bugzilla-daemon at mindrot.org
2007-Mar-03 15:58 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
http://bugzilla.mindrot.org/show_bug.cgi?id=1291

           Summary: aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
           Product: Portable OpenSSH
           Version: 4.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: bjh21 at bjh21.me.uk

Connections from "OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006" to "OpenSSH_4.5p1, OpenSSL 0.9.8e 23 Feb 2007" using "aes256-ctr" fail with "Bad packet length". The same problem occurs when using PuTTY 0.59 against the newer server. PuTTY users have reported this problem too, with servers on both FreeBSD and Linux, and with OpenSSH versions back to 4.0. The problem occurs with the "aes256-ctr", "aes192-ctr", and "arcfour256" ciphers, but not with "aes128-ctr", "aes256-cbc", "aes192-cbc", or "arcfour128".

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2007-Mar-03 16:00 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #1 from bjh21 at bjh21.me.uk 2007-03-04 03:00 -------
Created an attachment (id=1244)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1244&action=view)
debug messages from sshd

On my test system, running NetBSD/macppc 2.1 and compiling with default settings (apart from directory prefixes), I get these log messages from the server.
bugzilla-daemon at mindrot.org
2007-Mar-03 16:01 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #2 from bjh21 at bjh21.me.uk 2007-03-04 03:01 -------
Created an attachment (id=1245)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1245&action=view)
client debug messages

... and these messages on the client.
bugzilla-daemon at mindrot.org
2007-Mar-03 16:02 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
bjh21 at bjh21.me.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1244|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at mindrot.org
2007-Mar-03 16:04 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
bjh21 at bjh21.me.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/ssh2-aesctr-openssh
bugzilla-daemon at mindrot.org
2007-Mar-03 21:01 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #3 from bjh21 at bjh21.me.uk 2007-03-04 08:01 -------
It looks to me like the set of broken ciphers is precisely the set for which the key_len in the Cipher structure doesn't match that in the EVP. I suspect this is significant.
bugzilla-daemon at mindrot.org
2007-Mar-03 23:55 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #4 from dtucker at zip.com.au 2007-03-04 10:55 -------
Between 0.9.8d and 0.9.8e, EVP_CIPHER_CTX_key_length changed from

#define EVP_CIPHER_CTX_key_length(e)	((e)->key_len)

to

int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx)
	{
	return ctx->cipher->key_len;
	}

so it seems that it's now returning the default key length of the cipher rather than that of the context. If I add a debug print of the key length you can see that it doesn't change even though EVP_CIPHER_CTX_set_key_length has been called:

debug2: set_newkeys: mode 1
debug1: key len 16
debug2: cipher_init: set keylen (16 -> 32)
debug1: key len 16

If I then change "return ctx->cipher->key_len" to "return ctx->key_len" in and recompile then everything seems to be peachy. So it would appear to be an OpenSSL bug. I'll file it upstream.
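A self-contained model of the accessor change described in comment #4, added here as an illustration and not code from OpenSSL or OpenSSH: the struct layouts, the stand-in for EVP_CIPHER_CTX_set_key_length, the cipher_init-style flow and the key-length table are all constructed to match the debug output quoted in this thread (EVP default 16, OpenSSH asking for 24 or 32), and affected_by_098e() reports which (cipher, key length) pairs a 0.9.8e-style accessor would mis-key.

```c
/* Constructed model of OpenSSL 0.9.8's EVP key-length bookkeeping (the
 * EVP_CIPHER_CTX struct was still public then). Not OpenSSL's or OpenSSH's
 * own code; field names follow the snippets quoted in comment #4. */
#include <stdio.h>

typedef struct { const char *name; int key_len; } EVP_CIPHER_MODEL;            /* cipher default */
typedef struct { const EVP_CIPHER_MODEL *cipher; int key_len; } EVP_CTX_MODEL; /* per context */

/* Up to 0.9.8d: a macro reading the context's own key_len. */
static int key_length_098d(const EVP_CTX_MODEL *c) { return c->key_len; }
/* 0.9.8e: a function reading the cipher default, ignoring the context. */
static int key_length_098e(const EVP_CTX_MODEL *c) { return c->cipher->key_len; }

/* Stand-in for EVP_CIPHER_CTX_set_key_length on a variable-key-length cipher. */
static int set_key_length(EVP_CTX_MODEL *c, int keylen)
{
	if (keylen <= 0) return 0;
	c->key_len = keylen;
	return 1;
}

/* Models OpenSSH's cipher_init(): EVP_CipherInit copies the cipher default into
 * the context, OpenSSH bumps it to the length in its Cipher table, and the
 * cipher's init routine later asks the accessor how many key bytes to use.
 * Returns that final length, or -1 if the bump was refused. */
static int keyed_length(const EVP_CIPHER_MODEL *evp, int ssh_keylen,
    int (*ctx_key_length)(const EVP_CTX_MODEL *))
{
	EVP_CTX_MODEL ctx = { evp, evp->key_len };
	int klen = ctx_key_length(&ctx);
	if (klen > 0 && klen != ssh_keylen) {
		printf("cipher_init: set keylen (%d -> %d)\n", klen, ssh_keylen);
		if (!set_key_length(&ctx, ssh_keylen))
			return -1;
	}
	return ctx_key_length(&ctx);
}

/* 1 when a 0.9.8e-style accessor keys the cipher with fewer bytes than OpenSSH
 * supplied, so the two peers derive different keystreams: the "Bad packet
 * length" (SSH2) and "Corrupted check bytes" (SSH1) failures in this thread. */
static int affected_by_098e(const EVP_CIPHER_MODEL *evp, int ssh_keylen)
{
	return keyed_length(evp, ssh_keylen, key_length_098e) != ssh_keylen;
}

/* Constructed entries: EVP default 16 in each case, as the "(16 -> 32)" lines show. */
static const EVP_CIPHER_MODEL evp_aes_ctr = { "aes-ctr", 16 };
static const EVP_CIPHER_MODEL evp_rc4 = { "rc4", 16 };
static const EVP_CIPHER_MODEL evp_ssh1_3des = { "ssh1-3des", 16 };
```

Ciphers whose table key length equals the EVP default (aes128-ctr, arcfour128) never take the set-key-length branch, which is why the report lists them as unaffected.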
bugzilla-daemon at mindrot.org
2007-Mar-04 04:56 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #5 from dtucker at zip.com.au 2007-03-04 15:56 -------
Created an attachment (id=1246)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1246&action=view)
Work around openssl 0.9.8e bug in compat layer

We can also work around this in the compat layer without too much trouble. Is this worth doing for the 4.6p1 release?
bugzilla-daemon at mindrot.org
2007-Mar-04 16:28 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
jacobn+mindrot at chiark.greenend.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jacobn+mindrot at chiark.greenend.org.uk
bugzilla-daemon at mindrot.org
2007-Mar-04 16:31 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #6 from jacobn+mindrot at chiark.greenend.org.uk 2007-03-05 03:31 -------
This bug bites with PuTTY's default configuration, so I expect we'd like it to go away ASAP to reduce the size of our mailboxes ;)
bugzilla-daemon at mindrot.org
2007-Mar-04 20:51 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #7 from dtucker at zip.com.au 2007-03-05 07:51 -------
The OpenSSL folks confirmed the problem and that it's already been fixed in their CVS. So the remaining question is whether or not it's safe to apply the patch so close to release. I think it is since the patch is specific to the OpenSSL version that is known to have the problem. Damien? Tim?
bugzilla-daemon at mindrot.org
2007-Mar-04 22:32 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #8 from djm at mindrot.org 2007-03-05 09:31 -------
(From update of attachment 1246)
>Index: openbsd-compat/openssl-compat.h
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/openssl-compat.h,v
>retrieving revision 1.6
>diff -u -p -r1.6 openssl-compat.h
>--- openbsd-compat/openssl-compat.h	22 Feb 2006 11:24:47 -0000	1.6
>+++ openbsd-compat/openssl-compat.h	4 Mar 2007 03:31:09 -0000
>@@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
> # endif
> #endif
> 
>+/* OpenSSL 0.9.8e returns cipher key len not context key len */
>+#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
>+# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
>+#endif

Two questions:
1. should there be a #undef here?
2. Have OpenSSL acknowledged that this is a bug? If not, perhaps this needs to run off a configure test?
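Review bot: `# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)` turns a name that 0.9.8e declares as a real function into a function-like macro, so it is only safe where <openssl/evp.h> has already been included; the context line `extern const EVP_CIPHER *evp_acss(void);` shows that holds at this point in openssl-compat.h, but a source file that pulled in this header before evp.h would have the prototype itself expanded to `int ((const EVP_CIPHER_CTX *ctx)->key_len);` and fail to compile, which deserves a one-line comment next to the `#if`. No `#undef` is needed for the reason comment #4 gives: in 0.9.8e the name is a function, so there is no earlier macro to clear, and the `== 0x0090805fL` test pins exactly that release and stays a no-op on 0.9.8d and on later versions carrying the upstream fix. Separately, `@@ -46,6 +46,11 @@` announces five added lines and three trailing context lines, yet only four `+` lines appear and nothing follows `+#endif`, so the quoted hunk looks truncated in the mail rather than in the patch.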
bugzilla-daemon at mindrot.org
2007-Mar-04 23:09 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #9 from dtucker at zip.com.au 2007-03-05 10:09 -------
(In reply to comment #8)
> 1. should there be a #undef here?

Not as long as it targets only 0.9.8e as EVP_CIPHER_CTX_key_length is a function not a macro in that version.

> 2. Have OpenSSL acknowledged that this is a bug?

Yes, I got a response from Lutz Jaenicke saying that my suggested change in comment #4 was correct and that it had already been applied to OpenSSL's CVS within the last week.

> If not, perhaps this needs to run off a configure test?

Maybe, but I would be concerned that it may interact with something else in future. The proposed patch targets only the known problem version and is a no-op for every other version.
bugzilla-daemon at mindrot.org
2007-Mar-04 23:18 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1246|                            |ok+
               Flag|                            |
bugzilla-daemon at mindrot.org
2007-Mar-05 00:07 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
OtherBugsDependingOnThis|                       |1274
bugzilla-daemon at mindrot.org
2007-Mar-05 07:31 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Comment #10 from dtucker at zip.com.au 2007-03-05 18:31 -------
(In reply to comment #6)
> This bug bites with PuTTY's default configuration, so I expect we'd
> like it to go away ASAP to reduce the size of our mailboxes ;)

Well then, in the interests of mailbox reduction (ours as well as yours :-) the patch has been committed and will be in 4.6p1. Thanks for the report.
bugzilla-daemon at mindrot.org
2007-Mar-13 10:15 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #11 from dtucker at zip.com.au 2007-03-13 21:15 -------
Created an attachment (id=1252)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1252&action=view)
key_len fix for Protocol 1 3des cipher

Juan Gallego points out that this also affects the Protocol 1 3des cipher, which causes this:

debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.

This is what Corinna saw on Cygwin (http://lists.mindrot.org/pipermail/openssh-unix-dev/2007-March/025179.html) but I got the wrong cipher in my suggested workaround.
bugzilla-daemon at mindrot.org
2007-Mar-15 14:34 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #12 from svallet at genoscope.cns.fr 2007-03-16 01:34 -------
The Cygwin bug also concerns 4.6 client connections to older Cisco devices, which use SSHv1/3des. The patch in #11 fixes the problem here, thanks -- any chance for a 4.6p2?
bugzilla-daemon at mindrot.org
2007-Mar-15 21:32 UTC
[Bug 1291] aes256-ctr, aes192-ctr, arcfour256 broken with OpenSSL 0.9.8e
------- Comment #13 from djm at mindrot.org 2007-03-16 08:32 -------
We will probably make a release in the near future (~1.5 months), but I don't think this warrants rushing a portable release out the door sooner. I think you should be chasing the OpenSSL people to make a release, as this is completely their bug.