Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1 | /* |
| 2 | * QEMU Crypto block device encryption LUKS format |
| 3 | * |
| 4 | * Copyright (c) 2015-2016 Red Hat, Inc. |
| 5 | * |
| 6 | * This library is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU Lesser General Public |
| 8 | * License as published by the Free Software Foundation; either |
Thomas Huth | b7cbb87 | 2019-02-13 16:54:59 +0100 | [diff] [blame] | 9 | * version 2.1 of the License, or (at your option) any later version. |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 10 | * |
| 11 | * This library is distributed in the hope that it will be useful, |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 14 | * Lesser General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU Lesser General Public |
| 17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | */ |
| 20 | |
| 21 | #include "qemu/osdep.h" |
Markus Armbruster | da34e65 | 2016-03-14 09:01:28 +0100 | [diff] [blame] | 22 | #include "qapi/error.h" |
Paolo Bonzini | 58369e2 | 2016-03-15 17:22:36 +0100 | [diff] [blame] | 23 | #include "qemu/bswap.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 24 | |
Michael S. Tsirkin | 986bc8d | 2018-05-03 22:50:23 +0300 | [diff] [blame] | 25 | #include "block-luks.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 26 | |
| 27 | #include "crypto/hash.h" |
| 28 | #include "crypto/afsplit.h" |
| 29 | #include "crypto/pbkdf.h" |
| 30 | #include "crypto/secret.h" |
| 31 | #include "crypto/random.h" |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 32 | #include "qemu/uuid.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 33 | |
| 34 | #include "qemu/coroutine.h" |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 35 | #include "qemu/bitmap.h" |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 36 | |
| 37 | /* |
| 38 | * Reference for the LUKS format implemented here is |
| 39 | * |
| 40 | * docs/on-disk-format.pdf |
| 41 | * |
| 42 | * in 'cryptsetup' package source code |
| 43 | * |
| 44 | * This file implements the 1.2.1 specification, dated |
| 45 | * Oct 16, 2011. |
| 46 | */ |
| 47 | |
| 48 | typedef struct QCryptoBlockLUKS QCryptoBlockLUKS; |
| 49 | typedef struct QCryptoBlockLUKSHeader QCryptoBlockLUKSHeader; |
| 50 | typedef struct QCryptoBlockLUKSKeySlot QCryptoBlockLUKSKeySlot; |
| 51 | |
| 52 | |
| 53 | /* The following constants are all defined by the LUKS spec */ |
| 54 | #define QCRYPTO_BLOCK_LUKS_VERSION 1 |
| 55 | |
| 56 | #define QCRYPTO_BLOCK_LUKS_MAGIC_LEN 6 |
| 57 | #define QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN 32 |
| 58 | #define QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN 32 |
| 59 | #define QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN 32 |
| 60 | #define QCRYPTO_BLOCK_LUKS_DIGEST_LEN 20 |
| 61 | #define QCRYPTO_BLOCK_LUKS_SALT_LEN 32 |
| 62 | #define QCRYPTO_BLOCK_LUKS_UUID_LEN 40 |
| 63 | #define QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS 8 |
| 64 | #define QCRYPTO_BLOCK_LUKS_STRIPES 4000 |
| 65 | #define QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS 1000 |
| 66 | #define QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS 1000 |
| 67 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET 4096 |
| 68 | |
| 69 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED 0x0000DEAD |
| 70 | #define QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED 0x00AC71F3 |
| 71 | |
| 72 | #define QCRYPTO_BLOCK_LUKS_SECTOR_SIZE 512LL |
| 73 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 74 | #define QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS 2000 |
| 75 | #define QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS 40 |
| 76 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 77 | static const char qcrypto_block_luks_magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN] = { |
| 78 | 'L', 'U', 'K', 'S', 0xBA, 0xBE |
| 79 | }; |
| 80 | |
| 81 | typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap; |
| 82 | struct QCryptoBlockLUKSNameMap { |
| 83 | const char *name; |
| 84 | int id; |
| 85 | }; |
| 86 | |
| 87 | typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap; |
| 88 | struct QCryptoBlockLUKSCipherSizeMap { |
| 89 | uint32_t key_bytes; |
| 90 | int id; |
| 91 | }; |
| 92 | typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap; |
| 93 | struct QCryptoBlockLUKSCipherNameMap { |
| 94 | const char *name; |
| 95 | const QCryptoBlockLUKSCipherSizeMap *sizes; |
| 96 | }; |
| 97 | |
| 98 | |
| 99 | static const QCryptoBlockLUKSCipherSizeMap |
| 100 | qcrypto_block_luks_cipher_size_map_aes[] = { |
| 101 | { 16, QCRYPTO_CIPHER_ALG_AES_128 }, |
| 102 | { 24, QCRYPTO_CIPHER_ALG_AES_192 }, |
| 103 | { 32, QCRYPTO_CIPHER_ALG_AES_256 }, |
| 104 | { 0, 0 }, |
| 105 | }; |
| 106 | |
| 107 | static const QCryptoBlockLUKSCipherSizeMap |
| 108 | qcrypto_block_luks_cipher_size_map_cast5[] = { |
| 109 | { 16, QCRYPTO_CIPHER_ALG_CAST5_128 }, |
| 110 | { 0, 0 }, |
| 111 | }; |
| 112 | |
| 113 | static const QCryptoBlockLUKSCipherSizeMap |
| 114 | qcrypto_block_luks_cipher_size_map_serpent[] = { |
| 115 | { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 }, |
| 116 | { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 }, |
| 117 | { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 }, |
| 118 | { 0, 0 }, |
| 119 | }; |
| 120 | |
| 121 | static const QCryptoBlockLUKSCipherSizeMap |
| 122 | qcrypto_block_luks_cipher_size_map_twofish[] = { |
| 123 | { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 }, |
| 124 | { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 }, |
| 125 | { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 }, |
| 126 | { 0, 0 }, |
| 127 | }; |
| 128 | |
| 129 | static const QCryptoBlockLUKSCipherNameMap |
| 130 | qcrypto_block_luks_cipher_name_map[] = { |
| 131 | { "aes", qcrypto_block_luks_cipher_size_map_aes }, |
| 132 | { "cast5", qcrypto_block_luks_cipher_size_map_cast5 }, |
| 133 | { "serpent", qcrypto_block_luks_cipher_size_map_serpent }, |
| 134 | { "twofish", qcrypto_block_luks_cipher_size_map_twofish }, |
| 135 | }; |
| 136 | |
| 137 | |
| 138 | /* |
| 139 | * This struct is written to disk in big-endian format, |
| 140 | * but operated upon in native-endian format. |
| 141 | */ |
| 142 | struct QCryptoBlockLUKSKeySlot { |
| 143 | /* state of keyslot, enabled/disable */ |
| 144 | uint32_t active; |
| 145 | /* iterations for PBKDF2 */ |
| 146 | uint32_t iterations; |
| 147 | /* salt for PBKDF2 */ |
| 148 | uint8_t salt[QCRYPTO_BLOCK_LUKS_SALT_LEN]; |
| 149 | /* start sector of key material */ |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 150 | uint32_t key_offset_sector; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 151 | /* number of anti-forensic stripes */ |
| 152 | uint32_t stripes; |
Greg Kurz | 5993e3b | 2019-02-28 16:06:06 +0100 | [diff] [blame] | 153 | }; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 154 | |
| 155 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48); |
| 156 | |
| 157 | |
| 158 | /* |
| 159 | * This struct is written to disk in big-endian format, |
| 160 | * but operated upon in native-endian format. |
| 161 | */ |
| 162 | struct QCryptoBlockLUKSHeader { |
| 163 | /* 'L', 'U', 'K', 'S', '0xBA', '0xBE' */ |
| 164 | char magic[QCRYPTO_BLOCK_LUKS_MAGIC_LEN]; |
| 165 | |
| 166 | /* LUKS version, currently 1 */ |
| 167 | uint16_t version; |
| 168 | |
| 169 | /* cipher name specification (aes, etc) */ |
| 170 | char cipher_name[QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN]; |
| 171 | |
| 172 | /* cipher mode specification (cbc-plain, xts-essiv:sha256, etc) */ |
| 173 | char cipher_mode[QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN]; |
| 174 | |
| 175 | /* hash specification (sha256, etc) */ |
| 176 | char hash_spec[QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN]; |
| 177 | |
| 178 | /* start offset of the volume data (in 512 byte sectors) */ |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 179 | uint32_t payload_offset_sector; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 180 | |
| 181 | /* Number of key bytes */ |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 182 | uint32_t master_key_len; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 183 | |
| 184 | /* master key checksum after PBKDF2 */ |
| 185 | uint8_t master_key_digest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; |
| 186 | |
| 187 | /* salt for master key PBKDF2 */ |
| 188 | uint8_t master_key_salt[QCRYPTO_BLOCK_LUKS_SALT_LEN]; |
| 189 | |
| 190 | /* iterations for master key PBKDF2 */ |
| 191 | uint32_t master_key_iterations; |
| 192 | |
| 193 | /* UUID of the partition in standard ASCII representation */ |
| 194 | uint8_t uuid[QCRYPTO_BLOCK_LUKS_UUID_LEN]; |
| 195 | |
| 196 | /* key slots */ |
| 197 | QCryptoBlockLUKSKeySlot key_slots[QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS]; |
Greg Kurz | 5993e3b | 2019-02-28 16:06:06 +0100 | [diff] [blame] | 198 | }; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 199 | |
| 200 | QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); |
| 201 | |
| 202 | |
| 203 | struct QCryptoBlockLUKS { |
| 204 | QCryptoBlockLUKSHeader header; |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 205 | |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 206 | /* Main encryption algorithm used for encryption*/ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 207 | QCryptoCipherAlgorithm cipher_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 208 | |
| 209 | /* Mode of encryption for the selected encryption algorithm */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 210 | QCryptoCipherMode cipher_mode; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 211 | |
| 212 | /* Initialization vector generation algorithm */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 213 | QCryptoIVGenAlgorithm ivgen_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 214 | |
| 215 | /* Hash algorithm used for IV generation*/ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 216 | QCryptoHashAlgorithm ivgen_hash_alg; |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 217 | |
| 218 | /* |
| 219 | * Encryption algorithm used for IV generation. |
| 220 | * Usually the same as main encryption algorithm |
| 221 | */ |
| 222 | QCryptoCipherAlgorithm ivgen_cipher_alg; |
| 223 | |
| 224 | /* Hash algorithm used in pbkdf2 function */ |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 225 | QCryptoHashAlgorithm hash_alg; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 226 | |
