VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Common
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2024-08-24 17:53:44 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2024-09-29 21:06:06 +0200
commite5a0bf22b17d7d6c92d7793bed5d63d0e9e72e4c (patch)
treee37884982c93854cd787de63751ebeb0538148c2 /src/Common
parent7735b983bf3794b033406a7bcbfb414faee86c09 (diff)
downloadVeraCrypt-e5a0bf22b17d7d6c92d7793bed5d63d0e9e72e4c.tar.gz
VeraCrypt-e5a0bf22b17d7d6c92d7793bed5d63d0e9e72e4c.zip
Windows: Exclude Argon2 for System Encryption and from automatic detection
Bootloader doesn't support Argon2 yet. We don't want to add overhead to automatic detection for now.
Diffstat (limited to 'src/Common')
-rw-r--r--src/Common/BootEncryption.cpp4
-rw-r--r--src/Common/Crypto.c5
-rw-r--r--src/Common/Crypto.h1
-rw-r--r--src/Common/Dlgcode.c8
-rw-r--r--src/Common/Pkcs5.c4
-rw-r--r--src/Common/Random.c3
-rw-r--r--src/Common/Volumes.c15
7 files changed, 37 insertions, 3 deletions
diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp
index c22e5526..5b11aa72 100644
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -1741,6 +1741,10 @@ namespace VeraCrypt
if (!bIsGPT && pkcs5_prf != BLAKE2S && pkcs5_prf != SHA256)
throw ParameterIncorrect (SRC_POS);
+ // we don't support Argon2 for system encryption for now
+ if (pkcs5_prf == ARGON2)
+ throw ParameterIncorrect (SRC_POS);
+
int bootSectorId = 0;
int bootLoaderId = 0;
diff --git a/src/Common/Crypto.c b/src/Common/Crypto.c
index 4ed60c03..aea52d42 100644
--- a/src/Common/Crypto.c
+++ b/src/Common/Crypto.c
@@ -822,6 +822,11 @@ BOOL HashForSystemEncryption (int hashId)
}
+BOOL HashIsAvailable (int hashId)
+{
+ return (hashId != ARGON2) && (HashGet(hashId) != 0); // Argon2 is not a hash function
+}
+
// Returns the largest key size needed by an EA for the specified mode of operation
int EAGetLargestKeyForMode (int mode)
{
diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
index bb66e307..b558e983 100644
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -378,6 +378,7 @@ Hash *HashGet (int id);
void HashGetName2 (wchar_t *buf, size_t bufLen, int hashId);
BOOL HashIsDeprecated (int hashId);
BOOL HashForSystemEncryption (int hashId);
+BOOL HashIsAvailable (int hashId);
int GetMaxPkcs5OutSize (void);
#endif
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index a6874e5f..05aa813a 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -6289,6 +6289,10 @@ static BOOL PerformBenchmark(HWND hBenchDlg, HWND hwndDlg)
{
if (benchmarkPreBoot && !benchmarkGPT && !HashForSystemEncryption (thid))
continue;
+
+ // we don't support Argon2 for system encryption
+ if (benchmarkPreBoot && thid == ARGON2)
+ continue;
if (QueryPerformanceCounter (&performanceCountStart) == 0)
goto counter_error;
@@ -6800,7 +6804,7 @@ static BOOL CALLBACK RandomPoolEnrichementDlgProc (HWND hwndDlg, UINT msg, WPARA
SendMessage (hComboBox, CB_RESETCONTENT, 0, 0);
for (hid = FIRST_PRF_ID; hid <= LAST_PRF_ID; hid++)
{
- if (!HashIsDeprecated (hid))
+ if (!HashIsDeprecated (hid) && HashIsAvailable (hid))
AddComboPair (hComboBox, HashGetName(hid), hid);
}
SelectAlgo (hComboBox, &hash_algo);
@@ -6995,7 +6999,7 @@ BOOL CALLBACK KeyfileGeneratorDlgProc (HWND hwndDlg, UINT msg, WPARAM wParam, LP
SendMessage (hComboBox, CB_RESETCONTENT, 0, 0);
for (hid = FIRST_PRF_ID; hid <= LAST_PRF_ID; hid++)
{
- if (!HashIsDeprecated (hid))
+ if (!HashIsDeprecated (hid) && HashIsAvailable (hid))
AddComboPair (hComboBox, HashGetName(hid), hid);
}
SelectAlgo (hComboBox, &hash_algo);
diff --git a/src/Common/Pkcs5.c b/src/Common/Pkcs5.c
index 0369896c..3f237a66 100644
--- a/src/Common/Pkcs5.c
+++ b/src/Common/Pkcs5.c
@@ -1349,6 +1349,9 @@ int is_pkcs5_prf_supported (int pkcs5_prf_id, PRF_BOOT_TYPE bootType)
|| (bootType != PRF_BOOT_MBR && (pkcs5_prf_id < FIRST_PRF_ID || pkcs5_prf_id > LAST_PRF_ID))
)
return 0;
+ // we don't support Argon2 in pre-boot authentication
+ if ((bootType == PRF_BOOT_MBR || bootType == PRF_BOOT_GPT) && pkcs5_prf_id == ARGON2)
+ return 0;
return 1;
@@ -1358,6 +1361,7 @@ void derive_key_argon2(char *pwd, int pwd_len, char *salt, int salt_len, uint32
{
//TODO: Implement Argon2 derivation
// In case of failure, just fill the derived key dk with zeroes
+ memset(dk, 0, dklen);
}
void get_argon2_params(int pim, int* pIterations, int* pMemcost)
diff --git a/src/Common/Random.c b/src/Common/Random.c
index 1cfa6fcf..18292b31 100644
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -364,7 +364,8 @@ BOOL Randmix ()
break;
#ifndef WOLFCRYPT_BACKEND
- case BLAKE2S:
+ case ARGON2: // in case of Argon2, we use Blake2s
+ case BLAKE2S:
burn (&bctx, sizeof(bctx));
break;
diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c
index a57a8319..0551f0b9 100644
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -308,6 +308,14 @@ int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int
// if a PRF is specified, we skip all other PRFs
if (selected_pkcs5_prf != 0 && enqPkcs5Prf != selected_pkcs5_prf)
continue;
+
+ // we don't support Argon2 in pre-boot authentication
+ if (bBoot && (enqPkcs5Prf == ARGON2))
+ continue;
+
+ // For now, we don't included Argon2 in automatic detection
+ if (selected_pkcs5_prf == 0 && enqPkcs5Prf == ARGON2)
+ continue;
#if !defined(_UEFI)
if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1))
@@ -923,6 +931,13 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, char *header, int ea,
if (pim < 0)
pim = 0;
+ // we don't support Argon2 in pre-boot authentication
+ if (bBoot && (pkcs5_prf == ARGON2))
+ {
+ crypto_close (cryptoInfo);
+ return ERR_PARAMETER_INCORRECT;
+ }
+
memset (header, 0, TC_VOLUME_HEADER_EFFECTIVE_SIZE);
#if !defined(_UEFI)
VirtualLock (&keyInfo, sizeof (keyInfo));