#define VC_IOCTL_ENCRYPTION_QUEUE_PARAMS TC_IOCTL (43)

// Undocumented IOCTL sent by Windows 10 when handling EFS data on volumes

#define IOCTL_UNKNOWN_WINDOWS10_EFS_ACCESS 0x455610D8

BOOL RecoveryMode;

int pkcs5_prf;

int ProtectedHidVolPkcs5Prf;

uint32 BytesPerPhysicalSector;

int VolumePim;

int ProtectedHidVolPim;

unsigned __int64 diskLength[26];

int ea[26];

int volumeType[26]; /* Volume type (e.g. PROP_VOL_TYPE_OUTER, PROP_VOL_TYPE_OUTER_VOL_WRITE_PREVENTED, etc.) */

} MOUNT_LIST_STRUCT;

typedef struct

// Initial rescue disk assumes encryption of the drive has been completed (EncryptedAreaLength == volumeSize)

memcpy (RescueVolumeHeader, VolumeHeader, sizeof (RescueVolumeHeader));

throw ParameterIncorrect (SRC_POS);

DecryptBuffer (RescueVolumeHeader + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);

PCRYPTO_INFO cryptoInfo = NULL;

finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });

if (status != 0)

#endif

{

int nReturnCode = ERR_PASSWORD_WRONG;

int i, effectivePim;

/* Attempt to recognize volume using mount password */

if (password->Length > 0)

{

/* Save mount passwords back into cache if asked to do so */

if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))

#endif

if ((pCurrentPassword->Length > 0) && (pCurrentPassword->Length <= (unsigned int) ((bBoot? MAX_LEGACY_PASSWORD: MAX_PASSWORD))))

{

effectivePim = CachedPim[i];

else

effectivePim = pim;

if (nReturnCode != ERR_PASSWORD_WRONG)

break;

void AddPasswordToCache (Password *password, int pim, BOOL bCachePim);

void AddLegacyPasswordToCache (PasswordLegacy *password, int pim);

void WipeCache (void);

#endif

int noIterations;

int volumePim;

BOOL bProtectHiddenVolume; // Indicates whether the volume contains a hidden volume to be protected against overwriting

BOOL DriverUnload ()

{

int refCount;

int volumesMounted;

DWORD dwResult;

// Test for mounted volumes

bResult = DeviceIoControl (hDriver, TC_IOCTL_IS_ANY_VOLUME_MOUNTED, NULL, 0, &volumesMounted, sizeof (volumesMounted), &dwResult, NULL);

if (bResult)

{

if (volumesMounted != 0)

BOOL bResult = DeviceIoControl (hDriver, TC_IOCTL_GET_DRIVER_VERSION, NULL, 0, &DriverVersion, sizeof (DriverVersion), &dwResult, NULL);

#ifndef SETUP // Don't check version during setup to allow removal of another version

if (bResult == FALSE)

{

case SHA512:

/* PKCS-5 test with HMAC-SHA-512 used as the PRF */

break;

case SHA256:

/* PKCS-5 test with HMAC-SHA-256 used as the PRF */

break;

case BLAKE2S:

/* PKCS-5 test with HMAC-BLAKE2s used as the PRF */

break;

case WHIRLPOOL:

/* PKCS-5 test with HMAC-Whirlpool used as the PRF */

break;

case STREEBOG:

/* PKCS-5 test with HMAC-STREEBOG used as the PRF */

break;

}

}

benchmarkTable[benchmarkTotalItems].encSpeed = performanceCountEnd.QuadPart - performanceCountStart.QuadPart;

benchmarkTable[benchmarkTotalItems].id = thid;

benchmarkTable[benchmarkTotalItems].meanBytesPerSec = (unsigned __int64) (1000 * ((float) benchmarkTable[benchmarkTotalItems].encSpeed / benchmarkPerformanceFrequency.QuadPart / 2));

if (benchmarkPreBoot)

{

return FALSE;

}

void CorrectFileName (wchar_t* fileName)

{

/* replace '/' by '\' */

Password *password,

int pkcs5,

int pim,

BOOL cachePassword,

BOOL cachePim,

BOOL sharedAccess,

else

mount.bMountManager = TRUE;

mount.pkcs5_prf = pkcs5;

mount.VolumePim = pim;

wstring path = volumePath;

burn (&mount.VolumePassword, sizeof (mount.VolumePassword));

burn (&mount.ProtectedHidVolPassword, sizeof (mount.ProtectedHidVolPassword));

burn (&mount.pkcs5_prf, sizeof (mount.pkcs5_prf));

burn (&mount.ProtectedHidVolPkcs5Prf, sizeof (mount.ProtectedHidVolPkcs5Prf));