| 227 | /* Name of the secret that was used to open the image */ |
| 228 | char *secret; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 229 | }; |
| 230 | |
| 231 | |
| 232 | static int qcrypto_block_luks_cipher_name_lookup(const char *name, |
| 233 | QCryptoCipherMode mode, |
| 234 | uint32_t key_bytes, |
| 235 | Error **errp) |
| 236 | { |
| 237 | const QCryptoBlockLUKSCipherNameMap *map = |
| 238 | qcrypto_block_luks_cipher_name_map; |
| 239 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); |
| 240 | size_t i, j; |
| 241 | |
| 242 | if (mode == QCRYPTO_CIPHER_MODE_XTS) { |
| 243 | key_bytes /= 2; |
| 244 | } |
| 245 | |
| 246 | for (i = 0; i < maplen; i++) { |
| 247 | if (!g_str_equal(map[i].name, name)) { |
| 248 | continue; |
| 249 | } |
| 250 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { |
| 251 | if (map[i].sizes[j].key_bytes == key_bytes) { |
| 252 | return map[i].sizes[j].id; |
| 253 | } |
| 254 | } |
| 255 | } |
| 256 | |
| 257 | error_setg(errp, "Algorithm %s with key size %d bytes not supported", |
| 258 | name, key_bytes); |
| 259 | return 0; |
| 260 | } |
| 261 | |
| 262 | static const char * |
| 263 | qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg, |
| 264 | Error **errp) |
| 265 | { |
| 266 | const QCryptoBlockLUKSCipherNameMap *map = |
| 267 | qcrypto_block_luks_cipher_name_map; |
| 268 | size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map); |
| 269 | size_t i, j; |
| 270 | for (i = 0; i < maplen; i++) { |
| 271 | for (j = 0; j < map[i].sizes[j].key_bytes; j++) { |
| 272 | if (map[i].sizes[j].id == alg) { |
| 273 | return map[i].name; |
| 274 | } |
| 275 | } |
| 276 | } |
| 277 | |
| 278 | error_setg(errp, "Algorithm '%s' not supported", |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 279 | QCryptoCipherAlgorithm_str(alg)); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 280 | return NULL; |
| 281 | } |
| 282 | |
| 283 | /* XXX replace with qapi_enum_parse() in future, when we can |
| 284 | * make that function emit a more friendly error message */ |
| 285 | static int qcrypto_block_luks_name_lookup(const char *name, |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 286 | const QEnumLookup *map, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 287 | const char *type, |
| 288 | Error **errp) |
| 289 | { |
Markus Armbruster | 9ae3307 | 2017-08-24 10:46:04 +0200 | [diff] [blame] | 290 | int ret = qapi_enum_parse(map, name, -1, NULL); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 291 | |
Markus Armbruster | 9ae3307 | 2017-08-24 10:46:04 +0200 | [diff] [blame] | 292 | if (ret < 0) { |
| 293 | error_setg(errp, "%s %s not supported", type, name); |
| 294 | return 0; |
| 295 | } |
| 296 | return ret; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 297 | } |
| 298 | |
| 299 | #define qcrypto_block_luks_cipher_mode_lookup(name, errp) \ |
| 300 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 301 | &QCryptoCipherMode_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 302 | "Cipher mode", \ |
| 303 | errp) |
| 304 | |
| 305 | #define qcrypto_block_luks_hash_name_lookup(name, errp) \ |
| 306 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 307 | &QCryptoHashAlgorithm_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 308 | "Hash algorithm", \ |
| 309 | errp) |
| 310 | |
| 311 | #define qcrypto_block_luks_ivgen_name_lookup(name, errp) \ |
| 312 | qcrypto_block_luks_name_lookup(name, \ |
Marc-André Lureau | f7abe0e | 2017-08-24 10:46:10 +0200 | [diff] [blame] | 313 | &QCryptoIVGenAlgorithm_lookup, \ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 314 | "IV generator", \ |
| 315 | errp) |
| 316 | |
| 317 | |
| 318 | static bool |
| 319 | qcrypto_block_luks_has_format(const uint8_t *buf, |
| 320 | size_t buf_size) |
| 321 | { |
| 322 | const QCryptoBlockLUKSHeader *luks_header = (const void *)buf; |
| 323 | |
| 324 | if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) && |
| 325 | memcmp(luks_header->magic, qcrypto_block_luks_magic, |
| 326 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 && |
| 327 | be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) { |
| 328 | return true; |
| 329 | } else { |
| 330 | return false; |
| 331 | } |
| 332 | } |
| 333 | |
| 334 | |
| 335 | /** |
| 336 | * Deal with a quirk of dm-crypt usage of ESSIV. |
| 337 | * |
| 338 | * When calculating ESSIV IVs, the cipher length used by ESSIV |
| 339 | * may be different from the cipher length used for the block |
| 340 | * encryption, becauses dm-crypt uses the hash digest length |
| 341 | * as the key size. ie, if you have AES 128 as the block cipher |
| 342 | * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as |
| 343 | * the cipher since that gets a key length matching the digest |
| 344 | * size, not AES 128 with truncated digest as might be imagined |
| 345 | */ |
| 346 | static QCryptoCipherAlgorithm |
| 347 | qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher, |
| 348 | QCryptoHashAlgorithm hash, |
| 349 | Error **errp) |
| 350 | { |
| 351 | size_t digestlen = qcrypto_hash_digest_len(hash); |
| 352 | size_t keylen = qcrypto_cipher_get_key_len(cipher); |
| 353 | if (digestlen == keylen) { |
| 354 | return cipher; |
| 355 | } |
| 356 | |
| 357 | switch (cipher) { |
| 358 | case QCRYPTO_CIPHER_ALG_AES_128: |
| 359 | case QCRYPTO_CIPHER_ALG_AES_192: |
| 360 | case QCRYPTO_CIPHER_ALG_AES_256: |
| 361 | if (digestlen == qcrypto_cipher_get_key_len( |
| 362 | QCRYPTO_CIPHER_ALG_AES_128)) { |
| 363 | return QCRYPTO_CIPHER_ALG_AES_128; |
| 364 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 365 | QCRYPTO_CIPHER_ALG_AES_192)) { |
| 366 | return QCRYPTO_CIPHER_ALG_AES_192; |
| 367 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 368 | QCRYPTO_CIPHER_ALG_AES_256)) { |
| 369 | return QCRYPTO_CIPHER_ALG_AES_256; |
| 370 | } else { |
| 371 | error_setg(errp, "No AES cipher with key size %zu available", |
| 372 | digestlen); |
| 373 | return 0; |
| 374 | } |
| 375 | break; |
| 376 | case QCRYPTO_CIPHER_ALG_SERPENT_128: |
| 377 | case QCRYPTO_CIPHER_ALG_SERPENT_192: |
| 378 | case QCRYPTO_CIPHER_ALG_SERPENT_256: |
| 379 | if (digestlen == qcrypto_cipher_get_key_len( |
| 380 | QCRYPTO_CIPHER_ALG_SERPENT_128)) { |
| 381 | return QCRYPTO_CIPHER_ALG_SERPENT_128; |
| 382 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 383 | QCRYPTO_CIPHER_ALG_SERPENT_192)) { |
| 384 | return QCRYPTO_CIPHER_ALG_SERPENT_192; |
| 385 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 386 | QCRYPTO_CIPHER_ALG_SERPENT_256)) { |
| 387 | return QCRYPTO_CIPHER_ALG_SERPENT_256; |
| 388 | } else { |
| 389 | error_setg(errp, "No Serpent cipher with key size %zu available", |
| 390 | digestlen); |
| 391 | return 0; |
| 392 | } |
| 393 | break; |
| 394 | case QCRYPTO_CIPHER_ALG_TWOFISH_128: |
| 395 | case QCRYPTO_CIPHER_ALG_TWOFISH_192: |
| 396 | case QCRYPTO_CIPHER_ALG_TWOFISH_256: |
| 397 | if (digestlen == qcrypto_cipher_get_key_len( |
| 398 | QCRYPTO_CIPHER_ALG_TWOFISH_128)) { |
| 399 | return QCRYPTO_CIPHER_ALG_TWOFISH_128; |
| 400 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 401 | QCRYPTO_CIPHER_ALG_TWOFISH_192)) { |
| 402 | return QCRYPTO_CIPHER_ALG_TWOFISH_192; |
| 403 | } else if (digestlen == qcrypto_cipher_get_key_len( |
| 404 | QCRYPTO_CIPHER_ALG_TWOFISH_256)) { |
| 405 | return QCRYPTO_CIPHER_ALG_TWOFISH_256; |
| 406 | } else { |
| 407 | error_setg(errp, "No Twofish cipher with key size %zu available", |
| 408 | digestlen); |
| 409 | return 0; |
| 410 | } |
| 411 | break; |
| 412 | default: |
| 413 | error_setg(errp, "Cipher %s not supported with essiv", |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 414 | QCryptoCipherAlgorithm_str(cipher)); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 415 | return 0; |
| 416 | } |
| 417 | } |
| 418 | |
| 419 | /* |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 420 | * Returns number of sectors needed to store the key material |
| 421 | * given number of anti forensic stripes |
| 422 | */ |
| 423 | static int |
| 424 | qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks, |
| 425 | unsigned int header_sectors, |
| 426 | unsigned int stripes) |
| 427 | { |
| 428 | /* |
| 429 | * This calculation doesn't match that shown in the spec, |
| 430 | * but instead follows the cryptsetup implementation. |
| 431 | */ |
| 432 | |
| 433 | size_t splitkeylen = luks->header.master_key_len * stripes; |
| 434 | |
| 435 | /* First align the key material size to block size*/ |
| 436 | size_t splitkeylen_sectors = |
| 437 | DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE); |
| 438 | |
| 439 | /* Then also align the key material size to the size of the header */ |
| 440 | return ROUND_UP(splitkeylen_sectors, header_sectors); |
| 441 | } |
| 442 | |
| 443 | /* |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 444 | * Stores the main LUKS header, taking care of endianess |
| 445 | */ |
| 446 | static int |
| 447 | qcrypto_block_luks_store_header(QCryptoBlock *block, |
| 448 | QCryptoBlockWriteFunc writefunc, |
| 449 | void *opaque, |
| 450 | Error **errp) |
| 451 | { |
| 452 | const QCryptoBlockLUKS *luks = block->opaque; |
| 453 | Error *local_err = NULL; |
| 454 | size_t i; |
| 455 | g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL; |
| 456 | |
| 457 | /* Create a copy of the header */ |
| 458 | hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1); |
| 459 | memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader)); |
| 460 | |
| 461 | /* |
| 462 | * Everything on disk uses Big Endian (tm), so flip header fields |
| 463 | * before writing them |
| 464 | */ |
| 465 | cpu_to_be16s(&hdr_copy->version); |
| 466 | cpu_to_be32s(&hdr_copy->payload_offset_sector); |
| 467 | cpu_to_be32s(&hdr_copy->master_key_len); |
| 468 | cpu_to_be32s(&hdr_copy->master_key_iterations); |
| 469 | |
| 470 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 471 | cpu_to_be32s(&hdr_copy->key_slots[i].active); |
| 472 | cpu_to_be32s(&hdr_copy->key_slots[i].iterations); |
| 473 | cpu_to_be32s(&hdr_copy->key_slots[i].key_offset_sector); |
| 474 | cpu_to_be32s(&hdr_copy->key_slots[i].stripes); |
| 475 | } |
| 476 | |
| 477 | /* Write out the partition header and key slot headers */ |
| 478 | writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy), |
| 479 | opaque, &local_err); |
| 480 | |
| 481 | if (local_err) { |
| 482 | error_propagate(errp, local_err); |
