]> git.proxmox.com Git - mirror_qemu.git/blame - crypto/block-luks.c
projects / mirror_qemu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
crypto: Introduce SM4 symmetric cipher algorithm
[mirror_qemu.git] / crypto / block-luks.c
CommitLineData
3e308f20
DB		 1/*
2 * QEMU Crypto block device encryption LUKS format
3 *
4 * Copyright (c) 2015-2016 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
b7cbb874 9 * version 2.1 of the License, or (at your option) any later version.
3e308f20
DB		 10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
20
21#include "qemu/osdep.h"
da34e65c 22#include "qapi/error.h"
58369e22 23#include "qemu/bswap.h"
3e308f20 24
986bc8de 25#include "block-luks.h"
36445ace 26#include "block-luks-priv.h"
3e308f20
DB		 27
28#include "crypto/hash.h"
29#include "crypto/afsplit.h"
30#include "crypto/pbkdf.h"
31#include "crypto/secret.h"
32#include "crypto/random.h"
2ef950f9 33#include "qemu/uuid.h"
3e308f20 34
557d2bdc 35#include "qemu/bitmap.h"
3e308f20
DB		 36
37/*
38 * Reference for the LUKS format implemented here is
39 *
40 * docs/on-disk-format.pdf
41 *
42 * in 'cryptsetup' package source code
43 *
44 * This file implements the 1.2.1 specification, dated
45 * Oct 16, 2011.
46 */
47
48typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
3e308f20
DB		 49
50typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
51struct QCryptoBlockLUKSNameMap {
52 const char *name;
53 int id;
54};
55
56typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
57struct QCryptoBlockLUKSCipherSizeMap {
58 uint32_t key_bytes;
59 int id;
60};
61typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
62struct QCryptoBlockLUKSCipherNameMap {
63 const char *name;
64 const QCryptoBlockLUKSCipherSizeMap *sizes;
65};
66
67
68static const QCryptoBlockLUKSCipherSizeMap
69qcrypto_block_luks_cipher_size_map_aes[] = {
70 { 16, QCRYPTO_CIPHER_ALG_AES_128 },
71 { 24, QCRYPTO_CIPHER_ALG_AES_192 },
72 { 32, QCRYPTO_CIPHER_ALG_AES_256 },
73 { 0, 0 },
74};
75
76static const QCryptoBlockLUKSCipherSizeMap
77qcrypto_block_luks_cipher_size_map_cast5[] = {
78 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
79 { 0, 0 },
80};
81
82static const QCryptoBlockLUKSCipherSizeMap
83qcrypto_block_luks_cipher_size_map_serpent[] = {
84 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
85 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
86 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
87 { 0, 0 },
88};
89
90static const QCryptoBlockLUKSCipherSizeMap
91qcrypto_block_luks_cipher_size_map_twofish[] = {
92 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
93 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
94 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
95 { 0, 0 },
96};
97
52ed9f45
HH		 98#ifdef CONFIG_CRYPTO_SM4
99static const QCryptoBlockLUKSCipherSizeMap
100qcrypto_block_luks_cipher_size_map_sm4[] = {
101 { 16, QCRYPTO_CIPHER_ALG_SM4},
102 { 0, 0 },
103};
104#endif
105
3e308f20
DB		 106static const QCryptoBlockLUKSCipherNameMap
107qcrypto_block_luks_cipher_name_map[] = {
108 { "aes", qcrypto_block_luks_cipher_size_map_aes },
109 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
110 { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
111 { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
52ed9f45
HH		 112#ifdef CONFIG_CRYPTO_SM4
113 { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
114#endif
3e308f20
DB		 115};
116
3e308f20 117QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
3e308f20
DB		 118QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
119
120
121struct QCryptoBlockLUKS {
122 QCryptoBlockLUKSHeader header;
40c85028 123
9d80e59d 124 /* Main encryption algorithm used for encryption*/
40c85028 125 QCryptoCipherAlgorithm cipher_alg;
9d80e59d
ML		 126
127 /* Mode of encryption for the selected encryption algorithm */
40c85028 128 QCryptoCipherMode cipher_mode;
9d80e59d
ML		 129
130 /* Initialization vector generation algorithm */
40c85028 131 QCryptoIVGenAlgorithm ivgen_alg;
9d80e59d
ML		 132
133 /* Hash algorithm used for IV generation*/
40c85028 134 QCryptoHashAlgorithm ivgen_hash_alg;
9d80e59d
ML		 135
136 /*
137 * Encryption algorithm used for IV generation.
138 * Usually the same as main encryption algorithm
139 */
140 QCryptoCipherAlgorithm ivgen_cipher_alg;
141
142 /* Hash algorithm used in pbkdf2 function */
40c85028 143 QCryptoHashAlgorithm hash_alg;
557d2bdc
ML		 144
145 /* Name of the secret that was used to open the image */
146 char *secret;
3e308f20
DB		 147};
148
149
150static int qcrypto_block_luks_cipher_name_lookup(const char *name,
151 QCryptoCipherMode mode,
152 uint32_t key_bytes,
153 Error **errp)
154{
155 const QCryptoBlockLUKSCipherNameMap *map =
156 qcrypto_block_luks_cipher_name_map;
157 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
158 size_t i, j;
159
160 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
161 key_bytes /= 2;
162 }
163
164 for (i = 0; i < maplen; i++) {
165 if (!g_str_equal(map[i].name, name)) {
166 continue;
167 }
168 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
169 if (map[i].sizes[j].key_bytes == key_bytes) {
170 return map[i].sizes[j].id;
171 }
172 }
173 }
174
6c198932 175 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
3e308f20
DB		 176 name, key_bytes);
177 return 0;
178}
179
180static const char *
181qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
182 Error **errp)
183{
184 const QCryptoBlockLUKSCipherNameMap *map =
185 qcrypto_block_luks_cipher_name_map;
186 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
187 size_t i, j;
188 for (i = 0; i < maplen; i++) {
189 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
190 if (map[i].sizes[j].id == alg) {
191 return map[i].name;
192 }
193 }
194 }
195
196 error_setg(errp, "Algorithm '%s' not supported",
977c736f 197 QCryptoCipherAlgorithm_str(alg));
3e308f20
DB		 198 return NULL;
199}
200
201/* XXX replace with qapi_enum_parse() in future, when we can
202 * make that function emit a more friendly error message */
203static int qcrypto_block_luks_name_lookup(const char *name,
f7abe0ec 204 const QEnumLookup *map,
3e308f20
DB		 205 const char *type,
206 Error **errp)
207{
9ae33079 208 int ret = qapi_enum_parse(map, name, -1, NULL);
3e308f20 209
9ae33079 210 if (ret < 0) {
6c198932 211 error_setg(errp, "%s '%s' not supported", type, name);
9ae33079
MA		 212 return 0;
213 }
214 return ret;
3e308f20
DB		 215}
216
217#define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
218 qcrypto_block_luks_name_lookup(name, \
f7abe0ec 219 &QCryptoCipherMode_lookup, \
3e308f20
DB		 220 "Cipher mode", \
221 errp)
222
223#define qcrypto_block_luks_hash_name_lookup(name, errp) \
224 qcrypto_block_luks_name_lookup(name, \
f7abe0ec 225 &QCryptoHashAlgorithm_lookup, \
3e308f20
DB		 226 "Hash algorithm", \
227 errp)
228
229#define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
230 qcrypto_block_luks_name_lookup(name, \
f7abe0ec 231 &QCryptoIVGenAlgorithm_lookup, \
3e308f20
DB		 232 "IV generator", \
233 errp)
234
235
236static bool
237qcrypto_block_luks_has_format(const uint8_t *buf,
238 size_t buf_size)
239{
240 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
241
242 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
243 memcmp(luks_header->magic, qcrypto_block_luks_magic,
244 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
245 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
246 return true;
247 } else {
248 return false;
249 }
250}
251
252
253/**
254 * Deal with a quirk of dm-crypt usage of ESSIV.
255 *
256 * When calculating ESSIV IVs, the cipher length used by ESSIV
257 * may be different from the cipher length used for the block
0a19d879 258 * encryption, because dm-crypt uses the hash digest length
3e308f20
DB		 259 * as the key size. ie, if you have AES 128 as the block cipher
260 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
261 * the cipher since that gets a key length matching the digest
262 * size, not AES 128 with truncated digest as might be imagined
263 */
264static QCryptoCipherAlgorithm
265qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
266 QCryptoHashAlgorithm hash,
267 Error **errp)
268{
269 size_t digestlen = qcrypto_hash_digest_len(hash);
270 size_t keylen = qcrypto_cipher_get_key_len(cipher);
271 if (digestlen == keylen) {
272 return cipher;
273 }
274
275 switch (cipher) {
276 case QCRYPTO_CIPHER_ALG_AES_128:
277 case QCRYPTO_CIPHER_ALG_AES_192:
278 case QCRYPTO_CIPHER_ALG_AES_256:
279 if (digestlen == qcrypto_cipher_get_key_len(
280 QCRYPTO_CIPHER_ALG_AES_128)) {
281 return QCRYPTO_CIPHER_ALG_AES_128;
282 } else if (digestlen == qcrypto_cipher_get_key_len(
283 QCRYPTO_CIPHER_ALG_AES_192)) {
284 return QCRYPTO_CIPHER_ALG_AES_192;
285 } else if (digestlen == qcrypto_cipher_get_key_len(
286 QCRYPTO_CIPHER_ALG_AES_256)) {
287 return QCRYPTO_CIPHER_ALG_AES_256;
288 } else {
289 error_setg(errp, "No AES cipher with key size %zu available",
290 digestlen);
291 return 0;
292 }
293 break;
294 case QCRYPTO_CIPHER_ALG_SERPENT_128:
295 case QCRYPTO_CIPHER_ALG_SERPENT_192:
296 case QCRYPTO_CIPHER_ALG_SERPENT_256:
297 if (digestlen == qcrypto_cipher_get_key_len(
298 QCRYPTO_CIPHER_ALG_SERPENT_128)) {
299 return QCRYPTO_CIPHER_ALG_SERPENT_128;
300 } else if (digestlen == qcrypto_cipher_get_key_len(
301 QCRYPTO_CIPHER_ALG_SERPENT_192)) {
302 return QCRYPTO_CIPHER_ALG_SERPENT_192;
303 } else if (digestlen == qcrypto_cipher_get_key_len(
304 QCRYPTO_CIPHER_ALG_SERPENT_256)) {
305 return QCRYPTO_CIPHER_ALG_SERPENT_256;
306 } else {
307 error_setg(errp, "No Serpent cipher with key size %zu available",
308 digestlen);
309 return 0;
310 }
311 break;
312 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
313 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
314 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
315 if (digestlen == qcrypto_cipher_get_key_len(
316 QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
317 return QCRYPTO_CIPHER_ALG_TWOFISH_128;
318 } else if (digestlen == qcrypto_cipher_get_key_len(
319 QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
320 return QCRYPTO_CIPHER_ALG_TWOFISH_192;
321 } else if (digestlen == qcrypto_cipher_get_key_len(
322 QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
323 return QCRYPTO_CIPHER_ALG_TWOFISH_256;
324 } else {
325 error_setg(errp, "No Twofish cipher with key size %zu available",
326 digestlen);
327 return 0;
328 }
329 break;
330 default:
331 error_setg(errp, "Cipher %s not supported with essiv",
977c736f 332 QCryptoCipherAlgorithm_str(cipher));
3e308f20
DB		 333 return 0;
334 }
335}
336
bd56a55a
ML		 337/*
338 * Returns number of sectors needed to store the key material
339 * given number of anti forensic stripes
340 */
341static int
342qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
343 unsigned int header_sectors,
344 unsigned int stripes)
345{
346 /*
347 * This calculation doesn't match that shown in the spec,
348 * but instead follows the cryptsetup implementation.
349 */
350
351 size_t splitkeylen = luks->header.master_key_len * stripes;
352
353 /* First align the key material size to block size*/
354 size_t splitkeylen_sectors =
355 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
356
357 /* Then also align the key material size to the size of the header */
358 return ROUND_UP(splitkeylen_sectors, header_sectors);
359}
360
98c72dfb
DB		 361
362void
363qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
364{
365 size_t i;
366
367 /*
368 * Everything on disk uses Big Endian (tm), so flip header fields
369 * before writing them
370 */
371 cpu_to_be16s(&hdr->version);
372 cpu_to_be32s(&hdr->payload_offset_sector);
373 cpu_to_be32s(&hdr->master_key_len);
374 cpu_to_be32s(&hdr->master_key_iterations);
375
376 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
377 cpu_to_be32s(&hdr->key_slots[i].active);
378 cpu_to_be32s(&hdr->key_slots[i].iterations);
379 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
380 cpu_to_be32s(&hdr->key_slots[i].stripes);
381 }
382}
383
384void
385qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
386{
387 size_t i;
388
389 /*
390 * The header is always stored in big-endian format, so
391 * convert everything to native
392 */
393 be16_to_cpus(&hdr->version);
394 be32_to_cpus(&hdr->payload_offset_sector);
395 be32_to_cpus(&hdr->master_key_len);
396 be32_to_cpus(&hdr->master_key_iterations);
397
398 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
399 be32_to_cpus(&hdr->key_slots[i].active);
400 be32_to_cpus(&hdr->key_slots[i].iterations);
401 be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
402 be32_to_cpus(&hdr->key_slots[i].stripes);
403 }
404}
405
dde2c5af 406/*
0a19d879 407 * Stores the main LUKS header, taking care of endianness
dde2c5af
ML		 408 */
409static int
410qcrypto_block_luks_store_header(QCryptoBlock *block,
411 QCryptoBlockWriteFunc writefunc,
412 void *opaque,
413 Error **errp)
414{
415 const QCryptoBlockLUKS *luks = block->opaque;
416 Error *local_err = NULL;
dde2c5af
ML		 417 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
418
419 /* Create a copy of the header */
420 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
421 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
422
98c72dfb 423 qcrypto_block_luks_to_disk_endian(hdr_copy);
dde2c5af
ML		 424
425 /* Write out the partition header and key slot headers */
426 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
427 opaque, &local_err);
428
429 if (local_err) {
430 error_propagate(errp, local_err);
431 return -1;
432 }
433 return 0;
434}
435
436/*
0a19d879 437 * Loads the main LUKS header, and byteswaps it to native endianness
dde2c5af
ML		 438 * And run basic sanity checks on it
439 */
440static int
441qcrypto_block_luks_load_header(QCryptoBlock *block,
442 QCryptoBlockReadFunc readfunc,
443 void *opaque,
444 Error **errp)
445{
757dda54 446 int rv;
dde2c5af
ML		 447 QCryptoBlockLUKS *luks = block->opaque;
448
449 /*
450 * Read the entire LUKS header, minus the key material from
451 * the underlying device
452 */
453 rv = readfunc(block, 0,
454 (uint8_t *)&luks->header,
455 sizeof(luks->header),
456 opaque,
457 errp);
458 if (rv < 0) {
459 return rv;
460 }
461
98c72dfb 462 qcrypto_block_luks_from_disk_endian(&luks->header);
dde2c5af
ML		 463
464 return 0;
465}
466
9fa9c1c2
ML		 467/*
468 * Does basic sanity checks on the LUKS header
469 */
470static int
471qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
472{
befdba9e
ML		 473 size_t i, j;
474
475 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
476 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
477
9fa9c1c2
ML		 478 if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
479 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
