Bug 1447297
| Summary: | Unable to use LUKS passphrase that is exactly 16 bytes long | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Daniel Berrangé <berrange> |
| Component: | libvirt | Assignee: | Peter Krempa <pkrempa> |
| Status: | CLOSED ERRATA | QA Contact: | yisun |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | dyuan, jdenemar, jtomko, lmen, pkrempa, rbalakri, xuzhang, yalzhang |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | libvirt-3.2.0-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-02 00:08:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
commit 71890992daf37ec78b00b4ce873369421dc99731
Author: Daniel P. Berrange <berrange>
Date: Tue May 2 11:32:43 2017 +0100
Fix padding of encrypted data
If we are encoding a block of data that is 16 bytes in length,
we cannot leave it as 16 bytes, we must pad it out to the next
block boundary, 32 bytes. Without this padding, the decoder will
incorrectly treat the last byte of plain text as the padding
length, as it can't distinguish padded from non-padded data.
The problem exhibited itself when using a 16 byte passphrase
for a LUKS volume
$ virsh secret-set-value 55806c7d-8e93-456f-829b-607d8c198367 \
$(echo -n 1234567812345678 | base64)
Secret value set
$ virsh start demo
error: Failed to start domain demo
error: internal error: process exited while connecting to monitor: >>>>>>>>>>Len 16
2017-05-02T10:35:40.016390Z qemu-system-x86_64: -object \
secret,id=virtio-disk1-luks-secret0,data=SEtNi5vDUeyseMKHwc1c1Q==,\
keyid=masterKey0,iv=zm7apUB1A6dPcH53VW960Q==,format=base64: \
Incorrect number of padding bytes (56) found on decrypted data
Notice how the padding '56' corresponds to the ordinal value of
the character '8'.
Verified on:
libvirt-3.2.0-5.virtcov.el7.x86_64
qemu-kvm-rhev-2.9.0-5.el7.x86_64
## qemu-img create -f luks -o key-secret=sec0 --object secret,id=sec0,data=1234567812345678 /var/lib/libvirt/images/luks.disk 1G
Formatting '/var/lib/libvirt/images/luks.disk', fmt=luks size=1073741824 key-secret=sec0
## cat sec.xml
<secret ephemeral='no' private='no'>
<uuid>f981dd17-143f-45bc-88e6-ed1fe20ce9da</uuid>
<description>LUKS Secret</description>
<usage type='volume'>
<volume>/var/lib/libvirt/images/luks.disk</volume>
</usage>
</secret>
## virsh secret-define sec.xml
Secret f981dd17-143f-45bc-88e6-ed1fe20ce9da created
## virsh secret-set-value f981dd17-143f-45bc-88e6-ed1fe20ce9da $(echo -n 1234567812345678 | base64)
Secret value set
## virsh dumpxml r | grep disk -a10
...
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/var/lib/libvirt/images/luks.disk'/>
<target dev='vdb' bus='virtio'/>
<encryption format='luks'>
<secret type='passphrase' uuid='f981dd17-143f-45bc-88e6-ed1fe20ce9da'/>
</encryption>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</disk>
...
## virsh start r
Domain r started
also tried with 15/17 bytes password and passed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1846 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1846 |
Description of problem: If using a LUKS passphrase that is exactly 16 bytes, QEMU fails to decode the secret, due to incorrect plain text padding. $ virsh secret-set-value 55806c7d-8e93-456f-829b-607d8c198367 $(echo -n 1234567812345678 | base64) Secret value set $ virsh start demo error: Failed to start domain demo error: internal error: process exited while connecting to monitor: 2017-05-02T10:36:34.219574Z qemu-system-x86_64: -object secret,id=virtio-disk1-luks-secret0,data=RJX5KrWOe+YrAvZggnVkmw==,keyid=masterKey0,iv=Mtj0v/esNFNWoYelGZsCsA==,format=base64: Incorrect number of padding bytes (56) found on decrypted data This is because the libvirt code is failing to correct round-up to the next block size when the plain text is a multiple of block size. Version-Release number of selected component (if applicable): 2.0.0-10.el7_3.2 How reproducible: Always Steps to Reproduce: 1. Create a luks disk $ qemu-img create -f luks -o key-secret=sec0 --object secret,id=sec0,data=1234567812345678 ~/VirtualMachines/demo.luks 1G 2. Add the following XML to a guest <disk type='file' device='disk'> <driver name='qemu' type='raw'/> <source file='/home/berrange/VirtualMachines/demo.luks'/> <target dev='vdb' bus='virtio'/> <encryption format='luks'> <secret type='passphrase' uuid='55806c7d-8e93-456f-829b-607d8c198367'/> </encryption> <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> </disk> 3. Set the secret value $ virsh secret-set-value 55806c7d-8e93-456f-829b-607d8c198367 $(echo -n 1234567812345678 | base64) Secret value set 4. Start the guest $ virsh start Actual results: Fails with padding error Expected results: Guest launches Additional info: