]>
Commit | Line | Data |
---|---|---|
3e308f20 DB |
1 | /* |
2 | * QEMU Crypto block device encryption LUKS format | |
3 | * | |
4 | * Copyright (c) 2015-2016 Red Hat, Inc. | |
5 | * | |
6 | * This library is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU Lesser General Public | |
8 | * License as published by the Free Software Foundation; either | |
9 | * version 2 of the License, or (at your option) any later version. | |
10 | * | |
11 | * This library is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * Lesser General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU Lesser General Public | |
17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. | |
18 | * | |
19 | */ | |
20 | ||
21 | #include "qemu/osdep.h" | |
22 | ||
23 | #include "crypto/block-luks.h" | |
24 | ||
25 | #include "crypto/hash.h" | |
26 | #include "crypto/afsplit.h" | |
27 | #include "crypto/pbkdf.h" | |
28 | #include "crypto/secret.h" | |
29 | #include "crypto/random.h" | |
30 | ||
31 | #ifdef CONFIG_UUID | |
32 | #include <uuid/uuid.h> | |
33 | #endif | |
34 | ||
35 | #include "qemu/coroutine.h" | |
36 | ||
37 | /* | |
38 | * Reference for the LUKS format implemented here is | |
39 | * | |
40 | * docs/on-disk-format.pdf | |
41 | * | |
42 | * in 'cryptsetup' package source code | |
43 | * | |
44 | * This file implements the 1.2.1 specification, dated | |
45 | * Oct 16, 2011. | |
46 | */ | |
47 | ||
48 | typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; | |
49 | typedef struct QCryptoBlockLUKSHeader QCryptoBlockLUKSHeader; | |
50 | typedef struct QCryptoBlockLUKSKeySlot QCryptoBlockLUKSKeySlot; | |
51 | ||
52 | ||
53 | /* The following constants are all defined by the LUKS spec */ | |
54 | #define QCRYPTO_BLOCK_LUKS_VERSION 1 | |
55 | ||
56 | #define QCRYPTO_BLOCK_LUKS_MAGIC_LEN 6 | |
57 | #define QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN 32 | |
58 | #define QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN 32 | |
59 | #define QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN 32 | |
60 | #define QCRYPTO_BLOCK_LUKS_DIGEST_LEN 20 | |
61 | #define QCRYPTO_BLOCK_LUKS_SALT_LEN 32 | |
62 | #define QCRYPTO_BLOCK_LUKS_UUID_LEN 40 | |
63 | #define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS 8 | |
64 | #define QCRYPTO_BLOCK_LUKS_STRIPES 4000 | |
65 | #define QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS 1000 | |
66 | #define QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS 1000 | |
67 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096 | |
68 | ||
69 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED 0x0000DEAD | |
70 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED 0x00AC71F3 | |
71 | ||
72 | #define QCRYPTO_BLOCK_LUKS_SECTOR_SIZE 512LL | |
73 | ||
74 | static const char qcrypto_block_luks_magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN] = { | |
75 | 'L', 'U', 'K', 'S', 0xBA, 0xBE | |
76 | }; | |
77 | ||
78 | typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; | |
79 | struct QCryptoBlockLUKSNameMap { | |
80 | const char *name; | |
81 | int id; | |
82 | }; | |
83 | ||
84 | typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; | |
85 | struct QCryptoBlockLUKSCipherSizeMap { | |
86 | uint32_t key_bytes; | |
87 | int id; | |
88 | }; | |
89 | typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; | |
90 | struct QCryptoBlockLUKSCipherNameMap { | |
91 | const char *name; | |
92 | const QCryptoBlockLUKSCipherSizeMap *sizes; | |
93 | }; | |
94 | ||
95 | ||
96 | static const QCryptoBlockLUKSCipherSizeMap | |
97 | qcrypto_block_luks_cipher_size_map_aes[] = { | |
98 | { 16, QCRYPTO_CIPHER_ALG_AES_128 }, | |
99 | { 24, QCRYPTO_CIPHER_ALG_AES_192 }, | |
100 | { 32, QCRYPTO_CIPHER_ALG_AES_256 }, | |
101 | { 0, 0 }, | |
102 | }; | |
103 | ||
104 | static const QCryptoBlockLUKSCipherSizeMap | |
105 | qcrypto_block_luks_cipher_size_map_cast5[] = { | |
106 | { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, | |
107 | { 0, 0 }, | |
108 | }; | |
109 | ||
110 | static const QCryptoBlockLUKSCipherSizeMap | |
111 | qcrypto_block_luks_cipher_size_map_serpent[] = { | |
112 | { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, | |
113 | { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, | |
114 | { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, | |
115 | { 0, 0 }, | |
116 | }; | |
117 | ||
118 | static const QCryptoBlockLUKSCipherSizeMap | |
119 | qcrypto_block_luks_cipher_size_map_twofish[] = { | |
120 | { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, | |
121 | { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, | |
122 | { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, | |
123 | { 0, 0 }, | |
124 | }; | |
125 | ||
126 | static const QCryptoBlockLUKSCipherNameMap | |
127 | qcrypto_block_luks_cipher_name_map[] = { | |
128 | { "aes", qcrypto_block_luks_cipher_size_map_aes }, | |
129 | { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, | |
130 | { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, | |
131 | { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, | |
132 | }; | |
133 | ||
134 | ||
135 | /* | |
136 | * This struct is written to disk in big-endian format, | |
137 | * but operated upon in native-endian format. | |
138 | */ | |
139 | struct QCryptoBlockLUKSKeySlot { | |
140 | /* state of keyslot, enabled/disable */ | |
141 | uint32_t active; | |
142 | /* iterations for PBKDF2 */ | |
143 | uint32_t iterations; | |
144 | /* salt for PBKDF2 */ | |
145 | uint8_t salt[QCRYPTO_BLOCK_LUKS_SALT_LEN]; | |
146 | /* start sector of key material */ | |
147 | uint32_t key_offset; | |
148 | /* number of anti-forensic stripes */ | |
149 | uint32_t stripes; | |
150 | } QEMU_PACKED; | |
151 | ||
152 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); | |
153 | ||
154 | ||
155 | /* | |
156 | * This struct is written to disk in big-endian format, | |
157 | * but operated upon in native-endian format. | |
158 | */ | |
159 | struct QCryptoBlockLUKSHeader { | |
160 | /* 'L', 'U', 'K', 'S', '0xBA', '0xBE' */ | |
161 | char magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN]; | |
162 | ||
163 | /* LUKS version, currently 1 */ | |
164 | uint16_t version; | |
165 | ||
166 | /* cipher name specification (aes, etc) */ | |
167 | char cipher_name[QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN]; | |
168 | ||
169 | /* cipher mode specification (cbc-plain, xts-essiv:sha256, etc) */ | |
170 | char cipher_mode[QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN]; | |
171 | ||
172 | /* hash specification (sha256, etc) */ | |
173 | char hash_spec[QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN]; | |
174 | ||
175 | /* start offset of the volume data (in 512 byte sectors) */ | |
176 | uint32_t payload_offset; | |
177 | ||
178 | /* Number of key bytes */ | |
179 | uint32_t key_bytes; | |
180 | ||
181 | /* master key checksum after PBKDF2 */ | |
182 | uint8_t master_key_digest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; | |
183 | ||
184 | /* salt for master key PBKDF2 */ | |
185 | uint8_t master_key_salt[QCRYPTO_BLOCK_LUKS_SALT_LEN]; | |
186 | ||
187 | /* iterations for master key PBKDF2 */ | |
188 | uint32_t master_key_iterations; | |
189 | ||
190 | /* UUID of the partition in standard ASCII representation */ | |
191 | uint8_t uuid[QCRYPTO_BLOCK_LUKS_UUID_LEN]; | |
192 | ||
193 | /* key slots */ | |
194 | QCryptoBlockLUKSKeySlot key_slots[QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS]; | |
195 | } QEMU_PACKED; | |
196 | ||
197 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); | |
198 | ||
199 | ||
200 | struct QCryptoBlockLUKS { | |
201 | QCryptoBlockLUKSHeader header; | |
202 | }; | |
203 | ||
204 | ||
205 | static int qcrypto_block_luks_cipher_name_lookup(const char *name, | |
206 | QCryptoCipherMode mode, | |
207 | uint32_t key_bytes, | |
208 | Error **errp) | |
209 | { | |
210 | const QCryptoBlockLUKSCipherNameMap *map = | |
211 | qcrypto_block_luks_cipher_name_map; | |
212 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); | |
213 | size_t i, j; | |
214 | ||
215 | if (mode == QCRYPTO_CIPHER_MODE_XTS) { | |
216 | key_bytes /= 2; | |
217 | } | |
218 | ||
219 | for (i = 0; i < maplen; i++) { | |
220 | if (!g_str_equal(map[i].name, name)) { | |
221 | continue; | |
222 | } | |
223 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { | |
224 | if (map[i].sizes[j].key_bytes == key_bytes) { | |
225 | return map[i].sizes[j].id; | |
226 | } | |
227 | } | |
228 | } | |
229 | ||
230 | error_setg(errp, "Algorithm %s with key size %d bytes not supported", | |
231 | name, key_bytes); | |
232 | return 0; | |
233 | } | |
234 | ||
235 | static const char * | |
236 | qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, | |
237 | Error **errp) | |
238 | { | |
239 | const QCryptoBlockLUKSCipherNameMap *map = | |
240 | qcrypto_block_luks_cipher_name_map; | |
241 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); | |
242 | size_t i, j; | |
243 | for (i = 0; i < maplen; i++) { | |
244 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { | |
245 | if (map[i].sizes[j].id == alg) { | |
246 | return map[i].name; | |
247 | } | |
248 | } | |
249 | } | |
250 | ||
251 | error_setg(errp, "Algorithm '%s' not supported", | |
252 | QCryptoCipherAlgorithm_lookup[alg]); | |
253 | return NULL; | |
254 | } | |
255 | ||
256 | /* XXX replace with qapi_enum_parse() in future, when we can | |
257 | * make that function emit a more friendly error message */ | |
258 | static int qcrypto_block_luks_name_lookup(const char *name, | |
259 | const char *const *map, | |
260 | size_t maplen, | |
261 | const char *type, | |
262 | Error **errp) | |
263 | { | |
264 | size_t i; | |
265 | for (i = 0; i < maplen; i++) { | |
266 | if (g_str_equal(map[i], name)) { | |
267 | return i; | |
268 | } | |
269 | } | |
270 | ||
271 | error_setg(errp, "%s %s not supported", type, name); | |
272 | return 0; | |
273 | } | |
274 | ||
275 | #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ | |
276 | qcrypto_block_luks_name_lookup(name, \ | |
277 | QCryptoCipherMode_lookup, \ | |
278 | QCRYPTO_CIPHER_MODE__MAX, \ | |
279 | "Cipher mode", \ | |
280 | errp) | |
281 | ||
282 | #define qcrypto_block_luks_hash_name_lookup(name, errp) \ | |
283 | qcrypto_block_luks_name_lookup(name, \ | |
284 | QCryptoHashAlgorithm_lookup, \ | |
285 | QCRYPTO_HASH_ALG__MAX, \ | |
286 | "Hash algorithm", \ | |
287 | errp) | |
288 | ||
289 | #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ | |
290 | qcrypto_block_luks_name_lookup(name, \ | |
291 | QCryptoIVGenAlgorithm_lookup, \ | |
292 | QCRYPTO_IVGEN_ALG__MAX, \ | |
293 | "IV generator", \ | |
294 | errp) | |
295 | ||
296 | ||
297 | static bool | |
298 | qcrypto_block_luks_has_format(const uint8_t *buf, | |
299 | size_t buf_size) | |
300 | { | |
301 | const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; | |
302 | ||
303 | if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && | |
304 | memcmp(luks_header->magic, qcrypto_block_luks_magic, | |
305 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && | |
306 | be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { | |
307 | return true; | |
308 | } else { | |
309 | return false; | |
310 | } | |
311 | } | |
312 | ||
313 | ||
314 | /** | |
315 | * Deal with a quirk of dm-crypt usage of ESSIV. | |
316 | * | |
317 | * When calculating ESSIV IVs, the cipher length used by ESSIV | |
318 | * may be different from the cipher length used for the block | |
319 | * encryption, becauses dm-crypt uses the hash digest length | |
320 | * as the key size. ie, if you have AES 128 as the block cipher | |
321 | * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as | |
322 | * the cipher since that gets a key length matching the digest | |
