authorGeorge Hilliard <thirtythreeforty@gmail.com>2016-10-30 09:25:31 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-10-30 10:25:31 -0400
commit52028838a1bc5f55f623f5f0344ee685d87d1fd0 (patch)
tree8ebd524d4b96795db060caab19e6ca1c5c40449e
parent0470289b6e93be7a65b1b3b2a2cc829bd20e08c8 (diff)
Implement VeraCrypt volume handling in crypttab (#4501)
This introduces a new option, `tcrypt-veracrypt`, that sets the corresponding VeraCrypt flag in the flags passed to cryptsetup.
-rw-r--r--man/crypttab.xml11
-rw-r--r--src/cryptsetup/cryptsetup.c14
2 files changed, 25 insertions, 0 deletions
diff --git a/man/crypttab.xml b/man/crypttab.xml
index 4b8d4aa3d6..17976f3704 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -327,6 +327,17 @@
</varlistentry>
<varlistentry>
+ <term><option>tcrypt-veracrypt</option></term>
+
+ <listitem><para>Check for a VeraCrypt volume. VeraCrypt is a fork of
+ TrueCrypt that is mostly compatible, but uses different, stronger key
+ derivation algorithms that cannot be detected without this flag.
+ Enabling this option could substantially slow down unlocking, because
+ VeraCrypt's key derivation takes much longer than TrueCrypt's. This
+ option implies <option>tcrypt</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>timeout=</option></term>
<listitem><para>Specifies the timeout for querying for a
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 9927621ea0..ff5a3f36fb 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -52,6 +52,7 @@ static bool arg_verify = false;
static bool arg_discards = false;
static bool arg_tcrypt_hidden = false;
static bool arg_tcrypt_system = false;
+static bool arg_tcrypt_veracrypt = false;
static char **arg_tcrypt_keyfiles = NULL;
static uint64_t arg_offset = 0;
static uint64_t arg_skip = 0;
@@ -179,6 +180,14 @@ static int parse_one_option(const char *option) {
} else if (streq(option, "tcrypt-system")) {
arg_type = CRYPT_TCRYPT;
arg_tcrypt_system = true;
+ } else if (streq(option, "tcrypt-veracrypt")) {
+#ifdef CRYPT_TCRYPT_VERA_MODES
+ arg_type = CRYPT_TCRYPT;
+ arg_tcrypt_veracrypt = true;
+#else
+ log_error("This version of cryptsetup does not support tcrypt-veracrypt; refusing.");
+ return -EINVAL;
+#endif
} else if (STR_IN_SET(option, "plain", "swap", "tmp"))
arg_type = CRYPT_PLAIN;
else if (startswith(option, "timeout=")) {
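Review bot: The refusal message in the `#else` branch of the new `tcrypt-veracrypt` case blames "this version of cryptsetup", but `#ifdef CRYPT_TCRYPT_VERA_MODES` is decided by the headers present when this file was compiled, not by the library installed at runtime. An administrator who upgrades libcryptsetup afterwards would still be refused and pointed at the wrong component; wording such as `log_error("Built without VeraCrypt support in libcryptsetup; refusing tcrypt-veracrypt.");` names the actual cause. Returning -EINVAL rather than quietly falling back to a TrueCrypt-only probe is the right behaviour and should stay. The man page entry added in this commit does not say that the option can be rejected on such builds. parse_one_option starts and ends outside the hunk.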
@@ -441,6 +450,11 @@ static int attach_tcrypt(
if (arg_tcrypt_system)
params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;
+#ifdef CRYPT_TCRYPT_VERA_MODES
+ if (arg_tcrypt_veracrypt)
+ params.flags |= CRYPT_TCRYPT_VERA_MODES;
+#endif
+
if (key_file) {
r = read_one_line_file(key_file, &passphrase);
if (r < 0) {
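Review bot: The new `params.flags |= CRYPT_TCRYPT_VERA_MODES` in attach_tcrypt carries no comment explaining why VeraCrypt probing is opt-in, although the man page text in this commit gives the reason (much slower key derivation). A one-line comment above the `#ifdef` would keep that next to the code, for example `/* VeraCrypt KDFs are much slower, so they are only tried when tcrypt-veracrypt is set */`. The inner `#ifdef` looks redundant, since the parser hunk only sets arg_tcrypt_veracrypt when the macro is defined, but it is still needed for the flag name to compile on older headers. attach_tcrypt starts and ends outside the hunk.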