| 483 | return -1; |
| 484 | } |
| 485 | return 0; |
| 486 | } |
| 487 | |
| 488 | /* |
| 489 | * Loads the main LUKS header,and byteswaps it to native endianess |
| 490 | * And run basic sanity checks on it |
| 491 | */ |
| 492 | static int |
| 493 | qcrypto_block_luks_load_header(QCryptoBlock *block, |
| 494 | QCryptoBlockReadFunc readfunc, |
| 495 | void *opaque, |
| 496 | Error **errp) |
| 497 | { |
| 498 | ssize_t rv; |
| 499 | size_t i; |
| 500 | QCryptoBlockLUKS *luks = block->opaque; |
| 501 | |
| 502 | /* |
| 503 | * Read the entire LUKS header, minus the key material from |
| 504 | * the underlying device |
| 505 | */ |
| 506 | rv = readfunc(block, 0, |
| 507 | (uint8_t *)&luks->header, |
| 508 | sizeof(luks->header), |
| 509 | opaque, |
| 510 | errp); |
| 511 | if (rv < 0) { |
| 512 | return rv; |
| 513 | } |
| 514 | |
| 515 | /* |
| 516 | * The header is always stored in big-endian format, so |
| 517 | * convert everything to native |
| 518 | */ |
| 519 | be16_to_cpus(&luks->header.version); |
| 520 | be32_to_cpus(&luks->header.payload_offset_sector); |
| 521 | be32_to_cpus(&luks->header.master_key_len); |
| 522 | be32_to_cpus(&luks->header.master_key_iterations); |
| 523 | |
| 524 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 525 | be32_to_cpus(&luks->header.key_slots[i].active); |
| 526 | be32_to_cpus(&luks->header.key_slots[i].iterations); |
| 527 | be32_to_cpus(&luks->header.key_slots[i].key_offset_sector); |
| 528 | be32_to_cpus(&luks->header.key_slots[i].stripes); |
| 529 | } |
| 530 | |
| 531 | return 0; |
| 532 | } |
| 533 | |
| 534 | /* |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 535 | * Does basic sanity checks on the LUKS header |
| 536 | */ |
| 537 | static int |
| 538 | qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp) |
| 539 | { |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 540 | size_t i, j; |
| 541 | |
| 542 | unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / |
| 543 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
| 544 | |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 545 | if (memcmp(luks->header.magic, qcrypto_block_luks_magic, |
| 546 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) { |
| 547 | error_setg(errp, "Volume is not in LUKS format"); |
| 548 | return -1; |
| 549 | } |
| 550 | |
| 551 | if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) { |
| 552 | error_setg(errp, "LUKS version %" PRIu32 " is not supported", |
| 553 | luks->header.version); |
| 554 | return -1; |
| 555 | } |
Maxim Levitsky | befdba9 | 2019-09-26 00:35:26 +0300 | [diff] [blame] | 556 | |
| 557 | /* Check all keyslots for corruption */ |
| 558 | for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) { |
| 559 | |
| 560 | const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i]; |
| 561 | unsigned int start1 = slot1->key_offset_sector; |
| 562 | unsigned int len1 = |
| 563 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 564 | header_sectors, |
| 565 | slot1->stripes); |
| 566 | |
| 567 | if (slot1->stripes == 0) { |
| 568 | error_setg(errp, "Keyslot %zu is corrupted (stripes == 0)", i); |
| 569 | return -1; |
| 570 | } |
| 571 | |
| 572 | if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED && |
| 573 | slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { |
| 574 | error_setg(errp, |
| 575 | "Keyslot %zu state (active/disable) is corrupted", i); |
| 576 | return -1; |
| 577 | } |
| 578 | |
| 579 | if (start1 + len1 > luks->header.payload_offset_sector) { |
| 580 | error_setg(errp, |
| 581 | "Keyslot %zu is overlapping with the encrypted payload", |
| 582 | i); |
| 583 | return -1; |
| 584 | } |
| 585 | |
| 586 | for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) { |
| 587 | const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j]; |
| 588 | unsigned int start2 = slot2->key_offset_sector; |
| 589 | unsigned int len2 = |
| 590 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 591 | header_sectors, |
| 592 | slot2->stripes); |
| 593 | |
| 594 | if (start1 + len1 > start2 && start2 + len2 > start1) { |
| 595 | error_setg(errp, |
| 596 | "Keyslots %zu and %zu are overlapping in the header", |
| 597 | i, j); |
| 598 | return -1; |
| 599 | } |
| 600 | } |
| 601 | |
| 602 | } |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 603 | return 0; |
| 604 | } |
| 605 | |
| 606 | /* |
| 607 | * Parses the crypto parameters that are stored in the LUKS header |
| 608 | */ |
| 609 | |
| 610 | static int |
| 611 | qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp) |
| 612 | { |
| 613 | g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode); |
| 614 | char *ivgen_name, *ivhash_name; |
| 615 | Error *local_err = NULL; |
| 616 | |
| 617 | /* |
| 618 | * The cipher_mode header contains a string that we have |
| 619 | * to further parse, of the format |
| 620 | * |
| 621 | * <cipher-mode>-<iv-generator>[:<iv-hash>] |
| 622 | * |
| 623 | * eg cbc-essiv:sha256, cbc-plain64 |
| 624 | */ |
| 625 | ivgen_name = strchr(cipher_mode, '-'); |
| 626 | if (!ivgen_name) { |
| 627 | error_setg(errp, "Unexpected cipher mode string format %s", |
| 628 | luks->header.cipher_mode); |
| 629 | return -1; |
| 630 | } |
| 631 | *ivgen_name = '\0'; |
| 632 | ivgen_name++; |
| 633 | |
| 634 | ivhash_name = strchr(ivgen_name, ':'); |
| 635 | if (!ivhash_name) { |
| 636 | luks->ivgen_hash_alg = 0; |
| 637 | } else { |
| 638 | *ivhash_name = '\0'; |
| 639 | ivhash_name++; |
| 640 | |
| 641 | luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name, |
| 642 | &local_err); |
| 643 | if (local_err) { |
| 644 | error_propagate(errp, local_err); |
| 645 | return -1; |
| 646 | } |
| 647 | } |
| 648 | |
| 649 | luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode, |
| 650 | &local_err); |
| 651 | if (local_err) { |
| 652 | error_propagate(errp, local_err); |
| 653 | return -1; |
| 654 | } |
| 655 | |
| 656 | luks->cipher_alg = |
| 657 | qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name, |
| 658 | luks->cipher_mode, |
| 659 | luks->header.master_key_len, |
| 660 | &local_err); |
| 661 | if (local_err) { |
| 662 | error_propagate(errp, local_err); |
| 663 | return -1; |
| 664 | } |
| 665 | |
| 666 | luks->hash_alg = |
| 667 | qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec, |
| 668 | &local_err); |
| 669 | if (local_err) { |
| 670 | error_propagate(errp, local_err); |
| 671 | return -1; |
| 672 | } |
| 673 | |
| 674 | luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name, |
| 675 | &local_err); |
| 676 | if (local_err) { |
| 677 | error_propagate(errp, local_err); |
| 678 | return -1; |
| 679 | } |
| 680 | |
| 681 | if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 682 | if (!ivhash_name) { |
| 683 | error_setg(errp, "Missing IV generator hash specification"); |
| 684 | return -1; |
| 685 | } |
| 686 | luks->ivgen_cipher_alg = |
| 687 | qcrypto_block_luks_essiv_cipher(luks->cipher_alg, |
| 688 | luks->ivgen_hash_alg, |
| 689 | &local_err); |
| 690 | if (local_err) { |
| 691 | error_propagate(errp, local_err); |
| 692 | return -1; |
| 693 | } |
| 694 | } else { |
| 695 | |
| 696 | /* |
| 697 | * Note we parsed the ivhash_name earlier in the cipher_mode |
| 698 | * spec string even with plain/plain64 ivgens, but we |
| 699 | * will ignore it, since it is irrelevant for these ivgens. |
| 700 | * This is for compat with dm-crypt which will silently |
| 701 | * ignore hash names with these ivgens rather than report |
| 702 | * an error about the invalid usage |
| 703 | */ |
| 704 | luks->ivgen_cipher_alg = luks->cipher_alg; |
| 705 | } |
| 706 | return 0; |
| 707 | } |
| 708 | |
| 709 | /* |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 710 | * Given a key slot, user password, and the master key, |
| 711 | * will store the encrypted master key there, and update the |
| 712 | * in-memory header. User must then write the in-memory header |
| 713 | * |
| 714 | * Returns: |
| 715 | * 0 if the keyslot was written successfully |
| 716 | * with the provided password |
| 717 | * -1 if a fatal error occurred while storing the key |
| 718 | */ |
| 719 | static int |
| 720 | qcrypto_block_luks_store_key(QCryptoBlock *block, |
| 721 | unsigned int slot_idx, |
| 722 | const char *password, |
| 723 | uint8_t *masterkey, |
| 724 | uint64_t iter_time, |
| 725 | QCryptoBlockWriteFunc writefunc, |
| 726 | void *opaque, |
| 727 | Error **errp) |
| 728 | { |
| 729 | QCryptoBlockLUKS *luks = block->opaque; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 730 | QCryptoBlockLUKSKeySlot *slot; |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 731 | g_autofree uint8_t *splitkey = NULL; |
| 732 | size_t splitkeylen; |
| 733 | g_autofree uint8_t *slotkey = NULL; |
| 734 | g_autoptr(QCryptoCipher) cipher = NULL; |
| 735 | g_autoptr(QCryptoIVGen) ivgen = NULL; |
| 736 | Error *local_err = NULL; |
| 737 | uint64_t iters; |
| 738 | int ret = -1; |
| 739 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 740 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 741 | slot = &luks->header.key_slots[slot_idx]; |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 742 | if (qcrypto_random_bytes(slot->salt, |
| 743 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 744 | errp) < 0) { |
| 745 | goto cleanup; |
| 746 | } |
| 747 | |
| 748 | splitkeylen = luks->header.master_key_len * slot->stripes; |
| 749 | |
| 750 | /* |
| 751 | * Determine how many iterations are required to |
| 752 | * hash the user password while consuming 1 second of compute |
| 753 | * time |
| 754 | */ |
| 755 | iters = qcrypto_pbkdf2_count_iters(luks->hash_alg, |
| 756 | (uint8_t *)password, strlen(password), |
| 757 | slot->salt, |
| 758 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 759 | luks->header.master_key_len, |
| 760 | &local_err); |
| 761 | if (local_err) { |
| 762 | error_propagate(errp, local_err); |
| 763 | goto cleanup; |
| 764 | } |
| 765 | |
| 766 | if (iters > (ULLONG_MAX / iter_time)) { |
| 767 | error_setg_errno(errp, ERANGE, |
| 768 | "PBKDF iterations %llu too large to scale", |
| 769 | (unsigned long long)iters); |
| 770 | goto cleanup; |
| 771 | } |
| 772 | |
| 773 | /* iter_time was in millis, but count_iters reported for secs */ |
| 774 | iters = iters * iter_time / 1000; |
| 775 | |
| 776 | if (iters > UINT32_MAX) { |
| 777 | error_setg_errno(errp, ERANGE, |
| 778 | "PBKDF iterations %llu larger than %u", |
| 779 | (unsigned long long)iters, UINT32_MAX); |
| 780 | goto cleanup; |
