[NETCONF-1216] Input length must be multiple of 16 when decrypting with padded cipher Created: 05/Jan/24  Updated: 24/Jan/24  Resolved: 24/Jan/24

Status: Resolved
Project: netconf
Component/s: netconf
Affects Version/s: None
Fix Version/s: 7.0.0

Type: Bug Priority: Medium
Reporter: Ivan Hrasko Assignee: Yaroslav Lastivka
Resolution: Won't Do Votes: 0
Labels: pt
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Blocks
blocks NETCONF-1115 Handle unencrypted password in login-... Confirmed

Description

Invoke PUT request to:

http://192.168.56.25:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=17830-sim-device

with payload:

{
    "node": [
        {
            "node-id": "17830-sim-device",
            "netconf-node-topology:login-password": {
                "username": "admin",
                "password": "YWRtaW4K"
            },
            "netconf-node-topology:schemaless": false,
            "netconf-node-topology:port": 17830,
            "netconf-node-topology:tcp-only": false,
            "netconf-node-topology:keepalive-delay": 0,
            "netconf-node-topology:host": "192.168.56.25"
        }
    ]
}

You can see the error in the karaf console:

10:06:07.667 INFO [CM Configuration Updater (Update: pid=org.ops4j.pax.logging)] Logging configuration changed. (Event Admin service unavailable - no notification sent).
10:06:15.792 INFO [opendaylight-cluster-data-notification-dispatcher-66] RemoteDevice{Uri{value=17830-sim-device}} was already configured, disconnecting
10:06:15.799 INFO [opendaylight-cluster-data-notification-dispatcher-66] Connecting RemoteDevice{Uri{value=17830-sim-device}}, with config Node{nodeId=Uri{value=17830-sim-device}, augmentation=[NetconfNode{actorResponseWaitTime=5, betweenAttemptsTimeoutMillis=2000, concurrentRpcLimit=0, connectionTimeoutMillis=20000, credentials=***, defaultRequestTimeoutMillis=60000, host=Host{ipAddress=IpAddress{ipv4Address=Ipv4Address{value=192.168.56.25}}}, keepaliveDelay=0, lockDatastore=true, maxConnectionAttempts=0, port=PortNumber{value=17830}, reconnectOnChangedSchema=false, schemaCacheDirectory=schema, schemaless=false, sleepFactor=1.5, tcpOnly=false}]}
10:06:15.802 INFO [opendaylight-cluster-data-notification-dispatcher-66] Concurrent rpc limit is smaller than 1, no limit will be enforced for device RemoteDeviceId[name=17830-sim-device, address=/192.168.56.25:17830]
10:06:15.803 ERROR [opendaylight-cluster-data-notification-dispatcher-66] Failed to decrypt encoded data
javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
        at com.sun.crypto.provider.CipherCore.prepareInputBuffer(CipherCore.java:891) ~[?:?]
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:730) ~[?:?]
        at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) ~[?:?]
        at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?]
        at org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:154) ~[?:?]
        at org.opendaylight.netconf.topology.spi.NetconfClientConfigurationBuilderFactoryImpl.setSshParametersFromCredentials(NetconfClientConfigurationBuilderFactoryImpl.java:106) ~[bundleFile:?]
        at org.opendaylight.netconf.topology.spi.NetconfClientConfigurationBuilderFactoryImpl.createClientConfigurationBuilder(NetconfClientConfigurationBuilderFactoryImpl.java:74) ~[bundleFile:?]
        at org.opendaylight.netconf.topology.spi.NetconfNodeHandler.<init>(NetconfNodeHandler.java:193) ~[bundleFile:?]
        at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.lockedEnsureNode(AbstractNetconfTopology.java:124) ~[bundleFile:?]
        at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.ensureNode(AbstractNetconfTopology.java:91) ~[bundleFile:?]
        at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.ensureNode(NetconfTopologyImpl.java:143) ~[?:?]
        at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.onDataTreeChanged(NetconfTopologyImpl.java:129) ~[?:?]
        at org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataTreeChangeListenerAdapter.onDataTreeChanged(BindingDOMDataTreeChangeListenerAdapter.java:44) ~[bundleFile:?]
        at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.dataTreeChanged(DataTreeChangeListenerActor.java:90) ~[bundleFile:?]
        at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.handleReceive(DataTreeChangeListenerActor.java:45) ~[bundleFile:?]
        at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:24) [bundleFile:?]
        at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:20) [bundleFile:?]
        at scala.PartialFunction.applyOrElse(PartialFunction.scala:214) [bundleFile:?]
        at scala.PartialFunction.applyOrElse$(PartialFunction.scala:213) [bundleFile:?]
        at akka.japi.pf.UnitCaseStatement.applyOrElse(CaseStatements.scala:20) [bundleFile:?]
        at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:269) [bundleFile:?]
        at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:270) [bundleFile:?]
        at akka.actor.Actor.aroundReceive(Actor.scala:537) [bundleFile:?]
        at akka.actor.Actor.aroundReceive$(Actor.scala:535) [bundleFile:?]
        at akka.actor.AbstractActor.aroundReceive(AbstractActor.scala:220) [bundleFile:?]
        at akka.actor.ActorCell.receiveMessage(ActorCell.scala:579) [bundleFile:?]
        at akka.actor.ActorCell.invoke(ActorCell.scala:547) [bundleFile:?]
        at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270) [bundleFile:?]
        at akka.dispatch.Mailbox.run(Mailbox.scala:231) [bundleFile:?]
        at akka.dispatch.Mailbox.exec(Mailbox.scala:243) [bundleFile:?]
        at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373) [?:?]
        at java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182) [?:?]
        at java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655) [?:?]
        at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622) [?:?]
        at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165) [?:?]

Note that when the password fails to decrypt it is returned untouched; the revision on which the bug is present is:

fedba3cac1c141c2b2bfb61ccf8a5622977254d4


Comments
Comment by Ivan Hrasko [ 17/Jan/24 ]

Create a unit test that proves that when using padding we are not going to have a padding exception, see: https://www.baeldung.com/java-crypto-apis-exceptions.

Comment by Ivan Hrasko [ 24/Jan/24 ]

We are getting the exception regardless of padding usage. See https://git.opendaylight.org/gerrit/c/aaa/+/109834.

Comment by Ivan Hrasko [ 24/Jan/24 ]

It's the responsibility of the user to provide a correctly encrypted password. See also NETCONF-1217.
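As an added example (not code from this report or from the OpenDaylight AAA/netconf projects), the check a fail-closed decryptor can run before calling a padded cipher: the reported value "YWRtaW4K" decodes to 6 bytes, which can never be a PKCS5-padded AES ciphertext, so it is rejected instead of being passed on untouched as the password. The key and IV are generated locally and are assumptions; AAA uses its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public final class PaddedDecryptCheck {
    private static final int AES_BLOCK = 16; // bytes
    // Fail-closed decrypt: a value whose decoded length is not a multiple of the
    // block size cannot be a PKCS5-padded ciphertext, so it is rejected up front
    // rather than handed back untouched as if it were the password.
    static String decryptOrReject(SecretKey key, IvParameterSpec iv, String base64Value)
            throws GeneralSecurityException {
        byte[] data = Base64.getDecoder().decode(base64Value);
        if (data.length == 0 || data.length % AES_BLOCK != 0) {
            throw new GeneralSecurityException("not a padded AES ciphertext: " + data.length + " bytes");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, iv);
        return new String(cipher.doFinal(data), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Throwaway key and IV (an assumption; AAA keeps its own).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] ivBytes = new byte[AES_BLOCK];
        new SecureRandom().nextBytes(ivBytes);
        IvParameterSpec iv = new IvParameterSpec(ivBytes);

        // The value from the report: base64 of the plaintext "admin\n", 6 bytes.
        try {
            decryptOrReject(key, iv, "YWRtaW4K");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A value actually encrypted under the same key/IV decrypts normally.
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, key, iv);
        String good = Base64.getEncoder().encodeToString(
            enc.doFinal("admin".getBytes(StandardCharsets.UTF_8)));
        System.out.println("decrypted: " + decryptOrReject(key, iv, good));
    }
}
```

The length guard only catches values that are not block-aligned; a block-aligned value encrypted under a different key still fails inside doFinal with a BadPaddingException, which should be treated the same way rather than returning the input.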
