Merge ~sergiodj/ubuntu/+source/strongswan:bug1964977-ipsec-pki-segfault into ubuntu/+source/strongswan:ubuntu/devel

Proposed by Sergio Durigan Junior
Status: Merged
Merged at revision: 6bdb73f7ec8c8e04ec7c8654f2bdc172bc0d2675
Proposed branch: ~sergiodj/ubuntu/+source/strongswan:bug1964977-ipsec-pki-segfault
Merge into: ubuntu/+source/strongswan:ubuntu/devel
Diff against target: 120 lines (+98/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/lp1964977-fix-ipsec-pki-segfault.patch (+89/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Simon Déziel (community) drive-by ;) Approve
Canonical Server packageset reviewers Pending
Canonical Server Pending
Review via email: mp+417111@code.launchpad.net

Description of the change

This MP fixes bug 1964977.

This is about a segmentation fault that is occurring when using the "ipsec pki" command. It's very easy to reproduce:

$ lxc launch ubuntu-daily:jammy ipsec-bug1964977
$ lxc shell ipsec-bug1964977
# apt update && apt full-upgrade -y
# apt install strongswan strongswan-pki
# ipsec pki --gen --size 4096 --outform pem

Upstream has a patch for it:

https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524

As explained in the commit message, the problem happens because of some bad interaction between atexit handlers for both strongswan and openssl. Strongswan uses these handlers to unload/destroy its plugins, and the problem is that it tried to access openssl objects during these operations. However, with openssl's atexit handlers in place, this will now generate a segmentation fault. There's also an openssl bug about this problem here:

https://github.com/openssl/openssl/issues/15915

You can find a PPA with the proposed changes here:

https://launchpad.net/~sergiodj/+archive/ubuntu/strongswan-bugfix/+packages

autopkgtest is still OK:

autopkgtest [14:54:23]: @@@@@@@@@@@@@@@@@@@@ summary
admin-strongswan-charon PASS
admin-strongswan-starter PASS
daemon PASS
plugins PASS
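
The atexit() ordering described in the proposal above, reduced to a stand-alone C program (an added example, not code from strongSwan, OpenSSL or this merge proposal). The names lib_cleanup, app_deinit and exit_order are hypothetical, lib_alive stands in for OpenSSL's internal state, and the pre-patch case only records the late access that crashes in the real binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

static int log_fd = -1;        /* pipe to the parent; handlers report here */
static int lib_alive;          /* stands in for the crypto library's global state */
static int unload_in_destroy;  /* 1 = pre-patch destroy(), 0 = patched destroy() */

static void emit(const char *s) { if (write(log_fd, s, strlen(s)) < 0) _exit(2); }

/* Registered by the library on first use, like OpenSSL's own exit handler. */
static void lib_cleanup(void) { lib_alive = 0; emit("lib_cleanup;"); }

/* Registered by the executable early in main() to destroy its plugins. */
static void app_deinit(void)
{
    if (unload_in_destroy)  /* pre-patch: plugin destroy touches library objects */
        emit(lib_alive ? "unload_ok;" : "unload_after_cleanup;");
    emit("app_deinit;");
}

/* Run the exit sequence in a child and return the order the handlers ran in. */
const char *exit_order(int pre_patch)
{
    static char buf[128];
    size_t len = 0; ssize_t n;
    int p[2]; pid_t pid;
    fflush(NULL);                        /* avoid duplicated stdio output in child */
    if (pipe(p) != 0 || (pid = fork()) < 0) return "error";
    if (pid == 0) {
        close(p[0]); log_fd = p[1]; unload_in_destroy = pre_patch;
        atexit(app_deinit);              /* executable registers its handler first */
        lib_alive = 1;                   /* plugin load initializes the library ... */
        atexit(lib_cleanup);             /* ... which registers its handler later */
        exit(0);                         /* handlers run in reverse order */
    }
    close(p[1]);
    while ((n = read(p[0], buf + len, sizeof(buf) - 1 - len)) > 0) len += (size_t)n;
    buf[len] = '\0';
    close(p[0]); waitpid(pid, NULL, 0);
    return buf;
}

int main(void)
{
    printf("pre-patch: %s\n", exit_order(1));
    printf("patched:   %s\n", exit_order(0));
}
```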

Simon Déziel (sdeziel) wrote :

LGTM and I confirmed your package to work, thanks!

review: Approve (drive-by ;))
Sergio Durigan Junior (sergiodj) wrote :

On Friday, March 18 2022, Simon Déziel wrote:

> LGTM and I confirmed your package to work, thanks!

Thank you, Simon!

Uploaded:

$ dput strongswan_5.9.5-2ubuntu2_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/strongswan/strongswan_5.9.5-2ubuntu2_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/strongswan/strongswan_5.9.5-2ubuntu2.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading strongswan_5.9.5-2ubuntu2.dsc: done.
  Uploading strongswan_5.9.5-2ubuntu2.debian.tar.xz: done.
  Uploading strongswan_5.9.5-2ubuntu2_source.buildinfo: done.
  Uploading strongswan_5.9.5-2ubuntu2_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 8d263b9..7a68e26 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
7+
8+ * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
9+ segmentation fault; don't access OpenSSL objects inside atexit()
10+ handlers. (LP: #1964977)
11+
12+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 18 Mar 2022 14:24:34 -0400
13+
14 strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
15
16 * Merge with Debian unstable. Remaining changes:
17diff --git a/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch b/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch
18new file mode 100644
19index 0000000..c40972f
20--- /dev/null
21+++ b/debian/patches/lp1964977-fix-ipsec-pki-segfault.patch
22@@ -0,0 +1,89 @@
23+From: Tobias Brunner <tobias@strongswan.org>
24+Date: Wed, 23 Feb 2022 17:29:02 +0100
25+Subject: openssl: Don't unload providers
26+
27+There is a conflict between atexit() handlers registered by OpenSSL and
28+some executables (e.g. swanctl or pki) to deinitialize libstrongswan.
29+Because plugins are usually loaded after atexit() has been called, the
30+handler registered by OpenSSL will run before our handler. So when the
31+latter destroys the plugins it's a bad idea to try to access any OpenSSL
32+objects as they might already be invalid.
33+
34+Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.")
35+Closes strongswan/strongswan#921
36+
37+Origin: upstream, https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524
38+Bug: https://github.com/strongswan/strongswan/issues/921
39+Bug: https://github.com/openssl/openssl/issues/15915
40+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1964977
41+Applied-Upstream: 6.0dr14
42+---
43+ src/libstrongswan/plugins/openssl/openssl_plugin.c | 27 +++-------------------
44+ 1 file changed, 3 insertions(+), 24 deletions(-)
45+
46+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
47+index c93ea60..f1d0ad8 100644
48+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
49++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
50+@@ -16,7 +16,6 @@
51+
52+ #include <library.h>
53+ #include <utils/debug.h>
54+-#include <collections/array.h>
55+ #include <threading/thread.h>
56+ #include <threading/mutex.h>
57+ #include <threading/thread_value.h>
58+@@ -74,13 +73,6 @@ struct private_openssl_plugin_t {
59+ * public functions
60+ */
61+ openssl_plugin_t public;
62+-
63+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
64+- /**
65+- * Loaded providers
66+- */
67+- array_t *providers;
68+-#endif
69+ };
70+
71+ /**
72+@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int,
73+ METHOD(plugin_t, destroy, void,
74+ private_openssl_plugin_t *this)
75+ {
76+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
77+- OSSL_PROVIDER *provider;
78+- while (array_remove(this->providers, ARRAY_TAIL, &provider))
79+- {
80+- OSSL_PROVIDER_unload(provider);
81+- }
82+- array_destroy(this->providers);
83+-#endif /* OPENSSL_VERSION_NUMBER */
84+-
85+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
86+ * can't call it as we couldn't re-initialize the library (as required by the
87+ * unit tests and the Android app) */
88+@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create()
89+ DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
90+ return NULL;
91+ }
92+- array_insert_create(&this->providers, ARRAY_TAIL, fips);
93+ /* explicitly load the base provider containing encoding functions */
94+- array_insert_create(&this->providers, ARRAY_TAIL,
95+- OSSL_PROVIDER_load(NULL, "base"));
96++ OSSL_PROVIDER_load(NULL, "base");
97+ }
98+ else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
99+ TRUE, lib->ns))
100+ {
101+ /* load the legacy provider for algorithms like MD4, DES, BF etc. */
102+- array_insert_create(&this->providers, ARRAY_TAIL,
103+- OSSL_PROVIDER_load(NULL, "legacy"));
104++ OSSL_PROVIDER_load(NULL, "legacy");
105+ /* explicitly load the default provider, as mentioned by crypto(7) */
106+- array_insert_create(&this->providers, ARRAY_TAIL,
107+- OSSL_PROVIDER_load(NULL, "default"));
108++ OSSL_PROVIDER_load(NULL, "default");
109+ }
110+ ossl_provider_names_t data = {};
111+ OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
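Review bot: In openssl_plugin_create(), the results of OSSL_PROVIDER_load(NULL, "base"), OSSL_PROVIDER_load(NULL, "legacy") and OSSL_PROVIDER_load(NULL, "default") are discarded, so a provider that fails to load goes unnoticed, while the FIPS provider just above is checked and reported with DBG1. Consider testing each call for NULL and logging it the same way. In destroy(), the removed unload loop leaves no comment saying that providers are deliberately kept loaded; one line pointing at the atexit() ordering conflict from the commit message would keep a later cleanup from reintroducing OSSL_PROVIDER_unload(). Since the remaining comment there says the unit tests and the Android app re-initialize the library, it is also worth confirming that repeated openssl_plugin_create() calls without a matching unload are acceptable.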
112diff --git a/debian/patches/series b/debian/patches/series
113index c72895f..31ba246 100644
114--- a/debian/patches/series
115+++ b/debian/patches/series
116@@ -3,3 +3,4 @@
117 03_systemd-service.patch
118 04_disable-libtls-tests.patch
119 dont-load-kernel-libipsec-plugin-by-default.patch
120+lp1964977-fix-ipsec-pki-segfault.patch
