Hi,
On 08/07/16 16:55, [email protected] wrote:
Please run the OpenVPN instance which core dumps via gdb. When it
segfaults, type the command 'bt' (backtrace) and provide us with the
complete backtrace. Then we can have an idea where in the code it
crashed.
Another alternative is to enable core dump files (a global system
configuration, not an OpenVPN setting), those files can then be run via
gdb and the backtrace can be captured afterwards.
Without a backtrace it is nearly impossible to understand why it
crashes. Most likely it is related to a NULL pointer, but which pointer
will be plain guesswork which mostly would be a lot of wasted time.
I can reproduce the exact same thing; the culprit in the code is in
ssl.c, line 1453:
1431 static void
1432 tls1_PRF(uint8_t *label,
1433          int label_len,
1434          const uint8_t *sec,
1435          int slen,
1436          uint8_t *out1,
1437          int olen)
1438 {
1439   struct gc_arena gc = gc_new ();
1440   const md_kt_t *md5 = md_kt_get("MD5");
1441   const md_kt_t *sha1 = md_kt_get("SHA1");
1442   int len,i;
1443   const uint8_t *S1,*S2;
1444   uint8_t *out2;
1445
1446   out2 = (uint8_t *) gc_malloc (olen, false, &gc);
1447
1448   len=slen/2;
1449   S1=sec;
1450   S2= &(sec[len]);
1451   len+=(slen&1); /* add for odd, make longer */
1452
1453   tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
1454   tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1455
1456   for (i=0; i<olen; i++)
1457     out1[i]^=out2[i];
1458
1459   memset (out2, 0, olen);
1460
1461   dmsg (D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex (out1, olen, 0, &gc));
1462
1463   gc_free (&gc);
1464 }
I'm actually not entirely surprised that a FIPS-enabled ssl lib no
longer likes MD5 - but the question is, what can be done about it
without breaking OpenVPN interoperability?
Weirdly enough, the "md5" object does not seem to be NULL.
There's a patch from OpenSuSE that adds FIPS support to OpenVPN 2.3.2 -
perhaps we should take a closer look at that:
https://build.opensuse.org/package/view_file/network:vpn/openvpn/openvpn-fips140-2.3.2.patch?expand=1
HTH,
JJK
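
The computation done by the tls1_PRF function quoted above, as an added example that is not part of the original message and is not OpenVPN code: the RFC 2246 PRF written in Python, with a probe that turns a refused digest into a clean error before any hashing starts. The function names and sample inputs are hypothetical, and it is an assumption here that a restricted crypto backend reports a refused MD5 as ValueError.

```python
import hashlib
import hmac


def digest_usable(name: str) -> bool:
    """Return True if the backend will really run HMAC with this digest."""
    try:
        hmac.new(b"probe-key", b"probe", name).digest()
        return True
    except ValueError:  # unknown digest, or one the backend refuses to run
        return False


def p_hash(name: str, secret: bytes, seed: bytes, olen: int) -> bytes:
    """RFC 2246 P_hash: HMAC(secret, A(1)+seed) + HMAC(secret, A(2)+seed) ..."""
    out = b""
    a = seed  # A(0)
    while len(out) < olen:
        a = hmac.new(secret, a, name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, name).digest()
    return out[:olen]


def split_secret(sec: bytes):
    """Same split as lines 1448-1451: halves share one byte when slen is odd."""
    half = len(sec) // 2
    length = half + (len(sec) & 1)
    return sec[:length], sec[half:half + length]


def tls1_prf(seed: bytes, sec: bytes, olen: int) -> bytes:
    """P_MD5(S1, seed) XOR P_SHA1(S2, seed); 'seed' is label||seed as in ssl.c."""
    for name in ("md5", "sha1"):
        if not digest_usable(name):
            # Fail with a clear message instead of hashing with a bad digest.
            raise RuntimeError(f"{name} unavailable; TLS 1.0 PRF cannot be computed")
    s1, s2 = split_secret(sec)
    out1 = p_hash("md5", s1, seed, olen)
    out2 = p_hash("sha1", s2, seed, olen)
    return bytes(x ^ y for x, y in zip(out1, out2))


if __name__ == "__main__":
    # Constructed sample inputs, not real key material.
    print(tls1_prf(b"constructed label" + b"seed", b"constructed-secret!", 48).hex())
```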