qemu/crypto/block-luks.c
<<
>>
Prefs
   1/*
   2 * QEMU Crypto block device encryption LUKS format
   3 *
   4 * Copyright (c) 2015-2016 Red Hat, Inc.
   5 *
   6 * This library is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU Lesser General Public
   8 * License as published by the Free Software Foundation; either
   9 * version 2.1 of the License, or (at your option) any later version.
  10 *
  11 * This library is distributed in the hope that it will be useful,
  12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 * Lesser General Public License for more details.
  15 *
  16 * You should have received a copy of the GNU Lesser General Public
  17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18 *
  19 */
  20
  21#include "qemu/osdep.h"
  22#include "qapi/error.h"
  23#include "qemu/bswap.h"
  24
  25#include "block-luks.h"
  26#include "block-luks-priv.h"
  27
  28#include "crypto/hash.h"
  29#include "crypto/afsplit.h"
  30#include "crypto/pbkdf.h"
  31#include "crypto/secret.h"
  32#include "crypto/random.h"
  33#include "qemu/uuid.h"
  34
  35#include "qemu/coroutine.h"
  36#include "qemu/bitmap.h"
  37
  38/*
  39 * Reference for the LUKS format implemented here is
  40 *
  41 *   docs/on-disk-format.pdf
  42 *
  43 * in 'cryptsetup' package source code
  44 *
  45 * This file implements the 1.2.1 specification, dated
  46 * Oct 16, 2011.
  47 */
  48
  49typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
  50
  51typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
  52struct QCryptoBlockLUKSNameMap {
  53    const char *name;
  54    int id;
  55};
  56
  57typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
  58struct QCryptoBlockLUKSCipherSizeMap {
  59    uint32_t key_bytes;
  60    int id;
  61};
  62typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
  63struct QCryptoBlockLUKSCipherNameMap {
  64    const char *name;
  65    const QCryptoBlockLUKSCipherSizeMap *sizes;
  66};
  67
  68
  69static const QCryptoBlockLUKSCipherSizeMap
  70qcrypto_block_luks_cipher_size_map_aes[] = {
  71    { 16, QCRYPTO_CIPHER_ALG_AES_128 },
  72    { 24, QCRYPTO_CIPHER_ALG_AES_192 },
  73    { 32, QCRYPTO_CIPHER_ALG_AES_256 },
  74    { 0, 0 },
  75};
  76
  77static const QCryptoBlockLUKSCipherSizeMap
  78qcrypto_block_luks_cipher_size_map_cast5[] = {
  79    { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
  80    { 0, 0 },
  81};
  82
  83static const QCryptoBlockLUKSCipherSizeMap
  84qcrypto_block_luks_cipher_size_map_serpent[] = {
  85    { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
  86    { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
  87    { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
  88    { 0, 0 },
  89};
  90
  91static const QCryptoBlockLUKSCipherSizeMap
  92qcrypto_block_luks_cipher_size_map_twofish[] = {
  93    { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
  94    { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
  95    { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
  96    { 0, 0 },
  97};
  98
  99static const QCryptoBlockLUKSCipherNameMap
 100qcrypto_block_luks_cipher_name_map[] = {
 101    { "aes", qcrypto_block_luks_cipher_size_map_aes },
 102    { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
 103    { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
 104    { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
 105};
 106
 107QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
 108QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
 109
 110
 111struct QCryptoBlockLUKS {
 112    QCryptoBlockLUKSHeader header;
 113
 114    /* Main encryption algorithm used for encryption*/
 115    QCryptoCipherAlgorithm cipher_alg;
 116
 117    /* Mode of encryption for the selected encryption algorithm */
 118    QCryptoCipherMode cipher_mode;
 119
 120    /* Initialization vector generation algorithm */
 121    QCryptoIVGenAlgorithm ivgen_alg;
 122
 123    /* Hash algorithm used for IV generation*/
 124    QCryptoHashAlgorithm ivgen_hash_alg;
 125
 126    /*
 127     * Encryption algorithm used for IV generation.
 128     * Usually the same as main encryption algorithm
 129     */
 130    QCryptoCipherAlgorithm ivgen_cipher_alg;
 131
 132    /* Hash algorithm used in pbkdf2 function */
 133    QCryptoHashAlgorithm hash_alg;
 134
 135    /* Name of the secret that was used to open the image */
 136    char *secret;
 137};
 138
 139
 140static int qcrypto_block_luks_cipher_name_lookup(const char *name,
 141                                                 QCryptoCipherMode mode,
 142                                                 uint32_t key_bytes,
 143                                                 Error **errp)
 144{
 145    const QCryptoBlockLUKSCipherNameMap *map =
 146        qcrypto_block_luks_cipher_name_map;
 147    size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
 148    size_t i, j;
 149
 150    if (mode == QCRYPTO_CIPHER_MODE_XTS) {
 151        key_bytes /= 2;
 152    }
 153
 154    for (i = 0; i < maplen; i++) {
 155        if (!g_str_equal(map[i].name, name)) {
 156            continue;
 157        }
 158        for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
 159            if (map[i].sizes[j].key_bytes == key_bytes) {
 160                return map[i].sizes[j].id;
 161            }
 162        }
 163    }
 164
 165    error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
 166               name, key_bytes);
 167    return 0;
 168}
 169
 170static const char *
 171qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
 172                                     Error **errp)
 173{
 174    const QCryptoBlockLUKSCipherNameMap *map =
 175        qcrypto_block_luks_cipher_name_map;
 176    size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
 177    size_t i, j;
 178    for (i = 0; i < maplen; i++) {
 179        for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
 180            if (map[i].sizes[j].id == alg) {
 181                return map[i].name;
 182            }
 183        }
 184    }
 185
 186    error_setg(errp, "Algorithm '%s' not supported",
 187               QCryptoCipherAlgorithm_str(alg));
 188    return NULL;
 189}
 190
 191/* XXX replace with qapi_enum_parse() in future, when we can
 192 * make that function emit a more friendly error message */
 193static int qcrypto_block_luks_name_lookup(const char *name,
 194                                          const QEnumLookup *map,
 195                                          const char *type,
 196                                          Error **errp)
 197{
 198    int ret = qapi_enum_parse(map, name, -1, NULL);
 199
 200    if (ret < 0) {
 201        error_setg(errp, "%s '%s' not supported", type, name);
 202        return 0;
 203    }
 204    return ret;
 205}
 206
 207#define qcrypto_block_luks_cipher_mode_lookup(name, errp)               \
 208    qcrypto_block_luks_name_lookup(name,                                \
 209                                   &QCryptoCipherMode_lookup,           \
 210                                   "Cipher mode",                       \
 211                                   errp)
 212
 213#define qcrypto_block_luks_hash_name_lookup(name, errp)                 \
 214    qcrypto_block_luks_name_lookup(name,                                \
 215                                   &QCryptoHashAlgorithm_lookup,        \
 216                                   "Hash algorithm",                    \
 217                                   errp)
 218
 219#define qcrypto_block_luks_ivgen_name_lookup(name, errp)                \
 220    qcrypto_block_luks_name_lookup(name,                                \
 221                                   &QCryptoIVGenAlgorithm_lookup,       \
 222                                   "IV generator",                      \
 223                                   errp)
 224
 225
 226static bool
 227qcrypto_block_luks_has_format(const uint8_t *buf,
 228                              size_t buf_size)
 229{
 230    const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
 231
 232    if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
 233        memcmp(luks_header->magic, qcrypto_block_luks_magic,
 234               QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
 235        be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
 236        return true;
 237    } else {
 238        return false;
 239    }
 240}
 241
 242
 243/**
 244 * Deal with a quirk of dm-crypt usage of ESSIV.
