-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for VeraCrypt volumes and extend support for TCRYPT volumes #320
Add support for VeraCrypt volumes and extend support for TCRYPT volumes #320
Conversation
The corresponding udisks pull request: storaged-project/udisks#495. |
This is unfortunately an API change and we can't do that in minor version -- if you need the new options for |
06ff56f
to
074814d
Compare
I see. I moved the new code into a new function in 074814d. |
Thank you. Maybe |
Jenkins, test this please. |
The |
How can I merge your changes on my system? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First of all -- THANKS a lot for these changes! There are a couple small things that can be made better, but other than that the changes are nice.
It would be nice if these changes didn't break git bisect
. IOW, if the API wasn't broken even in the middle of the changes. @segfault3 please try to do that. If the rebase gets ridiculously complicated, feel free to give it up, though. :)
src/lib/plugin_apis/crypto.api
Outdated
@@ -309,6 +309,27 @@ gboolean bd_crypto_luks_resize (const gchar *luks_device, guint64 size, GError * | |||
*/ | |||
gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error); | |||
|
|||
/** | |||
* bd_crypto_tc_open2: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest bd_crypto_tc_open_full
as a better name for this function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in 94aca5c
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
src/plugins/crypto.c
Outdated
* | ||
* Tech category: %BD_CRYPTO_TECH_TRUECRYPT-%BD_CRYPTO_TECH_MODE_OPEN_CLOSE | ||
*/ | ||
gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8* pass_data, gsize data_len, gboolean read_only, GError **error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the old function should just call the new more universal one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense. Done in 12841cf.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
src/plugins/crypto.c
Outdated
@@ -959,14 +959,16 @@ gboolean bd_crypto_luks_resize (const gchar *luks_device, guint64 size, GError * | |||
* @pass_data: (array length=data_len): a passphrase for the TrueCrypt/VeraCrypt volume (may contain arbitrary binary data) | |||
* @data_len: length of the @pass_data buffer | |||
* @read_only: whether to open as read-only or not (meaning read-write) | |||
* @keyfiles: (array length=keyfiles_count) paths to the keyfiles for the TrueCrypt/VeraCrypt volume | |||
* @keyfiles_count: length of the @keyfiles array |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do zero/NULL terminated arrays where possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 8f0f434.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is now done in commit 69a3223 after the rebasing.
Done in 08a09b7. |
I'm glad it's appreciated :)
I think I addressed all of them now.
I rewrote git history and think that now none of the commit breaks the API. I squashed some commits to make the rebasing easier. |
Jenkins, ok to test. |
@@ -6,6 +6,10 @@ | |||
|
|||
#define BD_CRYPTO_LUKS_METADATA_SIZE (2 MiB) | |||
|
|||
#define BD_CRYPTO_CHI_SQUARE_LOWER_LIMIT 136 | |||
#define BD_CRYPTO_CHI_SQUARE_UPPER_LIMIT 426 | |||
#define BD_CRYPTO_CHI_SQUARE_BYTES_TO_CHECK 512 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like something that might be better as parameters for bd_crypto_device_seems_encrypted
. I don't know if there is a change that these will change in feature, but it might be better to not have to recompile libblockdev just because you want to change these limits.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mmh, I don't really see the use case for changing these values - especially not in the higher level applications which will use this function. Why do you think they should be changeable without recompiling?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know, but the limits just look like something that users of libblockdev might want to change eventually. But if you think this isn't something that makes sense to change from e.g. udisks, we can keep it this way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see why these values should be changed from udisks. We explained at https://tails.boum.org/blueprint/veracrypt/#detection why, with these values, the chi-squared test should only produce false negatives with negligible probability (1 in 10 billion). And devices with (non-encrypted) filesystem headers will never pass the test. The only reason I can think of to change these values is to handle strange filesystems, which don't have their header at least partly in the first 512 Bytes (I don't know of any such filesystem), but then I think we should handle this in libblockdev and not udisks or similar.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, you convinced me, we can keep it this way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me now.
* | ||
* Tech category: %BD_CRYPTO_TECH_TRUECRYPT-%BD_CRYPTO_TECH_MODE_QUERY | ||
*/ | ||
gboolean bd_crypto_device_seems_encrypted (const gchar *device, GError **error); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add the new functions to docs/libblockdev-sections.txt
too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done in b8d8bd7.
I fixed a URL in 2d15e2d. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a ton @segfault3!
This adds support for: