cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-qemu
Log | Files | Refs | Submodules | LICENSE | sfeed.txt

block-luks.c (66777B)


      1/*
      2 * QEMU Crypto block device encryption LUKS format
      3 *
      4 * Copyright (c) 2015-2016 Red Hat, Inc.
      5 *
      6 * This library is free software; you can redistribute it and/or
      7 * modify it under the terms of the GNU Lesser General Public
      8 * License as published by the Free Software Foundation; either
      9 * version 2.1 of the License, or (at your option) any later version.
     10 *
     11 * This library is distributed in the hope that it will be useful,
     12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
     13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     14 * Lesser General Public License for more details.
     15 *
     16 * You should have received a copy of the GNU Lesser General Public
     17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
     18 *
     19 */
     20
     21#include "qemu/osdep.h"
     22#include "qapi/error.h"
     23#include "qemu/bswap.h"
     24
     25#include "block-luks.h"
     26
     27#include "crypto/hash.h"
     28#include "crypto/afsplit.h"
     29#include "crypto/pbkdf.h"
     30#include "crypto/secret.h"
     31#include "crypto/random.h"
     32#include "qemu/uuid.h"
     33
     34#include "qemu/coroutine.h"
     35#include "qemu/bitmap.h"
     36
     37/*
     38 * Reference for the LUKS format implemented here is
     39 *
     40 *   docs/on-disk-format.pdf
     41 *
     42 * in 'cryptsetup' package source code
     43 *
     44 * This file implements the 1.2.1 specification, dated
     45 * Oct 16, 2011.
     46 */
     47
     48typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
     49typedef struct QCryptoBlockLUKSHeader QCryptoBlockLUKSHeader;
     50typedef struct QCryptoBlockLUKSKeySlot QCryptoBlockLUKSKeySlot;
     51
     52
     53/* The following constants are all defined by the LUKS spec */
     54#define QCRYPTO_BLOCK_LUKS_VERSION 1
     55
     56#define QCRYPTO_BLOCK_LUKS_MAGIC_LEN 6
     57#define QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN 32
     58#define QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN 32
     59#define QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN 32
     60#define QCRYPTO_BLOCK_LUKS_DIGEST_LEN 20
     61#define QCRYPTO_BLOCK_LUKS_SALT_LEN 32
     62#define QCRYPTO_BLOCK_LUKS_UUID_LEN 40
     63#define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS 8
     64#define QCRYPTO_BLOCK_LUKS_STRIPES 4000
     65#define QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS 1000
     66#define QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS 1000
     67#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096
     68
     69#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED 0x0000DEAD
     70#define QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED 0x00AC71F3
     71
     72#define QCRYPTO_BLOCK_LUKS_SECTOR_SIZE 512LL
     73
     74#define QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS 2000
     75#define QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS 40
     76
     77static const char qcrypto_block_luks_magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN] = {
     78    'L', 'U', 'K', 'S', 0xBA, 0xBE
     79};
     80
     81typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
     82struct QCryptoBlockLUKSNameMap {
     83    const char *name;
     84    int id;
     85};
     86
     87typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
     88struct QCryptoBlockLUKSCipherSizeMap {
     89    uint32_t key_bytes;
     90    int id;
     91};
     92typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
     93struct QCryptoBlockLUKSCipherNameMap {
     94    const char *name;
     95    const QCryptoBlockLUKSCipherSizeMap *sizes;
     96};
     97
     98
     99static const QCryptoBlockLUKSCipherSizeMap
    100qcrypto_block_luks_cipher_size_map_aes[] = {
    101    { 16, QCRYPTO_CIPHER_ALG_AES_128 },
    102    { 24, QCRYPTO_CIPHER_ALG_AES_192 },
    103    { 32, QCRYPTO_CIPHER_ALG_AES_256 },
    104    { 0, 0 },
    105};
    106
    107static const QCryptoBlockLUKSCipherSizeMap
    108qcrypto_block_luks_cipher_size_map_cast5[] = {
    109    { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
    110    { 0, 0 },
    111};
    112
    113static const QCryptoBlockLUKSCipherSizeMap
    114qcrypto_block_luks_cipher_size_map_serpent[] = {
    115    { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
    116    { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
    117    { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
    118    { 0, 0 },
    119};
    120
    121static const QCryptoBlockLUKSCipherSizeMap
    122qcrypto_block_luks_cipher_size_map_twofish[] = {
    123    { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
    124    { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
    125    { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
    126    { 0, 0 },
    127};
    128
    129static const QCryptoBlockLUKSCipherNameMap
    130qcrypto_block_luks_cipher_name_map[] = {
    131    { "aes", qcrypto_block_luks_cipher_size_map_aes },
    132    { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
    133    { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
    134    { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
    135};
    136
    137
    138/*
    139 * This struct is written to disk in big-endian format,
    140 * but operated upon in native-endian format.
    141 */
    142struct QCryptoBlockLUKSKeySlot {
    143    /* state of keyslot, enabled/disable */
    144    uint32_t active;
    145    /* iterations for PBKDF2 */
    146    uint32_t iterations;
    147    /* salt for PBKDF2 */
    148    uint8_t salt[QCRYPTO_BLOCK_LUKS_SALT_LEN];
    149    /* start sector of key material */
    150    uint32_t key_offset_sector;
    151    /* number of anti-forensic stripes */
    152    uint32_t stripes;
    153};
    154
    155QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
    156
    157
    158/*
    159 * This struct is written to disk in big-endian format,
    160 * but operated upon in native-endian format.
    161 */
    162struct QCryptoBlockLUKSHeader {
    163    /* 'L', 'U', 'K', 'S', '0xBA', '0xBE' */
    164    char magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN];
    165
    166    /* LUKS version, currently 1 */
    167    uint16_t version;
    168
    169    /* cipher name specification (aes, etc) */
    170    char cipher_name[QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN];
    171
    172    /* cipher mode specification (cbc-plain, xts-essiv:sha256, etc) */
    173    char cipher_mode[QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN];
    174
    175    /* hash specification (sha256, etc) */
    176    char hash_spec[QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN];
    177
    178    /* start offset of the volume data (in 512 byte sectors) */
    179    uint32_t payload_offset_sector;
    180
    181    /* Number of key bytes */
    182    uint32_t master_key_len;
    183
    184    /* master key checksum after PBKDF2 */
    185    uint8_t master_key_digest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
    186
    187    /* salt for master key PBKDF2 */
    188    uint8_t master_key_salt[QCRYPTO_BLOCK_LUKS_SALT_LEN];
    189
    190    /* iterations for master key PBKDF2 */
    191    uint32_t master_key_iterations;
    192
    193    /* UUID of the partition in standard ASCII representation */
    194    uint8_t uuid[QCRYPTO_BLOCK_LUKS_UUID_LEN];
    195
    196    /* key slots */
    197    QCryptoBlockLUKSKeySlot key_slots[QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS];
    198};
    199
    200QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
    201
    202
    203struct QCryptoBlockLUKS {
    204    QCryptoBlockLUKSHeader header;
    205
    206    /* Main encryption algorithm used for encryption*/
    207    QCryptoCipherAlgorithm cipher_alg;
    208
    209    /* Mode of encryption for the selected encryption algorithm */
    210    QCryptoCipherMode cipher_mode;
    211
    212    /* Initialization vector generation algorithm */
    213    QCryptoIVGenAlgorithm ivgen_alg;
    214
    215    /* Hash algorithm used for IV generation*/
    216    QCryptoHashAlgorithm ivgen_hash_alg;
    217
    218    /*
    219     * Encryption algorithm used for IV generation.
