Ubuntu
openvpn package

MRE Updates 2.5.9 / 2.4.12

Bug #2004676 reported by Lena Voytek
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)
Fix Released
Undecided
Unassigned
Focal
In Progress
Undecided
Lena Voytek
Jammy
In Progress
Undecided
Lena Voytek

Bug Description

This bug tracks an update for the OpenVPN package, moving to versions:

* Jammy (22.04): OpenVPN 2.5.9
* Focal (20.04): OpenVPN 2.4.12

Note that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

[Upstream Changes]

Jammy:

For openvpn 2.5.6-2.5.9, major changes include:

Updates:
OpenSSL3 support
Add insecure tls-cert-profile options for openssl 3 SHA1 deprecation
Add --with-openssl-engine autoconf option
pkcs11-helper upgrade to 1.28.4
allow running a default configuration with TLS libraries without BF-CBC
allow optional ciphers in --data-ciphers

CVE Fixes:
CVE-2022-0547

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix $common_name variable passed to scripts when username-as-common-name is in effect
Fix potential memory leaks in add_route() and add_route_ipv6()
Apply connect-retry backoff only to one side of the connection in p2p mode
Repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
Repair handling of EC certificates on Windows with pkcs11-helper
Fix PATH_MAX build failure in auth-pam.c
Fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
Fix overlong path names, leading to missing pkcs11-helper patch in tarball
Fix using --auth-token together with --management-client-auth
Fix clearing of username+password when using --auth-nocache
Ensure that auth-token received from server is cleared if requested by the management interface
Ensure the current common_name is in the environment for scripts
Stop asking for username+password on token expiry on system without credentials
Fix argv leaks in add_route() and add_route_ipv6()
Fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
Fix null pointer error when running openvpn --show-tls with mbedtls
Fix corner case that could lead to leaked file descriptor
Fix parsing issue in pull-filter when there are leading spaces
Fix possible buffer overflow in parse_line argument

Looking through each commit from the release of 2.5.5 to 2.5.9, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, an additional command line option has been added, and some additional inputs have been provided to the user such as insecure tls-cert-profile options and optional ciphers in --data-ciphers.

Full release notes for versions 2.5.6-2.5.9: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Focal:

For openvpn 2.4.8-2.4.12, major changes include:

Updates:
Support compiling with OpenSSL 1.1 without deprecated APIs
Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
Client will now announce the acceptable ciphers to the server (IV_CIPHER=...), so NCP cipher negotiation works better

CVE Fixes:
CVE-2020-11810
CVE-2020-15078

Bug Fixes:
Fix "--mtu-disc maybe|yes"
Fix argv leaks in add_route() and add_route_ipv6()
Ensure the current common_name is in the environment for scripts
Apply connect-retry backoff only to one side of the connection in p2p mode
Fix PIN querying in systemd environments
Fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float").
Fix combination of async push (deferred auth) and NCP
Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
Fix OpenSSL private key passphrase notices
Fix broken fragmentation logic when using NCP
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Fix auth-token not being updated if auth-nocache is set
Fix error detection / abort in --inetd corner case
Fix handling of 'route remote_host' for IPv6 transport case
Fix fatal error at switching remotes
Documentation fixes

Looking through each commit from the release of 2.4.7 to 2.4.12, I found one commit with backwards-incompatible changes, this is:

https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131 - multiple deferred authentication plug-ins no longer work with this commit, luckily this was already added in Focal previously through CVE-2022-0547.patch so no regression should occur by including it.

Full release notes for versions 2.4.8-2.4.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[Test Plan]

DEP-8 Tests:
server-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority
server-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication

Both tests are passing on all architectures, see:
https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-lvoytek-openvpn-mre/
https://autopkgtest.ubuntu.com/results/autopkgtest-focal-lvoytek-openvpn-mre/

[Regression Potential]

Upstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions in Jammy may arise for users due to behavior changes from updates to items such as pkcs11-helper. In Focal, updates in NCP cipher negotiation could lead to regressions there.

