
----- Original Message -----
From: "Juan Hernandez" <jhernand@redhat.com>
To: "Eli Mesika" <emesika@redhat.com>
Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "users" <users@ovirt.org>
Sent: Tuesday, January 29, 2013 12:03:05 PM
Subject: Re: [Users] engine Failed to decrypt Data error
On 01/29/2013 10:00 AM, Eli Mesika wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Eli Mesika" <emesika@redhat.com>
Cc: "users" <users@ovirt.org>, "Dead Horse" <deadhorseconsulting@gmail.com>
Sent: Tuesday, January 29, 2013 10:40:59 AM
Subject: Re: [Users] engine Failed to decrypt Data error
----- Original Message -----
From: "Eli Mesika" <emesika@redhat.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "users" <users@ovirt.org>, "Dead Horse" <deadhorseconsulting@gmail.com>
Sent: Tuesday, January 29, 2013 10:33:04 AM
Subject: Re: [Users] engine Failed to decrypt Data error
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Eli Mesika" <emesika@redhat.com>
Cc: "users" <users@ovirt.org>, "Dead Horse" <deadhorseconsulting@gmail.com>
Sent: Monday, January 28, 2013 11:20:30 PM
Subject: Re: [Users] engine Failed to decrypt Data error
----- Original Message -----
From: "Eli Mesika" <emesika@redhat.com>
To: "Dead Horse" <deadhorseconsulting@gmail.com>
Cc: "users" <users@ovirt.org>, "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Monday, January 28, 2013 11:16:16 PM
Subject: Re: [Users] engine Failed to decrypt Data error
----- Original Message ----- > From: "Dead Horse" <deadhorseconsulting@gmail.com> > To: "Alon Bar-Lev" <alonbl@redhat.com> > Cc: "users" <users@ovirt.org>, "Eli Mesika" > <emesika@redhat.com> > Sent: Monday, January 28, 2013 11:04:53 PM > Subject: Re: [Users] engine Failed to decrypt Data error > > > psql -U engine -d engine -c "select * from vdc_options where > option_name in ('LocalAdminPassword', 'AdminPassword');" > option_id | option_name | > > option_value > > | version > -----------+--------------------+----------------------------------------------- > -------------------------------------------------------------------------------- > -------------------------------------------------------------------------------- > -------------------------------------------------------------------------------- > -----------------------------------------------------------+--------- > 127 | LocalAdminPassword | > KiG8670o1qXVX6omYsiCdaaXtQc/mGmr0qgLHqc8yykoRz > OwbfZzU9AxBYwYrJEwyqdq8c2ZwfGVvQ1YVIfGRspKLKogl59gBnwcQuk3al1K4Vtmr2hgWDtm5FBYd5 > Nac4WIly4efjMCRjwrpPVkpAX55N8tGJ9LNzX8eRszQ4iVs8zivl0eu9SVhrB8tbHkA/+U5/vss26za8 > X+AV67dtDzoD7ZS0eOT1Vx9vrOGHvDYU8tANEb29Et79CJ0whLOOEeuwTpkK1yZdF3PaWRbnTwXZUsB1 > hMs9NLdo2ZxZOVSIK1E2mPh1WLybgIX1YB0Ra3BZvjAR9wPZz+jdfZng== | > general > 7 | AdminPassword | > AakmoHu69RmCWkSoVXLOv0cwzwGscXaM+HJAONRtSdECEA > VL+bjc1Lis6PHR1vBwdmhITxAvo2998pTJNusvtuTCODra40MTC+9p9+Oev4jWIbkncHH8gRdIKyvHuz > O6fNda50VXeWYhGNFIMavw15PlslutUWEpyNAasjEWyZ7cNyjKK2eFKNDZ3F5PCv9RcQXfXkKSveWm6M > 40zUVOx1ZjCnptNUpB4VYf5vW8LOpSL5NJpfJQmu36QbBRDDo3+3XPb4ELXA4t1rbPYw9Z7hRbk5Mbtq > qvOA7q4+G4nPtxHB7d6dYT2QJ58wgXUSIIoz/odvz5yVYeazIFS3Faww== | > general > (2 rows)
Too long, supported values for encryption should be < 127 characters
Why too long? It should be 2048 RSA key. And it is exactly 256 decoded.
OK. Didn't you say that practically it should be < 256?
The encrypted blob is exactly 256 (keysize/8). The plain text within that blob is at same length. The PKCS#5 padding that we should use (or should have used) takes at least one byte from suffix, hence the <256, but this applies to the plain text. From the exception we see that the Java crypto provider complains we provide a block >256 and key size of 2048, so there is something wrong with the buffer we pass as it must be =256 bytes.
That raises the chance of a bug in the EncryptionUtils code, can you take a look?
As the exceptions are coming from several different threads that are running in parallel I would look for a concurrency problem. In particular I would check the "Encoding" class. It seems to me that it uses the "Base64.decode(...)" method from multiple threads in an unsafe way.
Right, we really need to remove the legacy code.
http://gerrit.ovirt.org/11495
http://gerrit.ovirt.org/11496
http://gerrit.ovirt.org/11497
http://gerrit.ovirt.org/11498
> > > > > On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev < > alonbl@redhat.com >> > wrote: > > > > ----- Original Message ----- >> From: "Dead Horse" < deadhorseconsulting@gmail.com > >> To: "Alon Bar-Lev" < alonbl@redhat.com > >> Cc: "users" < users@ovirt.org >, "Eli Mesika" < >> emesika@redhat.com >>> > >> Sent: Monday, January 28, 2013 10:35:34 PM >> Subject: Re: [Users] engine Failed to decrypt Data error >> >> >> > >> was in the middle of a fresh engine setup which did not >> exhibit >> the >> symptom. However after running: "engine-config -s >> AdminPassword=interactive" and restarting the engine >> service >> on >> the >> clean setup the error message now shows up. >> >> - DHC >> >> >> > > OK, at least it is related to the admin password. > > Please send me the output of: > > psql -U engine -d engine -c "select * from vdc_options where > option_name in ('LocalAdminPassword', 'AdminPassword');" > > > Thanks! > >> >> On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev < >> alonbl@redhat.com >>> >> wrote: >> >> >> >> >> >> ----- Original Message ----- >>> From: "Dead Horse" < deadhorseconsulting@gmail.com > >>> To: "Alon Bar-Lev" < alonbl@redhat.com > >>> Cc: "users" < users@ovirt.org >, "Eli Mesika" < >>> emesika@redhat.com >>>> >> >>> Sent: Monday, January 28, 2013 9:46:53 PM >>> Subject: Re: [Users] engine Failed to decrypt Data error >>> >>> >>> >>> >> >>> Current running engine build --> commit: >>> 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8 >>> >>> ran engine upgrade against the built rpms from that >>> commit. >>> >>> >>> Thus I applied it as an upgrade against prior running >>> build >>> --> >>> commit: >>> 1eb895355239bbcb7a7ceda172405f0b68f18f35 >> >> [Please use plain text mails in lists.] >> >> >> Can you please patch EncryptionUtils.decrypt() with the >> following, >> so >> I can see what source is? source is encrypted blob, should >> not >> be >> a >> problem to send it. 
>> >> if (!StringHelper.isNullOrEmpty(source.trim())) { >> KeyStore store = EncryptionUtils.getKeyStore(keyFile, >> passwd, >> certType); >> Key key = store.getKey(alias, passwd.toCharArray()); >> + log.info ("DEBUG001 " + source); > > >> result = decrypt(source, key); >> >> >> } >> >> >>> >>> >>> >>> On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev < >>> alonbl@redhat.com >>>> >>> wrote: >>> >>> >>> How do you installed the engine? you built? >>> Which exact version? >>> >>> >>> ----- Original Message ----- >>>> From: "Dead Horse" < deadhorseconsulting@gmail.com > >>> >>> >>>> To: "Alon Bar-Lev" < alonbl@redhat.com > >>>> Cc: "users" < users@ovirt.org >, "Eli Mesika" < >>>> emesika@redhat.com >>>>> >>>> Sent: Monday, January 28, 2013 9:26:44 PM >>>> Subject: Re: [Users] engine Failed to decrypt Data >>>> error >>>> >>>> >>>> Password length is 11 characters and consists of Upper, >>>> Lower >>>> case >>>> and one special character. >>>> >>>> >>>> >>>> >>>> On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev < >>>> alonbl@redhat.com >>>>> >>>> wrote: >>>> >>>> >>>> We tried to reproduce this. >>>> What password do you use? is there one with some great >>>> length? >>>> If not, Eli, we should send a debug patch for this. >>>> >>>> >>>> >>>> ----- Original Message ----- >>>>> From: "Dead Horse" < deadhorseconsulting@gmail.com > >>>>> To: "< users@ovirt.org >" < users@ovirt.org > >>>>> Sent: Monday, January 28, 2013 9:16:20 PM >>>>> Subject: [Users] engine Failed to decrypt Data error >>>>> >>>>> >>>>> >>>>> I see this repeating error in the engine logs quite a >>>>> bit, >>>>> any >>>>> ideas >>>>> on what causes it? 
>>>>> >>>>> >>>>> 2013-01-28 13:13:40,483 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-23) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> 2013-01-28 13:13:52,747 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-81) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> 2013-01-28 13:13:52,747 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-84) Failed to decrypt >>>>> Blocktype >>>>> mismatch: >>>>> 0 >>>>> 2013-01-28 13:13:52,761 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-85) Failed to decrypt Data >>>>> must >>>>> start >>>>> with >>>>> zero >>>>> 2013-01-28 13:14:00,964 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-23) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> 2013-01-28 13:14:00,964 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-20) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> 2013-01-28 13:14:02,983 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-29) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> 2013-01-28 13:14:02,983 ERROR >>>>> [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] >>>>> (QuartzScheduler_Worker-34) Failed to decrypt Data >>>>> must >>>>> not >>>>> be >>>>> longer than 256 bytes >>>>> >>>>> >>>>> - DHC >>>>> >>>>> _______________________________________________ >>>>> Users mailing list >>>>> Users@ovirt.org >>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>> >>>> >>> >>> >> >> > >
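Review bot: the added log.info ("DEBUG001 " + source) line in the quoted EncryptionUtils.decrypt() snippet writes the complete encrypted password blob to the engine log at info level every time a non-empty value is decrypted, and the errors in this thread come from scheduler workers that hit this path repeatedly. The open question is whether the buffer handed to the cipher is exactly 256 bytes, so logging source.length() together with the decoded byte count would answer it directly while keeping the blob out of the log; the line should also move to debug level or be dropped once the diagnosis is done.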
-- Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta 3ºD, 28016 Madrid, Spain. Registered in the Madrid Mercantile Registry - C.I.F. B82657941 - Red Hat S.L.
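The two checks discussed in this thread, the exact 256-byte ciphertext length for a 2048-bit key and decoding that is safe under parallel callers, can be sketched as follows. This is an added example, not code from the oVirt engine or from the participants: the class and method names are hypothetical, it assumes Java 8 or later (java.util.Base64) and PKCS#1 v1.5 padding, and the key and password are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAKey;
import java.util.*;
import java.util.concurrent.*;
import javax.crypto.Cipher;
// Added example; SafeDecrypt and its method names are hypothetical, not oVirt code.
public class SafeDecrypt {
    // Uses only per-call objects, so concurrent callers cannot share a buffer.
    static String decrypt(String source, PrivateKey key) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(source.trim()); // returns a fresh array
        int expected = (((RSAKey) key).getModulus().bitLength() + 7) / 8; // 256 for RSA-2048
        if (blob.length != expected) { // report lengths only, never the blob itself
            throw new GeneralSecurityException("blob is " + blob.length + " bytes, expected " + expected);
        }
        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding"); // Cipher is stateful: one per call
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(blob), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair(); // throwaway key, constructed for this demo
        String password = "Sample#Pass"; // constructed 11-character value
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        byte[] raw = enc.doFinal(password.getBytes(StandardCharsets.UTF_8));
        String stored = Base64.getEncoder().encodeToString(raw);
        // Decrypt the same stored value from many worker threads in parallel.
        ExecutorService pool = Executors.newFixedThreadPool(32);
        List<Future<String>> results = new ArrayList<>();
        for (int i = 0; i < 2000; i++) {
            results.add(pool.submit(() -> decrypt(stored, pair.getPrivate())));
        }
        for (Future<String> f : results) {
            if (!password.equals(f.get())) throw new AssertionError("corrupted result");
        }
        pool.shutdown();
        System.out.println("2000 parallel decryptions OK, blob = " + raw.length + " bytes");
        // One stray byte (257 bytes) is caught by the length check, not by the provider.
        String bad = Base64.getEncoder().encodeToString(Arrays.copyOf(raw, 257));
        try {
            decrypt(bad, pair.getPrivate());
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A length mismatch reported by the check points at the decoding or buffer handling rather than at the key or the stored value, which is the distinction the thread was trying to make.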