    220     * Usually the same as main encryption algorithm
    221     */
    222    QCryptoCipherAlgorithm ivgen_cipher_alg;
    223
    224    /* Hash algorithm used in pbkdf2 function */
    225    QCryptoHashAlgorithm hash_alg;
    226
    227    /* Name of the secret that was used to open the image */
    228    char *secret;
    229};
    230
    231
    232static int qcrypto_block_luks_cipher_name_lookup(const char *name,
    233                                                 QCryptoCipherMode mode,
    234                                                 uint32_t key_bytes,
    235                                                 Error **errp)
    236{
    237    const QCryptoBlockLUKSCipherNameMap *map =
    238        qcrypto_block_luks_cipher_name_map;
    239    size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
    240    size_t i, j;
    241
    242    if (mode == QCRYPTO_CIPHER_MODE_XTS) {
    243        key_bytes /= 2;
    244    }
    245
    246    for (i = 0; i < maplen; i++) {
    247        if (!g_str_equal(map[i].name, name)) {
    248            continue;
    249        }
    250        for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
    251            if (map[i].sizes[j].key_bytes == key_bytes) {
    252                return map[i].sizes[j].id;
    253            }
    254        }
    255    }
    256
    257    error_setg(errp, "Algorithm %s with key size %d bytes not supported",
    258               name, key_bytes);
    259    return 0;
    260}
    261
    262static const char *
    263qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
    264                                     Error **errp)
    265{
    266    const QCryptoBlockLUKSCipherNameMap *map =
    267        qcrypto_block_luks_cipher_name_map;
    268    size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
    269    size_t i, j;
    270    for (i = 0; i < maplen; i++) {
    271        for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
    272            if (map[i].sizes[j].id == alg) {
    273                return map[i].name;
    274            }
    275        }
    276    }
    277
    278    error_setg(errp, "Algorithm '%s' not supported",
    279               QCryptoCipherAlgorithm_str(alg));
    280    return NULL;
    281}
    282
    283/* XXX replace with qapi_enum_parse() in future, when we can
    284 * make that function emit a more friendly error message */
    285static int qcrypto_block_luks_name_lookup(const char *name,
    286                                          const QEnumLookup *map,
    287                                          const char *type,
    288                                          Error **errp)
    289{
    290    int ret = qapi_enum_parse(map, name, -1, NULL);
    291
    292    if (ret < 0) {
    293        error_setg(errp, "%s %s not supported", type, name);
    294        return 0;
    295    }
    296    return ret;
    297}
    298
    299#define qcrypto_block_luks_cipher_mode_lookup(name, errp)               \
    300    qcrypto_block_luks_name_lookup(name,                                \
    301                                   &QCryptoCipherMode_lookup,           \
    302                                   "Cipher mode",                       \
    303                                   errp)
    304
    305#define qcrypto_block_luks_hash_name_lookup(name, errp)                 \
    306    qcrypto_block_luks_name_lookup(name,                                \
    307                                   &QCryptoHashAlgorithm_lookup,        \
    308                                   "Hash algorithm",                    \
    309                                   errp)
    310
    311#define qcrypto_block_luks_ivgen_name_lookup(name, errp)                \
    312    qcrypto_block_luks_name_lookup(name,                                \
    313                                   &QCryptoIVGenAlgorithm_lookup,       \
    314                                   "IV generator",                      \
    315                                   errp)
    316
    317
    318static bool
    319qcrypto_block_luks_has_format(const uint8_t *buf,
    320                              size_t buf_size)
    321{
    322    const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
    323
    324    if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
    325        memcmp(luks_header->magic, qcrypto_block_luks_magic,
    326               QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
    327        be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
    328        return true;
    329    } else {
    330        return false;
    331    }
    332}
    333
    334
    335/**
    336 * Deal with a quirk of dm-crypt usage of ESSIV.
    337 *
    338 * When calculating ESSIV IVs, the cipher length used by ESSIV
    339 * may be different from the cipher length used for the block
    340 * encryption, becauses dm-crypt uses the hash digest length
    341 * as the key size. ie, if you have AES 128 as the block cipher
    342 * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
    343 * the cipher since that gets a key length matching the digest
    344 * size, not AES 128 with truncated digest as might be imagined
    345 */
    346static QCryptoCipherAlgorithm
    347qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
    348                                QCryptoHashAlgorithm hash,
    349                                Error **errp)
    350{
    351    size_t digestlen = qcrypto_hash_digest_len(hash);
    352    size_t keylen = qcrypto_cipher_get_key_len(cipher);
    353    if (digestlen == keylen) {
    354        return cipher;
    355    }
    356
    357    switch (cipher) {
    358    case QCRYPTO_CIPHER_ALG_AES_128:
    359    case QCRYPTO_CIPHER_ALG_AES_192:
    360    case QCRYPTO_CIPHER_ALG_AES_256:
    361        if (digestlen == qcrypto_cipher_get_key_len(
    362                QCRYPTO_CIPHER_ALG_AES_128)) {
    363            return QCRYPTO_CIPHER_ALG_AES_128;
    364        } else if (digestlen == qcrypto_cipher_get_key_len(
    365                       QCRYPTO_CIPHER_ALG_AES_192)) {
    366            return QCRYPTO_CIPHER_ALG_AES_192;
    367        } else if (digestlen == qcrypto_cipher_get_key_len(
    368                       QCRYPTO_CIPHER_ALG_AES_256)) {
    369            return QCRYPTO_CIPHER_ALG_AES_256;
    370        } else {
    371            error_setg(errp, "No AES cipher with key size %zu available",
    372                       digestlen);
    373            return 0;
    374        }
    375        break;
    376    case QCRYPTO_CIPHER_ALG_SERPENT_128:
    377    case QCRYPTO_CIPHER_ALG_SERPENT_192:
    378    case QCRYPTO_CIPHER_ALG_SERPENT_256:
    379        if (digestlen == qcrypto_cipher_get_key_len(
    380                QCRYPTO_CIPHER_ALG_SERPENT_128)) {
    381            return QCRYPTO_CIPHER_ALG_SERPENT_128;
    382        } else if (digestlen == qcrypto_cipher_get_key_len(
    383                       QCRYPTO_CIPHER_ALG_SERPENT_192)) {
    384            return QCRYPTO_CIPHER_ALG_SERPENT_192;
    385        } else if (digestlen == qcrypto_cipher_get_key_len(
    386                       QCRYPTO_CIPHER_ALG_SERPENT_256)) {
    387            return QCRYPTO_CIPHER_ALG_SERPENT_256;
    388        } else {
    389            error_setg(errp, "No Serpent cipher with key size %zu available",
    390                       digestlen);
    391            return 0;
    392        }
    393        break;
    394    case QCRYPTO_CIPHER_ALG_TWOFISH_128:
    395    case QCRYPTO_CIPHER_ALG_TWOFISH_192:
    396    case QCRYPTO_CIPHER_ALG_TWOFISH_256:
    397        if (digestlen == qcrypto_cipher_get_key_len(
    398                QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
    399            return QCRYPTO_CIPHER_ALG_TWOFISH_128;
    400        } else if (digestlen == qcrypto_cipher_get_key_len(
    401                       QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
    402            return QCRYPTO_CIPHER_ALG_TWOFISH_192;
    403        } else if (digestlen == qcrypto_cipher_get_key_len(
    404                       QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
    405            return QCRYPTO_CIPHER_ALG_TWOFISH_256;
    406        } else {
    407            error_setg(errp, "No Twofish cipher with key size %zu available",
    408                       digestlen);
    409            return 0;
    410        }
    411        break;
    412    default:
    413        error_setg(errp, "Cipher %s not supported with essiv",
    414                   QCryptoCipherAlgorithm_str(cipher));
    415        return 0;
    416    }
    417}
    418
    419/*
    420 * Returns number of sectors needed to store the key material
    421 * given number of anti forensic stripes
    422 */
    423static int
    424qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
    425                                       unsigned int header_sectors,
    426                                       unsigned int stripes)
    427{
    428    /*
    429     * This calculation doesn't match that shown in the spec,
    430     * but instead follows the cryptsetup implementation.
    431     */
    432
    433    size_t splitkeylen = luks->header.master_key_len * stripes;
    434
    435    /* First align the key material size to block size*/
    436    size_t splitkeylen_sectors =
    437        DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
    438
    439    /* Then also align the key material size to the size of the header */
    440    return ROUND_UP(splitkeylen_sectors, header_sectors);
    441}
    442
    443/*
    444 * Stores the main LUKS header, taking care of endianess
    445 */
    446static int
    447qcrypto_block_luks_store_header(QCryptoBlock *block,
    448                                QCryptoBlockWriteFunc writefunc,
    449                                void *opaque,
    450                                Error **errp)
    451{
    452    const QCryptoBlockLUKS *luks = block->opaque;
    453    Error *local_err = NULL;
    454    size_t i;
    455    g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
    456
    457    /* Create a copy of the header */
    458    hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
    459    memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
    460
    461    /*
    462     * Everything on disk uses Big Endian (tm), so flip header fields
    463     * before writing them
    464     */
    465    cpu_to_be16s(&hdr_copy->version);
    466    cpu_to_be32s(&hdr_copy->payload_offset_sector);
    467    cpu_to_be32s(&hdr_copy->master_key_len);
    468    cpu_to_be32s(&hdr_copy->master_key_iterations);
    469
    470    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
    471        cpu_to_be32s(&hdr_copy->key_slots[i].active);
    472        cpu_to_be32s(&hdr_copy->key_slots[i].iterations);
    473        cpu_to_be32s(&hdr_copy->key_slots[i].key_offset_sector);
    474        cpu_to_be32s(&hdr_copy->key_slots[i].stripes);
    475    }
    476
    477    /* Write out the partition header and key slot headers */
    478    writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
    479              opaque, &local_err);
    480
    481    if (local_err) {
    482        error_propagate(errp, local_err);
    483        return -1;
    484    }
    485    return 0;
    486}
    487
    488/*
    489 * Loads the main LUKS header,and byteswaps it to native endianess
    490 * And run basic sanity checks on it
    491 */
    492static int
    493qcrypto_block_luks_load_header(QCryptoBlock *block,
    494                                QCryptoBlockReadFunc readfunc,
    495                                void *opaque,
    496                                Error **errp)
    497{
    498    ssize_t rv;
    499    size_t i;
    500    QCryptoBlockLUKS *luks = block->opaque;
    501
    502    /*
    503     * Read the entire LUKS header, minus the key material from
    504     * the underlying device
    505     */
    506    rv = readfunc(block, 0,
    507                  (uint8_t *)&luks->header,
    508                  sizeof(luks->header),
    509                  opaque,
    510                  errp);
    511    if (rv < 0) {
    512        return rv;
    513    }
    514
    515    /*
    516     * The header is always stored in big-endian format, so
    517     * convert everything to native
    518     */
    519    be16_to_cpus(&luks->header.version);
    520    be32_to_cpus(&luks->header.payload_offset_sector);
    521    be32_to_cpus(&luks->header.master_key_len);
    522    be32_to_cpus(&luks->header.master_key_iterations);
    523
    524    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
    525        be32_to_cpus(&luks->header.key_slots[i].active);
    526        be32_to_cpus(&luks->header.key_slots[i].iterations);
    527        be32_to_cpus(&luks->header.key_slots[i].key_offset_sector);
    528        be32_to_cpus(&luks->header.key_slots[i].stripes);
    529    }
    530
    531    return 0;
    532}
    533
    534/*
    535 * Does basic sanity checks on the LUKS header
    536 */
    537static int
    538qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
    539{
    540    size_t i, j;
    541
    542    unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
    543        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
    544
    545    if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
    546               QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
    547        error_setg(errp, "Volume is not in LUKS format");
    548        return -1;
    549    }
    550
    551    if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
    552        error_setg(errp, "LUKS version %" PRIu32 " is not supported",
    553                   luks->header.version);
    554        return -1;
    555    }
    556
    557    /* Check all keyslots for corruption  */
    558    for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
    559
    560        const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
    561        unsigned int start1 = slot1->key_offset_sector;
    562        unsigned int len1 =
    563            qcrypto_block_luks_splitkeylen_sectors(luks,
    564                                                   header_sectors,
    565                                                   slot1->stripes);
    566
    567        if (slot1->stripes == 0) {
    568            error_setg(errp, "Keyslot %zu is corrupted (stripes == 0)", i);
    569            return -1;
    570        }
    571
    572        if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
    573            slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
    574            error_setg(errp,
    575                       "Keyslot %zu state (active/disable) is corrupted", i);
    576            return -1;
    577        }
    578
    579        if (start1 + len1 > luks->header.payload_offset_sector) {
    580            error_setg(errp,
    581                       "Keyslot %zu is overlapping with the encrypted payload",
    582                       i);
    583            return -1;
    584        }
    585
    586        for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
    587            const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
    588            unsigned int start2 = slot2->key_offset_sector;
    589            unsigned int len2 =
    590                qcrypto_block_luks_splitkeylen_sectors(luks,
    591                                                       header_sectors,
    592                                                       slot2->stripes);
    593
    594            if (start1 + len1 > start2 && start2 + len2 > start1) {
    595                error_setg(errp,
    596                           "Keyslots %zu and %zu are overlapping in the header",
    597                           i, j);
    598                return -1;
    599            }
    600        }
    601
    602    }
    603    return 0;
    604}
    605
    606/*
    607 * Parses the crypto parameters that are stored in the LUKS header
    608 */
    609
    610static int
    611qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
    612{
    613    g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
    614    char *ivgen_name, *ivhash_name;
    615    Error *local_err = NULL;
    616
    617    /*
    618     * The cipher_mode header contains a string that we have
    619     * to further parse, of the format
    620     *
    621     *    <cipher-mode>-<iv-generator>[:<iv-hash>]
    622     *
    623     * eg  cbc-essiv:sha256, cbc-plain64
    624     */
    625    ivgen_name = strchr(cipher_mode, '-');
    626    if (!ivgen_name) {
    627        error_setg(errp, "Unexpected cipher mode string format %s",
    628                   luks->header.cipher_mode);
    629        return -1;
    630    }
    631    *ivgen_name = '\0';
    632    ivgen_name++;
    633
    634    ivhash_name = strchr(ivgen_name, ':');
    635    if (!ivhash_name) {
    636        luks->ivgen_hash_alg = 0;
    637    } else {
    638        *ivhash_name = '\0';
    639        ivhash_name++;
    640
    641        luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
    642                                                                   &local_err);
    643        if (local_err) {
    644            error_propagate(errp, local_err);
    645            return -1;
    646        }
    647    }
    648
    649    luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
    650                                                              &local_err);
    651    if (local_err) {
    652        error_propagate(errp, local_err);
    653        return -1;
    654    }
    655
    656    luks->cipher_alg =
    657            qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
    658                                                  luks->cipher_mode,
    659                                                  luks->header.master_key_len,
    660                                                  &local_err);
    661    if (local_err) {
    662        error_propagate(errp, local_err);
    663        return -1;
    664    }
    665
    666    luks->hash_alg =
    667            qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
    668                                                &local_err);
    669    if (local_err) {
    670        error_propagate(errp, local_err);
    671        return -1;
    672    }
    673
    674    luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
    675                                                           &local_err);
    676    if (local_err) {
    677        error_propagate(errp, local_err);
    678        return -1;
    679    }
    680
    681    if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
    682        if (!ivhash_name) {
    683            error_setg(errp, "Missing IV generator hash specification");
    684            return -1;
    685        }
    686        luks->ivgen_cipher_alg =
    687                qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
    688                                                luks->ivgen_hash_alg,
    689                                                &local_err);
    690        if (local_err) {
    691            error_propagate(errp, local_err);
    692            return -1;
    693        }
    694    } else {
    695
    696        /*
    697         * Note we parsed the ivhash_name earlier in the cipher_mode
    698         * spec string even with plain/plain64 ivgens, but we
    699         * will ignore it, since it is irrelevant for these ivgens.
