Windows Driver: Implement RAM encryption for cached passwords
This commit is contained in:
parent
ae5eb73f93
commit
954bfd45d0
|
@ -24,6 +24,25 @@ int CachedPim[CACHE_SIZE];
|
||||||
int cacheEmpty = 1;
|
int cacheEmpty = 1;
|
||||||
static int nPasswordIdx = 0;
|
static int nPasswordIdx = 0;
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
|
||||||
|
uint64 VcGetPasswordEncryptionID (Password* pPassword)
|
||||||
|
{
|
||||||
|
return ((uint64) pPassword->Text) + ((uint64) pPassword);
|
||||||
|
}
|
||||||
|
|
||||||
|
void VcProtectPassword (Password* pPassword, uint64 encID)
|
||||||
|
{
|
||||||
|
VcProtectMemory (encID, (unsigned char*) pPassword->Text, sizeof(pPassword->Text), (unsigned char*) &pPassword->Length, sizeof (pPassword->Length));
|
||||||
|
}
|
||||||
|
|
||||||
|
void VcUnprotectPassword (Password* pPassword, uint64 encID)
|
||||||
|
{
|
||||||
|
VcProtectPassword (pPassword, encID);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
|
int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *header, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo)
|
||||||
{
|
{
|
||||||
int nReturnCode = ERR_PASSWORD_WRONG;
|
int nReturnCode = ERR_PASSWORD_WRONG;
|
||||||
|
@ -37,16 +56,37 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *heade
|
||||||
/* Save mount passwords back into cache if asked to do so */
|
/* Save mount passwords back into cache if asked to do so */
|
||||||
if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))
|
if (bCache && (nReturnCode == 0 || nReturnCode == ERR_CIPHER_INIT_WEAK_KEY))
|
||||||
{
|
{
|
||||||
|
#ifdef _WIN64
|
||||||
|
Password tmpPass;
|
||||||
|
#endif
|
||||||
for (i = 0; i < CACHE_SIZE; i++)
|
for (i = 0; i < CACHE_SIZE; i++)
|
||||||
{
|
{
|
||||||
if (memcmp (&CachedPasswords[i], password, sizeof (Password)) == 0)
|
Password* pCurrentPassword = &CachedPasswords[i];
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
{
|
||||||
|
memcpy (&tmpPass, pCurrentPassword, sizeof (Password));
|
||||||
|
VcUnprotectPassword (&tmpPass, VcGetPasswordEncryptionID (pCurrentPassword));
|
||||||
|
pCurrentPassword = &tmpPass;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (memcmp (pCurrentPassword, password, sizeof (Password)) == 0)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
burn (&tmpPass, sizeof (Password));
|
||||||
|
#endif
|
||||||
|
|
||||||
if (i == CACHE_SIZE)
|
if (i == CACHE_SIZE)
|
||||||
{
|
{
|
||||||
/* Store the password */
|
/* Store the password */
|
||||||
CachedPasswords[nPasswordIdx] = *password;
|
CachedPasswords[nPasswordIdx] = *password;
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled ())
|
||||||
|
VcProtectPassword (&CachedPasswords[nPasswordIdx], VcGetPasswordEncryptionID (&CachedPasswords[nPasswordIdx]));
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Store also PIM if requested, otherwise set to default */
|
/* Store also PIM if requested, otherwise set to default */
|
||||||
if (bCachePim && (pim > 0))
|
if (bCachePim && (pim > 0))
|
||||||
|
@ -67,10 +107,22 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *heade
|
||||||
}
|
}
|
||||||
else if (!cacheEmpty)
|
else if (!cacheEmpty)
|
||||||
{
|
{
|
||||||
|
#ifdef _WIN64
|
||||||
|
Password tmpPass;
|
||||||
|
#endif
|
||||||
/* Attempt to recognize volume using cached passwords */
|
/* Attempt to recognize volume using cached passwords */
|
||||||
for (i = 0; i < CACHE_SIZE; i++)
|
for (i = 0; i < CACHE_SIZE; i++)
|
||||||
{
|
{
|
||||||
if (CachedPasswords[i].Length > 0)
|
Password* pCurrentPassword = &CachedPasswords[i];
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
{
|
||||||
|
memcpy (&tmpPass, pCurrentPassword, sizeof (Password));
|
||||||
|
VcUnprotectPassword (&tmpPass, VcGetPasswordEncryptionID (pCurrentPassword));
|
||||||
|
pCurrentPassword = &tmpPass;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if ((pCurrentPassword->Length > 0) && (pCurrentPassword->Length <= (unsigned int) ((bBoot? MAX_LEGACY_PASSWORD: MAX_PASSWORD))))
|
||||||
{
|
{
|
||||||
if (truecryptMode)
|
if (truecryptMode)
|
||||||
effectivePim = 0;
|
effectivePim = 0;
|
||||||
|
@ -78,12 +130,16 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *heade
|
||||||
effectivePim = CachedPim[i];
|
effectivePim = CachedPim[i];
|
||||||
else
|
else
|
||||||
effectivePim = pim;
|
effectivePim = pim;
|
||||||
