VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Common
diff options
context:
space:
mode:
Diffstat (limited to 'src/Common')
-rw-r--r--src/Common/Apidrvr.h3
-rw-r--r--src/Common/BootEncryption.cpp16
-rw-r--r--src/Common/BootEncryption.h6
-rw-r--r--src/Common/Cache.c6
-rw-r--r--src/Common/Cache.h2
-rw-r--r--src/Common/Common.h1
-rw-r--r--src/Common/Crypto.h1
-rw-r--r--src/Common/Dlgcode.c39
-rw-r--r--src/Common/Dlgcode.h7
-rw-r--r--src/Common/Format.c4
-rw-r--r--src/Common/Format.h1
-rw-r--r--src/Common/Language.xml5
-rw-r--r--src/Common/Password.c21
-rw-r--r--src/Common/Password.h7
-rw-r--r--src/Common/Pkcs5.c67
-rw-r--r--src/Common/Pkcs5.h10
-rw-r--r--src/Common/Volumes.c21
-rw-r--r--src/Common/Volumes.h6
18 files changed, 152 insertions, 71 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index 83d30595..d168cf74 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -103,8 +103,10 @@ typedef struct
int pkcs5_prf;
int ProtectedHidVolPkcs5Prf;
BOOL bTrueCryptMode;
uint32 BytesPerPhysicalSector;
+ int VolumePin;
+ int ProtectedHidVolPin;
} MOUNT_STRUCT;
typedef struct
{
@@ -240,8 +242,9 @@ typedef struct
typedef struct
{
Password VolumePassword;
int pkcs5_prf;
+ int pin;
} ReopenBootVolumeHeaderRequest;
typedef struct
diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp
index 3678bc71..9f080f18 100644
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -1736,23 +1736,23 @@ namespace VeraCrypt
#ifndef SETUP
- void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5)
+ void BootEncryption::CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pin)
{
PCRYPTO_INFO cryptoInfo = NULL;
if (!IsRandomNumberGeneratorStarted())
throw ParameterIncorrect (SRC_POS);
- throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, NULL, &cryptoInfo,
+ throw_sys_if (CreateVolumeHeaderInMemory (ParentWindow, TRUE, (char *) VolumeHeader, ea, mode, password, pkcs5, pin, NULL, &cryptoInfo,
volumeSize, 0, encryptedAreaStart, 0, TC_SYSENC_KEYSCOPE_MIN_REQ_PROG_VERSION, TC_HEADER_FLAG_ENCRYPTED_SYSTEM, TC_SECTOR_SIZE_BIOS, FALSE) != 0);
finally_do_arg (PCRYPTO_INFO*, &cryptoInfo, { crypto_close (*finally_arg); });
// Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize)
memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader));
- if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, FALSE, NULL, cryptoInfo))
+ if (0 != ReadVolumeHeader (TRUE, (char *) RescueVolumeHeader, password, pkcs5, pin, FALSE, NULL, cryptoInfo))
throw ParameterIncorrect (SRC_POS);
DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);
@@ -2233,9 +2233,9 @@ namespace VeraCrypt
}
}
- int BootEncryption::ChangePassword (Password *oldPassword, int old_pkcs5,Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg)
+ int BootEncryption::ChangePassword (Password *oldPassword, int old_pkcs5, int old_pin, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg)
{
BootEncryptionStatus encStatus = GetStatus();
if (encStatus.SetupInProgress || (wipePassCount <= 0))
@@ -2276,9 +2276,9 @@ namespace VeraCrypt
device.Read ((byte *) header, sizeof (header));
PCRYPTO_INFO cryptoInfo = NULL;
- int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, FALSE, &cryptoInfo, NULL);
+ int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pin, FALSE, &cryptoInfo, NULL);
finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });
if (status != 0)
{
@@ -2338,8 +2338,9 @@ namespace VeraCrypt
cryptoInfo->ea,
cryptoInfo->mode,
newPassword,
cryptoInfo->pkcs5,
+ pin,
(char *) cryptoInfo->master_keydata,
&tmpCryptoInfo,
cryptoInfo->VolumeSize.Value,
cryptoInfo->hiddenVolumeSize,
@@ -2381,8 +2382,9 @@ namespace VeraCrypt
{
ReopenBootVolumeHeaderRequest reopenRequest;
reopenRequest.VolumePassword = *newPassword;
reopenRequest.pkcs5_prf = cryptoInfo->pkcs5;
+ reopenRequest.pin = pin;
finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });
CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest));
}
@@ -2441,9 +2443,9 @@ namespace VeraCrypt
SelectedPrfAlgorithmId = pkcs5;
}
- void BootEncryption::PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, const string &rescueIsoImagePath)
+ void BootEncryption::PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, int pin, const string &rescueIsoImagePath)
{
BootEncryptionStatus encStatus = GetStatus();
if (encStatus.DriveMounted)
throw ParameterIncorrect (SRC_POS);
@@ -2494,9 +2496,9 @@ namespace VeraCrypt
}
SelectedEncryptionAlgorithmId = ea;
SelectedPrfAlgorithmId = pkcs5;
- CreateVolumeHeader (volumeSize, encryptedAreaStart, &password, ea, mode, pkcs5);
+ CreateVolumeHeader (volumeSize, encryptedAreaStart, &password, ea, mode, pkcs5, pin);
if (!rescueIsoImagePath.empty())
CreateRescueIsoImage (true, rescueIsoImagePath);
}
diff --git a/src/Common/BootEncryption.h b/src/Common/BootEncryption.h
