Merge ~paride/ubuntu/+source/strongswan:lp1940079-tss2-focal into ubuntu/+source/strongswan:ubuntu/devel

Proposed by Paride Legovini
Status: Superseded
Proposed branch: ~paride/ubuntu/+source/strongswan:lp1940079-tss2-focal
Merge into: ubuntu/+source/strongswan:ubuntu/devel
Diff against target: 529 lines (+411/-2) (has conflicts)
9 files modified
debian/changelog (+19/-0)
debian/control (+61/-2)
debian/libcharon-extra-plugins.maintscript (+11/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/libcharon-extra-plugins.maintscript
Reviewers (review type and date requested not set):
Christian Ehrhardt: Pending
Canonical Server: Pending
Review via email: mp+408927@code.launchpad.net

This proposal has been superseded by a proposal from 2021-09-21.

Commit message

Focal SRU fix for LP #1940079. This is the same change that landed in the Debian packaging (git) and in Impish, applied to Focal.

Test Plan: see the SRU template.
Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan

Fix verified by the bug submitter using the PPA package.

Please review; no sponsorship needed.

Christian Ehrhardt  (paelzer) wrote :

This one was abandoned (wrong merge target)

Unmerged commits

58edb43... by Paride Legovini

Update d/changelog for 5.8.2-1ubuntu3.2

aaaf3bd... by Paride Legovini

tpm plugin: compile against the tpm2 software stack (tss2)

d/rules: configure with --enable-tss-tss2
d/control: build-depend on libtss2-dev

Closes: #994396, LP: #1940079

c50c2d7... by Lucas Kanashiro

Update changelog

546ba27... by Lucas Kanashiro

Add patches to fix the chunk_from_chars() macro compiled with GCC 9+

Those patches fix also the pki CA certificate creation issue reported on
LP: #1879692.

06156b5... by Lucas Kanashiro

Remove conf files of plugins removed from libcharon-extra-plugins

These plugins were removed in version 5.8.0-2, and after upgrading to a
greater version a user might get confused since the conf files are
there but the plugins are not installed.

1a29456... by Lucas Kanashiro

Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)

eap-dynamic might be quite useful for users because it allows clients to
select an alternative EAP method if the one selected by the server
initially is not supported.

eap-peap is still widely used by users because it is what most of the
clients implement. It is often used in combination with EAP-MSCHAPv2 to
authenticate e.g. WiFi clients (the TLS connection in EAP-PEAP protects
the potentially weak password authentication in EAP-MSCHAPv2). For
instance, using the same protocol for VPN clients allows reusing the
existing AAA infrastructure (AD/RADIUS server).

174d2fa... by Christian Ehrhardt 

5.8.2-1ubuntu3 (patches unapplied)

Imported using git-ubuntu import.

e718509... by Christian Ehrhardt 

changelog: re-add BLISS and NTRU (LP: #1863749)

Signed-off-by: Christian Ehrhardt <email address hidden>

a224d03... by Christian Ehrhardt 

d/control: d/libstrongswan-extra-plugins.install: re-add nttfft (Number Theoretic Transform via the FFT algorithm) which is required by BLISS

Note: Debian won't follow (for now) so this is intentional delta for now
=> https://salsa.debian.org/debian/strongswan/-/merge_requests/8
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787

Signed-off-by: Christian Ehrhardt <email address hidden>

26d1d13... by Christian Ehrhardt 

d/control: d/rules: d/libstrongswan-extra-plugins.install: re-add BLISS (Bimodal Lattice Signature Scheme post-quantum computer signature scheme) plugin (LP: #1863749)

Note: Debian won't follow (for now) so this is intentional delta for now
=> https://salsa.debian.org/debian/strongswan/-/merge_requests/8
=> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803787

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 436a5e3..e303419 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,10 +1,15 @@
6+<<<<<<< debian/changelog
7 strongswan (5.9.1-1ubuntu3) impish; urgency=medium
8+=======
9+strongswan (5.8.2-1ubuntu3.2) focal; urgency=medium
10+>>>>>>> debian/changelog
11
12 * Compile the tpm plugin against the tpm2 software stack (tss2)
13 (Debian packaging cherry-pick, LP: #1940079)
14 - d/rules: add the --enable-tss-tss2 configure flag
15 - d/control: add Build-Depends: libtss2-dev
16
17+<<<<<<< debian/changelog
18 -- Paride Legovini <paride@ubuntu.com> Thu, 16 Sep 2021 11:40:38 +0200
19
20 strongswan (5.9.1-1ubuntu2) impish; urgency=medium
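Review bot: this hunk carries unresolved conflict markers (`<<<<<<< debian/changelog`, `=======`, `>>>>>>> debian/changelog`) because the focal stanza `strongswan (5.8.2-1ubuntu3.2) focal; urgency=medium` is being diffed against the impish stanza `strongswan (5.9.1-1ubuntu3) impish; urgency=medium`. The bullet points of both entries are identical, which confirms the tss2 change is already in the target; the diff shows no tss2 delta at all, only the focal/impish divergence. Retarget the proposal at the focal branch (as the "(has conflicts)" status and the later "wrong merge target" comment indicate) so the diff shows the intended SRU change and no markers.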
21@@ -53,6 +58,11 @@ strongswan (5.9.0-1) unstable; urgency=medium
22 -- Yves-Alexis Perez <corsac@debian.org> Thu, 17 Sep 2020 10:21:30 +0200
23
24 strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
25+=======
26+ -- Paride Legovini <paride@ubuntu.com> Fri, 17 Sep 2021 10:48:56 +0200
27+
28+strongswan (5.8.2-1ubuntu3.1) focal; urgency=medium
29+>>>>>>> debian/changelog
30
31 * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
32 - d/control: update libcharon-extra-plugins description.
33@@ -64,6 +74,7 @@ strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
34 eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
35 - Created d/libcharon-extra-plugins.maintscript to handle the removals
36 properly.
37+<<<<<<< debian/changelog
38
39 -- Lucas Kanashiro <kanashiro@ubuntu.com> Thu, 21 May 2020 14:53:05 -0300
40
41@@ -105,6 +116,14 @@ strongswan (5.8.2-2) unstable; urgency=medium
42 * d/copyright updated
43
44 -- Yves-Alexis Perez <corsac@debian.org> Thu, 13 Feb 2020 22:46:40 +0100
45+=======
46+ * Add patches to fix the chunk_from_chars() macro compiled with GCC 9+
47+ (LP: #1879692)
48+ - Patches backported from upstream: lp-1879692-{1,2,3,4,5}.patch.
49+ - Fix the pki CA certificate creation issue.
50+
51+ -- Lucas Kanashiro <kanashiro@ubuntu.com> Fri, 22 May 2020 10:53:07 -0300
52+>>>>>>> debian/changelog
53
54 strongswan (5.8.2-1ubuntu3) focal; urgency=medium
55
56diff --git a/debian/control b/debian/control
57index a64a176..382587e 100644
58--- a/debian/control
59+++ b/debian/control
60@@ -14,6 +14,11 @@ Build-Depends: bison,
61 dpkg-dev (>= 1.16.2),
62 flex,
63 gperf,
64+<<<<<<< debian/control
65+=======
66+ libip4tc-dev [linux-any],
67+ libip6tc-dev [linux-any],
68+>>>>>>> debian/control
69 libiptc-dev [linux-any],
70 libcap-dev [linux-any],
71 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
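Review bot: the `libip4tc-dev [linux-any]` / `libip6tc-dev [linux-any]` lines sit inside conflict markers and are focal-only build-dependencies, not part of the tss2 change; the target already lists `libiptc-dev [linux-any]` instead. Note also that the `libtss2-dev` Build-Depends and the `--enable-tss-tss2` d/rules change named in the commit message do not appear in any hunk (d/rules is not among the 9 files modified), which is what you expect when the target already contains them. Both observations point at the same fix: resolve by retargeting rather than by editing these markers away.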
72@@ -152,8 +157,8 @@ Architecture: any
73 Depends: libstrongswan (= ${binary:Version}),
74 ${misc:Depends},
75 ${shlibs:Depends}
76-Breaks: libcharon-extra-plugins (<< 5.8.0-2~)
77-Replaces: libcharon-extra-plugins (<< 5.8.0-2~)
78+Breaks: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
79+Replaces: libcharon-extra-plugins (<< 5.8.0-2~), libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)
80 Description: strongSwan charon library (extended authentication plugins)
81 The strongSwan VPN suite uses the native IPsec stack in the standard
82 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
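Review bot: the `Breaks`/`Replaces` additions on `libcharon-standard-plugins (<< 5.8.1-1ubuntu1~)` are the focal transitional delta showing through, not the SRU change; the target does not carry them, so merging this branch into ubuntu/devel as-is would reintroduce a relationship the devel packaging has already dropped. They belong only in the focal branch.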
83@@ -172,11 +177,65 @@ Description: strongSwan charon library (extended authentication plugins)
84 These are the "not always, but still more commonly used" plugins, for further
85 needs even more plugins can be found in the package libcharon-extra-plugins.
86
87+# Transition from former Ubuntu only libcharon-standard-plugins to common libcharon-extauth-plugins
88+Package: libcharon-standard-plugins
89+Depends: libcharon-extauth-plugins (= ${source:Version}), ${misc:Depends}
90+Architecture: all
91+Priority: optional
92+Section: oldlibs
93+Description: transitional package
94+ This is a transitional package. It can safely be removed.
95+
96+# Transition back from strongswan-tnc-* being in extra packages
97+# Can be dropped after 20.04
98+Package: strongswan-tnc-ifmap
99+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
100+Architecture: all
101+Priority: optional
102+Section: oldlibs
103+Description: transitional package
104+ This is a transitional package. It can safely be removed.
105+
106+Package: strongswan-tnc-base
107+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
108+Architecture: all
109+Priority: optional
110+Section: oldlibs
111+Description: transitional package
112+ This is a transitional package. It can safely be removed.
113+
114+Package: strongswan-tnc-client
115+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
116+Architecture: all
117+Priority: optional
118+Section: oldlibs
119+Description: transitional package
120+ This is a transitional package. It can safely be removed.
121+
122+Package: strongswan-tnc-server
123+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
124+Architecture: all
125+Priority: optional
126+Section: oldlibs
127+Description: transitional package
128+ This is a transitional package. It can safely be removed.
129+
130+Package: strongswan-tnc-pdp
131+Depends: libcharon-extra-plugins (= ${source:Version}), ${misc:Depends}
132+Architecture: all
133+Priority: optional
134+Section: oldlibs
135+Description: transitional package
136+ This is a transitional package. It can safely be removed.
137+
138 Package: libcharon-extra-plugins
139 Architecture: any
140 Depends: libstrongswan (= ${binary:Version}),
141 ${misc:Depends},
142 ${shlibs:Depends}
143+Breaks: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
144+Replaces: strongswan-tnc-ifmap (<< 5.7.2-1ubuntu1), strongswan-tnc-base (<< 5.7.2-1ubuntu1), strongswan-tnc-client (<< 5.7.2-1ubuntu1), strongswan-tnc-server (<< 5.7.2-1ubuntu1), strongswan-tnc-pdp (<< 5.7.2-1ubuntu1)
145+Provides: strongswan-tnc-base
146 Description: strongSwan charon library (extra plugins)
147 The strongSwan VPN suite uses the native IPsec stack in the standard
148 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
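Review bot: this hunk re-adds six transitional packages (`libcharon-standard-plugins`, `strongswan-tnc-{ifmap,base,client,server,pdp}`) plus the matching `Breaks`/`Replaces`/`Provides` on `libcharon-extra-plugins`, under a comment that says "# Can be dropped after 20.04". The target branch has evidently dropped them, so this is again the focal/devel divergence rather than anything the SRU needs; against the correct focal target these lines will be unchanged context and disappear from the diff.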
149diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript
150index f6e7a3a..8c58c56 100644
151--- a/debian/libcharon-extra-plugins.maintscript
152+++ b/debian/libcharon-extra-plugins.maintscript
153@@ -1,3 +1,4 @@
154+<<<<<<< debian/libcharon-extra-plugins.maintscript
155 rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
156 rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
157 rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
158@@ -6,3 +7,13 @@ rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ l
159 rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
160 rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
161 rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
162+=======
163+rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
164+rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
165+rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
166+rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
167+rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
168+rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
169+rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
170+rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.2-1ubuntu3.1~ libcharon-extra-plugins
171+>>>>>>> debian/libcharon-extra-plugins.maintscript
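Review bot: the conflict here would, if merged verbatim, leave two sets of `rm_conffile` lines for the same eight conffiles with different version thresholds (`5.8.4-1ubuntu2~` from the target, `5.8.2-1ubuntu3.1~` from the focal branch). Only one set is correct per release: focal needs `5.8.2-1ubuntu3.1~` (the version that removed the conffiles there), devel needs `5.8.4-1ubuntu2~`. Keeping both would make dpkg-maintscript-helper evaluate the removal twice with inconsistent versions; this must be resolved by choosing the right target, not by accepting the union.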
172diff --git a/debian/patches/lp-1879692-1.patch b/debian/patches/lp-1879692-1.patch
173new file mode 100644
174index 0000000..dad8ff4
175--- /dev/null
176+++ b/debian/patches/lp-1879692-1.patch
177@@ -0,0 +1,75 @@
178+From ef4113a49dbf3d0315d5c3e486a3717dda5f4c7c Mon Sep 17 00:00:00 2001
179+From: Tobias Brunner <tobias@strongswan.org>
180+Date: Wed, 29 Jan 2020 11:22:07 +0100
181+Subject: [PATCH] libtpmtss: Fix problematic usage of chunk_from_chars() in
182+ TSS2 implementations
183+
184+See 8ea13bbc5ccd for details.
185+
186+References #3249.
187+
188+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ef4113a49dbf3d0315d5c3e486a3717dda5f4c7c
189+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
190+Last-Updated: 2020-05-22
191+---
192+ src/libtpmtss/tpm_tss_tss2_v1.c | 9 +++------
193+ src/libtpmtss/tpm_tss_tss2_v2.c | 9 +++------
194+ 2 files changed, 6 insertions(+), 12 deletions(-)
195+
196+diff --git a/src/libtpmtss/tpm_tss_tss2_v1.c b/src/libtpmtss/tpm_tss_tss2_v1.c
197+index fb26d05..31465da 100644
198+--- a/src/libtpmtss/tpm_tss_tss2_v1.c
199++++ b/src/libtpmtss/tpm_tss_tss2_v1.c
200+@@ -494,7 +494,8 @@ METHOD(tpm_tss_t, get_public, chunk_t,
201+ {
202+ TPM2B_PUBLIC_KEY_RSA *rsa;
203+ TPMT_RSA_SCHEME *scheme;
204+- chunk_t aik_exponent, aik_modulus;
205++ chunk_t aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
206++ chunk_t aik_modulus;
207+ uint32_t exponent;
208+
209+ scheme = &public.t.publicArea.parameters.rsaDetail.scheme;
210+@@ -504,11 +505,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
211+ rsa = &public.t.publicArea.unique.rsa;
212+ aik_modulus = chunk_create(rsa->t.buffer, rsa->t.size);
213+ exponent = htonl(public.t.publicArea.parameters.rsaDetail.exponent);
214+- if (!exponent)
215+- {
216+- aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
217+- }
218+- else
219++ if (exponent)
220+ {
221+ aik_exponent = chunk_from_thing(exponent);
222+ }
223+diff --git a/src/libtpmtss/tpm_tss_tss2_v2.c b/src/libtpmtss/tpm_tss_tss2_v2.c
224+index c5d78d6..fef32e1 100644
225+--- a/src/libtpmtss/tpm_tss_tss2_v2.c
226++++ b/src/libtpmtss/tpm_tss_tss2_v2.c
227+@@ -448,7 +448,8 @@ METHOD(tpm_tss_t, get_public, chunk_t,
228+ {
229+ TPM2B_PUBLIC_KEY_RSA *rsa;
230+ TPMT_RSA_SCHEME *scheme;
231+- chunk_t aik_exponent, aik_modulus;
232++ chunk_t aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
233++ chunk_t aik_modulus;
234+ uint32_t exponent;
235+
236+ scheme = &public.publicArea.parameters.rsaDetail.scheme;
237+@@ -458,11 +459,7 @@ METHOD(tpm_tss_t, get_public, chunk_t,
238+ rsa = &public.publicArea.unique.rsa;
239+ aik_modulus = chunk_create(rsa->buffer, rsa->size);
240+ exponent = htonl(public.publicArea.parameters.rsaDetail.exponent);
241+- if (!exponent)
242+- {
243+- aik_exponent = chunk_from_chars(0x01, 0x00, 0x01);
244+- }
245+- else
246++ if (exponent)
247+ {
248+ aik_exponent = chunk_from_thing(exponent);
249+ }
250+--
251+2.7.4
252+
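Review bot: the fix is the right shape and matches the root cause described in the lp-1879692-5.patch header: `aik_exponent` is now initialised with `chunk_from_chars(0x01, 0x00, 0x01)` at function scope, where it is also read, instead of inside the `if (!exponent)` block from which the compiler could drop the store. The DEP-3 headers (`Origin`, `Reviewed-By`, `Last-Updated`) are complete. The file only appears as new because the 5.9.1 target already contains upstream ef4113a4; per the changelog hunk focal already ships it in 5.8.2-1ubuntu3.1, so there is nothing new to land here once the proposal is retargeted.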
253diff --git a/debian/patches/lp-1879692-2.patch b/debian/patches/lp-1879692-2.patch
254new file mode 100644
255index 0000000..2dddeac
256--- /dev/null
257+++ b/debian/patches/lp-1879692-2.patch
258@@ -0,0 +1,50 @@
259+From 776433505b8581866010c2c82bf7611f4f0946e8 Mon Sep 17 00:00:00 2001
260+From: Tobias Brunner <tobias@strongswan.org>
261+Date: Wed, 29 Jan 2020 11:12:12 +0100
262+Subject: [PATCH] x509: Replace problematic calls of chunk_from_chars() for
263+ keyUsage extension
264+
265+As noted in 8ea13bbc5ccd newer compilers might optimize out the
266+assignment leading to invalid values in the keyUsage extension (as the
267+length was still set, the extension was encoded, just not with the
268+intended values).
269+
270+Fixes #3249.
271+
272+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=776433505b8581866010c2c82bf7611f4f0946e8
273+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
274+Last-Updated: 2020-05-22
275+---
276+ src/libstrongswan/plugins/x509/x509_cert.c | 6 ++++--
277+ 1 file changed, 4 insertions(+), 2 deletions(-)
278+
279+diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
280+index 7311708..5a3f838 100644
281+--- a/src/libstrongswan/plugins/x509/x509_cert.c
282++++ b/src/libstrongswan/plugins/x509/x509_cert.c
283+@@ -2198,6 +2198,8 @@ static chunk_t generate_ts(traffic_selector_t *ts)
284+ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
285+ private_key_t *sign_key, int digest_alg)
286+ {
287++ const chunk_t keyUsageCrlSign = chunk_from_chars(0x01, 0x02);
288++ const chunk_t keyUsageCertSignCrlSign = chunk_from_chars(0x01, 0x06);
289+ chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
290+ chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
291+ chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
292+@@ -2317,11 +2319,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
293+ chunk_from_chars(0xFF)),
294+ pathLenConstraint)));
295+ /* set CertificateSign and implicitly CRLsign */
296+- keyUsageBits = chunk_from_chars(0x01, 0x06);
297++ keyUsageBits = keyUsageCertSignCrlSign;
298+ }
299+ else if (cert->flags & X509_CRL_SIGN)
300+ {
301+- keyUsageBits = chunk_from_chars(0x01, 0x02);
302++ keyUsageBits = keyUsageCrlSign;
303+ }
304+ if (keyUsageBits.len)
305+ {
306+--
307+2.7.4
308+
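Review bot: hoisting `keyUsageCrlSign` and `keyUsageCertSignCrlSign` to `const chunk_t` locals at the top of `generate()` is the correct fix, since `keyUsageBits` is read after the `if`/`else if` blocks that previously created the temporaries. This is the security-relevant patch of the set: as the header notes, the extension was still encoded (length set) but with unintended values, so an unpatched `pki` could emit a CA certificate whose keyUsage did not actually carry keyCertSign/cRLSign. It would be worth having the SRU test plan include inspecting the keyUsage of a CA certificate generated by the patched `pki` for exactly those two bits.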
309diff --git a/debian/patches/lp-1879692-3.patch b/debian/patches/lp-1879692-3.patch
310new file mode 100644
311index 0000000..5b6152a
312--- /dev/null
313+++ b/debian/patches/lp-1879692-3.patch
314@@ -0,0 +1,37 @@
315+From d16e81077808c9c898e35db0f4b8f60e0490bf09 Mon Sep 17 00:00:00 2001
316+From: Tobias Brunner <tobias@strongswan.org>
317+Date: Wed, 29 Jan 2020 11:05:30 +0100
318+Subject: [PATCH] pki: Remove unnecessary and problematic chunk_from_chars()
319+ usage in --signcrl
320+
321+If the serial is not yet set, the same default value is set just below.
322+
323+See 8ea13bbc5ccd for details on chunk_from_chars().
324+
325+References #3249.
326+
327+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d16e81077808c9c898e35db0f4b8f60e0490bf09
328+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
329+Last-Updated: 2020-05-22
330+---
331+ src/pki/commands/signcrl.c | 4 ----
332+ 1 file changed, 4 deletions(-)
333+
334+diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
335+index dfe1ce0..60d880e 100644
336+--- a/src/pki/commands/signcrl.c
337++++ b/src/pki/commands/signcrl.c
338+@@ -385,10 +385,6 @@ static int sign_crl()
339+ }
340+ else
341+ {
342+- if (!crl_serial.ptr)
343+- {
344+- crl_serial = chunk_from_chars(0x00);
345+- }
346+ lastenum = enumerator_create_empty();
347+ }
348+
349+--
350+2.7.4
351+
352diff --git a/debian/patches/lp-1879692-4.patch b/debian/patches/lp-1879692-4.patch
353new file mode 100644
354index 0000000..348b1c2
355--- /dev/null
356+++ b/debian/patches/lp-1879692-4.patch
357@@ -0,0 +1,42 @@
358+From d5cf2d1f8549a3492916dab3178fba50030e8884 Mon Sep 17 00:00:00 2001
359+From: Tobias Brunner <tobias@strongswan.org>
360+Date: Wed, 29 Jan 2020 10:02:38 +0100
361+Subject: [PATCH] tls-crypto: Fix usage of chunk_from_chars()
362+
363+See 8ea13bbc5ccd for details.
364+
365+References #3249.
366+
367+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d5cf2d1f8549a3492916dab3178fba50030e8884
368+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
369+Last-Updated: 2020-05-22
370+---
371+ src/libtls/tls_crypto.c | 5 +++--
372+ 1 file changed, 3 insertions(+), 2 deletions(-)
373+
374+diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
375+index 0ec2f5c..ebadb91 100644
376+--- a/src/libtls/tls_crypto.c
377++++ b/src/libtls/tls_crypto.c
378+@@ -1409,6 +1409,8 @@ METHOD(tls_crypto_t, sign, bool,
379+ {
380+ if (this->tls->get_version(this->tls) >= TLS_1_2)
381+ {
382++ const chunk_t hashsig_def = chunk_from_chars(
383++ TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
384+ signature_scheme_t scheme;
385+ bio_reader_t *reader;
386+ uint8_t hash, alg;
387+@@ -1417,8 +1419,7 @@ METHOD(tls_crypto_t, sign, bool,
388+
389+ if (!hashsig.len)
390+ { /* fallback if none given */
391+- hashsig = chunk_from_chars(
392+- TLS_HASH_SHA1, TLS_SIG_RSA, TLS_HASH_SHA1, TLS_SIG_ECDSA);
393++ hashsig = hashsig_def;
394+ }
395+ reader = bio_reader_create(hashsig);
396+ while (reader->remaining(reader) >= 2)
397+--
398+2.7.4
399+
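Review bot: note that `hashsig_def` is declared in the outer `if (this->tls->get_version(this->tls) >= TLS_1_2)` block and read in the nested `if (!hashsig.len)` block, i.e. the use is in a child block of the definition, not a sibling or parent. That is exactly the pattern the lgtm query in lp-1879692-5.patch accepts (`enclosingBlock*` of the sink block reaching the source block), so the two patches are consistent; the temporary's lifetime covers the later `bio_reader_create(hashsig)` call.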
400diff --git a/debian/patches/lp-1879692-5.patch b/debian/patches/lp-1879692-5.patch
401new file mode 100644
402index 0000000..85efd71
403--- /dev/null
404+++ b/debian/patches/lp-1879692-5.patch
405@@ -0,0 +1,111 @@
406+From 8ea13bbc5ccdb7a67e5b2c0e0465d432dd24614b Mon Sep 17 00:00:00 2001
407+From: Tobias Brunner <tobias@strongswan.org>
408+Date: Mon, 27 Jan 2020 15:16:51 +0100
409+Subject: [PATCH] lgtm: Add query to detect problematic uses of
410+ chunk_from_chars()
411+
412+GCC 9+ and clang 4+ (partially) optimize out usages of
413+chunk_from_chars() if the value is read outside of the block where the
414+macro is used. For instance:
415+
416+```
417+chunk_t chunk = chunk_empty;
418+if (...)
419+{
420+ chunk = chunk_from_chars(0x01, 0x06);
421+}
422+/* do something with chunk */
423+```
424+
425+The chunk_from_chars() macro expands to a chunk_t declaration, which is
426+technically only defined inside that block.
427+
428+Still, with older GCC versions the fourth line was compiled to something
429+like this:
430+
431+```
432+mov WORD PTR [rsp+14], 1537 # 0x0106 in little-endian
433+lea rdx, [rsp+14]
434+mov ecx, 2
435+```
436+
437+However, with GCC 9.1 and -O2 the first instruction might be omitted
438+(strangely the others usually were not, so the chunk pointed to whatever
439+was stored on the stack). It's not easily reproducible, so there are
440+situations where the seemingly identical code is not optimized in this
441+way.
442+
443+This query should detect such problematic uses of the macro (definition
444+and usage in different blocks).
445+
446+References #3249.
447+
448+Origin: upstream, https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=8ea13bbc5ccdb7a67e5b2c0e0465d432dd24614b
449+Reviewed-By: Lucas Kanashiro <kanashiro@ubuntu.com>
450+Last-Updated: 2020-05-22
451+
452+---
453+ .lgtm/cpp-queries/chunk_from_chars.ql | 51 +++++++++++++++++++++++++++++++++++
454+ 1 file changed, 51 insertions(+)
455+ create mode 100644 .lgtm/cpp-queries/chunk_from_chars.ql
456+
457+diff --git a/.lgtm/cpp-queries/chunk_from_chars.ql b/.lgtm/cpp-queries/chunk_from_chars.ql
458+new file mode 100644
459+index 0000000..c393e7e
460+--- /dev/null
461++++ b/.lgtm/cpp-queries/chunk_from_chars.ql
462+@@ -0,0 +1,51 @@
463++/**
464++ * @name Invalid use of chunk_from_chars() macro
465++ * @description The chunk_from_chars() macro creates a temporary chunk_t, which
466++ * is not defined outside of the block in which it has been used,
467++ * therefore, compilers might optimize out the assignment.
468++ * @kind path-problem
469++ * @problem.severity error
470++ * @id strongswan/invalid-chunk-from-chars
471++ * @tags correctness
472++ * @precision very-high
473++ */
474++import cpp
475++import DataFlow::PathGraph
476++import semmle.code.cpp.dataflow.DataFlow
477++
478++class ChunkFromChars extends Expr {
479++ ChunkFromChars() {
480++ this = any(MacroInvocation mi |
481++ mi.getOutermostMacroAccess().getMacroName() = "chunk_from_chars"
482++ /* ignore global static uses of the macro */
483++ and exists (Block b | mi.getExpr().getEnclosingBlock() = b)
484++ ).getExpr()
485++ }
486++}
487++
488++class ChunkFromCharsUsage extends DataFlow::Configuration {
489++ ChunkFromCharsUsage() { this = "ChunkFromCharsUsage" }
490++
491++ override predicate isSource(DataFlow::Node source) {
492++ source.asExpr() instanceof ChunkFromChars
493++ }
494++
495++ override predicate isSink(DataFlow::Node sink) {
496++ exists(sink.asExpr())
497++ }
498++
499++ override predicate isBarrierOut(DataFlow::Node node) {
500++ /* don't track beyond function calls */
501++ exists(FunctionCall fc | node.asExpr().getParent*() = fc)
502++ }
503++}
504++
505++Block enclosingBlock(Block b) {
506++ result = b.getEnclosingBlock()
507++}
508++
509++from ChunkFromCharsUsage usage, DataFlow::PathNode source, DataFlow::PathNode sink
510++where
511++ usage.hasFlowPath(source, sink)
512++ and not source.getNode().asExpr().getEnclosingBlock() = enclosingBlock*(sink.getNode().asExpr().getEnclosingBlock())
513++select source, source, sink, "Invalid use of chunk_from_chars() result in sibling/parent block."
514+--
515+2.7.4
516+
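Review bot: this patch only adds `.lgtm/cpp-queries/chunk_from_chars.ql` and touches no C source, so it has no effect on the built binaries; its value in the series is that it documents the root cause (GCC 9+/clang 4+ optimising out a `chunk_from_chars()` store read outside its block) that the other four patches cite as "See 8ea13bbc5ccd". Two small header points: the blank line between `Last-Updated: 2020-05-22` and `---` differs from the other four patch files, and since 8ea13bbc5ccd is referenced by patches 1 to 4 it would read more naturally first in `debian/patches/series`, although there is no functional ordering dependency.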
517diff --git a/debian/patches/series b/debian/patches/series
518index c72895f..d5cd0fd 100644
519--- a/debian/patches/series
520+++ b/debian/patches/series
521@@ -3,3 +3,8 @@
522 03_systemd-service.patch
523 04_disable-libtls-tests.patch
524 dont-load-kernel-libipsec-plugin-by-default.patch
525+lp-1879692-1.patch
526+lp-1879692-2.patch
527+lp-1879692-3.patch
528+lp-1879692-4.patch
529+lp-1879692-5.patch
