The passphrase used to encrypt or decrypt volumes was mangled prior to Newton
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Fix Released | High | Lee Yarwood |
os-brick | Fix Released | High | Lee Yarwood |
Bug Description
Description
===========
tl;dr hex(x) previously stripped leading 0's from individual hex numbers while encoding the passphrase back to a hex string before use to encrypt/decrypt a luks volume.
Prior to Newton the following method was used to encode passphrases when attempting to use or create a luks volume:

    def _get_passphrase(self, key):
        """Convert raw key to string."""
        # Body reconstructed from the description below: hex() is called on
        # each unsigned int of the key and the '0x' prefix removed, so any
        # value below 0x10 is emitted as a single hex digit.
        return ''.join(hex(x).replace('0x', '') for x in key)
This was replaced in Newton with the move to Castellan in the following change, which altered both the decoding and encoding steps:
Replace key manager with Castellan
https:/
The original method used the built-in hex() call to convert individual unsigned ints back to hex. This would strip the leading 0 from each hex digit pair, altering the eventual passphrase used to encrypt or decrypt the volume.
For example, the following one liner represents both the initial decode step performed by ConfKeyManager and the step above to encode the passphrase in the LuksEncryptor class:

    >>> ''.join(
    '752523eb50c3bf

    Original string: 752523eb50c3bf2
    New string     : 752523eb50c3bf2

The returned string is missing various 0's that have been stripped by the hex() call:
    >>> hex(14)
    '0xe'
    >>> int(0x0e)
    14
    >>> int(0xe)
    14
    >>> hex(4)
    '0x4'
    >>> int(0x04)
    4
    >>> int(0x4)
    4
The following one liner represents the current decode and encode steps, producing the same string as is entered:

    >>> import binascii
    >>> binascii.
    u'752523eb50c3b

    Original string: 752523eb50c3bf2
    New string     : 752523eb50c3bf2
IMHO the way to handle this is to add a simple retry in master and stable/newton when we fail due to a bad passphrase, using the mangled passphrase.
We should also improve the testing in this area as it appears all previous testing used zero based passphrases, missing this issue when it landed in Newton.
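The difference between the two encodings, and the retry described above, as an added example that is not code from nova or os-brick. It assumes a constructed sample key containing bytes below 0x10 (the ones hex() shortens) and a hypothetical `open_fn` callable standing in for the luksOpen step:

```python
import array
import binascii


def decode_hex_key(hex_key):
    """Mimic the pre-Newton ConfKeyManager decode: hex string -> list of unsigned ints."""
    return array.array('B', binascii.unhexlify(hex_key)).tolist()


def passphrase_pre_newton(key_ints):
    """Pre-Newton encoding: hex(x) drops the leading 0 of every byte below 0x10."""
    return ''.join(hex(x).replace('0x', '') for x in key_ints)


def passphrase_newton(key_bytes):
    """Newton and later: a straight hexlify, which keeps two digits per byte."""
    return binascii.hexlify(key_bytes).decode('ascii')


def mangled_passphrase(key_bytes):
    """Derive the passphrase a pre-Newton deployment actually used to format
    the volume, so a failed decrypt can be retried with it."""
    return passphrase_pre_newton(array.array('B', key_bytes).tolist())


def open_with_retry(open_fn, key_bytes):
    """Try the correct passphrase first; on failure retry once with the mangled
    one. open_fn is hypothetical: it returns True when the volume unlocks."""
    good = passphrase_newton(key_bytes)
    if open_fn(good):
        return 'current'
    old = mangled_passphrase(key_bytes)
    # A key with no byte below 0x10 encodes identically both ways; skip the retry.
    if old != good and open_fn(old):
        return 'mangled'
    raise RuntimeError('unable to unlock volume with either passphrase')


# Constructed sample key: 0x0e, 0x04 and 0x03 are the bytes whose encoding shrinks.
SAMPLE_KEY = bytes([0x75, 0x25, 0x0e, 0x04, 0xeb, 0x50, 0x03, 0xbf])
```

A key whose bytes are all 0x10 or above produces the same string under both encodings, which is why tests built only from such passphrases never caught the change.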
More notes are available downstream in the following bug:
Nova encryption alters the key used
https:/
Steps to reproduce
==================
- Encrypt a volume in Mitaka or earlier.
- Upgrade to Newton or later.
- Attempt to use the volume.
Expected result
===============
Volume is decrypted and usable.
Actual result
=============
Unable to decrypt the volume due to the use of a modified passphrase during initial formatting and use prior to Newton.
Environment
===========
1. Exact version of OpenStack you are running. See the following
list for all releases: http://
Newton and later.
2. Which hypervisor did you use?
Libvirt
3. Which storage type did you use?
N/A
4. Which networking type did you use?
(For example: nova-network, Neutron with OpenVSwitch, ...)
N/A
Logs & Configs
==============
N/A
summary: Passphrase change → The passphrase used to encrypt or decrypt volumes was mangled prior to Newton
Changed in os-brick:
  importance: Undecided → High
Changed in nova:
  importance: Undecided → Medium
Changed in nova:
  assignee: John Garbutt (johngarbutt) → Lee Yarwood (lyarwood)
  importance: Medium → High
Changed in os-brick:
  assignee: nobody → Lee Yarwood (lyarwood)
  status: New → In Progress
Changed in nova:
  status: In Progress → Fix Released
  status: Fix Released → Fix Committed
Changed in os-brick:
  status: In Progress → Fix Released
Fix proposed to branch: master
Review: https://review.openstack.org/386670