 245 *
 246 * When calculating ESSIV IVs, the cipher length used by ESSIV
 247 * may be different from the cipher length used for the block
 248 * encryption, becauses dm-crypt uses the hash digest length
 249 * as the key size. ie, if you have AES 128 as the block cipher
 250 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
 251 * the cipher since that gets a key length matching the digest
 252 * size, not AES 128 with truncated digest as might be imagined
 253 */
 254static QCryptoCipherAlgorithm
 255qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
 256                                QCryptoHashAlgorithm hash,
 257                                Error **errp)
 258{
 259    size_t digestlen = qcrypto_hash_digest_len(hash);
 260    size_t keylen = qcrypto_cipher_get_key_len(cipher);
 261    if (digestlen == keylen) {
 262        return cipher;
 263    }
 264
 265    switch (cipher) {
 266    case QCRYPTO_CIPHER_ALG_AES_128:
 267    case QCRYPTO_CIPHER_ALG_AES_192:
 268    case QCRYPTO_CIPHER_ALG_AES_256:
 269        if (digestlen == qcrypto_cipher_get_key_len(
 270                QCRYPTO_CIPHER_ALG_AES_128)) {
 271            return QCRYPTO_CIPHER_ALG_AES_128;
 272        } else if (digestlen == qcrypto_cipher_get_key_len(
 273                       QCRYPTO_CIPHER_ALG_AES_192)) {
 274            return QCRYPTO_CIPHER_ALG_AES_192;
 275        } else if (digestlen == qcrypto_cipher_get_key_len(
 276                       QCRYPTO_CIPHER_ALG_AES_256)) {
 277            return QCRYPTO_CIPHER_ALG_AES_256;
 278        } else {
 279            error_setg(errp, "No AES cipher with key size %zu available",
 280                       digestlen);
 281            return 0;
 282        }
 283        break;
 284    case QCRYPTO_CIPHER_ALG_SERPENT_128:
 285    case QCRYPTO_CIPHER_ALG_SERPENT_192:
 286    case QCRYPTO_CIPHER_ALG_SERPENT_256:
 287        if (digestlen == qcrypto_cipher_get_key_len(
 288                QCRYPTO_CIPHER_ALG_SERPENT_128)) {
 289            return QCRYPTO_CIPHER_ALG_SERPENT_128;
 290        } else if (digestlen == qcrypto_cipher_get_key_len(
 291                       QCRYPTO_CIPHER_ALG_SERPENT_192)) {
 292            return QCRYPTO_CIPHER_ALG_SERPENT_192;
 293        } else if (digestlen == qcrypto_cipher_get_key_len(
 294                       QCRYPTO_CIPHER_ALG_SERPENT_256)) {
 295            return QCRYPTO_CIPHER_ALG_SERPENT_256;
 296        } else {
 297            error_setg(errp, "No Serpent cipher with key size %zu available",
 298                       digestlen);
 299            return 0;
 300        }
 301        break;
 302    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
 303    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
 304    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
 305        if (digestlen == qcrypto_cipher_get_key_len(
 306                QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
 307            return QCRYPTO_CIPHER_ALG_TWOFISH_128;
 308        } else if (digestlen == qcrypto_cipher_get_key_len(
 309                       QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
 310            return QCRYPTO_CIPHER_ALG_TWOFISH_192;
 311        } else if (digestlen == qcrypto_cipher_get_key_len(
 312                       QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
 313            return QCRYPTO_CIPHER_ALG_TWOFISH_256;
 314        } else {
 315            error_setg(errp, "No Twofish cipher with key size %zu available",
 316                       digestlen);
 317            return 0;
 318        }
 319        break;
 320    default:
 321        error_setg(errp, "Cipher %s not supported with essiv",
 322                   QCryptoCipherAlgorithm_str(cipher));
 323        return 0;
 324    }
 325}
 326
 327/*
 328 * Returns number of sectors needed to store the key material
 329 * given number of anti forensic stripes
 330 */
 331static int
 332qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
 333                                       unsigned int header_sectors,
 334                                       unsigned int stripes)
 335{
 336    /*
 337     * This calculation doesn't match that shown in the spec,
 338     * but instead follows the cryptsetup implementation.
 339     */
 340
 341    size_t splitkeylen = luks->header.master_key_len * stripes;
 342
 343    /* First align the key material size to block size*/
 344    size_t splitkeylen_sectors =
 345        DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
 346
 347    /* Then also align the key material size to the size of the header */
 348    return ROUND_UP(splitkeylen_sectors, header_sectors);
 349}
 350
 351
 352void
 353qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
 354{
 355    size_t i;
 356
 357    /*
 358     * Everything on disk uses Big Endian (tm), so flip header fields
 359     * before writing them
 360     */
 361    cpu_to_be16s(&hdr->version);
 362    cpu_to_be32s(&hdr->payload_offset_sector);
 363    cpu_to_be32s(&hdr->master_key_len);
 364    cpu_to_be32s(&hdr->master_key_iterations);
 365
 366    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
 367        cpu_to_be32s(&hdr->key_slots[i].active);
 368        cpu_to_be32s(&hdr->key_slots[i].iterations);
 369        cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
 370        cpu_to_be32s(&hdr->key_slots[i].stripes);
 371    }
 372}
 373
 374void
 375qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
 376{
 377    size_t i;
 378
 379    /*
 380     * The header is always stored in big-endian format, so
 381     * convert everything to native
 382     */
 383    be16_to_cpus(&hdr->version);
 384    be32_to_cpus(&hdr->payload_offset_sector);
 385    be32_to_cpus(&hdr->master_key_len);
 386    be32_to_cpus(&hdr->master_key_iterations);
 387
 388    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
 389        be32_to_cpus(&hdr->key_slots[i].active);
 390        be32_to_cpus(&hdr->key_slots[i].iterations);
 391        be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
 392        be32_to_cpus(&hdr->key_slots[i].stripes);
 393    }
 394}
 395
 396/*
 397 * Stores the main LUKS header, taking care of endianess
 398 */
 399static int
 400qcrypto_block_luks_store_header(QCryptoBlock *block,
 401                                QCryptoBlockWriteFunc writefunc,
 402                                void *opaque,
 403                                Error **errp)
 404{
 405    const QCryptoBlockLUKS *luks = block->opaque;
 406    Error *local_err = NULL;
 407    g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
 408
 409    /* Create a copy of the header */
 410    hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
 411    memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
 412
 413    qcrypto_block_luks_to_disk_endian(hdr_copy);
 414
 415    /* Write out the partition header and key slot headers */
 416    writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
 417              opaque, &local_err);
 418
 419    if (local_err) {
 420        error_propagate(errp, local_err);
 421        return -1;
 422    }
 423    return 0;
 424}
 425
 426/*
 427 * Loads the main LUKS header,and byteswaps it to native endianess
 428 * And run basic sanity checks on it
 429 */
 430static int
 431qcrypto_block_luks_load_header(QCryptoBlock *block,
 432                                QCryptoBlockReadFunc readfunc,
 433                                void *opaque,
 434                                Error **errp)
 435{
 436    int rv;
 437    QCryptoBlockLUKS *luks = block->opaque;
 438
 439    /*
 440     * Read the entire LUKS header, minus the key material from
 441     * the underlying device
 442     */
 443    rv = readfunc(block, 0,
 444                  (uint8_t *)&luks->header,
 445                  sizeof(luks->header),
 446                  opaque,
 447                  errp);
 448    if (rv < 0) {
 449        return rv;
 450    }
 451
 452    qcrypto_block_luks_from_disk_endian(&luks->header);
 453