480 error_setg(errp, "Volume is not in LUKS format");
481 return -1;
482 }
483
484 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
485 error_setg(errp, "LUKS version %" PRIu32 " is not supported",
486 luks->header.version);
487 return -1;
488 }
befdba9e 489
c1d8634c
DB		 490 if (!memchr(luks->header.cipher_name, '\0',
491 sizeof(luks->header.cipher_name))) {
492 error_setg(errp, "LUKS header cipher name is not NUL terminated");
493 return -1;
494 }
495
496 if (!memchr(luks->header.cipher_mode, '\0',
497 sizeof(luks->header.cipher_mode))) {
498 error_setg(errp, "LUKS header cipher mode is not NUL terminated");
499 return -1;
500 }
501
502 if (!memchr(luks->header.hash_spec, '\0',
503 sizeof(luks->header.hash_spec))) {
504 error_setg(errp, "LUKS header hash spec is not NUL terminated");
505 return -1;
506 }
507
d233fbc3
DB		 508 if (luks->header.payload_offset_sector <
509 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
510 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
511 error_setg(errp, "LUKS payload is overlapping with the header");
512 return -1;
513 }
514
b57151ac
DB		 515 if (luks->header.master_key_iterations == 0) {
516 error_setg(errp, "LUKS key iteration count is zero");
517 return -1;
518 }
519
befdba9e
ML		 520 /* Check all keyslots for corruption */
521 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
522
523 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
524 unsigned int start1 = slot1->key_offset_sector;
525 unsigned int len1 =
526 qcrypto_block_luks_splitkeylen_sectors(luks,
527 header_sectors,
528 slot1->stripes);
529
f1195961
DB		 530 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
531 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
532 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
befdba9e
ML		 533 return -1;
534 }
535
536 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
537 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
538 error_setg(errp,
539 "Keyslot %zu state (active/disable) is corrupted", i);
540 return -1;
541 }
542
b57151ac
DB		 543 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
544 slot1->iterations == 0) {
545 error_setg(errp, "Keyslot %zu iteration count is zero", i);
546 return -1;
547 }
548
c5f69628 549 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
93569c37
DB		 550 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
551 error_setg(errp,
552 "Keyslot %zu is overlapping with the LUKS header",
553 i);
554 return -1;
555 }
556
befdba9e
ML		 557 if (start1 + len1 > luks->header.payload_offset_sector) {
558 error_setg(errp,
559 "Keyslot %zu is overlapping with the encrypted payload",
560 i);
561 return -1;
562 }
563
564 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
565 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
566 unsigned int start2 = slot2->key_offset_sector;
567 unsigned int len2 =
568 qcrypto_block_luks_splitkeylen_sectors(luks,
569 header_sectors,
570 slot2->stripes);
571
572 if (start1 + len1 > start2 && start2 + len2 > start1) {
573 error_setg(errp,
574 "Keyslots %zu and %zu are overlapping in the header",
575 i, j);
576 return -1;
577 }
578 }
579
580 }
9fa9c1c2
ML		 581 return 0;
582}
583
584/*
585 * Parses the crypto parameters that are stored in the LUKS header
586 */
587
588static int
589qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
590{
591 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
592 char *ivgen_name, *ivhash_name;
593 Error *local_err = NULL;
594
595 /*
596 * The cipher_mode header contains a string that we have
597 * to further parse, of the format
598 *
599 * <cipher-mode>-<iv-generator>[:<iv-hash>]
600 *
601 * eg cbc-essiv:sha256, cbc-plain64
602 */
603 ivgen_name = strchr(cipher_mode, '-');
604 if (!ivgen_name) {
6c198932 605 error_setg(errp, "Unexpected cipher mode string format '%s'",
9fa9c1c2
ML		 606 luks->header.cipher_mode);
607 return -1;
608 }
609 *ivgen_name = '\0';
610 ivgen_name++;
611
612 ivhash_name = strchr(ivgen_name, ':');
613 if (!ivhash_name) {
614 luks->ivgen_hash_alg = 0;
615 } else {
616 *ivhash_name = '\0';
617 ivhash_name++;
618
619 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
620 &local_err);
621 if (local_err) {
622 error_propagate(errp, local_err);
623 return -1;
624 }
625 }
626
627 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
628 &local_err);
629 if (local_err) {
630 error_propagate(errp, local_err);
631 return -1;
632 }
633
634 luks->cipher_alg =
635 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
636 luks->cipher_mode,
637 luks->header.master_key_len,
638 &local_err);
639 if (local_err) {
640 error_propagate(errp, local_err);
641 return -1;
642 }
643
644 luks->hash_alg =
645 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
646 &local_err);
647 if (local_err) {
648 error_propagate(errp, local_err);
649 return -1;
650 }
651
652 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
653 &local_err);
654 if (local_err) {
655 error_propagate(errp, local_err);
656 return -1;
657 }
658
659 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
660 if (!ivhash_name) {
661 error_setg(errp, "Missing IV generator hash specification");
662 return -1;
663 }
664 luks->ivgen_cipher_alg =
665 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
666 luks->ivgen_hash_alg,
667 &local_err);
668 if (local_err) {
669 error_propagate(errp, local_err);
670 return -1;
671 }
672 } else {
673
674 /*
675 * Note we parsed the ivhash_name earlier in the cipher_mode
676 * spec string even with plain/plain64 ivgens, but we
677 * will ignore it, since it is irrelevant for these ivgens.
678 * This is for compat with dm-crypt which will silently
679 * ignore hash names with these ivgens rather than report
680 * an error about the invalid usage
681 */
682 luks->ivgen_cipher_alg = luks->cipher_alg;
683 }
684 return 0;
685}
686
3994a7c9
ML		 687/*
688 * Given a key slot, user password, and the master key,
689 * will store the encrypted master key there, and update the
690 * in-memory header. User must then write the in-memory header
691 *
692 * Returns:
693 * 0 if the keyslot was written successfully
694 * with the provided password
695 * -1 if a fatal error occurred while storing the key
696 */
697static int
698qcrypto_block_luks_store_key(QCryptoBlock *block,
699 unsigned int slot_idx,
700 const char *password,
701 uint8_t *masterkey,
702 uint64_t iter_time,
703 QCryptoBlockWriteFunc writefunc,
704 void *opaque,
705 Error **errp)
706{
707 QCryptoBlockLUKS *luks = block->opaque;
557d2bdc 708 QCryptoBlockLUKSKeySlot *slot;
3994a7c9
ML		 709 g_autofree uint8_t *splitkey = NULL;
710 size_t splitkeylen;
711 g_autofree uint8_t *slotkey = NULL;
712 g_autoptr(QCryptoCipher) cipher = NULL;
713 g_autoptr(QCryptoIVGen) ivgen = NULL;
714 Error *local_err = NULL;
715 uint64_t iters;
716 int ret = -1;
717
557d2bdc
ML		 718 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
719 slot = &luks->header.key_slots[slot_idx];
55a01cab
AO		 720 splitkeylen = luks->header.master_key_len * slot->stripes;
721
3994a7c9
ML		 722 if (qcrypto_random_bytes(slot->salt,
723 QCRYPTO_BLOCK_LUKS_SALT_LEN,
724 errp) < 0) {
725 goto cleanup;
726 }
727
3994a7c9
ML		 728 /*
