Blame SOURCES/0008-luks-Refactor-the-filter.patch

3cdd4c
From e8279107801bb93303b22e1b927929ce18279dc5 Mon Sep 17 00:00:00 2001
3cdd4c
From: "Richard W.M. Jones" <rjones@redhat.com>
3cdd4c
Date: Sun, 8 May 2022 16:13:13 +0100
3cdd4c
Subject: [PATCH] luks: Refactor the filter
3cdd4c
3cdd4c
Move the LUKS-specific code out into a separate file.  This is mostly
3cdd4c
pure refactoring to tidy things up.
3cdd4c
3cdd4c
(cherry picked from commit 2159d85e0bed1943542da58b43c91f2caa096d6c)
3cdd4c
---
3cdd4c
 filters/luks/Makefile.am       |   2 +
3cdd4c
 filters/luks/luks-encryption.c | 926 +++++++++++++++++++++++++++++++++
3cdd4c
 filters/luks/luks-encryption.h |  78 +++
3cdd4c
 filters/luks/luks.c            | 874 ++-----------------------------
3cdd4c
 4 files changed, 1037 insertions(+), 843 deletions(-)
3cdd4c
 create mode 100644 filters/luks/luks-encryption.c
3cdd4c
 create mode 100644 filters/luks/luks-encryption.h
3cdd4c
3cdd4c
diff --git a/filters/luks/Makefile.am b/filters/luks/Makefile.am
3cdd4c
index 2688f696..0894ac8b 100644
3cdd4c
--- a/filters/luks/Makefile.am
3cdd4c
+++ b/filters/luks/Makefile.am
3cdd4c
@@ -38,6 +38,8 @@ if HAVE_GNUTLS_PBKDF2
3cdd4c
 filter_LTLIBRARIES = nbdkit-luks-filter.la
3cdd4c
 
3cdd4c
 nbdkit_luks_filter_la_SOURCES = \
3cdd4c
+	luks-encryption.c \
3cdd4c
+	luks-encryption.h \
3cdd4c
 	luks.c \
3cdd4c
 	$(top_srcdir)/include/nbdkit-filter.h \
3cdd4c
 	$(NULL)
3cdd4c
diff --git a/filters/luks/luks-encryption.c b/filters/luks/luks-encryption.c
3cdd4c
new file mode 100644
3cdd4c
index 00000000..8ee0eb35
3cdd4c
--- /dev/null
3cdd4c
+++ b/filters/luks/luks-encryption.c
3cdd4c
@@ -0,0 +1,926 @@
3cdd4c
+/* nbdkit
3cdd4c
+ * Copyright (C) 2018-2022 Red Hat Inc.
3cdd4c
+ *
3cdd4c
+ * Redistribution and use in source and binary forms, with or without
3cdd4c
+ * modification, are permitted provided that the following conditions are
3cdd4c
+ * met:
3cdd4c
+ *
3cdd4c
+ * * Redistributions of source code must retain the above copyright
3cdd4c
+ * notice, this list of conditions and the following disclaimer.
3cdd4c
+ *
3cdd4c
+ * * Redistributions in binary form must reproduce the above copyright
3cdd4c
+ * notice, this list of conditions and the following disclaimer in the
3cdd4c
+ * documentation and/or other materials provided with the distribution.
3cdd4c
+ *
3cdd4c
+ * * Neither the name of Red Hat nor the names of its contributors may be
3cdd4c
+ * used to endorse or promote products derived from this software without
3cdd4c
+ * specific prior written permission.
3cdd4c
+ *
3cdd4c
+ * THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
3cdd4c
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
3cdd4c
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
3cdd4c
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
3cdd4c
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3cdd4c
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
3cdd4c
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
3cdd4c
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
3cdd4c
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
3cdd4c
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
3cdd4c
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3cdd4c
+ * SUCH DAMAGE.
3cdd4c
+ */
3cdd4c
+
3cdd4c
+#include <config.h>
3cdd4c
+
3cdd4c
+#include <stdio.h>
3cdd4c
+#include <stdlib.h>
3cdd4c
+#include <stdint.h>
3cdd4c
+#include <inttypes.h>
3cdd4c
+#include <string.h>
3cdd4c
+#include <limits.h>
3cdd4c
+#include <assert.h>
3cdd4c
+
3cdd4c
+#include <gnutls/crypto.h>
3cdd4c
+
3cdd4c
+#include <nbdkit-filter.h>
3cdd4c
+
3cdd4c
+#include "luks-encryption.h"
3cdd4c
+
3cdd4c
+#include "byte-swapping.h"
3cdd4c
+#include "cleanup.h"
3cdd4c
+#include "isaligned.h"
3cdd4c
+#include "rounding.h"
3cdd4c
+
3cdd4c
+/* LUKSv1 constants. */
3cdd4c
+#define LUKS_MAGIC { 'L', 'U', 'K', 'S', 0xBA, 0xBE }
3cdd4c
+#define LUKS_MAGIC_LEN 6
3cdd4c
+#define LUKS_DIGESTSIZE 20
3cdd4c
+#define LUKS_SALTSIZE 32
3cdd4c
+#define LUKS_NUMKEYS 8
3cdd4c
+#define LUKS_KEY_DISABLED 0x0000DEAD
3cdd4c
+#define LUKS_KEY_ENABLED  0x00AC71F3
3cdd4c
+#define LUKS_STRIPES 4000
3cdd4c
+#define LUKS_ALIGN_KEYSLOTS 4096
3cdd4c
+
3cdd4c
+/* Key slot. */
3cdd4c
+struct luks_keyslot {
3cdd4c
+  uint32_t active;              /* LUKS_KEY_DISABLED|LUKS_KEY_ENABLED */
3cdd4c
+  uint32_t password_iterations;
3cdd4c
+  char password_salt[LUKS_SALTSIZE];
3cdd4c
+  uint32_t key_material_offset;
3cdd4c
+  uint32_t stripes;
3cdd4c
+} __attribute__((__packed__));
3cdd4c
+
3cdd4c
+/* LUKS superblock. */
3cdd4c
+struct luks_phdr {
3cdd4c
+  char magic[LUKS_MAGIC_LEN];   /* LUKS_MAGIC */
3cdd4c
+  uint16_t version;             /* Only 1 is supported. */
3cdd4c
+  char cipher_name[32];
3cdd4c
+  char cipher_mode[32];
3cdd4c
+  char hash_spec[32];
3cdd4c
+  uint32_t payload_offset;
3cdd4c
+  uint32_t master_key_len;
3cdd4c
+  uint8_t master_key_digest[LUKS_DIGESTSIZE];
3cdd4c
+  uint8_t master_key_salt[LUKS_SALTSIZE];
3cdd4c
+  uint32_t master_key_digest_iterations;
3cdd4c
+  uint8_t uuid[40];
3cdd4c
+
3cdd4c
+  struct luks_keyslot keyslot[LUKS_NUMKEYS]; /* Key slots. */
3cdd4c
+} __attribute__((__packed__));
3cdd4c
+
3cdd4c
+/* Block cipher mode of operation.
3cdd4c
+ * https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
3cdd4c
+ */
3cdd4c
+enum cipher_mode {
3cdd4c
+  CIPHER_MODE_ECB, CIPHER_MODE_CBC, CIPHER_MODE_XTS, CIPHER_MODE_CTR,
3cdd4c
+};
3cdd4c
+
3cdd4c
+static enum cipher_mode
3cdd4c
+lookup_cipher_mode (const char *str)
3cdd4c
+{
3cdd4c
+  if (strcmp (str, "ecb") == 0)
3cdd4c
+    return CIPHER_MODE_ECB;
3cdd4c
+  if (strcmp (str, "cbc") == 0)
3cdd4c
+    return CIPHER_MODE_CBC;
3cdd4c
+  if (strcmp (str, "xts") == 0)
3cdd4c
+    return CIPHER_MODE_XTS;
3cdd4c
+  if (strcmp (str, "ctr") == 0)
3cdd4c
+    return CIPHER_MODE_CTR;
3cdd4c
+  nbdkit_error ("unknown cipher mode: %s "
3cdd4c
+                "(expecting \"ecb\", \"cbc\", \"xts\" or \"ctr\")", str);
3cdd4c
+  return -1;
3cdd4c
+}
3cdd4c
+
3cdd4c
+static const char *
3cdd4c
+cipher_mode_to_string (enum cipher_mode v)
3cdd4c
+{
3cdd4c
+  switch (v) {
3cdd4c
+  case CIPHER_MODE_ECB: return "ecb";
3cdd4c
+  case CIPHER_MODE_CBC: return "cbc";
3cdd4c
+  case CIPHER_MODE_XTS: return "xts";
3cdd4c
+  case CIPHER_MODE_CTR: return "ctr";
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Methods used by LUKS to generate initial vectors.
3cdd4c
+ *
3cdd4c
+ * ESSIV is a bit more complicated to implement.  It is supported by
3cdd4c
+ * qemu but not by us.
3cdd4c
+ */
3cdd4c
+enum ivgen {
3cdd4c
+  IVGEN_PLAIN, IVGEN_PLAIN64, /* IVGEN_ESSIV, */
3cdd4c
+};
3cdd4c
+
3cdd4c
+static enum ivgen
3cdd4c
+lookup_ivgen (const char *str)
3cdd4c
+{
3cdd4c
+  if (strcmp (str, "plain") == 0)
3cdd4c
+    return IVGEN_PLAIN;
3cdd4c
+  if (strcmp (str, "plain64") == 0)
3cdd4c
+    return IVGEN_PLAIN64;
3cdd4c
+/*
3cdd4c
+  if (strcmp (str, "essiv") == 0)
3cdd4c
+    return IVGEN_ESSIV;
3cdd4c
+*/
3cdd4c
+  nbdkit_error ("unknown IV generation algorithm: %s "
3cdd4c
+                "(expecting \"plain\", \"plain64\" etc)", str);
3cdd4c
+  return -1;
3cdd4c
+}
3cdd4c
+
3cdd4c
+static const char *
3cdd4c
+ivgen_to_string (enum ivgen v)
3cdd4c
+{
3cdd4c
+  switch (v) {
3cdd4c
+  case IVGEN_PLAIN: return "plain";
3cdd4c
+  case IVGEN_PLAIN64: return "plain64";
3cdd4c
+  /*case IVGEN_ESSIV: return "essiv";*/
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+static void
3cdd4c
+calculate_iv (enum ivgen v, uint8_t *iv, size_t ivlen, uint64_t sector)
3cdd4c
+{
3cdd4c
+  size_t prefixlen;
3cdd4c
+  uint32_t sector32;
3cdd4c
+
3cdd4c
+  switch (v) {
3cdd4c
+  case IVGEN_PLAIN:
3cdd4c
+    prefixlen = 4; /* 32 bits */
3cdd4c
+    if (prefixlen > ivlen)
3cdd4c
+      prefixlen = ivlen;
3cdd4c
+    sector32 = (uint32_t) sector; /* truncate to only lower bits */
3cdd4c
+    sector32 = htole32 (sector32);
3cdd4c
+    memcpy (iv, &sector32, prefixlen);
3cdd4c
+    memset (iv + prefixlen, 0, ivlen - prefixlen);
3cdd4c
+    break;
3cdd4c
+
3cdd4c
+  case IVGEN_PLAIN64:
3cdd4c
+    prefixlen = 8; /* 64 bits */
3cdd4c
+    if (prefixlen > ivlen)
3cdd4c
+      prefixlen = ivlen;
3cdd4c
+    sector = htole64 (sector);
3cdd4c
+    memcpy (iv, &sector, prefixlen);
3cdd4c
+    memset (iv + prefixlen, 0, ivlen - prefixlen);
3cdd4c
+    break;
3cdd4c
+
3cdd4c
+  /*case IVGEN_ESSIV:*/
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Cipher algorithm.
3cdd4c
+ *
3cdd4c
+ * qemu in theory supports many more, but with the GnuTLS backend only
3cdd4c
+ * AES is supported.  The kernel seems to only support AES for LUKSv1.
3cdd4c
+ */
3cdd4c
+enum cipher_alg {
3cdd4c
+  CIPHER_ALG_AES_128, CIPHER_ALG_AES_192, CIPHER_ALG_AES_256,
3cdd4c
+};
3cdd4c
+
3cdd4c
+static enum cipher_alg
3cdd4c
+lookup_cipher_alg (const char *str, enum cipher_mode mode, int key_bytes)
3cdd4c
+{
3cdd4c
+  if (mode == CIPHER_MODE_XTS)
3cdd4c
+    key_bytes /= 2;
3cdd4c
+
3cdd4c
+  if (strcmp (str, "aes") == 0) {
3cdd4c
+    if (key_bytes == 16)
3cdd4c
+      return CIPHER_ALG_AES_128;
3cdd4c
+    if (key_bytes == 24)
3cdd4c
+      return CIPHER_ALG_AES_192;
3cdd4c
+    if (key_bytes == 32)
3cdd4c
+      return CIPHER_ALG_AES_256;
3cdd4c
+  }
3cdd4c
+  nbdkit_error ("unknown cipher algorithm: %s (expecting \"aes\", etc)", str);
3cdd4c
+  return -1;
3cdd4c
+}
3cdd4c
+
3cdd4c
+static const char *
3cdd4c
+cipher_alg_to_string (enum cipher_alg v)
3cdd4c
+{
3cdd4c
+  switch (v) {
3cdd4c
+  case CIPHER_ALG_AES_128: return "aes-128";
3cdd4c
+  case CIPHER_ALG_AES_192: return "aes-192";
3cdd4c
+  case CIPHER_ALG_AES_256: return "aes-256";
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+#if 0
3cdd4c
+static int
3cdd4c
+cipher_alg_key_bytes (enum cipher_alg v)
3cdd4c
+{
3cdd4c
+  switch (v) {
3cdd4c
+  case CIPHER_ALG_AES_128: return 16;
3cdd4c
+  case CIPHER_ALG_AES_192: return 24;
3cdd4c
+  case CIPHER_ALG_AES_256: return 32;
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+#endif
3cdd4c
+
3cdd4c
+static int
3cdd4c
+cipher_alg_iv_len (enum cipher_alg v, enum cipher_mode mode)
3cdd4c
+{
3cdd4c
+  if (CIPHER_MODE_ECB)
3cdd4c
+    return 0;                   /* Don't need an IV in this mode. */
3cdd4c
+
3cdd4c
+  switch (v) {
3cdd4c
+  case CIPHER_ALG_AES_128:
3cdd4c
+  case CIPHER_ALG_AES_192:
3cdd4c
+  case CIPHER_ALG_AES_256:
3cdd4c
+    return 16;
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Hash, eg.MD5, SHA1 etc.
3cdd4c
+ *
3cdd4c
+ * We reuse the GnuTLS digest algorithm enum here since it supports at
3cdd4c
+ * least all the ones that LUKSv1 does.
3cdd4c
+ */
3cdd4c
+static gnutls_digest_algorithm_t
3cdd4c
+lookup_hash (const char *str)
