VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Driver
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2024-08-02 00:20:53 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2024-08-02 00:20:53 +0200
commited1263bf8c6c678420eb1b9ad3f37d3a6d33af7c (patch)
tree14dfb134969574b7f0d869c455981418c652780e /src/Driver
parent6121ca02397e75fe51b2c76111ef836556fedb49 (diff)
downloadVeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.tar.gz
VeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.zip
Implement detection of volumes with vulnerable XTS master key.
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
Diffstat (limited to 'src/Driver')
-rw-r--r--src/Driver/DriveFilter.c9
-rw-r--r--src/Driver/Ntvol.c4
2 files changed, 12 insertions, 1 deletions
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
index a615797a..6fda3c37 100644
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -522,10 +522,16 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
if (ReadVolumeHeader (!hiddenVolume, header, password, pkcs5_prf, pim, &Extension->Queue.CryptoInfo, Extension->HeaderCryptoInfo) == 0)
{
- // Header decrypted
+ // Header decrypted
status = STATUS_SUCCESS;
Dump ("Header decrypted\n");
+ if (Extension->HeaderCryptoInfo->bVulnerableMasterKey)
+ {
+ // The volume header master key is vulnerable
+ Dump ("The volume header master key is vulnerable\n");
+ }
+
// calculate Fingerprint
ComputeBootLoaderFingerprint (Extension->LowerDeviceObject, header);
@@ -2017,6 +2023,7 @@ void GetBootEncryptionStatus (PIRP irp, PIO_STACK_LOCATION irpSp)
bootEncStatus->ConfiguredEncryptedAreaStart = Extension->ConfiguredEncryptedAreaStart;
bootEncStatus->ConfiguredEncryptedAreaEnd = Extension->ConfiguredEncryptedAreaEnd;
bootEncStatus->EncryptedAreaStart = Extension->Queue.EncryptedAreaStart;
+ bootEncStatus->MasterKeyVulnerable = Extension->HeaderCryptoInfo->bVulnerableMasterKey;
if (SetupInProgress)
{
diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c
index c26fcebf..68f63f16 100644
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -89,6 +89,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
+ mount->VolumeMasterKeyVulnerable = FALSE;
// If we are opening a device, query its size first
if (bRawDevice)
@@ -648,6 +649,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
Dump ("Volume header decrypted\n");
Dump ("Required program version = %x\n", (int) Extension->cryptoInfo->RequiredProgramVersion);
Dump ("Legacy volume = %d\n", (int) Extension->cryptoInfo->LegacyVolume);
+ Dump ("Master key vulnerable = %d\n", (int) Extension->cryptoInfo->bVulnerableMasterKey);
+
+ mount->VolumeMasterKeyVulnerable = Extension->cryptoInfo->bVulnerableMasterKey;
if (IsHiddenSystemRunning() && !Extension->cryptoInfo->hiddenVolume)
{