323 | * size, not AES 128 with truncated digest as might be imagined | |
324 | */ | |
325 | static QCryptoCipherAlgorithm | |
326 | qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, | |
327 | QCryptoHashAlgorithm hash, | |
328 | Error **errp) | |
329 | { | |
330 | size_t digestlen = qcrypto_hash_digest_len(hash); | |
331 | size_t keylen = qcrypto_cipher_get_key_len(cipher); | |
332 | if (digestlen == keylen) { | |
333 | return cipher; | |
334 | } | |
335 | ||
336 | switch (cipher) { | |
337 | case QCRYPTO_CIPHER_ALG_AES_128: | |
338 | case QCRYPTO_CIPHER_ALG_AES_192: | |
339 | case QCRYPTO_CIPHER_ALG_AES_256: | |
340 | if (digestlen == qcrypto_cipher_get_key_len( | |
341 | QCRYPTO_CIPHER_ALG_AES_128)) { | |
342 | return QCRYPTO_CIPHER_ALG_AES_128; | |
343 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
344 | QCRYPTO_CIPHER_ALG_AES_192)) { | |
345 | return QCRYPTO_CIPHER_ALG_AES_192; | |
346 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
347 | QCRYPTO_CIPHER_ALG_AES_256)) { | |
348 | return QCRYPTO_CIPHER_ALG_AES_256; | |
349 | } else { | |
350 | error_setg(errp, "No AES cipher with key size %zu available", | |
351 | digestlen); | |
352 | return 0; | |
353 | } | |
354 | break; | |
355 | case QCRYPTO_CIPHER_ALG_SERPENT_128: | |
356 | case QCRYPTO_CIPHER_ALG_SERPENT_192: | |
357 | case QCRYPTO_CIPHER_ALG_SERPENT_256: | |
358 | if (digestlen == qcrypto_cipher_get_key_len( | |
359 | QCRYPTO_CIPHER_ALG_SERPENT_128)) { | |
360 | return QCRYPTO_CIPHER_ALG_SERPENT_128; | |
361 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
362 | QCRYPTO_CIPHER_ALG_SERPENT_192)) { | |
363 | return QCRYPTO_CIPHER_ALG_SERPENT_192; | |
364 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
365 | QCRYPTO_CIPHER_ALG_SERPENT_256)) { | |
366 | return QCRYPTO_CIPHER_ALG_SERPENT_256; | |
367 | } else { | |
368 | error_setg(errp, "No Serpent cipher with key size %zu available", | |
369 | digestlen); | |
370 | return 0; | |
371 | } | |
372 | break; | |
373 | case QCRYPTO_CIPHER_ALG_TWOFISH_128: | |
374 | case QCRYPTO_CIPHER_ALG_TWOFISH_192: | |
375 | case QCRYPTO_CIPHER_ALG_TWOFISH_256: | |
376 | if (digestlen == qcrypto_cipher_get_key_len( | |
377 | QCRYPTO_CIPHER_ALG_TWOFISH_128)) { | |
378 | return QCRYPTO_CIPHER_ALG_TWOFISH_128; | |
379 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
380 | QCRYPTO_CIPHER_ALG_TWOFISH_192)) { | |
381 | return QCRYPTO_CIPHER_ALG_TWOFISH_192; | |
382 | } else if (digestlen == qcrypto_cipher_get_key_len( | |
383 | QCRYPTO_CIPHER_ALG_TWOFISH_256)) { | |
384 | return QCRYPTO_CIPHER_ALG_TWOFISH_256; | |
385 | } else { | |
386 | error_setg(errp, "No Twofish cipher with key size %zu available", | |
387 | digestlen); | |
388 | return 0; | |
389 | } | |
390 | break; | |
391 | default: | |
392 | error_setg(errp, "Cipher %s not supported with essiv", | |
393 | QCryptoCipherAlgorithm_lookup[cipher]); | |
394 | return 0; | |
395 | } | |
396 | } | |
397 | ||
398 | /* | |
399 | * Given a key slot, and user password, this will attempt to unlock | |
400 | * the master encryption key from the key slot. | |
401 | * | |
402 | * Returns: | |
403 | * 0 if the key slot is disabled, or key could not be decrypted | |
404 | * with the provided password | |
405 | * 1 if the key slot is enabled, and key decrypted successfully | |
406 | * with the provided password | |
407 | * -1 if a fatal error occurred loading the key | |
408 | */ | |
409 | static int | |
410 | qcrypto_block_luks_load_key(QCryptoBlock *block, | |
411 | QCryptoBlockLUKSKeySlot *slot, | |
412 | const char *password, | |
413 | QCryptoCipherAlgorithm cipheralg, | |
414 | QCryptoCipherMode ciphermode, | |
415 | QCryptoHashAlgorithm hash, | |
416 | QCryptoIVGenAlgorithm ivalg, | |
417 | QCryptoCipherAlgorithm ivcipheralg, | |
418 | QCryptoHashAlgorithm ivhash, | |
419 | uint8_t *masterkey, | |
420 | size_t masterkeylen, | |
421 | QCryptoBlockReadFunc readfunc, | |
422 | void *opaque, | |
423 | Error **errp) | |
424 | { | |
425 | QCryptoBlockLUKS *luks = block->opaque; | |
426 | uint8_t *splitkey; | |
427 | size_t splitkeylen; | |
428 | uint8_t *possiblekey; | |
429 | int ret = -1; | |
430 | ssize_t rv; | |
431 | QCryptoCipher *cipher = NULL; | |
432 | uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; | |
433 | QCryptoIVGen *ivgen = NULL; | |
434 | size_t niv; | |
435 | ||
436 | if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { | |
437 | return 0; | |
438 | } | |
439 | ||
440 | splitkeylen = masterkeylen * slot->stripes; | |
441 | splitkey = g_new0(uint8_t, splitkeylen); | |
442 | possiblekey = g_new0(uint8_t, masterkeylen); | |
443 | ||
444 | /* | |
445 | * The user password is used to generate a (possible) | |
446 | * decryption key. This may or may not successfully | |
447 | * decrypt the master key - we just blindly assume | |
448 | * the key is correct and validate the results of | |
449 | * decryption later. | |
450 | */ | |
451 | if (qcrypto_pbkdf2(hash, | |
452 | (const uint8_t *)password, strlen(password), | |
453 | slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
454 | slot->iterations, | |
455 | possiblekey, masterkeylen, | |
456 | errp) < 0) { | |
457 | goto cleanup; | |
458 | } | |
459 | ||
460 | /* | |
461 | * We need to read the master key material from the | |
462 | * LUKS key material header. What we're reading is | |
463 | * not the raw master key, but rather the data after | |
464 | * it has been passed through AFSplit and the result | |
465 | * then encrypted. | |
466 | */ | |
467 | rv = readfunc(block, | |
468 | slot->key_offset * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
469 | splitkey, splitkeylen, | |
470 | errp, | |
471 | opaque); | |
472 | if (rv < 0) { | |
473 | goto cleanup; | |
474 | } | |
475 | ||
476 | ||
477 | /* Setup the cipher/ivgen that we'll use to try to decrypt | |
478 | * the split master key material */ | |
479 | cipher = qcrypto_cipher_new(cipheralg, ciphermode, | |
480 | possiblekey, masterkeylen, | |
481 | errp); | |
482 | if (!cipher) { | |
483 | goto cleanup; | |
484 | } | |
485 | ||
486 | niv = qcrypto_cipher_get_iv_len(cipheralg, | |
487 | ciphermode); | |
488 | ivgen = qcrypto_ivgen_new(ivalg, | |
489 | ivcipheralg, | |
490 | ivhash, | |
491 | possiblekey, masterkeylen, | |
492 | errp); | |
493 | if (!ivgen) { | |
494 | goto cleanup; | |
495 | } | |
496 | ||
497 | ||
498 | /* | |
499 | * The master key needs to be decrypted in the same | |
500 | * way that the block device payload will be decrypted | |
501 | * later. In particular we'll be using the IV generator | |
502 | * to reset the encryption cipher every time the master | |
503 | * key crosses a sector boundary. | |
504 | */ | |
505 | if (qcrypto_block_decrypt_helper(cipher, | |
506 | niv, | |
507 | ivgen, | |
508 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
509 | 0, | |
510 | splitkey, | |
511 | splitkeylen, | |
512 | errp) < 0) { | |
513 | goto cleanup; | |
514 | } | |
515 | ||
516 | /* | |
517 | * Now we've decrypted the split master key, join | |
518 | * it back together to get the actual master key. | |
519 | */ | |
520 | if (qcrypto_afsplit_decode(hash, | |
521 | masterkeylen, | |
522 | slot->stripes, | |
523 | splitkey, | |
524 | masterkey, | |
525 | errp) < 0) { | |
526 | goto cleanup; | |
527 | } | |
528 | ||
529 | ||
530 | /* | |
531 | * We still don't know that the masterkey we got is valid, | |
532 | * because we just blindly assumed the user's password | |
533 | * was correct. This is where we now verify it. We are | |
534 | * creating a hash of the master key using PBKDF and | |
535 | * then comparing that to the hash stored in the key slot | |
536 | * header | |
537 | */ | |
538 | if (qcrypto_pbkdf2(hash, | |
539 | masterkey, masterkeylen, | |
540 | luks->header.master_key_salt, | |
541 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
542 | luks->header.master_key_iterations, | |
543 | keydigest, G_N_ELEMENTS(keydigest), | |
544 | errp) < 0) { | |
545 | goto cleanup; | |
546 | } | |
547 | ||
548 | if (memcmp(keydigest, luks->header.master_key_digest, | |
549 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { | |
550 | /* Success, we got the right master key */ | |
551 | ret = 1; | |
552 | goto cleanup; | |
553 | } | |
554 | ||
555 | /* Fail, user's password was not valid for this key slot, | |
556 | * tell caller to try another slot */ | |
557 | ret = 0; | |
558 | ||
559 | cleanup: | |
560 | qcrypto_ivgen_free(ivgen); | |
561 | qcrypto_cipher_free(cipher); | |
562 | g_free(splitkey); | |
563 | g_free(possiblekey); | |
564 | return ret; | |
565 | } | |
566 | ||
567 | ||
568 | /* | |
569 | * Given a user password, this will iterate over all key | |
570 | * slots and try to unlock each active key slot using the | |
571 | * password until it successfully obtains a master key. | |
572 | * | |
573 | * Returns 0 if a key was loaded, -1 if no keys could be loaded | |
574 | */ | |
575 | static int | |
576 | qcrypto_block_luks_find_key(QCryptoBlock *block, | |
577 | const char *password, | |
578 | QCryptoCipherAlgorithm cipheralg, | |
579 | QCryptoCipherMode ciphermode, | |
580 | QCryptoHashAlgorithm hash, | |
581 | QCryptoIVGenAlgorithm ivalg, | |
582 | QCryptoCipherAlgorithm ivcipheralg, | |
583 | QCryptoHashAlgorithm ivhash, | |
584 | uint8_t **masterkey, | |
585 | size_t *masterkeylen, | |
586 | QCryptoBlockReadFunc readfunc, | |
587 | void *opaque, | |
588 | Error **errp) | |
589 | { | |
590 | QCryptoBlockLUKS *luks = block->opaque; | |
591 | size_t i; | |
592 | int rv; | |
593 | ||
594 | *masterkey = g_new0(uint8_t, luks->header.key_bytes); | |
595 | *masterkeylen = luks->header.key_bytes; | |
596 | ||
597 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { | |
598 | rv = qcrypto_block_luks_load_key(block, | |
599 | &luks->header.key_slots[i], | |
600 | password, | |
601 | cipheralg, | |
602 | ciphermode, | |
603 | hash, | |
604 | ivalg, | |
605 | ivcipheralg, | |
606 | ivhash, | |
607 | *masterkey, | |
608 | *masterkeylen, | |
609 | readfunc, | |
610 | opaque, | |
611 | errp); | |
612 | if (rv < 0) { | |
613 | goto error; | |
614 | } | |
615 | if (rv == 1) { | |
616 | return 0; | |
617 | } | |
618 | } | |
619 | ||
620 | error_setg(errp, "Invalid password, cannot unlock any keyslot"); | |
621 | ||
622 | error: | |
623 | g_free(*masterkey); | |
624 | *masterkey = NULL; | |
625 | *masterkeylen = 0; | |
626 | return -1; | |
627 | } | |
628 | ||
629 | ||
630 | static int | |
631 | qcrypto_block_luks_open(QCryptoBlock *block, | |
632 | QCryptoBlockOpenOptions *options, | |
633 | QCryptoBlockReadFunc readfunc, | |
634 | void *opaque, | |
635 | unsigned int flags, | |
636 | Error **errp) | |
637 | { | |
638 | QCryptoBlockLUKS *luks; | |
639 | Error *local_err = NULL; | |
640 | int ret = 0; | |
641 | size_t i; | |
642 | ssize_t rv; | |
643 | uint8_t *masterkey = NULL; | |
644 | size_t masterkeylen; | |
645 | char *ivgen_name, *ivhash_name; | |
646 | QCryptoCipherMode ciphermode; | |
647 | QCryptoCipherAlgorithm cipheralg; | |
648 | QCryptoIVGenAlgorithm ivalg; | |
649 | QCryptoCipherAlgorithm ivcipheralg; | |
650 | QCryptoHashAlgorithm hash; | |
651 | QCryptoHashAlgorithm ivhash; | |
652 | char *password = NULL; | |
653 | ||
654 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { | |
655 | if (!options->u.luks.key_secret) { | |
656 | error_setg(errp, "Parameter 'key-secret' is required for cipher"); | |
657 | return -1; | |
658 | } | |
659 | password = qcrypto_secret_lookup_as_utf8( | |
660 | options->u.luks.key_secret, errp); | |
661 | if (!password) { | |
662 | return -1; | |
663 | } | |
664 | } | |
665 | ||
666 | luks = g_new0(QCryptoBlockLUKS, 1); | |
667 | block->opaque = luks; | |
668 | ||
669 | /* Read the entire LUKS header, minus the key material from | |
