[Box Backup] Exception: Cipher EVPFinalFailure (5/6)

Chris Wilson boxbackup@fluffy.co.uk
Wed, 2 May 2007 18:42:03 +0100 (BST)


Hi Eric,

On Tue, 1 May 2007, Eric Cronin wrote:

> I was bitten by the mysterious Cipher EVPFinalFailure (5/6) error about 
> 3 weeks ago also, which coincides with when I updated OpenSSL on both 
> the client and server to 0.9.8e (I wasn't able to get a precise time as 
> to when it started due to log rotation).  As I was the only one 
> experiencing the errors, I chalked it up to something getting majorly 
> broken with my keys and the encrypted blocks on disk, and created a new 
> account on the same server and started backing up from scratch to it. 
> Very strangely, this has been working fine for about 5 days now, which 
> seems odd if it was an openssl bug.

Thank you for reminding us that this is not the first time that this bug 
has been seen.

I don't claim to understand much about the internals of OpenSSL, but I 
think that the bug is in the padding of certain data, and regenerating 
your certificates might well have changed the length of some encrypted 
data which results in the error being bypassed/worked around.

I still think that there may be a bug in OpenSSL 0.9.8d and above, or else 
some change in functionality which has exposed a previously hidden bug in 
Box Backup.

In any case, I think that since we have seen two independent bug reports, 
this now counts as a confirmed bug, so I will add it to the bug tracker 
and try to fix it as soon as I can.

Do you, by any chance, have a copy of your old certificates and private 
keys (not encryption keys) that you could send me? Since reproducing the 
bug appears to depend on these factors, a copy of the keys and certs would 
be very helpful in reproducing and debugging it.

> For me at least it was far more than just a cosmetic error: bbackupquery 
> could issue usage and cd, but list or restore operations errored out. 
> Also, based on the statistics lines and traffic graphs on the boxbackup 
> port, 0 bytes were successfully being backed up the entire period when I 
> was seeing this error.

That's good to know as well, that should help me to narrow down the bug 
and produce a test case.

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |