/src/libbde/libbde/libbde_sector_data.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Sector data functions |
3 | | * |
4 | | * Copyright (C) 2011-2024, Joachim Metz <joachim.metz@gmail.com> |
5 | | * |
6 | | * Refer to AUTHORS for acknowledgements. |
7 | | * |
8 | | * This program is free software: you can redistribute it and/or modify |
9 | | * it under the terms of the GNU Lesser General Public License as published by |
10 | | * the Free Software Foundation, either version 3 of the License, or |
11 | | * (at your option) any later version. |
12 | | * |
13 | | * This program is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | | * GNU General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include <common.h> |
23 | | #include <byte_stream.h> |
24 | | #include <memory.h> |
25 | | #include <types.h> |
26 | | |
27 | | #include "libbde_definitions.h" |
28 | | #include "libbde_encryption_context.h" |
29 | | #include "libbde_io_handle.h" |
30 | | #include "libbde_libbfio.h" |
31 | | #include "libbde_libcerror.h" |
32 | | #include "libbde_libcnotify.h" |
33 | | #include "libbde_sector_data.h" |
34 | | |
35 | | /* Creates sector data |
36 | | * Make sure the value sector_data is referencing, is set to NULL |
37 | | * Returns 1 if successful or -1 on error |
38 | | */ |
39 | | int libbde_sector_data_initialize( |
40 | | libbde_sector_data_t **sector_data, |
41 | | size_t data_size, |
42 | | libcerror_error_t **error ) |
43 | 831 | { |
44 | 831 | static char *function = "libbde_sector_data_initialize"; |
45 | | |
46 | 831 | if( sector_data == NULL ) |
47 | 0 | { |
48 | 0 | libcerror_error_set( |
49 | 0 | error, |
50 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
51 | 0 | LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, |
52 | 0 | "%s: invalid sector data.", |
53 | 0 | function ); |
54 | |
|
55 | 0 | return( -1 ); |
56 | 0 | } |
57 | 831 | if( *sector_data != NULL ) |
58 | 0 | { |
59 | 0 | libcerror_error_set( |
60 | 0 | error, |
61 | 0 | LIBCERROR_ERROR_DOMAIN_RUNTIME, |
62 | 0 | LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET, |
63 | 0 | "%s: invalid sector data value already set.", |
64 | 0 | function ); |
65 | |
|
66 | 0 | return( -1 ); |
67 | 0 | } |
68 | 831 | if( ( data_size == 0 ) |
69 | 831 | || ( data_size > (size_t) MEMORY_MAXIMUM_ALLOCATION_SIZE ) ) |
70 | 0 | { |
71 | 0 | libcerror_error_set( |
72 | 0 | error, |
73 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
74 | 0 | LIBCERROR_ARGUMENT_ERROR_VALUE_OUT_OF_BOUNDS, |
75 | 0 | "%s: invalid data size value out of bounds.", |
76 | 0 | function ); |
77 | |
|
78 | 0 | return( -1 ); |
79 | 0 | } |
80 | 831 | *sector_data = memory_allocate_structure( |
81 | 831 | libbde_sector_data_t ); |
82 | | |
83 | 831 | if( *sector_data == NULL ) |
84 | 0 | { |
85 | 0 | libcerror_error_set( |
86 | 0 | error, |
87 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
88 | 0 | LIBCERROR_MEMORY_ERROR_INSUFFICIENT, |
89 | 0 | "%s: unable to create sector data.", |
90 | 0 | function ); |
91 | |
|
92 | 0 | goto on_error; |
93 | 0 | } |
94 | 831 | if( memory_set( |
95 | 831 | *sector_data, |
96 | 831 | 0, |
97 | 831 | sizeof( libbde_sector_data_t ) ) == NULL ) |
98 | 0 | { |
99 | 0 | libcerror_error_set( |
100 | 0 | error, |
101 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
102 | 0 | LIBCERROR_MEMORY_ERROR_SET_FAILED, |
103 | 0 | "%s: unable to clear sector data.", |
104 | 0 | function ); |
105 | |
|
106 | 0 | memory_free( |
107 | 0 | *sector_data ); |
108 | |
|
109 | 0 | *sector_data = NULL; |
110 | |
|
111 | 0 | return( -1 ); |
112 | 0 | } |
113 | 831 | ( *sector_data )->data = (uint8_t *) memory_allocate( |
114 | 831 | sizeof( uint8_t ) * data_size ); |
115 | | |
116 | 831 | if( ( *sector_data )->data == NULL ) |
117 | 0 | { |
118 | 0 | libcerror_error_set( |
119 | 0 | error, |
120 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
121 | 0 | LIBCERROR_MEMORY_ERROR_INSUFFICIENT, |
122 | 0 | "%s: unable to create data.", |
123 | 0 | function ); |
124 | |
|
125 | 0 | goto on_error; |
126 | 0 | } |
127 | 831 | ( *sector_data )->data_size = data_size; |
128 | | |
129 | 831 | return( 1 ); |
130 | | |
131 | 0 | on_error: |
132 | 0 | if( *sector_data != NULL ) |
133 | 0 | { |
134 | 0 | memory_free( |
135 | 0 | *sector_data ); |
136 | |
|
137 | 0 | *sector_data = NULL; |
138 | 0 | } |
139 | 0 | return( -1 ); |
140 | 831 | } |
141 | | |
142 | | /* Frees sector data |
143 | | * Returns 1 if successful or -1 on error |
144 | | */ |
145 | | int libbde_sector_data_free( |
146 | | libbde_sector_data_t **sector_data, |
147 | | libcerror_error_t **error ) |
148 | 831 | { |
149 | 831 | static char *function = "libbde_sector_data_free"; |
150 | 831 | int result = 1; |
151 | | |
152 | 831 | if( sector_data == NULL ) |
153 | 0 | { |
154 | 0 | libcerror_error_set( |
155 | 0 | error, |
156 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
157 | 0 | LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, |
158 | 0 | "%s: invalid sector data.", |
159 | 0 | function ); |
160 | |
|
161 | 0 | return( -1 ); |
162 | 0 | } |
163 | 831 | if( *sector_data != NULL ) |
164 | 831 | { |
165 | 831 | if( memory_set( |
166 | 831 | ( *sector_data )->data, |
167 | 831 | 0, |
168 | 831 | ( *sector_data )->data_size ) == NULL ) |
169 | 0 | { |
170 | 0 | libcerror_error_set( |
171 | 0 | error, |
172 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
173 | 0 | LIBCERROR_MEMORY_ERROR_SET_FAILED, |
174 | 0 | "%s: unable to clear data.", |
175 | 0 | function ); |
176 | |
|
177 | 0 | result = -1; |
178 | 0 | } |
179 | 831 | memory_free( |
180 | 831 | ( *sector_data )->data ); |
181 | | |
182 | 831 | memory_free( |
183 | 831 | *sector_data ); |
184 | | |
185 | 831 | *sector_data = NULL; |
186 | 831 | } |
187 | 831 | return( result ); |
188 | 831 | } |
189 | | |
190 | | /* Reads sector data |
191 | | * Returns 1 if successful or -1 on error |
192 | | */ |
193 | | int libbde_sector_data_read_file_io_handle( |
194 | | libbde_sector_data_t *sector_data, |
195 | | libbde_io_handle_t *io_handle, |
196 | | libbfio_handle_t *file_io_handle, |
197 | | off64_t sector_data_offset, |
198 | | libbde_encryption_context_t *encryption_context, |
199 | | uint8_t zero_metadata, |
200 | | libcerror_error_t **error ) |
201 | 831 | { |
202 | 831 | uint8_t *encrypted_data = NULL; |
203 | 831 | uint8_t *read_buffer = 0; |
204 | 831 | static char *function = "libbde_sector_data_read_file_io_handle"; |
205 | 831 | ssize_t read_count = 0; |
206 | 831 | uint64_t block_key = 0; |
207 | | |
208 | 831 | if( sector_data == NULL ) |
209 | 0 | { |
210 | 0 | libcerror_error_set( |
211 | 0 | error, |
212 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
213 | 0 | LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, |
214 | 0 | "%s: invalid sector data.", |
