tcrypt: Support --hash and --cipher options to limit opening time.

If user knows which particular PBKDF2 hash or cipher is used for
True/VeraCrypt container, using --hash or --cipher option in tcryptDump
and tcryptOpen can scan only these variants.
Note for the cipher it means substring (all cipher chains containing
the cipher are tried).

For example, you can use
  cryptsetup tcryptDump --hash sha512 <container>

Note: for speed up, usually the hash option matters, cipher variants
are scanned very quickly.
Use with care, in a script it can reveal some sensitive attribute
of the container.

Fixes #608.
This commit is contained in:
Milan Broz
2020-12-29 15:05:12 +01:00
parent eddc3b0381
commit 3c886ccff8
4 changed files with 24 additions and 7 deletions

@@ -453,6 +453,8 @@ static int action_open_tcrypt(void)
.flags = CRYPT_TCRYPT_LEGACY_MODES |
(ARG_SET(OPT_VERACRYPT_ID) ? CRYPT_TCRYPT_VERA_MODES : 0),
.veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
.hash_name = ARG_STR(OPT_HASH_ID),
.cipher = ARG_STR(OPT_CIPHER_ID),
};
const char *activated_name;
uint32_t activate_flags = 0;
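Review bot: In the action_open_tcrypt initialiser, .hash_name and .cipher take ARG_STR(OPT_HASH_ID) and ARG_STR(OPT_CIPHER_ID) directly, and nothing visible in this hunk checks that the string names a hash or cipher the TCRYPT scan knows about. Since the commit message says the values restrict which variants are tried (and the cipher is a substring match), a misspelled value would presumably leave no variant to try, and the user would see the same failure as for a wrong passphrase. If the library side does not already reject unknown names, consider validating here or emitting a distinct message when the filter matches nothing. The man page entries for --hash and --cipher should also state the substring semantics and the caution from the commit message about revealing a container attribute when the option is hard-coded in a script.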
@@ -588,7 +590,9 @@ static int action_tcryptDump(void)
.keyfiles_count = keyfiles_count,
.flags = CRYPT_TCRYPT_LEGACY_MODES |
(ARG_SET(OPT_VERACRYPT_ID) ? CRYPT_TCRYPT_VERA_MODES : 0),
.veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID)
.veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
.hash_name = ARG_STR(OPT_HASH_ID),
.cipher = ARG_STR(OPT_CIPHER_ID),
};
int r;
r = crypt_init_data_device(&cd, ARG_STR(OPT_HEADER_ID) ?: action_argv[0], action_argv[0]);
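Review bot: The initialiser in action_tcryptDump now repeats the same four fields as the one in action_open_tcrypt (.flags, .veracrypt_pim, .hash_name, .cipher), so the next option added to one is easy to miss in the other. Consider a small helper that fills the common crypt_params_tcrypt fields from the parsed arguments and is called from both actions. Adding the trailing comma after the last field, as done here for .cipher, is a good habit to keep so later additions stay one-line diffs.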