pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15381 | 2014-10-29T00:39:22Z | Chris Buechler (cbuechler@gmail.com)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li></ul>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15632 | 2014-11-11T17:16:34Z | Chris Buechler (cbuechler@gmail.com)
<ul><li><strong>Assignee</strong> set to <i>Ermal Luçi</i></li></ul>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15669 | 2014-11-13T13:17:12Z | Ermal Luçi (eri@pfsense.org)
<p>This seems like an openvpn problem; the openssl lib does not show any problem when used with the openssl binary.</p>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15670 | 2014-11-13T15:15:43Z | Ermal Luçi (eri@pfsense.org)
<p>OpenVPN is using the EVP API, so it loads all available engines, which by default is cryptodev.</p>
<p>There are two problems here.<br />1 - The cryptodev interface is a bit slower than the direct AESNI implementation in userland. (Though openvpn does not give any choice here)<br />2 - The AESNI module is returning an error somewhere.</p>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15689 | 2014-11-14T05:40:11Z | Ermal Luçi (eri@pfsense.org)
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li></ul><p>The issue seems to be that openvpn sets up the crypto before forking.<br />This makes the crypto device unhappy in general, and possibly right to complain.</p>
<p>The following patch fixes it.<br />Should this be committed?</p>
<pre>
root@builder10:/usr/ports/security/openvpn/work/openvpn-2.3.5 # diff -u src/openvpn/init.c ~/init.c
--- src/openvpn/init.c 2014-10-20 10:51:43.000000000 +0200
+++ /root/init.c 2014-11-14 12:40:43.000000000 +0100
@@ -3301,6 +3301,9 @@
init_query_passwords (c);
#endif
+ /* do one-time inits, and possibily become a daemon here */
+ do_init_first_time (c);
+
/* initialize context level 2 --verb/--mute parms */
init_verb_mute (c, IVM_LEVEL_2);
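Review bot: The comment that moves with do_init_first_time (c) only says what the call does, not why it now has to sit directly after init_query_passwords (c). Since the reason for the move is that crypto must not be set up before the fork, say so in the comment (for example "must run before any crypto setup; engine state does not survive the fork") so a later reordering does not reintroduce the crash, and fix the "possibily" typo while the line is being touched. Keeping init_query_passwords (c) ahead of the call looks right, because the comment says this is where the process may become a daemon.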
@@ -3423,8 +3426,6 @@
if (c->mode == CM_P2P)
do_init_traffic_shaper (c);
- /* do one-time inits, and possibily become a daemon here */
- do_init_first_time (c);
#ifdef ENABLE_PLUGIN
/* initialize plugins */
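Review bot: Removing the call after do_init_traffic_shaper (c) means every step between the new call site (around line 3304) and this one, including init_verb_mute (c, IVM_LEVEL_2) and the CM_P2P traffic shaper init, now runs after the one-time inits and after the process may have become a daemon. Please confirm none of those steps relies on running before do_init_first_time (c), and state that check in the patch description, which is currently missing because this is a bare diff against ~/init.c.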
</pre>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15691 | 2014-11-14T07:27:57Z | Ermal Luçi (eri@pfsense.org)
<p>Patch integrated on pfPorts and can be tested on the next snapshots.</p>
<p>Also reported on <a class="external" href="https://community.openvpn.net/openvpn/ticket/480#ticket">https://community.openvpn.net/openvpn/ticket/480#ticket</a></p>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15694 | 2014-11-14T08:11:12Z | Renato Botelho (renato@netgate.com)
<p>Also submitted to the FreeBSD ports tree; if accepted, pfPort can be removed - <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004</a></p>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15717 | 2014-11-16T16:23:32Z | Chris Buechler (cbuechler@gmail.com)
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>fixed</p>
pfSense - Bug #3966: OpenVPN crashes with AES-NI + AES-CBC | https://redmine.pfsense.org/issues/3966?journal_id=15798 | 2014-11-19T23:34:06Z | Jason Ross (binaryjay@gmail.com)
<p>I can confirm that enabling AES-NI and instructing the OpenVPN client to use AES-128CBC seems to work perfectly as of 2.2-BETA (amd64)<br />built on Wed Nov 19 15:33:34 CST 2014 on Intel Haswell.</p>