15 Sep
2014
15 Sep
'14
9:05 p.m.
Author: tkreuzer
Date: Mon Sep 15 21:05:38 2014
New Revision: 64163
URL: http://svn.reactos.org/svn/reactos?rev=64163&view=rev
Log:
[KSECDD]
- Implement Encrypt / DecryptMemory in KSecDD (it uses AES for 16 byte aligned sizes, and
3DES for 8 byte aligned sizes)
- Install KSecDD
- Actually use KSecDD for Encryption from advapi32
Added:
trunk/reactos/lib/cryptlib/aes.c
- copied unchanged from r64143, trunk/reactos/dll/win32/rsaenh/aes.c
trunk/reactos/lib/cryptlib/des.c
- copied unchanged from r64143, trunk/reactos/dll/win32/rsaenh/des.c
trunk/reactos/lib/cryptlib/tomcrypt.h
- copied unchanged from r64143, trunk/reactos/dll/win32/rsaenh/tomcrypt.h
Modified:
trunk/reactos/boot/bootdata/hivesys.inf
trunk/reactos/dll/win32/advapi32/misc/sysfunc.c
trunk/reactos/drivers/crypto/ksecdd/crypt.c
trunk/reactos/drivers/crypto/ksecdd/ksecdd.c
trunk/reactos/drivers/crypto/ksecdd/ksecdd.h
trunk/reactos/drivers/crypto/ksecdd/random.c
trunk/reactos/include/psdk/ntsecapi.h
trunk/reactos/lib/cryptlib/CMakeLists.txt
Modified: trunk/reactos/boot/bootdata/hivesys.inf
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/boot/bootdata/hivesys.inf?…
==============================================================================
--- trunk/reactos/boot/bootdata/hivesys.inf [iso-8859-1] (original)
+++ trunk/reactos/boot/bootdata/hivesys.inf [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -1477,6 +1477,13 @@
HKLM,"SYSTEM\CurrentControlSet\Services\kbdclass","Type",0x00010001,0x00000001
HKLM,"SYSTEM\CurrentControlSet\Services\kbdclass\Parameters","ConnectMultiplePorts",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}","UpperFilters",0x00010000,"kbdclass"
+
+; Kernel Security Support Provider Interface Driver
+HKLM,"SYSTEM\CurrentControlSet\Services\Beep","ErrorControl",0x00010001,0x00000003
+HKLM,"SYSTEM\CurrentControlSet\Services\Beep","Group",0x00000000,"Base"
+HKLM,"SYSTEM\CurrentControlSet\Services\Beep","ImagePath",0x00020000,"system32\drivers\ksecdd.sys"
+HKLM,"SYSTEM\CurrentControlSet\Services\Beep","Start",0x00010001,0x00000000
+HKLM,"SYSTEM\CurrentControlSet\Services\Beep","Type",0x00010001,0x00000001
; MPU-401 MIDI driver
HKLM,"SYSTEM\CurrentControlSet\Services\mpu401","Group",0x00000000,"Base"
Modified: trunk/reactos/dll/win32/advapi32/misc/sysfunc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/advapi32/misc/sy…
==============================================================================
--- trunk/reactos/dll/win32/advapi32/misc/sysfunc.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/advapi32/misc/sysfunc.c [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -12,15 +12,11 @@
*/
#include <advapi32.h>
+#include <ntsecapi.h>
#include <ksecioctl.h>
#include <md4.h>
#include <md5.h>
#include <rc4.h>
-
-/* FIXME: this should be in some shared header */
-#define RTL_ENCRYPT_OPTION_SAME_PROCESS 0
-#define RTL_ENCRYPT_OPTION_CROSS_PROCESS 1
-#define RTL_ENCRYPT_OPTION_SAME_LOGON 2
static const unsigned char CRYPT_LMhash_Magic[8] =
{ 'K', 'G', 'S', '!', '@', '#',
'$', '%' };
@@ -635,11 +631,11 @@
InitializeObjectAttributes(&ObjectAttributes,
&DeviceName,
- 0x18,
+ OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = NtOpenFile(&DeviceHandle,
- 0x100001,
+ FILE_READ_DATA | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