See original description

Related branches

~lvoytek/ubuntu/+source/openvpn:MRE-focal-2.4.12
git-ubuntu bot: Approve
Lucas Kanashiro (community): Approve
Canonical Server Reporter: Pending requested
Diff: 15942 lines (+6007/-3189)
107 files modified
.gitignore (+1/-2)
ChangeLog (+184/-0)
Changes.rst (+217/-0)
INSTALL (+93/-58)
Makefile.in (+26/-20)
aclocal.m4 (+25/-23)
build/Makefile.in (+5/-5)
build/msvc/Makefile.in (+5/-5)
build/msvc/msvc-generate/Makefile.in (+5/-5)
compile (+3/-3)
config.guess (+65/-55)
config.h.in (+12/-3)
config.sub (+1192/-1235)
configure (+152/-43)
configure.ac (+27/-25)
debian/changelog (+48/-0)
debian/patches/series (+0/-5)
debian/tests/control (+6/-0)
debian/tests/server-setup-with-ca (+91/-0)
debian/tests/server-setup-with-static-key (+63/-0)
depcomp (+1/-1)
dev/null (+0/-248)
distro/Makefile.am (+1/-1)
distro/Makefile.in (+6/-6)
distro/systemd/Makefile.in (+5/-5)
doc/Makefile.in (+5/-5)
doc/openvpn.8 (+47/-12)
include/Makefile.in (+7/-7)
include/openvpn-plugin.h (+7/-7)
include/openvpn-plugin.h.in (+6/-6)
install-sh (+12/-1)
missing (+1/-1)
sample/Makefile.in (+5/-5)
sample/sample-plugins/defer/simple.c (+300/-98)
sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c (+6/-0)
sample/sample-plugins/log/log.c (+5/-0)
sample/sample-plugins/log/log_v3.c (+5/-0)
sample/sample-plugins/simple/simple.c (+5/-0)
src/Makefile.in (+5/-5)
src/compat/Makefile.in (+5/-5)
src/compat/compat-lz4.c (+1561/-626)
src/compat/compat-lz4.h (+519/-218)
src/openvpn/Makefile.am (+3/-1)
src/openvpn/Makefile.in (+8/-8)
src/openvpn/buffer.c (+0/-1)
src/openvpn/crypto.c (+0/-1)
src/openvpn/crypto_backend.h (+1/-8)
src/openvpn/crypto_mbedtls.c (+1/-6)
src/openvpn/crypto_openssl.c (+1/-7)
src/openvpn/cryptoapi.c (+370/-61)
src/openvpn/forward.c (+4/-1)
src/openvpn/init.c (+32/-7)
src/openvpn/init.h (+1/-1)
src/openvpn/manage.c (+0/-1)
src/openvpn/misc.c (+118/-61)
src/openvpn/misc.h (+16/-1)
src/openvpn/mtcp.c (+1/-1)
src/openvpn/mudp.c (+1/-1)
src/openvpn/multi.c (+37/-22)
src/openvpn/multi.h (+3/-6)
src/openvpn/openssl_compat.h (+12/-0)
src/openvpn/openvpn.c (+1/-1)
src/openvpn/openvpn.h (+1/-0)
src/openvpn/openvpn_win32_resources.rc (+1/-1)
src/openvpn/options.c (+42/-11)
src/openvpn/pkcs11.c (+1/-1)
src/openvpn/plugin.c (+30/-3)
src/openvpn/pool.c (+1/-1)
src/openvpn/proxy.c (+1/-1)
src/openvpn/push.c (+16/-5)
src/openvpn/route.c (+26/-13)
src/openvpn/socket.c (+8/-3)
src/openvpn/socks.c (+10/-3)
src/openvpn/ssl.c (+105/-8)
src/openvpn/ssl.h (+38/-8)
src/openvpn/ssl_common.h (+1/-0)
src/openvpn/ssl_mbedtls.c (+32/-23)
src/openvpn/ssl_mbedtls.h (+2/-2)
src/openvpn/ssl_openssl.c (+82/-35)
src/openvpn/ssl_verify.c (+13/-3)
src/openvpn/ssl_verify_mbedtls.c (+3/-2)
src/openvpn/ssl_verify_openssl.c (+3/-2)
src/openvpn/syshead.h (+1/-1)
src/openvpn/tun.c (+10/-7)
src/openvpn/tun.h (+1/-1)
src/openvpn/win32.c (+9/-6)
src/openvpnserv/Makefile.in (+5/-5)
src/openvpnserv/common.c (+3/-1)
src/openvpnserv/interactive.c (+23/-18)
src/openvpnserv/openvpnserv_resources.rc (+1/-1)
src/plugins/Makefile.in (+5/-5)
src/plugins/auth-pam/Makefile.in (+5/-5)
src/plugins/auth-pam/README.auth-pam (+10/-5)
src/plugins/auth-pam/auth-pam.c (+74/-1)
src/plugins/down-root/Makefile.in (+5/-5)
tests/Makefile.in (+5/-5)
tests/t_lpback.sh (+1/-1)
tests/unit_tests/Makefile.in (+5/-5)
tests/unit_tests/example_test/Makefile.in (+5/-5)
tests/unit_tests/openvpn/Makefile.am (+4/-4)
tests/unit_tests/openvpn/Makefile.in (+9/-9)
tests/unit_tests/openvpn/mock_msg.h (+34/-0)
tests/unit_tests/plugins/Makefile.in (+5/-5)
tests/unit_tests/plugins/auth-pam/Makefile.in (+5/-5)
