Project

General

Profile

Actions

Bug #3966

closed

OpenVPN crashes with AES-NI + AES-CBC

Added by Chris Buechler about 10 years ago. Updated about 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
OpenVPN
Target version:
Start date:
10/29/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

On systems with AES-NI enabled, OpenVPN using AES-128-CBC, AES-192-CBC, and AES-256-CBC crashes on start.

openvpn[43547]: Assertion failed at crypto.c:168
openvpn[43547]: Exiting due to fatal error

test case on 172.27.32.125, see OpenVPN client instance there.

It works using BF-CBC and no encryption.

Related forum thread, I confirmed on the above system.
https://forum.pfsense.org/index.php?topic=83466.0

Actions #1

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Confirmed
Actions #2

Updated by Chris Buechler about 10 years ago

  • Assignee set to Ermal Luçi
Actions #3

Updated by Ermal Luçi about 10 years ago

This seems like an openvpn problem, openssl lib does not show any problem when used with the openssl binary.

Actions #4

Updated by Ermal Luçi about 10 years ago

OpenVPN is using EVP API so it loads all available engines which by default is cryptodev.

There are two problems here.
1 - The cryptodev interface is a bit slower than direct AESNI implementation in userland. (Though openvpn does not give any choice here)
2 - AESNI module is returning an error somewhere.

Actions #5

Updated by Ermal Luçi about 10 years ago

  • Status changed from Confirmed to Feedback

The issue seems to be that openvpn setups the crypto before forking.
This makes crypto device unhappy in general and possible right to complain.

The following patch fixes it.
Should this be commited?

root@builder10:/usr/ports/security/openvpn/work/openvpn-2.3.5 # diff -u src/openvpn/init.c ~/init.c
--- src/openvpn/init.c  2014-10-20 10:51:43.000000000 +0200
+++ /root/init.c        2014-11-14 12:40:43.000000000 +0100
@@ -3301,6 +3301,9 @@
     init_query_passwords (c);
 #endif

+  /* do one-time inits, and possibily become a daemon here */
+  do_init_first_time (c);
+
   /* initialize context level 2 --verb/--mute parms */
   init_verb_mute (c, IVM_LEVEL_2);

@@ -3423,8 +3426,6 @@
   if (c->mode == CM_P2P)
     do_init_traffic_shaper (c);

-  /* do one-time inits, and possibily become a daemon here */
-  do_init_first_time (c);

 #ifdef ENABLE_PLUGIN
   /* initialize plugins */
Actions #6

Updated by Ermal Luçi about 10 years ago

Patch integrated on pfPorts and can be tested on next coming snapshots.

Also reported on https://community.openvpn.net/openvpn/ticket/480#ticket

Actions #7

Updated by Renato Botelho about 10 years ago

Also submitted to FreeBSD ports tree, if accepted, pfPort can be removed - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004

Actions #8

Updated by Chris Buechler about 10 years ago

  • Status changed from Feedback to Resolved

fixed

Actions #9

Updated by Jason Ross about 10 years ago

I can confirm that enabling AES-NI and instructing OpenVPN client to use AES-128CBC seems to work perfectly as of 2.2-BETA (amd64)
built on Wed Nov 19 15:33:34 CST 2014 on Intel Haswell.

Actions

Also available in: Atom PDF