From 2e32adf625b0f3ee1e5859163011e81d3f17a89b Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Thu, 15 Jul 2021 00:19:57 +0200
Subject: Windows: Avoid leaking sensitive values in work item of threads pool

---
 src/Common/EncryptionThreadPool.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/Common/EncryptionThreadPool.c b/src/Common/EncryptionThreadPool.c
index 32782bdc..dce01733 100644
--- a/src/Common/EncryptionThreadPool.c
+++ b/src/Common/EncryptionThreadPool.c
@@ -275,6 +275,12 @@ static TC_THREAD_PROC EncryptionThreadProc (void *threadArg)
 				TC_THROW_FATAL_EXCEPTION;
 			}
 
+#if !defined(DEVICE_DRIVER)
+			burn (workItem->KeyDerivation.Password, sizeof(workItem->KeyDerivation.Password));
+			burn (workItem->KeyDerivation.Salt, sizeof(workItem->KeyDerivation.Salt));
+			VirtualUnlock (&workItem->KeyDerivation, sizeof (workItem->KeyDerivation));
+#endif
+
 			InterlockedExchange (workItem->KeyDerivation.CompletionFlag, TRUE);
 			TC_SET_EVENT (*workItem->KeyDerivation.CompletionEvent);
 
@@ -510,6 +516,11 @@ void EncryptionThreadPoolStop ()
 
 	for (i = 0; i < sizeof (WorkItemQueue) / sizeof (WorkItemQueue[0]); ++i)
 	{
+#if !defined(DEVICE_DRIVER)
+		burn (WorkItemQueue[i].KeyDerivation.Password, sizeof(WorkItemQueue[i].KeyDerivation.Password));
+		burn (WorkItemQueue[i].KeyDerivation.Salt, sizeof(WorkItemQueue[i].KeyDerivation.Salt));
+		VirtualUnlock (&WorkItemQueue[i].KeyDerivation, sizeof (WorkItemQueue[i].KeyDerivation));
+#endif
 		if (WorkItemQueue[i].ItemCompletedEvent)
 			CloseHandle (WorkItemQueue[i].ItemCompletedEvent);
 	}
@@ -538,6 +549,9 @@ void EncryptionThreadPoolBeginKeyDerivation (TC_EVENT *completionEvent, TC_EVENT
 	}
 
 	workItem->Type = DeriveKeyWork;
+#if !defined(DEVICE_DRIVER)
+	VirtualLock (&workItem->KeyDerivation, sizeof (workItem->KeyDerivation));
+#endif
 	workItem->KeyDerivation.CompletionEvent = completionEvent;
 	workItem->KeyDerivation.CompletionFlag = completionFlag;
 	workItem->KeyDerivation.DerivedKey = derivedKey;
-- 
cgit v1.2.3