1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#include "qemu/osdep.h"
22#include "qapi/error.h"
23#include "qemu/bswap.h"
24
25#include "block-luks.h"
26#include "block-luks-priv.h"
27
28#include "crypto/hash.h"
29#include "crypto/afsplit.h"
30#include "crypto/pbkdf.h"
31#include "crypto/secret.h"
32#include "crypto/random.h"
33#include "qemu/uuid.h"
34
35#include "qemu/coroutine.h"
36#include "qemu/bitmap.h"
37
38
39
40
41
42
43
44
45
46
47
48
49typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
50
51typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
52struct QCryptoBlockLUKSNameMap {
53 const char *name;
54 int id;
55};
56
57typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
58struct QCryptoBlockLUKSCipherSizeMap {
59 uint32_t key_bytes;
60 int id;
61};
62typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
63struct QCryptoBlockLUKSCipherNameMap {
64 const char *name;
65 const QCryptoBlockLUKSCipherSizeMap *sizes;
66};
67
68
69static const QCryptoBlockLUKSCipherSizeMap
70qcrypto_block_luks_cipher_size_map_aes[] = {
71 { 16, QCRYPTO_CIPHER_ALG_AES_128 },
72 { 24, QCRYPTO_CIPHER_ALG_AES_192 },
73 { 32, QCRYPTO_CIPHER_ALG_AES_256 },
74 { 0, 0 },
75};
76
77static const QCryptoBlockLUKSCipherSizeMap
78qcrypto_block_luks_cipher_size_map_cast5[] = {
79 { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
80 { 0, 0 },
81};
82
83static const QCryptoBlockLUKSCipherSizeMap
84qcrypto_block_luks_cipher_size_map_serpent[] = {
85 { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
86 { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
87 { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
88 { 0, 0 },
89};
90
91static const QCryptoBlockLUKSCipherSizeMap
92qcrypto_block_luks_cipher_size_map_twofish[] = {
93 { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
94 { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
95 { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
96 { 0, 0 },
97};
98
99static const QCryptoBlockLUKSCipherNameMap
100qcrypto_block_luks_cipher_name_map[] = {
101 { "aes", qcrypto_block_luks_cipher_size_map_aes },
102 { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
103 { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
104 { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
105};
106
107QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
108QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
109
110
111struct QCryptoBlockLUKS {
112 QCryptoBlockLUKSHeader header;
113
114
115 QCryptoCipherAlgorithm cipher_alg;
116
117
118 QCryptoCipherMode cipher_mode;
119
120
121 QCryptoIVGenAlgorithm ivgen_alg;
122
123
124 QCryptoHashAlgorithm ivgen_hash_alg;
125
126
127
128
129
130 QCryptoCipherAlgorithm ivgen_cipher_alg;
131
132
133 QCryptoHashAlgorithm hash_alg;
134
135
136 char *secret;
137};
138
139
140static int qcrypto_block_luks_cipher_name_lookup(const char *name,
141 QCryptoCipherMode mode,
142 uint32_t key_bytes,
143 Error **errp)
144{
145 const QCryptoBlockLUKSCipherNameMap *map =
146 qcrypto_block_luks_cipher_name_map;
147 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
148 size_t i, j;
149
150 if (mode == QCRYPTO_CIPHER_MODE_XTS) {
151 key_bytes /= 2;
152 }
153
154 for (i = 0; i < maplen; i++) {
155 if (!g_str_equal(map[i].name, name)) {
156 continue;
157 }
158 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
159 if (map[i].sizes[j].key_bytes == key_bytes) {
160 return map[i].sizes[j].id;
161 }
162 }
163 }
164
165 error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
166 name, key_bytes);
167 return 0;
168}
169
170static const char *
171qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
172 Error **errp)
173{
174 const QCryptoBlockLUKSCipherNameMap *map =
175 qcrypto_block_luks_cipher_name_map;
176 size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
177 size_t i, j;
178 for (i = 0; i < maplen; i++) {
179 for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
180 if (map[i].sizes[j].id == alg) {
181 return map[i].name;
182 }
183 }
184 }
185
186 error_setg(errp, "Algorithm '%s' not supported",
187 QCryptoCipherAlgorithm_str(alg));
188 return NULL;
189}
190
191
192
193static int qcrypto_block_luks_name_lookup(const char *name,
194 const QEnumLookup *map,
195 const char *type,
196 Error **errp)
197{
198 int ret = qapi_enum_parse(map, name, -1, NULL);
199
200 if (ret < 0) {
201 error_setg(errp, "%s '%s' not supported", type, name);
202 return 0;
203 }
204 return ret;
205}
206
207#define qcrypto_block_luks_cipher_mode_lookup(name, errp) \
208 qcrypto_block_luks_name_lookup(name, \
209 &QCryptoCipherMode_lookup, \
210 "Cipher mode", \
211 errp)
212
213#define qcrypto_block_luks_hash_name_lookup(name, errp) \
214 qcrypto_block_luks_name_lookup(name, \
215 &QCryptoHashAlgorithm_lookup, \
216 "Hash algorithm", \
217 errp)
218
219#define qcrypto_block_luks_ivgen_name_lookup(name, errp) \
220 qcrypto_block_luks_name_lookup(name, \
221 &QCryptoIVGenAlgorithm_lookup, \
222 "IV generator", \
223 errp)
224
225
226static bool
227qcrypto_block_luks_has_format(const uint8_t *buf,
228 size_t buf_size)
229{
230 const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
231
232 if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
233 memcmp(luks_header->magic, qcrypto_block_luks_magic,
234 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
235 be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
236 return true;
237 } else {
238 return false;
239 }
240}
241
242
243
244
245
246
247
248
249
250
251
252
253
254static QCryptoCipherAlgorithm
255qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
256 QCryptoHashAlgorithm hash,
257 Error **errp)
258{
259 size_t digestlen = qcrypto_hash_digest_len(hash);
260 size_t keylen = qcrypto_cipher_get_key_len(cipher);
261 if (digestlen == keylen) {
262 return cipher;
263 }
264
265 switch (cipher) {
266 case QCRYPTO_CIPHER_ALG_AES_128:
267 case QCRYPTO_CIPHER_ALG_AES_192:
268 case QCRYPTO_CIPHER_ALG_AES_256:
269 if (digestlen == qcrypto_cipher_get_key_len(
270 QCRYPTO_CIPHER_ALG_AES_128)) {
271 return QCRYPTO_CIPHER_ALG_AES_128;
272 } else if (digestlen == qcrypto_cipher_get_key_len(
273 QCRYPTO_CIPHER_ALG_AES_192)) {
274 return QCRYPTO_CIPHER_ALG_AES_192;
275 } else if (digestlen == qcrypto_cipher_get_key_len(
276 QCRYPTO_CIPHER_ALG_AES_256)) {
277 return QCRYPTO_CIPHER_ALG_AES_256;
278 } else {
279 error_setg(errp, "No AES cipher with key size %zu available",
280 digestlen);
281 return 0;
282 }
283 break;
284 case QCRYPTO_CIPHER_ALG_SERPENT_128:
285 case QCRYPTO_CIPHER_ALG_SERPENT_192:
286 case QCRYPTO_CIPHER_ALG_SERPENT_256:
287 if (digestlen == qcrypto_cipher_get_key_len(
288 QCRYPTO_CIPHER_ALG_SERPENT_128)) {
289 return QCRYPTO_CIPHER_ALG_SERPENT_128;
290 } else if (digestlen == qcrypto_cipher_get_key_len(
291 QCRYPTO_CIPHER_ALG_SERPENT_192)) {
292 return QCRYPTO_CIPHER_ALG_SERPENT_192;
293 } else if (digestlen == qcrypto_cipher_get_key_len(
294 QCRYPTO_CIPHER_ALG_SERPENT_256)) {
295 return QCRYPTO_CIPHER_ALG_SERPENT_256;
296 } else {
297 error_setg(errp, "No Serpent cipher with key size %zu available",
298 digestlen);
299 return 0;
300 }
301 break;
302 case QCRYPTO_CIPHER_ALG_TWOFISH_128:
303 case QCRYPTO_CIPHER_ALG_TWOFISH_192:
304 case QCRYPTO_CIPHER_ALG_TWOFISH_256:
305 if (digestlen == qcrypto_cipher_get_key_len(
306 QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
307 return QCRYPTO_CIPHER_ALG_TWOFISH_128;
308 } else if (digestlen == qcrypto_cipher_get_key_len(
309 QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
310 return QCRYPTO_CIPHER_ALG_TWOFISH_192;
311 } else if (digestlen == qcrypto_cipher_get_key_len(
312 QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
313 return QCRYPTO_CIPHER_ALG_TWOFISH_256;
314 } else {
315 error_setg(errp, "No Twofish cipher with key size %zu available",
316 digestlen);
317 return 0;
318 }
319 break;
320 default:
321 error_setg(errp, "Cipher %s not supported with essiv",
322 QCryptoCipherAlgorithm_str(cipher));
323 return 0;
324 }
325}
326
327
328
329
330
331static int
332qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
333 unsigned int header_sectors,
334 unsigned int stripes)
335{
336
337
338
339
340
341 size_t splitkeylen = luks->header.master_key_len * stripes;
342
343
344 size_t splitkeylen_sectors =
345 DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
346
347
348 return ROUND_UP(splitkeylen_sectors, header_sectors);
349}
350
351
352void
353qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
354{
355 size_t i;
356
357
358
359
360
361 cpu_to_be16s(&hdr->version);
362 cpu_to_be32s(&hdr->payload_offset_sector);
363 cpu_to_be32s(&hdr->master_key_len);
364 cpu_to_be32s(&hdr->master_key_iterations);
365
366 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
367 cpu_to_be32s(&hdr->key_slots[i].active);
368 cpu_to_be32s(&hdr->key_slots[i].iterations);
369 cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
370 cpu_to_be32s(&hdr->key_slots[i].stripes);
371 }
372}
373
374void
375qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
376{
377 size_t i;
378
379
380
381
382
383 be16_to_cpus(&hdr->version);
384 be32_to_cpus(&hdr->payload_offset_sector);
385 be32_to_cpus(&hdr->master_key_len);
386 be32_to_cpus(&hdr->master_key_iterations);
387
388 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
389 be32_to_cpus(&hdr->key_slots[i].active);
390 be32_to_cpus(&hdr->key_slots[i].iterations);
391 be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
392 be32_to_cpus(&hdr->key_slots[i].stripes);
393 }
394}
395
396
397
398
399static int
400qcrypto_block_luks_store_header(QCryptoBlock *block,
401 QCryptoBlockWriteFunc writefunc,
402 void *opaque,
403 Error **errp)
404{
405 const QCryptoBlockLUKS *luks = block->opaque;
406 Error *local_err = NULL;
407 g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
408
409
410 hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
411 memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
412
413 qcrypto_block_luks_to_disk_endian(hdr_copy);
414
415
416 writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
417 opaque, &local_err);
418
419 if (local_err) {
420 error_propagate(errp, local_err);
421 return -1;
422 }
423 return 0;
424}
425
426
427
428
429
430static int
431qcrypto_block_luks_load_header(QCryptoBlock *block,
432 QCryptoBlockReadFunc readfunc,
433 void *opaque,
434 Error **errp)
435{
436 int rv;
437 QCryptoBlockLUKS *luks = block->opaque;
438
439
440
441
442
443 rv = readfunc(block, 0,
444 (uint8_t *)&luks->header,
445 sizeof(luks->header),
446 opaque,
447 errp);
448 if (rv < 0) {
449 return rv;
450 }
451
452 qcrypto_block_luks_from_disk_endian(&luks->header);
453
454 return 0;
455}
456
457
458
459
460static int
461qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
462{
463 size_t i, j;
464
465 unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
466 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
467
468 if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
469 QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
470 error_setg(errp, "Volume is not in LUKS format");
471 return -1;
472 }
473
474 if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
475 error_setg(errp, "LUKS version %" PRIu32 " is not supported",
476 luks->header.version);
477 return -1;
478 }
479
480 if (!memchr(luks->header.cipher_name, '\0',
481 sizeof(luks->header.cipher_name))) {
482 error_setg(errp, "LUKS header cipher name is not NUL terminated");
483 return -1;
484 }
485
486 if (!memchr(luks->header.cipher_mode, '\0',
487 sizeof(luks->header.cipher_mode))) {
488 error_setg(errp, "LUKS header cipher mode is not NUL terminated");
489 return -1;
490 }
491
492 if (!memchr(luks->header.hash_spec, '\0',
493 sizeof(luks->header.hash_spec))) {
494 error_setg(errp, "LUKS header hash spec is not NUL terminated");
495 return -1;
496 }
497
498 if (luks->header.payload_offset_sector <
499 DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
500 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
501 error_setg(errp, "LUKS payload is overlapping with the header");
502 return -1;
503 }
504
505 if (luks->header.master_key_iterations == 0) {
506 error_setg(errp, "LUKS key iteration count is zero");
507 return -1;
508 }
509
510
511 for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
512
513 const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
514 unsigned int start1 = slot1->key_offset_sector;
515 unsigned int len1 =
516 qcrypto_block_luks_splitkeylen_sectors(luks,
517 header_sectors,
518 slot1->stripes);
519
520 if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
521 error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
522 i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
523 return -1;
524 }
525
526 if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
527 slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
528 error_setg(errp,
529 "Keyslot %zu state (active/disable) is corrupted", i);
530 return -1;
531 }
532
533 if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
534 slot1->iterations == 0) {
535 error_setg(errp, "Keyslot %zu iteration count is zero", i);
536 return -1;
537 }
538
539 if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
540 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
541 error_setg(errp,
542 "Keyslot %zu is overlapping with the LUKS header",
543 i);
544 return -1;
545 }
546
547 if (start1 + len1 > luks->header.payload_offset_sector) {
548 error_setg(errp,
549 "Keyslot %zu is overlapping with the encrypted payload",
550 i);
551 return -1;
552 }
553
554 for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
555 const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
556 unsigned int start2 = slot2->key_offset_sector;
557 unsigned int len2 =
558 qcrypto_block_luks_splitkeylen_sectors(luks,
559 header_sectors,
560 slot2->stripes);
561
562 if (start1 + len1 > start2 && start2 + len2 > start1) {
563 error_setg(errp,
564 "Keyslots %zu and %zu are overlapping in the header",
565 i, j);
566 return -1;
567 }
568 }
569
570 }
571 return 0;
572}
573
574
575
576
577
578static int
579qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
580{
581 g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
582 char *ivgen_name, *ivhash_name;
583 Error *local_err = NULL;
584
585
586
587
588
589
590
591
592
593 ivgen_name = strchr(cipher_mode, '-');
594 if (!ivgen_name) {
595 error_setg(errp, "Unexpected cipher mode string format '%s'",
596 luks->header.cipher_mode);
597 return -1;
598 }
599 *ivgen_name = '\0';
600 ivgen_name++;
601
602 ivhash_name = strchr(ivgen_name, ':');
603 if (!ivhash_name) {
604 luks->ivgen_hash_alg = 0;
605 } else {
606 *ivhash_name = '\0';
607 ivhash_name++;
608
609 luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
610 &local_err);
611 if (local_err) {
612 error_propagate(errp, local_err);
613 return -1;
614 }
615 }
616
617 luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
618 &local_err);
619 if (local_err) {
620 error_propagate(errp, local_err);
621 return -1;
622 }
623
624 luks->cipher_alg =
625 qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
626 luks->cipher_mode,
627 luks->header.master_key_len,
628 &local_err);
629 if (local_err) {
630 error_propagate(errp, local_err);
631 return -1;
632 }
633
634 luks->hash_alg =
635 qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
636 &local_err);
637 if (local_err) {
638 error_propagate(errp, local_err);
639 return -1;
640 }
641
642 luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
643 &local_err);
644 if (local_err) {
645 error_propagate(errp, local_err);
646 return -1;
647 }
648
649 if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
650 if (!ivhash_name) {
651 error_setg(errp, "Missing IV generator hash specification");
652 return -1;
653 }
654 luks->ivgen_cipher_alg =
655 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
656 luks->ivgen_hash_alg,
657 &local_err);
658 if (local_err) {
659 error_propagate(errp, local_err);
660 return -1;
661 }
662 } else {
663
664
665
666
667
668
669
670
671
672 luks->ivgen_cipher_alg = luks->cipher_alg;
673 }
674 return 0;
675}
676
677
678
679
680
681
682
683
684
685
686
687static int
688qcrypto_block_luks_store_key(QCryptoBlock *block,
689 unsigned int slot_idx,
690 const char *password,
691 uint8_t *masterkey,
692 uint64_t iter_time,
693 QCryptoBlockWriteFunc writefunc,
694 void *opaque,
695 Error **errp)
696{
697 QCryptoBlockLUKS *luks = block->opaque;
698 QCryptoBlockLUKSKeySlot *slot;
699 g_autofree uint8_t *splitkey = NULL;
700 size_t splitkeylen;
701 g_autofree uint8_t *slotkey = NULL;
702 g_autoptr(QCryptoCipher) cipher = NULL;
703 g_autoptr(QCryptoIVGen) ivgen = NULL;
704 Error *local_err = NULL;
705 uint64_t iters;
706 int ret = -1;
707
708 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
709 slot = &luks->header.key_slots[slot_idx];
710 if (qcrypto_random_bytes(slot->salt,
711 QCRYPTO_BLOCK_LUKS_SALT_LEN,
712 errp) < 0) {
713 goto cleanup;
714 }
715
716 splitkeylen = luks->header.master_key_len * slot->stripes;
717
718
719
720
721
722
723 iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
724 (uint8_t *)password, strlen(password),
725 slot->salt,
726 QCRYPTO_BLOCK_LUKS_SALT_LEN,
727 luks->header.master_key_len,
728 &local_err);
729 if (local_err) {
730 error_propagate(errp, local_err);
731 goto cleanup;
732 }
733
734 if (iters > (ULLONG_MAX / iter_time)) {
735 error_setg_errno(errp, ERANGE,
736 "PBKDF iterations %llu too large to scale",
737 (unsigned long long)iters);
738 goto cleanup;
