Corrupted MAC on input

Darren Tucker dtucker at zip.com.au
Mon May 3 17:51:10 EST 2004


Deron Meranda wrote:
> Darren Tucker wrote:
> 
>> If the encrypted packets are identical but decrypt differently that 
>> sounds like a problem in the crypto itself.  Which algorithm were you 
>> using?  Are you using the HP ANSI C compiler to compile OpenSSL?
> 
> No, I used gcc 3.3 for everything except for one hand-coded
> assembly file "crypto/bn/asm/pa-risc2.s" for which I used
> HP's assembler.  My ssh sessions are all SSH version 2, and
> negotiate the AES crypto algorithm.

OpenSSL will automatically build that when configured with the HP ANSI C 
compiler, right?  If so, that's a common point (but the bignum stuff 
isn't used during the session unless it gets rekeyed...)

Can you try it without that?  I know it's significantly slower, but 
there's been some speedups on the OpenSSH which should help compensate:
http://www.openssh.com/faq.html#3.3

> My OpenSSL binaries passed all self-tests, and I also use
> the same libraries with Apache.  And since I use Mozilla, the
> AES algos also get a good workout in the context of the webserver.
> I've yet to see any type of peculiar behavior, except for the
> MAC errors in OpenSSH.

Do any of the others use hmac-md5?  Perhaps you can try alternative MAC 
and cipher algorithms?

> I should also mention that I also use this same ssh server
> all day long while at work (on the same 100 Mbps LAN).  I work
> it really hard there and NEVER see any problem.  But all the
> corrupted MAC errors I've seen only occur while working from home,
> over an ADSL connection.  I can't explain how that may make any
> difference.

I've only once had problems with MAC failures over my ADSL link, and it 
seemed to correspond to an equipment failure upstream.  MAC failures got 
more and more frequent over the course of several hours (other traffic 
was affected too, but I noticed ssh first), then the link went offline 
completely for several hours.  When it came back up, it was fine again.

> I did not have any sort of debugging enabled this time, but I
> may have noticed another pattern.  I only seem to get a
> corrupted MAC when a burst of traffic occurs, never when just
> typing or something slow.  Also it seems to occur more readily
> when the data stream contains a lot of repetitive patterns.
[...]
> This got me thinking that perhaps this could also be a
> compression issue.  I do have compression turned on.

Good thought, but the MAC is computed on the compressed data, so it's 
applied after compression for sending, and checked before decompression, 
so I don't think SSH's compression is the cause.

I could buy flaky link compression somewhere on the path if you had 
compression off.

Anyway thanks for the info, it's given some more food for thought.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
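
The ordering described in the reply above (compress, then MAC on send; check the MAC, then decompress on receive), as an added sketch that is not part of the original message or OpenSSH's code. It follows the RFC 4253 packet layout with hmac-md5; the cipher layer is omitted, and the key, sample data and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct, zlib

BLOCK = 8      # padding multiple used when no cipher block size applies
MAC_LEN = 16   # hmac-md5 tag length

def build_packet(payload: bytes) -> bytes:
    """RFC 4253 framing: packet_length, padding_length, payload, random padding."""
    pad = BLOCK - ((5 + len(payload)) % BLOCK)
    if pad < 4:                      # at least 4 bytes of padding are required
        pad += BLOCK
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + os.urandom(pad)

def mac(key: bytes, seq: int, packet: bytes) -> bytes:
    """MAC covers the sequence number plus the packet holding the *compressed* payload."""
    return hmac.new(key, struct.pack(">I", seq) + packet, hashlib.md5).digest()

def send(key, seq, data, comp):
    # Compression happens first, so the MAC is computed over compressed bytes.
    packet = build_packet(comp.compress(data) + comp.flush(zlib.Z_SYNC_FLUSH))
    return packet + mac(key, seq, packet)

def receive(key, seq, wire, decomp):
    packet, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    # The MAC is checked before anything is handed to the decompressor.
    if not hmac.compare_digest(tag, mac(key, seq, packet)):
        raise ValueError("Corrupted MAC on input")
    length, pad = struct.unpack(">IB", packet[:5])
    return decomp.decompress(packet[5:5 + length - 1 - pad])

def demo():
    key = b"k" * 16                  # constructed key
    data = b"ABCD" * 500             # constructed repetitive burst of traffic
    comp, decomp = zlib.compressobj(), zlib.decompressobj()
    wire = send(key, 0, data, comp)
    intact_ok = receive(key, 0, wire, decomp) == data
    damaged = bytearray(send(key, 1, data, comp))
    damaged[10] ^= 0x01              # one bit flipped in transit
    try:
        receive(key, 1, bytes(damaged), decomp)
        rejected = False
    except ValueError:
        rejected = True
    return intact_ok, rejected, len(wire) < len(data)

if __name__ == "__main__":
    print(demo())
```

A packet that arrives unmodified passes the MAC check however well its payload compressed, while a single flipped bit is rejected before the decompressor ever sees it.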




More information about the openssh-unix-dev mailing list