| 781 | } |
| 782 | |
| 783 | slot->iterations = |
| 784 | MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS); |
| 785 | |
| 786 | |
| 787 | /* |
| 788 | * Generate a key that we'll use to encrypt the master |
| 789 | * key, from the user's password |
| 790 | */ |
| 791 | slotkey = g_new0(uint8_t, luks->header.master_key_len); |
| 792 | if (qcrypto_pbkdf2(luks->hash_alg, |
| 793 | (uint8_t *)password, strlen(password), |
| 794 | slot->salt, |
| 795 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 796 | slot->iterations, |
| 797 | slotkey, luks->header.master_key_len, |
| 798 | errp) < 0) { |
| 799 | goto cleanup; |
| 800 | } |
| 801 | |
| 802 | |
| 803 | /* |
| 804 | * Setup the encryption objects needed to encrypt the |
| 805 | * master key material |
| 806 | */ |
| 807 | cipher = qcrypto_cipher_new(luks->cipher_alg, |
| 808 | luks->cipher_mode, |
| 809 | slotkey, luks->header.master_key_len, |
| 810 | errp); |
| 811 | if (!cipher) { |
| 812 | goto cleanup; |
| 813 | } |
| 814 | |
| 815 | ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 816 | luks->ivgen_cipher_alg, |
| 817 | luks->ivgen_hash_alg, |
| 818 | slotkey, luks->header.master_key_len, |
| 819 | errp); |
| 820 | if (!ivgen) { |
| 821 | goto cleanup; |
| 822 | } |
| 823 | |
| 824 | /* |
| 825 | * Before storing the master key, we need to vastly |
| 826 | * increase its size, as protection against forensic |
| 827 | * disk data recovery |
| 828 | */ |
| 829 | splitkey = g_new0(uint8_t, splitkeylen); |
| 830 | |
| 831 | if (qcrypto_afsplit_encode(luks->hash_alg, |
| 832 | luks->header.master_key_len, |
| 833 | slot->stripes, |
| 834 | masterkey, |
| 835 | splitkey, |
| 836 | errp) < 0) { |
| 837 | goto cleanup; |
| 838 | } |
| 839 | |
| 840 | /* |
| 841 | * Now we encrypt the split master key with the key generated |
| 842 | * from the user's password, before storing it |
| 843 | */ |
| 844 | if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen, |
| 845 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 846 | 0, |
| 847 | splitkey, |
| 848 | splitkeylen, |
| 849 | errp) < 0) { |
| 850 | goto cleanup; |
| 851 | } |
| 852 | |
| 853 | /* Write out the slot's master key material. */ |
| 854 | if (writefunc(block, |
| 855 | slot->key_offset_sector * |
| 856 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 857 | splitkey, splitkeylen, |
| 858 | opaque, |
| 859 | errp) != splitkeylen) { |
| 860 | goto cleanup; |
| 861 | } |
| 862 | |
| 863 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
| 864 | |
| 865 | if (qcrypto_block_luks_store_header(block, writefunc, opaque, errp) < 0) { |
| 866 | goto cleanup; |
| 867 | } |
| 868 | |
| 869 | ret = 0; |
| 870 | |
| 871 | cleanup: |
| 872 | if (slotkey) { |
| 873 | memset(slotkey, 0, luks->header.master_key_len); |
| 874 | } |
| 875 | if (splitkey) { |
| 876 | memset(splitkey, 0, splitkeylen); |
| 877 | } |
| 878 | return ret; |
| 879 | } |
| 880 | |
| 881 | /* |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 882 | * Given a key slot, and user password, this will attempt to unlock |
| 883 | * the master encryption key from the key slot. |
| 884 | * |
| 885 | * Returns: |
| 886 | * 0 if the key slot is disabled, or key could not be decrypted |
| 887 | * with the provided password |
| 888 | * 1 if the key slot is enabled, and key decrypted successfully |
| 889 | * with the provided password |
| 890 | * -1 if a fatal error occurred loading the key |
| 891 | */ |
| 892 | static int |
| 893 | qcrypto_block_luks_load_key(QCryptoBlock *block, |
Maxim Levitsky | 7e60a6f | 2019-09-26 00:35:19 +0300 | [diff] [blame] | 894 | size_t slot_idx, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 895 | const char *password, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 896 | uint8_t *masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 897 | QCryptoBlockReadFunc readfunc, |
| 898 | void *opaque, |
| 899 | Error **errp) |
| 900 | { |
| 901 | QCryptoBlockLUKS *luks = block->opaque; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 902 | const QCryptoBlockLUKSKeySlot *slot; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 903 | g_autofree uint8_t *splitkey = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 904 | size_t splitkeylen; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 905 | g_autofree uint8_t *possiblekey = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 906 | ssize_t rv; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 907 | g_autoptr(QCryptoCipher) cipher = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 908 | uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN]; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 909 | g_autoptr(QCryptoIVGen) ivgen = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 910 | size_t niv; |
| 911 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 912 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 913 | slot = &luks->header.key_slots[slot_idx]; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 914 | if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) { |
| 915 | return 0; |
| 916 | } |
| 917 | |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 918 | splitkeylen = luks->header.master_key_len * slot->stripes; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 919 | splitkey = g_new0(uint8_t, splitkeylen); |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 920 | possiblekey = g_new0(uint8_t, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 921 | |
| 922 | /* |
| 923 | * The user password is used to generate a (possible) |
| 924 | * decryption key. This may or may not successfully |
| 925 | * decrypt the master key - we just blindly assume |
| 926 | * the key is correct and validate the results of |
| 927 | * decryption later. |
| 928 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 929 | if (qcrypto_pbkdf2(luks->hash_alg, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 930 | (const uint8_t *)password, strlen(password), |
| 931 | slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 932 | slot->iterations, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 933 | possiblekey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 934 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 935 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 936 | } |
| 937 | |
| 938 | /* |
| 939 | * We need to read the master key material from the |
| 940 | * LUKS key material header. What we're reading is |
| 941 | * not the raw master key, but rather the data after |
| 942 | * it has been passed through AFSplit and the result |
| 943 | * then encrypted. |
| 944 | */ |
| 945 | rv = readfunc(block, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 946 | slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 947 | splitkey, splitkeylen, |
Daniel P. Berrange | e4a3507 | 2017-04-24 16:33:15 +0100 | [diff] [blame] | 948 | opaque, |
Fam Zheng | 3750923 | 2017-04-21 20:27:02 +0800 | [diff] [blame] | 949 | errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 950 | if (rv < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 951 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 952 | } |
| 953 | |
| 954 | |
| 955 | /* Setup the cipher/ivgen that we'll use to try to decrypt |
| 956 | * the split master key material */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 957 | cipher = qcrypto_cipher_new(luks->cipher_alg, |
| 958 | luks->cipher_mode, |
| 959 | possiblekey, |
| 960 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 961 | errp); |
| 962 | if (!cipher) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 963 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 964 | } |
| 965 | |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 966 | niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, |
| 967 | luks->cipher_mode); |
| 968 | |
| 969 | ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 970 | luks->ivgen_cipher_alg, |
| 971 | luks->ivgen_hash_alg, |
| 972 | possiblekey, |
| 973 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 974 | errp); |
| 975 | if (!ivgen) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 976 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 977 | } |
| 978 | |
| 979 | |
| 980 | /* |
| 981 | * The master key needs to be decrypted in the same |
| 982 | * way that the block device payload will be decrypted |
| 983 | * later. In particular we'll be using the IV generator |
| 984 | * to reset the encryption cipher every time the master |
| 985 | * key crosses a sector boundary. |
| 986 | */ |
Vladimir Sementsov-Ogievskiy | 0270417 | 2018-12-07 19:13:49 +0300 | [diff] [blame] | 987 | if (qcrypto_block_cipher_decrypt_helper(cipher, |
| 988 | niv, |
| 989 | ivgen, |
| 990 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 991 | 0, |
| 992 | splitkey, |
| 993 | splitkeylen, |
| 994 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 995 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 996 | } |
| 997 | |
| 998 | /* |
| 999 | * Now we've decrypted the split master key, join |
| 1000 | * it back together to get the actual master key. |
| 1001 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1002 | if (qcrypto_afsplit_decode(luks->hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1003 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1004 | slot->stripes, |
| 1005 | splitkey, |
| 1006 | masterkey, |
| 1007 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1008 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1009 | } |
| 1010 | |
| 1011 | |
| 1012 | /* |
| 1013 | * We still don't know that the masterkey we got is valid, |
| 1014 | * because we just blindly assumed the user's password |
| 1015 | * was correct. This is where we now verify it. We are |
| 1016 | * creating a hash of the master key using PBKDF and |
| 1017 | * then comparing that to the hash stored in the key slot |
| 1018 | * header |
| 1019 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1020 | if (qcrypto_pbkdf2(luks->hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1021 | masterkey, |
| 1022 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1023 | luks->header.master_key_salt, |
| 1024 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1025 | luks->header.master_key_iterations, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1026 | keydigest, |
| 1027 | G_N_ELEMENTS(keydigest), |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1028 | errp) < 0) { |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1029 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1030 | } |
