Add PIV smart card keyfile encryption

.github/workflows/build-macos.yml

@@ -0,0 +1,124 @@
+name: Build and test macOS
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  create:
+    tags:
+      - '*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  WX_BUILD_DIR: ${{ github.workspace }}/wxbuild
+  WX_ROOT: ${{ github.workspace }}/wxsrc
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ${{matrix.runner}}
+    strategy:
+      matrix:
+        runner: [macos-13]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      - name: Download Packages
+        uses: carlosperate/[email protected]
+        id: download-packages
+        with:
+          file-url: 'http://s.sudre.free.fr/Software/files/Packages.dmg'
+          file-name: 'Packages.dmg'
+          location: '.'
+
+      - name: Download macFUSE
+        uses: carlosperate/[email protected]
+        id: download-macfuse
+        with:
+          file-url: 'https://github.com/osxfuse/osxfuse/releases/download/macfuse-4.5.0/macfuse-4.5.0.dmg'
+          file-name: 'macfuse.dmg'
+          location: '.'
+
+      - name: Download pkg-config
+        uses: carlosperate/[email protected]
+        id: download-pkg-config
+        with:
+          file-url: 'https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz'
+          file-name: pkg-config-0.28.tar.gz
+          location: '.'
+
+      - name: Mount Packages
+        run: sudo hdiutil attach Packages.dmg
+
+      - name: Mount macFUSE
+        run: sudo hdiutil attach macfuse.dmg 
+
+      - name: List Volumes directory context
+        run: ls -latr /Volumes || true
+
+      - name: Install Packages
+        run: sudo installer -pkg "/Volumes/Packages 1.2.10/Install Packages.pkg" -target /
+
+      - name: Install macFUSE
+        run: sudo installer -pkg "/Volumes/macFUSE/Install macFUSE.pkg" -target /     
+
+      - name: Build and install pkg-config
+        run: tar xvf pkg-config-0.28.tar.gz && cd pkg-config-0.28 && ./configure && make && sudo make install
+
+      - name: Install yasm
+        run: brew install yasm
+
+      - uses: actions/cache@v2
+        name: Cache/restore wxWidgets
+        id: cache-wxwidgets
+        with:
+          path: |
+            ${{ env.WX_ROOT }}
+            ${{ env.WX_BUILD_DIR }}
+          key: wxwidgets
+
+      - uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: latest-stable
+
+      - uses: actions/checkout@v2
+        name: Checkout wxWidgets
+        with:
+          repository: 'wxWidgets/wxWidgets'
+          ref: 'v3.2.5'
+          path: ${{ env.WX_ROOT }}
+          submodules: 'recursive'
+
+      - name: Show Xcode used
+        run: |
+          SDK_VERSION=$(xcrun --show-sdk-version); xcrun --show-sdk-path; xcrun --sdk macosx${SDK_VERSION} --show-sdk-path
+
+      - name: Build wxWidgets
+        if: steps.cache-wxwidgets.outputs.cache-hit != 'true'
+        run: |
+          ls -l ${{env.WX_ROOT}}
+          (cd src && make WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} wxbuild); cat ${{ env.WX_BUILD_DIR }}/config.log
+
+      - name: Build Veracrypt
+        run: cd src && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=1 package
+
+      - name: Show directory structure
+        run: |
+          ls -R .
+          ls -l src || true
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: '**/VeraCrypt*.dmg'
+
+

.gitignore

@@ -1,6 +1,16 @@
 # For those using Visual Studio Code for development
 .vscode/
 
+# Testing artifacts
+Tests/**/*.raw
+Tests/**/*.vol
+Tests/**/*.bin
+Tests/**/*.dmg
+Tests/**/*.vc
+Tests/**/*.key
+**/*Testing
+!src/Testing
+
 # CLion
 .idea/
 

README.md

@@ -1,3 +1,5 @@
+![build](./actions/workflows/build-macos.yml/badge.svg)
+
 This archive contains the source code of VeraCrypt.
 It is based on the original TrueCrypt 7.1a with security enhancements and modifications.
 

