OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [NETCONF-1115] Handle unencrypted password in login-password for topology node https://jira.opendaylight.org/browse/NETCONF-1115 netconf <p><tt>netconf-node-topology:login-password/password</tt> is supposed to keep the encrypted password of a NETCONF device. However, in some cases a password saved in field may work even if it's not properly encrypted because <tt>AAAEncryptionService.decrypt</tt> may return the original password when decryption fails.</p> <p>For example, the following request with unencrypted password</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>PUT /rests/data/network-topology:network-topology/topology=topology-netconf/node=netconf-mdsal { "network-topology:node": [ { "node-id": "netconf-mdsal", "netconf-node-topology:concurrent-rpc-limit": 0, "netconf-node-topology:schema-cache-directory": "netconf-mdsal", "netconf-node-topology:login-password": { "username": "admin", "password": "adminadmin" }, "netconf-node-topology:default-request-timeout-millis": 1800000, "netconf-node-topology:port": 2830, "netconf-node-topology:tcp-only": false, "netconf-node-topology:host": "127.0.0.1", "netconf-node-topology:actor-response-wait-time": 600, "netconf-node-topology:keepalive-delay": 600 } ] } </pre> </div></div> <p>makes controller attempt to establish a NETCONF session with <tt>adminadmin</tt> as the password after failing to decrypt the password:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>02:03:07.828 ERROR [opendaylight-cluster-data-notification-dispatcher-58] Failed to decrypt encoded data javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher at com.sun.crypto.provider.CipherCore.prepareInputBuffer(CipherCore.java:888) ~[?:?] at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:730) ~[?:?] at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436) ~[?:?] at javax.crypto.Cipher.doFinal(Cipher.java:2205) ~[?:?] at org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:154) ~[?:?] at org.opendaylight.netconf.topology.spi.DefaultNetconfClientConfigurationBuilderFactory.getHandlerFromCredentials(DefaultNetconfClientConfigurationBuilderFactory.java:96) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.DefaultNetconfClientConfigurationBuilderFactory.createClientConfigurationBuilder(DefaultNetconfClientConfigurationBuilderFactory.java:68) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.NetconfNodeHandler.&lt;init&gt;(NetconfNodeHandler.java:143) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.setupConnection(AbstractNetconfTopology.java:142) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.lockedEnsureNode(AbstractNetconfTopology.java:108) ~[bundleFile:?] at org.opendaylight.netconf.topology.spi.AbstractNetconfTopology.ensureNode(AbstractNetconfTopology.java:96) ~[bundleFile:?] at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.onDataTreeChanged(NetconfTopologyImpl.java:145) ~[?:?] at org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataTreeChangeListenerAdapter.onDataTreeChanged(BindingDOMDataTreeChangeListenerAdapter.java:44) ~[bundleFile:?] at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.dataTreeChanged(DataTreeChangeListenerActor.java:90) ~[bundleFile:?] at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.handleReceive(DataTreeChangeListenerActor.java:45) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:24) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.apply(CaseStatements.scala:20) ~[bundleFile:?] at scala.PartialFunction.applyOrElse(PartialFunction.scala:214) ~[bundleFile:?] at scala.PartialFunction.applyOrElse$(PartialFunction.scala:213) ~[bundleFile:?] at akka.japi.pf.UnitCaseStatement.applyOrElse(CaseStatements.scala:20) ~[bundleFile:?] at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:269) ~[bundleFile:?] at scala.PartialFunction$OrElse.applyOrElse(PartialFunction.scala:270) ~[bundleFile:?] at akka.actor.Actor.aroundReceive(Actor.scala:537) ~[bundleFile:?] at akka.actor.Actor.aroundReceive$(Actor.scala:535) ~[bundleFile:?] at akka.actor.AbstractActor.aroundReceive(AbstractActor.scala:220) ~[bundleFile:?] at akka.actor.ActorCell.receiveMessage(ActorCell.scala:579) ~[bundleFile:?] at akka.actor.ActorCell.invoke(ActorCell.scala:547) ~[bundleFile:?] at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270) ~[bundleFile:?] at akka.dispatch.Mailbox.run(Mailbox.scala:231) ~[bundleFile:?] at akka.dispatch.Mailbox.exec(Mailbox.scala:243) ~[bundleFile:?] at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373) ~[?:?] at java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182) ~[?:?] at java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655) ~[?:?] at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622) ~[?:?] at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165) ~[?:?] 02:03:07.855 WARN [sshd-NetconfSshClient[2914912]-nio2-thread-3] Server at /127.0.0.1:2830 presented unverified EC key: SHA256:3kA4ClemSJjEhFPu1EdCQnWku+XYuWQi33bFFRK90G8 </pre> </div></div> <p>In this case the connection failed because the password is incorrect. But there are many cases where the correct unencrypted password works.</p> <p>This behavior encourages keeping unencrypted password in the configuration because it may not discovered or it may be simply ignored because it works. Also, this may cause confusion since some may work but some may not.</p> <p>So the device should not be activated when decryption fails to mitigate the issue.