Windows: Add option to enable use of CPU RDRAND/RDSEED as source of entropy which is now disabled by default

2026-01-03 04:18:10 -06:00 · 2019-02-07 15:24:56 +01:00
parent 6bb1f24ed5
commit e5b9cee868
48 changed files with 108 additions and 15 deletions
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -417,5 +417,6 @@ typedef struct
 #define VC_DRIVER_CONFIG_BLOCK_SYS_TRIM								0x100
 #define VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG						0x200
 #define VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION			0x400
+#define VC_DRIVER_CONFIG_ENABLE_CPU_RNG								0x800

 #endif		/* _WIN32 */
--- a/src/Common/Crypto.c
+++ b/src/Common/Crypto.c
@@ -1216,3 +1216,29 @@ BOOL IsHwEncryptionEnabled ()
 }

 #endif // !TC_WINDOWS_BOOT
+
+#ifndef TC_WINDOWS_BOOT
+
+static BOOL CpuRngDisabled = FALSE;
+
+BOOL IsCpuRngSupport ()
+{
+	if (HasRDSEED() || HasRDSEED())
+		return TRUE;
+	else
+		return FALSE;
+}
+
+void EnableCpuRng (BOOL enable)
+{
+	CpuRngDisabled = !enable;
+}
+
+BOOL IsCpuRngEnabled ()
+{
+	return !CpuRngDisabled;
+}
+
+
+#endif
+
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -385,6 +385,10 @@ BOOL IsAesHwCpuSupported ();
 void EnableHwEncryption (BOOL enable);
 BOOL IsHwEncryptionEnabled ();

+BOOL IsCpuRngSupport ();
+void EnableCpuRng (BOOL enable);
+BOOL IsCpuRngEnabled ();
+
 #ifdef __cplusplus
 }
 #endif
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1432,6 +1432,7 @@
    <entry lang="en" key="IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION">Clear encryption keys from memory if a new device is inserted</entry>
    <entry lang="en" key="CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING">IMPORTANT NOTES:\n - Please keep in mind that this option will not persist after a shutdown/reboot so you will need to select it again next time the machine is started.\n\n - With this option enabled and after a new device is connected, the machine will freeze and it will eventually crash with a BSOD since Windows can not access the encrypted disk after its keys are cleared from memory.\n</entry>
    <entry lang="en" key="STARTING">Starting</entry>
+    <entry lang="en" key="IDC_ENABLE_CPU_RNG">Use CPU hardware random generator as an additional source of entropy</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -777,9 +777,10 @@ BOOL SlowPoll (void)
 	}

 	// use RDSEED or RDRAND from CPU as source of entropy if present
-	if (	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+	if (	IsCpuRngEnabled() && 
+		(	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 		||	(HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
-		)
+		))
 	{
 		RandaddBuf (buffer, sizeof (buffer));
 	}
@@ -907,10 +908,11 @@ BOOL FastPoll (void)
 		return FALSE;
 	}

-	// use RDSEED or RDRAND from CPU as source of entropy if present
-	if (	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+	// use RDSEED or RDRAND from CPU as source of entropy if enabled
+	if (	IsCpuRngEnabled() && 
+		(	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 		||	(HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
-		)
+		))
 	{
 		RandaddBuf (buffer, sizeof (buffer));
 	}