729 * Determine how many iterations are required to
730 * hash the user password while consuming 1 second of compute
731 * time
732 */
733 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
734 (uint8_t *)password, strlen(password),
735 slot->salt,
736 QCRYPTO_BLOCK_LUKS_SALT_LEN,
737 luks->header.master_key_len,
738 &local_err);
739 if (local_err) {
740 error_propagate(errp, local_err);
741 goto cleanup;
742 }
743
744 if (iters > (ULLONG_MAX / iter_time)) {
745 error_setg_errno(errp, ERANGE,
746 "PBKDF iterations %llu too large to scale",
747 (unsigned long long)iters);
748 goto cleanup;
749 }
750
751 /* iter_time was in millis, but count_iters reported for secs */
752 iters = iters * iter_time / 1000;
753
754 if (iters > UINT32_MAX) {
755 error_setg_errno(errp, ERANGE,
756 "PBKDF iterations %llu larger than %u",
757 (unsigned long long)iters, UINT32_MAX);
758 goto cleanup;
759 }
760
761 slot->iterations =
762 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
763
764
765 /*
766 * Generate a key that we'll use to encrypt the master
767 * key, from the user's password
768 */
769 slotkey = g_new0(uint8_t, luks->header.master_key_len);
770 if (qcrypto_pbkdf2(luks->hash_alg,
771 (uint8_t *)password, strlen(password),
772 slot->salt,
773 QCRYPTO_BLOCK_LUKS_SALT_LEN,
774 slot->iterations,
775 slotkey, luks->header.master_key_len,
776 errp) < 0) {
777 goto cleanup;
778 }
779
780
781 /*
782 * Setup the encryption objects needed to encrypt the
783 * master key material
784 */
785 cipher = qcrypto_cipher_new(luks->cipher_alg,
786 luks->cipher_mode,
787 slotkey, luks->header.master_key_len,
788 errp);
789 if (!cipher) {
790 goto cleanup;
791 }
792
793 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
794 luks->ivgen_cipher_alg,
795 luks->ivgen_hash_alg,
796 slotkey, luks->header.master_key_len,
797 errp);
798 if (!ivgen) {
799 goto cleanup;
800 }
801
802 /*
803 * Before storing the master key, we need to vastly
804 * increase its size, as protection against forensic
805 * disk data recovery
806 */
807 splitkey = g_new0(uint8_t, splitkeylen);
808
809 if (qcrypto_afsplit_encode(luks->hash_alg,
810 luks->header.master_key_len,
811 slot->stripes,
812 masterkey,
813 splitkey,
814 errp) < 0) {
815 goto cleanup;
816 }
817
818 /*
819 * Now we encrypt the split master key with the key generated
820 * from the user's password, before storing it
821 */
822 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
823 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
824 0,
825 splitkey,
826 splitkeylen,
827 errp) < 0) {
828 goto cleanup;
829 }
830
831 /* Write out the slot's master key material. */
832 if (writefunc(block,
833 slot->key_offset_sector *
834 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
835 splitkey, splitkeylen,
836 opaque,
757dda54 837 errp) < 0) {
3994a7c9
ML		 838 goto cleanup;
839 }
840
841 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
842
843 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) {
844 goto cleanup;
845 }
846
847 ret = 0;
848
849cleanup:
850 if (slotkey) {
851 memset(slotkey, 0, luks->header.master_key_len);
852 }
853 if (splitkey) {
854 memset(splitkey, 0, splitkeylen);
855 }
856 return ret;
857}
858
3e308f20
DB		 859/*
860 * Given a key slot, and user password, this will attempt to unlock
861 * the master encryption key from the key slot.
862 *
863 * Returns:
864 * 0 if the key slot is disabled, or key could not be decrypted
865 * with the provided password
866 * 1 if the key slot is enabled, and key decrypted successfully
867 * with the provided password
868 * -1 if a fatal error occurred loading the key
869 */
870static int
871qcrypto_block_luks_load_key(QCryptoBlock *block,
7e60a6f5 872 size_t slot_idx,
3e308f20 873 const char *password,
3e308f20 874 uint8_t *masterkey,
3e308f20
DB		 875 QCryptoBlockReadFunc readfunc,
876 void *opaque,
877 Error **errp)
878{
879 QCryptoBlockLUKS *luks = block->opaque;
557d2bdc 880 const QCryptoBlockLUKSKeySlot *slot;
57b9f113 881 g_autofree uint8_t *splitkey = NULL;
3e308f20 882 size_t splitkeylen;
57b9f113 883 g_autofree uint8_t *possiblekey = NULL;
757dda54 884 int rv;
57b9f113 885 g_autoptr(QCryptoCipher) cipher = NULL;
3e308f20 886 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
57b9f113 887 g_autoptr(QCryptoIVGen) ivgen = NULL;
3e308f20
DB		 888 size_t niv;
889
557d2bdc
ML		 890 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
891 slot = &luks->header.key_slots[slot_idx];
3e308f20
DB		 892 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
893 return 0;
894 }
895
1ddd52e4 896 splitkeylen = luks->header.master_key_len * slot->stripes;
3e308f20 897 splitkey = g_new0(uint8_t, splitkeylen);
1ddd52e4 898 possiblekey = g_new0(uint8_t, luks->header.master_key_len);
3e308f20
DB		 899
900 /*
901 * The user password is used to generate a (possible)
902 * decryption key. This may or may not successfully
903 * decrypt the master key - we just blindly assume
904 * the key is correct and validate the results of
905 * decryption later.
906 */
9d80e59d 907 if (qcrypto_pbkdf2(luks->hash_alg,
3e308f20
DB		 908 (const uint8_t *)password, strlen(password),
909 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
910 slot->iterations,
1ddd52e4 911 possiblekey, luks->header.master_key_len,
3e308f20 912 errp) < 0) {
57b9f113 913 return -1;
3e308f20
DB		 914 }
915
916 /*
917 * We need to read the master key material from the
918 * LUKS key material header. What we're reading is
919 * not the raw master key, but rather the data after
920 * it has been passed through AFSplit and the result
921 * then encrypted.
922 */
923 rv = readfunc(block,
f0d3c362 924 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
3e308f20 925 splitkey, splitkeylen,
e4a3507e 926 opaque,
37509233 927 errp);
3e308f20 928 if (rv < 0) {
57b9f113 929 return -1;
3e308f20
DB		 930 }
931
932
933 /* Setup the cipher/ivgen that we'll use to try to decrypt
934 * the split master key material */
9d80e59d
ML		 935 cipher = qcrypto_cipher_new(luks->cipher_alg,
936 luks->cipher_mode,
937 possiblekey,
938 luks->header.master_key_len,
3e308f20
DB		 939 errp);
940 if (!cipher) {
57b9f113 941 return -1;
3e308f20
DB		 942 }
943
9d80e59d
ML		 944 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
945 luks->cipher_mode);
946
947 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
948 luks->ivgen_cipher_alg,
949 luks->ivgen_hash_alg,
950 possiblekey,
951 luks->header.master_key_len,
3e308f20
DB		 952 errp);
953 if (!ivgen) {
57b9f113 954 return -1;
3e308f20
DB		 955 }
956
957
958 /*
959 * The master key needs to be decrypted in the same
960 * way that the block device payload will be decrypted
961 * later. In particular we'll be using the IV generator
962 * to reset the encryption cipher every time the master
963 * key crosses a sector boundary.
964 */
0270417c
VSO		 965 if (qcrypto_block_cipher_decrypt_helper(cipher,
966 niv,
967 ivgen,
968 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
969 0,
970 splitkey,
971 splitkeylen,
972 errp) < 0) {
57b9f113 973 return -1;
3e308f20
DB		 974 }
975
976 /*
977 * Now we've decrypted the split master key, join
978 * it back together to get the actual master key.
979 */
9d80e59d 980 if (qcrypto_afsplit_decode(luks->hash_alg,
1ddd52e4 981 luks->header.master_key_len,
3e308f20
DB		 982 slot->stripes,
983 splitkey,
984 masterkey,
985 errp) < 0) {
57b9f113 986 return -1;
3e308f20
DB		 987 }
988
989
990 /*
991 * We still don't know that the masterkey we got is valid,
992 * because we just blindly assumed the user's password
993 * was correct. This is where we now verify it. We are
994 * creating a hash of the master key using PBKDF and
995 * then comparing that to the hash stored in the key slot
996 * header
997 */
9d80e59d 998 if (qcrypto_pbkdf2(luks->hash_alg,
1ddd52e4
ML		 999 masterkey,
1000 luks->header.master_key_len,
3e308f20
DB		 1001 luks->header.master_key_salt,
1002 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1003 luks->header.master_key_iterations,
1ddd52e4
ML		 1004 keydigest,
1005 G_N_ELEMENTS(keydigest),
3e308f20 1006 errp) < 0) {
57b9f113 1007 return -1;
3e308f20
DB		 1008 }
1009
1010 if (memcmp(keydigest, luks->header.master_key_digest,
1011 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1012 /* Success, we got the right master key */
57b9f113 1013 return 1;
3e308f20
DB		 1014 }
1015
1016 /* Fail, user's password was not valid for this key slot,
1017 * tell caller to try another slot */
57b9f113 1018 return 0;
3e308f20
DB		 1019}
1020
1021
1022/*
1023 * Given a user password, this will iterate over all key
1024 * slots and try to unlock each active key slot using the
1025 * password until it successfully obtains a master key.
1026 *
1027 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1028 */
1029static int
1030qcrypto_block_luks_find_key(QCryptoBlock *block,
1031 const char *password,
1ddd52e4 1032 uint8_t *masterkey,
3e308f20
DB		 1033 QCryptoBlockReadFunc readfunc,
1034 void *opaque,
1035 Error **errp)
1036{
3e308f20
DB		 1037 size_t i;
1038 int rv;
1039
3e308f20
DB		 1040 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1041 rv = qcrypto_block_luks_load_key(block,
7e60a6f5 1042 i,
3e308f20 1043 password,
1ddd52e4 1044 masterkey,
3e308f20
DB		 1045 readfunc,
1046 opaque,
1047 errp);
1048 if (rv < 0) {
1049 goto error;
1050 }
1051 if (rv == 1) {
1052 return 0;
1053 }
1054 }
1055
1056 error_setg(errp, "Invalid password, cannot unlock any keyslot");
3e308f20 1057 error:
3e308f20
DB		 1058 return -1;
1059}
1060
557d2bdc
ML		 1061/*
1062 * Returns true if a slot i is marked as active
1063 * (contains encrypted copy of the master key)
1064 */
1065static bool
1066qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1067 unsigned int slot_idx)
1068{
1069 uint32_t val;
1070
1071 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1072 val = luks->header.key_slots[slot_idx].active;
1073 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1074}
1075
1076/*
1077 * Returns the number of slots that are marked as active
1078 * (slots that contain encrypted copy of the master key)
1079 */
1080static unsigned int
1081qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1082{
1083 size_t i = 0;
1084 unsigned int ret = 0;
1085
1086 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1087 if (qcrypto_block_luks_slot_active(luks, i)) {
1088 ret++;
1089 }
1090 }
1091 return ret;
1092}
1093
1094/*
1095 * Finds first key slot which is not active
1096 * Returns the key slot index, or -1 if it doesn't exist
1097 */
1098static int
1099qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1100{
1101 size_t i;
1102
1103 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1104 if (!qcrypto_block_luks_slot_active(luks, i)) {
1105 return i;
1106 }
1107 }
1108 return -1;
1109}
1110
1111/*
1112 * Erases an keyslot given its index
1113 * Returns:
1114 * 0 if the keyslot was erased successfully
1115 * -1 if a error occurred while erasing the keyslot
1116 *
1117 */
1118static int
1119qcrypto_block_luks_erase_key(QCryptoBlock *block,
1120 unsigned int slot_idx,
1121 QCryptoBlockWriteFunc writefunc,
1122 void *opaque,
1123 Error **errp)
1124{
1125 QCryptoBlockLUKS *luks = block->opaque;
1126 QCryptoBlockLUKSKeySlot *slot;
1127 g_autofree uint8_t *garbagesplitkey = NULL;
1128 size_t splitkeylen;
1129 size_t i;
1130 Error *local_err = NULL;
1131 int ret;
1132
1133 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1134 slot = &luks->header.key_slots[slot_idx];
1135
1136 splitkeylen = luks->header.master_key_len * slot->stripes;
1137 assert(splitkeylen > 0);
1138
1139 garbagesplitkey = g_new0(uint8_t, splitkeylen);
1140
1141 /* Reset the key slot header */
1142 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1143 slot->iterations = 0;
1144 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1145
1146 ret = qcrypto_block_luks_store_header(block, writefunc,
1147 opaque, &local_err);
1148
1149 if (ret < 0) {
1150 error_propagate(errp, local_err);
1151 }
1152 /*
1153 * Now try to erase the key material, even if the header
1154 * update failed
1155 */
1156 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1157 if (qcrypto_random_bytes(garbagesplitkey,
1158 splitkeylen, &local_err) < 0) {
1159 /*
1160 * If we failed to get the random data, still write
1161 * at least zeros to the key slot at least once
1162 */
1163 error_propagate(errp, local_err);
1164
1165 if (i > 0) {
1166 return -1;
1167 }
1168 }
1169 if (writefunc(block,
1170 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1171 garbagesplitkey,
1172 splitkeylen,
1173 opaque,
757dda54 1174 &local_err) < 0) {
557d2bdc
ML		 1175 error_propagate(errp, local_err);
1176 return -1;
1177 }
1178 }
1179 return ret;
1180}
3e308f20
DB		 1181
1182static int
1183qcrypto_block_luks_open(QCryptoBlock *block,
1184 QCryptoBlockOpenOptions *options,
1cd9a787 1185 const char *optprefix,
3e308f20
DB		 1186 QCryptoBlockReadFunc readfunc,
1187 void *opaque,
1188 unsigned int flags,
c972fa12 1189 size_t n_threads,
3e308f20
DB		 1190 Error **errp)
1191{
9d80e59d 1192 QCryptoBlockLUKS *luks = NULL;
57b9f113 1193 g_autofree uint8_t *masterkey = NULL;
57b9f113 1194 g_autofree char *password = NULL;
3e308f20
DB		 1195
1196 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1197 if (!options->u.luks.key_secret) {
1cd9a787
DB		 1198 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1199 optprefix ? optprefix : "");
3e308f20
DB		 1200 return -1;
1201 }
1202 password = qcrypto_secret_lookup_as_utf8(
1203 options->u.luks.key_secret, errp);
1204 if (!password) {
1205 return -1;
1206 }
1207 }
1208
1209 luks = g_new0(QCryptoBlockLUKS, 1);
1210 block->opaque = luks;
557d2bdc 1211 luks->secret = g_strdup(options->u.luks.key_secret);
3e308f20 1212
dde2c5af 1213 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
3e308f20
DB		 1214 goto fail;
1215 }
1216
9fa9c1c2 1217 if (qcrypto_block_luks_check_header(luks, errp) < 0) {
3e308f20
DB		 1218 goto fail;
1219 }
1220
9fa9c1c2 1221 if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
3e308f20
DB		 1222 goto fail;
1223 }
3e308f20
DB		 1224
1225 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1226 /* Try to find which key slot our password is valid for
1227 * and unlock the master key from that slot.
