[SRU] Strongswan pki creates CA certificates with invalid Key Usage flags
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongSwan | Unknown | Unknown | |
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | High | Lucas Kanashiro |
Bug Description
[Impact]
The strongSwan pki/x509 modules create CA certificates with invalid Key Usage flags when built with GCC 9 or newer. The root cause is in the chunk_from_chars() macro, so the modules mentioned are not the only ones affected: newer compilers may optimize out the assignment, leaving invalid values behind. More information here:
https:/
In the case of CA certificate creation, NSS (validating against the RFC 4945 IPsec profile) rejects the certificate because its Key Usage extension is marked critical yet contains no usage bits.
[Test Case]
$ lxc launch ubuntu-daily:focal strongswan-sru
$ lxc shell strongswan-sru
$ apt update && apt upgrade -y
$ apt install strongswan strongswan-pki -y
# Generate key and certificate
$ pki --gen --type ecdsa --size 384 > strongCAkey.der
$ pki --self --in strongCAkey.der --dn "C=CH, O=strongSwan, CN=strongSwan CA" --ca > strongCAcert.der
# Check the certificate with openssl; note the '....' in the Key Usage extension, which is not valid
$ openssl x509 -inform DER -in strongCAcert.der -noout -text | grep -A3 -B3 'Key Usage'
X509v3 extensions:
X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
X509v3 Subject Key Identifier:
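Added illustration for the [Impact] and [Test Case] sections above; this is not code from strongSwan or from this report. `chunk_t` and `CHUNK_FROM_CHARS` are local stand-ins modelled on libstrongswan's `chunk_t` and `chunk_from_chars()` (the compound-literal form of that macro is my recollection of chunk.h, not quoted from the page), and the byte arrays are standard DER BIT STRING encodings constructed for the example. The C lifetime rule it demonstrates (a compound literal has automatic storage that ends with the enclosing block, C99 6.5.2.5) is certain; that this is the "optimized out assignment" the report refers to is my reading of the upstream fix, which the page does not spell out. The last function is the check a practitioner would apply to the Key Usage value of a freshly generated CA certificate: a critical KeyUsage with no bits set, or without keyCertSign, is what NSS refuses.

```c
/*
 * Added illustration (not strongSwan code): a block-scoped compound literal
 * behind a chunk_from_chars()-style macro, the lifetime bug it invites, the
 * safe pattern, and a check that a DER KeyUsage BIT STRING carries CA bits.
 * chunk_t / CHUNK_FROM_CHARS are local stand-ins; byte values are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t *ptr; size_t len; } chunk_t;

/* The compound literal (uint8_t[]){...} has automatic storage and lives only
 * until the end of the block that contains the macro invocation (C99 6.5.2.5). */
#define CHUNK_FROM_CHARS(...) \
    ((chunk_t){ (uint8_t[]){ __VA_ARGS__ }, sizeof((uint8_t[]){ __VA_ARGS__ }) })

/* KeyUsage bits as they appear in the first content byte of the BIT STRING
 * (bit 0 is the MSB). keyCertSign|cRLSign = 0x06 is what a CA cert needs. */
enum { KU_DIGITAL_SIGNATURE = 0x80, KU_KEY_CERT_SIGN = 0x04, KU_CRL_SIGN = 0x02 };

/* DER BIT STRING: tag 0x03, length, unused-bit count, content bytes. */
static const uint8_t CA_KEY_USAGE[]    = { 0x03, 0x02, 0x01, KU_KEY_CERT_SIGN | KU_CRL_SIGN };
static const uint8_t EE_KEY_USAGE[]    = { 0x03, 0x02, 0x07, KU_DIGITAL_SIGNATURE };
static const uint8_t EMPTY_KEY_USAGE[] = { 0x03, 0x01, 0x00 };   /* no bits at all */

/* BUGGY PATTERN: each literal is created inside an if/else block, so ku.ptr
 * dangles the moment that block ends. A compiler that reuses the stack slot
 * (what the report describes for GCC 9+) hands the caller zeros or garbage,
 * which is then encoded as an empty, critical Key Usage. This is undefined
 * behaviour and is kept only to show the shape; nothing below relies on it. */
chunk_t key_usage_dangling(int is_ca)
{
    chunk_t ku = { NULL, 0 };
    if (is_ca) {
        ku = CHUNK_FROM_CHARS(0x03, 0x02, 0x01, KU_KEY_CERT_SIGN | KU_CRL_SIGN);
    } else {
        ku = CHUNK_FROM_CHARS(0x03, 0x02, 0x07, KU_DIGITAL_SIGNATURE);
    }
    return ku;   /* ku.ptr points into a block that no longer exists */
}

/* FIXED PATTERN: point at storage with static duration, which stays valid
 * for the whole program regardless of which branch selected it. */
chunk_t key_usage_static(int is_ca)
{
    chunk_t ku;
    if (is_ca) {
        ku.ptr = (uint8_t *)CA_KEY_USAGE; ku.len = sizeof(CA_KEY_USAGE);
    } else {
        ku.ptr = (uint8_t *)EE_KEY_USAGE; ku.len = sizeof(EE_KEY_USAGE);
    }
    return ku;
}

/* A BIT STRING with no bits set: the kind of value openssl renders with no
 * usage names, as in the test case above (exact bytes here are constructed). */
chunk_t key_usage_empty(void)
{
    chunk_t ku = { (uint8_t *)EMPTY_KEY_USAGE, sizeof(EMPTY_KEY_USAGE) };
    return ku;
}

/* Decode the first content byte of a DER BIT STRING chunk.
 * Returns -1 if malformed, 0 if the string encodes no bits, else the byte. */
int key_usage_bits(chunk_t ku)
{
    if (ku.len < 3 || ku.ptr[0] != 0x03) return -1;                        /* not a BIT STRING */
    size_t content = ku.ptr[1];
    if (content < 1 || content + 2 > ku.len || ku.ptr[2] > 7) return -1;   /* bad length / unused count */
    if (content == 1) return 0;                                            /* only the unused-bits octet */
    return ku.ptr[3];
}

/* The check NSS effectively applies to a CA certificate's critical KeyUsage:
 * some bit must be set, and keyCertSign must be among them. */
int ca_key_usage_ok(chunk_t ku)
{
    int bits = key_usage_bits(ku);
    return bits > 0 && (bits & KU_KEY_CERT_SIGN) != 0;
}

int main(void)
{
    int bits = key_usage_bits(key_usage_static(1));
    printf("CA Key Usage byte 0x%02x: keyCertSign=%d cRLSign=%d ok=%d\n", bits,
           !!(bits & KU_KEY_CERT_SIGN), !!(bits & KU_CRL_SIGN), ca_key_usage_ok(key_usage_static(1)));
    printf("empty Key Usage: bits=%d ok=%d\n", key_usage_bits(key_usage_empty()),
           ca_key_usage_ok(key_usage_empty()));
    return 0;
}
```

The static-array form is one safe replacement; the upstream patches take whichever route fits each call site, and the point is only that the chunk must not outlive the block that created its storage.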
[Regression Potential]
The upstream patches touch many places in the code base; see:
https:/
A regression caused by this SRU would therefore be expected in one of those modules: pki, x509, libtpmtss, tls-crypto and lgtm. However, the changes are trivial and the risk is low.
[Original Description]
This bug is already fixed in upstream.
For explanation and steps to reproduce see https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: strongswan-pki 5.8.2-1ubuntu3
ProcVersionSign
Uname: Linux 5.4.0-1010-azure x86_64
ApportVersion: 2.20.11-0ubuntu27
Architecture: amd64
CasperMD5CheckR
Date: Wed May 20 12:09:33 2020
ProcEnviron:
TERM=xterm
PATH=(custom, no user)
XDG_RUNTIME_
LANG=C.UTF-8
SHELL=/bin/bash
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- Christian Ehrhardt : Pending requested
- Canonical Server: Pending requested
- Diff: 529 lines (+411/-2) (has conflicts), 9 files modified:
debian/changelog (+19/-0)
debian/control (+61/-2)
debian/libcharon-extra-plugins.maintscript (+11/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
- Christian Ehrhardt (community): Approve
- Lucas Kanashiro (community): Abstain
- Canonical Server: Pending requested
- Diff: 469 lines (+358/-0), 11 files modified:
debian/changelog (+19/-0)
debian/control (+3/-0)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/patches/lp-1879692-1.patch (+75/-0)
debian/patches/lp-1879692-2.patch (+50/-0)
debian/patches/lp-1879692-3.patch (+37/-0)
debian/patches/lp-1879692-4.patch (+42/-0)
debian/patches/lp-1879692-5.patch (+111/-0)
debian/patches/series (+5/-0)
debian/rules (+2/-0)
Changed in strongswan (Ubuntu Focal): | |
status: | New → Triaged |
Changed in strongswan (Ubuntu): | |
status: | Triaged → Fix Released |
Changed in strongswan (Ubuntu Focal): | |
assignee: | nobody → Lucas Kanashiro (lucaskanashiro) |
importance: | Undecided → High |
tags: | added: verification-done verification-done-focal |
tags: | added: verification-done-focal removed: verification-needed-focal |
tags: | added: verification-done removed: verification-needed |
Thanks Alexander for this bug report and for finding the upstream bug report, I linked it to this report.
The bug is fixed upstream, but the required patches are spread across at least 5 commits:
https://git.strongswan.org/?p=strongswan.git&a=search&h=HEAD&st=commit&s=3249
It is not totally straightforward to understand the scope of those changes, but the bug is valid and actionable.