vendor/Makefile.am (+8/-8)
vendor/Makefile.in (+12/-14)
version.m4 (+2/-2)
~lvoytek/ubuntu/+source/openvpn:MRE-focal-2.4.11
Lucas Kanashiro (community): Needs Fixing
Canonical Server Reporter: Pending requested
Diff: 14721 lines (+5725/-3067)
100 files modified
.gitignore (+1/-2)
ChangeLog (+161/-0)
Changes.rst (+172/-0)
INSTALL (+93/-58)
Makefile.in (+2/-3)
build/Makefile.in (+2/-3)
build/msvc/Makefile.in (+2/-3)
build/msvc/msvc-generate/Makefile.in (+2/-3)
config.guess (+65/-55)
config.h.in (+9/-0)
config.sub (+1192/-1235)
configure (+135/-31)
configure.ac (+26/-18)
debian/changelog (+41/-0)
debian/patches/series (+0/-4)
debian/tests/control (+6/-0)
debian/tests/server-setup-with-ca (+91/-0)
debian/tests/server-setup-with-static-key (+63/-0)
dev/null (+0/-248)
distro/Makefile.am (+1/-1)
distro/Makefile.in (+3/-4)
distro/systemd/Makefile.in (+2/-3)
doc/Makefile.in (+2/-3)
doc/openvpn.8 (+33/-11)
include/Makefile.in (+2/-3)
include/openvpn-plugin.h (+7/-7)
include/openvpn-plugin.h.in (+6/-6)
sample/Makefile.in (+2/-3)
sample/sample-plugins/defer/simple.c (+300/-98)
sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c (+6/-0)
sample/sample-plugins/log/log.c (+5/-0)
sample/sample-plugins/log/log_v3.c (+5/-0)
sample/sample-plugins/simple/simple.c (+5/-0)
src/Makefile.in (+2/-3)
src/compat/Makefile.in (+2/-3)
src/compat/compat-lz4.c (+1561/-626)
src/compat/compat-lz4.h (+519/-218)
src/openvpn/Makefile.am (+3/-1)
src/openvpn/Makefile.in (+5/-6)
src/openvpn/buffer.c (+0/-1)
src/openvpn/crypto.c (+0/-1)
src/openvpn/crypto_backend.h (+1/-8)
src/openvpn/crypto_mbedtls.c (+1/-6)
src/openvpn/crypto_openssl.c (+1/-7)
src/openvpn/cryptoapi.c (+370/-61)
src/openvpn/forward.c (+4/-1)
src/openvpn/init.c (+29/-5)
src/openvpn/init.h (+1/-1)
src/openvpn/manage.c (+0/-1)
src/openvpn/misc.c (+118/-61)
src/openvpn/misc.h (+16/-1)
src/openvpn/mtcp.c (+1/-1)
src/openvpn/mudp.c (+1/-1)
src/openvpn/multi.c (+37/-22)
src/openvpn/multi.h (+3/-6)
src/openvpn/openssl_compat.h (+12/-0)
src/openvpn/openvpn.c (+1/-1)
src/openvpn/openvpn.h (+1/-0)
src/openvpn/openvpn_win32_resources.rc (+1/-1)
src/openvpn/options.c (+42/-11)
src/openvpn/pkcs11.c (+1/-1)
src/openvpn/pool.c (+1/-1)
src/openvpn/proxy.c (+1/-1)
src/openvpn/push.c (+16/-5)
src/openvpn/route.c (+24/-13)
src/openvpn/socket.c (+8/-3)
src/openvpn/socks.c (+10/-3)
src/openvpn/ssl.c (+105/-8)
src/openvpn/ssl.h (+38/-8)
src/openvpn/ssl_common.h (+1/-0)
src/openvpn/ssl_mbedtls.c (+32/-23)
src/openvpn/ssl_mbedtls.h (+2/-2)
src/openvpn/ssl_openssl.c (+82/-35)
src/openvpn/ssl_verify.c (+11/-3)
src/openvpn/ssl_verify_mbedtls.c (+3/-2)
src/openvpn/ssl_verify_openssl.c (+3/-2)
src/openvpn/tun.c (+10/-7)
src/openvpn/tun.h (+1/-1)
src/openvpn/win32.c (+9/-6)
src/openvpnserv/Makefile.in (+2/-3)
src/openvpnserv/common.c (+3/-1)
src/openvpnserv/interactive.c (+23/-18)
src/openvpnserv/openvpnserv_resources.rc (+1/-1)
src/plugins/Makefile.in (+2/-3)
src/plugins/auth-pam/Makefile.in (+2/-3)
src/plugins/auth-pam/README.auth-pam (+10/-5)
src/plugins/auth-pam/auth-pam.c (+74/-1)
src/plugins/down-root/Makefile.in (+2/-3)
tests/Makefile.in (+2/-3)
tests/t_lpback.sh (+1/-1)
tests/unit_tests/Makefile.in (+2/-3)
tests/unit_tests/example_test/Makefile.in (+2/-3)
tests/unit_tests/openvpn/Makefile.am (+4/-4)
tests/unit_tests/openvpn/Makefile.in (+6/-7)
tests/unit_tests/openvpn/mock_msg.h (+34/-0)
tests/unit_tests/plugins/Makefile.in (+2/-3)
tests/unit_tests/plugins/auth-pam/Makefile.in (+2/-3)
vendor/Makefile.am (+8/-8)
vendor/Makefile.in (+9/-12)
version.m4 (+2/-2)
~lvoytek/ubuntu/+source/openvpn:MRE-jammy-2.5.8
