Merge ~paride/ubuntu/+source/strongswan:lp1946213-JAMMY into ubuntu/+source/strongswan:ubuntu/devel

Proposed by Paride Legovini
Status: Merged
Merged at revision: 78d7af81d0afc06f959e85b077b9fde9209f0b3e
Proposed branch: ~paride/ubuntu/+source/strongswan:lp1946213-JAMMY
Merge into: ubuntu/+source/strongswan:ubuntu/devel
Diff against target: 146 lines (+124/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/load-legacy-provider-in-openssl3.patch (+116/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Lucas Kanashiro (community) Approve
Canonical Server packageset reviewers Pending
git-ubuntu import Pending
Review via email: mp+412022@code.launchpad.net

Commit message

Add d/p/load-legacy-provider-in-openssl3.patch.
Upstream cherry-pick to fix FTBFS against OpenSSL 3.0.
Fixes LP: #1946213.

Test PPA: https://launchpad.net/~paride/+archive/ubuntu/strongswan-openssl3

The test PPA builds with jammy-proposed and with https://launchpad.net/~schopin/+archive/ubuntu/openssl-3.0.0 as a dependency.

I verified from the build logs that the builds are actually done against openssl3, see for example: https://launchpadlibrarian.net/569418904/buildlog_ubuntu-jammy-amd64.strongswan_5.9.4-1ubuntu2~paride1_BUILDING.txt.gz

The PPA builds on all the supported archs.

# Autopkgtest results

Tested out of the PPAs:

$ autopkgtest --add-apt-source={deb,deb-src}' [trusted=yes] http://ppa.launchpad.net/paride/strongswan-openssl3/ubuntu jammy main' --add-apt-source='deb [trusted=yes] http://ppa.launchpad.net/schopin/openssl-3.0.0/ubuntu jammy main' -U --no-built-binaries strongswan -- qemu ~/ubuntu/autopkgtest-images/autopkgtest-jammy-amd64.img

Results:

autopkgtest [18:14:07]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS

Paride Legovini (paride) wrote (last edit ):

Added "upstream" to the Origin DEP-3 header, thanks Sergio.

This is now ready for review.

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Paride, LGTM. I am sponsoring this upload for you:

$ dput ubuntu ../strongswan_5.9.4-1ubuntu2_source.changes
Checking signature on .changes
gpg: ../strongswan_5.9.4-1ubuntu2_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../strongswan_5.9.4-1ubuntu2.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.9.4-1ubuntu2.dsc: done.
  Uploading strongswan_5.9.4.orig.tar.bz2: done.
  Uploading strongswan_5.9.4.orig.tar.bz2.asc: done.
  Uploading strongswan_5.9.4-1ubuntu2.debian.tar.xz: done.
  Uploading strongswan_5.9.4-1ubuntu2_source.buildinfo: done.
  Uploading strongswan_5.9.4-1ubuntu2_source.changes: done.
Successfully uploaded packages.

review: Approve

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 420061f..d430fc2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
2
3 * Add d/p/load-legacy-provider-in-openssl3.patch.
4 Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
5
6 -- Paride Legovini <paride@ubuntu.com> Wed, 17 Nov 2021 17:04:27 +0100
7
1strongswan (5.9.4-1ubuntu1) jammy; urgency=medium8strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
29
3 * Merge with Debian unstable. Remaining changes:10 * Merge with Debian unstable. Remaining changes:
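Review bot: style point on the new changelog entry: the bug reference is in the form the Launchpad closer expects, but "Upstream cherry-pick" names neither the upstream commit nor the upstream release that carries it. The patch's Origin header already records commit a373b6aee36c01b7f6c5ca052c932595bc93d471; quoting that (or the first release containing it) here as well lets the next merge see at a glance when the patch can be dropped.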
diff --git a/debian/patches/load-legacy-provider-in-openssl3.patch b/debian/patches/load-legacy-provider-in-openssl3.patch
4new file mode 10064411new file mode 100644
index 0000000..96399cb
--- /dev/null
+++ b/debian/patches/load-legacy-provider-in-openssl3.patch
@@ -0,0 +1,116 @@
1From: Tobias Brunner <tobias@strongswan.org>
2Date: Thu, 30 Sep 2021 09:41:57 +0200
3Origin: upstream, https://github.com/strongswan/strongswan/commit/a373b6aee36c01b7f6c5ca052c932595bc93d471
4Bug: https://github.com/strongswan/strongswan/issues/759
5Bug-Ubuntu: https://bugs.launchpad.net/strongswan/+bug/1946213
6Last-Update: 2021-11-17
7Subject: [PATCH] openssl: Load "legacy" provider in OpenSSL 3 for algorithms
8 like MD4, DES etc.
9
10We still require these algorithms for e.g. EAP-MSCHAPv2, so the option is
11enabled, by default. To use other providers (e.g. fips or even custom
12ones), the option can be disabled and the providers to load/activate can
13be configured in openssl.cnf. For instance, the following has the same
14effect as enabling the option:
15
16 openssl_conf = openssl_init
17
18 [openssl_init]
19 providers = providers
20
21 [providers]
22 default = activate
23 legacy = activate
24
25 [activate]
26 activate = yes
27---
28 conf/plugins/openssl.opt | 5 +++
29 .../plugins/openssl/openssl_plugin.c | 33 +++++++++++++++++++
30 2 files changed, 38 insertions(+)
31
32diff --git a/conf/plugins/openssl.opt b/conf/plugins/openssl.opt
33index 55d8dcaa184..29aabd3682c 100644
34--- a/conf/plugins/openssl.opt
35+++ b/conf/plugins/openssl.opt
36@@ -3,3 +3,8 @@ charon.plugins.openssl.engine_id = pkcs11
37
38 charon.plugins.openssl.fips_mode = 0
39 Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
40+
41+charon.plugins.openssl.load_legacy = yes
42+ Load the legacy provider in OpenSSL 3+ for algorithms like MD4, DES, or
43+ Blowfish. If disabled, the default provider is loaded, or those configured
44+ in the OpenSSL config.
45diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
46index 5009f4e3f08..36c0c45be70 100644
47--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
48+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
49@@ -16,6 +16,7 @@
50
51 #include <library.h>
52 #include <utils/debug.h>
53+#include <collections/array.h>
54 #include <threading/thread.h>
55 #include <threading/mutex.h>
56 #include <threading/thread_value.h>
57@@ -28,6 +29,9 @@
58 #ifndef OPENSSL_NO_ENGINE
59 #include <openssl/engine.h>
60 #endif
61+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
62+#include <openssl/provider.h>
63+#endif
64
65 #include "openssl_plugin.h"
66 #include "openssl_util.h"
67@@ -67,6 +71,13 @@ struct private_openssl_plugin_t {
68 * public functions
69 */
70 openssl_plugin_t public;
71+
72+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
73+ /**
74+ * Loaded providers
75+ */
76+ array_t *providers;
77+#endif
78 };
79
80 /**
81@@ -813,6 +824,15 @@ METHOD(plugin_t, get_features, int,
82 METHOD(plugin_t, destroy, void,
83 private_openssl_plugin_t *this)
84 {
85+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
86+ OSSL_PROVIDER *provider;
87+ while (array_remove(this->providers, ARRAY_TAIL, &provider))
88+ {
89+ OSSL_PROVIDER_unload(provider);
90+ }
91+ array_destroy(this->providers);
92+#endif /* OPENSSL_VERSION_NUMBER */
93+
94 /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
95 * can't call it as we couldn't re-initialize the library (as required by the
96 * unit tests and the Android app) */
97@@ -889,6 +909,19 @@ plugin_t *openssl_plugin_create()
98 #endif /* OPENSSL_NO_ENGINE */
99 #endif /* OPENSSL_VERSION_NUMBER */
100
101+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
102+ if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
103+ TRUE, lib->ns))
104+ {
105+ /* load the legacy provider for algorithms like MD4, DES, BF etc. */
106+ array_insert_create(&this->providers, ARRAY_TAIL,
107+ OSSL_PROVIDER_load(NULL, "legacy"));
108+ /* explicitly load the default provider, as mentioned by crypto(7) */
109+ array_insert_create(&this->providers, ARRAY_TAIL,
110+ OSSL_PROVIDER_load(NULL, "default"));
111+ }
112+#endif /* OPENSSL_VERSION_NUMBER */
113+
114 #ifdef OPENSSL_FIPS
115 /* we do this here as it may have been enabled via openssl.conf */
116 fips_mode = FIPS_mode();
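Review bot: in the `openssl_plugin_create()` hunk the return value of `OSSL_PROVIDER_load()` is not checked: if the legacy provider module is not installed or is blocked by the system openssl.cnf, a NULL is inserted into `this->providers` and nothing is logged, so the failure only surfaces later when an MD4/DES-based algorithm (e.g. EAP-MSCHAPv2, which the description cites as the reason for the default) is attempted, and the NULL is later handed to `OSSL_PROVIDER_unload()` in `destroy()`. A warning on a NULL return and inserting only non-NULL providers would make the failure visible at startup; since this is a verbatim upstream cherry-pick (DEP-3 headers Origin, Bug, Bug-Ubuntu and Last-Update are all present), that change belongs upstream rather than in the Ubuntu delta. Worth keeping in mind for the option documentation in openssl.opt: `load_legacy = yes` by default puts MD4, DES and Blowfish back into the process-wide default library context, so deployments that do not need them can set it to `no` and configure providers in openssl.cnf as the patch description shows.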
diff --git a/debian/patches/series b/debian/patches/series
index c72895f..b77b047 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
303_systemd-service.patch303_systemd-service.patch
404_disable-libtls-tests.patch404_disable-libtls-tests.patch
5dont-load-kernel-libipsec-plugin-by-default.patch5dont-load-kernel-libipsec-plugin-by-default.patch
6load-legacy-provider-in-openssl3.patch
