From c19936170cf8b385687cf40f5a9507d87ae08267 Mon Sep 17 00:00:00 2001

From: "Richard W.M. Jones" <rjones@redhat.com>

Date: Sat, 30 Apr 2022 12:35:07 +0100

Subject: [PATCH] New filter: luks

This filter allows you to open, read and write LUKSv1 disk images,

compatible with the ones used by dm-crypt and qemu.

(cherry picked from commit 468919dce6c5eb57503eacac0f67e5dd87c58e6c)

---

 TODO                                |   11 +-

 configure.ac                        |    6 +-

 docs/nbdkit-tls.pod                 |    1 +

 filters/luks/Makefile.am            |   77 ++

 filters/luks/luks.c                 | 1263 +++++++++++++++++++++++++++

 filters/luks/nbdkit-luks-filter.pod |  120 +++

 plugins/file/nbdkit-file-plugin.pod |    1 +

 tests/Makefile.am                   |   12 +

 tests/test-luks-copy.sh             |  125 +++

 tests/test-luks-info.sh             |   56 ++

 10 files changed, 1668 insertions(+), 4 deletions(-)

 create mode 100644 filters/luks/Makefile.am

 create mode 100644 filters/luks/luks.c

 create mode 100644 filters/luks/nbdkit-luks-filter.pod

 create mode 100755 tests/test-luks-copy.sh

 create mode 100755 tests/test-luks-info.sh

diff --git a/TODO b/TODO

index 4d2a9796..0f5dc41d 100644

--- a/TODO

+++ b/TODO

@@ -195,9 +195,6 @@ Suggestions for filters

   connections.  This may even allow a filter to offer a more parallel

   threading model than the underlying plugin.

-* LUKS encrypt/decrypt filter, bonus points if compatible with qemu

-  LUKS-encrypted disk images

-

 * CBT filter to track dirty blocks.  See these links for inspiration:

   https://www.cloudandheat.com/block-level-data-tracking-using-davice-mappers-dm-era/

   https://github.com/qemu/qemu/blob/master/docs/interop/bitmaps.rst

@@ -232,6 +229,14 @@ Suggestions for filters

   could inject a flush after pausing.  However this requires that

   filter background threads have access to the plugin (see above).

+nbdkit-luks-filter:

+

+* This filter should also support LUKSv2 (and so should qemu).

+

+* There are some missing features: ESSIV, more ciphers.

+

+* Implement trim and zero if possible.

+

 nbdkit-readahead-filter:

 * The filter should open a new connection to the plugin per background

diff --git a/configure.ac b/configure.ac

index a402921b..de85b4da 100644

--- a/configure.ac

+++ b/configure.ac

@@ -127,6 +127,7 @@ filters="\

         ip \

         limit \

         log \

+        luks \

         multi-conn \

         nocache \

         noextents \

@@ -614,8 +615,9 @@ PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [

 ], [

     AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])

 ])

+AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])

-AS_IF([test "$GNUTLS_LIBS" != ""],[

+AS_IF([test "x$GNUTLS_LIBS" != "x"],[

     AC_MSG_CHECKING([for default TLS session priority string])

     AC_ARG_WITH([tls-priority],

         [AS_HELP_STRING([--with-tls-priority=...],

@@ -1383,6 +1385,7 @@ AC_CONFIG_FILES([Makefile

                  filters/ip/Makefile

                  filters/limit/Makefile

                  filters/log/Makefile

+                 filters/luks/Makefile

                  filters/multi-conn/Makefile

                  filters/nocache/Makefile

                  filters/noextents/Makefile

@@ -1481,6 +1484,7 @@ echo "Optional filters:"

 echo

 feature "ext2"                test "x$HAVE_EXT2_TRUE" = "x"

 feature "gzip"                test "x$HAVE_ZLIB_TRUE" = "x"

+feature "LUKS"                test "x$HAVE_GNUTLS_TRUE" != "x"

 feature "xz"                  test "x$HAVE_LIBLZMA_TRUE" = "x"

 echo

diff --git a/docs/nbdkit-tls.pod b/docs/nbdkit-tls.pod

index 86f5f984..4d0dc14c 100644

--- a/docs/nbdkit-tls.pod

+++ b/docs/nbdkit-tls.pod

@@ -364,6 +364,7 @@ More information can be found in L<gnutls_priority_init(3)>.

 =head1 SEE ALSO

 L<nbdkit(1)>,

+L<nbdkit-luks-filter(1)>,

 L<nbdkit-tls-fallback-filter(1)>,

 L<nbdcopy(1)>,

 L<nbdfuse(1)>,

diff --git a/filters/luks/Makefile.am b/filters/luks/Makefile.am

new file mode 100644

index 00000000..30089621

--- /dev/null

+++ b/filters/luks/Makefile.am

@@ -0,0 +1,77 @@

+# nbdkit

+# Copyright (C) 2019-2022 Red Hat Inc.

+#

+# Redistribution and use in source and binary forms, with or without

+# modification, are permitted provided that the following conditions are

+# met:

+#

+# * Redistributions of source code must retain the above copyright

+# notice, this list of conditions and the following disclaimer.

+#

+# * Redistributions in binary form must reproduce the above copyright

+# notice, this list of conditions and the following disclaimer in the

+# documentation and/or other materials provided with the distribution.

+#

+# * Neither the name of Red Hat nor the names of its contributors may be

+# used to endorse or promote products derived from this software without

+# specific prior written permission.

+#

+# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND

+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,

+# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

+# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR

+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT

+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+# SUCH DAMAGE.

+

+include $(top_srcdir)/common-rules.mk

+

+EXTRA_DIST = nbdkit-luks-filter.pod

+

+if HAVE_GNUTLS

+

+filter_LTLIBRARIES = nbdkit-luks-filter.la

+

+nbdkit_luks_filter_la_SOURCES = \

+	luks.c \

+	$(top_srcdir)/include/nbdkit-filter.h \

+	$(NULL)

+

+nbdkit_luks_filter_la_CPPFLAGS = \

+	-I$(top_srcdir)/include \

+	-I$(top_srcdir)/common/include \

+	-I$(top_srcdir)/common/utils \

+	$(NULL)

+nbdkit_luks_filter_la_CFLAGS = \

+	$(WARNINGS_CFLAGS) \

+	$(GNUTLS_CFLAGS) \

+	$(NULL)

+nbdkit_luks_filter_la_LIBADD = \

+	$(top_builddir)/common/utils/libutils.la \

+	$(IMPORT_LIBRARY_ON_WINDOWS) \

+	$(GNUTLS_LIBS) \

+	$(NULL)

+nbdkit_luks_filter_la_LDFLAGS = \

+	-module -avoid-version -shared $(NO_UNDEFINED_ON_WINDOWS) \

+	-Wl,--version-script=$(top_srcdir)/filters/filters.syms \

+	$(NULL)

+

+if HAVE_POD

+

+man_MANS = nbdkit-luks-filter.1

+CLEANFILES += $(man_MANS)

+

+nbdkit-luks-filter.1: nbdkit-luks-filter.pod \

+		$(top_builddir)/podwrapper.pl

+	$(PODWRAPPER) --section=1 --man $@ \

+	    --html $(top_builddir)/html/$@.html \

+	    $<

+

+endif HAVE_POD

+

+endif

diff --git a/filters/luks/luks.c b/filters/luks/luks.c

new file mode 100644

index 00000000..706a9bd2

--- /dev/null

+++ b/filters/luks/luks.c

@@ -0,0 +1,1263 @@

+/* nbdkit

+ * Copyright (C) 2018-2022 Red Hat Inc.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions are

+ * met:

+ *

+ * * Redistributions of source code must retain the above copyright

+ * notice, this list of conditions and the following disclaimer.

+ *

+ * * Redistributions in binary form must reproduce the above copyright

+ * notice, this list of conditions and the following disclaimer in the

+ * documentation and/or other materials provided with the distribution.

+ *

+ * * Neither the name of Red Hat nor the names of its contributors may be

+ * used to endorse or promote products derived from this software without

+ * specific prior written permission.

+ *

+ * THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND

+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,

+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR

+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,

+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT

+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+ * SUCH DAMAGE.

