diff --git a/src/Common/Crypto.c b/src/Common/Crypto.c index 6b497bc9..4b1767c9 100644 --- a/src/Common/Crypto.c +++ b/src/Common/Crypto.c @@ -133,7 +133,9 @@ static Hash Hashes[] = { BLAKE2S, L"BLAKE2s-256", FALSE, TRUE }, { WHIRLPOOL, L"Whirlpool", FALSE, FALSE }, { STREEBOG, L"Streebog", FALSE, FALSE }, +#ifndef VC_DCS_DISABLE_ARGON2 { ARGON2, L"BLAKE2b-512", FALSE, FALSE }, +#endif #endif { 0, 0, 0 } }; diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h index 85f7cbea..84ab4b79 100644 --- a/src/Common/Crypto.h +++ b/src/Common/Crypto.h @@ -55,7 +55,9 @@ enum SHA256, BLAKE2S, STREEBOG, +#ifndef VC_DCS_DISABLE_ARGON2 ARGON2, +#endif HASH_ENUM_END_ID }; @@ -204,8 +206,10 @@ typedef struct #ifndef TC_WINDOWS_BOOT # include "Sha2.h" # include "Whirlpool.h" +#ifndef VC_DCS_DISABLE_ARGON2 # include "argon2.h" # include "Crypto/Argon2/src/blake2/blake2b.h" +#endif # include "Streebog.h" # include "kuznyechik.h" # include "Camellia.h" diff --git a/src/Common/Pkcs5.c b/src/Common/Pkcs5.c index 1d80ea63..24dfce10 100644 --- a/src/Common/Pkcs5.c +++ b/src/Common/Pkcs5.c @@ -1254,8 +1254,10 @@ wchar_t *get_kdf_name (int kdf_id) case STREEBOG: return L"STREEBOG-PBKDF2"; +#ifndef VC_DCS_DISABLE_ARGON2 case ARGON2: return L"Argon2"; +#endif default: return L"(Unknown)"; @@ -1302,9 +1304,11 @@ int get_pkcs5_iteration_count(int pkcs5_prf_id, int pim, BOOL bBoot, int* pMemor iteration_count = bBoot ? pim * 2048 : 15000 + pim * 1000; break; +#ifndef VC_DCS_DISABLE_ARGON2 case ARGON2: get_argon2_params (pim, &iteration_count, pMemoryCost); break; +#endif default: TC_THROW_FATAL_EXCEPTION; // Unknown/wrong ID @@ -1323,13 +1327,16 @@ int is_pkcs5_prf_supported (int pkcs5_prf_id, PRF_BOOT_TYPE bootType) || (bootType != PRF_BOOT_MBR && (pkcs5_prf_id < FIRST_PRF_ID || pkcs5_prf_id > LAST_PRF_ID)) ) return 0; +#ifndef VC_DCS_DISABLE_ARGON2 // we don't support Argon2 in pre-boot authentication if ((bootType == PRF_BOOT_MBR || bootType == PRF_BOOT_GPT) && pkcs5_prf_id == ARGON2) return 0; +#endif return 1; } +#ifndef VC_DCS_DISABLE_ARGON2 void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, volatile long *pAbortKeyDerivation) { #if defined (DEVICE_DRIVER) && !defined(_M_ARM64) @@ -1438,5 +1445,6 @@ void get_argon2_params(int pim, int* pIterations, int* pMemcost) *pIterations = 13 + (pim - 31); } } +#endif #endif //!TC_WINDOWS_BOOT diff --git a/src/Common/Pkcs5.h b/src/Common/Pkcs5.h index 3f7d9409..cbd23940 100644 --- a/src/Common/Pkcs5.h +++ b/src/Common/Pkcs5.h @@ -44,8 +44,10 @@ void derive_key_streebog (const unsigned char *pwd, int pwd_len, const unsigned int get_pkcs5_iteration_count (int pkcs5_prf_id, int pim, BOOL bBoot, int* pMemoryCost); wchar_t *get_kdf_name (int kdf_id); +#ifndef VC_DCS_DISABLE_ARGON2 void derive_key_argon2(const unsigned char *pwd, int pwd_len, const unsigned char *salt, int salt_len, uint32 iterations, uint32 memcost, unsigned char *dk, int dklen, long volatile *pAbortKeyDerivation); void get_argon2_params(int pim, int* pIterations, int* pMemcost); +#endif /* check if given PRF supported.