0000192: Restore of PKI encrypted data fails if some of the files should not be replaced

ID	Project	Category	View Status	Date Submitted	Last Update

0000192	bareos-core	file daemon	public	2013-06-20 14:38	2015-03-25 19:18

Reporter	AndiH	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Platform	Windows	OS	all	OS Version	all
Product Version	12.4.4
Fixed in Version	12.4.5

Summary	0000192: Restore of PKI encrypted data fails if some of the files should not be replaced
Description	With encrypted data the restore fails with 20-Jun 10:23 buildx64-fd JobId 4235: Error: filed/restore.c:632 Unexpected cryptographic session data stream. if some files should not be replaced by restored files eg. replace=never is used.
Steps To Reproduce	Setup data encryption and save some data within a directory. Remove some of the files and let others in place. Start a restore of this directory with replace=never and the error occurs.
Additional Information	Also added to Bacula some time ago http://bugs.bacula.org/view.php?id=1936
Tags	No tags attached.

mvwieringen 2013-06-20 15:54 developer ~0000463	As stated already on the mailinglist please add a small summary what already was determined when looking into this problem for Bacula. Create a small test set and then capture the output from a filed -f -d 100 to start with. We will take it from there.

AndiH 2013-06-20 17:32 reporter ~0000464	In the original bug-report a "fix" is included which does add a check like this if (rctx.extract) { } around the case STREAM_ENCRYPTED_SESSION_DATA stanza in src/filed/restore.c around line 627 (Bareos source). But it is not clear to me what kind of status is set with "rctx.extract", so it is for sure not a real fix, it only prevent the error escalating i guess.

AndiH 2013-06-20 17:42 reporter ~0000465	Ah and yes, the error is the same on Linux.

mvwieringen 2013-06-20 18:57 developer ~0000466	rctx.extract is set when we are really extracting the file. So it might be that this is a real fix. As what you say it happens when the file already exists and then it should skip the file e.g. rctx.extract is set to false.

mvwieringen 2013-06-20 19:42 developer ~0000467	The rctx.cs variable is set by crypto_session_decode() which extracts the info from the stream and then sets the rctx.cs variable (its passed as the last argument as pointer to the rctx.cs pointer and filled with the cryptocontext established there.). So I think the fix with the rctx.extract is part of the fix but I have to figure out where rctx.cs gets cleared and maybe we need to clear that earlier or the patch is enough.

mvwieringen 2013-06-20 19:54 developer ~0000468	Ok did some more digging and normally the rctx.cs gets cleared by close_previous_stream() function but only for files that will be extracted. So I think the rctx.cs keeps lingering till the next file gets extracted or when we are done restoring. So I think the fix you propose is enough. I'll commit it to the 12.4.5 branch.

mvwieringen 2013-07-12 10:10 developer ~0000518	Hi, I was wondering if the fix you proposed and that we implemented in the master branch worked ? We have bleeding edge binaries available at http://download.bareos.org/bareos/experimental/nightly/windows/ If you could give that at try (I think those binaries should also work with 12.4.4 and 13.2.0 although officially they are 13.3.0 e.g bleeding edge). If we are sure this works I can start the backport to 13.2 and 12.4 so it will be available in the next release of those versions too.

AndiH 2013-07-12 14:57 reporter ~0000520	Hello, sorry for the late feedback. With a short test it really looks like the bug is fixed :-) Many Thanks Andreas

~~mvwieringen adm~~ 2013-08-13 03:12 administrator ~0000582	Fix committed to bareos bareos-13.2 branch with changesetid 1046.

mvwieringen 2015-03-25 16:51 developer ~0001369	Fix committed to bareos2015 bareos-14.2 branch with changesetid 5118.

joergs 2015-03-25 19:18 developer ~0001523	Due to the reimport of the Github repository to bugs.bareos.org, the status of some tickets have been changed. These tickets will be closed again. Sorry for the noise.