SetLastError (dwLastError);

#ifndef SETUP

{

int status = ERR_PARAMETER_INCORRECT;

int volumeType;

}

// Decrypt volume header

if (status == ERR_PASSWORD_WRONG)

continue; // Try next volume type

BOOL UpdateDriveCustomLabel (int driveNo, wchar_t* effectiveLabel, BOOL bSetValue);

BOOL CheckCapsLock (HWND hwnd, BOOL quiet);

BOOL CheckFileExtension (wchar_t *fileName);

void CorrectFileName (wchar_t* fileName);

void CorrectURL (wchar_t* fileName);

void IncreaseWrongPwdRetryCount (int count);

BOOL IsDeviceMounted (wchar_t *deviceName);

int DriverUnmountVolume (HWND hwndDlg, int nDosDriveNo, BOOL forced);

void BroadcastDeviceChange (WPARAM message, int nDosDriveNo, DWORD driveMap);

BOOL UnmountVolume (HWND hwndDlg , int nDosDriveNo, BOOL forceUnmount);

BOOL UnmountVolumeAfterFormatExCall (HWND hwndDlg, int nDosDriveNo);

BOOL IsPasswordCacheEmpty (void);

BOOL GetDriveLabel (int driveNo, wchar_t *label, int labelSize);

BOOL GetSysDevicePaths (HWND hwndDlg);

BOOL DoDriverInstall (HWND hwndDlg);

void CloseVolume (OpenVolumeContext *context);

int ReEncryptVolumeHeader (HWND hwndDlg, char *buffer, BOOL bBoot, CRYPTO_INFO *cryptoInfo, Password *password, int pim, BOOL wipeMode);

BOOL IsPagingFileActive (BOOL checkNonWindowsPartitionsOnly);

mountOptions.PartitionInInactiveSysEncScope = FALSE;

mountOptions.UseBackupHeader = FALSE;

{

if (!Silent)

{

return TRUE;

}

{

int nDosLinkCreated = 1, nStatus = ERR_OS_ERROR;

wchar_t szDiskFile[TC_MAX_PATH], szCFDevice[TC_MAX_PATH];

if (oldPassword->Length == 0 || newPassword->Length == 0) return -1;

{

nStatus = ERR_PARAMETER_INCORRECT;

handleError (hwndDlg, nStatus, SRC_POS);

/* Try to decrypt the header */

if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)

nStatus = 0; // We can ignore this error here

(volumeType == TC_VOLUME_TYPE_HIDDEN) ? cryptoInfo->hiddenVolumeSize : 0,

cryptoInfo->EncryptedAreaStart.Value,

cryptoInfo->EncryptedAreaLength.Value,

cryptoInfo->HeaderFlags,

cryptoInfo->SectorSize,

wipePass < wipePassCount - 1);

cryptoInfo->VolumeSize.Value,

cryptoInfo->EncryptedAreaStart.Value,

cryptoInfo->EncryptedAreaLength.Value,

cryptoInfo->HeaderFlags,

cryptoInfo->SectorSize,

wipePass < wipePassCount - 1);

void VerifyPasswordAndUpdate ( HWND hwndDlg , HWND hButton , HWND hPassword , HWND hVerify , unsigned char *szPassword , char *szVerify, BOOL keyFilesEnabled );

BOOL CheckPasswordLength (HWND hwndDlg, unsigned __int32 passwordLength, int pim, BOOL bForBoot, int bootPRF, BOOL bSkipPasswordWarning, BOOL bSkipPimWarning);

BOOL CheckPasswordCharEncoding (HWND hPassword, Password *ptrPw);

#endif // defined(_WIN32) && !defined(TC_WINDOWS_DRIVER) && !defined(_UEFI)

{

if ( (pim < 0)

)

{

return 0;

{

case BLAKE2S:

return bBoot? 200000 : 500000;

else

{

}

case SHA512:

case WHIRLPOOL:

case SHA256:

return bBoot? 200000 : 500000;

else

{

}

case STREEBOG:

return bBoot? 200000 : 500000;

else

{

#endif

}

{

if (pkcs5_prf_id == 0) // auto-detection always supported

return 1;

return 1;

void hmac_streebog (char *k, int32 lk, char *d, int32 ld);

void derive_key_streebog (char *pwd, int pwd_len, char *salt, int salt_len, uint32 iterations, char *dk, int dklen);

wchar_t *get_pkcs5_prf_name (int pkcs5_prf_id);

/* check if given PRF supported.*/

PRF_BOOT_GPT

} PRF_BOOT_TYPE;

#endif

#if defined(__cplusplus)

#define TC_APP_NAME "VeraCrypt"

// Version displayed to user

#ifdef VC_EFI_CUSTOM_MODE

#define VERSION_STRING_SUFFIX "-CustomEFI"

#define VERSION_NUM 0x0126

// Release date

#define TC_RELEASE_DATE_YEAR 2023

#define TC_RELEASE_DATE_MONTH 07

BOOL ReadVolumeHeaderRecoveryMode = FALSE;

{

char header[TC_VOLUME_HEADER_EFFECTIVE_SIZE];

unsigned char* keyInfoBuffer = NULL;

if (pim < 0)

pim = 0;

if (retHeaderCryptoInfo != NULL)

{

cryptoInfo = retHeaderCryptoInfo;

if (selected_pkcs5_prf != 0 && enqPkcs5Prf != selected_pkcs5_prf)

continue;

#if !defined(_UEFI)

if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1))

{

EncryptionThreadPoolBeginKeyDerivation (keyDerivationCompletedEvent, noOutstandingWorkItemEvent,

&item->KeyReady, outstandingWorkItemCount, enqPkcs5Prf, keyInfo->userKey,

++queuedWorkItems;

break;

if (!item->Free && InterlockedExchangeAdd (&item->KeyReady, 0) == TRUE)

{

pkcs5_prf = item->Pkcs5Prf;

memcpy (dk, item->DerivedKey, sizeof (dk));

item->Free = TRUE;

#endif // !defined(_UEFI)

{

pkcs5_prf = enqPkcs5Prf;

switch (pkcs5_prf)

{

DecryptBuffer (header + HEADER_ENCRYPTED_DATA_OFFSET, HEADER_ENCRYPTED_DATA_SIZE, cryptoInfo);

continue;

// Header version

// Required program version

cryptoInfo->RequiredProgramVersion = GetHeaderField16 (header, TC_HEADER_OFFSET_REQUIRED_VERSION);

// Check CRC of the key set

if (!ReadVolumeHeaderRecoveryMode

// Now we have the correct password, cipher, hash algorithm, and volume type

// Check the version required to handle this volume

{

status = ERR_NEW_VERSION_REQUIRED;

goto err;

{

cryptoInfo->pkcs5 = pkcs5_prf;

cryptoInfo->noIterations = keyInfo->noIterations;

cryptoInfo->volumePim = pim;

goto ret;

}

// PKCS #5

cryptoInfo->pkcs5 = pkcs5_prf;

cryptoInfo->noIterations = keyInfo->noIterations;

cryptoInfo->volumePim = pim;

// Init the cipher with the decrypted master key

{

memcpy (keyInfo.userKey, password->Text, nUserKeyLen);

keyInfo.keyLength = nUserKeyLen;

}

else

{

// User selected PRF

cryptoInfo->pkcs5 = pkcs5_prf;

cryptoInfo->noIterations = keyInfo.noIterations;

cryptoInfo->volumePim = pim;

#if defined(TC_WINDOWS_BOOT)

int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pim, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);

#elif defined(_UEFI)

int CreateVolumeHeaderInMemory(BOOL bBoot, char *encryptedHeader, int ea, int mode, Password *password, int pkcs5_prf, int pim, char *masterKeydata, PCRYPTO_INFO *retInfo, unsigned __int64 volumeSize, unsigned __int64 hiddenVolumeSize, unsigned __int64 encryptedAreaStart, unsigned __int64 encryptedAreaLength, uint16 requiredProgramVersion, uint32 headerFlags, uint32 sectorSize, BOOL bWipeMode);

BOOL RandgetBytes(unsigned char *buf, int len, BOOL forceSlowPoll);

#else

#if defined(_WIN32) && !defined(_UEFI)

void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderSize, byte* fingerprint);

#endif