3cdd4c
+{
3cdd4c
+  if (strcmp (str, "md5") == 0)
3cdd4c
+    return GNUTLS_DIG_MD5;
3cdd4c
+  if (strcmp (str, "sha1") == 0)
3cdd4c
+    return GNUTLS_DIG_SHA1;
3cdd4c
+  if (strcmp (str, "sha224") == 0)
3cdd4c
+    return GNUTLS_DIG_SHA224;
3cdd4c
+  if (strcmp (str, "sha256") == 0)
3cdd4c
+    return GNUTLS_DIG_SHA256;
3cdd4c
+  if (strcmp (str, "sha384") == 0)
3cdd4c
+    return GNUTLS_DIG_SHA384;
3cdd4c
+  if (strcmp (str, "sha512") == 0)
3cdd4c
+    return GNUTLS_DIG_SHA512;
3cdd4c
+  if (strcmp (str, "ripemd160") == 0)
3cdd4c
+    return GNUTLS_DIG_RMD160;
3cdd4c
+  nbdkit_error ("unknown hash algorithm: %s "
3cdd4c
+                "(expecting \"md5\", \"sha1\", \"sha224\", etc)", str);
3cdd4c
+  return -1;
3cdd4c
+}
3cdd4c
+
3cdd4c
+static const char *
3cdd4c
+hash_to_string (gnutls_digest_algorithm_t v)
3cdd4c
+{
3cdd4c
+  switch (v) {
3cdd4c
+  case GNUTLS_DIG_UNKNOWN: return "unknown";
3cdd4c
+  case GNUTLS_DIG_MD5: return "md5";
3cdd4c
+  case GNUTLS_DIG_SHA1: return "sha1";
3cdd4c
+  case GNUTLS_DIG_SHA224: return "sha224";
3cdd4c
+  case GNUTLS_DIG_SHA256: return "sha256";
3cdd4c
+  case GNUTLS_DIG_SHA384: return "sha384";
3cdd4c
+  case GNUTLS_DIG_SHA512: return "sha512";
3cdd4c
+  case GNUTLS_DIG_RMD160: return "ripemd160";
3cdd4c
+  default: abort ();
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+
3cdd4c
+#if 0
3cdd4c
+/* See qemu & dm-crypt implementations for an explanation of what's
3cdd4c
+ * going on here.
3cdd4c
+ */
3cdd4c
+enum cipher_alg
3cdd4c
+lookup_essiv_cipher (enum cipher_alg cipher_alg,
3cdd4c
+                     gnutls_digest_algorithm_t ivgen_hash_alg)
3cdd4c
+{
3cdd4c
+  int digest_bytes = gnutls_hash_get_len (ivgen_hash_alg);
3cdd4c
+  int key_bytes = cipher_alg_key_bytes (cipher_alg);
3cdd4c
+
3cdd4c
+  if (digest_bytes == key_bytes)
3cdd4c
+    return cipher_alg;
3cdd4c
+
3cdd4c
+  switch (cipher_alg) {
3cdd4c
+  case CIPHER_ALG_AES_128:
3cdd4c
+  case CIPHER_ALG_AES_192:
3cdd4c
+  case CIPHER_ALG_AES_256:
3cdd4c
+    if (digest_bytes == 16) return CIPHER_ALG_AES_128;
3cdd4c
+    if (digest_bytes == 24) return CIPHER_ALG_AES_192;
3cdd4c
+    if (digest_bytes == 32) return CIPHER_ALG_AES_256;
3cdd4c
+    nbdkit_error ("no %s cipher available with key size %d",
3cdd4c
+                  "AES", digest_bytes);
3cdd4c
+    return -1;
3cdd4c
+  default:
3cdd4c
+    nbdkit_error ("ESSIV does not support cipher %s",
3cdd4c
+                  cipher_alg_to_string (cipher_alg));
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+}
3cdd4c
+#endif
3cdd4c
+
3cdd4c
+/* Per-connection data. */
3cdd4c
+struct luks_data {
3cdd4c
+  /* LUKS header, if necessary byte-swapped into host order. */
3cdd4c
+  struct luks_phdr phdr;
3cdd4c
+
3cdd4c
+  /* Decoded algorithm etc. */
3cdd4c
+  enum cipher_alg cipher_alg;
3cdd4c
+  enum cipher_mode cipher_mode;
3cdd4c
+  gnutls_digest_algorithm_t hash_alg;
3cdd4c
+  enum ivgen ivgen_alg;
3cdd4c
+  gnutls_digest_algorithm_t ivgen_hash_alg;
3cdd4c
+  enum cipher_alg ivgen_cipher_alg;
3cdd4c
+
3cdd4c
+  /* GnuTLS algorithm. */
3cdd4c
+  gnutls_cipher_algorithm_t gnutls_cipher;
3cdd4c
+
3cdd4c
+  /* If we managed to decrypt one of the keyslots using the passphrase
3cdd4c
+   * then this contains the master key, otherwise NULL.
3cdd4c
+   */
3cdd4c
+  uint8_t *masterkey;
3cdd4c
+};
3cdd4c
+
3cdd4c
+/* Parse the header fields containing cipher algorithm, mode, etc. */
3cdd4c
+static int
3cdd4c
+parse_cipher_strings (struct luks_data *h)
3cdd4c
+{
3cdd4c
+  char cipher_name[33], cipher_mode[33], hash_spec[33];
3cdd4c
+  char *ivgen, *ivhash;
3cdd4c
+
3cdd4c
+  /* Copy the header fields locally and ensure they are \0 terminated. */
3cdd4c
+  memcpy (cipher_name, h->phdr.cipher_name, 32);
3cdd4c
+  cipher_name[32] = 0;
3cdd4c
+  memcpy (cipher_mode, h->phdr.cipher_mode, 32);
3cdd4c
+  cipher_mode[32] = 0;
3cdd4c
+  memcpy (hash_spec, h->phdr.hash_spec, 32);
3cdd4c
+  hash_spec[32] = 0;
3cdd4c
+
3cdd4c
+  nbdkit_debug ("LUKS v%" PRIu16 " cipher: %s mode: %s hash: %s "
3cdd4c
+                "master key: %" PRIu32 " bits",
3cdd4c
+                h->phdr.version, cipher_name, cipher_mode, hash_spec,
3cdd4c
+                h->phdr.master_key_len * 8);
3cdd4c
+
3cdd4c
+  /* The cipher_mode header has the form: "ciphermode-ivgen[:ivhash]"
3cdd4c
+   * QEmu writes: "xts-plain64"
3cdd4c
+   */
3cdd4c
+  ivgen = strchr (cipher_mode, '-');
3cdd4c
+  if (!ivgen) {
3cdd4c
+    nbdkit_error ("incorrect cipher_mode header, "
3cdd4c
+                  "expecting mode-ivgenerator but got \"%s\"", cipher_mode);
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+  *ivgen = '\0';
3cdd4c
+  ivgen++;
3cdd4c
+
3cdd4c
+  ivhash = strchr (ivgen, ':');
3cdd4c
+  if (!ivhash)
3cdd4c
+    h->ivgen_hash_alg = GNUTLS_DIG_UNKNOWN;
3cdd4c
+  else {
3cdd4c
+    *ivhash = '\0';
3cdd4c
+    ivhash++;
3cdd4c
+
3cdd4c
+    h->ivgen_hash_alg = lookup_hash (ivhash);
3cdd4c
+    if (h->ivgen_hash_alg == -1)
3cdd4c
+      return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  h->cipher_mode = lookup_cipher_mode (cipher_mode);
3cdd4c
+  if (h->cipher_mode == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+  h->cipher_alg = lookup_cipher_alg (cipher_name, h->cipher_mode,
3cdd4c
+                                     h->phdr.master_key_len);
3cdd4c
+  if (h->cipher_alg == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+  h->hash_alg = lookup_hash (hash_spec);
3cdd4c
+  if (h->hash_alg == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+  h->ivgen_alg = lookup_ivgen (ivgen);
3cdd4c
+  if (h->ivgen_alg == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+#if 0
3cdd4c
+  if (h->ivgen_alg == IVGEN_ESSIV) {
3cdd4c
+    if (!ivhash) {
3cdd4c
+      nbdkit_error ("incorrect IV generator hash specification");
3cdd4c
+      return -1;
3cdd4c
+    }
3cdd4c
+    h->ivgen_cipher_alg = lookup_essiv_cipher (h->cipher_alg,
3cdd4c
+                                               h->ivgen_hash_alg);
3cdd4c
+    if (h->ivgen_cipher_alg == -1)
3cdd4c
+      return -1;
3cdd4c
+  }
3cdd4c
+  else
3cdd4c
+#endif
3cdd4c
+  h->ivgen_cipher_alg = h->cipher_alg;
3cdd4c
+
3cdd4c
+  nbdkit_debug ("LUKS parsed ciphers: %s %s %s %s %s %s",
3cdd4c
+                cipher_alg_to_string (h->cipher_alg),
3cdd4c
+                cipher_mode_to_string (h->cipher_mode),
3cdd4c
+                hash_to_string (h->hash_alg),
3cdd4c
+                ivgen_to_string (h->ivgen_alg),
3cdd4c
+                hash_to_string (h->ivgen_hash_alg),
3cdd4c
+                cipher_alg_to_string (h->ivgen_cipher_alg));
3cdd4c
+
3cdd4c
+  /* GnuTLS combines cipher and block mode into a single value.  Not
3cdd4c
+   * all possible combinations are available in GnuTLS.  See:
3cdd4c
+   * https://www.gnutls.org/manual/html_node/Supported-ciphersuites.html
3cdd4c
+   */
3cdd4c
+  h->gnutls_cipher = GNUTLS_CIPHER_NULL;
3cdd4c
+  switch (h->cipher_mode) {
3cdd4c
+  case CIPHER_MODE_XTS:
3cdd4c
+    switch (h->cipher_alg) {
3cdd4c
+    case CIPHER_ALG_AES_128:
3cdd4c
+      h->gnutls_cipher = GNUTLS_CIPHER_AES_128_XTS;
3cdd4c
+      break;
3cdd4c
+    case CIPHER_ALG_AES_256:
3cdd4c
+      h->gnutls_cipher = GNUTLS_CIPHER_AES_256_XTS;
3cdd4c
+      break;
3cdd4c
+    default: break;
3cdd4c
+    }
3cdd4c
+    break;
3cdd4c
+  case CIPHER_MODE_CBC:
3cdd4c
+    switch (h->cipher_alg) {
3cdd4c
+    case CIPHER_ALG_AES_128:
3cdd4c
+      h->gnutls_cipher = GNUTLS_CIPHER_AES_128_CBC;
3cdd4c
+      break;
3cdd4c
+    case CIPHER_ALG_AES_192:
3cdd4c
+      h->gnutls_cipher = GNUTLS_CIPHER_AES_192_CBC;
3cdd4c
+      break;
3cdd4c
+    case CIPHER_ALG_AES_256:
3cdd4c
+      h->gnutls_cipher = GNUTLS_CIPHER_AES_256_CBC;
3cdd4c
+      break;
3cdd4c
+    default: break;
3cdd4c
+    }
3cdd4c
+  default: break;
3cdd4c
+  }
3cdd4c
+  if (h->gnutls_cipher == GNUTLS_CIPHER_NULL) {
3cdd4c
+    nbdkit_error ("cipher algorithm %s in mode %s is not supported by GnuTLS",
3cdd4c
+                  cipher_alg_to_string (h->cipher_alg),
3cdd4c
+                  cipher_mode_to_string (h->cipher_mode));
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Anti-Forensic merge operation. */
3cdd4c
+static void
3cdd4c
+xor (const uint8_t *in1, const uint8_t *in2, uint8_t *out, size_t len)
3cdd4c
+{
3cdd4c
+  size_t i;
3cdd4c
+
3cdd4c
+  for (i = 0; i < len; ++i)
3cdd4c
+    out[i] = in1[i] ^ in2[i];
3cdd4c
+}
3cdd4c
+
3cdd4c
+static int
3cdd4c
+af_hash (gnutls_digest_algorithm_t hash_alg, uint8_t *block, size_t len)
3cdd4c
+{
3cdd4c
+  size_t digest_bytes = gnutls_hash_get_len (hash_alg);
3cdd4c
+  size_t nr_blocks, last_block_len;
3cdd4c
+  size_t i;
3cdd4c
+  CLEANUP_FREE uint8_t *temp = malloc (digest_bytes);
3cdd4c
+  int r;
3cdd4c
+  gnutls_hash_hd_t hash;
3cdd4c
+
3cdd4c
+  nr_blocks = len / digest_bytes;
3cdd4c
+  last_block_len = len % digest_bytes;
3cdd4c
+  if (last_block_len != 0)
3cdd4c
+    nr_blocks++;
3cdd4c
+  else
3cdd4c
+    last_block_len = digest_bytes;
3cdd4c
+
3cdd4c
+  for (i = 0; i < nr_blocks; ++i) {
3cdd4c
+    const uint32_t iv = htobe32 (i);
3cdd4c
+    const size_t blen = i < nr_blocks - 1 ? digest_bytes : last_block_len;
3cdd4c
+
3cdd4c
+    /* Hash iv + i'th block into temp. */
3cdd4c
+    r = gnutls_hash_init (&hash, hash_alg);
3cdd4c
+    if (r != 0) {
3cdd4c
+      nbdkit_error ("gnutls_hash_init: %s", gnutls_strerror (r));
3cdd4c
+      return -1;
3cdd4c
+    }
3cdd4c
+    gnutls_hash (hash, &iv, sizeof iv);
