Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2026-06-09 22:36:59 -05:00
Code Activity

Windows bootloader: Add EFI DCS guard for Argon2 support

Browse Source 
We don't support yet Argon2 for EFI booloader build
This commit is contained in:
Mounir IDRASSI
2026-04-17 16:03:42 +09:00
parent 9ae7cb1914
commit da2198831f
5 changed files with 32 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Common/Crypto.c
+2
View File
@@ -133,7 +133,9 @@ static Hash Hashes[] =
{ BLAKE2S, L"BLAKE2s-256", FALSE, TRUE }, { BLAKE2S, L"BLAKE2s-256", FALSE, TRUE },
{ WHIRLPOOL, L"Whirlpool", FALSE, FALSE }, { WHIRLPOOL, L"Whirlpool", FALSE, FALSE },
{ STREEBOG, L"Streebog", FALSE, FALSE }, { STREEBOG, L"Streebog", FALSE, FALSE },
#ifndef VC_DCS_DISABLE_ARGON2
{ ARGON2, L"BLAKE2b-512", FALSE, FALSE }, { ARGON2, L"BLAKE2b-512", FALSE, FALSE },
#endif
#endif #endif
{ 0, 0, 0 } { 0, 0, 0 }
}; };
src/Common/Crypto.h
+4
View File
@@ -55,7 +55,9 @@ enum
SHA256, SHA256,
BLAKE2S, BLAKE2S,
STREEBOG, STREEBOG,
#ifndef VC_DCS_DISABLE_ARGON2
ARGON2, ARGON2,
#endif
HASH_ENUM_END_ID HASH_ENUM_END_ID
}; };
@@ -204,8 +206,10 @@ typedef struct
#ifndef TC_WINDOWS_BOOT #ifndef TC_WINDOWS_BOOT
# include "Sha2.h" # include "Sha2.h"
# include "Whirlpool.h" # include "Whirlpool.h"
#ifndef VC_DCS_DISABLE_ARGON2
# include "argon2.h" # include "argon2.h"
# include "Crypto/Argon2/src/blake2/blake2b.h" # include "Crypto/Argon2/src/blake2/blake2b.h"
#endif
# include "Streebog.h" # include "Streebog.h"
# include "kuznyechik.h" # include "kuznyechik.h"
# include "Camellia.h" # include "Camellia.h"
src/Common/Pkcs5.c
+8
View File
@@ -1254,8 +1254,10 @@ wchar_t *get_kdf_name (int kdf_id)
case STREEBOG: case STREEBOG:
return L"STREEBOG-PBKDF2"; return L"STREEBOG-PBKDF2";
#ifndef VC_DCS_DISABLE_ARGON2
case ARGON2: case ARGON2:
return L"Argon2"; return L"Argon2";
#endif
default: default:
return L"(Unknown)"; return L"(Unknown)";
@@ -1302,9 +1304,11 @@ int get_pkcs5_iteration_count(int pkcs5_prf_id, int pim, BOOL bBoot, int* pMemor
iteration_count = bBoot ? pim * 2048 : 15000 + pim * 1000; iteration_count = bBoot ? pim * 2048 : 15000 + pim * 1000;
break; break;
#ifndef VC_DCS_DISABLE_ARGON2
case ARGON2: case ARGON2:
get_argon2_params (pim, &iteration_count, pMemoryCost); get_argon2_params (pim, &iteration_count, pMemoryCost);
break; break;
#endif
default: default:
TC_THROW_FATAL_EXCEPTION; // Unknown/wrong ID TC_THROW_FATAL_EXCEPTION; // Unknown/wrong ID
@@ -1323,13 +1327,16 @@ int is_pkcs5_prf_supported (int pkcs5_prf_id, PRF_BOOT_TYPE bootType)
|| (bootType != PRF_BOOT_MBR && (pkcs5_prf_id < FIRST_PRF_ID || pkcs5_prf_id > LAST_PRF_ID)) || (bootType != PRF_BOOT_MBR && (pkcs5_prf_id < FIRST_PRF_ID || pkcs5_prf_id > LAST_PRF_ID))
) )
return 0; return 0;
#ifndef VC_DCS_DISABLE_ARGON2
// we don't support Argon2 in pre-boot authentication // we don't support Argon2 in pre-boot authentication
if ((bootType == PRF_BOOT_MBR || bootType == PRF_BOOT_GPT) && pkcs5_prf_id == ARGON2) if ((bootType == PRF_BOOT_MBR || bootType == PRF_BOOT_GPT) && pkcs5_prf_id == ARGON2)
return 0; return 0;
#endif
