gtc.conf
76 etc/strongswan.d/charon/eap-identity.conf
77 etc/strongswan.d/charon/eap-md5.conf
78+etc/strongswan.d/charon/eap-peap.conf
79 etc/strongswan.d/charon/eap-radius.conf
80 etc/strongswan.d/charon/eap-tls.conf
81 etc/strongswan.d/charon/eap-tnc.conf
82diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript
83new file mode 100644
84index 0000000..61b27e6
85--- /dev/null
86+++ b/debian/libcharon-extra-plugins.maintscript
87@@ -0,0 +1,8 @@
88+rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
89+rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
90+rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
91+rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
92+rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
93+rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
94+rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
95+rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
96diff --git a/debian/patches/lp-1879692-1.patch b/debian/patches/lp-1879692-1.patch
97new file mode 100644
98index 0000000..dad8ff4
99--- /dev/null
100+++ b/debian/patches/lp-1879692-1.patch
101@@ -0,0 +1,75 @@
102+From ef4113a49dbf3d0315d5c3e486a3717dda5f4c7c Mon Sep 17 00:00:00 2001
103+From: Tobias Brunner <tobias@strongswan.org>
104+Date: Wed, 29 Jan 2020 11:22:07 +0100
105+Subject: [PATCH] libtpmtss: Fix problematic usage of chunk_from_chars() in
106+ TSS2 implementations
107+
108+See 8ea13bbc5ccd for details.
109+
110+References #3249.
111+
112+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ef4113a49dbf3d0315d5c3e486a3717dda5f4c7c
113+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
114+Last-Updated: 2020-05-22
115+---
116+ src/libtpmtss/tpm_tss_tss2_v1.c | 9 +++------
117+ src/libtpmtss/tpm_tss_tss2_v2.c | 9 +++------
118+ 2 files changed, 6 insertions(+), 12 deletions(-)
119+
120+diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
121+index fb26d05..31465da 100644
122+--- a/src/libtpmtss/tpm_tss_tss2_v1.c
123++++ b/src/libtpmtss/tpm_tss_tss2_v1.c
124+@@ -494,7 +494,8 @@ METHOD(tpm_tss_t, get_public, chunk_t,
125+ {
126+ TPM2B_PUBLIC_KEY_RSA *rsa;
127+ TPMT_RSA_SCHEME *scheme;
128+- chunk_t aik_exponent, aik_modulus;
129++ chunk_t aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
130++ chunk_t aik_modulus;
131+ uint32_t exponent;
132+
133+ scheme = &public.t.publicArea.parameters.rsaDetail.scheme;
134+@@ -504,11 +505,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
135+ rsa = &public.t.publicArea.unique.rsa;
136+ aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
137+ exponent = htonl(public.t.publicArea.parameters.rsaDetail.exponent);
138+- if (!exponent)
139+- {
140+- aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
141+- }
142+- else
143++ if (exponent)
144+ {
145+ aik_exponent = chunk_from_thing(exponent);
146+ }
147+diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
148+index c5d78d6..fef32e1 100644
149+--- a/src/libtpmtss/tpm_tss_tss2_v2.c
150++++ b/src/libtpmtss/tpm_tss_tss2_v2.c
151+@@ -448,7 +448,8 @@ METHOD(tpm_tss_t, get_public, chunk_t,
152+ {
153+ TPM2B_PUBLIC_KEY_RSA *rsa;
154+ TPMT_RSA_SCHEME *scheme;
155+- chunk_t aik_exponent, aik_modulus;
156++ chunk_t aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
157++ chunk_t aik_modulus;
158+ uint32_t exponent;
159+
160+ scheme = &public.publicArea.parameters.rsaDetail.scheme;
161+@@ -458,11 +459,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
162+ rsa = &public.publicArea.unique.rsa;
163+ aik_modulus = chunk_create(rsa->buffer, rsa->size);
164+ exponent = htonl(public.publicArea.parameters.rsaDetail.exponent);
165+- if (!exponent)
166+- {
167+- aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
168+- }
169+- else
170++ if (exponent)
171+ {
172+ aik_exponent = chunk_from_thing(exponent);
173+ }
174+--
175+2.7.4
176+
177diff --git a/debian/patches/lp-1879692-2.patch b/debian/patches/lp-1879692-2.patch
178new file mode 100644
179index 0000000..2dddeac
180--- /dev/null
181+++ b/debian/patches/lp-1879692-2.patch
182@@ -0,0 +1,50 @@
183+From 776433505b8581866010c2c82bf7611f4f0946e8 Mon Sep 17 00:00:00 2001
184+From: Tobias Brunner <tobias@strongswan.org>
185+Date: Wed, 29 Jan 2020 11:12:12 +0100
186+Subject: [PATCH] x509: Replace problematic calls of chunk_from_chars() for
187+ keyUsage extension
188+
189+As noted in 8ea13bbc5ccd newer compilers might optimize out the
190+assignment leading to invalid values in the keyUsage extension (as the
191+length was still set, the extension was encoded, just not with the
192+intended values).
