From 16bb1de3a6addec1c07b9ffc3fcd616744a3f15c Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Sat, 5 Aug 2023 10:55:46 +0200
Subject: Security: ensure that XTS primary key is different from secondary key
 when creating volumes

This is unlikely to happen thanks to random generator properties but we much add this check to prevent an attack described in page 3 of https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
---
 src/Core/VolumeCreator.cpp | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/Core')

diff --git a/src/Core/VolumeCreator.cpp b/src/Core/VolumeCreator.cpp
index d5caa846..5f19a66d 100644
--- a/src/Core/VolumeCreator.cpp
+++ b/src/Core/VolumeCreator.cpp
@@ -298,6 +298,11 @@ namespace VeraCrypt
 			// Master data key
 			MasterKey.Allocate (options->EA->GetKeySize() * 2);
 			RandomNumberGenerator::GetData (MasterKey);
+			// check that first half of MasterKey is different from its second half. If they are the same, through an exception
+			// cf CCSS,NSA comment at page 3: https://csrc.nist.gov/csrc/media/Projects/crypto-publication-review-project/documents/initial-comments/sp800-38e-initial-public-comments-2021.pdf
+			if (memcmp (MasterKey.Ptr(), MasterKey.Ptr() + MasterKey.Size() / 2, MasterKey.Size() / 2) == 0)
+				throw AssertionFailed (SRC_POS);
+
 			headerOptions.DataKey = MasterKey;
 
 			// PKCS5 salt
-- 
cgit v1.2.3