index 3665a9bc..a73ce6fc 100644
--- a/src/Common/BootEncryption.h
+++ b/src/Common/BootEncryption.h
@@ -143,9 +143,9 @@ namespace VeraCrypt
void AbortDecoyOSWipe ();
void AbortSetup ();
void AbortSetupWait ();
void CallDriver (DWORD ioctl, void *input = nullptr, DWORD inputSize = 0, void *output = nullptr, DWORD outputSize = 0);
- int ChangePassword (Password *oldPassword, int old_pkcs5, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg);
+ int ChangePassword (Password *oldPassword, int old_pkcs5, int old_pin, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg);
void CheckDecoyOSWipeResult ();
void CheckEncryptionSetupResult ();
void CheckRequirements ();
void CheckRequirementsHiddenOS ();
@@ -169,9 +169,9 @@ namespace VeraCrypt
bool IsCDDrivePresent ();
bool IsHiddenSystemRunning ();
bool IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);
void PrepareHiddenOSCreation (int ea, int mode, int pkcs5);
- void PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, const string &rescueIsoImagePath);
+ void PrepareInstallation (bool systemPartitionOnly, Password &password, int ea, int mode, int pkcs5, int pin, const string &rescueIsoImagePath);
void ProbeRealSystemDriveSize ();
void ReadBootSectorConfig (byte *config, size_t bufLength, byte *userConfig = nullptr, string *customUserMessage = nullptr, uint16 *bootLoaderVersion = nullptr);
uint32 ReadDriverConfigurationFlags ();
void RegisterBootDriver (bool hiddenSystem);
@@ -203,9 +203,9 @@ namespace VeraCrypt
static const uint32 RescueIsoImageSize = 1835008; // Size of ISO9660 image with bootable emulated 1.44MB floppy disk image
void BackupSystemLoader ();
void CreateBootLoaderInMemory (byte *buffer, size_t bufferSize, bool rescueDisk, bool hiddenOSCreation = false);
- void CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5);
+ void CreateVolumeHeader (uint64 volumeSize, uint64 encryptedAreaStart, Password *password, int ea, int mode, int pkcs5, int pin);
string GetSystemLoaderBackupPath ();
uint32 GetChecksum (byte *data, size_t size);
DISK_GEOMETRY GetDriveGeometry (int driveNumber);
PartitionList GetDrivePartitions (int driveNumber);
diff --git a/src/Common/Cache.c b/src/Common/Cache.c
index 33043f78..f4489ccf 100644
--- a/src/Common/Cache.c
+++ b/src/Common/Cache.c
@@ -20,17 +20,17 @@
Password CachedPasswords[CACHE_SIZE];
int cacheEmpty = 1;
static int nPasswordIdx = 0;
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
{
int nReturnCode = ERR_PASSWORD_WRONG;
int i;
/* Attempt to recognize volume using mount password */
if (password->Length > 0)
{
- nReturnCode = ReadVolumeHeader (bBoot, header, password, pkcs5_prf, truecryptMode, retInfo, NULL);
+ nReturnCode = ReadVolumeHeader (bBoot, header, password, pkcs5_prf, pin, truecryptMode, retInfo, NULL);
/* Save mount passwords back into cache if asked to do so */
if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))
{
@@ -58,9 +58,9 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *pas
for (i = 0; i < CACHE_SIZE; i++)
{
if (CachedPasswords[i].Length > 0)
{
- nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, truecryptMode, retInfo, NULL);
+ nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, pin, truecryptMode, retInfo, NULL);
if (nReturnCode != ERR_PASSWORD_WRONG)
break;
}
diff --git a/src/Common/Cache.h b/src/Common/Cache.h
index 10f120b0..bdd96e98 100644
--- a/src/Common/Cache.h
+++ b/src/Common/Cache.h
@@ -18,6 +18,6 @@
extern int cacheEmpty;
void AddPasswordToCache (Password *password);
-int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
+int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, char *header, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo);
void WipeCache (void);
diff --git a/src/Common/Common.h b/src/Common/Common.h
index 3e68f402..5893a268 100644
--- a/src/Common/Common.h
+++ b/src/Common/Common.h
@@ -75,7 +75,8 @@ typedef struct
Password ProtectedHidVolPassword; /* Password of hidden volume to protect against overwriting */
BOOL UseBackupHeader;
BOOL RecoveryMode;
int ProtectedHidVolPkcs5Prf;
+ int ProtectedHidVolPin;
} MountOptions;
#endif
diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
index 208e72a1..038e5430 100644
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -196,8 +196,9 @@ typedef struct CRYPTO_INFO_t
{
int ea; /* Encryption algorithm ID */
int mode; /* Mode of operation (e.g., XTS) */
int pkcs5; /* PRF algorithm */
+
unsigned __int8 ks[MAX_EXPANDED_KEY]; /* Primary key schedule (if it is a cascade, it conatins multiple concatenated keys) */
unsigned __int8 ks2[MAX_EXPANDED_KEY]; /* Secondary key schedule (if cascade, multiple concatenated) for XTS mode. */
BOOL hiddenVolume; // Indicates whether the volume is mounted/mountable as hidden volume
