int pkcs5_prf;

int ProtectedHidVolPkcs5Prf;

BOOL bTrueCryptMode;

uint32 BytesPerPhysicalSector;

} MOUNT_STRUCT;

typedef struct

{

typedef struct

{

Password VolumePassword;

int pkcs5_prf;

} ReopenBootVolumeHeaderRequest;

typedef struct

#ifndef SETUP

{

PCRYPTO_INFO cryptoInfo = NULL;

if (!IsRandomNumberGeneratorStarted())

throw ParameterIncorrect (SRC_POS);

volumeSize, 0, encryptedAreaStart, 0, TC_SYSENC_KEYSCOPE_MIN_REQ_PROG_VERSION, TC_HEADER_FLAG_ENCRYPTED_SYSTEM, TC_SECTOR_SIZE_BIOS, FALSE) != 0);

finally_do_arg (PCRYPTO_INFO*, &cryptoInfo, { crypto_close (*finally_arg); });

// Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize)

memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader));

throw ParameterIncorrect (SRC_POS);

DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);

}

}

{

BootEncryptionStatus encStatus = GetStatus();

if (encStatus.SetupInProgress || (wipePassCount <= 0))

device.Read ((byte *) header, sizeof (header));

PCRYPTO_INFO cryptoInfo = NULL;

finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });

if (status != 0)

{

cryptoInfo->ea,

cryptoInfo->mode,

newPassword,

cryptoInfo->pkcs5,

(char *) cryptoInfo->master_keydata,

&tmpCryptoInfo,

cryptoInfo->VolumeSize.Value,

cryptoInfo->hiddenVolumeSize,

{

ReopenBootVolumeHeaderRequest reopenRequest;

reopenRequest.VolumePassword = *newPassword;

reopenRequest.pkcs5_prf = cryptoInfo->pkcs5;

finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });

CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest));

}

SelectedPrfAlgorithmId = pkcs5;

}

{

BootEncryptionStatus encStatus = GetStatus();

if (encStatus.DriveMounted)

throw ParameterIncorrect (SRC_POS);

}

SelectedEncryptionAlgorithmId = ea;

SelectedPrfAlgorithmId = pkcs5;

if (!rescueIsoImagePath.empty())

CreateRescueIsoImage (true, rescueIsoImagePath);

}

void AbortDecoyOSWipe ();

void AbortSetup ();

void AbortSetupWait ();

void CallDriver (DWORD ioctl, void *input = nullptr, DWORD inputSize = 0, void *output = nullptr, DWORD outputSize = 0);

void CheckDecoyOSWipeResult ();

void CheckEncryptionSetupResult ();

void CheckRequirements ();

void CheckRequirementsHiddenOS ();

bool IsCDDrivePresent ();

bool IsHiddenSystemRunning ();

bool IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);

void PrepareHiddenOSCreation (int ea, int mode, int pkcs5);

void ProbeRealSystemDriveSize ();

void ReadBootSectorConfig (byte *config, size_t bufLength, byte *userConfig = nullptr, string *customUserMessage = nullptr, uint16 *bootLoaderVersion = nullptr);

uint32 ReadDriverConfigurationFlags ();

void RegisterBootDriver (bool hiddenSystem);

static const uint32 RescueIsoImageSize = 1835008; // Size of ISO9660 image with bootable emulated 1.44MB floppy disk image

void BackupSystemLoader ();

void CreateBootLoaderInMemory (byte *buffer, size_t bufferSize, bool rescueDisk, bool hiddenOSCreation = false);

string GetSystemLoaderBackupPath ();

uint32 GetChecksum (byte *data, size_t size);

DISK_GEOMETRY GetDriveGeometry (int driveNumber);

PartitionList GetDrivePartitions (int driveNumber);

Password CachedPasswords[CACHE_SIZE];

int cacheEmpty = 1;

static int nPasswordIdx = 0;

{

int nReturnCode = ERR_PASSWORD_WRONG;

int i;

/* Attempt to recognize volume using mount password */

if (password->Length > 0)

{

/* Save mount passwords back into cache if asked to do so */

if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))

{

for (i = 0; i < CACHE_SIZE; i++)

{

if (CachedPasswords[i].Length > 0)

{

if (nReturnCode != ERR_PASSWORD_WRONG)

break;

}

extern int cacheEmpty;

void AddPasswordToCache (Password *password);

void WipeCache (void);

Password ProtectedHidVolPassword; /* Password of hidden volume to protect against overwriting */

BOOL UseBackupHeader;

BOOL RecoveryMode;

int ProtectedHidVolPkcs5Prf;

} MountOptions;

#endif

{

int ea; /* Encryption algorithm ID */

int mode; /* Mode of operation (e.g., XTS) */

int pkcs5; /* PRF algorithm */

unsigned __int8 ks[MAX_EXPANDED_KEY]; /* Primary key schedule (if it is a cascade, it conatins multiple concatenated keys) */

unsigned __int8 ks2[MAX_EXPANDED_KEY]; /* Secondary key schedule (if cascade, multiple concatenated) for XTS mode. */

BOOL hiddenVolume; // Indicates whether the volume is mounted/mountable as hidden volume

{

case SHA512:

/* PKCS-5 test with HMAC-SHA-512 used as the PRF */

break;

case SHA256:

/* PKCS-5 test with HMAC-SHA-256 used as the PRF */

break;

case RIPEMD160:

/* PKCS-5 test with HMAC-RIPEMD-160 used as the PRF */

break;

case WHIRLPOOL:

/* PKCS-5 test with HMAC-Whirlpool used as the PRF */

break;

}

}

int driveNo,

char *volumePath,

Password *password,

int pkcs5,

BOOL truecryptMode,

BOOL cachePassword,

BOOL sharedAccess,

const MountOptions* const mountOptions,

{

mount.ProtectedHidVolPassword = mountOptions->ProtectedHidVolPassword;

mount.bProtectHiddenVolume = TRUE;

mount.ProtectedHidVolPkcs5Prf = mountOptions->ProtectedHidVolPkcs5Prf;

}

else

mount.bProtectHiddenVolume = FALSE;

mount.bMountManager = TRUE;

mount.pkcs5_prf = pkcs5;

mount.bTrueCryptMode = truecryptMode;

// Windows 2000 mount manager causes problems with remounted volumes

if (CurrentOSMajor == 5 && CurrentOSMinor == 0)

mount.bMountManager = FALSE;

}

for (int64 i = startOffset; i <= bufLen - strLen; i++)

{

return i;

}

return -1;

BOOL Is64BitOs ()

{

static BOOL isWow64 = FALSE;

static BOOL valid = FALSE;

typedef BOOL (__stdcall *LPFN_ISWOW64PROCESS ) (HANDLE hProcess,PBOOL Wow64Process);

LPFN_ISWOW64PROCESS fnIsWow64Process;

isWow64 = FALSE;

valid = TRUE;

return isWow64;

}

BOOL IsServerOS ()

#ifndef SETUP

{

int status = ERR_PARAMETER_INCORRECT;

int volumeType;

char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];

memset (buffer, 0, sizeof (buffer));

}

// Decrypt volume header

if (status == ERR_PASSWORD_WRONG)

continue; // Try next volume type

context->VolumeIsOpen = FALSE;

}

{

CRYPTO_INFO *newCryptoInfo = NULL;

RandSetHashFunction (cryptoInfo->pkcs5);

cryptoInfo->ea,

cryptoInfo->mode,

password,

cryptoInfo->pkcs5,

(char *) cryptoInfo->master_keydata,

&newCryptoInfo,

cryptoInfo->VolumeSize.Value,

cryptoInfo->hiddenVolume ? cryptoInfo->hiddenVolumeSize : 0,

return name;

return string (directory) + "\\" + name;

}

BOOL IsDriveAvailable (int driveNo);

BOOL IsDeviceMounted (char *deviceName);

int DriverUnmountVolume (HWND hwndDlg, int nDosDriveNo, BOOL forced);

void BroadcastDeviceChange (WPARAM message, int nDosDriveNo, DWORD driveMap);

BOOL UnmountVolume (HWND hwndDlg , int nDosDriveNo, BOOL forceUnmount);

BOOL IsPasswordCacheEmpty (void);

BOOL IsMountedVolume (const char *volname);

int GetMountedVolumeDriveNo (char *volname);

void AccommodateTextField (HWND hwndDlg, UINT ctrlId, BOOL bFirstUpdate, HFONT hFont);

BOOL GetDriveLabel (int driveNo, wchar_t *label, int labelSize);

BOOL GetSysDevicePaths (HWND hwndDlg);

BOOL DoDriverInstall (HWND hwndDlg);

void CloseVolume (OpenVolumeContext *context);

BOOL IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);

