Windows: Better implementation of PRF autodetection optimization.

2025-11-11 02:58:02 -06:00 · 2021-08-07 20:44:00 +02:00
parent aeba32ba8b
commit 4b98ff0e98
3 changed files with 80 additions and 54 deletions
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -170,7 +170,10 @@ BOOL ReadVolumeHeaderRecoveryMode = FALSE;
 int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int selected_pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
 {
 	char header[TC_VOLUME_HEADER_EFFECTIVE_SIZE];
-	CRYPTOPP_ALIGN_DATA(16) KEY_INFO keyInfo;
+	unsigned char* keyInfoBuffer = NULL;
+	int keyInfoBufferSize = sizeof (KEY_INFO) + 16;
+	size_t keyInfoBufferOffset;
+	PKEY_INFO keyInfo;
 	PCRYPTO_INFO cryptoInfo;
 	CRYPTOPP_ALIGN_DATA(16) char dk[MASTER_KEYDATA_SIZE];
 	int enqPkcs5Prf, pkcs5_prf;
@@ -182,6 +185,7 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 	TC_EVENT *keyDerivationCompletedEvent = NULL;
 	TC_EVENT *noOutstandingWorkItemEvent = NULL;
 	KeyDerivationWorkItem *keyDerivationWorkItems = NULL;
+	int keyDerivationWorkItemsSize = 0;
 	KeyDerivationWorkItem *item;
 	size_t encryptionThreadCount = GetEncryptionThreadCount();
 	LONG *outstandingWorkItemCount = NULL;
@@ -189,6 +193,17 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 #endif
 	size_t queuedWorkItems = 0;

+	// allocate 16-bytes aligned buffer to hold KEY_INFO in a portable way
+	keyInfoBuffer = TCalloc(keyInfoBufferSize);
+	if (!keyInfoBuffer)
+		return ERR_OUTOFMEMORY;
+	keyInfoBufferOffset = 16 - (((uint64) keyInfoBuffer) % 16);
+	keyInfo = (PKEY_INFO) (keyInfoBuffer + keyInfoBufferOffset);
+
+#if !defined(DEVICE_DRIVER) && !defined(_UEFI)
+	VirtualLock (keyInfoBuffer, keyInfoBufferSize);
+#endif
+
 	// if no PIM specified, use default value
 	if (pim < 0)
 		pim = 0;
@@ -237,7 +252,8 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 			return ERR_OUTOFMEMORY;
 		}

-		keyDerivationWorkItems = TCalloc (sizeof (KeyDerivationWorkItem) * pkcs5PrfCount);
+		keyDerivationWorkItemsSize = sizeof (KeyDerivationWorkItem) * pkcs5PrfCount;
+		keyDerivationWorkItems = TCalloc (keyDerivationWorkItemsSize);
 		if (!keyDerivationWorkItems)
 		{
 			TCfree(keyDerivationCompletedEvent);
@@ -274,20 +290,21 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 			TCfree(outstandingWorkItemCount);
 			return ERR_OUTOFMEMORY;
 		}
+
+		VirtualLock (keyDerivationWorkItems, keyDerivationWorkItemsSize);
 #endif
 	}

 #if !defined(DEVICE_DRIVER) 
-	VirtualLock (&keyInfo, sizeof (keyInfo));
 	VirtualLock (&dk, sizeof (dk));
 	VirtualLock (&header, sizeof (header));
 #endif
 #endif //  !defined(_UEFI)

-	crypto_loadkey (&keyInfo, password->Text, (int) password->Length);
+	crypto_loadkey (keyInfo, password->Text, (int) password->Length);

 	// PKCS5 is used to derive the primary header key(s) and secondary header key(s) (XTS mode) from the password
-	memcpy (keyInfo.salt, encryptedHeader + HEADER_SALT_OFFSET, PKCS5_SALT_SIZE);
+	memcpy (keyInfo->salt, encryptedHeader + HEADER_SALT_OFFSET, PKCS5_SALT_SIZE);

 	// Test all available PKCS5 PRFs
 	for (enqPkcs5Prf = FIRST_PRF_ID; enqPkcs5Prf <= LAST_PRF_ID || queuedWorkItems > 0; ++enqPkcs5Prf)
@@ -315,8 +332,8 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 						item->Pkcs5Prf = enqPkcs5Prf;

 						EncryptionThreadPoolBeginKeyDerivation (keyDerivationCompletedEvent, noOutstandingWorkItemEvent,
-							&item->KeyReady, outstandingWorkItemCount, enqPkcs5Prf, keyInfo.userKey,
-							keyInfo.keyLength, keyInfo.salt, get_pkcs5_iteration_count (enqPkcs5Prf, pim, truecryptMode, bBoot), item->DerivedKey);
+							&item->KeyReady, outstandingWorkItemCount, enqPkcs5Prf, keyInfo->userKey,
+							keyInfo->keyLength, keyInfo->salt, get_pkcs5_iteration_count (enqPkcs5Prf, pim, truecryptMode, bBoot), item->DerivedKey);

 						++queuedWorkItems;
 						break;
@@ -338,7 +355,7 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
 					if (!item->Free && InterlockedExchangeAdd (&item->KeyReady, 0) == TRUE)
 					{
 						pkcs5_prf = item->Pkcs5Prf;
-						keyInfo.noIterations = get_pkcs5_iteration_count (pkcs5_prf, pim, truecryptMode, bBoot);
+						keyInfo->noIterations = get_pkcs5_iteration_count (pkcs5_prf, pim, truecryptMode, bBoot);
 						memcpy (dk, item->DerivedKey, sizeof (dk));

 						item->Free = TRUE;
@@ -357,33 +374,33 @@ KeyReady:	;
 #endif // !defined(_UEFI)
 		{
 			pkcs5_prf = enqPkcs5Prf;
-			keyInfo.noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, pim, truecryptMode, bBoot);
+			keyInfo->noIterations = get_pkcs5_iteration_count (enqPkcs5Prf, pim, truecryptMode, bBoot);

 			switch (pkcs5_prf)
 			{
 			case RIPEMD160:
-				derive_key_ripemd160 (keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
-					PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize());
+				derive_key_ripemd160 (keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
+					PKCS5_SALT_SIZE, keyInfo->noIterations, dk, GetMaxPkcs5OutSize());
 				break;

 			case SHA512:
-				derive_key_sha512 (keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
-					PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize());
+				derive_key_sha512 (keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
+					PKCS5_SALT_SIZE, keyInfo->noIterations, dk, GetMaxPkcs5OutSize());
 				break;

 			case WHIRLPOOL:
-				derive_key_whirlpool (keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
-					PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize());
+				derive_key_whirlpool (keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
+					PKCS5_SALT_SIZE, keyInfo->noIterations, dk, GetMaxPkcs5OutSize());
 				break;

 			case SHA256:
-				derive_key_sha256 (keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
-					PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize());
+				derive_key_sha256 (keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
+					PKCS5_SALT_SIZE, keyInfo->noIterations, dk, GetMaxPkcs5OutSize());
 				break;

 			case STREEBOG:
-				derive_key_streebog(keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
-					PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize());
+				derive_key_streebog(keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
+					PKCS5_SALT_SIZE, keyInfo->noIterations, dk, GetMaxPkcs5OutSize());
 				break;
 			default:
 				// Unknown/wrong ID
@@ -540,7 +557,7 @@ KeyReady:	;
 					if (retInfo == NULL)
 					{
 						cryptoInfo->pkcs5 = pkcs5_prf;
-						cryptoInfo->noIterations = keyInfo.noIterations;
+						cryptoInfo->noIterations = keyInfo->noIterations;
 						cryptoInfo->bTrueCryptMode = truecryptMode;
 						cryptoInfo->volumePim = pim;
 						goto ret;
@@ -557,34 +574,34 @@ KeyReady:	;
 				}

