Feature #15216

Iteration 1: Support unlocking VeraCrypt partitions in libblockdev

Added by segfault 2018-01-22 17:32:43. Updated 2018-03-26 16:06:23.

Status: Resolved
Priority: Normal
Assignee: segfault
Category:
Target version:
Start date: 2018-01-22
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for: 299

Description

Development repository: https://github.com/segfault3/libblockdev
Branch: add_veracrypt


Subtasks


Related issues

Blocks Tails - Feature #15219: Iteration 1: Upstream unlocking VeraCrypt partitions in libblockdev Resolved 2018-01-25

History

#1 Updated by segfault 2018-01-22 18:03:03

  • blocks Feature #15219: Iteration 1: Upstream unlocking VeraCrypt partitions in libblockdev added

#2 Updated by segfault 2018-01-22 22:48:43

  • Description updated
  • Assignee changed from segfault to anonym
  • QA Check set to Ready for QA
  • Feature Branch deleted (https://github.com/segfault3/libblockdev.git)

I added support for unlocking VeraCrypt containers, including hidden containers, and using keyfiles.

#3 Updated by segfault 2018-01-22 22:48:50

  • % Done changed from 0 to 50

#4 Updated by segfault 2018-01-22 22:49:39

  • Target version set to Tails_3.6
  • Deliverable for set to 299

#5 Updated by anonym 2018-01-25 13:39:50

  • Status changed from Confirmed to In Progress
  • Assignee changed from anonym to segfault
  • QA Check deleted (Ready for QA)

LGTM! Good job!

#6 Updated by segfault 2018-01-25 16:01:05

  • Subject changed from Support unlocking VeraCrypt partitions in libblockdev to Iteration 1: Support unlocking VeraCrypt partitions in libblockdev

#7 Updated by segfault 2018-02-08 10:43:12

  • Assignee changed from segfault to anonym
  • QA Check set to Ready for QA

I forgot to add support for TCRYPT system volumes. Did that now in commit 24fc34a8adfaab140ec36efe79e3c58e7fc8566a.

#8 Updated by anonym 2018-02-08 10:55:56

  • Assignee changed from anonym to segfault
  • QA Check deleted (Ready for QA)

LGTM!

#9 Updated by segfault 2018-02-09 15:29:33

As discussed, I cleaned up the git history and rebased on upstream master.

#10 Updated by segfault 2018-02-09 20:03:37

  • Assignee changed from segfault to anonym
  • QA Check set to Ready for QA

I also forgot to add support for VeraCrypt’s PIM value. Did that now.

#11 Updated by anonym 2018-02-11 16:45:55

  • Assignee changed from anonym to segfault
  • QA Check deleted (Ready for QA)

LGTM!

#13 Updated by segfault 2018-03-09 13:36:57

libblockdev with our current patches doesn’t compile with cryptsetup < 2.0.0 (see this comment on the pull request).

I guess we need to find a way to check during preprocessing whether the cryptsetup version is at least 2.0.0, and in that case ignore the VeraCrypt PIM (and probably print a warning).

I found that libblockdev has code to check the version of its dependencies, but I don’t think this will help us, because we have to check the version during preprocessing.

In cryptsetup version 1.7.5 (the one before 2.0.0) there is also a PACKAGE_VERSION macro in cryptsetup’s config.h, but the same macro is also set by libblockdev, overwriting the value from cryptsetup.

Another solution would be if we could check at compile time whether the crypt_params_tcrypt struct contains the veracrypt_pim member, but I couldn’t figure out a way to do this, and I doubt that this is possible in C.
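A compile-time probe for the struct member itself, as an added configure.ac fragment that is not part of this ticket’s branch or patches; it assumes the existing pkg-config check has already set `CRYPTSETUP_CFLAGS` and that the C code gates the PIM assignment on `LIBCRYPTSETUP_PIM_SUPPORT`:

```m4
dnl Added example, not from the ticket: test for the veracrypt_pim member of
dnl struct crypt_params_tcrypt directly, rather than inferring it from the
dnl libcryptsetup version number. Assumes CRYPTSETUP_CFLAGS is already set.
AS_IF([test "x$with_crypto" != "xno"],
      [save_CPPFLAGS="$CPPFLAGS"
       CPPFLAGS="$CPPFLAGS $CRYPTSETUP_CFLAGS"
       AC_CHECK_MEMBER([struct crypt_params_tcrypt.veracrypt_pim],
                       [AC_DEFINE([LIBCRYPTSETUP_PIM_SUPPORT], [1],
                                  [libcryptsetup supports the VeraCrypt PIM])],
                       [AC_MSG_WARN([libcryptsetup has no VeraCrypt PIM support; a non-zero PIM will be ignored])],
                       [[#include <libcryptsetup.h>]])
       CPPFLAGS="$save_CPPFLAGS"])
```

The check compiles a tiny test program against the real header, so it keeps working if a distribution backports the member to an older release or a later version changes its numbering.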

#14 Updated by segfault 2018-03-09 13:38:03

  • Assignee changed from segfault to anonym
  • QA Check set to Info Needed

anonym offered to take a look at this issue.

#15 Updated by anonym 2018-03-09 18:40:05

  • Assignee changed from anonym to segfault
  • QA Check changed from Info Needed to Dev Needed

I think the simplest is something like this (untested):

diff --git a/configure.ac b/configure.ac
index d41a307..9827ab5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -153,6 +153,8 @@ LIBBLOCKDEV_PKG_CHECK_MODULES([KMOD], [libkmod >= 19])

 AS_IF([test "x$with_crypto" != "xno"],
       [LIBBLOCKDEV_PKG_CHECK_MODULES([CRYPTSETUP], [libcryptsetup >= 1.6.7])
+       AS_IF([$PKG_CONFIG --atleast-version=2.0 libcryptsetup],
+             [AC_DEFINE([LIBCRYPTSETUP_PIM_SUPPORT])], [])
        LIBBLOCKDEV_PKG_CHECK_MODULES([NSS], [nss >= 3.18.0])
        LIBBLOCKDEV_CHECK_HEADER([volume_key/libvolume_key.h], [$GLIB_CFLAGS $NSS_CFLAGS], [libvolume_key.h not available])
       ],
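Review bot: `AC_DEFINE([LIBCRYPTSETUP_PIM_SUPPORT])` on the added line carries no value and no description, so autoheader will refuse to generate the config.h template for it ("missing template"); write `AC_DEFINE([LIBCRYPTSETUP_PIM_SUPPORT], [1], [libcryptsetup supports the VeraCrypt PIM])`. The `--atleast-version=2.0` test is only a proxy for the `veracrypt_pim` member that the C side needs; `AC_CHECK_MEMBER([struct crypt_params_tcrypt.veracrypt_pim], ..., [[#include <libcryptsetup.h>]])` with `CRYPTSETUP_CFLAGS` added to CPPFLAGS would test the member itself.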
diff --git a/src/plugins/crypto.c b/src/plugins/crypto.c
index 8f954fc..5942f3d 100644
--- a/src/plugins/crypto.c
+++ b/src/plugins/crypto.c
@@ -964,7 +964,7 @@ gboolean bd_crypto_luks_resize (const gchar *luks_device, guint64 size, GError *
  * @hidden: whether a hidden volume inside the volume should be opened
  * @system: whether to try opening as an encrypted system (with boot loader)
  * @veracrypt: whether to try VeraCrypt modes (TrueCrypt modes are tried anyway)
- * @veracrypt_pim: VeraCrypt PIM value
+ * @veracrypt_pim: VeraCrypt PIM value (does nothing when compiled against libcryptsetup < 2.0)
  * @error: (out): place to store error (if any)
  *
  * Returns: whether the @device was successfully opened or not
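Review bot: the new `@veracrypt_pim` doc line says the value "does nothing" with libcryptsetup < 2.0, but it neither tells a caller that a non-zero PIM is silently discarded nor how to find out which build they have; state that the argument is ignored in such builds, name the governing macro (`LIBCRYPTSETUP_PIM_SUPPORT`), and document whatever error or warning the function raises in that case so callers can distinguish it from a wrong passphrase.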
@@ -1009,8 +1009,10 @@ gboolean bd_crypto_tc_open (const gchar *device, const gchar *name, const guint8
     if (system)
         params.flags |= CRYPT_TCRYPT_SYSTEM_HEADER;

+#ifdef LIBCRYPTSETUP_PIM_SUPPORT
     if (veracrypt && veracrypt_pim != 0)
         params.veracrypt_pim = veracrypt_pim;
+#endif

     ret = crypt_load (cd, CRYPT_TCRYPT, &params);
     if (ret != 0) {
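Review bot: the `#ifdef LIBCRYPTSETUP_PIM_SUPPORT` guard drops a non-zero `veracrypt_pim` silently on older libcryptsetup, whereas comment #13 asked for a warning in that case; add an `#else` branch that, when `veracrypt && veracrypt_pim != 0`, at least logs a warning (e.g. `g_warning`), or better sets @error and returns FALSE so the caller learns that the requested PIM cannot be honoured rather than seeing an unexplained open failure.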

#16 Updated by segfault 2018-03-09 19:59:34

anonym wrote:
> I think the simplest is something like this (untested):
> […]

Perfect!

#17 Updated by bertagaz 2018-03-14 11:32:20

  • Target version changed from Tails_3.6 to Tails_3.7

#18 Updated by segfault 2018-03-26 16:06:23

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check deleted (Dev Needed)