rekey fails with no error message #164

Closed
rogerbinns opened this issue Jun 2, 2024 · 3 comments

@rogerbinns

I was trying to change the page size for testing. The rekey pragma fails with SQLITE_ERROR and doesn't set any error message.

```python
import apsw

con = apsw.Connection("testdb")
con.pragma("key", "hello")
con.execute("create table x(y); insert into x values(randomblob(32768))")

# rekey
con.pragma("cipher", "aes128cbc")
con.pragma("legacy", "1")
con.pragma("legacy_page_size", 16384)
con.pragma("rekey", "hello")
```

```
Traceback (most recent call last):
  File "/space/mc/issue.py", line 11, in <module>
    con.pragma("rekey", "hello")
  File "src/cursor.c", line 959, in APSWCursor_execute.sqlite3_prepare_v3
    AddTraceBackHere(__FILE__, __LINE__, "APSWCursor_execute.sqlite3_prepare_v3", "{s: O, s: O}",
apsw.SQLError: SQLError: SQL logic error
```

@utelle (Owner) commented Jun 2, 2024

> I was trying to change the page size for testing.

Changing the page size is not possible for encrypted databases. The only way to change the page size is to decrypt the database, change the page size, run vacuum, and to reencrypt the database.

The real problem is that changing the page size and then running VACUUM for an encrypted database results in a corrupted database. VACUUM does not report an error.

AFAICR prior SQLite versions (before the SQLITE_HAS_CODEC feature was removed) included a check for encrypted databases, but now this is no longer the case.

> The rekey pragma fails with SQLITE_ERROR and doesn't set any error message.

If I use the pragma in a SQLite shell, error messages are reported. But maybe the messages don't come from the pragma return value, but from the last error message. I have to check the code of the pragma handling.
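
The decrypt, change page size, VACUUM, re-encrypt sequence from the comment above, with a verification pass on a fresh connection because VACUUM may report no error. This is an added example, not code from the thread or the project: `change_page_size` and its helpers are hypothetical names, and it assumes that on an SQLite3 Multiple Ciphers build `pragma rekey=''` decrypts and `pragma cipher` returns a row. With `key=None` it runs on stock `sqlite3`; for an encrypted file pass a cipher-enabled `connect`, for example `apsw.Connection` (assumption).

```python
import sqlite3


def _scalar(con, sql):
    rows = con.execute(sql).fetchall()  # exhaust the statement before VACUUM
    return rows[0][0] if rows else None


def _quote(text):
    # PRAGMA arguments cannot be bound, so build an SQL string literal.
    return "'" + text.replace("'", "''") + "'"


def _row_counts(con):
    names = [r[0] for r in con.execute(
        "select name from sqlite_master where type='table' order by name").fetchall()]
    return [(n, _scalar(con, 'select count(*) from "%s"' % n.replace('"', '""')))
            for n in names]


def change_page_size(path, new_size, key=None, connect=sqlite3.connect):
    """Decrypt, change page size, VACUUM, re-encrypt, then verify on reopen."""
    new_size = int(new_size)
    con = connect(path)
    try:
        if key is not None:
            # Stock SQLite silently ignores unknown pragmas: refuse instead of
            # treating a no-op "pragma key" as encryption.
            if _scalar(con, "pragma cipher") is None:
                raise RuntimeError("SQLite build has no cipher support")
            con.execute("pragma key=" + _quote(key))
        before = _row_counts(con)
        if key is not None:
            con.execute("pragma rekey=''")  # assumption: empty key decrypts
        con.execute("pragma page_size=%d" % new_size)
        con.execute("vacuum")
        if key is not None:
            con.execute("pragma rekey=" + _quote(key))
    finally:
        con.close()
    con = connect(path)  # fresh connection: nothing cached from above
    try:
        if key is not None:
            con.execute("pragma key=" + _quote(key))
        result = (_scalar(con, "pragma integrity_check"),
                  _scalar(con, "pragma page_size"), _row_counts(con))
    finally:
        con.close()
    if result != ("ok", new_size, before):
        raise RuntimeError("page size change not verified: %r" % (result,))
    return new_size
```

Between the two `rekey` calls the file is plaintext on disk, so run this on a copy kept in a location with appropriate access controls.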

@rogerbinns (Author)

> Changing the page size is not possible for encrypted databases

I was specifically changing the legacy page size cipher parameter. This was doing brute force testing constantly changing parameters and rekeying.

`SQLITE_ERROR` is definitely being returned by executing the pragma, i.e. the call to `sqlite3_prepare_v3` is returning `SQLITE_ERROR` and `sqlite3_errmsg` is returning `SQL logic error`. `sqlite3_log` was called with `SQL logic error in "pragma rekey='hello'"`, which you were probably seeing.

Just like with the backup case, refusing bad operations is a good idea, and a helpful error message is ideal.

utelle added a commit that referenced this issue Jun 7, 2024
- Incorrect number of reserved bytes values could cause assertions
- Check for valid values of config parameter plaintext_header_size
- Use correct HMAC size for SQLCipher HMAC algorithm SHA256
- Ensure that error messages are returned correctly from rekey

@utelle (Owner) commented Jun 7, 2024

Commit 02b69ad enforces the return of correct error messages.

Additionally, legacy page size and plaintext header size are now checked for valid values.

utelle closed this as completed Jun 7, 2024