[Users] engine Failed to decrypt Data error

Alon Bar-Lev alonbl at redhat.com
Tue Jan 29 13:04:58 UTC 2013



----- Original Message -----
> From: "Juan Hernandez" <jhernand at redhat.com>
> To: "Eli Mesika" <emesika at redhat.com>
> Cc: "Alon Bar-Lev" <alonbl at redhat.com>, "users" <users at ovirt.org>
> Sent: Tuesday, January 29, 2013 12:03:05 PM
> Subject: Re: [Users] engine Failed to decrypt Data error
> 
> On 01/29/2013 10:00 AM, Eli Mesika wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >> To: "Eli Mesika" <emesika at redhat.com>
> >> Cc: "users" <users at ovirt.org>, "Dead Horse"
> >> <deadhorseconsulting at gmail.com>
> >> Sent: Tuesday, January 29, 2013 10:40:59 AM
> >> Subject: Re: [Users] engine Failed to decrypt Data error
> >>
> >>
> >>
> >> ----- Original Message -----
> >>> From: "Eli Mesika" <emesika at redhat.com>
> >>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>> Cc: "users" <users at ovirt.org>, "Dead Horse"
> >>> <deadhorseconsulting at gmail.com>
> >>> Sent: Tuesday, January 29, 2013 10:33:04 AM
> >>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> To: "Eli Mesika" <emesika at redhat.com>
> >>>> Cc: "users" <users at ovirt.org>, "Dead Horse"
> >>>> <deadhorseconsulting at gmail.com>
> >>>> Sent: Monday, January 28, 2013 11:20:30 PM
> >>>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>>
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Eli Mesika" <emesika at redhat.com>
> >>>>> To: "Dead Horse" <deadhorseconsulting at gmail.com>
> >>>>> Cc: "users" <users at ovirt.org>, "Alon Bar-Lev"
> >>>>> <alonbl at redhat.com>
> >>>>> Sent: Monday, January 28, 2013 11:16:16 PM
> >>>>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>>>
> >>>>>
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Dead Horse" <deadhorseconsulting at gmail.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>> Cc: "users" <users at ovirt.org>, "Eli Mesika"
> >>>>>> <emesika at redhat.com>
> >>>>>> Sent: Monday, January 28, 2013 11:04:53 PM
> >>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>>>>
> >>>>>>
> >>>>>> psql -U engine -d engine -c "select * from vdc_options where
> >>>>>> option_name in ('LocalAdminPassword', 'AdminPassword');"
> >>>>>> option_id | option_name |
> >>>>>>
> >>>>>> option_value
> >>>>>>
> >>>>>> | version
> >>>>>> -----------+--------------------+-----------------------------------------------
> >>>>>> --------------------------------------------------------------------------------
> >>>>>> --------------------------------------------------------------------------------
> >>>>>> --------------------------------------------------------------------------------
> >>>>>> -----------------------------------------------------------+---------
> >>>>>> 127 | LocalAdminPassword |
> >>>>>> KiG8670o1qXVX6omYsiCdaaXtQc/mGmr0qgLHqc8yykoRz
> >>>>>> OwbfZzU9AxBYwYrJEwyqdq8c2ZwfGVvQ1YVIfGRspKLKogl59gBnwcQuk3al1K4Vtmr2hgWDtm5FBYd5
> >>>>>> Nac4WIly4efjMCRjwrpPVkpAX55N8tGJ9LNzX8eRszQ4iVs8zivl0eu9SVhrB8tbHkA/+U5/vss26za8
> >>>>>> X+AV67dtDzoD7ZS0eOT1Vx9vrOGHvDYU8tANEb29Et79CJ0whLOOEeuwTpkK1yZdF3PaWRbnTwXZUsB1
> >>>>>> hMs9NLdo2ZxZOVSIK1E2mPh1WLybgIX1YB0Ra3BZvjAR9wPZz+jdfZng== |
> >>>>>> general
> >>>>>> 7 | AdminPassword |
> >>>>>> AakmoHu69RmCWkSoVXLOv0cwzwGscXaM+HJAONRtSdECEA
> >>>>>> VL+bjc1Lis6PHR1vBwdmhITxAvo2998pTJNusvtuTCODra40MTC+9p9+Oev4jWIbkncHH8gRdIKyvHuz
> >>>>>> O6fNda50VXeWYhGNFIMavw15PlslutUWEpyNAasjEWyZ7cNyjKK2eFKNDZ3F5PCv9RcQXfXkKSveWm6M
> >>>>>> 40zUVOx1ZjCnptNUpB4VYf5vW8LOpSL5NJpfJQmu36QbBRDDo3+3XPb4ELXA4t1rbPYw9Z7hRbk5Mbtq
> >>>>>> qvOA7q4+G4nPtxHB7d6dYT2QJ58wgXUSIIoz/odvz5yVYeazIFS3Faww== |
> >>>>>> general
> >>>>>> (2 rows)
> >>>>>
> >>>>> Too long, supported values for encryption should be < 127 characters
> >>>>
> >>>> Why too long? it should be 2048 RSA key.
> >>>> And it is exactly 256 decoded.
> >>> OK
> >>> Didn't you say that practically it should be < 256 ?
> >>
> >> The encrypted blob is exactly 256 (keysize/8).
> >> The plain text within that blob is at same length.
> >> The PKCS#5 padding that we should use (or should have used) takes at
> >> least one byte from suffix, hence the <256, but this applies to the
> >> plain text.
> >> From the exception we see that the java crypto provider complains we
> >> provide a block >256 and key size of 2048, so there is something
> >> wrong with the buffer we pass as it must be =256 bytes.
> >
> > That raises the chance of a bug in the EncryptionUtils code, can you
> > take a look?
> 
> As the exceptions are coming from several different threads that are
> running in parallel I would look for a concurrency problem. In
> particular I would check the "Encoding" class. It seems to me that it
> uses the "Base64.decode(...)" method from multiple threads in an
> unsafe way.

Right, we really need to remove the legacy code.

http://gerrit.ovirt.org/11495
http://gerrit.ovirt.org/11496
http://gerrit.ovirt.org/11497
http://gerrit.ovirt.org/11498

> >>>>>> On Mon, Jan 28, 2013 at 2:38 PM, Alon Bar-Lev <
> >>>>>> alonbl at redhat.com
> >>>>>>>
> >>>>>> wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
> >>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
> >>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" <
> >>>>>>> emesika at redhat.com
> >>>>>>>>
> >>>>>>
> >>>>>>> Sent: Monday, January 28, 2013 10:35:34 PM
> >>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>> was in the middle of a fresh engine setup which did not exhibit the
> >>>>>>> symptom. However after running:
> >>>>>>> "engine-config -s AdminPassword=interactive"
> >>>>>>> and restarting the engine service on the clean setup the error
> >>>>>>> message now shows up.
> >>>>>>>
> >>>>>>> - DHC
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> OK, at least it is related to the admin password.
> >>>>>>
> >>>>>> Please send me the output of:
> >>>>>>
> >>>>>> psql -U engine -d engine -c "select * from vdc_options where
> >>>>>> option_name in ('LocalAdminPassword', 'AdminPassword');"
> >>>>>>
> >>>>>>
> >>>>>> Thanks!
> >>>>>>
> >>>>>>>
> >>>>>>> On Mon, Jan 28, 2013 at 1:55 PM, Alon Bar-Lev <
> >>>>>>> alonbl at redhat.com
> >>>>>>>>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
> >>>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
> >>>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" <
> >>>>>>>> emesika at redhat.com
> >>>>>>>>>
> >>>>>>>
> >>>>>>>> Sent: Monday, January 28, 2013 9:46:53 PM
> >>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data error
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>> Current running engine build --> commit:
> >>>>>>>> 61c11aecc40e755d08b6c34c6fe1c0a07fa94de8
> >>>>>>>>
> >>>>>>>> ran engine upgrade against the built rpms from that commit.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Thus I applied it as an upgrade against prior running build --> commit:
> >>>>>>>> 1eb895355239bbcb7a7ceda172405f0b68f18f35
> >>>>>>>
> >>>>>>> [Please use plain text mails in lists.]
> >>>>>>>
> >>>>>>>
> >>>>>>> Can you please patch EncryptionUtils.decrypt() with the following, so
> >>>>>>> I can see what source is? source is encrypted blob, should not be a
> >>>>>>> problem to send it.
> >>>>>>>
> >>>>>>> if (!StringHelper.isNullOrEmpty(source.trim())) {
> >>>>>>> KeyStore store = EncryptionUtils.getKeyStore(keyFile,
> >>>>>>> passwd,
> >>>>>>> certType);
> >>>>>>> Key key = store.getKey(alias, passwd.toCharArray());
> >>>>>>> + log.info ("DEBUG001 " + source);
> >>>>>>
> >>>>>>
> >>>>>>> result = decrypt(source, key);
> >>>>>>>
> >>>>>>>
> >>>>>>> }
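Review bot: the added log.info line prints the untrimmed source, while the guard above it tests source.trim(), so the logged value alone will not show whether surrounding whitespace changes what reaches decrypt(source, key). Since the reported failure is a length complaint, log source.length() next to the value, and remove the DEBUG001 line once the output has been captured, because it writes the stored blob at info level on every call that reaches this branch.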
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Mon, Jan 28, 2013 at 1:28 PM, Alon Bar-Lev <
> >>>>>>>> alonbl at redhat.com
> >>>>>>>>>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> How did you install the engine? Did you build it?
> >>>>>>>> Which exact version?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> To: "Alon Bar-Lev" < alonbl at redhat.com >
> >>>>>>>>> Cc: "users" < users at ovirt.org >, "Eli Mesika" <
> >>>>>>>>> emesika at redhat.com
> >>>>>>>>>>
> >>>>>>>>> Sent: Monday, January 28, 2013 9:26:44 PM
> >>>>>>>>> Subject: Re: [Users] engine Failed to decrypt Data
> >>>>>>>>> error
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Password length is 11 characters and consists of Upper, Lower case
> >>>>>>>>> and one special character.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Mon, Jan 28, 2013 at 1:20 PM, Alon Bar-Lev <
> >>>>>>>>> alonbl at redhat.com
> >>>>>>>>>>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> We tried to reproduce this.
> >>>>>>>>> What password do you use? is there one with some great
> >>>>>>>>> length?
> >>>>>>>>> If not, Eli, we should send a debug patch for this.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> ----- Original Message -----
> >>>>>>>>>> From: "Dead Horse" < deadhorseconsulting at gmail.com >
> >>>>>>>>>> To: "< users at ovirt.org >" < users at ovirt.org >
> >>>>>>>>>> Sent: Monday, January 28, 2013 9:16:20 PM
> >>>>>>>>>> Subject: [Users] engine Failed to decrypt Data error
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> I see this repeating error in the engine logs quite a bit, any ideas
> >>>>>>>>>> on what causes it?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> 2013-01-28 13:13:40,483 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-81) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>> 2013-01-28 13:13:52,747 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-84) Failed to decrypt Blocktype mismatch: 0
> >>>>>>>>>> 2013-01-28 13:13:52,761 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-85) Failed to decrypt Data must start with zero
> >>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-23) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>> 2013-01-28 13:14:00,964 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-20) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-29) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>> 2013-01-28 13:14:02,983 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (QuartzScheduler_Worker-34) Failed to decrypt Data must not be longer than 256 bytes
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> - DHC
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> Users mailing list
> >>>>>>>>>> Users at ovirt.org
> >>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
> >>>>>>>>>>
> --
> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
> 3ºD, 28016 Madrid, Spain
> Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat
> S.L.
> 
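
The failure mode discussed in this thread, as an added example that is not part of the original mails and is not oVirt code: a Base64 decoder that keeps state in a shared field hands the RSA cipher a buffer that is no longer exactly keysize/8 = 256 bytes. SharedStateDecoder, the sample plaintext and the throwaway key are constructed for illustration, and java.util.Base64 (Java 8 or later) is assumed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;
public class SharedDecoderDemo {
    // Hypothetical decoder that keeps working state in a shared field.
    // It is NOT oVirt's Encoding class, only a model of unsafe sharing.
    static class SharedStateDecoder {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        void feed(String chunk) {            // chunk length must be a multiple of 4
            byte[] b = Base64.getDecoder().decode(chunk);
            buf.write(b, 0, b.length);
        }
        byte[] finish() { byte[] out = buf.toByteArray(); buf.reset(); return out; }
    }
    static String tryDecrypt(PrivateKey key, byte[] blob) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            c.init(Cipher.DECRYPT_MODE, key);
            return "ok: " + new String(c.doFinal(blob), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return blob.length + " bytes rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // throwaway demo key
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        byte[] ct = enc.doFinal("constructed-sample".getBytes(StandardCharsets.UTF_8));
        String stored = Base64.getEncoder().encodeToString(ct);   // 344 chars
        String head = stored.substring(0, 172), tail = stored.substring(172);

        // Two callers interleaved on one decoder; each step stands for a thread.
        SharedStateDecoder shared = new SharedStateDecoder();
        shared.feed(head);                   // caller A
        shared.feed(head);                   // caller B
        shared.feed(tail);                   // caller A
        byte[] a = shared.finish();          // A gets 129 + 129 + 127 = 385 bytes
        shared.feed(tail);                   // caller B
        byte[] b = shared.finish();          // B gets the remaining 127 bytes
        System.out.println(tryDecrypt(kp.getPrivate(), a));
        System.out.println(tryDecrypt(kp.getPrivate(), b));
        // Stateless decode per call always yields keysize/8 = 256 bytes.
        System.out.println(tryDecrypt(kp.getPrivate(), Base64.getDecoder().decode(stored)));
    }
}
```

The interleaving is written out sequentially so the result is deterministic; with real threads the same corruption appears intermittently, on different worker threads, as in the log at the start of the thread.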


