Subject: Re: ATTENTION CGD(4) USERS - blowfish change committed
To: Daniel Carosone <>
From: Daniel Carosone <>
List: tech-security
Date: 03/18/2004 21:44:17

On Thu, Mar 18, 2004 at 10:54:08AM +1100, Daniel Carosone wrote:

> A flag day is still required for the blowfish issue.  These changes
> will be committed today, around 8 hours from now, and a followup
> message sent when it's done.

This change has been committed.

> This issue ONLY affects cgd users with the blowfish cipher. These
> users will need to take special steps before next updating their
> kernels. See below for further details.


> I believe this affects a very small number of users other than myself;
> indeed since several previous alert mails in an attempt to find them,
> only 2 such users have come forward. They have both agreed the
> requirement for backwards compatibility does not warrant the effort
> nor the mess in the code.  This code does exist, if it should later
> prove to be needed, but will not be in the tree.
> Further, by the nature of the issue, I have strong reasons to believe
> that, even if they missed these mails, there would be few other users
> of blowfish who update their systems with any regularity; any such
> users would have tripped over the problem in the same way I did when
> it was first found over a year ago.
> The fix is a kernel change, but the problem can be (was) exposed by
> userland changes in the cgdconfig binary, compiler, libraries, etc.
> The problem stems from two issues with the underlying blowfish
> encryption routines used by cgd:
>  - they take key length arguments counted in bytes, rather than bits
>    like all the other ciphers.
>  - they silently truncate any keys longer than an internal limit,
>    rather than returning an error (which would have exposed the
>    previous discrepancy immediately).
> As a result, the kernel reads too much data as the key from cgdconfig,
> and then truncates most of it. This can easily be demonstrated/tested.
> Currently, Blowfish users will find that if they mis-enter the cgd
> passphrase on the first attempt, when validation fails and cgdconfig
> prompts for the passphrase again, the cgd will not correctly configure
> even when given a correct passphrase.
> Blowfish users will need to dump their cgd's prior to installing a
> kernel with the change, reboot into single user with a new kernel,
> recreate the cgd and restore their filesystems. Once they have done
> so, they will not be able to use the cgd with an old kernel, and will
> not be able to use an old cgd image with a new kernel.
> The current rev of src/sys/dev/cgd.c is 1.14; it will be 1.15 after
> the change is committed.

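The byte/bit mismatch and silent truncation described in the quoted message, shown as an added C example (not part of the original mail, and not the NetBSD cgd or Blowfish code). The `toy_*` names, the 56-byte limit and the buffer contents are constructed assumptions; the strict routine shows the alternative the message names, returning an error instead of truncating.

```c
#include <stdio.h>
#include <string.h>
#define TOY_MAX_KEY_BYTES 56 /* constructed; the message only says "an internal limit" */
struct toy_key { unsigned char k[TOY_MAX_KEY_BYTES]; size_t len; };

/* Described behaviour: length counted in BYTES, over-long keys silently truncated. */
void toy_set_key_lenient(struct toy_key *ks, const unsigned char *data, size_t len_bytes)
{
    if (len_bytes > TOY_MAX_KEY_BYTES)
        len_bytes = TOY_MAX_KEY_BYTES; /* no error reaches the caller */
    memcpy(ks->k, data, len_bytes);
    ks->len = len_bytes;
}

/* Strict form: length in BITS like the other ciphers; bad lengths are errors. */
int toy_set_key_strict(struct toy_key *ks, const unsigned char *data, size_t len_bits)
{
    size_t len_bytes = len_bits / 8;
    if (len_bits % 8 != 0 || len_bytes == 0 || len_bytes > TOY_MAX_KEY_BYTES)
        return -1;
    memcpy(ks->k, data, len_bytes);
    ks->len = len_bytes;
    return 0;
}

/* Load the same 128-bit key from two buffers whose bytes after the key differ
 * (constructed data). Returns 1 if both loads agree, 0 if not, -1 on error. */
int same_key_both_times(int strict)
{
    unsigned char buf1[128], buf2[128];
    struct toy_key a, b;
    memset(buf1, 0x00, sizeof buf1);
    memset(buf2, 0xAA, sizeof buf2);
    memcpy(buf1, "0123456789abcdef", 16);
    memcpy(buf2, "0123456789abcdef", 16);
    if (strict) {
        if (toy_set_key_strict(&a, buf1, 128) || toy_set_key_strict(&b, buf2, 128))
            return -1;
    } else {
        toy_set_key_lenient(&a, buf1, 128); /* bit count passed where bytes are expected */
        toy_set_key_lenient(&b, buf2, 128);
    }
    return a.len == b.len && memcmp(a.k, b.k, a.len) == 0;
}

int main(void)
{
    printf("lenient: %d strict: %d\n", same_key_both_times(0), same_key_both_times(1));
    return 0;
}
```

With the lenient routine the 16-byte key grows to the 56-byte limit and absorbs whatever follows it in the buffer, so the two loads disagree; the strict routine uses only the 16 key bytes.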