Error while deriving the key (kdf_open) while importing Aegis encrypted JSON

[IoSonoPiero]

Hello,
I used OTPClient on Ubuntu without issues until I moved to Fedora 40.
I get the error: "Error while deriving the key (kdf_open)" when I open a file I created on Aegis on my Android smartphone.
I've always used OTPClient and imported the file several times.
I have the latest package for Fedora.

I've attached the screenshot of the error if it can be helpful.
I'm available to do tests so OTPClient can be used again (at least on my machine if it's my issue).
Thanks!

Note: I am having the same error when using the Flatpak version.

[paolostivanin]

Hello,
so you are facing an issue in the following case, correct?

1. open OTPClient. This is a first run, because db is empty
2. import and Aegis backup, the error appears

[IoSonoPiero]

Hello, sorry for the late reply.
Yes, that's precisely what's happened.

[IoSonoPiero]

And ... well, this is new: freshly booted laptop, I got this error:

[WARNING] your operating system's memlock limit may be too low for you (current value: 8388608 bytes).
This may cause issues when importing third parties databases or dealing with tens of tokens.
For information on how to increase the memlock value, please have a look at https://github.com/paolostivanin/OTPClient/wiki/Secure-Memory-Limitations
couldn't lock 16384 bytes of memory (secret_session): Impossibile allocare memoria

(otpclient:12901): GLib-ERROR **: 15:25:26.920: ../glib/gmem.c:139: failed to allocate 18446744073709551600 bytes

I was looking to import any other key and then Aegis to try.

[paolostivanin]

installed from repo or from flatpak?

[IoSonoPiero]

Installed from the repo. My bad; I needed to be more precise in the first post.
I tried flatpak, too.
Same issue.

[IoSonoPiero]

I tried with Twitter 2FA, same error.

[GuilhermeReda]

Same thing here. Installed it from flatpak, and I get this error when importing any type of exported file.

Edit: rolling back to 3.6.0 fixed the issue, then I was able to update to the latest version and preserve all imported keys

[paolostivanin]

@GuilhermeReda wait, what? You upgraded to v4, opened the database, downgraded to v3 and still were able to open the db? The same exact db?

[GuilhermeReda]

other way around. I tried importing from v4, got the error described above. reverted to 3.6, imported my backup, then upgraded to v4 again and the db was there

[paolostivanin]

ah ok, makes sense. Tomorrow I'll look at this bug with high priority, sorry all.

[GuilhermeReda]

I tried andotp_exports.json.aes, andotp_exports.json and aegis_encrypted.json. All failed.
All exported from a second machine running OTPClient

[paolostivanin]

And ... well, this is new: freshly booted laptop, I got this error:

[WARNING] your operating system's memlock limit may be too low for you (current value: 8388608 bytes).
This may cause issues when importing third parties databases or dealing with tens of tokens.
For information on how to increase the memlock value, please have a look at https://github.com/paolostivanin/OTPClient/wiki/Secure-Memory-Limitations
couldn't lock 16384 bytes of memory (secret_session): Impossibile allocare memoria

(otpclient:12901): GLib-ERROR **: 15:25:26.920: ../glib/gmem.c:139: failed to allocate 18446744073709551600 bytes

I was looking to import any other key and then Aegis to try.

That's happening because you don't have enough secure memory available. Please have a look at the wiki on how to increase it.

[paolostivanin]

@GuilhermeReda you're also on Fedora, right?

[paolostivanin]

found and fixed the bug, will make a new release by late morning

[IoSonoPiero]

Grande Paolo!
Thank you very much!

[paolostivanin]

about this

couldn't lock 16384 bytes of memory (secret_session): Impossibile allocare memoria

I can only randomly reproduce it. It's something that happens on the OS when the memlock is insufficient. I will add a stricter check on the memlock value.

[IoSonoPiero]

It may be related to Fedora. I've used OTPClient on Ubuntu, and I've never noticed messages.

[paolostivanin]

You're not the only one having issues on Fedora. I don't know what kind of security they have in place, but on Ubuntu, openSUSE and Arch I've never seen such thing.

Just to compare, could you check ulimit -l on both Ubuntu and Fedora?

[IoSonoPiero]

On my machines, I have:
Fedora 40: 8192
Ubuntu 24.04 LTS: 2033328
Ubuntu 22.04.4 LTS: 3069668

[paolostivanin]

there you go! You have 8 MiB on Fedora (why so low by default?!?!) VS 2 and 3 GB on Ubuntu...

[IoSonoPiero]

Understood.
Please consider that there are default installations with no modifications made by me.

[paolostivanin]

yes, I can confirm that. I've just installed Fedora 40 and I also got 8192. I need to think whether to exit in such case or continue operation, because it's not easy to detect the error you posted above. It comes abruptly without any chance of catching it.

[IoSonoPiero]

Hello, Just a question:
Have you been able to release the new version yet?
I got this update:

 libcotp3        x86_64       3.0.0-1.50         download.opensuse.org_repositories_home_polslinux_otpclient_Fedora_40_
 otpclient       x86_64       4.0.1-1.5          download.opensuse.org_repositories_home_polslinux_otpclient_Fedora_40_ 

but I always get the following error:

[paolostivanin]

@IoSonoPiero not yet. Got caught up with other things.
Tomorrow morning I'll make a new release!

[IoSonoPiero]

No worries at all. I just got the update from the repo.
Thanks for all the support, by the way!

[IoSonoPiero]

It works!
Thank you very much.