Project

General

Profile

Actions
Copy link

Bug #3966

closed

OpenVPN crashes with AES-NI + AES-CBC

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
OpenVPN
Target version:
2.2
Start date:
10/29/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

On systems with AES-NI enabled, OpenVPN using AES-128-CBC, AES-192-CBC, and AES-256-CBC crashes on start.

openvpn[43547]: Assertion failed at crypto.c:168
openvpn[43547]: Exiting due to fatal error

test case on 172.27.32.125, see OpenVPN client instance there.

It works using BF-CBC and no encryption.

Related forum thread, I confirmed on the above system.
https://forum.pfsense.org/index.php?topic=83466.0

Actions
Copy link
 #1

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Confirmed
Actions
Copy link
 #2

Updated by Chris Buechler over 9 years ago

  • Assignee set to Ermal Luçi
Actions
Copy link
 #3

Updated by Ermal Luçi over 9 years ago

This seems like an openvpn problem, openssl lib does not show any problem when used with the openssl binary.

Actions
Copy link
 #4

Updated by Ermal Luçi over 9 years ago

OpenVPN is using EVP API so it loads all available engines which by default is cryptodev.

There are two problems here.
1 - The cryptodev interface is a bit slower than direct AESNI implementation in userland. (Though openvpn does not give any choice here)
2 - AESNI module is returning an error somewhere.

Actions
Copy link
 #5

Updated by Ermal Luçi over 9 years ago

  • Status changed from Confirmed to Feedback

The issue seems to be that openvpn setups the crypto before forking.
This makes crypto device unhappy in general and possible right to complain.

The following patch fixes it.
Should this be commited?

root@builder10:/usr/ports/security/openvpn/work/openvpn-2.3.5 # diff -u src/openvpn/init.c ~/init.c
--- src/openvpn/init.c  2014-10-20 10:51:43.000000000 +0200
+++ /root/init.c        2014-11-14 12:40:43.000000000 +0100
@@ -3301,6 +3301,9 @@
     init_query_passwords (c);
 #endif

+  /* do one-time inits, and possibily become a daemon here */
+  do_init_first_time (c);
+
   /* initialize context level 2 --verb/--mute parms */
   init_verb_mute (c, IVM_LEVEL_2);

@@ -3423,8 +3426,6 @@
   if (c->mode == CM_P2P)
     do_init_traffic_shaper (c);

-  /* do one-time inits, and possibily become a daemon here */
-  do_init_first_time (c);

 #ifdef ENABLE_PLUGIN
   /* initialize plugins */
Actions
Copy link
 #6

Updated by Ermal Luçi over 9 years ago

Patch integrated on pfPorts and can be tested on next coming snapshots.

Also reported on https://community.openvpn.net/openvpn/ticket/480#ticket

Actions
Copy link
 #7

Updated by Renato Botelho over 9 years ago

Also submitted to FreeBSD ports tree, if accepted, pfPort can be removed - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004

Actions
Copy link
 #8

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

fixed

Actions
Copy link
 #9

Updated by Jason Ross over 9 years ago

I can confirm that enabling AES-NI and instructing OpenVPN client to use AES-128CBC seems to work perfectly as of 2.2-BETA (amd64)
built on Wed Nov 19 15:33:34 CST 2014 on Intel Haswell.

Actions
Copy link

Also available in: Atom PDF