diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index ed03e5b4df..42d427492b 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -5748,11 +5748,11 @@ BOOL BrowseDirectories(HWND hwndDlg, char *lpszDlgTitle, wchar_t *dirName, const return bOK; } -std::wstring GetWrongPasswordErrorMessage (HWND hwndDlg) +static std::wstring GetWrongPasswordErrorMessageEx (HWND hwndDlg, BOOL hiddenVolumeProtection) { WCHAR szTmp[8192]; - StringCbPrintfW (szTmp, sizeof(szTmp), GetString (KeyFilesEnable ? "PASSWORD_OR_KEYFILE_WRONG" : "PASSWORD_WRONG")); + StringCbPrintfW (szTmp, sizeof(szTmp), GetString (hiddenVolumeProtection ? "HIDVOL_PROT_PASSWORD_OR_KEYFILE_WRONG" : (KeyFilesEnable ? "PASSWORD_OR_KEYFILE_WRONG" : "PASSWORD_WRONG"))); if (CheckCapsLock (hwndDlg, TRUE)) StringCbCatW (szTmp, sizeof(szTmp), GetString ("PASSWORD_WRONG_CAPSLOCK_ON")); @@ -5760,7 +5760,7 @@ std::wstring GetWrongPasswordErrorMessage (HWND hwndDlg) wchar_t szDevicePath [TC_MAX_PATH+1] = {0}; GetWindowText (GetDlgItem (MainDlg, IDC_VOLUME), szDevicePath, ARRAYSIZE (szDevicePath)); - if (TCBootLoaderOnInactiveSysEncDrive (szDevicePath)) + if (!hiddenVolumeProtection && TCBootLoaderOnInactiveSysEncDrive (szDevicePath)) { StringCbPrintfW (szTmp, sizeof(szTmp), GetString (KeyFilesEnable ? "PASSWORD_OR_KEYFILE_OR_MODE_WRONG" : "PASSWORD_OR_MODE_WRONG")); @@ -5784,6 +5784,11 @@ std::wstring GetWrongPasswordErrorMessage (HWND hwndDlg) return msg; } +std::wstring GetWrongPasswordErrorMessage (HWND hwndDlg) +{ + return GetWrongPasswordErrorMessageEx (hwndDlg, FALSE); +} + void handleError (HWND hwndDlg, int code, const char* srcPos) { @@ -9577,24 +9582,33 @@ int MountVolume (HWND hwndDlg, goto retry; } - if (bDevice && mount.bProtectHiddenVolume) + if (mount.bProtectHiddenVolume) { - int diskNo; + BOOL passwordErrorMessageShown = FALSE; - if (swscanf (volumePath, L"\\Device\\Harddisk%d\\Partition", &diskNo) == 1) + if (bDevice) { - OPEN_TEST_STRUCT openTestStruct; - memset (&openTestStruct, 0, sizeof (openTestStruct)); + int diskNo; + + if (swscanf (volumePath, L"\\Device\\Harddisk%d\\Partition", &diskNo) == 1) + { + OPEN_TEST_STRUCT openTestStruct; + memset (&openTestStruct, 0, sizeof (openTestStruct)); - openTestStruct.bDetectTCBootLoader = TRUE; - StringCchPrintfW ((wchar_t *) openTestStruct.wszFileName, array_capacity (openTestStruct.wszFileName), L"\\Device\\Harddisk%d\\Partition0", diskNo); + openTestStruct.bDetectTCBootLoader = TRUE; + StringCchPrintfW ((wchar_t *) openTestStruct.wszFileName, array_capacity (openTestStruct.wszFileName), L"\\Device\\Harddisk%d\\Partition0", diskNo); - DWORD cbBytesReturned; - if (DeviceIoControl (hDriver, TC_IOCTL_OPEN_TEST, &openTestStruct, sizeof (OPEN_TEST_STRUCT), &openTestStruct, sizeof (OPEN_TEST_STRUCT), &cbBytesReturned, NULL) && openTestStruct.TCBootLoaderDetected) - WarningDirect ((GetWrongPasswordErrorMessage (hwndDlg) + L"\n\n" + GetString ("HIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT")).c_str(), hwndDlg); - else - handleError (hwndDlg, mount.nReturnCode, SRC_POS); + DWORD cbBytesReturned; + if (DeviceIoControl (hDriver, TC_IOCTL_OPEN_TEST, &openTestStruct, sizeof (OPEN_TEST_STRUCT), &openTestStruct, sizeof (OPEN_TEST_STRUCT), &cbBytesReturned, NULL) && openTestStruct.TCBootLoaderDetected) + { + WarningDirect ((GetWrongPasswordErrorMessageEx (hwndDlg, TRUE) + L"\n\n" + GetString ("HIDDEN_VOL_PROT_PASSWORD_US_KEYB_LAYOUT")).c_str(), hwndDlg); + passwordErrorMessageShown = TRUE; + } + } } + + if (!passwordErrorMessageShown) + MessageBoxW (hwndDlg, AppendSrcPos (GetWrongPasswordErrorMessageEx (hwndDlg, TRUE).c_str(), SRC_POS).c_str(), lpszTitle, MB_ICONWARNING); } else handleError (hwndDlg, mount.nReturnCode, SRC_POS); diff --git a/src/Common/Language.xml b/src/Common/Language.xml index b981636fc5..35b72a8e1b 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml @@ -350,8 +350,6 @@ Speed is affected by CPU load and storage device characteristics.\n\nThese tests take place in RAM. Buffer Size: Cipher: - P&assword to hidden volume:\n(if empty, cache is used) - Hidden Volume Protection Key size: IMPORTANT: Move your mouse as randomly as possible within this window. The longer you move it, the better. This significantly increases the cryptographic strength of the keyfile. WARNING: If you lose a keyfile or if any bit of its first 1024 kilobytes changes, it will be impossible to mount volumes that use the keyfile! @@ -1690,6 +1688,11 @@ A Terminal window will open after you press 'OK' and attempt to repair the file system on the selected VeraCrypt volume using 'diskutil'. The result will be shown in that window.\n\nIf the repair cannot be started, Disk Utility will be launched instead. Warning: Secure Boot is enabled, but the Microsoft UEFI CA that signs the installed VeraCrypt EFI bootloader was not found in the firmware Secure Boot database (db). The firmware may refuse to start VeraCrypt at the next reboot, so Windows will not start until Secure Boot is disabled or the trusted certificates/loader set are repaired.\n\nBefore restarting this computer, do not disable or remove Microsoft Corporation UEFI CA 2011 unless the firmware db contains both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 and VeraCrypt has been repaired/reinstalled so the 2023-signed loader set is installed. Enable the required Microsoft certificates in the BIOS/UEFI settings if needed, then run VeraCrypt Repair/Reinstall. Make sure you have an up-to-date VeraCrypt Rescue Disk before restarting. Warning: Secure Boot is enabled, but the Microsoft CA that signs the Windows Boot Manager copy used by VeraCrypt (bootmgfw_ms.vc) was not found in the firmware Secure Boot database (db). After successful pre-boot authentication, the handoff to Windows may fail and the computer may return to the VeraCrypt password prompt.\n\nBefore restarting this computer, do not disable or revoke Microsoft Windows Production PCA 2011 unless Windows Boot Manager has migrated to a Windows UEFI CA 2023-signed version and the firmware db contains Windows UEFI CA 2023. Apply the Windows Secure Boot certificate updates, then run VeraCrypt Repair/Reinstall if needed. Make sure you have an up-to-date VeraCrypt Rescue Disk before restarting. + Outer p&assword: + Hidden volume p&assword:\n(if empty, cache is used) + Hidden Volume Protection (Hidden Credentials) + Operation failed while hidden volume protection was enabled.\n\nUse the OUTER (decoy) volume password, PIM, PRF, and keyfile(s), if any, in the main password dialog. Use the HIDDEN volume password, PIM, PRF, and keyfile(s), if any, in Mount Options > Hidden Volume Protection.\n\nOne or more credentials may be incorrect, or the selected volume may be invalid or unsupported. + Use OUTER (decoy) volume password, PIM, PRF/KDF, and keyfile(s) here. Use HIDDEN credentials in Mount Options > Hidden Volume Protection. diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index 88a720334f..b0e0416f62 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -3572,6 +3572,25 @@ static wchar_t PasswordDlgVolume[MAX_PATH + 1]; static BOOL PasswordDialogDisableMountOptions; static char *PasswordDialogTitleStringId; +static void UpdatePasswordDlgPasswordLabel (HWND hwndDlg) +{ + SetDlgItemTextW (hwndDlg, IDT_PASSWORD, + GetString (!PasswordDialogDisableMountOptions && mountOptions.ProtectHiddenVolume ? "IDT_OUTER_VOL_PASSWORD" : "IDT_PASSWORD")); + + if (!PasswordDialogDisableMountOptions && mountOptions.ProtectHiddenVolume) + { + EDITBALLOONTIP ebt; + ebt.cbStruct = sizeof (EDITBALLOONTIP); + ebt.pszText = GetString ("HIDVOL_PROT_OUTER_CREDENTIALS_NOTE"); + ebt.pszTitle = GetString ("IDT_HIDDEN_VOL_PROTECTION"); + ebt.ttiIcon = TTI_INFO_LARGE; + + SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_SHOWBALLOONTIP, 0, (LPARAM) &ebt); + } + else + SendMessage (GetDlgItem (hwndDlg, IDC_PASSWORD), EM_HIDEBALLOONTIP, 0, 0); +} + /* Except in response to the WM_INITDIALOG message, the dialog box procedure should return nonzero if it processes the message, and zero if it does not. - see DialogProc */ @@ -3639,6 +3658,7 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa SendMessage (hComboBox, CB_SETCURSEL, defaultPrfIndex, 0); ToNormalPwdField (hwndDlg, IDC_PASSWORD); + UpdatePasswordDlgPasswordLabel (hwndDlg); SendMessage (GetDlgItem (hwndDlg, IDC_CACHE), BM_SETCHECK, bCacheInDriver ? BST_CHECKED:BST_UNCHECKED, 0); SendMessage (GetDlgItem (hwndDlg, IDC_PIM), EM_LIMITTEXT, MAX_PIM, 0); @@ -3842,6 +3862,7 @@ BOOL CALLBACK PasswordDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LPARAM lPa DialogBoxParamW (hInst, MAKEINTRESOURCEW (IDD_MOUNT_OPTIONS), hwndDlg, (DLGPROC) MountOptionsDlgProc, (LPARAM) &mountOptions); + UpdatePasswordDlgPasswordLabel (hwndDlg); if (!bPrebootPasswordDlgMode && mountOptions.PartitionInInactiveSysEncScope) SendMessage (hwndDlg, TC_APPMSG_PREBOOT_PASSWORD_MODE, 0, 0); @@ -6618,7 +6639,8 @@ static BOOL MountAllDevicesThreadCode (HWND hwndDlg, MountAllDevicesThreadParam* { WCHAR szTmp[4096]; - StringCbPrintfW (szTmp, sizeof(szTmp), GetString (KeyFilesEnable || FirstCmdKeyFile ? "PASSWORD_OR_KEYFILE_WRONG_AUTOMOUNT" : "PASSWORD_WRONG_AUTOMOUNT")); + StringCbPrintfW (szTmp, sizeof(szTmp), + GetString (mountOptions.ProtectHiddenVolume ? "HIDVOL_PROT_PASSWORD_OR_KEYFILE_WRONG" : (KeyFilesEnable || FirstCmdKeyFile ? "PASSWORD_OR_KEYFILE_WRONG_AUTOMOUNT" : "PASSWORD_WRONG_AUTOMOUNT"))); if (CheckCapsLock (hwndDlg, TRUE)) StringCbCatW (szTmp, sizeof(szTmp), GetString ("PASSWORD_WRONG_CAPSLOCK_ON"));