1228 */
1ddd52e4
ML		 1229
1230 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1231
3e308f20
DB		 1232 if (qcrypto_block_luks_find_key(block,
1233 password,
1ddd52e4 1234 masterkey,
3e308f20
DB		 1235 readfunc, opaque,
1236 errp) < 0) {
3e308f20
DB		 1237 goto fail;
1238 }
1239
1240 /* We have a valid master key now, so can setup the
1241 * block device payload decryption objects
1242 */
9d80e59d
ML		 1243 block->kdfhash = luks->hash_alg;
1244 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1245 luks->cipher_mode);
1246
1247 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1248 luks->ivgen_cipher_alg,
1249 luks->ivgen_hash_alg,
1ddd52e4
ML		 1250 masterkey,
1251 luks->header.master_key_len,
3e308f20
DB		 1252 errp);
1253 if (!block->ivgen) {
3e308f20
DB		 1254 goto fail;
1255 }
1256
61dd8a9a
ML		 1257 if (qcrypto_block_init_cipher(block,
1258 luks->cipher_alg,
1259 luks->cipher_mode,
1260 masterkey,
1261 luks->header.master_key_len,
1262 n_threads,
1263 errp) < 0) {
3e308f20
DB		 1264 goto fail;
1265 }
1266 }
1267
850f49de 1268 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
f0d3c362 1269 block->payload_offset = luks->header.payload_offset_sector *
850f49de 1270 block->sector_size;
3e308f20 1271
3e308f20
DB		 1272 return 0;
1273
1274 fail:
c972fa12 1275 qcrypto_block_free_cipher(block);
3e308f20 1276 qcrypto_ivgen_free(block->ivgen);
557d2bdc 1277 g_free(luks->secret);
3e308f20 1278 g_free(luks);
61dd8a9a 1279 return -1;
3e308f20
DB		 1280}
1281
1282
2ef950f9
FZ		 1283static void
1284qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
3e308f20 1285{
2ef950f9
FZ		 1286 QemuUUID uuid;
1287 qemu_uuid_generate(&uuid);
1288 qemu_uuid_unparse(&uuid, (char *)uuidstr);
3e308f20
DB		 1289}
1290
1291static int
1292qcrypto_block_luks_create(QCryptoBlock *block,
1293 QCryptoBlockCreateOptions *options,
1cd9a787 1294 const char *optprefix,
3e308f20
DB		 1295 QCryptoBlockInitFunc initfunc,
1296 QCryptoBlockWriteFunc writefunc,
1297 void *opaque,
1298 Error **errp)
1299{
1300 QCryptoBlockLUKS *luks;
1301 QCryptoBlockCreateOptionsLUKS luks_opts;
1302 Error *local_err = NULL;
57b9f113 1303 g_autofree uint8_t *masterkey = NULL;
bd56a55a
ML		 1304 size_t header_sectors;
1305 size_t split_key_sectors;
3e308f20 1306 size_t i;
57b9f113 1307 g_autofree char *password = NULL;
3e308f20
DB		 1308 const char *cipher_alg;
1309 const char *cipher_mode;
1310 const char *ivgen_alg;
1311 const char *ivgen_hash_alg = NULL;
1312 const char *hash_alg;
57b9f113 1313 g_autofree char *cipher_mode_spec = NULL;
59b060be 1314 uint64_t iters;
3e308f20
DB		 1315
1316 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
3bd18890 1317 if (!luks_opts.has_iter_time) {
557d2bdc 1318 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
3bd18890 1319 }
3e308f20
DB		 1320 if (!luks_opts.has_cipher_alg) {
1321 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1322 }
1323 if (!luks_opts.has_cipher_mode) {
1324 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1325 }
1326 if (!luks_opts.has_ivgen_alg) {
1327 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1328 }
1329 if (!luks_opts.has_hash_alg) {
1330 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1331 }
8b7cdba3
DB		 1332 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1333 if (!luks_opts.has_ivgen_hash_alg) {
1334 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1335 luks_opts.has_ivgen_hash_alg = true;
1336 }
1337 }
9d80e59d
ML		 1338
1339 luks = g_new0(QCryptoBlockLUKS, 1);
1340 block->opaque = luks;
1341
1342 luks->cipher_alg = luks_opts.cipher_alg;
1343 luks->cipher_mode = luks_opts.cipher_mode;
1344 luks->ivgen_alg = luks_opts.ivgen_alg;
1345 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1346 luks->hash_alg = luks_opts.hash_alg;
1347
1348
8b7cdba3
DB		 1349 /* Note we're allowing ivgen_hash_alg to be set even for
1350 * non-essiv iv generators that don't need a hash. It will
1351 * be silently ignored, for compatibility with dm-crypt */
3e308f20
DB		 1352
1353 if (!options->u.luks.key_secret) {
1cd9a787
DB		 1354 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1355 optprefix ? optprefix : "");
9d80e59d 1356 goto error;
3e308f20 1357 }
557d2bdc
ML		 1358 luks->secret = g_strdup(options->u.luks.key_secret);
1359
3e308f20
DB		 1360 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1361 if (!password) {
9d80e59d 1362 goto error;
3e308f20
DB		 1363 }
1364
3e308f20
DB		 1365
1366 memcpy(luks->header.magic, qcrypto_block_luks_magic,
1367 QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1368
1369 /* We populate the header in native endianness initially and
1370 * then convert everything to big endian just before writing
1371 * it out to disk
1372 */
1373 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
2ef950f9 1374 qcrypto_block_luks_uuid_gen(luks->header.uuid);
3e308f20
DB		 1375
1376 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1377 errp);
1378 if (!cipher_alg) {
1379 goto error;
1380 }
1381
977c736f
MA		 1382 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1383 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
3e308f20 1384 if (luks_opts.has_ivgen_hash_alg) {
977c736f 1385 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
3e308f20
DB		 1386 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1387 ivgen_hash_alg);
1388 } else {
1389 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1390 }
977c736f 1391 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
3e308f20
DB		 1392
1393
1394 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1395 error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1396 cipher_alg);
1397 goto error;
1398 }
1399 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1400 error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1401 cipher_mode_spec);
1402 goto error;
1403 }
1404 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1405 error_setg(errp, "Hash name '%s' is too long for LUKS header",
1406 hash_alg);
1407 goto error;
1408 }
1409
1410 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
9d80e59d
ML		 1411 luks->ivgen_cipher_alg =
1412 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1413 luks_opts.ivgen_hash_alg,
1414 &local_err);
3e308f20
DB		 1415 if (local_err) {
1416 error_propagate(errp, local_err);
1417 goto error;
1418 }
1419 } else {
9d80e59d 1420 luks->ivgen_cipher_alg = luks_opts.cipher_alg;
3e308f20
DB		 1421 }
1422
1423 strcpy(luks->header.cipher_name, cipher_alg);
1424 strcpy(luks->header.cipher_mode, cipher_mode_spec);
1425 strcpy(luks->header.hash_spec, hash_alg);
1426
f0d3c362
ML		 1427 luks->header.master_key_len =
1428 qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1429
3e308f20 1430 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
f0d3c362 1431 luks->header.master_key_len *= 2;
3e308f20
DB		 1432 }
1433
1434 /* Generate the salt used for hashing the master key
1435 * with PBKDF later
1436 */
1437 if (qcrypto_random_bytes(luks->header.master_key_salt,
1438 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1439 errp) < 0) {
1440 goto error;
1441 }
1442
1443 /* Generate random master key */
f0d3c362 1444 masterkey = g_new0(uint8_t, luks->header.master_key_len);
3e308f20 1445 if (qcrypto_random_bytes(masterkey,
f0d3c362 1446 luks->header.master_key_len, errp) < 0) {
3e308f20
DB		 1447 goto error;
1448 }
1449
1450
1451 /* Setup the block device payload encryption objects */
c972fa12
VSO		 1452 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1453 luks_opts.cipher_mode, masterkey,
f0d3c362 1454 luks->header.master_key_len, 1, errp) < 0) {
3e308f20
DB		 1455 goto error;
1456 }
1457
1458 block->kdfhash = luks_opts.hash_alg;
1459 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1460 luks_opts.cipher_mode);
1461 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
9d80e59d 1462 luks->ivgen_cipher_alg,