+ */

+

+#include <config.h>

+

+#include <stdio.h>

+#include <stdlib.h>

+#include <stdint.h>

+#include <inttypes.h>

+#include <string.h>

+#include <limits.h>

+#include <assert.h>

+#include <pthread.h>

+

+#include <gnutls/crypto.h>

+

+#include <nbdkit-filter.h>

+

+#include "byte-swapping.h"

+#include "cleanup.h"

+#include "isaligned.h"

+#include "minmax.h"

+#include "rounding.h"

+

+/* LUKSv1 constants. */

+#define LUKS_MAGIC { 'L', 'U', 'K', 'S', 0xBA, 0xBE }

+#define LUKS_MAGIC_LEN 6

+#define LUKS_DIGESTSIZE 20

+#define LUKS_SALTSIZE 32

+#define LUKS_NUMKEYS 8

+#define LUKS_KEY_DISABLED 0x0000DEAD

+#define LUKS_KEY_ENABLED  0x00AC71F3

+#define LUKS_STRIPES 4000

+#define LUKS_ALIGN_KEYSLOTS 4096

+#define LUKS_SECTOR_SIZE 512

+

+/* Key slot. */

+struct luks_keyslot {

+  uint32_t active;              /* LUKS_KEY_DISABLED|LUKS_KEY_ENABLED */

+  uint32_t password_iterations;

+  char password_salt[LUKS_SALTSIZE];

+  uint32_t key_material_offset;

+  uint32_t stripes;

+} __attribute__((__packed__));

+

+/* LUKS superblock. */

+struct luks_phdr {

+  char magic[LUKS_MAGIC_LEN];   /* LUKS_MAGIC */

+  uint16_t version;             /* Only 1 is supported. */

+  char cipher_name[32];

+  char cipher_mode[32];

+  char hash_spec[32];

+  uint32_t payload_offset;

+  uint32_t master_key_len;

+  uint8_t master_key_digest[LUKS_DIGESTSIZE];

+  uint8_t master_key_salt[LUKS_SALTSIZE];

+  uint32_t master_key_digest_iterations;

+  uint8_t uuid[40];

+

+  struct luks_keyslot keyslot[LUKS_NUMKEYS]; /* Key slots. */

+} __attribute__((__packed__));

+

+static char *passphrase = NULL;

+

+static void

+luks_unload (void)

+{

+  /* XXX We should really store the passphrase (and master key)

+   * in mlock-ed memory.

+   */

+  if (passphrase) {

+    memset (passphrase, 0, strlen (passphrase));

+    free (passphrase);

+  }

+}

+

+static int

+luks_thread_model (void)

+{

+  return NBDKIT_THREAD_MODEL_PARALLEL;

+}

+

+static int

+luks_config (nbdkit_next_config *next, nbdkit_backend *nxdata,

+             const char *key, const char *value)

+{

+  if (strcmp (key, "passphrase") == 0) {

+    if (nbdkit_read_password (value, &passphrase) == -1)

+      return -1;

+    return 0;

+  }

+

+  return next (nxdata, key, value);

+}

+

+static int

+luks_config_complete (nbdkit_next_config_complete *next, nbdkit_backend *nxdata)

+{

+  if (passphrase == NULL) {

+    nbdkit_error ("LUKS \"passphrase\" parameter is missing");

+    return -1;

+  }

+  return next (nxdata);

+}

+

+#define luks_config_help \

+  "passphrase=<SECRET>      Secret passphrase."

+

+enum cipher_mode {

+  CIPHER_MODE_ECB, CIPHER_MODE_CBC, CIPHER_MODE_XTS, CIPHER_MODE_CTR,

+};

+

+static enum cipher_mode

+lookup_cipher_mode (const char *str)

+{

+  if (strcmp (str, "ecb") == 0)

+    return CIPHER_MODE_ECB;

+  if (strcmp (str, "cbc") == 0)

+    return CIPHER_MODE_CBC;

+  if (strcmp (str, "xts") == 0)

+    return CIPHER_MODE_XTS;

+  if (strcmp (str, "ctr") == 0)

+    return CIPHER_MODE_CTR;

+  nbdkit_error ("unknown cipher mode: %s "

+                "(expecting \"ecb\", \"cbc\", \"xts\" or \"ctr\")", str);

+  return -1;

+}

+

+static const char *

+cipher_mode_to_string (enum cipher_mode v)

+{

+  switch (v) {

+  case CIPHER_MODE_ECB: return "ecb";

+  case CIPHER_MODE_CBC: return "cbc";

+  case CIPHER_MODE_XTS: return "xts";

+  case CIPHER_MODE_CTR: return "ctr";

