From 68f16dae244752e8bdf112e8feeb6a0839088a3e Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Tue, 14 Oct 2014 17:14:54 +0200 Subject: Implement support for creating and booting encrypted partition using SHA-256. Support SHA-256 for normal volumes as well. --- src/Common/BootEncryption.cpp | 76 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 66 insertions(+), 10 deletions(-) (limited to 'src/Common/BootEncryption.cpp') diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index 9f848fc7..be521fd6 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -375,6 +375,7 @@ namespace VeraCrypt RescueIsoImage (nullptr), RescueVolumeHeaderValid (false), SelectedEncryptionAlgorithmId (0), + SelectedPrfAlgorithmId (0), VolumeHeaderValid (false) { HiddenOSCandidatePartition.IsGPT = FALSE; @@ -975,11 +976,16 @@ namespace VeraCrypt ZeroMemory (buffer, bufferSize); int ea = 0; + int pkcs5_prf = 0; if (GetStatus().DriveMounted) { try { GetBootEncryptionAlgorithmNameRequest request; + // since we added new field to GetBootEncryptionAlgorithmNameRequest since version 1.0f + // we zero all the structure so that if we are talking to an older driver, the field + // BootPrfAlgorithmName will be an empty string + ZeroMemory(&request, sizeof(request)); CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_ALGORITHM_NAME, NULL, 0, &request, sizeof (request)); if (_stricmp (request.BootEncryptionAlgorithmName, "AES") == 0) @@ -988,6 +994,13 @@ namespace VeraCrypt ea = SERPENT; else if (_stricmp (request.BootEncryptionAlgorithmName, "Twofish") == 0) ea = TWOFISH; + + if (_stricmp(request.BootPrfAlgorithmName, "SHA-256") == 0) + pkcs5_prf = SHA256; + else if (_stricmp(request.BootPrfAlgorithmName, "RIPEMD-160") == 0) + pkcs5_prf = RIPEMD160; + else if (strlen(request.BootPrfAlgorithmName) == 0) // case of version < 1.0f + pkcs5_prf = RIPEMD160; } catch (...) { @@ -996,36 +1009,77 @@ namespace VeraCrypt VOLUME_PROPERTIES_STRUCT properties; GetVolumeProperties (&properties); ea = properties.ea; + pkcs5_prf = properties.pkcs5; } catch (...) { } } } else { - if (SelectedEncryptionAlgorithmId == 0) + if (SelectedEncryptionAlgorithmId == 0 || SelectedPrfAlgorithmId == 0) throw ParameterIncorrect (SRC_POS); ea = SelectedEncryptionAlgorithmId; + pkcs5_prf = SelectedPrfAlgorithmId; } - int bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR : IDR_BOOT_SECTOR; - int bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER : IDR_BOOT_LOADER; + // Only RIPEMD160 and SHA-256 are supported for boot loader + if (pkcs5_prf != RIPEMD160 && pkcs5_prf != SHA256) + throw ParameterIncorrect (SRC_POS); + + int bootSectorId = 0; + int bootLoaderId = 0; + + if (pkcs5_prf == SHA256) + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_SHA2 : IDR_BOOT_SECTOR_SHA2; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_SHA2 : IDR_BOOT_LOADER_SHA2; + } + else + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR : IDR_BOOT_SECTOR; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER : IDR_BOOT_LOADER; + } switch (ea) { case AES: - bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_AES : IDR_BOOT_SECTOR_AES; - bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_AES : IDR_BOOT_LOADER_AES; + if (pkcs5_prf == SHA256) + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_AES_SHA2 : IDR_BOOT_SECTOR_AES_SHA2; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_AES_SHA2 : IDR_BOOT_LOADER_AES_SHA2; + } + else + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_AES : IDR_BOOT_SECTOR_AES; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_AES : IDR_BOOT_LOADER_AES; + } break; case SERPENT: - bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_SERPENT : IDR_BOOT_SECTOR_SERPENT; - bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_SERPENT : IDR_BOOT_LOADER_SERPENT; + if (pkcs5_prf == SHA256) + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_SERPENT_SHA2 : IDR_BOOT_SECTOR_SERPENT_SHA2; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_SERPENT_SHA2 : IDR_BOOT_LOADER_SERPENT_SHA2; + } + else + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_SERPENT : IDR_BOOT_SECTOR_SERPENT; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_SERPENT : IDR_BOOT_LOADER_SERPENT; + } break; case TWOFISH: - bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH : IDR_BOOT_SECTOR_TWOFISH; - bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH : IDR_BOOT_LOADER_TWOFISH; + if (pkcs5_prf == SHA256) + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH_SHA2 : IDR_BOOT_SECTOR_TWOFISH_SHA2; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH_SHA2 : IDR_BOOT_LOADER_TWOFISH_SHA2; + } + else + { + bootSectorId = rescueDisk ? IDR_RESCUE_BOOT_SECTOR_TWOFISH : IDR_BOOT_SECTOR_TWOFISH; + bootLoaderId = rescueDisk ? IDR_RESCUE_LOADER_TWOFISH : IDR_BOOT_LOADER_TWOFISH; + } break; } @@ -1084,7 +1138,7 @@ namespace VeraCrypt buffer[TC_BOOT_SECTOR_CONFIG_OFFSET] |= TC_BOOT_CFG_FLAG_BACKUP_LOADER_AVAILABLE; } - else if (!rescueDisk && bootLoaderId != IDR_BOOT_LOADER) + else if (!rescueDisk && bootLoaderId != IDR_BOOT_LOADER && bootLoaderId != IDR_BOOT_LOADER_SHA2) { throw ParameterIncorrect (SRC_POS); } @@ -2253,6 +2307,7 @@ namespace VeraCrypt BackupSystemLoader(); SelectedEncryptionAlgorithmId = ea; + SelectedPrfAlgorithmId = pkcs5; } @@ -2307,6 +2362,7 @@ namespace VeraCrypt } SelectedEncryptionAlgorithmId = ea; + SelectedPrfAlgorithmId = pkcs5; CreateVolumeHeader (volumeSize, encryptedAreaStart, &password, ea, mode, pkcs5); if (!rescueIsoImagePath.empty()) -- cgit v1.2.3