Corrupted MAC Pulling via SSH

[Will DeBerry]

This happens on random patch sets and doesn't seem to be narrowed down to how the end user is uploading to the gerrit instance. When you try to pick the patch set you get the following:

[rainbow manifests]$ git fetch ssh://hillbill...@gerrit.aokp.co:29418/AOKP/platform_manifest refs/changes/38/15438/1 && git cherry-pick FETCH_HEAD

Corrupted MAC on input.

I have checked the SSH and Error logs on gerrit and neither is producing anything helpful or anything at all at times. At this point I have reindexed, ran gc on the projects and restarted gerrit. I saw that this was resolved back in 2.1.x days by updating the version of jsch being used, but looks like the master branch is already using the latest revision out.

Any other recommendations for this would be welcome.

[Shawn Pearce]

This is a disagreement between the SSH client, and the MINA SSHD
software in the server. It has nothing to do with the version of JSch
used by Gerrit. Its possible/probable there is a bug in the MINA SSHD
server library that miscomputes a packet to the client, resulting in
the client seeing a MAC error and aborting the transfer.

:-(

Quickest workaround is to use HTTPS rather than SSH, but we may need
to look at updating MINA SSHD again. Perhaps there is an upstream bug
fixed. Or maybe the bug isn't fixed...

[Will DeBerry]

On Wednesday, January 22, 2014 2:47:15 PM UTC-5, Shawn Pearce wrote:

On Wed, Jan 22, 2014 at 10:07 AM, Will DeBerry <willd...@gmail.com> wrote:
> This happens on random patch sets and doesn't seem to be narrowed down to
> how the end user is uploading to the gerrit instance. When you try to pick
> the patch set you get the following:
>
> [rainbow manifests]$ git fetch

> ssh://hillbillyhacker86@gerrit.aokp.co:29418/AOKP/platform_manifest

> refs/changes/38/15438/1 && git cherry-pick FETCH_HEAD
> Corrupted MAC on input.
>
> I have checked the SSH and Error logs on gerrit and neither is producing
> anything helpful or anything at all at times. At this point I have
> reindexed, ran gc on the projects and restarted gerrit. I saw that this was
> resolved back in 2.1.x days by updating the version of jsch being used, but
> looks like the master branch is already using the latest revision out.
>
> Any other recommendations for this would be welcome.

This is a disagreement between the SSH client, and the MINA SSHD
software in the server. It has nothing to do with the version of JSch
used by Gerrit. Its possible/probable there is a bug in the MINA SSHD
server library that miscomputes a packet to the client, resulting in
the client seeing a MAC error and aborting the transfer.

:-(

Quickest workaround is to use HTTPS rather than SSH, but we may need
to look at updating MINA SSHD again. Perhaps there is an upstream bug
fixed. Or maybe the bug isn't fixed...

Wasn't sure how to apply locally and test before posting, but looks like possible fix upstream - https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;h=74946f1b68ffdd207af5b6102693030e39693340 

[David Ostrovsky]

Am Mittwoch, 22. Januar 2014 19:07:29 UTC+1 schrieb Will DeBerry:

This happens on random patch sets and doesn't seem to be narrowed down to how the end user is uploading to the gerrit instance. When you try to pick the patch set you get the following:

[rainbow manifests]$ git fetch ssh://hillbillyhacker86@gerrit.aokp.co:29418/AOKP/platform_manifest refs/changes/38/15438/1 && git cherry-pick FETCH_HEAD

Corrupted MAC on input.

Have you tried to set this in gerrit.config:

  git config --file $site_path/etc/gerrit.config sshd.backend nio2

[Will DeBerry]

Yes, this has been set for a good bit now. Although now that you brought that up, i switched it back to MINA and error is gone. So definitely looks like that patch is needed for NIO2 to be used. 

[David Ostrovsky]

Thanks for letting us know. Let's drop nio2 backend for now, then [1].

[1] https://gerrit-review.googlesource.com/53973

[Doug Kelly]

Something tells me this is related to the Java 7 changes to JCE.  I know JSch had a similar problem, and I think so did MINA, until we bumped its version number a few months back?