diff options
| author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2024-08-02 00:20:53 +0200 |
|---|---|---|
| committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2024-08-02 00:20:53 +0200 |
| commit | ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c (patch) | |
| tree | 14dfb134969574b7f0d869c455981418c652780e /src/Mount | |
| parent | 6121ca02397e75fe51b2c76111ef836556fedb49 (diff) | |
| download | VeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.tar.gz VeraCrypt-ed1263bf8c6c678420eb1b9ad3f37d3a6d33af7c.zip | |
Implement detection of volumes with vulnerable XTS master key.
If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
Diffstat (limited to 'src/Mount')
| -rw-r--r-- | src/Mount/Mount.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index c3898b72..444e44d7 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -1259,6 +1259,20 @@ static BOOL SysEncryptionOrDecryptionRequired (void) ); } +// Returns TRUE if system encryption master key is vulnerable +static BOOL SysEncryptionMasterKeyVulnerable (void) +{ + try + { + BootEncStatus = BootEncObj->GetStatus(); + return (BootEncStatus.DriveMounted || BootEncStatus.DriveEncrypted) && BootEncStatus.MasterKeyVulnerable; + } + catch (Exception &) + { + return FALSE; + } +} + // Returns TRUE if the system partition/drive is completely encrypted static BOOL SysDriveOrPartitionFullyEncrypted (BOOL bSilent) { @@ -7435,10 +7449,12 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa if (!Quit) // Do not care about system encryption or in-place encryption if we were launched from the system startup sequence (the wizard was added to it too). { + BOOL bActionPerformed = FALSE; if (SysEncryptionOrDecryptionRequired ()) { if (!MutexExistsOnSystem (TC_MUTEX_NAME_SYSENC)) // If no instance of the wizard is currently taking care of system encryption { + bActionPerformed = TRUE; // We shouldn't block the mutex at this point if (SystemEncryptionStatus == SYSENC_STATUS_PRETEST @@ -7465,7 +7481,17 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa { BOOL bDecrypt = FALSE; if (AskNonSysInPlaceEncryptionResume(hwndDlg, &bDecrypt) == IDYES) + { + bActionPerformed = TRUE; ResumeInterruptedNonSysInplaceEncProcess (bDecrypt); + } + } + + if (!bActionPerformed) + { + // display warning if the master key is vulnerable + if (SysEncryptionMasterKeyVulnerable()) + WarningTopMost ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE", hwndDlg); } } @@ -11447,6 +11473,12 @@ int RestoreVolumeHeader (HWND hwndDlg, const wchar_t *lpszVolume) handleError (hwndDlg, nStatus, SRC_POS); } + // display a warning if the master key is vulnerable + if (restoredCryptoInfo->bVulnerableMasterKey) + { + Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg); + } + BOOL hiddenVol = restoredCryptoInfo->hiddenVolume; if (legacyBackup) |