 454    return 0;
 455}
 456
 457/*
 458 * Does basic sanity checks on the LUKS header
 459 */
 460static int
 461qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
 462{
 463    size_t i, j;
 464
 465    unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
 466        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
 467
 468    if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
 469               QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
 470        error_setg(errp, "Volume is not in LUKS format");
 471        return -1;
 472    }
 473
 474    if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
 475        error_setg(errp, "LUKS version %" PRIu32 " is not supported",
 476                   luks->header.version);
 477        return -1;
 478    }
 479
 480    if (!memchr(luks->header.cipher_name, '\0',
 481                sizeof(luks->header.cipher_name))) {
 482        error_setg(errp, "LUKS header cipher name is not NUL terminated");
 483        return -1;
 484    }
 485
 486    if (!memchr(luks->header.cipher_mode, '\0',
 487                sizeof(luks->header.cipher_mode))) {
 488        error_setg(errp, "LUKS header cipher mode is not NUL terminated");
 489        return -1;
 490    }
 491
 492    if (!memchr(luks->header.hash_spec, '\0',
 493                sizeof(luks->header.hash_spec))) {
 494        error_setg(errp, "LUKS header hash spec is not NUL terminated");
 495        return -1;
 496    }
 497
 498    if (luks->header.payload_offset_sector <
 499        DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
 500                     QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
 501        error_setg(errp, "LUKS payload is overlapping with the header");
 502        return -1;
 503    }
 504
 505    if (luks->header.master_key_iterations == 0) {
 506        error_setg(errp, "LUKS key iteration count is zero");
 507        return -1;
 508    }
 509
 510    /* Check all keyslots for corruption  */
 511    for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
 512
 513        const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
 514        unsigned int start1 = slot1->key_offset_sector;
 515        unsigned int len1 =
 516            qcrypto_block_luks_splitkeylen_sectors(luks,
 517                                                   header_sectors,
 518                                                   slot1->stripes);
 519
 520        if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
 521            error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
 522                       i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
 523            return -1;
 524        }
 525
 526        if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
 527            slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
 528            error_setg(errp,
 529                       "Keyslot %zu state (active/disable) is corrupted", i);
 530            return -1;
 531        }
 532
 533        if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
 534            slot1->iterations == 0) {
 535            error_setg(errp, "Keyslot %zu iteration count is zero", i);
 536            return -1;
 537        }
 538
 539        if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
 540                                  QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
 541            error_setg(errp,
 542                       "Keyslot %zu is overlapping with the LUKS header",
 543                       i);
 544            return -1;
 545        }
 546
 547        if (start1 + len1 > luks->header.payload_offset_sector) {
 548            error_setg(errp,
 549                       "Keyslot %zu is overlapping with the encrypted payload",
 550                       i);
 551            return -1;
 552        }
 553
 554        for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
 555            const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
 556            unsigned int start2 = slot2->key_offset_sector;
 557            unsigned int len2 =
 558                qcrypto_block_luks_splitkeylen_sectors(luks,
 559                                                       header_sectors,
 560                                                       slot2->stripes);
 561
 562            if (start1 + len1 > start2 && start2 + len2 > start1) {
 563                error_setg(errp,
 564                           "Keyslots %zu and %zu are overlapping in the header",
 565                           i, j);
 566                return -1;
 567            }
 568        }
 569
 570    }
 571    return 0;
 572}
 573
 574/*
 575 * Parses the crypto parameters that are stored in the LUKS header
 576 */
 577
 578static int
 579qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
 580{
 581    g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
 582    char *ivgen_name, *ivhash_name;
 583    Error *local_err = NULL;
 584
 585    /*
 586     * The cipher_mode header contains a string that we have
 587     * to further parse, of the format
 588     *
 589     *    <cipher-mode>-<iv-generator>[:<iv-hash>]
 590     *
 591     * eg  cbc-essiv:sha256, cbc-plain64
 592     */
 593    ivgen_name = strchr(cipher_mode, '-');
 594    if (!ivgen_name) {
 595        error_setg(errp, "Unexpected cipher mode string format '%s'",
 596                   luks->header.cipher_mode);
 597        return -1;
 598    }
 599    *ivgen_name = '\0';
 600    ivgen_name++;
 601
 602    ivhash_name = strchr(ivgen_name, ':');
 603    if (!ivhash_name) {
 604        luks->ivgen_hash_alg = 0;
 605    } else {
 606        *ivhash_name = '\0';
 607        ivhash_name++;
 608
 609        luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
 610                                                                   &local_err);
 611        if (local_err) {
 612            error_propagate(errp, local_err);
 613            return -1;
 614        }
 615    }
 616
 617    luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
 618                                                              &local_err);
 619    if (local_err) {
 620        error_propagate(errp, local_err);
 621        return -1;
 622    }
 623
 624    luks->cipher_alg =
 625            qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
 626                                                  luks->cipher_mode,
 627                                                  luks->header.master_key_len,
 628                                                  &local_err);
 629    if (local_err) {
 630        error_propagate(errp, local_err);
 631        return -1;
 632    }
 633
 634    luks->hash_alg =
 635            qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
 636                                                &local_err);
 637    if (local_err) {
 638        error_propagate(errp, local_err);
 639        return -1;
 640    }
 641
 642    luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
 643                                                           &local_err);
 644    if (local_err) {
 645        error_propagate(errp, local_err);
 646        return -1;
 647    }
 648
 649    if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
 650        if (!ivhash_name) {
 651            error_setg(errp, "Missing IV generator hash specification");
 652            return -1;
 653        }
 654        luks->ivgen_cipher_alg =
 655                qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
 656                                                luks->ivgen_hash_alg,
 657                                                &local_err);
 658        if (local_err) {
 659            error_propagate(errp, local_err);
 660            return -1;
 661        }
 662    } else {
 663
 664        /*
 665         * Note we parsed the ivhash_name earlier in the cipher_mode
 666         * spec string even with plain/plain64 ivgens, but we
 667         * will ignore it, since it is irrelevant for these ivgens.
 668         * This is for compat with dm-crypt which will silently
 669         * ignore hash names with these ivgens rather than report
 670         * an error about the invalid usage
 671         */
 672        luks->ivgen_cipher_alg = luks->cipher_alg;
 673    }
 674    return 0;
 675}
 676
 677/*
 678 * Given a key slot,  user password, and the master key,
 679 * will store the encrypted master key there, and update the
 680 * in-memory header. User must then write the in-memory header
 681 *
 682 * Returns:
 683 *    0 if the keyslot was written successfully
 684 *      with the provided password
 685 *   -1 if a fatal error occurred while storing the key
 686 */
 687static int
 688qcrypto_block_luks_store_key(QCryptoBlock *block,
 689                             unsigned int slot_idx,
 690                             const char *password,
 691                             uint8_t *masterkey,
 692                             uint64_t iter_time,
 693                             QCryptoBlockWriteFunc writefunc,
 694                             void *opaque,
 695                             Error **errp)
 696{
 697    QCryptoBlockLUKS *luks = block->opaque;
 698    QCryptoBlockLUKSKeySlot *slot;
 699    g_autofree uint8_t *splitkey = NULL;
 700    size_t splitkeylen;
 701    g_autofree uint8_t *slotkey = NULL;
 702    g_autoptr(QCryptoCipher) cipher = NULL;
 703    g_autoptr(QCryptoIVGen) ivgen = NULL;
 704    Error *local_err = NULL;
 705    uint64_t iters;
 706    int ret = -1;
 707
 708    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
 709    slot = &luks->header.key_slots[slot_idx];
 710    if (qcrypto_random_bytes(slot->salt,
 711                             QCRYPTO_BLOCK_LUKS_SALT_LEN,
 712                             errp) < 0) {
 713        goto cleanup;
 714    }
 715
 716    splitkeylen = luks->header.master_key_len * slot->stripes;
 717
 718    /*
 719     * Determine how many iterations are required to
 720     * hash the user password while consuming 1 second of compute
 721     * time
 722     */
 723    iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
 724                                       (uint8_t *)password, strlen(password),
 725                                       slot->salt,
 726                                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
 727                                       luks->header.master_key_len,
 728                                       &local_err);
 729    if (local_err) {
 730        error_propagate(errp, local_err);
 731        goto cleanup;
 732    }
 733
 734    if (iters > (ULLONG_MAX / iter_time)) {
 735        error_setg_errno(errp, ERANGE,
 736                         "PBKDF iterations %llu too large to scale",
 737                         (unsigned long long)iters);
 738        goto cleanup;
 739    }
 740
 741    /* iter_time was in millis, but count_iters reported for secs */
 742    iters = iters * iter_time / 1000;
 743
 744    if (iters > UINT32_MAX) {
 745        error_setg_errno(errp, ERANGE,
 746                         "PBKDF iterations %llu larger than %u",
 747                         (unsigned long long)iters, UINT32_MAX);
 748        goto cleanup;
 749    }
 750
 751    slot->iterations =
 752        MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
 753
 754
 755    /*
 756     * Generate a key that we'll use to encrypt the master
 757     * key, from the user's password
 758     */
 759    slotkey = g_new0(uint8_t, luks->header.master_key_len);
 760    if (qcrypto_pbkdf2(luks->hash_alg,
 761                       (uint8_t *)password, strlen(password),
 762                       slot->salt,
 763                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
 764                       slot->iterations,
 765                       slotkey, luks->header.master_key_len,
 766                       errp) < 0) {
 767        goto cleanup;
 768    }
 769
 770
 771    /*
 772     * Setup the encryption objects needed to encrypt the
 773     * master key material
 774     */
 775    cipher = qcrypto_cipher_new(luks->cipher_alg,
 776                                luks->cipher_mode,
 777                                slotkey, luks->header.master_key_len,
 778                                errp);
 779    if (!cipher) {
 780        goto cleanup;
 781    }
 782
 783    ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
 784                              luks->ivgen_cipher_alg,
 785                              luks->ivgen_hash_alg,
 786                              slotkey, luks->header.master_key_len,
 787                              errp);
 788    if (!ivgen) {
 789        goto cleanup;
 790    }
 791
 792    /*
 793     * Before storing the master key, we need to vastly
 794     * increase its size, as protection against forensic
 795     * disk data recovery
 796     */
 797    splitkey = g_new0(uint8_t, splitkeylen);
 798
 799    if (qcrypto_afsplit_encode(luks->hash_alg,
 800                               luks->header.master_key_len,
 801                               slot->stripes,
 802                               masterkey,
 803                               splitkey,
 804                               errp) < 0) {
 805        goto cleanup;
 806    }
 807
 808    /*
 809     * Now we encrypt the split master key with the key generated
 810     * from the user's password, before storing it
 811     */
 812    if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
 813                                            QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
 814                                            0,
 815                                            splitkey,
 816                                            splitkeylen,
 817                                            errp) < 0) {
 818        goto cleanup;
 819    }
 820
 821    /* Write out the slot's master key material. */
 822    if (writefunc(block,
 823                  slot->key_offset_sector *
 824                  QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
 825                  splitkey, splitkeylen,
 826                  opaque,
 827                  errp) < 0) {
 828        goto cleanup;
 829    }
 830
 831    slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
 832
 833    if (qcrypto_block_luks_store_header(block,  writefunc, opaque, errp) < 0) {
 834        goto cleanup;
 835    }
 836
 837    ret = 0;
 838
 839cleanup:
 840    if (slotkey) {
 841        memset(slotkey, 0, luks->header.master_key_len);
 842    }
 843    if (splitkey) {
 844        memset(splitkey, 0, splitkeylen);
 845    }
 846    return ret;
 847}
 848
 849/*
 850 * Given a key slot, and user password, this will attempt to unlock
 851 * the master encryption key from the key slot.
 852 *
 853 * Returns:
 854 *    0 if the key slot is disabled, or key could not be decrypted
 855 *      with the provided password
 856 *    1 if the key slot is enabled, and key decrypted successfully
 857 *      with the provided password
 858 *   -1 if a fatal error occurred loading the key
 859 */
 860static int
 861qcrypto_block_luks_load_key(QCryptoBlock *block,
 862                            size_t slot_idx,
 863                            const char *password,
 864                            uint8_t *masterkey,
 865                            QCryptoBlockReadFunc readfunc,
 866                            void *opaque,
 867                            Error **errp)
 868{
 869    QCryptoBlockLUKS *luks = block->opaque;
 870    const QCryptoBlockLUKSKeySlot *slot;
 871    g_autofree uint8_t *splitkey = NULL;
 872    size_t splitkeylen;
 873    g_autofree uint8_t *possiblekey = NULL;
 874    int rv;
 875    g_autoptr(QCryptoCipher) cipher = NULL;
 876    uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
 877    g_autoptr(QCryptoIVGen) ivgen = NULL;
 878    size_t niv;
 879
 880    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
 881    slot = &luks->header.key_slots[slot_idx];
 882    if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
 883        return 0;
 884    }
 885
 886    splitkeylen = luks->header.master_key_len * slot->stripes;
 887    splitkey = g_new0(uint8_t, splitkeylen);
 888    possiblekey = g_new0(uint8_t, luks->header.master_key_len);
 889
 890    /*
 891     * The user password is used to generate a (possible)
 892     * decryption key. This may or may not successfully
 893     * decrypt the master key - we just blindly assume
 894     * the key is correct and validate the results of
 895     * decryption later.
 896     */
 897    if (qcrypto_pbkdf2(luks->hash_alg,
 898                       (const uint8_t *)password, strlen(password),
 899                       slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
 900                       slot->iterations,
 901                       possiblekey, luks->header.master_key_len,
 902                       errp) < 0) {
 903        return -1;
 904    }
 905
 906    /*
 907     * We need to read the master key material from the
 908     * LUKS key material header. What we're reading is
 909     * not the raw master key, but rather the data after
 910     * it has been passed through AFSplit and the result
 911     * then encrypted.