@@ -744,9 +740,6 @@
{
ULONG IoControlCode;
- //FIXME("(%p, %x, %x): stub [RtlEncryptMemory]\n", memory, length, flags);
- return STATUS_SUCCESS;
-
if (OptionFlags == RTL_ENCRYPT_OPTION_SAME_PROCESS)
{
IoControlCode = IOCTL_KSEC_ENCRYPT_SAME_PROCESS;
@@ -798,9 +791,6 @@
{
ULONG IoControlCode;
- //FIXME("(%p, %x, %x): stub [RtlDecryptMemory]\n", memory, length, flags);
- return STATUS_SUCCESS;
-
if (OptionFlags == RTL_ENCRYPT_OPTION_SAME_PROCESS)
{
IoControlCode = IOCTL_KSEC_DECRYPT_SAME_PROCESS;
Modified: trunk/reactos/drivers/crypto/ksecdd/crypt.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/crypto/ksecdd/cryp…
==============================================================================
--- trunk/reactos/drivers/crypto/ksecdd/crypt.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/crypto/ksecdd/crypt.c [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -10,6 +10,258 @@
#include "ksecdd.h"
+MD5_CTX KsecLoadTimeStartMd5s[2];
+DES3_KEY KsecGlobalDes3Key;
+AES_KEY KsecGlobalAesKey;
+
+typedef struct _KSEC_PROCESS_DATA
+{
+ PEPROCESS Process;
+ HANDLE ProcessId;
+ LONGLONG CreateTime;
+ ULONG_PTR DirectoryTableBase;
+} KSEC_PROCESS_DATA, *PKSEC_PROCESS_DATA;
+
+typedef struct _KSEC_LOGON_DATA
+{
+ LUID LogonId;
+} KSEC_LOGON_DATA, *PKSEC_LOGON_DATA;
+
+VOID
+NTAPI
+KsecInitializeEncryptionSupport (
+ VOID)
+{
+ KSEC_ENTROPY_DATA EntropyData;
+ MD5_CTX Md5Context;
+ UCHAR KeyDataBuffer[32];
+
+ KsecGatherEntropyData(&EntropyData);
+ MD5Init(&Md5Context);
+ MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
+ KsecLoadTimeStartMd5s[0] = Md5Context;
+ MD5Final(&Md5Context);
+ RtlCopyMemory(KeyDataBuffer, &Md5Context.digest, 16);
+
+ KsecGatherEntropyData(&EntropyData);
+ Md5Context = KsecLoadTimeStartMd5s[0];
+ MD5Update(&Md5Context, (PVOID)&EntropyData, sizeof(EntropyData));
+ KsecLoadTimeStartMd5s[1] = Md5Context;
+ MD5Final(&Md5Context);
+ RtlCopyMemory(&KeyDataBuffer[16], &Md5Context.digest, 16);
+
+ /* Create the global keys */
+ aes_setup(KeyDataBuffer, 32, 0, &KsecGlobalAesKey);
+ des3_setup(KeyDataBuffer, 24, 0, &KsecGlobalDes3Key);
+
+ /* Erase the temp data */
+ RtlSecureZeroMemory(KeyDataBuffer, sizeof(KeyDataBuffer));
+ RtlSecureZeroMemory(&Md5Context, sizeof(Md5Context));
+}
+
+static
+VOID
+KsecGetKeyData (
+ _Out_ UCHAR KeyData[32],
+ _In_ ULONG OptionFlags)
+{
+ MD5_CTX Md5Contexts[2];
+ KSEC_PROCESS_DATA ProcessData;
+ KSEC_LOGON_DATA LogonData;
+ PEPROCESS CurrentProcess;
+ PACCESS_TOKEN Token;
+
+ /* We need to generate the key, start with our load MD5s */
+ Md5Contexts[0] = KsecLoadTimeStartMd5s[0];
+ Md5Contexts[1] = KsecLoadTimeStartMd5s[1];
+
+ /* Get the current process */
+ CurrentProcess = PsGetCurrentProcess();
+
+ if (OptionFlags == RTL_ENCRYPT_OPTION_SAME_PROCESS)
+ {
+ ProcessData.Process = CurrentProcess;
+ ProcessData.ProcessId = CurrentProcess->UniqueProcessId;
+ ProcessData.CreateTime = PsGetProcessCreateTimeQuadPart(CurrentProcess);
+ ProcessData.DirectoryTableBase = CurrentProcess->Pcb.DirectoryTableBase[0];
+ MD5Update(&Md5Contexts[0], (PVOID)&ProcessData, sizeof(ProcessData));
+ MD5Update(&Md5Contexts[1], (PVOID)&ProcessData, sizeof(ProcessData));
+ }
+ else // if (OptionFlags == RTL_ENCRYPT_OPTION_SAME_LOGON)
+ {
+ Token = PsReferencePrimaryToken(CurrentProcess);
+ SeQueryAuthenticationIdToken(Token, &LogonData.LogonId);
+ PsDereferencePrimaryToken(Token);
+ MD5Update(&Md5Contexts[0], (PVOID)&LogonData, sizeof(LogonData));
+ MD5Update(&Md5Contexts[1], (PVOID)&LogonData, sizeof(LogonData));
+ }
+
+ /* Finalize the MD5s */
+ MD5Final(&Md5Contexts[0]);
+ MD5Final(&Md5Contexts[1]);
+
+ /* Copy the md5 data */
+ RtlCopyMemory(KeyData, &Md5Contexts[0].digest, 16);
+ RtlCopyMemory((PUCHAR)KeyData + 16, &Md5Contexts[1].digest, 16);
+
+ /* Erase the temp data */
+ RtlSecureZeroMemory(&Md5Contexts, sizeof(Md5Contexts));
+}
+
+static
+VOID
+KsecGetDes3Key (
+ _Out_ PDES3_KEY Des3Key,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR KeyDataBuffer[32];
+
+ /* Check if the caller allows cross process encryption */
+ if (OptionFlags == RTL_ENCRYPT_OPTION_CROSS_PROCESS)
+ {
+ /* Return our global cached DES3 key */
+ *Des3Key = KsecGlobalDes3Key;
+ }
+ else
+ {
+ /* Setup the key */
+ KsecGetKeyData(KeyDataBuffer, OptionFlags);
+ des3_setup(KeyDataBuffer, 24, 0, Des3Key);
+
+ /* Erase the temp data */
+ RtlSecureZeroMemory(KeyDataBuffer, sizeof(KeyDataBuffer));
+ }
+}
+
+static
+VOID
+KsecGetAesKey (
+ _Out_ PAES_KEY AesKey,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR KeyDataBuffer[32];
+
+ /* Check if the caller allows cross process encryption */
+ if (OptionFlags == RTL_ENCRYPT_OPTION_CROSS_PROCESS)
+ {
+ /* Return our global cached AES key */
+ *AesKey = KsecGlobalAesKey;
+ }
+ else
+ {
+ /* Setup the key */
+ KsecGetKeyData(KeyDataBuffer, OptionFlags);
+ aes_setup(KeyDataBuffer, 32, 0, AesKey);
+
+ /* Erase the temp data */
+ RtlSecureZeroMemory(KeyDataBuffer, sizeof(KeyDataBuffer));
+ }
+}
+
+static
+VOID
+KsecEncryptMemoryDes3 (
+ _Inout_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR EncryptedBlockData[8];
+ DES3_KEY Des3Key;
+
+ /* Get they triple DES key */
+ KsecGetDes3Key(&Des3Key, OptionFlags);
+
+ /* Do the triple DES encryption */
+ while (Length >= sizeof(EncryptedBlockData))
+ {
+ des3_ecb_encrypt(Buffer, EncryptedBlockData, &Des3Key);
+ RtlCopyMemory(Buffer, EncryptedBlockData, sizeof(EncryptedBlockData));
+ Buffer = (PUCHAR)Buffer + sizeof(EncryptedBlockData);
+ Length -= sizeof(EncryptedBlockData);
+ }
+
+ /* Erase the key data */
+ RtlSecureZeroMemory(&Des3Key, sizeof(Des3Key));
+}
+
+static
+VOID
+KsecDecryptMemoryDes3 (
+ _Inout_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR BlockData[8];
+ DES3_KEY Des3Key;
+
+ /* Get they triple DES key */
+ KsecGetDes3Key(&Des3Key, OptionFlags);
+
+ /* Do the triple DES decryption */
+ while (Length >= sizeof(BlockData))
+ {
+ des3_ecb_decrypt(Buffer, BlockData, &Des3Key);
+ RtlCopyMemory(Buffer, BlockData, sizeof(BlockData));
+ Buffer = (PUCHAR)Buffer + sizeof(BlockData);
+ Length -= sizeof(BlockData);
+ }
+
+ /* Erase the key data */
+ RtlSecureZeroMemory(&Des3Key, sizeof(Des3Key));
+}
+
+static
+VOID
+KsecEncryptMemoryAes (
+ _Inout_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR EncryptedBlockData[16];
+ AES_KEY AesKey;
+
+ /* Get they AES key */
+ KsecGetAesKey(&AesKey, OptionFlags);
+
+ /* Do the AES encryption */
+ while (Length >= sizeof(EncryptedBlockData))
+ {
+ aes_ecb_encrypt(Buffer, EncryptedBlockData, &AesKey);
+ RtlCopyMemory(Buffer, EncryptedBlockData, sizeof(EncryptedBlockData));
+ Buffer = (PUCHAR)Buffer + sizeof(EncryptedBlockData);
+ Length -= sizeof(EncryptedBlockData);
+ }
+
+ /* Erase the key data */
+ RtlSecureZeroMemory(&AesKey, sizeof(AesKey));
+}
+
+static
+VOID
+KsecDecryptMemoryAes (
+ _Inout_ PVOID Buffer,
+ _In_ ULONG Length,
+ _In_ ULONG OptionFlags)
+{
+ UCHAR BlockData[16];
+ AES_KEY AesKey;
+
+ /* Get they AES key */
+ KsecGetAesKey(&AesKey, OptionFlags);
+
+ /* Do the AES decryption */
+ while (Length >= sizeof(BlockData))
+ {
+ aes_ecb_decrypt(Buffer, BlockData, &AesKey);
+ RtlCopyMemory(Buffer, BlockData, sizeof(BlockData));
+ Buffer = (PUCHAR)Buffer + sizeof(BlockData);
+ Length -= sizeof(BlockData);
+ }
+
+ /* Erase the key data */
+ RtlSecureZeroMemory(&AesKey, sizeof(AesKey));
+}
+
NTSTATUS
NTAPI
KsecEncryptMemory (
@@ -17,6 +269,31 @@
_In_ ULONG Length,
_In_ ULONG OptionFlags)
{
+ /* Validate parameter */
+ if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
+ {
+ return STATUS_INVALID_PARAMETER;
+ }
+
+ /* Check if the length is not 16 bytes aligned */
+ if (Length & 15)
+ {
+ /* Is it at least 8 bytes aligned? */
+ if (Length & 7)
+ {
+ /* No, we can't deal with it! */
+ return STATUS_INVALID_PARAMETER;
+ }
+
+ /* Use triple DES encryption */
+ KsecEncryptMemoryDes3(Buffer, Length, OptionFlags);
+ }
+ else
+ {
+ /* Use AES encryption */
+ KsecEncryptMemoryAes(Buffer, Length, OptionFlags);
+ }
+
return STATUS_SUCCESS;
}
@@ -27,5 +304,30 @@
_In_ ULONG Length,
_In_ ULONG OptionFlags)
{
+ /* Validate parameter */
+ if (OptionFlags > RTL_ENCRYPT_OPTION_SAME_LOGON)
+ {
+ return STATUS_INVALID_PARAMETER;
+ }
+
+ /* Check if the length is not 16 bytes aligned */
+ if (Length & 15)
+ {
+ /* Is it at least 8 bytes aligned? */
+ if (Length & 7)
+ {
+ /* No, we can't deal with it! */
+ return STATUS_INVALID_PARAMETER;
+ }
+
+ /* Use triple DES encryption */
+ KsecDecryptMemoryDes3(Buffer, Length, OptionFlags);
+ }
+ else
+ {
+ /* Use AES encryption */
+ KsecDecryptMemoryAes(Buffer, Length, OptionFlags);
+ }
+
return STATUS_SUCCESS;
}
Modified: trunk/reactos/drivers/crypto/ksecdd/ksecdd.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/crypto/ksecdd/ksec…
==============================================================================
--- trunk/reactos/drivers/crypto/ksecdd/ksecdd.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/crypto/ksecdd/ksecdd.c [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -52,5 +52,8 @@
DriverObject->MajorFunction[IRP_MJ_QUERY_VOLUME_INFORMATION] = KsecDdDispatch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = KsecDdDispatch;
+ /* Initialize */
+ KsecInitializeEncryptionSupport();
+
return STATUS_SUCCESS;
}
Modified: trunk/reactos/drivers/crypto/ksecdd/ksecdd.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/crypto/ksecdd/ksec…
==============================================================================
--- trunk/reactos/drivers/crypto/ksecdd/ksecdd.h [iso-8859-1] (original)
+++ trunk/reactos/drivers/crypto/ksecdd/ksecdd.h [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -8,11 +8,15 @@
#define _NO_KSECDD_IMPORT_
#include <ntifs.h>
-#include <ndk/extypes.h>
-#include <ndk/rtlfuncs.h>
-#include <ndk/lpcfuncs.h>
-#include <ndk/obfuncs.h>
+#include <ndk/exfuncs.h>
+#include <pseh/pseh2.h>
#include <ntstrsafe.h>
+
+#include <md4.h>
+#include <md5.h>
+#include <tomcrypt.h>
