xref: /openbmc/qemu/crypto/block-luks.c (revision 87d67ffe)
1 /*
2  * QEMU Crypto block device encryption LUKS format
3  *
4  * Copyright (c) 2015-2016 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu/bswap.h"
24 
25 #include "block-luks.h"
26 #include "block-luks-priv.h"
27 
28 #include "crypto/hash.h"
29 #include "crypto/afsplit.h"
30 #include "crypto/pbkdf.h"
31 #include "crypto/secret.h"
32 #include "crypto/random.h"
33 #include "qemu/uuid.h"
34 
35 #include "qemu/coroutine.h"
36 #include "qemu/bitmap.h"
37 
38 /*
39  * Reference for the LUKS format implemented here is
40  *
41  *   docs/on-disk-format.pdf
42  *
43  * in 'cryptsetup' package source code
44  *
45  * This file implements the 1.2.1 specification, dated
46  * Oct 16, 2011.
47  */
48 
49 typedef struct QCryptoBlockLUKS QCryptoBlockLUKS;
50 
51 typedef struct QCryptoBlockLUKSNameMap QCryptoBlockLUKSNameMap;
52 struct QCryptoBlockLUKSNameMap {
53     const char *name;
54     int id;
55 };
56 
57 typedef struct QCryptoBlockLUKSCipherSizeMap QCryptoBlockLUKSCipherSizeMap;
58 struct QCryptoBlockLUKSCipherSizeMap {
59     uint32_t key_bytes;
60     int id;
61 };
62 typedef struct QCryptoBlockLUKSCipherNameMap QCryptoBlockLUKSCipherNameMap;
63 struct QCryptoBlockLUKSCipherNameMap {
64     const char *name;
65     const QCryptoBlockLUKSCipherSizeMap *sizes;
66 };
67 
68 
69 static const QCryptoBlockLUKSCipherSizeMap
70 qcrypto_block_luks_cipher_size_map_aes[] = {
71     { 16, QCRYPTO_CIPHER_ALG_AES_128 },
72     { 24, QCRYPTO_CIPHER_ALG_AES_192 },
73     { 32, QCRYPTO_CIPHER_ALG_AES_256 },
74     { 0, 0 },
75 };
76 
77 static const QCryptoBlockLUKSCipherSizeMap
78 qcrypto_block_luks_cipher_size_map_cast5[] = {
79     { 16, QCRYPTO_CIPHER_ALG_CAST5_128 },
80     { 0, 0 },
81 };
82 
83 static const QCryptoBlockLUKSCipherSizeMap
84 qcrypto_block_luks_cipher_size_map_serpent[] = {
85     { 16, QCRYPTO_CIPHER_ALG_SERPENT_128 },
86     { 24, QCRYPTO_CIPHER_ALG_SERPENT_192 },
87     { 32, QCRYPTO_CIPHER_ALG_SERPENT_256 },
88     { 0, 0 },
89 };
90 
91 static const QCryptoBlockLUKSCipherSizeMap
92 qcrypto_block_luks_cipher_size_map_twofish[] = {
93     { 16, QCRYPTO_CIPHER_ALG_TWOFISH_128 },
94     { 24, QCRYPTO_CIPHER_ALG_TWOFISH_192 },
95     { 32, QCRYPTO_CIPHER_ALG_TWOFISH_256 },
96     { 0, 0 },
97 };
98 
99 static const QCryptoBlockLUKSCipherNameMap
100 qcrypto_block_luks_cipher_name_map[] = {
101     { "aes", qcrypto_block_luks_cipher_size_map_aes },
102     { "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
103     { "serpent", qcrypto_block_luks_cipher_size_map_serpent },
104     { "twofish", qcrypto_block_luks_cipher_size_map_twofish },
105 };
106 
107 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
108 QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592);
109 
110 
111 struct QCryptoBlockLUKS {
112     QCryptoBlockLUKSHeader header;
113 
114     /* Main encryption algorithm used for encryption*/
115     QCryptoCipherAlgorithm cipher_alg;
116 
117     /* Mode of encryption for the selected encryption algorithm */
118     QCryptoCipherMode cipher_mode;
119 
120     /* Initialization vector generation algorithm */
121     QCryptoIVGenAlgorithm ivgen_alg;
122 
123     /* Hash algorithm used for IV generation*/
124     QCryptoHashAlgorithm ivgen_hash_alg;
125 
126     /*
127      * Encryption algorithm used for IV generation.
128      * Usually the same as main encryption algorithm
129      */
130     QCryptoCipherAlgorithm ivgen_cipher_alg;
131 
132     /* Hash algorithm used in pbkdf2 function */
133     QCryptoHashAlgorithm hash_alg;
134 
135     /* Name of the secret that was used to open the image */
136     char *secret;
137 };
138 
139 
140 static int qcrypto_block_luks_cipher_name_lookup(const char *name,
141                                                  QCryptoCipherMode mode,
142                                                  uint32_t key_bytes,
143                                                  Error **errp)
144 {
145     const QCryptoBlockLUKSCipherNameMap *map =
146         qcrypto_block_luks_cipher_name_map;
147     size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
148     size_t i, j;
149 
150     if (mode == QCRYPTO_CIPHER_MODE_XTS) {
151         key_bytes /= 2;
152     }
153 
154     for (i = 0; i < maplen; i++) {
155         if (!g_str_equal(map[i].name, name)) {
156             continue;
157         }
158         for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
159             if (map[i].sizes[j].key_bytes == key_bytes) {
160                 return map[i].sizes[j].id;
161             }
162         }
163     }
164 
165     error_setg(errp, "Algorithm '%s' with key size %d bytes not supported",
166                name, key_bytes);
167     return 0;
168 }
169 
170 static const char *
171 qcrypto_block_luks_cipher_alg_lookup(QCryptoCipherAlgorithm alg,
172                                      Error **errp)
173 {
174     const QCryptoBlockLUKSCipherNameMap *map =
175         qcrypto_block_luks_cipher_name_map;
176     size_t maplen = G_N_ELEMENTS(qcrypto_block_luks_cipher_name_map);
177     size_t i, j;
178     for (i = 0; i < maplen; i++) {
179         for (j = 0; j < map[i].sizes[j].key_bytes; j++) {
180             if (map[i].sizes[j].id == alg) {
181                 return map[i].name;
182             }
183         }
184     }
185 
186     error_setg(errp, "Algorithm '%s' not supported",
187                QCryptoCipherAlgorithm_str(alg));
188     return NULL;
189 }
190 
191 /* XXX replace with qapi_enum_parse() in future, when we can
192  * make that function emit a more friendly error message */
193 static int qcrypto_block_luks_name_lookup(const char *name,
194                                           const QEnumLookup *map,
195                                           const char *type,
196                                           Error **errp)
197 {
198     int ret = qapi_enum_parse(map, name, -1, NULL);
199 
200     if (ret < 0) {
201         error_setg(errp, "%s '%s' not supported", type, name);
202         return 0;
203     }
204     return ret;
205 }
206 
207 #define qcrypto_block_luks_cipher_mode_lookup(name, errp)               \
208     qcrypto_block_luks_name_lookup(name,                                \
209                                    &QCryptoCipherMode_lookup,           \
210                                    "Cipher mode",                       \
211                                    errp)
212 
213 #define qcrypto_block_luks_hash_name_lookup(name, errp)                 \
214     qcrypto_block_luks_name_lookup(name,                                \
215                                    &QCryptoHashAlgorithm_lookup,        \
216                                    "Hash algorithm",                    \
217                                    errp)
218 
219 #define qcrypto_block_luks_ivgen_name_lookup(name, errp)                \
220     qcrypto_block_luks_name_lookup(name,                                \
221                                    &QCryptoIVGenAlgorithm_lookup,       \
222                                    "IV generator",                      \
223                                    errp)
224 
225 
226 static bool
227 qcrypto_block_luks_has_format(const uint8_t *buf,
228                               size_t buf_size)
229 {
230     const QCryptoBlockLUKSHeader *luks_header = (const void *)buf;
231 
232     if (buf_size >= offsetof(QCryptoBlockLUKSHeader, cipher_name) &&
233         memcmp(luks_header->magic, qcrypto_block_luks_magic,
234                QCRYPTO_BLOCK_LUKS_MAGIC_LEN) == 0 &&
235         be16_to_cpu(luks_header->version) == QCRYPTO_BLOCK_LUKS_VERSION) {
236         return true;
237     } else {
238         return false;
239     }
240 }
241 
242 
243 /**
244  * Deal with a quirk of dm-crypt usage of ESSIV.