 912     */
 913    rv = readfunc(block,
 914                  slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
 915                  splitkey, splitkeylen,
 916                  opaque,
 917                  errp);
 918    if (rv < 0) {
 919        return -1;
 920    }
 921
 922
 923    /* Setup the cipher/ivgen that we'll use to try to decrypt
 924     * the split master key material */
 925    cipher = qcrypto_cipher_new(luks->cipher_alg,
 926                                luks->cipher_mode,
 927                                possiblekey,
 928                                luks->header.master_key_len,
 929                                errp);
 930    if (!cipher) {
 931        return -1;
 932    }
 933
 934    niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
 935                                    luks->cipher_mode);
 936
 937    ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
 938                              luks->ivgen_cipher_alg,
 939                              luks->ivgen_hash_alg,
 940                              possiblekey,
 941                              luks->header.master_key_len,
 942                              errp);
 943    if (!ivgen) {
 944        return -1;
 945    }
 946
 947
 948    /*
 949     * The master key needs to be decrypted in the same
 950     * way that the block device payload will be decrypted
 951     * later. In particular we'll be using the IV generator
 952     * to reset the encryption cipher every time the master
 953     * key crosses a sector boundary.
 954     */
 955    if (qcrypto_block_cipher_decrypt_helper(cipher,
 956                                            niv,
 957                                            ivgen,
 958                                            QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
 959                                            0,
 960                                            splitkey,
 961                                            splitkeylen,
 962                                            errp) < 0) {
 963        return -1;
 964    }
 965
 966    /*
 967     * Now we've decrypted the split master key, join
 968     * it back together to get the actual master key.
 969     */
 970    if (qcrypto_afsplit_decode(luks->hash_alg,
 971                               luks->header.master_key_len,
 972                               slot->stripes,
 973                               splitkey,
 974                               masterkey,
 975                               errp) < 0) {
 976        return -1;
 977    }
 978
 979
 980    /*
 981     * We still don't know that the masterkey we got is valid,
 982     * because we just blindly assumed the user's password
 983     * was correct. This is where we now verify it. We are
 984     * creating a hash of the master key using PBKDF and
 985     * then comparing that to the hash stored in the key slot
 986     * header
 987     */
 988    if (qcrypto_pbkdf2(luks->hash_alg,
 989                       masterkey,
 990                       luks->header.master_key_len,
 991                       luks->header.master_key_salt,
 992                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
 993                       luks->header.master_key_iterations,
 994                       keydigest,
 995                       G_N_ELEMENTS(keydigest),
 996                       errp) < 0) {
 997        return -1;
 998    }
 999
1000    if (memcmp(keydigest, luks->header.master_key_digest,
1001               QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1002        /* Success, we got the right master key */
1003        return 1;
1004    }
1005
1006    /* Fail, user's password was not valid for this key slot,
1007     * tell caller to try another slot */
1008    return 0;
1009}
1010
1011
1012/*
1013 * Given a user password, this will iterate over all key
1014 * slots and try to unlock each active key slot using the
1015 * password until it successfully obtains a master key.
1016 *
1017 * Returns 0 if a key was loaded, -1 if no keys could be loaded
1018 */
1019static int
1020qcrypto_block_luks_find_key(QCryptoBlock *block,
1021                            const char *password,
1022                            uint8_t *masterkey,
1023                            QCryptoBlockReadFunc readfunc,
1024                            void *opaque,
1025                            Error **errp)
1026{
1027    size_t i;
1028    int rv;
1029
1030    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1031        rv = qcrypto_block_luks_load_key(block,
1032                                         i,
1033                                         password,
1034                                         masterkey,
1035                                         readfunc,
1036                                         opaque,
1037                                         errp);
1038        if (rv < 0) {
1039            goto error;
1040        }
1041        if (rv == 1) {
1042            return 0;
1043        }
1044    }
1045
1046    error_setg(errp, "Invalid password, cannot unlock any keyslot");
1047 error:
1048    return -1;
1049}
1050
1051/*
1052 * Returns true if a slot i is marked as active
1053 * (contains encrypted copy of the master key)
1054 */
1055static bool
1056qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1057                               unsigned int slot_idx)
1058{
1059    uint32_t val;
1060
1061    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1062    val = luks->header.key_slots[slot_idx].active;
1063    return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1064}
1065
1066/*
1067 * Returns the number of slots that are marked as active
1068 * (slots that contain encrypted copy of the master key)
1069 */
1070static unsigned int
1071qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1072{
1073    size_t i = 0;
1074    unsigned int ret = 0;
1075
1076    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1077        if (qcrypto_block_luks_slot_active(luks, i)) {
1078            ret++;
1079        }
1080    }
1081    return ret;
1082}
1083
1084/*
1085 * Finds first key slot which is not active
1086 * Returns the key slot index, or -1 if it doesn't exist
1087 */
1088static int
1089qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1090{
1091    size_t i;
1092
1093    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1094        if (!qcrypto_block_luks_slot_active(luks, i)) {
1095            return i;
1096        }
1097    }
1098    return -1;
1099}
1100
1101/*
1102 * Erases an keyslot given its index
1103 * Returns:
1104 *    0 if the keyslot was erased successfully
1105 *   -1 if a error occurred while erasing the keyslot
1106 *
1107 */
1108static int
1109qcrypto_block_luks_erase_key(QCryptoBlock *block,
1110                             unsigned int slot_idx,
1111                             QCryptoBlockWriteFunc writefunc,
1112                             void *opaque,
1113                             Error **errp)
1114{
1115    QCryptoBlockLUKS *luks = block->opaque;
1116    QCryptoBlockLUKSKeySlot *slot;
1117    g_autofree uint8_t *garbagesplitkey = NULL;
1118    size_t splitkeylen;
1119    size_t i;
1120    Error *local_err = NULL;
1121    int ret;
1122
1123    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1124    slot = &luks->header.key_slots[slot_idx];
1125
1126    splitkeylen = luks->header.master_key_len * slot->stripes;
1127    assert(splitkeylen > 0);
1128
1129    garbagesplitkey = g_new0(uint8_t, splitkeylen);
1130
1131    /* Reset the key slot header */
1132    memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1133    slot->iterations = 0;
1134    slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1135
1136    ret = qcrypto_block_luks_store_header(block, writefunc,
1137                                          opaque, &local_err);
1138
1139    if (ret < 0) {
1140        error_propagate(errp, local_err);
1141    }
1142    /*
1143     * Now try to erase the key material, even if the header
1144     * update failed
1145     */
1146    for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1147        if (qcrypto_random_bytes(garbagesplitkey,
1148                                 splitkeylen, &local_err) < 0) {
1149            /*
1150             * If we failed to get the random data, still write
1151             * at least zeros to the key slot at least once
1152             */
1153            error_propagate(errp, local_err);
1154
1155            if (i > 0) {
1156                return -1;
1157            }
1158        }
1159        if (writefunc(block,
1160                      slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1161                      garbagesplitkey,
1162                      splitkeylen,
1163                      opaque,
1164                      &local_err) < 0) {
1165            error_propagate(errp, local_err);
1166            return -1;
1167        }
1168    }
1169    return ret;
1170}
1171
1172static int
1173qcrypto_block_luks_open(QCryptoBlock *block,
1174                        QCryptoBlockOpenOptions *options,
1175                        const char *optprefix,
1176                        QCryptoBlockReadFunc readfunc,
1177                        void *opaque,
1178                        unsigned int flags,
1179                        size_t n_threads,
1180                        Error **errp)
1181{
1182    QCryptoBlockLUKS *luks = NULL;
1183    g_autofree uint8_t *masterkey = NULL;
1184    g_autofree char *password = NULL;
1185
1186    if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1187        if (!options->u.luks.key_secret) {
1188            error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1189                       optprefix ? optprefix : "");
1190            return -1;
1191        }
1192        password = qcrypto_secret_lookup_as_utf8(
1193            options->u.luks.key_secret, errp);
1194        if (!password) {
1195            return -1;
1196        }
1197    }
1198
1199    luks = g_new0(QCryptoBlockLUKS, 1);
1200    block->opaque = luks;
1201    luks->secret = g_strdup(options->u.luks.key_secret);
1202
1203    if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1204        goto fail;
1205    }
1206
1207    if (qcrypto_block_luks_check_header(luks, errp) < 0) {
1208        goto fail;
1209    }
1210
1211    if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1212        goto fail;
1213    }
1214
1215    if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1216        /* Try to find which key slot our password is valid for
1217         * and unlock the master key from that slot.
1218         */
1219
1220        masterkey = g_new0(uint8_t, luks->header.master_key_len);
1221
1222        if (qcrypto_block_luks_find_key(block,
1223                                        password,
1224                                        masterkey,
1225                                        readfunc, opaque,
1226                                        errp) < 0) {
1227            goto fail;
1228        }
1229
1230        /* We have a valid master key now, so can setup the
1231         * block device payload decryption objects
1232         */
1233        block->kdfhash = luks->hash_alg;
1234        block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1235                                               luks->cipher_mode);
1236
1237        block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1238                                         luks->ivgen_cipher_alg,
1239                                         luks->ivgen_hash_alg,
1240                                         masterkey,
1241                                         luks->header.master_key_len,
1242                                         errp);
1243        if (!block->ivgen) {
1244            goto fail;
1245        }
1246
1247        if (qcrypto_block_init_cipher(block,
1248                                      luks->cipher_alg,
1249                                      luks->cipher_mode,
1250                                      masterkey,
1251                                      luks->header.master_key_len,
1252                                      n_threads,
1253                                      errp) < 0) {
1254            goto fail;
1255        }
1256    }
1257
1258    block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1259    block->payload_offset = luks->header.payload_offset_sector *
1260        block->sector_size;
1261
1262    return 0;
1263
1264 fail:
1265    qcrypto_block_free_cipher(block);
1266    qcrypto_ivgen_free(block->ivgen);
1267    g_free(luks->secret);
1268    g_free(luks);
1269    return -1;
1270}
1271
1272
1273static void
1274qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1275{
1276    QemuUUID uuid;
1277    qemu_uuid_generate(&uuid);
1278    qemu_uuid_unparse(&uuid, (char *)uuidstr);
1279}
1280
1281static int
1282qcrypto_block_luks_create(QCryptoBlock *block,
1283                          QCryptoBlockCreateOptions *options,
1284                          const char *optprefix,
1285                          QCryptoBlockInitFunc initfunc,
1286                          QCryptoBlockWriteFunc writefunc,
1287                          void *opaque,
1288                          Error **errp)
1289{
1290    QCryptoBlockLUKS *luks;
1291    QCryptoBlockCreateOptionsLUKS luks_opts;
1292    Error *local_err = NULL;
1293    g_autofree uint8_t *masterkey = NULL;
1294    size_t header_sectors;
1295    size_t split_key_sectors;
1296    size_t i;
1297    g_autofree char *password = NULL;
1298    const char *cipher_alg;
1299    const char *cipher_mode;
1300    const char *ivgen_alg;
1301    const char *ivgen_hash_alg = NULL;
1302    const char *hash_alg;
1303    g_autofree char *cipher_mode_spec = NULL;
1304    uint64_t iters;
1305
1306    memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1307    if (!luks_opts.has_iter_time) {
1308        luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1309    }
1310    if (!luks_opts.has_cipher_alg) {
1311        luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1312    }
1313    if (!luks_opts.has_cipher_mode) {
1314        luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1315    }
1316    if (!luks_opts.has_ivgen_alg) {
1317        luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1318    }
1319    if (!luks_opts.has_hash_alg) {
1320        luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1321    }
1322    if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1323        if (!luks_opts.has_ivgen_hash_alg) {
1324            luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1325            luks_opts.has_ivgen_hash_alg = true;
1326        }
1327    }
1328
1329    luks = g_new0(QCryptoBlockLUKS, 1);
1330    block->opaque = luks;
1331
1332    luks->cipher_alg = luks_opts.cipher_alg;
1333    luks->cipher_mode = luks_opts.cipher_mode;
1334    luks->ivgen_alg = luks_opts.ivgen_alg;
1335    luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1336    luks->hash_alg = luks_opts.hash_alg;
1337
1338
1339    /* Note we're allowing ivgen_hash_alg to be set even for
1340     * non-essiv iv generators that don't need a hash. It will
1341     * be silently ignored, for compatibility with dm-crypt */
1342
1343    if (!options->u.luks.key_secret) {
1344        error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1345                   optprefix ? optprefix : "");
1346        goto error;
1347    }
1348    luks->secret = g_strdup(options->u.luks.key_secret);
1349
1350    password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1351    if (!password) {
1352        goto error;
1353    }
1354
1355
1356    memcpy(luks->header.magic, qcrypto_block_luks_magic,
1357           QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1358
1359    /* We populate the header in native endianness initially and
1360     * then convert everything to big endian just before writing
1361     * it out to disk
1362     */
1363    luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1364    qcrypto_block_luks_uuid_gen(luks->header.uuid);
1365
1366    cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1367                                                      errp);
1368    if (!cipher_alg) {
1369        goto error;
1370    }
1371
1372    cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1373    ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
1374    if (luks_opts.has_ivgen_hash_alg) {
1375        ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
1376        cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1377                                           ivgen_hash_alg);
1378    } else {
1379        cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1380    }
1381    hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
1382
1383
1384    if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1385        error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1386                   cipher_alg);
1387        goto error;
1388    }
1389    if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1390        error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1391                   cipher_mode_spec);
1392        goto error;
1393    }
1394    if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1395        error_setg(errp, "Hash name '%s' is too long for LUKS header",
1396                   hash_alg);
1397        goto error;
1398    }
1399
1400    if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1401        luks->ivgen_cipher_alg =
1402                qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1403                                                luks_opts.ivgen_hash_alg,
1404                                                &local_err);
1405        if (local_err) {
1406            error_propagate(errp, local_err);
1407            goto error;
1408        }
1409    } else {
1410        luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1411    }
1412
1413    strcpy(luks->header.cipher_name, cipher_alg);
1414    strcpy(luks->header.cipher_mode, cipher_mode_spec);
1415    strcpy(luks->header.hash_spec, hash_alg);
1416
1417    luks->header.master_key_len =
1418        qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1419
1420    if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1421        luks->header.master_key_len *= 2;
1422    }
1423
1424    /* Generate the salt used for hashing the master key
1425     * with PBKDF later
1426     */
1427    if (qcrypto_random_bytes(luks->header.master_key_salt,
1428                             QCRYPTO_BLOCK_LUKS_SALT_LEN,
1429                             errp) < 0) {
1430        goto error;
1431    }
1432
1433    /* Generate random master key */
1434    masterkey = g_new0(uint8_t, luks->header.master_key_len);
1435    if (qcrypto_random_bytes(masterkey,
1436                             luks->header.master_key_len, errp) < 0) {
1437        goto error;
1438    }
1439
1440
1441    /* Setup the block device payload encryption objects */
1442    if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1443                                  luks_opts.cipher_mode, masterkey,
1444                                  luks->header.master_key_len, 1, errp) < 0) {
1445        goto error;
1446    }
1447
1448    block->kdfhash = luks_opts.hash_alg;
1449    block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1450                                           luks_opts.cipher_mode);
1451    block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1452                                     luks->ivgen_cipher_alg,
1453                                     luks_opts.ivgen_hash_alg,
1454                                     masterkey, luks->header.master_key_len,
1455                                     errp);
1456
1457    if (!block->ivgen) {
1458        goto error;
1459    }
1460
1461
1462    /* Determine how many iterations we need to hash the master
1463     * key, in order to have 1 second of compute time used
1464     */
1465    iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1466                                       masterkey, luks->header.master_key_len,
1467                                       luks->header.master_key_salt,
1468                                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