git-ubuntu bot: Approve
Bryce Harrington (community): Approve
Canonical Server Reporter: Pending requested
Diff: 31243 lines (+9488/-5774)
305 files modified
.gitignore (+1/-0)
COPYING (+1/-1)
ChangeLog (+110/-1)
Changes.rst (+175/-3)
Makefile.am (+3/-6)
Makefile.in (+14/-15)
PORTS (+1/-1)
aclocal.m4 (+44/-31)
build/Makefile.am (+1/-1)
build/Makefile.in (+6/-6)
build/msvc/Makefile.am (+1/-1)
build/msvc/Makefile.in (+6/-6)
build/msvc/msvc-generate/Makefile.am (+1/-1)
build/msvc/msvc-generate/Makefile.in (+6/-4)
build/msvc/msvc-generate/Makefile.mak (+38/-9)
build/msvc/msvc-generate/msvc-generate.vcxproj (+1/-1)
compile (+1/-1)
config-msvc.h (+2/-0)
config.guess (+854/-586)
config.h.in (+83/-25)
config.sub (+404/-304)
configure (+5478/-3883)
configure.ac (+49/-21)
contrib/vcpkg-ports/pkcs11-helper/0001-nmake-compatibility-with-vcpkg-nmake.patch (+4/-4)
contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch (+33/-0)
contrib/vcpkg-ports/pkcs11-helper/CONTROL (+1/-1)
contrib/vcpkg-ports/pkcs11-helper/portfile.cmake (+5/-5)
contrib/vcpkg-triplets/arm64-windows-ovpn.cmake (+2/-1)
contrib/vcpkg-triplets/x64-windows-ovpn.cmake (+2/-1)
contrib/vcpkg-triplets/x86-windows-ovpn.cmake (+2/-1)
debian/changelog (+36/-0)
debian/patches/series (+0/-10)
depcomp (+1/-1)
dev/null (+0/-30)
distro/Makefile.am (+1/-1)
distro/Makefile.in (+6/-6)
distro/systemd/Makefile.am (+1/-1)
distro/systemd/Makefile.in (+6/-4)
doc/Makefile.am (+16/-6)
doc/Makefile.in (+35/-17)
doc/doxygen/Makefile.in (+5/-3)
doc/man-sections/cipher-negotiation.rst (+96/-0)
doc/man-sections/client-options.rst (+10/-0)
doc/man-sections/generic-options.rst (+12/-0)
doc/man-sections/link-options.rst (+5/-2)
doc/man-sections/plugin-options.rst (+9/-0)
doc/man-sections/tls-options.rst (+6/-0)
doc/openvpn.8 (+50/-2)
doc/openvpn.8.html (+43/-5)
include/Makefile.am (+1/-1)
include/Makefile.in (+6/-6)
include/openvpn-msg.h (+1/-1)
include/openvpn-plugin.h (+2/-2)
include/openvpn-plugin.h.in (+1/-1)
install-sh (+80/-68)
ltmain.sh (+176/-74)
m4/libtool.m4 (+43/-21)
missing (+1/-1)
sample/Makefile.am (+1/-1)
sample/Makefile.in (+6/-4)
sample/sample-keys/gen-sample-keys.sh (+1/-1)
sample/sample-plugins/Makefile (+30/-27)
sample/sample-plugins/Makefile.am (+1/-1)
sample/sample-plugins/Makefile.in (+8/-5)
sample/sample-plugins/Makefile.plugins (+2/-1)
sample/sample-plugins/client-connect/sample-client-connect.c (+1/-1)
sample/sample-plugins/defer/multi-auth.c (+413/-0)
sample/sample-plugins/defer/simple.c (+1/-1)
sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c (+2/-1)
sample/sample-plugins/log/log.c (+1/-1)
sample/sample-plugins/log/log_v3.c (+2/-2)
sample/sample-plugins/simple/base64.c (+1/-1)
sample/sample-plugins/simple/simple.c (+1/-1)
src/Makefile.am (+1/-1)
src/Makefile.in (+6/-6)
src/compat/Makefile.am (+1/-1)
src/compat/Makefile.in (+6/-6)
src/compat/PropertySheet.props (+6/-32)
src/compat/compat-gettimeofday.c (+1/-1)
src/compat/compat-strsep.c (+1/-1)
src/openvpn/Makefile.am (+1/-1)
src/openvpn/Makefile.in (+6/-6)
src/openvpn/argv.c (+1/-1)
src/openvpn/argv.h (+1/-1)
src/openvpn/auth_token.c (+7/-4)
src/openvpn/auth_token.h (+1/-1)
src/openvpn/basic.h (+1/-1)
src/openvpn/block_dns.c (+1/-1)
src/openvpn/block_dns.h (+1/-1)
src/openvpn/buffer.c (+1/-1)
src/openvpn/buffer.h (+1/-1)
src/openvpn/circ_list.h (+1/-1)
src/openvpn/clinat.c (+1/-1)
src/openvpn/clinat.h (+1/-1)
src/openvpn/common.h (+1/-1)
src/openvpn/comp-lz4.c (+2/-2)
src/openvpn/comp-lz4.h (+2/-2)
src/openvpn/comp.c (+1/-1)
src/openvpn/comp.h (+1/-1)
src/openvpn/compstub.c (+1/-1)
