VeraCrypt
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2023-08-05 10:55:46 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2023-08-05 10:55:46 +0200
commit16bb1de3a6addec1c07b9ffc3fcd616744a3f15c (patch)
tree88b097e6b92adab798638d337d3f9cc77ac221b7
parente8f83544ead2011112788d48bff610574f5d6395 (diff)
downloadVeraCrypt-16bb1de3a6addec1c07b9ffc3fcd616744a3f15c.tar.gz
VeraCrypt-16bb1de3a6addec1c07b9ffc3fcd616744a3f15c.zip
Security: ensure that XTS primary key is different from secondary key when creating volumes
This is unlikely to happen thanks to random generator properties but we much add this check to prevent an attack described in page 3 of https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
-rw-r--r--src/Common/Volumes.c9
-rw-r--r--src/Core/VolumeCreator.cpp5
2 files changed, 14 insertions, 0 deletions
diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c
index 40be21c8..5b1d4065 100644
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -909,6 +909,15 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea,
retVal = ERR_CIPHER_INIT_WEAK_KEY;
goto err;
}
+
+ // check that first half of keyInfo.master_keydata is different from the second half. If they are the same return error
+ // cf CCSS,NSA comment at page 3: https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
+ if (memcmp (keyInfo.master_keydata, &keyInfo.master_keydata[bytesNeeded/2], bytesNeeded/2) == 0)
+ {
+ crypto_close (cryptoInfo);
+ retVal = ERR_CIPHER_INIT_WEAK_KEY;
+ goto err;
+ }
}
else
{
diff --git a/src/Core/VolumeCreator.cpp b/src/Core/VolumeCreator.cpp
index d5caa846..5f19a66d 100644
--- a/src/Core/VolumeCreator.cpp
+++ b/src/Core/VolumeCreator.cpp
@@ -298,6 +298,11 @@ namespace VeraCrypt
// Master data key
MasterKey.Allocate (options->EA->GetKeySize() * 2);
RandomNumberGenerator::GetData (MasterKey);
+ // check that first half of MasterKey is different from its second half. If they are the same, through an exception
+ // cf CCSS,NSA comment at page 3: https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
+ if (memcmp (MasterKey.Ptr(), MasterKey.Ptr() + MasterKey.Size() / 2, MasterKey.Size() / 2) == 0)
+ throw AssertionFailed (SRC_POS);
+
headerOptions.DataKey = MasterKey;
// PKCS5 salt