</p> NETCONF-1115 Handle unencrypted password in login-password for topology node Improvement Medium Confirmed Unresolved Ivan Hrasko Sangwook Ha Thu, 3 Aug 2023 01:49:37 +0000 Wed, 7 Feb 2024 14:30:37 +0000 7.0.0 netconf 0 4 <p>Cause:</p> <ul> <li>According to <a href="https://github.com/opendaylight/netconf/blob/3c5e8fedc83a64aafa24bd760bff50e2c9b9fa96/plugins/netconf-client-mdsal/src/main/yang/odl-netconf-device.yang#L28" class="external-link" target="_blank" rel="nofollow noopener">odl-netconf-device</a> model (used in <a href="https://github.com/opendaylight/netconf/blob/3c5e8fedc83a64aafa24bd760bff50e2c9b9fa96/apps/netconf-topology/src/main/yang/netconf-node-topology.yang#L8" class="external-link" target="_blank" rel="nofollow noopener">netconf-node-topology-node</a>) <ins>login-password</ins> container expected to contain encrypted <ins>password</ins> value</li> <li>Encrypted value handling is served by <ins>aaa-encrypt-service</ins> which provides both encryption for persistence and decryption for usage in ssh connection</li> <li>Due to <ins>aaa-encrypt-service</ins> is an OSGi component with own configuration having no API exposed to end user, the password encryption is performed dynamically on input processing, encrypted value is not expected to be provided by user</li> <li>Dynamic password value encryption is implemented for <a href="https://github.com/opendaylight/netconf/blob/3c5e8fedc83a64aafa24bd760bff50e2c9b9fa96/apps/netconf-topology/src/main/java/org/opendaylight/netconf/topology/spi/NetconfTopologyRPCProvider.java#L72" class="external-link" target="_blank" rel="nofollow noopener">netconf-node-topology:create-device</a> RPC processing, but not for direct data insert/update</li> <li>Once node data is updated in configuration datastore the device connection is triggered with assumption password value is properly encrypted</li> </ul> <p>Non-encrypted password value as a case of incorrect configuration to be handled via <a href="https://jira.opendaylight.org/browse/NETCONF-1114" title="Incorrect operational state of device configuration with Invalid encrypted password" class="issue-link" data-issue-key="NETCONF-1114">NETCONF-1114</a>. The expected resolution is no connection to device performed if configuration processing fails with immediate failure status to be set for device.</p> <p>Delegating password value encryption to user requires at least encryption service API exposed so user would have the ability to encrypt the password value by himself with assurance this value will be properly decrypted (because same service will use same parameters). However this approach requires shared component update, which complicates and delays solution delivery.</p> <p>The suggested approach is to add dynamic password encryption to direct data update via dedicated DataTreeChangeListener implementation:</p> <ul> <li>Scope is configuration datastore</li> <li>Monitor nodes having encrypted password values</li> <li>if encrypted password value added/changed check if the <ins>aaa-encrypt-service</ins> can perform the value decryption</li> <li>if decryption fails assume the value is not encrypted, then encrypt and override it</li> </ul> <p>We are going from different approach:</p> <p>Enforce base64 encoding for odl-netconf-device model for of all leafs that are claiming its their type by YANG string type pattern. Analyze RPCs which can be used to create such data, realize that we want to allow user to use plain strings in RPC payloads and adapt payloads YANG definition accordingly.</p> <p>If needed to modify odl-netconf-device or netconf-node-topology create new revisions in that case.</p> <p>Enforcing base64 encoding will prevent many invalid password values but it's still possible to pass the pattern checking without being actually base64 encoded.<br/> Since <a href="https://github.com/opendaylight/aaa/blob/master/aaa-encrypt-service/impl/src/main/java/org/opendaylight/aaa/encrypt/impl/AAAEncryptionServiceImpl.java#L145" class="external-link" target="_blank" rel="nofollow noopener">AAAEncryptionServiceImpl.decrypt()</a> returns original value when decryption fails and there is no checking of decryption failure in netconf, many plaintext passwords can be put into the field and successfully used as long as the pattern matches the base64 encode format - e.g. any password composed of alphanumeric characters whose length is multiples of 4.</p> <p>It seems problematic that the decrypt function does not have clear API contract that can signal decryption failure, not even documentation, when it's a public API used by other downstream projects - and also inconsistent in that it catches decryption errors but not that of base64 decoding.</p> <p>I will investigate the potential consequences of AAAEncryptionServiceImpl throwing an exception in case of encryption or decryption failure. IMHO, the primary concept is to delegate the validation of password values to the data store, relieving upper layers of this responsibility.</p> <p>The issue is blocked by <a href="https://jira.opendaylight.org/browse/NETCONF-1216" title="Input length must be multiple of 16 when decrypting with padded cipher" class="issue-link" data-issue-key="NETCONF-1216"><del>NETCONF-1216</del></a> and <a href="https://jira.opendaylight.org/browse/NETCONF-1217" title="Given final block not properly padded. Such issues can arise if a bad key is used during decryption" class="issue-link" data-issue-key="NETCONF-1217"><del>NETCONF-1217</del></a>. The change type to binary does not solve those as the only way to reliably use encryption service is via RPC. Needs more investigation.</p> Blocks NETCONF-1216 NETCONF-1217 Issue split NETCONF-1186 Relates AAA-266 Development Rank 0|i0462n: