Merge ~paride/ubuntu/+source/strongswan:lp1946213-JAMMY into ubuntu/+source/strongswan:ubuntu/devel

Proposed by Paride Legovini
Status: Merged
Merged at revision: 78d7af81d0afc06f959e85b077b9fde9209f0b3e
Proposed branch: ~paride/ubuntu/+source/strongswan:lp1946213-JAMMY
Merge into: ubuntu/+source/strongswan:ubuntu/devel
Diff against target: 146 lines (+124/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/load-legacy-provider-in-openssl3.patch (+116/-0)
debian/patches/series (+1/-0)
Reviewers:
  Lucas Kanashiro (community): Approve
  Canonical Server packageset reviewers: Pending
  git-ubuntu (import): Pending
Review via email: mp+412022@code.launchpad.net

Commit message

Add d/p/load-legacy-provider-in-openssl3.patch.
Upstream cherry-pick to fix FTBFS against OpenSSL 3.0.
Fixes LP: #1946213.

Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan-openssl3

The test PPA builds with jammy-proposed and with https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0 as a dependency.

I verified from the build logs that the builds are actually done against openssl3, see for example: https://launchpadlibrarian.net/569418904/buildlog_ubuntu-jammy-amd64.strongswan_5.9.4-1ubuntu2~paride1_BUILDING.txt.gz

The PPA builds on all the supported archs.

# Autopkgtest results

Tested out of the PPAs:

$ autopkgtest --add-apt-source={deb,deb-src}' [trusted=yes] http://ppa.launchpad.net/paride/strongswan-openssl3/ubuntu jammy main' --add-apt-source='deb [trusted=yes] http://ppa.launchpad.net/schopin/openssl-3.0.0/ubuntu jammy main' -U --no-built-binaries strongswan -- qemu ~/ubuntu/autopkgtest-images/autopkgtest-jammy-amd64.img

Results:

autopkgtest [18:14:07]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS
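As an added illustration of what the cherry-picked patch changes at runtime (this is not part of the merge proposal or of strongSwan's own code), the following script probes whether MD4, the digest EAP-MSCHAPv2 needs, is reachable through OpenSSL 3 with and without the "legacy" provider. It assumes an openssl(1) CLI built from OpenSSL 3 with the legacy module (ossl-modules/legacy.so) installed; the openssl.cnf fragment it writes is the one quoted in the upstream commit message, applied through OPENSSL_CONF so no system file is modified.

```shell
#!/bin/sh
# Added example, not from the merge proposal: show why strongSwan has to
# load OpenSSL 3's "legacy" provider. Assumes openssl(1) from OpenSSL 3
# and its legacy module are installed.

# Return 0 if `openssl dgst -md4` succeeds with the extra arguments given.
md4_works() {
    printf 'abc' | openssl dgst -md4 "$@" >/dev/null 2>&1
}

# 1. Plain invocation: with OpenSSL 3 defaults only the "default" provider
#    is active, so MD4 is unavailable (the failure the patch fixes).
md4_plain() {
    md4_works
}

# 2. Explicitly activate legacy *and* default, the CLI equivalent of the
#    patch's OSSL_PROVIDER_load(NULL, "legacy") / OSSL_PROVIDER_load(NULL,
#    "default"). Passing any -provider disables the automatic default load,
#    which is why "default" must be named too.
md4_with_providers() {
    md4_works -provider legacy -provider default
}

# 3. The openssl.cnf form from the upstream commit message, for deployments
#    that set charon.plugins.openssl.load_legacy = no and configure
#    providers themselves.
write_legacy_cnf() {
    cat >"$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = providers

[providers]
default = activate
legacy = activate

[activate]
activate = yes
EOF
}

md4_with_cnf() {
    cnf=$(mktemp) || return 1
    write_legacy_cnf "$cnf"
    OPENSSL_CONF="$cnf" md4_works
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Print one line per probe so the three cases can be compared side by side.
report() {
    for probe in md4_plain md4_with_providers md4_with_cnf; do
        if "$probe"; then
            echo "$probe: MD4 available"
        else
            echo "$probe: MD4 unavailable"
        fi
    done
}

report
```

On a jammy system with the OpenSSL 3 packages from the test PPA, `md4_plain` is expected to fail while the other two succeed; on OpenSSL 1.1 all three paths behave differently because there are no providers, which is exactly why the patch is guarded by `OPENSSL_VERSION_NUMBER >= 0x30000000L`.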

Sergio Durigan Junior (sergiodj):

Paride Legovini (paride) wrote (last edit):

Added "upstream" to the Origin DEP-3 header, thanks Sergio.

This is now ready for review.

Lucas Kanashiro (lucaskanashiro) wrote:

Thanks Paride, LGTM. I am sponsoring this upload for you:

$ dput ubuntu ../strongswan_5.9.4-1ubuntu2_source.changes
Checking signature on .changes
gpg: ../strongswan_5.9.4-1ubuntu2_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../strongswan_5.9.4-1ubuntu2.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.9.4-1ubuntu2.dsc: done.
  Uploading strongswan_5.9.4.orig.tar.bz2: done.
  Uploading strongswan_5.9.4.orig.tar.bz2.asc: done.
  Uploading strongswan_5.9.4-1ubuntu2.debian.tar.xz: done.
  Uploading strongswan_5.9.4-1ubuntu2_source.buildinfo: done.
  Uploading strongswan_5.9.4-1ubuntu2_source.changes: done.
Successfully uploaded packages.

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 420061f..d430fc2 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
7+
8+ * Add d/p/load-legacy-provider-in-openssl3.patch.
9+ Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
10+
11+ -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100
12+
13 strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
14
15 * Merge with Debian unstable. Remaining changes:
16diff --git a/debian/patches/load-legacy-provider-in-openssl3.patch b/debian/patches/load-legacy-provider-in-openssl3.patch
17new file mode 100644
18index 0000000..96399cb
19--- /dev/null
20+++ b/debian/patches/load-legacy-provider-in-openssl3.patch
21@@ -0,0 +1,116 @@
22+From: Tobias Brunner <tobias@strongswan.org>
23+Date: Thu, 30 Sep 2021 09:41:57 +0200
24+Origin: upstream, https://github.com/strongswan/strongswan/commit/a373b6aee36c01b7f6c5ca052c932595bc93d471
25+Bug: https://github.com/strongswan/strongswan/issues/759
26+Bug-Ubuntu: https://bugs.launchpad.net/strongswan/+bug/1946213
27+Last-Update: 2021-11-17
28+Subject: [PATCH] openssl: Load "legacy" provider in OpenSSL 3 for algorithms
29+ like MD4, DES etc.
30+
31+We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
32+enabled, by default. To use other providers (e.g. fips or even custom
33+ones), the option can be disabled and the providers to load/activate can
34+be configured in openssl.cnf. For instance, the following has the same
35+effect as enabling the option:
36+
37+ openssl_conf = openssl_init
38+
39+ [openssl_init]
40+ providers = providers
41+
42+ [providers]
43+ default = activate
44+ legacy = activate
45+
46+ [activate]
47+ activate = yes
48+---
49+ conf/plugins/openssl.opt | 5 +++
50+ .../plugins/openssl/openssl_plugin.c | 33 +++++++++++++++++++
51+ 2 files changed, 38 insertions(+)
52+
53+diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt
54+index 55d8dcaa184..29aabd3682c 100644
55+--- a/conf/plugins/openssl.opt
56++++ b/conf/plugins/openssl.opt
57+@@ -3,3 +3,8 @@ charon.plugins.openssl.engine_id = pkcs11
58+
59+ charon.plugins.openssl.fips_mode = 0
60+ Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
61++
62++charon.plugins.openssl.load_legacy = yes
63++ Load the legacy provider in OpenSSL 3+ for algorithms like MD4, DES, or
64++ Blowfish. If disabled, the default provider is loaded, or those configured
65++ in the OpenSSL config.
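Review bot: the option description should spell out the security trade-off of its default: with `load_legacy = yes` the legacy provider's weak algorithms (MD4, DES, Blowfish and whatever else that provider ships) become available to the whole process, which EAP-MSCHAPv2 needs but not every deployment wants. Suggest adding that deployments without EAP-MSCHAPv2 or other legacy-algorithm consumers can set it to `no`, and that the setting has no effect on OpenSSL < 3 (the code is compiled only under `OPENSSL_VERSION_NUMBER >= 0x30000000L`). "If disabled, the default provider is loaded" is also slightly misleading: with the option off the plugin loads nothing itself, and OpenSSL activates the default provider on its own unless openssl.cnf says otherwise.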
66+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
67+index 5009f4e3f08..36c0c45be70 100644
68+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
69++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
70+@@ -16,6 +16,7 @@
71+
72+ #include <library.h>
73+ #include <utils/debug.h>
74++#include <collections/array.h>
75+ #include <threading/thread.h>
76+ #include <threading/mutex.h>
77+ #include <threading/thread_value.h>
78+@@ -28,6 +29,9 @@
79+ #ifndef OPENSSL_NO_ENGINE
80+ #include <openssl/engine.h>
81+ #endif
82++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
83++#include <openssl/provider.h>
84++#endif
85+
86+ #include "openssl_plugin.h"
87+ #include "openssl_util.h"
88+@@ -67,6 +71,13 @@ struct private_openssl_plugin_t {
89+ * public functions
90+ */
91+ openssl_plugin_t public;
92++
93++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
94++ /**
95++ * Loaded providers
96++ */
97++ array_t *providers;
98++#endif
99+ };
100+
101+ /**
102+@@ -813,6 +824,15 @@ METHOD(plugin_t, get_features, int,
103+ METHOD(plugin_t, destroy, void,
104+ private_openssl_plugin_t *this)
105+ {
106++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
107++ OSSL_PROVIDER *provider;
108++ while (array_remove(this->providers, ARRAY_TAIL, &provider))
109++ {
110++ OSSL_PROVIDER_unload(provider);
111++ }
112++ array_destroy(this->providers);
113++#endif /* OPENSSL_VERSION_NUMBER */
114++
115+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
116+ * can't call it as we couldn't re-initialize the library (as required by the
117+ * unit tests and the Android app) */
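Review bot: `this->providers` is only ever created by `array_insert_create()` when `load_legacy` is enabled, so with the option disabled `array_remove(this->providers, ...)` and `array_destroy(this->providers)` run on a NULL pointer. That is fine only because strongSwan's array API treats a NULL `array_t *` as an empty array; a one-line comment here would save the next reader from having to verify it. Note also that removal from ARRAY_TAIL unloads the providers in reverse load order, i.e. `default` before `legacy`.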
118+@@ -889,6 +909,19 @@ plugin_t *openssl_plugin_create()
119+ #endif /* OPENSSL_NO_ENGINE */
120+ #endif /* OPENSSL_VERSION_NUMBER */
121+
122++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
123++ if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
124++ TRUE, lib->ns))
125++ {
126++ /* load the legacy provider for algorithms like MD4, DES, BF etc. */
127++ array_insert_create(&this->providers, ARRAY_TAIL,
128++ OSSL_PROVIDER_load(NULL, "legacy"));
129++ /* explicitly load the default provider, as mentioned by crypto(7) */
130++ array_insert_create(&this->providers, ARRAY_TAIL,
131++ OSSL_PROVIDER_load(NULL, "default"));
132++ }
133++#endif /* OPENSSL_VERSION_NUMBER */
134++
135+ #ifdef OPENSSL_FIPS
136+ /* we do this here as it may have been enabled via openssl.conf */
137+ fips_mode = FIPS_mode();
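Review bot: both `array_insert_create()` calls store the result of `OSSL_PROVIDER_load()` without checking it for NULL. The legacy provider is a separately installed shared object, so if it is missing or fails to load a NULL is queued, later handed to `OSSL_PROVIDER_unload()` in `destroy`, and charon starts with MD4/DES silently unavailable, so EAP-MSCHAPv2 fails at authentication time with an unhelpful error instead of at startup. Suggest checking each return value, logging a warning via `DBG1(DBG_LIB, ...)`, and only inserting non-NULL providers. It is also worth a comment that `OSSL_PROVIDER_load(NULL, ...)` acts on the process-wide default library context, so the legacy algorithms become reachable by every libcrypto user in the daemon, not just this plugin.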
138diff --git a/debian/patches/series b/debian/patches/series
139index c72895f..b77b047 100644
140--- a/debian/patches/series
141+++ b/debian/patches/series
142@@ -3,3 +3,4 @@
143 03_systemd-service.patch
144 04_disable-libtls-tests.patch
145 dont-load-kernel-libipsec-plugin-by-default.patch
146+load-legacy-provider-in-openssl3.patch
