MRE Updates 2.5.9 / 2.4.12

Hello Lena, or anyone else affected,

Accepted openvpn into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.5.8-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Jammy mp was uploaded early on accident without MRE approval. Marking block-proposed until the MRE at https://wiki.ubuntu.com/OpenVPNUpdates is accepted

For what it's worth, upgrading a Jammy client (2.5.5 -> 2.5.8) went well:

$ tail -n5 /var/log/apt/history.log
Start-Date: 2023-05-08 18:49:20
Commandline: apt-get install openvpn
Requested-By: sdeziel (1000)
Upgrade: openvpn:amd64 (2.5.5-1ubuntu3.1, 2.5.8-0ubuntu0.22.04.1)
End-Date: 2023-05-08 18:49:22

My single VPN config works the same as before. It uses TLS 1.3 + tls-crypt + client cert and client username/password.

Lena, based on the history here, is there a reason we don't want to go ahead with releasing 2.5.8 which has been in -proposed for a while and has had some user testing, before moving to 2.5.9?

If the changes in 2.5.9 are safe and appropriate, the subset of changes in 2.5.8 should be safer, right?

There’s no reason not to release 2.5.8 first now that the SRU exception for Jammy specifically has been agreed upon. I can unblock it from proposed now.

Also autopkgtests are still succeeding, and my test install is working as intended. So I’ll mark it as verified to.

I went over the changes in openvpn since 2.5.5 all the way to 2.5.9, and I have concerns over this one in particular, in 2.5.7:

    The OpenSSL engine feature ``--engine`` is not enabled by default
    anymore if OpenSSL 3.0 is detected.

And a quick runtime check of 2.5.5 and 2.5.8 (which we have in jammy-proposed at the moment), shows:

2.5.5 (jammy-updates):
$ sudo openvpn --show-engines
OpenSSL Crypto Engines

Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]

2.5.8 (jammy-proposed):
$ sudo openvpn --show-engines
Sorry, OpenSSL hardware crypto engine functionality is not available.

There is a new configure option that could be used to re-enable engines it seems:

  --with-openssl-engine enable engine support with OpenSSL. Default enabled
                          for OpenSSL < 3.0, auto,yes,no [default=auto]

We are not using it in our d/rules, so the default takes place which disables engines.

Now, AFAIK engines are indeed deprecated (disabled?) in openssl 3, and enabling them again with the option above might be an error.

Furthermore, I'm not sure if engines in 2.5.5 with openssl 3 are even working. We had a similar case with a squid SRU[1], where using engines with openssl 3 was an error, and later was made more explicit that it was disabled.

So I guess the way forward here is to check whether openvpn 2.5.5 (jammy-updates) could be using openssl 3 engines, correctly. If not, then this aspect of the SRU would not introduce a regression per se. If, however, engines were available and usable there, then we have to evaluate pros and cons of disabling it as upstream wants, or enabling it via --with-openssl-engine and test that it keeps working.

There are other items from the release notes that I wanted to check, but since I stumbled on the above one first, I didn't yet. They are, from 2.5.7:

- "fix client-pending-auth error msg to say ERROR instead of SUCCESS". I assume it's just a string change, and not an actual exit status.
- "Translate openssl 3 digest names to openssl 1.1 ones". Would this impact algorithm names used in configuration files and command-line options?

1. https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.1

I'll mark jammy as incomplete pending this investigation from the previous comment.

I tested openssl engine compatibility with 3.0 using rdrand and it does seem to work still prior to the update. I also tested the update with --with-openssl-engine=yes though and the original functionality is maintained. I have a ppa for that here:

https://launchpad.net/~lvoytek/+archive/ubuntu/openvpn-allow-engine

I'm not sure the rdrand engine is a good test. I was thinking about:

- install the pkcs11 engine: sudo apt install libengine-pkcs11-openssl
- enable it in /etc/ssl/openssl.cnf:
--- /etc/ssl/openssl.cnf.orig 2023-09-25 12:20:32.101311003 +0000
+++ /etc/ssl/openssl.cnf 2023-09-24 15:20:39.949764703 +0000
@@ -53,6 +53,15 @@
 [openssl_init]
 providers = provider_sect
 ssl_conf = ssl_sect
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+MODULE_PATH = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
+init = 0

 # List of providers to load
 [provider_sect]

- confirm it's available:
$ openssl list -engines
Engines:
rdrand
dynamic
pkcs11 <---

- tell openvpn to use it. This is the big one. With the version in jammy currently (2.5.5-1ubuntu3.1), at least pkcs11 is now listed:

$ openvpn --show-engines
OpenSSL Crypto Engines

Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
pkcs11 engine [pkcs11]

But I don't know yet how to use it. The idea would be to setup an openvpn peer with a certificate for authentication, but using the pkcs11 engine on that side. This involves smart cards, or software emulation of SCs, like done in the libp11 dep8 engine test perhaps. I tried with TPM, but the TPM openssl engine is not working (even found a bug in LP about it), and was deprecated in favor of the TPM provider, which works.