739 }
740
741
742 iters = iters * iter_time / 1000;
743
744 if (iters > UINT32_MAX) {
745 error_setg_errno(errp, ERANGE,
746 "PBKDF iterations %llu larger than %u",
747 (unsigned long long)iters, UINT32_MAX);
748 goto cleanup;
749 }
750
751 slot->iterations =
752 MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
753
754
755
756
757
758
759 slotkey = g_new0(uint8_t, luks->header.master_key_len);
760 if (qcrypto_pbkdf2(luks->hash_alg,
761 (uint8_t *)password, strlen(password),
762 slot->salt,
763 QCRYPTO_BLOCK_LUKS_SALT_LEN,
764 slot->iterations,
765 slotkey, luks->header.master_key_len,
766 errp) < 0) {
767 goto cleanup;
768 }
769
770
771
772
773
774
775 cipher = qcrypto_cipher_new(luks->cipher_alg,
776 luks->cipher_mode,
777 slotkey, luks->header.master_key_len,
778 errp);
779 if (!cipher) {
780 goto cleanup;
781 }
782
783 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
784 luks->ivgen_cipher_alg,
785 luks->ivgen_hash_alg,
786 slotkey, luks->header.master_key_len,
787 errp);
788 if (!ivgen) {
789 goto cleanup;
790 }
791
792
793
794
795
796
797 splitkey = g_new0(uint8_t, splitkeylen);
798
799 if (qcrypto_afsplit_encode(luks->hash_alg,
800 luks->header.master_key_len,
801 slot->stripes,
802 masterkey,
803 splitkey,
804 errp) < 0) {
805 goto cleanup;
806 }
807
808
809
810
811
812 if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
813 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
814 0,
815 splitkey,
816 splitkeylen,
817 errp) < 0) {
818 goto cleanup;
819 }
820
821
822 if (writefunc(block,
823 slot->key_offset_sector *
824 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
825 splitkey, splitkeylen,
826 opaque,
827 errp) < 0) {
828 goto cleanup;
829 }
830
831 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
832
833 if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) {
834 goto cleanup;
835 }
836
837 ret = 0;
838
839cleanup:
840 if (slotkey) {
841 memset(slotkey, 0, luks->header.master_key_len);
842 }
843 if (splitkey) {
844 memset(splitkey, 0, splitkeylen);
845 }
846 return ret;
847}
848
849
850
851
852
853
854
855
856
857
858
859
860static int
861qcrypto_block_luks_load_key(QCryptoBlock *block,
862 size_t slot_idx,
863 const char *password,
864 uint8_t *masterkey,
865 QCryptoBlockReadFunc readfunc,
866 void *opaque,
867 Error **errp)
868{
869 QCryptoBlockLUKS *luks = block->opaque;
870 const QCryptoBlockLUKSKeySlot *slot;
871 g_autofree uint8_t *splitkey = NULL;
872 size_t splitkeylen;
873 g_autofree uint8_t *possiblekey = NULL;
874 int rv;
875 g_autoptr(QCryptoCipher) cipher = NULL;
876 uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
877 g_autoptr(QCryptoIVGen) ivgen = NULL;
878 size_t niv;
879
880 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
881 slot = &luks->header.key_slots[slot_idx];
882 if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
883 return 0;
884 }
885
886 splitkeylen = luks->header.master_key_len * slot->stripes;
887 splitkey = g_new0(uint8_t, splitkeylen);
888 possiblekey = g_new0(uint8_t, luks->header.master_key_len);
889
890
891
892
893
894
895
896
897 if (qcrypto_pbkdf2(luks->hash_alg,
898 (const uint8_t *)password, strlen(password),
899 slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
900 slot->iterations,
901 possiblekey, luks->header.master_key_len,
902 errp) < 0) {
903 return -1;
904 }
905
906
907
908
909
910
911
912
913 rv = readfunc(block,
914 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
915 splitkey, splitkeylen,
916 opaque,
917 errp);
918 if (rv < 0) {
919 return -1;
920 }
921
922
923
924
925 cipher = qcrypto_cipher_new(luks->cipher_alg,
926 luks->cipher_mode,
927 possiblekey,
928 luks->header.master_key_len,
929 errp);
930 if (!cipher) {
931 return -1;
932 }
933
934 niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
935 luks->cipher_mode);
936
937 ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
938 luks->ivgen_cipher_alg,
939 luks->ivgen_hash_alg,
940 possiblekey,
941 luks->header.master_key_len,
942 errp);
943 if (!ivgen) {
944 return -1;
945 }
946
947
948
949
950
951
952
953
954
955 if (qcrypto_block_cipher_decrypt_helper(cipher,
956 niv,
957 ivgen,
958 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
959 0,
960 splitkey,
961 splitkeylen,
962 errp) < 0) {
963 return -1;
964 }
965
966
967
968
969
970 if (qcrypto_afsplit_decode(luks->hash_alg,
971 luks->header.master_key_len,
972 slot->stripes,
973 splitkey,
974 masterkey,
975 errp) < 0) {
976 return -1;
977 }
978
979
980
981
982
983
984
985
986
987
988 if (qcrypto_pbkdf2(luks->hash_alg,
989 masterkey,
990 luks->header.master_key_len,
991 luks->header.master_key_salt,
992 QCRYPTO_BLOCK_LUKS_SALT_LEN,
993 luks->header.master_key_iterations,
994 keydigest,
995 G_N_ELEMENTS(keydigest),
996 errp) < 0) {
997 return -1;
998 }
999
1000 if (memcmp(keydigest, luks->header.master_key_digest,
1001 QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1002
1003 return 1;
1004 }
1005
1006
1007
1008 return 0;
1009}
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019static int
1020qcrypto_block_luks_find_key(QCryptoBlock *block,
1021 const char *password,
1022 uint8_t *masterkey,
1023 QCryptoBlockReadFunc readfunc,
1024 void *opaque,
1025 Error **errp)
1026{
1027 size_t i;
1028 int rv;
1029
1030 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1031 rv = qcrypto_block_luks_load_key(block,
1032 i,
1033 password,
1034 masterkey,
1035 readfunc,
1036 opaque,
1037 errp);
1038 if (rv < 0) {
1039 goto error;
1040 }
1041 if (rv == 1) {
1042 return 0;
1043 }
1044 }
1045
1046 error_setg(errp, "Invalid password, cannot unlock any keyslot");
1047 error:
1048 return -1;
1049}
1050
1051
1052
1053
1054
1055static bool
1056qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1057 unsigned int slot_idx)
1058{
1059 uint32_t val;
1060