215 | 0 | function ); |
216 | |
|
217 | 0 | return( -1 ); |
218 | 0 | } |
219 | 831 | if( sector_data->data == NULL ) |
220 | 0 | { |
221 | 0 | libcerror_error_set( |
222 | 0 | error, |
223 | 0 | LIBCERROR_ERROR_DOMAIN_RUNTIME, |
224 | 0 | LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, |
225 | 0 | "%s: invalid sector data - missing data.", |
226 | 0 | function ); |
227 | |
|
228 | 0 | return( -1 ); |
229 | 0 | } |
230 | 831 | if( io_handle == NULL ) |
231 | 0 | { |
232 | 0 | libcerror_error_set( |
233 | 0 | error, |
234 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
235 | 0 | LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, |
236 | 0 | "%s: invalid IO handle.", |
237 | 0 | function ); |
238 | |
|
239 | 0 | return( -1 ); |
240 | 0 | } |
241 | 831 | if( io_handle->bytes_per_sector == 0 ) |
242 | 0 | { |
243 | 0 | libcerror_error_set( |
244 | 0 | error, |
245 | 0 | LIBCERROR_ERROR_DOMAIN_RUNTIME, |
246 | 0 | LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, |
247 | 0 | "%s: invalid IO handle - missing bytes per sector.", |
248 | 0 | function ); |
249 | |
|
250 | 0 | return( -1 ); |
251 | 0 | } |
252 | 831 | if( encryption_context == NULL ) |
253 | 0 | { |
254 | 0 | libcerror_error_set( |
255 | 0 | error, |
256 | 0 | LIBCERROR_ERROR_DOMAIN_ARGUMENTS, |
257 | 0 | LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, |
258 | 0 | "%s: invalid encryption context.", |
259 | 0 | function ); |
260 | |
|
261 | 0 | return( -1 ); |
262 | 0 | } |
263 | | #if defined( HAVE_DEBUG_OUTPUT ) |
264 | | if( libcnotify_verbose != 0 ) |
265 | | { |
266 | | libcnotify_printf( |
267 | | "%s: reading sector data at offset: %" PRIi64 " (0x%08" PRIx64 ")\n", |
268 | | function, |
269 | | sector_data_offset, |
270 | | sector_data_offset ); |
271 | | } |
272 | | #endif |
273 | 831 | if( zero_metadata != 0 ) |
274 | 0 | { |
275 | | /* The BitLocker metadata areas are represented as zero byte blocks |
276 | | */ |
277 | 0 | if( ( ( sector_data_offset >= io_handle->first_metadata_offset ) |
278 | 0 | && ( sector_data_offset < ( io_handle->first_metadata_offset + (off64_t) io_handle->metadata_size ) ) ) |
279 | 0 | || ( ( sector_data_offset >= io_handle->second_metadata_offset ) |
280 | 0 | && ( sector_data_offset < ( io_handle->second_metadata_offset + (off64_t) io_handle->metadata_size ) ) ) |
281 | 0 | || ( ( sector_data_offset >= io_handle->third_metadata_offset ) |
282 | 0 | && ( sector_data_offset < ( io_handle->third_metadata_offset + (off64_t) io_handle->metadata_size ) ) ) ) |
283 | 0 | { |
284 | 0 | if( memory_set( |
285 | 0 | sector_data->data, |
286 | 0 | 0, |
287 | 0 | sector_data->data_size ) == NULL ) |
288 | 0 | { |
289 | 0 | libcerror_error_set( |
290 | 0 | error, |
291 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
292 | 0 | LIBCERROR_MEMORY_ERROR_SET_FAILED, |
293 | 0 | "%s: unable to clear data.", |
294 | 0 | function ); |
295 | |
|
296 | 0 | goto on_error; |
297 | 0 | } |
298 | 0 | return( 1 ); |
299 | 0 | } |
300 | 0 | } |
301 | 831 | if( ( io_handle->version == LIBBDE_VERSION_WINDOWS_7 ) |
302 | 831 | || ( io_handle->version == LIBBDE_VERSION_TO_GO ) ) |
303 | 831 | { |
304 | 831 | if( zero_metadata != 0 ) |
305 | 0 | { |
306 | 0 | if( ( sector_data_offset >= io_handle->volume_header_offset ) |
307 | 0 | && ( sector_data_offset < ( io_handle->volume_header_offset + (off64_t) io_handle->volume_header_size ) ) ) |
308 | 0 | { |