1469                                       QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1470                                       &local_err);
1471    if (local_err) {
1472        error_propagate(errp, local_err);
1473        goto error;
1474    }
1475
1476    if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1477        error_setg_errno(errp, ERANGE,
1478                         "PBKDF iterations %llu too large to scale",
1479                         (unsigned long long)iters);
1480        goto error;
1481    }
1482
1483    /* iter_time was in millis, but count_iters reported for secs */
1484    iters = iters * luks_opts.iter_time / 1000;
1485
1486    /* Why /= 8 ?  That matches cryptsetup, but there's no
1487     * explanation why they chose /= 8... Probably so that
1488     * if all 8 keyslots are active we only spend 1 second
1489     * in total time to check all keys */
1490    iters /= 8;
1491    if (iters > UINT32_MAX) {
1492        error_setg_errno(errp, ERANGE,
1493                         "PBKDF iterations %llu larger than %u",
1494                         (unsigned long long)iters, UINT32_MAX);
1495        goto error;
1496    }
1497    iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1498    luks->header.master_key_iterations = iters;
1499
1500    /* Hash the master key, saving the result in the LUKS
1501     * header. This hash is used when opening the encrypted
1502     * device to verify that the user password unlocked a
1503     * valid master key
1504     */
1505    if (qcrypto_pbkdf2(luks_opts.hash_alg,
1506                       masterkey, luks->header.master_key_len,
1507                       luks->header.master_key_salt,
1508                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
1509                       luks->header.master_key_iterations,
1510                       luks->header.master_key_digest,
1511                       QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1512                       errp) < 0) {
1513        goto error;
1514    }
1515
1516    /* start with the sector that follows the header*/
1517    header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1518        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1519
1520    split_key_sectors =
1521        qcrypto_block_luks_splitkeylen_sectors(luks,
1522                                               header_sectors,
1523                                               QCRYPTO_BLOCK_LUKS_STRIPES);
1524
1525    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1526        QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1527        slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1528
1529        slot->key_offset_sector = header_sectors + i * split_key_sectors;
1530        slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1531    }
1532
1533    /* The total size of the LUKS headers is the partition header + key
1534     * slot headers, rounded up to the nearest sector, combined with
1535     * the size of each master key material region, also rounded up
1536     * to the nearest sector */
1537    luks->header.payload_offset_sector = header_sectors +
1538            QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1539
1540    block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1541    block->payload_offset = luks->header.payload_offset_sector *
1542        block->sector_size;
1543
1544    /* Reserve header space to match payload offset */
1545    initfunc(block, block->payload_offset, opaque, &local_err);
1546    if (local_err) {
1547        error_propagate(errp, local_err);
1548        goto error;
1549    }
1550
1551
1552    /* populate the slot 0 with the password encrypted master key*/
1553    /* This will also store the header */
1554    if (qcrypto_block_luks_store_key(block,
1555                                     0,
1556                                     password,
1557                                     masterkey,
1558                                     luks_opts.iter_time,
1559                                     writefunc,
1560                                     opaque,
1561                                     errp) < 0) {
1562        goto error;
1563    }
1564
1565    memset(masterkey, 0, luks->header.master_key_len);
1566
1567    return 0;
1568
1569 error:
1570    if (masterkey) {
1571        memset(masterkey, 0, luks->header.master_key_len);
1572    }
1573
1574    qcrypto_block_free_cipher(block);
1575    qcrypto_ivgen_free(block->ivgen);
1576
1577    g_free(luks->secret);
1578    g_free(luks);
1579    return -1;
1580}
1581
1582static int
1583qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1584                                     QCryptoBlockReadFunc readfunc,
1585                                     QCryptoBlockWriteFunc writefunc,
1586                                     void *opaque,
1587                                     QCryptoBlockAmendOptionsLUKS *opts_luks,
1588                                     bool force,
1589                                     Error **errp)
1590{
1591    QCryptoBlockLUKS *luks = block->opaque;
1592    uint64_t iter_time = opts_luks->has_iter_time ?
1593                         opts_luks->iter_time :
1594                         QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1595    int keyslot;
1596    g_autofree char *old_password = NULL;
1597    g_autofree char *new_password = NULL;
1598    g_autofree uint8_t *master_key = NULL;
1599
1600    char *secret = opts_luks->has_secret ? opts_luks->secret : luks->secret;
1601
1602    if (!opts_luks->has_new_secret) {
1603        error_setg(errp, "'new-secret' is required to activate a keyslot");
1604        return -1;
1605    }
1606    if (opts_luks->has_old_secret) {
1607        error_setg(errp,
1608                   "'old-secret' must not be given when activating keyslots");
1609        return -1;
1610    }
1611
1612    if (opts_luks->has_keyslot) {
1613        keyslot = opts_luks->keyslot;
1614        if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1615            error_setg(errp,
1616                       "Invalid keyslot %u specified, must be between 0 and %u",
1617                       keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1618            return -1;
1619        }
1620    } else {
1621        keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1622        if (keyslot == -1) {
1623            error_setg(errp,
1624                       "Can't add a keyslot - all keyslots are in use");
1625            return -1;
1626        }
1627    }
1628
1629    if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1630        error_setg(errp,
1631                   "Refusing to overwrite active keyslot %i - "
1632                   "please erase it first",
1633                   keyslot);
1634        return -1;
1635    }
1636
1637    /* Locate the password that will be used to retrieve the master key */
1638    old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1639    if (!old_password) {
1640        return -1;
1641    }
1642
1643    /* Retrieve the master key */
1644    master_key = g_new0(uint8_t, luks->header.master_key_len);
1645
1646    if (qcrypto_block_luks_find_key(block, old_password, master_key,
1647                                    readfunc, opaque, errp) < 0) {
1648        error_append_hint(errp, "Failed to retrieve the master key");
1649        return -1;
1650    }
1651
1652    /* Locate the new password*/
1653    new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1654    if (!new_password) {
1655        return -1;
1656    }
1657
1658    /* Now set the new keyslots */
1659    if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1660                                     iter_time, writefunc, opaque, errp)) {
1661        error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1662        return -1;
1663    }
1664    return 0;
1665}
1666
1667static int
1668qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1669                                        QCryptoBlockReadFunc readfunc,
1670                                        QCryptoBlockWriteFunc writefunc,
1671                                        void *opaque,
1672                                        QCryptoBlockAmendOptionsLUKS *opts_luks,
1673                                        bool force,
1674                                        Error **errp)
1675{
1676    QCryptoBlockLUKS *luks = block->opaque;
1677    g_autofree uint8_t *tmpkey = NULL;
1678    g_autofree char *old_password = NULL;
1679
1680    if (opts_luks->has_new_secret) {
1681        error_setg(errp,
1682                   "'new-secret' must not be given when erasing keyslots");
1683        return -1;
1684    }
1685    if (opts_luks->has_iter_time) {
1686        error_setg(errp,
1687                   "'iter-time' must not be given when erasing keyslots");
1688        return -1;
1689    }
1690    if (opts_luks->has_secret) {
1691        error_setg(errp,
1692                   "'secret' must not be given when erasing keyslots");
1693        return -1;
1694    }
1695
1696    /* Load the old password if given */
1697    if (opts_luks->has_old_secret) {
1698        old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1699                                                     errp);
1700        if (!old_password) {
1701            return -1;
1702        }
1703
1704        /*
1705         * Allocate a temporary key buffer that we will need when
1706         * checking if slot matches the given old password
1707         */
1708        tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1709    }
1710
1711    /* Erase an explicitly given keyslot */