 				// Master key data
-				memcpy (keyInfo.master_keydata, header + HEADER_MASTER_KEYDATA_OFFSET, MASTER_KEYDATA_SIZE);
+				memcpy (keyInfo->master_keydata, header + HEADER_MASTER_KEYDATA_OFFSET, MASTER_KEYDATA_SIZE);
 #ifdef TC_WINDOWS_DRIVER
 				{
 					RMD160_CTX ctx;
 					RMD160Init (&ctx);
-					RMD160Update (&ctx, keyInfo.master_keydata, MASTER_KEYDATA_SIZE);
+					RMD160Update (&ctx, keyInfo->master_keydata, MASTER_KEYDATA_SIZE);
 					RMD160Update (&ctx, header, sizeof(header));
 					RMD160Final (cryptoInfo->master_keydata_hash, &ctx);
 					burn(&ctx, sizeof (ctx));
 				}
 #else
-				memcpy (cryptoInfo->master_keydata, keyInfo.master_keydata, MASTER_KEYDATA_SIZE);
+				memcpy (cryptoInfo->master_keydata, keyInfo->master_keydata, MASTER_KEYDATA_SIZE);
 #endif
 				// PKCS #5
 				cryptoInfo->pkcs5 = pkcs5_prf;
-				cryptoInfo->noIterations = keyInfo.noIterations;
+				cryptoInfo->noIterations = keyInfo->noIterations;
 				cryptoInfo->bTrueCryptMode = truecryptMode;
 				cryptoInfo->volumePim = pim;

 				// Init the cipher with the decrypted master key
-				status = EAInit (cryptoInfo->ea, keyInfo.master_keydata + primaryKeyOffset, cryptoInfo->ks);
+				status = EAInit (cryptoInfo->ea, keyInfo->master_keydata + primaryKeyOffset, cryptoInfo->ks);
 				if (status == ERR_CIPHER_INIT_FAILURE)
 					goto err;
 #ifndef TC_WINDOWS_DRIVER
 				// The secondary master key (if cascade, multiple concatenated)
-				memcpy (cryptoInfo->k2, keyInfo.master_keydata + EAGetKeySize (cryptoInfo->ea), EAGetKeySize (cryptoInfo->ea));
+				memcpy (cryptoInfo->k2, keyInfo->master_keydata + EAGetKeySize (cryptoInfo->ea), EAGetKeySize (cryptoInfo->ea));
 #endif
-				if (!EAInitMode (cryptoInfo, keyInfo.master_keydata + EAGetKeySize (cryptoInfo->ea)))
+				if (!EAInitMode (cryptoInfo, keyInfo->master_keydata + EAGetKeySize (cryptoInfo->ea)))
 				{
 					status = ERR_MODE_INIT_FAILED;
 					goto err;
@@ -604,13 +621,11 @@ err:
 		*retInfo = NULL;
 	}

-ret:
-	burn (&keyInfo, sizeof (keyInfo));
+ret:	
 	burn (dk, sizeof(dk));
 	burn (header, sizeof(header));

 #if !defined(DEVICE_DRIVER) && !defined(_UEFI)
-	VirtualUnlock (&keyInfo, sizeof (keyInfo));
 	VirtualUnlock (&dk, sizeof (dk));
 	VirtualUnlock (&header, sizeof (header));
 #endif
@@ -618,9 +633,19 @@ ret:
 #if !defined(_UEFI)
 	if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1))
 	{
-		EncryptionThreadPoolBeginReadVolumeHeaderFinalization (keyDerivationCompletedEvent, noOutstandingWorkItemEvent, outstandingWorkItemCount, keyDerivationWorkItems, sizeof (KeyDerivationWorkItem) * pkcs5PrfCount);
+		EncryptionThreadPoolBeginReadVolumeHeaderFinalization (keyDerivationCompletedEvent, noOutstandingWorkItemEvent, outstandingWorkItemCount, 
+			keyInfoBuffer, keyInfoBufferSize, 
+			keyDerivationWorkItems, keyDerivationWorkItemsSize);
 	}
+	else
 #endif
+	{
+		burn (keyInfo, sizeof (KEY_INFO));
+#if !defined(DEVICE_DRIVER) && !defined(_UEFI)
+		VirtualUnlock (keyInfoBuffer, keyInfoBufferSize);
+#endif
+		TCfree(keyInfoBuffer);
+	}
 	return status;
 }