Add support for VeraCrypt volumes and extend support for TCRYPT volumes #320
Conversation
|
The corresponding udisks pull request: storaged-project/udisks#495. |
|
This is unfortunately an API change and we can't do that in minor version -- if you need the new options for |
segfault3
force-pushed
the
add_veracrypt
branch
from
06ff56f
to
074814d
Compare
|
I see. I moved the new code into a new function in 074814d. |
|
Thank you. Maybe |
|
Jenkins, test this please. |
|
The |
|
How can I merge your changes on my system? |
There was a problem hiding this comment.
First of all -- THANKS a lot for these changes! There are a couple small things that can be made better, but other than that the changes are nice.
It would be nice if these changes didn't break git bisect. IOW, if the API wasn't broken even in the middle of the changes. @segfault3 please try to do that. If the rebase gets ridiculously complicated, feel free to give it up, though. :)
src/lib/plugin_apis/crypto.api
Outdated
| @@ -309,6 +309,27 @@ gboolean bd_crypto_luks_resize (const gchar *luks_device, guint64 size, GError * | |||
| */ | |||
| gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error); | |||
|
|
|||
| /** | |||
| * bd_crypto_tc_open2: | |||
There was a problem hiding this comment.
I suggest bd_crypto_tc_open_full as a better name for this function.
src/plugins/crypto.c
Outdated
| * | ||
| * Tech category: %BD_CRYPTO_TECH_TRUECRYPT-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE | ||
| */ | ||
| gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error) { |
There was a problem hiding this comment.
I think the old function should just call the new more universal one.
There was a problem hiding this comment.
Makes sense. Done in 12841cf.
src/plugins/crypto.c
Outdated
| @@ -959,14 +959,16 @@ gboolean bd_crypto_luks_resize (const gchar *luks_device, guint64 size, GError * | |||
| * @pass_data: (array length=data_len): a passphrase for the TrueCrypt/VeraCrypt volume (may contain arbitrary binary data) | |||
| * @data_len: length of the @pass_data buffer | |||
| * @read_only: whether to open as read-only or not (meaning read-write) | |||
| * @keyfiles: (array length=keyfiles_count) paths to the keyfiles for the TrueCrypt/VeraCrypt volume | |||
| * @keyfiles_count: length of the @keyfiles array | |||
There was a problem hiding this comment.
We do zero/NULL terminated arrays where possible.
There was a problem hiding this comment.
That is now done in commit 69a3223 after the rebasing.
Done in 08a09b7. |
I'm glad it's appreciated :)
I think I addressed all of them now.
I rewrote git history and think that now none of the commit breaks the API. I squashed some commits to make the rebasing easier. |
|
Jenkins, ok to test. |
| @@ -6,6 +6,10 @@ | |||
|
|
|||
| #define BD_CRYPTO_LUKS_METADATA_SIZE (2 MiB) | |||
|
|
|||
| #define BD_CRYPTO_CHI_SQUARE_LOWER_LIMIT 136 | |||
| #define BD_CRYPTO_CHI_SQUARE_UPPER_LIMIT 426 | |||
| #define BD_CRYPTO_CHI_SQUARE_BYTES_TO_CHECK 512 | |||
There was a problem hiding this comment.
This looks like something that might be better as parameters for bd_crypto_device_seems_encrypted. I don't know if there is a change that these will change in feature, but it might be better to not have to recompile libblockdev just because you want to change these limits.
There was a problem hiding this comment.
Mmh, I don't really see the use case for changing these values - especially not in the higher level applications which will use this function. Why do you think they should be changeable without recompiling?
There was a problem hiding this comment.
I don't know, but the limits just look like something that users of libblockdev might want to change eventually. But if you think this isn't something that makes sense to change from e.g. udisks, we can keep it this way.
There was a problem hiding this comment.
I don't see why these values should be changed from udisks. We explained at https://tails.boum.org/blueprint/veracrypt/#detection why, with these values, the chi-squared test should only produce false negatives with negligible probability (1 in 10 billion). And devices with (non-encrypted) filesystem headers will never pass the test. The only reason I can think of to change these values is to handle strange filesystems, which don't have their header at least partly in the first 512 Bytes (I don't know of any such filesystem), but then I think we should handle this in libblockdev and not udisks or similar.
There was a problem hiding this comment.
Ok, you convinced me, we can keep it this way.
| * | ||
| * Tech category: %BD_CRYPTO_TECH_TRUECRYPT-%BD_CRYPTO_TECH_MODE_QUERY | ||
| */ | ||
| gboolean bd_crypto_device_seems_encrypted (const gchar *device, GError **error); |
There was a problem hiding this comment.
Please add the new functions to docs/libblockdev-sections.txt too.
|
I fixed a URL in 2d15e2d. |
This adds support for: