cipher none causes "Assertion failed at crypto_openssl.c:523"

[deviantintegral]

I'm using OpenVPN on Ubuntu 12.04, using the OpenVPN repository.

After upgrading to 2.3.5, using "cipher none" throws an assertion the VPN fails to start. Downgrading to OpenVPN 2.3.4 fixes the issue. See the attached log for details.

[deviantintegral]

OpenVPN assertion with cipher none

[Steffan Karger]

Sorry for that. I sent a patch to the mailinglist to fix it:
​http://article.gmane.org/gmane.network.openvpn.devel/9216

Also attached the patch file to this ticket.

[Steffan Karger]

The fix has been applied to the release/2.3 and master branches, and will be included in the next release:
​https://github.com/OpenVPN/openvpn/commit/4429456 (release/2.3)
​https://github.com/OpenVPN/openvpn/commit/4e93e6d (master)

[sven-ola]

Additional fix needed on running server with Cypto=NONO

[sven-ola]

With a running Openvpn instance using Crypto=NONE for speed reasons, the additional patch (see above) is required. This seems to be true for at least two instances, one running on Debian/Squeeze?, the other running on Debian/Wheezy?.

Also, I got an additional compiler quirks. Which requires me to add "-fno-tree-vrp" to CFLAGS, at least when compiling under Debian/Squeeze? with gcc-4.4.real (Debian 4.4.5-8) 4.4. The compiler optimizes out the NULL==cipher test in crypto_openssl.c::cipher_kt_mode_ofb_cfb() which in turn again rises the assert which triggers this bug report. Maybe the crypto_polarssl.c is also affcected, haven't checked that. I'm not sure *why* the compiler is damn sure, that the *cipher never is NULL, maybe a bug with this specific compiler version only.

Reasons enough to re-open this bug.

[sven-ola]

The -fno-tree-vrp is also required with Debian/Wheezy? and gcc (Debian 4.7.2-5) 4.7.2. Tested with

cd src/openvpn;make CFLAGS="-ggdb -O2" clean all

Otherwise triggers Assertion failed at crypto_openssl.c:523 also on an AMD64 machine (ovpn client with cipher-none). Source and patchset avail under ​http://sven-ola.dyndns.org/repo/pool/source/freifunk-openvpn_2.3.6-2.dsc

[Steffan Karger]

Aargh, I forgot to remove the __attribute__((nonnull)) on the functions, making gcc rightfully optimizing out the check in the cipher_kt_mode_ofb_cfb(), which will still result in the assertion. Sorry. Attached a patch that removes the incorrent attributes, and adds a test for --cipher none to the make check tests, to prevent future regressions.

[Gert Döring]

The "really fix cipher none" patch has been merged to release/2.3 and master:

commit 785838614afc20d362b64907b0212e9a779e2287 (release/2.3)
commit 98156e90e1e83133a6a6a020db8e7333ada6156b (master)
Author: Steffan Karger <steffan@…>
Date: Tue Dec 2 21:42:00 2014 +0100

Really fix '--cipher none' regression

so this should be really done for good now :-) - sven-ola, could you please re-test?

[Gert Döring]

Pinging again - sven-ola, is this working for you now? The patch is only in git (release/2.3 branch or master) for now, but we'll ship 2.3.7 "soonish" which will have it - and it would be good to know that it actually works.

[Steffan Karger]

I'm pretty convinced this second attempt did fix it, so I'm closing the ticket. If I somehow messed up again with this, just reopen the ticket.