    OpenVPN + AESNI + AES-CBC causes crash

    • J
      jeffbearer last edited by

      I just upgraded from 2.1.5. to pfSense-Full-Update-2.2-BETA-amd64-20141017-1127.tgz

      I'm using a system that has atom processors with aesni instructions and I have the aesni option enabled in system_advanced_misc.php.

      Openvpn throws a fatal error and crashes if I use any of the following: AES-128-CBC, AES-192-CBC, and AES-256-CBC.  But it works if I use BF-CBC or no encryption.

      The error is:
      openvpn[43547]: Assertion failed at crypto.c:168
      openvpn[43547]: Exiting due to fatal error

      However, I'm able to run a crypto test which succeeds:  openvpn --test-crypto --secret secret.key --cipher AES-256-CBC

      If I turn off the aesni option in system_advanced_misc.php, reboot, and try an AES CBC cipher like AES-256-CBC,  it works as expected, but without any hardware encryption of course.

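To spot this failure in collected logs, the following added example (not from the thread, pfSense or OpenVPN) pairs each "Assertion failed" line with the "Exiting due to fatal error" line from the same OpenVPN PID and reports the last data-channel cipher that PID logged. The function name, the sample lines and PID 50001 are constructed for illustration.

```python
import re

# Matches lines with or without a syslog timestamp prefix.
LINE = re.compile(r"openvpn\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
ASSERTION = re.compile(r"Assertion failed at (?P<where>[\w.]+:\d+)")
CIPHER = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '(?P<name>[^']+)' initialized")
FATAL = "Exiting due to fatal error"


def find_assertion_crashes(lines, newest_first=False):
    """Return one record per OpenVPN process that asserted and then exited."""
    if newest_first:  # some log views list the newest entry first; restore time order
        lines = list(reversed(lines))
    state = {}    # pid -> {"cipher": last cipher seen, "assertion": pending assertion}
    crashes = []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        st = state.setdefault(pid, {"cipher": None, "assertion": None})
        if (c := CIPHER.search(msg)):
            st["cipher"] = c["name"]
        elif (a := ASSERTION.search(msg)):
            st["assertion"] = a["where"]
        elif FATAL in msg and st["assertion"]:
            crashes.append({"pid": pid, "assertion": st["assertion"], "cipher": st["cipher"]})
            st["assertion"] = None
    return crashes


# Constructed sample, oldest first. PID 50001 and its lines are made up; whether a
# cipher line is logged before the assertion on an affected build is an assumption.
SAMPLE_LOG = [
    "Oct 29 20:26:14 openvpn[71118]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "Oct 29 20:26:14 openvpn[71118]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "openvpn[43547]: Assertion failed at crypto.c:168",
    "openvpn[43547]: Exiting due to fatal error",
    "Oct 30 09:00:01 openvpn[50001]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key",
    "Oct 30 09:00:02 openvpn[50001]: Assertion failed at crypto.c:168",
    "Oct 30 09:00:02 openvpn[50001]: Exiting due to fatal error",
]

if __name__ == "__main__":
    for crash in find_assertion_crashes(SAMPLE_LOG):
        print(crash)
```

Pass newest_first=True when the lines come from a view that lists the most recent entry first.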
      • C
        cmb last edited by

        confirmed, thanks for the report.
        https://redmine.pfsense.org/issues/3966

        • E
          eri-- last edited by

          Are you by any chance using cryptodev as acceleration engine?

          • W
            Wolf666 last edited by

            I am on
            2.2-BETA (amd64)
            built on Tue Oct 28 15:34:19 CDT 2014

            I am running OpenVPN Client (BSD Cryptodev enabled):

            Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: Client disconnected
            Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: CMD 'status 2'
            Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: CMD 'state 1'
            Oct 29 20:55:15 openvpn[71118]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
            Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: Client disconnected
            Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: CMD 'status 2'
            Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: CMD 'state 1'
            Oct 29 20:50:14 openvpn[71118]: MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
            Oct 29 20:26:14 openvpn[71118]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
            Oct 29 20:26:14 openvpn[71118]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
            Oct 29 20:26:14 openvpn[71118]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
            Oct 29 20:26:14 openvpn[71118]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
            Oct 29 20:26:14 openvpn[71118]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

            My unit is based on Supermicro ASRi-2558, AES-NI enabled and working, no crash reported.

            Modem Draytek Vigor 130
            pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
            Switch Cisco SG350-10
            AP Netgear R7000 (Stock FW)
            HTPC Intel NUC5i3RYH
            NAS Synology DS1515+
            NAS Synology DS213+

            • J
              jeffbearer last edited by

              In the vpn client settings I tried with both cryptodev and none.  I was unable to get any of the ciphers that AESNI supports to work until I disabled the AES NI in the advanced settings.

              If I did BF-CBC or AES-256-HMAC-SHA1 those didn't crash the client when AESNI was enabled.

              I'm running on very similar hardware to the previous post.
              Supermicro A1SAi-2750F

              • E
                eri-- last edited by

                @jeffbearer:

                In the vpn client settings I tried with both cryptodev and none.  I was unable to get any of the ciphers that AESNI supports to work until I disabled the AES NI in the advanced settings.

                If I did BF-CBC or AES-256-HMAC-SHA1 those didn't crash the client when AESNI was enabled.

                I'm running on very similar hardware to the previous post.
                Supermicro A1SAi-2750F

                I am unsure what you mean here.
                If you disable cryptodev, openssl will use its own aesni implementation module.
                It will use the kernel version only if it's using cryptodev afaik.

                • J
                  jeffbearer last edited by

                  I'm sorry, what I was trying to say is that in the client config for Hardware Crypto I tried two options from the pulldown:
                  "No hardware crypto acceleration" AND "BSD Cryptodev Engine". They both caused crashes in openvpn when using any of the AES ciphers listed to the right of "BSD Cryptodev Engine", as long as I had AES-NI enabled under system_advanced_misc.php

                  • C
                    cmb last edited by

                    With AESNI enabled in system_advanced_misc.php, same deal as Jeff mentioned on the test system I noted in the ticket, Ermal. Doesn't matter what OpenVPN's crypto hardware config is, it crashes the same way.

                    • D
                      Douglas Haber last edited by

                      @jeffbearer:

                      I just upgraded from 2.1.5. to pfSense-Full-Update-2.2-BETA-amd64-20141017-1127.tgz

                      I'm using a system that has atom processors with aesni instructions and I have the aesni option enabled in system_advanced_misc.php.

                      Openvpn throws a fatal error and crashes if I use any of the following: AES-128-CBC, AES-192-CBC, and AES-256-CBC.  But it works if I use BF-CBC or no encryption.

                      The error is:
                      openvpn[43547]: Assertion failed at crypto.c:168
                      openvpn[43547]: Exiting due to fatal error

                      However, I'm able to run a crypto test which succeeds:  openvpn --test-crypto --secret secret.key --cipher AES-256-CBC

                      If I turn off the aesni option in system_advanced_misc.php, reboot, and try an AES CBC cipher like AES-256-CBC,  it works as expected, but without any hardware encryption of course.

                      I ran into the same thing. Definitely a bug.

                      • C
                        cmb last edited by

                        It was confirmed fixed a couple days ago.