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index a6700e29..5cf6dbaf 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -4679,24 +4679,24 @@ static BOOL PerformBenchmark(HWND hBenchDlg, HWND hwndDlg)
{
case SHA512:
/* PKCS-5 test with HMAC-SHA-512 used as the PRF */
- derive_key_sha512 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+ derive_key_sha512 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
break;
case SHA256:
/* PKCS-5 test with HMAC-SHA-256 used as the PRF */
- derive_key_sha256 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+ derive_key_sha256 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
break;
case RIPEMD160:
/* PKCS-5 test with HMAC-RIPEMD-160 used as the PRF */
- derive_key_ripemd160 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+ derive_key_ripemd160 ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
break;
case WHIRLPOOL:
/* PKCS-5 test with HMAC-Whirlpool used as the PRF */
- derive_key_whirlpool ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
+ derive_key_whirlpool ("passphrase-1234567890", 21, tmp_salt, 64, get_pkcs5_iteration_count(thid, 0, FALSE, FALSE), dk, MASTER_KEYDATA_SIZE);
break;
}
}
@@ -6521,8 +6521,9 @@ int MountVolume (HWND hwndDlg,
int driveNo,
char *volumePath,
Password *password,
int pkcs5,
+ int pin,
BOOL truecryptMode,
BOOL cachePassword,
BOOL sharedAccess,
const MountOptions* const mountOptions,
@@ -6583,8 +6584,9 @@ retry:
{
mount.ProtectedHidVolPassword = mountOptions->ProtectedHidVolPassword;
mount.bProtectHiddenVolume = TRUE;
mount.ProtectedHidVolPkcs5Prf = mountOptions->ProtectedHidVolPkcs5Prf;
+ mount.ProtectedHidVolPin = mountOptions->ProtectedHidVolPin;
}
else
mount.bProtectHiddenVolume = FALSE;
@@ -6594,8 +6596,9 @@ retry:
mount.bMountManager = TRUE;
mount.pkcs5_prf = pkcs5;
mount.bTrueCryptMode = truecryptMode;
+ mount.VolumePin = pin;
// Windows 2000 mount manager causes problems with remounted volumes
if (CurrentOSMajor == 5 && CurrentOSMinor == 0)
mount.bMountManager = FALSE;
@@ -7314,9 +7317,9 @@ int64 FindString (const char *buf, const char *str, int64 bufLen, int64 strLen,
}
for (int64 i = startOffset; i <= bufLen - strLen; i++)
{
- if (memcmp (buf + i, str, strLen) == 0)
+ if (memcmp (buf + i, str, (size_t) strLen) == 0)
return i;
}
return -1;
@@ -8802,8 +8805,11 @@ BOOL IsOSVersionAtLeast (OSVersionEnum reqMinOS, int reqMinServicePack)
BOOL Is64BitOs ()
{
+#ifdef _WIN64
+ return TRUE;
+#else
static BOOL isWow64 = FALSE;
static BOOL valid = FALSE;
typedef BOOL (__stdcall *LPFN_ISWOW64PROCESS ) (HANDLE hProcess,PBOOL Wow64Process);
LPFN_ISWOW64PROCESS fnIsWow64Process;
@@ -8818,8 +8824,9 @@ BOOL Is64BitOs ()
isWow64 = FALSE;
valid = TRUE;
return isWow64;
+#endif
}
BOOL IsServerOS ()
@@ -9246,9 +9253,9 @@ void ReportUnexpectedState (char *techInfo)
#ifndef SETUP
-int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader)
+int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader)
{
int status = ERR_PARAMETER_INCORRECT;
int volumeType;
char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];
@@ -9396,9 +9403,9 @@ int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *pa
memset (buffer, 0, sizeof (buffer));
}
// Decrypt volume header
- status = ReadVolumeHeader (FALSE, buffer, password, pkcs5_prf, truecryptMode, &context->CryptoInfo, NULL);
+ status = ReadVolumeHeader (FALSE, buffer, password, pkcs5_prf, pin, truecryptMode, &context->CryptoInfo, NULL);
if (status == ERR_PASSWORD_WRONG)
continue; // Try next volume type
@@ -9441,9 +9448,9 @@ void CloseVolume (OpenVolumeContext *context)
context->VolumeIsOpen = FALSE;
}
-int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, BOOL wipeMode)
+int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, int pin, BOOL wipeMode)
{
CRYPTO_INFO *newCryptoInfo = NULL;
RandSetHashFunction (cryptoInfo->pkcs5);
@@ -9463,8 +9470,9 @@ int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *
cryptoInfo->ea,
cryptoInfo->mode,
password,
cryptoInfo->pkcs5,
+ pin,
(char *) cryptoInfo->master_keydata,
&newCryptoInfo,
cryptoInfo->VolumeSize.Value,
cryptoInfo->hiddenVolume ? cryptoInfo->hiddenVolumeSize : 0,
@@ -10692,4 +10700,19 @@ std::string FindLatestFileOrDirectory (const std::string &directory, const char
return name;
return string (directory) + "\\" + name;
}
+
+int GetPin (HWND hwndDlg, UINT ctrlId)
+{
+ int pin = 0;
+ char szTmp[MAX_PIN + 1] = {0};
+ GetDlgItemText (hwndDlg, ctrlId, szTmp, MAX_PIN + 1);
+ if (strlen(szTmp))
+ {
+ char* endPtr = NULL;
+ pin = strtol(szTmp, &endPtr, 0);
+ if (pin < 0 || endPtr == szTmp || !endPtr || *endPtr != '\0')
+ pin = 0;
+ }
+ return pin;
+}
diff --git a/src/Common/Dlgcode.h b/src/Common/Dlgcode.h
index e45a9b87..1fd12d40 100644
--- a/src/Common/Dlgcode.h
+++ b/src/Common/Dlgcode.h
@@ -331,9 +331,9 @@ int GetLastAvailableDrive ();
BOOL IsDriveAvailable (int driveNo);
BOOL IsDeviceMounted (char *deviceName);
int DriverUnmountVolume (HWND hwndDlg, int nDosDriveNo, BOOL forced);
void BroadcastDeviceChange (WPARAM message, int nDosDriveNo, DWORD driveMap);
-int MountVolume (HWND hwndDlg, int driveNo, char *volumePath, Password *password, int pkcs5, BOOL truecryptMode, BOOL cachePassword, BOOL sharedAccess, const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
+int MountVolume (HWND hwndDlg, int driveNo, char *volumePath, Password *password, int pkcs5, int pin, BOOL truecryptMode, BOOL cachePassword, BOOL sharedAccess, const MountOptions* const mountOptions, BOOL quiet, BOOL bReportWrongPassword);
BOOL UnmountVolume (HWND hwndDlg , int nDosDriveNo, BOOL forceUnmount);
BOOL IsPasswordCacheEmpty (void);
BOOL IsMountedVolume (const char *volname);
int GetMountedVolumeDriveNo (char *volname);
@@ -458,11 +458,11 @@ void ToBootPwdField (HWND hwndDlg, UINT ctrlId);
void AccommodateTextField (HWND hwndDlg, UINT ctrlId, BOOL bFirstUpdate, HFONT hFont);
BOOL GetDriveLabel (int driveNo, wchar_t *label, int labelSize);
BOOL GetSysDevicePaths (HWND hwndDlg);
BOOL DoDriverInstall (HWND hwndDlg);
-int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader);
+int OpenVolume (OpenVolumeContext *context, const char *volumePath, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, BOOL write, BOOL preserveTimestamps, BOOL useBackupHeader);
void CloseVolume (OpenVolumeContext *context);
-int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, BOOL wipeMode);
+int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, int pin, BOOL wipeMode);
BOOL IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);
BOOL IsPagingFileWildcardActive ();
BOOL DisablePagingFile ();
BOOL CALLBACK SecurityTokenPasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lParam);
@@ -479,8 +479,9 @@ BOOL DisableFileCompression (HANDLE file);
BOOL VolumePathExists (const char *volumePath);
BOOL IsWindowsIsoBurnerAvailable ();
BOOL LaunchWindowsIsoBurner (HWND hwnd, const char *isoPath);
BOOL IsApplicationInstalled (const char *appName);
+int GetPin (HWND hwndDlg, UINT ctrlId);
#ifdef __cplusplus
}
diff --git a/src/Common/Format.c b/src/Common/Format.c
index 54dddf64..37fa38da 100644
--- a/src/Common/Format.c
+++ b/src/Common/Format.c
@@ -145,8 +145,9 @@ int TCFormatVolume (volatile FORMAT_VOL_PARAMETERS *volParams)
volParams->ea,
FIRST_MODE_OF_OPERATION_ID,
volParams->password,
volParams->pkcs5,
+ volParams->pin,
NULL,
&cryptoInfo,
dataAreaSize,
volParams->hiddenVol ? dataAreaSize : 0,
@@ -537,8 +538,9 @@ begin_format:
volParams->ea,
FIRST_MODE_OF_OPERATION_ID,
volParams->password,
volParams->pkcs5,
+ volParams->pin,
cryptoInfo->master_keydata,
&cryptoInfo,
dataAreaSize,
volParams->hiddenVol ? dataAreaSize : 0,
@@ -623,9 +625,9 @@ error:
mountOptions.PreserveTimestamp = bPreserveTimestamp;
mountOptions.PartitionInInactiveSysEncScope = FALSE;
mountOptions.UseBackupHeader = FALSE;
- if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
+ if (MountVolume (volParams->hwndDlg, driveNo, volParams->volumePath, volParams->password, volParams->pkcs5, volParams->pin, FALSE, FALSE, TRUE, &mountOptions, FALSE, TRUE) < 1)
{
MessageBoxW (volParams->hwndDlg, GetString ("CANT_MOUNT_VOLUME"), lpszTitle, ICON_HAND);
MessageBoxW (volParams->hwndDlg, GetString ("FORMAT_NTFS_STOP"), lpszTitle, ICON_HAND);
nStatus = ERR_VOL_MOUNT_FAILED;
diff --git a/src/Common/Format.h b/src/Common/Format.h
index 584d98d9..c636e3a6 100644
--- a/src/Common/Format.h
+++ b/src/Common/Format.h
@@ -38,8 +38,9 @@ typedef struct
BOOL quickFormat;
int sectorSize;
int *realClusterSize;
Password *password;
+ int pin;
HWND hwndDlg;
}
FORMAT_VOL_PARAMETERS;
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 3feb51dd..9ae289d9 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -611,8 +611,10 @@
<string lang="en" key="PASSWORD_OR_KEYFILE_OR_MODE_WRONG">Wrong mount mode, incorrect keyfile(s) and/or password/PRF, or not a valid volume.</string>
<string lang="en" key="PASSWORD_WRONG_AUTOMOUNT">Incorrect password/PRF or no valid volume found.</string>
<string lang="en" key="PASSWORD_OR_KEYFILE_WRONG_AUTOMOUNT">Incorrect keyfile(s)/password/PRF or no valid volume found.</string>
<string lang="en" key="PASSWORD_WRONG_CAPSLOCK_ON">\n\nWarning: Caps Lock is on. This may cause you to enter your password incorrectly.</string>
+ <string lang="en" key="PIN_SMALL_WARNING">You have chosen a Personal Iteration Number (PIN) that is smaller than the default VeraCrypt value. Please note that if your password is not strong enough, this could lead to a weaker security.\n\nDo you confirm that you are using a strong password?</string>
+ <string lang="en" key="PIN_SYSENC_TOO_BIG">Personal Iteration Number (PIN) maximum value for system encryption is 65535.</string>
<string lang="en" key="HIDDEN_FILES_PRESENT_IN_KEYFILE_PATH">\n\nWARNING: Hidden file(s) have been found in a keyfile search path. Such hidden files cannot be used as keyfiles. If you need to use them as keyfiles, remove their 'Hidden' attribute (right-click each of them, select 'Properties', uncheck 'Hidden' and click OK). Note: Hidden files are visible only if the corresponding option is enabled (Computer > Organize > 'Folder and search options' > View).</string>
<string lang="en" key="HIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT">If you are attempting to protect a hidden volume containing a hidden system, please make sure you are using the standard US keyboard layout when typing the password for the hidden volume. This is required due to the fact that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available.</string>
<string lang="en" key="FOUND_NO_PARTITION_W_DEFERRED_INPLACE_ENC">VeraCrypt has not found any volume where the process of encryption/decryption of a non-system volume has been interrupted and where the volume header can be deciphered using the supplied password and/or keyfile(s).\n\nPlease make sure the password and/or keyfile(s) are correct and that the partition/volume is not being used by the system or applications (including antivirus software).</string>
<string lang="en" key="SELECTED_PARTITION_ALREADY_INPLACE_ENC">The selected partition/device is already fully encrypted.\nHeader Flags = 0x%.8X</string>
@@ -1061,8 +1063,11 @@
<string lang="en" key="EXTRA_BOOT_PARTITION_REMOVAL_INSTRUCTIONS">\nThe extra boot partition can be removed before installing Windows. To do so, follow these steps:\n\n1) Boot your Windows installation disc.\n\n2) In the Windows installer screen, click 'Install now' > 'Custom (advanced)'.\n\n3) Click 'Drive Options'.\n\n4) Select the main system partition and delete it by clicking 'Delete' and 'OK'.\n\n5) Select the 'System Reserved' partition, click 'Extend', and increase its size so that the operating system can be installed to it.\n\n6) Click 'Apply' and 'OK'.\n\n7) Install Windows on the 'System Reserved' partition.\n\n\nShould an attacker ask why you removed the extra boot partition, you can answer that you wanted to prevent any possible data leaks to the unencrypted boot partition.\n\nNote: You can print this text by clicking the 'Print' button below. If you save a copy of this text or print it (strongly recommended, unless your printer stores copies of documents it prints on its internal drive), you should destroy any copies of it after removing the extra boot partition (otherwise, if such a copy was found, it might indicate that there is a hidden operating system on this computer).</string>
<string lang="en" key="GAP_BETWEEN_SYS_AND_HIDDEN_OS_PARTITION">Warning: There is unallocated space between the system partition and the first partition behind it. After you create the hidden operating system, you must not create any new partitions in that unallocated space. Otherwise, the hidden operating system will be impossible to boot (until you delete such newly created partitions).</string>
<string lang="en" key="ALGO_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">This algorithm is currently not supported for system encryption.</string>
<string lang="en" key="ALGO_NOT_SUPPORTED_FOR_TRUECRYPT_MODE">This algorithm is not supported for TrueCrypt mode.</string>
+ <string lang="en" key="PIN_NOT_SUPPORTED_FOR_TRUECRYPT_MODE">PIN (Personal Iteration Count) not supported for TrueCrypt mode.</string>
+ <string lang="en" key="PIN_REQUIRE_LONG_PASSWORD">Password must contain more than 20 characters in order to use the specified PIN.\nShorter passwords can only be used if the PIN is greater than 485.</string>
+ <string lang="en" key="BOOT_PIN_REQUIRE_LONG_PASSWORD">Pre-boot authentication Password must contain more than 20 characters in order to use the specified PIN.\nShorter passwords can only be used if the PIN is greater than 98.</string>
<string lang="en" key="KEYFILES_NOT_SUPPORTED_FOR_SYS_ENCRYPTION">Keyfiles are currently not supported for system encryption.</string>
<string lang="en" key="CANNOT_RESTORE_KEYBOARD_LAYOUT">Warning: VeraCrypt could not restore the original keyboard layout. This may cause you to enter a password incorrectly.</string>
<string lang="en" key="CANT_CHANGE_KEYB_LAYOUT_FOR_SYS_ENCRYPTION">Error: Cannot set the keyboard layout for VeraCrypt to the standard US keyboard layout.\n\nNote that the password needs to be typed in the pre-boot environment (before Windows starts) where non-US Windows keyboard layouts are not available. Therefore, the password must always be typed using the standard US keyboard layout.</string>
