[Box Backup-commit] #21: Problems with Box Backup and OpenSSL 0.9.8d/e
boxbackup-dev@fluffy.co.uk
Wed, 02 May 2007 18:19:23 -0000
#21: Problems with Box Backup and OpenSSL 0.9.8d/e
------------------------------------------------+---------------------------
Reporter: chris | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: bbackupctl | Version: 0.10
Keywords: openssl Cipher EVPFinalFailure 5/6 |
------------------------------------------------+---------------------------
Several users have reported problems with Cipher EVPFinalFailure (5/6)
errors after upgrading to OpenSSL 0.9.8e:

 * Eric Cronin (1/5/2007, see
   [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003469.html] and
   [http://lists.warhead.org.uk/pipermail/boxbackup/2007-May/003470.html])
 * Marco Bartholomew (27/4/2007, see
   [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003455.html])

Marco reports that the bug is listed in Arch Linux at
[http://archlinux.org/news/313/], which refers to:

 * [http://www.mail-archive.com/openssl-users@openssl.org/msg48671.html]
 * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000322.html]
 * [http://archlinux.org/pipermail/arch-dev-public/2007-April/000336.html]

On May 1, 2007, at 2:17 PM, Eric Cronin wrote:

> Looking into it more, it's not surprising at all; the bug is entirely
> client-side, having to do with encryption/decryption of blocks. Basically
> the bug introduced in 0.9.8e changes EVP_encrypt/EVP_decrypt such that
> they produce incompatible ciphertext from earlier versions or other
> implementations of Blowfish.
>
> The correct solution is NOT what I did, unless you know you are unable to
> upgrade/downgrade openssl for an extended period and need backups in the
> meantime: once a new version of openssl is installed on the client which
> corrects the bug, your openssl 0.9.8e encrypted blocks will now be
> unreadable. The best solution is to downgrade to 0.9.8d or to patch
> 0.9.8e's source with [http://cvs.openssl.org/chngview?cn=15978]; that
> one-line patch is what broke compatibility.

There may be a separate issue with 0.9.8d, although it looks quite
obscure:

 * [http://lists.warhead.org.uk/pipermail/boxbackup/2007-April/003463.html]

I believe that this is an external problem (with OpenSSL), but if anyone
can confirm that it's not, then please let me know.

--
Ticket URL: <http://bbdev.fluffy.co.uk/trac/ticket/21>
Box Backup <http://www.fluffy.co.uk/boxbackup/>
An open source, completely automatic on-line backup system for UNIX.