diff options
Diffstat (limited to 'src/Common/BootEncryption.cpp')
-rw-r--r-- | src/Common/BootEncryption.cpp | 314 |
1 files changed, 160 insertions, 154 deletions
diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index 189d5a78..f79e7339 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -248,64 +248,64 @@ static unsigned char g_pbEFIDcsKEK[1137] = { 0x0D, 0xC3, 0x9F, 0xEA, 0x37, 0x7B, 0xCB, 0xC3, 0x65, 0x8D, 0x71, 0xBA, 0x97, 0xA8, 0x4F, 0x69, 0x25, 0x36, 0x1D, 0x7F, 0x08, 0x54, 0xB2, 0x9A, 0x56, 0xA0, 0x8B, 0x2F, 0xBC, 0x77, 0x16, 0x89, 0xBF, 0x5C, 0xB0, 0xD2, 0xB1, 0xDA, 0x3C, 0x08, 0xD1, 0x8A, 0xC5, 0xB5, 0xA0, 0xED, 0xD1, 0xDF, 0xB1, 0xAE, 0x5F, 0x82, 0x26, 0xA4, 0x0A, 0x12, 0x1E, 0x1F, 0x18, 0x7D, 0x9E, 0x57, 0xE1, 0xA4, 0xCC, 0x90, 0x15, 0x79, 0xC9, 0x19, 0x95, 0x98, 0xCB, 0x86, 0x75, 0xC1, 0x45, 0x67, 0xD8, 0x1D, 0x02, 0x84, 0xC6, 0xF3, 0x50, 0xD7, 0xB8, 0xAB, 0x92, 0xD2, 0x4E, 0xFB, 0xA0, 0xFF, 0x28, 0xB5, 0x69, 0x17, 0xFD, 0xA9, 0x18, 0x07, 0xAB, 0xD3, 0xCD, 0x3A, 0xE7, 0xE7, 0x54, 0x61, 0x6B, 0x73, 0x88, 0xF0, 0xD9, 0xB9, 0xD6 }; bool ZipAdd (zip_t *z, const char* name, const unsigned char* pbData, DWORD cbData) { zip_error_t zerr; zip_source_t* zin = zip_source_buffer_create (pbData, cbData, 0, &zerr); if (!zin) return false; if (-1 == zip_file_add (z, name, zin, 0)) { zip_source_free (zin); return false; } return true; } -static BOOL IsWindowsMBR (const byte *buffer, size_t bufferSize) +static BOOL IsWindowsMBR (const uint8 *buffer, size_t bufferSize) { BOOL bRet = FALSE; - byte g_pbMsSignature[4] = {0x33, 0xc0, 0x8e, 0xd0}; + uint8 g_pbMsSignature[4] = {0x33, 0xc0, 0x8e, 0xd0}; const char* g_szStr1 = "Invalid partition table"; const char* g_szStr2 = "Error loading operating system"; const char* g_szStr3 = "Missing operating system"; if ((0 == memcmp (buffer, g_pbMsSignature, 4)) && (BufferContainsString (buffer, bufferSize, g_szStr1) || BufferContainsString (buffer, bufferSize, g_szStr2) || BufferContainsString (buffer, bufferSize, g_szStr3) ) ) { bRet = TRUE; } return bRet; } namespace VeraCrypt { #if !defined (SETUP) class Elevator { public: static void AddReference () { ++ReferenceCount; } @@ -363,61 +363,61 @@ namespace VeraCrypt if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } static void DeleteFile (const wstring &file) { Elevate(); CComBSTR fileBstr; DWORD result; BSTR bstr = W2BSTR(file.c_str()); if (bstr) { fileBstr.Attach (bstr); result = ElevatedComInstance->DeleteFile (fileBstr); } else { result = ERROR_OUTOFMEMORY; } if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } - static void ReadWriteFile (BOOL write, BOOL device, const wstring &filePath, byte *buffer, uint64 offset, uint32 size, DWORD *sizeDone) + static void ReadWriteFile (BOOL write, BOOL device, const wstring &filePath, uint8 *buffer, uint64 offset, uint32 size, DWORD *sizeDone) { Elevate(); DWORD result; CComBSTR bufferBstr, fileBstr; if (bufferBstr.AppendBytes ((const char *) buffer, size) != S_OK) throw ParameterIncorrect (SRC_POS); BSTR bstr = W2BSTR(filePath.c_str()); if (bstr) { fileBstr.Attach (bstr); result = ElevatedComInstance->ReadWriteFile (write, device, fileBstr, &bufferBstr, offset, size, sizeDone); } else { result = ERROR_OUTOFMEMORY; } if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } if (!write) memcpy (buffer, (BYTE *) bufferBstr.m_str, size); } static void GetFileSize (const wstring &filePath, unsigned __int64* pSize) { @@ -604,61 +604,61 @@ namespace VeraCrypt { SetLastError (ERROR_INVALID_PARAMETER); throw SystemException(SRC_POS); } DWORD result = ElevatedComInstance->GetEfiBootDeviceNumber (&outputBstr); if (pSdn) memcpy (pSdn, *(void **) &outputBstr, sizeof (STORAGE_DEVICE_NUMBER)); if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } static void GetSecureBootConfig (BOOL* pSecureBootEnabled, BOOL *pVeraCryptKeysLoaded) { Elevate(); DWORD result = ElevatedComInstance->GetSecureBootConfig (pSecureBootEnabled, pVeraCryptKeysLoaded); if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } - static void WriteEfiBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim, int hashAlg) + static void WriteEfiBootSectorUserConfig (uint8 userConfig, const string &customUserMessage, int pim, int hashAlg) { Elevate(); DWORD result; CComBSTR customUserMessageBstr; BSTR bstr = A2BSTR(customUserMessage.c_str()); if (bstr) { customUserMessageBstr.Attach (bstr); result = ElevatedComInstance->WriteEfiBootSectorUserConfig ((DWORD) userConfig, customUserMessageBstr, pim, hashAlg); } else { result = ERROR_OUTOFMEMORY; } if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } static void UpdateSetupConfigFile (bool bForInstall) { Elevate(); DWORD result = ElevatedComInstance->UpdateSetupConfigFile (bForInstall ? TRUE : FALSE); if (result != ERROR_SUCCESS) { @@ -685,145 +685,145 @@ namespace VeraCrypt { ElevatedComInstance->Release(); ElevatedComInstance = nullptr; CoUninitialize (); } } static void SetDriverServiceStartType (DWORD startType) { Elevate(); DWORD result = ElevatedComInstance->SetDriverServiceStartType (startType); if (result != ERROR_SUCCESS) { SetLastError (result); throw SystemException(SRC_POS); } } protected: static void Elevate () { if (IsAdmin()) { SetLastError (ERROR_ACCESS_DENIED); throw SystemException(SRC_POS); } if (!ElevatedComInstance || ElevatedComInstanceThreadId != GetCurrentThreadId()) { - CoInitialize (NULL); + CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE); ElevatedComInstance = GetElevatedInstance (GetActiveWindow() ? GetActiveWindow() : MainDlg); ElevatedComInstanceThreadId = GetCurrentThreadId(); } } #if defined (TCMOUNT) static ITrueCryptMainCom *ElevatedComInstance; #elif defined (VOLFORMAT) static ITrueCryptFormatCom *ElevatedComInstance; #endif static DWORD ElevatedComInstanceThreadId; static int ReferenceCount; }; #if defined (TCMOUNT) ITrueCryptMainCom *Elevator::ElevatedComInstance; #elif defined (VOLFORMAT) ITrueCryptFormatCom *Elevator::ElevatedComInstance; #endif DWORD Elevator::ElevatedComInstanceThreadId; int Elevator::ReferenceCount = 0; #else // SETUP class Elevator { public: static void AddReference () { } static void CallDriver (DWORD ioctl, void *input, DWORD inputSize, void *output, DWORD outputSize) { throw ParameterIncorrect (SRC_POS); } - static void ReadWriteFile (BOOL write, BOOL device, const wstring &filePath, byte *buffer, uint64 offset, uint32 size, DWORD *sizeDone) { throw ParameterIncorrect (SRC_POS); } + static void ReadWriteFile (BOOL write, BOOL device, const wstring &filePath, uint8 *buffer, uint64 offset, uint32 size, DWORD *sizeDone) { throw ParameterIncorrect (SRC_POS); } static void RegisterFilterDriver (bool registerDriver, BootEncryption::FilterType filterType) { throw ParameterIncorrect (SRC_POS); } static void Release () { } static void SetDriverServiceStartType (DWORD startType) { throw ParameterIncorrect (SRC_POS); } static void GetFileSize (const wstring &filePath, unsigned __int64 *pSize) { throw ParameterIncorrect (SRC_POS); } static BOOL DeviceIoControl (BOOL readOnly, BOOL device, const wstring &filePath, DWORD dwIoControlCode, LPVOID input, DWORD inputSize, LPVOID output, DWORD outputSize) { throw ParameterIncorrect (SRC_POS); } static void InstallEfiBootLoader (bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg) { throw ParameterIncorrect (SRC_POS); } static void BackupEfiSystemLoader () { throw ParameterIncorrect (SRC_POS); } static void RestoreEfiSystemLoader () { throw ParameterIncorrect (SRC_POS); } static void GetEfiBootDeviceNumber (PSTORAGE_DEVICE_NUMBER pSdn) { throw ParameterIncorrect (SRC_POS); } - static void WriteEfiBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim, int hashAlg) { throw ParameterIncorrect (SRC_POS); } + static void WriteEfiBootSectorUserConfig (uint8 userConfig, const string &customUserMessage, int pim, int hashAlg) { throw ParameterIncorrect (SRC_POS); } static void UpdateSetupConfigFile (bool bForInstall) { throw ParameterIncorrect (SRC_POS); } static void GetSecureBootConfig (BOOL* pSecureBootEnabled, BOOL *pVeraCryptKeysLoaded) { throw ParameterIncorrect (SRC_POS); } }; #endif // SETUP File::File (wstring path, bool readOnly, bool create) : Elevated (false), FileOpen (false), ReadOnly (readOnly), LastError(0) { Handle = CreateFile (path.c_str(), readOnly ? GENERIC_READ : GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, create ? CREATE_ALWAYS : OPEN_EXISTING, FILE_FLAG_RANDOM_ACCESS | FILE_FLAG_WRITE_THROUGH, NULL); if (Handle != INVALID_HANDLE_VALUE) { FileOpen = true; } else { LastError = GetLastError(); if (LastError == ERROR_ACCESS_DENIED && IsUacSupported()) { Elevated = true; FileOpen = true; } } FilePointerPosition = 0; IsDevice = false; Path = path; } void File::Close () { if (Handle != INVALID_HANDLE_VALUE) { CloseHandle (Handle); Handle = INVALID_HANDLE_VALUE; } FileOpen = false; } - DWORD File::Read (byte *buffer, DWORD size) + DWORD File::Read (uint8 *buffer, DWORD size) { DWORD bytesRead; if (!FileOpen) { SetLastError (LastError); throw SystemException (SRC_POS); } if (Elevated) { Elevator::ReadWriteFile (false, IsDevice, Path, buffer, FilePointerPosition, size, &bytesRead); FilePointerPosition += bytesRead; return bytesRead; } if (!ReadFile (Handle, buffer, size, &bytesRead, NULL)) { DWORD dwLastError = GetLastError(); if ((dwLastError == ERROR_INVALID_PARAMETER) && IsDevice && (size % 4096)) { DWORD remainingSize = (size % 4096); DWORD alignedSize = size - remainingSize; LARGE_INTEGER offset; if (alignedSize) { if (ReadFile (Handle, buffer, alignedSize, &bytesRead, NULL)) { if (bytesRead < alignedSize) @@ -874,61 +874,61 @@ namespace VeraCrypt } void File::GetFileSize (unsigned __int64& size) { if (!FileOpen) { SetLastError (LastError); throw SystemException (SRC_POS); } if (Elevated) { Elevator::GetFileSize (Path, &size); } else { LARGE_INTEGER lSize; lSize.QuadPart = 0; throw_sys_if (!GetFileSizeEx (Handle, &lSize)); size = (unsigned __int64) lSize.QuadPart; } } void File::GetFileSize (DWORD& dwSize) { unsigned __int64 size64; GetFileSize (size64); dwSize = (DWORD) size64; } - void File::Write (byte *buffer, DWORD size) + void File::Write (uint8 *buffer, DWORD size) { DWORD bytesWritten; if (!FileOpen) { SetLastError (LastError); throw SystemException (SRC_POS); } try { if (Elevated) { Elevator::ReadWriteFile (true, IsDevice, Path, buffer, FilePointerPosition, size, &bytesWritten); FilePointerPosition += bytesWritten; throw_sys_if (bytesWritten != size); } else { if (!WriteFile (Handle, buffer, size, &bytesWritten, NULL)) { DWORD dwLastError = GetLastError (); if ((ERROR_INVALID_PARAMETER == dwLastError) && IsDevice && !ReadOnly && (size % 4096)) { bool bSuccess = false; DWORD remainingSize = (size % 4096); DWORD alignedSize = size - remainingSize; DWORD bytesRead = 0; bytesWritten = 0; if (alignedSize) @@ -1121,61 +1121,61 @@ namespace VeraCrypt } } // Finds the first partition physically located behind the active one and returns its properties Partition BootEncryption::GetPartitionForHiddenOS () { Partition candidatePartition; memset (&candidatePartition, 0, sizeof(candidatePartition)); // The user may have modified/added/deleted partitions since the time the partition table was last scanned InvalidateCachedSysDriveProperties(); SystemDriveConfiguration config = GetSystemDriveConfiguration (); bool activePartitionFound = false; bool candidateForHiddenOSFound = false; if (!config.SystemPartition.IsGPT) { // throw ParameterIncorrect (SRC_POS); // It is assumed that CheckRequirements() had been called // Find the first active partition on the system drive foreach (const Partition &partition, config.Partitions) { if (partition.Info.BootIndicator) { if (partition.Info.PartitionNumber != config.SystemPartition.Number) { // If there is an extra boot partition, the system partition must be located right behind it - if (IsOSAtLeast (WIN_7) && config.ExtraBootPartitionPresent) + if (config.ExtraBootPartitionPresent) { int64 minOffsetFound = config.DrivePartition.Info.PartitionLength.QuadPart; Partition bootPartition = partition; Partition partitionBehindBoot; foreach (const Partition &partition, config.Partitions) { if (partition.Info.StartingOffset.QuadPart > bootPartition.Info.StartingOffset.QuadPart && partition.Info.StartingOffset.QuadPart < minOffsetFound) { minOffsetFound = partition.Info.StartingOffset.QuadPart; partitionBehindBoot = partition; } } if (minOffsetFound != config.DrivePartition.Info.PartitionLength.QuadPart && partitionBehindBoot.Number == config.SystemPartition.Number) { activePartitionFound = true; break; } } throw ErrorException (wstring (GetString ("SYSTEM_PARTITION_NOT_ACTIVE")) + GetRemarksOnHiddenOS(), SRC_POS); } activePartitionFound = true; break; } @@ -1249,86 +1249,63 @@ namespace VeraCrypt wstring BootEncryption::GetRemarksOnHiddenOS () { return (wstring (L"\n\n") + GetString ("TWO_SYSTEMS_IN_ONE_PARTITION_REMARK") + L"\n\n" + GetString ("FOR_MORE_INFO_ON_PARTITIONS")); } void BootEncryption::SetDriverServiceStartType (DWORD startType) { if (!IsAdmin() && IsUacSupported()) { Elevator::SetDriverServiceStartType (startType); return; } BOOL startOnBoot = (startType == SERVICE_BOOT_START); SC_HANDLE serviceManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS); throw_sys_if (!serviceManager); finally_do_arg (SC_HANDLE, serviceManager, { CloseServiceHandle (finally_arg); }); SC_HANDLE service = OpenService (serviceManager, L"veracrypt", SERVICE_CHANGE_CONFIG); throw_sys_if (!service); finally_do_arg (SC_HANDLE, service, { CloseServiceHandle (finally_arg); }); - // Windows versions preceding Vista can be installed on FAT filesystem which does not - // support long filenames during boot. Convert the driver path to short form if required. - wstring driverPath; - if (startOnBoot && !IsOSAtLeast (WIN_VISTA)) - { - wchar_t pathBuf[MAX_PATH]; - wchar_t filesystem[128]; - - wstring path (GetWindowsDirectory()); - path += L"\\drivers\\veracrypt.sys"; - - if (GetVolumePathName (path.c_str(), pathBuf, ARRAYSIZE (pathBuf)) - && GetVolumeInformation (pathBuf, NULL, 0, NULL, NULL, NULL, filesystem, ARRAYSIZE(filesystem)) - && wmemcmp (filesystem, L"FAT", 3) == 0) - { - throw_sys_if (GetShortPathName (path.c_str(), pathBuf, ARRAYSIZE (pathBuf)) == 0); - - // Convert absolute path to relative to the Windows directory - driverPath = pathBuf; - driverPath = driverPath.substr (driverPath.rfind (L"\\", driverPath.rfind (L"\\", driverPath.rfind (L"\\") - 1) - 1) + 1); - } - } - throw_sys_if (!ChangeServiceConfig (service, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, startOnBoot ? SERVICE_ERROR_SEVERE : SERVICE_ERROR_NORMAL, - driverPath.empty() ? NULL : driverPath.c_str(), + NULL, startOnBoot ? L"Filter" : NULL, NULL, NULL, NULL, NULL, NULL)); // ChangeServiceConfig() rejects SERVICE_BOOT_START with ERROR_INVALID_PARAMETER throw_sys_if (!WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", L"Start", startType)); } void BootEncryption::ProbeRealSystemDriveSize () { if (RealSystemDriveSizeValid) return; GetSystemDriveConfiguration(); ProbeRealDriveSizeRequest request; StringCchCopyW (request.DeviceName, ARRAYSIZE (request.DeviceName), DriveConfig.DrivePartition.DevicePath.c_str()); CallDriver (TC_IOCTL_PROBE_REAL_DRIVE_SIZE, &request, sizeof (request), &request, sizeof (request)); DriveConfig.DrivePartition.Info.PartitionLength = request.RealDriveSize; RealSystemDriveSizeValid = true; if (request.TimeOut) throw TimeOut (SRC_POS); } void BootEncryption::InvalidateCachedSysDriveProperties () { @@ -1419,170 +1396,171 @@ namespace VeraCrypt #ifndef SETUP DISK_GEOMETRY_EX BootEncryption::GetDriveGeometry (int driveNumber) { wstringstream devName; devName << L"\\Device\\Harddisk" << driveNumber << L"\\Partition0"; DISK_GEOMETRY_EX geometry; throw_sys_if (!::GetDriveGeometry (devName.str().c_str(), &geometry)); return geometry; } #endif // !SETUP wstring BootEncryption::GetWindowsDirectory () { wchar_t buf[MAX_PATH]; throw_sys_if (GetSystemDirectory (buf, ARRAYSIZE (buf)) == 0); return wstring (buf); } uint16 BootEncryption::GetInstalledBootLoaderVersion () { uint16 version; CallDriver (TC_IOCTL_GET_BOOT_LOADER_VERSION, NULL, 0, &version, sizeof (version)); return version; } - void BootEncryption::GetInstalledBootLoaderFingerprint (byte fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]) + void BootEncryption::GetInstalledBootLoaderFingerprint (uint8 fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]) { BootLoaderFingerprintRequest request; CallDriver (VC_IOCTL_GET_BOOT_LOADER_FINGERPRINT, NULL, 0, &request, sizeof (request)); memcpy (fingerprint, request.Fingerprint, sizeof (request.Fingerprint)); } #ifndef SETUP // Note that this does not require admin rights (it just requires the driver to be running) bool BootEncryption::IsBootLoaderOnDrive (wchar_t *devicePath) { try { OPEN_TEST_STRUCT openTestStruct; memset (&openTestStruct, 0, sizeof (openTestStruct)); DWORD dwResult; StringCchCopyW (&openTestStruct.wszFileName[0], ARRAYSIZE(openTestStruct.wszFileName),devicePath); openTestStruct.bDetectTCBootLoader = TRUE; return (DeviceIoControl (hDriver, TC_IOCTL_OPEN_TEST, &openTestStruct, sizeof (OPEN_TEST_STRUCT), &openTestStruct, sizeof (OPEN_TEST_STRUCT), &dwResult, NULL) && openTestStruct.TCBootLoaderDetected); } catch (...) { return false; } } #endif BootEncryptionStatus BootEncryption::GetStatus () { /* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */ BootEncryptionStatus status; + memset (&status, 0, sizeof(status)); CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_STATUS, NULL, 0, &status, sizeof (status)); return status; } void BootEncryption::GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties) { if (properties == NULL) throw ParameterIncorrect (SRC_POS); CallDriver (TC_IOCTL_GET_BOOT_DRIVE_VOLUME_PROPERTIES, NULL, 0, properties, sizeof (*properties)); } bool BootEncryption::IsHiddenSystemRunning () { int hiddenSystemStatus; CallDriver (TC_IOCTL_IS_HIDDEN_SYSTEM_RUNNING, nullptr, 0, &hiddenSystemStatus, sizeof (hiddenSystemStatus)); return hiddenSystemStatus != 0; } - bool BootEncryption::SystemDriveContainsPartitionType (byte type) + bool BootEncryption::SystemDriveContainsPartitionType (uint8 type) { Device device (GetSystemDriveConfiguration().DevicePath, true); device.CheckOpened (SRC_POS); - byte mbrBuf[TC_SECTOR_SIZE_BIOS]; + uint8 mbrBuf[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbrBuf, sizeof (mbrBuf)); MBR *mbr = reinterpret_cast <MBR *> (mbrBuf); if (mbr->Signature != 0xaa55) throw ParameterIncorrect (SRC_POS); for (size_t i = 0; i < array_capacity (mbr->Partitions); ++i) { if (mbr->Partitions[i].Type == type) return true; } return false; } bool BootEncryption::SystemDriveContainsExtendedPartition () { return SystemDriveContainsPartitionType (PARTITION_EXTENDED) || SystemDriveContainsPartitionType (PARTITION_XINT13_EXTENDED); } bool BootEncryption::SystemDriveContainsNonStandardPartitions () { for (int partitionType = 1; partitionType <= 0xff; ++partitionType) { switch (partitionType) { case PARTITION_FAT_12: case PARTITION_FAT_16: case PARTITION_EXTENDED: case PARTITION_HUGE: case PARTITION_IFS: case PARTITION_FAT32: case PARTITION_FAT32_XINT13: case PARTITION_XINT13: case PARTITION_XINT13_EXTENDED: continue; } - if (SystemDriveContainsPartitionType ((byte) partitionType)) + if (SystemDriveContainsPartitionType ((uint8) partitionType)) return true; } return false; } bool BootEncryption::SystemDriveIsDynamic () { GetSystemDriveConfigurationRequest request; memset (&request, 0, sizeof (request)); StringCchCopyW (request.DevicePath, ARRAYSIZE (request.DevicePath), GetSystemDriveConfiguration().DeviceKernelPath.c_str()); CallDriver (TC_IOCTL_GET_SYSTEM_DRIVE_CONFIG, &request, sizeof (request), &request, sizeof (request)); return request.DriveIsDynamic ? true : false; } SystemDriveConfiguration BootEncryption::GetSystemDriveConfiguration () { if (DriveConfigValid) return DriveConfig; SystemDriveConfiguration config; wstring winDir = GetWindowsDirectory(); // Scan all drives for (int driveNumber = 0; driveNumber < 32; ++driveNumber) { @@ -1634,127 +1612,129 @@ namespace VeraCrypt config.DrivePartition = partitions.front(); partitions.pop_front(); config.Partitions = partitions; config.InitialUnallocatedSpace = 0x7fffFFFFffffFFFFull; config.TotalUnallocatedSpace = config.DrivePartition.Info.PartitionLength.QuadPart; foreach (const Partition &part, config.Partitions) { if (part.Info.StartingOffset.QuadPart < config.InitialUnallocatedSpace) config.InitialUnallocatedSpace = part.Info.StartingOffset.QuadPart; config.TotalUnallocatedSpace -= part.Info.PartitionLength.QuadPart; } DriveConfig = config; DriveConfigValid = true; return DriveConfig; } } throw ParameterIncorrect (SRC_POS); } bool BootEncryption::SystemPartitionCoversWholeDrive () { SystemDriveConfiguration config = GetSystemDriveConfiguration(); - if (IsOSAtLeast (WIN_7) - && config.Partitions.size() == 2 + if (config.Partitions.size() == 2 && config.ExtraBootPartitionPresent && config.DrivePartition.Info.PartitionLength.QuadPart - config.SystemPartition.Info.PartitionLength.QuadPart < 164 * BYTES_PER_MB) { return true; } return config.Partitions.size() == 1 && config.DrivePartition.Info.PartitionLength.QuadPart - config.SystemPartition.Info.PartitionLength.QuadPart < 64 * BYTES_PER_MB; } - uint32 BootEncryption::GetChecksum (byte *data, size_t size) + uint32 BootEncryption::GetChecksum (uint8 *data, size_t size) { uint32 sum = 0; while (size-- > 0) { sum += *data++; sum = _rotl (sum, 1); } return sum; } - void BootEncryption::CreateBootLoaderInMemory (byte *buffer, size_t bufferSize, bool rescueDisk, bool hiddenOSCreation) + void BootEncryption::CreateBootLoaderInMemory (uint8 *buffer, size_t bufferSize, bool rescueDisk, bool hiddenOSCreation) { if (bufferSize < TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE) throw ParameterIncorrect (SRC_POS); ZeroMemory (buffer, bufferSize); int ea = 0; int pkcs5_prf = 0; BOOL bIsGPT = GetSystemDriveConfiguration().SystemPartition.IsGPT; if (GetStatus().DriveMounted) { try { GetBootEncryptionAlgorithmNameRequest request; // since we added new field to GetBootEncryptionAlgorithmNameRequest since version 1.0f // we zero all the structure so that if we are talking to an older driver, the field // BootPrfAlgorithmName will be an empty string ZeroMemory(&request, sizeof(request)); CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_ALGORITHM_NAME, NULL, 0, &request, sizeof (request)); if (_stricmp (request.BootEncryptionAlgorithmName, "AES") == 0) ea = AES; - else if (_stricmp (request.BootEncryptionAlgorithmName, "Serpent") == 0) + #ifndef WOLFCRYPT_BACKEND + else if (_stricmp (request.BootEncryptionAlgorithmName, "Camellia") == 0) + ea = CAMELLIA; + else if (_stricmp (request.BootEncryptionAlgorithmName, "Serpent") == 0) ea = SERPENT; else if (_stricmp (request.BootEncryptionAlgorithmName, "Twofish") == 0) ea = TWOFISH; - else if (_stricmp (request.BootEncryptionAlgorithmName, "Camellia") == 0) - ea = CAMELLIA; - + #endif if (_stricmp(request.BootPrfAlgorithmName, "SHA-256") == 0) pkcs5_prf = SHA256; - else if (_stricmp(request.BootPrfAlgorithmName, "BLAKE2s-256") == 0) - pkcs5_prf = BLAKE2S; - else if (_stricmp(request.BootPrfAlgorithmName, "SHA-512") == 0) + else if (_stricmp(request.BootPrfAlgorithmName, "SHA-512") == 0) pkcs5_prf = SHA512; + #ifndef WOLFCRYPT_BACKEND + else if (_stricmp(request.BootPrfAlgorithmName, "BLAKE2s-256") == 0) + pkcs5_prf = BLAKE2S; else if (_stricmp(request.BootPrfAlgorithmName, "Whirlpool") == 0) pkcs5_prf = WHIRLPOOL; else if (_stricmp(request.BootPrfAlgorithmName, "Streebog") == 0) pkcs5_prf = STREEBOG; + #endif else if (strlen(request.BootPrfAlgorithmName) == 0) // case of version < 1.0f pkcs5_prf = BLAKE2S; } catch (...) { try { VOLUME_PROPERTIES_STRUCT properties; GetVolumeProperties (&properties); ea = properties.ea; pkcs5_prf = properties.pkcs5; } catch (...) { } } if (pkcs5_prf == 0) throw ParameterIncorrect (SRC_POS); } else { if (SelectedEncryptionAlgorithmId == 0 || SelectedPrfAlgorithmId == 0) throw ParameterIncorrect (SRC_POS); ea = SelectedEncryptionAlgorithmId; pkcs5_prf = SelectedPrfAlgorithmId; } // Only BLAKE2s and SHA-256 are supported for MBR boot loader if (!bIsGPT && pkcs5_prf != BLAKE2S && pkcs5_prf != SHA256) throw ParameterIncorrect (SRC_POS); @@ -1803,122 +1783,121 @@ namespace VeraCrypt case TWOFISH: if (pkcs5_prf == SHA256) { bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH_SHA2 : IDR_BOOT_SECTOR_TWOFISH_SHA2; bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH_SHA2 : IDR_BOOT_LOADER_TWOFISH_SHA2; } else { bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH : IDR_BOOT_SECTOR_TWOFISH; bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH : IDR_BOOT_LOADER_TWOFISH; } break; case CAMELLIA: if (pkcs5_prf == SHA256) { bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_CAMELLIA_SHA2 : IDR_BOOT_SECTOR_CAMELLIA_SHA2; bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_CAMELLIA_SHA2 : IDR_BOOT_LOADER_CAMELLIA_SHA2; } else { bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_CAMELLIA : IDR_BOOT_SECTOR_CAMELLIA; bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_CAMELLIA : IDR_BOOT_LOADER_CAMELLIA; } break; } // Boot sector DWORD size; - byte *bootSecResourceImg = MapResource (L"BIN", bootSectorId, &size); + uint8 *bootSecResourceImg = MapResource (L"BIN", bootSectorId, &size); if (!bootSecResourceImg || size != TC_SECTOR_SIZE_BIOS) throw ParameterIncorrect (SRC_POS); memcpy (buffer, bootSecResourceImg, size); *(uint16 *) (buffer + TC_BOOT_SECTOR_VERSION_OFFSET) = BE16 (VERSION_NUM); - if (IsOSAtLeast (WIN_VISTA)) - buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_WINDOWS_VISTA_OR_LATER; + buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_WINDOWS_VISTA_OR_LATER; if (rescueDisk && (ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION)) buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_RESCUE_DISABLE_HW_ENCRYPTION; // Checksum of the backup header of the outer volume for the hidden system if (hiddenOSCreation) { Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); - byte headerSector[TC_SECTOR_SIZE_BIOS]; + uint8 headerSector[TC_SECTOR_SIZE_BIOS]; device.SeekAt (HiddenOSCandidatePartition.Info.StartingOffset.QuadPart + HiddenOSCandidatePartition.Info.PartitionLength.QuadPart - TC_VOLUME_HEADER_GROUP_SIZE + TC_VOLUME_HEADER_EFFECTIVE_SIZE); device.Read (headerSector, sizeof (headerSector)); *(uint32 *) (buffer + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET) = GetCrc32 (headerSector, sizeof (headerSector)); } // Decompressor - byte *decompressor = MapResource (L"BIN", IDR_BOOT_LOADER_DECOMPRESSOR, &size); + uint8 *decompressor = MapResource (L"BIN", IDR_BOOT_LOADER_DECOMPRESSOR, &size); if (!decompressor || size > TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS) throw ParameterIncorrect (SRC_POS); memcpy (buffer + TC_SECTOR_SIZE_BIOS, decompressor, size); // Compressed boot loader - byte *bootLoader = MapResource (L"BIN", bootLoaderId, &size); + uint8 *bootLoader = MapResource (L"BIN", bootLoaderId, &size); if (!bootLoader || size > TC_MAX_BOOT_LOADER_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS) throw ParameterIncorrect (SRC_POS); memcpy (buffer + TC_SECTOR_SIZE_BIOS + TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS, bootLoader, size); // Boot loader and decompressor checksum *(uint16 *) (buffer + TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET) = static_cast <uint16> (size); *(uint32 *) (buffer + TC_BOOT_SECTOR_LOADER_CHECKSUM_OFFSET) = GetChecksum (buffer + TC_SECTOR_SIZE_BIOS, TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS + size); // Backup of decompressor and boot loader if (size + TC_BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS <= TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS) { memcpy (buffer + TC_SECTOR_SIZE_BIOS + TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS, buffer + TC_SECTOR_SIZE_BIOS, TC_BOOT_LOADER_BACKUP_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS); buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_BACKUP_LOADER_AVAILABLE; } else if (!rescueDisk && bootLoaderId != IDR_BOOT_LOADER && bootLoaderId != IDR_BOOT_LOADER_SHA2) { throw ParameterIncorrect (SRC_POS); } } // return false when the user cancel an elevation request - bool BootEncryption::ReadBootSectorConfig (byte *config, size_t bufLength, byte *userConfig, string *customUserMessage, uint16 *bootLoaderVersion) + bool BootEncryption::ReadBootSectorConfig (uint8 *config, size_t bufLength, uint8 *userConfig, string *customUserMessage, uint16 *bootLoaderVersion) { bool bCanceled = false, bExceptionOccured = false; try { if (GetSystemDriveConfiguration().SystemPartition.IsGPT) { // for now, we don't support any boot config flags, like hidden OS one if (config) memset (config, 0, bufLength); // call ReadESPFile only when needed since it requires elevation if (userConfig || customUserMessage || bootLoaderVersion) { std::string confContent = ReadESPFile (L"\\EFI\\VeraCrypt\\DcsProp", true); EfiBootConf conf; conf.Load ((char*) confContent.c_str()); if (userConfig) { *userConfig = 0; if (!conf.requestPim) *userConfig |= TC_BOOT_USER_CFG_FLAG_DISABLE_PIM; if (!conf.requestHash) *userConfig |= TC_BOOT_USER_CFG_FLAG_STORE_HASH; } if (customUserMessage) customUserMessage->clear(); @@ -1957,176 +1936,176 @@ namespace VeraCrypt } catch (UserAbort&) { bCanceled = true; bExceptionOccured= true; } catch (...) { bExceptionOccured = true; } if (bExceptionOccured) { if (config) *config = 0; if (userConfig) *userConfig = 0; if (customUserMessage) customUserMessage->clear(); if (bootLoaderVersion) *bootLoaderVersion = 0; } return !bCanceled; } - void BootEncryption::WriteBootSectorConfig (const byte newConfig[]) + void BootEncryption::WriteBootSectorConfig (const uint8 newConfig[]) { Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); - byte mbr[TC_SECTOR_SIZE_BIOS]; + uint8 mbr[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbr, sizeof (mbr)); memcpy (mbr + TC_BOOT_SECTOR_CONFIG_OFFSET, newConfig, TC_BOOT_CFG_FLAG_AREA_SIZE); device.SeekAt (0); device.Write (mbr, sizeof (mbr)); - byte mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; + uint8 mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbrVerificationBuf, sizeof (mbr)); if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0) throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS); } - void BootEncryption::WriteEfiBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim, int hashAlg) + void BootEncryption::WriteEfiBootSectorUserConfig (uint8 userConfig, const string &customUserMessage, int pim, int hashAlg) { if (!IsAdmin() && IsUacSupported()) { Elevator::WriteEfiBootSectorUserConfig (userConfig, customUserMessage, pim, hashAlg); } else { EfiBootInst.PrepareBootPartition(); if (! (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)) pim = -1; if (! (userConfig & TC_BOOT_USER_CFG_FLAG_STORE_HASH)) hashAlg = -1; EfiBootInst.UpdateConfig (L"\\EFI\\VeraCrypt\\DcsProp", pim, hashAlg, ParentWindow); } } - void BootEncryption::WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim, int hashAlg) + void BootEncryption::WriteBootSectorUserConfig (uint8 userConfig, const string &customUserMessage, int pim, int hashAlg) { if (GetSystemDriveConfiguration().SystemPartition.IsGPT) { WriteEfiBootSectorUserConfig (userConfig, customUserMessage, pim, hashAlg); } else { Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); - byte mbr[TC_SECTOR_SIZE_BIOS]; + uint8 mbr[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbr, sizeof (mbr)); if (!BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME) || BE16 (*(uint16 *) (mbr + TC_BOOT_SECTOR_VERSION_OFFSET)) != VERSION_NUM) { return; } mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = userConfig; memset (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, 0, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH); if (!customUserMessage.empty()) { if (customUserMessage.size() > TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH) throw ParameterIncorrect (SRC_POS); memcpy (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, customUserMessage.c_str(), customUserMessage.size()); } if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) { // PIM for pre-boot authentication can be encoded on two bytes since its maximum // value is 65535 (0xFFFF) memcpy (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE); } else memset (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, 0, TC_BOOT_SECTOR_PIM_VALUE_SIZE); device.SeekAt (0); device.Write (mbr, sizeof (mbr)); - byte mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; + uint8 mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbrVerificationBuf, sizeof (mbr)); if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0) throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS); } } unsigned int BootEncryption::GetHiddenOSCreationPhase () { - byte configFlags [TC_BOOT_CFG_FLAG_AREA_SIZE]; + uint8 configFlags [TC_BOOT_CFG_FLAG_AREA_SIZE]; ReadBootSectorConfig (configFlags, sizeof(configFlags)); return (configFlags[0] & TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE); } void BootEncryption::SetHiddenOSCreationPhase (unsigned int newPhase) { #if TC_BOOT_CFG_FLAG_AREA_SIZE != 1 # error TC_BOOT_CFG_FLAG_AREA_SIZE != 1; revise GetHiddenOSCreationPhase() and SetHiddenOSCreationPhase() #endif - byte configFlags [TC_BOOT_CFG_FLAG_AREA_SIZE]; + uint8 configFlags [TC_BOOT_CFG_FLAG_AREA_SIZE]; ReadBootSectorConfig (configFlags, sizeof(configFlags)); - configFlags[0] &= (byte) ~TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE; + configFlags[0] &= (uint8) ~TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE; configFlags[0] |= newPhase; WriteBootSectorConfig (configFlags); } #ifndef SETUP void BootEncryption::StartDecoyOSWipe (WipeAlgorithmId wipeAlgorithm) { if (!IsHiddenOSRunning()) throw ParameterIncorrect (SRC_POS); WipeDecoySystemRequest request; ZeroMemory (&request, sizeof (request)); request.WipeAlgorithm = wipeAlgorithm; if (Randinit() != ERR_SUCCESS) { if (CryptoAPILastError == ERROR_SUCCESS) throw RandInitFailed (SRC_POS, GetLastError ()); else throw CryptoApiFailed (SRC_POS, CryptoAPILastError); } /* force the display of the random enriching dialog */ SetRandomPoolEnrichedByUserStatus (FALSE); @@ -2149,89 +2128,89 @@ namespace VeraCrypt DecoySystemWipeStatus BootEncryption::GetDecoyOSWipeStatus () { DecoySystemWipeStatus status; CallDriver (TC_IOCTL_GET_DECOY_SYSTEM_WIPE_STATUS, NULL, 0, &status, sizeof (status)); return status; } void BootEncryption::CheckDecoyOSWipeResult () { CallDriver (TC_IOCTL_GET_DECOY_SYSTEM_WIPE_RESULT); } void BootEncryption::WipeHiddenOSCreationConfig () { if (IsHiddenOSRunning()) throw ParameterIncorrect (SRC_POS); if (Randinit() != ERR_SUCCESS) { if (CryptoAPILastError == ERROR_SUCCESS) throw RandInitFailed (SRC_POS, GetLastError ()); else throw CryptoApiFailed (SRC_POS, CryptoAPILastError); } Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened(SRC_POS); - byte mbr[TC_SECTOR_SIZE_BIOS]; + uint8 mbr[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbr, sizeof (mbr)); finally_do_arg (BootEncryption *, this, { try { finally_arg->SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE); } catch (...) { } }); #if PRAND_DISK_WIPE_PASSES > RNG_POOL_SIZE # error PRAND_DISK_WIPE_PASSES > RNG_POOL_SIZE #endif - byte randData[PRAND_DISK_WIPE_PASSES]; + uint8 randData[PRAND_DISK_WIPE_PASSES]; if (!RandgetBytes (ParentWindow, randData, sizeof (randData), FALSE)) throw ParameterIncorrect (SRC_POS); for (int wipePass = 0; wipePass < PRAND_DISK_WIPE_PASSES; wipePass++) { for (int i = 0; i < TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE; ++i) { mbr[TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET + i] = randData[wipePass]; } - mbr[TC_BOOT_SECTOR_CONFIG_OFFSET] &= (byte) ~TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE; + mbr[TC_BOOT_SECTOR_CONFIG_OFFSET] &= (uint8) ~TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE; mbr[TC_BOOT_SECTOR_CONFIG_OFFSET] |= randData[wipePass] & TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE; if (wipePass == PRAND_DISK_WIPE_PASSES - 1) memset (mbr + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, 0, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE); device.SeekAt (0); device.Write (mbr, sizeof (mbr)); } for (int wipePass = 0; wipePass < PRAND_DISK_WIPE_PASSES/4 + 1; wipePass++) { SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE); SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_CLONING); SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_WIPING); SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_WIPED); } SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE); } #endif // !SETUP EfiBootConf::EfiBootConf() : passwordType (0), passwordMsg ("Password: "), passwordPicture ("login.bmp"), hashMsg ("(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) BLAKE2S (5) STREEBOG\nHash: "), hashAlgo (0), requestHash (0), pimMsg ("PIM (Leave empty for default): "), pim (0), @@ -2379,61 +2358,61 @@ namespace VeraCrypt XmlWriteHeader (configFile); fputws (L"\n\t<configuration>", configFile); WriteConfigInteger (configFile, configContent, "PasswordType", passwordType); WriteConfigString (configFile, configContent, "PasswordMsg", passwordMsg.c_str()); WriteConfigString (configFile, configContent, "PasswordPicture", passwordPicture.c_str()); WriteConfigString (configFile, configContent, "HashMsg", hashMsg.c_str()); WriteConfigInteger (configFile, configContent, "Hash", hashAlgo); WriteConfigInteger (configFile, configContent, "HashRqt", requestHash); WriteConfigString (configFile, configContent, "PimMsg", pimMsg.c_str()); WriteConfigInteger (configFile, configContent, "Pim", pim); WriteConfigInteger (configFile, configContent, "PimRqt", requestPim); WriteConfigInteger (configFile, configContent, "AuthorizeVisible", authorizeVisible); WriteConfigInteger (configFile, configContent, "AuthorizeRetry", authorizeRetry); WriteConfigInteger (configFile, configContent, "DcsBmlLockFlags", bmlLockFlags); WriteConfigInteger (configFile, configContent, "DcsBmlDriver", bmlDriverEnabled); string fieldValue; if (IsPostExecFileField(actionSuccessValue, fieldValue) && (0 == _stricmp(fieldValue.c_str(), "\\EFI\\Microsoft\\Boot\\bootmgfw.efi"))) { // fix wrong configuration file since bootmgfw.efi is now a copy of VeraCrypt and if we don't fix the DcsProp // file, veraCrypt bootloader will call itself // We first check if bootmgfw.efi is original Microsoft one. If yes, we don't do anything, otherwise we set the field to bootmgfw_ms.vc unsigned __int64 loaderSize = 0; bool bModifiedMsBoot = true; EfiBootInst.GetFileSize(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", loaderSize); if (loaderSize > 32768) { - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string const char* g_szMsBootString = "bootmgfw.pdb"; if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { bModifiedMsBoot = false; } } if (bModifiedMsBoot) actionSuccessValue = "postexec file(EFI\\Microsoft\\Boot\\bootmgfw_ms.vc)"; } WriteConfigString (configFile, configContent, "ActionSuccess", actionSuccessValue.c_str()); // Write unmodified values char* xml = configContent; char key[128], value[2048]; while (xml && (xml = XmlFindElement (xml, "config"))) { XmlGetAttributeText (xml, "key", key, sizeof (key)); XmlGetNodeText (xml, value, sizeof (value)); fwprintf (configFile, L"\n\t\t<config key=\"%hs\">%hs</config>", key, value); xml++; } fputws (L"\n\t</configuration>", configFile); @@ -2630,426 +2609,452 @@ namespace VeraCrypt devicePath += BootVolumePath; Device dev(devicePath.c_str(), TRUE); try { dev.CheckOpened(SRC_POS); } catch (...) { if (!bDisableException) throw; } if (dev.IsOpened()) { bDeviceInfoValid = dev.IoCtl(IOCTL_STORAGE_GET_DEVICE_NUMBER, NULL, 0, &sdn, sizeof(sdn)) && dev.IoCtl(IOCTL_DISK_GET_PARTITION_INFO_EX, NULL, 0, &partInfo, sizeof(partInfo)); DWORD dwLastError = GetLastError (); dev.Close(); if (!bDeviceInfoValid && !bDisableException) { SetLastError (dwLastError); throw SystemException(SRC_POS); } } } bool EfiBoot::IsEfiBoot() { DWORD BootOrderLen; BootOrderLen = GetFirmwareEnvironmentVariable(L"BootOrder", EfiVarGuid, tempBuf, sizeof(tempBuf)); - return BootOrderLen != 0; + return (BootOrderLen != 0) || (GetLastError() != ERROR_INVALID_FUNCTION); } void EfiBoot::DeleteStartExec(uint16 statrtOrderNum, wchar_t* type) { - SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, TRUE); + DWORD dwLastError; + BOOL bPrivilegesSet = IsPrivilegeEnabled (SE_SYSTEM_ENVIRONMENT_NAME); + if (!bPrivilegesSet && !SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, TRUE)) + { + dwLastError = GetLastError(); + wchar_t szMsg[128]; + StringCchPrintfW(szMsg, ARRAYSIZE(szMsg), L"Failed to set SE_SYSTEM_ENVIRONMENT_NAME privilege (error code 0x%.8X)", dwLastError); + throw ErrorException(szMsg, SRC_POS); + } // Check EFI if (!IsEfiBoot()) { - throw ErrorException(L"can not detect EFI environment", SRC_POS); + if (!bPrivilegesSet) + SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, FALSE); + throw ErrorException(L"Failed to detect EFI environment (error ERROR_INVALID_FUNCTION)", SRC_POS); } wchar_t varName[256]; StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, statrtOrderNum); SetFirmwareEnvironmentVariable(varName, EfiVarGuid, NULL, 0); wstring order = L"Order"; order.insert(0, type == NULL ? L"Boot" : type); uint32 startOrderLen = GetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, tempBuf, sizeof(tempBuf)); uint32 startOrderNumPos = UINT_MAX; bool startOrderUpdate = false; uint16* startOrder = (uint16*)tempBuf; for (uint32 i = 0; i < startOrderLen / 2; i++) { if (startOrder[i] == statrtOrderNum) { startOrderNumPos = i; break; } } // delete entry if present if (startOrderNumPos != UINT_MAX) { for (uint32 i = startOrderNumPos; i < ((startOrderLen / 2) - 1); ++i) { startOrder[i] = startOrder[i + 1]; } startOrderLen -= 2; startOrderUpdate = true; } if (startOrderUpdate) { SetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, startOrder, startOrderLen); // remove ourselves from BootNext value uint16 bootNextValue = 0; wstring next = L"Next"; next.insert(0, type == NULL ? L"Boot" : type); if ( (GetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, &bootNextValue, 2) == 2) && (bootNextValue == statrtOrderNum) ) { SetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, startOrder, 0); } } + + if (!bPrivilegesSet) + SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, FALSE); } void EfiBoot::SetStartExec(wstring description, wstring execPath, bool setBootEntry, bool forceFirstBootEntry, bool setBootNext, uint16 statrtOrderNum , wchar_t* type, uint32 attr) { - SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, TRUE); + DWORD dwLastError; + BOOL bPrivilegesSet = IsPrivilegeEnabled (SE_SYSTEM_ENVIRONMENT_NAME); + if (!bPrivilegesSet && !SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, TRUE)) + { + dwLastError = GetLastError(); + wchar_t szMsg[128]; + StringCchPrintfW(szMsg, ARRAYSIZE(szMsg), L"Failed to set SE_SYSTEM_ENVIRONMENT_NAME privilege (error code 0x%.8X)", dwLastError); + throw ErrorException(szMsg, SRC_POS); + } // Check EFI if (!IsEfiBoot()) { - throw ErrorException(L"can not detect EFI environment", SRC_POS); + if (!bPrivilegesSet) + SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, FALSE); + throw ErrorException(L"Failed to detect EFI environment (error ERROR_INVALID_FUNCTION)", SRC_POS); } if (bDeviceInfoValid) { uint32 varSize = 56; varSize += ((uint32) description.length()) * 2 + 2; varSize += ((uint32) execPath.length()) * 2 + 2; - byte *startVar = new byte[varSize]; - byte *pVar = startVar; + uint8 *startVar = new uint8[varSize]; + uint8 *pVar = startVar; // Attributes (1b Active, 1000b - Hidden) *(uint32 *)pVar = attr; pVar += sizeof(uint32); // Size Of device path + file path *(uint16 *)pVar = (uint16)(50 + execPath.length() * 2 + 2); pVar += sizeof(uint16); // description for (uint32 i = 0; i < description.length(); i++) { *(uint16 *)pVar = description[i]; pVar += sizeof(uint16); } *(uint16 *)pVar = 0; pVar += sizeof(uint16); /* EFI_DEVICE_PATH_PROTOCOL (HARDDRIVE_DEVICE_PATH \ FILE_PATH \ END) */ // Type - *(byte *)pVar = 0x04; - pVar += sizeof(byte); + *(uint8 *)pVar = 0x04; + pVar += sizeof(uint8); // SubType - *(byte *)pVar = 0x01; - pVar += sizeof(byte); + *(uint8 *)pVar = 0x01; + pVar += sizeof(uint8); // HDD dev path length *(uint16 *)pVar = 0x2A; // 42 pVar += sizeof(uint16); // PartitionNumber *(uint32 *)pVar = (uint32)partInfo.PartitionNumber; pVar += sizeof(uint32); // PartitionStart *(uint64 *)pVar = partInfo.StartingOffset.QuadPart >> 9; pVar += sizeof(uint64); // PartitiontSize *(uint64 *)pVar = partInfo.PartitionLength.QuadPart >> 9; pVar += sizeof(uint64); // GptGuid memcpy(pVar, &partInfo.Gpt.PartitionId, 16); pVar += 16; // MbrType - *(byte *)pVar = 0x02; - pVar += sizeof(byte); + *(uint8 *)pVar = 0x02; + pVar += sizeof(uint8); // SigType - *(byte *)pVar = 0x02; - pVar += sizeof(byte); + *(uint8 *)pVar = 0x02; + pVar += sizeof(uint8); // Type and sub type 04 04 (file path) *(uint16 *)pVar = 0x0404; pVar += sizeof(uint16); // SizeOfFilePath ((CHAR16)FullPath.length + sizeof(EndOfrecord marker) ) *(uint16 *)pVar = (uint16)(execPath.length() * 2 + 2 + sizeof(uint32)); pVar += sizeof(uint16); // FilePath for (uint32 i = 0; i < execPath.length(); i++) { *(uint16 *)pVar = execPath[i]; pVar += sizeof(uint16); } *(uint16 *)pVar = 0; pVar += sizeof(uint16); // EndOfrecord *(uint32 *)pVar = 0x04ff7f; pVar += sizeof(uint32); // Set variable wchar_t varName[256]; StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, statrtOrderNum); // only set value if it doesn't already exist - byte* existingVar = new byte[varSize]; + uint8* existingVar = new uint8[varSize]; DWORD existingVarLen = GetFirmwareEnvironmentVariableW (varName, EfiVarGuid, existingVar, varSize); if ((existingVarLen != varSize) || (0 != memcmp (existingVar, startVar, varSize))) SetFirmwareEnvironmentVariable(varName, EfiVarGuid, startVar, varSize); delete [] startVar; delete [] existingVar; } // Update order wstring order = L"Order"; order.insert(0, type == NULL ? L"Boot" : type); uint32 startOrderLen = GetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, tempBuf, sizeof(tempBuf)); uint32 startOrderNumPos = UINT_MAX; bool startOrderUpdate = false; uint16* startOrder = (uint16*)tempBuf; for (uint32 i = 0; i < startOrderLen / 2; i++) { if (startOrder[i] == statrtOrderNum) { startOrderNumPos = i; break; } } if (setBootEntry) { // check if first entry in BootOrder is Windows one bool bFirstEntryIsWindows = false; if (startOrderNumPos != 0) { wchar_t varName[256]; StringCchPrintfW(varName, ARRAYSIZE (varName), L"%s%04X", type == NULL ? L"Boot" : type, startOrder[0]); - byte* existingVar = new byte[512]; + uint8* existingVar = new uint8[512]; DWORD existingVarLen = GetFirmwareEnvironmentVariableW (varName, EfiVarGuid, existingVar, 512); if (existingVarLen > 0) { if (BufferContainsWideString (existingVar, existingVarLen, L"EFI\\Microsoft\\Boot\\bootmgfw.efi")) bFirstEntryIsWindows = true; } delete [] existingVar; } // Create new entry if absent if (startOrderNumPos == UINT_MAX) { if (bDeviceInfoValid) { if (forceFirstBootEntry && bFirstEntryIsWindows) { for (uint32 i = startOrderLen / 2; i > 0; --i) { startOrder[i] = startOrder[i - 1]; } startOrder[0] = statrtOrderNum; } else { startOrder[startOrderLen/2] = statrtOrderNum; } startOrderLen += 2; startOrderUpdate = true; } } else if ((startOrderNumPos > 0) && forceFirstBootEntry && bFirstEntryIsWindows) { for (uint32 i = startOrderNumPos; i > 0; --i) { startOrder[i] = startOrder[i - 1]; } startOrder[0] = statrtOrderNum; startOrderUpdate = true; } if (startOrderUpdate) { SetFirmwareEnvironmentVariable(order.c_str(), EfiVarGuid, startOrder, startOrderLen); } } if (setBootNext) { // set BootNext value wstring next = L"Next"; next.insert(0, type == NULL ? L"Boot" : type); SetFirmwareEnvironmentVariable(next.c_str(), EfiVarGuid, &statrtOrderNum, 2); } + + if (!bPrivilegesSet) + SetPrivilege(SE_SYSTEM_ENVIRONMENT_NAME, FALSE); } bool EfiBoot::CompareFiles (const wchar_t* fileName1, const wchar_t* fileName2) { bool bRet = false; File f1 (fileName1, true); File f2 (fileName2, true); if (f1.IsOpened() && f2.IsOpened()) { try { DWORD size1, size2; f1.GetFileSize (size1); f2.GetFileSize (size2); if (size1 == size2) { // same size, so now we compare content - std::vector<byte> file1Buf (8096); - std::vector<byte> file2Buf (8096); + std::vector<uint8> file1Buf (8096); + std::vector<uint8> file2Buf (8096); DWORD remainingBytes = size1, dataToRead; while (remainingBytes) { dataToRead = VC_MIN (remainingBytes, (DWORD) file1Buf.size()); DWORD f1Bytes = f1.Read (file1Buf.data(), dataToRead); DWORD f2Bytes = f2.Read (file2Buf.data(), dataToRead); if ((f1Bytes != f2Bytes) || memcmp (file1Buf.data(), file2Buf.data(), (size_t) f1Bytes)) { break; } else { remainingBytes -= f1Bytes; } } if (0 == remainingBytes) { // content is the same bRet = true; } } } catch (...) {} } f1.Close(); f2.Close(); return bRet; } - bool EfiBoot::CompareFileData (const wchar_t* fileName, const byte* data, DWORD size) + bool EfiBoot::CompareFileData (const wchar_t* fileName, const uint8* data, DWORD size) { bool bRet = false; File f(fileName, true); if (f.IsOpened ()) { try { // check if the file has the same content // if yes, don't perform any write operation to avoid changing its timestamp DWORD existingSize = 0; f.GetFileSize(existingSize); if (existingSize == size) { - std::vector<byte> fileBuf (8096); + std::vector<uint8> fileBuf (8096); DWORD remainingBytes = size, dataOffset = 0, dataToRead; while (remainingBytes) { dataToRead = VC_MIN (remainingBytes, (DWORD) fileBuf.size()); dataToRead = f.Read (fileBuf.data(), dataToRead); if (memcmp (data + dataOffset, fileBuf.data(), (size_t) dataToRead)) { break; } else { dataOffset += dataToRead; remainingBytes -= dataToRead; } } if (0 == remainingBytes) { // content is the same bRet = true; } } } catch (...){} } f.Close(); return bRet; } - void EfiBoot::SaveFile(const wchar_t* name, byte* data, DWORD size) { + void EfiBoot::SaveFile(const wchar_t* name, uint8* data, DWORD size) { wstring path = EfiBootPartPath; path += name; if (!CompareFileData (path.c_str(), data, size)) { File f(path, false, true); f.Write(data, size); f.Close(); } } bool EfiBoot::FileExists(const wchar_t* name) { wstring path = EfiBootPartPath; path += name; File f(path, true); bool bRet = f.IsOpened (); f.Close(); return bRet; } void EfiBoot::GetFileSize(const wchar_t* name, unsigned __int64& size) { wstring path = EfiBootPartPath; path += name; File f(path, true); f.GetFileSize(size); f.Close(); } - void EfiBoot::ReadFile(const wchar_t* name, byte* data, DWORD size) { + void EfiBoot::ReadFile(const wchar_t* name, uint8* data, DWORD size) { wstring path = EfiBootPartPath; path += name; File f(path, true); f.Read(data, size); f.Close(); } void EfiBoot::CopyFile(const wchar_t* name, const wchar_t* targetName) { wstring path = EfiBootPartPath; path += name; wstring targetPath; if (targetName[0] == L'\\') { targetPath = EfiBootPartPath; targetPath += targetName; } else targetPath = targetName; // if both files are the same, we don't perform copy operation if (!CompareFiles (path.c_str(), targetPath.c_str())) throw_sys_if (!::CopyFileW (path.c_str(), targetPath.c_str(), FALSE)); } BOOL EfiBoot::RenameFile(const wchar_t* name, const wchar_t* nameNew, BOOL bForce) { wstring path = EfiBootPartPath; path += name; wstring pathNew = EfiBootPartPath; pathNew += nameNew; @@ -3292,386 +3297,386 @@ namespace VeraCrypt } } } void BootEncryption::InstallBootLoader (bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg) { Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); InstallBootLoader (device, preserveUserConfig, hiddenOSCreation, pim, hashAlg); } void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation, int pim, int hashAlg) { SystemDriveConfiguration config = GetSystemDriveConfiguration(); if (config.SystemPartition.IsGPT) { if (!IsAdmin()) { if (IsUacSupported()) { Elevator::InstallEfiBootLoader (preserveUserConfig, hiddenOSCreation, pim, hashAlg); return; } else { Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow); } } DWORD sizeDcsBoot; #ifdef _WIN64 - byte *dcsBootImg = MapResource(L"BIN", IDR_EFI_DCSBOOT, &sizeDcsBoot); + uint8 *dcsBootImg = MapResource(L"BIN", IDR_EFI_DCSBOOT, &sizeDcsBoot); #else - byte *dcsBootImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBOOT : IDR_EFI_DCSBOOT32, &sizeDcsBoot); + uint8 *dcsBootImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBOOT : IDR_EFI_DCSBOOT32, &sizeDcsBoot); #endif if (!dcsBootImg) throw ErrorException(L"Out of resource DcsBoot", SRC_POS); DWORD sizeDcsInt; #ifdef _WIN64 - byte *dcsIntImg = MapResource(L"BIN", IDR_EFI_DCSINT, &sizeDcsInt); + uint8 *dcsIntImg = MapResource(L"BIN", IDR_EFI_DCSINT, &sizeDcsInt); #else - byte *dcsIntImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINT: IDR_EFI_DCSINT32, &sizeDcsInt); + uint8 *dcsIntImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINT: IDR_EFI_DCSINT32, &sizeDcsInt); #endif if (!dcsIntImg) throw ErrorException(L"Out of resource DcsInt", SRC_POS); DWORD sizeDcsCfg; #ifdef _WIN64 - byte *dcsCfgImg = MapResource(L"BIN", IDR_EFI_DCSCFG, &sizeDcsCfg); + uint8 *dcsCfgImg = MapResource(L"BIN", IDR_EFI_DCSCFG, &sizeDcsCfg); #else - byte *dcsCfgImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSCFG: IDR_EFI_DCSCFG32, &sizeDcsCfg); + uint8 *dcsCfgImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSCFG: IDR_EFI_DCSCFG32, &sizeDcsCfg); #endif if (!dcsCfgImg) throw ErrorException(L"Out of resource DcsCfg", SRC_POS); DWORD sizeLegacySpeaker; #ifdef _WIN64 - byte *LegacySpeakerImg = MapResource(L"BIN", IDR_EFI_LEGACYSPEAKER, &sizeLegacySpeaker); + uint8 *LegacySpeakerImg = MapResource(L"BIN", IDR_EFI_LEGACYSPEAKER, &sizeLegacySpeaker); #else - byte *LegacySpeakerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_LEGACYSPEAKER: IDR_EFI_LEGACYSPEAKER32, &sizeLegacySpeaker); + uint8 *LegacySpeakerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_LEGACYSPEAKER: IDR_EFI_LEGACYSPEAKER32, &sizeLegacySpeaker); #endif if (!LegacySpeakerImg) throw ErrorException(L"Out of resource LegacySpeaker", SRC_POS); #ifdef VC_EFI_CUSTOM_MODE DWORD sizeBootMenuLocker; #ifdef _WIN64 - byte *BootMenuLockerImg = MapResource(L"BIN", IDR_EFI_DCSBML, &sizeBootMenuLocker); + uint8 *BootMenuLockerImg = MapResource(L"BIN", IDR_EFI_DCSBML, &sizeBootMenuLocker); #else - byte *BootMenuLockerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBML: IDR_EFI_DCSBML32, &sizeBootMenuLocker); + uint8 *BootMenuLockerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBML: IDR_EFI_DCSBML32, &sizeBootMenuLocker); #endif if (!BootMenuLockerImg) throw ErrorException(L"Out of resource DcsBml", SRC_POS); #endif DWORD sizeDcsInfo; #ifdef _WIN64 - byte *DcsInfoImg = MapResource(L"BIN", IDR_EFI_DCSINFO, &sizeDcsInfo); + uint8 *DcsInfoImg = MapResource(L"BIN", IDR_EFI_DCSINFO, &sizeDcsInfo); #else - byte *DcsInfoImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINFO: IDR_EFI_DCSINFO32, &sizeDcsInfo); + uint8 *DcsInfoImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINFO: IDR_EFI_DCSINFO32, &sizeDcsInfo); #endif if (!DcsInfoImg) throw ErrorException(L"Out of resource DcsInfo", SRC_POS); EfiBootInst.PrepareBootPartition(PostOOBEMode); try { // Save modules bool bAlreadyExist; const char* g_szMsBootString = "bootmgfw.pdb"; unsigned __int64 loaderSize = 0; const wchar_t * szStdEfiBootloader = Is64BitOs()? L"\\EFI\\Boot\\bootx64.efi": L"\\EFI\\Boot\\bootia32.efi"; const wchar_t * szBackupEfiBootloader = Is64BitOs()? L"\\EFI\\Boot\\original_bootx64.vc_backup": L"\\EFI\\Boot\\original_bootia32.vc_backup"; if (preserveUserConfig) { bool bModifiedMsBoot = true, bMissingMsBoot = false;; if (EfiBootInst.FileExists (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi")) EfiBootInst.GetFileSize(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", loaderSize); else bMissingMsBoot = true; // restore boot menu entry in case of PostOOBE if (PostOOBEMode) EfiBootInst.SetStartExec(L"VeraCrypt BootLoader (DcsBoot)", L"\\EFI\\VeraCrypt\\DcsBoot.efi", SetBootEntry, ForceFirstBootEntry, SetBootNext); if (EfiBootInst.FileExists (L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc")) { if (loaderSize > 32768) { - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { bModifiedMsBoot = false; // replace the backup with this version EfiBootInst.RenameFile (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE); } } } else { // DcsBoot.efi is always smaller than 32KB if (loaderSize > 32768) { - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) bModifiedMsBoot = false; } if (!bModifiedMsBoot) { EfiBootInst.RenameFile (L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE); } else { bool bFound = false; EfiBootConf conf; if (EfiBootInst.ReadConfig (L"\\EFI\\VeraCrypt\\DcsProp", conf) && strlen (conf.actionSuccessValue.c_str())) { wstring loaderPath; if (EfiBootConf::IsPostExecFileField (conf.actionSuccessValue, loaderPath)) { // check that it is not bootmgfw.efi if ( (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi")) && (EfiBootInst.FileExists (loaderPath.c_str())) ) { // look for bootmgfw.efi identifiant string EfiBootInst.GetFileSize(loaderPath.c_str(), loaderSize); - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(loaderPath.c_str(), &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { bFound = true; EfiBootInst.RenameFile(loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", TRUE); } } } } if (!bFound && !PostOOBEMode) throw ErrorException ("WINDOWS_EFI_BOOT_LOADER_MISSING", SRC_POS); } } if (PostOOBEMode && EfiBootInst.FileExists (L"\\EFI\\VeraCrypt\\DcsBoot.efi")) { // check if bootmgfw.efi has been set again to Microsoft version // if yes, replace it with our bootloader after it was copied to bootmgfw_ms.vc if (!bModifiedMsBoot || bMissingMsBoot) EfiBootInst.CopyFile (L"\\EFI\\VeraCrypt\\DcsBoot.efi", L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"); if (EfiBootInst.FileExists (szStdEfiBootloader)) { // check if standard bootloader under EFI\Boot has been set to Microsoft version // if yes, replace it with our bootloader EfiBootInst.GetFileSize(szStdEfiBootloader, loaderSize); if (loaderSize > 32768) { - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(szStdEfiBootloader, &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { EfiBootInst.RenameFile (szStdEfiBootloader, szBackupEfiBootloader, TRUE); EfiBootInst.CopyFile (L"\\EFI\\VeraCrypt\\DcsBoot.efi", szStdEfiBootloader); } } } return; } } EfiBootInst.MkDir(L"\\EFI\\VeraCrypt", bAlreadyExist); EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsBoot.efi", dcsBootImg, sizeDcsBoot); EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsInt.dcs", dcsIntImg, sizeDcsInt); EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsCfg.dcs", dcsCfgImg, sizeDcsCfg); EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\LegacySpeaker.dcs", LegacySpeakerImg, sizeLegacySpeaker); #ifdef VC_EFI_CUSTOM_MODE EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs", BootMenuLockerImg, sizeBootMenuLocker); #endif EfiBootInst.SaveFile(L"\\EFI\\VeraCrypt\\DcsInfo.dcs", DcsInfoImg, sizeDcsInfo); if (!preserveUserConfig) EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\PlatformInfo"); EfiBootInst.SetStartExec(L"VeraCrypt BootLoader (DcsBoot)", L"\\EFI\\VeraCrypt\\DcsBoot.efi", SetBootEntry, ForceFirstBootEntry, SetBootNext); if (EfiBootInst.FileExists (szStdEfiBootloader)) { // check if standard bootloader under EFI\Boot is Microsoft one or if it is ours // if both cases, replace it with our bootloader otherwise do nothing EfiBootInst.GetFileSize(szStdEfiBootloader, loaderSize); - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(szStdEfiBootloader, &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi or VeraCrypt identifiant strings if ( ((loaderSize > 32768) && BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) ) { EfiBootInst.RenameFile (szStdEfiBootloader, szBackupEfiBootloader, TRUE); EfiBootInst.SaveFile(szStdEfiBootloader, dcsBootImg, sizeDcsBoot); } if ( ((loaderSize <= 32768) && BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, _T(TC_APP_NAME), strlen (TC_APP_NAME) * 2)) ) { EfiBootInst.SaveFile(szStdEfiBootloader, dcsBootImg, sizeDcsBoot); } } EfiBootInst.SaveFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", dcsBootImg, sizeDcsBoot); // move configuration file from old location (if it exists) to new location // we don't force the move operation if