Unhandled OpenSSL errors found

changed milestone to %Tor: 0.2.6.x-final

added 025-backport component::core tor/tor milestone::Tor: 0.2.6.x-final nickm-patch priority::medium reporter::torland resolution::fixed severity::normal status::closed tor-03-unspecified-201612 tor-client type::defect version::tor 0.2.5.8-rc labels

These errors were logging for both of torland1 and torland2 within a couple of hours.

Trac:
Username: torland

I have also seen this, running 0.2.5.8-rc non-exit on Ubuntu 12.04 LTS, official tor repo:

Oct 02 01:05:08.000 [notice] Circuit handshake stats since last time: 12872/12872 TAP, 7018/7018 NTor.
Oct 02 04:00:51.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:978:
Oct 02 04:00:51.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:00:51.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:00:51.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

Trac:
Username: robink

On exit node: hviv104 I see:

Oct 02 03:11:31.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).
Oct 02 03:55:13.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).
Oct 02 04:09:51.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000). [2 similar message(s) suppressed in last 600 seconds]
Oct 02 04:21:47.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:819: 
Oct 02 04:21:47.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:21:47.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:21:47.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)
Oct 02 04:47:29.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000).

The timing on this is interesting if we consider the recent libnss PKCS#1 signature validation issue. It seems reasonable to conclude that this OpenSSL code may have issues and that it should be inspected carefully.

on two non-exit relays (0.2.5.8-rc and 0.2.4.23):

Oct 02 06:30:38.000 [warn] Unexpected sendme cell from client. Closing circ (window 1000). [1 similar message(s) suppressed in last 600 seconds] Oct 02 06:47:19.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:819: Oct 02 06:47:19.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---) Oct 02 06:47:19.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---) Oct 02 06:47:19.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

and

Oct 02 08:01:47.000 [warn] Unhandled OpenSSL errors found at ../src/or/buffers.c:748: Oct 02 08:01:47.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---) Oct 02 08:01:47.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---) Oct 02 08:01:47.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

Trac:
Username: gntnbn

Unhandled errors are from failure of X509_verify called by tor_tls_cert_is_valid, from another tls context for another connection even that was already marked for close by channel_tls_process_certs_cell. Errors was handled by read_to_buf_tls because it called often, but could be handled on TLS handshake too. Openssl error queue unique for thread, but not for context.

To fix this situation in general we need:

Handle TLS errors after X509_verify and another possible friends.
To check if call of tls_log_errors need at the end of tls functions, in the name of

  /* This should never get invoked, but let's make sure in case OpenSSL
   * acts unexpectedly. */

To check if every TLS IO operation protected by check_no_tls_errors. as example tor_tls_renegotiate need such check for sure.

Trac:
Keywords: N/A deleted, tor-client added

Trac:
Milestone: Tor: 0.2.5.x-final to Tor: 0.2.6.x-final
Keywords: tor-client deleted, tor-client 025-backport added

Well, realized this 1x at 2nd of October too :

Oct 02 04:30:09.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:819:
Oct 02 04:30:09.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct 02 04:30:09.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct 02 04:30:09.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

Also saw this on 2 October on an exit node

Oct  2 04:08:17  Tor[3081]: Unhandled OpenSSL errors found at ../src/or/buffers.c:748:
Oct  2 04:08:17  Tor[3081]: TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Oct  2 04:08:17  Tor[3081]: TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Oct  2 04:08:17  Tor[3081]: TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

Trac:
Username: george_cebolla

Untested fix in branch "bug13319" in my public repository. Please revlew. Where does it need improvements? Are all the INFO/WARN choices right?

Trac:
Status: new to needs_review
Keywords: tor-client 025-backport deleted, tor-client 025-backport nickm-patch added

Same on my exit node,

Nov 26 06:40:37.000 [notice] Circuit handshake stats since last time: 2743/2743 TAP, 8275/8275 NTor.
Nov 26 08:37:57.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:907:
Nov 26 08:37:57.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Nov 26 08:37:57.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Nov 26 08:37:57.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)

with

$ tor --version
Tor version 0.2.4.25 (git-6b2ed1a905ce2ca5).
$ rpm -qa | grep -E '^tor'
tor-0.2.4.25-1.fc20.x86_64
tor-arm-1.4.5.0-6.fc20.noarch
torsocks-1.3-2.fc20.x86_64

Trac:
Username: Nemo_bis

I got something similar on FreeBSD 10.1:

Nov 26 03:39:39.000 [notice] Heartbeat: Tor's uptime is 9 days 12:00 hours, with 26156 circuits open. I've sent 13376.97 GB and received 12909.09 GB.
Nov 26 03:39:39.000 [notice] Average packaged cell fullness: 99.294%
Nov 26 03:39:39.000 [notice] TLS write overhead: 3%
Nov 26 03:39:39.000 [notice] Circuit handshake stats since last time: 640620/640621 TAP, 379406/379406 NTor.
Nov 26 06:27:21.000 [warn] Unhandled OpenSSL errors found at src/or/buffers.c:981: 
Nov 26 06:27:21.000 [warn] TLS error: block type is not 01 (in rsa routines:RSA_padding_check_PKCS1_type_1:---)
Nov 26 06:27:21.000 [warn] TLS error: padding check failed (in rsa routines:RSA_EAY_PUBLIC_DECRYPT:---)
Nov 26 06:27:21.000 [warn] TLS error: EVP lib (in asn1 encoding routines:ASN1_item_verify:---)
Nov 26 09:39:39.000 [notice] Heartbeat: Tor's uptime is 9 days 18:00 hours, with 32744 circuits open. I've sent 13758.49 GB and received 13277.18 GB

Tor version 0.2.6.1-alpha (git-5a601dd2901644a5).

Happened only once though with the uptime being 42 days now.

Trac:
Username: reezer

I'm merging my branch, since it's not gotten any review or testing besides me, and I don't know if it will. More importantly, its only likely failure mode is the possibility of logging too loudly, which is easy to detect and fix.

Putting this in "needs_information": the information needed is, did the bug get fixed?

Trac:
Milestone: Tor: 0.2.6.x-final to Tor: 0.2.???
Status: needs_review to needs_information

Milestone renamed

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.3.???

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

Trac:
Milestone: Tor: 0.3.??? to Tor: unspecified
Keywords: tor-client 025-backport nickm-patch deleted, tor-client, tor-03-unspecified-201612, 025-backport, nickm-patch added

Calling this "probably fixed in 0.2.6"

Trac:
Milestone: Tor: unspecified to Tor: 0.2.6.x-final
Reviewer: N/A to N/A
Severity: N/A to Normal
Sponsor: N/A to N/A
Resolution: N/A to fixed
Status: needs_information to closed

closed

moved to tpo/core/tor#13319 (closed)

Unhandled OpenSSL errors found

Child items 0

Activity