return 1; return 1;
} }
#ifndef VC_DCS_DISABLE_ARGON2
void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, volatile long *pAbortKeyDerivation) void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, volatile long *pAbortKeyDerivation)
{ {
#if defined (DEVICE_DRIVER) && !defined(_M_ARM64) #if defined (DEVICE_DRIVER) && !defined(_M_ARM64)
@@ -1438,5 +1445,6 @@ void get_argon2_params(int pim, int* pIterations, int* pMemcost)
*pIterations = 13 + (pim - 31); *pIterations = 13 + (pim - 31);
} }
} }
#endif
#endif //!TC_WINDOWS_BOOT #endif //!TC_WINDOWS_BOOT
src/Common/Pkcs5.h
+2
View File
@@ -44,8 +44,10 @@ void derive_key_streebog (const unsigned char *pwd, int pwd_len, const unsigned
int get_pkcs5_iteration_count (int pkcs5_prf_id, int pim, BOOL bBoot, int* pMemoryCost); int get_pkcs5_iteration_count (int pkcs5_prf_id, int pim, BOOL bBoot, int* pMemoryCost);
wchar_t *get_kdf_name (int kdf_id); wchar_t *get_kdf_name (int kdf_id);
#ifndef VC_DCS_DISABLE_ARGON2
void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, long volatile *pAbortKeyDerivation); void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, long volatile *pAbortKeyDerivation);
void get_argon2_params(int pim, int* pIterations, int* pMemcost); void get_argon2_params(int pim, int* pIterations, int* pMemcost);
#endif
/* check if given PRF supported.*/ /* check if given PRF supported.*/
typedef enum typedef enum
src/Common/Volumes.c
+16 -4
View File
@@ -183,6 +183,9 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass
int status = ERR_PARAMETER_INCORRECT; int status = ERR_PARAMETER_INCORRECT;
int primaryKeyOffset; int primaryKeyOffset;
int pkcs5PrfCount = LAST_PRF_ID - FIRST_PRF_ID + 1; int pkcs5PrfCount = LAST_PRF_ID - FIRST_PRF_ID + 1;
int iterationsCount = 0;
int memoryCost = 0;
LONG volatile abortKeyDerivation = 0;
#if !defined(_UEFI) #if !defined(_UEFI)
TC_EVENT *keyDerivationCompletedEvent = NULL; TC_EVENT *keyDerivationCompletedEvent = NULL;
TC_EVENT *noOutstandingWorkItemEvent = NULL; TC_EVENT *noOutstandingWorkItemEvent = NULL;
@@ -192,9 +195,6 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass
size_t encryptionThreadCount = GetEncryptionThreadCount(); size_t encryptionThreadCount = GetEncryptionThreadCount();
LONG *outstandingWorkItemCount = NULL; LONG *outstandingWorkItemCount = NULL;
int i; int i;
int iterationsCount = 0;
int memoryCost = 0;
LONG volatile abortKeyDerivation = 0;
#endif #endif
size_t queuedWorkItems = 0; size_t queuedWorkItems = 0;
@@ -310,9 +310,11 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass
if (selected_pkcs5_prf != 0 && enqPkcs5Prf != selected_pkcs5_prf) if (selected_pkcs5_prf != 0 && enqPkcs5Prf != selected_pkcs5_prf)
continue; continue;
#ifndef VC_DCS_DISABLE_ARGON2
// we don't support Argon2 in pre-boot authentication // we don't support Argon2 in pre-boot authentication
if (bBoot && (enqPkcs5Prf == ARGON2)) if (bBoot && (enqPkcs5Prf == ARGON2))
continue; continue;
#endif
#if !defined(_UEFI) #if !defined(_UEFI)
if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1)) if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1))
@@ -409,10 +411,12 @@ KeyReady: ;
break; break;
#ifndef VC_DCS_DISABLE_ARGON2
case ARGON2: case ARGON2:
derive_key_argon2(keyInfo->userKey, keyInfo->keyLength, keyInfo->salt, derive_key_argon2(keyInfo->userKey, keyInfo->keyLength, keyInfo->salt,
PKCS5_SALT_SIZE, keyInfo->noIterations, keyInfo->memoryCost, dk, GetMaxPkcs5OutSize(), &abortKeyDerivation); PKCS5_SALT_SIZE, keyInfo->noIterations, keyInfo->memoryCost, dk, GetMaxPkcs5OutSize(), &abortKeyDerivation);
break; break;
#endif
#endif #endif
default: default:
// Unknown/wrong ID // Unknown/wrong ID
@@ -617,11 +621,13 @@ KeyReady: ;
status = ERR_SUCCESS; status = ERR_SUCCESS;
#if !defined(_UEFI)
if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1)) if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1))
{ {
// Signal other threads to stop // Signal other threads to stop
InterlockedExchange(&abortKeyDerivation, 1); InterlockedExchange(&abortKeyDerivation, 1);
} }
#endif
goto ret; goto ret;
} }
} }
@@ -629,8 +635,10 @@ KeyReady: ;
status = ERR_PASSWORD_WRONG; status = ERR_PASSWORD_WRONG;
err: err:
#if !defined(_UEFI)
// Signal threads to stop // Signal threads to stop
InterlockedExchange(&abortKeyDerivation, 1); InterlockedExchange(&abortKeyDerivation, 1);
#endif
if (cryptoInfo != retHeaderCryptoInfo) if (cryptoInfo != retHeaderCryptoInfo)
{ {
crypto_close(cryptoInfo); crypto_close(cryptoInfo);
@@ -672,7 +680,7 @@ ret:
#endif #endif
burn (keyInfo, sizeof (KEY_INFO)); burn (keyInfo, sizeof (KEY_INFO));
#if !defined(DEVICE_DRIVER) #if !defined(DEVICE_DRIVER) && !defined(_UEFI)
VirtualUnlock (keyInfoBuffer, keyInfoBufferSize); VirtualUnlock (keyInfoBuffer, keyInfoBufferSize);
#endif #endif
TCfree(keyInfoBuffer); TCfree(keyInfoBuffer);
@@ -942,12 +950,14 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, unsigned char *header,
if (pim < 0) if (pim < 0)
pim = 0; pim = 0;
#ifndef VC_DCS_DISABLE_ARGON2
// we don't support Argon2 in pre-boot authentication // we don't support Argon2 in pre-boot authentication
if (bBoot && (pkcs5_prf == ARGON2)) if (bBoot && (pkcs5_prf == ARGON2))
{ {
crypto_close (cryptoInfo); crypto_close (cryptoInfo);
return ERR_PARAMETER_INCORRECT; return ERR_PARAMETER_INCORRECT;
} }
#endif
memset (header, 0, TC_VOLUME_HEADER_EFFECTIVE_SIZE); memset (header, 0, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
#if !defined(_UEFI) #if !defined(_UEFI)
@@ -1065,10 +1075,12 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, unsigned char *header,
PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize(), NULL); PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize(), NULL);
break; break;
#ifndef VC_DCS_DISABLE_ARGON2
case ARGON2: case ARGON2:
derive_key_argon2(keyInfo.userKey, keyInfo.keyLength, keyInfo.salt, derive_key_argon2(keyInfo.userKey, keyInfo.keyLength, keyInfo.salt,
PKCS5_SALT_SIZE, keyInfo.noIterations, keyInfo.memoryCost, dk, GetMaxPkcs5OutSize(), NULL); PKCS5_SALT_SIZE, keyInfo.noIterations, keyInfo.memoryCost, dk, GetMaxPkcs5OutSize(), NULL);
break; break;
#endif
#endif #endif
default: default:
// Unknown/wrong ID // Unknown/wrong ID