nReturnCode = ReadVolumeHeader (bBoot, header, &CachedPasswords[i], pkcs5_prf, effectivePim, truecryptMode, retInfo, NULL);
|
nReturnCode = ReadVolumeHeader (bBoot, header, pCurrentPassword, pkcs5_prf, effectivePim, truecryptMode, retInfo, NULL);
|
||||||
|
|
||||||
if (nReturnCode != ERR_PASSWORD_WRONG)
|
if (nReturnCode != ERR_PASSWORD_WRONG)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
burn (&tmpPass, sizeof (Password));
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
return nReturnCode;
|
return nReturnCode;
|
||||||
|
@ -92,17 +148,40 @@ int ReadVolumeHeaderWCache (BOOL bBoot, BOOL bCache, BOOL bCachePim, char *heade
|
||||||
|
|
||||||
void AddPasswordToCache (Password *password, int pim)
|
void AddPasswordToCache (Password *password, int pim)
|
||||||
{
|
{
|
||||||
|
#ifdef _WIN64
|
||||||
|
Password tmpPass;
|
||||||
|
#endif
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < CACHE_SIZE; i++)
|
for (i = 0; i < CACHE_SIZE; i++)
|
||||||
{
|
{
|
||||||
if (memcmp (&CachedPasswords[i], password, sizeof (Password)) == 0)
|
Password* pCurrentPassword = &CachedPasswords[i];
|
||||||
return;
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
{
|
||||||
|
memcpy (&tmpPass, pCurrentPassword, sizeof (Password));
|
||||||
|
VcUnprotectPassword (&tmpPass, VcGetPasswordEncryptionID (pCurrentPassword));
|
||||||
|
pCurrentPassword = &tmpPass;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (memcmp (pCurrentPassword, password, sizeof (Password)) == 0)
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
CachedPasswords[nPasswordIdx] = *password;
|
if (i == CACHE_SIZE)
|
||||||
CachedPim[nPasswordIdx] = pim > 0? pim : 0;
|
{
|
||||||
nPasswordIdx = (nPasswordIdx + 1) % CACHE_SIZE;
|
CachedPasswords[nPasswordIdx] = *password;
|
||||||
cacheEmpty = 0;
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled ())
|
||||||
|
VcProtectPassword (&CachedPasswords[nPasswordIdx], VcGetPasswordEncryptionID (&CachedPasswords[nPasswordIdx]));
|
||||||
|
#endif
|
||||||
|
CachedPim[nPasswordIdx] = pim > 0? pim : 0;
|
||||||
|
nPasswordIdx = (nPasswordIdx + 1) % CACHE_SIZE;
|
||||||
|
cacheEmpty = 0;
|
||||||
|
}
|
||||||
|
#ifdef _WIN64
|
||||||
|
if (IsRamEncryptionEnabled())
|
||||||
|
burn (&tmpPass, sizeof (Password));
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
void AddLegacyPasswordToCache (PasswordLegacy *password, int pim)
|
void AddLegacyPasswordToCache (PasswordLegacy *password, int pim)
|
||||||
|
|
|
@ -1388,9 +1388,9 @@ void ClearSecurityParameters()
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef TC_WINDOWS_DRIVER
|
#ifdef TC_WINDOWS_DRIVER
|
||||||
static void VcProtectMemory (uint64 encID, unsigned char* pbData, size_t cbData, unsigned char* pbData2, size_t cbData2)
|
void VcProtectMemory (uint64 encID, unsigned char* pbData, size_t cbData, unsigned char* pbData2, size_t cbData2)
|
||||||
#else
|
#else
|
||||||
static void VcProtectMemory (uint64 encID, unsigned char* pbData, size_t cbData,
|
void VcProtectMemory (uint64 encID, unsigned char* pbData, size_t cbData,
|
||||||
unsigned char* pbData2, size_t cbData2,
|
unsigned char* pbData2, size_t cbData2,
|
||||||
unsigned char* pbData3, size_t cbData3,
|
unsigned char* pbData3, size_t cbData3,
|
||||||
unsigned char* pbData4, size_t cbData4)
|
unsigned char* pbData4, size_t cbData4)
|
||||||
|
|
|
@ -388,6 +388,7 @@ void DecryptBuffer (unsigned __int8 *buf, TC_LARGEST_COMPILER_UINT len, PCRYPTO_
|
||||||
#if defined(_WIN64) && !defined (_UEFI) && defined(TC_WINDOWS_DRIVER)
|
#if defined(_WIN64) && !defined (_UEFI) && defined(TC_WINDOWS_DRIVER)
|
||||||
BOOL InitializeSecurityParameters(GetRandSeedFn rngCallback);
|
BOOL InitializeSecurityParameters(GetRandSeedFn rngCallback);
|
||||||
void ClearSecurityParameters();
|
void ClearSecurityParameters();
|
||||||
|
void VcProtectMemory (uint64 encID, unsigned char* pbData, size_t cbData, unsigned char* pbData2, size_t cbData2);
|
||||||
uint64 VcGetEncryptionID (PCRYPTO_INFO pCryptoInfo);
|
uint64 VcGetEncryptionID (PCRYPTO_INFO pCryptoInfo);
|
||||||
void VcProtectKeys (PCRYPTO_INFO pCryptoInfo, uint64 encID);
|
void VcProtectKeys (PCRYPTO_INFO pCryptoInfo, uint64 encID);
|
||||||
void VcUnprotectKeys (PCRYPTO_INFO pCryptoInfo, uint64 encID);
|
void VcUnprotectKeys (PCRYPTO_INFO pCryptoInfo, uint64 encID);
|
||||||
|
|
Loading…
Reference in New Issue