New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migration keychain decryption failing for some users #192

Closed
orthecreedence opened this Issue Oct 9, 2018 · 9 comments

Comments

Projects
None yet
3 participants
@orthecreedence
Member

orthecreedence commented Oct 9, 2018

2018-10-09T11:32:55 - [INFO][migrate] migrate::get_profile() -- got profile, processing
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [INFO][migrate] migrate::get_profile() -- profile processed (got 10 items, 0 files)
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b6b32959fab258f7e62a4d2083dc9906238a774726c012c35f403dc7fa5bc7257cb29a5f034c
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b6c37490fab258f7e62a4d2083dc9906238a774726c012c35f403dc7fa5bc7257cb29a5f04a0
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b6ab1034fab258f7e62a4d2083dc9906238a774726c012c35f403dc7fa5bc7257cb29a5f016b
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b74fd5246bd3c6d7d08eb8148c5f40d371b89cc2ff826e0c8f4bd414c4d27c5afe03b69d0071
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b6abde1ffab258f7e62a4d2083dc9906238a774726c012c35f403dc7fa5bc7257cb29a5f01c1
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b7502e4e6bd3c6d7d08eb8148c5f40d371b89cc2ff826e0c8f4bd414c4d27c5afe03b69d00b5
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b750035e6bd3c6d7d08eb8148c5f40d371b89cc2ff826e0c8f4bd414c4d27c5afe03b69d008b
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165b6efce1ffab258f7e62a4d2083dc9906238a774726c012c35f403dc7fa5bc7257cb29a5f00cf
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165c037ffaf6bd3c6d7d08eb8148c5f40d371b89cc2ff826e0c8f4bd414c4d27c5afe03b69d00bf
2018-10-09T11:32:55 - [INFO][turtl_core::messaging] messaging::ui_event() -- migration-event
2018-10-09T11:32:55 - [WARN][migrate] migrate::decrypt_profile() -- error decrypting keychain entry: 0165c03629966bd3c6d7d08eb8148c5f40d371b89cc2ff826e0c8f4bd414c4d27c5afe03b69d0097

Looks like a master key issue? Could this possibly be related to #190?

@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 10, 2018

Of course, the one place I don't log encryption error reasons is keychain decrypt errors. God damnit. I'll have to assume it's an auth error, unless I can get more info from one of our heroic users...

@dogfuntom

This comment has been minimized.

dogfuntom commented Oct 11, 2018

I don't have any login issues but after login there's a migration and it won't finish even after hours of waiting. I suppose my issue belongs here? I found logs and there are repeated warning and errors that look like this:

2018-10-10T21:45:23 - [INFO][migrate] migrate::download_file() -- grabbing file https://s3.amazonaws.com/turtl.it/files/015fc750f841a769baaf1936ca7f269e7ebcb3d50eddb695370c4d3fe1f9723bb372daa395520ef2?AWSAccessKeyId=AKIAIGYLSXFGXZ5KLBYA&Expires=1539197186&Signature=mQp9j4p7LGMPxvIOjBFwoSxnx5o%3D
2018-10-10T21:45:24 - [WARN][migrate] migrate::download_file() -- download error: api error (Not Found): <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>files/015fc750f841a769baaf1936ca7f269e7ebcb3d50eddb695370c4d3fe1f9723bb372daa395520ef2</Key><RequestId>DB6439B0B0152943</RequestId><HostId>8Gc2I7HQ5xwgG61ASnINTjy8ZW/vcBtP9f3DYR6IuM4ap1LRM9Un2lsdANh6VFcEpB0l/HGZShM=</HostId></Error>
2018-10-10T21:45:24 - [ERROR][migrate] migrate::get_profile() -- error downloading file (note 015fc750f841a769baaf1936ca7f269e7ebcb3d50eddb695370c4d3fe1f9723bb372daa395520ef2): api error (Not Found): <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>files/015fc750f841a769baaf1936ca7f269e7ebcb3d50eddb695370c4d3fe1f9723bb372daa395520ef2</Key><RequestId>DB6439B0B0152943</RequestId><HostId>8Gc2I7HQ5xwgG61ASnINTjy8ZW/vcBtP9f3DYR6IuM4ap1LRM9Un2lsdANh6VFcEpB0l/HGZShM=</HostId></Error>
@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 11, 2018

Weird, the migration is supposed to give up on files after ~3 failed download attempts.

Also, odd that the files are not being found. Thanks for the log, this is helpful. I might open a new issue for this since it is a bit different than the migration keychain bug.

@lambd0x

This comment has been minimized.

lambd0x commented Oct 12, 2018

@orthecreedence what's a way to reproduce this problem?

@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 12, 2018

@lambd0x I haven't found a way yet, and I've run many migrations at this point.

There were two instances of users reporting this issue. One of them attempted the migration again with a client that had better logging, but the migration worked a second time so I didn't get any useful logs about the problem. The second user may or may not care enough to attempt the migration process again and mentioned maybe just moving everything over by hand.

So at this point, not only can I not reproduce it, but it seems to fix itself after a second attempt.

This is an odd one, though. We generate the (old, v0.6) master key from their username/password, use that key to create an auth token, and if the old server accepts the auth token, we continue the migration with that generated key. The keychain entries are all encrypted directly with that master key. So if the auth token matches, it means the key is correct, and I'm not able to explain why the correct master key would not be able to decrypt the keychain entries.

So, something must have happened in between the key being generated and using it to decrypt the keychain, although the rust code is pretty explicit about not allowing that key to be changed after it's generated.

In other words, I cannot explain how this happened, especially not without more data/logs.

@lambd0x

This comment has been minimized.

lambd0x commented Oct 12, 2018

What about trying to migrate an account which uses all of Turtl 0.6 features?
Create two accounts, A and B. Over the first, A, create this scenario:

  • notes.
  • boards
  • different types of notes, some using images from the internet and from the saved data(through the storage option) and even links.
  • sharing notes through boards with B.
    Over B, perform the very same steps.

And then try over the two accounts to perform the migration process.

Likely something will pop-up. But it won't be easy to narrow down the issue just yet, so from now on you just remove the features in use within the accounts until the problem is mitigated. Hence allowing to identify the culprit. And creating an account with just the culprit feature and confirming the theory in practice.

@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 13, 2018

Good idea, I might try this.

orthecreedence added a commit to turtl/core-rs that referenced this issue Oct 16, 2018

migration: if more than half the keychain entries fail to decrypt, ju…
…st bail and ask the user to try again (why bother creating an account with a failed migration??). this should mitigate turtl/tracker#192 (does not fix, but at least makes them try again)
@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 16, 2018

Still not able to reproduce this, however in 100% of the cases users have brought to my attention, trying a second time works.

I've introduced a change tot he migration system that detects the failure of keychain entries to decrypt. If it senses this, it bails from the migration and asks the user to try again. This is probably the best I can do until we get more details.

@orthecreedence

This comment has been minimized.

Member

orthecreedence commented Oct 26, 2018

I am closing this for now. I can't see a way of fixing it, especially if the app detects the problem and has the user retry. I have not had any more reports of this occurring. I will definitely keep it in mind if the issue comes up again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment