openvpn crashes when run with fips openssl

Hi,
I'm really unsure what the expectation here is now.
This does not contain steps to reproduce the issue nor any suggested changes to make it work better.
Both would be needed.

Also is this actually the code in the main archive or any FIPS special PPA?

Checked on IRC, there are debdiff, testing data, etc...
Please set back to new once that was made available.

Thanks for the first update, when you attach the rest of the test data please make sure to not only add words like "comprised establishing a tls connection between an openvpn client and server" but more like:
#1 fresh container
$ command 1
$ command 2
<result>

build log for disco: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743680

debdiff.disco

testcase-data contains some of the data produces as a result of interoperability testing. It is applicable to xenial, bionic and disco.

Hi Christian,

Hopefully the testcase-data file follows what you described. If not, let me know and I can reorganize it for improved readability.

build log for bionic: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743676

build log for xenial: https://launchpad.net/~j-latten/+archive/ubuntu/joyppa/+build/15743720

The xenial patch has additional code. In version 2.3.10, openvpn uses MD5 for PRF and internally for configuration status verification. FIPS 140-2 permits MD5 for PRF, but not as a hash for internal verification. Subsequent versions of openvpn (2.4) was changed upstream to not use MD5, instead uses SHA256. The attached patch provided by atsec uses SHA1 instead of MD5.

2 testcases using same parameters for prior testcases, except that installed FIPS-mode libcrypto.so to test and ensure FIPS-mode libcrypto.so honors the flag to allow MD5 in PRF and does not cause openvpn to segfault because MD5 is missing.

Taking a look

Thanks for all this testing!

Could you please convert the debdiffs into actual merge proposals against openvpn? It's easier to review.

For example, the dep3 header in the xenial patch:
+Description: Use FIPS algos in openvpn
+Bug-Ubuntu:
+Forwarded: not-needed
+Author: Stephan Mueller <email address hidden>
+---
+OpenVPN uses MD5 for (1) internal configuration status verification
+and (2) TLS PRF. MD5 is not allowed in FIPS 140-2. Sending MD5 request
+to FIPS mode openssl causes it to abort or enter error mode.
+OpenVPN needs to use SHA instead of MD5 for internal verification and
+send EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag to openssl when using MD5 for
+PRF to indicate the exception.

a) Bug-Ubuntu should point at this bug url
b) Is there an upstream bug report? If yes, use "Bug: <url>" for it
c) The long description should be under the "Description:" header, indented by one space for each line
d) is there a link to the origin of the patch, like a commit?
e) in xenial the patch switched the internal usage of md5 to sha1, but later versions seem to be using sha256, any idea why not use sha256 in xenial as well, to follow upstream?

Feel free to ping me on irc for assistance with creating the MP. Basically you either:
- install the git-ubuntu snap, and run "git ubuntu clone openvpn". You will get some default branches you can branch off: ubuntu/devel is disco, ubuntu/xenial-devel is xenial, and so on.
- or just go to https://code.launchpad.net/ubuntu/+source/openvpn and clone/branch manually what you need

Applied fixes for above comments. After some team discussion, decided to use sha256 for internal hash rather than sha1 in xenial as well. Internal hash is never communicated externally. Performed additional interoperability testing successfully using same test parameters as previously.

cosmic(with patch) <--> xenial (with patch)
cosmic(with patch) <--> xenial (with patch and in fips mode)
xenial(without patch) <--> xenial(with patch)
xenial(without patch) <--> xenial (with patch and fips mode)
xenial(with patch) <--> xenial (with patch)
xenial (with patch) <--> xenial (with patch and fips mode)
xenial (with patch and fips mode) <--> xenial(with patch and fips mode)

This bug has been reported:
1.Upstream Bug: https://community.openvpn.net/openvpn/ticket/725
2.Suse Bug report: https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch

This bug was fixed in the package openvpn - 2.4.6-1ubuntu3

---------------
openvpn (2.4.6-1ubuntu3) disco; urgency=medium

  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
    (LP: #1807439)

 -- Joy Latten <email address hidden> Wed, 09 Jan 2019 12:25:59 -0600

Hello Joy, or anyone else affected,

Accepted openvpn into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.6-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Joy, or anyone else affected,

Accepted openvpn into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.4.4-2ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Joy, or anyone else affected,

Accepted openvpn into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.3.10-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Accepted, thanks.

For the record, I think it's a little blurry as to whether this is a bugfix or a new (FIPS-related) feature, but regardless I think it clearly qualifies under the "For Long Term Support releases we sometimes want to introduce new features" from a FIPS perspective. I think the record here shows that "these changes are unintrusive, have a minimal regression potential, and have been tested properly", subject to the usual SRU verification.

On the SRU verification point, please make sure to test again that everything works correctly with both FIPS and non-FIPS openssl, and again report the testing matrix here, including the package versions used.

Thanks!

Oh, and a special thanks for explaining clearly all the details in the bug description. That got me up to speed quickly and allowed me to review without having to ask any questions!

Hello there!

This bug looks like a really well-done SRU bug - a nice clear test case and justification.

The only thing it's missing now is actually testing the upload! :)

There's another openvpn SRU waiting in the queue now; could someone please do the testing for this so that we can release it into -updates and get the next openvpn into the testing queue.

Thanks!

Testing in progress...

Successfully verified xenial, bionic, and cosmic.

Verified using same test data allowing for interoperability testing between the various releases and with fips for xenial and bionic.

verification done on following:
xenial: openvpn-2.3.10-1ubuntu2.2
bionic: openvpn-2.4.4-2ubuntu1.2
cosmic: openvpn-2.4.6-1ubuntu2.1

The verification of the Stable Release Update for openvpn has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package openvpn - 2.4.6-1ubuntu2.1

---------------
openvpn (2.4.6-1ubuntu2.1) cosmic; urgency=medium

  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
    (LP: #1807439)

 -- Joy Latten <email address hidden> Thu, 10 Jan 2019 13:48:21 -0600

This bug was fixed in the package openvpn - 2.4.4-2ubuntu1.2

---------------
openvpn (2.4.4-2ubuntu1.2) bionic; urgency=medium

  * d/p/openvpn-fips-2.4.patch: Allow MD5 in FIPS mode (openssl) for PRF.
    (LP: #1807439)

 -- Joy Latten <email address hidden> Wed, 09 Jan 2019 15:50:03 -0600

This bug was fixed in the package openvpn - 2.3.10-1ubuntu2.2

---------------
openvpn (2.3.10-1ubuntu2.2) xenial; urgency=medium

  * d/p/openvpn-fips140-2.3.2.patch: Replace MD5 internal hash
    with SHA256 and allow MD5 for PRF. (LP: #1807439)

 -- Joy Latten <email address hidden> Wed, 09 Jan 2019 16:31:45 -0600