I'll see if I can find some time to try to set this up, but also feel free to start without me :)

This is the last step in that libp11 dep8 test[1] that we need: generate the certificate request:

echo "With openssl engine, generate a certificate request with the RSA key in the softhsm2 token"
OPENSSL_CONF="${ssl_cnf}" openssl \
    req -engine pkcs11 -new -key "${URI};object=test-key;pin-value=${PIN}" \
    -keyform engine -out ${req_pem} -text -x509 -subj "/${SUBJECT}"

Then we need to go back to the openvpn ca (presumably created with easy-rsa), sign this request, and the resulting signed cert is what has to be used in the openvpn client. And then see what openvpn does with it.

1. https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine?h=applied/ubuntu/devel

Alright, added an mp that maintains behavior for openssl engines here:
https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/452307

As for the other two commits: I can confirm "fix client-pending-auth error msg to say ERROR instead of SUCCESS" is just a string change that doesn't modify the return value which stays as the value of (*man->persist.callback.client_pending_auth)(man->persist.callback.arg, cid, extra), and is not created dynamically from the string.

"Translate openssl 3 digest names to openssl 1.1 ones" won't cause issues for existing config files as their names are still accepted. If new openssl3 names are used now though they will be accepted as the correct equivalent value using a translation table.

I asked on IRC:

> It sounds like Andreas was expecting a PKCS #11 based test to ensure that the engine support doesn't regress, but I don't see any further plans on that in the bug. For example, was someone planning on verifying this first, or adding it to the Test Plan? Are you expecting something different?

Andreas said he'd take a look.

I did the testing from comment #11 with the openvpn build that still had engines disabled, and couldn't get it to fail. It also kept working with the new build resulting from [1] (tested with a ppa).

I'm writing a simple test script to use for this SRU, and potentially add it as a DEP8 at some later point. I'll attach it to this bug when ready, and update the test plan. Even though the script hasn't flagged a failure in the previous openvpn build (without openssl3 engine support), I think it's still useful and shows that there is no regression in that area with the changes we are proposing in this SRU.

1. https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/452307

I created a DEP8 test[1] and am currently testing it in a PPA[2] build. It passed locally, and failed when openvpn didn't have openssl engine support.

We'll see if we will decide to include it as a proper DEP8 test, or, for this specific SRU, run it manually. I still want to test it in focal.

1. https://git.launchpad.net/~ahasenack/ubuntu/+source/openvpn/commit/?id=409fa30836447a76a0547f422702593ee04a5c5c
2. https://launchpad.net/~ahasenack/+archive/ubuntu/openvpn-pkcs11-dep8/+packages

Test script to use openvpn with a pkcs11 engine.

First install dependencies:
sudo apt install openvpn easy-rsa openssl opensc-pkcs11 gnutls-bin softhsm2 dpkg-dev libengine-pkcs11-openssl expect

Then run the script, saving the log:

sudo ./vpn-setup-with-pkcs11 2>&1 | tee log

In focal that script doesn't work, the engine path is engines-1.1 instead of engines-3, but openssl still crashes after that change when generating the certificate request. I would either find out what's wrong, or use another method to generate the certificate request. With certtool perhaps, instead of openssl.

But if memory serves correctly, there was no engine-related change in openvpn for focal, that change was just in the jammy series, right?

I updated the test plan with the jammy-specific pkcs11 test.

Regarding comment #16, focal does not need that test script to run, because where is no openssl3 engine disabling happening there. Focal doesn't have openssl3.

Hello Lena, or anyone else affected,

Accepted openvpn into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.5.9-0ubuntu0.22.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Lena, or anyone else affected,

Accepted openvpn into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.12-0ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Not an official verification but just a "it works for me" on Jammy:

# apt-get install -t jammy-proposed openvpn
...
The following packages will be upgraded:
   openvpn (2.5.8-0ubuntu0.22.04.1 => 2.5.9-0ubuntu0.22.04.2)
...

Note that I was already running the older -proposed version (2.5.8-0ubuntu0.22.04.1) which was working well.

This new -proposed version (2.5.9-0ubuntu0.22.04.2) worked equally well for me when I tested it with `systemctl start openvpn-client@foo` to connects to a private VPN endpoint. The NM client integration also had not problem connecting to Canonical VPN servers. Thanks Lena and Andreas!

Thanks Simon for helping to verify the new version in Jammy!

Verified for focal and jammy:

autopkgtests succeeding:
jammy - https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/o/openvpn/20231122_030456_ef36f@/log.gz
focal - https://autopkgtest.ubuntu.com/results/autopkgtest-focal/focal/amd64/o/openvpn/20231122_022726_eb3f6@/log.gz

jammy test for engines:

$ lxc launch ubuntu:jammy test-openvpn-jammy --vm
$ lxc shell test-openvpn-jammy

# apt update && apt dist-upgrade -y
# apt install wget openvpn easy-rsa openssl opensc-pkcs11 gnutls-bin softhsm2 dpkg-dev libengine-pkcs11-openssl expect -y
# wget https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/+attachment/5714185/+files/vpn-setup-with-pkcs11
# chmod +x vpn-setup-with-pkcs11
# ./vpn-setup-with-pkcs11

...
## All good, stopping client and server services
## Done.

# echo $?
0

The verification of the Stable Release Update for openvpn has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openvpn - 2.4.12-0ubuntu0.20.04.1

---------------
openvpn (2.4.12-0ubuntu0.20.04.1) focal; urgency=medium

  * New upstream releases 2.4.8-2.4.12 (LP: #2004676)
    - The version is being updated to the latest in 2.4.x rather than 2.6.x to
      avoid feature releases and focus on bug fixes
    - Updates:
      + Support compiling with OpenSSL 1.1 without deprecated APIs
      + Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
      + Client will now announce the acceptable ciphers to the server
        (IV_CIPHER=...), so NCP cipher negotiation works better
    - Bug Fixes Include:
      + CVE-2020-11810
      + CVE-2020-15078
      + CVE-2022-0547
      + Fix "--mtu-disc maybe|yes"
      + Fix argv leaks in add_route() and add_route_ipv6()
      + Ensure the current common_name is in the environment for scripts
      + Apply connect-retry backoff only to one side of the connection for p2p
      + Fix PIN querying in systemd environments
      + Fix condition where a client's session could float to a new IP address
        that is not authorized
      + Fix combination of async push and NCP
      + Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
      + Fix broken fragmentation logic when using NCP
      + Fix handling of 'route remote_host' for IPv6 transport case
      + Fix fatal error at switching remotes
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 for
        additional bug fixes and information
  * Remove patches fixed upstream:
    - fix-pkcs11-helper-hang.patch
    - increase-listen-backlog-queue-to-32.patch
      [Included in upstream release 2.4.8]
    - CVE-2020-11810.patch
      [Included in upstream release 2.4.9]
    - CVE-2020-15078.patch
      [Included in upstream release 2.4.11]
    - CVE-2022-0547.patch
      [Included in upstream release 2.4.12]
  * Add DEP-8 tests from later releases
    - d/t/server-setup-with-static-key: test the OpenVPN server side setup
      using a static key.
    - d/t/server-setup-with-ca: test the OpenVPN server side setup using a
      CA built with easy-rsa.
    - The tests match those seen in Jammy and later with the exception of
      checking for /sbin/ip commands instead of net_... commands

 -- Lena Voytek <email address hidden> Mon, 21 Aug 2023 11:08:59 -0700

This bug was fixed in the package openvpn - 2.5.9-0ubuntu0.22.04.2

---------------
openvpn (2.5.9-0ubuntu0.22.04.2) jammy; urgency=medium

  * d/rules: Use --with-openssl-engine=yes during configuration to maintain the
    existing behavior of technically allowing openssl engine access in jammy.
    For more information see
    https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/comments/6

openvpn (2.5.9-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream release 2.5.9 (LP: #2004676):
    - The version is being updated to the latest in 2.5.x rather than 2.6.x to
      avoid feature releases and focus on bug fixes
    - Updates:
      + Allow optional ciphers in --data-ciphers
    - Bug Fixes Include:
      + Fix null pointer error when running openvpn --show-tls with mbedtls
      + Fix corner case that could lead to leaked file descriptor
      + Fix parsing issue in pull-filter when there are leading spaces
      + Fix possible buffer overflow in parse_line argument
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for
        additional bug fixes and information

openvpn (2.5.8-0ubuntu0.22.04.1) jammy; urgency=medium

  * New upstream releases 2.5.6-2.5.8 (LP: #2004676):
    - The version is being updated to the latest in 2.5.x rather than 2.6.x to
      avoid feature releases and focus on bug fixes
    - Updates:
      + OpenSSL3 support
      + pkcs11-helper upgrade to 1.28.4
      + allow running a default configuration with TLS libraries without BF-CBC
    - Bug Fixes Include:
      + CVE-2022-0547
      + Fix potential memory leaks in add_route() and add_route_ipv6()
      + Fix PATH_MAX build failure in auth-pam.c
      + Fix using --auth-token together with --management-client-auth
      + Fix clearing of username+password when using --auth-nocache
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for
        additional bug fixes and information
  * Remove patches fixed upstream:
    - d/p/CVE-2022-0547.patch
      [Included in upstream release 2.5.6]
    - d/p/openssl-3/0001-Add-insecure-tls-cert-profile-options.patch
    - d/p/openssl-3/0002-Refactor-early-initialisation-and-uninitialisation-
      into-methods.patch
    - d/p/openssl-3/0003-Allow-loading-of-non-default-providers.patch
    - d/p/openssl-3/0004-Fix-allowing-showing-unsupported-ciphers-digests.patch
    - d/p/openssl-3/0005-Add-message-when-decoding-PKCS12-file-fails.patch
    - d/p/openssl-3/0006-Translate-OpenSSL-3.0-digest-names-to-OpenSSL-1.1-
      digest-names.patch
     [Included in upstream release 2.5.7]
    - d/p/openssl-3/0007-Allow-running-a-default-configuration-with-TLS-
      libraries-without-BF-CBC.patch
    - d/p/match-manpage-and-command-help.patch
      [Included in upstream release 2.5.8]

 -- Lena Voytek <email address hidden> Fri, 29 Sep 2023 16:14:48 -0700