670 | * the underlying device */ | |
671 | rv = readfunc(block, 0, | |
672 | (uint8_t *)&luks->header, | |
673 | sizeof(luks->header), | |
674 | errp, | |
675 | opaque); | |
676 | if (rv < 0) { | |
677 | ret = rv; | |
678 | goto fail; | |
679 | } | |
680 | ||
681 | /* The header is always stored in big-endian format, so | |
682 | * convert everything to native */ | |
683 | be16_to_cpus(&luks->header.version); | |
684 | be32_to_cpus(&luks->header.payload_offset); | |
685 | be32_to_cpus(&luks->header.key_bytes); | |
686 | be32_to_cpus(&luks->header.master_key_iterations); | |
687 | ||
688 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { | |
689 | be32_to_cpus(&luks->header.key_slots[i].active); | |
690 | be32_to_cpus(&luks->header.key_slots[i].iterations); | |
691 | be32_to_cpus(&luks->header.key_slots[i].key_offset); | |
692 | be32_to_cpus(&luks->header.key_slots[i].stripes); | |
693 | } | |
694 | ||
695 | if (memcmp(luks->header.magic, qcrypto_block_luks_magic, | |
696 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { | |
697 | error_setg(errp, "Volume is not in LUKS format"); | |
698 | ret = -EINVAL; | |
699 | goto fail; | |
700 | } | |
701 | if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { | |
702 | error_setg(errp, "LUKS version %" PRIu32 " is not supported", | |
703 | luks->header.version); | |
704 | ret = -ENOTSUP; | |
705 | goto fail; | |
706 | } | |
707 | ||
708 | /* | |
709 | * The cipher_mode header contains a string that we have | |
710 | * to further parse, of the format | |
711 | * | |
712 | * <cipher-mode>-<iv-generator>[:<iv-hash>] | |
713 | * | |
714 | * eg cbc-essiv:sha256, cbc-plain64 | |
715 | */ | |
716 | ivgen_name = strchr(luks->header.cipher_mode, '-'); | |
717 | if (!ivgen_name) { | |
718 | ret = -EINVAL; | |
719 | error_setg(errp, "Unexpected cipher mode string format %s", | |
720 | luks->header.cipher_mode); | |
721 | goto fail; | |
722 | } | |
723 | *ivgen_name = '\0'; | |
724 | ivgen_name++; | |
725 | ||
726 | ivhash_name = strchr(ivgen_name, ':'); | |
727 | if (!ivhash_name) { | |
728 | ivhash = 0; | |
729 | } else { | |
730 | *ivhash_name = '\0'; | |
731 | ivhash_name++; | |
732 | ||
733 | ivhash = qcrypto_block_luks_hash_name_lookup(ivhash_name, | |
734 | &local_err); | |
735 | if (local_err) { | |
736 | ret = -ENOTSUP; | |
737 | error_propagate(errp, local_err); | |
738 | goto fail; | |
739 | } | |
740 | } | |
741 | ||
742 | ciphermode = qcrypto_block_luks_cipher_mode_lookup(luks->header.cipher_mode, | |
743 | &local_err); | |
744 | if (local_err) { | |
745 | ret = -ENOTSUP; | |
746 | error_propagate(errp, local_err); | |
747 | goto fail; | |
748 | } | |
749 | ||
750 | cipheralg = qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, | |
751 | ciphermode, | |
752 | luks->header.key_bytes, | |
753 | &local_err); | |
754 | if (local_err) { | |
755 | ret = -ENOTSUP; | |
756 | error_propagate(errp, local_err); | |
757 | goto fail; | |
758 | } | |
759 | ||
760 | hash = qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, | |
761 | &local_err); | |
762 | if (local_err) { | |
763 | ret = -ENOTSUP; | |
764 | error_propagate(errp, local_err); | |
765 | goto fail; | |
766 | } | |
767 | ||
768 | ivalg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, | |
769 | &local_err); | |
770 | if (local_err) { | |
771 | ret = -ENOTSUP; | |
772 | error_propagate(errp, local_err); | |
773 | goto fail; | |
774 | } | |
775 | ||
776 | if (ivalg == QCRYPTO_IVGEN_ALG_ESSIV) { | |
777 | ivcipheralg = qcrypto_block_luks_essiv_cipher(cipheralg, | |
778 | ivhash, | |
779 | &local_err); | |
780 | if (local_err) { | |
781 | ret = -ENOTSUP; | |
782 | error_propagate(errp, local_err); | |
783 | goto fail; | |
784 | } | |
785 | } else { | |
786 | ivcipheralg = cipheralg; | |
787 | } | |
788 | ||
789 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { | |
790 | /* Try to find which key slot our password is valid for | |
791 | * and unlock the master key from that slot. | |
792 | */ | |
793 | if (qcrypto_block_luks_find_key(block, | |
794 | password, | |
795 | cipheralg, ciphermode, | |
796 | hash, | |
797 | ivalg, | |
798 | ivcipheralg, | |
799 | ivhash, | |
800 | &masterkey, &masterkeylen, | |
801 | readfunc, opaque, | |
802 | errp) < 0) { | |
803 | ret = -EACCES; | |
804 | goto fail; | |
805 | } | |
806 | ||
807 | /* We have a valid master key now, so can setup the | |
808 | * block device payload decryption objects | |
809 | */ | |
810 | block->kdfhash = hash; | |
811 | block->niv = qcrypto_cipher_get_iv_len(cipheralg, | |
812 | ciphermode); | |
813 | block->ivgen = qcrypto_ivgen_new(ivalg, | |
814 | ivcipheralg, | |
815 | ivhash, | |
816 | masterkey, masterkeylen, | |
817 | errp); | |
818 | if (!block->ivgen) { | |
819 | ret = -ENOTSUP; | |
820 | goto fail; | |
821 | } | |
822 | ||
823 | block->cipher = qcrypto_cipher_new(cipheralg, | |
824 | ciphermode, | |
825 | masterkey, masterkeylen, | |
826 | errp); | |
827 | if (!block->cipher) { | |
828 | ret = -ENOTSUP; | |
829 | goto fail; | |
830 | } | |
831 | } | |
832 | ||
833 | block->payload_offset = luks->header.payload_offset * | |
834 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; | |
835 | ||
836 | g_free(masterkey); | |
837 | g_free(password); | |
838 | ||
839 | return 0; | |
840 | ||
841 | fail: | |
842 | g_free(masterkey); | |
843 | qcrypto_cipher_free(block->cipher); | |
844 | qcrypto_ivgen_free(block->ivgen); | |
845 | g_free(luks); | |
846 | g_free(password); | |
847 | return ret; | |
848 | } | |
849 | ||
850 | ||
851 | static int | |
852 | qcrypto_block_luks_uuid_gen(uint8_t *uuidstr, Error **errp) | |
853 | { | |
854 | #ifdef CONFIG_UUID | |
855 | uuid_t uuid; | |
856 | uuid_generate(uuid); | |
857 | uuid_unparse(uuid, (char *)uuidstr); | |
858 | return 0; | |
859 | #else | |
860 | error_setg(errp, "Unable to generate uuids on this platform"); | |
861 | return -1; | |
862 | #endif | |
863 | } | |
864 | ||
865 | static int | |
866 | qcrypto_block_luks_create(QCryptoBlock *block, | |
867 | QCryptoBlockCreateOptions *options, | |
868 | QCryptoBlockInitFunc initfunc, | |
869 | QCryptoBlockWriteFunc writefunc, | |
870 | void *opaque, | |
871 | Error **errp) | |
872 | { | |
873 | QCryptoBlockLUKS *luks; | |
874 | QCryptoBlockCreateOptionsLUKS luks_opts; | |
875 | Error *local_err = NULL; | |
876 | uint8_t *masterkey = NULL; | |
877 | uint8_t *slotkey = NULL; | |
878 | uint8_t *splitkey = NULL; | |
879 | size_t splitkeylen = 0; | |
880 | size_t i; | |
881 | QCryptoCipher *cipher = NULL; | |
882 | QCryptoIVGen *ivgen = NULL; | |
883 | char *password; | |
884 | const char *cipher_alg; | |
885 | const char *cipher_mode; | |
886 | const char *ivgen_alg; | |
887 | const char *ivgen_hash_alg = NULL; | |
888 | const char *hash_alg; | |
889 | char *cipher_mode_spec = NULL; | |
890 | QCryptoCipherAlgorithm ivcipheralg = 0; | |
891 | ||
892 | memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); | |
893 | if (!luks_opts.has_cipher_alg) { | |
894 | luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; | |
895 | } | |
896 | if (!luks_opts.has_cipher_mode) { | |
897 | luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; | |
898 | } | |
899 | if (!luks_opts.has_ivgen_alg) { | |
900 | luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; | |
901 | } | |
902 | if (!luks_opts.has_hash_alg) { | |
903 | luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; | |
904 | } | |
905 | ||
906 | if (!options->u.luks.key_secret) { | |
907 | error_setg(errp, "Parameter 'key-secret' is required for cipher"); | |
908 | return -1; | |
909 | } | |
910 | password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); | |
911 | if (!password) { | |
912 | return -1; | |
913 | } | |
914 | ||
915 | luks = g_new0(QCryptoBlockLUKS, 1); | |
916 | block->opaque = luks; | |
917 | ||
918 | memcpy(luks->header.magic, qcrypto_block_luks_magic, | |
919 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN); | |
920 | ||
921 | /* We populate the header in native endianness initially and | |
922 | * then convert everything to big endian just before writing | |
923 | * it out to disk | |
924 | */ | |
925 | luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; | |
926 | if (qcrypto_block_luks_uuid_gen(luks->header.uuid, | |
927 | errp) < 0) { | |
928 | goto error; | |
929 | } | |
930 | ||
931 | cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, | |
932 | errp); | |
933 | if (!cipher_alg) { | |
934 | goto error; | |
935 | } | |
936 | ||
937 | cipher_mode = QCryptoCipherMode_lookup[luks_opts.cipher_mode]; | |
938 | ivgen_alg = QCryptoIVGenAlgorithm_lookup[luks_opts.ivgen_alg]; | |
939 | if (luks_opts.has_ivgen_hash_alg) { | |
940 | ivgen_hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.ivgen_hash_alg]; | |
941 | cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, | |
942 | ivgen_hash_alg); | |
943 | } else { | |
944 | cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); | |
945 | } | |
946 | hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.hash_alg]; | |
947 | ||
948 | ||
949 | if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { | |
950 | error_setg(errp, "Cipher name '%s' is too long for LUKS header", | |
951 | cipher_alg); | |
952 | goto error; | |
953 | } | |
954 | if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { | |
955 | error_setg(errp, "Cipher mode '%s' is too long for LUKS header", | |
956 | cipher_mode_spec); | |
957 | goto error; | |
958 | } | |
959 | if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { | |
960 | error_setg(errp, "Hash name '%s' is too long for LUKS header", | |
961 | hash_alg); | |
962 | goto error; | |
963 | } | |
964 | ||
965 | if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { | |
966 | ivcipheralg = qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, | |
967 | luks_opts.ivgen_hash_alg, | |
968 | &local_err); | |
969 | if (local_err) { | |
970 | error_propagate(errp, local_err); | |
971 | goto error; | |
972 | } | |
973 | } else { | |
974 | ivcipheralg = luks_opts.cipher_alg; | |
975 | } | |
976 | ||
977 | strcpy(luks->header.cipher_name, cipher_alg); | |
978 | strcpy(luks->header.cipher_mode, cipher_mode_spec); | |
979 | strcpy(luks->header.hash_spec, hash_alg); | |
980 | ||
981 | luks->header.key_bytes = qcrypto_cipher_get_key_len(luks_opts.cipher_alg); | |
982 | if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { | |
983 | luks->header.key_bytes *= 2; | |
984 | } | |
985 | ||
986 | /* Generate the salt used for hashing the master key | |
987 | * with PBKDF later | |
988 | */ | |
989 | if (qcrypto_random_bytes(luks->header.master_key_salt, | |
990 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
991 | errp) < 0) { | |
992 | goto error; | |
993 | } | |
994 | ||
995 | /* Generate random master key */ | |
996 | masterkey = g_new0(uint8_t, luks->header.key_bytes); | |
997 | if (qcrypto_random_bytes(masterkey, | |
998 | luks->header.key_bytes, errp) < 0) { | |
999 | goto error; | |
1000 | } | |
1001 | ||
1002 | ||
1003 | /* Setup the block device payload encryption objects */ | |
1004 | block->cipher = qcrypto_cipher_new(luks_opts.cipher_alg, | |
1005 | luks_opts.cipher_mode, | |
1006 | masterkey, luks->header.key_bytes, | |
1007 | errp); | |
1008 | if (!block->cipher) { | |
1009 | goto error; | |
1010 | } | |
1011 | ||
1012 | block->kdfhash = luks_opts.hash_alg; | |
1013 | block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, | |
1014 | luks_opts.cipher_mode); | |
1015 | block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, | |
1016 | ivcipheralg, | |
1017 | luks_opts.ivgen_hash_alg, | |
1018 | masterkey, luks->header.key_bytes, | |
1019 | errp); | |
1020 | ||
1021 | if (!block->ivgen) { | |
1022 | goto error; | |
1023 | } | |
1024 | ||
1025 | ||
1026 | /* Determine how many iterations we need to hash the master | |
1027 | * key, in order to have 1 second of compute time used | |
1028 | */ | |
1029 | luks->header.master_key_iterations = | |
1030 | qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, | |
1031 | masterkey, luks->header.key_bytes, | |
1032 | luks->header.master_key_salt, | |
1033 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
1034 | &local_err); | |
1035 | if (local_err) { | |
1036 | error_propagate(errp, local_err); | |
1037 | goto error; | |
1038 | } | |
1039 | ||
1040 | /* Why /= 8 ? That matches cryptsetup, but there's no | |
1041 | * explanation why they chose /= 8... Probably so that | |
1042 | * if all 8 keyslots are active we only spend 1 second | |
1043 | * in total time to check all keys */ | |
1044 | luks->header.master_key_iterations /= 8; | |
1045 | luks->header.master_key_iterations = MAX( | |
1046 | luks->header.master_key_iterations, | |
1047 | QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); | |
1048 | ||
1049 | ||
1050 | /* Hash the master key, saving the result in the LUKS | |
1051 | * header. This hash is used when opening the encrypted | |
1052 | * device to verify that the user password unlocked a | |
1053 | * valid master key | |
1054 | */ | |
1055 | if (qcrypto_pbkdf2(luks_opts.hash_alg, | |
1056 | masterkey, luks->header.key_bytes, | |
1057 | luks->header.master_key_salt, | |
1058 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
1059 | luks->header.master_key_iterations, | |
1060 | luks->header.master_key_digest, | |
1061 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN, | |
1062 | errp) < 0) { | |
1063 | goto error; | |
1064 | } | |
1065 | ||
1066 | ||
1067 | /* Although LUKS has multiple key slots, we're just going | |
1068 | * to use the first key slot */ | |
1069 | splitkeylen = luks->header.key_bytes * QCRYPTO_BLOCK_LUKS_STRIPES; | |
1070 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { | |
1071 | luks->header.key_slots[i].active = i == 0 ? | |
1072 | QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED : | |
1073 | QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; | |
1074 | luks->header.key_slots[i].stripes = QCRYPTO_BLOCK_LUKS_STRIPES; | |
1075 | ||
1076 | /* This calculation doesn't match that shown in the spec, | |
1077 | * but instead follows the cryptsetup implementation. | |
1078 | */ | |
1079 | luks->header.key_slots[i].key_offset = | |
1080 | (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / | |
1081 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) + | |
1082 | (ROUND_UP(((splitkeylen + (QCRYPTO_BLOCK_LUKS_SECTOR_SIZE - 1)) / | |
1083 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE), | |
1084 | (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / | |
1085 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) * i); | |
1086 | } | |
1087 | ||
1088 | if (qcrypto_random_bytes(luks->header.key_slots[0].salt, | |
1089 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
1090 | errp) < 0) { | |
1091 | goto error; | |
1092 | } | |
1093 | ||
1094 | /* Again we determine how many iterations are required to | |
1095 | * hash the user password while consuming 1 second of compute | |
1096 | * time */ | |
1097 | luks->header.key_slots[0].iterations = | |
1098 | qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, | |
1099 | (uint8_t *)password, strlen(password), | |
1100 | luks->header.key_slots[0].salt, | |
1101 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
1102 | &local_err); | |
1103 | if (local_err) { | |
1104 | error_propagate(errp, local_err); | |
1105 | goto error; | |
1106 | } | |
1107 | /* Why /= 2 ? That matches cryptsetup, but there's no | |
1108 | * explanation why they chose /= 2... */ | |
1109 | luks->header.key_slots[0].iterations /= 2; | |
1110 | luks->header.key_slots[0].iterations = MAX( | |
1111 | luks->header.key_slots[0].iterations, | |
1112 | QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); | |
1113 | ||
1114 | ||
1115 | /* Generate a key that we'll use to encrypt the master | |
1116 | * key, from the user's password | |
1117 | */ | |
1118 | slotkey = g_new0(uint8_t, luks->header.key_bytes); | |
1119 | if (qcrypto_pbkdf2(luks_opts.hash_alg, | |
1120 | (uint8_t *)password, strlen(password), | |
1121 | luks->header.key_slots[0].salt, | |
1122 | QCRYPTO_BLOCK_LUKS_SALT_LEN, | |
1123 | luks->header.key_slots[0].iterations, | |
1124 | slotkey, luks->header.key_bytes, | |
1125 | errp) < 0) { | |
1126 | goto error; | |
1127 | } | |
1128 | ||
1129 | ||
1130 | /* Setup the encryption objects needed to encrypt the | |
1131 | * master key material | |
1132 | */ | |
1133 | cipher = qcrypto_cipher_new(luks_opts.cipher_alg, | |
1134 | luks_opts.cipher_mode, | |
1135 | slotkey, luks->header.key_bytes, | |
1136 | errp); | |
1137 | if (!cipher) { | |
1138 | goto error; | |
1139 | } | |
1140 | ||
1141 | ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, | |
1142 | ivcipheralg, | |
1143 | luks_opts.ivgen_hash_alg, | |
1144 | slotkey, luks->header.key_bytes, | |
1145 | errp); | |
1146 | if (!ivgen) { | |
1147 | goto error; | |
1148 | } | |
1149 | ||
1150 | /* Before storing the master key, we need to vastly | |
1151 | * increase its size, as protection against forensic | |
1152 | * disk data recovery */ | |
1153 | splitkey = g_new0(uint8_t, splitkeylen); | |
1154 | ||
1155 | if (qcrypto_afsplit_encode(luks_opts.hash_alg, | |
1156 | luks->header.key_bytes, | |
1157 | luks->header.key_slots[0].stripes, | |
1158 | masterkey, | |
1159 | splitkey, | |
1160 | errp) < 0) { | |
1161 | goto error; | |
1162 | } | |
1163 | ||
1164 | /* Now we encrypt the split master key with the key generated | |
1165 | * from the user's password, before storing it */ | |
1166 | if (qcrypto_block_encrypt_helper(cipher, block->niv, ivgen, | |
1167 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
