This patch adds the --veracrypt-pim=INT and --veracrypt-query-pim command-
line parameters to support specification of or being queried for a custom
Personal Iteration Multiplier respectively. This affects the number of
iterations for key derivation from the entered password. The manpage is
also updated accordingly.
Fixes Issue #307.
Batch mode should enable no-query keyslot wipe but only if user
did not provided password or keyfile explicitely.
Fixes issue #265.
Signed-off-by: Milan Broz <gmazyland@gmail.com>
The previous PBKDF2 benchmark code did not take into account
output key length.
For SHA1 (with 160-bits output) and 256-bit keys (and longer)
it means that the final value was higher than it should be.
For other hash algorithms (like SHA256 or SHA512) it caused
that iteration count was smaller (in comparison to SHA1) than
expected for the requested time period.
This patch fixes the code to use key size for the formatted device
(or default LUKS key size if running in informational benchmark mode).
Thanks to A.Visconti, S.Bossi, A.Calo and H.Ragab
(http://www.club.di.unimi.it/) for point this out.
(Based on "What users should know about Full Disk Encryption
based on LUKS" paper to be presented on CANS2015).
The patch adds the two options
--perf-same_cpu_crypt
--perf-submit_from_crypt_cpus
that set the same named options inside dmcrypt
(available in Linux kernel 3.20 and later).
For historic reasons, in the plain mode the hashing is not used
if keyfile is used (with exception of --key-file=-).
Print warning if the parameters are ignored.
For other cases, uses keyfile offset, keyfile size and hash
as psecified on commandline.
Partially fixes issue#243
If AddKey was called with master key argument, the code always asked
for a passphrase ignoring the keyfile argument.
Now it is properly processed as the same as if no master key is specified.
The --header always takes precedence over positional device argument.
Also allow specify UUID= for luksSuspend and luksResume if used with
detached header.
- we need a way to notify an user about running misconfigured system which
will turn to be unusable in real FIPS mode. For more details look at:
http://bugzilla.redhat.com/show_bug.cgi?id=1009707#c25
- also fixes invisble verbose log about running in FIPS mode due to its misplacement
Using getrusage seems toi give not adequate precision,
so use clock_gettime and try to scale buffer size a bit
on high performance systems.
If it still fail, return ERANGE error instead calculating
completely unreliable numbers.
Should fix Issue#186.
If password is entered through terminal (no keyfile specified)
and cryptsetup is compiled with --enable-pwquality, default
system pwquality settings are used to check password quality.