BOOL IsPagingFileWildcardActive ();

BOOL DisablePagingFile ();

BOOL CALLBACK SecurityTokenPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam);

BOOL VolumePathExists (const char *volumePath);

BOOL IsWindowsIsoBurnerAvailable ();

BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath);

BOOL IsApplicationInstalled (const char *appName);

#ifdef __cplusplus

}

volParams->ea,

FIRST_MODE_OF_OPERATION_ID,

volParams->password,

volParams->pkcs5,

NULL,

&cryptoInfo,

dataAreaSize,

volParams->hiddenVol ? dataAreaSize : 0,

volParams->ea,

FIRST_MODE_OF_OPERATION_ID,

volParams->password,

volParams->pkcs5,

cryptoInfo->master_keydata,

&cryptoInfo,

dataAreaSize,

volParams->hiddenVol ? dataAreaSize : 0,

mountOptions.PreserveTimestamp = bPreserveTimestamp;

mountOptions.PartitionInInactiveSysEncScope = FALSE;

mountOptions.UseBackupHeader = FALSE;

{

MessageBoxW (volParams->hwndDlg, GetString ("CANT_MOUNT_VOLUME"), lpszTitle, ICON_HAND);

MessageBoxW (volParams->hwndDlg, GetString ("FORMAT_NTFS_STOP"), lpszTitle, ICON_HAND);

nStatus = ERR_VOL_MOUNT_FAILED;

BOOL quickFormat;

int sectorSize;

int *realClusterSize;

Password *password;

HWND hwndDlg;

}

FORMAT_VOL_PARAMETERS;

<string lang="en" key="PASSWORD_OR_KEYFILE_OR_MODE_WRONG">Wrong mount mode, incorrect keyfile(s) and/or password/PRF, or not a valid volume.</string>

<string lang="en" key="PASSWORD_WRONG_AUTOMOUNT">Incorrect password/PRF or no valid volume found.</string>

<string lang="en" key="PASSWORD_OR_KEYFILE_WRONG_AUTOMOUNT">Incorrect keyfile(s)/password/PRF or no valid volume found.</string>

<string lang="en" key="PASSWORD_WRONG_CAPSLOCK_ON">\n\nWarning: Caps Lock is on. This may cause you to enter your password incorrectly.</string>

<string lang="en" key="HIDDEN_FILES_PRESENT_IN_KEYFILE_PATH">\n\nWARNING: Hidden file(s) have been found in a keyfile search path. Such hidden files cannot be used as keyfiles. If you need to use them as keyfiles, remove their 'Hidden' attribute (right-click each of them, select 'Properties', uncheck 'Hidden' and click OK). Note: Hidden files are visible only if the corresponding option is enabled (Computer > Organize > 'Folder and search options' > View).</string>

<string lang="en" key="HIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT">If you are attempting to protect a hidden volume containing a hidden system, please make sure you are using the standard US keyboard layout when typing the password for the hidden volume. This is required due to the fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available.</string>

<string lang="en" key="FOUND_NO_PARTITION_W_DEFERRED_INPLACE_ENC">VeraCrypt has not found any volume where the process of encryption/decryption of a non-system volume has been interrupted and where the volume header can be deciphered using the supplied password and/or keyfile(s).\n\nPlease make sure the password and/or keyfile(s) are correct and that the partition/volume is not being used by the system or applications (including antivirus software).</string>

<string lang="en" key="SELECTED_PARTITION_ALREADY_INPLACE_ENC">The selected partition/device is already fully encrypted.\nHeader Flags = 0x%.8X</string>

<string lang="en" key="EXTRA_BOOT_PARTITION_REMOVAL_INSTRUCTIONS">\nThe extra boot partition can be removed before installing Windows. To do so, follow these steps:\n\n1) Boot your Windows installation disc.\n\n2) In the Windows installer screen, click 'Install now' > 'Custom (advanced)'.\n\n3) Click 'Drive Options'.\n\n4) Select the main system partition and delete it by clicking 'Delete' and 'OK'.\n\n5) Select the 'System Reserved' partition, click 'Extend', and increase its size so that the operating system can be installed to it.\n\n6) Click 'Apply' and 'OK'.\n\n7) Install Windows on the 'System Reserved' partition.\n\n\nShould an attacker ask why you removed the extra boot partition, you can answer that you wanted to prevent any possible data leaks to the unencrypted boot partition.\n\nNote: You can print this text by clicking the 'Print' button below. If you save a copy of this text or print it (strongly recommended, unless your printer stores copies of documents it prints on its internal drive), you should destroy any copies of it after removing the extra boot partition (otherwise, if such a copy was found, it might indicate that there is a hidden operating system on this computer).</string>