3e308f20 1463 luks_opts.ivgen_hash_alg,
f0d3c362 1464 masterkey, luks->header.master_key_len,
3e308f20
DB		 1465 errp);
1466
1467 if (!block->ivgen) {
1468 goto error;
1469 }
1470
1471
1472 /* Determine how many iterations we need to hash the master
1473 * key, in order to have 1 second of compute time used
1474 */
59b060be 1475 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
f0d3c362 1476 masterkey, luks->header.master_key_len,
59b060be
DB		 1477 luks->header.master_key_salt,
1478 QCRYPTO_BLOCK_LUKS_SALT_LEN,
e74aabcf 1479 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
59b060be 1480 &local_err);
3e308f20
DB		 1481 if (local_err) {
1482 error_propagate(errp, local_err);
1483 goto error;
1484 }
1485
3bd18890
DB		 1486 if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1487 error_setg_errno(errp, ERANGE,
1488 "PBKDF iterations %llu too large to scale",
1489 (unsigned long long)iters);
1490 goto error;
1491 }
1492
1493 /* iter_time was in millis, but count_iters reported for secs */
1494 iters = iters * luks_opts.iter_time / 1000;
1495
3e308f20
DB		 1496 /* Why /= 8 ? That matches cryptsetup, but there's no
1497 * explanation why they chose /= 8... Probably so that
1498 * if all 8 keyslots are active we only spend 1 second
1499 * in total time to check all keys */
59b060be
DB		 1500 iters /= 8;
1501 if (iters > UINT32_MAX) {
1502 error_setg_errno(errp, ERANGE,
1503 "PBKDF iterations %llu larger than %u",
1504 (unsigned long long)iters, UINT32_MAX);
1505 goto error;
1506 }
1507 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1508 luks->header.master_key_iterations = iters;
3e308f20
DB		 1509
1510 /* Hash the master key, saving the result in the LUKS
1511 * header. This hash is used when opening the encrypted
1512 * device to verify that the user password unlocked a
1513 * valid master key
1514 */
1515 if (qcrypto_pbkdf2(luks_opts.hash_alg,
f0d3c362 1516 masterkey, luks->header.master_key_len,
3e308f20
DB		 1517 luks->header.master_key_salt,
1518 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1519 luks->header.master_key_iterations,
1520 luks->header.master_key_digest,
1521 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1522 errp) < 0) {
1523 goto error;
1524 }
1525
bd56a55a
ML		 1526 /* start with the sector that follows the header*/
1527 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1528 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1529
1530 split_key_sectors =
1531 qcrypto_block_luks_splitkeylen_sectors(luks,
1532 header_sectors,
1533 QCRYPTO_BLOCK_LUKS_STRIPES);
3e308f20 1534
3e308f20 1535 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
bd56a55a
ML		 1536 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1537 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
3e308f20 1538
bd56a55a
ML		 1539 slot->key_offset_sector = header_sectors + i * split_key_sectors;
1540 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
3e308f20
DB		 1541 }
1542
3e308f20
DB		 1543 /* The total size of the LUKS headers is the partition header + key
1544 * slot headers, rounded up to the nearest sector, combined with
1545 * the size of each master key material region, also rounded up
1546 * to the nearest sector */
bd56a55a
ML		 1547 luks->header.payload_offset_sector = header_sectors +
1548 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
3e308f20 1549
850f49de 1550 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
f0d3c362 1551 block->payload_offset = luks->header.payload_offset_sector *
850f49de 1552 block->sector_size;
3e308f20
DB		 1553
1554 /* Reserve header space to match payload offset */
e4a3507e 1555 initfunc(block, block->payload_offset, opaque, &local_err);
3e308f20
DB		 1556 if (local_err) {
1557 error_propagate(errp, local_err);
1558 goto error;
1559 }
1560
3e308f20 1561
3994a7c9
ML		 1562 /* populate the slot 0 with the password encrypted master key*/
1563 /* This will also store the header */
1564 if (qcrypto_block_luks_store_key(block,
1565 0,
1566 password,
1567 masterkey,
1568 luks_opts.iter_time,
1569 writefunc,
1570 opaque,
1571 errp) < 0) {
3e308f20
DB		 1572 goto error;
1573 }
1574
f0d3c362 1575 memset(masterkey, 0, luks->header.master_key_len);
3e308f20
DB		 1576
1577 return 0;
1578
1579 error:
1580 if (masterkey) {
f0d3c362 1581 memset(masterkey, 0, luks->header.master_key_len);
3e308f20 1582 }
3e308f20 1583
c972fa12 1584 qcrypto_block_free_cipher(block);
b640adca
VSO		 1585 qcrypto_ivgen_free(block->ivgen);
1586
557d2bdc 1587 g_free(luks->secret);
3e308f20
DB		 1588 g_free(luks);
1589 return -1;
1590}
1591
557d2bdc
ML		 1592static int
1593qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1594 QCryptoBlockReadFunc readfunc,
1595 QCryptoBlockWriteFunc writefunc,
1596 void *opaque,
1597 QCryptoBlockAmendOptionsLUKS *opts_luks,
1598 bool force,
1599 Error **errp)
1600{
1601 QCryptoBlockLUKS *luks = block->opaque;
1602 uint64_t iter_time = opts_luks->has_iter_time ?
1603 opts_luks->iter_time :
1604 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1605 int keyslot;
1606 g_autofree char *old_password = NULL;
1607 g_autofree char *new_password = NULL;
1608 g_autofree uint8_t *master_key = NULL;
1609
16110c8b 1610 char *secret = opts_luks->secret ?: luks->secret;
557d2bdc 1611
16110c8b 1612 if (!opts_luks->new_secret) {
557d2bdc
ML		 1613 error_setg(errp, "'new-secret' is required to activate a keyslot");
1614 return -1;
1615 }
16110c8b 1616 if (opts_luks->old_secret) {
557d2bdc
ML		 1617 error_setg(errp,
1618 "'old-secret' must not be given when activating keyslots");
1619 return -1;
1620 }
1621
1622 if (opts_luks->has_keyslot) {
1623 keyslot = opts_luks->keyslot;
1624 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1625 error_setg(errp,
1626 "Invalid keyslot %u specified, must be between 0 and %u",
1627 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1628 return -1;
1629 }
1630 } else {
1631 keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1632 if (keyslot == -1) {
1633 error_setg(errp,
1634 "Can't add a keyslot - all keyslots are in use");
1635 return -1;
1636 }
1637 }
1638
1639 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1640 error_setg(errp,
1641 "Refusing to overwrite active keyslot %i - "
1642 "please erase it first",
1643 keyslot);
1644 return -1;
1645 }
1646
1647 /* Locate the password that will be used to retrieve the master key */
1648 old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1649 if (!old_password) {
1650 return -1;
1651 }
1652
1653 /* Retrieve the master key */
1654 master_key = g_new0(uint8_t, luks->header.master_key_len);
1655
1656 if (qcrypto_block_luks_find_key(block, old_password, master_key,
1657 readfunc, opaque, errp) < 0) {
1658 error_append_hint(errp, "Failed to retrieve the master key");
1659 return -1;
1660 }
1661
1662 /* Locate the new password*/
1663 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1664 if (!new_password) {
1665 return -1;
1666 }
1667
1668 /* Now set the new keyslots */
1669 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1670 iter_time, writefunc, opaque, errp)) {
1671 error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1672 return -1;
1673 }
1674 return 0;
1675}
1676
1677static int
1678qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1679 QCryptoBlockReadFunc readfunc,
1680 QCryptoBlockWriteFunc writefunc,
1681 void *opaque,
1682 QCryptoBlockAmendOptionsLUKS *opts_luks,
1683 bool force,
1684 Error **errp)
1685{
1686 QCryptoBlockLUKS *luks = block->opaque;
1687 g_autofree uint8_t *tmpkey = NULL;
1688 g_autofree char *old_password = NULL;
1689
16110c8b 1690 if (opts_luks->new_secret) {
557d2bdc
ML		 1691 error_setg(errp,
1692 "'new-secret' must not be given when erasing keyslots");
1693 return -1;
1694 }
1695 if (opts_luks->has_iter_time) {
1696 error_setg(errp,
1697 "'iter-time' must not be given when erasing keyslots");
