Use VeraCrypt option by default; add --disable-veracrypt option.

While TrueCrypt is no longer developed and supported since 2014,
VeraCrypt devices (as a successor of TrueCrypt) are much more
used today.

This patch switches the default to scanning for the VeraCrypt signature,
making the --veracrypt option obsolete (it is now accepted but ignored, since VeraCrypt mode is the default).

If you need to disable VeraCrypt support, use new option
--disable-veracrypt.
Milan Broz
2021-06-14 22:46:34 +02:00
parent df5e54545e
commit 05a4d3fe0a
6 changed files with 43 additions and 29 deletions


@@ -645,8 +645,7 @@ See also section 7 of the FAQ and \fBhttp://loop-aes.sourceforge.net\fR
for more information regarding loop-AES.
.SH TCRYPT (TrueCrypt-compatible and VeraCrypt) EXTENSION
cryptsetup supports mapping of TrueCrypt, tcplay or VeraCrypt
(with \fB\-\-veracrypt\fR option) encrypted partition
using a native Linux kernel API.
encrypted partition using a native Linux kernel API.
Header formatting and TCRYPT header change is not supported, cryptsetup
never changes TCRYPT header on-device.
@@ -663,20 +662,21 @@ Cryptsetup should recognize all header variants, except legacy cipher chains
using LRW encryption mode with 64 bits encryption block (namely Blowfish
in LRW mode is not recognized, this is limitation of kernel crypto API).
To recognize a VeraCrypt device use the \fB\-\-veracrypt\fR option.
VeraCrypt is just extension of TrueCrypt header with increased
iteration count so unlocking can take quite a lot of time (in comparison
with TCRYPT device).
To open a VeraCrypt device with a custom Personal Iteration Multiplier (PIM)
value, \fBadditionally to \-\-veracrypt \fR use either the
\fB\-\-veracrypt\-pim=<PIM>\fR option to directly specify the PIM on the command-
line or use \fB\-\-veracrypt\-query\-pim\fR to be prompted for the PIM.
value, use either the \fB\-\-veracrypt\-pim=<PIM>\fR option to directly specify
the PIM on the command- line or use \fB\-\-veracrypt\-query\-pim\fR to be
prompted for the PIM.
The PIM value affects the number of iterations applied during key derivation. Please refer to
\fBhttps://www.veracrypt.fr/en/Personal%20Iterations%20Multiplier%20%28PIM%29.html\fR
for more detailed information.
If you need to disable VeraCrypt device support, use \fB\-\-disable\-veracrypt\fR option.
\fBNOTE:\fR Activation with \fBtcryptOpen\fR is supported only for cipher chains
using LRW or XTS encryption modes.
@@ -720,7 +720,7 @@ a mapping <name>.
\fB<options>\fR can be [\-\-key\-file, \-\-tcrypt\-hidden,
\-\-tcrypt\-system, \-\-tcrypt\-backup, \-\-readonly, \-\-test\-passphrase,
\-\-allow-discards, \-\-veracrypt, \-\-veracrypt\-pim, \-\-veracrypt\-query\-pim,
\-\-allow-discards, \-\-disable\-veracrypt, \-\-veracrypt\-pim, \-\-veracrypt\-query\-pim,
\-\-header, \-\-cipher, \-\-hash].
The keyfile parameter allows a combination of file content with the
@@ -1450,8 +1450,11 @@ Specify which TrueCrypt on-disk header will be used to open the device.
See \fITCRYPT\fR section for more info.
.TP
.B "\-\-veracrypt"
Allow VeraCrypt compatible mode. Only for TCRYPT extension.
See \fITCRYPT\fR section for more info.
This option is ignored as VeraCrypt compatible mode is supported by default.
.TP
.B "\-\-disable\-veracrypt"
This option can be used to disable VeraCrypt compatible mode (only TrueCrypt devices
are recognized). Only for TCRYPT extension. See \fITCRYPT\fR section for more info.
.TP
.B "\-\-veracrypt\-pim"
.B "\-\-veracrypt\-query\-pim"


@@ -448,7 +448,7 @@ static int action_open_tcrypt(void)
.keyfiles = CONST_CAST(const char **)keyfiles,
.keyfiles_count = keyfiles_count,
.flags = CRYPT_TCRYPT_LEGACY_MODES |
(ARG_SET(OPT_VERACRYPT_ID) ? CRYPT_TCRYPT_VERA_MODES : 0),
(ARG_SET(OPT_DISABLE_VERACRYPT_ID) ? 0 : CRYPT_TCRYPT_VERA_MODES),
.veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
.hash_name = ARG_STR(OPT_HASH_ID),
.cipher = ARG_STR(OPT_CIPHER_ID),
@@ -586,7 +586,7 @@ static int action_tcryptDump(void)
.keyfiles = CONST_CAST(const char **)keyfiles,
.keyfiles_count = keyfiles_count,
.flags = CRYPT_TCRYPT_LEGACY_MODES |
(ARG_SET(OPT_VERACRYPT_ID) ? CRYPT_TCRYPT_VERA_MODES : 0),
(ARG_SET(OPT_DISABLE_VERACRYPT_ID) ? 0: CRYPT_TCRYPT_VERA_MODES),
.veracrypt_pim = ARG_UINT32(OPT_VERACRYPT_PIM_ID),
.hash_name = ARG_STR(OPT_HASH_ID),
.cipher = ARG_STR(OPT_CIPHER_ID),
@@ -3877,18 +3877,18 @@ int main(int argc, const char **argv)
_("Option --tcrypt-hidden cannot be combined with --allow-discards."),
poptGetInvocationName(popt_context));
if (ARG_SET(OPT_VERACRYPT_ID) && (!device_type || strcmp(device_type, "tcrypt")))
if ((ARG_SET(OPT_VERACRYPT_ID) || ARG_SET(OPT_DISABLE_VERACRYPT_ID)) && (!device_type || strcmp(device_type, "tcrypt")))
usage(popt_context, EXIT_FAILURE,
_("Option --veracrypt is supported only for TCRYPT device type."),
_("Option --veracrypt or --disable-veracrypt is supported only for TCRYPT device type."),
poptGetInvocationName(popt_context));
if (ARG_SET(OPT_VERACRYPT_PIM_ID) && !ARG_SET(OPT_VERACRYPT_ID))
if (ARG_SET(OPT_VERACRYPT_PIM_ID) && ARG_SET(OPT_DISABLE_VERACRYPT_ID))
usage(popt_context, EXIT_FAILURE,
_("Option --veracrypt-pim is supported only for VeraCrypt compatible devices."),
poptGetInvocationName(popt_context));
if (ARG_SET(OPT_VERACRYPT_QUERY_PIM_ID)) {
if (!ARG_SET(OPT_VERACRYPT_ID)) {
if (ARG_SET(OPT_DISABLE_VERACRYPT_ID)) {
usage(popt_context, EXIT_FAILURE,
_("Option --veracrypt-query-pim is supported only for VeraCrypt compatible devices."),
poptGetInvocationName(popt_context));
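Review bot: The option-conflict checks in main() never reject `--veracrypt` given together with `--disable-veracrypt`, yet the flag computation in action_open_tcrypt and action_tcryptDump (`ARG_SET(OPT_DISABLE_VERACRYPT_ID) ? 0 : CRYPT_TCRYPT_VERA_MODES`) silently lets the disable option win, so a user who explicitly asks for VeraCrypt mode gets TrueCrypt-only scanning with no diagnostic. Next to the existing type check I would add `if (ARG_SET(OPT_VERACRYPT_ID) && ARG_SET(OPT_DISABLE_VERACRYPT_ID))` / `usage(popt_context, EXIT_FAILURE, _("Options --veracrypt and --disable-veracrypt cannot be combined."), poptGetInvocationName(popt_context));`, matching the style of the surrounding checks. Minor: the tcryptDump hunk writes `? 0: CRYPT_TCRYPT_VERA_MODES` while the open hunk writes `? 0 : CRYPT_TCRYPT_VERA_MODES`; the two should agree. All three functions touched here (action_open_tcrypt, action_tcryptDump, main) begin and end outside the hunks.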


@@ -49,6 +49,8 @@ ARG(OPT_DISABLE_KEYRING, '\0', POPT_ARG_NONE, N_("Disable loading volume keys vi
ARG(OPT_DISABLE_LOCKS, '\0', POPT_ARG_NONE, N_("Disable locking of on-disk metadata"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DISABLE_VERACRYPT, '\0', POPT_ARG_NONE, N_("Do not scan for VeraCrypt compatible device"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DUMP_JSON, '\0', POPT_ARG_NONE, N_("Dump info in JSON format (LUKS2 only)"), NULL, CRYPT_ARG_BOOL, {}, {})
ARG(OPT_DUMP_MASTER_KEY, '\0', POPT_ARG_NONE, N_("Dump volume (master) key instead of keyslots info"), NULL, CRYPT_ARG_BOOL, {}, {})


@@ -44,6 +44,7 @@
#define OPT_DISABLE_EXTERNAL_TOKENS "disable-external-tokens"
#define OPT_DISABLE_KEYRING "disable-keyring"
#define OPT_DISABLE_LOCKS "disable-locks"
#define OPT_DISABLE_VERACRYPT "disable-veracrypt"
#define OPT_DUMP_JSON "dump-json-metadata"
#define OPT_DUMP_MASTER_KEY "dump-master-key"
#define OPT_ENCRYPT "encrypt"


@@ -208,12 +208,11 @@ exp_fail open DEV NAME --veracrypt
exp_pass open DEV NAME --type tcrypt --veracrypt
exp_pass open DEV NAME --type tcrypt --veracrypt --veracrypt-pim 1
exp_fail open DEV NAME --type tcrypt --veracrypt --veracrypt-pim -2
exp_fail open DEV NAME --type tcrypt --veracrypt-pim 1
# bug
# exp_fail open DEV NAME --type tcrypt --veracrypt --veracrypt-pim -1
exp_fail open DEV NAME --type tcrypt --veracrypt-query-pim
exp_fail open DEV NAME --type tcrypt --veracrypt-query-pim --veracrypt-pim 1
exp_fail open DEV NAME --veracrypt-query-pim
exp_fail open DEV NAME --type tcrypt --disable-veracrypt --veracrypt-pim 1
exp_fail open DEV NAME --type tcrypt --veracrypt --veracrypt-pim -1
exp_fail open DEV NAME --type tcrypt --disable-veracrypt --veracrypt-query-pim
exp_fail open DEV NAME --type tcrypt --disable-veracrypt --veracrypt-query-pim --veracrypt-pim 1
exp_fail open DEV NAME --disable-veracrypt --veracrypt-query-pim
# bug
# exp_fail open DEV NAME --priority normal
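Review bot: The new default code path is not exercised: the removed case `exp_fail open DEV NAME --type tcrypt --veracrypt-pim 1` (which failed only because `--veracrypt` used to be mandatory) has no positive replacement, and every surviving `exp_pass` line still passes the now-ignored `--veracrypt`. I would add `exp_pass open DEV NAME --type tcrypt` and `exp_pass open DEV NAME --type tcrypt --veracrypt-pim 1` so that PIM without `--veracrypt` is pinned as accepted, and `exp_pass open DEV NAME --type tcrypt --disable-veracrypt` so the new option is covered on its own. If a conflict check for `--veracrypt --disable-veracrypt` is ever added to cryptsetup, a matching `exp_fail` belongs here as well.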


@@ -128,19 +128,28 @@ for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
SYS_OPT=""
[[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system"
echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt $SYS_OPT $PIM_OPT $file >/dev/null || fail
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT $file >/dev/null || fail
if [[ $file =~ .*-sha512-xts-aes$ ]] ; then
echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt $SYS_OPT $PIM_OPT -h sha512 -c aes $file >/dev/null || fail
echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt $SYS_OPT $PIM_OPT -h xxxx $file 2>/dev/null && fail
echo $PASSWORD | $CRYPTSETUP tcryptDump --veracrypt $SYS_OPT $PIM_OPT -h sha512 -c xxx $file 2>/dev/null && fail
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c aes $file >/dev/null || fail
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h xxxx $file 2>/dev/null && fail
echo $PASSWORD | $CRYPTSETUP tcryptDump $SYS_OPT $PIM_OPT -h sha512 -c xxx $file 2>/dev/null && fail
fi
echo " [OK]"
done
echo "HEADER CHECK (TCRYPT only)"
for file in $(ls $TST_DIR/vc_* $TST_DIR/vcpim_*) ; do
echo -n " $file"
PIM_OPT=""
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $PIM_OPT $file >/dev/null 2>&1 && fail
echo " [OK]"
done
echo "HEADER CHECK (HIDDEN)"
for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
echo -n " $file (hidden)"
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden --veracrypt $file >/dev/null || fail
echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptDump --tcrypt-hidden $file >/dev/null || fail
echo " [OK]"
done
@@ -150,7 +159,7 @@ for file in $(ls $TST_DIR/[tv]ck_*) ; do
PWD=$PASSWORD
[[ $file =~ vck_1_nopw.* ]] && PWD=""
[[ $file =~ vck_1_pw72.* ]] && PWD=$PASSWORD_72C
echo $PWD | $CRYPTSETUP tcryptDump --veracrypt -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
echo $PWD | $CRYPTSETUP tcryptDump -d $TST_DIR/keyfile1 -d $TST_DIR/keyfile2 $file >/dev/null || fail
echo " [OK]"
done
@@ -167,7 +176,7 @@ for file in $(ls $TST_DIR/[tv]c_* $TST_DIR/vcpim_* $TST_DIR/sys_[tv]c_*) ; do
[[ $file =~ vcpim.* ]] && PIM_OPT="--veracrypt-pim $PIM"
SYS_OPT=""
[[ $file =~ sys_.* ]] && SYS_OPT="--tcrypt-system"
out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen --veracrypt $SYS_OPT $PIM_OPT -r $file $MAP 2>&1)
out=$(echo $PASSWORD | $CRYPTSETUP tcryptOpen $SYS_OPT $PIM_OPT -r $file $MAP 2>&1)
ret=$?
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
@@ -183,7 +192,7 @@ done
echo "ACTIVATION FS UUID (HIDDEN) CHECK"
for file in $(ls $TST_DIR/[tv]c_*-hidden) ; do
echo -n " $file"
out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen --veracrypt -r $file $MAP --tcrypt-hidden 2>&1)
out=$(echo $PASSWORD_HIDDEN | $CRYPTSETUP tcryptOpen -r $file $MAP --tcrypt-hidden 2>&1)
ret=$?
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT legacy mode" ) && echo " [N/A]" && continue
[ $ret -eq 1 ] && ( echo "$out" | grep -q -e "TCRYPT compatible mapping" ) && echo " [N/A]" && continue
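Review bot: The new "HEADER CHECK (TCRYPT only)" loop only proves the negative half of `--disable-veracrypt` (VeraCrypt images are rejected); nothing verifies that plain TrueCrypt images still open with the option, so a regression that dropped TrueCrypt scanning along with VeraCrypt scanning would go unnoticed. A negative-only check built on `&& fail` also passes vacuously if cryptsetup fails for an unrelated reason, so pairing it with a positive case on the `tc_*` images, mirroring the preceding dump loop, makes the check meaningful. The loop label is also misleading, since it iterates `vc_*`/`vcpim_*` files; something like "HEADER CHECK (--disable-veracrypt rejects VeraCrypt)" would describe what it does. The enclosing test script continues past this hunk.
```shell
echo "HEADER CHECK (TCRYPT only)"
for file in $(ls $TST_DIR/vc_* $TST_DIR/vcpim_*) ; do
# … unchanged: negative check that --disable-veracrypt rejects VeraCrypt images …
done
echo "HEADER CHECK (TCRYPT only, --disable-veracrypt still opens TrueCrypt)"
for file in $(ls $TST_DIR/tc_*) ; do
	echo -n " $file"
	echo $PASSWORD | $CRYPTSETUP tcryptDump --disable-veracrypt $file >/dev/null || fail
	echo " [OK]"
done
```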