193+
194+Fixes #3249.
195+
196+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=776433505b8581866010c2c82bf7611f4f0946e8
197+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
198+Last-Updated: 2020-05-22
199+---
200+ src/libstrongswan/plugins/x509/x509_cert.c | 6 ++++--
201+ 1 file changed, 4 insertions(+), 2 deletions(-)
202+
203+diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
204+index 7311708..5a3f838 100644
205+--- a/src/libstrongswan/plugins/x509/x509_cert.c
206++++ b/src/libstrongswan/plugins/x509/x509_cert.c
207+@@ -2198,6 +2198,8 @@ static chunk_t generate_ts(traffic_selector_t *ts)
208+ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
209+ private_key_t *sign_key, int digest_alg)
210+ {
211++ const chunk_t keyUsageCrlSign = chunk_from_chars(0x01, 0x02);
212++ const chunk_t keyUsageCertSignCrlSign = chunk_from_chars(0x01, 0x06);
213+ chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
214+ chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
215+ chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
216+@@ -2317,11 +2319,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
217+ chunk_from_chars(0xFF)),
218+ pathLenConstraint)));
219+ /* set CertificateSign and implicitly CRLsign */
220+- keyUsageBits = chunk_from_chars(0x01, 0x06);
221++ keyUsageBits = keyUsageCertSignCrlSign;
222+ }
223+ else if (cert->flags & X509_CRL_SIGN)
224+ {
225+- keyUsageBits = chunk_from_chars(0x01, 0x02);
226++ keyUsageBits = keyUsageCrlSign;
227+ }
228+ if (keyUsageBits.len)
229+ {
230+--
231+2.7.4
232+
233diff --git a/debian/patches/lp-1879692-3.patch b/debian/patches/lp-1879692-3.patch
234new file mode 100644
235index 0000000..5b6152a
236--- /dev/null
237+++ b/debian/patches/lp-1879692-3.patch
238@@ -0,0 +1,37 @@
239+From d16e81077808c9c898e35db0f4b8f60e0490bf09 Mon Sep 17 00:00:00 2001
240+From: Tobias Brunner <tobias@strongswan.org>
241+Date: Wed, 29 Jan 2020 11:05:30 +0100
242+Subject: [PATCH] pki: Remove unnecessary and problematic chunk_from_chars()
243+ usage in --signcrl
244+
245+If the serial is not yet set, the same default value is set just below.
246+
247+See 8ea13bbc5ccd for details on chunk_from_chars().
248+
249+References #3249.
