Public bug reported: I'm using libvirt to attach luks encrypted disk to a running VM. The qemu-monitor-command like the
following: {"execute":"object-add","arguments":{"qom-type":"secret","id":"virtio- disk11-luks- secret0","props":{"data":"El7jOYLCZwrij2Mue0q2tA==","keyid":"masterKey0","iv":"J2je0WJjCa89L3iKc1lceg==","format":"base64"}} the masterKey0 specify the secret which has been created before. command above return with error message "Incorrect number of padding bytes XXX found on decrypted data". This is triggered by the following code snippets in qemu/crypto/secret.c: if (plaintext[ciphertextlen - 1] > 16 || plaintext[ciphertextlen - 1] > ciphertextlen) { error_setg(errp, "Incorrect number of padding bytes (%d) " "found on decrypted data", (int)plaintext[ciphertextlen - 1]); … } The bug is: There is on padding in plaintext if the actual length of the plaintext decrypted is equal to ciphertext. In this case, the last element in plaintext array may be one of the character in base64 code table or other. I would like to know why length of padding bytes cannot exceed 16 and whether i can remove judement: “plaintext[ciphertextlen - 1] > 16” so that I can eliminate the error above. Much appreciate it if doubts above is cleared up. libvirt/qemu version: # virsh version Compiled against library: libvirt 3.0.0 Using library: libvirt 3.0.0 Using API: QEMU 3.0.0 Running hypervisor: QEMU 2.7.1 OS: Ubuntu 12.04 LTS ** Affects: qemu Importance: Undecided Status: New -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1712027 Title: qemu: Cryptography adding encrypted disk with luks format failed Status in QEMU: New Bug description: I'm using libvirt to attach luks encrypted disk to a running VM. The qemu-monitor-command like the following: {"execute":"object-add","arguments":{"qom-type":"secret","id":"virtio- disk11-luks- secret0","props":{"data":"El7jOYLCZwrij2Mue0q2tA==","keyid":"masterKey0","iv":"J2je0WJjCa89L3iKc1lceg==","format":"base64"}} the masterKey0 specify the secret which has been created before. command above return with error message "Incorrect number of padding bytes XXX found on decrypted data". This is triggered by the following code snippets in qemu/crypto/secret.c: if (plaintext[ciphertextlen - 1] > 16 || plaintext[ciphertextlen - 1] > ciphertextlen) { error_setg(errp, "Incorrect number of padding bytes (%d) " "found on decrypted data", (int)plaintext[ciphertextlen - 1]); … } The bug is: There is on padding in plaintext if the actual length of the plaintext decrypted is equal to ciphertext. In this case, the last element in plaintext array may be one of the character in base64 code table or other. I would like to know why length of padding bytes cannot exceed 16 and whether i can remove judement: “plaintext[ciphertextlen - 1] > 16” so that I can eliminate the error above. Much appreciate it if doubts above is cleared up. libvirt/qemu version: # virsh version Compiled against library: libvirt 3.0.0 Using library: libvirt 3.0.0 Using API: QEMU 3.0.0 Running hypervisor: QEMU 2.7.1 OS: Ubuntu 12.04 LTS To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1712027/+subscriptions