| 1031 | |
| 1032 | if (memcmp(keydigest, luks->header.master_key_digest, |
| 1033 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) { |
| 1034 | /* Success, we got the right master key */ |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1035 | return 1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1036 | } |
| 1037 | |
| 1038 | /* Fail, user's password was not valid for this key slot, |
| 1039 | * tell caller to try another slot */ |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1040 | return 0; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1041 | } |
| 1042 | |
| 1043 | |
| 1044 | /* |
| 1045 | * Given a user password, this will iterate over all key |
| 1046 | * slots and try to unlock each active key slot using the |
| 1047 | * password until it successfully obtains a master key. |
| 1048 | * |
| 1049 | * Returns 0 if a key was loaded, -1 if no keys could be loaded |
| 1050 | */ |
| 1051 | static int |
| 1052 | qcrypto_block_luks_find_key(QCryptoBlock *block, |
| 1053 | const char *password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1054 | uint8_t *masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1055 | QCryptoBlockReadFunc readfunc, |
| 1056 | void *opaque, |
| 1057 | Error **errp) |
| 1058 | { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1059 | size_t i; |
| 1060 | int rv; |
| 1061 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1062 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1063 | rv = qcrypto_block_luks_load_key(block, |
Maxim Levitsky | 7e60a6f | 2019-09-26 00:35:19 +0300 | [diff] [blame] | 1064 | i, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1065 | password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1066 | masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1067 | readfunc, |
| 1068 | opaque, |
| 1069 | errp); |
| 1070 | if (rv < 0) { |
| 1071 | goto error; |
| 1072 | } |
| 1073 | if (rv == 1) { |
| 1074 | return 0; |
| 1075 | } |
| 1076 | } |
| 1077 | |
| 1078 | error_setg(errp, "Invalid password, cannot unlock any keyslot"); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1079 | error: |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1080 | return -1; |
| 1081 | } |
| 1082 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1083 | /* |
| 1084 | * Returns true if a slot i is marked as active |
| 1085 | * (contains encrypted copy of the master key) |
| 1086 | */ |
| 1087 | static bool |
| 1088 | qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks, |
| 1089 | unsigned int slot_idx) |
| 1090 | { |
| 1091 | uint32_t val; |
| 1092 | |
| 1093 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1094 | val = luks->header.key_slots[slot_idx].active; |
| 1095 | return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
| 1096 | } |
| 1097 | |
| 1098 | /* |
| 1099 | * Returns the number of slots that are marked as active |
| 1100 | * (slots that contain encrypted copy of the master key) |
| 1101 | */ |
| 1102 | static unsigned int |
| 1103 | qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks) |
| 1104 | { |
| 1105 | size_t i = 0; |
| 1106 | unsigned int ret = 0; |
| 1107 | |
| 1108 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1109 | if (qcrypto_block_luks_slot_active(luks, i)) { |
| 1110 | ret++; |
| 1111 | } |
| 1112 | } |
| 1113 | return ret; |
| 1114 | } |
| 1115 | |
| 1116 | /* |
| 1117 | * Finds first key slot which is not active |
| 1118 | * Returns the key slot index, or -1 if it doesn't exist |
| 1119 | */ |
| 1120 | static int |
| 1121 | qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks) |
| 1122 | { |
| 1123 | size_t i; |
| 1124 | |
| 1125 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1126 | if (!qcrypto_block_luks_slot_active(luks, i)) { |
| 1127 | return i; |
| 1128 | } |
| 1129 | } |
| 1130 | return -1; |
| 1131 | } |
| 1132 | |
| 1133 | /* |
| 1134 | * Erases an keyslot given its index |
| 1135 | * Returns: |
| 1136 | * 0 if the keyslot was erased successfully |
| 1137 | * -1 if a error occurred while erasing the keyslot |
| 1138 | * |
| 1139 | */ |
| 1140 | static int |
| 1141 | qcrypto_block_luks_erase_key(QCryptoBlock *block, |
| 1142 | unsigned int slot_idx, |
| 1143 | QCryptoBlockWriteFunc writefunc, |
| 1144 | void *opaque, |
| 1145 | Error **errp) |
| 1146 | { |
| 1147 | QCryptoBlockLUKS *luks = block->opaque; |
| 1148 | QCryptoBlockLUKSKeySlot *slot; |
| 1149 | g_autofree uint8_t *garbagesplitkey = NULL; |
| 1150 | size_t splitkeylen; |
| 1151 | size_t i; |
| 1152 | Error *local_err = NULL; |
| 1153 | int ret; |
| 1154 | |
| 1155 | assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1156 | slot = &luks->header.key_slots[slot_idx]; |
| 1157 | |
| 1158 | splitkeylen = luks->header.master_key_len * slot->stripes; |
| 1159 | assert(splitkeylen > 0); |
| 1160 | |
| 1161 | garbagesplitkey = g_new0(uint8_t, splitkeylen); |
| 1162 | |
| 1163 | /* Reset the key slot header */ |
| 1164 | memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN); |
| 1165 | slot->iterations = 0; |
| 1166 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; |
| 1167 | |
| 1168 | ret = qcrypto_block_luks_store_header(block, writefunc, |
| 1169 | opaque, &local_err); |
| 1170 | |
| 1171 | if (ret < 0) { |
| 1172 | error_propagate(errp, local_err); |
| 1173 | } |
| 1174 | /* |
| 1175 | * Now try to erase the key material, even if the header |
| 1176 | * update failed |
| 1177 | */ |
| 1178 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) { |
| 1179 | if (qcrypto_random_bytes(garbagesplitkey, |
| 1180 | splitkeylen, &local_err) < 0) { |
| 1181 | /* |
| 1182 | * If we failed to get the random data, still write |
| 1183 | * at least zeros to the key slot at least once |
| 1184 | */ |
| 1185 | error_propagate(errp, local_err); |
| 1186 | |
| 1187 | if (i > 0) { |
| 1188 | return -1; |
| 1189 | } |
| 1190 | } |
| 1191 | if (writefunc(block, |
| 1192 | slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1193 | garbagesplitkey, |
| 1194 | splitkeylen, |
| 1195 | opaque, |
| 1196 | &local_err) != splitkeylen) { |
| 1197 | error_propagate(errp, local_err); |
| 1198 | return -1; |
| 1199 | } |
| 1200 | } |
| 1201 | return ret; |
| 1202 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1203 | |
| 1204 | static int |
| 1205 | qcrypto_block_luks_open(QCryptoBlock *block, |
| 1206 | QCryptoBlockOpenOptions *options, |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1207 | const char *optprefix, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1208 | QCryptoBlockReadFunc readfunc, |
| 1209 | void *opaque, |
| 1210 | unsigned int flags, |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1211 | size_t n_threads, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1212 | Error **errp) |
| 1213 | { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1214 | QCryptoBlockLUKS *luks = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1215 | g_autofree uint8_t *masterkey = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1216 | g_autofree char *password = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1217 | |
| 1218 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { |
| 1219 | if (!options->u.luks.key_secret) { |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1220 | error_setg(errp, "Parameter '%skey-secret' is required for cipher", |
| 1221 | optprefix ? optprefix : ""); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1222 | return -1; |
| 1223 | } |
| 1224 | password = qcrypto_secret_lookup_as_utf8( |
| 1225 | options->u.luks.key_secret, errp); |
| 1226 | if (!password) { |
| 1227 | return -1; |
| 1228 | } |
| 1229 | } |
| 1230 | |
| 1231 | luks = g_new0(QCryptoBlockLUKS, 1); |
| 1232 | block->opaque = luks; |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1233 | luks->secret = g_strdup(options->u.luks.key_secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1234 | |
Maxim Levitsky | dde2c5a | 2019-09-26 00:35:22 +0300 | [diff] [blame] | 1235 | if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1236 | goto fail; |
| 1237 | } |
| 1238 | |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 1239 | if (qcrypto_block_luks_check_header(luks, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1240 | goto fail; |
| 1241 | } |
| 1242 | |
Maxim Levitsky | 9fa9c1c | 2019-09-26 00:35:23 +0300 | [diff] [blame] | 1243 | if (qcrypto_block_luks_parse_header(luks, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1244 | goto fail; |
| 1245 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1246 | |
| 1247 | if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) { |
| 1248 | /* Try to find which key slot our password is valid for |
| 1249 | * and unlock the master key from that slot. |
| 1250 | */ |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1251 | |
| 1252 | masterkey = g_new0(uint8_t, luks->header.master_key_len); |
| 1253 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1254 | if (qcrypto_block_luks_find_key(block, |
| 1255 | password, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1256 | masterkey, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1257 | readfunc, opaque, |
| 1258 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1259 | goto fail; |
| 1260 | } |
| 1261 | |
| 1262 | /* We have a valid master key now, so can setup the |
| 1263 | * block device payload decryption objects |
| 1264 | */ |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1265 | block->kdfhash = luks->hash_alg; |
| 1266 | block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg, |
| 1267 | luks->cipher_mode); |
| 1268 | |
| 1269 | block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg, |
| 1270 | luks->ivgen_cipher_alg, |
| 1271 | luks->ivgen_hash_alg, |
Maxim Levitsky | 1ddd52e | 2019-09-26 00:35:18 +0300 | [diff] [blame] | 1272 | masterkey, |
| 1273 | luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1274 | errp); |
| 1275 | if (!block->ivgen) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1276 | goto fail; |
| 1277 | } |
| 1278 | |
Maxim Levitsky | 61dd8a9 | 2019-09-26 00:35:21 +0300 | [diff] [blame] | 1279 | if (qcrypto_block_init_cipher(block, |
| 1280 | luks->cipher_alg, |
| 1281 | luks->cipher_mode, |
| 1282 | masterkey, |
| 1283 | luks->header.master_key_len, |
| 1284 | n_threads, |
| 1285 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1286 | goto fail; |
| 1287 | } |
| 1288 | } |