1168 | 0, | |
1169 | splitkey, | |
1170 | splitkeylen, | |
1171 | errp) < 0) { | |
1172 | goto error; | |
1173 | } | |
1174 | ||
1175 | ||
1176 | /* The total size of the LUKS headers is the partition header + key | |
1177 | * slot headers, rounded up to the nearest sector, combined with | |
1178 | * the size of each master key material region, also rounded up | |
1179 | * to the nearest sector */ | |
1180 | luks->header.payload_offset = | |
1181 | (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / | |
1182 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) + | |
1183 | (ROUND_UP(((splitkeylen + (QCRYPTO_BLOCK_LUKS_SECTOR_SIZE - 1)) / | |
1184 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE), | |
1185 | (QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / | |
1186 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) * | |
1187 | QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); | |
1188 | ||
1189 | block->payload_offset = luks->header.payload_offset * | |
1190 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; | |
1191 | ||
1192 | /* Reserve header space to match payload offset */ | |
1193 | initfunc(block, block->payload_offset, &local_err, opaque); | |
1194 | if (local_err) { | |
1195 | error_propagate(errp, local_err); | |
1196 | goto error; | |
1197 | } | |
1198 | ||
1199 | /* Everything on disk uses Big Endian, so flip header fields | |
1200 | * before writing them */ | |
1201 | cpu_to_be16s(&luks->header.version); | |
1202 | cpu_to_be32s(&luks->header.payload_offset); | |
1203 | cpu_to_be32s(&luks->header.key_bytes); | |
1204 | cpu_to_be32s(&luks->header.master_key_iterations); | |
1205 | ||
1206 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { | |
1207 | cpu_to_be32s(&luks->header.key_slots[i].active); | |
1208 | cpu_to_be32s(&luks->header.key_slots[i].iterations); | |
1209 | cpu_to_be32s(&luks->header.key_slots[i].key_offset); | |
1210 | cpu_to_be32s(&luks->header.key_slots[i].stripes); | |
1211 | } | |
1212 | ||
1213 | ||
1214 | /* Write out the partition header and key slot headers */ | |
1215 | writefunc(block, 0, | |
1216 | (const uint8_t *)&luks->header, | |
1217 | sizeof(luks->header), | |
1218 | &local_err, | |
1219 | opaque); | |
1220 | ||
1221 | /* Delay checking local_err until we've byte-swapped */ | |
1222 | ||
1223 | /* Byte swap the header back to native, in case we need | |
1224 | * to read it again later */ | |
1225 | be16_to_cpus(&luks->header.version); | |
1226 | be32_to_cpus(&luks->header.payload_offset); | |
1227 | be32_to_cpus(&luks->header.key_bytes); | |
1228 | be32_to_cpus(&luks->header.master_key_iterations); | |
1229 | ||
1230 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { | |
1231 | be32_to_cpus(&luks->header.key_slots[i].active); | |
1232 | be32_to_cpus(&luks->header.key_slots[i].iterations); | |
1233 | be32_to_cpus(&luks->header.key_slots[i].key_offset); | |
1234 | be32_to_cpus(&luks->header.key_slots[i].stripes); | |
1235 | } | |
1236 | ||
1237 | if (local_err) { | |
1238 | error_propagate(errp, local_err); | |
1239 | goto error; | |
1240 | } | |
1241 | ||
1242 | /* Write out the master key material, starting at the | |
1243 | * sector immediately following the partition header. */ | |
1244 | if (writefunc(block, | |
1245 | luks->header.key_slots[0].key_offset * | |
1246 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
1247 | splitkey, splitkeylen, | |
1248 | errp, | |
1249 | opaque) != splitkeylen) { | |
1250 | goto error; | |
1251 | } | |
1252 | ||
1253 | memset(masterkey, 0, luks->header.key_bytes); | |
1254 | g_free(masterkey); | |
1255 | memset(slotkey, 0, luks->header.key_bytes); | |
1256 | g_free(slotkey); | |
1257 | g_free(splitkey); | |
1258 | g_free(password); | |
1259 | g_free(cipher_mode_spec); | |
1260 | ||
1261 | qcrypto_ivgen_free(ivgen); | |
1262 | qcrypto_cipher_free(cipher); | |
1263 | ||
1264 | return 0; | |
1265 | ||
1266 | error: | |
1267 | if (masterkey) { | |
1268 | memset(masterkey, 0, luks->header.key_bytes); | |
1269 | } | |
1270 | g_free(masterkey); | |
1271 | if (slotkey) { | |
1272 | memset(slotkey, 0, luks->header.key_bytes); | |
1273 | } | |
1274 | g_free(slotkey); | |
1275 | g_free(splitkey); | |
1276 | g_free(password); | |
1277 | g_free(cipher_mode_spec); | |
1278 | ||
1279 | qcrypto_ivgen_free(ivgen); | |
1280 | qcrypto_cipher_free(cipher); | |
1281 | ||
1282 | g_free(luks); | |
1283 | return -1; | |
1284 | } | |
1285 | ||
1286 | ||
1287 | static void qcrypto_block_luks_cleanup(QCryptoBlock *block) | |
1288 | { | |
1289 | g_free(block->opaque); | |
1290 | } | |
1291 | ||
1292 | ||
1293 | static int | |
1294 | qcrypto_block_luks_decrypt(QCryptoBlock *block, | |
1295 | uint64_t startsector, | |
1296 | uint8_t *buf, | |
1297 | size_t len, | |
1298 | Error **errp) | |
1299 | { | |
1300 | return qcrypto_block_decrypt_helper(block->cipher, | |
1301 | block->niv, block->ivgen, | |
1302 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
1303 | startsector, buf, len, errp); | |
1304 | } | |
1305 | ||
1306 | ||
1307 | static int | |
1308 | qcrypto_block_luks_encrypt(QCryptoBlock *block, | |
1309 | uint64_t startsector, | |
1310 | uint8_t *buf, | |
1311 | size_t len, | |
1312 | Error **errp) | |
1313 | { | |
1314 | return qcrypto_block_encrypt_helper(block->cipher, | |
1315 | block->niv, block->ivgen, | |
1316 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, | |
1317 | startsector, buf, len, errp); | |
1318 | } | |
1319 | ||
1320 | ||
1321 | const QCryptoBlockDriver qcrypto_block_driver_luks = { | |
1322 | .open = qcrypto_block_luks_open, | |
1323 | .create = qcrypto_block_luks_create, | |
1324 | .cleanup = qcrypto_block_luks_cleanup, | |
1325 | .decrypt = qcrypto_block_luks_decrypt, | |
1326 | .encrypt = qcrypto_block_luks_encrypt, | |
1327 | .has_format = qcrypto_block_luks_has_format, | |
1328 | }; |