View Issue Details

IDProjectCategoryView StatusLast Update
0000192bareos-core[All Projects] file daemonpublic2015-03-25 19:18
ReporterAndiHAssigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformWindowsOSallOS Versionall
Product Version12.4.4 
Fixed in Version12.4.5 
Summary0000192: Restore of PKI encrypted data fails if some of the files should not be replaced
DescriptionWith encrypted data the restore fails with
20-Jun 10:23 buildx64-fd JobId 4235: Error: filed/restore.c:632 Unexpected cryptographic session data stream.

if some files should not be replaced by restored files eg. replace=never is used.
Steps To ReproduceSetup data encryption and save some data within a directory. Remove some of the files and let others in place. Start a restore of this directory with replace=never and the error occurs.
Additional InformationAlso added to Bacula some time ago
http://bugs.bacula.org/view.php?id=1936
TagsNo tags attached.
bareos-master: impact
bareos-master: action
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action

Activities

mvwieringen

mvwieringen

2013-06-20 15:54

developer   ~0000463

As stated already on the mailinglist please add a small summary what already
was determined when looking into this problem for Bacula. Create a small test
set and then capture the output from a filed -f -d 100 to start with. We will
take it from there.
AndiH

AndiH

2013-06-20 17:32

reporter   ~0000464

In the original bug-report a "fix" is included which does add a check like this

 if (rctx.extract) {
 }

around the case STREAM_ENCRYPTED_SESSION_DATA stanza in src/filed/restore.c around line 627 (Bareos source).

But it is not clear to me what kind of status is set with "rctx.extract", so it is for sure not a real fix, it only prevent the error escalating i guess.
AndiH

AndiH

2013-06-20 17:42

reporter   ~0000465

Ah and yes, the error is the same on Linux.
mvwieringen

mvwieringen

2013-06-20 18:57

developer   ~0000466

rctx.extract is set when we are really extracting the file. So it might
be that this is a real fix. As what you say it happens when the file
already exists and then it should skip the file e.g. rctx.extract is set
to false.
mvwieringen

mvwieringen

2013-06-20 19:42

developer   ~0000467

The rctx.cs variable is set by crypto_session_decode() which extracts
the info from the stream and then sets the rctx.cs variable (its passed
as the last argument as pointer to the rctx.cs pointer and filled with
the cryptocontext established there.).

So I think the fix with the rctx.extract is part of the fix but I have to figure
out where rctx.cs gets cleared and maybe we need to clear that earlier or the
patch is enough.
mvwieringen

mvwieringen

2013-06-20 19:54

developer   ~0000468

Ok did some more digging and normally the rctx.cs gets cleared by
close_previous_stream() function but only for files that will be
extracted. So I think the rctx.cs keeps lingering till the next
file gets extracted or when we are done restoring. So I think the
fix you propose is enough. I'll commit it to the 12.4.5 branch.
mvwieringen

mvwieringen

2013-07-12 10:10

developer   ~0000518

Hi,

I was wondering if the fix you proposed and that we implemented in the master
branch worked ? We have bleeding edge binaries available at

http://download.bareos.org/bareos/experimental/nightly/windows/

If you could give that at try (I think those binaries should also
work with 12.4.4 and 13.2.0 although officially they are 13.3.0 e.g
bleeding edge). If we are sure this works I can start the backport to
13.2 and 12.4 so it will be available in the next release of those versions
too.
AndiH

AndiH

2013-07-12 14:57

reporter   ~0000520

Hello,

sorry for the late feedback. With a short test it really looks like the bug is fixed :-)

Many Thanks

Andreas
mvwieringen adm

mvwieringen adm

2013-08-13 03:12

administrator   ~0000582

Fix committed to bareos bareos-13.2 branch with changesetid 1046.
mvwieringen

mvwieringen

2015-03-25 16:51

developer   ~0001369

Fix committed to bareos2015 bareos-14.2 branch with changesetid 5118.
joergs

joergs

2015-03-25 19:18

administrator   ~0001523

Due to the reimport of the Github repository to bugs.bareos.org, the status of some tickets have been changed. These tickets will be closed again.
Sorry for the noise.

Related Changesets

bareos: bareos-13.2 5ef01503

2013-06-20 17:54:23

mvwieringen adm

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

bareos: bareos-12.4 ae186120

2013-06-20 17:54:23

mvwieringen adm

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

bareos: master 38e8ff91

2013-06-20 17:54:23

mvwieringen adm

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

bareos2015: bareos-12.4 603648bb

2013-06-20 19:54:23

mvwieringen

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

bareos2015: bareos-13.2 42fd0764

2013-06-20 19:54:23

mvwieringen

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

bareos2015: bareos-14.2 9956f672

2013-06-20 19:54:23

mvwieringen

Ported: N/A

Details Diff
Restore of encrypted data fails when not all files are created.

We should check if a file is actually extracted when checking
if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA.
The rctx.cs is setup by a call to crypto_session_decode()
and that session lingers until its teared down by
close_previous_stream() but that only occurs when the next
file is actually extracted. So if we extract one encrypted
file and not the one after that the rctx.cs will not be cleared
until we hit the next extracted file or the end of the restore.
So we should only handle the session at all when we extract
the file as otherwise it makes absolutely no sense to even
consider the encrypted session data stream at all as we will
be skipping the file extract anyway and skip all encrypted data
blocks.

Fixes 0000192: Restore of PKI encrypted data fails if some of the files
should not be replaced
Affected Issues
0000192
mod - src/filed/restore.c Diff File

Issue History

Date Modified Username Field Change
2013-06-20 14:38 AndiH New Issue
2013-06-20 15:54 mvwieringen Note Added: 0000463
2013-06-20 15:54 mvwieringen Assigned To => mvwieringen
2013-06-20 15:54 mvwieringen Status new => feedback
2013-06-20 17:32 AndiH Note Added: 0000464
2013-06-20 17:32 AndiH Status feedback => assigned
2013-06-20 17:42 AndiH Note Added: 0000465
2013-06-20 18:57 mvwieringen Note Added: 0000466
2013-06-20 18:57 mvwieringen Status assigned => feedback
2013-06-20 19:42 mvwieringen Note Added: 0000467
2013-06-20 19:54 mvwieringen Note Added: 0000468
2013-06-20 21:43 mvwieringen Changeset attached => bareos master 2ef2c5a7
2013-06-20 21:43 mvwieringen Status feedback => resolved
2013-06-20 21:43 mvwieringen Resolution open => fixed
2013-06-26 21:43 mvwieringen Changeset attached => bareos master a9db1764
2013-06-26 21:48 mvwieringen adm Changeset removed bareos master a9db1764 =>
2013-07-12 10:06 mvwieringen adm Status resolved => assigned
2013-07-12 10:10 mvwieringen Note Added: 0000518
2013-07-12 10:10 mvwieringen Status assigned => feedback
2013-07-12 14:57 AndiH Note Added: 0000520
2013-07-12 14:57 AndiH Status feedback => assigned
2013-07-12 15:09 mvwieringen Changeset attached => bareos bareos-13.2 8c151804
2013-07-12 15:09 mvwieringen Status assigned => resolved
2013-07-12 15:09 mvwieringen Changeset attached => bareos bareos-12.4 2817158e
2013-07-12 15:13 mvwieringen adm Assigned To mvwieringen =>
2013-07-12 15:13 mvwieringen adm Status resolved => closed
2013-07-12 15:13 mvwieringen adm Fixed in Version => 12.4.5
2013-08-13 03:12 mvwieringen adm Changeset attached => bareos master 38e8ff91
2013-08-13 03:12 mvwieringen adm Changeset attached => bareos bareos-12.4 ae186120
2013-08-13 03:12 mvwieringen adm Changeset attached => bareos bareos-13.2 5ef01503
2013-08-13 03:12 mvwieringen adm Note Added: 0000582
2013-08-13 03:12 mvwieringen adm Assigned To => mvwieringen adm
2013-08-13 03:12 mvwieringen adm Status closed => resolved
2013-08-13 09:35 mvwieringen adm Assigned To mvwieringen adm =>
2013-08-13 09:35 mvwieringen adm Status resolved => closed
2015-03-25 16:51 mvwieringen Changeset attached => bareos2015 bareos-12.4 603648bb
2015-03-25 16:51 mvwieringen Changeset attached => bareos2015 bareos-13.2 42fd0764
2015-03-25 16:51 mvwieringen Changeset attached => bareos2015 bareos-14.2 9956f672
2015-03-25 16:51 mvwieringen Note Added: 0001369
2015-03-25 16:51 mvwieringen Status closed => resolved
2015-03-25 19:18 joergs Note Added: 0001523
2015-03-25 19:18 joergs Status resolved => closed