authorMounir IDRASSI <mounir.idrassi@idrix.fr>2019-01-12 01:24:25 +0100
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2019-01-14 10:49:05 +0100
commitd3e7ed96f3685d83dcc39a18574be1dd2cc8f2f6 (patch)
treec31143436e3db3164f51fcb4f669ab8e4175610a /src/Mount
parent69cb0bea8197fbb2031371a1f71b9a1c94f93b27 (diff)
Windows: Implement feature that enables clearing of encryption keys when a new device is inserted. Better implementation for update of EFI bootloader without usage of drive letters (this can fix random issues encountered during Windows upgrade).
Diffstat (limited to 'src/Mount')
-rw-r--r--src/Mount/Mount.c148
-rw-r--r--src/Mount/Mount.rc30
-rw-r--r--src/Mount/Resource.h3
3 files changed, 160 insertions, 21 deletions
diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c
index 574c3556..473372e1 100644
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -51,6 +51,8 @@
#include "../Setup/SelfExtract.h"
#include <Strsafe.h>
+#include <InitGuid.h>
+#include <devguid.h>
#import <msxml6.dll> no_auto_exclude
@@ -9296,6 +9298,10 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine)
static SERVICE_STATUS SystemFavoritesServiceStatus;
static SERVICE_STATUS_HANDLE SystemFavoritesServiceStatusHandle;
+static HANDLE SystemFavoriteServiceStopEvent = NULL;
+static HDEVNOTIFY SystemFavoriteServiceNotify = NULL;
+
+DEFINE_GUID(OCL_GUID_DEVCLASS_SOFTWARECOMPONENT, 0x5c4c3332, 0x344d, 0x483c, 0x87, 0x39, 0x25, 0x9e, 0x93, 0x4c, 0x9c, 0xc8);
static void SystemFavoritesServiceLogMessage (const wstring &errorMessage, WORD wType)
{
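Review bot: The hard-coded `OCL_GUID_DEVCLASS_SOFTWARECOMPONENT` value has no comment saying where it comes from, yet the control handler later uses it as one of three class GUIDs that suppress the emergency key wipe. The value appears to be the SoftwareComponent setup class, presumably defined locally because the SDK's `devguid.h` in use does not declare it; that should be confirmed and stated. A comment above the `DEFINE_GUID` would do, for example `/* SoftwareComponent device setup class; arrivals of this class must not trigger key clearing */`. Because every entry in that list widens what can be attached without clearing keys, the reason for each exemption is worth recording next to its definition.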
@@ -9336,12 +9342,84 @@ static void SystemFavoritesServiceSetStatus (DWORD status, DWORD waitHint = 0)
}
-static VOID WINAPI SystemFavoritesServiceCtrlHandler (DWORD control)
+static DWORD WINAPI SystemFavoritesServiceCtrlHandler ( DWORD dwControl,
+ DWORD dwEventType,
+ LPVOID lpEventData,
+ LPVOID lpContext)
{
- if (control == SERVICE_CONTROL_STOP)
+ switch (dwControl)
+ {
+ case SERVICE_CONTROL_PRESHUTDOWN:
SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING);
- else
+
+ if (BootEncObj)
+ {
+ try
+ {
+ BootEncryption::UpdateSetupConfigFile (true);
+ // re-install our bootloader again in case the update process has removed it.
+ BootEncryption bootEnc (NULL, true);
+ bootEnc.InstallBootLoader (true);
+ }
+ catch (...)
+ {
+ }
+ }
+
+ /* clear VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION flag */
+ SetDriverConfigurationFlag (VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, FALSE);
+
+ SetEvent (SystemFavoriteServiceStopEvent);
+ SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING);
+
+ break;
+ case SERVICE_CONTROL_STOP:
+ SetEvent (SystemFavoriteServiceStopEvent);
+ SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING);
+ break;
+ case SERVICE_CONTROL_DEVICEEVENT:
+ if (DBT_DEVICEARRIVAL == dwEventType)
+ {
+ DEV_BROADCAST_HDR* pHdr = (DEV_BROADCAST_HDR *) lpEventData;
+ if (pHdr->dbch_devicetype != DBT_DEVTYP_VOLUME && pHdr->dbch_devicetype != DBT_DEVTYP_HANDLE)
+ {
+ SystemFavoritesServiceLogInfo (L"SERVICE_CONTROL_DEVICEEVENT - DBT_DEVICEARRIVAL received");
+
+ if (ReadDriverConfigurationFlags() & VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION)
+ {
+ BOOL bClearKeys = TRUE;
+ if (pHdr->dbch_devicetype == DBT_DEVTYP_DEVICEINTERFACE)
+ {
+ DEV_BROADCAST_DEVICEINTERFACE* pInf = (DEV_BROADCAST_DEVICEINTERFACE*) pHdr;
+
+ if (IsEqualGUID (pInf->dbcc_classguid, OCL_GUID_DEVCLASS_SOFTWARECOMPONENT)
+ || IsEqualGUID (pInf->dbcc_classguid, GUID_DEVCLASS_VOLUME)
+ || IsEqualGUID (pInf->dbcc_classguid, GUID_DEVCLASS_VOLUMESNAPSHOT)
+ )
+ {
+ bClearKeys = FALSE;
+ }
+ }
+
+ if (bClearKeys)
+ {
+ DWORD cbBytesReturned = 0;
+ BOOL bResult = DeviceIoControl (hDriver, VC_IOCTL_EMERGENCY_CLEAR_ALL_KEYS, NULL, 0, NULL, 0, &cbBytesReturned, NULL);
+ if (bResult)
+ SystemFavoritesServiceLogInfo (L"New device insertion detected - encryption keys cleared");
+ else
+ SystemFavoritesServiceLogInfo (L"New device insertion detected - failed to clear encryption keys");
+ }
+ }
+ }
+ }
+ break;
+ default:
SystemFavoritesServiceSetStatus (SystemFavoritesServiceStatus.dwCurrentState);
+ break;
+ }
+
+ return NO_ERROR;
}
static LONG WINAPI SystemFavoritesServiceExceptionHandler (EXCEPTION_POINTERS *ep)
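Review bot: When `DeviceIoControl (hDriver, VC_IOCTL_EMERGENCY_CLEAR_ALL_KEYS, ...)` fails in the SERVICE_CONTROL_DEVICEEVENT branch, the failure is written with `SystemFavoritesServiceLogInfo` and without the error code, so a wipe that did not happen looks like routine information in the event log. Logging it as an error and including `GetLastError ()` would let an operator notice that keys stayed in memory after a device arrived, e.g. `SystemFavoritesServiceLogMessage (L"New device insertion detected - failed to clear encryption keys", EVENTLOG_ERROR_TYPE);`. The same applies to the empty `catch (...) { }` in the SERVICE_CONTROL_PRESHUTDOWN case: a failed `InstallBootLoader` is swallowed with no trace, and a one-line log call inside the handler would make that failure visible. `pHdr` is also dereferenced without checking `lpEventData` for NULL; a guard such as `if (pHdr && ...)` costs nothing.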
@@ -9363,13 +9441,27 @@ static void SystemFavoritesServiceInvalidParameterHandler (const wchar_t *expres
static VOID WINAPI SystemFavoritesServiceMain (DWORD argc, LPTSTR *argv)
{
BOOL status = FALSE;
+ DEV_BROADCAST_DEVICEINTERFACE hdr;
memset (&SystemFavoritesServiceStatus, 0, sizeof (SystemFavoritesServiceStatus));
SystemFavoritesServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
+ SystemFavoritesServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;
+ if (IsOSAtLeast (WIN_VISTA) && BootEncObj && BootEncStatus.DriveMounted && BootEncObj->GetSystemDriveConfiguration().SystemPartition.IsGPT)
+ SystemFavoritesServiceStatus.dwControlsAccepted |= SERVICE_ACCEPT_PRESHUTDOWN;
+
+ ZeroMemory (&hdr, sizeof(hdr));
+ hdr.dbcc_size = sizeof (hdr);
+ hdr.dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE;
- SystemFavoritesServiceStatusHandle = RegisterServiceCtrlHandler (TC_SYSTEM_FAVORITES_SERVICE_NAME, SystemFavoritesServiceCtrlHandler);
+ SystemFavoritesServiceStatusHandle = RegisterServiceCtrlHandlerEx (TC_SYSTEM_FAVORITES_SERVICE_NAME, SystemFavoritesServiceCtrlHandler, NULL);
if (!SystemFavoritesServiceStatusHandle)
return;
+ SystemFavoriteServiceStopEvent = CreateEvent (NULL, FALSE, FALSE, NULL);
+ if (!SystemFavoriteServiceStopEvent)
+ return;
+
+ SystemFavoriteServiceNotify = RegisterDeviceNotification (SystemFavoritesServiceStatusHandle, &hdr,DEVICE_NOTIFY_SERVICE_HANDLE | DEVICE_NOTIFY_ALL_INTERFACE_CLASSES);
+
InitGlobalLocks ();
SetUnhandledExceptionFilter (SystemFavoritesServiceExceptionHandler);
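Review bot: The result of `RegisterDeviceNotification` is stored but never checked, so if registration fails the service keeps running and the "clear keys on new device insertion" option silently does nothing. Since the user has been told the protection is active, the failure should at least be logged, for example `if (!SystemFavoriteServiceNotify) SystemFavoritesServiceLogMessage (L"RegisterDeviceNotification failed - key clearing on device insertion is inactive", EVENTLOG_WARNING_TYPE);`. Separately, the early `return` after a failed `CreateEvent` leaves the service without a reported SERVICE_STOPPED state even though the status handle is already registered. SystemFavoritesServiceMain continues outside this hunk.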
@@ -9400,7 +9492,22 @@ static VOID WINAPI SystemFavoritesServiceMain (DWORD argc, LPTSTR *argv)
FinalizeGlobalLocks ();
+ if (!(ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD))
+ WipeCache (NULL, TRUE);
+
SystemFavoritesServiceSetStatus (SERVICE_RUNNING);
+
+ WaitForSingleObject (SystemFavoriteServiceStopEvent, INFINITE);
+
+ if (SystemFavoriteServiceNotify)
+ {
+ UnregisterDeviceNotification (SystemFavoriteServiceNotify);
+ SystemFavoriteServiceNotify = NULL;
+ }
+
+ CloseHandle (SystemFavoriteServiceStopEvent);
+ SystemFavoriteServiceStopEvent = NULL;
+
SystemFavoritesServiceSetStatus (SERVICE_STOPPED);
}
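Review bot: After `WaitForSingleObject` returns, this code closes the stop event and reports SERVICE_STOPPED, but the control handler calls `SetEvent (SystemFavoriteServiceStopEvent)` before its own `SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING)`. If the handler runs on a different thread from the service main function, as is usual for a dispatcher-driven service, it can therefore report STOP_PENDING after STOPPED has already been sent. Swapping the two calls in the handler's STOP and PRESHUTDOWN cases, so the pending status is reported before the event is signalled, closes that window. The return value of `WaitForSingleObject` is also ignored, so a failed wait would fall straight through to shutdown. The beginning of SystemFavoritesServiceMain is outside this hunk.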
@@ -9419,6 +9526,16 @@ static BOOL StartSystemFavoritesService ()
if (DriverAttach() != ERR_SUCCESS)
return FALSE;
+ try
+ {
+ BootEncObj = new BootEncryption (NULL);
+ BootEncStatus = BootEncObj->GetStatus();
+ }
+ catch (Exception &)
+ {
+ BootEncStatus.DriveMounted = FALSE;
+ }
+
SERVICE_TABLE_ENTRY serviceTable[2];
serviceTable[0].lpServiceName = TC_SYSTEM_FAVORITES_SERVICE_NAME;
serviceTable[0].lpServiceProc = SystemFavoritesServiceMain;
@@ -9428,8 +9545,11 @@ static BOOL StartSystemFavoritesService ()
BOOL result = StartServiceCtrlDispatcher (serviceTable);
- if (!(ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD))
- WipeCache (NULL, TRUE);
+ if (BootEncObj != NULL)
+ {
+ delete BootEncObj;
+ BootEncObj = NULL;
+ }
return result;
}
@@ -10919,7 +11039,8 @@ error:
void SetDriverConfigurationFlag (uint32 flag, BOOL state)
{
- BootEncObj->SetDriverConfigurationFlag (flag, state ? true : false);
+ if (BootEncObj)
+ BootEncObj->SetDriverConfigurationFlag (flag, state ? true : false);
}
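Review bot: With the new guard, `SetDriverConfigurationFlag` returns without doing anything when `BootEncObj` is NULL, and because the function is `void` the caller cannot tell that the flag was not written. That matters for the pre-shutdown path in the service control handler, which relies on this call to reset VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION. A comment such as `/* no-op when BootEncObj is not initialised; the driver flag is left unchanged */` would make the behaviour explicit for future callers.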
@@ -11380,6 +11501,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
BOOL bPasswordCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD)? TRUE : FALSE;
BOOL bPimCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PIM)? TRUE : FALSE;
BOOL bBlockSysEncTrimEnabled = (driverConfig & VC_DRIVER_CONFIG_BLOCK_SYS_TRIM)? TRUE : FALSE;
+ BOOL bClearKeysEnabled = (driverConfig & VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION)? TRUE : FALSE;
BOOL bIsHiddenOS = IsHiddenOSRunning ();
if (!BootEncObj->ReadBootSectorConfig (nullptr, 0, &userConfig, &customUserMessage, &bootLoaderVersion))
@@ -11422,6 +11544,8 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, bPasswordCacheEnabled ? BST_CHECKED : BST_UNCHECKED);
EnableWindow (GetDlgItem (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM), bPasswordCacheEnabled);
CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? BST_CHECKED : BST_UNCHECKED);
+ CheckDlgButton (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, bClearKeysEnabled? BST_CHECKED : BST_UNCHECKED);
+
if (bIsHiddenOS)
{
// we always block TRIM command on hidden OS regardless of the configuration
@@ -11542,10 +11666,12 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
BOOL bPasswordCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD);
BOOL bPimCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM);
BOOL bBlockSysEncTrimEnabled = IsDlgButtonChecked (hwndDlg, IDC_BLOCK_SYSENC_TRIM);
+ BOOL bClearKeysEnabled = IsDlgButtonChecked (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION);
BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim, prop.pkcs5);
SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, bPasswordCacheEnabled);
SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? TRUE : FALSE);
SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION));
+ SetDriverConfigurationFlag (VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, bClearKeysEnabled);
if (!IsHiddenOSRunning ()) /* we don't need to update TRIM config for hidden OS since it's always blocked */
SetDriverConfigurationFlag (VC_DRIVER_CONFIG_BLOCK_SYS_TRIM, bBlockSysEncTrimEnabled);
}
@@ -11589,6 +11715,14 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
}
break;
+
+ case IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION:
+ if (IsDlgButtonChecked (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION))
+ {
+ Warning ("CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING", hwndDlg);
+ }
+
+ break;
}
return 0;
}
diff --git a/src/Mount/Mount.rc b/src/Mount/Mount.rc
index 3011b5d9..4a7fe101 100644
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -285,7 +285,7 @@ BEGIN
LTEXT "",IDT_PKCS11_LIB_HELP,16,63,286,65
END
-IDD_EFI_SYSENC_SETTINGS DIALOGEX 0, 0, 375, 182
+IDD_EFI_SYSENC_SETTINGS DIALOGEX 0, 0, 375, 194
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "VeraCrypt - System Encryption Settings"
FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -295,18 +295,20 @@ BEGIN
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,20,339,9
CONTROL "Do not request Hash algorithm in the pre-boot authentication screen",IDC_DISABLE_BOOT_LOADER_HASH_PROMPT,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,35,339,9
- GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,7,53,355,61
+ GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,7,53,355,75
CONTROL "&Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)",IDC_BOOT_LOADER_CACHE_PASSWORD,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,68,339,10
CONTROL "Include PIM when caching pre-boot authentication password",IDC_BOOT_LOADER_CACHE_PIM,
"Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,16,83,340,10
CONTROL "Block TRIM command on system partition/drive",IDC_BLOCK_SYSENC_TRIM,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,98,340,10
- GROUPBOX "Advanced Options",IDT_ADVANCED_OPTIONS,7,116,355,36
- PUSHBUTTON "Edit Boot Loader Configuration",IDC_EDIT_DCSPROP,10,129,173,14
- PUSHBUTTON "Display EFI Platform Information",IDC_SHOW_PLATFORMINFO,187,129,173,14
- PUSHBUTTON "Cancel",IDCANCEL,313,158,50,14
- DEFPUSHBUTTON "OK",IDOK,255,158,50,14
+ GROUPBOX "Advanced Options",IDT_ADVANCED_OPTIONS,7,131,355,36
+ PUSHBUTTON "Edit Boot Loader Configuration",IDC_EDIT_DCSPROP,10,144,173,14
+ PUSHBUTTON "Display EFI Platform Information",IDC_SHOW_PLATFORMINFO,187,144,173,14
+ PUSHBUTTON "Cancel",IDCANCEL,313,170,50,14
+ DEFPUSHBUTTON "OK",IDOK,255,170,50,14
+ CONTROL "Clear encryption keys from memory if a new device is inserted",IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION,
+ "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,340,10
END
IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 265
@@ -393,7 +395,7 @@ BEGIN
CONTROL "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,7,76,10
END
-IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 371, 297
+IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 371, 310
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "VeraCrypt - System Encryption Settings"
FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -413,12 +415,14 @@ BEGIN
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,340,10
CONTROL "Block TRIM command on system partition/drive",IDC_BLOCK_SYSENC_TRIM,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,251,340,10
- PUSHBUTTON "Cancel",IDCANCEL,314,273,50,14
- DEFPUSHBUTTON "OK",IDOK,257,273,50,14
+ PUSHBUTTON "Cancel",IDCANCEL,314,286,50,14
+ DEFPUSHBUTTON "OK",IDOK,257,286,50,14
LTEXT "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,39,337,8
GROUPBOX "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,9,7,355,165
- GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,9,177,355,92
+ GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,9,177,355,105
LTEXT "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,72,337,73
+ CONTROL "Clear encryption keys from memory if a new device is inserted",IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION,
+ "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,265,340,10
END
/////////////////////////////////////////////////////////////////////////////
@@ -494,7 +498,7 @@ BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 368
TOPMARGIN, 7
- BOTTOMMARGIN, 172
+ BOTTOMMARGIN, 184
END
IDD_PERFORMANCE_SETTINGS, DIALOG
@@ -526,7 +530,7 @@ BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 364
TOPMARGIN, 7
- BOTTOMMARGIN, 287
+ BOTTOMMARGIN, 300
END
END
#endif // APSTUDIO_INVOKED
diff --git a/src/Mount/Resource.h b/src/Mount/Resource.h
index 48451638..0eaf357a 100644
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -191,6 +191,7 @@
#define IDC_BLOCK_SYSENC_TRIM 1168
#define IDC_ALLOW_WINDOWS_DEFRAG 1169
#define IDC_LOWER_BOX 1170
+#define IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 1171
#define IDM_HELP 40001
#define IDM_ABOUT 40002
#define IDM_UNMOUNT_VOLUME 40003
@@ -267,7 +268,7 @@
#define _APS_NO_MFC 1
#define _APS_NEXT_RESOURCE_VALUE 120
#define _APS_NEXT_COMMAND_VALUE 40069
-#define _APS_NEXT_CONTROL_VALUE 1171
+#define _APS_NEXT_CONTROL_VALUE 1172
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif