OpenVPN + AESNI + AES-CBC causes crash



  • I just upgraded from 2.1.5 to pfSense-Full-Update-2.2-BETA-amd64-20141017-1127.tgz

    I'm using a system that has Atom processors with aesni instructions, and I have the aesni option enabled in system_advanced_misc.php.

    OpenVPN throws a fatal error and crashes if I use the following: AES-128-CBC, AES-192-CBC, and AES-256-CBC. But it works if I use BF-CBC or no encryption.

    The error is:
    openvpn[43547]: Assertion failed at crypto.c:168
    openvpn[43547]: Exiting due to fatal error

    However, I'm able to run a crypto test which succeeds: openvpn --test-crypto --secret secret.key --cipher AES-256-CBC

    If I turn off the aesni option in system_advanced_misc.php, reboot, and try an AES CBC cipher like AES-256-CBC, it works as expected, but without any hardware encryption of course.



  • Confirmed, thanks for the report.
    https://redmine.pfsense.org/issues/3966



  • Are you by any chance using cryptodev as acceleration engine?



  • I am on
    2.2-BETA (amd64)
    built on Tue Oct 28 15:34:19 CDT 2014

    I am running OpenVPN Client (BSD Cryptodev enabled):

    Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: Client disconnected
    Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: CMD 'status 2'
    Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: CMD 'state 1'
    Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: Client disconnected
    Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: CMD 'status 2'
    Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: CMD 'state 1'
    Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Oct 29 20:26:14 openvpn[71118]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
    Oct 29 20:26:14 openvpn[71118]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 20:26:14 openvpn[71118]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Oct 29 20:26:14 openvpn[71118]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Oct 29 20:26:14 openvpn[71118]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

    My unit is based on Supermicro ASRi-2558, AES-NI enabled and working, no crash reported.



  • In the vpn client settings I tried with both cryptodev and none.  I was unable to get any of the ciphers that AESNI supports to work until I disabled the AES NI in the advanced settings.

    If I did BF-CBC or AES-256-HMAC-SHA1 those didn't crash the client when AESNI was enabled.

    I'm running on very similar hardware to the previous post.
    Supermicro A1SAi-2750F



  • @jeffbearer:

    In the vpn client settings I tried with both cryptodev and none.  I was unable to get any of the ciphers that AESNI supports to work until I disabled the AES NI in the advanced settings.

    If I did BF-CBC or AES-256-HMAC-SHA1 those didn't crash the client when AESNI was enabled.

    I'm running on very similar hardware to the previous post.
    Supermicro A1SAi-2750F

    I am unsure what you mean here.
    If you disable cryptodev, openssl will use its own aesni implementation module.
    It will use the kernel version only if it's using cryptodev afaik.



  • I'm sorry, what I was trying to say is that in the client config for Hardware Crypto I tried two options from the pulldown:
    "No hardware crypto acceleration" AND "BSD Cryptodev Engine". They both caused crashes in openvpn when using any of the AES ciphers listed to the right of "BSD Cryptodev Engine", as long as I had AES-NI enabled under system_advanced_misc.php



  • With AESNI enabled in system_advanced_misc.php, same deal as Jeff mentioned on the test system I noted in the ticket, Ermal. Doesn't matter what OpenVPN's crypto hardware config is, it crashes the same way.



  • @jeffbearer:

    I just upgraded from 2.1.5 to pfSense-Full-Update-2.2-BETA-amd64-20141017-1127.tgz

    I'm using a system that has Atom processors with aesni instructions, and I have the aesni option enabled in system_advanced_misc.php.

    OpenVPN throws a fatal error and crashes if I use the following: AES-128-CBC, AES-192-CBC, and AES-256-CBC. But it works if I use BF-CBC or no encryption.

    The error is:
    openvpn[43547]: Assertion failed at crypto.c:168
    openvpn[43547]: Exiting due to fatal error

    However, I'm able to run a crypto test which succeeds: openvpn --test-crypto --secret secret.key --cipher AES-256-CBC

    If I turn off the aesni option in system_advanced_misc.php, reboot, and try an AES CBC cipher like AES-256-CBC, it works as expected, but without any hardware encryption of course.

    I ran into the same thing. Definitely a bug.



  • It was confirmed fixed a couple of days ago.