1 files changed, 14 insertions, 5 deletions

diff --git a/src/lib/Bcfg2/Encryption.py b/src/lib/Bcfg2/Encryption.py
index b4674d72f..69d40ea37 100755
--- a/src/lib/Bcfg2/Encryption.py
+++ b/src/lib/Bcfg2/Encryption.py
@@ -3,6 +3,7 @@ handling encryption in Bcfg2.  See :ref:`server-encryption` for more
 details. """
 
 import os
+import sys
 from M2Crypto import Rand
 from M2Crypto.EVP import Cipher, EVPError
 from Bcfg2.Compat import StringIO, md5, b64encode, b64decode
@@ -114,13 +115,21 @@ def ssl_decrypt(data, passwd, algorithm=ALGORITHM):
     :returns: string - The decrypted data
     """
     # base64-decode the data
-    data = b64decode(data)
+    try:
+        data = b64decode(data)
+    except TypeError:
+        # we do not include the data in the error message, because one
+        # of the common causes of this is data that claims to be
+        # encrypted but is not.  we don't want to include a plaintext
+        # secret in the error logs.
+        raise TypeError("Could not decode base64 data: %s" %
+                        sys.exc_info()[1])
     salt = data[8:16]
-    # pylint: disable=E1101
+    # pylint: disable=E1101,E1121
     hashes = [md5(passwd + salt).digest()]
     for i in range(1, 3):
         hashes.append(md5(hashes[i - 1] + passwd + salt).digest())
-    # pylint: enable=E1101
+    # pylint: enable=E1101,E1121
     key = hashes[0] + hashes[1]
     iv = hashes[2]
 
@@ -146,11 +155,11 @@ def ssl_encrypt(plaintext, passwd, algorithm=ALGORITHM, salt=None):
     if salt is None:
         salt = Rand.rand_bytes(8)
 
-    # pylint: disable=E1101
+    # pylint: disable=E1101,E1121
     hashes = [md5(passwd + salt).digest()]
     for i in range(1, 3):
         hashes.append(md5(hashes[i - 1] + passwd + salt).digest())
-    # pylint: enable=E1101
+    # pylint: enable=E1101,E1121
     key = hashes[0] + hashes[1]
     iv = hashes[2]