245  *
246  * When calculating ESSIV IVs, the cipher length used by ESSIV
247  * may be different from the cipher length used for the block
248  * encryption, becauses dm-crypt uses the hash digest length
249  * as the key size. ie, if you have AES 128 as the block cipher
250  * and SHA 256 as ESSIV hash, then ESSIV will use AES 256 as
251  * the cipher since that gets a key length matching the digest
252  * size, not AES 128 with truncated digest as might be imagined
253  */
254 static QCryptoCipherAlgorithm
255 qcrypto_block_luks_essiv_cipher(QCryptoCipherAlgorithm cipher,
256                                 QCryptoHashAlgorithm hash,
257                                 Error **errp)
258 {
259     size_t digestlen = qcrypto_hash_digest_len(hash);
260     size_t keylen = qcrypto_cipher_get_key_len(cipher);
261     if (digestlen == keylen) {
262         return cipher;
263     }
264 
265     switch (cipher) {
266     case QCRYPTO_CIPHER_ALG_AES_128:
267     case QCRYPTO_CIPHER_ALG_AES_192:
268     case QCRYPTO_CIPHER_ALG_AES_256:
269         if (digestlen == qcrypto_cipher_get_key_len(
270                 QCRYPTO_CIPHER_ALG_AES_128)) {
271             return QCRYPTO_CIPHER_ALG_AES_128;
272         } else if (digestlen == qcrypto_cipher_get_key_len(
273                        QCRYPTO_CIPHER_ALG_AES_192)) {
274             return QCRYPTO_CIPHER_ALG_AES_192;
275         } else if (digestlen == qcrypto_cipher_get_key_len(
276                        QCRYPTO_CIPHER_ALG_AES_256)) {
277             return QCRYPTO_CIPHER_ALG_AES_256;
278         } else {
279             error_setg(errp, "No AES cipher with key size %zu available",
280                        digestlen);
281             return 0;
282         }
283         break;
284     case QCRYPTO_CIPHER_ALG_SERPENT_128:
285     case QCRYPTO_CIPHER_ALG_SERPENT_192:
286     case QCRYPTO_CIPHER_ALG_SERPENT_256:
287         if (digestlen == qcrypto_cipher_get_key_len(
288                 QCRYPTO_CIPHER_ALG_SERPENT_128)) {
289             return QCRYPTO_CIPHER_ALG_SERPENT_128;
290         } else if (digestlen == qcrypto_cipher_get_key_len(
291                        QCRYPTO_CIPHER_ALG_SERPENT_192)) {
292             return QCRYPTO_CIPHER_ALG_SERPENT_192;
293         } else if (digestlen == qcrypto_cipher_get_key_len(
294                        QCRYPTO_CIPHER_ALG_SERPENT_256)) {
295             return QCRYPTO_CIPHER_ALG_SERPENT_256;
296         } else {
297             error_setg(errp, "No Serpent cipher with key size %zu available",
298                        digestlen);
299             return 0;
300         }
301         break;
302     case QCRYPTO_CIPHER_ALG_TWOFISH_128:
303     case QCRYPTO_CIPHER_ALG_TWOFISH_192:
304     case QCRYPTO_CIPHER_ALG_TWOFISH_256:
305         if (digestlen == qcrypto_cipher_get_key_len(
306                 QCRYPTO_CIPHER_ALG_TWOFISH_128)) {
307             return QCRYPTO_CIPHER_ALG_TWOFISH_128;
308         } else if (digestlen == qcrypto_cipher_get_key_len(
309                        QCRYPTO_CIPHER_ALG_TWOFISH_192)) {
310             return QCRYPTO_CIPHER_ALG_TWOFISH_192;
311         } else if (digestlen == qcrypto_cipher_get_key_len(
312                        QCRYPTO_CIPHER_ALG_TWOFISH_256)) {
313             return QCRYPTO_CIPHER_ALG_TWOFISH_256;
314         } else {
315             error_setg(errp, "No Twofish cipher with key size %zu available",
316                        digestlen);
317             return 0;
318         }
319         break;
320     default:
321         error_setg(errp, "Cipher %s not supported with essiv",
322                    QCryptoCipherAlgorithm_str(cipher));
323         return 0;
324     }
325 }
326 
327 /*
328  * Returns number of sectors needed to store the key material
329  * given number of anti forensic stripes
330  */
331 static int
332 qcrypto_block_luks_splitkeylen_sectors(const QCryptoBlockLUKS *luks,
333                                        unsigned int header_sectors,
334                                        unsigned int stripes)
335 {
336     /*
337      * This calculation doesn't match that shown in the spec,
338      * but instead follows the cryptsetup implementation.
339      */
340 
341     size_t splitkeylen = luks->header.master_key_len * stripes;
342 
343     /* First align the key material size to block size*/
344     size_t splitkeylen_sectors =
345         DIV_ROUND_UP(splitkeylen, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE);
346 
347     /* Then also align the key material size to the size of the header */
348     return ROUND_UP(splitkeylen_sectors, header_sectors);
349 }
350 
351 
352 void
353 qcrypto_block_luks_to_disk_endian(QCryptoBlockLUKSHeader *hdr)
354 {
355     size_t i;
356 
357     /*
358      * Everything on disk uses Big Endian (tm), so flip header fields
359      * before writing them
360      */
361     cpu_to_be16s(&hdr->version);
362     cpu_to_be32s(&hdr->payload_offset_sector);
363     cpu_to_be32s(&hdr->master_key_len);
364     cpu_to_be32s(&hdr->master_key_iterations);
365 
366     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
367         cpu_to_be32s(&hdr->key_slots[i].active);
368         cpu_to_be32s(&hdr->key_slots[i].iterations);
369         cpu_to_be32s(&hdr->key_slots[i].key_offset_sector);
370         cpu_to_be32s(&hdr->key_slots[i].stripes);
371     }
372 }
373 
374 void
375 qcrypto_block_luks_from_disk_endian(QCryptoBlockLUKSHeader *hdr)
376 {
377     size_t i;
378 
379     /*
380      * The header is always stored in big-endian format, so
381      * convert everything to native
382      */
383     be16_to_cpus(&hdr->version);
384     be32_to_cpus(&hdr->payload_offset_sector);
385     be32_to_cpus(&hdr->master_key_len);
386     be32_to_cpus(&hdr->master_key_iterations);
387 
388     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
389         be32_to_cpus(&hdr->key_slots[i].active);
390         be32_to_cpus(&hdr->key_slots[i].iterations);
391         be32_to_cpus(&hdr->key_slots[i].key_offset_sector);
392         be32_to_cpus(&hdr->key_slots[i].stripes);
393     }
394 }
395 
396 /*
397  * Stores the main LUKS header, taking care of endianess
398  */
399 static int
400 qcrypto_block_luks_store_header(QCryptoBlock *block,
401                                 QCryptoBlockWriteFunc writefunc,
402                                 void *opaque,
403                                 Error **errp)
404 {
405     const QCryptoBlockLUKS *luks = block->opaque;
406     Error *local_err = NULL;
407     g_autofree QCryptoBlockLUKSHeader *hdr_copy = NULL;
408 
409     /* Create a copy of the header */
410     hdr_copy = g_new0(QCryptoBlockLUKSHeader, 1);
411     memcpy(hdr_copy, &luks->header, sizeof(QCryptoBlockLUKSHeader));
412 
413     qcrypto_block_luks_to_disk_endian(hdr_copy);
414 
415     /* Write out the partition header and key slot headers */
416     writefunc(block, 0, (const uint8_t *)hdr_copy, sizeof(*hdr_copy),
417               opaque, &local_err);
418 
419     if (local_err) {
420         error_propagate(errp, local_err);
421         return -1;
422     }
423     return 0;
424 }
425 
426 /*
427  * Loads the main LUKS header,and byteswaps it to native endianess
428  * And run basic sanity checks on it
429  */
430 static int
431 qcrypto_block_luks_load_header(QCryptoBlock *block,
432                                 QCryptoBlockReadFunc readfunc,
433                                 void *opaque,
434                                 Error **errp)
435 {
436     int rv;
437     QCryptoBlockLUKS *luks = block->opaque;
438 
439     /*
440      * Read the entire LUKS header, minus the key material from
441      * the underlying device
442      */
443     rv = readfunc(block, 0,
444                   (uint8_t *)&luks->header,
445                   sizeof(luks->header),
446                   opaque,
447                   errp);
448     if (rv < 0) {
449         return rv;
450     }
451 
452     qcrypto_block_luks_from_disk_endian(&luks->header);
453 
454     return 0;
455 }
456 
457 /*
458  * Does basic sanity checks on the LUKS header
459  */
460 static int
461 qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
462 {
463     size_t i, j;
464 
465     unsigned int header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
466         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
467 
468     if (memcmp(luks->header.magic, qcrypto_block_luks_magic,
469                QCRYPTO_BLOCK_LUKS_MAGIC_LEN) != 0) {
470         error_setg(errp, "Volume is not in LUKS format");
471         return -1;
472     }
473 
474     if (luks->header.version != QCRYPTO_BLOCK_LUKS_VERSION) {
475         error_setg(errp, "LUKS version %" PRIu32 " is not supported",
476                    luks->header.version);
477         return -1;
478     }
479 
480     if (!memchr(luks->header.cipher_name, '\0',
481                 sizeof(luks->header.cipher_name))) {
482         error_setg(errp, "LUKS header cipher name is not NUL terminated");
483         return -1;
484     }
485 
486     if (!memchr(luks->header.cipher_mode, '\0',
487                 sizeof(luks->header.cipher_mode))) {
488         error_setg(errp, "LUKS header cipher mode is not NUL terminated");
489         return -1;
490     }
491 
492     if (!memchr(luks->header.hash_spec, '\0',
493                 sizeof(luks->header.hash_spec))) {
494         error_setg(errp, "LUKS header hash spec is not NUL terminated");
495         return -1;
496     }
497 
498     if (luks->header.payload_offset_sector <
499         DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
500                      QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
501         error_setg(errp, "LUKS payload is overlapping with the header");
502         return -1;
503     }
504 
505     if (luks->header.master_key_iterations == 0) {
506         error_setg(errp, "LUKS key iteration count is zero");
507         return -1;
508     }
509 
510     /* Check all keyslots for corruption  */
511     for (i = 0 ; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; i++) {
512 
513         const QCryptoBlockLUKSKeySlot *slot1 = &luks->header.key_slots[i];
514         unsigned int start1 = slot1->key_offset_sector;
515         unsigned int len1 =
516             qcrypto_block_luks_splitkeylen_sectors(luks,
517                                                    header_sectors,
518                                                    slot1->stripes);
519 
520         if (slot1->stripes != QCRYPTO_BLOCK_LUKS_STRIPES) {
521             error_setg(errp, "Keyslot %zu is corrupted (stripes %d != %d)",
522                        i, slot1->stripes, QCRYPTO_BLOCK_LUKS_STRIPES);
523             return -1;
524         }
525 
526         if (slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED &&
527             slot1->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
528             error_setg(errp,
529                        "Keyslot %zu state (active/disable) is corrupted", i);
530             return -1;
531         }
532 
533         if (slot1->active == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED &&
534             slot1->iterations == 0) {
535             error_setg(errp, "Keyslot %zu iteration count is zero", i);
536             return -1;
537         }
538 
539         if (start1 < DIV_ROUND_UP(QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET,
540                                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE)) {
541             error_setg(errp,
542                        "Keyslot %zu is overlapping with the LUKS header",
543                        i);
544             return -1;
545         }
546 
547         if (start1 + len1 > luks->header.payload_offset_sector) {
548             error_setg(errp,
549                        "Keyslot %zu is overlapping with the encrypted payload",
550                        i);
551             return -1;
552         }
553 
554         for (j = i + 1 ; j < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS ; j++) {
555             const QCryptoBlockLUKSKeySlot *slot2 = &luks->header.key_slots[j];
556             unsigned int start2 = slot2->key_offset_sector;
557             unsigned int len2 =
558                 qcrypto_block_luks_splitkeylen_sectors(luks,
559                                                        header_sectors,
560                                                        slot2->stripes);
561 
562             if (start1 + len1 > start2 && start2 + len2 > start1) {
563                 error_setg(errp,
564                            "Keyslots %zu and %zu are overlapping in the header",
565                            i, j);
566                 return -1;
567             }
568         }
569 
570     }
571     return 0;
572 }
573 
574 /*
575  * Parses the crypto parameters that are stored in the LUKS header
576  */
577 
578 static int
579 qcrypto_block_luks_parse_header(QCryptoBlockLUKS *luks, Error **errp)
580 {
581     g_autofree char *cipher_mode = g_strdup(luks->header.cipher_mode);
582     char *ivgen_name, *ivhash_name;
583     Error *local_err = NULL;
584 
585     /*
586      * The cipher_mode header contains a string that we have
587      * to further parse, of the format
588      *
589      *    <cipher-mode>-<iv-generator>[:<iv-hash>]
590      *
591      * eg  cbc-essiv:sha256, cbc-plain64
592      */
593     ivgen_name = strchr(cipher_mode, '-');
594     if (!ivgen_name) {
595         error_setg(errp, "Unexpected cipher mode string format '%s'",
596                    luks->header.cipher_mode);
597         return -1;
598     }
599     *ivgen_name = '\0';
600     ivgen_name++;
601 
602     ivhash_name = strchr(ivgen_name, ':');
603     if (!ivhash_name) {
604         luks->ivgen_hash_alg = 0;
605     } else {
606         *ivhash_name = '\0';
607         ivhash_name++;
608 
609         luks->ivgen_hash_alg = qcrypto_block_luks_hash_name_lookup(ivhash_name,
610                                                                    &local_err);
611         if (local_err) {
612             error_propagate(errp, local_err);
613             return -1;
614         }
615     }
616 
617     luks->cipher_mode = qcrypto_block_luks_cipher_mode_lookup(cipher_mode,
618                                                               &local_err);
619     if (local_err) {
620         error_propagate(errp, local_err);
621         return -1;
622     }
623 
624     luks->cipher_alg =
625             qcrypto_block_luks_cipher_name_lookup(luks->header.cipher_name,
626                                                   luks->cipher_mode,
627                                                   luks->header.master_key_len,
628                                                   &local_err);
629     if (local_err) {
630         error_propagate(errp, local_err);
631         return -1;
632     }
633 
634     luks->hash_alg =
635             qcrypto_block_luks_hash_name_lookup(luks->header.hash_spec,
636                                                 &local_err);
637     if (local_err) {
638         error_propagate(errp, local_err);
639         return -1;
640     }
641 
642     luks->ivgen_alg = qcrypto_block_luks_ivgen_name_lookup(ivgen_name,
643                                                            &local_err);
644     if (local_err) {
645         error_propagate(errp, local_err);
646         return -1;
647     }
648 
649     if (luks->ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
650         if (!ivhash_name) {
651             error_setg(errp, "Missing IV generator hash specification");
652             return -1;
653         }
654         luks->ivgen_cipher_alg =
655                 qcrypto_block_luks_essiv_cipher(luks->cipher_alg,
656                                                 luks->ivgen_hash_alg,
657                                                 &local_err);
658         if (local_err) {
659             error_propagate(errp, local_err);
660             return -1;
661         }
662     } else {
663 
664         /*
665          * Note we parsed the ivhash_name earlier in the cipher_mode
666          * spec string even with plain/plain64 ivgens, but we
667          * will ignore it, since it is irrelevant for these ivgens.
668          * This is for compat with dm-crypt which will silently
669          * ignore hash names with these ivgens rather than report
670          * an error about the invalid usage
671          */
672         luks->ivgen_cipher_alg = luks->cipher_alg;
673     }
674     return 0;
675 }
676 
677 /*
678  * Given a key slot,  user password, and the master key,
679  * will store the encrypted master key there, and update the
680  * in-memory header. User must then write the in-memory header
681  *
682  * Returns:
683  *    0 if the keyslot was written successfully
684  *      with the provided password
685  *   -1 if a fatal error occurred while storing the key
686  */
687 static int
688 qcrypto_block_luks_store_key(QCryptoBlock *block,
689                              unsigned int slot_idx,
690                              const char *password,
691                              uint8_t *masterkey,
692                              uint64_t iter_time,
693                              QCryptoBlockWriteFunc writefunc,
694                              void *opaque,
695                              Error **errp)
696 {
697     QCryptoBlockLUKS *luks = block->opaque;
698     QCryptoBlockLUKSKeySlot *slot;
699     g_autofree uint8_t *splitkey = NULL;
700     size_t splitkeylen;
701     g_autofree uint8_t *slotkey = NULL;
702     g_autoptr(QCryptoCipher) cipher = NULL;
703     g_autoptr(QCryptoIVGen) ivgen = NULL;
704     Error *local_err = NULL;
705     uint64_t iters;
706     int ret = -1;
707 
708     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
709     slot = &luks->header.key_slots[slot_idx];
710     if (qcrypto_random_bytes(slot->salt,
711                              QCRYPTO_BLOCK_LUKS_SALT_LEN,
712                              errp) < 0) {
713         goto cleanup;
714     }
715 
716     splitkeylen = luks->header.master_key_len * slot->stripes;
717 
718     /*
719      * Determine how many iterations are required to
720      * hash the user password while consuming 1 second of compute
721      * time
722      */
723     iters = qcrypto_pbkdf2_count_iters(luks->hash_alg,
724                                        (uint8_t *)password, strlen(password),
725                                        slot->salt,
726                                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
727                                        luks->header.master_key_len,
728                                        &local_err);
729     if (local_err) {
730         error_propagate(errp, local_err);
731         goto cleanup;
732     }
733 
734     if (iters > (ULLONG_MAX / iter_time)) {
735         error_setg_errno(errp, ERANGE,
736                          "PBKDF iterations %llu too large to scale",
737                          (unsigned long long)iters);
738         goto cleanup;
739     }
740 
741     /* iter_time was in millis, but count_iters reported for secs */
742     iters = iters * iter_time / 1000;
743 
744     if (iters > UINT32_MAX) {
745         error_setg_errno(errp, ERANGE,
746                          "PBKDF iterations %llu larger than %u",
747                          (unsigned long long)iters, UINT32_MAX);
748         goto cleanup;
749     }
750 
751     slot->iterations =
752         MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_SLOT_KEY_ITERS);
753 
754 
755     /*
756      * Generate a key that we'll use to encrypt the master
757      * key, from the user's password
758      */
759     slotkey = g_new0(uint8_t, luks->header.master_key_len);
760     if (qcrypto_pbkdf2(luks->hash_alg,
761                        (uint8_t *)password, strlen(password),
762                        slot->salt,
763                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
764                        slot->iterations,
765                        slotkey, luks->header.master_key_len,
766                        errp) < 0) {
767         goto cleanup;
768     }
769 
770 
771     /*
772      * Setup the encryption objects needed to encrypt the
773      * master key material
774      */
775     cipher = qcrypto_cipher_new(luks->cipher_alg,
776                                 luks->cipher_mode,
777                                 slotkey, luks->header.master_key_len,
778                                 errp);
779     if (!cipher) {
780         goto cleanup;
781     }
782 
783     ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
784                               luks->ivgen_cipher_alg,
785                               luks->ivgen_hash_alg,
786                               slotkey, luks->header.master_key_len,
787                               errp);
788     if (!ivgen) {
789         goto cleanup;
790     }
791 
792     /*
793      * Before storing the master key, we need to vastly
794      * increase its size, as protection against forensic
795      * disk data recovery
796      */
797     splitkey = g_new0(uint8_t, splitkeylen);
798 
799     if (qcrypto_afsplit_encode(luks->hash_alg,
800                                luks->header.master_key_len,
801                                slot->stripes,
802                                masterkey,
803                                splitkey,
804                                errp) < 0) {
805         goto cleanup;
806     }
807 
808     /*
809      * Now we encrypt the split master key with the key generated
810      * from the user's password, before storing it
811      */
812     if (qcrypto_block_cipher_encrypt_helper(cipher, block->niv, ivgen,
813                                             QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
814                                             0,
815                                             splitkey,
816                                             splitkeylen,
817                                             errp) < 0) {
818         goto cleanup;
819     }
820 
821     /* Write out the slot's master key material. */
822     if (writefunc(block,
823                   slot->key_offset_sector *
824                   QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
825                   splitkey, splitkeylen,
826                   opaque,
827                   errp) < 0) {
828         goto cleanup;
829     }
830 
831     slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
832 
833     if (qcrypto_block_luks_store_header(block,  writefunc, opaque, errp) < 0) {
834         goto cleanup;
835     }
836 
837     ret = 0;
838 
839 cleanup:
840     if (slotkey) {
841         memset(slotkey, 0, luks->header.master_key_len);
842     }
843     if (splitkey) {
844         memset(splitkey, 0, splitkeylen);
845     }
846     return ret;
847 }
848 
849 /*
850  * Given a key slot, and user password, this will attempt to unlock
851  * the master encryption key from the key slot.
852  *
853  * Returns:
854  *    0 if the key slot is disabled, or key could not be decrypted
855  *      with the provided password
856  *    1 if the key slot is enabled, and key decrypted successfully
857  *      with the provided password
858  *   -1 if a fatal error occurred loading the key
859  */
860 static int
861 qcrypto_block_luks_load_key(QCryptoBlock *block,
862                             size_t slot_idx,
863                             const char *password,
864                             uint8_t *masterkey,
865                             QCryptoBlockReadFunc readfunc,
866                             void *opaque,
867                             Error **errp)
868 {
869     QCryptoBlockLUKS *luks = block->opaque;
870     const QCryptoBlockLUKSKeySlot *slot;
871     g_autofree uint8_t *splitkey = NULL;
872     size_t splitkeylen;
873     g_autofree uint8_t *possiblekey = NULL;
874     int rv;
875     g_autoptr(QCryptoCipher) cipher = NULL;
876     uint8_t keydigest[QCRYPTO_BLOCK_LUKS_DIGEST_LEN];
877     g_autoptr(QCryptoIVGen) ivgen = NULL;
878     size_t niv;
879 
880     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
881     slot = &luks->header.key_slots[slot_idx];
882     if (slot->active != QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED) {
883         return 0;
884     }
885 
886     splitkeylen = luks->header.master_key_len * slot->stripes;
887     splitkey = g_new0(uint8_t, splitkeylen);
888     possiblekey = g_new0(uint8_t, luks->header.master_key_len);
889 
890     /*
891      * The user password is used to generate a (possible)
892      * decryption key. This may or may not successfully
893      * decrypt the master key - we just blindly assume
894      * the key is correct and validate the results of
895      * decryption later.
896      */
897     if (qcrypto_pbkdf2(luks->hash_alg,
898                        (const uint8_t *)password, strlen(password),
899                        slot->salt, QCRYPTO_BLOCK_LUKS_SALT_LEN,
900                        slot->iterations,
901                        possiblekey, luks->header.master_key_len,
902                        errp) < 0) {
903         return -1;
904     }
905 
906     /*
907      * We need to read the master key material from the
908      * LUKS key material header. What we're reading is
909      * not the raw master key, but rather the data after
910      * it has been passed through AFSplit and the result
911      * then encrypted.
912      */
913     rv = readfunc(block,
914                   slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
915                   splitkey, splitkeylen,
916                   opaque,
917                   errp);
918     if (rv < 0) {
919         return -1;
920     }
921 
922 
923     /* Setup the cipher/ivgen that we'll use to try to decrypt
924      * the split master key material */
925     cipher = qcrypto_cipher_new(luks->cipher_alg,
926                                 luks->cipher_mode,
927                                 possiblekey,
928                                 luks->header.master_key_len,
929                                 errp);
930     if (!cipher) {
931         return -1;
932     }
933 
934     niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
935                                     luks->cipher_mode);
936 
937     ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
938                               luks->ivgen_cipher_alg,
939                               luks->ivgen_hash_alg,
940                               possiblekey,
941                               luks->header.master_key_len,
942                               errp);
943     if (!ivgen) {
944         return -1;
945     }
946 
947 
948     /*
949      * The master key needs to be decrypted in the same
950      * way that the block device payload will be decrypted
951      * later. In particular we'll be using the IV generator
952      * to reset the encryption cipher every time the master
953      * key crosses a sector boundary.
954      */
955     if (qcrypto_block_cipher_decrypt_helper(cipher,
956                                             niv,
957                                             ivgen,
958                                             QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
959                                             0,
960                                             splitkey,
961                                             splitkeylen,
962                                             errp) < 0) {
963         return -1;
964     }
965 
966     /*
967      * Now we've decrypted the split master key, join
968      * it back together to get the actual master key.
969      */
970     if (qcrypto_afsplit_decode(luks->hash_alg,
971                                luks->header.master_key_len,
972                                slot->stripes,
973                                splitkey,
974                                masterkey,
975                                errp) < 0) {
976         return -1;
977     }
978 
979 
980     /*
981      * We still don't know that the masterkey we got is valid,
982      * because we just blindly assumed the user's password
983      * was correct. This is where we now verify it. We are
984      * creating a hash of the master key using PBKDF and
985      * then comparing that to the hash stored in the key slot
986      * header
987      */
988     if (qcrypto_pbkdf2(luks->hash_alg,
989                        masterkey,
990                        luks->header.master_key_len,
991                        luks->header.master_key_salt,
992                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
993                        luks->header.master_key_iterations,
994                        keydigest,
995                        G_N_ELEMENTS(keydigest),
996                        errp) < 0) {
997         return -1;
998     }
999 
1000     if (memcmp(keydigest, luks->header.master_key_digest,
1001                QCRYPTO_BLOCK_LUKS_DIGEST_LEN) == 0) {
1002         /* Success, we got the right master key */
1003         return 1;
1004     }
1005 
1006     /* Fail, user's password was not valid for this key slot,
1007      * tell caller to try another slot */
1008     return 0;
1009 }
1010 
1011 
1012 /*
1013  * Given a user password, this will iterate over all key
1014  * slots and try to unlock each active key slot using the
1015  * password until it successfully obtains a master key.
