VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Mount
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2024-08-02 00:20:53 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2024-08-02 00:20:53 +0200
commited1263bf8c6c678420eb1b9ad3f37d3a6d33af7c (patch)
tree14dfb134969574b7f0d869c455981418c652780e /src/Mount
parent6121ca02397e75fe51b2c76111ef836556fedb49 (diff)
downloadVeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.tar.gz
VeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.zip
Implement detection of volumes with vulnerable XTS master key.
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
Diffstat (limited to 'src/Mount')
-rw-r--r--src/Mount/Mount.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c
index c3898b72..444e44d7 100644
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -1259,6 +1259,20 @@ static BOOL SysEncryptionOrDecryptionRequired (void)
);
}
+// Returns TRUE if system encryption master key is vulnerable
+static BOOL SysEncryptionMasterKeyVulnerable (void)
+{
+ try
+ {
+ BootEncStatus = BootEncObj->GetStatus();
+ return (BootEncStatus.DriveMounted || BootEncStatus.DriveEncrypted) && BootEncStatus.MasterKeyVulnerable;
+ }
+ catch (Exception &)
+ {
+ return FALSE;
+ }
+}
+
// Returns TRUE if the system partition/drive is completely encrypted
static BOOL SysDriveOrPartitionFullyEncrypted (BOOL bSilent)
{
@@ -7435,10 +7449,12 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
if (!Quit) // Do not care about system encryption or in-place encryption if we were launched from the system startup sequence (the wizard was added to it too).
{
+ BOOL bActionPerformed = FALSE;
if (SysEncryptionOrDecryptionRequired ())
{
if (!MutexExistsOnSystem (TC_MUTEX_NAME_SYSENC)) // If no instance of the wizard is currently taking care of system encryption
{
+ bActionPerformed = TRUE;
// We shouldn't block the mutex at this point
if (SystemEncryptionStatus == SYSENC_STATUS_PRETEST
@@ -7465,7 +7481,17 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
{
BOOL bDecrypt = FALSE;
if (AskNonSysInPlaceEncryptionResume(hwndDlg, &bDecrypt) == IDYES)
+ {
+ bActionPerformed = TRUE;
ResumeInterruptedNonSysInplaceEncProcess (bDecrypt);
+ }
+ }
+
+ if (!bActionPerformed)
+ {
+ // display warning if the master key is vulnerable
+ if (SysEncryptionMasterKeyVulnerable())
+ WarningTopMost ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE", hwndDlg);
}
}
@@ -11447,6 +11473,12 @@ int RestoreVolumeHeader (HWND hwndDlg, const wchar_t *lpszVolume)
handleError (hwndDlg, nStatus, SRC_POS);
}
+ // display a warning if the master key is vulnerable
+ if (restoredCryptoInfo->bVulnerableMasterKey)
+ {
+ Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg);
+ }
+
BOOL hiddenVol = restoredCryptoInfo->hiddenVolume;
if (legacyBackup)