| 1289 | |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1290 | block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1291 | block->payload_offset = luks->header.payload_offset_sector * |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1292 | block->sector_size; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1293 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1294 | return 0; |
| 1295 | |
| 1296 | fail: |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1297 | qcrypto_block_free_cipher(block); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1298 | qcrypto_ivgen_free(block->ivgen); |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1299 | g_free(luks->secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1300 | g_free(luks); |
Maxim Levitsky | 61dd8a9 | 2019-09-26 00:35:21 +0300 | [diff] [blame] | 1301 | return -1; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1302 | } |
| 1303 | |
| 1304 | |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1305 | static void |
| 1306 | qcrypto_block_luks_uuid_gen(uint8_t *uuidstr) |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1307 | { |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1308 | QemuUUID uuid; |
| 1309 | qemu_uuid_generate(&uuid); |
| 1310 | qemu_uuid_unparse(&uuid, (char *)uuidstr); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1311 | } |
| 1312 | |
| 1313 | static int |
| 1314 | qcrypto_block_luks_create(QCryptoBlock *block, |
| 1315 | QCryptoBlockCreateOptions *options, |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1316 | const char *optprefix, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1317 | QCryptoBlockInitFunc initfunc, |
| 1318 | QCryptoBlockWriteFunc writefunc, |
| 1319 | void *opaque, |
| 1320 | Error **errp) |
| 1321 | { |
| 1322 | QCryptoBlockLUKS *luks; |
| 1323 | QCryptoBlockCreateOptionsLUKS luks_opts; |
| 1324 | Error *local_err = NULL; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1325 | g_autofree uint8_t *masterkey = NULL; |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1326 | size_t header_sectors; |
| 1327 | size_t split_key_sectors; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1328 | size_t i; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1329 | g_autofree char *password = NULL; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1330 | const char *cipher_alg; |
| 1331 | const char *cipher_mode; |
| 1332 | const char *ivgen_alg; |
| 1333 | const char *ivgen_hash_alg = NULL; |
| 1334 | const char *hash_alg; |
Daniel P. Berrangé | 57b9f11 | 2019-07-23 16:22:36 +0100 | [diff] [blame] | 1335 | g_autofree char *cipher_mode_spec = NULL; |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1336 | uint64_t iters; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1337 | |
| 1338 | memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts)); |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1339 | if (!luks_opts.has_iter_time) { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1340 | luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1341 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1342 | if (!luks_opts.has_cipher_alg) { |
| 1343 | luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256; |
| 1344 | } |
| 1345 | if (!luks_opts.has_cipher_mode) { |
| 1346 | luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS; |
| 1347 | } |
| 1348 | if (!luks_opts.has_ivgen_alg) { |
| 1349 | luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64; |
| 1350 | } |
| 1351 | if (!luks_opts.has_hash_alg) { |
| 1352 | luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256; |
| 1353 | } |
Daniel P. Berrange | 8b7cdba | 2016-05-20 17:43:44 +0100 | [diff] [blame] | 1354 | if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 1355 | if (!luks_opts.has_ivgen_hash_alg) { |
| 1356 | luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256; |
| 1357 | luks_opts.has_ivgen_hash_alg = true; |
| 1358 | } |
| 1359 | } |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1360 | |
| 1361 | luks = g_new0(QCryptoBlockLUKS, 1); |
| 1362 | block->opaque = luks; |
| 1363 | |
| 1364 | luks->cipher_alg = luks_opts.cipher_alg; |
| 1365 | luks->cipher_mode = luks_opts.cipher_mode; |
| 1366 | luks->ivgen_alg = luks_opts.ivgen_alg; |
| 1367 | luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; |
| 1368 | luks->hash_alg = luks_opts.hash_alg; |
| 1369 | |
| 1370 | |
Daniel P. Berrange | 8b7cdba | 2016-05-20 17:43:44 +0100 | [diff] [blame] | 1371 | /* Note we're allowing ivgen_hash_alg to be set even for |
| 1372 | * non-essiv iv generators that don't need a hash. It will |
| 1373 | * be silently ignored, for compatibility with dm-crypt */ |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1374 | |
| 1375 | if (!options->u.luks.key_secret) { |
Daniel P. Berrange | 1cd9a78 | 2017-06-23 17:24:17 +0100 | [diff] [blame] | 1376 | error_setg(errp, "Parameter '%skey-secret' is required for cipher", |
| 1377 | optprefix ? optprefix : ""); |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1378 | goto error; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1379 | } |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1380 | luks->secret = g_strdup(options->u.luks.key_secret); |
| 1381 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1382 | password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp); |
| 1383 | if (!password) { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1384 | goto error; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1385 | } |
| 1386 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1387 | |
| 1388 | memcpy(luks->header.magic, qcrypto_block_luks_magic, |
| 1389 | QCRYPTO_BLOCK_LUKS_MAGIC_LEN); |
| 1390 | |
| 1391 | /* We populate the header in native endianness initially and |
| 1392 | * then convert everything to big endian just before writing |
| 1393 | * it out to disk |
| 1394 | */ |
| 1395 | luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION; |
Fam Zheng | 2ef950f | 2016-09-21 12:27:19 +0800 | [diff] [blame] | 1396 | qcrypto_block_luks_uuid_gen(luks->header.uuid); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1397 | |
| 1398 | cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg, |
| 1399 | errp); |
| 1400 | if (!cipher_alg) { |
| 1401 | goto error; |
| 1402 | } |
| 1403 | |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1404 | cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode); |
| 1405 | ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1406 | if (luks_opts.has_ivgen_hash_alg) { |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1407 | ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1408 | cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg, |
| 1409 | ivgen_hash_alg); |
| 1410 | } else { |
| 1411 | cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg); |
| 1412 | } |
Markus Armbruster | 977c736 | 2017-08-24 10:46:08 +0200 | [diff] [blame] | 1413 | hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1414 | |
| 1415 | |
| 1416 | if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) { |
| 1417 | error_setg(errp, "Cipher name '%s' is too long for LUKS header", |
| 1418 | cipher_alg); |
| 1419 | goto error; |
| 1420 | } |
| 1421 | if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) { |
| 1422 | error_setg(errp, "Cipher mode '%s' is too long for LUKS header", |
| 1423 | cipher_mode_spec); |
| 1424 | goto error; |
| 1425 | } |
| 1426 | if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) { |
| 1427 | error_setg(errp, "Hash name '%s' is too long for LUKS header", |
| 1428 | hash_alg); |
| 1429 | goto error; |
| 1430 | } |
| 1431 | |
| 1432 | if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1433 | luks->ivgen_cipher_alg = |
| 1434 | qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg, |
| 1435 | luks_opts.ivgen_hash_alg, |
| 1436 | &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1437 | if (local_err) { |
| 1438 | error_propagate(errp, local_err); |
| 1439 | goto error; |
| 1440 | } |
| 1441 | } else { |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1442 | luks->ivgen_cipher_alg = luks_opts.cipher_alg; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1443 | } |
| 1444 | |
| 1445 | strcpy(luks->header.cipher_name, cipher_alg); |
| 1446 | strcpy(luks->header.cipher_mode, cipher_mode_spec); |
| 1447 | strcpy(luks->header.hash_spec, hash_alg); |
| 1448 | |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1449 | luks->header.master_key_len = |
| 1450 | qcrypto_cipher_get_key_len(luks_opts.cipher_alg); |
| 1451 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1452 | if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) { |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1453 | luks->header.master_key_len *= 2; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1454 | } |
| 1455 | |
| 1456 | /* Generate the salt used for hashing the master key |
| 1457 | * with PBKDF later |
| 1458 | */ |
| 1459 | if (qcrypto_random_bytes(luks->header.master_key_salt, |
| 1460 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1461 | errp) < 0) { |
| 1462 | goto error; |
| 1463 | } |
| 1464 | |
| 1465 | /* Generate random master key */ |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1466 | masterkey = g_new0(uint8_t, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1467 | if (qcrypto_random_bytes(masterkey, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1468 | luks->header.master_key_len, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1469 | goto error; |
| 1470 | } |
| 1471 | |
| 1472 | |
| 1473 | /* Setup the block device payload encryption objects */ |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1474 | if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg, |
| 1475 | luks_opts.cipher_mode, masterkey, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1476 | luks->header.master_key_len, 1, errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1477 | goto error; |
| 1478 | } |
| 1479 | |
| 1480 | block->kdfhash = luks_opts.hash_alg; |
| 1481 | block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg, |
| 1482 | luks_opts.cipher_mode); |
| 1483 | block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg, |
Maxim Levitsky | 9d80e59 | 2019-09-26 00:35:20 +0300 | [diff] [blame] | 1484 | luks->ivgen_cipher_alg, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1485 | luks_opts.ivgen_hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1486 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1487 | errp); |