bareos: master 38e8ff91 2013-06-20 19:54 ~~mvwieringen adm~~ Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File
bareos: bareos-12.4 ae186120 2013-06-20 19:54 ~~mvwieringen adm~~ Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File
bareos: bareos-13.2 5ef01503 2013-06-20 19:54 ~~mvwieringen adm~~ Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File
bareos2015: bareos-12.4 603648bb 2013-06-20 21:54 mvwieringen Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File
bareos2015: bareos-13.2 42fd0764 2013-06-20 21:54 mvwieringen Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File
bareos2015: bareos-14.2 9956f672 2013-06-20 21:54 mvwieringen Ported: N/A Details Diff	Restore of encrypted data fails when not all files are created. We should check if a file is actually extracted when checking if we encounter an unexpected STREAM_ENCRYPTED_SESSION_DATA. The rctx.cs is setup by a call to crypto_session_decode() and that session lingers until its teared down by close_previous_stream() but that only occurs when the next file is actually extracted. So if we extract one encrypted file and not the one after that the rctx.cs will not be cleared until we hit the next extracted file or the end of the restore. So we should only handle the session at all when we extract the file as otherwise it makes absolutely no sense to even consider the encrypted session data stream at all as we will be skipping the file extract anyway and skip all encrypted data blocks. Fixes 0000192: Restore of PKI encrypted data fails if some of the files should not be replaced	Affected Issues 0000192
	mod - src/filed/restore.c	Diff File

Date Modified	Username	Field	Change
2013-06-20 14:38	AndiH	New Issue
2013-06-20 15:54	mvwieringen	Note Added: 0000463
2013-06-20 15:54	mvwieringen	Assigned To	=> mvwieringen
2013-06-20 15:54	mvwieringen	Status	new => feedback
2013-06-20 17:32	AndiH	Note Added: 0000464
2013-06-20 17:32	AndiH	Status	feedback => assigned
2013-06-20 17:42	AndiH	Note Added: 0000465
2013-06-20 18:57	mvwieringen	Note Added: 0000466
2013-06-20 18:57	mvwieringen	Status	assigned => feedback
2013-06-20 19:42	mvwieringen	Note Added: 0000467
2013-06-20 19:54	mvwieringen	Note Added: 0000468
2013-06-20 21:43	mvwieringen	Changeset attached	=> bareos master 2ef2c5a7
2013-06-20 21:43	mvwieringen	Status	feedback => resolved
2013-06-20 21:43	mvwieringen	Resolution	open => fixed
2013-06-26 21:43	mvwieringen	Changeset attached	=> bareos master a9db1764
2013-06-26 21:48	~~mvwieringen adm~~	Changeset removed	bareos master a9db1764 =>
2013-07-12 10:06	~~mvwieringen adm~~	Status	resolved => assigned
2013-07-12 10:10	mvwieringen	Note Added: 0000518
2013-07-12 10:10	mvwieringen	Status	assigned => feedback
2013-07-12 14:57	AndiH	Note Added: 0000520
2013-07-12 14:57	AndiH	Status	feedback => assigned
2013-07-12 15:09	mvwieringen	Changeset attached	=> bareos bareos-13.2 8c151804
2013-07-12 15:09	mvwieringen	Status	assigned => resolved
2013-07-12 15:09	mvwieringen	Changeset attached	=> bareos bareos-12.4 2817158e
2013-07-12 15:13	~~mvwieringen adm~~	Assigned To	mvwieringen =>
2013-07-12 15:13	~~mvwieringen adm~~	Status	resolved => closed
2013-07-12 15:13	~~mvwieringen adm~~	Fixed in Version	=> 12.4.5
2013-08-13 03:12	~~mvwieringen adm~~	Changeset attached	=> bareos master 38e8ff91
2013-08-13 03:12	~~mvwieringen adm~~	Changeset attached	=> bareos bareos-12.4 ae186120
2013-08-13 03:12	~~mvwieringen adm~~	Changeset attached	=> bareos bareos-13.2 5ef01503
2013-08-13 03:12	~~mvwieringen adm~~	Note Added: 0000582
2013-08-13 03:12	~~mvwieringen adm~~	Assigned To	=> mvwieringen adm
2013-08-13 03:12	~~mvwieringen adm~~	Status	closed => resolved
2013-08-13 09:35	~~mvwieringen adm~~	Assigned To	mvwieringen adm =>
2013-08-13 09:35	~~mvwieringen adm~~	Status	resolved => closed
2015-03-25 16:51	mvwieringen	Changeset attached	=> bareos2015 bareos-12.4 603648bb
2015-03-25 16:51	mvwieringen	Changeset attached	=> bareos2015 bareos-13.2 42fd0764
2015-03-25 16:51	mvwieringen	Changeset attached	=> bareos2015 bareos-14.2 9956f672
2015-03-25 16:51	mvwieringen	Note Added: 0001369
2015-03-25 16:51	mvwieringen	Status	closed => resolved
2015-03-25 19:18	joergs	Note Added: 0001523
2015-03-25 19:18	joergs	Status	resolved => closed

Reporting new Issues is disabled, please Report new Issues at https://github.com/bareos/bareos/issues

View Issue Details

Activities

Related Changesets

Issue History