    700         * This is for compat with dm-crypt which will silently
    701         * ignore hash names with these ivgens rather than report
    702         * an error about the invalid usage
    703         */
    704        luks->ivgen_cipher_alg = luks->cipher_alg;
    705    }
    706    return 0;
    707}
    708
    709/*
    710 * Given a key slot,  user password, and the master key,
    711 * will store the encrypted master key there, and update the
    712 * in-memory header. User must then write the in-memory header
    713 *
    714 * Returns:
    715 *    0 if the keyslot was written successfully
    716 *      with the provided password
    717 *   -1 if a fatal error occurred while storing the key
    718 */
    719static int
    720qcrypto_block_luks_store_key(QCryptoBlock *block,
    721                             unsigned int slot_idx,
    722                             const char *password,
    723                             uint8_t *masterkey,
    724                             uint64_t iter_time,
    725                             QCryptoBlockWriteFunc writefunc,
    726                             void *opaque,
    727                             Error **errp)
    728{
    729    QCryptoBlockLUKS *luks = block->opaque;
    730    QCryptoBlockLUKSKeySlot *slot;
    731    g_autofree uint8_t *splitkey = NULL;
    732    size_t splitkeylen;
    733    g_autofree uint8_t *slotkey = NULL;
    734    g_autoptr(QCryptoCipher) cipher = NULL;
    735    g_autoptr(QCryptoIVGen) ivgen = NULL;
    736    Error *local_err = NULL;
    737    uint64_t iters;
    738    int ret = -1;
    739
    740    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
    741    slot = &luks->header.key_slots[slot_idx];
    742    if (qcrypto_random_bytes(slot->salt,
    743                             QCRYPTO_BLOCK_LUKS_SALT_LEN,
    744                             errp) < 0) {
    745        goto cleanup;
    746    }
    747
    748    splitkeylen = luks->header.master_key_len * slot->stripes;
    749
    750    /*
    751     * Determine how many iterations are required to
    752     * hash the user password while consuming 1 second of compute
    753     * time
    754     */
    755    iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
    756                                       (uint8_t *)password, strlen(password),
    757                                       slot->salt,
    758                                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
    759                                       luks->header.master_key_len,
    760                                       &local_err);
    761    if (local_err) {
    762        error_propagate(errp, local_err);
    763        goto cleanup;
    764    }
    765
    766    if (iters > (ULLONG_MAX / iter_time)) {
    767        error_setg_errno(errp, ERANGE,
    768                         "PBKDF iterations %llu too large to scale",
    769                         (unsigned long long)iters);
    770        goto cleanup;
    771    }
    772
    773    /* iter_time was in millis, but count_iters reported for secs */
    774    iters = iters * iter_time / 1000;
    775
    776    if (iters > UINT32_MAX) {
    777        error_setg_errno(errp, ERANGE,
    778                         "PBKDF iterations %llu larger than %u",
    779                         (unsigned long long)iters, UINT32_MAX);
    780        goto cleanup;
    781    }
    782
    783    slot->iterations =
    784        MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
    785
    786
    787    /*
    788     * Generate a key that we'll use to encrypt the master
    789     * key, from the user's password
    790     */
    791    slotkey = g_new0(uint8_t, luks->header.master_key_len);
    792    if (qcrypto_pbkdf2(luks->hash_alg,
    793                       (uint8_t *)password, strlen(password),
    794                       slot->salt,
    795                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
    796                       slot->iterations,
    797                       slotkey, luks->header.master_key_len,
    798                       errp) < 0) {
    799        goto cleanup;
    800    }
    801
    802
    803    /*
    804     * Setup the encryption objects needed to encrypt the
    805     * master key material
    806     */
    807    cipher = qcrypto_cipher_new(luks->cipher_alg,
    808                                luks->cipher_mode,
    809                                slotkey, luks->header.master_key_len,
    810                                errp);
    811    if (!cipher) {
    812        goto cleanup;
    813    }
    814
    815    ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
    816                              luks->ivgen_cipher_alg,
    817                              luks->ivgen_hash_alg,
    818                              slotkey, luks->header.master_key_len,
    819                              errp);
    820    if (!ivgen) {
    821        goto cleanup;
    822    }
    823
    824    /*
    825     * Before storing the master key, we need to vastly
    826     * increase its size, as protection against forensic
    827     * disk data recovery
    828     */
    829    splitkey = g_new0(uint8_t, splitkeylen);
    830
    831    if (qcrypto_afsplit_encode(luks->hash_alg,
    832                               luks->header.master_key_len,
    833                               slot->stripes,
    834                               masterkey,
    835                               splitkey,
    836                               errp) < 0) {
    837        goto cleanup;
    838    }
    839
    840    /*
    841     * Now we encrypt the split master key with the key generated
    842     * from the user's password, before storing it
    843     */
    844    if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
    845                                            QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
    846                                            0,
    847                                            splitkey,
    848                                            splitkeylen,
    849                                            errp) < 0) {
    850        goto cleanup;
    851    }
    852
    853    /* Write out the slot's master key material. */
    854    if (writefunc(block,
    855                  slot->key_offset_sector *
    856                  QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
    857                  splitkey, splitkeylen,
    858                  opaque,
    859                  errp) != splitkeylen) {
    860        goto cleanup;
    861    }
    862
    863    slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
    864
    865    if (qcrypto_block_luks_store_header(block,  writefunc, opaque, errp) < 0) {
    866        goto cleanup;
    867    }
    868
    869    ret = 0;
    870
    871cleanup:
    872    if (slotkey) {
    873        memset(slotkey, 0, luks->header.master_key_len);
    874    }
    875    if (splitkey) {
    876        memset(splitkey, 0, splitkeylen);
    877    }
    878    return ret;
    879}
    880
    881/*
    882 * Given a key slot, and user password, this will attempt to unlock
    883 * the master encryption key from the key slot.
    884 *
    885 * Returns:
    886 *    0 if the key slot is disabled, or key could not be decrypted
    887 *      with the provided password
    888 *    1 if the key slot is enabled, and key decrypted successfully
    889 *      with the provided password
    890 *   -1 if a fatal error occurred loading the key
    891 */
    892static int
    893qcrypto_block_luks_load_key(QCryptoBlock *block,
    894                            size_t slot_idx,
    895                            const char *password,
    896                            uint8_t *masterkey,
    897                            QCryptoBlockReadFunc readfunc,
    898                            void *opaque,
    899                            Error **errp)
    900{
    901    QCryptoBlockLUKS *luks = block->opaque;
    902    const QCryptoBlockLUKSKeySlot *slot;
    903    g_autofree uint8_t *splitkey = NULL;
    904    size_t splitkeylen;
    905    g_autofree uint8_t *possiblekey = NULL;
    906    ssize_t rv;
    907    g_autoptr(QCryptoCipher) cipher = NULL;
    908    uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
    909    g_autoptr(QCryptoIVGen) ivgen = NULL;
    910    size_t niv;
    911
    912    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
    913    slot = &luks->header.key_slots[slot_idx];
    914    if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
    915        return 0;
    916    }
    917
    918    splitkeylen = luks->header.master_key_len * slot->stripes;
    919    splitkey = g_new0(uint8_t, splitkeylen);
    920    possiblekey = g_new0(uint8_t, luks->header.master_key_len);
    921
    922    /*
    923     * The user password is used to generate a (possible)
    924     * decryption key. This may or may not successfully
    925     * decrypt the master key - we just blindly assume
    926     * the key is correct and validate the results of
    927     * decryption later.
    928     */
    929    if (qcrypto_pbkdf2(luks->hash_alg,
    930                       (const uint8_t *)password, strlen(password),
    931                       slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
    932                       slot->iterations,
    933                       possiblekey, luks->header.master_key_len,
    934                       errp) < 0) {
    935        return -1;
    936    }
    937
    938    /*
    939     * We need to read the master key material from the
    940     * LUKS key material header. What we're reading is
    941     * not the raw master key, but rather the data after
    942     * it has been passed through AFSplit and the result
    943     * then encrypted.
    944     */
    945    rv = readfunc(block,
    946                  slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
    947                  splitkey, splitkeylen,
    948                  opaque,
    949                  errp);
    950    if (rv < 0) {
    951        return -1;
    952    }
    953
    954
    955    /* Setup the cipher/ivgen that we'll use to try to decrypt
    956     * the split master key material */
    957    cipher = qcrypto_cipher_new(luks->cipher_alg,
    958                                luks->cipher_mode,
    959                                possiblekey,
    960                                luks->header.master_key_len,
    961                                errp);
    962    if (!cipher) {
    963        return -1;
    964    }
    965
    966    niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
    967                                    luks->cipher_mode);
    968
    969    ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
    970                              luks->ivgen_cipher_alg,
    971                              luks->ivgen_hash_alg,
    972                              possiblekey,
    973                              luks->header.master_key_len,
    974                              errp);
    975    if (!ivgen) {
    976        return -1;
    977    }
    978
    979
    980    /*
    981     * The master key needs to be decrypted in the same
    982     * way that the block device payload will be decrypted
    983     * later. In particular we'll be using the IV generator
    984     * to reset the encryption cipher every time the master
    985     * key crosses a sector boundary.
    986     */
    987    if (qcrypto_block_cipher_decrypt_helper(cipher,
    988                                            niv,
    989                                            ivgen,
    990                                            QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
    991                                            0,
    992                                            splitkey,
    993                                            splitkeylen,
    994                                            errp) < 0) {
    995        return -1;
    996    }
    997
    998    /*
    999     * Now we've decrypted the split master key, join
   1000     * it back together to get the actual master key.
   1001     */
   1002    if (qcrypto_afsplit_decode(luks->hash_alg,
   1003                               luks->header.master_key_len,
   1004                               slot->stripes,
   1005                               splitkey,
   1006                               masterkey,
   1007                               errp) < 0) {
   1008        return -1;
   1009    }
   1010
   1011
   1012    /*
   1013     * We still don't know that the masterkey we got is valid,
   1014     * because we just blindly assumed the user's password
   1015     * was correct. This is where we now verify it. We are
   1016     * creating a hash of the master key using PBKDF and
   1017     * then comparing that to the hash stored in the key slot
   1018     * header
   1019     */
   1020    if (qcrypto_pbkdf2(luks->hash_alg,
   1021                       masterkey,
   1022                       luks->header.master_key_len,
   1023                       luks->header.master_key_salt,
   1024                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
   1025                       luks->header.master_key_iterations,
   1026                       keydigest,
   1027                       G_N_ELEMENTS(keydigest),
   1028                       errp) < 0) {
   1029        return -1;
   1030    }
   1031
   1032    if (memcmp(keydigest, luks->header.master_key_digest,
   1033               QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
   1034        /* Success, we got the right master key */
   1035        return 1;
   1036    }
   1037
   1038    /* Fail, user's password was not valid for this key slot,
   1039     * tell caller to try another slot */
   1040    return 0;
   1041}
   1042
   1043
   1044/*
   1045 * Given a user password, this will iterate over all key
   1046 * slots and try to unlock each active key slot using the
   1047 * password until it successfully obtains a master key.
   1048 *
   1049 * Returns 0 if a key was loaded, -1 if no keys could be loaded
   1050 */
   1051static int
   1052qcrypto_block_luks_find_key(QCryptoBlock *block,
   1053                            const char *password,
   1054                            uint8_t *masterkey,
   1055                            QCryptoBlockReadFunc readfunc,
   1056                            void *opaque,
   1057                            Error **errp)
   1058{
   1059    size_t i;
   1060    int rv;
   1061
   1062    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1063        rv = qcrypto_block_luks_load_key(block,
   1064                                         i,
   1065                                         password,
   1066                                         masterkey,
   1067                                         readfunc,
   1068                                         opaque,
   1069                                         errp);
   1070        if (rv < 0) {
   1071            goto error;
   1072        }
   1073        if (rv == 1) {
   1074            return 0;
   1075        }
   1076    }
   1077
   1078    error_setg(errp, "Invalid password, cannot unlock any keyslot");
   1079 error:
   1080    return -1;
   1081}
   1082
   1083/*
   1084 * Returns true if a slot i is marked as active
   1085 * (contains encrypted copy of the master key)
   1086 */
   1087static bool
   1088qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
   1089                               unsigned int slot_idx)
   1090{
   1091    uint32_t val;
   1092
   1093    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
   1094    val = luks->header.key_slots[slot_idx].active;
   1095    return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
   1096}
   1097
   1098/*
   1099 * Returns the number of slots that are marked as active
   1100 * (slots that contain encrypted copy of the master key)
   1101 */
   1102static unsigned int
   1103qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
   1104{
   1105    size_t i = 0;
   1106    unsigned int ret = 0;
   1107
   1108    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1109        if (qcrypto_block_luks_slot_active(luks, i)) {
   1110            ret++;
   1111        }
   1112    }
   1113    return ret;
   1114}
   1115
   1116/*
   1117 * Finds first key slot which is not active
   1118 * Returns the key slot index, or -1 if it doesn't exist
   1119 */
   1120static int
   1121qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
   1122{
   1123    size_t i;
   1124
   1125    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1126        if (!qcrypto_block_luks_slot_active(luks, i)) {
   1127            return i;
   1128        }
   1129    }
   1130    return -1;
   1131}
   1132
   1133/*
   1134 * Erases an keyslot given its index
   1135 * Returns:
   1136 *    0 if the keyslot was erased successfully
   1137 *   -1 if a error occurred while erasing the keyslot
   1138 *
   1139 */
   1140static int
   1141qcrypto_block_luks_erase_key(QCryptoBlock *block,
   1142                             unsigned int slot_idx,
   1143                             QCryptoBlockWriteFunc writefunc,
   1144                             void *opaque,
   1145                             Error **errp)
   1146{
   1147    QCryptoBlockLUKS *luks = block->opaque;
   1148    QCryptoBlockLUKSKeySlot *slot;
   1149    g_autofree uint8_t *garbagesplitkey = NULL;
   1150    size_t splitkeylen;
   1151    size_t i;
   1152    Error *local_err = NULL;
   1153    int ret;
   1154
   1155    assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
   1156    slot = &luks->header.key_slots[slot_idx];
   1157
   1158    splitkeylen = luks->header.master_key_len * slot->stripes;
   1159    assert(splitkeylen > 0);
   1160
   1161    garbagesplitkey = g_new0(uint8_t, splitkeylen);
   1162
   1163    /* Reset the key slot header */
   1164    memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
   1165    slot->iterations = 0;
   1166    slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
   1167
   1168    ret = qcrypto_block_luks_store_header(block, writefunc,
   1169                                          opaque, &local_err);
   1170
   1171    if (ret < 0) {
   1172        error_propagate(errp, local_err);
   1173    }
   1174    /*
   1175     * Now try to erase the key material, even if the header
   1176     * update failed
   1177     */
   1178    for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
   1179        if (qcrypto_random_bytes(garbagesplitkey,
   1180                                 splitkeylen, &local_err) < 0) {
   1181            /*
   1182             * If we failed to get the random data, still write
   1183             * at least zeros to the key slot at least once
   1184             */
   1185            error_propagate(errp, local_err);
   1186
   1187            if (i > 0) {
   1188                return -1;
   1189            }
   1190        }
   1191        if (writefunc(block,
   1192                      slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
   1193                      garbagesplitkey,
   1194                      splitkeylen,
   1195                      opaque,
   1196                      &local_err) != splitkeylen) {
   1197            error_propagate(errp, local_err);
   1198            return -1;
   1199        }
   1200    }
   1201    return ret;
   1202}
   1203
   1204static int
   1205qcrypto_block_luks_open(QCryptoBlock *block,
   1206                        QCryptoBlockOpenOptions *options,
   1207                        const char *optprefix,
   1208                        QCryptoBlockReadFunc readfunc,
   1209                        void *opaque,
   1210                        unsigned int flags,
   1211                        size_t n_threads,
   1212                        Error **errp)
   1213{
   1214    QCryptoBlockLUKS *luks = NULL;
   1215    g_autofree uint8_t *masterkey = NULL;
   1216    g_autofree char *password = NULL;
   1217
   1218    if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
   1219        if (!options->u.luks.key_secret) {
   1220            error_setg(errp, "Parameter '%skey-secret' is required for cipher",
   1221                       optprefix ? optprefix : "");
   1222            return -1;
   1223        }
   1224        password = qcrypto_secret_lookup_as_utf8(
   1225            options->u.luks.key_secret, errp);
   1226        if (!password) {
   1227            return -1;
   1228        }
   1229    }
   1230
   1231    luks = g_new0(QCryptoBlockLUKS, 1);
   1232    block->opaque = luks;
   1233    luks->secret = g_strdup(options->u.luks.key_secret);
   1234
   1235    if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
   1236        goto fail;
   1237    }
   1238
   1239    if (qcrypto_block_luks_check_header(luks, errp) < 0) {
   1240        goto fail;
   1241    }
   1242
   1243    if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
   1244        goto fail;
   1245    }
   1246
   1247    if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
   1248        /* Try to find which key slot our password is valid for
   1249         * and unlock the master key from that slot.
