#714 closed Bug / Defect (notabug)
segfault in openvpn-polarssl (2.3.11) on openwrt (DD, 49831)
Reported by: | krzee king | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.11 (Community Ed) |
Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
Cc: |
Description (last modified by )
root@OpenWrt:/etc/openvpn# openvpn server.conf
Mon Jul 25 09:15:04 2016 us=463243 OpenVPN 2.3.11 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] Mon Jul 25 09:15:04 2016 us=464103 library versions: PolarSSL 1.3.16, LZO 2.09 Mon Jul 25 09:15:04 2016 us=465734 WARNING: --keepalive option is missing from server config Mon Jul 25 09:15:04 2016 us=467722 Diffie-Hellman initialized with 4096 bit key Segmentation fault
but i dont have a crash if i do:
/usr/sbin/openvpn --secret /etc/openvpn/failover.key --float --dev tun41 --port 1197 --ifconfig 10.0.21.1 10.0.21.2 --keepalive 5 45 --comp-lzo no
root@OpenWrt:/etc/openvpn# cat server.conf
port 1194 proto udp dev tun0 ca ca.crt cert server.crt key server.key dh dh4096.pem server 10.8.10.0 255.255.255.0 verb 9
strace:
open("ca.crt", O_RDONLY|O_LARGEFILE) = 3 _llseek(3, 0, [2269], SEEK_END) = 0 _llseek(3, 0, [2269], SEEK_CUR) = 0 _llseek(3, 0, [0], SEEK_SET) = 0 readv(3, [{"-----BEGIN CERTIFICATE-----\nMIIG"..., 2268}, {"\n", 1024}], 2) = 2269 close(3) = 0 clock_gettime(CLOCK_REALTIME, {1469436902, 619553104}) = 0 clock_gettime(CLOCK_REALTIME, {1469436902, 620658045}) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} --- +++ killed by SIGSEGV +++ Segmentation faul
Note, I'm using 4096 bit keys but i tested the following keys as well:
ca.crt + client.crt + client.key
from https://sourceforge.net/p/openvpn-gui/openvpn/ci/master/tree/sample/sample-keys/
Change History (10)
comment:1 Changed 8 years ago by
Description: | modified (diff) |
---|
comment:2 Changed 8 years ago by
Description: | modified (diff) |
---|
comment:3 Changed 8 years ago by
comment:4 Changed 8 years ago by
unfortunately no.
openwrt uses opkg which uses .ipk files which are binaries
all i can really say is where it came from:
root@OpenWrt:/etc/vpn# opkg install openvpn-polarssl
Installing openvpn-polarssl (2.3.11-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/openvpn-polarssl_2.3.11-1_ar71xx.ipk.
Installing kmod-tun (4.4.14-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/kernel/kmod-tun_4.4.14-1_ar71xx.ipk.
Installing liblzo (2.09-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/liblzo_2.09-1_ar71xx.ipk.
Installing libpolarssl (1.3.17-1) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/base/libpolarssl_1.3.17-1_ar71xx.ipk.
I would be happy to test an ipk from you and take the problem to them if yours works... would that work?
comment:5 Changed 8 years ago by
I dove into the openwrt git, and it seems they disable polarssl's version reporting:
@@ -2160,8 +2160,8 @@ * Module: library/version.c * * This module provides run-time version information. - */ #define POLARSSL_VERSION_C + */
However, OpenVPN calls mbedtls_version_get_number()
, which is now no longer available. I think run time version checking is very useful, so don't like the idea of making that optional in the OpenVPN code. So openwrt should either path their openvpn package to deal with their polarssl config, or just enable POLARSSL_VERSION_C. (How many bytes can three tiny functions possibly cost?)
comment:6 Changed 8 years ago by
Why is it SIGSEGV'ing, instead of being killed by ld.so with "symbol not found"??
comment:7 Changed 8 years ago by
nice, want to test it?
i have a different version of the router as well (841 v11) that has a bug in trunk where it mounts the ramdisk instead of the overlay, so while it forgets everything on reboot i do get a lot more storage to work with :D
that means that now I can install gdb, but unfortunately I do not have debug symbols.
If you could provide an ipk to test, i can test if it still crashes, and if it does i can use gdb now (assuming the test ipk comes with debug symbols)
comment:8 Changed 8 years ago by
Gert is right, this does not have to do with the runtime version checking. They made the required changes for that in OpenVPN too.
Unfortunately I'm not able to build ipkg packages. Maybe the openwrt maintainer can build one with debug symbols for you?
As soon as someone provides me with a stack strace, I'll look into it.
comment:9 Changed 8 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
sounds like this problem has nothing to do with us, and lives completely in openwrt. If I figure out anything more I will update this for completeness sake. Thank you for the offer to help if we can get a stack trace, I will let you know if I find a way.
comment:10 Changed 8 years ago by
from their dev chan (thank you dangole):
<dangole> https://bugs.lede-project.org/index.php?do=details&task_id=33
<dangole> ah, it's the cipher-suite which needs to be specified explicitely when using polarssl
<dangole> see
<dangole> https://git.lede-project.org/?p=source.git;a=commit;h=f98f4601de762251c4644047786affd34d5fb10c
<dangole> krzee: probably mirko should back-port the fix above for OpenWrt's Chaos Calmer release
So it seems that they have a bug in openvpn-polarssl that is only triggered when not manually specifying --tls-cipher
I will test this and report back.
Would it be possible to extract the config.h of polarssl as built on the box? Maybe this is reproducible with a similarly configured polarssl.