Feature #1534

Add support for OpenSSL 1.1.0

Added by Yves-Alexis Perez about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: libstrongswan
Target version:
Start date: 26.06.2016
Due date:
Estimated time:
Resolution: Fixed

Description

Hi,

I just had a report from Debian OpenSSL maintainers, saying that strongSwan didn't build with the about-to-be-released OpenSSL 1.1.0 (because of API changes).

Downstream report is at http://bugs.debian.org/828561 and an example build log is at https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/strongswan_5.4.0-1_amd64-20160529-1540

openssl-1.1-5.4.0.patch (37 KB) openssl-1.1-5.4.0.patch Tobias Brunner, 28.06.2016 16:11
strongswan_5.4.0-3_amd64.build (390 KB) strongswan_5.4.0-3_amd64.build Yves-Alexis Perez, 28.06.2016 23:14
openssl-1.1-5.4.0v2.patch (40.4 KB) openssl-1.1-5.4.0v2.patch Tobias Brunner, 29.06.2016 10:04

History

#1 Updated by Tobias Brunner about 4 years ago

  • Tracker changed from Issue to Feature
  • Subject changed from Build failure with OpenSSL 1.1.0 to Add support for OpenSSL 1.1.0
  • Category set to libstrongswan
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.0

Thanks for the report. Looks like they changed the API quite a bit. I pushed several fixes to the openssl-1.1 branch. Not sure how far back these work, the oldest version I tested was 1.0.1 (Ubuntu 12.04). But I guess older versions should not be in use anyway due to security concerns.

#2 Updated by Yves-Alexis Perez about 4 years ago

Tobias Brunner wrote:

Thanks for the report. Looks like they changed the API quite a bit. I pushed several fixes to the openssl-1.1 branch. Not sure how far back these work, the oldest version I tested was 1.0.1 (Ubuntu 12.04). But I guess older versions should not be in use anyway due to security concerns.

Thanks. I'll try to test it. It doesn't seem to apply against 5.4.0 unfortunately, so I'll try just the openssl-1.1 branch. 5.5 is supposedly due in 13 days, do you think it'll be out on time? I'm unsure when OpenSSL 1.1.0 is supposed to enter Debian unstable but I don't really think backporting to 5.4 really makes sense.

#3 Updated by Tobias Brunner about 4 years ago

It doesn't seem to apply against 5.4.0 unfortunately, so I'll try just the openssl-1.1 branch.

I've force-pushed the branch with some small updates. I also attached a patch that applies to 5.4.0.

5.5 is supposedly due in 13 days, do you think it'll be out on time?

I think so, we'll soon do the RC.

I'm unsure when OpenSSL 1.1.0 is supposed to enter Debian unstable but I don't really think backporting to 5.4 really makes sense.

The conflicts were due to some updates regarding BoringSSL and were quite easy to resolve (some of these changes are just included now in the patch).

#4 Updated by Yves-Alexis Perez about 4 years ago

I've tried the patch, for now against libssl 1.0. It built fine, but I have failures at load time:


juin 28 21:30:30 scapa charon[3406]: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 4.5.0-2-grsec-amd64, x86_64)
juin 28 21:30:30 scapa charon[3406]: 00[LIB] plugin 'openssl' failed to load: /usr/lib/ipsec/plugins/libstrongswan-openssl.so: undefined symbol: X509v3_addr_is_canonical
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:libcharon-sa-managers
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
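As an added example (not part of the report above and not strongSwan code), a small Python check that scans charon's startup output for plugin load failures and unmet feature dependencies, and separates the real gap from the transitive fallout. It is run here over the lines from the comment above, embedded as a constructed sample; the only assumption is the message format visible in those lines.

```python
import re
from collections import defaultdict

# Constructed sample: the charon startup lines quoted in the comment above.
SAMPLE_LOG = """\
juin 28 21:30:30 scapa charon[3406]: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 4.5.0-2-grsec-amd64, x86_64)
juin 28 21:30:30 scapa charon[3406]: 00[LIB] plugin 'openssl' failed to load: /usr/lib/ipsec/plugins/libstrongswan-openssl.so: undefined symbol: X509v3_addr_is_canonical
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:libcharon-sa-managers
juin 28 21:30:30 scapa charon[3406]: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
"""

# "plugin 'X' failed to load: <path>: <dlopen error text>"
LOAD_FAIL_RE = re.compile(
    r"plugin '(?P<plugin>[^']+)' failed to load: (?P<path>\S+): (?P<reason>.*)$")
# "feature F in critical plugin 'P' has unmet dependency: D"
UNMET_RE = re.compile(
    r"feature (?P<feature>\S+) in critical plugin '(?P<plugin>[^']+)' "
    r"has unmet dependency: (?P<dep>\S+)$")
UNDEF_SYM_RE = re.compile(r"undefined symbol: (?P<symbol>\w+)")


def parse_charon_log(text):
    """Return (failed_plugins, unmet): failed_plugins maps plugin name ->
    {'path', 'reason', 'symbol'}; unmet maps a feature -> list of the
    dependencies it is missing."""
    failed = {}
    unmet = defaultdict(list)
    for line in text.splitlines():
        m = LOAD_FAIL_RE.search(line)
        if m:
            sym = UNDEF_SYM_RE.search(m.group("reason"))
            failed[m.group("plugin")] = {
                "path": m.group("path"),
                "reason": m.group("reason"),
                "symbol": sym.group("symbol") if sym else None,
            }
            continue
        m = UNMET_RE.search(line)
        if m:
            unmet[m.group("feature")].append(m.group("dep"))
    return failed, dict(unmet)


def root_causes(unmet):
    """Missing dependencies that are not themselves reported as broken features.
    These are the actual gaps (here: the SHA1 hasher the openssl plugin would
    have provided); everything else is transitive fallout."""
    broken = set(unmet)
    return {dep for deps in unmet.values() for dep in deps if dep not in broken}


def summarize(text):
    """Findings a startup monitor could alert on, one string each."""
    failed, unmet = parse_charon_log(text)
    findings = []
    for name, info in failed.items():
        why = f"undefined symbol {info['symbol']}" if info["symbol"] else info["reason"]
        findings.append(f"plugin '{name}' failed to load ({why})")
    roots = root_causes(unmet)
    if roots:
        findings.append("critical features lack: " + ", ".join(sorted(roots))
                        + f" ({len(unmet)} features affected)")
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

On the sample this reports one failed plugin (openssl, undefined symbol X509v3_addr_is_canonical) and one root gap (HASHER:HASH_SHA1) behind the three affected critical features; a build that links but fails at dlopen time is exactly the case a post-upgrade check of charon's log catches before the daemon is relied on.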

#5 Updated by Yves-Alexis Perez about 4 years ago

The naive patch:

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 6c963f0..b805789 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -876,7 +876,11 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
         return;
     }

+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
     afi = X509v3_addr_get_afi(fam);
+#else
+    afi = v3_addr_get_afi(fam);
+#endif
     switch (afi)
     {
         case IANA_AFI_IPV4:
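Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` around `afi = X509v3_addr_get_afi(fam);` only covers the rename between 1.0.x and 1.1.0; it assumes one of the two spellings is always exported, but the load failure in #4 (`undefined symbol: X509v3_addr_is_canonical`) and comment #7 show OpenSSL packages built with `OPENSSL_NO_RFC3779`, where neither name exists and the plugin still fails to load. Suggest guarding the ipAddrBlock code with `#ifndef OPENSSL_NO_RFC3779` in addition to (or instead of) the version test, and mapping the names with macros next to the existing fallbacks rather than repeating the version check at each call site.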
@@ -897,7 +901,11 @@ static void parse_ipAddrBlock_ext_fam(private_openssl_x509_t *this,
     for (i = 0; i < sk_IPAddressOrRange_num(list); i++)
     {
         aor = sk_IPAddressOrRange_value(list, i);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
         if (X509v3_addr_get_range(aor, afi, from.ptr, to.ptr, from.len) > 0)
+#else
+        if (v3_addr_get_range(aor, afi, from.ptr, to.ptr, from.len) > 0)
+#endif
         {
             ts = traffic_selector_create_from_bytes(0, type, from, 0, to, 65535);
             if (ts)
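Review bot: the `#if`/`#else` inside the loop duplicates the whole five-argument call, `if (X509v3_addr_get_range(aor, afi, from.ptr, to.ptr, from.len) > 0)` and its `v3_addr_get_range` twin, so any later change to the arguments has to be made twice. A single compatibility alias defined once for pre-1.1.0 builds (for example `#define X509v3_addr_get_range v3_addr_get_range` under the version check) would leave one copy of the condition here and in the other two hunks.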
@@ -923,7 +931,11 @@ static bool parse_ipAddrBlock_ext(private_openssl_x509_t *this,
         return FALSE;
     }

+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
     if (!X509v3_addr_is_canonical(blocks))
+#else
+    if (!v3_addr_is_canonical(blocks))
+#endif
     {
         sk_IPAddressFamily_free(blocks);
         return FALSE;
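Review bot: `X509v3_addr_is_canonical` is the exact symbol the #4 log could not resolve, and both branches of this `#if` still reference the function unconditionally, so a libcrypto built without RFC 3779 cannot load the plugin whatever its version number says. Since this function already returns FALSE when the extension cannot be parsed (the `return FALSE;` context just above), consider compiling the whole ipAddrBlock parser out under `OPENSSL_NO_RFC3779` and returning FALSE there, so the rest of the plugin (including the SHA1 hasher that the critical charon features in #4 depend on) remains available on such builds.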

seems to work around the issue but I'm not sure it's the best way to do it.

#6 Updated by Yves-Alexis Perez about 4 years ago

Building against 1.1 fails with the attached log.

#7 Updated by Tobias Brunner about 4 years ago

Thanks for the feedback.

juin 28 21:30:30 scapa charon[3406]: 00[LIB] plugin 'openssl' failed to load: /usr/lib/ipsec/plugins/libstrongswan-openssl.so: undefined symbol: X509v3_addr_is_canonical

Ah, interesting. Didn't realize that Ubuntu's OpenSSL packages are compiled with OPENSSL_NO_RFC3779 (at least in 12.04 and 14.04). I've added some macros where the other fallbacks are defined.

Building against 1.1 fails with the attached log.

That's one of the things I fixed when adding support for BoringSSL; it didn't make it into the patch above, which only included the changes from the openssl-1.1 branch (plus conflicts). I added a new patch that includes all changes to the openssl plugin since 5.4.0.
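As an added check (not from this thread and not strongSwan's code), a Python probe that asks the installed libcrypto which of the two RFC 3779 name generations it actually exports. This tells a packager apart the plain rename case (v3_addr_* on 1.0.x versus X509v3_addr_* on 1.1.0, which the patch in #5 handles) from a build with OPENSSL_NO_RFC3779, where neither exists and only compiling the code out helps. The three name pairs are taken from the patch in #5; locating libcrypto through ctypes.util.find_library is an assumption, and the pure classification functions can be exercised on constructed symbol sets without any OpenSSL installed.

```python
import ctypes
import ctypes.util

# The RFC 3779 (IP address block) helpers by OpenSSL generation, as named in
# the patch in comment #5: 1.0.x exported v3_addr_*, 1.1.0 renamed them.
RFC3779_SYMBOLS = {
    "1.0": ("v3_addr_get_afi", "v3_addr_get_range", "v3_addr_is_canonical"),
    "1.1": ("X509v3_addr_get_afi", "X509v3_addr_get_range", "X509v3_addr_is_canonical"),
}


def classify_rfc3779(exported):
    """Given the set of symbol names a libcrypto exports, report which API
    generation a plugin can link against: '1.1', '1.0', or 'none' (a build
    with OPENSSL_NO_RFC3779, where neither spelling is present)."""
    exported = set(exported)
    for gen in ("1.1", "1.0"):
        if all(name in exported for name in RFC3779_SYMBOLS[gen]):
            return gen
    return "none"


def missing_rfc3779(exported, gen):
    """Names expected for generation `gen` that are absent. A non-empty result
    for both generations means a version gate alone cannot make the plugin
    load; the calling code has to be compiled out instead."""
    exported = set(exported)
    return tuple(name for name in RFC3779_SYMBOLS[gen] if name not in exported)


def probe_libcrypto(path=None):
    """Ask the dynamic loader for the real thing. `path` defaults to whatever
    ctypes.util.find_library('crypto') resolves; assumption: that is the same
    libcrypto the strongSwan plugin would be loaded against."""
    path = path or ctypes.util.find_library("crypto")
    if not path:
        raise RuntimeError("libcrypto not found; pass an explicit path")
    lib = ctypes.CDLL(path)
    # CDLL raises AttributeError for a symbol the library does not export,
    # so hasattr() is a direct "is this name resolvable" test.
    exported = {name for names in RFC3779_SYMBOLS.values() for name in names
                if hasattr(lib, name)}
    return path, exported


if __name__ == "__main__":
    path, exported = probe_libcrypto()
    gen = classify_rfc3779(exported)
    print(f"{path}: RFC 3779 API generation = {gen}")
    if gen == "none":
        print("no v3_addr_*/X509v3_addr_* symbols exported: an OPENSSL_NO_RFC3779 "
              "build; the ipAddrBlock code must be compiled out, not just renamed")
```

Run against a distribution's libcrypto before building the plugin, the result says which of the three outcomes to expect at load time; a "none" result is the situation comment #7 describes for the Ubuntu packages.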

#8 Updated by Yves-Alexis Perez about 4 years ago

Thanks! New patch seems to work fine indeed.

#9 Updated by Tobias Brunner about 4 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed

OK, great. I've merged the changes to master.