| 1488 | |
| 1489 | if (!block->ivgen) { |
| 1490 | goto error; |
| 1491 | } |
| 1492 | |
| 1493 | |
| 1494 | /* Determine how many iterations we need to hash the master |
| 1495 | * key, in order to have 1 second of compute time used |
| 1496 | */ |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1497 | iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1498 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1499 | luks->header.master_key_salt, |
| 1500 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
Daniel P. Berrange | e74aabc | 2016-09-07 12:43:29 +0100 | [diff] [blame] | 1501 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN, |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1502 | &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1503 | if (local_err) { |
| 1504 | error_propagate(errp, local_err); |
| 1505 | goto error; |
| 1506 | } |
| 1507 | |
Daniel P. Berrange | 3bd1889 | 2016-09-06 18:43:00 +0100 | [diff] [blame] | 1508 | if (iters > (ULLONG_MAX / luks_opts.iter_time)) { |
| 1509 | error_setg_errno(errp, ERANGE, |
| 1510 | "PBKDF iterations %llu too large to scale", |
| 1511 | (unsigned long long)iters); |
| 1512 | goto error; |
| 1513 | } |
| 1514 | |
| 1515 | /* iter_time was in millis, but count_iters reported for secs */ |
| 1516 | iters = iters * luks_opts.iter_time / 1000; |
| 1517 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1518 | /* Why /= 8 ? That matches cryptsetup, but there's no |
| 1519 | * explanation why they chose /= 8... Probably so that |
| 1520 | * if all 8 keyslots are active we only spend 1 second |
| 1521 | * in total time to check all keys */ |
Daniel P. Berrange | 59b060b | 2016-09-12 12:50:12 +0100 | [diff] [blame] | 1522 | iters /= 8; |
| 1523 | if (iters > UINT32_MAX) { |
| 1524 | error_setg_errno(errp, ERANGE, |
| 1525 | "PBKDF iterations %llu larger than %u", |
| 1526 | (unsigned long long)iters, UINT32_MAX); |
| 1527 | goto error; |
| 1528 | } |
| 1529 | iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS); |
| 1530 | luks->header.master_key_iterations = iters; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1531 | |
| 1532 | /* Hash the master key, saving the result in the LUKS |
| 1533 | * header. This hash is used when opening the encrypted |
| 1534 | * device to verify that the user password unlocked a |
| 1535 | * valid master key |
| 1536 | */ |
| 1537 | if (qcrypto_pbkdf2(luks_opts.hash_alg, |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1538 | masterkey, luks->header.master_key_len, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1539 | luks->header.master_key_salt, |
| 1540 | QCRYPTO_BLOCK_LUKS_SALT_LEN, |
| 1541 | luks->header.master_key_iterations, |
| 1542 | luks->header.master_key_digest, |
| 1543 | QCRYPTO_BLOCK_LUKS_DIGEST_LEN, |
| 1544 | errp) < 0) { |
| 1545 | goto error; |
| 1546 | } |
| 1547 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1548 | /* start with the sector that follows the header*/ |
| 1549 | header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET / |
| 1550 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1551 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1552 | split_key_sectors = |
| 1553 | qcrypto_block_luks_splitkeylen_sectors(luks, |
| 1554 | header_sectors, |
| 1555 | QCRYPTO_BLOCK_LUKS_STRIPES); |
| 1556 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1557 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1558 | QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i]; |
| 1559 | slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1560 | |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1561 | slot->key_offset_sector = header_sectors + i * split_key_sectors; |
| 1562 | slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1563 | } |
| 1564 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1565 | /* The total size of the LUKS headers is the partition header + key |
| 1566 | * slot headers, rounded up to the nearest sector, combined with |
| 1567 | * the size of each master key material region, also rounded up |
| 1568 | * to the nearest sector */ |
Maxim Levitsky | bd56a55 | 2019-09-26 00:35:25 +0300 | [diff] [blame] | 1569 | luks->header.payload_offset_sector = header_sectors + |
| 1570 | QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1571 | |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1572 | block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1573 | block->payload_offset = luks->header.payload_offset_sector * |
Daniel P. Berrange | 850f49d | 2017-09-27 13:53:36 +0100 | [diff] [blame] | 1574 | block->sector_size; |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1575 | |
| 1576 | /* Reserve header space to match payload offset */ |
Daniel P. Berrange | e4a3507 | 2017-04-24 16:33:15 +0100 | [diff] [blame] | 1577 | initfunc(block, block->payload_offset, opaque, &local_err); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1578 | if (local_err) { |
| 1579 | error_propagate(errp, local_err); |
| 1580 | goto error; |
| 1581 | } |
| 1582 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1583 | |
Maxim Levitsky | 3994a7c | 2019-09-26 00:35:24 +0300 | [diff] [blame] | 1584 | /* populate the slot 0 with the password encrypted master key*/ |
| 1585 | /* This will also store the header */ |
| 1586 | if (qcrypto_block_luks_store_key(block, |
| 1587 | 0, |
| 1588 | password, |
| 1589 | masterkey, |
| 1590 | luks_opts.iter_time, |
| 1591 | writefunc, |
| 1592 | opaque, |
| 1593 | errp) < 0) { |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1594 | goto error; |
| 1595 | } |
| 1596 | |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1597 | memset(masterkey, 0, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1598 | |
| 1599 | return 0; |
| 1600 | |
| 1601 | error: |
| 1602 | if (masterkey) { |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1603 | memset(masterkey, 0, luks->header.master_key_len); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1604 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1605 | |
Vladimir Sementsov-Ogievskiy | c972fa1 | 2018-12-07 19:13:51 +0300 | [diff] [blame] | 1606 | qcrypto_block_free_cipher(block); |
Vladimir Sementsov-Ogievskiy | b640adc | 2018-12-07 19:13:47 +0300 | [diff] [blame] | 1607 | qcrypto_ivgen_free(block->ivgen); |
| 1608 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1609 | g_free(luks->secret); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1610 | g_free(luks); |
| 1611 | return -1; |
| 1612 | } |
| 1613 | |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1614 | static int |
| 1615 | qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block, |
| 1616 | QCryptoBlockReadFunc readfunc, |
| 1617 | QCryptoBlockWriteFunc writefunc, |
| 1618 | void *opaque, |
| 1619 | QCryptoBlockAmendOptionsLUKS *opts_luks, |
| 1620 | bool force, |
| 1621 | Error **errp) |
| 1622 | { |
| 1623 | QCryptoBlockLUKS *luks = block->opaque; |
| 1624 | uint64_t iter_time = opts_luks->has_iter_time ? |
| 1625 | opts_luks->iter_time : |
| 1626 | QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS; |
| 1627 | int keyslot; |
| 1628 | g_autofree char *old_password = NULL; |
| 1629 | g_autofree char *new_password = NULL; |
| 1630 | g_autofree uint8_t *master_key = NULL; |
| 1631 | |
| 1632 | char *secret = opts_luks->has_secret ? opts_luks->secret : luks->secret; |
| 1633 | |
| 1634 | if (!opts_luks->has_new_secret) { |
| 1635 | error_setg(errp, "'new-secret' is required to activate a keyslot"); |
| 1636 | return -1; |
| 1637 | } |
| 1638 | if (opts_luks->has_old_secret) { |
| 1639 | error_setg(errp, |
| 1640 | "'old-secret' must not be given when activating keyslots"); |
| 1641 | return -1; |
| 1642 | } |
| 1643 | |
| 1644 | if (opts_luks->has_keyslot) { |
| 1645 | keyslot = opts_luks->keyslot; |
| 1646 | if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { |
| 1647 | error_setg(errp, |
| 1648 | "Invalid keyslot %u specified, must be between 0 and %u", |
| 1649 | keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); |
| 1650 | return -1; |
| 1651 | } |
| 1652 | } else { |
| 1653 | keyslot = qcrypto_block_luks_find_free_keyslot(luks); |
| 1654 | if (keyslot == -1) { |
| 1655 | error_setg(errp, |
| 1656 | "Can't add a keyslot - all keyslots are in use"); |
| 1657 | return -1; |
| 1658 | } |
| 1659 | } |
| 1660 | |
| 1661 | if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) { |
| 1662 | error_setg(errp, |
| 1663 | "Refusing to overwrite active keyslot %i - " |
| 1664 | "please erase it first", |
| 1665 | keyslot); |
| 1666 | return -1; |
| 1667 | } |
| 1668 | |
| 1669 | /* Locate the password that will be used to retrieve the master key */ |
| 1670 | old_password = qcrypto_secret_lookup_as_utf8(secret, errp); |
| 1671 | if (!old_password) { |
| 1672 | return -1; |
| 1673 | } |
| 1674 | |
| 1675 | /* Retrieve the master key */ |
| 1676 | master_key = g_new0(uint8_t, luks->header.master_key_len); |
| 1677 | |
| 1678 | if (qcrypto_block_luks_find_key(block, old_password, master_key, |
| 1679 | readfunc, opaque, errp) < 0) { |
| 1680 | error_append_hint(errp, "Failed to retrieve the master key"); |
| 1681 | return -1; |
| 1682 | } |
| 1683 | |
| 1684 | /* Locate the new password*/ |
| 1685 | new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp); |
| 1686 | if (!new_password) { |
| 1687 | return -1; |
| 1688 | } |
| 1689 | |
| 1690 | /* Now set the new keyslots */ |
| 1691 | if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key, |
| 1692 | iter_time, writefunc, opaque, errp)) { |
| 1693 | error_append_hint(errp, "Failed to write to keyslot %i", keyslot); |
| 1694 | return -1; |
| 1695 | } |
| 1696 | return 0; |
| 1697 | } |
| 1698 | |
| 1699 | static int |
| 1700 | qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block, |
| 1701 | QCryptoBlockReadFunc readfunc, |
| 1702 | QCryptoBlockWriteFunc writefunc, |
| 1703 | void *opaque, |
| 1704 | QCryptoBlockAmendOptionsLUKS *opts_luks, |
| 1705 | bool force, |
| 1706 | Error **errp) |
| 1707 | { |
| 1708 | QCryptoBlockLUKS *luks = block->opaque; |
| 1709 | g_autofree uint8_t *tmpkey = NULL; |
| 1710 | g_autofree char *old_password = NULL; |
| 1711 | |
| 1712 | if (opts_luks->has_new_secret) { |
| 1713 | error_setg(errp, |
| 1714 | "'new-secret' must not be given when erasing keyslots"); |
| 1715 | return -1; |
| 1716 | } |
| 1717 | if (opts_luks->has_iter_time) { |
| 1718 | error_setg(errp, |
| 1719 | "'iter-time' must not be given when erasing keyslots"); |
| 1720 | return -1; |
| 1721 | } |
| 1722 | if (opts_luks->has_secret) { |
| 1723 | error_setg(errp, |
| 1724 | "'secret' must not be given when erasing keyslots"); |
| 1725 | return -1; |
| 1726 | } |
| 1727 | |
| 1728 | /* Load the old password if given */ |
| 1729 | if (opts_luks->has_old_secret) { |
| 1730 | old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret, |
| 1731 | errp); |
| 1732 | if (!old_password) { |
| 1733 | return -1; |
| 1734 | } |
| 1735 | |
| 1736 | /* |
| 1737 | * Allocate a temporary key buffer that we will need when |
| 1738 | * checking if slot matches the given old password |
| 1739 | */ |
| 1740 | tmpkey = g_new0(uint8_t, luks->header.master_key_len); |
| 1741 | } |
| 1742 | |
| 1743 | /* Erase an explicitly given keyslot */ |
| 1744 | if (opts_luks->has_keyslot) { |
| 1745 | int keyslot = opts_luks->keyslot; |
| 1746 | |
| 1747 | if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) { |
| 1748 | error_setg(errp, |
| 1749 | "Invalid keyslot %i specified, must be between 0 and %i", |
| 1750 | keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1); |
| 1751 | return -1; |
| 1752 | } |
| 1753 | |
| 1754 | if (opts_luks->has_old_secret) { |
| 1755 | int rv = qcrypto_block_luks_load_key(block, |
| 1756 | keyslot, |
| 1757 | old_password, |
| 1758 | tmpkey, |
| 1759 | readfunc, |
| 1760 | opaque, |
| 1761 | errp); |
| 1762 | if (rv == -1) { |
| 1763 | return -1; |
| 1764 | } else if (rv == 0) { |
| 1765 | error_setg(errp, |
| 1766 | "Given keyslot %i doesn't contain the given " |
| 1767 | "old password for erase operation", |
| 1768 | keyslot); |
| 1769 | return -1; |
| 1770 | } |
| 1771 | } |
| 1772 | |
| 1773 | if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) { |
| 1774 | error_setg(errp, |
| 1775 | "Given keyslot %i is already erased (inactive) ", |
| 1776 | keyslot); |
| 1777 | return -1; |
| 1778 | } |
| 1779 | |
| 1780 | if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) { |
| 1781 | error_setg(errp, |
| 1782 | "Attempt to erase the only active keyslot %i " |
| 1783 | "which will erase all the data in the image " |
| 1784 | "irreversibly - refusing operation", |
| 1785 | keyslot); |
| 1786 | return -1; |
| 1787 | } |
| 1788 | |
| 1789 | if (qcrypto_block_luks_erase_key(block, keyslot, |
| 1790 | writefunc, opaque, errp)) { |
| 1791 | error_append_hint(errp, "Failed to erase keyslot %i", keyslot); |
| 1792 | return -1; |
| 1793 | } |
| 1794 | |
| 1795 | /* Erase all keyslots that match the given old password */ |
| 1796 | } else if (opts_luks->has_old_secret) { |
| 1797 | |
| 1798 | unsigned long slots_to_erase_bitmap = 0; |
| 1799 | size_t i; |
| 1800 | int slot_count; |
| 1801 | |
| 1802 | assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <= |
| 1803 | sizeof(slots_to_erase_bitmap) * 8); |
| 1804 | |
| 1805 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1806 | int rv = qcrypto_block_luks_load_key(block, |
| 1807 | i, |
| 1808 | old_password, |
| 1809 | tmpkey, |
| 1810 | readfunc, |
| 1811 | opaque, |
| 1812 | errp); |
| 1813 | if (rv == -1) { |
| 1814 | return -1; |
| 1815 | } else if (rv == 1) { |
| 1816 | bitmap_set(&slots_to_erase_bitmap, i, 1); |
| 1817 | } |
| 1818 | } |
| 1819 | |
| 1820 | slot_count = bitmap_count_one(&slots_to_erase_bitmap, |
| 1821 | QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS); |
| 1822 | if (slot_count == 0) { |
| 1823 | error_setg(errp, |
| 1824 | "No keyslots match given (old) password for erase operation"); |
| 1825 | return -1; |
| 1826 | } |
| 1827 | |
| 1828 | if (!force && |
| 1829 | slot_count == qcrypto_block_luks_count_active_slots(luks)) { |
| 1830 | error_setg(errp, |
| 1831 | "All the active keyslots match the (old) password that " |
| 1832 | "was given and erasing them will erase all the data in " |
| 1833 | "the image irreversibly - refusing operation"); |
| 1834 | return -1; |
| 1835 | } |
| 1836 | |
| 1837 | /* Now apply the update */ |
| 1838 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
| 1839 | if (!test_bit(i, &slots_to_erase_bitmap)) { |
| 1840 | continue; |
| 1841 | } |
| 1842 | if (qcrypto_block_luks_erase_key(block, i, writefunc, |
| 1843 | opaque, errp)) { |
| 1844 | error_append_hint(errp, "Failed to erase keyslot %zu", i); |
| 1845 | return -1; |
| 1846 | } |
| 1847 | } |
| 1848 | } else { |
| 1849 | error_setg(errp, |
| 1850 | "To erase keyslot(s), either explicit keyslot index " |
| 1851 | "or the password currently contained in them must be given"); |
| 1852 | return -1; |
| 1853 | } |
| 1854 | return 0; |
| 1855 | } |
| 1856 | |
| 1857 | static int |
| 1858 | qcrypto_block_luks_amend_options(QCryptoBlock *block, |
| 1859 | QCryptoBlockReadFunc readfunc, |
| 1860 | QCryptoBlockWriteFunc writefunc, |
| 1861 | void *opaque, |
| 1862 | QCryptoBlockAmendOptions *options, |
| 1863 | bool force, |
| 1864 | Error **errp) |
| 1865 | { |
| 1866 | QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks; |
| 1867 | |
| 1868 | switch (opts_luks->state) { |
| 1869 | case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE: |
| 1870 | return qcrypto_block_luks_amend_add_keyslot(block, readfunc, |
| 1871 | writefunc, opaque, |
| 1872 | opts_luks, force, errp); |
| 1873 | case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE: |
| 1874 | return qcrypto_block_luks_amend_erase_keyslots(block, readfunc, |
| 1875 | writefunc, opaque, |
| 1876 | opts_luks, force, errp); |
| 1877 | default: |
| 1878 | g_assert_not_reached(); |
| 1879 | } |
| 1880 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1881 | |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1882 | static int qcrypto_block_luks_get_info(QCryptoBlock *block, |
| 1883 | QCryptoBlockInfo *info, |
| 1884 | Error **errp) |
| 1885 | { |
| 1886 | QCryptoBlockLUKS *luks = block->opaque; |
| 1887 | QCryptoBlockInfoLUKSSlot *slot; |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1888 | QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots; |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1889 | size_t i; |
| 1890 | |
| 1891 | info->u.luks.cipher_alg = luks->cipher_alg; |
| 1892 | info->u.luks.cipher_mode = luks->cipher_mode; |
| 1893 | info->u.luks.ivgen_alg = luks->ivgen_alg; |
| 1894 | if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { |
| 1895 | info->u.luks.has_ivgen_hash_alg = true; |
| 1896 | info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; |
| 1897 | } |
| 1898 | info->u.luks.hash_alg = luks->hash_alg; |
| 1899 | info->u.luks.payload_offset = block->payload_offset; |
| 1900 | info->u.luks.master_key_iters = luks->header.master_key_iterations; |
| 1901 | info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, |
| 1902 | sizeof(luks->header.uuid)); |
| 1903 | |
| 1904 | for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1905 | slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1906 | slot->active = luks->header.key_slots[i].active == |
| 1907 | QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; |
Maxim Levitsky | f0d3c36 | 2019-09-26 00:35:16 +0300 | [diff] [blame] | 1908 | slot->key_offset = luks->header.key_slots[i].key_offset_sector |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1909 | * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; |
| 1910 | if (slot->active) { |
| 1911 | slot->has_iters = true; |
| 1912 | slot->iters = luks->header.key_slots[i].iterations; |
| 1913 | slot->has_stripes = true; |
| 1914 | slot->stripes = luks->header.key_slots[i].stripes; |
| 1915 | } |
| 1916 | |
Eric Blake | c3033fd | 2021-01-13 16:10:12 -0600 | [diff] [blame] | 1917 | QAPI_LIST_APPEND(tail, slot); |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1918 | } |
| 1919 | |
| 1920 | return 0; |
| 1921 | } |
| 1922 | |
| 1923 | |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1924 | static void qcrypto_block_luks_cleanup(QCryptoBlock *block) |
| 1925 | { |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1926 | QCryptoBlockLUKS *luks = block->opaque; |
| 1927 | if (luks) { |
| 1928 | g_free(luks->secret); |
| 1929 | g_free(luks); |
| 1930 | } |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1931 | } |
| 1932 | |
| 1933 | |
| 1934 | static int |
| 1935 | qcrypto_block_luks_decrypt(QCryptoBlock *block, |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1936 | uint64_t offset, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1937 | uint8_t *buf, |
| 1938 | size_t len, |
| 1939 | Error **errp) |
| 1940 | { |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1941 | assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
| 1942 | assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
Vladimir Sementsov-Ogievskiy | 0f0d596 | 2018-12-07 19:13:50 +0300 | [diff] [blame] | 1943 | return qcrypto_block_decrypt_helper(block, |
| 1944 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1945 | offset, buf, len, errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1946 | } |
| 1947 | |
| 1948 | |
| 1949 | static int |
| 1950 | qcrypto_block_luks_encrypt(QCryptoBlock *block, |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1951 | uint64_t offset, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1952 | uint8_t *buf, |
| 1953 | size_t len, |
| 1954 | Error **errp) |
| 1955 | { |
Daniel P. Berrange | 4609742 | 2017-09-27 13:53:39 +0100 | [diff] [blame] | 1956 | assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
| 1957 | assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)); |
Vladimir Sementsov-Ogievskiy | 0f0d596 | 2018-12-07 19:13:50 +0300 | [diff] [blame] | 1958 | return qcrypto_block_encrypt_helper(block, |
| 1959 | QCRYPTO_BLOCK_LUKS_SECTOR_SIZE, |
| 1960 | offset, buf, len, errp); |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1961 | } |
| 1962 | |
| 1963 | |
| 1964 | const QCryptoBlockDriver qcrypto_block_driver_luks = { |
| 1965 | .open = qcrypto_block_luks_open, |
| 1966 | .create = qcrypto_block_luks_create, |
Maxim Levitsky | 557d2bd | 2020-06-25 14:55:37 +0200 | [diff] [blame] | 1967 | .amend = qcrypto_block_luks_amend_options, |
Daniel P. Berrange | 40c8502 | 2016-07-22 13:53:34 +0100 | [diff] [blame] | 1968 | .get_info = qcrypto_block_luks_get_info, |
Daniel P. Berrange | 3e308f2 | 2015-10-24 11:55:48 +0100 | [diff] [blame] | 1969 | .cleanup = qcrypto_block_luks_cleanup, |
| 1970 | .decrypt = qcrypto_block_luks_decrypt, |
| 1971 | .encrypt = qcrypto_block_luks_encrypt, |
| 1972 | .has_format = qcrypto_block_luks_has_format, |
| 1973 | }; |