1712    if (opts_luks->has_keyslot) {
1713        int keyslot = opts_luks->keyslot;
1714
1715        if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1716            error_setg(errp,
1717                       "Invalid keyslot %i specified, must be between 0 and %i",
1718                       keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1719            return -1;
1720        }
1721
1722        if (opts_luks->has_old_secret) {
1723            int rv = qcrypto_block_luks_load_key(block,
1724                                                 keyslot,
1725                                                 old_password,
1726                                                 tmpkey,
1727                                                 readfunc,
1728                                                 opaque,
1729                                                 errp);
1730            if (rv == -1) {
1731                return -1;
1732            } else if (rv == 0) {
1733                error_setg(errp,
1734                           "Given keyslot %i doesn't contain the given "
1735                           "old password for erase operation",
1736                           keyslot);
1737                return -1;
1738            }
1739        }
1740
1741        if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1742            error_setg(errp,
1743                       "Given keyslot %i is already erased (inactive) ",
1744                       keyslot);
1745            return -1;
1746        }
1747
1748        if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1749            error_setg(errp,
1750                       "Attempt to erase the only active keyslot %i "
1751                       "which will erase all the data in the image "
1752                       "irreversibly - refusing operation",
1753                       keyslot);
1754            return -1;
1755        }
1756
1757        if (qcrypto_block_luks_erase_key(block, keyslot,
1758                                         writefunc, opaque, errp)) {
1759            error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1760            return -1;
1761        }
1762
1763    /* Erase all keyslots that match the given old password */
1764    } else if (opts_luks->has_old_secret) {
1765
1766        unsigned long slots_to_erase_bitmap = 0;
1767        size_t i;
1768        int slot_count;
1769
1770        assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1771               sizeof(slots_to_erase_bitmap) * 8);
1772
1773        for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1774            int rv = qcrypto_block_luks_load_key(block,
1775                                                 i,
1776                                                 old_password,
1777                                                 tmpkey,
1778                                                 readfunc,
1779                                                 opaque,
1780                                                 errp);
1781            if (rv == -1) {
1782                return -1;
1783            } else if (rv == 1) {
1784                bitmap_set(&slots_to_erase_bitmap, i, 1);
1785            }
1786        }
1787
1788        slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1789                                      QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1790        if (slot_count == 0) {
1791            error_setg(errp,
1792                       "No keyslots match given (old) password for erase operation");
1793            return -1;
1794        }
1795
1796        if (!force &&
1797            slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1798            error_setg(errp,
1799                       "All the active keyslots match the (old) password that "
1800                       "was given and erasing them will erase all the data in "
1801                       "the image irreversibly - refusing operation");
1802            return -1;
1803        }
1804
1805        /* Now apply the update */
1806        for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1807            if (!test_bit(i, &slots_to_erase_bitmap)) {
1808                continue;
1809            }
1810            if (qcrypto_block_luks_erase_key(block, i, writefunc,
1811                opaque, errp)) {
1812                error_append_hint(errp, "Failed to erase keyslot %zu", i);
1813                return -1;
1814            }
1815        }
1816    } else {
1817        error_setg(errp,
1818                   "To erase keyslot(s), either explicit keyslot index "
1819                   "or the password currently contained in them must be given");
1820        return -1;
1821    }
1822    return 0;
1823}
1824
1825static int
1826qcrypto_block_luks_amend_options(QCryptoBlock *block,
1827                                 QCryptoBlockReadFunc readfunc,
1828                                 QCryptoBlockWriteFunc writefunc,
1829                                 void *opaque,
1830                                 QCryptoBlockAmendOptions *options,
1831                                 bool force,
1832                                 Error **errp)
1833{
1834    QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1835
1836    switch (opts_luks->state) {
1837    case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1838        return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1839                                                    writefunc, opaque,
1840                                                    opts_luks, force, errp);
1841    case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1842        return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1843                                                       writefunc, opaque,
1844                                                       opts_luks, force, errp);
1845    default:
1846        g_assert_not_reached();
1847    }
1848}
1849
1850static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1851                                       QCryptoBlockInfo *info,
1852                                       Error **errp)
1853{
1854    QCryptoBlockLUKS *luks = block->opaque;
1855    QCryptoBlockInfoLUKSSlot *slot;
1856    QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1857    size_t i;
1858
1859    info->u.luks.cipher_alg = luks->cipher_alg;
1860    info->u.luks.cipher_mode = luks->cipher_mode;
1861    info->u.luks.ivgen_alg = luks->ivgen_alg;
1862    if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1863        info->u.luks.has_ivgen_hash_alg = true;
1864        info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1865    }
1866    info->u.luks.hash_alg = luks->hash_alg;
1867    info->u.luks.payload_offset = block->payload_offset;
1868    info->u.luks.master_key_iters = luks->header.master_key_iterations;
1869    info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1870                                  sizeof(luks->header.uuid));
1871
1872    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1873        slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1874        slot->active = luks->header.key_slots[i].active ==
1875            QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1876        slot->key_offset = luks->header.key_slots[i].key_offset_sector
1877             * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1878        if (slot->active) {
1879            slot->has_iters = true;
1880            slot->iters = luks->header.key_slots[i].iterations;
1881            slot->has_stripes = true;
1882            slot->stripes = luks->header.key_slots[i].stripes;
1883        }
1884
1885        QAPI_LIST_APPEND(tail, slot);
1886    }
1887
1888    return 0;
1889}
1890
1891
1892static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1893{
1894    QCryptoBlockLUKS *luks = block->opaque;
1895    if (luks) {
1896        g_free(luks->secret);
1897        g_free(luks);
1898    }
1899}
1900
1901
1902static int
1903qcrypto_block_luks_decrypt(QCryptoBlock *block,
1904                           uint64_t offset,
1905                           uint8_t *buf,
1906                           size_t len,
1907                           Error **errp)
1908{
1909    assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1910    assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1911    return qcrypto_block_decrypt_helper(block,
1912                                        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1913                                        offset, buf, len, errp);
1914}
1915
1916
1917static int
1918qcrypto_block_luks_encrypt(QCryptoBlock *block,
1919                           uint64_t offset,
1920                           uint8_t *buf,
1921                           size_t len,
1922                           Error **errp)
1923{
1924    assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1925    assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1926    return qcrypto_block_encrypt_helper(block,
1927                                        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1928                                        offset, buf, len, errp);
1929}
1930
1931
1932const QCryptoBlockDriver qcrypto_block_driver_luks = {
1933    .open = qcrypto_block_luks_open,
1934    .create = qcrypto_block_luks_create,
1935    .amend = qcrypto_block_luks_amend_options,
1936    .get_info = qcrypto_block_luks_get_info,
1937    .cleanup = qcrypto_block_luks_cleanup,
1938    .decrypt = qcrypto_block_luks_decrypt,
1939    .encrypt = qcrypto_block_luks_encrypt,
1940    .has_format = qcrypto_block_luks_has_format,
1941};
1942