Vault 0.3.11: ArgumentError (key must be 16 bytes)

[rg-ac]

Today I noticed that the vault plugin 0.3.11 is not running anymore. I don't know when/why it started to give a server error. The error log says:

Started GET "/projects/****/keys" for 10.1.1.116 at 2019-04-11 12:45:02 +0200 Processing by KeysController#index as HTML Parameters: {"project_id"=>"****"} Current user: ***** (id=24) Completed 500 Internal Server Error in 37ms (ActiveRecord: 5.9ms)

ArgumentError (key must be 16 bytes): plugins/vault/lib/vault_cipher.rb:22:in key=' plugins/vault/lib/vault_cipher.rb:22:indecrypt_text' plugins/vault/lib/encryptor.rb:11:in decrypt' plugins/vault/app/models/vault/password.rb:14:indecrypt!' plugins/vault/app/controllers/keys_controller.rb:66:in map' plugins/vault/app/controllers/keys_controller.rb:66:inindex' lib/redmine/sudo_mode.rb:63:in `sudo_mode'

The current setup is: Environment: Redmine version 3.4.8.stable Ruby version 2.4.6-p354 (2019-04-01) [x86_64-linux] Rails version 4.2.11 Environment production Database adapter Mysql2

Because of the error I upgraded today from ruby 2.4.5 to 2.4.6. But it does not help.

[MatCat]

I am also getting the 16 byte key error on 4.0.2 of redmine, I get an internal server error when I try to add a key, and looking at the redmine log I see the 16 byte error.

[MatCat]

An update, I get the error regardless of what I do, so basically plugin does not work as it's impossible to add any keys of any sort.

[noshutdown-ru-user]

We will try to reproduce this bug asap

[noshutdown-ru-user]

looks your encryption key changed or small key must be 16 bytes or you switched from Redmine encryption to Vault

[MatCat]

In fact I just figured that out, I had a 64 byte key, it should not be so picky to have to be exactly 16 bytes

[noshutdown-ru-user]

In fact I just figured that out, I had a 64 byte key, it should not be so picky to have to be exactly 16 bytes

we agree, we will fix this issue

[rg-ac]

We didn't change the key but the key is 24 characters. May be old versions accepted this length of key?

[rg-ac]

NoShutdown, any news about this issue? Or is there a work around to get back to the keys in the vault?

[noshutdown-ru-user]

Sorry not investigated, yet, will push this task forward

[kpitn]

If you want to quick fix this issues, change line 22

cipher.key = cipher_key[0..15]

[noshutdown-ru-user]

Sorry for this delay, we checked issue, encryption key must be at least 16 symbols, we will append alert. Also 64 symbols keys should work.

[noshutdown-ru-user]

https://github.com/noshutdown-ru/vault/tree/%2348

[rg-ac]

The quick fix didn't work for me. Our master key is 24 chars in length. I changed line 22 in lib/vault_cipher.rb from cipher.key = cipher_key to cipher.key = cipher_key[0..23] Restartet the Redmine and still have the following error:

ArgumentError (key must be 16 bytes): plugins/vault/lib/vault_cipher.rb:22:in key=' plugins/vault/lib/vault_cipher.rb:22:indecrypt_text' plugins/vault/lib/encryptor.rb:11:in decrypt' plugins/vault/app/models/vault/password.rb:14:indecrypt!' plugins/vault/app/controllers/keys_controller.rb:66:in map' plugins/vault/app/controllers/keys_controller.rb:66:inindex' lib/redmine/sudo_mode.rb:63:in `sudo_mode'

I would like to get my passwords back :-)

[noshutdown-ru-user]

why you decide try fix ? this is not a bug, for encryption you shouldn't use short password

[noshutdown-ru-user]

can you provide more info for help you

[noshutdown-ru-user]

The quick fix didn't work for me. Our master key is 24 chars in length. I changed line 22 in lib/vault_cipher.rb from cipher.key = cipher_key to cipher.key = cipher_key[0..23] Restartet the Redmine and still have the following error:

ArgumentError (key must be 16 bytes): plugins/vault/lib/vault_cipher.rb:22:in key=' plugins/vault/lib/vault_cipher.rb:22:indecrypt_text' plugins/vault/lib/encryptor.rb:11:in decrypt' plugins/vault/app/models/vault/password.rb:14:indecrypt!' plugins/vault/app/controllers/keys_controller.rb:66:in map' plugins/vault/app/controllers/keys_controller.rb:66:inindex' lib/redmine/sudo_mode.rb:63:in `sudo_mode'

I would like to get my passwords back :-)

Can you revert changes back. And can you tell what type of encryption do you use and what lengths of encryption key ?

[rg-ac]

We use a 24 chars key (didn't change for long time - I think so). The key is defined in the web gui of redmine inside the vault plugin configuration area. But vault seems to fail after upgrade to 0.3.11 - don't know the last version which was working fine - may be 0.3.10? Everything else (redmine version and so on) you see at the beginning of this issue. If I revert to the 'cipher.key = cipher_key' variant it's still the same error.

[noshutdown-ru-user]

We use a 24 chars key (didn't change for long time - I think so). The key is defined in the web gui of redmine inside the vault plugin configuration area. But vault seems to fail after upgrade to 0.3.11 - don't know the last version which was working fine - may be 0.3.10? Everything else (redmine version and so on) you see at the beginning of this issue. If I revert to the 'cipher.key = cipher_key' variant it's still the same error.

can you create new project and in new project create test key, will it work ?

[noshutdown-ru-user]

it is possible what you used before Redmine encryption ? it is possible what encryption password was changed ?

[rg-ac]

We use a 24 chars key (didn't change for long time - I think so). The key is defined in the web gui of redmine inside the vault plugin configuration area. But vault seems to fail after upgrade to 0.3.11 - don't know the last version which was working fine - may be 0.3.10? Everything else (redmine version and so on) you see at the beginning of this issue. If I revert to the 'cipher.key = cipher_key' variant it's still the same error.

can you create new project and in new project create test key, will it work ? Created new project, added new key -> same error as soon as I press save.

[rg-ac]

it is possible what you used before Redmine encryption ? it is possible what encryption password was changed ? 99,9% -> No to both questions.

[rg-ac]

Is there a script to test the decryption of an exported encrypted password with the master key?

[noshutdown-ru-user]

can you try make backup ? can you update encryption key, remove/paste same again ?

[rg-ac]

I've a second redmine instance with the vault plugin. Here I have the same error. But there are still no real production passwords saved. So I shortened the master key to 16 characters and then I was able to save und modify passwords.

[rg-ac]

I've a second redmine instance with the vault plugin. Here I have the same error. But there are still no real production passwords saved. So I shortened the master key to 16 characters and then I was able to save und modify passwords.

I increased the master key to 17 characters and again: saving passwords fails.

[noshutdown-ru-user]

strange, can you show me list of installed gem's ?

[rg-ac]

Btw. when I shorten the master key on the production system to 16 characters I can access my allready stored passwords :-) Does it mean only the first 16 characters are used for encryption? How can a generate the gem list?

[noshutdown-ru-user]

Btw. when I shorten the master key on the production system to 16 characters I can access my allready stored passwords :-) Does it mean only the first 16 characters are used for encryption? How can a generate the gem list?

it shouldn't be so we will check it you can get list of installed gem's by this command gem list

[noshutdown-ru-user]

strange, on our test installation, we tried secret key with 16,17 symbols and it working

[noshutdown-ru-user]

@rg-artcom so for you it working properly with 16 symbols key ?

[rg-ac]

Yes, it's working with 16 symbols. Here the gem list: LOCAL GEMS

actionmailer (4.2.11) actionpack (4.2.11) actionpack-xml_parser (1.0.2) actionview (4.2.11) activejob (4.2.11) activemodel (4.2.11) activerecord (4.2.11) activesupport (4.2.11) addressable (2.6.0) arel (6.0.4) bigdecimal (default: 1.3.2) builder (3.2.3) bundler (default: 1.17.3) bundler-unload (1.0.2) coderay (1.1.2) concurrent-ruby (1.1.4) crass (1.0.4) css_parser (1.6.0) did_you_mean (1.1.0) erubis (2.7.0) executable-hooks (1.6.0) gem-wrappers (1.4.0) globalid (0.4.2) htmlentities (4.3.4) i18n (0.7.0) iconv (1.0.8) io-console (default: 0.4.6) jquery-rails (3.1.5) json (default: 2.0.4) liquid (2.6.3) loofah (2.2.3) mail (2.6.6) mime-types (3.2.2) mime-types-data (3.2018.0812) mimemagic (0.3.3) mini_portile2 (2.3.0) minitest (5.11.3, 5.10.1) mysql2 (0.4.10) net-ldap (0.12.1) net-telnet (0.1.1) nokogiri (1.8.5) openssl (default: 2.0.9) passenger (6.0.2) power_assert (0.4.1) protected_attributes (1.1.4) psych (default: 2.2.2) public_suffix (3.0.3) rack (1.6.11) rack-openid (1.4.2) rack-test (0.6.3) rails (4.2.11) rails-deprecated_sanitizer (1.0.3) rails-dom-testing (1.0.9) rails-html-sanitizer (1.0.4) railties (4.2.11) rake (12.3.2, 12.0.0) rbpdf (1.19.8) rbpdf-font (1.19.1) rdoc (default: 5.0.0) redcarpet (3.4.0) RedCloth (4.3.2) redmine_crm (0.0.42) request_store (1.0.5) rmagick (2.16.0) roadie (3.2.2) roadie-rails (1.1.1) roo (2.8.2) ruby-openid (2.3.0) rubygems-bundler (1.4.5) rubyzip (1.2.2) rvm (1.11.3.9) slim (4.0.1) slim-rails (3.2.0) sprockets (3.7.2) sprockets-rails (3.2.1) temple (0.8.0) test-unit (3.2.3) thor (0.20.3) thread_safe (0.3.6) tilt (2.0.9) tzinfo (1.2.5) validate_url (1.0.2) xmlrpc (0.2.1)