1016  *
1017  * Returns 0 if a key was loaded, -1 if no keys could be loaded
1018  */
1019 static int
1020 qcrypto_block_luks_find_key(QCryptoBlock *block,
1021                             const char *password,
1022                             uint8_t *masterkey,
1023                             QCryptoBlockReadFunc readfunc,
1024                             void *opaque,
1025                             Error **errp)
1026 {
1027     size_t i;
1028     int rv;
1029 
1030     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1031         rv = qcrypto_block_luks_load_key(block,
1032                                          i,
1033                                          password,
1034                                          masterkey,
1035                                          readfunc,
1036                                          opaque,
1037                                          errp);
1038         if (rv < 0) {
1039             goto error;
1040         }
1041         if (rv == 1) {
1042             return 0;
1043         }
1044     }
1045 
1046     error_setg(errp, "Invalid password, cannot unlock any keyslot");
1047  error:
1048     return -1;
1049 }
1050 
1051 /*
1052  * Returns true if a slot i is marked as active
1053  * (contains encrypted copy of the master key)
1054  */
1055 static bool
1056 qcrypto_block_luks_slot_active(const QCryptoBlockLUKS *luks,
1057                                unsigned int slot_idx)
1058 {
1059     uint32_t val;
1060 
1061     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1062     val = luks->header.key_slots[slot_idx].active;
1063     return val == QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1064 }
1065 
1066 /*
1067  * Returns the number of slots that are marked as active
1068  * (slots that contain encrypted copy of the master key)
1069  */
1070 static unsigned int
1071 qcrypto_block_luks_count_active_slots(const QCryptoBlockLUKS *luks)
1072 {
1073     size_t i = 0;
1074     unsigned int ret = 0;
1075 
1076     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1077         if (qcrypto_block_luks_slot_active(luks, i)) {
1078             ret++;
1079         }
1080     }
1081     return ret;
1082 }
1083 
1084 /*
1085  * Finds first key slot which is not active
1086  * Returns the key slot index, or -1 if it doesn't exist
1087  */
1088 static int
1089 qcrypto_block_luks_find_free_keyslot(const QCryptoBlockLUKS *luks)
1090 {
1091     size_t i;
1092 
1093     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1094         if (!qcrypto_block_luks_slot_active(luks, i)) {
1095             return i;
1096         }
1097     }
1098     return -1;
1099 }
1100 
1101 /*
1102  * Erases an keyslot given its index
1103  * Returns:
1104  *    0 if the keyslot was erased successfully
1105  *   -1 if a error occurred while erasing the keyslot
1106  *
1107  */
1108 static int
1109 qcrypto_block_luks_erase_key(QCryptoBlock *block,
1110                              unsigned int slot_idx,
1111                              QCryptoBlockWriteFunc writefunc,
1112                              void *opaque,
1113                              Error **errp)
1114 {
1115     QCryptoBlockLUKS *luks = block->opaque;
1116     QCryptoBlockLUKSKeySlot *slot;
1117     g_autofree uint8_t *garbagesplitkey = NULL;
1118     size_t splitkeylen;
1119     size_t i;
1120     Error *local_err = NULL;
1121     int ret;
1122 
1123     assert(slot_idx < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1124     slot = &luks->header.key_slots[slot_idx];
1125 
1126     splitkeylen = luks->header.master_key_len * slot->stripes;
1127     assert(splitkeylen > 0);
1128 
1129     garbagesplitkey = g_new0(uint8_t, splitkeylen);
1130 
1131     /* Reset the key slot header */
1132     memset(slot->salt, 0, QCRYPTO_BLOCK_LUKS_SALT_LEN);
1133     slot->iterations = 0;
1134     slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1135 
1136     ret = qcrypto_block_luks_store_header(block, writefunc,
1137                                           opaque, &local_err);
1138 
1139     if (ret < 0) {
1140         error_propagate(errp, local_err);
1141     }
1142     /*
1143      * Now try to erase the key material, even if the header
1144      * update failed
1145      */
1146     for (i = 0; i < QCRYPTO_BLOCK_LUKS_ERASE_ITERATIONS; i++) {
1147         if (qcrypto_random_bytes(garbagesplitkey,
1148                                  splitkeylen, &local_err) < 0) {
1149             /*
1150              * If we failed to get the random data, still write
1151              * at least zeros to the key slot at least once
1152              */
1153             error_propagate(errp, local_err);
1154 
1155             if (i > 0) {
1156                 return -1;
1157             }
1158         }
1159         if (writefunc(block,
1160                       slot->key_offset_sector * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1161                       garbagesplitkey,
1162                       splitkeylen,
1163                       opaque,
1164                       &local_err) < 0) {
1165             error_propagate(errp, local_err);
1166             return -1;
1167         }
1168     }
1169     return ret;
1170 }
1171 
1172 static int
1173 qcrypto_block_luks_open(QCryptoBlock *block,
1174                         QCryptoBlockOpenOptions *options,
1175                         const char *optprefix,
1176                         QCryptoBlockReadFunc readfunc,
1177                         void *opaque,
1178                         unsigned int flags,
1179                         size_t n_threads,
1180                         Error **errp)
1181 {
1182     QCryptoBlockLUKS *luks = NULL;
1183     g_autofree uint8_t *masterkey = NULL;
1184     g_autofree char *password = NULL;
1185 
1186     if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1187         if (!options->u.luks.key_secret) {
1188             error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1189                        optprefix ? optprefix : "");
1190             return -1;
1191         }
1192         password = qcrypto_secret_lookup_as_utf8(
1193             options->u.luks.key_secret, errp);
1194         if (!password) {
1195             return -1;
1196         }
1197     }
1198 
1199     luks = g_new0(QCryptoBlockLUKS, 1);
1200     block->opaque = luks;
1201     luks->secret = g_strdup(options->u.luks.key_secret);
1202 
1203     if (qcrypto_block_luks_load_header(block, readfunc, opaque, errp) < 0) {
1204         goto fail;
1205     }
1206 
1207     if (qcrypto_block_luks_check_header(luks, errp) < 0) {
1208         goto fail;
1209     }
1210 
1211     if (qcrypto_block_luks_parse_header(luks, errp) < 0) {
1212         goto fail;
1213     }
1214 
1215     if (!(flags & QCRYPTO_BLOCK_OPEN_NO_IO)) {
1216         /* Try to find which key slot our password is valid for
1217          * and unlock the master key from that slot.
