marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

Exception: HMAC does not match. with php8 #392

Closed leuedaniel closed 3 years ago

leuedaniel commented 3 years ago

System Information

Server:

{
    "version": {
        "server": "21.0.2.1",
        "app": "2021.7.20-build4173",
        "lsr": false,
        "php": "8.0.7"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": false,
        "subdirectory": false
    },
    "legacyApi": {
        "enabled": 0,
        "used": false
    },
    "services": {
        "images": "imagick",
        "favicons": "local",
        "previews": "pageres",
        "security": "hibp",
        "words": "leipzig",
        "previewApi": false,
        "faviconApi": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": true,
        "handbook": false,
        "performance": 5
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "none": true,
            "default": "SSEv1r2"
        },
        "cse": {
            "CSEv1r1": true,
            "none": true,
            "default": "none"
        }
    }
}

Client:

 Browser and Version: Chrome
 Client OS and Version: Win10

Steps to reproduce

  1. Install passwords
  2. Install php8.0.7
  3. reboot nginx

Expected result

No error messages

Actual result

This error message is logged every 2 hours.

Nextcloud log

Nextcloud log ``` {"reqId":"FDxXk2tlWMGlhUvSsm8J","level":4,"time":"2021-06-23T15:05:05+00:00","remoteAddr":"","user":"--","app":"passwords","method":"","url":"--","message":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/apps/passwords/lib/Encryption/Object/SseV1Encryption.php","line":158,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Services/EncryptionService.php","line":123,"function":"decryptObject","class":"OCA\\Passwords\\Encryption\\Object\\SseV1Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Services/Object/AbstractRevisionService.php","line":138,"function":"decrypt","class":"OCA\\Passwords\\Services\\EncryptionService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":401,"function":"findCurrentRevisionByModel","class":"OCA\\Passwords\\Services\\Object\\AbstractRevisionService","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":325,"function":"createNewPasswordRevision","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":302,"function":"updateTargetPasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":114,"function":"updatePasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/AbstractTimedJob.php","line":74,"function":"runJob","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/Job.php","line":52,"function":"run","class":"OCA\\Passwords\\Cron\\AbstractTimedJob","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/TimedJob.php","line":59,"function":"execute","class":"OC\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/html/cron.php","line":128,"function":"execute","class":"OC\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":147,"CustomMessage":"HMAC does not match."},"userAgent":"--","version":"21.0.2.1"} {"reqId":"yoDrfe9nbeO6UkU3Glm5","level":4,"time":"2021-06-23T13:05:04+00:00","remoteAddr":"","user":"--","app":"passwords","method":"","url":"--","message":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/apps/passwords/lib/Encryption/Object/SseV1Encryption.php","line":158,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Services/EncryptionService.php","line":123,"function":"decryptObject","class":"OCA\\Passwords\\Encryption\\Object\\SseV1Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Services/Object/AbstractRevisionService.php","line":138,"function":"decrypt","class":"OCA\\Passwords\\Services\\EncryptionService","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":401,"function":"findCurrentRevisionByModel","class":"OCA\\Passwords\\Services\\Object\\AbstractRevisionService","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":325,"function":"createNewPasswordRevision","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":302,"function":"updateTargetPasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":114,"function":"updatePasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/AbstractTimedJob.php","line":74,"function":"runJob","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/Job.php","line":52,"function":"run","class":"OCA\\Passwords\\Cron\\AbstractTimedJob","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/TimedJob.php","line":59,"function":"execute","class":"OC\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/html/cron.php","line":128,"function":"execute","class":"OC\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":147,"CustomMessage":"HMAC does not match."},"userAgent":"--","version":"21.0.2.1"} {"reqId":"Et8r8BNhzUMR3tYSJRP0","level":4,"time":"2021-06-23T11:05:02+00:00","remoteAddr":"","user":"--","app":"passwords","method":"","url":"--","message":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/apps/passwords/lib/Encryption/Object/SseV1Encryption.php","line":158,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/html/apps/passwords/lib/Services/EncryptionService.php","line":123,"function":"decryptObject","class":"OCA\\Passwords\\Encryption\\Object\\SseV1Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Services/Object/AbstractRevisionService.php","line":138,"function":"decrypt","class":"OCA\\Passwords\\Services\\EncryptionService","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":401,"function":"findCurrentRevisionByModel","class":"OCA\\Passwords\\Services\\Object\\AbstractRevisionService","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":325,"function":"createNewPasswordRevision","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":302,"function":"updateTargetPasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/SynchronizeShares.php","line":114,"function":"updatePasswords","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/apps/passwords/lib/Cron/AbstractTimedJob.php","line":74,"function":"runJob","class":"OCA\\Passwords\\Cron\\SynchronizeShares","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/Job.php","line":52,"function":"run","class":"OCA\\Passwords\\Cron\\AbstractTimedJob","type":"->"},{"file":"/var/www/html/lib/private/BackgroundJob/TimedJob.php","line":59,"function":"execute","class":"OC\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/html/cron.php","line":128,"function":"execute","class":"OC\\BackgroundJob\\TimedJob","type":"->"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":147,"CustomMessage":"HMAC does not 
match."},"userAgent":"--","version":"21.0.2.1"} ```
marius-wieschollek commented 3 years ago

This sounds like some kind of data corruption. The `HMAC does not match.` exception is raised by Nextcloud's `Crypto::decrypt` when the integrity check on the stored ciphertext fails, which means either the stored data or the key used to decrypt it no longer matches what was used at encryption time. From the exception it seems like the copy of a shared password in the account of the receiver can't be decrypted. If you have access to your database, you can run

```sql
SELECT `user_id`, `receiver`, `source_password`, `target_password`, `source_updated`, `target_updated` FROM `oc_passwords_share` WHERE `source_updated` = 1 OR `target_updated` = 1
```

and see which users and passwords are scheduled to be updated. You can then check whether something was done to the user account, or whether there are other passwords in that account which can't be read.

Alternatively, you can run `php ./occ maintenance:repair` to run the database repair job, which deletes any password that can't be decrypted. Since this removes the affected entries, take a database backup before running it.

leuedaniel commented 3 years ago

Thank you for the solution

leuedaniel commented 3 years ago

I had made the app available only to the admin group, and the user is no longer an admin, so he no longer has access to the app. That is what changed for the user.