1698 return -1;
1699 }
16110c8b 1700 if (opts_luks->secret) {
557d2bdc
ML		 1701 error_setg(errp,
1702 "'secret' must not be given when erasing keyslots");
1703 return -1;
1704 }
1705
1706 /* Load the old password if given */
16110c8b 1707 if (opts_luks->old_secret) {
557d2bdc
ML		 1708 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1709 errp);
1710 if (!old_password) {
1711 return -1;
1712 }
1713
1714 /*
1715 * Allocate a temporary key buffer that we will need when
1716 * checking if slot matches the given old password
1717 */
1718 tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1719 }
1720
1721 /* Erase an explicitly given keyslot */
1722 if (opts_luks->has_keyslot) {
1723 int keyslot = opts_luks->keyslot;
1724
1725 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1726 error_setg(errp,
1727 "Invalid keyslot %i specified, must be between 0 and %i",
1728 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1729 return -1;
1730 }
1731
16110c8b 1732 if (opts_luks->old_secret) {
557d2bdc
ML		 1733 int rv = qcrypto_block_luks_load_key(block,
1734 keyslot,
1735 old_password,
1736 tmpkey,
1737 readfunc,
1738 opaque,
1739 errp);
1740 if (rv == -1) {
1741 return -1;
1742 } else if (rv == 0) {
1743 error_setg(errp,
1744 "Given keyslot %i doesn't contain the given "
1745 "old password for erase operation",
1746 keyslot);
1747 return -1;
1748 }
1749 }
1750
1751 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1752 error_setg(errp,
1753 "Given keyslot %i is already erased (inactive) ",
1754 keyslot);
1755 return -1;
1756 }
1757
1758 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1759 error_setg(errp,
1760 "Attempt to erase the only active keyslot %i "
1761 "which will erase all the data in the image "
1762 "irreversibly - refusing operation",
1763 keyslot);
1764 return -1;
1765 }
1766
1767 if (qcrypto_block_luks_erase_key(block, keyslot,
1768 writefunc, opaque, errp)) {
1769 error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1770 return -1;
1771 }
1772
1773 /* Erase all keyslots that match the given old password */
16110c8b 1774 } else if (opts_luks->old_secret) {
557d2bdc
ML		 1775
1776 unsigned long slots_to_erase_bitmap = 0;
1777 size_t i;
1778 int slot_count;
1779
1780 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1781 sizeof(slots_to_erase_bitmap) * 8);
1782
1783 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1784 int rv = qcrypto_block_luks_load_key(block,
1785 i,
1786 old_password,
1787 tmpkey,
1788 readfunc,
1789 opaque,
1790 errp);
1791 if (rv == -1) {
1792 return -1;
1793 } else if (rv == 1) {
1794 bitmap_set(&slots_to_erase_bitmap, i, 1);
1795 }
1796 }
1797
1798 slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1799 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1800 if (slot_count == 0) {
1801 error_setg(errp,
1802 "No keyslots match given (old) password for erase operation");
1803 return -1;
1804 }
1805
1806 if (!force &&
1807 slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1808 error_setg(errp,
1809 "All the active keyslots match the (old) password that "
1810 "was given and erasing them will erase all the data in "
1811 "the image irreversibly - refusing operation");
1812 return -1;
1813 }
1814
1815 /* Now apply the update */
1816 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1817 if (!test_bit(i, &slots_to_erase_bitmap)) {
1818 continue;
1819 }
1820 if (qcrypto_block_luks_erase_key(block, i, writefunc,
1821 opaque, errp)) {
1822 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1823 return -1;
1824 }
1825 }
1826 } else {
1827 error_setg(errp,
1828 "To erase keyslot(s), either explicit keyslot index "
1829 "or the password currently contained in them must be given");
1830 return -1;
1831 }
1832 return 0;
1833}
1834
1835static int
1836qcrypto_block_luks_amend_options(QCryptoBlock *block,
1837 QCryptoBlockReadFunc readfunc,
1838 QCryptoBlockWriteFunc writefunc,
1839 void *opaque,
1840 QCryptoBlockAmendOptions *options,
1841 bool force,
1842 Error **errp)
1843{
1844 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1845
1846 switch (opts_luks->state) {
1847 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1848 return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1849 writefunc, opaque,
1850 opts_luks, force, errp);
1851 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1852 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1853 writefunc, opaque,
1854 opts_luks, force, errp);
1855 default:
1856 g_assert_not_reached();
1857 }
1858}
3e308f20 1859
40c85028
DB		 1860static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1861 QCryptoBlockInfo *info,
1862 Error **errp)
1863{
1864 QCryptoBlockLUKS *luks = block->opaque;
1865 QCryptoBlockInfoLUKSSlot *slot;
c3033fd3 1866 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
40c85028
DB		 1867 size_t i;
1868
1869 info->u.luks.cipher_alg = luks->cipher_alg;
1870 info->u.luks.cipher_mode = luks->cipher_mode;
1871 info->u.luks.ivgen_alg = luks->ivgen_alg;
1872 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1873 info->u.luks.has_ivgen_hash_alg = true;
1874 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1875 }
1876 info->u.luks.hash_alg = luks->hash_alg;
1877 info->u.luks.payload_offset = block->payload_offset;
1878 info->u.luks.master_key_iters = luks->header.master_key_iterations;
1879 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1880 sizeof(luks->header.uuid));
1881
1882 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
c3033fd3 1883 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
40c85028
DB		 1884 slot->active = luks->header.key_slots[i].active ==
1885 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
f0d3c362 1886 slot->key_offset = luks->header.key_slots[i].key_offset_sector
40c85028
DB		 1887 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1888 if (slot->active) {
1889 slot->has_iters = true;
1890 slot->iters = luks->header.key_slots[i].iterations;
1891 slot->has_stripes = true;
1892 slot->stripes = luks->header.key_slots[i].stripes;
1893 }
1894
c3033fd3 1895 QAPI_LIST_APPEND(tail, slot);
40c85028
DB		 1896 }
1897
1898 return 0;
1899}
1900
1901
3e308f20
DB		 1902static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1903{
557d2bdc
ML		 1904 QCryptoBlockLUKS *luks = block->opaque;
1905 if (luks) {
1906 g_free(luks->secret);
1907 g_free(luks);
1908 }
3e308f20
DB		 1909}
1910
1911
1912static int
1913qcrypto_block_luks_decrypt(QCryptoBlock *block,
4609742a 1914 uint64_t offset,
3e308f20
DB		 1915 uint8_t *buf,
1916 size_t len,
1917 Error **errp)
1918{
4609742a
DB		 1919 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1920 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
0f0d596c
VSO		 1921 return qcrypto_block_decrypt_helper(block,
1922 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1923 offset, buf, len, errp);
3e308f20
DB		 1924}
1925
1926
1927static int
1928qcrypto_block_luks_encrypt(QCryptoBlock *block,
4609742a 1929 uint64_t offset,
3e308f20
DB		 1930 uint8_t *buf,
1931 size_t len,
1932 Error **errp)
1933{
4609742a
DB		 1934 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1935 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
0f0d596c
VSO		 1936 return qcrypto_block_encrypt_helper(block,
1937 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1938 offset, buf, len, errp);
3e308f20
DB		 1939}
1940
1941
1942const QCryptoBlockDriver qcrypto_block_driver_luks = {
1943 .open = qcrypto_block_luks_open,
1944 .create = qcrypto_block_luks_create,
557d2bdc 1945 .amend = qcrypto_block_luks_amend_options,
40c85028 1946 .get_info = qcrypto_block_luks_get_info,
3e308f20
DB		 1947 .cleanup = qcrypto_block_luks_cleanup,
1948 .decrypt = qcrypto_block_luks_decrypt,
1949 .encrypt = qcrypto_block_luks_encrypt,
1950 .has_format = qcrypto_block_luks_has_format,
1951};
QEMU mirror