+typedef aes_key AES_KEY, *PAES_KEY;
+typedef des3_key DES3_KEY, *PDES3_KEY;
#define STATUS_KSEC_INTERNAL_ERROR ((NTSTATUS)0x80090304)
@@ -70,12 +74,21 @@
PDEVICE_OBJECT DeviceObject,
PIRP Irp);
+NTSTATUS
+NTAPI
+KsecGatherEntropyData(
+ PKSEC_ENTROPY_DATA EntropyData);
NTSTATUS
NTAPI
KsecGenRandom(
PVOID Buffer,
SIZE_T Length);
+
+VOID
+NTAPI
+KsecInitializeEncryptionSupport (
+ VOID);
NTSTATUS
NTAPI
@@ -91,23 +104,3 @@
_In_ ULONG Length,
_In_ ULONG OptionFlags);
-NTSTATUS
-NTAPI
-KsecInitLsaMemory(VOID);
-
-///
-PVOID
-NTAPI
-PsGetProcessSecurityPort(
- PEPROCESS Process);
-
-NTSTATUS
-NTAPI
-PsSetProcessSecurityPort(
- PEPROCESS Process,
- PVOID SecurityPort);
-
-HANDLE
-NTAPI
-PsGetCurrentThreadProcessId(VOID);
-
Modified: trunk/reactos/drivers/crypto/ksecdd/random.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/drivers/crypto/ksecdd/rand…
==============================================================================
--- trunk/reactos/drivers/crypto/ksecdd/random.c [iso-8859-1] (original)
+++ trunk/reactos/drivers/crypto/ksecdd/random.c [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -9,10 +9,6 @@
/* INCLUDES *******************************************************************/
#include "ksecdd.h"
-#include <ndk/exfuncs.h>
-#include <ndk/kefuncs.h>
-#include <pseh/pseh2.h>
-#include <md4.h>
#define NDEBUG
#include <debug.h>
@@ -69,8 +65,8 @@
}
/* Read the CPU event counter MSRs */
- MachineSpecificCounters->Ctr0 = __readmsr(0x12);
- MachineSpecificCounters->Ctr1 = __readmsr(0x13);
+ //MachineSpecificCounters->Ctr0 = __readmsr(0x12);
+ //MachineSpecificCounters->Ctr1 = __readmsr(0x13);
/* Check if this is an MMX capable CPU */
if (ExIsProcessorFeaturePresent(PF_MMX_INSTRUCTIONS_AVAILABLE))
Modified: trunk/reactos/include/psdk/ntsecapi.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/include/psdk/ntsecapi.h?re…
==============================================================================
--- trunk/reactos/include/psdk/ntsecapi.h [iso-8859-1] (original)
+++ trunk/reactos/include/psdk/ntsecapi.h [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -666,8 +666,17 @@
} TRUSTED_DOMAIN_FULL_INFORMATION, *PTRUSTED_DOMAIN_FULL_INFORMATION;
#define RtlGenRandom SystemFunction036
+#define RtlEncryptMemory SystemFunction040
+#define RtlDecryptMemory SystemFunction041
BOOLEAN WINAPI RtlGenRandom(PVOID,ULONG);
+NTSTATUS WINAPI RtlEncryptMemory(PVOID Memory, ULONG MemorySize, ULONG OptionFlags);
+NTSTATUS WINAPI RtlDecryptMemory(PVOID Memory, ULONG MemorySize, ULONG OptionFlags);
+
+#define RTL_ENCRYPT_MEMORY_SIZE 8
+#define RTL_ENCRYPT_OPTION_SAME_PROCESS 0x00
+#define RTL_ENCRYPT_OPTION_CROSS_PROCESS 0x01
+#define RTL_ENCRYPT_OPTION_SAME_LOGON 0x02
NTSTATUS NTAPI LsaAddAccountRights(LSA_HANDLE,PSID,PLSA_UNICODE_STRING,ULONG);
NTSTATUS NTAPI LsaAddPrivilegesToAccount(LSA_HANDLE, PPRIVILEGE_SET);
Modified: trunk/reactos/lib/cryptlib/CMakeLists.txt
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/lib/cryptlib/CMakeLists.tx…
==============================================================================
--- trunk/reactos/lib/cryptlib/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/reactos/lib/cryptlib/CMakeLists.txt [iso-8859-1] Mon Sep 15 21:05:38 2014
@@ -1,5 +1,7 @@
add_library(cryptlib
+ aes.c
+ des.c
md4.c
md5.c
mvAesAlg.c