+  default: abort ();

+  }

+}

+

+enum ivgen {

+  IVGEN_PLAIN, IVGEN_PLAIN64, /* IVGEN_ESSIV, */

+};

+

+static enum ivgen

+lookup_ivgen (const char *str)

+{

+  if (strcmp (str, "plain") == 0)

+    return IVGEN_PLAIN;

+  if (strcmp (str, "plain64") == 0)

+    return IVGEN_PLAIN64;

+/*

+  if (strcmp (str, "essiv") == 0)

+    return IVGEN_ESSIV;

+*/

+  nbdkit_error ("unknown IV generation algorithm: %s "

+                "(expecting \"plain\", \"plain64\" etc)", str);

+  return -1;

+}

+

+static const char *

+ivgen_to_string (enum ivgen v)

+{

+  switch (v) {

+  case IVGEN_PLAIN: return "plain";

+  case IVGEN_PLAIN64: return "plain64";

+  /*case IVGEN_ESSIV: return "essiv";*/

+  default: abort ();

+  }

+}

+

+static void

+calculate_iv (enum ivgen v, uint8_t *iv, size_t ivlen, uint64_t sector)

+{

+  size_t prefixlen;

+  uint32_t sector32;

+

+  switch (v) {

+  case IVGEN_PLAIN:

+    prefixlen = 4; /* 32 bits */

+    if (prefixlen > ivlen)

+      prefixlen = ivlen;

+    sector32 = (uint32_t) sector; /* truncate to only lower bits */

+    sector32 = htole32 (sector32);

+    memcpy (iv, &sector32, prefixlen);

+    memset (iv + prefixlen, 0, ivlen - prefixlen);

+    break;

+

+  case IVGEN_PLAIN64:

+    prefixlen = 8; /* 64 bits */

+    if (prefixlen > ivlen)

+      prefixlen = ivlen;

+    sector = htole64 (sector);

+    memcpy (iv, &sector, prefixlen);

+    memset (iv + prefixlen, 0, ivlen - prefixlen);

+    break;

+

+  /*case IVGEN_ESSIV:*/

+  default: abort ();

+  }

+}

+

+enum cipher_alg {

+  CIPHER_ALG_AES_128, CIPHER_ALG_AES_192, CIPHER_ALG_AES_256,

+};

+

+static enum cipher_alg

+lookup_cipher_alg (const char *str, enum cipher_mode mode, int key_bytes)

+{

+  if (mode == CIPHER_MODE_XTS)

+    key_bytes /= 2;

+

+  if (strcmp (str, "aes") == 0) {

+    if (key_bytes == 16)

+      return CIPHER_ALG_AES_128;

+    if (key_bytes == 24)

+      return CIPHER_ALG_AES_192;

+    if (key_bytes == 32)

+      return CIPHER_ALG_AES_256;

+  }

+  nbdkit_error ("unknown cipher algorithm: %s (expecting \"aes\", etc)", str);

+  return -1;

+}

+

+static const char *

+cipher_alg_to_string (enum cipher_alg v)

+{

+  switch (v) {

+  case CIPHER_ALG_AES_128: return "aes-128";

+  case CIPHER_ALG_AES_192: return "aes-192";

+  case CIPHER_ALG_AES_256: return "aes-256";

+  default: abort ();

+  }

+}

+

+#if 0

+static int

+cipher_alg_key_bytes (enum cipher_alg v)

+{

+  switch (v) {

+  case CIPHER_ALG_AES_128: return 16;

+  case CIPHER_ALG_AES_192: return 24;

+  case CIPHER_ALG_AES_256: return 32;

+  default: abort ();

+  }

+}

+#endif

+

+static int

+cipher_alg_iv_len (enum cipher_alg v, enum cipher_mode mode)

+{

+  if (CIPHER_MODE_ECB)

+    return 0;                   /* Don't need an IV in this mode. */

+

+  switch (v) {

+  case CIPHER_ALG_AES_128:

+  case CIPHER_ALG_AES_192:

+  case CIPHER_ALG_AES_256:

+    return 16;

+  default: abort ();

+  }

+}

+

+static gnutls_digest_algorithm_t

+lookup_hash (const char *str)

+{

+  if (strcmp (str, "md5") == 0)

+    return GNUTLS_DIG_MD5;

+  if (strcmp (str, "sha1") == 0)

+    return GNUTLS_DIG_SHA1;

+  if (strcmp (str, "sha224") == 0)

+    return GNUTLS_DIG_SHA224;

+  if (strcmp (str, "sha256") == 0)

+    return GNUTLS_DIG_SHA256;

+  if (strcmp (str, "sha384") == 0)

+    return GNUTLS_DIG_SHA384;

+  if (strcmp (str, "sha512") == 0)

+    return GNUTLS_DIG_SHA512;

+  if (strcmp (str, "ripemd160") == 0)

+    return GNUTLS_DIG_RMD160;

+  nbdkit_error ("unknown hash algorithm: %s "

+                "(expecting \"md5\", \"sha1\", \"sha224\", etc)", str);

+  return -1;

+}

+

+static const char *

+hash_to_string (gnutls_digest_algorithm_t v)

+{

+  switch (v) {

+  case GNUTLS_DIG_UNKNOWN: return "unknown";

+  case GNUTLS_DIG_MD5: return "md5";

+  case GNUTLS_DIG_SHA1: return "sha1";

+  case GNUTLS_DIG_SHA224: return "sha224";

+  case GNUTLS_DIG_SHA256: return "sha256";

+  case GNUTLS_DIG_SHA384: return "sha384";

+  case GNUTLS_DIG_SHA512: return "sha512";

+  case GNUTLS_DIG_RMD160: return "ripemd160";

+  default: abort ();

+  }

+}

+

+#if 0

+/* See qemu & dm-crypt implementations for an explanation of what's

+ * going on here.

+ */

+static enum cipher_alg

+lookup_essiv_cipher (enum cipher_alg cipher_alg,

+                     gnutls_digest_algorithm_t ivgen_hash_alg)

+{

+  int digest_bytes = gnutls_hash_get_len (ivgen_hash_alg);

+  int key_bytes = cipher_alg_key_bytes (cipher_alg);

+

+  if (digest_bytes == key_bytes)

+    return cipher_alg;

+

+  switch (cipher_alg) {

+  case CIPHER_ALG_AES_128:

+  case CIPHER_ALG_AES_192:

+  case CIPHER_ALG_AES_256:

+    if (digest_bytes == 16) return CIPHER_ALG_AES_128;

+    if (digest_bytes == 24) return CIPHER_ALG_AES_192;

+    if (digest_bytes == 32) return CIPHER_ALG_AES_256;

+    nbdkit_error ("no %s cipher available with key size %d",

+                  "AES", digest_bytes);

+    return -1;

+  default:

+    nbdkit_error ("ESSIV does not support cipher %s",

+                  cipher_alg_to_string (cipher_alg));

+    return -1;

+  }

+}

+#endif

+

+/* Per-connection handle. */

+struct handle {

+  /* LUKS header, if necessary byte-swapped into host order. */

+  struct luks_phdr phdr;

+

+  /* Decoded algorithm etc. */

+  enum cipher_alg cipher_alg;

+  enum cipher_mode cipher_mode;

+  gnutls_digest_algorithm_t hash_alg;

+  enum ivgen ivgen_alg;

+  gnutls_digest_algorithm_t ivgen_hash_alg;

+  enum cipher_alg ivgen_cipher_alg;

+

+  /* GnuTLS algorithm. */

+  gnutls_cipher_algorithm_t gnutls_cipher;

+

+  /* If we managed to decrypt one of the keyslots using the passphrase

+   * then this contains the master key, otherwise NULL.

+   */

+  uint8_t *masterkey;

+};

+

+static void *

+luks_open (nbdkit_next_open *next, nbdkit_context *nxdata,

+           int readonly, const char *exportname, int is_tls)

+{

+  struct handle *h;

+

+  if (next (nxdata, readonly, exportname) == -1)

+    return NULL;

+

+  h = calloc (1, sizeof *h);

+  if (h == NULL) {

+    nbdkit_error ("calloc: %m");

+    return NULL;

+  }

+

+  return h;

+}

+

+static void

+luks_close (void *handle)

+{

+  struct handle *h = handle;

+

+  if (h->masterkey) {

+    memset (h->masterkey, 0, h->phdr.master_key_len);

+    free (h->masterkey);

+  }

+  free (h);

+}

+

+/* Perform decryption of a block of data in memory. */

+static int

+do_decrypt (struct handle *h, gnutls_cipher_hd_t cipher,

+            uint64_t offset, uint8_t *buf, size_t len)

+{

+  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);

+  uint64_t sector = offset / LUKS_SECTOR_SIZE;

+  CLEANUP_FREE uint8_t *iv = malloc (ivlen);

+  int r;

+

+  assert (IS_ALIGNED (offset, LUKS_SECTOR_SIZE));

+  assert (IS_ALIGNED (len, LUKS_SECTOR_SIZE));

+

+  while (len) {

+    calculate_iv (h->ivgen_alg, iv, ivlen, sector);

+    gnutls_cipher_set_iv (cipher, iv, ivlen);

+    r = gnutls_cipher_decrypt2 (cipher,

+                                buf, LUKS_SECTOR_SIZE, /* ciphertext */

+                                buf, LUKS_SECTOR_SIZE  /* plaintext */);

+    if (r != 0) {

+      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));

+      return -1;

+    }

+

+    buf += LUKS_SECTOR_SIZE;

+    offset += LUKS_SECTOR_SIZE;

+    len -= LUKS_SECTOR_SIZE;

+    sector++;

+  }

+

+  return 0;

+}

+

+/* Perform encryption of a block of data in memory. */

+static int

+do_encrypt (struct handle *h, gnutls_cipher_hd_t cipher,

+            uint64_t offset, uint8_t *buf, size_t len)

+{

+  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);

+  uint64_t sector = offset / LUKS_SECTOR_SIZE;

+  CLEANUP_FREE uint8_t *iv = malloc (ivlen);

+  int r;

+

+  assert (IS_ALIGNED (offset, LUKS_SECTOR_SIZE));

+  assert (IS_ALIGNED (len, LUKS_SECTOR_SIZE));

+

+  while (len) {

+    calculate_iv (h->ivgen_alg, iv, ivlen, sector);

+    gnutls_cipher_set_iv (cipher, iv, ivlen);

+    r = gnutls_cipher_encrypt2 (cipher,

+                                buf, LUKS_SECTOR_SIZE, /* plaintext */

+                                buf, LUKS_SECTOR_SIZE  /* ciphertext */);

+    if (r != 0) {

+      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));

+      return -1;

+    }

+

+    buf += LUKS_SECTOR_SIZE;

+    offset += LUKS_SECTOR_SIZE;

+    len -= LUKS_SECTOR_SIZE;

+    sector++;

+  }

+

+  return 0;

+}

+

+/* Parse the header fields containing cipher algorithm, mode, etc. */

+static int

+parse_cipher_strings (struct handle *h)

+{

+  char cipher_name[33], cipher_mode[33], hash_spec[33];

+  char *ivgen, *ivhash;

+

+  /* Copy the header fields locally and ensure they are \0 terminated. */

+  memcpy (cipher_name, h->phdr.cipher_name, 32);

+  cipher_name[32] = 0;

+  memcpy (cipher_mode, h->phdr.cipher_mode, 32);

+  cipher_mode[32] = 0;

+  memcpy (hash_spec, h->phdr.hash_spec, 32);

+  hash_spec[32] = 0;

+

+  nbdkit_debug ("LUKS v%" PRIu16 " cipher: %s mode: %s hash: %s "

+                "master key: %" PRIu32 " bits",

+                h->phdr.version, cipher_name, cipher_mode, hash_spec,

+                h->phdr.master_key_len * 8);

+

+  /* The cipher_mode header has the form: "ciphermode-ivgen[:ivhash]"

+   * QEmu writes: "xts-plain64"

+   */

+  ivgen = strchr (cipher_mode, '-');

+  if (!ivgen) {

+    nbdkit_error ("incorrect cipher_mode header, "

+                  "expecting mode-ivgenerator but got \"%s\"", cipher_mode);

+    return -1;

+  }

+  *ivgen = '\0';

+  ivgen++;

+

+  ivhash = strchr (ivgen, ':');

+  if (!ivhash)

+    h->ivgen_hash_alg = GNUTLS_DIG_UNKNOWN;

+  else {

+    *ivhash = '\0';

+    ivhash++;

+

+    h->ivgen_hash_alg = lookup_hash (ivhash);

+    if (h->ivgen_hash_alg == -1)

+      return -1;

+  }