   1250         */
   1251
   1252        masterkey = g_new0(uint8_t, luks->header.master_key_len);
   1253
   1254        if (qcrypto_block_luks_find_key(block,
   1255                                        password,
   1256                                        masterkey,
   1257                                        readfunc, opaque,
   1258                                        errp) < 0) {
   1259            goto fail;
   1260        }
   1261
   1262        /* We have a valid master key now, so can setup the
   1263         * block device payload decryption objects
   1264         */
   1265        block->kdfhash = luks->hash_alg;
   1266        block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
   1267                                               luks->cipher_mode);
   1268
   1269        block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
   1270                                         luks->ivgen_cipher_alg,
   1271                                         luks->ivgen_hash_alg,
   1272                                         masterkey,
   1273                                         luks->header.master_key_len,
   1274                                         errp);
   1275        if (!block->ivgen) {
   1276            goto fail;
   1277        }
   1278
   1279        if (qcrypto_block_init_cipher(block,
   1280                                      luks->cipher_alg,
   1281                                      luks->cipher_mode,
   1282                                      masterkey,
   1283                                      luks->header.master_key_len,
   1284                                      n_threads,
   1285                                      errp) < 0) {
   1286            goto fail;
   1287        }
   1288    }
   1289
   1290    block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
   1291    block->payload_offset = luks->header.payload_offset_sector *
   1292        block->sector_size;
   1293
   1294    return 0;
   1295
   1296 fail:
   1297    qcrypto_block_free_cipher(block);
   1298    qcrypto_ivgen_free(block->ivgen);
   1299    g_free(luks->secret);
   1300    g_free(luks);
   1301    return -1;
   1302}
   1303
   1304
   1305static void
   1306qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
   1307{
   1308    QemuUUID uuid;
   1309    qemu_uuid_generate(&uuid);
   1310    qemu_uuid_unparse(&uuid, (char *)uuidstr);
   1311}
   1312
   1313static int
   1314qcrypto_block_luks_create(QCryptoBlock *block,
   1315                          QCryptoBlockCreateOptions *options,
   1316                          const char *optprefix,
   1317                          QCryptoBlockInitFunc initfunc,
   1318                          QCryptoBlockWriteFunc writefunc,
   1319                          void *opaque,
   1320                          Error **errp)
   1321{
   1322    QCryptoBlockLUKS *luks;
   1323    QCryptoBlockCreateOptionsLUKS luks_opts;
   1324    Error *local_err = NULL;
   1325    g_autofree uint8_t *masterkey = NULL;
   1326    size_t header_sectors;
   1327    size_t split_key_sectors;
   1328    size_t i;
   1329    g_autofree char *password = NULL;
   1330    const char *cipher_alg;
   1331    const char *cipher_mode;
   1332    const char *ivgen_alg;
   1333    const char *ivgen_hash_alg = NULL;
   1334    const char *hash_alg;
   1335    g_autofree char *cipher_mode_spec = NULL;
   1336    uint64_t iters;
   1337
   1338    memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
   1339    if (!luks_opts.has_iter_time) {
   1340        luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
   1341    }
   1342    if (!luks_opts.has_cipher_alg) {
   1343        luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
   1344    }
   1345    if (!luks_opts.has_cipher_mode) {
   1346        luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
   1347    }
   1348    if (!luks_opts.has_ivgen_alg) {
   1349        luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
   1350    }
   1351    if (!luks_opts.has_hash_alg) {
   1352        luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
   1353    }
   1354    if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
   1355        if (!luks_opts.has_ivgen_hash_alg) {
   1356            luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
   1357            luks_opts.has_ivgen_hash_alg = true;
   1358        }
   1359    }
   1360
   1361    luks = g_new0(QCryptoBlockLUKS, 1);
   1362    block->opaque = luks;
   1363
   1364    luks->cipher_alg = luks_opts.cipher_alg;
   1365    luks->cipher_mode = luks_opts.cipher_mode;
   1366    luks->ivgen_alg = luks_opts.ivgen_alg;
   1367    luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
   1368    luks->hash_alg = luks_opts.hash_alg;
   1369
   1370
   1371    /* Note we're allowing ivgen_hash_alg to be set even for
   1372     * non-essiv iv generators that don't need a hash. It will
   1373     * be silently ignored, for compatibility with dm-crypt */
   1374
   1375    if (!options->u.luks.key_secret) {
   1376        error_setg(errp, "Parameter '%skey-secret' is required for cipher",
   1377                   optprefix ? optprefix : "");
   1378        goto error;
   1379    }
   1380    luks->secret = g_strdup(options->u.luks.key_secret);
   1381
   1382    password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
   1383    if (!password) {
   1384        goto error;
   1385    }
   1386
   1387
   1388    memcpy(luks->header.magic, qcrypto_block_luks_magic,
   1389           QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
   1390
   1391    /* We populate the header in native endianness initially and
   1392     * then convert everything to big endian just before writing
   1393     * it out to disk
   1394     */
   1395    luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
   1396    qcrypto_block_luks_uuid_gen(luks->header.uuid);
   1397
   1398    cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
   1399                                                      errp);
   1400    if (!cipher_alg) {
   1401        goto error;
   1402    }
   1403
   1404    cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
   1405    ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
   1406    if (luks_opts.has_ivgen_hash_alg) {
   1407        ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
   1408        cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
   1409                                           ivgen_hash_alg);
   1410    } else {
   1411        cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
   1412    }
   1413    hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
   1414
   1415
   1416    if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
   1417        error_setg(errp, "Cipher name '%s' is too long for LUKS header",
   1418                   cipher_alg);
   1419        goto error;
   1420    }
   1421    if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
   1422        error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
   1423                   cipher_mode_spec);
   1424        goto error;
   1425    }
   1426    if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
   1427        error_setg(errp, "Hash name '%s' is too long for LUKS header",
   1428                   hash_alg);
   1429        goto error;
   1430    }
   1431
   1432    if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
   1433        luks->ivgen_cipher_alg =
   1434                qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
   1435                                                luks_opts.ivgen_hash_alg,
   1436                                                &local_err);
   1437        if (local_err) {
   1438            error_propagate(errp, local_err);
   1439            goto error;
   1440        }
   1441    } else {
   1442        luks->ivgen_cipher_alg = luks_opts.cipher_alg;
   1443    }
   1444
   1445    strcpy(luks->header.cipher_name, cipher_alg);
   1446    strcpy(luks->header.cipher_mode, cipher_mode_spec);
   1447    strcpy(luks->header.hash_spec, hash_alg);
   1448
   1449    luks->header.master_key_len =
   1450        qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
   1451
   1452    if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
   1453        luks->header.master_key_len *= 2;
   1454    }
   1455
   1456    /* Generate the salt used for hashing the master key
   1457     * with PBKDF later
   1458     */
   1459    if (qcrypto_random_bytes(luks->header.master_key_salt,
   1460                             QCRYPTO_BLOCK_LUKS_SALT_LEN,
   1461                             errp) < 0) {
   1462        goto error;
   1463    }
   1464
   1465    /* Generate random master key */
   1466    masterkey = g_new0(uint8_t, luks->header.master_key_len);
   1467    if (qcrypto_random_bytes(masterkey,
   1468                             luks->header.master_key_len, errp) < 0) {
   1469        goto error;
   1470    }
   1471
   1472
   1473    /* Setup the block device payload encryption objects */
   1474    if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
   1475                                  luks_opts.cipher_mode, masterkey,
   1476                                  luks->header.master_key_len, 1, errp) < 0) {
   1477        goto error;
   1478    }
   1479
   1480    block->kdfhash = luks_opts.hash_alg;
   1481    block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
   1482                                           luks_opts.cipher_mode);
   1483    block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
   1484                                     luks->ivgen_cipher_alg,
   1485                                     luks_opts.ivgen_hash_alg,
   1486                                     masterkey, luks->header.master_key_len,
   1487                                     errp);
   1488
   1489    if (!block->ivgen) {
   1490        goto error;
   1491    }
   1492
   1493
   1494    /* Determine how many iterations we need to hash the master
   1495     * key, in order to have 1 second of compute time used
   1496     */
   1497    iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
   1498                                       masterkey, luks->header.master_key_len,
   1499                                       luks->header.master_key_salt,
   1500                                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
   1501                                       QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
   1502                                       &local_err);
   1503    if (local_err) {
   1504        error_propagate(errp, local_err);
   1505        goto error;
   1506    }
   1507
   1508    if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
   1509        error_setg_errno(errp, ERANGE,
   1510                         "PBKDF iterations %llu too large to scale",
   1511                         (unsigned long long)iters);
   1512        goto error;
   1513    }
   1514
   1515    /* iter_time was in millis, but count_iters reported for secs */
   1516    iters = iters * luks_opts.iter_time / 1000;
   1517
   1518    /* Why /= 8 ?  That matches cryptsetup, but there's no
   1519     * explanation why they chose /= 8... Probably so that
   1520     * if all 8 keyslots are active we only spend 1 second
   1521     * in total time to check all keys */
   1522    iters /= 8;
   1523    if (iters > UINT32_MAX) {
   1524        error_setg_errno(errp, ERANGE,
   1525                         "PBKDF iterations %llu larger than %u",
   1526                         (unsigned long long)iters, UINT32_MAX);
   1527        goto error;
   1528    }
   1529    iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
   1530    luks->header.master_key_iterations = iters;
   1531
   1532    /* Hash the master key, saving the result in the LUKS
   1533     * header. This hash is used when opening the encrypted
   1534     * device to verify that the user password unlocked a
   1535     * valid master key
   1536     */
   1537    if (qcrypto_pbkdf2(luks_opts.hash_alg,
   1538                       masterkey, luks->header.master_key_len,
   1539                       luks->header.master_key_salt,
   1540                       QCRYPTO_BLOCK_LUKS_SALT_LEN,
   1541                       luks->header.master_key_iterations,
   1542                       luks->header.master_key_digest,
   1543                       QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
   1544                       errp) < 0) {
   1545        goto error;
   1546    }
   1547
   1548    /* start with the sector that follows the header*/
   1549    header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
   1550        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
   1551
   1552    split_key_sectors =
   1553        qcrypto_block_luks_splitkeylen_sectors(luks,
   1554                                               header_sectors,
   1555                                               QCRYPTO_BLOCK_LUKS_STRIPES);
   1556
   1557    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1558        QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
   1559        slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
   1560
   1561        slot->key_offset_sector = header_sectors + i * split_key_sectors;
   1562        slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
   1563    }
   1564
   1565    /* The total size of the LUKS headers is the partition header + key
   1566     * slot headers, rounded up to the nearest sector, combined with
   1567     * the size of each master key material region, also rounded up
   1568     * to the nearest sector */
   1569    luks->header.payload_offset_sector = header_sectors +
   1570            QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
   1571
   1572    block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
   1573    block->payload_offset = luks->header.payload_offset_sector *
   1574        block->sector_size;
   1575
   1576    /* Reserve header space to match payload offset */
   1577    initfunc(block, block->payload_offset, opaque, &local_err);
   1578    if (local_err) {
   1579        error_propagate(errp, local_err);
   1580        goto error;
   1581    }
   1582
   1583
   1584    /* populate the slot 0 with the password encrypted master key*/
   1585    /* This will also store the header */
   1586    if (qcrypto_block_luks_store_key(block,
   1587                                     0,
   1588                                     password,
   1589                                     masterkey,
   1590                                     luks_opts.iter_time,
   1591                                     writefunc,
   1592                                     opaque,
   1593                                     errp) < 0) {
   1594        goto error;
   1595    }
   1596
   1597    memset(masterkey, 0, luks->header.master_key_len);
   1598
   1599    return 0;
   1600
   1601 error:
   1602    if (masterkey) {
   1603        memset(masterkey, 0, luks->header.master_key_len);
   1604    }
   1605
   1606    qcrypto_block_free_cipher(block);
   1607    qcrypto_ivgen_free(block->ivgen);
   1608
   1609    g_free(luks->secret);
   1610    g_free(luks);
   1611    return -1;
   1612}
   1613
   1614static int
   1615qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
   1616                                     QCryptoBlockReadFunc readfunc,
   1617                                     QCryptoBlockWriteFunc writefunc,
   1618                                     void *opaque,
   1619                                     QCryptoBlockAmendOptionsLUKS *opts_luks,
   1620                                     bool force,
   1621                                     Error **errp)
   1622{
   1623    QCryptoBlockLUKS *luks = block->opaque;
   1624    uint64_t iter_time = opts_luks->has_iter_time ?
   1625                         opts_luks->iter_time :
   1626                         QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
   1627    int keyslot;
   1628    g_autofree char *old_password = NULL;
   1629    g_autofree char *new_password = NULL;
   1630    g_autofree uint8_t *master_key = NULL;
   1631
   1632    char *secret = opts_luks->has_secret ? opts_luks->secret : luks->secret;
   1633
   1634    if (!opts_luks->has_new_secret) {
   1635        error_setg(errp, "'new-secret' is required to activate a keyslot");
   1636        return -1;
   1637    }
   1638    if (opts_luks->has_old_secret) {
   1639        error_setg(errp,
   1640                   "'old-secret' must not be given when activating keyslots");
   1641        return -1;
   1642    }
   1643
   1644    if (opts_luks->has_keyslot) {
   1645        keyslot = opts_luks->keyslot;
   1646        if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
   1647            error_setg(errp,
   1648                       "Invalid keyslot %u specified, must be between 0 and %u",
   1649                       keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
   1650            return -1;
   1651        }
   1652    } else {
   1653        keyslot = qcrypto_block_luks_find_free_keyslot(luks);
   1654        if (keyslot == -1) {
   1655            error_setg(errp,
   1656                       "Can't add a keyslot - all keyslots are in use");
   1657            return -1;
   1658        }
   1659    }
   1660
   1661    if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
   1662        error_setg(errp,
   1663                   "Refusing to overwrite active keyslot %i - "
   1664                   "please erase it first",
   1665                   keyslot);
   1666        return -1;
   1667    }
   1668
   1669    /* Locate the password that will be used to retrieve the master key */
   1670    old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
   1671    if (!old_password) {
   1672        return -1;
   1673    }
   1674
   1675    /* Retrieve the master key */
   1676    master_key = g_new0(uint8_t, luks->header.master_key_len);
   1677
   1678    if (qcrypto_block_luks_find_key(block, old_password, master_key,
   1679                                    readfunc, opaque, errp) < 0) {
   1680        error_append_hint(errp, "Failed to retrieve the master key");
   1681        return -1;
   1682    }
   1683
   1684    /* Locate the new password*/
   1685    new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
   1686    if (!new_password) {
   1687        return -1;
   1688    }
   1689
   1690    /* Now set the new keyslots */
   1691    if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
   1692                                     iter_time, writefunc, opaque, errp)) {
   1693        error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
   1694        return -1;
   1695    }
   1696    return 0;
   1697}
   1698
   1699static int
   1700qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
   1701                                        QCryptoBlockReadFunc readfunc,
   1702                                        QCryptoBlockWriteFunc writefunc,
   1703                                        void *opaque,
   1704                                        QCryptoBlockAmendOptionsLUKS *opts_luks,
   1705                                        bool force,
   1706                                        Error **errp)
   1707{
   1708    QCryptoBlockLUKS *luks = block->opaque;
   1709    g_autofree uint8_t *tmpkey = NULL;
   1710    g_autofree char *old_password = NULL;
   1711
   1712    if (opts_luks->has_new_secret) {
   1713        error_setg(errp,
   1714                   "'new-secret' must not be given when erasing keyslots");
   1715        return -1;
   1716    }
   1717    if (opts_luks->has_iter_time) {
   1718        error_setg(errp,
   1719                   "'iter-time' must not be given when erasing keyslots");
   1720        return -1;
   1721    }
   1722    if (opts_luks->has_secret) {
   1723        error_setg(errp,
   1724                   "'secret' must not be given when erasing keyslots");
   1725        return -1;
   1726    }
   1727
   1728    /* Load the old password if given */
   1729    if (opts_luks->has_old_secret) {
   1730        old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
   1731                                                     errp);
   1732        if (!old_password) {
   1733            return -1;
   1734        }
   1735
   1736        /*
   1737         * Allocate a temporary key buffer that we will need when
   1738         * checking if slot matches the given old password
   1739         */
   1740        tmpkey = g_new0(uint8_t, luks->header.master_key_len);
   1741    }
   1742