309 | 0 | if( memory_set( |
310 | 0 | sector_data->data, |
311 | 0 | 0, |
312 | 0 | sector_data->data_size ) == NULL ) |
313 | 0 | { |
314 | 0 | libcerror_error_set( |
315 | 0 | error, |
316 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
317 | 0 | LIBCERROR_MEMORY_ERROR_SET_FAILED, |
318 | 0 | "%s: unable to clear data.", |
319 | 0 | function ); |
320 | |
|
321 | 0 | goto on_error; |
322 | 0 | } |
323 | 0 | return( 1 ); |
324 | 0 | } |
325 | 0 | } |
326 | | /* Normally the first 8192 bytes are stored in another location on the volume |
327 | | */ |
328 | 831 | if( (size64_t) sector_data_offset < io_handle->volume_header_size ) |
329 | 675 | { |
330 | | #if defined( HAVE_DEBUG_OUTPUT ) |
331 | | if( libcnotify_verbose != 0 ) |
332 | | { |
333 | | libcnotify_printf( |
334 | | "%s: reading volume header data at offset: %" PRIi64 " (0x%08" PRIx64 ")\n", |
335 | | function, |
336 | | io_handle->volume_header_offset, |
337 | | io_handle->volume_header_offset ); |
338 | | } |
339 | | #endif |
340 | 675 | if( ( io_handle->volume_header_offset < 0 ) |
341 | 675 | || ( sector_data_offset > (off64_t) ( INT64_MAX - io_handle->volume_header_offset ) ) ) |
342 | 67 | { |
343 | 67 | libcerror_error_set( |
344 | 67 | error, |
345 | 67 | LIBCERROR_ERROR_DOMAIN_RUNTIME, |
346 | 67 | LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS, |
347 | 67 | "%s: invalid sector data offset value out of bounds.", |
348 | 67 | function ); |
349 | | |
350 | 67 | goto on_error; |
351 | 67 | } |
352 | 608 | sector_data_offset += io_handle->volume_header_offset; |
353 | 608 | } |
354 | 831 | } |
355 | | /* In Windows Vista the first 16 sectors are unencrypted |
356 | | */ |
357 | 764 | if( ( io_handle->version == LIBBDE_VERSION_WINDOWS_VISTA ) |
358 | 764 | && ( (size64_t) sector_data_offset < 8192 ) ) |
359 | 0 | { |
360 | 0 | read_buffer = sector_data->data; |
361 | 0 | } |
362 | 764 | else if( encryption_context->method == LIBBDE_ENCRYPTION_METHOD_NONE ) |
363 | 569 | { |
364 | 569 | read_buffer = sector_data->data; |
365 | 569 | } |
366 | | /* Check if the offset is outside the encrypted part of the volume |
367 | | */ |
368 | 195 | else if( ( io_handle->encrypted_volume_size != 0 ) |
369 | 195 | && ( sector_data_offset >= (off64_t) io_handle->encrypted_volume_size ) ) |
370 | 102 | { |
371 | 102 | read_buffer = sector_data->data; |
372 | 102 | } |
373 | 93 | else |
374 | 93 | { |
375 | 93 | encrypted_data = (uint8_t *) memory_allocate( |
376 | 93 | sizeof( uint8_t ) * sector_data->data_size ); |
377 | | |
378 | 93 | if( encrypted_data == NULL ) |
379 | 0 | { |
380 | 0 | libcerror_error_set( |
381 | 0 | error, |
382 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
383 | 0 | LIBCERROR_MEMORY_ERROR_INSUFFICIENT, |
384 | 0 | "%s: unable to create encrypted data.", |
385 | 0 | function ); |
386 | |
|
387 | 0 | goto on_error; |
388 | 0 | } |
389 | 93 | read_buffer = encrypted_data; |
390 | 93 | } |
391 | 764 | read_count = libbfio_handle_read_buffer_at_offset( |
392 | 764 | file_io_handle, |
393 | 764 | read_buffer, |
394 | 764 | sector_data->data_size, |
395 | 764 | sector_data_offset, |
396 | 764 | error ); |
397 | | |
398 | 764 | if( read_count != (ssize_t) sector_data->data_size ) |
399 | 233 | { |
400 | 233 | libcerror_error_set( |
401 | 233 | error, |
402 | 233 | LIBCERROR_ERROR_DOMAIN_IO, |
403 | 233 | LIBCERROR_IO_ERROR_READ_FAILED, |
