
BUG_ON(IS_ERR_OR_NULL(tls->xfrm.ciphersuite_info)) #1270


Closed
krizhanovsky opened this issue Jun 12, 2019 · 2 comments · Fixed by #1272

krizhanovsky commented Jun 12, 2019

`./run_tests.py -n tls.test_tls_handshake.Tls12` (from tempesta-tech/tempesta-test#103) leads to the crash:

```
[  181.052487] ------------[ cut here ]------------
[  181.053703] kernel BUG at /root/tempesta/tls/tls_srv.c:1044!
[  181.055185] invalid opcode: 0000 [#1] SMP PTI
[  181.056328] Modules linked in: tempesta_fw(O) tempesta_db(O) tempesta_tls(O) tempesta_lib(O) binfmt_misc crct10dif_pclmul ppdev bochs_drm ttm drm_kms_helper drm sg button parport_pc fb_sys_fops syscopyarea sysfillrect sysimgblt pcspkr parport serio_raw ip_tables x_tables ext4 crc16 mbcache jbd2 fscrypto sr_mod cdrom sd_mod ata_generic ata_piix psmouse libata e1000 i2c_piix4 scsi_mod
[  181.063407] CPU: 1 PID: 903 Comm: python2 Tainted: G           O    4.14.32-kdump+ #142
[  181.064885] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
[  181.066495] task: ffff9929af78c000 task.stack: ffff9929aef6c000
[  181.067592] RIP: 0010:ttls_handshake_server_step+0x1325/0x1be0 [tempesta_tls]
[  181.068894] RSP: 0018:ffff9929ffd03928 EFLAGS: 00010246
[  181.069868] RAX: 00000000ffffffea RBX: ffff9929aef47ab8 RCX: 0000000000000003
[  181.071168] RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: 0000000000000000
[  181.072487] RBP: 0000000000000000 R08: ffffdf6b7fd18f60 R09: 000000000000000a
[  181.074881] R10: 0000000000000007 R11: 0000000000000000 R12: ffff9929ca1033e4
[  181.076700] R13: ffffffffc06e80a0 R14: ffff9929ca1033e4 R15: ffffffffc06d81e0
[  181.078510] FS:  00007f33ea34f700(0000) GS:ffff9929ffd00000(0000) knlGS:0000000000000000
[  181.080328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  181.081519] CR2: 000055ddd5e232d0 CR3: 000000002f7b6002 CR4: 00000000003606e0
[  181.082992] Call Trace:
[  181.083538]  <IRQ>
[  181.083962]  ttls_recv+0x2d3/0x790 [tempesta_tls]
[  181.084937]  ? ttls_decrypt+0x560/0x560 [tempesta_tls]
[  181.086155]  ss_skb_process+0x187/0x1f0 [tempesta_fw]
[  181.087319]  tfw_tls_msg_process+0xe3/0x340 [tempesta_fw]
[  181.088501]  ? tfw_tls_msg_process+0x6a/0x340 [tempesta_fw]
[  181.089652]  __gfsm_fsm_exec+0x51/0x90 [tempesta_fw]
[  181.090684]  tfw_connection_recv+0x49/0x70 [tempesta_fw]
[  181.091896]  ? tfw_connection_send+0x20/0x20 [tempesta_fw]
[  181.092991]  ss_tcp_process_data+0x1d6/0x440 [tempesta_fw]
[  181.095752]  ss_tcp_data_ready+0x3e/0x80 [tempesta_fw]
[  181.098390]  tcp_data_queue+0x4f0/0xc50
```

krizhanovsky commented Jun 17, 2019

Please use the key and cert from the tarball to reproduce the issue - I tried it several times and it's 100% reproducible for me.


i-rinat commented Jun 17, 2019

The immediate cause of crashing is the inverted condition in the triggered BUG_ON(). The exact code path with that BUG_ON() is executed because the test tries elliptic curves while the server certificate has only RSA.

I believe the correct behavior in that case should be to drop the connection. (Maybe with a TLS alert. I'm not sure here. This is clearly not a highly expected scenario.)
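
A userspace sketch of the handling suggested in the comment above, added here as an example and not taken from Tempesta TLS: when the client offers only ECDSA suites and the server certificate is RSA, suite selection returns an error and queues a handshake_failure alert instead of reaching an assertion. All type and function names are hypothetical; the ciphersuite ids and the alert code are the standard IANA/RFC 5246 values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not Tempesta TLS code: all names are hypothetical. */
enum key_type { KEY_RSA, KEY_ECDSA };
struct suite_info {
	uint16_t id;         /* IANA ciphersuite id */
	enum key_type auth;  /* certificate key type the suite requires */
};

/* Suites this toy server implements. */
static const struct suite_info supported[] = {
	{ 0xC02B, KEY_ECDSA },  /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
	{ 0xC02F, KEY_RSA },    /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
};

#define ALERT_HANDSHAKE_FAILURE 40  /* RFC 5246 AlertDescription */
struct hs_ctx {
	const struct suite_info *suite;  /* NULL until negotiated */
	int fatal_alert;                 /* 0 = no alert queued */
};

/* First client-offered suite usable with the server certificate's key. */
static const struct suite_info *
pick_suite(const uint16_t *offered, size_t n, enum key_type cert_key)
{
	for (size_t i = 0; i < n; i++)
		for (size_t j = 0; j < sizeof(supported) / sizeof(supported[0]); j++)
			if (supported[j].id == offered[i] && supported[j].auth == cert_key)
				return &supported[j];
	return NULL;
}

/*
 * The peer's ClientHello decides whether a suite is found, so "no match"
 * is a protocol error to report, not an invariant to assert on.
 * Returns 0 on success, -1 when the caller must send the alert and close.
 */
int hs_choose_suite(struct hs_ctx *hs, const uint16_t *offered, size_t n,
		    enum key_type cert_key)
{
	hs->suite = pick_suite(offered, n, cert_key);
	if (!hs->suite) {
		hs->fatal_alert = ALERT_HANDSHAKE_FAILURE;
		return -1;
	}
	hs->fatal_alert = 0;
	return 0;
}
```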