250+
251+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d16e81077808c9c898e35db0f4b8f60e0490bf09
252+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
253+Last-Updated: 2020-05-22
254+---
255+ src/pki/commands/signcrl.c | 4 ----
256+ 1 file changed, 4 deletions(-)
257+
258+diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
259+index dfe1ce0..60d880e 100644
260+--- a/src/pki/commands/signcrl.c
261++++ b/src/pki/commands/signcrl.c
262+@@ -385,10 +385,6 @@ static int sign_crl()
263+ }
264+ else
265+ {
266+- if (!crl_serial.ptr)
267+- {
268+- crl_serial = chunk_from_chars(0x00);
269+- }
270+ lastenum = enumerator_create_empty();
271+ }
272+
273+--
274+2.7.4
275+
276diff --git a/debian/patches/lp-1879692-4.patch b/debian/patches/lp-1879692-4.patch
277new file mode 100644
278index 0000000..348b1c2
279--- /dev/null
280+++ b/debian/patches/lp-1879692-4.patch
281@@ -0,0 +1,42 @@
282+From d5cf2d1f8549a3492916dab3178fba50030e8884 Mon Sep 17 00:00:00 2001
283+From: Tobias Brunner <tobias@strongswan.org>
284+Date: Wed, 29 Jan 2020 10:02:38 +0100
285+Subject: [PATCH] tls-crypto: Fix usage of chunk_from_chars()
286+
287+See 8ea13bbc5ccd for details.
288+
289+References #3249.
290+
291+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d5cf2d1f8549a3492916dab3178fba50030e8884
292+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
293+Last-Updated: 2020-05-22
294+---
295+ src/libtls/tls_crypto.c | 5 +++--
296+ 1 file changed, 3 insertions(+), 2 deletions(-)
297+
298+diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
299+index 0ec2f5c..ebadb91 100644
300+--- a/src/libtls/tls_crypto.c
301++++ b/src/libtls/tls_crypto.c
302+@@ -1409,6 +1409,8 @@ METHOD(tls_crypto_t, sign, bool,
303+ {
304+ if (this->tls->get_version(this->tls) >= TLS_1_2)
305+ {
306++ const chunk_t hashsig_def = chunk_from_chars(
307++ TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
308+ signature_scheme_t scheme;
309+ bio_reader_t *reader;
310+ uint8_t hash, alg;
311+@@ -1417,8 +1419,7 @@ METHOD(tls_crypto_t, sign, bool,
312+
313+ if (!hashsig.len)
314+ { /* fallback if none given */
315+- hashsig = chunk_from_chars(
316+- TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
317++ hashsig = hashsig_def;
318+ }
319+ reader = bio_reader_create(hashsig);
320+ while (reader->remaining(reader) >= 2)
321+--
322+2.7.4
323+
324diff --git a/debian/patches/lp-1879692-5.patch b/debian/patches/lp-1879692-5.patch
325new file mode 100644
326index 0000000..85efd71
327--- /dev/null
328+++ b/debian/patches/lp-1879692-5.patch
329@@ -0,0 +1,111 @@
330+From 8ea13bbc5ccdb7a67e5b2c0e0465d432dd24614b Mon Sep 17 00:00:00 2001
331+From: Tobias Brunner <tobias@strongswan.org>
332+Date: Mon, 27 Jan 2020 15:16:51 +0100
333+Subject: [PATCH] lgtm: Add query to detect problematic uses of
334+ chunk_from_chars()
335+
336+GCC 9+ and clang 4+ (partially) optimize out usages of
337+chunk_from_chars() if the value is read outside of the block where the
338+macro is used. For instance:
339+
340+```
341+chunk_t chunk = chunk_empty;
342+if (...)
343+{
344+ chunk = chunk_from_chars(0x01, 0x06);
345+}
346+/* do something with chunk */
347+```
348+
349+The chunk_from_chars() macro expands to a chunk_t declaration, which is
350+technically only defined inside that block.
351+
352+Still, with older GCC versions the fourth line was compiled to something
353+like this:
354+
355+```
356+mov WORD PTR [rsp+14], 1537 # 0x0106 in little-endian
357+lea rdx, [rsp+14]
358+mov ecx, 2
359+```
360+
361+However, with GCC 9.1 and -O2 the first instruction might be omitted
362+(strangely the others usually were not, so the chunk pointed to whatever
363+was stored on the stack). It's not easily reproducible, so there are
364+situations where the seemingly identical code is not optimized in this
365+way.
366+
367+This query should detect such problematic uses of the macro (definition
368+and usage in different blocks).
369+
370+References #3249.