404 | 233 | "%s: unable to read sector data at offset: %" PRIi64 " (0x%08" PRIx64 ").", |
405 | 233 | function, |
406 | 233 | sector_data_offset, |
407 | 233 | sector_data_offset ); |
408 | | |
409 | 233 | goto on_error; |
410 | 233 | } |
411 | | #if defined( HAVE_DEBUG_OUTPUT ) |
412 | | if( libcnotify_verbose != 0 ) |
413 | | { |
414 | | if( read_buffer == encrypted_data ) |
415 | | { |
416 | | libcnotify_printf( |
417 | | "%s: encrypted sector data:\n", |
418 | | function ); |
419 | | libcnotify_print_data( |
420 | | encrypted_data, |
421 | | sector_data->data_size, |
422 | | 0 ); |
423 | | } |
424 | | } |
425 | | #endif /* defined( HAVE_DEBUG_OUTPUT ) */ |
426 | | |
427 | | /* In Windows Vista the first sector is altered |
428 | | */ |
429 | 531 | if( ( io_handle->version == LIBBDE_VERSION_WINDOWS_VISTA ) |
430 | 531 | && ( (size64_t) sector_data_offset < 512 ) ) |
431 | 0 | { |
432 | | /* Change the volume header signature "-FVE-FS-" |
433 | | * into "NTFS " |
434 | | */ |
435 | 0 | if( memory_copy( |
436 | 0 | &( sector_data->data[ 3 ] ), |
437 | 0 | "NTFS ", |
438 | 0 | 8 ) == NULL ) |
439 | 0 | { |
440 | 0 | libcerror_error_set( |
441 | 0 | error, |
442 | 0 | LIBCERROR_ERROR_DOMAIN_MEMORY, |
443 | 0 | LIBCERROR_MEMORY_ERROR_COPY_FAILED, |
444 | 0 | "%s: unable to copy NTFS signature.", |
445 | 0 | function ); |
446 | |
|
447 | 0 | goto on_error; |
448 | 0 | } |
449 | | /* Change the FVE metadata block 1 cluster block number |
450 | | * into the MFT mirror cluster block number |
451 | | */ |
452 | 0 | byte_stream_copy_from_uint64_little_endian( |
453 | 0 | &( sector_data->data[ 56 ] ), |
454 | 0 | io_handle->mft_mirror_cluster_block_number ); |
455 | 0 | } |
456 | 531 | if( read_buffer == encrypted_data ) |
457 | 60 | { |
458 | 60 | block_key = (uint64_t) sector_data_offset; |
459 | | |
460 | 60 | if( ( encryption_context->method == LIBBDE_ENCRYPTION_METHOD_AES_128_XTS ) |
461 | 60 | || ( encryption_context->method == LIBBDE_ENCRYPTION_METHOD_AES_256_XTS ) ) |
462 | 19 | { |
463 | 19 | block_key /= io_handle->bytes_per_sector; |
464 | 19 | } |
465 | 60 | if( libbde_encryption_context_crypt( |
466 | 60 | encryption_context, |
467 | 60 | LIBBDE_ENCRYPTION_CRYPT_MODE_DECRYPT, |
468 | 60 | encrypted_data, |
469 | 60 | sector_data->data_size, |
470 | 60 | sector_data->data, |
471 | 60 | sector_data->data_size, |
472 | 60 | block_key, |
473 | 60 | error ) != 1 ) |
474 | 0 | { |
475 | 0 | libcerror_error_set( |
476 | 0 | error, |
477 | 0 | LIBCERROR_ERROR_DOMAIN_ENCRYPTION, |
478 | 0 | LIBCERROR_ENCRYPTION_ERROR_GENERIC, |
479 | 0 | "%s: unable to decrypt sector data.", |
480 | 0 | function ); |
481 | |
|
482 | 0 | goto on_error; |
483 | 0 | } |
484 | 60 | memory_free( |
485 | 60 | encrypted_data ); |
486 | | |
487 | 60 | encrypted_data = NULL; |
488 | 60 | } |
489 | | #if defined( HAVE_DEBUG_OUTPUT ) |
490 | | if( libcnotify_verbose != 0 ) |
491 | | { |
492 | | libcnotify_printf( |
493 | | "%s: sector data:\n", |
494 | | function ); |
495 | | libcnotify_print_data( |
496 | | sector_data->data, |
497 | | sector_data->data_size, |
498 | | 0 ); |
499 | | } |
500 | | #endif /* defined( HAVE_DEBUG_OUTPUT ) */ |
501 | | |
502 | 531 | return( 1 ); |
503 | | |
504 | 300 | on_error: |
505 | 300 | if( encrypted_data != NULL ) |
506 | 33 | { |
507 | 33 | memory_free( |
508 | 33 | encrypted_data ); |
509 | 33 | } |
510 | 300 | return( -1 ); |
511 | 531 | } |
512 | | |