+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ bool m_masterKeyVulnerable;

+ ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled), m_masterKeyVulnerable(false) {}

+ virtual void ExecutionCode(void) {

+ shared_ptr <Volume> openVolume = Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount);

+ m_masterKeyVulnerable = openVolume->IsMasterKeyVulnerable();

+ }

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+#if defined(TC_UNIX)

+ ,AllowInsecureMount (false)

+#endif

+ shared_ptr <Volume> CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const

+ return volume;

+ uint8 *bootSector = bootSectorBuffer.Ptr();

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ virtual shared_ptr <Volume> ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const;

+

+#if defined(TC_UNIX)

+ virtual bool IsProtectedSystemDirectory (const DirectoryPath &directory) const = 0;

+ virtual bool IsDirectoryOnUserPath(const DirectoryPath &directory) const = 0;

+ virtual void SetAllowInsecureMount (bool allowInsecureMount) { AllowInsecureMount = allowInsecureMount; }

+ virtual bool GetAllowInsecureMount () const { return AllowInsecureMount; }

+ virtual void SetUserEnvPATH (const string &path) { UserEnvPATH = path; }

+ virtual string GetUserEnvPATH () const { return UserEnvPATH; }

+

+ string UserEnvPATH;

+

+#if defined(TC_UNIX)

+ bool AllowInsecureMount;

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ static void PutBoot (fatparams * ft, uint8 *boot, uint32 volumeId)

+ static void PutFSInfo (uint8 *sector, fatparams *ft)

+ RandomNumberGenerator::GetDataFast (BufferPtr ((uint8 *) &volumeId, sizeof (volumeId)));

+ PutBoot (ft, (uint8 *) sector, volumeId);

+ PutFSInfo((uint8 *) sector, ft);

+ PutBoot (ft, (uint8 *) sector, volumeId);

+ PutFSInfo((uint8 *) sector, ft);

+ uint8 fat_sig[12];

+ fat_sig[0] = (uint8) ft->media;

+ fat_sig[0] = (uint8) ft->media;

+ fat_sig[0] = (uint8) ft->media;

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ uint8* pbBuffer = buffer.Get();

+ #ifndef WOLFCRYPT_BACKEND

+ PoolHash.reset (new Blake2s());

+ #else

+ PoolHash.reset (new Sha256());

+ #endif

+ buffer[0] = (uint8) i;

+ #ifndef WOLFCRYPT_BACKEND

+ #else

+ if (Crc32::ProcessBuffer (Pool) != 0xac95ac1a)

+ #endif

+ throw TestFailed (SRC_POS);

+ #ifndef WOLFCRYPT_BACKEND

+ if (Crc32::ProcessBuffer (Pool) != 0xd2d09c8d)

+ #else

+ if (Crc32::ProcessBuffer (Pool) != 0xb79f3c12)

+ #endif

+ throw TestFailed (SRC_POS);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ uint8 b;

+ // Update Core properties based on the received request

+ Core->SetUserEnvPATH (request->UserEnvPATH);

+ Core->ForceUseDummySudoPassword(request->UseDummySudoPassword);

+ Core->SetAllowInsecureMount(request->AllowInsecureMount);

+

+ // Copy Core properties to the request so that they can be transferred to the elevated process

+ request.ApplicationExecutablePath = Core->GetApplicationExecutablePath();

+ request.UserEnvPATH = Core->GetUserEnvPATH();

+ request.UseDummySudoPassword = Core->GetUseDummySudoPassword();

+ request.AllowInsecureMount = Core->GetAllowInsecureMount();

+

+

+ {

+ // We are using -n to avoid prompting the user for a password.

+ // We are redirecting stderr to stdout and discarding both to avoid any output.

+ // This approach also works on newer macOS versions (12.0 and later).

+ std::string errorMsg;

+

+ string sudoAbsolutePath = Process::FindSystemBinary("sudo", errorMsg);

+ if (sudoAbsolutePath.empty())

+ throw SystemException(SRC_POS, errorMsg);

+

+ string trueAbsolutePath = Process::FindSystemBinary("true", errorMsg);

+ if (trueAbsolutePath.empty())

+ throw SystemException(SRC_POS, errorMsg);

+

+ std::string popenCommand = sudoAbsolutePath + " -n " + trueAbsolutePath + " > /dev/null 2>&1"; // We redirect stderr to stdout (2>&1) to be able to catch the result of the command

+ FILE* pipe = popen(popenCommand.c_str(), "r");

+ // We only care about the exit code

+ char buf[128];

+ while (!feof(pipe))

+ {

+ if (fgets(buf, sizeof(buf), pipe) == NULL)

+ break;

+ }

+ int status = pclose(pipe);

+ authCheckDone = true;

+

+ // If exit code != 0, user does NOT have an active session => request password

+ if (status != 0)

+ {

+ (*AdminPasswordCallback)(request.AdminPassword);

+

+

+ // Throw exception if sudo is not found in secure locations

+ std::string errorMsg;

+ string sudoPath = Process::FindSystemBinary("sudo", errorMsg);

+ if (sudoPath.empty())

+ throw SystemException(SRC_POS, errorMsg);

+

+ string appPath = request.ApplicationExecutablePath;

+ // if appPath is empty or not absolute, use FindSystemBinary to get the full path of veracrpyt executable

+ if (appPath.empty() || appPath[0] != '/')

+ {

+ appPath = Process::FindSystemBinary("veracrypt", errorMsg);

+ if (appPath.empty())

+ throw SystemException(SRC_POS, errorMsg);

+ }

+

+ const char *args[] = { sudoPath.c_str(), "-S", "-p", "", appPath.c_str(), TC_CORE_SERVICE_CMDLINE_OPTION, nullptr };

+ shared_ptr <Stream> stream (new MemoryStream (ConstBufferPtr ((uint8 *) &errOutput[0], errOutput.size())));

+ uint8 sync[] = { 0, 0x11, 0x22 };

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ sr.Deserialize ("UserEnvPATH", UserEnvPATH);

+ sr.Deserialize ("UseDummySudoPassword", UseDummySudoPassword);

+ sr.Deserialize ("AllowInsecureMount", AllowInsecureMount);

+ sr.Serialize ("UserEnvPATH", UserEnvPATH);

+ sr.Serialize ("UseDummySudoPassword", UseDummySudoPassword);

+ sr.Serialize ("AllowInsecureMount", AllowInsecureMount);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ CoreServiceRequest () : ElevateUserPrivileges (false), FastElevation (false), UseDummySudoPassword (false), AllowInsecureMount (false) { }

+ string UserEnvPATH;

+ bool UseDummySudoPassword;

+ bool AllowInsecureMount;

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ // Struct to hold terminal emulator information

+ struct TerminalInfo {

+ const char* name;

+ const char** args;

+ const char** dependency_path;

+ };

+

+ // Popular terminal emulators data and arguments

+ static const char* xterm_args[] = {"-T", "fsck", "-e", NULL};

+

+ static const char* gnome_args[] = {"--title", "fsck", "--", "sh", "-c", NULL};

+ static const char* gnome_deps[] = {"dbus-launch", NULL};

+

+ static const char* konsole_args[] = {"--hold", "-p", "tabtitle=fsck", "-e", "sh", "-c", NULL};

+ static const char* xfce4_args[] = {"--title=fsck", "-x", "sh", "-c", NULL};

+ static const char* mate_args[] = {"--title", "fsck", "--", "sh", "-c", NULL};

+ static const char* lxterminal_args[] = {"--title=fsck", "-e", "sh", "-c", NULL};

+ static const char* terminator_args[] = {"-T", "fsck", "-x", "sh", "-c", NULL};

+ static const char* urxvt_args[] = {"-title", "fsck", "-e", "sh", "-c", NULL};

+ static const char* st_args[] = {"-t", "fsck", "-e", "sh", "-c", NULL};

+

+ // List of popular terminal emulators

+ static const TerminalInfo TERMINALS[] = {

+ {"xterm", xterm_args, NULL},

+ {"gnome-terminal", gnome_args, gnome_deps},

+ {"konsole", konsole_args, NULL},

+ {"xfce4-terminal", xfce4_args, NULL},

+ {"mate-terminal", mate_args, NULL},

+ {"lxterminal", lxterminal_args, NULL},

+ {"terminator", terminator_args, NULL},

+ {"urxvt", urxvt_args, NULL},

+ {"st", st_args, NULL},

+ {NULL, NULL, NULL}

+ };

+

+ // Find system fsck first

+ std::string errorMsg;

+ std::string fsckPath = Process::FindSystemBinary("fsck", errorMsg);

+ if (fsckPath.empty()) {

+ throw SystemException(SRC_POS, errorMsg);

+ }

+ list <string> args;

+ string xargs = fsckPath + " "; // Use absolute fsck path

+ // Try each terminal

+ for (const TerminalInfo* term = TERMINALS; term->name != NULL; ++term) {

+ errno = 0;

+ std::string termPath = Process::FindSystemBinary(term->name, errorMsg);

+ if (termPath.length() > 0) {

+ // check dependencies

+ if (term->dependency_path) {

+ bool depFound = true;

+ for (const char** dep = term->dependency_path; *dep != NULL; ++dep) {

+ string depPath = Process::FindSystemBinary(*dep, errorMsg);

+ if (depPath.empty()) {

+ depFound = false;

+ break;

+ }

+ }

+ if (!depFound) {

+ continue; // dependency not found, skip

+ }

+ }

+

+ // Build args

+ std::list<std::string> args;

+ for (const char** arg = term->args; *arg != NULL; ++arg) {

+ args.push_back(*arg);

+ }

+ args.push_back(xargs);

+

+ try {

+ Process::Execute (termPath, args, 1000);

+ return;

+ }

+ catch (TimeOut&) {

+ return;

+ }

+ catch (SystemException&) {

+ // Continue to next terminal

+ }

+

+ throw TerminalNotFound();

+ uint8 *b = bootSector.Ptr();

+ // Introduce a retry mechanism with a timeout for control file access

+ // This workaround is limited to FUSE-T mounted volume under macOS for

+ // which md.Device starts with "fuse-t:"

+#ifdef VC_MACOSX_FUSET

+ bool isFuseT = wstring(mf.Device).find(L"fuse-t:") == 0;

+ int controlFileRetries = 10; // 10 retries with 500ms sleep each, total 5 seconds

+ while (!mountedVol && (controlFileRetries-- > 0))

+#endif

+ try

+ {

+ shared_ptr <File> controlFile (new File);

+ controlFile->Open (string (mf.MountPoint) + FuseService::GetControlPath());

+ shared_ptr <Stream> controlFileStream (new FileStream (controlFile));

+ mountedVol = Serializable::DeserializeNew <VolumeInfo> (controlFileStream);

+ }

+ catch (const std::exception& e)

+ {

+#ifdef VC_MACOSX_FUSET

+ // if exception starts with "VeraCrypt::Serializer::ValidateName", then

+ // serialization is not ready yet and we need to wait before retrying

+ // this happens when FUSE-T is used under macOS and if it is the first time

+ // the volume is mounted

+ if (isFuseT && string (e.what()).find ("VeraCrypt::Serializer::ValidateName") != string::npos)

+ {

+ Thread::Sleep(500); // Wait before retrying

+ }

+ else

+ {

+ break; // Control file not found or other error

+ }

+#endif

+ }

+

+ if (!mountedVol)

+ continue; // Skip to the next mounted filesystem

+ if (options.MountPoint && !options.MountPoint->IsEmpty())

+ {

+ // Reject if the mount point is a system directory

+ if (IsProtectedSystemDirectory(*options.MountPoint))

+ throw MountPointBlocked (SRC_POS);

+

+ // Reject if the mount point is in the user's PATH and the user has not explicitly allowed insecure mount points

+ if (!GetAllowInsecureMount() && IsDirectoryOnUserPath(*options.MountPoint))

+ throw MountPointNotAllowed (SRC_POS);

+ }

+

+

+ bool CoreUnix::IsProtectedSystemDirectory (const DirectoryPath &directory) const

+ {

+ static const char* systemDirs[] = {

+ "/usr",

+ "/bin",

+ "/sbin",

+ "/lib",

+#ifdef TC_LINUX

+ "/lib32",

+ "/lib64",

+ "/libx32",

+#endif

+ "/etc",

+ "/boot",

+ "/root",

+ "/proc",

+ "/sys",

+ "/dev",

+ NULL

+ };

+

+ // Resolve any symlinks in the path

+ string path(directory);

+ char* resolvedPathCStr = realpath(path.c_str(), NULL);

+ if (resolvedPathCStr)

+ {

+ path = resolvedPathCStr;

+ free(resolvedPathCStr); // Free the allocated memory

+ }

+

+ // reject of the path is the root directory "/"

+ if (path == "/")

+ return true;

+

+ // Check if resolved path matches any system directory

+ for (int i = 0; systemDirs[i] != NULL; ++i)

+ {

+ if (path == systemDirs[i] || path.find(string(systemDirs[i]) + "/") == 0)

+ return true;

+ }

+

+ return false;

+ }

+

+ bool CoreUnix::IsDirectoryOnUserPath(const DirectoryPath &directory) const

+ {

+ // Obtain the PATH environment variable

+ const char* pathEnv = UserEnvPATH.c_str();

+ if (!pathEnv[0])

+ return false;

+

+ // Resolve the given directory

+ string dirPath(directory);

+ char* resolvedDir = realpath(dirPath.c_str(), NULL);

+ if (resolvedDir)

+ {

+ dirPath = resolvedDir;

+ free(resolvedDir);

+ }

+

+ // Split PATH and compare each entry

+ stringstream ss(pathEnv);

+ string token;

+ while (getline(ss, token, ':'))

+ {

+ // remove any trailing slashes from the token

+ while (!token.empty() && token.back() == '/')

+ token.pop_back();

+

+ if (token.empty())

+ continue;

+

+ // check if the directory is the same as the entry or a subdirectory

+ if (dirPath == token || dirPath.find(token + "/") == 0)

+ return true;

+

+ // handle the case where the PATH entry is a symlink

+ char* resolvedEntry = realpath(token.c_str(), NULL);

+ if (!resolvedEntry)

+ continue; // skip to the next entry since the path does not exist

+

+ string entryPath(resolvedEntry);

+ free(resolvedEntry);

+

+ // remove any trailing slashes from the token

+ while (!entryPath.empty() && entryPath.back() == '/')

+ entryPath.pop_back();

+

+ // perform check again if the resolved path is different from the original (symlink)

+ if (dirPath == entryPath || dirPath.find(entryPath + "/") == 0)

+ return true;

+ }

+

+ return false;

+ }

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ virtual bool IsProtectedSystemDirectory (const DirectoryPath &directory) const;

+ virtual bool IsDirectoryOnUserPath(const DirectoryPath &directory) const;

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ string dev = StringConverter::Trim (Process::Execute ("/sbin/mdconfig", args));

+ Process::Execute ("/sbin/mdconfig", args);

+ foreach (const string &busType, StringConverter::Split ("ad da vtbd"))

+ std::string chosenFilesystem = "msdos";

+ std::string modifiedMountOptions = systemMountOptions;

+

+ if (filesystemType.empty() && modifiedMountOptions.find("mountprog") == string::npos) {

+ // No filesystem type specified through CLI, attempt to identify with blkid

+ // as mount is unable to probe filesystem type on BSD

+ // Make sure we don't override user defined mountprog

+ std::vector<char> buffer(128,0);

+ std::string cmd = "blkid -o value -s TYPE " + static_cast<std::string>(devicePath) + " 2>/dev/null";

+ std::string result;

+

+ FILE* pipe = popen(cmd.c_str(), "r");

+ if (pipe) {

+ while (!feof(pipe)) {

+ if (fgets(buffer.data(), 128, pipe) != nullptr)

+ result += buffer.data();

+ }

+ fflush(pipe);

+ pclose(pipe);

+ pipe = nullptr;

+ }

+

+ if (result.find("ext") == 0 || StringConverter::ToLower(filesystemType).find("ext") == 0) {

+ chosenFilesystem = "ext2fs";

+ }

+ else if (result.find("exfat") == 0 || StringConverter::ToLower(filesystemType) == "exfat") {

+ chosenFilesystem = "exfat";

+ modifiedMountOptions += string(!systemMountOptions.empty() ? "," : "")

+ + "mountprog=/usr/local/sbin/mount.exfat";

+ }

+ else if (result.find("ntfs") == 0 || StringConverter::ToLower(filesystemType) == "ntfs") {

+ chosenFilesystem = "ntfs";

+ modifiedMountOptions += string(!systemMountOptions.empty() ? "," : "")

+ + "mountprog=/usr/local/bin/ntfs-3g";

+ }

+ else if (!filesystemType.empty()) {

+ // Filesystem is specified but is none of the above, then supply as is

+ chosenFilesystem = filesystemType;

+ }

+ } else

+ chosenFilesystem = filesystemType;

+

+ CoreUnix::MountFilesystem (devicePath, mountPoint, chosenFilesystem, readOnly, modifiedMountOptions);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+#ifdef WOLFCRYPT_BACKEND

+#include "Volume/EncryptionModeWolfCryptXTS.h"

+#endif

+ bool xts = (typeid (*volume->GetEncryptionMode()) ==

+ #ifdef WOLFCRYPT_BACKEND

+ typeid (EncryptionModeWolfCryptXTS));

+ #else

+ typeid (EncryptionModeXTS));

+ #endif

+ bool algoNotSupported = (typeid (*volume->GetEncryptionAlgorithm()) == typeid (Kuznyechik))

+ dmCreateArgsBuf.CopyFrom (ConstBufferPtr ((uint8 *) dmCreateArgs.str().c_str(), dmCreateArgs.str().size()));

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ Process::Execute ("/usr/bin/hdiutil", args);

+ Process::Execute ("/sbin/umount", args);

+ struct stat sb;

+

+ if (stat("/Applications/Utilities/Disk Utility.app", &sb) == 0)

+ args.push_back ("/Applications/Utilities/Disk Utility.app");

+ else

+ args.push_back ("/System/Applications/Utilities/Disk Utility.app");

+

+ Process::Execute ("/usr/bin/open", args);

+#ifndef VC_MACOSX_FUSET

+#endif

+ xml = Process::Execute ("/usr/bin/hdiutil", args);

+ Process::Execute ("/usr/bin/hdiutil", args);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ Process::Execute ("/sbin/vnconfig", args);

+ Process::Execute ("/sbin/vnconfig", args);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ return StringConverter::Trim (Process::Execute ("/usr/sbin/lofiadm", args));

+ Process::Execute ("/usr/sbin/lofiadm", args);

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX

+#ifdef WOLFCRYPT_BACKEND

+#include "Volume/EncryptionModeWolfCryptXTS.h"

+#endif

+ #ifdef WOLFCRYPT_BACKEND

+ shared_ptr <EncryptionMode> mode (new EncryptionModeWolfCryptXTS ());

+ options->EA->SetKeyXTS (MasterKey.GetRange (options->EA->GetKeySize(), options->EA->GetKeySize()));

+ #else

+ shared_ptr <EncryptionMode> mode (new EncryptionModeXTS ());

+ #endif

+ mode->SetKey (MasterKey.GetRange (options->EA->GetKeySize(), options->EA->GetKeySize()));

+ and all other portions of this file are Copyright (c) 2013-2025 IDRIX