1061 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1062 val = luks->header.key_slots[slot_idx].active;
1063 return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1064}
1065
1066
1067
1068
1069
1070static unsigned int
1071qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1072{
1073 size_t i = 0;
1074 unsigned int ret = 0;
1075
1076 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1077 if (qcrypto_block_luks_slot_active(luks, i)) {
1078 ret++;
1079 }
1080 }
1081 return ret;
1082}
1083
1084
1085
1086
1087
1088static int
1089qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1090{
1091 size_t i;
1092
1093 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1094 if (!qcrypto_block_luks_slot_active(luks, i)) {
1095 return i;
1096 }
1097 }
1098 return -1;
1099}
1100
1101
1102
1103
1104
1105
1106
1107
1108static int
1109qcrypto_block_luks_erase_key(QCryptoBlock *block,
1110 unsigned int slot_idx,
1111 QCryptoBlockWriteFunc writefunc,
1112 void *opaque,
1113 Error **errp)
1114{
1115 QCryptoBlockLUKS *luks = block->opaque;
1116 QCryptoBlockLUKSKeySlot *slot;
1117 g_autofree uint8_t *garbagesplitkey = NULL;
1118 size_t splitkeylen;
1119 size_t i;
1120 Error *local_err = NULL;
1121 int ret;
1122
1123 assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1124 slot = &luks->header.key_slots[slot_idx];
1125
1126 splitkeylen = luks->header.master_key_len * slot->stripes;
1127 assert(splitkeylen > 0);
1128
1129 garbagesplitkey = g_new0(uint8_t, splitkeylen);
1130
1131
1132 memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1133 slot->iterations = 0;
1134 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1135
1136 ret = qcrypto_block_luks_store_header(block, writefunc,
1137 opaque, &local_err);
1138
1139 if (ret < 0) {
1140 error_propagate(errp, local_err);
1141 }
1142
1143
1144
1145
1146 for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1147 if (qcrypto_random_bytes(garbagesplitkey,
1148 splitkeylen, &local_err) < 0) {
1149
1150
1151
1152
1153 error_propagate(errp, local_err);
1154
1155 if (i > 0) {
1156 return -1;
1157 }
1158 }
1159 if (writefunc(block,
1160 slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1161 garbagesplitkey,
1162 splitkeylen,
1163 opaque,
1164 &local_err) < 0) {
1165 error_propagate(errp, local_err);
1166 return -1;
1167 }
1168 }
1169 return ret;
1170}
1171
1172static int
1173qcrypto_block_luks_open(QCryptoBlock *block,
1174 QCryptoBlockOpenOptions *options,
1175 const char *optprefix,
1176 QCryptoBlockReadFunc readfunc,
1177 void *opaque,
1178 unsigned int flags,
1179 size_t n_threads,
1180 Error **errp)
1181{
1182 QCryptoBlockLUKS *luks = NULL;
1183 g_autofree uint8_t *masterkey = NULL;
1184 g_autofree char *password = NULL;
1185
1186 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1187 if (!options->u.luks.key_secret) {
1188 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1189 optprefix ? optprefix : "");
1190 return -1;
1191 }
1192 password = qcrypto_secret_lookup_as_utf8(
1193 options->u.luks.key_secret, errp);
1194 if (!password) {
1195 return -1;
1196 }
1197 }
1198
1199 luks = g_new0(QCryptoBlockLUKS, 1);
1200 block->opaque = luks;
1201 luks->secret = g_strdup(options->u.luks.key_secret);
1202
1203 if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1204 goto fail;
1205 }
1206
1207 if (qcrypto_block_luks_check_header(luks, errp) < 0) {
1208 goto fail;
1209 }
1210
1211 if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1212 goto fail;
1213 }
1214
1215 if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1216
1217
1218
1219
1220 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1221
1222 if (qcrypto_block_luks_find_key(block,
1223 password,
1224 masterkey,
1225 readfunc, opaque,
1226 errp) < 0) {
1227 goto fail;
1228 }
1229
1230
1231
1232
1233 block->kdfhash = luks->hash_alg;
1234 block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1235 luks->cipher_mode);
1236
1237 block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1238 luks->ivgen_cipher_alg,
1239 luks->ivgen_hash_alg,
1240 masterkey,
1241 luks->header.master_key_len,
1242 errp);
1243 if (!block->ivgen) {
1244 goto fail;
1245 }
1246
1247 if (qcrypto_block_init_cipher(block,
1248 luks->cipher_alg,
1249 luks->cipher_mode,
1250 masterkey,
1251 luks->header.master_key_len,
1252 n_threads,
1253 errp) < 0) {
1254 goto fail;
1255 }
1256 }
1257
1258 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1259 block->payload_offset = luks->header.payload_offset_sector *
1260 block->sector_size;
1261
1262 return 0;
1263
1264 fail:
1265 qcrypto_block_free_cipher(block);
1266 qcrypto_ivgen_free(block->ivgen);
1267 g_free(luks->secret);
1268 g_free(luks);
1269 return -1;
1270}
1271
1272
1273static void
1274qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1275{
1276 QemuUUID uuid;
1277 qemu_uuid_generate(&uuid);
1278 qemu_uuid_unparse(&uuid, (char *)uuidstr);
1279}
1280
1281static int
1282qcrypto_block_luks_create(QCryptoBlock *block,
1283 QCryptoBlockCreateOptions *options,
1284 const char *optprefix,
1285 QCryptoBlockInitFunc initfunc,
1286 QCryptoBlockWriteFunc writefunc,
1287 void *opaque,
1288 Error **errp)
1289{
1290 QCryptoBlockLUKS *luks;
1291 QCryptoBlockCreateOptionsLUKS luks_opts;
1292 Error *local_err = NULL;
1293 g_autofree uint8_t *masterkey = NULL;
1294 size_t header_sectors;
1295 size_t split_key_sectors;
1296 size_t i;
1297 g_autofree char *password = NULL;
1298 const char *cipher_alg;
1299 const char *cipher_mode;
1300 const char *ivgen_alg;
1301 const char *ivgen_hash_alg = NULL;
1302 const char *hash_alg;
1303 g_autofree char *cipher_mode_spec = NULL;
1304 uint64_t iters;
1305
1306 memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1307 if (!luks_opts.has_iter_time) {
1308 luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1309 }
1310 if (!luks_opts.has_cipher_alg) {