the new location already exists EfiBootInst.RenameFile (L"\\DcsProp", L"\\EFI\\VeraCrypt\\DcsProp", FALSE); EfiBootInst.RenameFile (L"\\DcsBoot", L"\\EFI\\VeraCrypt\\DcsBoot", FALSE); // move the original bootloader backup from old location (if it exists) to new location // we don't force the move operation if the new location already exists if (Is64BitOs()) EfiBootInst.RenameFile (L"\\EFI\\Boot\\original_bootx64_vc_backup.efi", L"\\EFI\\Boot\\original_bootx64.vc_backup", FALSE); else EfiBootInst.RenameFile (L"\\EFI\\Boot\\original_bootia32_vc_backup.efi", L"\\EFI\\Boot\\original_bootia32.vc_backup", FALSE); // Clean beta9 EfiBootInst.DelFile(L"\\DcsBoot.efi"); EfiBootInst.DelFile(L"\\DcsInt.efi"); EfiBootInst.DelFile(L"\\DcsCfg.efi"); EfiBootInst.DelFile(L"\\LegacySpeaker.efi"); EfiBootInst.DelFile(L"\\DcsBoot"); EfiBootInst.DelFile(L"\\DcsProp"); #ifndef VC_EFI_CUSTOM_MODE // remove DcsBml if it exists since we don't use it in non-custom SecureBoot mode EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs"); #endif } catch (...) { throw; } EfiBootInst.WriteConfig (L"\\EFI\\VeraCrypt\\DcsProp", preserveUserConfig, pim, hashAlg, NULL, ParentWindow); } else { try { - byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0}; + uint8 bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0}; CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, hiddenOSCreation); // Write MBR - byte mbr[TC_SECTOR_SIZE_BIOS]; + uint8 mbr[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbr, sizeof (mbr)); if (preserveUserConfig && BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME)) { uint16 version = BE16 (*(uint16 *) (mbr + TC_BOOT_SECTOR_VERSION_OFFSET)); if (version != 0) { bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET]; memcpy (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH); if (bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) { if (pim >= 0) { memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE); } else memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE); } } } // perform actual write only if content is different and either we are not in PostOOBE mode or the MBR contains VeraCrypt/Windows signature. // this last check is done to avoid interfering with multi-boot configuration where MBR belongs to a boot manager like Grub if (memcmp (mbr, bootLoaderBuf, TC_MAX_MBR_BOOT_CODE_SIZE) && (!PostOOBEMode || BufferContainsString (mbr, sizeof (mbr), TC_APP_NAME) || IsWindowsMBR (mbr, sizeof (mbr)))) { memcpy (mbr, bootLoaderBuf, TC_MAX_MBR_BOOT_CODE_SIZE); device.SeekAt (0); device.Write (mbr, sizeof (mbr)); - byte mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; + uint8 mbrVerificationBuf[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbrVerificationBuf, sizeof (mbr)); if (memcmp (mbr, mbrVerificationBuf, sizeof (mbr)) != 0) throw ErrorException ("ERROR_MBR_PROTECTED", SRC_POS); } if (!PostOOBEMode) { // Write boot loader device.SeekAt (TC_SECTOR_SIZE_BIOS); device.Write (bootLoaderBuf + TC_SECTOR_SIZE_BIOS, sizeof (bootLoaderBuf) - TC_SECTOR_SIZE_BIOS); } } catch (...) { if (!PostOOBEMode) throw; } } if (!IsAdmin() && IsUacSupported()) { Elevator::UpdateSetupConfigFile (true); } else { UpdateSetupConfigFile (true); } } #ifndef SETUP bool BootEncryption::CheckBootloaderFingerprint (bool bSilent) { SystemDriveConfiguration config = GetSystemDriveConfiguration(); // return true for now when EFI system encryption is used until we implement // a dedicated EFI fingerprinting mechanism in VeraCrypt driver if (config.SystemPartition.IsGPT) return true; - byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0}; - byte fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]; - byte expectedFingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]; + uint8 bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0}; + uint8 fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]; + uint8 expectedFingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]; bool bRet = false; try { // read bootloader fingerprint GetInstalledBootLoaderFingerprint (fingerprint); // compute expected fingerprint CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, false); ::ComputeBootloaderFingerprint (bootLoaderBuf, sizeof (bootLoaderBuf), expectedFingerprint); // compare values if (0 == memcmp (fingerprint, expectedFingerprint, sizeof (expectedFingerprint))) { bRet = true; } } catch (SystemException &e) { if (!bSilent && (GetLastError () != ERROR_INVALID_IMAGE_HASH)) e.Show (ParentWindow); } catch (Exception& e) { if (!bSilent) e.Show (ParentWindow); } return bRet; } @@ -3689,113 +3694,113 @@ namespace VeraCrypt return path + L'\\' + TC_SYS_BOOT_LOADER_BACKUP_NAME; } void BootEncryption::RenameDeprecatedSystemLoaderBackup () { WCHAR pathBuf[MAX_PATH]; if (SUCCEEDED (SHGetFolderPath (NULL, CSIDL_COMMON_APPDATA, NULL, 0, pathBuf))) { wstring path = wstring (pathBuf) + L"\\" _T(TC_APP_NAME) + L'\\' + TC_SYS_BOOT_LOADER_BACKUP_NAME_LEGACY; if (FileExists (path.c_str()) && !FileExists (GetSystemLoaderBackupPath().c_str())) throw_sys_if (_wrename (path.c_str(), GetSystemLoaderBackupPath().c_str()) != 0); } } #ifndef SETUP void BootEncryption::CreateRescueIsoImage (bool initialSetup, const wstring &isoImagePath) { BootEncryptionStatus encStatus = GetStatus(); if (encStatus.SetupInProgress) throw ParameterIncorrect (SRC_POS); BOOL bIsGPT = GetSystemDriveConfiguration().SystemPartition.IsGPT; if (bIsGPT) { // create EFI disk structure DWORD sizeDcsBoot; #ifdef _WIN64 - byte *dcsBootImg = MapResource(L"BIN", IDR_EFI_DCSBOOT, &sizeDcsBoot); + uint8 *dcsBootImg = MapResource(L"BIN", IDR_EFI_DCSBOOT, &sizeDcsBoot); #else - byte *dcsBootImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBOOT : IDR_EFI_DCSBOOT32, &sizeDcsBoot); + uint8 *dcsBootImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBOOT : IDR_EFI_DCSBOOT32, &sizeDcsBoot); #endif if (!dcsBootImg) throw ParameterIncorrect (SRC_POS); DWORD sizeDcsInt; #ifdef _WIN64 - byte *dcsIntImg = MapResource(L"BIN", IDR_EFI_DCSINT, &sizeDcsInt); + uint8 *dcsIntImg = MapResource(L"BIN", IDR_EFI_DCSINT, &sizeDcsInt); #else - byte *dcsIntImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINT: IDR_EFI_DCSINT32, &sizeDcsInt); + uint8 *dcsIntImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINT: IDR_EFI_DCSINT32, &sizeDcsInt); #endif if (!dcsIntImg) throw ParameterIncorrect (SRC_POS); DWORD sizeDcsCfg; #ifdef _WIN64 - byte *dcsCfgImg = MapResource(L"BIN", IDR_EFI_DCSCFG, &sizeDcsCfg); + uint8 *dcsCfgImg = MapResource(L"BIN", IDR_EFI_DCSCFG, &sizeDcsCfg); #else - byte *dcsCfgImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSCFG: IDR_EFI_DCSCFG32, &sizeDcsCfg); + uint8 *dcsCfgImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSCFG: IDR_EFI_DCSCFG32, &sizeDcsCfg); #endif if (!dcsCfgImg) throw ParameterIncorrect (SRC_POS); DWORD sizeLegacySpeaker; #ifdef _WIN64 - byte *LegacySpeakerImg = MapResource(L"BIN", IDR_EFI_LEGACYSPEAKER, &sizeLegacySpeaker); + uint8 *LegacySpeakerImg = MapResource(L"BIN", IDR_EFI_LEGACYSPEAKER, &sizeLegacySpeaker); #else - byte *LegacySpeakerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_LEGACYSPEAKER: IDR_EFI_LEGACYSPEAKER32, &sizeLegacySpeaker); + uint8 *LegacySpeakerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_LEGACYSPEAKER: IDR_EFI_LEGACYSPEAKER32, &sizeLegacySpeaker); #endif if (!LegacySpeakerImg) throw ParameterIncorrect (SRC_POS); #ifdef VC_EFI_CUSTOM_MODE DWORD sizeBootMenuLocker; #ifdef _WIN64 - byte *BootMenuLockerImg = MapResource(L"BIN", IDR_EFI_DCSBML, &sizeBootMenuLocker); + uint8 *BootMenuLockerImg = MapResource(L"BIN", IDR_EFI_DCSBML, &sizeBootMenuLocker); #else - byte *BootMenuLockerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBML: IDR_EFI_DCSBML32, &sizeBootMenuLocker); + uint8 *BootMenuLockerImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSBML: IDR_EFI_DCSBML32, &sizeBootMenuLocker); #endif if (!BootMenuLockerImg) throw ParameterIncorrect (SRC_POS); #endif DWORD sizeDcsRescue; #ifdef _WIN64 - byte *DcsRescueImg = MapResource(L"BIN", IDR_EFI_DCSRE, &sizeDcsRescue); + uint8 *DcsRescueImg = MapResource(L"BIN", IDR_EFI_DCSRE, &sizeDcsRescue); #else - byte *DcsRescueImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSRE: IDR_EFI_DCSRE32, &sizeDcsRescue); + uint8 *DcsRescueImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSRE: IDR_EFI_DCSRE32, &sizeDcsRescue); #endif if (!DcsRescueImg) throw ParameterIncorrect (SRC_POS); DWORD sizeDcsInfo; #ifdef _WIN64 - byte *DcsInfoImg = MapResource(L"BIN", IDR_EFI_DCSINFO, &sizeDcsInfo); + uint8 *DcsInfoImg = MapResource(L"BIN", IDR_EFI_DCSINFO, &sizeDcsInfo); #else - byte *DcsInfoImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINFO: IDR_EFI_DCSINFO32, &sizeDcsInfo); + uint8 *DcsInfoImg = MapResource(L"BIN", Is64BitOs()? IDR_EFI_DCSINFO: IDR_EFI_DCSINFO32, &sizeDcsInfo); #endif if (!DcsInfoImg) throw ParameterIncorrect (SRC_POS); WCHAR szTmpPath[MAX_PATH + 1], szTmpFilePath[MAX_PATH + 1]; if (!GetTempPathW (MAX_PATH, szTmpPath)) throw SystemException (SRC_POS); if (!GetTempFileNameW (szTmpPath, L"_vrd", 0, szTmpFilePath)) throw SystemException (SRC_POS); finally_do_arg (WCHAR*, szTmpFilePath, { DeleteFileW (finally_arg);}); int ierr; // convert szTmpFilePath to UTF-8 since this is what zip_open expected char szUtf8Path[2*MAX_PATH + 1]; int utf8Len = WideCharToMultiByte (CP_UTF8, 0, szTmpFilePath, -1, szUtf8Path, sizeof (szUtf8Path), NULL, NULL); if (utf8Len <= 0) throw SystemException (SRC_POS); zip_t* z = zip_open (szUtf8Path, ZIP_CREATE | ZIP_TRUNCATE | ZIP_CHECKCONS, &ierr); if (!z) throw ParameterIncorrect (SRC_POS); finally_do_arg (zip_t**, &z, { if (*finally_arg) zip_discard (*finally_arg);}); if (!ZipAdd (z, Is64BitOs()? "EFI/Boot/bootx64.efi": "EFI/Boot/bootia32.efi", DcsRescueImg, sizeDcsRescue)) throw ParameterIncorrect (SRC_POS); #ifdef VC_EFI_CUSTOM_MODE if (!ZipAdd (z, "EFI/VeraCrypt/DcsBml.dcs", BootMenuLockerImg, sizeBootMenuLocker)) @@ -3861,84 +3866,84 @@ namespace VeraCrypt finally_do_arg (wstring, dcsPropFileName, { DeleteFileW (finally_arg.c_str()); }); if (conf.Save(dcsPropFileName.c_str(), ParentWindow)) { DWORD fileSize = 0; File propFile (dcsPropFileName, true, false); propFile.CheckOpened (SRC_POS); propFile.GetFileSize(fileSize); propBuf.Resize (fileSize); DWORD sizeDcsProp = propFile.Read (propBuf.Ptr (), fileSize); if (!ZipAdd (z, "EFI/VeraCrypt/DcsProp", propBuf.Ptr (), sizeDcsProp)) throw ParameterIncorrect (SRC_POS); } else throw ParameterIncorrect (SRC_POS); // flush the zip content to the temporary file if (zip_close (z) < 0) throw ParameterIncorrect (SRC_POS); z = NULL; // read the zip data from the temporary file FILE* ftmpFile = _wfopen (szTmpFilePath, L"rb"); if (!ftmpFile) throw ParameterIncorrect (SRC_POS); finally_do_arg (FILE*, ftmpFile, { fclose (finally_arg); }); unsigned long ulZipSize = (unsigned long) _filelength (_fileno (ftmpFile)); - RescueZipData = new byte[ulZipSize]; + RescueZipData = new uint8[ulZipSize]; if (!RescueZipData) throw bad_alloc(); if (ulZipSize != fread (RescueZipData, 1, ulZipSize, ftmpFile)) { delete [] RescueZipData; RescueZipData = NULL; throw ParameterIncorrect (SRC_POS); } RescueZipSize = ulZipSize; if (!isoImagePath.empty()) { File isoFile (isoImagePath, false, true); isoFile.Write (RescueZipData, RescueZipSize); } } else { Buffer imageBuf (RescueIsoImageSize); - byte *image = imageBuf.Ptr(); + uint8 *image = imageBuf.Ptr(); memset (image, 0, RescueIsoImageSize); // Primary volume descriptor const char* szPrimVolDesc = "\001CD001\001"; const char* szPrimVolLabel = "VeraCrypt Rescue Disk "; memcpy (image + 0x8000, szPrimVolDesc, strlen(szPrimVolDesc) + 1); memcpy (image + 0x7fff + 41, szPrimVolLabel, strlen(szPrimVolLabel) + 1); *(uint32 *) (image + 0x7fff + 81) = RescueIsoImageSize / 2048; *(uint32 *) (image + 0x7fff + 85) = BE32 (RescueIsoImageSize / 2048); image[0x7fff + 121] = 1; image[0x7fff + 124] = 1; image[0x7fff + 125] = 1; image[0x7fff + 128] = 1; image[0x7fff + 130] = 8; image[0x7fff + 131] = 8; image[0x7fff + 133] = 10; image[0x7fff + 140] = 10; image[0x7fff + 141] = 0x14; image[0x7fff + 157] = 0x22; image[0x7fff + 159] = 0x18; // Boot record