3cdd4c
+    gnutls_hash (hash, &block[i*digest_bytes], blen);
3cdd4c
+    gnutls_hash_deinit (hash, temp);
3cdd4c
+
3cdd4c
+    memcpy (&block[i*digest_bytes], temp, blen);
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
+
3cdd4c
+static int
3cdd4c
+afmerge (gnutls_digest_algorithm_t hash_alg, uint32_t stripes,
3cdd4c
+         const uint8_t *in, uint8_t *out, size_t outlen)
3cdd4c
+{
3cdd4c
+  CLEANUP_FREE uint8_t *block = calloc (1, outlen);
3cdd4c
+  size_t i;
3cdd4c
+
3cdd4c
+  /* NB: input size is stripes * master_key_len where
3cdd4c
+   * master_key_len == outlen
3cdd4c
+   */
3cdd4c
+  for (i = 0; i < stripes-1; ++i) {
3cdd4c
+    xor (&in[i*outlen], block, block, outlen);
3cdd4c
+    if (af_hash (hash_alg, block, outlen) == -1)
3cdd4c
+      return -1;
3cdd4c
+  }
3cdd4c
+  xor (&in[i*outlen], block, out, outlen);
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Length of key material in key slot i (sectors).
3cdd4c
+ *
3cdd4c
+ * This is basically copied from qemu because the spec description is
3cdd4c
+ * unintelligible and apparently doesn't match reality.
3cdd4c
+ */
3cdd4c
+static uint64_t
3cdd4c
+key_material_length_in_sectors (struct luks_data *h, size_t i)
3cdd4c
+{
3cdd4c
+  uint64_t len, r;
3cdd4c
+
3cdd4c
+  len = h->phdr.master_key_len * h->phdr.keyslot[i].stripes;
3cdd4c
+  r = DIV_ROUND_UP (len, LUKS_SECTOR_SIZE);
3cdd4c
+  r = ROUND_UP (r, LUKS_ALIGN_KEYSLOTS / LUKS_SECTOR_SIZE);
3cdd4c
+  return r;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Try the passphrase in key slot i.  If this returns true then the
3cdd4c
+ * passphrase was able to decrypt the master key, and the master key
3cdd4c
+ * has been stored in h->masterkey.
3cdd4c
+ */
3cdd4c
+static int
3cdd4c
+try_passphrase_in_keyslot (nbdkit_next *next, struct luks_data *h,
3cdd4c
+                           size_t i, const char *passphrase)
3cdd4c
+{
3cdd4c
+  /* I believe this is supposed to be safe, looking at the GnuTLS
3cdd4c
+   * header file.
3cdd4c
+   */
3cdd4c
+  const gnutls_mac_algorithm_t mac = (gnutls_mac_algorithm_t) h->hash_alg;
3cdd4c
+  struct luks_keyslot *ks = &h->phdr.keyslot[i];
3cdd4c
+  size_t split_key_len;
3cdd4c
+  CLEANUP_FREE uint8_t *split_key = NULL;
3cdd4c
+  CLEANUP_FREE uint8_t *masterkey = NULL;
3cdd4c
+  const gnutls_datum_t key =
3cdd4c
+    { (unsigned char *) passphrase, strlen (passphrase) };
3cdd4c
+  const gnutls_datum_t salt =
3cdd4c
+    { (unsigned char *) ks->password_salt, LUKS_SALTSIZE };
3cdd4c
+  const gnutls_datum_t msalt =
3cdd4c
+    { (unsigned char *) h->phdr.master_key_salt, LUKS_SALTSIZE };
3cdd4c
+  gnutls_datum_t mkey;
3cdd4c
+  gnutls_cipher_hd_t cipher;
3cdd4c
+  int r, err = 0;
3cdd4c
+  uint64_t start;
3cdd4c
+  uint8_t key_digest[LUKS_DIGESTSIZE];
3cdd4c
+
3cdd4c
+  if (ks->active != LUKS_KEY_ENABLED)
3cdd4c
+    return 0;
3cdd4c
+
3cdd4c
+  split_key_len = h->phdr.master_key_len * ks->stripes;
3cdd4c
+  split_key = malloc (split_key_len);
3cdd4c
+  if (split_key == NULL) {
3cdd4c
+    nbdkit_error ("malloc: %m");
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+  masterkey = malloc (h->phdr.master_key_len);
3cdd4c
+  if (masterkey == NULL) {
3cdd4c
+    nbdkit_error ("malloc: %m");
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Hash the passphrase to make a possible masterkey. */
3cdd4c
+  r = gnutls_pbkdf2 (mac, &key, &salt, ks->password_iterations,
3cdd4c
+                     masterkey, h->phdr.master_key_len);
3cdd4c
+  if (r != 0) {
3cdd4c
+    nbdkit_error ("gnutls_pbkdf2: %s", gnutls_strerror (r));
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Read master key material from plugin. */
3cdd4c
+  start = ks->key_material_offset * LUKS_SECTOR_SIZE;
3cdd4c
+  if (next->pread (next, split_key, split_key_len, start, 0, &err) == -1) {
3cdd4c
+    errno = err;
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Decrypt the (still AFsplit) master key material. */
3cdd4c
+  mkey.data = (unsigned char *) masterkey;
3cdd4c
+  mkey.size = h->phdr.master_key_len;
3cdd4c
+  r = gnutls_cipher_init (&cipher, h->gnutls_cipher, &mkey, NULL);
3cdd4c
+  if (r != 0) {
3cdd4c
+    nbdkit_error ("gnutls_cipher_init: %s", gnutls_strerror (r));
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  r = do_decrypt (h, cipher, 0, split_key, split_key_len / LUKS_SECTOR_SIZE);
3cdd4c
+  gnutls_cipher_deinit (cipher);
3cdd4c
+  if (r == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+  /* Decode AFsplit key to a possible masterkey. */
3cdd4c
+  if (afmerge (h->hash_alg, ks->stripes, split_key,
3cdd4c
+               masterkey, h->phdr.master_key_len) == -1)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
+  /* Check if the masterkey is correct by comparing hash of the
3cdd4c
+   * masterkey with LUKS header.
3cdd4c
+   */
3cdd4c
+  r = gnutls_pbkdf2 (mac, &mkey, &msalt,
3cdd4c
+                     h->phdr.master_key_digest_iterations,
3cdd4c
+                     key_digest, LUKS_DIGESTSIZE);
3cdd4c
+  if (r != 0) {
3cdd4c
+    nbdkit_error ("gnutls_pbkdf2: %s", gnutls_strerror (r));
3cdd4c
+    return -1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  if (memcmp (key_digest, h->phdr.master_key_digest, LUKS_DIGESTSIZE) == 0) {
3cdd4c
+    /* The passphrase is correct so save the master key in the handle. */
3cdd4c
+    h->masterkey = malloc (h->phdr.master_key_len);
3cdd4c
+    if (h->masterkey == NULL) {
3cdd4c
+      nbdkit_error ("malloc: %m");
3cdd4c
+      return -1;
3cdd4c
+    }
3cdd4c
+    memcpy (h->masterkey, masterkey, h->phdr.master_key_len);
3cdd4c
+    return 1;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
+
3cdd4c
+struct luks_data *
3cdd4c
+load_header (nbdkit_next *next, const char *passphrase)
3cdd4c
+{
3cdd4c
+  static const char expected_magic[] = LUKS_MAGIC;
3cdd4c
+  struct luks_data *h;
3cdd4c
+  int64_t size;
3cdd4c
+  int err = 0, r;
3cdd4c
+  size_t i;
3cdd4c
+  struct luks_keyslot *ks;
3cdd4c
+  char uuid[41];
3cdd4c
+
3cdd4c
+  h = calloc (1, sizeof *h);
3cdd4c
+  if (h == NULL) {
3cdd4c
+    nbdkit_error ("calloc: %m");
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Check the struct size matches the documentation. */
3cdd4c
+  assert (sizeof (struct luks_phdr) == 592);
3cdd4c
+
3cdd4c
+  /* Check this is a LUKSv1 disk. */
3cdd4c
+  size = next->get_size (next);
3cdd4c
+  if (size == -1) {
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+  if (size < 16384) {
3cdd4c
+    nbdkit_error ("disk is too small to be LUKS-encrypted");
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Read the phdr. */
3cdd4c
+  if (next->pread (next, &h->phdr, sizeof h->phdr, 0, 0, &err) == -1) {
3cdd4c
+    free (h);
3cdd4c
+    errno = err;
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  if (memcmp (h->phdr.magic, expected_magic, LUKS_MAGIC_LEN) != 0) {
3cdd4c
+    nbdkit_error ("this disk does not contain a LUKS header");
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+  h->phdr.version = be16toh (h->phdr.version);
3cdd4c
+  if (h->phdr.version != 1) {
3cdd4c
+    nbdkit_error ("this disk contains a LUKS version %" PRIu16 " header, "
3cdd4c
+                  "but this filter only supports LUKSv1",
3cdd4c
+                  h->phdr.version);
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Byte-swap the rest of the header. */
3cdd4c
+  h->phdr.payload_offset = be32toh (h->phdr.payload_offset);
3cdd4c
+  h->phdr.master_key_len = be32toh (h->phdr.master_key_len);
3cdd4c
+  h->phdr.master_key_digest_iterations =
3cdd4c
+    be32toh (h->phdr.master_key_digest_iterations);
3cdd4c
+
3cdd4c
+  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
+    ks = &h->phdr.keyslot[i];
3cdd4c
+    ks->active = be32toh (ks->active);
3cdd4c
+    ks->password_iterations = be32toh (ks->password_iterations);
3cdd4c
+    ks->key_material_offset = be32toh (ks->key_material_offset);
3cdd4c
+    ks->stripes = be32toh (ks->stripes);
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Sanity check some fields. */
3cdd4c
+  if (h->phdr.payload_offset >= size / LUKS_SECTOR_SIZE) {
3cdd4c
+    nbdkit_error ("bad LUKSv1 header: payload offset points beyond "
3cdd4c
+                  "the end of the disk");
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* We derive several allocations from master_key_len so make sure
3cdd4c
+   * it's not insane.
3cdd4c
+   */
3cdd4c
+  if (h->phdr.master_key_len > 1024) {
3cdd4c
+    nbdkit_error ("bad LUKSv1 header: master key is too long");
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
+    uint64_t start, len;
3cdd4c
+
3cdd4c
+    ks = &h->phdr.keyslot[i];
3cdd4c
+    switch (ks->active) {
3cdd4c
+    case LUKS_KEY_ENABLED:
3cdd4c
+      if (!ks->stripes) {
3cdd4c
+        nbdkit_error ("bad LUKSv1 header: key slot %zu is corrupted", i);
3cdd4c
+        free (h);
3cdd4c
+        return NULL;
3cdd4c
+      }
3cdd4c
+      if (ks->stripes >= 10000) {
3cdd4c
+        nbdkit_error ("bad LUKSv1 header: key slot %zu stripes too large", i);
3cdd4c
+        return NULL;
3cdd4c
+      }
3cdd4c
+      start = ks->key_material_offset;
3cdd4c
+      len = key_material_length_in_sectors (h, i);
3cdd4c
+      if (len > 4096) /* bound it at something reasonable */ {
3cdd4c
+        nbdkit_error ("bad LUKSv1 header: key slot %zu key material length "
3cdd4c
+                      "is too large", i);
3cdd4c
+        free (h);
3cdd4c
+        return NULL;
3cdd4c
+      }
3cdd4c
+      if (start * LUKS_SECTOR_SIZE >= size ||
3cdd4c
+          (start + len) * LUKS_SECTOR_SIZE >= size) {
3cdd4c
+        nbdkit_error ("bad LUKSv1 header: key slot %zu key material offset "
3cdd4c
+                      "points beyond the end of the disk", i);
3cdd4c
+        free (h);
3cdd4c
+        return NULL;
3cdd4c
+      }
3cdd4c
+      /*FALLTHROUGH*/
3cdd4c
+    case LUKS_KEY_DISABLED:
3cdd4c
+      break;
3cdd4c
+
3cdd4c
+    default:
3cdd4c
+      nbdkit_error ("bad LUKSv1 header: key slot %zu has "
3cdd4c
+                    "an invalid active flag", i);
3cdd4c
+      return NULL;
3cdd4c
+    }
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Decode the ciphers. */
3cdd4c
+  if (parse_cipher_strings (h) == -1) {
3cdd4c
+    free (h);
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Dump some information about the header. */
3cdd4c
+  memcpy (uuid, h->phdr.uuid, 40);
3cdd4c
+  uuid[40] = 0;
3cdd4c
+  nbdkit_debug ("LUKS UUID: %s", uuid);
3cdd4c
+
3cdd4c
+  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
+    uint64_t start, len;
3cdd4c
+
3cdd4c
+    ks = &h->phdr.keyslot[i];
3cdd4c
+    if (ks->active == LUKS_KEY_ENABLED) {
3cdd4c
+      start = ks->key_material_offset;
3cdd4c
+      len = key_material_length_in_sectors (h, i);
3cdd4c
+      nbdkit_debug ("LUKS key slot %zu: key material in sectors %" PRIu64
3cdd4c
+                    "..%" PRIu64,
3cdd4c
+                    i, start, start+len-1);
3cdd4c
+    }
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  /* Now try to unlock the master key. */
3cdd4c
+  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
+    r = try_passphrase_in_keyslot (next, h, i, passphrase);
3cdd4c
+    if (r == -1) {
3cdd4c
+      free (h);
3cdd4c
+      return NULL;
3cdd4c
+    }
3cdd4c
+    if (r > 0)
3cdd4c
+      goto unlocked;
3cdd4c
+  }
3cdd4c
+  nbdkit_error ("LUKS passphrase is not correct, "
3cdd4c
+                "no key slot could be unlocked");
3cdd4c
+  free (h);
3cdd4c
+  return NULL;
3cdd4c
+
3cdd4c
+ unlocked:
3cdd4c
+  assert (h->masterkey != NULL);
3cdd4c
+  nbdkit_debug ("LUKS unlocked block device with passphrase");
3cdd4c
+
3cdd4c
+  return h;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Free fields in the handle that might have been set by load_header. */
3cdd4c
+void
3cdd4c
+free_luks_data (struct luks_data *h)
3cdd4c
+{
3cdd4c
+  if (h->masterkey) {
3cdd4c
+    memset (h->masterkey, 0, h->phdr.master_key_len);
3cdd4c
+    free (h->masterkey);
3cdd4c
+  }
3cdd4c
+  free (h);
3cdd4c
+}
3cdd4c
+
3cdd4c
+uint64_t
3cdd4c
+get_payload_offset (struct luks_data *h)
3cdd4c
+{
3cdd4c
+  return h->phdr.payload_offset;
3cdd4c
+}
3cdd4c
+
3cdd4c
+gnutls_cipher_hd_t
3cdd4c
+create_cipher (struct luks_data *h)
3cdd4c
+{
3cdd4c
+  gnutls_datum_t mkey;
3cdd4c
+  gnutls_cipher_hd_t cipher;
3cdd4c
+  int r;
3cdd4c
+
3cdd4c
+  assert (h->masterkey != NULL);
3cdd4c
+
3cdd4c
+  mkey.data = (unsigned char *) h->masterkey;
3cdd4c
+  mkey.size = h->phdr.master_key_len;
3cdd4c
+  r = gnutls_cipher_init (&cipher, h->gnutls_cipher, &mkey, NULL);
3cdd4c
+  if (r != 0) {
3cdd4c
+    nbdkit_error ("gnutls_cipher_init: %s", gnutls_strerror (r));
3cdd4c
+    return NULL;
3cdd4c
+  }
3cdd4c
+  return cipher;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Perform decryption of a block of data in memory. */
3cdd4c
+int
3cdd4c
+do_decrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
3cdd4c
+            uint64_t sector, uint8_t *buf, size_t nr_sectors)
3cdd4c
+{
3cdd4c
+  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
3cdd4c
+  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
3cdd4c
+  int r;
3cdd4c
+
3cdd4c
+  while (nr_sectors) {
3cdd4c
+    calculate_iv (h->ivgen_alg, iv, ivlen, sector);
3cdd4c
+    gnutls_cipher_set_iv (cipher, iv, ivlen);
3cdd4c
+    r = gnutls_cipher_decrypt2 (cipher,
3cdd4c
+                                buf, LUKS_SECTOR_SIZE, /* ciphertext */
3cdd4c
+                                buf, LUKS_SECTOR_SIZE  /* plaintext */);
3cdd4c
+    if (r != 0) {
3cdd4c
+      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));
3cdd4c
+      return -1;
3cdd4c
+    }
3cdd4c
+
3cdd4c
+    buf += LUKS_SECTOR_SIZE;
3cdd4c
+    nr_sectors--;
3cdd4c
+    sector++;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
+
3cdd4c
+/* Perform encryption of a block of data in memory. */
3cdd4c
+int
3cdd4c
+do_encrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
3cdd4c
+            uint64_t sector, uint8_t *buf, size_t nr_sectors)
3cdd4c
+{
3cdd4c
+  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
3cdd4c
+  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
3cdd4c
+  int r;
3cdd4c
+
3cdd4c
+  while (nr_sectors) {
3cdd4c
+    calculate_iv (h->ivgen_alg, iv, ivlen, sector);
3cdd4c
+    gnutls_cipher_set_iv (cipher, iv, ivlen);
3cdd4c
+    r = gnutls_cipher_encrypt2 (cipher,
3cdd4c
+                                buf, LUKS_SECTOR_SIZE, /* plaintext */
3cdd4c
+                                buf, LUKS_SECTOR_SIZE  /* ciphertext */);
3cdd4c
+    if (r != 0) {
3cdd4c
+      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));
3cdd4c
+      return -1;
3cdd4c
+    }
3cdd4c
+
3cdd4c
+    buf += LUKS_SECTOR_SIZE;
3cdd4c
+    nr_sectors--;
3cdd4c
+    sector++;
3cdd4c
+  }
3cdd4c
+
3cdd4c
+  return 0;
3cdd4c
+}
3cdd4c
diff --git a/filters/luks/luks-encryption.h b/filters/luks/luks-encryption.h
3cdd4c
new file mode 100644
3cdd4c
index 00000000..3f8b9c9e
3cdd4c
--- /dev/null
3cdd4c
+++ b/filters/luks/luks-encryption.h
3cdd4c
@@ -0,0 +1,78 @@
3cdd4c
+/* nbdkit
3cdd4c
+ * Copyright (C) 2013-2022 Red Hat Inc.
3cdd4c
+ *
3cdd4c
+ * Redistribution and use in source and binary forms, with or without
3cdd4c
+ * modification, are permitted provided that the following conditions are
3cdd4c
+ * met:
3cdd4c
+ *
3cdd4c
+ * * Redistributions of source code must retain the above copyright
3cdd4c
+ * notice, this list of conditions and the following disclaimer.
3cdd4c
+ *
3cdd4c
+ * * Redistributions in binary form must reproduce the above copyright
3cdd4c
+ * notice, this list of conditions and the following disclaimer in the
3cdd4c
+ * documentation and/or other materials provided with the distribution.
3cdd4c
+ *
3cdd4c
+ * * Neither the name of Red Hat nor the names of its contributors may be
3cdd4c
+ * used to endorse or promote products derived from this software without
3cdd4c
+ * specific prior written permission.
3cdd4c
+ *
3cdd4c
+ * THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
3cdd4c
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
3cdd4c
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
3cdd4c
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
3cdd4c
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
3cdd4c
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
3cdd4c
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
3cdd4c
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
3cdd4c
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
3cdd4c
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
3cdd4c
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3cdd4c
+ * SUCH DAMAGE.
3cdd4c
+ */
3cdd4c
+
3cdd4c
+/* This header file defines the file format used by LUKSv1.  See also:
3cdd4c
+ * https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf
3cdd4c
+ * Note we do not yet support LUKSv2.
3cdd4c
+ */
3cdd4c
+
3cdd4c
+#ifndef NBDKIT_LUKS_ENCRYPTION_H
3cdd4c
+#define NBDKIT_LUKS_ENCRYPTION_H
3cdd4c
+
3cdd4c
+#include <stdint.h>
3cdd4c
+#include <gnutls/crypto.h>
3cdd4c
+
3cdd4c
+#define LUKS_SECTOR_SIZE 512
3cdd4c
+
3cdd4c
+/* Per-connection data. */
3cdd4c
+struct luks_data;
3cdd4c
+
3cdd4c
+/* Load the LUKS header, parse the algorithms, unlock the masterkey
3cdd4c
+ * using the passphrase, initialize all the fields in the handle.
3cdd4c
+ *
3cdd4c
+ * This function may call next->pread (many times).
3cdd4c
+ */
3cdd4c
+extern struct luks_data *load_header (nbdkit_next *next,
3cdd4c
+                                      const char *passphrase);
3cdd4c
+
3cdd4c
+/* Free the handle and all fields inside it. */
3cdd4c
+extern void free_luks_data (struct luks_data *h);
3cdd4c
+
3cdd4c
+/* Get the offset where the encrypted data starts (in sectors). */
3cdd4c
+extern uint64_t get_payload_offset (struct luks_data *h);
3cdd4c
+
3cdd4c
+/* Create an GnuTLS cipher, initialized with the master key.  Must be
3cdd4c
+ * freed by the caller using gnutls_cipher_deinit.
3cdd4c
+ */
3cdd4c
+extern gnutls_cipher_hd_t create_cipher (struct luks_data *h);
3cdd4c
+
3cdd4c
+/* Perform decryption/encryption of a block of memory in-place.
3cdd4c
+ *
3cdd4c
+ * 'sector' is the sector number on disk, used to calculate IVs.  (The
3cdd4c
+ * keyslots also use these functions, but sector must be 0).
3cdd4c
+ */
3cdd4c
+extern int do_decrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
3cdd4c
+                       uint64_t sector, uint8_t *buf, size_t nr_sectors);
3cdd4c
+extern int do_encrypt (struct luks_data *h, gnutls_cipher_hd_t cipher,
3cdd4c
+                       uint64_t sector, uint8_t *buf, size_t nr_sectors);
3cdd4c
+
3cdd4c
+#endif /* NBDKIT_LUKS_ENCRYPTION_H */
3cdd4c
diff --git a/filters/luks/luks.c b/filters/luks/luks.c
3cdd4c
index cc619698..8ad3f4ec 100644
3cdd4c
--- a/filters/luks/luks.c
3cdd4c
+++ b/filters/luks/luks.c
3cdd4c
@@ -45,49 +45,11 @@
3cdd4c
 
