[Box Backup-commit] Re: #21: Problems with Box Backup and OpenSSL 0.9.8d/e

boxbackup-dev at fluffy.co.uk
Wed May 2 19:19:50 BST 2007


#21: Problems with Box Backup and OpenSSL 0.9.8d/e
-------------------------+--------------------------------------------------
  Reporter:  chris       |       Owner:                                    
      Type:  defect      |      Status:  new                               
  Priority:  normal      |   Milestone:                                    
 Component:  bbackupctl  |     Version:  0.10                              
Resolution:              |    Keywords:  openssl Cipher EVPFinalFailure 5/6
-------------------------+--------------------------------------------------
Old description:

> Several users have reported problems with Cipher EVPFinalFailure (5/6)
> errors after upgrading to OpenSSL 0.9.8e:
>
>  * Eric Cronin (1/5/2007, see
> [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003469.html] and
> [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003470.html])
>  * Marco Bartholomew (27/4/2007, see
> [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003455.html])
>
> Marco reports that the bug is listed in Arch Linux at
> [http://archlinux.org/news/313/], which refers to:
>
>  * [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html]
>  * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000322.html]
>  * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000336.html]
>
> On May 1, 2007, at 2:17 PM, Eric Cronin wrote:
>
>  Looking into it more, it's not surprising at all; the bug is entirely
> client-side, having to do with encryption/decryption of blocks.  Basically
> the bug introduced in 0.9.8e changes EVP_encrypt/EVP_decrypt such that
> they produce ciphertext incompatible with that of earlier versions or other
> implementations of Blowfish.
>
>  The correct solution is NOT what I did, unless you know you are unable
> to upgrade/downgrade openssl for an extended period and need backups in
> the meantime: once a new version of openssl is installed on the client
> which corrects the bug, your openssl 0.9.8e encrypted blocks will now be
> unreadable.  The best solution is to downgrade to 0.9.8d or to patch
> 0.9.8e's source with [http://cvs.openssl.org/chngview?cn=15978]; that
> one-line patch is what broke compatibility.
>
> There may be a separate issue with 0.9.8d, although it looks quite
> obscure:
>
>  * [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003463.html]
>
> I believe that this is an external problem (with OpenSSL), but if anyone
> can confirm that it's not, then please let me know.

New description:

 Several users have reported problems with Cipher EVPFinalFailure (5/6)
 errors after upgrading to OpenSSL 0.9.8e:

  * Eric Cronin (1/5/2007, see
 [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003469.html] and
 [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003470.html])
  * Marco Bartholomew (27/4/2007, see
 [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003455.html])

 Marco reports that the bug is listed in Arch Linux at
 [http://archlinux.org/news/313/], which refers to:

  * [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html]
  * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000322.html]
  * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000336.html]

 On May 1, 2007, at 2:17 PM, Eric Cronin wrote:

  Looking into it more, it's not surprising at all; the bug is entirely
 client-side, having to do with encryption/decryption of blocks.  Basically
 the bug introduced in 0.9.8e changes EVP_encrypt/EVP_decrypt such that
 they produce ciphertext incompatible with that of earlier versions or other
 implementations of Blowfish.

  The correct solution is NOT what I did, unless you know you are unable to
 upgrade/downgrade openssl for an extended period and need backups in the
 meantime: once a new version of openssl is installed on the client which
 corrects the bug, your openssl 0.9.8e encrypted blocks will now be
 unreadable.  The best solution is to downgrade to 0.9.8d or to patch
 0.9.8e's source with [http://cvs.openssl.org/chngview?cn=15978]; that
 one-line patch is what broke compatibility.

 There may be a separate issue with 0.9.8d, although it looks quite
 obscure:

  * [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003463.html]

 I believe that this is an external problem (with OpenSSL), but if anyone
 can confirm that it's not, then please let me know.

-- 
Ticket URL: <http://bbdev.fluffy.co.uk/trac/ticket/21#comment:1>
Box Backup <http://www.fluffy.co.uk/boxbackup/>
An open source, completely automatic on-line backup system for UNIX.