*/ typedef enum diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c index 2b098d8f..8e249e35 100644 --- a/src/Common/Volumes.c +++ b/src/Common/Volumes.c @@ -183,6 +183,9 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass int status = ERR_PARAMETER_INCORRECT; int primaryKeyOffset; int pkcs5PrfCount = LAST_PRF_ID - FIRST_PRF_ID + 1; + int iterationsCount = 0; + int memoryCost = 0; + LONG volatile abortKeyDerivation = 0; #if !defined(_UEFI) TC_EVENT *keyDerivationCompletedEvent = NULL; TC_EVENT *noOutstandingWorkItemEvent = NULL; @@ -192,9 +195,6 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass size_t encryptionThreadCount = GetEncryptionThreadCount(); LONG *outstandingWorkItemCount = NULL; int i; - int iterationsCount = 0; - int memoryCost = 0; - LONG volatile abortKeyDerivation = 0; #endif size_t queuedWorkItems = 0; @@ -310,9 +310,11 @@ int ReadVolumeHeader (BOOL bBoot, unsigned char *encryptedHeader, Password *pass if (selected_pkcs5_prf != 0 && enqPkcs5Prf != selected_pkcs5_prf) continue; +#ifndef VC_DCS_DISABLE_ARGON2 // we don't support Argon2 in pre-boot authentication if (bBoot && (enqPkcs5Prf == ARGON2)) continue; +#endif #if !defined(_UEFI) if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1)) @@ -409,10 +411,12 @@ KeyReady: ; break; +#ifndef VC_DCS_DISABLE_ARGON2 case ARGON2: derive_key_argon2(keyInfo->userKey, keyInfo->keyLength, keyInfo->salt, PKCS5_SALT_SIZE, keyInfo->noIterations, keyInfo->memoryCost, dk, GetMaxPkcs5OutSize(), &abortKeyDerivation); break; +#endif #endif default: // Unknown/wrong ID @@ -617,11 +621,13 @@ KeyReady: ; status = ERR_SUCCESS; +#if !defined(_UEFI) if ((selected_pkcs5_prf == 0) && (encryptionThreadCount > 1)) { // Signal other threads to stop InterlockedExchange(&abortKeyDerivation, 1); } +#endif goto ret; } } @@ -629,8 +635,10 @@ KeyReady: ; status = ERR_PASSWORD_WRONG; err: +#if !defined(_UEFI) // Signal threads to stop InterlockedExchange(&abortKeyDerivation, 1); +#endif if (cryptoInfo != retHeaderCryptoInfo) { crypto_close(cryptoInfo); @@ -672,7 +680,7 @@ ret: #endif burn (keyInfo, sizeof (KEY_INFO)); -#if !defined(DEVICE_DRIVER) +#if !defined(DEVICE_DRIVER) && !defined(_UEFI) VirtualUnlock (keyInfoBuffer, keyInfoBufferSize); #endif TCfree(keyInfoBuffer); @@ -942,12 +950,14 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, unsigned char *header, if (pim < 0) pim = 0; +#ifndef VC_DCS_DISABLE_ARGON2 // we don't support Argon2 in pre-boot authentication if (bBoot && (pkcs5_prf == ARGON2)) { crypto_close (cryptoInfo); return ERR_PARAMETER_INCORRECT; } +#endif memset (header, 0, TC_VOLUME_HEADER_EFFECTIVE_SIZE); #if !defined(_UEFI) @@ -1065,10 +1075,12 @@ int CreateVolumeHeaderInMemory (HWND hwndDlg, BOOL bBoot, unsigned char *header, PKCS5_SALT_SIZE, keyInfo.noIterations, dk, GetMaxPkcs5OutSize(), NULL); break; +#ifndef VC_DCS_DISABLE_ARGON2 case ARGON2: derive_key_argon2(keyInfo.userKey, keyInfo.keyLength, keyInfo.salt, PKCS5_SALT_SIZE, keyInfo.noIterations, keyInfo.memoryCost, dk, GetMaxPkcs5OutSize(), NULL); break; +#endif #endif default: // Unknown/wrong ID