
[Bug]: HMAC does not match. Could not decrypt or decode encrypted session data #42157

Open
5 of 8 tasks
Tracked by #3888
AndyXheli opened this issue Dec 11, 2023 · 196 comments · May be fixed by #47396

Comments

@AndyXheli


Bug description

Getting the following error on NC 28 RC4. Might be the same as #41254 (comment)

Steps to reproduce

Not Sure

Expected behavior

Not Sure

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

No response

Nextcloud Signing status

No response

Nextcloud Logs

{"reqId":"FuMPRjC8eJRqt0MgX7ET","level":3,"time":"2023-12-10T16:02:10-06:00","remoteAddr":"172.58.164.60","user":"--","app":"no app in context","method":"REPORT","url":"/remote.php/dav/files/axheli","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/4.9.3","version":"28.0.0.10","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Security/Crypto.php","line":119,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":90,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":67,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/private/Session/CryptoWrapper.php","line":112,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":449,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":705,"function":"initSession","class":"OC","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1200,"function":"init","class":"OC","type":"::"},{"file":"/var/www/nextcloud/remote.php","line":119,"args":["/var/www/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Security/Crypto.php","Line":158,"message":"Could not decrypt or decode encrypted session data","exception":[],"CustomMessage":"Could not decrypt or decode encrypted session data"},"id":"6577154851e3b"}

Additional info

No response

AndyXheli added the labels "0. Needs triage" (pending check for reproducibility or if it fits our roadmap) and "bug" on Dec 11, 2023
@Mr-Maniac

Mr-Maniac commented Dec 18, 2023

I also get this log when Thunderbird syncs CardDAV/CalDAV via app password (2FA enabled for the "normal" account), but not from Android / DAVx5.

EDIT: Also seems to happen when Browser (Firefox) is freshly opened and I open Nextcloud.

Nextcloud Server Version 28.0.0 (upgraded via web updater)

OS: Gentoo Linux - Kernel 6.1.67-gentoo

PHP 8.2.13

Webserver: Apache

DB: Postgres

DB user backend

No server encryption

Log:
{"reqId":"eHty4HYgC7PZkqoE7Azl","level":3,"time":"2023-12-18T22:31:52+01:00","remoteAddr":"fd00::a7d3:7ce8:c4d3:6189","user":"--","app":"no app in context","method":"PROPFIND","url":"/remote.php/dav/addressbooks/users/XXX/contacts/","message":"Could not decrypt or decode encrypted session data","userAgent":"Thunderbird CardBook/92.1","version":"28.0.0.11","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/mnt/web/nextcloud/lib/private/Security/Crypto.php","line":119,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/mnt/web/nextcloud/lib/private/Session/CryptoSessionData.php","line":90,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/mnt/web/nextcloud/lib/private/Session/CryptoSessionData.php","line":67,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->","args":[]},{"file":"/mnt/web/nextcloud/lib/private/Session/CryptoWrapper.php","line":112,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->","args":[["OC\\Session\\Internal"],["OC\\Security\\Crypto"],"*** sensitive parameters replaced ***"]},{"file":"/mnt/web/nextcloud/lib/base.php","line":449,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->","args":[["OC\\Session\\Internal"]]},{"file":"/mnt/web/nextcloud/lib/base.php","line":705,"function":"initSession","class":"OC","type":"::","args":[]},{"file":"/mnt/web/nextcloud/lib/base.php","line":1200,"function":"init","class":"OC","type":"::","args":[]},{"file":"/mnt/web/nextcloud/remote.php","line":119,"args":["/mnt/web/nextcloud/lib/base.php"],"function":"require_once"}],"File":"/mnt/web/nextcloud/lib/private/Security/Crypto.php","Line":158,"message":"Could not decrypt or decode encrypted session data","exception":[],"CustomMessage":"Could not decrypt or decode encrypted session data"},"id":"6580bb340ff49"}

@o-live-r

I get the same bug using Ubuntu 22.04.03 LTS (VM) with MariaDB and nginx.

@rrose-github

I just did a clean install of Nextcloud 28.0.0 on Ubuntu 22.04 LTS using nginx, PHP 8.2, and PostgreSQL as the database. I too have received the exception "HMAC does not match. Could not decrypt or decode encrypted session data"

Given the timestamp of the exception, I probably was accessing the server using the Nextcloud iOS app.

@BJKle

BJKle commented Dec 21, 2023

@rrose-github that's it. When I open the latest NC iOS App the error gets thrown. Now I know why I have so many of these errors. Hopefully it gets fixed soon.

@AndyXheli
Author

AndyXheli commented Dec 22, 2023

Hi @marinofaggiana, is this something that needs to be addressed in the iOS app or on the server end?

@johnczer

I saw this error only one time when trying to open a document in Nextcloud from an iOS device over cellular. But it was because I was blocking access to the Collabora Online port. Once I opened the port to CODE again, this error did not reappear.

@IssueFindings

Hello, I have the same issue. In my case, with the latest NextCloud/PHP/Nginx installation and the Nextcloud Mac legacy client, when I turn off the plugin "End-to-end encryption" everything works again. I think this plugin is not fully tested with the latest NextCloud server version. Have a nice Christmas day!

@rrose-github

Just to update my previous mention of getting the HMAC error when accessing the Nextcloud server from my iPhone. The version of the Nextcloud iOS app that I have installed is "Nextcloud Liquid for iOS 4.9.6.1". I don't have Collabora or any VPN software installed. Presumably the iPhone was utilizing my WiFi connection, and not cellular.

@rrose-github

rrose-github commented Dec 29, 2023

As an additional follow-up, the HMAC error seems to happen when I first attempt to play an MP3 that is on my Nextcloud account. At this time, I'm not sure if that is the only time the HMAC error is generated, but playing an MP3 seems to usually trigger the issue.

For anyone else getting this error, the "work-around solution" that I found was to add these lines to the /lib/systemd/system/php8.2-fpm.service file under the [Service] section:

Restart=on-failure
RestartSec=1s 

After modifying the service file, you also need to execute this statement:
sudo systemctl daemon-reload

When the HMAC error is generated in Nextcloud, php8.2-fpm is being killed with an "oom-kill". The above lines will cause Linux to automatically restart php8.2-fpm, restoring everything to normal. Also, after php8.2-fpm is restarted, the Nextcloud iOS app is able to play the audio file.

NOTE: I happen to have version 8.2 of php installed on this system. If you have a different version of php installed, then the version number in the filename will change accordingly.

@GrahamTolhurst

GrahamTolhurst commented Dec 30, 2023

Nextcloud 28.01, Ubuntu Server 22.04.3, Apache 2.4.58, MariaDB 10.6.12, PHP 8.2.14, Nextcloud Default Encryption Module disabled.

I'm getting the exact same problem. However, I can't find a trigger for it. Some of the posts above highlight actions that cause this, but none of them reliably trigger this in the Nextcloud log. When I notice the log entry, the timestamp is always several hours ago, and I can't remember what I was doing at the time.

I have the iOS Nextcloud app, but opening and browsing through that doesn't trigger this event. I have Calendar and Contacts syncing with my iPhone Calendar and Contacts, but a manual sync doesn't trigger it. I have Joplin on more than one PC, syncing via local folders, and also on my iPhone syncing via WebDAV URL with an app specific password assigned in Settings-Personal Security-Devices & sessions.

I also have Home Assistant (on a Raspberry Pi) that is connected to my Nextcloud with an app specific password.

In the raw log entry, there is a reference to iOS, so the problem may be triggered by something on my iPhone. Manually syncing any of my connected apps/services doesn't trigger this event.

@GrahamTolhurst

Suspecting that the problem may be related to the iOS Nextcloud app (despite not being able to manually trigger the error), I looked a bit deeper into the app settings. There is a log file created by the app. There is a section in the log that's time stamped with the same time and date as the errors in my Nextcloud server log.

Attached to this post is a copy of the relevant section. I'm no expert, but it looks like 'user_status' is causing the issue. Now that reminds me that I've been having problems with my user status within Nextcloud. It's not consistent. It seems to be a random status (Online, Away, Do Not Disturb etc.) despite trying to set it as Online. I remember recently disabling it in the Nextcloud server apps. I don't use this feature, and its random status was annoying, so I disabled it. Maybe this is the issue?

iOS_Nextcloud_Log.txt

@Mr-Maniac

Just a little addendum to my last post:

Nextcloud and PHP have been updated in the meantime:

Nextcloud Server Version 28.0.1 (updated via web updater)

PHP 8.2.14

Log still appears but it seems like it does not have any negative side effects (aside from the log entry everything seems to be working normally). Response-codes are all normal (200/207) and no PHP error messages.

Really only happens when Thunderbird (with the CardBook extension) is freshly opened (NOT on sync when it is still running) and when Firefox is freshly opened and I open Nextcloud (no matter if I open /apps/dashboard/ or apps/files/), but if I open Nextcloud again in the running Firefox instance, the log entry does not appear...

@alienos

alienos commented Dec 30, 2023

In my case there is an error when uploading a photo from the android app.

{
  "reqId": "XKpOw8vNOPny1Tvq85B6",
  "level": 3,
  "time": "2023-12-30T22:41:28+00:00",
  "remoteAddr": "192.168.1.228",
  "user": "--",
  "app": "no app in context",
  "method": "GET",
  "url": "/index.php/apps/files/api/v1/thumbnail/128/128/InstantUpload/Camera/IMG_20231230_234115910_MP.jpg",
  "message": "Could not decrypt or decode encrypted session data",
  "userAgent": "Mozilla/5.0 (Android) Nextcloud-android/3.26.0",
  "version": "28.0.1.1",
  "exception": {
    "Exception": "Exception",
    "Message": "HMAC does not match.",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/html/lib/private/Security/Crypto.php",
        "line": 119,
        "function": "decryptWithoutSecret",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/html/lib/private/Session/CryptoSessionData.php",
        "line": 90,
        "function": "decrypt",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/html/lib/private/Session/CryptoSessionData.php",
        "line": 67,
        "function": "initializeSession",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->",
        "args": []
      },
      {
        "file": "/var/www/html/lib/private/Session/CryptoWrapper.php",
        "line": 112,
        "function": "__construct",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->",
        "args": [
          [
            "OC\\Session\\Internal"
          ],
          [
            "OC\\Security\\Crypto"
          ],
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/html/lib/base.php",
        "line": 449,
        "function": "wrapSession",
        "class": "OC\\Session\\CryptoWrapper",
        "type": "->",
        "args": [
          [
            "OC\\Session\\Internal"
          ]
        ]
      },
      {
        "file": "/var/www/html/lib/base.php",
        "line": 705,
        "function": "initSession",
        "class": "OC",
        "type": "::",
        "args": []
      },
      {
        "file": "/var/www/html/lib/base.php",
        "line": 1200,
        "function": "init",
        "class": "OC",
        "type": "::",
        "args": []
      },
      {
        "file": "/var/www/html/index.php",
        "line": 37,
        "args": [
          "/var/www/html/lib/base.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/html/lib/private/Security/Crypto.php",
    "Line": 158,
    "message": "Could not decrypt or decode encrypted session data",
    "exception": [],
    "CustomMessage": "Could not decrypt or decode encrypted session data"
  },
  "id": "65909e899b44d"
}

@noci2012

noci2012 commented Jan 2, 2024

Similar, just on a heartbeat ... from a Chromium browser on up-to-date Gentoo Linux

{"reqId":"7SPmtU8WtanMMDXtcjVF","level":3,"time":"2024-01-02T01:55:54+00:00","remoteAddr":"192.168.x.y","user":"--","app":"no app in context","method":"PUT","url":"/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","version":"28.0.1.1","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Security/Crypto.php","line":119,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":90,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Session/CryptoSessionData.php","line":67,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/private/Session/CryptoWrapper.php","line":112,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":449,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":705,"function":"initSession","class":"OC","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1200,"function":"init","class":"OC","type":"::"},{"file":"/var/www/nextcloud/ocs/v1.php","line":31,"args":["/var/www/nextcloud/lib/base.php"],"function":"require_once"},{"file":"/var/www/nextcloud/ocs/v2.php","line":23,"args":["/var/www/nextcloud/ocs/v1.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Security/Crypto.php","Line":158,"message":"Could not decrypt or decode encrypted session data","exception":[],"CustomMessage":"Could not decrypt or decode encrypted session data"},"id":"6593e7a938c1b"}

@eugef66

eugef66 commented Jan 2, 2024

Getting the same errors for all files I upload using Nextcloud iOS app:

{
  "reqId": "E0TPH6vF3HOND0zR1WM5",
  "level": 3,
  "time": "2023-12-27T03:38:22+00:00",
  "remoteAddr": "207.44.63.80",
  "user": "--",
  "app": "no app in context",
  "method": "MKCOL",
  "url": "/nextcloud/remote.php/dav/files/vasa/Photos/2023",
  "message": "Could not decrypt or decode encrypted session data",
  "userAgent": "Mozilla/5.0 (iOS) Nextcloud-iOS/4.9.6",
  "version": "28.0.1.1",
  "exception": {
    "Exception": "Exception",
    "Message": "HMAC does not match.",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/nextcloud/lib/private/Security/Crypto.php",
        "line": 119,
        "function": "decryptWithoutSecret",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Session/CryptoSessionData.php",
        "line": 90,
        "function": "decrypt",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/nextcloud/lib/private/Session/CryptoSessionData.php",
        "line": 67,
        "function": "initializeSession",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Session/CryptoWrapper.php",
        "line": 112,
        "function": "__construct",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/base.php",
        "line": 449,
        "function": "wrapSession",
        "class": "OC\\Session\\CryptoWrapper",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/base.php",
        "line": 705,
        "function": "initSession",
        "class": "OC",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/lib/base.php",
        "line": 1200,
        "function": "init",
        "class": "OC",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/remote.php",
        "line": 119,
        "args": [
          "/var/www/nextcloud/lib/base.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/nextcloud/lib/private/Security/Crypto.php",
    "Line": 158,
    "message": "Could not decrypt or decode encrypted session data",
    "exception": [],
    "CustomMessage": "Could not decrypt or decode encrypted session data"
  },
  "id": "65946242321a0"
}

@whitewings00

whitewings00 commented Jan 3, 2024

I get the same error entry when I open the iOS app. If it stays open in the background, the error doesn't appear for me. If the app is closed completely and reopened, this error message appears again.
Nextcloud 28.01, Debian GNU/Linux 12 (bookworm) on a Raspi, Apache 2.4.58 + NGINX Proxy Manager (on another host), MariaDB 10.6.12, PHP 8.2.14; the Nextcloud Default Encryption Module and the user_status app are disabled (not in use).

@szaimen
Contributor

szaimen commented Jan 3, 2024

cc @ChristophWurst

@ChristophWurst
Member

Session is decrypted using the oc_sessionPassphrase cookie value. I think this error happens when the cookie is assigned a new value and the old one is still sent to the backend. This might be a timing problem or race condition.
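The failure mode described in the comment above, as an added illustration that is not Nextcloud's code: the stored session blob is authenticated under a key derived from the passphrase the client presents in its cookie, so a request that still carries the previous cookie value (or a cookie value damaged in transit) fails the tag check before any plaintext is touched, which is exactly where the "HMAC does not match." line comes from. The key derivation, the HMAC-in-counter-mode stand-in cipher and the blob layout are constructed for this example and deliberately kept to the Python standard library; they are not the construction Nextcloud uses.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cookie-keyed encrypted session store. It mirrors
# only the shape of the failure: the blob is MAC'd under a key derived from the
# passphrase the client presents, so a stale, rotated or damaged passphrase
# fails the HMAC check before any plaintext is produced.

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag


class HmacMismatch(Exception):
    """Raised when the tag does not verify; mirrors the 'HMAC does not match.' log line."""


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the cookie passphrase (PBKDF2, illustrative)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_session(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC: salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_session(blob: bytes, passphrase: str) -> bytes:
    """Verify the tag under the presented passphrase first; only then decrypt."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise HmacMismatch("HMAC does not match.")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise HmacMismatch("HMAC does not match.")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def classify(blob: bytes, passphrase: str) -> str:
    """Return what the server would log for this (blob, cookie value) pair."""
    try:
        open_session(blob, passphrase)
        return "ok"
    except HmacMismatch as exc:
        return str(exc)


def simulate_cookie_rotation() -> dict:
    """Replay the race: the server rotates the passphrase cookie and re-seals the
    session, while an in-flight request still presents the old cookie value.
    Also shows a cookie value truncated in transit and a corrupted stored blob."""
    session = b'{"user":"alice","loginname":"alice"}'  # constructed session payload
    old_cookie, new_cookie = "old-passphrase", "new-passphrase"

    stored = seal_session(session, old_cookie)
    results = {"fresh_cookie": classify(stored, old_cookie)}

    # Server re-encrypts the session under the rotated cookie value ...
    stored = seal_session(open_session(stored, old_cookie), new_cookie)
    # ... but a request that raced the Set-Cookie still presents the old one.
    results["stale_cookie"] = classify(stored, old_cookie)
    results["rotated_cookie"] = classify(stored, new_cookie)

    # A proxy that truncates the cookie header, or storage that flips a byte,
    # fails the same check: the log line alone cannot tell these apart.
    results["truncated_cookie"] = classify(stored, new_cookie[:-1])
    damaged = bytearray(stored)
    damaged[SALT_LEN + NONCE_LEN] ^= 0x01  # first ciphertext byte
    results["corrupted_blob"] = classify(bytes(damaged), new_cookie)
    return results


if __name__ == "__main__":
    for case, outcome in simulate_cookie_rotation().items():
        print(f"{case:17s} -> {outcome}")
```

The point for triage is the last two cases: a stale cookie from a client that raced a rotation and a cookie mangled by an intermediary produce the identical log line, so the server-side message alone does not say which side is at fault.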

@hanserasmus

I get this when trying to upload a file via the android app. More specifically, going to a different app than nextcloud, like CamScan app, pressing the share button, and then selecting Nextcloud. I get this no matter what app I use. If I try to upload via the + sign inside the Nextcloud app, it works fine.

I don't have any encryption enabled, so it is definitely not related to encryption, and definitely not only iOS app.

Server is Apache/2.4.37 (CentOS Stream), PHP 8.1, and MariaDB 10.5.23-1.el8.x86_64.

@noci2012

I think it is linked to idle time, where some cookies expire and others do not, or the generated password is used.
It also happens in the regular browser or the Linux desktop client (as a laptop is also the remote address in the logging).

@GrahamTolhurst

I think @noci2012 is on the right lines. The problem is definitely related to the use of the Nextcloud app. It will trigger four consecutive errors whenever I use the iOS Nextcloud app to authenticate a login on another device. And it will also trigger four consecutive errors if I access a file on the Nextcloud app (it may cause the errors just when opening the app, but I haven't verified this yet). However, the problem is not repeatable. If I use the app and get the errors, using it again within a few tens of minutes does not create more errors. There is definitely a time since last used, after which, re-using the app will cause the errors. I have no idea how long it takes before using the app causes another set of four errors.

There is a minor Nextcloud server update due to be released next week. The RC1 doesn't list this error in the list of fixes applied, so I'm guessing nobody has looked into this problem yet, or if they have, they haven't identified or fixed it. There also seems to be a lack of feedback on this chat thread about any positive resolution. I realise the problem may not be with Nextcloud server, but with the Nextcloud app, but some feedback would be reassuring to see. Then at least we know it's being addressed.
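Several posters above say they cannot find a trigger because the log entry is hours old by the time they notice it, while this comment reports bursts of four errors separated by long idle periods. An added triage script (not part of Nextcloud or this thread) that reads nextcloud.log line by line, keeps only the HMAC entries, groups them per client (remote address plus user agent) into bursts, and reports the idle gap before each burst, so the "time since last use" hypothesis can be checked against real data instead of memory. The log lines below are constructed samples with made-up addresses and times, trimmed to the fields the script uses; the field names themselves match the entries posted in this issue.

```python
import json
from collections import defaultdict
from datetime import datetime

HMAC_MESSAGE = "Could not decrypt or decode encrypted session data"

# Constructed sample of nextcloud.log lines (one JSON object per line).
# Addresses, user names and times are made up; the field names match the
# entries posted in the issue. Includes an unrelated warning and a non-JSON
# line to show that both are skipped.
SAMPLE_LOG = """
{"reqId":"a1","level":3,"time":"2024-01-05T03:13:24+00:00","remoteAddr":"192.0.2.10","user":"--","method":"GET","url":"/ocs/v2.php/apps/user_status/api/v1/user_status","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
{"reqId":"a2","level":3,"time":"2024-01-05T03:13:25+00:00","remoteAddr":"192.0.2.10","user":"--","method":"GET","url":"/index.php/avatar/alice/384","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
{"reqId":"a3","level":3,"time":"2024-01-05T03:13:26+00:00","remoteAddr":"192.0.2.10","user":"--","method":"GET","url":"/ocs/v2.php/apps/dashboard/api/v1/widgets","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
{"reqId":"a4","level":3,"time":"2024-01-05T03:13:27+00:00","remoteAddr":"192.0.2.10","user":"--","method":"PROPFIND","url":"/remote.php/dav/files/alice","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
{"reqId":"b1","level":3,"time":"2024-01-05T04:00:00+00:00","remoteAddr":"198.51.100.7","user":"--","method":"PROPFIND","url":"/remote.php/dav/addressbooks/users/bob/contacts/","message":"Could not decrypt or decode encrypted session data","userAgent":"Thunderbird CardBook/92.1"}
{"reqId":"c1","level":2,"time":"2024-01-05T04:30:00+00:00","remoteAddr":"192.0.2.10","user":"alice","method":"GET","url":"/status.php","message":"Some unrelated warning","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
not json at all
{"reqId":"a5","level":3,"time":"2024-01-05T05:40:10+00:00","remoteAddr":"192.0.2.10","user":"--","method":"PUT","url":"/ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
{"reqId":"a6","level":3,"time":"2024-01-05T05:40:12+00:00","remoteAddr":"192.0.2.10","user":"--","method":"GET","url":"/index.php/avatar/alice/384","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2"}
"""


def parse_hmac_events(text: str) -> list:
    """Keep only the HMAC session errors, as (time, client, request) records sorted by time."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial writes or non-JSON noise
        if rec.get("message") != HMAC_MESSAGE:
            continue
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "client": (rec.get("remoteAddr", "?"), rec.get("userAgent", "?")),
            "request": f"{rec.get('method', '?')} {rec.get('url', '?')}",
        })
    events.sort(key=lambda e: e["time"])
    return events


def _summarise(client, evs, last_end):
    start = evs[0]["time"]
    return {
        "client": client,
        "start": start.isoformat(),
        "count": len(evs),
        "requests": [e["request"] for e in evs],
        # seconds since this client's previous burst ended; None for its first burst
        "idle_before_s": None if last_end is None else int((start - last_end).total_seconds()),
    }


def group_bursts(events: list, window_seconds: int = 60) -> list:
    """Per client, merge errors that follow each other within window_seconds into one burst."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev["client"]].append(ev)
    bursts = []
    for client, evs in per_client.items():
        current, last_end = [evs[0]], None
        for ev in evs[1:]:
            if (ev["time"] - current[-1]["time"]).total_seconds() <= window_seconds:
                current.append(ev)
            else:
                bursts.append(_summarise(client, current, last_end))
                last_end = current[-1]["time"]
                current = [ev]
        bursts.append(_summarise(client, current, last_end))
    return bursts


if __name__ == "__main__":
    for b in group_bursts(parse_hmac_events(SAMPLE_LOG)):
        addr, ua = b["client"]
        print(f"{b['start']}  {addr:14s} {ua[:40]:40s} errors={b['count']} idle_before={b['idle_before_s']}")
        for req in b["requests"]:
            print(f"    {req}")
```

On a real install, replace SAMPLE_LOG with the contents of nextcloud.log; the first request of each burst and the idle gap before it are the two values worth correlating with what the client was doing at that moment.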

@AndyXheli
Author

Still waiting on the iOS team to respond; they were tagged a while back in one of my comments.

@sonyon

sonyon commented Jan 19, 2024

I don't think the problem is with the apps, it happened to me during a fresh installation. Without using the apps. The logins via the web interface fail several times and I have the error message in the logs. The cookies didn't have time to expire at the time either.


@raptortees0f

It was worth the try, but the issue persists. 😕

@vincelegithub

I also see this issue. I just saw this error when uploading a picture from the Android client, but the picture still got uploaded. The next picture I took and uploaded went fine, without any error. Seems kind of random. I don't know if this error has any consequence. I deleted all old tokens just to be sure, but the error still persists.

{"reqId":"CNDhgiFzqeDd8oKzSnoJ","level":3,"time":"2024-06-11T19:58:19+00:00","remoteAddr":"REDACTED","user":"--","app":"no app in context","method":"GET","url":"/index.php/apps/files/api/v1/thumbnail/256/256/InstantUpload/Camera/20240611_155750.jpg","message":"Could not decrypt or decode encrypted session data","userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.29.0","version":"29.0.1.1","exception":{"Exception":"Exception","Message":"HMAC does not match.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Security/Crypto.php","line":119,"function":"decryptWithoutSecret","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":91,"function":"decrypt","class":"OC\\Security\\Crypto","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Session/CryptoSessionData.php","line":68,"function":"initializeSession","class":"OC\\Session\\CryptoSessionData","type":"->","args":[]},{"file":"/var/www/html/lib/private/Session/CryptoWrapper.php","line":112,"function":"__construct","class":"OC\\Session\\CryptoSessionData","type":"->","args":[["OC\\Session\\Internal"],["OC\\Security\\Crypto"],"*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":455,"function":"wrapSession","class":"OC\\Session\\CryptoWrapper","type":"->","args":[["OC\\Session\\Internal"]]},{"file":"/var/www/html/lib/base.php","line":711,"function":"initSession","class":"OC","type":"::","args":[]},{"file":"/var/www/html/lib/base.php","line":1181,"function":"init","class":"OC","type":"::","args":[]},{"file":"/var/www/html/index.php","line":47,"args":["/var/www/html/lib/base.php"],"function":"require_once"}],"File":"/var/www/html/lib/private/Security/Crypto.php","Line":158,"message":"Could not decrypt or decode encrypted session data","exception":[],"CustomMessage":"Could not decrypt or decode encrypted session data"},"id":"6668b1f5e59f0"}

@sassanix

I too have this error, removed the auth tokens as well.



@ChristophWurst
Member

I'm reading the ticket

@jaark

jaark commented Jun 27, 2024

My thoughts on this are that the error message people are seeing is a symptom of a fault, not the fault in itself. Nextcloud is receiving a request that does not match the accompanying HMAC verification code sent with it. This is the first point where NC code can identify that something has gone wrong. The problem is that there is no context available to identify what has gone wrong, and reporting the 'HMAC error' in isolation is meaningless.

In my case, the problem was caused by an upstream reverse proxy truncating or dropping some requests. That says that the symptom can be caused by network errors, caching or a large number of other things outside of NC, as well as the possibility that something within NC is at fault, but without further investigation of surrounding factors unique to each environment, it is impossible to say.

Imagine you are trying to make a telephone call to your friend. Every time you dial their number, someone answers and says you have the wrong number. There could be many reasons for this - you may have the wrong number, your friend may have changed their number, there may be a routing fault in the phone network, you could be misdialling, some prankster may have swapped around the number keys on your phone etc. etc. There is only one of these scenarios that your phone company can help with, and if there isn't a detectable fault on the network, eventually they are going to stop responding to your 'wrong number' complaints.

@SuperdukeGates

Actually, I'm not a technical guy, but I understand the difficulties of the developers as you said.

Though the 'HMAC error' in isolation is meaningless (not non-sense), how about the developers show users light to make it meaningful.

We have many technical people here who try to identify the cause of this error. If possible, IMHO, developers could co-work with these people to isolate this issue to find out whether it's "wrong number" or "routing fault in the phone network" or others.

Have a nice day ! :)


@reinob

reinob commented Jun 27, 2024

Would it be possible to stop posting unnecessary stuff and/or opinions or speculations, and let the developers work on the issue and fix it? If they need additional information from those affected, I'm sure they will ask. But github issues should be used for reporting, not for further discussing about things that won't interest those affected by the bug.

Thanks in advance!

@SuperdukeGates

You are right, I should not post unnecessary stuff and/or opinions or speculations. I apologize.

I found steps that can always trigger this "HMAC error" issue in my environment.

My Nextcloud server is 28.0.7.4 installed on Linux. PHP 8.3, MariaDB 10.3.39, Apache web server 2.4.41. No proxy at all.

I use iPhone 13 iOS 17.5.1. Nextcloud-ios 5.3.2, autoupload disabled.

The steps are:

  1. Make sure nextcloud-ios is swiped up (I mean the way to terminate nextcloud-ios), press the power button to turn the iPhone screen off, then wait about 10 minutes.
  2. Wake up phone and click nextcloud-ios App.

That's it. This will always trigger the "HMAC error".

I have both nextcloud logs[1] and nextcloud-ios logs[2] for your reference. Actually the steps above will trigger 1~3 nextcloud "HMAC error" logs, I only paste the first one here.

According to these logs, my steps trigger the "HMAC error" in the session init phase, while nextcloud-ios wants to get the user status:
/ocs/v2.php/apps/user_status/api/v1/user_status

[1] Below are the logs from Nextcloud

  "reqId": "jRXAPd0OQ0bw1MPQkLMN",
  "level": 3,
  "time": "2024-06-28T03:13:27+00:00",
  "remoteAddr": "192.168.1.9",
  "user": "--",
  "app": "no app in context",
  "method": "GET",
  "url": "/index.php/avatar/superduke/384",
  "message": "Could not decrypt or decode encrypted session data",
  "userAgent": "Mozilla/5.0 (iOS) Nextcloud-iOS/5.3.2",
  "version": "28.0.7.4",
  "exception": {
    "Exception": "Exception",
    "Message": "HMAC does not match.",
    "Code": 0,
    "Trace": [
      {
        "file": "/nextcloud/lib/private/Security/Crypto.php",
        "line": 119,
        "function": "decryptWithoutSecret",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/nextcloud/lib/private/Session/CryptoSessionData.php",
        "line": 90,
        "function": "decrypt",
        "class": "OC\\Security\\Crypto",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/nextcloud/lib/private/Session/CryptoSessionData.php",
        "line": 67,
        "function": "initializeSession",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->"
      },
      {
        "file": "/nextcloud/lib/private/Session/CryptoWrapper.php",
        "line": 112,
        "function": "__construct",
        "class": "OC\\Session\\CryptoSessionData",
        "type": "->"
      },
      {
        "file": "/nextcloud/lib/base.php",
        "line": 449,
        "function": "wrapSession",
        "class": "OC\\Session\\CryptoWrapper",
        "type": "->"
      },
      {
        "file": "/nextcloud/lib/base.php",
        "line": 705,
        "function": "initSession",
        "class": "OC",
        "type": "::"
      },
      {
        "file": "/nextcloud/lib/base.php",
        "line": 1200,
        "function": "init",
        "class": "OC",
        "type": "::"
      },
      {
        "file": "/nextcloud/index.php",
        "line": 37,
        "args": [
          "/nextcloud/lib/base.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/nextcloud/lib/private/Security/Crypto.php",
    "Line": 158,
    "message": "Could not decrypt or decode encrypted session data",
    "exception": [],
    "CustomMessage": "Could not decrypt or decode encrypted session data"
  },
  "id": "667e2d78ebd62"

[2] Below are the logs from nextcloud-ios

2024-06-28 03:13:21 [INFO] Start session with level 1 Nextcloud Hydrogen for iOS 5.3.2.0 © 2024
2024-06-28 03:13:21 [INFO] DATABASE FOUND in /private/var/mobile/Containers/Shared/......
2024-06-28 03:13:22 [INFO] Account active superduke https://example.com
2024-06-28 03:13:22 --------- ThumbnailLRUCache image process ---------
2024-06-28 03:13:22 Counter cache image: 5
2024-06-28 03:13:22 Counter cache size: 1
2024-06-28 03:13:22 Total size images process: 698 KB
2024-06-28 03:13:22 Time process: 0.007655024528503418
2024-06-28 03:13:22 --------- ThumbnailLRUCache image process ---------
2024-06-28 03:13:22 [INFO] Scene will enter in foreground
2024-06-28 03:13:22 [INFO] Scene did become active
2024-06-28 03:13:22 [INFO] Initialize Auto upload with 0 uploads
2024-06-28 03:13:22 Network request started: PROPFIND https://example.com/remote.php/dav/files/superduke
2024-06-28 03:13:22 Network request started: HEAD https://push-notifications.nextcloud.com
2024-06-28 03:13:22 Network request started: GET https://example.com/status.php
2024-06-28 03:13:23 [INFO] Scene will resign active
2024-06-28 03:13:23 Network response request: https://example.com/status.php, result: success(170 bytes)
2024-06-28 03:13:23 Network request started: GET https://example.com/ocs/v2.php/cloud/user
2024-06-28 03:13:24 Network request started: PROPFIND https://example.com/remote.php/dav/files/superduke
2024-06-28 03:13:24 Network response request: https://example.com/remote.php/dav/files/superduke, result: success(1838 bytes)
2024-06-28 03:13:24 Network response request: https://example.com/remote.php/dav/files/superduke, result: success(1838 bytes)
2024-06-28 03:13:24 Network response request: https://example.com/ocs/v2.php/cloud/user, result: success(1102 bytes)
2024-06-28 03:13:24 Network request started: GET https://example.com/ocs/v1.php/cloud/capabilities
2024-06-28 03:13:24 Network request started: GET https://example.com/index.php/avatar/superduke/384
2024-06-28 03:13:24 Network request started: GET https://example.com/ocs/v2.php/apps/dashboard/api/v1/widgets
2024-06-28 03:13:24 Network request started: REPORT https://example.com/remote.php/dav/files/superduke
2024-06-28 03:13:25 Network response request: https://example.com/ocs/v2.php/apps/dashboard/api/v1/widgets, result: success(2110 bytes)
2024-06-28 03:13:25 Network request started: GET https://example.com/apps/activity/img/activity-dark.svg
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/apps/files/api/v1/directEditing
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/apps/user_status/api/v1/user_status
2024-06-28 03:13:25 Network request started: GET https://example.com/apps/calendar/img/calendar-dark.svg
2024-06-28 03:13:25 Network response request: https://example.com/remote.php/dav/files/superduke, result: success(156 bytes)
2024-06-28 03:13:25 Network response request: https://example.com/ocs/v2.php/apps/files/api/v1/directEditing, result: success(753 bytes)
2024-06-28 03:13:25 Network response request: https://example.com/ocs/v2.php/apps/user_status/api/v1/user_status, result: failure(Alamofire.AFError.responseValidationFailed(reason: Alamofire.AFError.ResponseValidationFailureReason.unacceptableStatusCode(code: 404)))
2024-06-28 03:13:25 [INFO] Synchronize Favorite
2024-06-28 03:13:25 Network request started: GET https://example.com/apps/mail/img/mail.svg
2024-06-28 03:13:25 Network request started: GET https://example.com/apps/mail/img/mail.svg
2024-06-28 03:13:25 Network request started: GET https://example.com/apps/notes/img/notes-dark.svg
2024-06-28 03:13:25 [INFO] Scene did become active
2024-06-28 03:13:25 [INFO] Initialize Auto upload with 0 uploads
2024-06-28 03:13:25 Network request started: GET https://example.com/status.php
2024-06-28 03:13:25 Network response request: https://example.com/status.php, result: success(170 bytes)
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/cloud/user
2024-06-28 03:13:25 Network response request: https://example.com/ocs/v2.php/cloud/user, result: success(1102 bytes)
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v1.php/cloud/capabilities
2024-06-28 03:13:25 Network request started: GET https://example.com/index.php/avatar/superduke/384
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/apps/dashboard/api/v1/widgets
2024-06-28 03:13:25 Network request started: REPORT https://example.com/remote.php/dav/files/superduke
2024-06-28 03:13:25 Network response request: https://example.com/remote.php/dav/files/superduke, result: success(156 bytes)
2024-06-28 03:13:25 [INFO] Synchronize Favorite
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/apps/files/api/v1/directEditing
2024-06-28 03:13:25 Network request started: GET https://example.com/ocs/v2.php/apps/user_status/api/v1/user_status
2024-06-28 03:13:26 Network response request: https://example.com/ocs/v2.php/apps/user_status/api/v1/user_status, result: failure(Alamofire.AFError.responseValidationFailed(reason: Alamofire.AFError.ResponseValidationFailureReason.unacceptableStatusCode(code: 404)))
2024-06-28 03:13:26 Network response request: https://example.com/ocs/v2.php/apps/dashboard/api/v1/widgets, result: success(2110 bytes)
2024-06-28 03:13:26 Network response request: https://example.com/ocs/v2.php/apps/files/api/v1/directEditing, result: success(753 bytes)
2024-06-28 03:13:26 Network request started: GET https://example.com/apps/mail/img/mail.svg
2024-06-28 03:13:26 Network request started: GET https://example.com/apps/calendar/img/calendar-dark.svg
2024-06-28 03:13:26 Network request started: GET https://example.com/apps/notes/img/notes-dark.svg
2024-06-28 03:13:26 Network request started: GET https://example.com/apps/activity/img/activity-dark.svg
2024-06-28 03:13:26 Network request started: GET https://example.com/apps/mail/img/mail.svg

@sirjasonyin

In my case, the problem was caused by an upstream reverse proxy truncating or dropping some requests.

@jaark are you able to share with us how you fixed this problem with the reverse proxy? I am using nginx as my upstream reverse proxy and suspect this might be the root cause of the problem.

@marinofaggiana
Member

we are working on it

@GrahamTolhurst

There has been a slight change for me with the errors that are reported when accessing my Nextcloud instance from the iOS app. Up until recently, sometimes when using the iOS app, Nextcloud would report between three and five "Exception
HMAC does not match" errors, all with the same timestamp - note: the errors didn't occur with every use of the iOS app. In the last week or so, this has changed to only reporting one error. I've never seen only one error reported until recently.

@ChristophWurst
Member

ChristophWurst commented Jul 22, 2024

Here are more details on #42157 (comment).

Background info: PHP sessions are tracked with cookies. Nextcloud's PHP sessions are encrypted. The passphrase is stored in a cookie. Therefore a Nextcloud process always sends two cookies: session identifier + session passphrase.

The problematic detail lies in requests that do not send any cookies. Then a PHP session is started for each request, and a session passphrase is generated for each request. When requests are sent concurrently, the order in which the requests finish determines the session and passphrase cookies that survive. Older values are always overwritten.

It seems possible that the session and passphrase cookies go out of sync. That is, you have a session cookie and a passphrase that do not belong together.

Possible remedy 1: distinct session passphrase per session

Right now the session passphrase cookie name is the same for every session. If you are in PHP session abc and session def you get the same passphrase cookie. To eliminate the conflict we could use distinct cookie names, e.g. with the (hashed) session id inside the cookie name. E.g. session_passphrase_abc for the passphrase of session abc. Session def gets its own cookie session_passphrase_def and the conflict is eliminated.

Possible remedy 2: custom PHP session handler and atomic session id + passphrase cookie

Instead of two cookies for the session ID and the passphrase we could try to combine them in one cookie and extract the two parts in something like a custom PHP session handler.

https://www.php.net/manual/en/class.sessionhandler.php

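The race described in the comment above, and both proposed remedies, as an added simulation that is not Nextcloud's code and not part of the issue thread. It reduces the encrypted session to an HMAC tag keyed by the passphrase cookie, so the only failure modelled is the "HMAC does not match" exception from the logs. The cookie names, the session payloads and the worst-case cookie interleaving on the client are all constructed for the example; Python is used so the model runs stand-alone.

```python
import hashlib
import hmac
import secrets

# Added model of the race described in the comment (not Nextcloud code):
# the server stores authenticated session data keyed by a PHP session id,
# but the key material needed to open it lives only in a second cookie on
# the client. Encryption is reduced to an HMAC tag, so the "HMAC does not
# match" failure is the only thing modelled.

SESSION_COOKIE = "sim_session"                   # constructed name
PASSPHRASE_COOKIE = "sim_passphrase"             # constructed name
COMBINED_COOKIE = "sim_session_and_passphrase"   # constructed name (remedy 2)


class SessionStore:
    """Server side: session id -> (HMAC tag, payload)."""

    def __init__(self) -> None:
        self.sessions: dict[str, tuple[str, bytes]] = {}

    def start(self, payload: bytes) -> tuple[str, str]:
        # A cookie-less request starts a fresh session with a fresh passphrase.
        sid = secrets.token_hex(16)
        passphrase = secrets.token_hex(16)
        tag = hmac.new(passphrase.encode(), payload, hashlib.sha256).hexdigest()
        self.sessions[sid] = (tag, payload)
        return sid, passphrase

    def open(self, sid: str, passphrase: str) -> bytes:
        # Opening a session with the wrong passphrase fails the tag check.
        tag, payload = self.sessions[sid]
        expected = hmac.new(passphrase.encode(), payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC does not match.")
        return payload


def passphrase_cookie_name(sid: str, mode: str) -> str:
    if mode == "per_session":
        # Remedy 1: bind the passphrase cookie to its session via a hash of the id.
        return f"{PASSPHRASE_COOKIE}_{hashlib.sha256(sid.encode()).hexdigest()[:16]}"
    return PASSPHRASE_COOKIE


def set_cookie_headers(sid: str, passphrase: str, mode: str) -> list[tuple[str, str]]:
    """The Set-Cookie headers one response carries under a given cookie layout."""
    if mode == "combined":
        # Remedy 2: one cookie, so id and passphrase can never be split apart.
        return [(COMBINED_COOKIE, f"{sid}.{passphrase}")]
    return [(SESSION_COOKIE, sid), (passphrase_cookie_name(sid, mode), passphrase)]


def cookies_for_next_request(jar: dict[str, str], mode: str) -> tuple[str, str]:
    """What the client sends next: the session id and the passphrase it finds for it."""
    if mode == "combined":
        sid, passphrase = jar[COMBINED_COOKIE].split(".", 1)
        return sid, passphrase
    sid = jar[SESSION_COOKIE]
    return sid, jar[passphrase_cookie_name(sid, mode)]


def race_two_cookieless_requests(mode: str) -> bool:
    """Return True if the request after the race can still open its session."""
    store = SessionStore()
    a = store.start(b"user=alice;req=A")   # constructed payloads
    b = store.start(b"user=alice;req=B")
    hdr_a = set_cookie_headers(*a, mode)
    hdr_b = set_cookie_headers(*b, mode)

    # Assumed worst-case interleaving on the client: the jar applies A's
    # first cookie, then all of B's, then the rest of A's. Each Set-Cookie
    # simply overwrites the previous value stored under that name.
    jar: dict[str, str] = {}
    for name, value in hdr_a[:1] + hdr_b + hdr_a[1:]:
        jar[name] = value

    sid, passphrase = cookies_for_next_request(jar, mode)
    try:
        store.open(sid, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for mode in ("shared", "per_session", "combined"):
        outcome = "ok" if race_two_cookieless_requests(mode) else "HMAC does not match"
        print(f"{mode:12s} -> {outcome}")
```

With the shared cookie name the jar ends up holding B's session id next to A's passphrase, which is exactly the mismatch the exception reports. With per-session names the surviving session id still finds its own passphrase cookie, and with the combined cookie the two values travel in one header and cannot be separated by any ordering of responses. Whether a real client applies cookies from concurrent responses in the interleaved order assumed here is the open question in the thread; the combined layout is the one that removes the dependency on client behaviour entirely.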
@ChristophWurst ChristophWurst self-assigned this Jul 29, 2024
@ChristophWurst ChristophWurst added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jul 29, 2024
@colttt

colttt commented Aug 5, 2024

Hello,
just for Info.
I got the same issue when I try to access nextcloud via KDE Dolphin and webdav

@janhenrlk

janhenrlk commented Aug 19, 2024

Hello everyone,

this error in the log only appears for me when opening the iOS app and I suspect it is a race condition conflict as already mentioned. The functionality does not seem to be impaired so far, but it still looks unattractive in the log.
Is there already a solution for this?
I am using the Nextcloud AIO instance.

@nigelharpur

nigelharpur commented Aug 19, 2024 via email

@ChristophWurst ChristophWurst added 2. developing Work in progress and removed 1. to develop Accepted and waiting to be taken care of labels Aug 21, 2024
@ChristophWurst ChristophWurst linked a pull request Aug 21, 2024 that will close this issue
9 tasks
@andrewborell

I'm not 100% sure, but somewhat confident in thinking what caused this HMAC error for me is:

  • Windows 11 required an update
  • Update was installed overnight then computer was restarted
  • upon login, Windows attempted to restore the state of Chrome

Also I should note that in a separate chrome instance I launched before windows restored chrome, I had already logged back into the site.

@raptortees0f

I'm not 100% sure, but somewhat confident in thinking what caused this HMAC error for me is:

  • Windows 11 required an update
  • Update was installed overnight then computer was restarted
  • upon login, Windows attempted to restore the state of Chrome

Also I should note that in a separate chrome instance I launched before windows restored chrome, I had already logged back into the site.

I'm on macOS and used to have the same issue happening to me, so I don't think it is specific to Windows 11. Since the 29.0.7 update the issue is gone for me.

@Rayn0r

Rayn0r commented Sep 17, 2024

I had trouble using the oauth2 app to authenticate my Grafana instance on the weekend and saw similar messages like yours:

"message":"Could not decrypt token password: HMAC does not match.","userAgent":"Go-http-client/1.1","version":"29.0.7.1","exception":{"Exception":"OC\Authentication\Exceptions\InvalidTokenException","Message":"Could not decrypt token password: HMAC does not match."

After some digging, I found lots of entries in the table oc_oauth2_access_tokens. After deleting mine with:

delete from oc_oauth2_access_tokens where client_id=3

I was able to use oauth2 again.

I know the problem here is different, but perhaps it sparks some ideas on where to look...

Projects
Status: 🏗️ In progress