Bug 1055

Summary: Problem with arcfour cipher and OpenSSL 0.9.7g
Product: Portable OpenSSH Reporter: Iain Morgan <imorgan>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: t8m
Priority: P2    
Version: 4.1p1   
Hardware: Itanium2   
OS: Linux   

Description Iain Morgan 2005-06-14 08:43:51 AEST 
When building OpenSSH 4.1p1 against OpenSSL 0.9.7g, 'make tests'
indicates that the arcfour cipher fails in regress/try-ciphers.sh. All
other ciphers are successful.

The ssh client can successfully use arcfour when talking to previous
builds of OpenSSH compiled against OpenSSL 0.9.7e. However, when connecting
to the newly built sshd with either the newly built ssh or the previous
(OpwnSSH 3.9p1) build, the connection is broken immediately after
authentication with a "Bad packet length" message.

Note that OpenSSL 0.9.7f introduced assembler code for the RC4 algorithm
on the IA64 architecture. Building OpenSSL with the 'no_asm' flag eliminates
the issue, but also kills performance. Running OpenSSL's 'make test'
shows no problem with the RC4 algorithm. Further, comparing the output
from 'make test' for version 0.9.7g against 0.9.7e shows no difference
in regards to RC4.

A slightly more elegant workaround for this issue is to set the RC4_CHAR
flage _and_ edit crypto/rc4/asm/rc4-ia64.S; changing SZ=4 to SZ=1.

Since this problem seems to only affect sshd and only occurs after
authentication, I'm wondering if there could be an issue with the key
exchange that appears to occur after authentication.
Comment 1 Damien Miller 2005-06-14 09:10:09 AEST 
Have you filed a bug with the OpenSSL developers. If so, could you please
provide a link or tracking number?
Comment 2 Iain Morgan 2005-06-15 07:47:24 AEST 
The issue has also been filed with openssl.org as bug #1114.
Comment 3 Iain Morgan 2005-06-17 05:08:44 AEST 
Correction: The two workarounds mentioned in the initial bug report were
erroneous. I had temporarily removed the reference to arcfour in
try-ciphers.sh in order to see if there were any issues with any of the
other regression tests. Apparently, I forgot to clean up after myself.

I started over from scratch and tried the 'no-asm' workaround and the
RC4_CHAR workaround. Both failed.

Even using the no-asm flag and setting RC4_CHAR when building OpenSSL
does not fix the issue.OB
Comment 4 Iain Morgan 2005-06-29 01:45:22 AEST 
Bug resolved by Andy Polyakov at openssl.org:

Summary can be found at http://cvs.openssl.org/chngview?cn=14145. Point
is that I assumed that RC4_KEY structure initialized by RC4_set_key is
passed down to RC4 verbatim in its original memory location, while
OpenSSH takes freedom to swap the structures initialized in different
locations. One can argue that the latter is inappropriate design choice,
but it works on too many other platforms to argue. And so IA64 was
"reduced" to common denominator. Case dismissed. A.
Comment 5 Darren Tucker 2005-07-14 14:32:52 AEST 
Since this has been addressed in OpenSSL, closing this bug.
Comment 6 Darren Tucker 2006-10-07 11:40:57 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.