src/openvpn/console.c (+2/-2)
src/openvpn/console.h (+2/-2)
src/openvpn/console_builtin.c (+2/-2)
src/openvpn/crypto.c (+1/-1)
src/openvpn/crypto.h (+1/-1)
src/openvpn/crypto_backend.h (+18/-1)
src/openvpn/crypto_mbedtls.c (+14/-1)
src/openvpn/crypto_mbedtls.h (+4/-1)
src/openvpn/crypto_openssl.c (+115/-5)
src/openvpn/crypto_openssl.h (+12/-1)
src/openvpn/dhcp.c (+1/-1)
src/openvpn/dhcp.h (+1/-1)
src/openvpn/env_set.c (+2/-2)
src/openvpn/env_set.h (+1/-1)
src/openvpn/errlevel.h (+1/-1)
src/openvpn/error.c (+26/-8)
src/openvpn/error.h (+30/-11)
src/openvpn/event.c (+1/-1)
src/openvpn/event.h (+1/-1)
src/openvpn/fdmisc.c (+1/-1)
src/openvpn/fdmisc.h (+1/-1)
src/openvpn/forward.c (+9/-2)
src/openvpn/forward.h (+1/-1)
src/openvpn/fragment.c (+1/-1)
src/openvpn/fragment.h (+1/-1)
src/openvpn/gremlin.c (+1/-1)
src/openvpn/gremlin.h (+1/-1)
src/openvpn/helper.c (+1/-1)
src/openvpn/helper.h (+1/-1)
src/openvpn/httpdigest.c (+1/-1)
src/openvpn/httpdigest.h (+1/-1)
src/openvpn/init.c (+31/-22)
src/openvpn/init.h (+1/-1)
src/openvpn/integer.h (+1/-1)
src/openvpn/interval.c (+1/-1)
src/openvpn/interval.h (+1/-1)
src/openvpn/list.c (+1/-1)
src/openvpn/list.h (+1/-1)
src/openvpn/lladdr.c (+2/-1)
src/openvpn/lzo.c (+1/-1)
src/openvpn/lzo.h (+1/-1)
src/openvpn/manage.c (+17/-15)
src/openvpn/manage.h (+1/-1)
src/openvpn/mbuf.c (+1/-1)
src/openvpn/mbuf.h (+1/-1)
src/openvpn/memdbg.h (+1/-1)
src/openvpn/misc.c (+4/-10)
src/openvpn/misc.h (+1/-1)
src/openvpn/mroute.c (+1/-1)
src/openvpn/mroute.h (+1/-1)
src/openvpn/mss.c (+1/-1)
src/openvpn/mss.h (+1/-1)
src/openvpn/mstats.c (+1/-1)
src/openvpn/mstats.h (+1/-1)
src/openvpn/mtcp.c (+1/-1)
src/openvpn/mtcp.h (+1/-1)
src/openvpn/mtu.c (+1/-1)
src/openvpn/mtu.h (+1/-1)
src/openvpn/mudp.c (+1/-1)
src/openvpn/mudp.h (+1/-1)
src/openvpn/multi.c (+1/-1)
src/openvpn/multi.h (+1/-1)
src/openvpn/networking.h (+1/-1)
src/openvpn/networking_iproute2.c (+2/-2)
src/openvpn/networking_iproute2.h (+1/-1)
src/openvpn/networking_sitnl.c (+3/-2)
src/openvpn/networking_sitnl.h (+1/-1)
src/openvpn/occ.c (+1/-1)
src/openvpn/occ.h (+1/-1)
src/openvpn/openssl_compat.h (+1/-1)
src/openvpn/openvpn.c (+32/-6)
src/openvpn/openvpn.h (+2/-2)
src/openvpn/openvpn.vcxproj (+41/-18)
src/openvpn/options.c (+79/-23)
src/openvpn/options.h (+11/-2)
src/openvpn/otime.c (+1/-1)
src/openvpn/otime.h (+1/-1)
src/openvpn/packet_id.c (+1/-1)
src/openvpn/packet_id.h (+1/-1)
src/openvpn/perf.c (+1/-1)
src/openvpn/perf.h (+1/-1)
src/openvpn/pf.c (+1/-1)
src/openvpn/pf.h (+1/-1)
src/openvpn/ping.c (+1/-1)
src/openvpn/ping.h (+1/-1)
src/openvpn/pkcs11.c (+1/-1)
src/openvpn/pkcs11.h (+1/-1)
src/openvpn/pkcs11_backend.h (+1/-1)
src/openvpn/pkcs11_mbedtls.c (+1/-1)
src/openvpn/pkcs11_openssl.c (+1/-1)
src/openvpn/platform.c (+2/-2)
src/openvpn/platform.h (+1/-1)
src/openvpn/plugin.c (+31/-4)
src/openvpn/plugin.h (+1/-1)
src/openvpn/pool.c (+1/-1)
src/openvpn/pool.h (+1/-1)
src/openvpn/proto.c (+1/-1)
src/openvpn/proto.h (+1/-1)
src/openvpn/proxy.c (+1/-1)
src/openvpn/proxy.h (+1/-1)
src/openvpn/ps.c (+1/-1)
src/openvpn/ps.h (+1/-1)
src/openvpn/push.c (+1/-2)
src/openvpn/push.h (+1/-1)
src/openvpn/pushlist.h (+1/-1)
src/openvpn/reliable.c (+1/-1)
src/openvpn/reliable.h (+1/-1)
src/openvpn/ring_buffer.h (+1/-1)
src/openvpn/route.c (+1/-1)
src/openvpn/route.h (+1/-1)
src/openvpn/run_command.c (+1/-1)
src/openvpn/run_command.h (+1/-1)
src/openvpn/schedule.c (+1/-1)
src/openvpn/schedule.h (+1/-1)
src/openvpn/session_id.c (+1/-1)
src/openvpn/session_id.h (+1/-1)
src/openvpn/shaper.c (+1/-1)
src/openvpn/shaper.h (+1/-1)
src/openvpn/sig.c (+1/-1)
src/openvpn/sig.h (+1/-1)
src/openvpn/socket.c (+1/-1)
src/openvpn/socket.h (+1/-1)
src/openvpn/socks.c (+1/-1)
src/openvpn/socks.h (+1/-1)
src/openvpn/ssl.c (+13/-21)
src/openvpn/ssl.h (+5/-7)
src/openvpn/ssl_backend.h (+1/-1)
src/openvpn/ssl_common.h (+1/-1)
src/openvpn/ssl_mbedtls.c (+3/-2)
src/openvpn/ssl_mbedtls.h (+1/-1)
src/openvpn/ssl_ncp.c (+2/-2)
src/openvpn/ssl_ncp.h (+1/-1)
src/openvpn/ssl_openssl.c (+7/-1)
src/openvpn/ssl_openssl.h (+1/-1)
src/openvpn/ssl_verify.c (+9/-2)
src/openvpn/ssl_verify.h (+1/-1)
src/openvpn/ssl_verify_backend.h (+1/-1)
src/openvpn/ssl_verify_mbedtls.c (+1/-1)
src/openvpn/ssl_verify_mbedtls.h (+1/-1)
src/openvpn/ssl_verify_openssl.c (+1/-1)
src/openvpn/ssl_verify_openssl.h (+1/-1)
src/openvpn/status.c (+1/-1)
src/openvpn/status.h (+1/-1)
src/openvpn/syshead.h (+2/-2)
src/openvpn/tls_crypt.c (+2/-1)
src/openvpn/tun.c (+1/-1)
src/openvpn/tun.h (+3/-3)
src/openvpn/vlan.c (+1/-1)
src/openvpn/vlan.h (+1/-1)
src/openvpn/win32.c (+1/-1)
src/openvpn/win32.h (+1/-1)
src/openvpnmsica/Makefile.am (+2/-2)
src/openvpnmsica/Makefile.in (+7/-7)
src/openvpnmsica/dllmain.c (+1/-1)
src/openvpnmsica/msica_arg.c (+1/-1)
src/openvpnmsica/msica_arg.h (+1/-1)
src/openvpnmsica/msiex.c (+1/-1)
src/openvpnmsica/msiex.h (+1/-1)
src/openvpnmsica/openvpnmsica.c (+1/-1)
src/openvpnmsica/openvpnmsica.h (+1/-1)
src/openvpnmsica/openvpnmsica.props (+0/-1)
src/openvpnmsica/openvpnmsica.vcxproj (+48/-0)
src/openvpnmsica/openvpnmsica_resources.rc (+1/-1)
src/openvpnserv/Makefile.am (+1/-1)
src/openvpnserv/Makefile.in (+6/-6)
src/openvpnserv/automatic.c (+1/-1)
src/openvpnserv/common.c (+1/-1)
src/openvpnserv/interactive.c (+1/-1)
src/openvpnserv/openvpnserv.vcxproj (+20/-6)
src/openvpnserv/service.h (+1/-1)
src/openvpnserv/validate.c (+1/-1)
src/openvpnserv/validate.h (+1/-1)
src/plugins/Makefile.am (+1/-1)
src/plugins/Makefile.in (+6/-6)
src/plugins/auth-pam/Makefile.in (+5/-5)
src/plugins/auth-pam/auth-pam.c (+3/-2)
src/plugins/auth-pam/utils.c (+1/-1)
src/plugins/auth-pam/utils.h (+1/-1)
src/plugins/down-root/Makefile.in (+5/-5)
src/plugins/down-root/down-root.c (+1/-1)
src/tapctl/Makefile.am (+2/-2)
src/tapctl/Makefile.in (+7/-7)
src/tapctl/basic.h (+2/-2)
src/tapctl/error.c (+2/-2)
src/tapctl/error.h (+2/-2)
src/tapctl/main.c (+2/-2)
src/tapctl/tap.c (+6/-5)
src/tapctl/tap.h (+1/-1)
src/tapctl/tapctl.vcxproj (+48/-6)
src/tapctl/tapctl_resources.rc (+1/-1)
tests/Makefile.am (+1/-1)
tests/Makefile.in (+6/-6)
tests/t_client.sh (+20/-13)
tests/t_client.sh.in (+19/-12)
tests/t_net.sh (+1/-1)
tests/unit_tests/Makefile.in (+6/-6)
tests/unit_tests/README.md (+40/-0)
tests/unit_tests/engine-key/Makefile.in (+5/-5)
tests/unit_tests/example_test/Makefile.in (+7/-6)
tests/unit_tests/example_test/README.md (+3/-0)
tests/unit_tests/openvpn/Makefile.in (+5/-5)
tests/unit_tests/openvpn/test_ncp.c (+9/-3)
tests/unit_tests/plugins/Makefile.in (+5/-5)
tests/unit_tests/plugins/auth-pam/Makefile.in (+5/-5)
version.m4 (+2/-2)
Lena Voytek (lvoytek)
Changed in openvpn (Ubuntu):
status: New → Fix Released
Changed in openvpn (Ubuntu Focal):
assignee: nobody → Lena Voytek (lvoytek)
Changed in openvpn (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Lena Voytek (lvoytek)
description: updated
Changed in openvpn (Ubuntu Jammy):
status: New → In Progress
Lena Voytek (lvoytek)
description: updated
Lena Voytek (lvoytek)
description: updated
Lena Voytek (lvoytek)
description: updated
Changed in openvpn (Ubuntu Focal):
status: New → In Progress
Lena Voytek (lvoytek)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Lena, or anyone else affected,

Accepted openvpn into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openvpn/2.5.8-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openvpn (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Lena Voytek (lvoytek) wrote : Re: MRE Updates 2.5.8 / 2.4.11

Jammy mp was uploaded early on accident without MRE approval. Marking block-proposed until the MRE at https://wiki.ubuntu.com/OpenVPNUpdates is accepted

tags: added: block-proposed
Revision history for this message
Simon Déziel (sdeziel) wrote :

For what it's worth, upgrading a Jammy client (2.5.5 -> 2.5.8) went well:

$ tail -n5 /var/log/apt/history.log
Start-Date: 2023-05-08 18:49:20
Commandline: apt-get install openvpn
Requested-By: sdeziel (1000)
Upgrade: openvpn:amd64 (2.5.5-1ubuntu3.1, 2.5.8-0ubuntu0.22.04.1)
End-Date: 2023-05-08 18:49:22

My single VPN config works the same as before. It uses TLS 1.3 + tls-crypt + client cert and client username/password.

Lena Voytek (lvoytek)
summary: - MRE Updates 2.5.8 / 2.4.11
+ MRE Updates 2.5.9 / 2.4.12
Lena Voytek (lvoytek)
description: updated
Lena Voytek (lvoytek)
summary: - MRE Updates 2.5.9 / 2.4.12
+ MRE Updates 2.5.8 / 2.4.12
Lena Voytek (lvoytek)
description: updated
Lena Voytek (lvoytek)
summary: - MRE Updates 2.5.8 / 2.4.12
+ MRE Updates 2.5.9 / 2.4.12
description: updated
Lena Voytek (lvoytek)
description: updated
Lena Voytek (lvoytek)
Changed in openvpn (Ubuntu Jammy):
status: Fix Committed → In Progress
Revision history for this message
Steve Langasek (vorlon) wrote :

Lena, based on the history here, is there a reason we don't want to go ahead with releasing 2.5.8 which has been in -proposed for a while and has had some user testing, before moving to 2.5.9?

If the changes in 2.5.9 are safe and appropriate, the subset of changes in 2.5.8 should be safer, right?

Revision history for this message
Lena Voytek (lvoytek) wrote :

There’s no reason not to release 2.5.8 first now that the SRU exception for Jammy specifically has been agreed upon. I can unblock it from proposed now.

Also autopkgtests are still succeeding, and my test install is working as intended. So I’ll mark it as verified to.

tags: added: verification-done verification-done-jammy
removed: block-proposed verification-needed verification-needed-jammy
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I went over the changes in openvpn since 2.5.5 all the way to 2.5.9, and I have concerns over this one in particular, in 2.5.7:

    The OpenSSL engine feature ``--engine`` is not enabled by default
    anymore if OpenSSL 3.0 is detected.

And a quick runtime check of 2.5.5 and 2.5.8 (which we have in jammy-proposed at the moment), shows:

2.5.5 (jammy-updates):
$ sudo openvpn --show-engines
OpenSSL Crypto Engines

Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]

2.5.8 (jammy-proposed):
$ sudo openvpn --show-engines
Sorry, OpenSSL hardware crypto engine functionality is not available.

There is a new configure option that could be used to re-enable engines it seems:

  --with-openssl-engine enable engine support with OpenSSL. Default enabled
                          for OpenSSL < 3.0, auto,yes,no [default=auto]

We are not using it in our d/rules, so the default takes place which disables engines.

