Opened 5 years ago

Closed 3 years ago

#13319 closed defect (fixed)

Unhandled OpenSSL errors found

Reported by: torland
Owned by:
Priority: Medium
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.5.8-rc
Severity: Normal
Keywords: tor-client, 025-backport, nickm-patch, tor-03-unspecified-201612
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Just found this error in the log:

Oct 02 05:20:21.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:819:
Oct 02 05:20:21.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 05:20:21.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 05:20:21.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

Change History (17)

comment:1 Changed 5 years ago by torland

These errors were logged for both torland1 and torland2 within a couple of hours.

comment:2 Changed 5 years ago by robink

I have also seen this, running 0.2.5.8-rc non-exit on Ubuntu 12.04 LTS, official tor repo:

Oct 02 01:05:08.000 [notice] Circuit handshake stats since last time: 12872/12872 TAP, 7018/7018 NTor.
Oct 02 04:00:51.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:978:
Oct 02 04:00:51.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:00:51.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:00:51.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

comment:3 Changed 5 years ago by cypherpunks

On exit node: hviv104 I see:

Oct 02 03:11:31.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).
Oct 02 03:55:13.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).
Oct 02 04:09:51.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000). [2 similar message(s) suppressed in last 600 seconds]
Oct 02 04:21:47.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:819: 
Oct 02 04:21:47.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:21:47.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:21:47.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)
Oct 02 04:47:29.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).

comment:4 Changed 5 years ago by cypherpunks

The timing on this is interesting if we consider the recent libnss PKCS#1 signature validation issue. It seems reasonable to conclude that this OpenSSL code may have issues and that it should be inspected carefully.

comment:5 Changed 5 years ago by gntnbn

On two non-exit relays (0.2.5.8-rc and 0.2.4.23):

Oct 02 06:30:38.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000). [1 similar message(s) suppressed in last 600 seconds]
Oct 02 06:47:19.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:819:
Oct 02 06:47:19.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 06:47:19.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 06:47:19.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

and

Oct 02 08:01:47.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:748:
Oct 02 08:01:47.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 08:01:47.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 08:01:47.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

comment:6 Changed 5 years ago by cypherpunks

The unhandled errors come from a failure of X509_verify called by tor_tls_cert_is_valid, from another TLS context for another connection, even one that was already marked for close by channel_tls_process_certs_cell. The errors were handled by read_to_buf_tls because it is called often, but they could be handled on the TLS handshake too. The OpenSSL error queue is unique per thread, but not per context.

To fix this situation in general we need:

  1. Handle TLS errors after X509_verify and other possible friends.
  2. Check whether the call of tls_log_errors is needed at the end of TLS functions, in the name of:
      /* This should never get invoked, but let's make sure in case OpenSSL
       * acts unexpectedly. */
  3. Check whether every TLS I/O operation is protected by check_no_tls_errors. As an example, tor_tls_renegotiate needs such a check for sure.
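
The mechanism described in comment:6, as an added model that is not part of the ticket and is not Tor or OpenSSL code: one error queue per thread is shared by every connection on that thread, so a failed certificate check on one connection leaves entries that an unrelated connection's read later reports. All function names are hypothetical; the error strings are taken from the logs above.

```c
/* Added model (not Tor or OpenSSL code): a per-thread error queue shared by
 * every connection handled on that thread. All names are hypothetical. */
#include <stdio.h>

#define QMAX 8
static _Thread_local const char *err_queue[QMAX]; /* one queue per thread */
static _Thread_local int err_count;

static void push_error(const char *msg) {
    if (err_count < QMAX) err_queue[err_count++] = msg;
}

/* Drain the queue, reporting each entry against `where`; returns how many. */
static int drain_errors(const char *where) {
    int n = err_count;
    for (int i = 0; i < n; i++)
        printf("[%s] TLS error: %s\n", where, err_queue[i]);
    err_count = 0;
    return n;
}

/* Certificate check on connection A: fails and leaves errors queued.
 * With handle_here set, the errors are drained at the failure site. */
static int verify_cert(int handle_here) {
    push_error("block type is not 01");
    push_error("padding check failed");
    push_error("EVP lib");
    if (handle_here) drain_errors("conn A cert verify");
    return 0; /* verification failed */
}

/* Read on unrelated connection B: checks the queue on entry, as a
 * "no errors pending" guard would. Returns the stale errors it found. */
static int read_conn_b(void) {
    return drain_errors("conn B read: unhandled errors");
}

/* Returns how many of conn A's errors end up reported by conn B's read. */
int stale_errors_seen_by_reader(int handle_at_verify) {
    err_count = 0;
    verify_cert(handle_at_verify);
    return read_conn_b();
}

int main(void) {
    printf("unpatched: %d stale\n", stale_errors_seen_by_reader(0));
    printf("patched:   %d stale\n", stale_errors_seen_by_reader(1));
    return 0;
}
```

In the unhandled case the three entries surface at the reader's call site, which matches the warnings in this ticket pointing at varying lines of buffers.c rather than at the certificate check.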

comment:7 Changed 5 years ago by nickm

Keywords: tor-client added

comment:8 Changed 5 years ago by nickm

Keywords: 025-backport added
Milestone: Tor: 0.2.5.x-final → Tor: 0.2.6.x-final

comment:9 Changed 5 years ago by toralf

Well, I noticed this once on the 2nd of October too:

Oct 02 04:30:09.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:819:
Oct 02 04:30:09.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:30:09.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:30:09.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

comment:10 Changed 5 years ago by george_cebolla

Also saw this on 2 October on an exit node:

Oct  2 04:08:17  Tor[3081]: Unhandled OpenSSL errors found at ../src/or/buffers.c:748:
Oct  2 04:08:17  Tor[3081]: TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct  2 04:08:17  Tor[3081]: TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct  2 04:08:17  Tor[3081]: TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

comment:11 Changed 5 years ago by nickm

Keywords: nickm-patch added
Status: new → needs_review

Untested fix in branch "bug13319" in my public repository. Please review. Where does it need improvements? Are all the INFO/WARN choices right?

comment:12 Changed 5 years ago by Nemo_bis

Same on my exit node,

Nov 26 06:40:37.000 [notice] Circuit handshake stats since last time: 2743/2743 TAP, 8275/8275 NTor.
Nov 26 08:37:57.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:907:
Nov 26 08:37:57.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Nov 26 08:37:57.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Nov 26 08:37:57.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

with

$ tor --version
Tor version 0.2.4.25 (git-6b2ed1a905ce2ca5).
$ rpm -qa | grep -E '^tor'
tor-0.2.4.25-1.fc20.x86_64
tor-arm-1.4.5.0-6.fc20.noarch
torsocks-1.3-2.fc20.x86_64

comment:13 Changed 5 years ago by reezer

I got something similar on FreeBSD 10.1:

Nov 26 03:39:39.000 [notice] Heartbeat: Tor's uptime is 9 days 12:00 hours, with 26156 circuits open. I've sent 13376.97 GB and received 12909.09 GB.
Nov 26 03:39:39.000 [notice] Average packaged cell fullness: 99.294%
Nov 26 03:39:39.000 [notice] TLS write overhead: 3%
Nov 26 03:39:39.000 [notice] Circuit handshake stats since last time: 640620/640621 TAP, 379406/379406 NTor.
Nov 26 06:27:21.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:981: 
Nov 26 06:27:21.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Nov 26 06:27:21.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Nov 26 06:27:21.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)
Nov 26 09:39:39.000 [notice] Heartbeat: Tor's uptime is 9 days 18:00 hours, with 32744 circuits open. I've sent 13758.49 GB and received 13277.18 GB
Tor version 0.2.6.1-alpha (git-5a601dd2901644a5).

Happened only once though with the uptime being 42 days now.

comment:14 Changed 5 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: 0.2.???
Status: needs_review → needs_information

I'm merging my branch, since it's not gotten any review or testing besides me, and I don't know if it will. More importantly, its only likely failure mode is the possibility of logging too loudly, which is easy to detect and fix.

Putting this in "needs_information": the information needed is, did the bug get fixed?

comment:15 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:16 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:17 Changed 3 years ago by nickm

Milestone: Tor: unspecified → Tor: 0.2.6.x-final
Resolution: fixed
Severity: Normal
Status: needs_information → closed

Calling this "probably fixed in 0.2.6"