<string lang="en" key="ALT_KEY_CHARS_NOT_FOR_SYS_ENCRYPTION">As VeraCrypt temporarily changed the keyboard layout to the standard US keyboard layout, it is not possible to type characters by pressing keys while the right Alt key is held down. However, you can type most of such characters by pressing appropriate keys while the Shift key is held down.</string>
diff --git a/src/Common/Password.c b/src/Common/Password.c
index 8014713c..63b099b4 100644
--- a/src/Common/Password.c
+++ b/src/Common/Password.c
@@ -106,21 +106,35 @@ BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw)
return TRUE;
}
-BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem)
+BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem, int pin, BOOL bForBoot)
{
+ BOOL bCustomPinSmall = ((pin != 0) && (pin < (bForBoot? 98 : 485)))? TRUE : FALSE;
if (GetWindowTextLength (hwndItem) < PASSWORD_LEN_WARNING)
{
+ if (bCustomPinSmall)
+ {
+ Error (bForBoot? "BOOT_PIN_REQUIRE_LONG_PASSWORD": "PIN_REQUIRE_LONG_PASSWORD", hwndDlg);
+ return FALSE;
+ }
+
#ifndef _DEBUG
if (MessageBoxW (hwndDlg, GetString ("PASSWORD_LENGTH_WARNING"), lpszTitle, MB_YESNO|MB_ICONWARNING|MB_DEFBUTTON2) != IDYES)
return FALSE;
#endif
}
+#ifndef _DEBUG
+ else if (bCustomPinSmall)
+ {
+ if (MessageBoxW (hwndDlg, GetString ("PIN_SMALL_WARNING"), lpszTitle, MB_YESNO|MB_ICONWARNING|MB_DEFBUTTON2) != IDYES)
+ return FALSE;
+ }
+#endif
return TRUE;
}
-int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg)
+int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg)
{
int nDosLinkCreated = 1, nStatus = ERR_OS_ERROR;
char szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];
char szDosDevice[TC_MAX_PATH];
@@ -286,9 +300,9 @@ int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOO
}
/* Try to decrypt the header */
- nStatus = ReadVolumeHeader (FALSE, buffer, oldPassword, old_pkcs5, truecryptMode, &cryptoInfo, NULL);
+ nStatus = ReadVolumeHeader (FALSE, buffer, oldPassword, old_pkcs5, old_pin, truecryptMode, &cryptoInfo, NULL);
if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
nStatus = 0; // We can ignore this error here
if (nStatus == ERR_PASSWORD_WRONG)
@@ -352,8 +366,9 @@ int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOO
cryptoInfo->ea,
cryptoInfo->mode,
newPassword,
cryptoInfo->pkcs5,
+ pin,
cryptoInfo->master_keydata,
&ci,
cryptoInfo->VolumeSize.Value,
(volumeType == TC_VOLUME_TYPE_HIDDEN) ? cryptoInfo->hiddenVolumeSize : 0,
diff --git a/src/Common/Password.h b/src/Common/Password.h
index 62fe23a7..5ccc44b3 100644
--- a/src/Common/Password.h
+++ b/src/Common/Password.h
@@ -14,8 +14,11 @@
// User text input limits
#define MIN_PASSWORD 1 // Minimum possible password length
#define MAX_PASSWORD 64 // Maximum possible password length
+#define MAX_PIN 10 // Maximum allowed digits in a PIN (enough for 32-bit value)
+#define MAX_BOOT_PIN 5 // Maximum allowed digits in a PIN for boot (enough for 16-bit value)
+#define MAX_BOOT_PIN_VALUE 65535
#define PASSWORD_LEN_WARNING 20 // Display a warning when a password is shorter than this
#ifdef __cplusplus
@@ -32,11 +35,11 @@ typedef struct
#if defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)
void VerifyPasswordAndUpdate ( HWND hwndDlg , HWND hButton , HWND hPassword , HWND hVerify , unsigned char *szPassword , char *szVerify, BOOL keyFilesEnabled );
-BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem);
+BOOL CheckPasswordLength (HWND hwndDlg, HWND hwndItem, int pin, BOOL bForBoot);
BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw);
-int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, BOOL truecryptMode, Password *newPassword, int pkcs5, int wipePassCount, HWND hwndDlg);
+int ChangePwd (const char *lpszVolume, Password *oldPassword, int old_pkcs5, int old_pin, BOOL truecryptMode, Password *newPassword, int pkcs5, int pin, int wipePassCount, HWND hwndDlg);
#endif // defined(_WIN32) && !defined(TC_WINDOWS_DRIVER)
#ifdef __cplusplus
diff --git a/src/Common/Pkcs5.c b/src/Common/Pkcs5.c
index 6585704c..adce567b 100644
--- a/src/Common/Pkcs5.c
+++ b/src/Common/Pkcs5.c
@@ -119,23 +119,26 @@ void hmac_sha256
burn(key, sizeof(key));
}
#endif
-static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_sha256_ctx* hmac)
+static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_sha256_ctx* hmac)
{
char* k = hmac->k;
char* u = hmac->u;
uint32 c;
int i;
#ifdef TC_WINDOWS_BOOT
- /* In bootloader, iterations is a boolean : TRUE for boot derivation mode, FALSE otherwise
+ /* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise)
+ * and the most significant 16 bits hold the pin value
* This enables us to save code space needed for implementing other features.