   1743    /* Erase an explicitly given keyslot */
   1744    if (opts_luks->has_keyslot) {
   1745        int keyslot = opts_luks->keyslot;
   1746
   1747        if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
   1748            error_setg(errp,
   1749                       "Invalid keyslot %i specified, must be between 0 and %i",
   1750                       keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
   1751            return -1;
   1752        }
   1753
   1754        if (opts_luks->has_old_secret) {
   1755            int rv = qcrypto_block_luks_load_key(block,
   1756                                                 keyslot,
   1757                                                 old_password,
   1758                                                 tmpkey,
   1759                                                 readfunc,
   1760                                                 opaque,
   1761                                                 errp);
   1762            if (rv == -1) {
   1763                return -1;
   1764            } else if (rv == 0) {
   1765                error_setg(errp,
   1766                           "Given keyslot %i doesn't contain the given "
   1767                           "old password for erase operation",
   1768                           keyslot);
   1769                return -1;
   1770            }
   1771        }
   1772
   1773        if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
   1774            error_setg(errp,
   1775                       "Given keyslot %i is already erased (inactive) ",
   1776                       keyslot);
   1777            return -1;
   1778        }
   1779
   1780        if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
   1781            error_setg(errp,
   1782                       "Attempt to erase the only active keyslot %i "
   1783                       "which will erase all the data in the image "
   1784                       "irreversibly - refusing operation",
   1785                       keyslot);
   1786            return -1;
   1787        }
   1788
   1789        if (qcrypto_block_luks_erase_key(block, keyslot,
   1790                                         writefunc, opaque, errp)) {
   1791            error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
   1792            return -1;
   1793        }
   1794
   1795    /* Erase all keyslots that match the given old password */
   1796    } else if (opts_luks->has_old_secret) {
   1797
   1798        unsigned long slots_to_erase_bitmap = 0;
   1799        size_t i;
   1800        int slot_count;
   1801
   1802        assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
   1803               sizeof(slots_to_erase_bitmap) * 8);
   1804
   1805        for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1806            int rv = qcrypto_block_luks_load_key(block,
   1807                                                 i,
   1808                                                 old_password,
   1809                                                 tmpkey,
   1810                                                 readfunc,
   1811                                                 opaque,
   1812                                                 errp);
   1813            if (rv == -1) {
   1814                return -1;
   1815            } else if (rv == 1) {
   1816                bitmap_set(&slots_to_erase_bitmap, i, 1);
   1817            }
   1818        }
   1819
   1820        slot_count = bitmap_count_one(&slots_to_erase_bitmap,
   1821                                      QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
   1822        if (slot_count == 0) {
   1823            error_setg(errp,
   1824                       "No keyslots match given (old) password for erase operation");
   1825            return -1;
   1826        }
   1827
   1828        if (!force &&
   1829            slot_count == qcrypto_block_luks_count_active_slots(luks)) {
   1830            error_setg(errp,
   1831                       "All the active keyslots match the (old) password that "
   1832                       "was given and erasing them will erase all the data in "
   1833                       "the image irreversibly - refusing operation");
   1834            return -1;
   1835        }
   1836
   1837        /* Now apply the update */
   1838        for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1839            if (!test_bit(i, &slots_to_erase_bitmap)) {
   1840                continue;
   1841            }
   1842            if (qcrypto_block_luks_erase_key(block, i, writefunc,
   1843                opaque, errp)) {
   1844                error_append_hint(errp, "Failed to erase keyslot %zu", i);
   1845                return -1;
   1846            }
   1847        }
   1848    } else {
   1849        error_setg(errp,
   1850                   "To erase keyslot(s), either explicit keyslot index "
   1851                   "or the password currently contained in them must be given");
   1852        return -1;
   1853    }
   1854    return 0;
   1855}
   1856
   1857static int
   1858qcrypto_block_luks_amend_options(QCryptoBlock *block,
   1859                                 QCryptoBlockReadFunc readfunc,
   1860                                 QCryptoBlockWriteFunc writefunc,
   1861                                 void *opaque,
   1862                                 QCryptoBlockAmendOptions *options,
   1863                                 bool force,
   1864                                 Error **errp)
   1865{
   1866    QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
   1867
   1868    switch (opts_luks->state) {
   1869    case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
   1870        return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
   1871                                                    writefunc, opaque,
   1872                                                    opts_luks, force, errp);
   1873    case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
   1874        return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
   1875                                                       writefunc, opaque,
   1876                                                       opts_luks, force, errp);
   1877    default:
   1878        g_assert_not_reached();
   1879    }
   1880}
   1881
   1882static int qcrypto_block_luks_get_info(QCryptoBlock *block,
   1883                                       QCryptoBlockInfo *info,
   1884                                       Error **errp)
   1885{
   1886    QCryptoBlockLUKS *luks = block->opaque;
   1887    QCryptoBlockInfoLUKSSlot *slot;
   1888    QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
   1889    size_t i;
   1890
   1891    info->u.luks.cipher_alg = luks->cipher_alg;
   1892    info->u.luks.cipher_mode = luks->cipher_mode;
   1893    info->u.luks.ivgen_alg = luks->ivgen_alg;
   1894    if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
   1895        info->u.luks.has_ivgen_hash_alg = true;
   1896        info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
   1897    }
   1898    info->u.luks.hash_alg = luks->hash_alg;
   1899    info->u.luks.payload_offset = block->payload_offset;
   1900    info->u.luks.master_key_iters = luks->header.master_key_iterations;
   1901    info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
   1902                                  sizeof(luks->header.uuid));
   1903
   1904    for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
   1905        slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
   1906        slot->active = luks->header.key_slots[i].active ==
   1907            QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
   1908        slot->key_offset = luks->header.key_slots[i].key_offset_sector
   1909             * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
   1910        if (slot->active) {
   1911            slot->has_iters = true;
   1912            slot->iters = luks->header.key_slots[i].iterations;
   1913            slot->has_stripes = true;
   1914            slot->stripes = luks->header.key_slots[i].stripes;
   1915        }
   1916
   1917        QAPI_LIST_APPEND(tail, slot);
   1918    }
   1919
   1920    return 0;
   1921}
   1922
   1923
   1924static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
   1925{
   1926    QCryptoBlockLUKS *luks = block->opaque;
   1927    if (luks) {
   1928        g_free(luks->secret);
   1929        g_free(luks);
   1930    }
   1931}
   1932
   1933
   1934static int
   1935qcrypto_block_luks_decrypt(QCryptoBlock *block,
   1936                           uint64_t offset,
   1937                           uint8_t *buf,
   1938                           size_t len,
   1939                           Error **errp)
   1940{
   1941    assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
   1942    assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
   1943    return qcrypto_block_decrypt_helper(block,
   1944                                        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
   1945                                        offset, buf, len, errp);
   1946}
   1947
   1948
   1949static int
   1950qcrypto_block_luks_encrypt(QCryptoBlock *block,
   1951                           uint64_t offset,
   1952                           uint8_t *buf,
   1953                           size_t len,
   1954                           Error **errp)
   1955{
   1956    assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
   1957    assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
   1958    return qcrypto_block_encrypt_helper(block,
   1959                                        QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
   1960                                        offset, buf, len, errp);
   1961}
   1962
   1963
   1964const QCryptoBlockDriver qcrypto_block_driver_luks = {
   1965    .open = qcrypto_block_luks_open,
   1966    .create = qcrypto_block_luks_create,
   1967    .amend = qcrypto_block_luks_amend_options,
   1968    .get_info = qcrypto_block_luks_get_info,
   1969    .cleanup = qcrypto_block_luks_cleanup,
   1970    .decrypt = qcrypto_block_luks_decrypt,
   1971    .encrypt = qcrypto_block_luks_encrypt,
   1972    .has_format = qcrypto_block_luks_has_format,
   1973};