<string lang="en" key="GAP_BETWEEN_SYS_AND_HIDDEN_OS_PARTITION">Warning: There is unallocated space between the system partition and the first partition behind it. After you create the hidden operating system, you must not create any new partitions in that unallocated space. Otherwise, the hidden operating system will be impossible to boot (until you delete such newly created partitions).</string>

<string lang="en" key="ALGO_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">This algorithm is currently not supported for system encryption.</string>

<string lang="en" key="ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE">This algorithm is not supported for TrueCrypt mode.</string>

<string lang="en" key="KEYFILES_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">Keyfiles are currently not supported for system encryption.</string>

<string lang="en" key="CANNOT_RESTORE_KEYBOARD_LAYOUT">Warning: VeraCrypt could not restore the original keyboard layout. This may cause you to enter a password incorrectly.</string>

<string lang="en" key="CANT_CHANGE_KEYB_LAYOUT_FOR_SYS_ENCRYPTION">Error: Cannot set the keyboard layout for VeraCrypt to the standard US keyboard layout.\n\nNote that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available. Therefore, the password must always be typed using the standard US keyboard layout.</string>

<string lang="en" key="ALT_KEY_CHARS_NOT_FOR_SYS_ENCRYPTION">As VeraCrypt temporarily changed the keyboard layout to the standard US keyboard layout, it is not possible to type characters by pressing keys while the right Alt key is held down. However, you can type most of such characters by pressing appropriate keys while the Shift key is held down.</string>

return TRUE;

}

{

if (GetWindowTextLength (hwndItem) < PASSWORD_LEN_WARNING)

{

#ifndef _DEBUG

if (MessageBoxW (hwndDlg, GetString ("PASSWORD_LENGTH_WARNING"), lpszTitle, MB_YESNO|MB_ICONWARNING|MB_DEFBUTTON2) != IDYES)

return FALSE;

#endif

}

return TRUE;

}

{

int nDosLinkCreated = 1, nStatus = ERR_OS_ERROR;

char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];

char szDosDevice[TC_MAX_PATH];

}

/* Try to decrypt the header */

if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)

nStatus = 0; // We can ignore this error here

if (nStatus == ERR_PASSWORD_WRONG)

cryptoInfo->ea,

cryptoInfo->mode,

newPassword,

cryptoInfo->pkcs5,

cryptoInfo->master_keydata,

&ci,

cryptoInfo->VolumeSize.Value,

(volumeType == TC_VOLUME_TYPE_HIDDEN) ? cryptoInfo->hiddenVolumeSize : 0,

// User text input limits

#define MIN_PASSWORD 1 // Minimum possible password length

#define MAX_PASSWORD 64 // Maximum possible password length

#define PASSWORD_LEN_WARNING 20 // Display a warning when a password is shorter than this

#ifdef __cplusplus

#if defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)

void VerifyPasswordAndUpdate ( HWND hwndDlg , HWND hButton , HWND hPassword , HWND hVerify , unsigned char *szPassword , char *szVerify, BOOL keyFilesEnabled );

BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw);

#endif // defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)

#ifdef __cplusplus

burn(key, sizeof(key));

}

#endif

{

char* k = hmac->k;

char* u = hmac->u;

uint32 c;

int i;

#ifdef TC_WINDOWS_BOOT

* This enables us to save code space needed for implementing other features.

*/

else

#else

c = iterations;

#endif

}

}

{

hmac_sha256_ctx hmac;

int b, l, r;

#ifndef TC_WINDOWS_BOOT

burn (&hmac, sizeof(hmac));

burn (key, sizeof(key));

}

{

char* k = hmac->k;

char* u = hmac->u;

/* iteration 1 */

memcpy (k, salt, salt_len); /* salt */

/* big-endian block number */

}

}

{

hmac_sha512_ctx hmac;

int b, l, r;

char key[SHA512_DIGESTSIZE];

}

#endif

{

char* k = hmac->k;

char* u = hmac->u;

uint32 c;

int i;

#ifdef TC_WINDOWS_BOOT

* This enables us to save code space needed for implementing other features.

*/

else

#else

c = iterations;

#endif

c--;

}

}

{

int b, l, r;

hmac_ripemd160_ctx hmac;

#ifndef TC_WINDOWS_BOOT

/* Prevent leaks */

burn(&hmac, sizeof(hmac));

}

{

char* u = hmac->u;

char* k = hmac->k;

/* iteration 1 */

memcpy (k, salt, salt_len); /* salt */

/* big-endian block number */

}

}

}

{

hmac_whirlpool_ctx hmac;

char key[WHIRLPOOL_DIGESTSIZE];

int b, l, r;

}

{

switch (pkcs5_prf_id)

{

case RIPEMD160:

if (truecryptMode)

return bBoot ? 1000 : 2000;

return bBoot? 327661 : 655331;

case SHA512:

case WHIRLPOOL:

case SHA256:

if (truecryptMode)

return 0; // SHA-256 not supported by TrueCrypt

return bBoot? 200000 : 500000;

default:

TC_THROW_FATAL_EXCEPTION; // Unknown/wrong ID

}

{

#endif

/* output written to d which must be at lease 32 bytes long */

void hmac_sha256 (char *k, int lk, char *d, int ld);

/* output written to d which must be at lease 64 bytes long */

void hmac_sha512 (char *k, int lk, char *d, int ld);

/* output written to input_digest which must be at lease 20 bytes long */

void hmac_ripemd160 (char *key, int keylen, char *input_digest, int len);

/* output written to d which must be at lease 64 bytes long */

void hmac_whirlpool (char *k, int lk, char *d, int ld);

char *get_pkcs5_prf_name (int pkcs5_prf_id);

#if defined(__cplusplus)

}

BOOL ReadVolumeHeaderRecoveryMode = FALSE;

{

char header[TC_VOLUME_HEADER_EFFECTIVE_SIZE];

KEY_INFO keyInfo;

PCRYPTO_INFO cryptoInfo;

item->Pkcs5Prf = enqPkcs5Prf;

EncryptionThreadPoolBeginKeyDerivation (&keyDerivationCompletedEvent, &noOutstandingWorkItemEvent,

&item->KeyReady, &outstandingWorkItemCount, enqPkcs5Prf, keyInfo.userKey,

++queuedWorkItems;

break;

}

item = &keyDerivationWorkItems[i];

if (!item->Free && InterlockedExchangeAdd (&item->KeyReady, 0) == TRUE)

{

pkcs5_prf = item->Pkcs5Prf;

memcpy (dk, item->DerivedKey, sizeof (dk));

item->Free = TRUE;

--queuedWorkItems;

}

else

{

pkcs5_prf = enqPkcs5Prf;

switch (pkcs5_prf)

{

case RIPEMD160:

}

#else // TC_WINDOWS_BOOT

{

#ifdef TC_WINDOWS_BOOT_SINGLE_CIPHER_MODE

char dk[32 * 2]; // 2 * 256-bit key

#else

#endif

PCRYPTO_INFO cryptoInfo;

int status = ERR_SUCCESS;

if (retHeaderCryptoInfo != NULL)

cryptoInfo = retHeaderCryptoInfo;

else

// PKCS5 PRF

#ifdef TC_WINDOWS_BOOT_SHA2

derive_key_sha256 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,

#else

derive_key_ripemd160 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,

#endif

// Mode of operation

cryptoInfo->mode = FIRST_MODE_OF_OPERATION_ID;

#endif

// Creates a volume header in memory

int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea, int mode, Password *password,

unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize,

unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode)

{

unsigned char *p = (unsigned char *) header;

// User key

memcpy (keyInfo.userKey, password->Text, nUserKeyLen);

keyInfo.keyLength = nUserKeyLen;

// User selected encryption algorithm

cryptoInfo->ea = ea;

uint16 GetHeaderField16 (byte *header, int offset);

uint32 GetHeaderField32 (byte *header, int offset);

UINT64_STRUCT GetHeaderField64 (byte *header, int offset);

#ifdef TC_WINDOWS_BOOT

#else

#endif

#if !defined (DEVICE_DRIVER) && !defined (TC_WINDOWS_BOOT)

BOOL ReadEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header, DWORD *bytesRead);

BOOL WriteEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header);

int WriteRandomDataToReservedHeaderAreas (HWND hwndDlg, HANDLE dev, CRYPTO_INFO *cryptoInfo, uint64 dataAreaSize, BOOL bPrimaryOnly, BOOL bBackupOnly);

#endif