1311 luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1312 }
1313 if (!luks_opts.has_cipher_mode) {
1314 luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1315 }
1316 if (!luks_opts.has_ivgen_alg) {
1317 luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1318 }
1319 if (!luks_opts.has_hash_alg) {
1320 luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1321 }
1322 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1323 if (!luks_opts.has_ivgen_hash_alg) {
1324 luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1325 luks_opts.has_ivgen_hash_alg = true;
1326 }
1327 }
1328
1329 luks = g_new0(QCryptoBlockLUKS, 1);
1330 block->opaque = luks;
1331
1332 luks->cipher_alg = luks_opts.cipher_alg;
1333 luks->cipher_mode = luks_opts.cipher_mode;
1334 luks->ivgen_alg = luks_opts.ivgen_alg;
1335 luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1336 luks->hash_alg = luks_opts.hash_alg;
1337
1338
1339
1340
1341
1342
1343 if (!options->u.luks.key_secret) {
1344 error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1345 optprefix ? optprefix : "");
1346 goto error;
1347 }
1348 luks->secret = g_strdup(options->u.luks.key_secret);
1349
1350 password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1351 if (!password) {
1352 goto error;
1353 }
1354
1355
1356 memcpy(luks->header.magic, qcrypto_block_luks_magic,
1357 QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1358
1359
1360
1361
1362
1363 luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1364 qcrypto_block_luks_uuid_gen(luks->header.uuid);
1365
1366 cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1367 errp);
1368 if (!cipher_alg) {
1369 goto error;
1370 }
1371
1372 cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1373 ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
1374 if (luks_opts.has_ivgen_hash_alg) {
1375 ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
1376 cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1377 ivgen_hash_alg);
1378 } else {
1379 cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1380 }
1381 hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
1382
1383
1384 if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1385 error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1386 cipher_alg);
1387 goto error;
1388 }
1389 if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1390 error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1391 cipher_mode_spec);
1392 goto error;
1393 }
1394 if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1395 error_setg(errp, "Hash name '%s' is too long for LUKS header",
1396 hash_alg);
1397 goto error;
1398 }
1399
1400 if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1401 luks->ivgen_cipher_alg =
1402 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1403 luks_opts.ivgen_hash_alg,
1404 &local_err);
1405 if (local_err) {
1406 error_propagate(errp, local_err);
1407 goto error;
1408 }
1409 } else {
1410 luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1411 }
1412
1413 strcpy(luks->header.cipher_name, cipher_alg);
1414 strcpy(luks->header.cipher_mode, cipher_mode_spec);
1415 strcpy(luks->header.hash_spec, hash_alg);
1416
1417 luks->header.master_key_len =
1418 qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1419
1420 if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1421 luks->header.master_key_len *= 2;
1422 }
1423
1424
1425
1426
1427 if (qcrypto_random_bytes(luks->header.master_key_salt,
1428 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1429 errp) < 0) {
1430 goto error;
1431 }
1432
1433
1434 masterkey = g_new0(uint8_t, luks->header.master_key_len);
1435 if (qcrypto_random_bytes(masterkey,
1436 luks->header.master_key_len, errp) < 0) {
1437 goto error;
1438 }
1439
1440
1441
1442 if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1443 luks_opts.cipher_mode, masterkey,
1444 luks->header.master_key_len, 1, errp) < 0) {
1445 goto error;
1446 }
1447
1448 block->kdfhash = luks_opts.hash_alg;
1449 block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1450 luks_opts.cipher_mode);
1451 block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1452 luks->ivgen_cipher_alg,
1453 luks_opts.ivgen_hash_alg,
1454 masterkey, luks->header.master_key_len,
1455 errp);
1456
1457 if (!block->ivgen) {
1458 goto error;
1459 }
1460
1461
1462
1463
1464
1465 iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1466 masterkey, luks->header.master_key_len,
1467 luks->header.master_key_salt,
1468 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1469 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1470 &local_err);
1471 if (local_err) {
1472 error_propagate(errp, local_err);
1473 goto error;
1474 }
1475
1476 if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1477 error_setg_errno(errp, ERANGE,
1478 "PBKDF iterations %llu too large to scale",
1479 (unsigned long long)iters);
1480 goto error;
1481 }
1482
1483
1484 iters = iters * luks_opts.iter_time / 1000;
1485
1486
1487
1488
1489
1490 iters /= 8;
1491 if (iters > UINT32_MAX) {
1492 error_setg_errno(errp, ERANGE,
1493 "PBKDF iterations %llu larger than %u",
1494 (unsigned long long)iters, UINT32_MAX);
1495 goto error;
1496 }
1497 iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1498 luks->header.master_key_iterations = iters;
1499
1500
1501
1502
1503
1504
1505 if (qcrypto_pbkdf2(luks_opts.hash_alg,
1506 masterkey, luks->header.master_key_len,
1507 luks->header.master_key_salt,
1508 QCRYPTO_BLOCK_LUKS_SALT_LEN,
1509 luks->header.master_key_iterations,
1510 luks->header.master_key_digest,
1511 QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1512 errp) < 0) {
1513 goto error;
1514 }
1515
1516
1517 header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1518 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1519
1520 split_key_sectors =
1521 qcrypto_block_luks_splitkeylen_sectors(luks,