Now, AFAIK engines are indeed deprecated (disabled?) in openssl 3, and enabling them again with the option above might be an error.

Furthermore, I'm not sure if engines in 2.5.5 with openssl 3 are even working. We had a similar case with a squid SRU[1], where using engines with openssl 3 was an error, and later was made more explicit that it was disabled.

So I guess the way forward here is to check whether openvpn 2.5.5 (jammy-updates) could be using openssl 3 engines, correctly. If not, then this aspect of the SRU would not introduce a regression per se. If, however, engines were available and usable there, then we have to evaluate pros and cons of disabling it as upstream wants, or enabling it via --with-openssl-engine and test that it keeps working.

There are other items from the release notes that I wanted to check, but since I stumbled on the above one first, I didn't yet. They are, from 2.5.7:

- "fix client-pending-auth error msg to say ERROR instead of SUCCESS". I assume it's just a string change, and not an actual exit status.
- "Translate openssl 3 digest names to openssl 1.1 ones". Would this impact algorithm names used in configuration files and command-line options?

1. https://launchpad.net/ubuntu/+source/squid/5.7-0ubuntu0.22.04.1

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'll mark jammy as incomplete pending this investigation from the previous comment.

Changed in openvpn (Ubuntu Jammy):
status: In Progress → Incomplete
Lena Voytek (lvoytek)
tags: added: block-proposed-jammy
Revision history for this message
Lena Voytek (lvoytek) wrote :

I tested openssl engine compatibility with 3.0 using rdrand and it does seem to work still prior to the update. I also tested the update with --with-openssl-engine=yes though and the original functionality is maintained. I have a ppa for that here:

https://launchpad.net/~lvoytek/+archive/ubuntu/openvpn-allow-engine

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

I'm not sure the rdrand engine is a good test. I was thinking about:

- install the pkcs11 engine: sudo apt install libengine-pkcs11-openssl
- enable it in /etc/ssl/openssl.cnf:
--- /etc/ssl/openssl.cnf.orig 2023-09-25 12:20:32.101311003 +0000
+++ /etc/ssl/openssl.cnf 2023-09-24 15:20:39.949764703 +0000
@@ -53,6 +53,15 @@
 [openssl_init]
 providers = provider_sect
 ssl_conf = ssl_sect
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+MODULE_PATH = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
+init = 0

 # List of providers to load
 [provider_sect]

- confirm it's available:
$ openssl list -engines
Engines:
rdrand
dynamic
pkcs11 <---

- tell openvpn to use it. This is the big one. With the version in jammy currently (2.5.5-1ubuntu3.1), at least pkcs11 is now listed:

$ openvpn --show-engines
OpenSSL Crypto Engines

Intel RDRAND engine [rdrand]
Dynamic engine loading support [dynamic]
pkcs11 engine [pkcs11]

But I don't know yet how to use it. The idea would be to setup an openvpn peer with a certificate for authentication, but using the pkcs11 engine on that side. This involves smart cards, or software emulation of SCs, like done in the libp11 dep8 engine test perhaps. I tried with TPM, but the TPM openssl engine is not working (even found a bug in LP about it), and was deprecated in favor of the TPM provider, which works.

I'll see if I can find some time to try to set this up, but also feel free to start without me :)

Revision history for this message
Andreas Hasenack (ahasenack) wrote (last edit ):

This is the last step in that libp11 dep8 test[1] that we need: generate the certificate request:

echo "With openssl engine, generate a certificate request with the RSA key in the softhsm2 token"
OPENSSL_CONF="${ssl_cnf}" openssl \
    req -engine pkcs11 -new -key "${URI};object=test-key;pin-value=${PIN}" \
    -keyform engine -out ${req_pem} -text -x509 -subj "/${SUBJECT}"

Then we need to go back to the openvpn ca (presumably created with easy-rsa), sign this request, and the resulting signed cert is what has to be used in the openvpn client. And then see what openvpn does with it.

1. https://git.launchpad.net/ubuntu/+source/libp11/tree/debian/tests/engine?h=applied/ubuntu/devel

Revision history for this message
Lena Voytek (lvoytek) wrote :

Alright, added an mp that maintains behavior for openssl engines here:
https://code.launchpad.net/~lvoytek/ubuntu/+source/openvpn/+git/openvpn/+merge/452307

As for the other two commits: I can confirm "fix client-pending-auth error msg to say ERROR instead of SUCCESS" is just a string change that doesn't modify the return value which stays as the value of (*man->persist.callback.client_pending_auth)(man->persist.callback.arg, cid, extra), and is not created dynamically from the string.

"Translate openssl 3 digest names to openssl 1.1 ones" won't cause issues for existing config files as their names are still accepted. If new openssl3 names are used now though they will be accepted as the correct equivalent value using a translation table.

Andreas Hasenack (ahasenack)
Changed in openvpn (Ubuntu Jammy):
status: Incomplete → In Progress
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.