author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2019-02-07 15:24:56 +0100 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2019-02-08 01:50:03 +0100 |
commit | e5b9cee8681dc45340321f759079b344a3b2676c (patch) | |
tree | 7e4875ccf109ebd2d2a858ec0368f2d9d46e2a5a /src/Common | |
parent | 6bb1f24ed571bccd4d1d247dafdc1dda6eaa3d8d (diff) | |
Windows: Add option to enable use of CPU RDRAND/RDSEED as source of entropy which is now disabled by default
Diffstat (limited to 'src/Common')
-rw-r--r-- | src/Common/Apidrvr.h | 1 | ||||
-rw-r--r-- | src/Common/Crypto.c | 26 | ||||
-rw-r--r-- | src/Common/Crypto.h | 4 | ||||
-rw-r--r-- | src/Common/Language.xml | 1 | ||||
-rw-r--r-- | src/Common/Random.c | 12 |
5 files changed, 39 insertions, 5 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index 0298e204..63de40ae 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -417,5 +417,6 @@ typedef struct
 #define VC_DRIVER_CONFIG_BLOCK_SYS_TRIM 0x100
 #define VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG 0x200
 #define VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 0x400
+#define VC_DRIVER_CONFIG_ENABLE_CPU_RNG 0x800
 #endif /* _WIN32 */
diff --git a/src/Common/Crypto.c b/src/Common/Crypto.c
index 299595bd..a6f3ffb7 100644
--- a/src/Common/Crypto.c
+++ b/src/Common/Crypto.c
@@ -1216,3 +1216,29 @@ BOOL IsHwEncryptionEnabled ()
 }
 #endif // !TC_WINDOWS_BOOT
+
+#ifndef TC_WINDOWS_BOOT
+
+static BOOL CpuRngDisabled = FALSE;
+
+BOOL IsCpuRngSupport ()
+{
+ if (HasRDSEED() || HasRDSEED())
+ return TRUE;
+ else
+ return FALSE;
+}
+
+void EnableCpuRng (BOOL enable)
+{
+ CpuRngDisabled = !enable;
+}
+
+BOOL IsCpuRngEnabled ()
+{
+ return !CpuRngDisabled;
+}
+
+
+#endif
+
diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
index a362f5d1..f1b35977 100644
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -385,6 +385,10 @@ BOOL IsAesHwCpuSupported ();
 void EnableHwEncryption (BOOL enable);
 BOOL IsHwEncryptionEnabled ();
+BOOL IsCpuRngSupport ();
+void EnableCpuRng (BOOL enable);
+BOOL IsCpuRngEnabled ();
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 47d99764..f62421de 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
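Review bot: `IsCpuRngSupport` in the Crypto.c hunk tests `HasRDSEED()` twice, so a CPU that offers RDRAND but not RDSEED is reported as unsupported even though the polls in Random.c would fall back to RDRAND; the condition should read `if (HasRDRAND() || HasRDSEED())`. Separately, `CpuRngDisabled` is initialised to `FALSE`, so at this layer the CPU RNG is on until something calls `EnableCpuRng (FALSE)`. The commit title says the source is disabled by default, which presumably relies on callers outside this diff applying the stored setting before the first poll. Initialising the flag to the disabled state, `static BOOL CpuRngDisabled = TRUE;`, would make the default fail closed for any code path that polls before configuration is loaded.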
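Review bot: The new prototype `IsCpuRngSupport ()` in the Crypto.h hunk does not follow the neighbouring `IsAesHwCpuSupported ()` naming, and the three declarations carry no comment on what the switch controls. Since this is new public API, renaming it to `IsCpuRngSupported` now is cheaper than after callers accumulate. A short comment such as `/* Controls whether RDRAND/RDSEED output is mixed into the random pool; the flag is a file-scope static in Crypto.c */` would tell callers that the state lives in whichever binary links Crypto.c and has to be set there.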
@@ -1432,6 +1432,7 @@
 <entry lang="en" key="IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION">Clear encryption keys from memory if a new device is inserted</entry>
 <entry lang="en" key="CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING">IMPORTANT NOTES:\n - Please keep in mind that this option will not persist after a shutdown/reboot so you will need to select it again next time the machine is started.\n\n - With this option enabled and after a new device is connected, the machine will freeze and it will eventually crash with a BSOD since Windows can not access the encrypted disk after its keys are cleared from memory.\n</entry>
 <entry lang="en" key="STARTING">Starting</entry>
+ <entry lang="en" key="IDC_ENABLE_CPU_RNG">Use CPU hardware random generator as an additional source of entropy</entry>
 </localization>
 <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <xs:element name="VeraCrypt">
diff --git a/src/Common/Random.c b/src/Common/Random.c
index 12e9d9af..c8655b56 100644
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -777,9 +777,10 @@ BOOL SlowPoll (void)
 }
 // use RDSEED or RDRAND from CPU as source of entropy if present
- if ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+ if ( IsCpuRngEnabled() &&
+ ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 || (HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
- )
+ ))
 {
 RandaddBuf (buffer, sizeof (buffer));
 }
@@ -907,10 +908,11 @@ BOOL FastPoll (void)
 return FALSE;
 }
- // use RDSEED or RDRAND from CPU as source of entropy if present
- if ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+ // use RDSEED or RDRAND from CPU as source of entropy if enabled
+ if ( IsCpuRngEnabled() &&
+ ( (HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 || (HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
- )
+ ))
 {
 RandaddBuf (buffer, sizeof (buffer));
 }
|
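Review bot: The comment above the gated condition in the `SlowPoll` hunk still says `if present`, while the identical change in `FastPoll` updates it to `if enabled`. The SlowPoll line should read `// use RDSEED or RDRAND from CPU as source of entropy if enabled` so that both polls document the opt-in gate. The same four-line condition is now duplicated in both functions; a small static helper that returns whether CPU entropy was obtained would keep the two copies from drifting again. Both functions begin and end outside their hunks.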