Bug #3966: OpenVPN crashes with AES-NI + AES-CBC - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #3966

closed

OpenVPN crashes with AES-NI + AES-CBC

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Ermal Luçi

Category:

OpenVPN

Target version:

2.2

Start date:

10/29/2014

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.2

Affected Architecture:

Description

On systems with AES-NI enabled, OpenVPN using AES-128-CBC, AES-192-CBC, and AES-256-CBC crashes on start.

openvpn[43547]: Assertion failed at crypto.c:168
openvpn[43547]: Exiting due to fatal error

test case on 172.27.32.125, see OpenVPN client instance there.

It works using BF-CBC and no encryption.

Related forum thread, I confirmed on the above system.
https://forum.pfsense.org/index.php?topic=83466.0

History
Notes
Property changes

Actions

Copy link

Updated by Chris Buechler over 9 years ago

Status changed from New to Confirmed

Actions

Copy link

Updated by Chris Buechler over 9 years ago

Assignee set to Ermal Luçi

Actions

Copy link

Updated by Ermal Luçi over 9 years ago

This seems like an openvpn problem, openssl lib does not show any problem when used with the openssl binary.

Actions

Copy link

Updated by Ermal Luçi over 9 years ago

OpenVPN is using EVP API so it loads all available engines which by default is cryptodev.

There are two problems here.
1 - The cryptodev interface is a bit slower than direct AESNI implementation in userland. (Though openvpn does not give any choice here)
2 - AESNI module is returning an error somewhere.

Actions

Copy link

Updated by Ermal Luçi over 9 years ago

Status changed from Confirmed to Feedback

The issue seems to be that openvpn setups the crypto before forking.
This makes crypto device unhappy in general and possible right to complain.

The following patch fixes it.
Should this be commited?

root@builder10:/usr/ports/security/openvpn/work/openvpn-2.3.5 # diff -u src/openvpn/init.c ~/init.c
--- src/openvpn/init.c  2014-10-20 10:51:43.000000000 +0200
+++ /root/init.c        2014-11-14 12:40:43.000000000 +0100
@@ -3301,6 +3301,9 @@
     init_query_passwords (c);
 #endif

+  /* do one-time inits, and possibily become a daemon here */
+  do_init_first_time (c);
+
   /* initialize context level 2 --verb/--mute parms */
   init_verb_mute (c, IVM_LEVEL_2);

@@ -3423,8 +3426,6 @@
   if (c->mode == CM_P2P)
     do_init_traffic_shaper (c);

-  /* do one-time inits, and possibily become a daemon here */
-  do_init_first_time (c);

 #ifdef ENABLE_PLUGIN
   /* initialize plugins */

Actions

Copy link

Updated by Ermal Luçi over 9 years ago

Patch integrated on pfPorts and can be tested on next coming snapshots.

Also reported on https://community.openvpn.net/openvpn/ticket/480#ticket

Actions

Copy link

Updated by Renato Botelho over 9 years ago

Also submitted to FreeBSD ports tree, if accepted, pfPort can be removed - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195004

Actions

Copy link

Updated by Chris Buechler over 9 years ago

Status changed from Feedback to Resolved

fixed

Actions

Copy link

Updated by Jason Ross over 9 years ago

I can confirm that enabling AES-NI and instructing OpenVPN client to use AES-128CBC seems to work perfectly as of 2.2-BETA (amd64)
built on Wed Nov 19 15:33:34 CST 2014 on Intel Haswell.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #3966

OpenVPN crashes with AES-NI + AES-CBC

Updated by Chris Buechler over 9 years ago

Updated by Chris Buechler over 9 years ago

Updated by Ermal Luçi over 9 years ago

Updated by Ermal Luçi over 9 years ago

Updated by Ermal Luçi over 9 years ago

Updated by Ermal Luçi over 9 years ago

Updated by Renato Botelho over 9 years ago

Updated by Chris Buechler over 9 years ago

Updated by Jason Ross over 9 years ago