1522 header_sectors,
1523 QCRYPTO_BLOCK_LUKS_STRIPES);
1524
1525 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1526 QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1527 slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1528
1529 slot->key_offset_sector = header_sectors + i * split_key_sectors;
1530 slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1531 }
1532
1533
1534
1535
1536
1537 luks->header.payload_offset_sector = header_sectors +
1538 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1539
1540 block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1541 block->payload_offset = luks->header.payload_offset_sector *
1542 block->sector_size;
1543
1544
1545 initfunc(block, block->payload_offset, opaque, &local_err);
1546 if (local_err) {
1547 error_propagate(errp, local_err);
1548 goto error;
1549 }
1550
1551
1552
1553
1554 if (qcrypto_block_luks_store_key(block,
1555 0,
1556 password,
1557 masterkey,
1558 luks_opts.iter_time,
1559 writefunc,
1560 opaque,
1561 errp) < 0) {
1562 goto error;
1563 }
1564
1565 memset(masterkey, 0, luks->header.master_key_len);
1566
1567 return 0;
1568
1569 error:
1570 if (masterkey) {
1571 memset(masterkey, 0, luks->header.master_key_len);
1572 }
1573
1574 qcrypto_block_free_cipher(block);
1575 qcrypto_ivgen_free(block->ivgen);
1576
1577 g_free(luks->secret);
1578 g_free(luks);
1579 return -1;
1580}
1581
1582static int
1583qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1584 QCryptoBlockReadFunc readfunc,
1585 QCryptoBlockWriteFunc writefunc,
1586 void *opaque,
1587 QCryptoBlockAmendOptionsLUKS *opts_luks,
1588 bool force,
1589 Error **errp)
1590{
1591 QCryptoBlockLUKS *luks = block->opaque;
1592 uint64_t iter_time = opts_luks->has_iter_time ?
1593 opts_luks->iter_time :
1594 QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1595 int keyslot;
1596 g_autofree char *old_password = NULL;
1597 g_autofree char *new_password = NULL;
1598 g_autofree uint8_t *master_key = NULL;
1599
1600 char *secret = opts_luks->has_secret ? opts_luks->secret : luks->secret;
1601
1602 if (!opts_luks->has_new_secret) {
1603 error_setg(errp, "'new-secret' is required to activate a keyslot");
1604 return -1;
1605 }
1606 if (opts_luks->has_old_secret) {
1607 error_setg(errp,
1608 "'old-secret' must not be given when activating keyslots");
1609 return -1;
1610 }
1611
1612 if (opts_luks->has_keyslot) {
1613 keyslot = opts_luks->keyslot;
1614 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1615 error_setg(errp,
1616 "Invalid keyslot %u specified, must be between 0 and %u",
1617 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1618 return -1;
1619 }
1620 } else {
1621 keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1622 if (keyslot == -1) {
1623 error_setg(errp,
1624 "Can't add a keyslot - all keyslots are in use");
1625 return -1;
1626 }
1627 }
1628
1629 if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1630 error_setg(errp,
1631 "Refusing to overwrite active keyslot %i - "
1632 "please erase it first",
1633 keyslot);
1634 return -1;
1635 }
1636
1637
1638 old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1639 if (!old_password) {
1640 return -1;
1641 }
1642
1643
1644 master_key = g_new0(uint8_t, luks->header.master_key_len);
1645
1646 if (qcrypto_block_luks_find_key(block, old_password, master_key,
1647 readfunc, opaque, errp) < 0) {
1648 error_append_hint(errp, "Failed to retrieve the master key");
1649 return -1;
1650 }
1651
1652
1653 new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1654 if (!new_password) {
1655 return -1;
1656 }
1657
1658
1659 if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1660 iter_time, writefunc, opaque, errp)) {
1661 error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1662 return -1;
1663 }
1664 return 0;
1665}
1666
1667static int
1668qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1669 QCryptoBlockReadFunc readfunc,
1670 QCryptoBlockWriteFunc writefunc,
1671 void *opaque,
1672 QCryptoBlockAmendOptionsLUKS *opts_luks,
1673 bool force,
1674 Error **errp)
1675{
1676 QCryptoBlockLUKS *luks = block->opaque;
1677 g_autofree uint8_t *tmpkey = NULL;
1678 g_autofree char *old_password = NULL;
1679
1680 if (opts_luks->has_new_secret) {
1681 error_setg(errp,
1682 "'new-secret' must not be given when erasing keyslots");
1683 return -1;
1684 }
1685 if (opts_luks->has_iter_time) {
1686 error_setg(errp,
1687 "'iter-time' must not be given when erasing keyslots");
1688 return -1;
1689 }
1690 if (opts_luks->has_secret) {
1691 error_setg(errp,
1692 "'secret' must not be given when erasing keyslots");
1693 return -1;
1694 }
1695
1696
1697 if (opts_luks->has_old_secret) {
1698 old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1699 errp);
1700 if (!old_password) {
1701 return -1;
1702 }
1703
1704
1705
1706
1707
1708 tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1709 }
1710
1711
1712 if (opts_luks->has_keyslot) {
1713 int keyslot = opts_luks->keyslot;
1714
1715 if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1716 error_setg(errp,
1717 "Invalid keyslot %i specified, must be between 0 and %i",
1718 keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1719 return -1;
1720 }
1721
1722 if (opts_luks->has_old_secret) {
1723 int rv = qcrypto_block_luks_load_key(block,
1724 keyslot,
1725 old_password,
1726 tmpkey,
1727 readfunc,
1728 opaque,
1729 errp);
1730 if (rv == -1) {
1731 return -1;
1732 } else if (rv == 0) {
1733 error_setg(errp,
1734 "Given keyslot %i doesn't contain the given "
1735 "old password for erase operation",
1736 keyslot);
1737 return -1;
1738 }
1739 }
1740
1741 if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1742 error_setg(errp,
1743 "Given keyslot %i is already erased (inactive) ",
1744 keyslot);
1745 return -1;
1746 }
1747
1748 if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1749 error_setg(errp,
1750 "Attempt to erase the only active keyslot %i "
1751 "which will erase all the data in the image "
1752 "irreversibly - refusing operation",
1753 keyslot);
1754 return -1;
1755 }
1756
1757 if (qcrypto_block_luks_erase_key(block, keyslot,
1758 writefunc, opaque, errp)) {
1759 error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1760 return -1;
1761 }
1762
1763
1764 } else if (opts_luks->has_old_secret) {
1765
1766 unsigned long slots_to_erase_bitmap = 0;
1767 size_t i;
1768 int slot_count;
1769
1770 assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1771 sizeof(slots_to_erase_bitmap) * 8);
1772
1773 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1774 int rv = qcrypto_block_luks_load_key(block,
1775 i,
1776 old_password,
1777 tmpkey,
1778 readfunc,
1779 opaque,
1780 errp);
1781 if (rv == -1) {
1782 return -1;
1783 } else if (rv == 1) {
1784 bitmap_set(&slots_to_erase_bitmap, i, 1);
1785 }
1786 }
1787
1788 slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1789 QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1790 if (slot_count == 0) {
1791 error_setg(errp,
1792 "No keyslots match given (old) password for erase operation");
1793 return -1;
1794 }
1795
1796 if (!force &&
1797 slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1798 error_setg(errp,
1799 "All the active keyslots match the (old) password that "
1800 "was given and erasing them will erase all the data in "
1801 "the image irreversibly - refusing operation");
1802 return -1;
1803 }
1804
1805
1806 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1807 if (!test_bit(i, &slots_to_erase_bitmap)) {
1808 continue;
1809 }
1810 if (qcrypto_block_luks_erase_key(block, i, writefunc,
1811 opaque, errp)) {
1812 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1813 return -1;
1814 }
1815 }
1816 } else {
1817 error_setg(errp,
1818 "To erase keyslot(s), either explicit keyslot index "
1819 "or the password currently contained in them must be given");
1820 return -1;
1821 }
1822 return 0;
1823}
1824
1825static int
1826qcrypto_block_luks_amend_options(QCryptoBlock *block,
1827 QCryptoBlockReadFunc readfunc,
1828 QCryptoBlockWriteFunc writefunc,
1829 void *opaque,
1830 QCryptoBlockAmendOptions *options,
1831 bool force,
1832 Error **errp)
1833{
1834 QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1835
1836 switch (opts_luks->state) {
1837 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1838 return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1839 writefunc, opaque,
1840 opts_luks, force, errp);
1841 case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1842 return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1843 writefunc, opaque,
1844 opts_luks, force, errp);
1845 default:
1846 g_assert_not_reached();
1847 }
1848}
1849
1850static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1851 QCryptoBlockInfo *info,
1852 Error **errp)
1853{
1854 QCryptoBlockLUKS *luks = block->opaque;
1855 QCryptoBlockInfoLUKSSlot *slot;
1856 QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1857 size_t i;
1858
1859 info->u.luks.cipher_alg = luks->cipher_alg;
1860 info->u.luks.cipher_mode = luks->cipher_mode;
1861 info->u.luks.ivgen_alg = luks->ivgen_alg;
1862 if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1863 info->u.luks.has_ivgen_hash_alg = true;
1864 info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1865 }
1866 info->u.luks.hash_alg = luks->hash_alg;
1867 info->u.luks.payload_offset = block->payload_offset;
1868 info->u.luks.master_key_iters = luks->header.master_key_iterations;
1869 info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1870 sizeof(luks->header.uuid));
1871
1872 for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1873 slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1874 slot->active = luks->header.key_slots[i].active ==
1875 QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1876 slot->key_offset = luks->header.key_slots[i].key_offset_sector
1877 * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1878 if (slot->active) {
1879 slot->has_iters = true;
1880 slot->iters = luks->header.key_slots[i].iterations;
1881 slot->has_stripes = true;
1882 slot->stripes = luks->header.key_slots[i].stripes;
1883 }
1884
1885 QAPI_LIST_APPEND(tail, slot);
1886 }
1887
1888 return 0;
1889}
1890
1891
1892static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1893{
1894 QCryptoBlockLUKS *luks = block->opaque;
1895 if (luks) {
1896 g_free(luks->secret);
1897 g_free(luks);
1898 }
1899}
1900
1901
1902static int
1903qcrypto_block_luks_decrypt(QCryptoBlock *block,
1904 uint64_t offset,
1905 uint8_t *buf,
1906 size_t len,
1907 Error **errp)
1908{
1909 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1910 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1911 return qcrypto_block_decrypt_helper(block,
1912 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1913 offset, buf, len, errp);
1914}
1915
1916
1917static int
1918qcrypto_block_luks_encrypt(QCryptoBlock *block,
1919 uint64_t offset,
1920 uint8_t *buf,
1921 size_t len,
1922 Error **errp)
1923{
1924 assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1925 assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1926 return qcrypto_block_encrypt_helper(block,
1927 QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1928 offset, buf, len, errp);
1929}
1930
1931
1932const QCryptoBlockDriver qcrypto_block_driver_luks = {
1933 .open = qcrypto_block_luks_open,
1934 .create = qcrypto_block_luks_create,
1935 .amend = qcrypto_block_luks_amend_options,
1936 .get_info = qcrypto_block_luks_get_info,
1937 .cleanup = qcrypto_block_luks_cleanup,
1938 .decrypt = qcrypto_block_luks_decrypt,
1939 .encrypt = qcrypto_block_luks_encrypt,
1940 .has_format = qcrypto_block_luks_has_format,
1941};
1942