371+
372+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8ea13bbc5ccdb7a67e5b2c0e0465d432dd24614b
373+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
374+Last-Updated: 2020-05-22
375+
376+---
377+ .lgtm/cpp-queries/chunk_from_chars.ql | 51 +++++++++++++++++++++++++++++++++++
378+ 1 file changed, 51 insertions(+)
379+ create mode 100644 .lgtm/cpp-queries/chunk_from_chars.ql
380+
381+diff --git a/.lgtm/cpp-queries/chunk_from_chars.ql b/.lgtm/cpp-queries/chunk_from_chars.ql
382+new file mode 100644
383+index 0000000..c393e7e
384+--- /dev/null
385++++ b/.lgtm/cpp-queries/chunk_from_chars.ql
386+@@ -0,0 +1,51 @@
387++/**
388++ * @name Invalid use of chunk_from_chars() macro
389++ * @description The chunk_from_chars() macro creates a temporary chunk_t, which
390++ * is not defined outside of the block in which it has been used,
391++ * therefore, compilers might optimize out the assignment.
392++ * @kind path-problem
393++ * @problem.severity error
394++ * @id strongswan/invalid-chunk-from-chars
395++ * @tags correctness
396++ * @precision very-high
397++ */
398++import cpp
399++import DataFlow::PathGraph
400++import semmle.code.cpp.dataflow.DataFlow
401++
402++class ChunkFromChars extends Expr {
403++ ChunkFromChars() {
404++ this = any(MacroInvocation mi |
405++ mi.getOutermostMacroAccess().getMacroName() = "chunk_from_chars"
406++ /* ignore global static uses of the macro */
407++ and exists (Block b | mi.getExpr().getEnclosingBlock() = b)
408++ ).getExpr()
409++ }
410++}
411++
412++class ChunkFromCharsUsage extends DataFlow::Configuration {
413++ ChunkFromCharsUsage() { this = "ChunkFromCharsUsage" }
414++
415++ override predicate isSource(DataFlow::Node source) {
416++ source.asExpr() instanceof ChunkFromChars
417++ }
418++
419++ override predicate isSink(DataFlow::Node sink) {
420++ exists(sink.asExpr())
421++ }
422++
423++ override predicate isBarrierOut(DataFlow::Node node) {
424++ /* don't track beyond function calls */
425++ exists(FunctionCall fc | node.asExpr().getParent*() = fc)
426++ }
427++}
428++
429++Block enclosingBlock(Block b) {
430++ result = b.getEnclosingBlock()
431++}
432++
433++from ChunkFromCharsUsage usage, DataFlow::PathNode source, DataFlow::PathNode sink
434++where
435++ usage.hasFlowPath(source, sink)
436++ and not source.getNode().asExpr().getEnclosingBlock() = enclosingBlock*(sink.getNode().asExpr().getEnclosingBlock())
437++select source, source, sink, "Invalid use of chunk_from_chars() result in sibling/parent block."
438+--
439+2.7.4
440+
441diff --git a/debian/patches/series b/debian/patches/series
442index c72895f..d5cd0fd 100644
443--- a/debian/patches/series
444+++ b/debian/patches/series
445@@ -3,3 +3,8 @@
446 03_systemd-service.patch
447 04_disable-libtls-tests.patch
448 dont-load-kernel-libipsec-plugin-by-default.patch
449+lp-1879692-1.patch
450+lp-1879692-2.patch
451+lp-1879692-3.patch
452+lp-1879692-4.patch
453+lp-1879692-5.patch
454diff --git a/debian/rules b/debian/rules
455index 7ee20ea..f012b4d 100755
456--- a/debian/rules
457+++ b/debian/rules
458@@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
459 --enable-curl \
460 --enable-eap-aka \
461 --enable-eap-gtc \
462+ --enable-eap-dynamic \
463 --enable-eap-identity \
464 --enable-eap-md5 \
465 --enable-eap-mschapv2 \
466+ --enable-eap-peap \
467 --enable-eap-radius \
468 --enable-eap-tls \
469 --enable-eap-tnc \

Subscribers

People subscribed via source and target branches