Bug 195004 - [PATCH] security/openvpn: Fix openvpn with aesni.ko loaded
Summary: [PATCH] security/openvpn: Fix openvpn with aesni.ko loaded
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Matthias Andree
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-14 13:59 UTC by Renato Botelho
Modified: 2015-05-04 23:41 UTC (History)
4 users

See Also:


Attachments
Backport fix for openvpn with aesni.ko loaded (1.57 KB, patch)
2014-11-14 13:59 UTC, Renato Botelho

Description Renato Botelho freebsd_committer 2014-11-14 13:59:05 UTC
Created attachment 149397
Backport fix for openvpn with aesni.ko loaded

The issue is referenced here:

https://community.openvpn.net/openvpn/ticket/480#ticket

and here:

https://redmine.pfsense.org/issues/3966

Whenever aesni.ko module is loaded, openvpn doesn't work. Patch was sent to upstream but it would be good to have it available on ports.
Comment 1 Bugzilla Automation freebsd_committer 2014-11-14 13:59:05 UTC
Auto-assigned to maintainer mandree@FreeBSD.org
Comment 2 Matthias Andree freebsd_committer 2014-11-18 22:52:11 UTC
I just forwarded this to the openvpn-devel mailing list because there does not seem to be relevant traffic on that topic, nor relevant Git commits on master nor release/2.3; however, the sourceforge.net site is currently and "temporarily" in static maintenance mode, so I expect delays.  https://twitter.com/sfnet_ops
Comment 3 Matthias Andree freebsd_committer 2014-12-13 19:31:37 UTC
Please watch https://community.openvpn.net/openvpn/ticket/480 for the interim progress.
Comment 4 Matthias Andree freebsd_committer 2015-03-29 09:31:01 UTC
There is a patch against the upstream OpenVPN code, because yours seems to have caused some concern and issues.

Renato, could you give that patch a spin and see if it works for you, too, without breaking too many other things?  It's listed between comments #7 and #8 on https://community.openvpn.net/openvpn/ticket/480#comment:7
Comment 5 Renato Botelho freebsd_committer 2015-03-30 17:29:38 UTC
(In reply to Matthias Andree from comment #4)

Ermal is going to test it ASAP.
Comment 6 commit-hook freebsd_committer 2015-03-30 18:37:58 UTC
A commit references this bug:

Author: mandree
Date: Mon Mar 30 18:37:25 UTC 2015
New revision: 382705
URL: https://svnweb.freebsd.org/changeset/ports/382705

Log:
  Add an experimental patch for bug #195004.
  Needs to be enabled through a port option.

  PR: 195004

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
Comment 7 Renato Botelho freebsd_committer 2015-04-02 15:36:24 UTC
Patch doesn't work; I updated the openvpn ticket.
Comment 8 Matthias Andree freebsd_committer 2015-04-02 15:51:30 UTC
Thank you! We'll see what we get from the OpenVPN developers.
Comment 9 Steffan Karger 2015-04-04 09:49:54 UTC
Hi, OpenVPN developer (without decent FreeBSD experience) here.

I wanted to mention that I think it is a bug that OpenSSL on FreeBSD by default prefers AES-NI through cryptodev over user-land AES-NI. Going through cryptodev is slower and arguably less secure than using AES-NI directly (using cryptodev increases the attack surface). Now, I'm not familiar with the platform, nor with the bug reporting procedures, so could any of you perhaps evaluate whether you agree with me, and in that case create a ticket to fix that behaviour?

(I realize the openvpn issue is broader than AES-NI through cryptodev, so I will keep looking for a proper fix for the openvpn issue. I'll use the openvpn bugtracker to keep track of that.)
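Comment 9 ties the breakage to the combination of the aesni.ko kernel module and OpenSSL's cryptodev engine. The following is an added example, not code from the bug report, the FreeBSD port or the OpenVPN project: a small POSIX sh check that reads kldstat(8) and `openssl engine` output and reports whether that combination is present on a host, which is the first thing an operator would want to know before deciding whether this bug applies. The sample outputs embedded below are constructed to look like real command output; on a FreeBSD host the functions would be fed the live output instead.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the aesni.ko + cryptodev
# engine combination discussed in the thread from command output.
# The SAMPLE_* strings are constructed; live usage is shown at the bottom.

# Return 0 if kernel module "$2" appears in the kldstat(8) output passed as "$1".
# kldstat prints "Id Refs Address Size Name", so the module name is field 5.
kld_loaded() {
    printf '%s\n' "$1" | awk -v mod="$2" '$5 == mod { found = 1 } END { exit !found }'
}

# Return 0 if OpenSSL engine "$2" appears in the "openssl engine" output passed
# as "$1". Each engine is listed as "(name) description".
engine_listed() {
    printf '%s\n' "$1" | grep -q "^($2)"
}

# Classify a host from the two outputs. Prints:
#   risky - aesni.ko is loaded and the cryptodev engine is available,
#           i.e. the situation the reporter describes
#   ok    - anything else
check_openvpn_crypto() {
    kld="$1"
    eng="$2"
    if kld_loaded "$kld" aesni.ko && engine_listed "$eng" cryptodev; then
        echo risky
    else
        echo ok
    fi
}

# Constructed sample output, shaped like kldstat(8) on a host with aesni.ko
# and cryptodev.ko loaded.
SAMPLE_KLDSTAT='Id Refs Address            Size     Name
 1   12 0xffffffff80200000 1f0e8b8  kernel
 2    1 0xffffffff82211000 5a68     aesni.ko
 3    1 0xffffffff82217000 2f58     cryptodev.ko'

# Constructed sample output, shaped like "openssl engine" with cryptodev present.
SAMPLE_ENGINES='(cryptodev) BSD cryptodev engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support'

# Constructed sample output for a host without the module loaded.
SAMPLE_KLDSTAT_CLEAN='Id Refs Address            Size     Name
 1   10 0xffffffff80200000 1f0e8b8  kernel'

# Live usage on a FreeBSD host would be:
#   check_openvpn_crypto "$(kldstat)" "$(openssl engine)"
check_openvpn_crypto "$SAMPLE_KLDSTAT" "$SAMPLE_ENGINES"
check_openvpn_crypto "$SAMPLE_KLDSTAT_CLEAN" "$SAMPLE_ENGINES"
```

The check only reports presence of the combination; whether OpenSSL actually routes AES through cryptodev on a given host still depends on the OpenSSL build and configuration, which is the behaviour Comment 9 asks FreeBSD to evaluate.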
Comment 10 Matthias Andree freebsd_committer 2015-04-07 16:27:57 UTC
There is a new v2 of the patch on the OpenVPN tracker, 
https://community.openvpn.net/openvpn/raw-attachment/ticket/480/150406-Reload-OpenSSL-engines-after-forking-v2.patch

Please try it and report back.
Comment 11 commit-hook freebsd_committer 2015-05-04 23:08:37 UTC
A commit references this bug:

Author: mandree
Date: Mon May  4 23:08:06 UTC 2015
New revision: 385432
URL: https://svnweb.freebsd.org/changeset/ports/385432

Log:
  + Update patch set for crypto engine fix [1].
    Change option name so it is presented anew, default disabled.

  + Add openvpn-client wrapper script and up/down scripts to trigger
    resolvconf, with minor edits. [2]

  + Set proper PLUGIN_LIBDIR so that plugins in the default directory can
    be found with relative paths.

  + Compile shipped plugins with -fPIC.

  PR:		195004 [1]
  PR:		199529 [2]
  Submitted by:	yuri@rawbw.com [2]
  Obtained from:	https://community.openvpn.net/openvpn/ticket/480#comment:21

Changes:
  head/security/openvpn/Makefile
  head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
  head/security/openvpn/files/EF1.patch
  head/security/openvpn/files/EF2.patch
  head/security/openvpn/files/EF3.patch
  head/security/openvpn/files/openvpn-client.in
  head/security/openvpn/files/patch-sample__sample-config-files__loopback-client
  head/security/openvpn/files/patch-sample__sample-config-files__loopback-server
  head/security/openvpn/files/patch-tests__t_cltsrv.sh
  head/security/openvpn/files/pkg-message.in
  head/security/openvpn/pkg-plist
Comment 12 Matthias Andree freebsd_committer 2015-05-04 23:14:52 UTC
Renato, can you please check (or have checked) that this works?
Comment 13 Matthias Andree freebsd_committer 2015-05-04 23:41:16 UTC
Fixed per https://community.openvpn.net/openvpn/ticket/480#comment:26