*/
- if (iterations)
- c = 200000;
+ c = iterations >> 16;
+ i = ((int) iterations) & 0x01;
+ if (i)
+ c = (c == 0)? 200000 : c << 11;
else
- c = 500000;
+ c = (c == 0)? 500000 : 15000 + c * 1000;
#else
c = iterations;
#endif
@@ -161,9 +164,9 @@ static void derive_u_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, i
}
}
-void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
{
hmac_sha256_ctx hmac;
int b, l, r;
#ifndef TC_WINDOWS_BOOT
@@ -304,13 +307,13 @@ void hmac_sha512
burn (&hmac, sizeof(hmac));
burn (key, sizeof(key));
}
-static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_sha512_ctx* hmac)
+static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_sha512_ctx* hmac)
{
char* k = hmac->k;
char* u = hmac->u;
- int c, i;
+ uint32 c, i;
/* iteration 1 */
memcpy (k, salt, salt_len); /* salt */
/* big-endian block number */
@@ -331,9 +334,9 @@ static void derive_u_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, i
}
}
-void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
{
hmac_sha512_ctx hmac;
int b, l, r;
char key[SHA512_DIGESTSIZE];
@@ -470,23 +473,26 @@ void hmac_ripemd160 (char *key, int keylen, char *input_digest, int len)
}
#endif
-static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_ripemd160_ctx* hmac)
+static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_ripemd160_ctx* hmac)
{
char* k = hmac->k;
char* u = hmac->u;
uint32 c;
int i;
#ifdef TC_WINDOWS_BOOT
- /* In bootloader, iterations is a boolean : TRUE for boot derivation mode, FALSE otherwise
+ /* In bootloader mode, least significant bit of iterations is a boolean (TRUE for boot derivation mode, FALSE otherwise)
+ * and the most significant 16 bits hold the pin value
* This enables us to save code space needed for implementing other features.
*/
- if (iterations)
- c = 327661;
+ c = iterations >> 16;
+ i = ((int) iterations) & 0x01;
+ if (i)
+ c = (c == 0)? 327661 : c << 11;
else
- c = 655331;
+ c = (c == 0)? 655331 : 15000 + c * 1000;
#else
c = iterations;
#endif
@@ -511,9 +517,9 @@ static void derive_u_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len
c--;
}
}
-void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
{
int b, l, r;
hmac_ripemd160_ctx hmac;
#ifndef TC_WINDOWS_BOOT
@@ -650,13 +656,13 @@ void hmac_whirlpool
/* Prevent leaks */
burn(&hmac, sizeof(hmac));
}
-static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, int b, hmac_whirlpool_ctx* hmac)
+static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, int b, hmac_whirlpool_ctx* hmac)
{
char* u = hmac->u;
char* k = hmac->k;
- int c, i;
+ uint32 c, i;
/* iteration 1 */
memcpy (k, salt, salt_len); /* salt */
/* big-endian block number */
@@ -676,9 +682,9 @@ static void derive_u_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len
}
}
}
-void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen)
+void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen)
{
hmac_whirlpool_ctx hmac;
char key[WHIRLPOOL_DIGESTSIZE];
int b, l, r;
@@ -750,30 +756,45 @@ char *get_pkcs5_prf_name (int pkcs5_prf_id)
}
-int get_pkcs5_iteration_count (int pkcs5_prf_id, BOOL truecryptMode, BOOL bBoot)
+int get_pkcs5_iteration_count (int pkcs5_prf_id, int pin, BOOL truecryptMode, BOOL bBoot)
{
+ if ( (pin < 0)
+ || (truecryptMode && pin > 0) /* No PIN for TrueCrypt mode */
+ )
+ {
+ return 0;
+ }
+
switch (pkcs5_prf_id)
{
case RIPEMD160:
if (truecryptMode)
return bBoot ? 1000 : 2000;
- else
+ else if (pin == 0)
return bBoot? 327661 : 655331;
+ else
+ {
+ return bBoot? pin * 2048 : 15000 + pin * 1000;
+ }
case SHA512:
- return truecryptMode? 1000 : 500000;
+ return truecryptMode? 1000 : ((pin == 0)? 500000 : 15000 + pin * 1000);
case WHIRLPOOL:
- return truecryptMode? 1000 : 500000;
+ return truecryptMode? 1000 : ((pin == 0)? 500000 : 15000 + pin * 1000);
case SHA256:
if (truecryptMode)
return 0; // SHA-256 not supported by TrueCrypt
- else
+ else if (pin == 0)
return bBoot? 200000 : 500000;
+ else
+ {
+ return bBoot? pin * 2048 : 15000 + pin * 1000;
+ }
default:
TC_THROW_FATAL_EXCEPTION; // Unknown/wrong ID
}
diff --git a/src/Common/Pkcs5.h b/src/Common/Pkcs5.h
index ef931397..d1dca7e3 100644
--- a/src/Common/Pkcs5.h
+++ b/src/Common/Pkcs5.h
@@ -19,23 +19,23 @@ extern "C"
{
#endif
/* output written to d which must be at lease 32 bytes long */
void hmac_sha256 (char *k, int lk, char *d, int ld);
-void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_sha256 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
/* output written to d which must be at lease 64 bytes long */
void hmac_sha512 (char *k, int lk, char *d, int ld);
-void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_sha512 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
/* output written to input_digest which must be at lease 20 bytes long */
void hmac_ripemd160 (char *key, int keylen, char *input_digest, int len);
-void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_ripemd160 (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
/* output written to d which must be at lease 64 bytes long */
void hmac_whirlpool (char *k, int lk, char *d, int ld);
-void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, int iterations, char *dk, int dklen);
+void derive_key_whirlpool (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);
-int get_pkcs5_iteration_count (int pkcs5_prf_id, BOOL truecryptMode, BOOL bBoot);
+int get_pkcs5_iteration_count (int pkcs5_prf_id, int pin, BOOL truecryptMode, BOOL bBoot);
char *get_pkcs5_prf_name (int pkcs5_prf_id);
#if defined(__cplusplus)
}
diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c
index 73598c64..567df7ee 100644
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -162,9 +162,9 @@ typedef struct
BOOL ReadVolumeHeaderRecoveryMode = FALSE;
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int selected_pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int selected_pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
{
char header[TC_VOLUME_HEADER_EFFECTIVE_SIZE];
KEY_INFO keyInfo;
PCRYPTO_INFO cryptoInfo;
@@ -273,9 +273,9 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
item->Pkcs5Prf = enqPkcs5Prf;
EncryptionThreadPoolBeginKeyDerivation (&keyDerivationCompletedEvent, &noOutstandingWorkItemEvent,
&item->KeyReady, &outstandingWorkItemCount, enqPkcs5Prf, keyInfo.userKey,
- keyInfo.keyLength, keyInfo.salt, get_pkcs5_iteration_count (enqPkcs5Prf, truecryptMode, bBoot), item->DerivedKey);
+ keyInfo.keyLength, keyInfo.salt, get_pkcs5_iteration_count (enqPkcs5Prf, pin, truecryptMode, bBoot), item->DerivedKey);
++queuedWorkItems;
break;
}
@@ -295,9 +295,9 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
item = &keyDerivationWorkItems[i];
if (!item->Free && InterlockedExchangeAdd (&item->KeyReady, 0) == TRUE)
{
pkcs5_prf = item->Pkcs5Prf;
- keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, truecryptMode, bBoot);
+ keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, pin, truecryptMode, bBoot);
memcpy (dk, item->DerivedKey, sizeof (dk));
item->Free = TRUE;
--queuedWorkItems;
@@ -313,9 +313,9 @@ KeyReady: ;
}
else
{
pkcs5_prf = enqPkcs5Prf;
- keyInfo.noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, truecryptMode, bBoot);
+ keyInfo.noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, pin, truecryptMode, bBoot);
switch (pkcs5_prf)
{
case RIPEMD160:
@@ -577,9 +577,9 @@ ret:
}
#else // TC_WINDOWS_BOOT
-int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
+int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, int pin, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
{
#ifdef TC_WINDOWS_BOOT_SINGLE_CIPHER_MODE
char dk[32 * 2]; // 2 * 256-bit key
#else
@@ -587,8 +587,11 @@ int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO
#endif
PCRYPTO_INFO cryptoInfo;
int status = ERR_SUCCESS;
+ uint32 iterations = pin;
+ iterations <<= 16;
+ iterations |= bBoot;
if (retHeaderCryptoInfo != NULL)
cryptoInfo = retHeaderCryptoInfo;
else
@@ -596,12 +599,12 @@ int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, PCRYPTO_INFO
// PKCS5 PRF
#ifdef TC_WINDOWS_BOOT_SHA2
derive_key_sha256 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,
- PKCS5_SALT_SIZE, bBoot, dk, sizeof (dk));
+ PKCS5_SALT_SIZE, iterations, dk, sizeof (dk));
#else
derive_key_ripemd160 (password->Text, (int) password->Length, header + HEADER_SALT_OFFSET,
- PKCS5_SALT_SIZE, bBoot, dk, sizeof (dk));
+ PKCS5_SALT_SIZE, iterations, dk, sizeof (dk));
#endif
// Mode of operation
cryptoInfo->mode = FIRST_MODE_OF_OPERATION_ID;
@@ -744,9 +747,9 @@ ret:
#endif
// Creates a volume header in memory
int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea, int mode, Password *password,
- int pkcs5_prf, char *masterKeydata, PCRYPTO_INFO *retInfo,
+ int pkcs5_prf, int pin, char *masterKeydata, PCRYPTO_INFO *retInfo,
unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize,
unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode)
{
unsigned char *p = (unsigned char *) header;
@@ -793,9 +796,9 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea,
// User key
memcpy (keyInfo.userKey, password->Text, nUserKeyLen);
keyInfo.keyLength = nUserKeyLen;
- keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, FALSE, bBoot);
+ keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, pin, FALSE, bBoot);
// User selected encryption algorithm
cryptoInfo->ea = ea;
diff --git a/src/Common/Volumes.h b/src/Common/Volumes.h
index 7021ab86..080589ff 100644
--- a/src/Common/Volumes.h
+++ b/src/Common/Volumes.h
@@ -126,15 +126,15 @@ extern BOOL ReadVolumeHeaderRecoveryMode;
uint16 GetHeaderField16 (byte *header, int offset);
uint32 GetHeaderField32 (byte *header, int offset);
UINT64_STRUCT GetHeaderField64 (byte *header, int offset);
#ifdef TC_WINDOWS_BOOT
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pin, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
#else
-int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pkcs5_prf, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
+int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pkcs5_prf, int pin, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
#endif
#if !defined (DEVICE_DRIVER) && !defined (TC_WINDOWS_BOOT)
-int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *encryptedHeader, int ea, int mode, Password *password, int pkcs5_prf, char *masterKeydata, PCRYPTO_INFO *retInfo, unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize, unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode);
+int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *encryptedHeader, int ea, int mode, Password *password, int pkcs5_prf, int pin, char *masterKeydata, PCRYPTO_INFO *retInfo, unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize, unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode);
BOOL ReadEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header, DWORD *bytesRead);
BOOL WriteEffectiveVolumeHeader (BOOL device, HANDLE fileHandle, byte *header);
int WriteRandomDataToReservedHeaderAreas (HWND hwndDlg, HANDLE dev, CRYPTO_INFO *cryptoInfo, uint64 dataAreaSize, BOOL bPrimaryOnly, BOOL bBackupOnly);
#endif