volume descriptor const char* szBootRecDesc = "CD001\001EL TORITO SPECIFICATION"; memcpy (image + 0x8801, szBootRecDesc, strlen(szBootRecDesc) + 1); image[0x8800 + 0x47] = 0x19; // Volume descriptor set terminator const char* szVolDescTerm = "\377CD001\001"; memcpy (image + 0x9000, szVolDescTerm, strlen(szVolDescTerm) + 1); @@ -3992,61 +3997,61 @@ namespace VeraCrypt throw ParameterIncorrect (SRC_POS); memcpy (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET, RescueVolumeHeader, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE); } else { Device bootDevice (GetSystemDriveConfiguration().DevicePath, true); bootDevice.CheckOpened (SRC_POS); bootDevice.SeekAt (TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET); bootDevice.Read (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET, TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE); } // Original system loader try { File sysBakFile (GetSystemLoaderBackupPath(), true); sysBakFile.CheckOpened (SRC_POS); sysBakFile.Read (image + TC_CD_BOOTSECTOR_OFFSET + TC_ORIG_BOOT_LOADER_BACKUP_SECTOR_OFFSET, TC_BOOT_LOADER_AREA_SIZE); image[TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_RESCUE_DISK_ORIG_SYS_LOADER; } catch (Exception &e) { e.Show (ParentWindow); Warning ("SYS_LOADER_UNAVAILABLE_FOR_RESCUE_DISK", ParentWindow); } // Boot loader backup CreateBootLoaderInMemory (image + TC_CD_BOOTSECTOR_OFFSET + TC_BOOT_LOADER_BACKUP_RESCUE_DISK_SECTOR_OFFSET, TC_BOOT_LOADER_AREA_SIZE, false); - RescueIsoImage = new byte[RescueIsoImageSize]; + RescueIsoImage = new uint8[RescueIsoImageSize]; if (!RescueIsoImage) throw bad_alloc(); memcpy (RescueIsoImage, image, RescueIsoImageSize); if (!isoImagePath.empty()) { File isoFile (isoImagePath, false, true); isoFile.Write (image, RescueIsoImageSize); } } } #endif bool BootEncryption::IsCDRecorderPresent () { ICDBurn* pICDBurn; BOOL bHasRecorder = FALSE; if (SUCCEEDED( CoCreateInstance (CLSID_CDBurn, NULL,CLSCTX_INPROC_SERVER,IID_ICDBurn,(LPVOID*)&pICDBurn))) { if (pICDBurn->HasRecordableDrive (&bHasRecorder) != S_OK) { bHasRecorder = FALSE; } pICDBurn->Release(); } return bHasRecorder? true : false; } @@ -4365,186 +4370,186 @@ namespace VeraCrypt } return false; } #ifndef SETUP void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pim) { PCRYPTO_INFO cryptoInfo = NULL; if (!IsRandomNumberGeneratorStarted()) throw ParameterIncorrect (SRC_POS); throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, pim, NULL, &cryptoInfo, volumeSize, 0, encryptedAreaStart, 0, TC_SYSENC_KEYSCOPE_MIN_REQ_PROG_VERSION, TC_HEADER_FLAG_ENCRYPTED_SYSTEM, TC_SECTOR_SIZE_BIOS, FALSE) != 0); finally_do_arg (PCRYPTO_INFO*, &cryptoInfo, { crypto_close (*finally_arg); }); // Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize) memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader)); if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, pim, NULL, cryptoInfo)) throw ParameterIncorrect (SRC_POS); DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo); if (GetHeaderField32 (RescueVolumeHeader, TC_HEADER_OFFSET_MAGIC) != 0x56455241) throw ParameterIncorrect (SRC_POS); - byte *fieldPos = RescueVolumeHeader + TC_HEADER_OFFSET_ENCRYPTED_AREA_LENGTH; + uint8 *fieldPos = RescueVolumeHeader + TC_HEADER_OFFSET_ENCRYPTED_AREA_LENGTH; mputInt64 (fieldPos, volumeSize); // CRC of the header fields uint32 crc = GetCrc32 (RescueVolumeHeader + TC_HEADER_OFFSET_MAGIC, TC_HEADER_OFFSET_HEADER_CRC - TC_HEADER_OFFSET_MAGIC); fieldPos = RescueVolumeHeader + TC_HEADER_OFFSET_HEADER_CRC; mputLong (fieldPos, crc); EncryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo); VolumeHeaderValid = true; RescueVolumeHeaderValid = true; } void BootEncryption::InstallVolumeHeader () { if (!VolumeHeaderValid) throw ParameterIncorrect (SRC_POS); Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); device.SeekAt (TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET); - device.Write ((byte *) VolumeHeader, sizeof (VolumeHeader)); + device.Write ((uint8 *) VolumeHeader, sizeof (VolumeHeader)); } // For synchronous operations use AbortSetupWait() void BootEncryption::AbortSetup () { CallDriver (TC_IOCTL_ABORT_BOOT_ENCRYPTION_SETUP); } // For asynchronous operations use AbortSetup() void BootEncryption::AbortSetupWait () { CallDriver (TC_IOCTL_ABORT_BOOT_ENCRYPTION_SETUP); BootEncryptionStatus encStatus = GetStatus(); while (encStatus.SetupInProgress) { Sleep (TC_ABORT_TRANSFORM_WAIT_INTERVAL); encStatus = GetStatus(); } } void BootEncryption::BackupSystemLoader () { if (GetSystemDriveConfiguration().SystemPartition.IsGPT) { if (!IsAdmin()) { if (IsUacSupported()) { Elevator::BackupEfiSystemLoader (); return; } else { Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow); } } unsigned __int64 loaderSize = 0; - std::vector<byte> bootLoaderBuf; + std::vector<uint8> bootLoaderBuf; const wchar_t * szStdMsBootloader = L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi"; const wchar_t * szBackupMsBootloader = L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc"; const char* g_szMsBootString = "bootmgfw.pdb"; bool bModifiedMsBoot = true; EfiBootInst.PrepareBootPartition(); EfiBootInst.GetFileSize(szStdMsBootloader, loaderSize); bootLoaderBuf.resize ((size_t) loaderSize); EfiBootInst.ReadFile(szStdMsBootloader, &bootLoaderBuf[0], (DWORD) loaderSize); // DcsBoot.efi is always smaller than 32KB if (loaderSize > 32768) { // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) bModifiedMsBoot = false; } else { if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, _T(TC_APP_NAME), wcslen (_T(TC_APP_NAME)) * 2)) { if (AskWarnNoYes ("TC_BOOT_LOADER_ALREADY_INSTALLED", ParentWindow) == IDNO) throw UserAbort (SRC_POS); // check if backup exists already and if it has bootmgfw signature if (EfiBootInst.FileExists (szBackupMsBootloader)) { EfiBootInst.GetFileSize(szBackupMsBootloader, loaderSize); bootLoaderBuf.resize ((size_t) loaderSize); EfiBootInst.ReadFile(szBackupMsBootloader, &bootLoaderBuf[0], (DWORD) loaderSize); if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { // copy it to original location EfiBootInst.CopyFile (szBackupMsBootloader, szStdMsBootloader); bModifiedMsBoot = false; } } if (bModifiedMsBoot) return; } } if (bModifiedMsBoot) { Error ("WINDOWS_EFI_BOOT_LOADER_MISSING", ParentWindow); throw UserAbort (SRC_POS); } EfiBootInst.CopyFile (szStdMsBootloader, szBackupMsBootloader); EfiBootInst.CopyFile (szStdMsBootloader, GetSystemLoaderBackupPath().c_str()); } else { Device device (GetSystemDriveConfiguration().DevicePath, true); device.CheckOpened (SRC_POS); - byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS]; + uint8 bootLoaderBuf[TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (bootLoaderBuf, sizeof (bootLoaderBuf)); // Prevent TrueCrypt loader from being backed up for (size_t i = 0; i < sizeof (bootLoaderBuf) - strlen (TC_APP_NAME); ++i) { if (memcmp (bootLoaderBuf + i, TC_APP_NAME, strlen (TC_APP_NAME)) == 0) { if (AskWarnNoYes ("TC_BOOT_LOADER_ALREADY_INSTALLED", ParentWindow) == IDNO) throw UserAbort (SRC_POS); return; } } File backupFile (GetSystemLoaderBackupPath(), false, true); backupFile.Write (bootLoaderBuf, sizeof (bootLoaderBuf)); } } void BootEncryption::RestoreSystemLoader () { SystemDriveConfiguration config = GetSystemDriveConfiguration(); if (config.SystemPartition.IsGPT) { if (!IsAdmin()) { if (IsUacSupported()) { Elevator::RestoreEfiSystemLoader (); return; @@ -4553,106 +4558,106 @@ namespace VeraCrypt { Warning ("ADMIN_PRIVILEGES_WARN_DEVICES", ParentWindow); } } EfiBootInst.PrepareBootPartition(); EfiBootInst.DeleteStartExec(); EfiBootInst.DeleteStartExec(0xDC5B, L"Driver"); // remove DcsBml boot driver it was installed if (Is64BitOs()) EfiBootInst.RenameFile(L"\\EFI\\Boot\\original_bootx64.vc_backup", L"\\EFI\\Boot\\bootx64.efi", TRUE); else EfiBootInst.RenameFile(L"\\EFI\\Boot\\original_bootia32.vc_backup", L"\\EFI\\Boot\\bootia32.efi", TRUE); if (!EfiBootInst.RenameFile(L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc", L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", TRUE)) { EfiBootConf conf; if (EfiBootInst.ReadConfig (L"\\EFI\\VeraCrypt\\DcsProp", conf) && strlen (conf.actionSuccessValue.c_str())) { wstring loaderPath; if (EfiBootConf::IsPostExecFileField (conf.actionSuccessValue, loaderPath)) { // check that it is not bootmgfw_ms.vc or bootmgfw.efi if ( (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw_ms.vc")) && (0 != _wcsicmp (loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi")) ) { const char* g_szMsBootString = "bootmgfw.pdb"; unsigned __int64 loaderSize = 0; EfiBootInst.GetFileSize(loaderPath.c_str(), loaderSize); - std::vector<byte> bootLoaderBuf ((size_t) loaderSize); + std::vector<uint8> bootLoaderBuf ((size_t) loaderSize); EfiBootInst.ReadFile(loaderPath.c_str(), &bootLoaderBuf[0], (DWORD) loaderSize); // look for bootmgfw.efi identifiant string if (BufferHasPattern (bootLoaderBuf.data (), (size_t) loaderSize, g_szMsBootString, strlen (g_szMsBootString))) { EfiBootInst.RenameFile(loaderPath.c_str(), L"\\EFI\\Microsoft\\Boot\\bootmgfw.efi", TRUE); } } } } } EfiBootInst.DelFile(L"\\DcsBoot.efi"); EfiBootInst.DelFile(L"\\DcsInt.efi"); EfiBootInst.DelFile(L"\\DcsCfg.efi"); EfiBootInst.DelFile(L"\\LegacySpeaker.efi"); EfiBootInst.DelFile(L"\\DcsBoot"); EfiBootInst.DelFile(L"\\DcsProp"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBoot.efi"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsInt.dcs"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsCfg.dcs"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\LegacySpeaker.dcs"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBml.dcs"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsBoot"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsInfo.dcs"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\PlatformInfo"); EfiBootInst.DelFile(L"\\EFI\\VeraCrypt\\DcsProp"); EfiBootInst.DelDir (L"\\EFI\\VeraCrypt"); } else { - byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS]; + uint8 bootLoaderBuf[TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS]; File backupFile (GetSystemLoaderBackupPath(), true); backupFile.CheckOpened(SRC_POS); if (backupFile.Read (bootLoaderBuf, sizeof (bootLoaderBuf)) != sizeof (bootLoaderBuf)) throw ParameterIncorrect (SRC_POS); Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); // Preserve current partition table - byte mbr[TC_SECTOR_SIZE_BIOS]; + uint8 mbr[TC_SECTOR_SIZE_BIOS]; device.SeekAt (0); device.Read (mbr, sizeof (mbr)); memcpy (bootLoaderBuf + TC_MAX_MBR_BOOT_CODE_SIZE, mbr + TC_MAX_MBR_BOOT_CODE_SIZE, sizeof (mbr) - TC_MAX_MBR_BOOT_CODE_SIZE); device.SeekAt (0); device.Write (bootLoaderBuf, sizeof (bootLoaderBuf)); } if (!IsAdmin() && IsUacSupported()) { Elevator::UpdateSetupConfigFile (false); } else { UpdateSetupConfigFile (false); } } #endif // SETUP static bool CompareMultiString (const char* str1, const char* str2) { size_t l1, l2; if (!str1 || !str2) return false; while (true) { l1 = strlen (str1); l2 = strlen (str2); if (l1 == l2) @@ -4718,155 +4723,152 @@ namespace VeraCrypt bRet = true; break; } offset = (DWORD) strlen (mszDest) + 1; mszDest += offset; remainingSize -= offset; } } return bRet; } void BootEncryption::RegisterFilter (bool registerFilter, FilterType filterType, const GUID *deviceClassGuid) { string filter; string filterReg; HKEY regKey; switch (filterType) { case DriveFilter: case VolumeFilter: filter = "veracrypt"; filterReg = "UpperFilters"; regKey = OpenDeviceClassRegKey (deviceClassGuid); throw_sys_if (regKey == INVALID_HANDLE_VALUE); break; case DumpFilter: - if (!IsOSAtLeast (WIN_VISTA)) - return; - filter = "veracrypt.sys"; filterReg = "DumpFilters"; SetLastError (RegOpenKeyEx (HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Control\\CrashControl", 0, KEY_READ | KEY_WRITE, ®Key)); throw_sys_if (GetLastError() != ERROR_SUCCESS); break; default: throw ParameterIncorrect (SRC_POS); } finally_do_arg (HKEY, regKey, { RegCloseKey (finally_arg); }); if (registerFilter) { if (filterType != DumpFilter) { // Register class filter below all other filters in the stack size_t strSize = filter.size() + 1; - byte