1218          */
1219 
1220         masterkey = g_new0(uint8_t, luks->header.master_key_len);
1221 
1222         if (qcrypto_block_luks_find_key(block,
1223                                         password,
1224                                         masterkey,
1225                                         readfunc, opaque,
1226                                         errp) < 0) {
1227             goto fail;
1228         }
1229 
1230         /* We have a valid master key now, so can setup the
1231          * block device payload decryption objects
1232          */
1233         block->kdfhash = luks->hash_alg;
1234         block->niv = qcrypto_cipher_get_iv_len(luks->cipher_alg,
1235                                                luks->cipher_mode);
1236 
1237         block->ivgen = qcrypto_ivgen_new(luks->ivgen_alg,
1238                                          luks->ivgen_cipher_alg,
1239                                          luks->ivgen_hash_alg,
1240                                          masterkey,
1241                                          luks->header.master_key_len,
1242                                          errp);
1243         if (!block->ivgen) {
1244             goto fail;
1245         }
1246 
1247         if (qcrypto_block_init_cipher(block,
1248                                       luks->cipher_alg,
1249                                       luks->cipher_mode,
1250                                       masterkey,
1251                                       luks->header.master_key_len,
1252                                       n_threads,
1253                                       errp) < 0) {
1254             goto fail;
1255         }
1256     }
1257 
1258     block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1259     block->payload_offset = luks->header.payload_offset_sector *
1260         block->sector_size;
1261 
1262     return 0;
1263 
1264  fail:
1265     qcrypto_block_free_cipher(block);
1266     qcrypto_ivgen_free(block->ivgen);
1267     g_free(luks->secret);
1268     g_free(luks);
1269     return -1;
1270 }
1271 
1272 
1273 static void
1274 qcrypto_block_luks_uuid_gen(uint8_t *uuidstr)
1275 {
1276     QemuUUID uuid;
1277     qemu_uuid_generate(&uuid);
1278     qemu_uuid_unparse(&uuid, (char *)uuidstr);
1279 }
1280 
1281 static int
1282 qcrypto_block_luks_create(QCryptoBlock *block,
1283                           QCryptoBlockCreateOptions *options,
1284                           const char *optprefix,
1285                           QCryptoBlockInitFunc initfunc,
1286                           QCryptoBlockWriteFunc writefunc,
1287                           void *opaque,
1288                           Error **errp)
1289 {
1290     QCryptoBlockLUKS *luks;
1291     QCryptoBlockCreateOptionsLUKS luks_opts;
1292     Error *local_err = NULL;
1293     g_autofree uint8_t *masterkey = NULL;
1294     size_t header_sectors;
1295     size_t split_key_sectors;
1296     size_t i;
1297     g_autofree char *password = NULL;
1298     const char *cipher_alg;
1299     const char *cipher_mode;
1300     const char *ivgen_alg;
1301     const char *ivgen_hash_alg = NULL;
1302     const char *hash_alg;
1303     g_autofree char *cipher_mode_spec = NULL;
1304     uint64_t iters;
1305 
1306     memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
1307     if (!luks_opts.has_iter_time) {
1308         luks_opts.iter_time = QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1309     }
1310     if (!luks_opts.has_cipher_alg) {
1311         luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
1312     }
1313     if (!luks_opts.has_cipher_mode) {
1314         luks_opts.cipher_mode = QCRYPTO_CIPHER_MODE_XTS;
1315     }
1316     if (!luks_opts.has_ivgen_alg) {
1317         luks_opts.ivgen_alg = QCRYPTO_IVGEN_ALG_PLAIN64;
1318     }
1319     if (!luks_opts.has_hash_alg) {
1320         luks_opts.hash_alg = QCRYPTO_HASH_ALG_SHA256;
1321     }
1322     if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1323         if (!luks_opts.has_ivgen_hash_alg) {
1324             luks_opts.ivgen_hash_alg = QCRYPTO_HASH_ALG_SHA256;
1325             luks_opts.has_ivgen_hash_alg = true;
1326         }
1327     }
1328 
1329     luks = g_new0(QCryptoBlockLUKS, 1);
1330     block->opaque = luks;
1331 
1332     luks->cipher_alg = luks_opts.cipher_alg;
1333     luks->cipher_mode = luks_opts.cipher_mode;
1334     luks->ivgen_alg = luks_opts.ivgen_alg;
1335     luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg;
1336     luks->hash_alg = luks_opts.hash_alg;
1337 
1338 
1339     /* Note we're allowing ivgen_hash_alg to be set even for
1340      * non-essiv iv generators that don't need a hash. It will
1341      * be silently ignored, for compatibility with dm-crypt */
1342 
1343     if (!options->u.luks.key_secret) {
1344         error_setg(errp, "Parameter '%skey-secret' is required for cipher",
1345                    optprefix ? optprefix : "");
1346         goto error;
1347     }
1348     luks->secret = g_strdup(options->u.luks.key_secret);
1349 
1350     password = qcrypto_secret_lookup_as_utf8(luks_opts.key_secret, errp);
1351     if (!password) {
1352         goto error;
1353     }
1354 
1355 
1356     memcpy(luks->header.magic, qcrypto_block_luks_magic,
1357            QCRYPTO_BLOCK_LUKS_MAGIC_LEN);
1358 
1359     /* We populate the header in native endianness initially and
1360      * then convert everything to big endian just before writing
1361      * it out to disk
1362      */
1363     luks->header.version = QCRYPTO_BLOCK_LUKS_VERSION;
1364     qcrypto_block_luks_uuid_gen(luks->header.uuid);
1365 
1366     cipher_alg = qcrypto_block_luks_cipher_alg_lookup(luks_opts.cipher_alg,
1367                                                       errp);
1368     if (!cipher_alg) {
1369         goto error;
1370     }
1371 
1372     cipher_mode = QCryptoCipherMode_str(luks_opts.cipher_mode);
1373     ivgen_alg = QCryptoIVGenAlgorithm_str(luks_opts.ivgen_alg);
1374     if (luks_opts.has_ivgen_hash_alg) {
1375         ivgen_hash_alg = QCryptoHashAlgorithm_str(luks_opts.ivgen_hash_alg);
1376         cipher_mode_spec = g_strdup_printf("%s-%s:%s", cipher_mode, ivgen_alg,
1377                                            ivgen_hash_alg);
1378     } else {
1379         cipher_mode_spec = g_strdup_printf("%s-%s", cipher_mode, ivgen_alg);
1380     }
1381     hash_alg = QCryptoHashAlgorithm_str(luks_opts.hash_alg);
1382 
1383 
1384     if (strlen(cipher_alg) >= QCRYPTO_BLOCK_LUKS_CIPHER_NAME_LEN) {
1385         error_setg(errp, "Cipher name '%s' is too long for LUKS header",
1386                    cipher_alg);
1387         goto error;
1388     }
1389     if (strlen(cipher_mode_spec) >= QCRYPTO_BLOCK_LUKS_CIPHER_MODE_LEN) {
1390         error_setg(errp, "Cipher mode '%s' is too long for LUKS header",
1391                    cipher_mode_spec);
1392         goto error;
1393     }
1394     if (strlen(hash_alg) >= QCRYPTO_BLOCK_LUKS_HASH_SPEC_LEN) {
1395         error_setg(errp, "Hash name '%s' is too long for LUKS header",
1396                    hash_alg);
1397         goto error;
1398     }
1399 
1400     if (luks_opts.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1401         luks->ivgen_cipher_alg =
1402                 qcrypto_block_luks_essiv_cipher(luks_opts.cipher_alg,
1403                                                 luks_opts.ivgen_hash_alg,
1404                                                 &local_err);
1405         if (local_err) {
1406             error_propagate(errp, local_err);
1407             goto error;
1408         }
1409     } else {
1410         luks->ivgen_cipher_alg = luks_opts.cipher_alg;
1411     }
1412 
1413     strcpy(luks->header.cipher_name, cipher_alg);
1414     strcpy(luks->header.cipher_mode, cipher_mode_spec);
1415     strcpy(luks->header.hash_spec, hash_alg);
1416 
1417     luks->header.master_key_len =
1418         qcrypto_cipher_get_key_len(luks_opts.cipher_alg);
1419 
1420     if (luks_opts.cipher_mode == QCRYPTO_CIPHER_MODE_XTS) {
1421         luks->header.master_key_len *= 2;
1422     }
1423 
1424     /* Generate the salt used for hashing the master key
1425      * with PBKDF later
1426      */
1427     if (qcrypto_random_bytes(luks->header.master_key_salt,
1428                              QCRYPTO_BLOCK_LUKS_SALT_LEN,
1429                              errp) < 0) {
1430         goto error;
1431     }
1432 
1433     /* Generate random master key */
1434     masterkey = g_new0(uint8_t, luks->header.master_key_len);
1435     if (qcrypto_random_bytes(masterkey,
1436                              luks->header.master_key_len, errp) < 0) {
1437         goto error;
1438     }
1439 
1440 
1441     /* Setup the block device payload encryption objects */
1442     if (qcrypto_block_init_cipher(block, luks_opts.cipher_alg,
1443                                   luks_opts.cipher_mode, masterkey,
1444                                   luks->header.master_key_len, 1, errp) < 0) {
1445         goto error;
1446     }
1447 
1448     block->kdfhash = luks_opts.hash_alg;
1449     block->niv = qcrypto_cipher_get_iv_len(luks_opts.cipher_alg,
1450                                            luks_opts.cipher_mode);
1451     block->ivgen = qcrypto_ivgen_new(luks_opts.ivgen_alg,
1452                                      luks->ivgen_cipher_alg,
1453                                      luks_opts.ivgen_hash_alg,
1454                                      masterkey, luks->header.master_key_len,
1455                                      errp);
1456 
1457     if (!block->ivgen) {
1458         goto error;
1459     }
1460 
1461 
1462     /* Determine how many iterations we need to hash the master
1463      * key, in order to have 1 second of compute time used
1464      */
1465     iters = qcrypto_pbkdf2_count_iters(luks_opts.hash_alg,
1466                                        masterkey, luks->header.master_key_len,
1467                                        luks->header.master_key_salt,
1468                                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
1469                                        QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1470                                        &local_err);
1471     if (local_err) {
1472         error_propagate(errp, local_err);
1473         goto error;
1474     }
1475 
1476     if (iters > (ULLONG_MAX / luks_opts.iter_time)) {
1477         error_setg_errno(errp, ERANGE,
1478                          "PBKDF iterations %llu too large to scale",
1479                          (unsigned long long)iters);
1480         goto error;
1481     }
1482 
1483     /* iter_time was in millis, but count_iters reported for secs */
1484     iters = iters * luks_opts.iter_time / 1000;
1485 
1486     /* Why /= 8 ?  That matches cryptsetup, but there's no
1487      * explanation why they chose /= 8... Probably so that
1488      * if all 8 keyslots are active we only spend 1 second
1489      * in total time to check all keys */
1490     iters /= 8;
1491     if (iters > UINT32_MAX) {
1492         error_setg_errno(errp, ERANGE,
1493                          "PBKDF iterations %llu larger than %u",
1494                          (unsigned long long)iters, UINT32_MAX);
1495         goto error;
1496     }
1497     iters = MAX(iters, QCRYPTO_BLOCK_LUKS_MIN_MASTER_KEY_ITERS);
1498     luks->header.master_key_iterations = iters;
1499 
1500     /* Hash the master key, saving the result in the LUKS
1501      * header. This hash is used when opening the encrypted
1502      * device to verify that the user password unlocked a
1503      * valid master key
1504      */
1505     if (qcrypto_pbkdf2(luks_opts.hash_alg,
1506                        masterkey, luks->header.master_key_len,
1507                        luks->header.master_key_salt,
1508                        QCRYPTO_BLOCK_LUKS_SALT_LEN,
1509                        luks->header.master_key_iterations,
1510                        luks->header.master_key_digest,
1511                        QCRYPTO_BLOCK_LUKS_DIGEST_LEN,
1512                        errp) < 0) {
1513         goto error;
1514     }
1515 
1516     /* start with the sector that follows the header*/
1517     header_sectors = QCRYPTO_BLOCK_LUKS_KEY_SLOT_OFFSET /
1518         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1519 
1520     split_key_sectors =
1521         qcrypto_block_luks_splitkeylen_sectors(luks,
1522                                                header_sectors,
1523                                                QCRYPTO_BLOCK_LUKS_STRIPES);
1524 
1525     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1526         QCryptoBlockLUKSKeySlot *slot = &luks->header.key_slots[i];
1527         slot->active = QCRYPTO_BLOCK_LUKS_KEY_SLOT_DISABLED;
1528 
1529         slot->key_offset_sector = header_sectors + i * split_key_sectors;
1530         slot->stripes = QCRYPTO_BLOCK_LUKS_STRIPES;
1531     }
1532 
1533     /* The total size of the LUKS headers is the partition header + key
1534      * slot headers, rounded up to the nearest sector, combined with
1535      * the size of each master key material region, also rounded up
1536      * to the nearest sector */
1537     luks->header.payload_offset_sector = header_sectors +
1538             QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS * split_key_sectors;
1539 
1540     block->sector_size = QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1541     block->payload_offset = luks->header.payload_offset_sector *
1542         block->sector_size;
1543 
1544     /* Reserve header space to match payload offset */
1545     initfunc(block, block->payload_offset, opaque, &local_err);
1546     if (local_err) {
1547         error_propagate(errp, local_err);
1548         goto error;
1549     }
1550 
1551 
1552     /* populate the slot 0 with the password encrypted master key*/
1553     /* This will also store the header */
1554     if (qcrypto_block_luks_store_key(block,
1555                                      0,
1556                                      password,
1557                                      masterkey,
1558                                      luks_opts.iter_time,
1559                                      writefunc,
1560                                      opaque,
1561                                      errp) < 0) {
1562         goto error;
1563     }
1564 
1565     memset(masterkey, 0, luks->header.master_key_len);
1566 
1567     return 0;
1568 
1569  error:
1570     if (masterkey) {
1571         memset(masterkey, 0, luks->header.master_key_len);
1572     }
1573 
1574     qcrypto_block_free_cipher(block);
1575     qcrypto_ivgen_free(block->ivgen);
1576 
1577     g_free(luks->secret);
1578     g_free(luks);
1579     return -1;
1580 }
1581 
1582 static int
1583 qcrypto_block_luks_amend_add_keyslot(QCryptoBlock *block,
1584                                      QCryptoBlockReadFunc readfunc,
1585                                      QCryptoBlockWriteFunc writefunc,
1586                                      void *opaque,
1587                                      QCryptoBlockAmendOptionsLUKS *opts_luks,
1588                                      bool force,
1589                                      Error **errp)
1590 {
1591     QCryptoBlockLUKS *luks = block->opaque;
1592     uint64_t iter_time = opts_luks->has_iter_time ?
1593                          opts_luks->iter_time :
1594                          QCRYPTO_BLOCK_LUKS_DEFAULT_ITER_TIME_MS;
1595     int keyslot;
1596     g_autofree char *old_password = NULL;
1597     g_autofree char *new_password = NULL;
1598     g_autofree uint8_t *master_key = NULL;
1599 
1600     char *secret = opts_luks->secret ?: luks->secret;
1601 
1602     if (!opts_luks->new_secret) {
1603         error_setg(errp, "'new-secret' is required to activate a keyslot");
1604         return -1;
1605     }
1606     if (opts_luks->old_secret) {
1607         error_setg(errp,
1608                    "'old-secret' must not be given when activating keyslots");
1609         return -1;
1610     }
1611 
1612     if (opts_luks->has_keyslot) {
1613         keyslot = opts_luks->keyslot;
1614         if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1615             error_setg(errp,
1616                        "Invalid keyslot %u specified, must be between 0 and %u",
1617                        keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1618             return -1;
1619         }
1620     } else {
1621         keyslot = qcrypto_block_luks_find_free_keyslot(luks);
1622         if (keyslot == -1) {
1623             error_setg(errp,
1624                        "Can't add a keyslot - all keyslots are in use");
1625             return -1;
1626         }
1627     }
1628 
1629     if (!force && qcrypto_block_luks_slot_active(luks, keyslot)) {
1630         error_setg(errp,
1631                    "Refusing to overwrite active keyslot %i - "
1632                    "please erase it first",
1633                    keyslot);
1634         return -1;
1635     }
1636 
1637     /* Locate the password that will be used to retrieve the master key */
1638     old_password = qcrypto_secret_lookup_as_utf8(secret, errp);
1639     if (!old_password) {
1640         return -1;
1641     }
1642 
1643     /* Retrieve the master key */
1644     master_key = g_new0(uint8_t, luks->header.master_key_len);
1645 
1646     if (qcrypto_block_luks_find_key(block, old_password, master_key,
1647                                     readfunc, opaque, errp) < 0) {
1648         error_append_hint(errp, "Failed to retrieve the master key");
1649         return -1;
1650     }
1651 
1652     /* Locate the new password*/
1653     new_password = qcrypto_secret_lookup_as_utf8(opts_luks->new_secret, errp);
1654     if (!new_password) {
1655         return -1;
1656     }
1657 
1658     /* Now set the new keyslots */
1659     if (qcrypto_block_luks_store_key(block, keyslot, new_password, master_key,
1660                                      iter_time, writefunc, opaque, errp)) {
1661         error_append_hint(errp, "Failed to write to keyslot %i", keyslot);
1662         return -1;
1663     }
1664     return 0;
1665 }
1666 
1667 static int
1668 qcrypto_block_luks_amend_erase_keyslots(QCryptoBlock *block,
1669                                         QCryptoBlockReadFunc readfunc,
1670                                         QCryptoBlockWriteFunc writefunc,
1671                                         void *opaque,
1672                                         QCryptoBlockAmendOptionsLUKS *opts_luks,
1673                                         bool force,
1674                                         Error **errp)
1675 {
1676     QCryptoBlockLUKS *luks = block->opaque;
1677     g_autofree uint8_t *tmpkey = NULL;
1678     g_autofree char *old_password = NULL;
1679 
1680     if (opts_luks->new_secret) {
1681         error_setg(errp,
1682                    "'new-secret' must not be given when erasing keyslots");
1683         return -1;
1684     }
1685     if (opts_luks->has_iter_time) {
1686         error_setg(errp,
1687                    "'iter-time' must not be given when erasing keyslots");
1688         return -1;
1689     }
1690     if (opts_luks->secret) {
1691         error_setg(errp,
1692                    "'secret' must not be given when erasing keyslots");
1693         return -1;
1694     }
1695 
1696     /* Load the old password if given */
1697     if (opts_luks->old_secret) {
1698         old_password = qcrypto_secret_lookup_as_utf8(opts_luks->old_secret,
1699                                                      errp);
1700         if (!old_password) {
1701             return -1;
1702         }
1703 
1704         /*
1705          * Allocate a temporary key buffer that we will need when
1706          * checking if slot matches the given old password
1707          */
1708         tmpkey = g_new0(uint8_t, luks->header.master_key_len);
1709     }
1710 
1711     /* Erase an explicitly given keyslot */
1712     if (opts_luks->has_keyslot) {
1713         int keyslot = opts_luks->keyslot;
1714 
1715         if (keyslot < 0 || keyslot >= QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS) {
1716             error_setg(errp,
1717                        "Invalid keyslot %i specified, must be between 0 and %i",
1718                        keyslot, QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS - 1);
1719             return -1;
1720         }
1721 
1722         if (opts_luks->old_secret) {
1723             int rv = qcrypto_block_luks_load_key(block,
1724                                                  keyslot,
1725                                                  old_password,
1726                                                  tmpkey,
1727                                                  readfunc,
1728                                                  opaque,
1729                                                  errp);
1730             if (rv == -1) {
1731                 return -1;
1732             } else if (rv == 0) {
1733                 error_setg(errp,
1734                            "Given keyslot %i doesn't contain the given "
1735                            "old password for erase operation",
1736                            keyslot);
1737                 return -1;
1738             }
1739         }
1740 
1741         if (!force && !qcrypto_block_luks_slot_active(luks, keyslot)) {
1742             error_setg(errp,
1743                        "Given keyslot %i is already erased (inactive) ",
1744                        keyslot);
1745             return -1;
1746         }
1747 
1748         if (!force && qcrypto_block_luks_count_active_slots(luks) == 1) {
1749             error_setg(errp,
1750                        "Attempt to erase the only active keyslot %i "
1751                        "which will erase all the data in the image "
1752                        "irreversibly - refusing operation",
1753                        keyslot);
1754             return -1;
1755         }
1756 
1757         if (qcrypto_block_luks_erase_key(block, keyslot,
1758                                          writefunc, opaque, errp)) {
1759             error_append_hint(errp, "Failed to erase keyslot %i", keyslot);
1760             return -1;
1761         }
1762 
1763     /* Erase all keyslots that match the given old password */
1764     } else if (opts_luks->old_secret) {
1765 
1766         unsigned long slots_to_erase_bitmap = 0;
1767         size_t i;
1768         int slot_count;
1769 
1770         assert(QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS <=
1771                sizeof(slots_to_erase_bitmap) * 8);
1772 
1773         for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1774             int rv = qcrypto_block_luks_load_key(block,
1775                                                  i,
1776                                                  old_password,
1777                                                  tmpkey,
1778                                                  readfunc,
1779                                                  opaque,
1780                                                  errp);
1781             if (rv == -1) {
1782                 return -1;
1783             } else if (rv == 1) {
1784                 bitmap_set(&slots_to_erase_bitmap, i, 1);
1785             }
1786         }
1787 
1788         slot_count = bitmap_count_one(&slots_to_erase_bitmap,
1789                                       QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS);
1790         if (slot_count == 0) {
1791             error_setg(errp,
1792                        "No keyslots match given (old) password for erase operation");
1793             return -1;
1794         }
1795 
1796         if (!force &&
1797             slot_count == qcrypto_block_luks_count_active_slots(luks)) {
1798             error_setg(errp,
1799                        "All the active keyslots match the (old) password that "
1800                        "was given and erasing them will erase all the data in "
1801                        "the image irreversibly - refusing operation");
1802             return -1;
1803         }
1804 
1805         /* Now apply the update */
1806         for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1807             if (!test_bit(i, &slots_to_erase_bitmap)) {
1808                 continue;
1809             }
1810             if (qcrypto_block_luks_erase_key(block, i, writefunc,
1811                 opaque, errp)) {
1812                 error_append_hint(errp, "Failed to erase keyslot %zu", i);
1813                 return -1;
1814             }
1815         }
1816     } else {
1817         error_setg(errp,
1818                    "To erase keyslot(s), either explicit keyslot index "
1819                    "or the password currently contained in them must be given");
1820         return -1;
1821     }
1822     return 0;
1823 }
1824 
1825 static int
1826 qcrypto_block_luks_amend_options(QCryptoBlock *block,
1827                                  QCryptoBlockReadFunc readfunc,
1828                                  QCryptoBlockWriteFunc writefunc,
1829                                  void *opaque,
1830                                  QCryptoBlockAmendOptions *options,
1831                                  bool force,
1832                                  Error **errp)
1833 {
1834     QCryptoBlockAmendOptionsLUKS *opts_luks = &options->u.luks;
1835 
1836     switch (opts_luks->state) {
1837     case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_ACTIVE:
1838         return qcrypto_block_luks_amend_add_keyslot(block, readfunc,
1839                                                     writefunc, opaque,
1840                                                     opts_luks, force, errp);
1841     case Q_CRYPTO_BLOCKLUKS_KEYSLOT_STATE_INACTIVE:
1842         return qcrypto_block_luks_amend_erase_keyslots(block, readfunc,
1843                                                        writefunc, opaque,
1844                                                        opts_luks, force, errp);
1845     default:
1846         g_assert_not_reached();
1847     }
1848 }
1849 
1850 static int qcrypto_block_luks_get_info(QCryptoBlock *block,
1851                                        QCryptoBlockInfo *info,
1852                                        Error **errp)
1853 {
1854     QCryptoBlockLUKS *luks = block->opaque;
1855     QCryptoBlockInfoLUKSSlot *slot;
1856     QCryptoBlockInfoLUKSSlotList **tail = &info->u.luks.slots;
1857     size_t i;
1858 
1859     info->u.luks.cipher_alg = luks->cipher_alg;
1860     info->u.luks.cipher_mode = luks->cipher_mode;
1861     info->u.luks.ivgen_alg = luks->ivgen_alg;
1862     if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) {
1863         info->u.luks.has_ivgen_hash_alg = true;
1864         info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg;
1865     }
1866     info->u.luks.hash_alg = luks->hash_alg;
1867     info->u.luks.payload_offset = block->payload_offset;
1868     info->u.luks.master_key_iters = luks->header.master_key_iterations;
1869     info->u.luks.uuid = g_strndup((const char *)luks->header.uuid,
1870                                   sizeof(luks->header.uuid));
1871 
1872     for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) {
1873         slot = g_new0(QCryptoBlockInfoLUKSSlot, 1);
1874         slot->active = luks->header.key_slots[i].active ==
1875             QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED;
1876         slot->key_offset = luks->header.key_slots[i].key_offset_sector
1877              * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE;
1878         if (slot->active) {
1879             slot->has_iters = true;
1880             slot->iters = luks->header.key_slots[i].iterations;
1881             slot->has_stripes = true;
1882             slot->stripes = luks->header.key_slots[i].stripes;
1883         }
1884 
1885         QAPI_LIST_APPEND(tail, slot);
1886     }
1887 
1888     return 0;
1889 }
1890 
1891 
1892 static void qcrypto_block_luks_cleanup(QCryptoBlock *block)
1893 {
1894     QCryptoBlockLUKS *luks = block->opaque;
1895     if (luks) {
1896         g_free(luks->secret);
1897         g_free(luks);
1898     }
1899 }
1900 
1901 
1902 static int
1903 qcrypto_block_luks_decrypt(QCryptoBlock *block,
1904                            uint64_t offset,
1905                            uint8_t *buf,
1906                            size_t len,
1907                            Error **errp)
1908 {
1909     assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1910     assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1911     return qcrypto_block_decrypt_helper(block,
1912                                         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1913                                         offset, buf, len, errp);
1914 }
1915 
1916 
1917 static int
1918 qcrypto_block_luks_encrypt(QCryptoBlock *block,
1919                            uint64_t offset,
1920                            uint8_t *buf,
1921                            size_t len,
1922                            Error **errp)
1923 {
1924     assert(QEMU_IS_ALIGNED(offset, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1925     assert(QEMU_IS_ALIGNED(len, QCRYPTO_BLOCK_LUKS_SECTOR_SIZE));
1926     return qcrypto_block_encrypt_helper(block,
1927                                         QCRYPTO_BLOCK_LUKS_SECTOR_SIZE,
1928                                         offset, buf, len, errp);
1929 }
1930 
1931 
1932 const QCryptoBlockDriver qcrypto_block_driver_luks = {
1933     .open = qcrypto_block_luks_open,
1934     .create = qcrypto_block_luks_create,
1935     .amend = qcrypto_block_luks_amend_options,
1936     .get_info = qcrypto_block_luks_get_info,
1937     .cleanup = qcrypto_block_luks_cleanup,
1938     .decrypt = qcrypto_block_luks_decrypt,
1939     .encrypt = qcrypto_block_luks_encrypt,
1940     .has_format = qcrypto_block_luks_has_format,
1941 };
1942