Implement detection of volumes with vulnerable XTS master key.

If vulnerability detected, a warning message is displayed during mount or backup/restore header, and changing the password is disallowed since it will not change the master key.
2025-11-11 11:08:02 -06:00 · 2024-08-02 00:20:53 +02:00
parent 6121ca0239
commit ed1263bf8c
24 changed files with 186 additions and 7 deletions
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -177,6 +177,7 @@ typedef struct
 	ULONG MaximumTransferLength;
 	ULONG MaximumPhysicalPages;
 	ULONG AlignmentMask;
+	BOOL VolumeMasterKeyVulnerable;
 } MOUNT_STRUCT;

 typedef struct
@@ -316,6 +317,8 @@ typedef struct
 	// is read-only (or mounted an outer/normal TrueCrypt volume as read only)
 	uint32 HiddenSysLeakProtectionCount;

+	BOOL MasterKeyVulnerable;
+
 } BootEncryptionStatus;


--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -1462,6 +1462,7 @@ namespace VeraCrypt
 		/* IMPORTANT: Do NOT add any potentially time-consuming operations to this function. */

 		BootEncryptionStatus status;
+		memset (&status, 0, sizeof(status));
 		CallDriver (TC_IOCTL_GET_BOOT_ENCRYPTION_STATUS, NULL, 0, &status, sizeof (status));
 		return status;
 	}
@@ -5401,6 +5402,10 @@ namespace VeraCrypt
 		int status = ReadVolumeHeader (!encStatus.HiddenSystem, header, oldPassword, old_pkcs5, old_pim, &cryptoInfo, NULL);
 		finally_do_arg (PCRYPTO_INFO, cryptoInfo, { if (finally_arg) crypto_close (finally_arg); });

+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			status = ERR_SYSENC_XTS_MASTERKEY_VULNERABLE;
+
 		if (status != 0)
 		{
 			handleError (hwndDlg, status, SRC_POS);
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -277,6 +277,8 @@ typedef struct CRYPTO_INFO_t

 	uint32 SectorSize;

+	BOOL bVulnerableMasterKey; // TRUE if XTS primary key is identical to secondary key (i.e. the volume is vulnerable to attack on XTS mode)
+
 #endif // !TC_WINDOWS_BOOT

 	UINT64_STRUCT VolumeSize;
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -5577,6 +5577,14 @@ void handleError (HWND hwndDlg, int code, const char* srcPos)
 		break;
 #endif

+	case ERR_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
+	case ERR_SYSENC_XTS_MASTERKEY_VULNERABLE:
+		MessageBoxW (hwndDlg, AppendSrcPos (GetString ("ERR_SYSENC_XTS_MASTERKEY_VULNERABLE"), srcPos).c_str(), lpszTitle, ICON_HAND);
+		break;
+
 	default:
 		StringCbPrintfW (szTmp, sizeof(szTmp), GetString ("ERR_UNKNOWN"), code);
 		MessageBoxW (hwndDlg, AppendSrcPos (szTmp, srcPos).c_str(), lpszTitle, ICON_HAND);
@@ -8953,6 +8961,12 @@ retry:
 	
 	LastMountedVolumeDirty = mount.FilesystemDirty;

+	if (mount.VolumeMasterKeyVulnerable
+		&& !Silent)
+	{
+		Warning ("ERR_XTS_MASTERKEY_VULNERABLE", hwndDlg);
+	}
+
 	if (mount.FilesystemDirty)
 	{
 		wchar_t msg[1024];
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1638,6 +1638,9 @@
    <entry lang="en" key="LINUX_LANGUAGE">Language</entry>
    <entry lang="en" key="LINUX_SELECT_SYS_DEFAULT_LANG">Select system's default language</entry>
    <entry lang="en" key="LINUX_RESTART_FOR_LANGUAGE_CHANGE">For the language change to come into effect, VeraCrypt needs to be restarted.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE">WARNING: The volume's master key is vulnerable to an attack that compromises data security.\n\nPlease create a new volume and transfer the data to it.</entry>
+    <entry lang="en" key="ERR_SYSENC_XTS_MASTERKEY_VULNERABLE">WARNING: The encrypted system's master key is vulnerable to an attack that compromises data security.\nPlease decrypt the system partition/drive and then re-encrypt it.</entry>
+    <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE_SHORT">WARNING: The volume's master key has a security vulnerability.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
--- a/src/Common/Password.c
+++ b/src/Common/Password.c
@@ -371,6 +371,10 @@ int ChangePwd (const wchar_t *lpszVolume, Password *oldPassword, int old_pkcs5,
 		if (nStatus == ERR_CIPHER_INIT_WEAK_KEY)
 			nStatus = 0;	// We can ignore this error here

+		// if the XTS master key is vulnerable, return error and do not allow the user to change the password since the master key will not be changed
+		if (cryptoInfo->bVulnerableMasterKey)
+			nStatus = ERR_XTS_MASTERKEY_VULNERABLE;
+
 		if (nStatus == ERR_PASSWORD_WRONG)
 		{
 			continue;		// Try next volume type
--- a/src/Common/Tcdefs.h
+++ b/src/Common/Tcdefs.h
@@ -494,7 +494,9 @@ enum
 	ERR_NONSYS_INPLACE_ENC_INCOMPLETE		= 32,
 	ERR_USER_ABORT							= 33,
 	ERR_RAND_INIT_FAILED					= 34,
-	ERR_CAPI_INIT_FAILED					= 35
+	ERR_CAPI_INIT_FAILED					= 35,
+	ERR_XTS_MASTERKEY_VULNERABLE			= 36,
+	ERR_SYSENC_XTS_MASTERKEY_VULNERABLE			= 37
 };

 #endif 	// #ifndef TCDEFS_H
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -597,6 +597,14 @@ KeyReady:	;
 					goto err;
 				}

+				// check that first half of keyInfo.master_keydata is different from the second half. If they are the same return error
+				if (memcmp (keyInfo->master_keydata, keyInfo->master_keydata + EAGetKeySize (cryptoInfo->ea), EAGetKeySize (cryptoInfo->ea)) == 0)
+				{
+					cryptoInfo->bVulnerableMasterKey = TRUE;
+					if (retHeaderCryptoInfo)
+						retHeaderCryptoInfo->bVulnerableMasterKey = TRUE;
+				}
+
 				status = ERR_SUCCESS;
 				goto ret;
 			}