regKeyBuf[65536]; + uint8 regKeyBuf[65536]; DWORD size = (DWORD) (sizeof (regKeyBuf) - strSize); // SetupInstallFromInfSection() does not support prepending of values so we have to modify the registry directly StringCchCopyA ((char *) regKeyBuf, ARRAYSIZE(regKeyBuf), filter.c_str()); if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, regKeyBuf + strSize, &size) != ERROR_SUCCESS) size = 1; SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, regKeyBuf, (DWORD) strSize + size)); throw_sys_if (GetLastError() != ERROR_SUCCESS); } else { // workaround rare SetupInstallFromInfSection which overwrite value instead of appending new value // read initial value DWORD strSize = (DWORD) filter.size() + 1, expectedSize; Buffer expectedRegKeyBuf(65536), outputRegKeyBuf(65536); - byte* pbExpectedRegKeyBuf = expectedRegKeyBuf.Ptr (); - byte* pbOutputRegKeyBuf = outputRegKeyBuf.Ptr (); + uint8* pbExpectedRegKeyBuf = expectedRegKeyBuf.Ptr (); + uint8* pbOutputRegKeyBuf = outputRegKeyBuf.Ptr (); DWORD initialSize = (DWORD) (expectedRegKeyBuf.Size() - strSize - 2); if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbExpectedRegKeyBuf, &initialSize) != ERROR_SUCCESS) { StringCchCopyA ((char *) pbExpectedRegKeyBuf, expectedRegKeyBuf.Size(), filter.c_str()); pbExpectedRegKeyBuf [strSize] = 0; expectedSize = strSize + 1; } else { expectedSize = initialSize; AppendToMultiString ((char *) pbExpectedRegKeyBuf, (DWORD) expectedRegKeyBuf.Size(), expectedSize, filter.c_str()); } RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey); // check if operation successful initialSize = (DWORD) outputRegKeyBuf.Size() - 2; if (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbOutputRegKeyBuf, &initialSize) != ERROR_SUCCESS) { pbOutputRegKeyBuf [0] = 0; pbOutputRegKeyBuf [1] = 0; } else { // append two \0 at the end if they are missing if (pbOutputRegKeyBuf [initialSize - 1] != 0) { pbOutputRegKeyBuf [initialSize] = 0; pbOutputRegKeyBuf [initialSize + 1] = 0; } else if (pbOutputRegKeyBuf [initialSize - 2] != 0) { pbOutputRegKeyBuf [initialSize] = 0; } } if (!CompareMultiString ((char *) pbExpectedRegKeyBuf, (char *) pbOutputRegKeyBuf)) { // Set value manually SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, pbExpectedRegKeyBuf, expectedSize)); throw_sys_if (GetLastError() != ERROR_SUCCESS); } } } else { RegisterDriverInf (registerFilter, filter, filterReg, ParentWindow, regKey); // remove value in case it was not done properly Buffer regKeyBuf(65536); - byte* pbRegKeyBuf = regKeyBuf.Ptr (); + uint8* pbRegKeyBuf = regKeyBuf.Ptr (); DWORD initialSize = (DWORD) regKeyBuf.Size() - 2; if ( (RegQueryValueExA (regKey, filterReg.c_str(), NULL, NULL, pbRegKeyBuf, &initialSize) == ERROR_SUCCESS) && (initialSize >= ((DWORD) filter.size())) ) { // append two \0 at the end if they are missing if (pbRegKeyBuf [initialSize - 1] != 0) { pbRegKeyBuf [initialSize] = 0; pbRegKeyBuf [initialSize + 1] = 0; initialSize += 2; } else if (pbRegKeyBuf [initialSize - 2] != 0) { pbRegKeyBuf [initialSize] = 0; initialSize ++; } if (RemoveFromMultiString ((char*) pbRegKeyBuf, initialSize, filter.c_str())) { // Set value manually SetLastError (RegSetValueExA (regKey, filterReg.c_str(), 0, REG_MULTI_SZ, pbRegKeyBuf, initialSize)); throw_sys_if (GetLastError() != ERROR_SUCCESS); } } } } @@ -5054,61 +5056,61 @@ namespace VeraCrypt NULL, NULL, NULL, NULL, _T(TC_APP_NAME) L" System Favorites")); } else { RegisterSystemFavoritesService (TRUE, TRUE); } } void BootEncryption::SetDriverConfigurationFlag (uint32 flag, bool state) { DWORD configMap = ReadDriverConfigurationFlags(); if (state) configMap |= flag; else configMap &= ~flag; #ifdef SETUP WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, configMap); #else WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, configMap); #endif } void BootEncryption::SetServiceConfigurationFlag (uint32 flag, bool state) { - DWORD configMap = ReadDriverConfigurationFlags(); + DWORD configMap = ReadServiceConfigurationFlags(); if (state) configMap |= flag; else configMap &= ~flag; #ifdef SETUP WriteLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", configMap); #else WriteLocalMachineRegistryDwordValue (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", configMap); #endif } #ifndef SETUP void BootEncryption::RegisterSystemFavoritesService (BOOL registerService) { if (!IsAdmin() && IsUacSupported()) { Elevator::RegisterSystemFavoritesService (registerService); return; } RegisterSystemFavoritesService (registerService, FALSE); } void BootEncryption::GetEfiBootDeviceNumber (PSTORAGE_DEVICE_NUMBER pSdn) { SystemDriveConfiguration config = GetSystemDriveConfiguration (); if (config.SystemPartition.IsGPT && pSdn) { @@ -5300,66 +5302,66 @@ namespace VeraCrypt throw ErrorException (wstring (GetString ("USER_PROFILE_NOT_ON_SYS_PARTITION")) + GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS); } // Temporary files if (towupper (GetTempPathString()[0]) != windowsDrive) { throw ErrorException (wstring (GetString ("TEMP_NOT_ON_SYS_PARTITION")) + GetString ("LEAKS_OUTSIDE_SYSPART_UNIVERSAL_EXPLANATION"), SRC_POS); } } // This operation may take a long time when an antivirus is installed and its real-time protection enabled. // Therefore, if calling it without the wizard displayed, it should be called with displayWaitDialog set to true. void BootEncryption::Deinstall (bool displayWaitDialog) { BootEncryptionStatus encStatus = GetStatus(); if (encStatus.DriveEncrypted || encStatus.DriveMounted) throw ParameterIncorrect (SRC_POS); SystemDriveConfiguration config = GetSystemDriveConfiguration (); if (!config.SystemPartition.IsGPT) { if (encStatus.VolumeHeaderPresent) { // Verify CRC of header salt Device device(config.DevicePath, true); device.CheckOpened(SRC_POS); - byte header[TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE]; + uint8 header[TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE]; device.SeekAt(TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET); device.Read(header, sizeof(header)); - if (encStatus.VolumeHeaderSaltCrc32 != GetCrc32((byte *)header, PKCS5_SALT_SIZE)) + if (encStatus.VolumeHeaderSaltCrc32 != GetCrc32((uint8 *)header, PKCS5_SALT_SIZE)) throw ParameterIncorrect(SRC_POS); } } try { RegisterFilterDriver (false, DriveFilter); RegisterFilterDriver (false, VolumeFilter); RegisterFilterDriver (false, DumpFilter); SetDriverServiceStartType (SERVICE_SYSTEM_START); } catch (...) { try { RegisterBootDriver (IsHiddenSystemRunning()); } catch (...) { } throw; } SetHiddenOSCreationPhase (TC_HIDDEN_OS_CREATION_PHASE_NONE); // In case RestoreSystemLoader() fails try { RegisterSystemFavoritesService (FALSE); } catch (...) { } @@ -5392,67 +5394,71 @@ namespace VeraCrypt char header[TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE]; Device device (config.DevicePath); device.CheckOpened (SRC_POS); // Only one algorithm is currently supported if (pkcs5 != 0) throw ParameterIncorrect (SRC_POS); int64 headerOffset = TC_BOOT_VOLUME_HEADER_SECTOR_OFFSET; int64 backupHeaderOffset = -1; if (encStatus.HiddenSystem) { headerOffset = encStatus.HiddenSystemPartitionStart + TC_HIDDEN_VOLUME_HEADER_OFFSET; // Find hidden system partition foreach (const Partition &partition, config.Partitions) { if (partition.Info.StartingOffset.QuadPart == encStatus.HiddenSystemPartitionStart) { backupHeaderOffset = partition.Info.StartingOffset.QuadPart + partition.Info.PartitionLength.QuadPart - TC_VOLUME_HEADER_SIZE; break; } } if (backupHeaderOffset == -1) throw ParameterIncorrect (SRC_POS); } device.SeekAt (headerOffset); - device.Read ((byte *) header, sizeof (header)); + device.Read ((uint8 *) header, sizeof (header)); PCRYPTO_INFO cryptoInfo = NULL; int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pim, &cryptoInfo, NULL); finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); }); + // if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed + if ((status == 0) && cryptoInfo->bVulnerableMasterKey) + status = ERR_SYSENC_XTS_MASTERKEY_VULNERABLE; + if (status != 0) { handleError (hwndDlg, status, SRC_POS); return status; } // Change the PKCS-5 PRF if requested by user if (pkcs5 != 0) { cryptoInfo->pkcs5 = pkcs5; RandSetHashFunction (pkcs5); } if (Randinit() != 0) { if (CryptoAPILastError == ERROR_SUCCESS) throw RandInitFailed (SRC_POS, GetLastError ()); else throw CryptoApiFailed (SRC_POS, CryptoAPILastError); } finally_do ({ RandStop (FALSE); }); /* force the display of the random enriching dialog */ SetRandomPoolEnrichedByUserStatus (FALSE); NormalCursor(); UserEnrichRandomPool (hwndDlg); WaitCursor(); /* The header will be re-encrypted wipePassCount times to prevent adversaries from using @@ -5480,92 +5486,92 @@ namespace VeraCrypt PCRYPTO_INFO tmpCryptoInfo = NULL; status = CreateVolumeHeaderInMemory (hwndDlg, !encStatus.HiddenSystem, header, cryptoInfo->ea, cryptoInfo->mode, newPassword, cryptoInfo->pkcs5, pim, (char *) cryptoInfo->master_keydata, &tmpCryptoInfo, cryptoInfo->VolumeSize.Value, cryptoInfo->hiddenVolumeSize, cryptoInfo->EncryptedAreaStart.Value, cryptoInfo->EncryptedAreaLength.Value, cryptoInfo->RequiredProgramVersion, cryptoInfo->HeaderFlags | TC_HEADER_FLAG_ENCRYPTED_SYSTEM, cryptoInfo->SectorSize, wipePass < wipePassCount - 1); if (tmpCryptoInfo) crypto_close (tmpCryptoInfo); if (status != 0) { handleError (hwndDlg, status, SRC_POS); return status; } device.SeekAt (headerOffset); - device.Write ((byte *) header, sizeof (header)); + device.Write ((uint8 *) header, sizeof (header)); headerUpdated = true; } if (!encStatus.HiddenSystem || backupHeader) break; backupHeader = TRUE; headerOffset = backupHeaderOffset; } } catch (Exception &e) { e.Show (hwndDlg); result = ERR_OS_ERROR; } if (headerUpdated) { bool storedPimUpdateNeeded = false; ReopenBootVolumeHeaderRequest reopenRequest; reopenRequest.VolumePassword = *newPassword; reopenRequest.pkcs5_prf = cryptoInfo->pkcs5; reopenRequest.pim = pim; finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); }); if (old_pim != pim) { try { // check if PIM is stored in MBR - byte userConfig = 0; + uint8 userConfig = 0; if ( ReadBootSectorConfig (nullptr, 0, &userConfig) && (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) ) { storedPimUpdateNeeded = true; } } catch (...) { } } try { // force update of bootloader if fingerprint doesn't match or if the stored PIM changed if (storedPimUpdateNeeded || !CheckBootloaderFingerprint (true)) InstallBootLoader (device, true, false, pim, cryptoInfo->pkcs5); } catch (...) {} CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest)); } return result; } void BootEncryption::CheckEncryptionSetupResult () { @@ -5788,61 +5794,61 @@ namespace VeraCrypt void BootEncryption::DeleteFileAdmin (const wstring &file) { if (!IsAdmin() && IsUacSupported()) Elevator::DeleteFile (file); else throw_sys_if (!::DeleteFile (file.c_str())); } #endif // !SETUP uint32 BootEncryption::ReadDriverConfigurationFlags () { DWORD configMap; if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\veracrypt", TC_DRIVER_CONFIG_REG_VALUE_NAME, &configMap)) configMap = 0; return configMap; } uint32 BootEncryption::ReadServiceConfigurationFlags () { DWORD configMap; if (!ReadLocalMachineRegistryDword (L"SYSTEM\\CurrentControlSet\\Services\\" TC_SYSTEM_FAVORITES_SERVICE_NAME, TC_SYSTEM_FAVORITES_SERVICE_NAME L"Config", &configMap)) configMap = 0; return configMap; } - void BootEncryption::WriteBootDriveSector (uint64 offset, byte *data) + void BootEncryption::WriteBootDriveSector (uint64 offset, uint8 *data) { WriteBootDriveSectorRequest request; request.Offset.QuadPart = offset; memcpy (request.Data, data, sizeof (request.Data)); CallDriver (TC_IOCTL_WRITE_BOOT_DRIVE_SECTOR, &request, sizeof (request), NULL, 0); } void BootEncryption::RegisterBootDriver (bool hiddenSystem) { SetDriverServiceStartType (SERVICE_BOOT_START); try { RegisterFilterDriver (false, DriveFilter); RegisterFilterDriver (false, VolumeFilter); RegisterFilterDriver (false, DumpFilter); } catch (...) { } try { RegisterFilterDriver (true, DriveFilter); if (hiddenSystem) RegisterFilterDriver (true, VolumeFilter); RegisterFilterDriver (true, DumpFilter); } catch (...) |