static int
qcrypto_afalg_cipher_setiv(QCryptoCipher *cipher,
const uint8_t *iv,
size_t niv, Error **errp)
{
struct af_alg_iv *alg_iv;
size_t expect_niv;
QCryptoAFAlg *afalg = cipher->opaque;
expect_niv = qcrypto_cipher_get_iv_len(cipher->alg, cipher->mode);
if (niv != expect_niv) {
error_setg(errp, "Set IV len(%zu) not match expected(%zu)",
niv, expect_niv);
return -1;
}
/* move ->cmsg to next msghdr, for IV-info */
afalg->cmsg = CMSG_NXTHDR(afalg->msg, afalg->cmsg);
/* build setiv msg */
afalg->cmsg->cmsg_level = SOL_ALG;
alg_iv = (struct af_alg_iv *)CMSG_DATA(afalg->cmsg);
alg_iv->ivlen = niv;
memcpy(alg_iv->iv, iv, niv);
return 0;
}
QCryptoAFAlg *
qcrypto_afalg_cipher_ctx_new(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode,
const uint8_t *key,
size_t nkey, Error **errp)
{
QCryptoAFAlg *afalg;
size_t expect_niv;
char *name;
name = qcrypto_afalg_cipher_format_name(alg, mode, errp);
if (!name) {
return NULL;
}
afalg = qcrypto_afalg_comm_alloc(AFALG_TYPE_CIPHER, name, errp);
if (!afalg) {
g_free(name);
return NULL;
}
g_free(name);
/* setkey */
if (qemu_setsockopt(afalg->tfmfd, SOL_ALG, ALG_SET_KEY, key,
nkey) != 0) {
error_setg_errno(errp, errno, "Set key failed");
qcrypto_afalg_comm_free(afalg);
return NULL;
}
/* prepare msg header */
afalg->msg = g_new0(struct msghdr, 1);
afalg->msg->msg_controllen += CMSG_SPACE(ALG_OPTYPE_LEN);
expect_niv = qcrypto_cipher_get_iv_len(alg, mode);
if (expect_niv) {
afalg->msg->msg_controllen += CMSG_SPACE(ALG_MSGIV_LEN(expect_niv));
}
afalg->msg->msg_control = g_new0(uint8_t, afalg->msg->msg_controllen);
/* We use 1st msghdr for crypto-info and 2nd msghdr for IV-info */
afalg->cmsg = CMSG_FIRSTHDR(afalg->msg);
afalg->cmsg->cmsg_type = ALG_SET_OP;
afalg->cmsg->cmsg_len = CMSG_SPACE(ALG_OPTYPE_LEN);
if (expect_niv) {
afalg->cmsg = CMSG_NXTHDR(afalg->msg, afalg->cmsg);
afalg->cmsg->cmsg_type = ALG_SET_IV;
afalg->cmsg->cmsg_len = CMSG_SPACE(ALG_MSGIV_LEN(expect_niv));
}
afalg->cmsg = CMSG_FIRSTHDR(afalg->msg);
return afalg;
}
static int
qcrypto_block_luks_create(QCryptoBlock *block,
QCryptoBlockCreateOptions *options,
QCryptoBlockInitFunc initfunc,
QCryptoBlockWriteFunc writefunc,
void *opaque,
Error **errp)
{
QCryptoBlockLUKS *luks;
QCryptoBlockCreateOptionsLUKS luks_opts;
Error *local_err = NULL;
uint8_t *masterkey = NULL;
uint8_t *slotkey = NULL;
uint8_t *splitkey = NULL;
size_t splitkeylen = 0;
size_t i;
QCryptoCipher *cipher = NULL;
QCryptoIVGen *ivgen = NULL;
char *password;
const char *cipher_alg;
const char *cipher_mode;
const char *ivgen_alg;
const char *ivgen_hash_alg = NULL;
const char *hash_alg;
char *cipher_mode_spec = NULL;
QCryptoCipherAlgorithm ivcipheralg = 0;
uint64_t iters;
memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
if (!luks_opts.has_iter_time) {
luks_opts.iter_time = 2000;
}
if (!luks_opts.has_cipher_alg) {
luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
}
if (!luks_opts.has_cipher_mode) {
luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
}
if (!luks_opts.has_ivgen_alg) {
luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
}
if (!luks_opts.has_hash_alg) {
luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
}
if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
if (!luks_opts.has_ivgen_hash_alg) {
luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
luks_opts.has_ivgen_hash_alg = true;
}
}
/* Note we're allowing ivgen_hash_alg to be set even for
* non-essiv iv generators that don't need a hash. It will
* be silently ignored, for compatibility with dm-crypt */
if (!options->u.luks.key_secret) {
error_setg(errp, "Parameter 'key-secret' is required for cipher");
return -1;
}
password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
if (!password) {
return -1;
}
luks = g_new0(QCryptoBlockLUKS, 1);
block->opaque = luks;
memcpy(luks->header.magic, qcrypto_block_luks_magic,
QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
/* We populate the header in native endianness initially and
* then convert everything to big endian just before writing
* it out to disk
*/
luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
qcrypto_block_luks_uuid_gen(luks->header.uuid);
cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
errp);
if (!cipher_alg) {
goto error;
}
cipher_mode = QCryptoCipherMode_lookup[luks_opts.cipher_mode];
ivgen_alg = QCryptoIVGenAlgorithm_lookup[luks_opts.ivgen_alg];
if (luks_opts.has_ivgen_hash_alg) {
ivgen_hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.ivgen_hash_alg];
cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
ivgen_hash_alg);
} else {
cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
}
hash_alg = QCryptoHashAlgorithm_lookup[luks_opts.hash_alg];
if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
error_setg(errp, "Cipher name '%s' is too long for LUKS header",
cipher_alg);
goto error;
}
if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
cipher_mode_spec);
goto error;
}
if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
error_setg(errp, "Hash name '%s' is too long for LUKS header",
hash_alg);
goto error;
}
if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
ivcipheralg = qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
luks_opts.ivgen_hash_alg,
&local_err);
if (local_err) {
error_propagate(errp, local_err);
goto error;
}
} else {
ivcipheralg = luks_opts.cipher_alg;
}
strcpy(luks->header.cipher_name, cipher_alg);
strcpy(luks->header.cipher_mode, cipher_mode_spec);
strcpy(luks->header.hash_spec, hash_alg);
luks->header.key_bytes = qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
luks->header.key_bytes *= 2;
}
/* Generate the salt used for hashing the master key
* with PBKDF later
*/
if (qcrypto_random_bytes(luks->header.master_key_salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
errp) < 0) {
goto error;
}
/* Generate random master key */
masterkey = g_new0(uint8_t, luks->header.key_bytes);
if (qcrypto_random_bytes(masterkey,
luks->header.key_bytes, errp) < 0) {
goto error;
}
/* Setup the block device payload encryption objects */
block->cipher = qcrypto_cipher_new(luks_opts.cipher_alg,
luks_opts.cipher_mode,
masterkey, luks->header.key_bytes,
errp);
if (!block->cipher) {
goto error;
}
block->kdfhash = luks_opts.hash_alg;
block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
luks_opts.cipher_mode);
block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
ivcipheralg,
luks_opts.ivgen_hash_alg,
masterkey, luks->header.key_bytes,
errp);
if (!block->ivgen) {
goto error;
}
/* Determine how many iterations we need to hash the master
* key, in order to have 1 second of compute time used
*/
iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
masterkey, luks->header.key_bytes,
luks->header.master_key_salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
&local_err);
if (local_err) {
error_propagate(errp, local_err);
goto error;
}
if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
error_setg_errno(errp, ERANGE,
"PBKDF iterations %llu too large to scale",
(unsigned long long)iters);
goto error;
}
/* iter_time was in millis, but count_iters reported for secs */
iters = iters * luks_opts.iter_time / 1000;
/* Why /= 8 ? That matches cryptsetup, but there's no
* explanation why they chose /= 8... Probably so that
* if all 8 keyslots are active we only spend 1 second
* in total time to check all keys */
iters /= 8;
if (iters > UINT32_MAX) {
error_setg_errno(errp, ERANGE,
"PBKDF iterations %llu larger than %u",
(unsigned long long)iters, UINT32_MAX);
goto error;
}
iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
luks->header.master_key_iterations = iters;
/* Hash the master key, saving the result in the LUKS
* header. This hash is used when opening the encrypted
* device to verify that the user password unlocked a
* valid master key
*/
if (qcrypto_pbkdf2(luks_opts.hash_alg,
masterkey, luks->header.key_bytes,
luks->header.master_key_salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
luks->header.master_key_iterations,
luks->header.master_key_digest,
QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
errp) < 0) {
goto error;
}
/* Although LUKS has multiple key slots, we're just going
* to use the first key slot */
splitkeylen = luks->header.key_bytes * QCRYPTO_BLOCK_LUKS_STRIPES;
for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
luks->header.key_slots[i].active = i == 0 ?
QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED :
QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
luks->header.key_slots[i].stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
/* This calculation doesn't match that shown in the spec,
* but instead follows the cryptsetup implementation.
*/
luks->header.key_slots[i].key_offset =
(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) +
(ROUND_UP(DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE),
(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) * i);
}
if (qcrypto_random_bytes(luks->header.key_slots[0].salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
errp) < 0) {
goto error;
}
/* Again we determine how many iterations are required to
* hash the user password while consuming 1 second of compute
* time */
iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
(uint8_t *)password, strlen(password),
luks->header.key_slots[0].salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
luks->header.key_bytes,
&local_err);
if (local_err) {
error_propagate(errp, local_err);
goto error;
}
if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
error_setg_errno(errp, ERANGE,
"PBKDF iterations %llu too large to scale",
(unsigned long long)iters);
goto error;
}
/* iter_time was in millis, but count_iters reported for secs */
iters = iters * luks_opts.iter_time / 1000;
if (iters > UINT32_MAX) {
error_setg_errno(errp, ERANGE,
"PBKDF iterations %llu larger than %u",
(unsigned long long)iters, UINT32_MAX);
goto error;
}
luks->header.key_slots[0].iterations =
MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
/* Generate a key that we'll use to encrypt the master
* key, from the user's password
*/
slotkey = g_new0(uint8_t, luks->header.key_bytes);
if (qcrypto_pbkdf2(luks_opts.hash_alg,
(uint8_t *)password, strlen(password),
luks->header.key_slots[0].salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
luks->header.key_slots[0].iterations,
slotkey, luks->header.key_bytes,
errp) < 0) {
goto error;
}
/* Setup the encryption objects needed to encrypt the
* master key material
*/
cipher = qcrypto_cipher_new(luks_opts.cipher_alg,
luks_opts.cipher_mode,
slotkey, luks->header.key_bytes,
errp);
if (!cipher) {
goto error;
}
ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
ivcipheralg,
luks_opts.ivgen_hash_alg,
slotkey, luks->header.key_bytes,
errp);
if (!ivgen) {
goto error;
}
/* Before storing the master key, we need to vastly
* increase its size, as protection against forensic
* disk data recovery */
splitkey = g_new0(uint8_t, splitkeylen);
if (qcrypto_afsplit_encode(luks_opts.hash_alg,
luks->header.key_bytes,
luks->header.key_slots[0].stripes,
masterkey,
splitkey,
errp) < 0) {
goto error;
}
/* Now we encrypt the split master key with the key generated
* from the user's password, before storing it */
if (qcrypto_block_encrypt_helper(cipher, block->niv, ivgen,
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
0,
splitkey,
splitkeylen,
errp) < 0) {
goto error;
}
/* The total size of the LUKS headers is the partition header + key
* slot headers, rounded up to the nearest sector, combined with
* the size of each master key material region, also rounded up
* to the nearest sector */
luks->header.payload_offset =
(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE) +
(ROUND_UP(DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE),
(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) *
QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
block->payload_offset = luks->header.payload_offset *
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
/* Reserve header space to match payload offset */
initfunc(block, block->payload_offset, opaque, &local_err);
if (local_err) {
error_propagate(errp, local_err);
goto error;
}
/* Everything on disk uses Big Endian, so flip header fields
* before writing them */
cpu_to_be16s(&luks->header.version);
cpu_to_be32s(&luks->header.payload_offset);
cpu_to_be32s(&luks->header.key_bytes);
cpu_to_be32s(&luks->header.master_key_iterations);
for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
cpu_to_be32s(&luks->header.key_slots[i].active);
cpu_to_be32s(&luks->header.key_slots[i].iterations);
cpu_to_be32s(&luks->header.key_slots[i].key_offset);
cpu_to_be32s(&luks->header.key_slots[i].stripes);
}
/* Write out the partition header and key slot headers */
writefunc(block, 0,
(const uint8_t *)&luks->header,
sizeof(luks->header),
opaque,
&local_err);
/* Delay checking local_err until we've byte-swapped */
/* Byte swap the header back to native, in case we need
* to read it again later */
be16_to_cpus(&luks->header.version);
be32_to_cpus(&luks->header.payload_offset);
be32_to_cpus(&luks->header.key_bytes);
be32_to_cpus(&luks->header.master_key_iterations);
for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
be32_to_cpus(&luks->header.key_slots[i].active);
be32_to_cpus(&luks->header.key_slots[i].iterations);
be32_to_cpus(&luks->header.key_slots[i].key_offset);
be32_to_cpus(&luks->header.key_slots[i].stripes);
}
if (local_err) {
error_propagate(errp, local_err);
goto error;
}
/* Write out the master key material, starting at the
* sector immediately following the partition header. */
if (writefunc(block,
luks->header.key_slots[0].key_offset *
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
splitkey, splitkeylen,
opaque,
errp) != splitkeylen) {
goto error;
}
luks->cipher_alg = luks_opts.cipher_alg;
luks->cipher_mode = luks_opts.cipher_mode;
luks->ivgen_alg = luks_opts.ivgen_alg;
luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
luks->hash_alg = luks_opts.hash_alg;
memset(masterkey, 0, luks->header.key_bytes);
g_free(masterkey);
memset(slotkey, 0, luks->header.key_bytes);
g_free(slotkey);
g_free(splitkey);
g_free(password);
g_free(cipher_mode_spec);
qcrypto_ivgen_free(ivgen);
qcrypto_cipher_free(cipher);
return 0;
error:
if (masterkey) {
memset(masterkey, 0, luks->header.key_bytes);
}
g_free(masterkey);
if (slotkey) {
memset(slotkey, 0, luks->header.key_bytes);
}
g_free(slotkey);
g_free(splitkey);
g_free(password);
g_free(cipher_mode_spec);
qcrypto_ivgen_free(ivgen);
qcrypto_cipher_free(cipher);
g_free(luks);
return -1;
}
static int
qcrypto_block_luks_open(QCryptoBlock *block,
QCryptoBlockOpenOptions *options,
QCryptoBlockReadFunc readfunc,
void *opaque,
unsigned int flags,
Error **errp)
{
QCryptoBlockLUKS *luks;
Error *local_err = NULL;
int ret = 0;
size_t i;
ssize_t rv;
uint8_t *masterkey = NULL;
size_t masterkeylen;
char *ivgen_name, *ivhash_name;
QCryptoCipherMode ciphermode;
QCryptoCipherAlgorithm cipheralg;
QCryptoIVGenAlgorithm ivalg;
QCryptoCipherAlgorithm ivcipheralg;
QCryptoHashAlgorithm hash;
QCryptoHashAlgorithm ivhash;
char *password = NULL;
if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
if (!options->u.luks.key_secret) {
error_setg(errp, "Parameter 'key-secret' is required for cipher");
return -1;
}
password = qcrypto_secret_lookup_as_utf8(
options->u.luks.key_secret, errp);
if (!password) {
return -1;
}
}
luks = g_new0(QCryptoBlockLUKS, 1);
block->opaque = luks;
/* Read the entire LUKS header, minus the key material from
* the underlying device */
rv = readfunc(block, 0,
(uint8_t *)&luks->header,
sizeof(luks->header),
opaque,
errp);
if (rv < 0) {
ret = rv;
goto fail;
}
/* The header is always stored in big-endian format, so
* convert everything to native */
be16_to_cpus(&luks->header.version);
be32_to_cpus(&luks->header.payload_offset);
be32_to_cpus(&luks->header.key_bytes);
be32_to_cpus(&luks->header.master_key_iterations);
for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
be32_to_cpus(&luks->header.key_slots[i].active);
be32_to_cpus(&luks->header.key_slots[i].iterations);
be32_to_cpus(&luks->header.key_slots[i].key_offset);
be32_to_cpus(&luks->header.key_slots[i].stripes);
}
if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
error_setg(errp, "Volume is not in LUKS format");
ret = -EINVAL;
goto fail;
}
if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
error_setg(errp, "LUKS version %" PRIu32 " is not supported",
luks->header.version);
ret = -ENOTSUP;
goto fail;
}
/*
* The cipher_mode header contains a string that we have
* to further parse, of the format
*
* <cipher-mode>-<iv-generator>[:<iv-hash>]
*
* eg cbc-essiv:sha256, cbc-plain64
*/
ivgen_name = strchr(luks->header.cipher_mode, '-');
if (!ivgen_name) {
ret = -EINVAL;
error_setg(errp, "Unexpected cipher mode string format %s",
luks->header.cipher_mode);
goto fail;
}
*ivgen_name = '\0';
ivgen_name++;
ivhash_name = strchr(ivgen_name, ':');
if (!ivhash_name) {
ivhash = 0;
} else {
*ivhash_name = '\0';
ivhash_name++;
ivhash = qcrypto_block_luks_hash_name_lookup(ivhash_name,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
}
ciphermode = qcrypto_block_luks_cipher_mode_lookup(luks->header.cipher_mode,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
cipheralg = qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
ciphermode,
luks->header.key_bytes,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
hash = qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
ivalg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
if (ivalg == QCRYPTO_IVGEN_ALG_ESSIV) {
if (!ivhash_name) {
ret = -EINVAL;
error_setg(errp, "Missing IV generator hash specification");
goto fail;
}
ivcipheralg = qcrypto_block_luks_essiv_cipher(cipheralg,
ivhash,
&local_err);
if (local_err) {
ret = -ENOTSUP;
error_propagate(errp, local_err);
goto fail;
}
} else {
/* Note we parsed the ivhash_name earlier in the cipher_mode
* spec string even with plain/plain64 ivgens, but we
* will ignore it, since it is irrelevant for these ivgens.
* This is for compat with dm-crypt which will silently
* ignore hash names with these ivgens rather than report
* an error about the invalid usage
*/
ivcipheralg = cipheralg;
}
if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
/* Try to find which key slot our password is valid for
* and unlock the master key from that slot.
*/
if (qcrypto_block_luks_find_key(block,
password,
cipheralg, ciphermode,
hash,
ivalg,
ivcipheralg,
ivhash,
&masterkey, &masterkeylen,
readfunc, opaque,
errp) < 0) {
ret = -EACCES;
goto fail;
}
/* We have a valid master key now, so can setup the
* block device payload decryption objects
*/
block->kdfhash = hash;
block->niv = qcrypto_cipher_get_iv_len(cipheralg,
ciphermode);
block->ivgen = qcrypto_ivgen_new(ivalg,
ivcipheralg,
ivhash,
masterkey, masterkeylen,
errp);
if (!block->ivgen) {
ret = -ENOTSUP;
goto fail;
}
block->cipher = qcrypto_cipher_new(cipheralg,
ciphermode,
masterkey, masterkeylen,
errp);
if (!block->cipher) {
ret = -ENOTSUP;
goto fail;
}
}
block->payload_offset = luks->header.payload_offset *
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
luks->cipher_alg = cipheralg;
luks->cipher_mode = ciphermode;
luks->ivgen_alg = ivalg;
luks->ivgen_hash_alg = ivhash;
luks->hash_alg = hash;
g_free(masterkey);
g_free(password);
return 0;
fail:
g_free(masterkey);
qcrypto_cipher_free(block->cipher);
qcrypto_ivgen_free(block->ivgen);
g_free(luks);
g_free(password);
return ret;
}
/*
* Given a key slot, and user password, this will attempt to unlock
* the master encryption key from the key slot.
*
* Returns:
* 0 if the key slot is disabled, or key could not be decrypted
* with the provided password
* 1 if the key slot is enabled, and key decrypted successfully
* with the provided password
* -1 if a fatal error occurred loading the key
*/
static int
qcrypto_block_luks_load_key(QCryptoBlock *block,
QCryptoBlockLUKSKeySlot *slot,
const char *password,
QCryptoCipherAlgorithm cipheralg,
QCryptoCipherMode ciphermode,
QCryptoHashAlgorithm hash,
QCryptoIVGenAlgorithm ivalg,
QCryptoCipherAlgorithm ivcipheralg,
QCryptoHashAlgorithm ivhash,
uint8_t *masterkey,
size_t masterkeylen,
QCryptoBlockReadFunc readfunc,
void *opaque,
Error **errp)
{
QCryptoBlockLUKS *luks = block->opaque;
uint8_t *splitkey;
size_t splitkeylen;
uint8_t *possiblekey;
int ret = -1;
ssize_t rv;
QCryptoCipher *cipher = NULL;
uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
QCryptoIVGen *ivgen = NULL;
size_t niv;
if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
return 0;
}
splitkeylen = masterkeylen * slot->stripes;
splitkey = g_new0(uint8_t, splitkeylen);
possiblekey = g_new0(uint8_t, masterkeylen);
/*
* The user password is used to generate a (possible)
* decryption key. This may or may not successfully
* decrypt the master key - we just blindly assume
* the key is correct and validate the results of
* decryption later.
*/
if (qcrypto_pbkdf2(hash,
(const uint8_t *)password, strlen(password),
slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
slot->iterations,
possiblekey, masterkeylen,
errp) < 0) {
goto cleanup;
}
/*
* We need to read the master key material from the
* LUKS key material header. What we're reading is
* not the raw master key, but rather the data after
* it has been passed through AFSplit and the result
* then encrypted.
*/
rv = readfunc(block,
slot->key_offset * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
splitkey, splitkeylen,
opaque,
errp);
if (rv < 0) {
goto cleanup;
}
/* Setup the cipher/ivgen that we'll use to try to decrypt
* the split master key material */
cipher = qcrypto_cipher_new(cipheralg, ciphermode,
possiblekey, masterkeylen,
errp);
if (!cipher) {
goto cleanup;
}
niv = qcrypto_cipher_get_iv_len(cipheralg,
ciphermode);
ivgen = qcrypto_ivgen_new(ivalg,
ivcipheralg,
ivhash,
possiblekey, masterkeylen,
errp);
if (!ivgen) {
goto cleanup;
}
/*
* The master key needs to be decrypted in the same
* way that the block device payload will be decrypted
* later. In particular we'll be using the IV generator
* to reset the encryption cipher every time the master
* key crosses a sector boundary.
*/
if (qcrypto_block_decrypt_helper(cipher,
niv,
ivgen,
QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
0,
splitkey,
splitkeylen,
errp) < 0) {
goto cleanup;
}
/*
* Now we've decrypted the split master key, join
* it back together to get the actual master key.
*/
if (qcrypto_afsplit_decode(hash,
masterkeylen,
slot->stripes,
splitkey,
masterkey,
errp) < 0) {
goto cleanup;
}
/*
* We still don't know that the masterkey we got is valid,
* because we just blindly assumed the user's password
* was correct. This is where we now verify it. We are
* creating a hash of the master key using PBKDF and
* then comparing that to the hash stored in the key slot
* header
*/
if (qcrypto_pbkdf2(hash,
masterkey, masterkeylen,
luks->header.master_key_salt,
QCRYPTO_BLOCK_LUKS_SALT_LEN,
luks->header.master_key_iterations,
keydigest, G_N_ELEMENTS(keydigest),
errp) < 0) {
goto cleanup;
}
if (memcmp(keydigest, luks->header.master_key_digest,
QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
/* Success, we got the right master key */
ret = 1;
goto cleanup;
}
/* Fail, user's password was not valid for this key slot,
* tell caller to try another slot */
ret = 0;
cleanup:
qcrypto_ivgen_free(ivgen);
qcrypto_cipher_free(cipher);
g_free(splitkey);
g_free(possiblekey);
return ret;
}
