VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Common
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2019-02-07 15:24:56 +0100
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2019-02-08 01:50:03 +0100
commite5b9cee8681dc45340321f759079b344a3b2676c (patch)
tree7e4875ccf109ebd2d2a858ec0368f2d9d46e2a5a /src/Common
parent6bb1f24ed571bccd4d1d247dafdc1dda6eaa3d8d (diff)
downloadVeraCrypt-e5b9cee8681dc45340321f759079b344a3b2676c.tar.gz
VeraCrypt-e5b9cee8681dc45340321f759079b344a3b2676c.zip
Windows: Add option to enable use of CPU RDRAND/RDSEED as source of entropy which is now disabled by default
Diffstat (limited to 'src/Common')
-rw-r--r--src/Common/Apidrvr.h1
-rw-r--r--src/Common/Crypto.c26
-rw-r--r--src/Common/Crypto.h4
-rw-r--r--src/Common/Language.xml1
-rw-r--r--src/Common/Random.c12
5 files changed, 39 insertions, 5 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index 0298e204..63de40ae 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -417,5 +417,6 @@ typedef struct
#define VC_DRIVER_CONFIG_BLOCK_SYS_TRIM 0x100
#define VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG 0x200
#define VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 0x400
+#define VC_DRIVER_CONFIG_ENABLE_CPU_RNG 0x800
#endif /* _WIN32 */
diff --git a/src/Common/Crypto.c b/src/Common/Crypto.c
index 299595bd..a6f3ffb7 100644
--- a/src/Common/Crypto.c
+++ b/src/Common/Crypto.c
@@ -1216,3 +1216,29 @@ BOOL IsHwEncryptionEnabled ()
}
#endif // !TC_WINDOWS_BOOT
+
+#ifndef TC_WINDOWS_BOOT
+
+static BOOL CpuRngDisabled = FALSE;
+
+BOOL IsCpuRngSupport ()
+{
+ if (HasRDSEED() || HasRDSEED())
+ return TRUE;
+ else
+ return FALSE;
+}
+
+void EnableCpuRng (BOOL enable)
+{
+ CpuRngDisabled = !enable;
+}
+
+BOOL IsCpuRngEnabled ()
+{
+ return !CpuRngDisabled;
+}
+
+
+#endif
+
diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
index a362f5d1..f1b35977 100644
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -385,6 +385,10 @@ BOOL IsAesHwCpuSupported ();
void EnableHwEncryption (BOOL enable);
BOOL IsHwEncryptionEnabled ();
+BOOL IsCpuRngSupport ();
+void EnableCpuRng (BOOL enable);
+BOOL IsCpuRngEnabled ();
+
#ifdef __cplusplus
}
#endif
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 47d99764..f62421de 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1432,6 +1432,7 @@
<entry lang="en" key="IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION">Clear encryption keys from memory if a new device is inserted</entry>
<entry lang="en" key="CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING">IMPORTANT NOTES:\n - Please keep in mind that this option will not persist after a shutdown/reboot so you will need to select it again next time the machine is started.\n\n - With this option enabled and after a new device is connected, the machine will freeze and it will eventually crash with a BSOD since Windows can not access the encrypted disk after its keys are cleared from memory.\n</entry>
<entry lang="en" key="STARTING">Starting</entry>
+ <entry lang="en" key="IDC_ENABLE_CPU_RNG">Use CPU hardware random generator as an additional source of entropy</entry>
</localization>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="VeraCrypt">
diff --git a/src/Common/Random.c b/src/Common/Random.c
index 12e9d9af..c8655b56 100644
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -777,9 +777,10 @@ BOOL SlowPoll (void)
}
// use RDSEED or RDRAND from CPU as source of entropy if present
- if ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+ if ( IsCpuRngEnabled() &&
+ ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
|| (HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
- )
+ ))
{
RandaddBuf (buffer, sizeof (buffer));
}
@@ -907,10 +908,11 @@ BOOL FastPoll (void)
return FALSE;
}
- // use RDSEED or RDRAND from CPU as source of entropy if present
- if ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+ // use RDSEED or RDRAND from CPU as source of entropy if enabled
+ if ( IsCpuRngEnabled() &&
+ ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
|| (HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
- )
+ ))
{
RandaddBuf (buffer, sizeof (buffer));
}