diff options
Diffstat (limited to 'src/Core')
-rw-r--r-- | src/Core/Core.h | 38 | ||||
-rw-r--r-- | src/Core/CoreBase.cpp | 38 | ||||
-rw-r--r-- | src/Core/CoreBase.h | 15 | ||||
-rw-r--r-- | src/Core/FatFormatter.cpp | 22 | ||||
-rw-r--r-- | src/Core/MountOptions.cpp | 9 | ||||
-rw-r--r-- | src/Core/MountOptions.h | 5 | ||||
-rw-r--r-- | src/Core/RandomNumberGenerator.cpp | 98 | ||||
-rw-r--r-- | src/Core/RandomNumberGenerator.h | 3 | ||||
-rw-r--r-- | src/Core/Unix/CoreService.cpp | 95 | ||||
-rw-r--r-- | src/Core/Unix/CoreService.h | 12 | ||||
-rw-r--r-- | src/Core/Unix/CoreServiceProxy.h | 6 | ||||
-rw-r--r-- | src/Core/Unix/CoreUnix.cpp | 186 | ||||
-rw-r--r-- | src/Core/Unix/FreeBSD/CoreFreeBSD.cpp | 51 | ||||
-rw-r--r-- | src/Core/Unix/Linux/CoreLinux.cpp | 24 | ||||
-rw-r--r-- | src/Core/Unix/MacOSX/CoreMacOSX.cpp | 23 | ||||
-rw-r--r-- | src/Core/Unix/OpenBSD/CoreOpenBSD.cpp | 164 | ||||
-rw-r--r-- | src/Core/Unix/OpenBSD/CoreOpenBSD.h | 44 | ||||
-rw-r--r-- | src/Core/Unix/OpenBSD/System.h | 19 | ||||
-rw-r--r-- | src/Core/Unix/Solaris/CoreSolaris.cpp | 4 | ||||
-rw-r--r-- | src/Core/VolumeCreator.cpp | 19 | ||||
-rw-r--r-- | src/Core/VolumeCreator.h | 71 |
21 files changed, 791 insertions, 155 deletions
diff --git a/src/Core/Core.h b/src/Core/Core.h index 97e35b25..b9e53021 100644 --- a/src/Core/Core.h +++ b/src/Core/Core.h @@ -17,8 +17,8 @@ namespace VeraCrypt { - extern auto_ptr <CoreBase> Core; - extern auto_ptr <CoreBase> CoreDirect; + extern unique_ptr <CoreBase> Core; + extern unique_ptr <CoreBase> CoreDirect; class WaitThreadRoutine { @@ -75,16 +75,20 @@ namespace VeraCrypt shared_ptr <VolumePassword> m_password; int m_pim; shared_ptr <Pkcs5Kdf> m_kdf; - bool m_truecryptMode; shared_ptr <KeyfileList> m_keyfiles; shared_ptr <VolumePassword> m_newPassword; int m_newPim; shared_ptr <KeyfileList> m_newKeyfiles; shared_ptr <Pkcs5Kdf> m_newPkcs5Kdf; int m_wipeCount; - ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_truecryptMode(truecryptMode), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount) {} + bool m_emvSupportEnabled; + bool m_masterKeyVulnerable; + ChangePasswordThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount, bool emvSupportEnabled) : m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_kdf(kdf), m_keyfiles(keyfiles), m_newPassword(newPassword), m_newPim(newPim), m_newKeyfiles(newKeyfiles), m_newPkcs5Kdf(newPkcs5Kdf), m_wipeCount(wipeCount), m_emvSupportEnabled(emvSupportEnabled), m_masterKeyVulnerable(false) {} virtual ~ChangePasswordThreadRoutine() { } - virtual void ExecutionCode(void) { Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_truecryptMode, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_newPkcs5Kdf, m_wipeCount); } + virtual void ExecutionCode(void) { + shared_ptr <Volume> openVolume = Core->ChangePassword(m_volumePath, m_preserveTimestamps, m_password, m_pim, m_kdf, m_keyfiles, m_newPassword, m_newPim, m_newKeyfiles, m_emvSupportEnabled, m_newPkcs5Kdf, m_wipeCount); + m_masterKeyVulnerable = openVolume->IsMasterKeyVulnerable(); + } }; class OpenVolumeThreadRoutine : public WaitThreadRoutine @@ -95,7 +99,6 @@ namespace VeraCrypt shared_ptr <VolumePassword> m_password; int m_pim; shared_ptr<Pkcs5Kdf> m_Kdf; - bool m_truecryptMode; shared_ptr <KeyfileList> m_keyfiles; VolumeProtection::Enum m_protection; shared_ptr <VolumePassword> m_protectionPassword; @@ -107,15 +110,16 @@ namespace VeraCrypt bool m_useBackupHeaders; bool m_partitionInSystemEncryptionScope; shared_ptr <Volume> m_pVolume; + bool m_emvSupportEnabled; - OpenVolumeThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> Kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, VolumeProtection::Enum protection = VolumeProtection::None, shared_ptr <VolumePassword> protectionPassword = shared_ptr <VolumePassword> (), int protectionPim = 0, shared_ptr<Pkcs5Kdf> protectionKdf = shared_ptr<Pkcs5Kdf> (), shared_ptr <KeyfileList> protectionKeyfiles = shared_ptr <KeyfileList> (), bool sharedAccessAllowed = false, VolumeType::Enum volumeType = VolumeType::Unknown, bool useBackupHeaders = false, bool partitionInSystemEncryptionScope = false): - m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_Kdf(Kdf), m_truecryptMode(truecryptMode), m_keyfiles(keyfiles), + OpenVolumeThreadRoutine(shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> Kdf, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled, VolumeProtection::Enum protection = VolumeProtection::None, shared_ptr <VolumePassword> protectionPassword = shared_ptr <VolumePassword> (), int protectionPim = 0, shared_ptr<Pkcs5Kdf> protectionKdf = shared_ptr<Pkcs5Kdf> (), shared_ptr <KeyfileList> protectionKeyfiles = shared_ptr <KeyfileList> (), bool sharedAccessAllowed = false, VolumeType::Enum volumeType = VolumeType::Unknown, bool useBackupHeaders = false, bool partitionInSystemEncryptionScope = false): + m_volumePath(volumePath), m_preserveTimestamps(preserveTimestamps), m_password(password), m_pim(pim), m_Kdf(Kdf), m_keyfiles(keyfiles), m_protection(protection), m_protectionPassword(protectionPassword), m_protectionPim(protectionPim), m_protectionKdf(protectionKdf), m_protectionKeyfiles(protectionKeyfiles), m_sharedAccessAllowed(sharedAccessAllowed), m_volumeType(volumeType),m_useBackupHeaders(useBackupHeaders), - m_partitionInSystemEncryptionScope(partitionInSystemEncryptionScope) {} + m_partitionInSystemEncryptionScope(partitionInSystemEncryptionScope), m_emvSupportEnabled(emvSupportEnabled) {} ~OpenVolumeThreadRoutine() {} - virtual void ExecutionCode(void) { m_pVolume = Core->OpenVolume(m_volumePath,m_preserveTimestamps,m_password,m_pim,m_Kdf,m_truecryptMode,m_keyfiles, m_protection,m_protectionPassword,m_protectionPim,m_protectionKdf, m_protectionKeyfiles,m_sharedAccessAllowed,m_volumeType,m_useBackupHeaders, m_partitionInSystemEncryptionScope); } + virtual void ExecutionCode(void) { m_pVolume = Core->OpenVolume(m_volumePath,m_preserveTimestamps,m_password,m_pim,m_Kdf,m_keyfiles, m_emvSupportEnabled, m_protection,m_protectionPassword,m_protectionPim,m_protectionKdf, m_protectionKeyfiles,m_sharedAccessAllowed,m_volumeType,m_useBackupHeaders, m_partitionInSystemEncryptionScope); } }; @@ -127,10 +131,11 @@ namespace VeraCrypt shared_ptr <VolumePassword> m_password; int m_pim; shared_ptr <KeyfileList> m_keyfiles; - ReEncryptHeaderThreadRoutine(const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles) - : m_newHeaderBuffer(newHeaderBuffer), m_header(header), m_password(password), m_pim(pim), m_keyfiles(keyfiles) {} + bool m_emvSupportEnabled; + ReEncryptHeaderThreadRoutine(const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled) + : m_newHeaderBuffer(newHeaderBuffer), m_header(header), m_password(password), m_pim(pim), m_keyfiles(keyfiles), m_emvSupportEnabled(emvSupportEnabled) {} virtual ~ReEncryptHeaderThreadRoutine() { } - virtual void ExecutionCode(void) { Core->ReEncryptVolumeHeaderWithNewSalt (m_newHeaderBuffer, m_header, m_password, m_pim, m_keyfiles); } + virtual void ExecutionCode(void) { Core->ReEncryptVolumeHeaderWithNewSalt (m_newHeaderBuffer, m_header, m_password, m_pim, m_keyfiles, m_emvSupportEnabled); } }; class DecryptThreadRoutine : public WaitThreadRoutine @@ -141,15 +146,14 @@ namespace VeraCrypt const VolumePassword &m_password; int m_pim; shared_ptr <Pkcs5Kdf> m_kdf; - bool m_truecryptMode; const Pkcs5KdfList &m_keyDerivationFunctions; const EncryptionAlgorithmList &m_encryptionAlgorithms; const EncryptionModeList &m_encryptionModes; bool m_bResult; - DecryptThreadRoutine(shared_ptr <VolumeHeader> header, const ConstBufferPtr &encryptedData, const VolumePassword &password, int pim, shared_ptr <Pkcs5Kdf> kdf, bool truecryptMode, const Pkcs5KdfList &keyDerivationFunctions, const EncryptionAlgorithmList &encryptionAlgorithms, const EncryptionModeList &encryptionModes) - : m_pHeader(header), m_encryptedData(encryptedData), m_password(password), m_pim(pim), m_kdf(kdf), m_truecryptMode(truecryptMode), m_keyDerivationFunctions(keyDerivationFunctions), m_encryptionAlgorithms(encryptionAlgorithms), m_encryptionModes(encryptionModes), m_bResult(false){} + DecryptThreadRoutine(shared_ptr <VolumeHeader> header, const ConstBufferPtr &encryptedData, const VolumePassword &password, int pim, shared_ptr <Pkcs5Kdf> kdf, const Pkcs5KdfList &keyDerivationFunctions, const EncryptionAlgorithmList &encryptionAlgorithms, const EncryptionModeList &encryptionModes) + : m_pHeader(header), m_encryptedData(encryptedData), m_password(password), m_pim(pim), m_kdf(kdf), m_keyDerivationFunctions(keyDerivationFunctions), m_encryptionAlgorithms(encryptionAlgorithms), m_encryptionModes(encryptionModes), m_bResult(false){} virtual ~DecryptThreadRoutine() { } - virtual void ExecutionCode(void) { m_bResult = m_pHeader->Decrypt(m_encryptedData, m_password, m_pim, m_kdf, m_truecryptMode, m_keyDerivationFunctions, m_encryptionAlgorithms, m_encryptionModes); } + virtual void ExecutionCode(void) { m_bResult = m_pHeader->Decrypt(m_encryptedData, m_password, m_pim, m_kdf, m_keyDerivationFunctions, m_encryptionAlgorithms, m_encryptionModes); } }; class WaitThreadUI diff --git a/src/Core/CoreBase.cpp b/src/Core/CoreBase.cpp index c22a50c0..0c6d5c9e 100644 --- a/src/Core/CoreBase.cpp +++ b/src/Core/CoreBase.cpp @@ -20,6 +20,9 @@ namespace VeraCrypt { CoreBase::CoreBase () : DeviceChangeInProgress (false) +#if defined(TC_LINUX ) || defined (TC_FREEBSD) + , UseDummySudoPassword (false) +#endif { } @@ -27,20 +30,14 @@ namespace VeraCrypt { } - void CoreBase::ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const + void CoreBase::ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const { if ((!newPassword || newPassword->Size() < 1) && (!newKeyfiles || newKeyfiles->empty())) throw PasswordEmpty (SRC_POS); if (!newPkcs5Kdf) { - if (openVolume->GetPkcs5Kdf()->GetTrueCryptMode ()) - { - newPkcs5Kdf.reset (openVolume->GetPkcs5Kdf()->Clone()); - newPkcs5Kdf->SetTrueCryptMode (false); - } - else - newPkcs5Kdf = openVolume->GetPkcs5Kdf(); + newPkcs5Kdf = openVolume->GetPkcs5Kdf(); } if ((openVolume->GetHeader()->GetFlags() & TC_HEADER_FLAG_ENCRYPTED_SYSTEM) != 0 @@ -55,7 +52,7 @@ namespace VeraCrypt SecureBuffer newSalt (openVolume->GetSaltSize()); SecureBuffer newHeaderKey (VolumeHeader::GetLargestSerializedKeySize()); - shared_ptr <VolumePassword> password (Keyfile::ApplyListToPassword (newKeyfiles, newPassword)); + shared_ptr <VolumePassword> password (Keyfile::ApplyListToPassword (newKeyfiles, newPassword, emvSupportEnabled)); bool backupHeader = false; while (true) @@ -80,10 +77,11 @@ namespace VeraCrypt } } - void CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const + shared_ptr <Volume> CoreBase::ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf, int wipeCount) const { - shared_ptr <Volume> volume = OpenVolume (volumePath, preserveTimestamps, password, pim, kdf, truecryptMode, keyfiles); - ChangePassword (volume, newPassword, newPim, newKeyfiles, newPkcs5Kdf, wipeCount); + shared_ptr <Volume> volume = OpenVolume (volumePath, preserveTimestamps, password, pim, kdf, keyfiles, emvSupportEnabled); + ChangePassword (volume, newPassword, newPim, newKeyfiles, emvSupportEnabled, newPkcs5Kdf, wipeCount); + return volume; } void CoreBase::CoalesceSlotNumberAndMountPoint (MountOptions &options) const @@ -147,7 +145,7 @@ namespace VeraCrypt outerVolume->ReadSectors (bootSectorBuffer, 0); int fatType; - byte *bootSector = bootSectorBuffer.Ptr(); + uint8 *bootSector = bootSectorBuffer.Ptr(); if (memcmp (bootSector + 54, "FAT12", 5) == 0) fatType = 12; @@ -251,13 +249,17 @@ namespace VeraCrypt bool CoreBase::IsVolumeMounted (const VolumePath &volumePath) const { - return GetMountedVolume (volumePath); + shared_ptr<VolumeInfo> mountedVolume = GetMountedVolume (volumePath); + if (mountedVolume) + return true; + else + return false; } - shared_ptr <Volume> CoreBase::OpenVolume (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, VolumeProtection::Enum protection, shared_ptr <VolumePassword> protectionPassword, int protectionPim, shared_ptr<Pkcs5Kdf> protectionKdf, shared_ptr <KeyfileList> protectionKeyfiles, bool sharedAccessAllowed, VolumeType::Enum volumeType, bool useBackupHeaders, bool partitionInSystemEncryptionScope) const + shared_ptr <Volume> CoreBase::OpenVolume (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled, VolumeProtection::Enum protection, shared_ptr <VolumePassword> protectionPassword, int protectionPim, shared_ptr<Pkcs5Kdf> protectionKdf, shared_ptr <KeyfileList> protectionKeyfiles, bool sharedAccessAllowed, VolumeType::Enum volumeType, bool useBackupHeaders, bool partitionInSystemEncryptionScope) const { make_shared_auto (Volume, volume); - volume->Open (*volumePath, preserveTimestamps, password, pim, kdf, truecryptMode, keyfiles, protection, protectionPassword, protectionPim, protectionKdf, protectionKeyfiles, sharedAccessAllowed, volumeType, useBackupHeaders, partitionInSystemEncryptionScope); + volume->Open (*volumePath, preserveTimestamps, password, pim, kdf, keyfiles, emvSupportEnabled, protection, protectionPassword, protectionPim, protectionKdf, protectionKeyfiles, sharedAccessAllowed, volumeType, useBackupHeaders, partitionInSystemEncryptionScope); return volume; } @@ -272,7 +274,7 @@ namespace VeraCrypt encryptionAlgorithm->GetMode()->SetKey (modeKey); } - void CoreBase::ReEncryptVolumeHeaderWithNewSalt (const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles) const + void CoreBase::ReEncryptVolumeHeaderWithNewSalt (const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled) const { shared_ptr <Pkcs5Kdf> pkcs5Kdf = header->GetPkcs5Kdf(); @@ -281,7 +283,7 @@ namespace VeraCrypt SecureBuffer newSalt (header->GetSaltSize()); SecureBuffer newHeaderKey (VolumeHeader::GetLargestSerializedKeySize()); - shared_ptr <VolumePassword> passwordKey (Keyfile::ApplyListToPassword (keyfiles, password)); + shared_ptr <VolumePassword> passwordKey (Keyfile::ApplyListToPassword (keyfiles, password, emvSupportEnabled)); RandomNumberGenerator::GetData (newSalt); pkcs5Kdf->DeriveKey (newHeaderKey, *passwordKey, pim, newSalt); diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h index eb830ba3..e646fce3 100644 --- a/src/Core/CoreBase.h +++ b/src/Core/CoreBase.h @@ -33,8 +33,8 @@ namespace VeraCrypt public: virtual ~CoreBase (); - virtual void ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const; - virtual void ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const; + virtual void ChangePassword (shared_ptr <Volume> openVolume, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const; + virtual shared_ptr <Volume> ChangePassword (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr <Pkcs5Kdf> kdf, shared_ptr <KeyfileList> keyfiles, shared_ptr <VolumePassword> newPassword, int newPim, shared_ptr <KeyfileList> newKeyfiles, bool emvSupportEnabled, shared_ptr <Pkcs5Kdf> newPkcs5Kdf = shared_ptr <Pkcs5Kdf> (), int wipeCount = PRAND_HEADER_WIPE_PASSES) const; virtual void CheckFilesystem (shared_ptr <VolumeInfo> mountedVolume, bool repair = false) const = 0; virtual void CoalesceSlotNumberAndMountPoint (MountOptions &options) const; virtual void CreateKeyfile (const FilePath &keyfilePath) const; @@ -69,14 +69,18 @@ namespace VeraCrypt virtual bool IsVolumeMounted (const VolumePath &volumePath) const; virtual VolumeSlotNumber MountPointToSlotNumber (const DirectoryPath &mountPoint) const = 0; virtual shared_ptr <VolumeInfo> MountVolume (MountOptions &options) = 0; - virtual shared_ptr <Volume> OpenVolume (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> Kdf, bool truecryptMode, shared_ptr <KeyfileList> keyfiles, VolumeProtection::Enum protection = VolumeProtection::None, shared_ptr <VolumePassword> protectionPassword = shared_ptr <VolumePassword> (), int protectionPim = 0, shared_ptr<Pkcs5Kdf> protectionKdf = shared_ptr<Pkcs5Kdf> (), shared_ptr <KeyfileList> protectionKeyfiles = shared_ptr <KeyfileList> (), bool sharedAccessAllowed = false, VolumeType::Enum volumeType = VolumeType::Unknown, bool useBackupHeaders = false, bool partitionInSystemEncryptionScope = false) const; + virtual shared_ptr <Volume> OpenVolume (shared_ptr <VolumePath> volumePath, bool preserveTimestamps, shared_ptr <VolumePassword> password, int pim, shared_ptr<Pkcs5Kdf> Kdf, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled, VolumeProtection::Enum protection = VolumeProtection::None, shared_ptr <VolumePassword> protectionPassword = shared_ptr <VolumePassword> (), int protectionPim = 0, shared_ptr<Pkcs5Kdf> protectionKdf = shared_ptr<Pkcs5Kdf> (), shared_ptr <KeyfileList> protectionKeyfiles = shared_ptr <KeyfileList> (), bool sharedAccessAllowed = false, VolumeType::Enum volumeType = VolumeType::Unknown, bool useBackupHeaders = false, bool partitionInSystemEncryptionScope = false) const; virtual void RandomizeEncryptionAlgorithmKey (shared_ptr <EncryptionAlgorithm> encryptionAlgorithm) const; - virtual void ReEncryptVolumeHeaderWithNewSalt (const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles) const; + virtual void ReEncryptVolumeHeaderWithNewSalt (const BufferPtr &newHeaderBuffer, shared_ptr <VolumeHeader> header, shared_ptr <VolumePassword> password, int pim, shared_ptr <KeyfileList> keyfiles, bool emvSupportEnabled) const; virtual void SetAdminPasswordCallback (shared_ptr <GetStringFunctor> functor) { } virtual void SetApplicationExecutablePath (const FilePath &path) { ApplicationExecutablePath = path; } virtual void SetFileOwner (const FilesystemPath &path, const UserId &owner) const = 0; virtual DirectoryPath SlotNumberToMountPoint (VolumeSlotNumber slotNumber) const = 0; virtual void WipePasswordCache () const = 0; +#if defined(TC_LINUX ) || defined (TC_FREEBSD) + virtual void ForceUseDummySudoPassword (bool useDummySudoPassword) { UseDummySudoPassword = useDummySudoPassword;} + virtual bool GetUseDummySudoPassword () const { return UseDummySudoPassword;} +#endif Event VolumeDismountedEvent; Event VolumeMountedEvent; @@ -87,6 +91,9 @@ namespace VeraCrypt bool DeviceChangeInProgress; FilePath ApplicationExecutablePath; +#if defined(TC_LINUX ) || defined (TC_FREEBSD) + bool UseDummySudoPassword; +#endif private: CoreBase (const CoreBase &); diff --git a/src/Core/FatFormatter.cpp b/src/Core/FatFormatter.cpp index fa327837..c8115f9b 100644 --- a/src/Core/FatFormatter.cpp +++ b/src/Core/FatFormatter.cpp @@ -149,7 +149,7 @@ namespace VeraCrypt } } - static void PutBoot (fatparams * ft, byte *boot, uint32 volumeId) + static void PutBoot (fatparams * ft, uint8 *boot, uint32 volumeId) { int cnt = 0; @@ -244,7 +244,7 @@ namespace VeraCrypt /* FAT32 FSInfo */ - static void PutFSInfo (byte *sector, fatparams *ft) + static void PutFSInfo (uint8 *sector, fatparams *ft) { memset (sector, 0, ft->sector_size); sector[3] = 0x41; /* LeadSig */ @@ -294,16 +294,16 @@ namespace VeraCrypt sector.Zero(); uint32 volumeId; - RandomNumberGenerator::GetDataFast (BufferPtr ((byte *) &volumeId, sizeof (volumeId))); + RandomNumberGenerator::GetDataFast (BufferPtr ((uint8 *) &volumeId, sizeof (volumeId))); - PutBoot (ft, (byte *) sector, volumeId); + PutBoot (ft, (uint8 *) sector, volumeId); writeSector (sector); ++sectorNumber; /* fat32 boot area */ if (ft->size_fat == 32) { /* fsinfo */ - PutFSInfo((byte *) sector, ft); + PutFSInfo((uint8 *) sector, ft); writeSector (sector); ++sectorNumber; /* reserved */ @@ -317,10 +317,10 @@ namespace VeraCrypt /* bootsector backup */ sector.Zero(); - PutBoot (ft, (byte *) sector, volumeId); + PutBoot (ft, (uint8 *) sector, volumeId); writeSector (sector); ++sectorNumber; - PutFSInfo((byte *) sector, ft); + PutFSInfo((uint8 *) sector, ft); writeSector (sector); ++sectorNumber; } @@ -340,10 +340,10 @@ namespace VeraCrypt if (n == 0) { - byte fat_sig[12]; + uint8 fat_sig[12]; if (ft->size_fat == 32) { - fat_sig[0] = (byte) ft->media; + fat_sig[0] = (uint8) ft->media; fat_sig[1] = fat_sig[2] = 0xff; fat_sig[3] = 0x0f; fat_sig[4] = fat_sig[5] = fat_sig[6] = 0xff; @@ -354,7 +354,7 @@ namespace VeraCrypt } else if (ft->size_fat == 16) { - fat_sig[0] = (byte) ft->media; + fat_sig[0] = (uint8) ft->media; fat_sig[1] = 0xff; fat_sig[2] = 0xff; fat_sig[3] = 0xff; @@ -362,7 +362,7 @@ namespace VeraCrypt } else if (ft->size_fat == 12) { - fat_sig[0] = (byte) ft->media; + fat_sig[0] = (uint8) ft->media; fat_sig[1] = 0xff; fat_sig[2] = 0xff; fat_sig[3] = 0x00; diff --git a/src/Core/MountOptions.cpp b/src/Core/MountOptions.cpp index 52e12396..2f28c089 100644 --- a/src/Core/MountOptions.cpp +++ b/src/Core/MountOptions.cpp @@ -52,7 +52,6 @@ namespace VeraCrypt TC_CLONE (SharedAccessAllowed); TC_CLONE (SlotNumber); TC_CLONE (UseBackupHeaders); - TC_CLONE (TrueCryptMode); } void MountOptions::Deserialize (shared_ptr <Stream> stream) @@ -101,14 +100,12 @@ namespace VeraCrypt sr.Deserialize ("SlotNumber", SlotNumber); sr.Deserialize ("UseBackupHeaders", UseBackupHeaders); - sr.Deserialize ("TrueCryptMode", TrueCryptMode); - try { if (!sr.DeserializeBool ("KdfNull")) { sr.Deserialize ("Kdf", nameValue); - Kdf = Pkcs5Kdf::GetAlgorithm (nameValue, TrueCryptMode); + Kdf = Pkcs5Kdf::GetAlgorithm (nameValue); } } catch(...) {} @@ -118,7 +115,7 @@ namespace VeraCrypt if (!sr.DeserializeBool ("ProtectionKdfNull")) { sr.Deserialize ("ProtectionKdf", nameValue); - ProtectionKdf = Pkcs5Kdf::GetAlgorithm (nameValue, TrueCryptMode); + ProtectionKdf = Pkcs5Kdf::GetAlgorithm (nameValue); } } catch(...) {} @@ -167,8 +164,6 @@ namespace VeraCrypt sr.Serialize ("SlotNumber", SlotNumber); sr.Serialize ("UseBackupHeaders", UseBackupHeaders); - sr.Serialize ("TrueCryptMode", TrueCryptMode); - sr.Serialize ("KdfNull", Kdf == nullptr); if (Kdf) sr.Serialize ("Kdf", Kdf->GetName()); diff --git a/src/Core/MountOptions.h b/src/Core/MountOptions.h index 83a8bffc..3dcfa599 100644 --- a/src/Core/MountOptions.h +++ b/src/Core/MountOptions.h @@ -37,8 +37,7 @@ namespace VeraCrypt Removable (false), SharedAccessAllowed (false), SlotNumber (0), - UseBackupHeaders (false), - TrueCryptMode (false) + UseBackupHeaders (false) { } @@ -72,7 +71,7 @@ namespace VeraCrypt bool SharedAccessAllowed; VolumeSlotNumber SlotNumber; bool UseBackupHeaders; - bool TrueCryptMode; + bool EMVSupportEnabled; protected: void CopyFrom (const MountOptions &other); diff --git a/src/Core/RandomNumberGenerator.cpp b/src/Core/RandomNumberGenerator.cpp index fffd948a..b60b4eed 100644 --- a/src/Core/RandomNumberGenerator.cpp +++ b/src/Core/RandomNumberGenerator.cpp @@ -14,6 +14,11 @@ #include <sys/types.h> #include <errno.h> #include <fcntl.h> + +#ifndef ERESTART +#define ERESTART EINTR +#endif + #endif #include "RandomNumberGenerator.h" @@ -44,8 +49,38 @@ namespace VeraCrypt throw_sys_sub_if (random == -1, L"/dev/random"); finally_do_arg (int, random, { close (finally_arg); }); - throw_sys_sub_if (read (random, buffer, buffer.Size()) == -1 && errno != EAGAIN, L"/dev/random"); + // ensure that we have read at least 32 bytes from /dev/random before allowing it to fail gracefully + while (true) + { + int rndCount = read (random, buffer, buffer.Size()); + throw_sys_sub_if ((rndCount == -1) && errno != EAGAIN && errno != ERESTART && errno != EINTR, L"/dev/random"); + if (rndCount != -1) { + // We count returned bytes until 32-bytes threshold reached + if (DevRandomBytesCount < 32) + DevRandomBytesCount += rndCount; + break; + } + else if (DevRandomBytesCount >= 32) { + // allow /dev/random to fail gracefully since we have enough bytes + break; + } + else { + // wait 250ms before querying /dev/random again + ::usleep (250 * 1000); + } + } + AddToPool (buffer); + + /* use JitterEntropy library to get good quality random bytes based on CPU timing jitter */ + if (JitterRngCtx) + { + ssize_t rndLen = jent_read_entropy (JitterRngCtx, (char*) buffer.Ptr(), buffer.Size()); + if (rndLen > 0) + { + AddToPool (buffer); + } + } } #endif } @@ -79,7 +114,13 @@ namespace VeraCrypt ScopeLock lock (AccessMutex); size_t bufferLen = buffer.Size(), loopLen; - byte* pbBuffer = buffer.Get(); + uint8* pbBuffer = buffer.Get(); + + // Initialize JitterEntropy RNG for this call + if (0 == jent_entropy_init ()) + { + JitterRngCtx = jent_entropy_collector_alloc (1, 0); + } // Poll system for data AddSystemDataToPool (fast); @@ -127,6 +168,12 @@ namespace VeraCrypt pbBuffer += loopLen; } + + if (JitterRngCtx) + { + jent_entropy_collector_free (JitterRngCtx); + JitterRngCtx = NULL; + } } shared_ptr <Hash> RandomNumberGenerator::GetHash () @@ -138,18 +185,26 @@ namespace VeraCrypt void RandomNumberGenerator::HashMixPool () { BytesAddedSincePoolHashMix = 0; - - for (size_t poolPos = 0; poolPos < Pool.Size(); ) + size_t digestSize = PoolHash->GetDigestSize(); + size_t poolSize = Pool.Size(); + // pool size must be multiple of digest size + // this is always the case with default pool size value (320 bytes) + if (poolSize % digestSize) + throw AssertionFailed (SRC_POS); + + for (size_t poolPos = 0; poolPos < poolSize; poolPos += digestSize) { // Compute the message digest of the entire pool using the selected hash function - SecureBuffer digest (PoolHash->GetDigestSize()); + SecureBuffer digest (digestSize); + PoolHash->Init(); PoolHash->ProcessData (Pool); PoolHash->GetDigest (digest); - // Add the message digest to the pool - for (size_t digestPos = 0; digestPos < digest.Size() && poolPos < Pool.Size(); ++digestPos) + /* XOR the resultant message digest to the pool at the poolIndex position. */ + /* this matches the documentation: https://veracrypt.fr/en/Random%20Number%20Generator.html */ + for (size_t digestIndex = 0; digestIndex < digestSize; digestIndex++) { - Pool[poolPos++] += digest[digestPos]; + Pool [poolPos + digestIndex] ^= digest [digestIndex]; } } } @@ -196,30 +251,43 @@ namespace VeraCrypt EnrichedByUser = false; Running = false; + DevRandomBytesCount = 0; } void RandomNumberGenerator::Test () { shared_ptr <Hash> origPoolHash = PoolHash; - PoolHash.reset (new Ripemd160()); + #ifndef WOLFCRYPT_BACKEND + PoolHash.reset (new Blake2s()); + #else + PoolHash.reset (new Sha256()); + #endif Pool.Zero(); Buffer buffer (1); for (size_t i = 0; i < PoolSize * 10; ++i) { - buffer[0] = (byte) i; + buffer[0] = (uint8) i; AddToPool (buffer); } - if (Crc32::ProcessBuffer (Pool) != 0x2de46d17) - throw TestFailed (SRC_POS); + #ifndef WOLFCRYPT_BACKEND + if (Crc32::ProcessBuffer (Pool) != 0x9c743238) + #else + if (Crc32::ProcessBuffer (Pool) != 0xac95ac1a) + #endif + throw TestFailed (SRC_POS); buffer.Allocate (PoolSize); buffer.CopyFrom (PeekPool()); AddToPool (buffer); - if (Crc32::ProcessBuffer (Pool) != 0xcb88e019) - throw TestFailed (SRC_POS); + #ifndef WOLFCRYPT_BACKEND + if (Crc32::ProcessBuffer (Pool) != 0xd2d09c8d) + #else + if (Crc32::ProcessBuffer (Pool) != 0xb79f3c12) + #endif + throw TestFailed (SRC_POS); PoolHash = origPoolHash; } @@ -232,4 +300,6 @@ namespace VeraCrypt size_t RandomNumberGenerator::ReadOffset; bool RandomNumberGenerator::Running = false; size_t RandomNumberGenerator::WriteOffset; + struct rand_data *RandomNumberGenerator::JitterRngCtx = NULL; + int RandomNumberGenerator::DevRandomBytesCount = 0; } diff --git a/src/Core/RandomNumberGenerator.h b/src/Core/RandomNumberGenerator.h index 2d1d314a..333a8e36 100644 --- a/src/Core/RandomNumberGenerator.h +++ b/src/Core/RandomNumberGenerator.h @@ -16,6 +16,7 @@ #include "Platform/Platform.h" #include "Volume/Hash.h" #include "Common/Random.h" +#include "Crypto/jitterentropy.h" namespace VeraCrypt { @@ -53,6 +54,8 @@ namespace VeraCrypt static size_t ReadOffset; static bool Running; static size_t WriteOffset; + static struct rand_data *JitterRngCtx; + static int DevRandomBytesCount; }; } diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp index 77d55b21..6d0f05e5 100644 --- a/src/Core/Unix/CoreService.cpp +++ b/src/Core/Unix/CoreService.cpp @@ -13,6 +13,7 @@ #include "CoreService.h" #include <fcntl.h> #include <sys/wait.h> +#include <stdio.h> #include "Platform/FileStream.h" #include "Platform/MemoryStream.h" #include "Platform/Serializable.h" @@ -27,9 +28,9 @@ namespace VeraCrypt { template <class T> - auto_ptr <T> CoreService::GetResponse () + unique_ptr <T> CoreService::GetResponse () { - auto_ptr <Serializable> deserializedObject (Serializable::DeserializeNew (ServiceOutputStream)); + unique_ptr <Serializable> deserializedObject (Serializable::DeserializeNew (ServiceOutputStream)); Exception *deserializedException = dynamic_cast <Exception*> (deserializedObject.get()); if (deserializedException) @@ -38,7 +39,7 @@ namespace VeraCrypt if (dynamic_cast <T *> (deserializedObject.get()) == nullptr) throw ParameterIncorrect (SRC_POS); - return auto_ptr <T> (dynamic_cast <T *> (deserializedObject.release())); + return unique_ptr <T> (dynamic_cast <T *> (deserializedObject.release())); } void CoreService::ProcessElevatedRequests () @@ -56,7 +57,7 @@ namespace VeraCrypt // Wait for sync code while (true) { - byte b; + uint8 b; throw_sys_if (read (STDIN_FILENO, &b, 1) != 1); if (b != 0x00) continue; @@ -89,7 +90,7 @@ namespace VeraCrypt { try { - Core = CoreDirect; + Core = move_ptr(CoreDirect); shared_ptr <Stream> inputStream (new FileStream (inputFD != -1 ? inputFD : InputPipe->GetReadFD())); shared_ptr <Stream> outputStream (new FileStream (outputFD != -1 ? outputFD : OutputPipe->GetWriteFD())); @@ -277,7 +278,7 @@ namespace VeraCrypt } template <class T> - auto_ptr <T> CoreService::SendRequest (CoreServiceRequest &request) + unique_ptr <T> CoreService::SendRequest (CoreServiceRequest &request) { static Mutex mutex; ScopeLock lock (mutex); @@ -290,10 +291,56 @@ namespace VeraCrypt while (!ElevatedServiceAvailable) { + // Test if the user has an active "sudo" session. + // This is only done under Linux / FreeBSD by executing the command 'sudo -n uptime'. + // In case a "sudo" session is active, the result of the command contains the string 'load average'. + // Otherwise, the result contains "sudo: a password is required". + // This may not work on all OSX versions because of a bug in sudo in its version 1.7.10, + // therefore we keep the old behaviour of sending a 'dummy' password under OSX. + // See : https://superuser.com/questions/902826/why-does-sudo-n-on-mac-os-x-always-return-0 + // + // If for some reason we are getting empty output from pipe, we revert to old behavior + // We also use the old way if the user is forcing the use of dummy password for sudo + +#if defined(TC_LINUX ) || defined (TC_FREEBSD) + bool authCheckDone = false; + if (!Core->GetUseDummySudoPassword ()) + { + std::vector<char> buffer(128, 0); + std::string result; + + FILE* pipe = popen("sudo -n uptime 2>&1 | grep 'load average' | wc -l | tr -d '[:blank:]'", "r"); // We redirect stderr to stdout (2>&1) to be able to catch the result of the command + if (pipe) + { + while (!feof(pipe)) + { + if (fgets(buffer.data(), 128, pipe) != nullptr) + result += buffer.data(); + } + + fflush(pipe); + pclose(pipe); + pipe = NULL; + + if (!result.empty() && strlen(result.c_str()) != 0) + { + authCheckDone = true; + if (result[0] == '0') // no line found with "load average" text, rerquest admin password + (*AdminPasswordCallback) (request.AdminPassword); + } + } + + if (authCheckDone) + { + // Set to false to force the 'WarningEvent' to be raised in case of and elevation exception. + request.FastElevation = false; + } + } +#endif try { request.Serialize (ServiceInputStream); - auto_ptr <T> response (GetResponse <T>()); + unique_ptr <T> response (GetResponse <T>()); ElevatedServiceAvailable = true; return response; } @@ -306,7 +353,10 @@ namespace VeraCrypt } request.FastElevation = false; - (*AdminPasswordCallback) (request.AdminPassword); +#if defined(TC_LINUX ) || defined (TC_FREEBSD) + if(!authCheckDone) +#endif + (*AdminPasswordCallback) (request.AdminPassword); } } } @@ -342,8 +392,8 @@ namespace VeraCrypt void CoreService::StartElevated (const CoreServiceRequest &request) { - auto_ptr <Pipe> inPipe (new Pipe()); - auto_ptr <Pipe> outPipe (new Pipe()); + unique_ptr <Pipe> inPipe (new Pipe()); + unique_ptr <Pipe> outPipe (new Pipe()); Pipe errPipe; int forkedPid = fork(); @@ -396,6 +446,7 @@ namespace VeraCrypt vector <char> adminPassword (request.AdminPassword.size() + 1); int timeout = 6000; + // 'request.FastElevation' is always false under Linux / FreeBSD when "sudo -n" works properly if (request.FastElevation) { string dummyPassword = "dummy\n"; @@ -409,9 +460,12 @@ namespace VeraCrypt adminPassword[request.AdminPassword.size()] = '\n'; } +#if defined(TC_LINUX ) + Thread::Sleep (1000); // wait 1 second for the forked sudo to start +#endif if (write (inPipe->GetWriteFD(), &adminPassword.front(), adminPassword.size())) { } // Errors ignored - Memory::Erase (&adminPassword.front(), adminPassword.size()); + burn (&adminPassword.front(), adminPassword.size()); throw_sys_if (fcntl (outPipe->GetReadFD(), F_SETFL, O_NONBLOCK) == -1); throw_sys_if (fcntl (errPipe.GetReadFD(), F_SETFL, O_NONBLOCK) == -1); @@ -457,6 +511,7 @@ namespace VeraCrypt outPipe->Close(); errPipe.Close(); + // 'request.FastElevation' is always false under Linux / FreeBSD if (request.FastElevation) { // Prevent defunct process @@ -483,12 +538,12 @@ namespace VeraCrypt if (!errOutput.empty()) { - auto_ptr <Serializable> deserializedObject; + unique_ptr <Serializable> deserializedObject; Exception *deserializedException = nullptr; try { - shared_ptr <Stream> stream (new MemoryStream (ConstBufferPtr ((byte *) &errOutput[0], errOutput.size()))); + shared_ptr <Stream> stream (new MemoryStream (ConstBufferPtr ((uint8 *) &errOutput[0], errOutput.size()))); deserializedObject.reset (Serializable::DeserializeNew (stream)); deserializedException = dynamic_cast <Exception*> (deserializedObject.get()); } @@ -520,11 +575,11 @@ namespace VeraCrypt ServiceOutputStream = shared_ptr <Stream> (new FileStream (outPipe->GetReadFD())); // Send sync code - byte sync[] = { 0, 0x11, 0x22 }; + uint8 sync[] = { 0, 0x11, 0x22 }; ServiceInputStream->Write (ConstBufferPtr (sync, array_capacity (sync))); - AdminInputPipe = inPipe; - AdminOutputPipe = outPipe; + AdminInputPipe = move_ptr(inPipe); + AdminOutputPipe = move_ptr(outPipe); } void CoreService::Stop () @@ -535,11 +590,11 @@ namespace VeraCrypt shared_ptr <GetStringFunctor> CoreService::AdminPasswordCallback; - auto_ptr <Pipe> CoreService::AdminInputPipe; - auto_ptr <Pipe> CoreService::AdminOutputPipe; + unique_ptr <Pipe> CoreService::AdminInputPipe; + unique_ptr <Pipe> CoreService::AdminOutputPipe; - auto_ptr <Pipe> CoreService::InputPipe; - auto_ptr <Pipe> CoreService::OutputPipe; + unique_ptr <Pipe> CoreService::InputPipe; + unique_ptr <Pipe> CoreService::OutputPipe; shared_ptr <Stream> CoreService::ServiceInputStream; shared_ptr <Stream> CoreService::ServiceOutputStream; diff --git a/src/Core/Unix/CoreService.h b/src/Core/Unix/CoreService.h index e25b856a..dfb8b350 100644 --- a/src/Core/Unix/CoreService.h +++ b/src/Core/Unix/CoreService.h @@ -39,17 +39,17 @@ namespace VeraCrypt static void Stop (); protected: - template <class T> static auto_ptr <T> GetResponse (); - template <class T> static auto_ptr <T> SendRequest (CoreServiceRequest &request); + template <class T> static unique_ptr <T> GetResponse (); + template <class T> static unique_ptr <T> SendRequest (CoreServiceRequest &request); static void StartElevated (const CoreServiceRequest &request); static shared_ptr <GetStringFunctor> AdminPasswordCallback; - static auto_ptr <Pipe> AdminInputPipe; - static auto_ptr <Pipe> AdminOutputPipe; + static unique_ptr <Pipe> AdminInputPipe; + static unique_ptr <Pipe> AdminOutputPipe; - static auto_ptr <Pipe> InputPipe; - static auto_ptr <Pipe> OutputPipe; + static unique_ptr <Pipe> InputPipe; + static unique_ptr <Pipe> OutputPipe; static shared_ptr <Stream> ServiceInputStream; static shared_ptr <Stream> ServiceOutputStream; diff --git a/src/Core/Unix/CoreServiceProxy.h b/src/Core/Unix/CoreServiceProxy.h index f5bbae3d..d57d8163 100644 --- a/src/Core/Unix/CoreServiceProxy.h +++ b/src/Core/Unix/CoreServiceProxy.h @@ -98,11 +98,11 @@ namespace VeraCrypt { MountOptions newOptions = options; - newOptions.Password = Keyfile::ApplyListToPassword (options.Keyfiles, options.Password); + newOptions.Password = Keyfile::ApplyListToPassword (options.Keyfiles, options.Password, options.EMVSupportEnabled); if (newOptions.Keyfiles) newOptions.Keyfiles->clear(); - newOptions.ProtectionPassword = Keyfile::ApplyListToPassword (options.ProtectionKeyfiles, options.ProtectionPassword); + newOptions.ProtectionPassword = Keyfile::ApplyListToPassword (options.ProtectionKeyfiles, options.ProtectionPassword, options.EMVSupportEnabled); if (newOptions.ProtectionKeyfiles) newOptions.ProtectionKeyfiles->clear(); @@ -126,7 +126,7 @@ namespace VeraCrypt if (options.CachePassword && ((options.Password && !options.Password->IsEmpty()) || (options.Keyfiles && !options.Keyfiles->empty()))) { - VolumePasswordCache::Store (*Keyfile::ApplyListToPassword (options.Keyfiles, options.Password)); + VolumePasswordCache::Store (*Keyfile::ApplyListToPassword (options.Keyfiles, options.Password, options.EMVSupportEnabled)); } } diff --git a/src/Core/Unix/CoreUnix.cpp b/src/Core/Unix/CoreUnix.cpp index 0fc69eec..1868eb6d 100644 --- a/src/Core/Unix/CoreUnix.cpp +++ b/src/Core/Unix/CoreUnix.cpp @@ -24,6 +24,11 @@ namespace VeraCrypt { +#ifdef TC_LINUX + static string GetTmpUser (); + static bool SamePath (const string& path1, const string& path2); +#endif + CoreUnix::CoreUnix () { signal (SIGPIPE, SIG_IGN); @@ -73,10 +78,8 @@ namespace VeraCrypt if (stat("/usr/bin/konsole", &sb) == 0) { args.clear (); - args.push_back ("--title"); - args.push_back ("fsck"); - args.push_back ("--caption"); - args.push_back ("fsck"); + args.push_back ("-p"); + args.push_back ("tabtitle=fsck"); args.push_back ("-e"); args.push_back ("sh"); args.push_back ("-c"); @@ -86,8 +89,22 @@ namespace VeraCrypt Process::Execute ("konsole", args, 1000); } catch (TimeOut&) { } } + else if (stat("/usr/bin/gnome-terminal", &sb) == 0 && stat("/usr/bin/dbus-launch", &sb) == 0) + { + args.clear (); + args.push_back ("--title"); + args.push_back ("fsck"); + args.push_back ("--"); + args.push_back ("sh"); + args.push_back ("-c"); + args.push_back (xargs); + try + { + Process::Execute ("gnome-terminal", args, 1000); + } catch (TimeOut&) { } + } else - throw; + throw TerminalNotFound(); } #endif } @@ -224,7 +241,7 @@ namespace VeraCrypt device.SeekAt (0); device.ReadCompleteBuffer (bootSector); - byte *b = bootSector.Ptr(); + uint8 *b = bootSector.Ptr(); return memcmp (b + 3, "NTFS", 4) != 0 && memcmp (b + 54, "FAT", 3) != 0 @@ -286,17 +303,45 @@ namespace VeraCrypt continue; shared_ptr <VolumeInfo> mountedVol; - try + // Introduce a retry mechanism with a timeout for control file access + // This workaround is limited to FUSE-T mounted volume under macOS for + // which md.Device starts with "fuse-t:" +#ifdef VC_MACOSX_FUSET + bool isFuseT = wstring(mf.Device).find(L"fuse-t:") == 0; + int controlFileRetries = 10; // 10 retries with 500ms sleep each, total 5 seconds + while (!mountedVol && (controlFileRetries-- > 0)) +#endif { - shared_ptr <File> controlFile (new File); - controlFile->Open (string (mf.MountPoint) + FuseService::GetControlPath()); + try + { + shared_ptr <File> controlFile (new File); + controlFile->Open (string (mf.MountPoint) + FuseService::GetControlPath()); - shared_ptr <Stream> controlFileStream (new FileStream (controlFile)); - mountedVol = Serializable::DeserializeNew <VolumeInfo> (controlFileStream); + shared_ptr <Stream> controlFileStream (new FileStream (controlFile)); + mountedVol = Serializable::DeserializeNew <VolumeInfo> (controlFileStream); + } + catch (const std::exception& e) + { +#ifdef VC_MACOSX_FUSET + // if exception starts with "VeraCrypt::Serializer::ValidateName", then + // serialization is not ready yet and we need to wait before retrying + // this happens when FUSE-T is used under macOS and if it is the first time + // the volume is mounted + if (isFuseT && string (e.what()).find ("VeraCrypt::Serializer::ValidateName") != string::npos) + { + Thread::Sleep(500); // Wait before retrying + } + else + { + break; // Control file not found or other error + } +#endif + } } - catch (...) + + if (!mountedVol) { - continue; + continue; // Skip to the next mounted filesystem } if (!volumePath.IsEmpty() && wstring (mountedVol->Path).compare (volumePath) != 0) @@ -355,10 +400,99 @@ namespace VeraCrypt string CoreUnix::GetTempDirectory () const { - char *envDir = getenv ("TMPDIR"); - return envDir ? envDir : "/tmp"; + const char *tmpdir = getenv ("TMPDIR"); + string envDir = tmpdir ? tmpdir : "/tmp"; + +#ifdef TC_LINUX + /* + * If pam_tmpdir.so is in use, a different temporary directory is + * allocated for each user ID. We need to mount to the directory used + * by the non-root user. + */ + if (getuid () == 0 && envDir.size () >= 2 + && envDir.substr (envDir.size () - 2) == "/0") { + string tmpuser = GetTmpUser (); + if (SamePath (envDir, tmpuser + "/0")) { + /* Substitute the sudo'ing user for 0 */ + char uid[40]; + FILE *fp = fopen ("/proc/self/loginuid", "r"); + if (fp != NULL) { + if (fgets (uid, sizeof (uid), fp) != nullptr) { + envDir = tmpuser + "/" + uid; + } + fclose (fp); + } + } + } +#endif + + return envDir; + } + +#ifdef TC_LINUX + static string GetTmpUser () + { + string tmpuser = "/tmp/user"; + FILE *fp = fopen ("/etc/security/tmpdir.conf", "r"); + if (fp == NULL) { + return tmpuser; + } + while (true) { + /* Parses the same way as pam_tmpdir */ + char line[1024]; + if (fgets (line, sizeof (line), fp) == nullptr) { + break; + } + if (line[0] == '#') { + continue; + } + size_t len = strlen (line); + if (len > 0 && line[len-1] == '\n') { + line[len-1] = '\0'; + } + char *eq = strchr (line, '='); + if (eq == nullptr) { + continue; + } + *eq = '\0'; + const char *key = line; + const char *value = eq + 1; + if (strcmp (key, "tmpdir") == 0) { + tmpuser = value; + break; + } + } + fclose (fp); + return tmpuser; } + static bool SamePath (const string& path1, const string& path2) + { + size_t i1 = 0; + size_t i2 = 0; + while (i1 < path1.size () && i2 < path2.size ()) { + if (path1[i1] != path2[i2]) { + return false; + } + /* Any two substrings consisting entirely of slashes compare equal */ + if (path1[i1] == '/') { + while (i1 < path1.size () && path1[i1] == '/') { + ++i1; + } + while (i2 < path2.size () && path2[i2] == '/') { + ++i2; + } + } + else + { + ++i1; + ++i2; + } + } + return (i1 == path1.size () && i2 == path2.size ()); + } +#endif + bool CoreUnix::IsMountPointAvailable (const DirectoryPath &mountPoint) const { return GetMountedFilesystems (DevicePath(), mountPoint).size() == 0; @@ -440,8 +574,8 @@ namespace VeraCrypt options.Password, options.Pim, options.Kdf, - options.TrueCryptMode, options.Keyfiles, + options.EMVSupportEnabled, options.Protection, options.ProtectionPassword, options.ProtectionPim, @@ -465,6 +599,7 @@ namespace VeraCrypt continue; } + options.Password.reset(); throw; } @@ -473,19 +608,10 @@ namespace VeraCrypt if (options.Path->IsDevice()) { - if (volume->GetFile()->GetDeviceSectorSize() != volume->GetSectorSize()) - throw ParameterIncorrect (SRC_POS); - -#if defined (TC_LINUX) - if (volume->GetSectorSize() != TC_SECTOR_SIZE_LEGACY) - { - if (options.Protection == VolumeProtection::HiddenVolumeReadOnly) - throw UnsupportedSectorSizeHiddenVolumeProtection(); - - if (options.NoKernelCrypto) - throw UnsupportedSectorSizeNoKernelCrypto(); - } -#endif + const uint32 devSectorSize = volume->GetFile()->GetDeviceSectorSize(); + const size_t volSectorSize = volume->GetSectorSize(); + if (devSectorSize != volSectorSize) + throw DeviceSectorSizeMismatch (SRC_POS, StringConverter::ToWide(devSectorSize) + L" != " + StringConverter::ToWide((uint32) volSectorSize)); } // Find a free mount point for FUSE service @@ -593,7 +719,7 @@ namespace VeraCrypt { try { - chown (mountPoint.c_str(), GetRealUserId(), GetRealGroupId()); + throw_sys_sub_if (chown (mountPoint.c_str(), GetRealUserId(), GetRealGroupId()) == -1, mountPoint); } catch (...) { } } } diff --git a/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp b/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp index ff3e04bc..05520274 100644 --- a/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp +++ b/src/Core/Unix/FreeBSD/CoreFreeBSD.cpp @@ -83,7 +83,7 @@ namespace VeraCrypt #ifdef TC_MACOSX const string busType = "rdisk"; #else - foreach (const string &busType, StringConverter::Split ("ad da")) + foreach (const string &busType, StringConverter::Split ("ad da vtbd")) #endif { for (int devNumber = 0; devNumber < 64; devNumber++) @@ -185,10 +185,51 @@ namespace VeraCrypt void CoreFreeBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const { + std::string chosenFilesystem = "msdos"; + std::string modifiedMountOptions = systemMountOptions; + + if (filesystemType.empty() && modifiedMountOptions.find("mountprog") == string::npos) { + // No filesystem type specified through CLI, attempt to identify with blkid + // as mount is unable to probe filesystem type on BSD + // Make sure we don't override user defined mountprog + std::vector<char> buffer(128,0); + std::string cmd = "blkid -o value -s TYPE " + static_cast<std::string>(devicePath) + " 2>/dev/null"; + std::string result; + + FILE* pipe = popen(cmd.c_str(), "r"); + if (pipe) { + while (!feof(pipe)) { + if (fgets(buffer.data(), 128, pipe) != nullptr) + result += buffer.data(); + } + fflush(pipe); + pclose(pipe); + pipe = nullptr; + } + + if (result.find("ext") == 0 || StringConverter::ToLower(filesystemType).find("ext") == 0) { + chosenFilesystem = "ext2fs"; + } + else if (result.find("exfat") == 0 || StringConverter::ToLower(filesystemType) == "exfat") { + chosenFilesystem = "exfat"; + modifiedMountOptions += string(!systemMountOptions.empty() ? "," : "") + + "mountprog=/usr/local/sbin/mount.exfat"; + } + else if (result.find("ntfs") == 0 || StringConverter::ToLower(filesystemType) == "ntfs") { + chosenFilesystem = "ntfs"; + modifiedMountOptions += string(!systemMountOptions.empty() ? "," : "") + + "mountprog=/usr/local/bin/ntfs-3g"; + } + else if (!filesystemType.empty()) { + // Filesystem is specified but is none of the above, then supply as is + chosenFilesystem = filesystemType; + } + } else + chosenFilesystem = filesystemType; + try { - // Try to mount FAT by default as mount is unable to probe filesystem type on BSD - CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType.empty() ? "msdos" : filesystemType, readOnly, systemMountOptions); + CoreUnix::MountFilesystem (devicePath, mountPoint, chosenFilesystem, readOnly, modifiedMountOptions); } catch (ExecutedProcessFailed&) { @@ -200,7 +241,7 @@ namespace VeraCrypt } #ifdef TC_FREEBSD - auto_ptr <CoreBase> Core (new CoreServiceProxy <CoreFreeBSD>); - auto_ptr <CoreBase> CoreDirect (new CoreFreeBSD); + unique_ptr <CoreBase> Core (new CoreServiceProxy <CoreFreeBSD>); + unique_ptr <CoreBase> CoreDirect (new CoreFreeBSD); #endif } diff --git a/src/Core/Unix/Linux/CoreLinux.cpp b/src/Core/Unix/Linux/CoreLinux.cpp index 0840d243..cd4be80f 100644 --- a/src/Core/Unix/Linux/CoreLinux.cpp +++ b/src/Core/Unix/Linux/CoreLinux.cpp @@ -22,6 +22,9 @@ #include "Platform/SystemInfo.h" #include "Platform/TextReader.h" #include "Volume/EncryptionModeXTS.h" +#ifdef WOLFCRYPT_BACKEND +#include "Volume/EncryptionModeWolfCryptXTS.h" +#endif #include "Driver/Fuse/FuseService.h" #include "Core/Unix/CoreServiceProxy.h" @@ -302,13 +305,22 @@ namespace VeraCrypt void CoreLinux::MountVolumeNative (shared_ptr <Volume> volume, MountOptions &options, const DirectoryPath &auxMountPoint) const { - bool xts = (typeid (*volume->GetEncryptionMode()) == typeid (EncryptionModeXTS)); - bool algoNotSupported = (typeid (*volume->GetEncryptionAlgorithm()) == typeid (GOST89)) - || (typeid (*volume->GetEncryptionAlgorithm()) == typeid (Kuznyechik)); + bool xts = (typeid (*volume->GetEncryptionMode()) == + #ifdef WOLFCRYPT_BACKEND + typeid (EncryptionModeWolfCryptXTS)); + #else + typeid (EncryptionModeXTS)); + #endif + bool algoNotSupported = (typeid (*volume->GetEncryptionAlgorithm()) == typeid (Kuznyechik)) + || (typeid (*volume->GetEncryptionAlgorithm()) == typeid (CamelliaKuznyechik)) + || (typeid (*volume->GetEncryptionAlgorithm()) == typeid (KuznyechikTwofish)) + || (typeid (*volume->GetEncryptionAlgorithm()) == typeid (KuznyechikAES)) + || (typeid (*volume->GetEncryptionAlgorithm()) == typeid (KuznyechikSerpentCamellia)); if (options.NoKernelCrypto || !xts || algoNotSupported + || volume->IsEncryptionNotCompleted () || volume->GetProtectionType() == VolumeProtection::HiddenVolumeReadOnly) { throw NotApplicable (SRC_POS); @@ -374,7 +386,7 @@ namespace VeraCrypt dmCreateArgs << nativeDevPath << " 0"; SecureBuffer dmCreateArgsBuf (dmCreateArgs.str().size()); - dmCreateArgsBuf.CopyFrom (ConstBufferPtr ((byte *) dmCreateArgs.str().c_str(), dmCreateArgs.str().size())); + dmCreateArgsBuf.CopyFrom (ConstBufferPtr ((uint8 *) dmCreateArgs.str().c_str(), dmCreateArgs.str().size())); // Keys const SecureBuffer &cipherKey = cipher.GetKey(); @@ -484,6 +496,6 @@ namespace VeraCrypt } } - auto_ptr <CoreBase> Core (new CoreServiceProxy <CoreLinux>); - auto_ptr <CoreBase> CoreDirect (new CoreLinux); + unique_ptr <CoreBase> Core (new CoreServiceProxy <CoreLinux>); + unique_ptr <CoreBase> CoreDirect (new CoreLinux); } diff --git a/src/Core/Unix/MacOSX/CoreMacOSX.cpp b/src/Core/Unix/MacOSX/CoreMacOSX.cpp index 251e4c65..cfd34072 100644 --- a/src/Core/Unix/MacOSX/CoreMacOSX.cpp +++ b/src/Core/Unix/MacOSX/CoreMacOSX.cpp @@ -107,12 +107,19 @@ namespace VeraCrypt void CoreMacOSX::CheckFilesystem (shared_ptr <VolumeInfo> mountedVolume, bool repair) const { list <string> args; - args.push_back ("/Applications/Utilities/Disk Utility.app"); + struct stat sb; + + if (stat("/Applications/Utilities/Disk Utility.app", &sb) == 0) + args.push_back ("/Applications/Utilities/Disk Utility.app"); + else + args.push_back ("/System/Applications/Utilities/Disk Utility.app"); + Process::Execute ("open", args); } void CoreMacOSX::MountAuxVolumeImage (const DirectoryPath &auxMountPoint, const MountOptions &options) const { +#ifndef VC_MACOSX_FUSET // Check FUSE version char fuseVersionString[MAXHOSTNAMELEN + 1] = { 0 }; size_t fuseVersionStringLength = MAXHOSTNAMELEN; @@ -123,13 +130,17 @@ namespace VeraCrypt fuseVersionStringLength = MAXHOSTNAMELEN; if ((status = sysctlbyname ("vfs.generic.osxfuse.version.number", fuseVersionString, &fuseVersionStringLength, NULL, 0)) != 0) { - throw HigherFuseVersionRequired (SRC_POS); + fuseVersionStringLength = MAXHOSTNAMELEN; + if ((status = sysctlbyname ("vfs.generic.macfuse.version.number", fuseVersionString, &fuseVersionStringLength, NULL, 0)) != 0) + { + throw HigherFuseVersionRequired (SRC_POS); + } } } // look for OSXFuse dynamic library struct stat sb; - if (0 != stat("/usr/local/lib/libosxfuse_i64.2.dylib", &sb)) + if (0 != stat("/usr/local/lib/libosxfuse_i64.2.dylib", &sb) && 0 != stat("/usr/local/lib/libfuse.dylib", &sb)) { throw HigherFuseVersionRequired (SRC_POS); } @@ -143,7 +154,7 @@ namespace VeraCrypt if (fuseVersionMajor < 2 || (fuseVersionMajor == 2 && fuseVersionMinor < 5)) throw HigherFuseVersionRequired (SRC_POS); - +#endif // Mount volume image string volImage = string (auxMountPoint) + FuseService::GetVolumeImagePath(); @@ -229,6 +240,6 @@ namespace VeraCrypt } } - auto_ptr <CoreBase> Core (new CoreServiceProxy <CoreMacOSX>); - auto_ptr <CoreBase> CoreDirect (new CoreMacOSX); + unique_ptr <CoreBase> Core (new CoreServiceProxy <CoreMacOSX>); + unique_ptr <CoreBase> CoreDirect (new CoreMacOSX); } diff --git a/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp b/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp new file mode 100644 index 00000000..3064103b --- /dev/null +++ b/src/Core/Unix/OpenBSD/CoreOpenBSD.cpp @@ -0,0 +1,164 @@ +/* $OpenBSD$ */ +/* + Based on FreeBSD/CoreFreeBSD.cpp + + Derived from source code of TrueCrypt 7.1a, which is + Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed + by the TrueCrypt License 3.0. + + Modifications and additions to the original source code (contained in this file) + and all other portions of this file are Copyright (c) 2013-2017 IDRIX + and are governed by the Apache License 2.0 the full text of which is + contained in the file License.txt included in VeraCrypt binary and source + code distribution packages. +*/ + +#include <fstream> +#include <iostream> +#include <stdio.h> +#include <unistd.h> +#include <sys/param.h> +#include <sys/ucred.h> +#include <sys/mount.h> +#include <sys/wait.h> +#include "CoreOpenBSD.h" +#include "Core/Unix/CoreServiceProxy.h" + +namespace VeraCrypt +{ + CoreOpenBSD::CoreOpenBSD () + { + } + + CoreOpenBSD::~CoreOpenBSD () + { + } + + DevicePath CoreOpenBSD::AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const + { + list <string> args; + + if (readOnly) + { + throw; + } + + // find an available vnd + int freeVnd = -1; + for (int vnd = 0; vnd <= 3; vnd++) + { + stringstream devPath; + devPath << "/dev/vnd" << vnd << "c"; + + if (FilesystemPath (devPath.str()).IsBlockDevice() || FilesystemPath (devPath.str()).IsCharacterDevice()) + { + make_shared_auto (HostDevice, device); + device->Path = devPath.str(); + try + { + GetDeviceSize (device->Path); + } + catch (...) + { + freeVnd = vnd; + break; + } + } + } + + if (freeVnd == -1) + throw "couldn't find free vnd"; + + stringstream freePath; + freePath << "vnd" << freeVnd; + args.push_back (freePath.str()); + + args.push_back (filePath); + + Process::Execute ("vnconfig", args); + + return "/dev/" + freePath.str() + "c"; + } + + void CoreOpenBSD::DetachLoopDevice (const DevicePath &devicePath) const + { + list <string> args; + args.push_back ("-u"); + args.push_back (devicePath); + + for (int t = 0; true; t++) + { + try + { + Process::Execute ("vnconfig", args); + break; + } + catch (ExecutedProcessFailed&) + { + if (t > 5) + throw; + Thread::Sleep (200); + } + } + } + + // not sure what this is used for + HostDeviceList CoreOpenBSD::GetHostDevices (bool pathListOnly) const + { + throw; + } + + MountedFilesystemList CoreOpenBSD::GetMountedFilesystems (const DevicePath &devicePath, const DirectoryPath &mountPoint) const + { + + static Mutex mutex; + ScopeLock sl (mutex); + + struct statfs *sysMountList; + int count = getmntinfo (&sysMountList, MNT_NOWAIT); + throw_sys_if (count == 0); + + MountedFilesystemList mountedFilesystems; + + for (int i = 0; i < count; i++) + { + make_shared_auto (MountedFilesystem, mf); + + if (sysMountList[i].f_mntfromname[0]) + mf->Device = DevicePath (sysMountList[i].f_mntfromname); + else + continue; + + if (sysMountList[i].f_mntonname[0]) + mf->MountPoint = DirectoryPath (sysMountList[i].f_mntonname); + + mf->Type = sysMountList[i].f_fstypename; + + if ((devicePath.IsEmpty() || devicePath == mf->Device) && (mountPoint.IsEmpty() || mountPoint == mf->MountPoint)) + mountedFilesystems.push_back (mf); + } + + return mountedFilesystems; + } + + void CoreOpenBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const + { + try + { + // Try to mount FAT by default as mount is unable to probe filesystem type on BSD + CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType.empty() ? "msdos" : filesystemType, readOnly, systemMountOptions); + } + catch (ExecutedProcessFailed&) + { + if (!filesystemType.empty()) + throw; + + CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType, readOnly, systemMountOptions); + } + } + +#ifdef TC_OPENBSD + unique_ptr <CoreBase> Core (new CoreServiceProxy <CoreOpenBSD>); + unique_ptr <CoreBase> CoreDirect (new CoreOpenBSD); +#endif +} diff --git a/src/Core/Unix/OpenBSD/CoreOpenBSD.h b/src/Core/Unix/OpenBSD/CoreOpenBSD.h new file mode 100644 index 00000000..3f6c48b5 --- /dev/null +++ b/src/Core/Unix/OpenBSD/CoreOpenBSD.h @@ -0,0 +1,44 @@ +/* $OpenBSD$ */ +/* + Based on FreeBSD/CoreFreeBSD.h + + Derived from source code of TrueCrypt 7.1a, which is + Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed + by the TrueCrypt License 3.0. + + Modifications and additions to the original source code (contained in this file) + and all other portions of this file are Copyright (c) 2013-2017 IDRIX + and are governed by the Apache License 2.0 the full text of which is + contained in the file License.txt included in VeraCrypt binary and source + code distribution packages. +*/ + +#ifndef TC_HEADER_Core_CoreOpenBSD +#define TC_HEADER_Core_CoreOpenBSD + +#include "System.h" +#include "Core/Unix/CoreUnix.h" + +namespace VeraCrypt +{ + class CoreOpenBSD : public CoreUnix + { + public: + CoreOpenBSD (); + virtual ~CoreOpenBSD (); + + virtual HostDeviceList GetHostDevices (bool pathListOnly = false) const; + + protected: + virtual DevicePath AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const; + virtual void DetachLoopDevice (const DevicePath &devicePath) const; + virtual MountedFilesystemList GetMountedFilesystems (const DevicePath &devicePath = DevicePath(), const DirectoryPath &mountPoint = DirectoryPath()) const; + virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const; + + private: + CoreOpenBSD (const CoreOpenBSD &); + CoreOpenBSD &operator= (const CoreOpenBSD &); + }; +} + +#endif // TC_HEADER_Core_CoreOpenBSD diff --git a/src/Core/Unix/OpenBSD/System.h b/src/Core/Unix/OpenBSD/System.h new file mode 100644 index 00000000..90b24b2a --- /dev/null +++ b/src/Core/Unix/OpenBSD/System.h @@ -0,0 +1,19 @@ +/* $OpenBSD$ */ +/* + Based on FreeBSD/System.h + + Derived from source code of TrueCrypt 7.1a, which is + Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed + by the TrueCrypt License 3.0. + + Modifications and additions to the original source code (contained in this file) + and all other portions of this file are Copyright (c) 2013-2017 IDRIX + and are governed by the Apache License 2.0 the full text of which is + contained in the file License.txt included in VeraCrypt binary and source + code distribution packages. +*/ + +#ifndef TC_HEADER_Platform_OpenBSD_System +#define TC_HEADER_Platform_OpenBSD_System + +#endif // TC_HEADER_Platform_OpenBSD_System diff --git a/src/Core/Unix/Solaris/CoreSolaris.cpp b/src/Core/Unix/Solaris/CoreSolaris.cpp index 5705e1c6..15a79c49 100644 --- a/src/Core/Unix/Solaris/CoreSolaris.cpp +++ b/src/Core/Unix/Solaris/CoreSolaris.cpp @@ -173,6 +173,6 @@ namespace VeraCrypt } } - auto_ptr <CoreBase> Core (new CoreServiceProxy <CoreSolaris>); - auto_ptr <CoreBase> CoreDirect (new CoreSolaris); + unique_ptr <CoreBase> Core (new CoreServiceProxy <CoreSolaris>); + unique_ptr <CoreBase> CoreDirect (new CoreSolaris); } diff --git a/src/Core/VolumeCreator.cpp b/src/Core/VolumeCreator.cpp index 1cc45b27..fefbddde 100644 --- a/src/Core/VolumeCreator.cpp +++ b/src/Core/VolumeCreator.cpp @@ -12,6 +12,9 @@ #include "Volume/EncryptionTest.h" #include "Volume/EncryptionModeXTS.h" +#ifdef WOLFCRYPT_BACKEND +#include "Volume/EncryptionModeWolfCryptXTS.h" +#endif #include "Core.h" #ifdef TC_UNIX @@ -298,6 +301,11 @@ namespace VeraCrypt // Master data key MasterKey.Allocate (options->EA->GetKeySize() * 2); RandomNumberGenerator::GetData (MasterKey); + // check that first half of MasterKey is different from its second half. If they are the same, through an exception + // cf CCSS,NSA comment at page 3: https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf + if (memcmp (MasterKey.Ptr(), MasterKey.Ptr() + MasterKey.Size() / 2, MasterKey.Size() / 2) == 0) + throw AssertionFailed (SRC_POS); + headerOptions.DataKey = MasterKey; // PKCS5 salt @@ -307,7 +315,7 @@ namespace VeraCrypt // Header key HeaderKey.Allocate (VolumeHeader::GetLargestSerializedKeySize()); - PasswordKey = Keyfile::ApplyListToPassword (options->Keyfiles, options->Password); + PasswordKey = Keyfile::ApplyListToPassword (options->Keyfiles, options->Password, options->EMVSupportEnabled); options->VolumeHeaderKdf->DeriveKey (HeaderKey, *PasswordKey, options->Pim, salt); headerOptions.HeaderKey = HeaderKey; @@ -355,8 +363,13 @@ namespace VeraCrypt // Data area keys options->EA->SetKey (MasterKey.GetRange (0, options->EA->GetKeySize())); - shared_ptr <EncryptionMode> mode (new EncryptionModeXTS ()); - mode->SetKey (MasterKey.GetRange (options->EA->GetKeySize(), options->EA->GetKeySize())); + #ifdef WOLFCRYPT_BACKEND + shared_ptr <EncryptionMode> mode (new EncryptionModeWolfCryptXTS ()); + options->EA->SetKeyXTS (MasterKey.GetRange (options->EA->GetKeySize(), options->EA->GetKeySize())); + #else + shared_ptr <EncryptionMode> mode (new EncryptionModeXTS ()); + #endif + mode->SetKey (MasterKey.GetRange (options->EA->GetKeySize(), options->EA->GetKeySize())); options->EA->SetMode (mode); Options = options; diff --git a/src/Core/VolumeCreator.h b/src/Core/VolumeCreator.h index 4f56308f..781354b9 100644 --- a/src/Core/VolumeCreator.h +++ b/src/Core/VolumeCreator.h @@ -16,6 +16,13 @@ #include "Platform/Platform.h" #include "Volume/Volume.h" #include "RandomNumberGenerator.h" +#if defined (TC_LINUX) +#include "Platform/Unix/Process.h" +#include <errno.h> +#endif + +#define VC_MIN_LARGE_BTRFS_VOLUME_SIZE 114294784ULL +#define VC_MIN_SMALL_BTRFS_VOLUME_SIZE 16777216ULL namespace VeraCrypt { @@ -31,6 +38,7 @@ namespace VeraCrypt shared_ptr <Pkcs5Kdf> VolumeHeaderKdf; shared_ptr <EncryptionAlgorithm> EA; bool Quick; + bool EMVSupportEnabled; struct FilesystemType { @@ -44,7 +52,9 @@ namespace VeraCrypt Ext2, Ext3, Ext4, + Btrfs, MacOsExt, + APFS, UFS }; @@ -62,6 +72,67 @@ namespace VeraCrypt return VolumeCreationOptions::FilesystemType::FAT; #endif } + + static const char* GetFsFormatter (VolumeCreationOptions::FilesystemType::Enum fsType) + { + switch (fsType) + { + #if defined (TC_LINUX) + case VolumeCreationOptions::FilesystemType::Ext2: return "mkfs.ext2"; + case VolumeCreationOptions::FilesystemType::Ext3: return "mkfs.ext3"; + case VolumeCreationOptions::FilesystemType::Ext4: return "mkfs.ext4"; + case VolumeCreationOptions::FilesystemType::NTFS: return "mkfs.ntfs"; + case VolumeCreationOptions::FilesystemType::exFAT: return "mkfs.exfat"; + case VolumeCreationOptions::FilesystemType::Btrfs: return "mkfs.btrfs"; + #elif defined (TC_MACOSX) + case VolumeCreationOptions::FilesystemType::MacOsExt: return "newfs_hfs"; + case VolumeCreationOptions::FilesystemType::exFAT: return "newfs_exfat"; + case VolumeCreationOptions::FilesystemType::APFS: return "newfs_apfs"; + #elif defined (TC_FREEBSD) || defined (TC_SOLARIS) + case VolumeCreationOptions::FilesystemType::UFS: return "newfs" ; + #endif + default: return NULL; + } + } + + static bool IsFsFormatterPresent (VolumeCreationOptions::FilesystemType::Enum fsType) + { + bool bRet = false; + const char* fsFormatter = GetFsFormatter (fsType); + if (fsFormatter) + { +#if defined (TC_LINUX) + try + { + list <string> args; + + args.push_back ("-V"); + Process::Execute (fsFormatter, args); + + bRet = true; + } + catch (ExecutedProcessFailed& epe) + { + // only permission error is accepted in case of failure of the command + if (epe.GetExitCode () == EPERM || epe.GetExitCode () == EACCES) + bRet = true; + } + catch (SystemException& se) + { + // if a permission error occured, then we consider that the command exists + if (se.GetErrorCode () == EPERM || se.GetErrorCode () == EACCES) + bRet = true; + } + catch (exception &e) + { + } +#else + bRet = true; +#endif + } + + return bRet; + } }; FilesystemType::Enum Filesystem; |