3cdd4c
 #include <nbdkit-filter.h>
3cdd4c
 
3cdd4c
-#include "byte-swapping.h"
3cdd4c
+#include "luks-encryption.h"
3cdd4c
+
3cdd4c
 #include "cleanup.h"
3cdd4c
 #include "isaligned.h"
3cdd4c
 #include "minmax.h"
3cdd4c
-#include "rounding.h"
3cdd4c
-
3cdd4c
-/* LUKSv1 constants. */
3cdd4c
-#define LUKS_MAGIC { 'L', 'U', 'K', 'S', 0xBA, 0xBE }
3cdd4c
-#define LUKS_MAGIC_LEN 6
3cdd4c
-#define LUKS_DIGESTSIZE 20
3cdd4c
-#define LUKS_SALTSIZE 32
3cdd4c
-#define LUKS_NUMKEYS 8
3cdd4c
-#define LUKS_KEY_DISABLED 0x0000DEAD
3cdd4c
-#define LUKS_KEY_ENABLED  0x00AC71F3
3cdd4c
-#define LUKS_STRIPES 4000
3cdd4c
-#define LUKS_ALIGN_KEYSLOTS 4096
3cdd4c
-#define LUKS_SECTOR_SIZE 512
3cdd4c
-
3cdd4c
-/* Key slot. */
3cdd4c
-struct luks_keyslot {
3cdd4c
-  uint32_t active;              /* LUKS_KEY_DISABLED|LUKS_KEY_ENABLED */
3cdd4c
-  uint32_t password_iterations;
3cdd4c
-  char password_salt[LUKS_SALTSIZE];
3cdd4c
-  uint32_t key_material_offset;
3cdd4c
-  uint32_t stripes;
3cdd4c
-} __attribute__((__packed__));
3cdd4c
-
3cdd4c
-/* LUKS superblock. */
3cdd4c
-struct luks_phdr {
3cdd4c
-  char magic[LUKS_MAGIC_LEN];   /* LUKS_MAGIC */
3cdd4c
-  uint16_t version;             /* Only 1 is supported. */
3cdd4c
-  char cipher_name[32];
3cdd4c
-  char cipher_mode[32];
3cdd4c
-  char hash_spec[32];
3cdd4c
-  uint32_t payload_offset;
3cdd4c
-  uint32_t master_key_len;
3cdd4c
-  uint8_t master_key_digest[LUKS_DIGESTSIZE];
3cdd4c
-  uint8_t master_key_salt[LUKS_SALTSIZE];
3cdd4c
-  uint32_t master_key_digest_iterations;
3cdd4c
-  uint8_t uuid[40];
3cdd4c
-
3cdd4c
-  struct luks_keyslot keyslot[LUKS_NUMKEYS]; /* Key slots. */
3cdd4c
-} __attribute__((__packed__));
3cdd4c
 
3cdd4c
 static char *passphrase = NULL;
3cdd4c
 
3cdd4c
@@ -135,251 +97,9 @@ luks_config_complete (nbdkit_next_config_complete *next, nbdkit_backend *nxdata)
3cdd4c
 #define luks_config_help \
3cdd4c
   "passphrase=<SECRET>      Secret passphrase."
3cdd4c
 
3cdd4c
-enum cipher_mode {
3cdd4c
-  CIPHER_MODE_ECB, CIPHER_MODE_CBC, CIPHER_MODE_XTS, CIPHER_MODE_CTR,
3cdd4c
-};
3cdd4c
-
3cdd4c
-static enum cipher_mode
3cdd4c
-lookup_cipher_mode (const char *str)
3cdd4c
-{
3cdd4c
-  if (strcmp (str, "ecb") == 0)
3cdd4c
-    return CIPHER_MODE_ECB;
3cdd4c
-  if (strcmp (str, "cbc") == 0)
3cdd4c
-    return CIPHER_MODE_CBC;
3cdd4c
-  if (strcmp (str, "xts") == 0)
3cdd4c
-    return CIPHER_MODE_XTS;
3cdd4c
-  if (strcmp (str, "ctr") == 0)
3cdd4c
-    return CIPHER_MODE_CTR;
3cdd4c
-  nbdkit_error ("unknown cipher mode: %s "
3cdd4c
-                "(expecting \"ecb\", \"cbc\", \"xts\" or \"ctr\")", str);
3cdd4c
-  return -1;
3cdd4c
-}
3cdd4c
-
3cdd4c
-static const char *
3cdd4c
-cipher_mode_to_string (enum cipher_mode v)
3cdd4c
-{
3cdd4c
-  switch (v) {
3cdd4c
-  case CIPHER_MODE_ECB: return "ecb";
3cdd4c
-  case CIPHER_MODE_CBC: return "cbc";
3cdd4c
-  case CIPHER_MODE_XTS: return "xts";
3cdd4c
-  case CIPHER_MODE_CTR: return "ctr";
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-enum ivgen {
3cdd4c
-  IVGEN_PLAIN, IVGEN_PLAIN64, /* IVGEN_ESSIV, */
3cdd4c
-};
3cdd4c
-
3cdd4c
-static enum ivgen
3cdd4c
-lookup_ivgen (const char *str)
3cdd4c
-{
3cdd4c
-  if (strcmp (str, "plain") == 0)
3cdd4c
-    return IVGEN_PLAIN;
3cdd4c
-  if (strcmp (str, "plain64") == 0)
3cdd4c
-    return IVGEN_PLAIN64;
3cdd4c
-/*
3cdd4c
-  if (strcmp (str, "essiv") == 0)
3cdd4c
-    return IVGEN_ESSIV;
3cdd4c
-*/
3cdd4c
-  nbdkit_error ("unknown IV generation algorithm: %s "
3cdd4c
-                "(expecting \"plain\", \"plain64\" etc)", str);
3cdd4c
-  return -1;
3cdd4c
-}
3cdd4c
-
3cdd4c
-static const char *
3cdd4c
-ivgen_to_string (enum ivgen v)
3cdd4c
-{
3cdd4c
-  switch (v) {
3cdd4c
-  case IVGEN_PLAIN: return "plain";
3cdd4c
-  case IVGEN_PLAIN64: return "plain64";
3cdd4c
-  /*case IVGEN_ESSIV: return "essiv";*/
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-static void
3cdd4c
-calculate_iv (enum ivgen v, uint8_t *iv, size_t ivlen, uint64_t sector)
3cdd4c
-{
3cdd4c
-  size_t prefixlen;
3cdd4c
-  uint32_t sector32;
3cdd4c
-
3cdd4c
-  switch (v) {
3cdd4c
-  case IVGEN_PLAIN:
3cdd4c
-    prefixlen = 4; /* 32 bits */
3cdd4c
-    if (prefixlen > ivlen)
3cdd4c
-      prefixlen = ivlen;
3cdd4c
-    sector32 = (uint32_t) sector; /* truncate to only lower bits */
3cdd4c
-    sector32 = htole32 (sector32);
3cdd4c
-    memcpy (iv, &sector32, prefixlen);
3cdd4c
-    memset (iv + prefixlen, 0, ivlen - prefixlen);
3cdd4c
-    break;
3cdd4c
-
3cdd4c
-  case IVGEN_PLAIN64:
3cdd4c
-    prefixlen = 8; /* 64 bits */
3cdd4c
-    if (prefixlen > ivlen)
3cdd4c
-      prefixlen = ivlen;
3cdd4c
-    sector = htole64 (sector);
3cdd4c
-    memcpy (iv, &sector, prefixlen);
3cdd4c
-    memset (iv + prefixlen, 0, ivlen - prefixlen);
3cdd4c
-    break;
3cdd4c
-
3cdd4c
-  /*case IVGEN_ESSIV:*/
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-enum cipher_alg {
3cdd4c
-  CIPHER_ALG_AES_128, CIPHER_ALG_AES_192, CIPHER_ALG_AES_256,
3cdd4c
-};
3cdd4c
-
3cdd4c
-static enum cipher_alg
3cdd4c
-lookup_cipher_alg (const char *str, enum cipher_mode mode, int key_bytes)
3cdd4c
-{
3cdd4c
-  if (mode == CIPHER_MODE_XTS)
3cdd4c
-    key_bytes /= 2;
3cdd4c
-
3cdd4c
-  if (strcmp (str, "aes") == 0) {
3cdd4c
-    if (key_bytes == 16)
3cdd4c
-      return CIPHER_ALG_AES_128;
3cdd4c
-    if (key_bytes == 24)
3cdd4c
-      return CIPHER_ALG_AES_192;
3cdd4c
-    if (key_bytes == 32)
3cdd4c
-      return CIPHER_ALG_AES_256;
3cdd4c
-  }
3cdd4c
-  nbdkit_error ("unknown cipher algorithm: %s (expecting \"aes\", etc)", str);
3cdd4c
-  return -1;
3cdd4c
-}
3cdd4c
-
3cdd4c
-static const char *
3cdd4c
-cipher_alg_to_string (enum cipher_alg v)
3cdd4c
-{
3cdd4c
-  switch (v) {
3cdd4c
-  case CIPHER_ALG_AES_128: return "aes-128";
3cdd4c
-  case CIPHER_ALG_AES_192: return "aes-192";
3cdd4c
-  case CIPHER_ALG_AES_256: return "aes-256";
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-#if 0
3cdd4c
-static int
3cdd4c
-cipher_alg_key_bytes (enum cipher_alg v)
3cdd4c
-{
3cdd4c
-  switch (v) {
3cdd4c
-  case CIPHER_ALG_AES_128: return 16;
3cdd4c
-  case CIPHER_ALG_AES_192: return 24;
3cdd4c
-  case CIPHER_ALG_AES_256: return 32;
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-#endif
3cdd4c
-
3cdd4c
-static int
3cdd4c
-cipher_alg_iv_len (enum cipher_alg v, enum cipher_mode mode)
3cdd4c
-{
3cdd4c
-  if (CIPHER_MODE_ECB)
3cdd4c
-    return 0;                   /* Don't need an IV in this mode. */
3cdd4c
-
3cdd4c
-  switch (v) {
3cdd4c
-  case CIPHER_ALG_AES_128:
3cdd4c
-  case CIPHER_ALG_AES_192:
3cdd4c
-  case CIPHER_ALG_AES_256:
3cdd4c
-    return 16;
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-static gnutls_digest_algorithm_t
3cdd4c
-lookup_hash (const char *str)
3cdd4c
-{
3cdd4c
-  if (strcmp (str, "md5") == 0)
3cdd4c
-    return GNUTLS_DIG_MD5;
3cdd4c
-  if (strcmp (str, "sha1") == 0)
3cdd4c
-    return GNUTLS_DIG_SHA1;
3cdd4c
-  if (strcmp (str, "sha224") == 0)
3cdd4c
-    return GNUTLS_DIG_SHA224;
3cdd4c
-  if (strcmp (str, "sha256") == 0)
3cdd4c
-    return GNUTLS_DIG_SHA256;
3cdd4c
-  if (strcmp (str, "sha384") == 0)
3cdd4c
-    return GNUTLS_DIG_SHA384;
3cdd4c
-  if (strcmp (str, "sha512") == 0)
3cdd4c
-    return GNUTLS_DIG_SHA512;
3cdd4c
-  if (strcmp (str, "ripemd160") == 0)
3cdd4c
-    return GNUTLS_DIG_RMD160;
3cdd4c
-  nbdkit_error ("unknown hash algorithm: %s "
3cdd4c
-                "(expecting \"md5\", \"sha1\", \"sha224\", etc)", str);
3cdd4c
-  return -1;
3cdd4c
-}
3cdd4c
-
3cdd4c
-static const char *
3cdd4c
-hash_to_string (gnutls_digest_algorithm_t v)
3cdd4c
-{
3cdd4c
-  switch (v) {
3cdd4c
-  case GNUTLS_DIG_UNKNOWN: return "unknown";
3cdd4c
-  case GNUTLS_DIG_MD5: return "md5";
3cdd4c
-  case GNUTLS_DIG_SHA1: return "sha1";
3cdd4c
-  case GNUTLS_DIG_SHA224: return "sha224";
3cdd4c
-  case GNUTLS_DIG_SHA256: return "sha256";
3cdd4c
-  case GNUTLS_DIG_SHA384: return "sha384";
3cdd4c
-  case GNUTLS_DIG_SHA512: return "sha512";
3cdd4c
-  case GNUTLS_DIG_RMD160: return "ripemd160";
3cdd4c
-  default: abort ();
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-
3cdd4c
-#if 0
3cdd4c
-/* See qemu & dm-crypt implementations for an explanation of what's
3cdd4c
- * going on here.
3cdd4c
- */
3cdd4c
-static enum cipher_alg
3cdd4c
-lookup_essiv_cipher (enum cipher_alg cipher_alg,
3cdd4c
-                     gnutls_digest_algorithm_t ivgen_hash_alg)
3cdd4c
-{
3cdd4c
-  int digest_bytes = gnutls_hash_get_len (ivgen_hash_alg);
3cdd4c
-  int key_bytes = cipher_alg_key_bytes (cipher_alg);
3cdd4c
-
3cdd4c
-  if (digest_bytes == key_bytes)
3cdd4c
-    return cipher_alg;
3cdd4c
-
3cdd4c
-  switch (cipher_alg) {
3cdd4c
-  case CIPHER_ALG_AES_128:
3cdd4c
-  case CIPHER_ALG_AES_192:
3cdd4c
-  case CIPHER_ALG_AES_256:
3cdd4c
-    if (digest_bytes == 16) return CIPHER_ALG_AES_128;
3cdd4c
-    if (digest_bytes == 24) return CIPHER_ALG_AES_192;
3cdd4c
-    if (digest_bytes == 32) return CIPHER_ALG_AES_256;
3cdd4c
-    nbdkit_error ("no %s cipher available with key size %d",
3cdd4c
-                  "AES", digest_bytes);
3cdd4c
-    return -1;
3cdd4c
-  default:
3cdd4c
-    nbdkit_error ("ESSIV does not support cipher %s",
3cdd4c
-                  cipher_alg_to_string (cipher_alg));
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-}
3cdd4c
-#endif
3cdd4c
-
3cdd4c
 /* Per-connection handle. */
3cdd4c
 struct handle {
3cdd4c
-  /* LUKS header, if necessary byte-swapped into host order. */
3cdd4c
-  struct luks_phdr phdr;
3cdd4c
-
3cdd4c
-  /* Decoded algorithm etc. */
3cdd4c
-  enum cipher_alg cipher_alg;
3cdd4c
-  enum cipher_mode cipher_mode;
3cdd4c
-  gnutls_digest_algorithm_t hash_alg;
3cdd4c
-  enum ivgen ivgen_alg;
3cdd4c
-  gnutls_digest_algorithm_t ivgen_hash_alg;
3cdd4c
-  enum cipher_alg ivgen_cipher_alg;
3cdd4c
-
3cdd4c
-  /* GnuTLS algorithm. */
3cdd4c
-  gnutls_cipher_algorithm_t gnutls_cipher;
3cdd4c
-
3cdd4c
-  /* If we managed to decrypt one of the keyslots using the passphrase
3cdd4c
-   * then this contains the master key, otherwise NULL.
3cdd4c
-   */
3cdd4c
-  uint8_t *masterkey;
3cdd4c
+  struct luks_data *h;
3cdd4c
 };
3cdd4c
 
3cdd4c
 static void *
3cdd4c
@@ -405,536 +125,21 @@ luks_close (void *handle)
3cdd4c
 {
3cdd4c
   struct handle *h = handle;
3cdd4c
 
3cdd4c
-  if (h->masterkey) {
3cdd4c
-    memset (h->masterkey, 0, h->phdr.master_key_len);
3cdd4c
-    free (h->masterkey);
3cdd4c
-  }
3cdd4c
+  free_luks_data (h->h);
3cdd4c
   free (h);
3cdd4c
 }
3cdd4c
 
3cdd4c
-/* Perform decryption of a block of data in memory. */
3cdd4c
-static int
3cdd4c
-do_decrypt (struct handle *h, gnutls_cipher_hd_t cipher,
3cdd4c
-            uint64_t offset, uint8_t *buf, size_t len)
3cdd4c
-{
3cdd4c
-  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
3cdd4c
-  uint64_t sector = offset / LUKS_SECTOR_SIZE;
3cdd4c
-  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
3cdd4c
-  int r;
3cdd4c
-
3cdd4c
-  assert (IS_ALIGNED (offset, LUKS_SECTOR_SIZE));
3cdd4c
-  assert (IS_ALIGNED (len, LUKS_SECTOR_SIZE));
3cdd4c
-
3cdd4c
-  while (len) {
3cdd4c
-    calculate_iv (h->ivgen_alg, iv, ivlen, sector);
3cdd4c
-    gnutls_cipher_set_iv (cipher, iv, ivlen);
3cdd4c
-    r = gnutls_cipher_decrypt2 (cipher,
3cdd4c
-                                buf, LUKS_SECTOR_SIZE, /* ciphertext */
3cdd4c
-                                buf, LUKS_SECTOR_SIZE  /* plaintext */);
3cdd4c
-    if (r != 0) {
3cdd4c
-      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-
3cdd4c
-    buf += LUKS_SECTOR_SIZE;
3cdd4c
-    offset += LUKS_SECTOR_SIZE;
3cdd4c
-    len -= LUKS_SECTOR_SIZE;
3cdd4c
-    sector++;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
-/* Perform encryption of a block of data in memory. */
3cdd4c
-static int
3cdd4c
-do_encrypt (struct handle *h, gnutls_cipher_hd_t cipher,
3cdd4c
-            uint64_t offset, uint8_t *buf, size_t len)
3cdd4c
-{
3cdd4c
-  const size_t ivlen = cipher_alg_iv_len (h->cipher_alg, h->cipher_mode);
3cdd4c
-  uint64_t sector = offset / LUKS_SECTOR_SIZE;
3cdd4c
-  CLEANUP_FREE uint8_t *iv = malloc (ivlen);
3cdd4c
-  int r;
3cdd4c
-
3cdd4c
-  assert (IS_ALIGNED (offset, LUKS_SECTOR_SIZE));
3cdd4c
-  assert (IS_ALIGNED (len, LUKS_SECTOR_SIZE));
3cdd4c
-
3cdd4c
-  while (len) {
3cdd4c
-    calculate_iv (h->ivgen_alg, iv, ivlen, sector);
3cdd4c
-    gnutls_cipher_set_iv (cipher, iv, ivlen);
3cdd4c
-    r = gnutls_cipher_encrypt2 (cipher,
3cdd4c
-                                buf, LUKS_SECTOR_SIZE, /* plaintext */
3cdd4c
-                                buf, LUKS_SECTOR_SIZE  /* ciphertext */);
3cdd4c
-    if (r != 0) {
3cdd4c
-      nbdkit_error ("gnutls_cipher_decrypt2: %s", gnutls_strerror (r));
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-
3cdd4c
-    buf += LUKS_SECTOR_SIZE;
3cdd4c
-    offset += LUKS_SECTOR_SIZE;
3cdd4c
-    len -= LUKS_SECTOR_SIZE;
3cdd4c
-    sector++;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
-/* Parse the header fields containing cipher algorithm, mode, etc. */
3cdd4c
-static int
3cdd4c
-parse_cipher_strings (struct handle *h)
3cdd4c
-{
3cdd4c
-  char cipher_name[33], cipher_mode[33], hash_spec[33];
3cdd4c
-  char *ivgen, *ivhash;
3cdd4c
-
3cdd4c
-  /* Copy the header fields locally and ensure they are \0 terminated. */
3cdd4c
-  memcpy (cipher_name, h->phdr.cipher_name, 32);
3cdd4c
-  cipher_name[32] = 0;
3cdd4c
-  memcpy (cipher_mode, h->phdr.cipher_mode, 32);
3cdd4c
-  cipher_mode[32] = 0;
3cdd4c
-  memcpy (hash_spec, h->phdr.hash_spec, 32);
3cdd4c
-  hash_spec[32] = 0;
3cdd4c
-
3cdd4c
-  nbdkit_debug ("LUKS v%" PRIu16 " cipher: %s mode: %s hash: %s "
3cdd4c
-                "master key: %" PRIu32 " bits",
3cdd4c
-                h->phdr.version, cipher_name, cipher_mode, hash_spec,
3cdd4c
-                h->phdr.master_key_len * 8);
3cdd4c
-
3cdd4c
-  /* The cipher_mode header has the form: "ciphermode-ivgen[:ivhash]"
3cdd4c
-   * QEmu writes: "xts-plain64"
3cdd4c
-   */
3cdd4c
-  ivgen = strchr (cipher_mode, '-');
3cdd4c
-  if (!ivgen) {
3cdd4c
-    nbdkit_error ("incorrect cipher_mode header, "
3cdd4c
-                  "expecting mode-ivgenerator but got \"%s\"", cipher_mode);
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-  *ivgen = '\0';
3cdd4c
-  ivgen++;
3cdd4c
-
3cdd4c
-  ivhash = strchr (ivgen, ':');
3cdd4c
-  if (!ivhash)
3cdd4c
-    h->ivgen_hash_alg = GNUTLS_DIG_UNKNOWN;
3cdd4c
-  else {
3cdd4c
-    *ivhash = '\0';
3cdd4c
-    ivhash++;
3cdd4c
-
3cdd4c
-    h->ivgen_hash_alg = lookup_hash (ivhash);
3cdd4c
-    if (h->ivgen_hash_alg == -1)
3cdd4c
-      return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  h->cipher_mode = lookup_cipher_mode (cipher_mode);
3cdd4c
-  if (h->cipher_mode == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  h->cipher_alg = lookup_cipher_alg (cipher_name, h->cipher_mode,
3cdd4c
-                                     h->phdr.master_key_len);
3cdd4c
-  if (h->cipher_alg == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  h->hash_alg = lookup_hash (hash_spec);
3cdd4c
-  if (h->hash_alg == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  h->ivgen_alg = lookup_ivgen (ivgen);
3cdd4c
-  if (h->ivgen_alg == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-#if 0
3cdd4c
-  if (h->ivgen_alg == IVGEN_ESSIV) {
3cdd4c
-    if (!ivhash) {
3cdd4c
-      nbdkit_error ("incorrect IV generator hash specification");
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-    h->ivgen_cipher_alg = lookup_essiv_cipher (h->cipher_alg,
3cdd4c
-                                               h->ivgen_hash_alg);
3cdd4c
-    if (h->ivgen_cipher_alg == -1)
3cdd4c
-      return -1;
3cdd4c
-  }
3cdd4c
-  else
3cdd4c
-#endif
3cdd4c
-  h->ivgen_cipher_alg = h->cipher_alg;
3cdd4c
-
3cdd4c
-  nbdkit_debug ("LUKS parsed ciphers: %s %s %s %s %s %s",
3cdd4c
-                cipher_alg_to_string (h->cipher_alg),
3cdd4c
-                cipher_mode_to_string (h->cipher_mode),
3cdd4c
-                hash_to_string (h->hash_alg),
3cdd4c
-                ivgen_to_string (h->ivgen_alg),
3cdd4c
-                hash_to_string (h->ivgen_hash_alg),
3cdd4c
-                cipher_alg_to_string (h->ivgen_cipher_alg));
3cdd4c
-
3cdd4c
-  /* GnuTLS combines cipher and block mode into a single value.  Not
3cdd4c
-   * all possible combinations are available in GnuTLS.  See:
3cdd4c
-   * https://www.gnutls.org/manual/html_node/Supported-ciphersuites.html
3cdd4c
-   */
3cdd4c
-  h->gnutls_cipher = GNUTLS_CIPHER_NULL;
3cdd4c
-  switch (h->cipher_mode) {
3cdd4c
-  case CIPHER_MODE_XTS:
3cdd4c
-    switch (h->cipher_alg) {
3cdd4c
-    case CIPHER_ALG_AES_128:
3cdd4c
-      h->gnutls_cipher = GNUTLS_CIPHER_AES_128_XTS;
3cdd4c
-      break;
3cdd4c
-    case CIPHER_ALG_AES_256:
3cdd4c
-      h->gnutls_cipher = GNUTLS_CIPHER_AES_256_XTS;
3cdd4c
-      break;
3cdd4c
-    default: break;
3cdd4c
-    }
3cdd4c
-    break;
3cdd4c
-  case CIPHER_MODE_CBC:
3cdd4c
-    switch (h->cipher_alg) {
3cdd4c
-    case CIPHER_ALG_AES_128:
3cdd4c
-      h->gnutls_cipher = GNUTLS_CIPHER_AES_128_CBC;
3cdd4c
-      break;
3cdd4c
-    case CIPHER_ALG_AES_192:
3cdd4c
-      h->gnutls_cipher = GNUTLS_CIPHER_AES_192_CBC;
3cdd4c
-      break;
3cdd4c
-    case CIPHER_ALG_AES_256:
3cdd4c
-      h->gnutls_cipher = GNUTLS_CIPHER_AES_256_CBC;
3cdd4c
-      break;
3cdd4c
-    default: break;
3cdd4c
-    }
3cdd4c
-  default: break;
3cdd4c
-  }
3cdd4c
-  if (h->gnutls_cipher == GNUTLS_CIPHER_NULL) {
3cdd4c
-    nbdkit_error ("cipher algorithm %s in mode %s is not supported by GnuTLS",
3cdd4c
-                  cipher_alg_to_string (h->cipher_alg),
3cdd4c
-                  cipher_mode_to_string (h->cipher_mode));
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
-/* Anti-Forensic merge operation. */
3cdd4c
-static void
3cdd4c
-xor (const uint8_t *in1, const uint8_t *in2, uint8_t *out, size_t len)
3cdd4c
-{
3cdd4c
-  size_t i;
3cdd4c
-
3cdd4c
-  for (i = 0; i < len; ++i)
3cdd4c
-    out[i] = in1[i] ^ in2[i];
3cdd4c
-}
3cdd4c
-
3cdd4c
-static int
3cdd4c
-af_hash (gnutls_digest_algorithm_t hash_alg, uint8_t *block, size_t len)
3cdd4c
-{
3cdd4c
-  size_t digest_bytes = gnutls_hash_get_len (hash_alg);
3cdd4c
-  size_t nr_blocks, last_block_len;
3cdd4c
-  size_t i;
3cdd4c
-  CLEANUP_FREE uint8_t *temp = malloc (digest_bytes);
3cdd4c
-  int r;
3cdd4c
-  gnutls_hash_hd_t hash;
3cdd4c
-
3cdd4c
-  nr_blocks = len / digest_bytes;
3cdd4c
-  last_block_len = len % digest_bytes;
3cdd4c
-  if (last_block_len != 0)
3cdd4c
-    nr_blocks++;
3cdd4c
-  else
3cdd4c
-    last_block_len = digest_bytes;
3cdd4c
-
3cdd4c
-  for (i = 0; i < nr_blocks; ++i) {
3cdd4c
-    const uint32_t iv = htobe32 (i);
3cdd4c
-    const size_t blen = i < nr_blocks - 1 ? digest_bytes : last_block_len;
3cdd4c
-
3cdd4c
-    /* Hash iv + i'th block into temp. */
3cdd4c
-    r = gnutls_hash_init (&hash, hash_alg);
3cdd4c
-    if (r != 0) {
3cdd4c
-      nbdkit_error ("gnutls_hash_init: %s", gnutls_strerror (r));
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-    gnutls_hash (hash, &iv, sizeof iv);
3cdd4c
-    gnutls_hash (hash, &block[i*digest_bytes], blen);
3cdd4c
-    gnutls_hash_deinit (hash, temp);
3cdd4c
-
3cdd4c
-    memcpy (&block[i*digest_bytes], temp, blen);
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
-static int
3cdd4c
-afmerge (gnutls_digest_algorithm_t hash_alg, uint32_t stripes,
3cdd4c
-         const uint8_t *in, uint8_t *out, size_t outlen)
3cdd4c
-{
3cdd4c
-  CLEANUP_FREE uint8_t *block = calloc (1, outlen);
3cdd4c
-  size_t i;
3cdd4c
-
3cdd4c
-  /* NB: input size is stripes * master_key_len where
3cdd4c
-   * master_key_len == outlen
3cdd4c
-   */
3cdd4c
-  for (i = 0; i < stripes-1; ++i) {
3cdd4c
-    xor (&in[i*outlen], block, block, outlen);
3cdd4c
-    if (af_hash (hash_alg, block, outlen) == -1)
3cdd4c
-      return -1;
3cdd4c
-  }
3cdd4c
-  xor (&in[i*outlen], block, out, outlen);
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
-/* Length of key material in key slot i (sectors).
3cdd4c
- *
3cdd4c
- * This is basically copied from qemu because the spec description is
3cdd4c
- * unintelligible and apparently doesn't match reality.
3cdd4c
- */
3cdd4c
-static uint64_t
3cdd4c
-key_material_length_in_sectors (struct handle *h, size_t i)
3cdd4c
-{
3cdd4c
-  uint64_t len, r;
3cdd4c
-
3cdd4c
-  len = h->phdr.master_key_len * h->phdr.keyslot[i].stripes;
3cdd4c
-  r = DIV_ROUND_UP (len, LUKS_SECTOR_SIZE);
3cdd4c
-  r = ROUND_UP (r, LUKS_ALIGN_KEYSLOTS / LUKS_SECTOR_SIZE);
3cdd4c
-  return r;
3cdd4c
-}
3cdd4c
-
3cdd4c
-/* Try the passphrase in key slot i.  If this returns true then the
3cdd4c
- * passphrase was able to decrypt the master key, and the master key
3cdd4c
- * has been stored in h->masterkey.
3cdd4c
- */
3cdd4c
-static int
3cdd4c
-try_passphrase_in_keyslot (nbdkit_next *next, struct handle *h, size_t i)
3cdd4c
-{
3cdd4c
-  /* I believe this is supposed to be safe, looking at the GnuTLS
3cdd4c
-   * header file.
3cdd4c
-   */
3cdd4c
-  const gnutls_mac_algorithm_t mac = (gnutls_mac_algorithm_t) h->hash_alg;
3cdd4c
-  struct luks_keyslot *ks = &h->phdr.keyslot[i];
3cdd4c
-  size_t split_key_len;
3cdd4c
-  CLEANUP_FREE uint8_t *split_key = NULL;
3cdd4c
-  CLEANUP_FREE uint8_t *masterkey = NULL;
3cdd4c
-  const gnutls_datum_t key =
3cdd4c
-    { (unsigned char *) passphrase, strlen (passphrase) };
3cdd4c
-  const gnutls_datum_t salt =
3cdd4c
-    { (unsigned char *) ks->password_salt, LUKS_SALTSIZE };
3cdd4c
-  const gnutls_datum_t msalt =
3cdd4c
-    { (unsigned char *) h->phdr.master_key_salt, LUKS_SALTSIZE };
3cdd4c
-  gnutls_datum_t mkey;
3cdd4c
-  gnutls_cipher_hd_t cipher;
3cdd4c
-  int r, err = 0;
3cdd4c
-  uint64_t start;
3cdd4c
-  uint8_t key_digest[LUKS_DIGESTSIZE];
3cdd4c
-
3cdd4c
-  if (ks->active != LUKS_KEY_ENABLED)
3cdd4c
-    return 0;
3cdd4c
-
3cdd4c
-  split_key_len = h->phdr.master_key_len * ks->stripes;
3cdd4c
-  split_key = malloc (split_key_len);
3cdd4c
-  if (split_key == NULL) {
3cdd4c
-    nbdkit_error ("malloc: %m");
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-  masterkey = malloc (h->phdr.master_key_len);
3cdd4c
-  if (masterkey == NULL) {
3cdd4c
-    nbdkit_error ("malloc: %m");
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Hash the passphrase to make a possible masterkey. */
3cdd4c
-  r = gnutls_pbkdf2 (mac, &key, &salt, ks->password_iterations,
3cdd4c
-                     masterkey, h->phdr.master_key_len);
3cdd4c
-  if (r != 0) {
3cdd4c
-    nbdkit_error ("gnutls_pbkdf2: %s", gnutls_strerror (r));
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Read master key material from plugin. */
3cdd4c
-  start = ks->key_material_offset * LUKS_SECTOR_SIZE;
3cdd4c
-  if (next->pread (next, split_key, split_key_len, start, 0, &err) == -1) {
3cdd4c
-    errno = err;
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Decrypt the (still AFsplit) master key material. */
3cdd4c
-  mkey.data = (unsigned char *) masterkey;
3cdd4c
-  mkey.size = h->phdr.master_key_len;
3cdd4c
-  r = gnutls_cipher_init (&cipher, h->gnutls_cipher, &mkey, NULL);
3cdd4c
-  if (r != 0) {
3cdd4c
-    nbdkit_error ("gnutls_cipher_init: %s", gnutls_strerror (r));
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  r = do_decrypt (h, cipher, 0, split_key, split_key_len);
3cdd4c
-  gnutls_cipher_deinit (cipher);
3cdd4c
-  if (r == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  /* Decode AFsplit key to a possible masterkey. */
3cdd4c
-  if (afmerge (h->hash_alg, ks->stripes, split_key,
3cdd4c
-               masterkey, h->phdr.master_key_len) == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  /* Check if the masterkey is correct by comparing hash of the
3cdd4c
-   * masterkey with LUKS header.
3cdd4c
-   */
3cdd4c
-  r = gnutls_pbkdf2 (mac, &mkey, &msalt,
3cdd4c
-                     h->phdr.master_key_digest_iterations,
3cdd4c
-                     key_digest, LUKS_DIGESTSIZE);
3cdd4c
-  if (r != 0) {
3cdd4c
-    nbdkit_error ("gnutls_pbkdf2: %s", gnutls_strerror (r));
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  if (memcmp (key_digest, h->phdr.master_key_digest, LUKS_DIGESTSIZE) == 0) {
3cdd4c
-    /* The passphrase is correct so save the master key in the handle. */
3cdd4c
-    h->masterkey = malloc (h->phdr.master_key_len);
3cdd4c
-    if (h->masterkey == NULL) {
3cdd4c
-      nbdkit_error ("malloc: %m");
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-    memcpy (h->masterkey, masterkey, h->phdr.master_key_len);
3cdd4c
-    return 1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  return 0;
3cdd4c
-}
3cdd4c
-
3cdd4c
 static int
3cdd4c
 luks_prepare (nbdkit_next *next, void *handle, int readonly)
3cdd4c
 {
3cdd4c
-  static const char expected_magic[] = LUKS_MAGIC;
3cdd4c
   struct handle *h = handle;
3cdd4c
-  int64_t size;
3cdd4c
-  int err = 0, r;
3cdd4c
-  size_t i;
3cdd4c
-  struct luks_keyslot *ks;
3cdd4c
-  char uuid[41];
3cdd4c
 
3cdd4c
   /* Check we haven't been called before, this should never happen. */
3cdd4c
-  assert (h->phdr.version == 0);
3cdd4c
+  assert (h->h == NULL);
3cdd4c
 
3cdd4c
-  /* Check the struct size matches the documentation. */
3cdd4c
-  assert (sizeof (struct luks_phdr) == 592);
3cdd4c
-
3cdd4c
-  /* Check this is a LUKSv1 disk. */
3cdd4c
-  size = next->get_size (next);
3cdd4c
-  if (size == -1)
3cdd4c
-    return -1;
3cdd4c
-  if (size < 16384) {
3cdd4c
-    nbdkit_error ("disk is too small to be LUKS-encrypted");
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Read the phdr. */
3cdd4c
-  if (next->pread (next, &h->phdr, sizeof h->phdr, 0, 0, &err) == -1) {
3cdd4c
-    errno = err;
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  if (memcmp (h->phdr.magic, expected_magic, LUKS_MAGIC_LEN) != 0) {
3cdd4c
-    nbdkit_error ("this disk does not contain a LUKS header");
3cdd4c
+  h->h = load_header (next, passphrase);
3cdd4c
+  if (h->h == NULL)
3cdd4c
     return -1;
3cdd4c
-  }
3cdd4c
-  h->phdr.version = be16toh (h->phdr.version);
3cdd4c
-  if (h->phdr.version != 1) {
3cdd4c
-    nbdkit_error ("this disk contains a LUKS version %" PRIu16 " header, "
3cdd4c
-                  "but this filter only supports LUKSv1",
3cdd4c
-                  h->phdr.version);
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Byte-swap the rest of the header. */
3cdd4c
-  h->phdr.payload_offset = be32toh (h->phdr.payload_offset);
3cdd4c
-  h->phdr.master_key_len = be32toh (h->phdr.master_key_len);
3cdd4c
-  h->phdr.master_key_digest_iterations =
3cdd4c
-    be32toh (h->phdr.master_key_digest_iterations);
3cdd4c
-
3cdd4c
-  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
-    ks = &h->phdr.keyslot[i];
3cdd4c
-    ks->active = be32toh (ks->active);
3cdd4c
-    ks->password_iterations = be32toh (ks->password_iterations);
3cdd4c
-    ks->key_material_offset = be32toh (ks->key_material_offset);
3cdd4c
-    ks->stripes = be32toh (ks->stripes);
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Sanity check some fields. */
3cdd4c
-  if (h->phdr.payload_offset >= size / LUKS_SECTOR_SIZE) {
3cdd4c
-    nbdkit_error ("bad LUKSv1 header: payload offset points beyond "
3cdd4c
-                  "the end of the disk");
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* We derive several allocations from master_key_len so make sure
3cdd4c
-   * it's not insane.
3cdd4c
-   */
3cdd4c
-  if (h->phdr.master_key_len > 1024) {
3cdd4c
-    nbdkit_error ("bad LUKSv1 header: master key is too long");
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
-    uint64_t start, len;
3cdd4c
-
3cdd4c
-    ks = &h->phdr.keyslot[i];
3cdd4c
-    switch (ks->active) {
3cdd4c
-    case LUKS_KEY_ENABLED:
3cdd4c
-      if (!ks->stripes) {
3cdd4c
-        nbdkit_error ("bad LUKSv1 header: key slot %zu is corrupted", i);
3cdd4c
-        return -1;
3cdd4c
-      }
3cdd4c
-      if (ks->stripes >= 10000) {
3cdd4c
-        nbdkit_error ("bad LUKSv1 header: key slot %zu stripes too large", i);
3cdd4c
-        return -1;
3cdd4c
-      }
3cdd4c
-      start = ks->key_material_offset;
3cdd4c
-      len = key_material_length_in_sectors (h, i);
3cdd4c
-      if (len > 4096) /* bound it at something reasonable */ {
3cdd4c
-        nbdkit_error ("bad LUKSv1 header: key slot %zu key material length "
3cdd4c
-                      "is too large", i);
3cdd4c
-        return -1;
3cdd4c
-      }
3cdd4c
-      if (start * LUKS_SECTOR_SIZE >= size ||
3cdd4c
-          (start + len) * LUKS_SECTOR_SIZE >= size) {
3cdd4c
-        nbdkit_error ("bad LUKSv1 header: key slot %zu key material offset "
3cdd4c
-                      "points beyond the end of the disk", i);
3cdd4c
-        return -1;
3cdd4c
-      }
3cdd4c
-      /*FALLTHROUGH*/
3cdd4c
-    case LUKS_KEY_DISABLED:
3cdd4c
-      break;
3cdd4c
-
3cdd4c
-    default:
3cdd4c
-      nbdkit_error ("bad LUKSv1 header: key slot %zu has "
3cdd4c
-                    "an invalid active flag", i);
3cdd4c
-      return -1;
3cdd4c
-    }
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Decode the ciphers. */
3cdd4c
-  if (parse_cipher_strings (h) == -1)
3cdd4c
-    return -1;
3cdd4c
-
3cdd4c
-  /* Dump some information about the header. */
3cdd4c
-  memcpy (uuid, h->phdr.uuid, 40);
3cdd4c
-  uuid[40] = 0;
3cdd4c
-  nbdkit_debug ("LUKS UUID: %s", uuid);
3cdd4c
-
3cdd4c
-  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
-    uint64_t start, len;
3cdd4c
-
3cdd4c
-    ks = &h->phdr.keyslot[i];
3cdd4c
-    if (ks->active == LUKS_KEY_ENABLED) {
3cdd4c
-      start = ks->key_material_offset;
3cdd4c
-      len = key_material_length_in_sectors (h, i);
3cdd4c
-      nbdkit_debug ("LUKS key slot %zu: key material in sectors %" PRIu64
3cdd4c
-                    "..%" PRIu64,
3cdd4c
-                    i, start, start+len-1);
3cdd4c
-    }
3cdd4c
-  }
3cdd4c
-
3cdd4c
-  /* Now try to unlock the master key. */
3cdd4c
-  for (i = 0; i < LUKS_NUMKEYS; ++i) {
3cdd4c
-    r = try_passphrase_in_keyslot (next, h, i);
3cdd4c
-    if (r == -1)
3cdd4c
-      return -1;
3cdd4c
-    if (r > 0)
3cdd4c
-      goto unlocked;
3cdd4c
-  }
3cdd4c
-  nbdkit_error ("LUKS passphrase is not correct, "
3cdd4c
-                "no key slot could be unlocked");
3cdd4c
-  return -1;
3cdd4c
-
3cdd4c
- unlocked:
3cdd4c
-  assert (h->masterkey != NULL);
3cdd4c
-  nbdkit_debug ("LUKS unlocked block device with passphrase");
3cdd4c
 
3cdd4c
   return 0;
3cdd4c
 }
3cdd4c
@@ -946,19 +151,20 @@ luks_get_size (nbdkit_next *next, void *handle)
3cdd4c
   int64_t size;
3cdd4c
 
3cdd4c
   /* Check that prepare has been called already. */
3cdd4c
-  assert (h->phdr.version > 0);
3cdd4c
+  assert (h->h != NULL);
3cdd4c
+
3cdd4c
+  const uint64_t payload_offset = get_payload_offset (h->h) * LUKS_SECTOR_SIZE;
3cdd4c
 
3cdd4c
   size = next->get_size (next);
3cdd4c
   if (size == -1)
3cdd4c
     return -1;
3cdd4c
 
3cdd4c
-  if (size < h->phdr.payload_offset * LUKS_SECTOR_SIZE) {
3cdd4c
+  if (size < payload_offset) {
3cdd4c
     nbdkit_error ("disk too small, or contains an incomplete LUKS partition");
3cdd4c
     return -1;
3cdd4c
   }
3cdd4c
 
3cdd4c
-  size -= h->phdr.payload_offset * LUKS_SECTOR_SIZE;
3cdd4c
-  return size;
3cdd4c
+  return size - payload_offset;
3cdd4c
 }
3cdd4c
 
3cdd4c
 /* Whatever the plugin says, several operations are not supported by
3cdd4c
@@ -1031,15 +237,12 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
             uint32_t flags, int *err)
3cdd4c
 {
3cdd4c
   struct handle *h = handle;
3cdd4c
-  const uint64_t payload_offset = h->phdr.payload_offset * LUKS_SECTOR_SIZE;
3cdd4c
+  const uint64_t payload_offset = get_payload_offset (h->h) * LUKS_SECTOR_SIZE;
3cdd4c
   CLEANUP_FREE uint8_t *sector = NULL;
3cdd4c
   uint64_t sectnum, sectoffs;
3cdd4c
-  const gnutls_datum_t mkey =
3cdd4c
-    { (unsigned char *) h->masterkey, h->phdr.master_key_len };
3cdd4c
   gnutls_cipher_hd_t cipher;
3cdd4c
-  int r;
3cdd4c
 
3cdd4c
-  if (!h->masterkey) {
3cdd4c
+  if (!h->h) {
3cdd4c
     *err = EIO;
3cdd4c
     return -1;
3cdd4c
   }
3cdd4c
@@ -1053,16 +256,13 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
     }
3cdd4c
   }
3cdd4c
 
3cdd4c
-  r = gnutls_cipher_init (&cipher, h->gnutls_cipher, &mkey, NULL);
3cdd4c
-  if (r != 0) {
3cdd4c
-    nbdkit_error ("gnutls_cipher_init: %s", gnutls_strerror (r));
3cdd4c
-    *err = EIO;
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
   sectnum = offset / LUKS_SECTOR_SIZE;  /* sector number */
3cdd4c
   sectoffs = offset % LUKS_SECTOR_SIZE; /* offset within the sector */
3cdd4c
 
3cdd4c
+  cipher = create_cipher (h->h);
3cdd4c
+  if (!cipher)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
   /* Unaligned head */
3cdd4c
   if (sectoffs) {
3cdd4c
     uint64_t n = MIN (LUKS_SECTOR_SIZE - sectoffs, count);
3cdd4c
@@ -1073,15 +273,13 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
                      flags, err) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
-    if (do_decrypt (h, cipher, offset & ~LUKS_SECTOR_SIZE,
3cdd4c
-                    sector, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_decrypt (h->h, cipher, sectnum, sector, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     memcpy (buf, &sector[sectoffs], n);
3cdd4c
 
3cdd4c
     buf += n;
3cdd4c
     count -= n;
3cdd4c
-    offset += n;
3cdd4c
     sectnum++;
3cdd4c
   }
3cdd4c
 
3cdd4c
@@ -1092,12 +290,11 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
                      flags, err) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
-    if (do_decrypt (h, cipher, offset, buf, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_decrypt (h->h, cipher, sectnum, buf, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     buf += LUKS_SECTOR_SIZE;
3cdd4c
     count -= LUKS_SECTOR_SIZE;
3cdd4c
-    offset += LUKS_SECTOR_SIZE;
3cdd4c
     sectnum++;
3cdd4c
   }
3cdd4c
 
3cdd4c
@@ -1109,7 +306,7 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
                      flags, err) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
-    if (do_decrypt (h, cipher, offset, sector, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_decrypt (h->h, cipher, sectnum, sector, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     memcpy (buf, sector, count);
3cdd4c
@@ -1120,7 +317,7 @@ luks_pread (nbdkit_next *next, void *handle,
3cdd4c
 
3cdd4c
  err:
3cdd4c
   gnutls_cipher_deinit (cipher);
3cdd4c
-  return -1;
3cdd4c
+  goto err;
3cdd4c
 }
3cdd4c
 
3cdd4c
 /* Lock preventing read-modify-write cycles from overlapping. */
3cdd4c
@@ -1133,15 +330,12 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
              uint32_t flags, int *err)
3cdd4c
 {
3cdd4c
   struct handle *h = handle;
3cdd4c
-  const uint64_t payload_offset = h->phdr.payload_offset * LUKS_SECTOR_SIZE;
3cdd4c
+  const uint64_t payload_offset = get_payload_offset (h->h) * LUKS_SECTOR_SIZE;
3cdd4c
   CLEANUP_FREE uint8_t *sector = NULL;
3cdd4c
   uint64_t sectnum, sectoffs;
3cdd4c
-  const gnutls_datum_t mkey =
3cdd4c
-    { (unsigned char *) h->masterkey, h->phdr.master_key_len };
3cdd4c
   gnutls_cipher_hd_t cipher;
3cdd4c
-  int r;
3cdd4c
 
3cdd4c
-  if (!h->masterkey) {
3cdd4c
+  if (!h->h) {
3cdd4c
     *err = EIO;
3cdd4c
     return -1;
3cdd4c
   }
3cdd4c
@@ -1153,16 +347,13 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
     return -1;
3cdd4c
   }
3cdd4c
 
3cdd4c
-  r = gnutls_cipher_init (&cipher, h->gnutls_cipher, &mkey, NULL);
3cdd4c
-  if (r != 0) {
3cdd4c
-    nbdkit_error ("gnutls_cipher_init: %s", gnutls_strerror (r));
3cdd4c
-    *err = EIO;
3cdd4c
-    return -1;
3cdd4c
-  }
3cdd4c
-
3cdd4c
   sectnum = offset / LUKS_SECTOR_SIZE;  /* sector number */
3cdd4c
   sectoffs = offset % LUKS_SECTOR_SIZE; /* offset within the sector */
3cdd4c
 
3cdd4c
+  cipher = create_cipher (h->h);
3cdd4c
+  if (!cipher)
3cdd4c
+    return -1;
3cdd4c
+
3cdd4c
   /* Unaligned head */
3cdd4c
   if (sectoffs) {
3cdd4c
     ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&read_modify_write_lock);
3cdd4c
@@ -1176,8 +367,7 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
 
3cdd4c
     memcpy (&sector[sectoffs], buf, n);
3cdd4c
 
3cdd4c
-    if (do_encrypt (h, cipher, offset & ~LUKS_SECTOR_SIZE,
3cdd4c
-                    sector, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_encrypt (h->h, cipher, sectnum, sector, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     if (next->pwrite (next, sector, LUKS_SECTOR_SIZE,
3cdd4c
@@ -1187,7 +377,6 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
 
3cdd4c
     buf += n;
3cdd4c
     count -= n;
3cdd4c
-    offset += n;
3cdd4c
     sectnum++;
3cdd4c
   }
3cdd4c
 
3cdd4c
@@ -1195,7 +384,7 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
   while (count >= LUKS_SECTOR_SIZE) {
3cdd4c
     memcpy (sector, buf, LUKS_SECTOR_SIZE);
3cdd4c
 
3cdd4c
-    if (do_encrypt (h, cipher, offset, sector, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_encrypt (h->h, cipher, sectnum, sector, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     if (next->pwrite (next, sector, LUKS_SECTOR_SIZE,
3cdd4c
@@ -1205,7 +394,6 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
 
3cdd4c
     buf += LUKS_SECTOR_SIZE;
3cdd4c
     count -= LUKS_SECTOR_SIZE;
3cdd4c
-    offset += LUKS_SECTOR_SIZE;
3cdd4c
     sectnum++;
3cdd4c
   }
3cdd4c
 
3cdd4c
@@ -1220,7 +408,7 @@ luks_pwrite (nbdkit_next *next, void *handle,
3cdd4c
 
3cdd4c
     memcpy (sector, buf, count);
3cdd4c
 
3cdd4c
-    if (do_encrypt (h, cipher, offset, sector, LUKS_SECTOR_SIZE) == -1)
3cdd4c
+    if (do_encrypt (h->h, cipher, sectnum, sector, 1) == -1)
3cdd4c
       goto err;
3cdd4c
 
3cdd4c
     if (next->pwrite (next, sector, LUKS_SECTOR_SIZE,
3cdd4c
-- 
3cdd4c
2.31.1
3cdd4c