doc/html/Bluekeys.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
+<meta name="keywords" content="encryption, security"/>
+<link href="styles.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+
+<div>                      
+<a href="https://www.veracrypt.fr/en/Home.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
+</div>
+
+<div id="menu">
+	<ul>
+	  <li><a href="Home.html">Home</a></li>
+	  <li><a href="/code/">Source Code</a></li>
+	  <li><a href="Downloads.html">Downloads</a></li>
+	  <li><a class="active" href="Documentation.html">Documentation</a></li>
+	  <li><a href="Donation.html">Donate</a></li>
+	  <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
+	</ul>
+</div>
+
+<div>
+<p>
+<a href="Documentation.html">Documentation</a>           
+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
+<a href="Bluekeys.html">Bluekeys</a>
+</p></div>
+
+<div class="wikidoc">
+<h1>Bluekeys</h1>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+Security Tokens and Smart Cards, which support encryption (e.g. there are assymetric cryptography key on the card), can be used to issue blue key. 
+Blue key is just an ordinary keyfile encrypted using key stored on the smart card. Because usually it is not possible to extract the key from the smart card, 
+such a file could not be used independently from the card to decrypt the volume.<br><p>Please note that security tokens and smart cards are currently not 
+supported for Pre-Boot authentication of system encryption.</p></div>
+</div><div class="ClearBoth"></div></body></html>

doc/html/Keyfiles.html

@@ -80,6 +80,15 @@ <h1>Keyfiles</h1>
           smart cards protected by multiple PIN codes (which can be entered
           either using a hardware PIN pad or via the VeraCrypt GUI).
         </p>
+        <p>Optionally, keyfiles can be encrypted using PKCS-11 compliant security
+          tokens and smart cards. This provides additional level of security:
+          knowing the keyfile content is not enough, you also need a 
+          security token or smart card. See chapter
+          <a href="Bluekeys.html"
+             style="text-align: left; color: #0080c0; text-decoration: none.html"
+          ><em style="text-align: left;">Bluekeys</em></a
+          >.
+        </p>
         <p>
           EMV-compliant smart cards' data can be used as keyfile, see chapter
           <a

doc/html/Security Tokens & Smart Cards.html

@@ -35,7 +35,10 @@
 <div class="wikidoc">
 <h1>Security Tokens &amp; Smart Cards</h1>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-VeraCrypt supports security (or cryptographic) tokens and smart cards that can be accessed using the PKCS&nbsp;#11 (2.0 or later) protocol [23]. For more information, please see the section
+VeraCrypt supports security (or cryptographic) tokens and smart cards that can be accessed using the PKCS&nbsp;#11 (2.0 or later) protocol [23]. There are two way these devices can be used with VeraCrypt.
+<ul><li>As a secured storage for keyfiles. For more information, please see the section
 <em style="text-align:left">Security Tokens and Smart Cards</em> in the chapter <a href="Keyfiles%20in%20VeraCrypt.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
-<em style="text-align:left">Keyfiles</em></a>.<br><p>Please note that security tokens and smart cards are currently not supported for Pre-Boot authentication of system encryption.</p></div>
+<em style="text-align:left">Keyfiles</em></a></li>
+<li>As an additional encryption layer. For more infromation, please see <a href="Bluekeys.html" style="text-align:left; color:#0080c0; text-decoration:none"><em style="text-align:left">Bluekeys</em></a></li>
+</ul>.<br><p>Please note that security tokens and smart cards are currently not supported for Pre-Boot authentication of system encryption.</p></div>
 </div><div class="ClearBoth"></div></body></html>

src/Build/Include/Makefile.inc

@@ -10,11 +10,21 @@
 # code distribution packages.
 #
 
-$(NAME): $(NAME).a
+.PHONY: test-only lib $(NAME)
+
+ifeq "$(OBJS)" ""
+$(NAME): test-only
+else
+$(NAME): lib
+endif
+
+test-only: $(NAME)Testing $(NAME)Test.a
+lib: $(NAME).a $(NAME)Test.a $(NAME)Testing
 
 clean:
 	@echo Cleaning $(NAME)
 	rm -f $(APPNAME) $(NAME).a $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJARMV8CRYPTO) $(OBJS:.o=.d) $(OBJSEX:.oo=.d) $(OBJSNOOPT:.o0=.d) $(OBJSHANI:.oshani=.d) $(OBJSSSE41:.osse41=.d) $(OBJSSSSE3:.ossse3=.d) $(OBJARMV8CRYPTO:.oarmv8crypto=.d) *.gch
+	rm -f $(NAME)Testing.a $(NAME)Test.a $(TEST_OBJS)
 
 %.o: %.c
 	@echo Compiling $(<F)
@@ -36,6 +46,10 @@ clean:
 	@echo Compiling $(<F)
 	$(CC) $(CFLAGS) -mssse3 -c $< -o $@
 
+%Test.o: %Test.cpp
+	@echo Compiling test $(<F)
+	$(CXX) $(CXXFLAGS) -I$(BASE_DIR)/Testing -c $< -o $@
+
 %.oarmv8crypto: %.c
 	@echo Compiling $(<F)
 	$(CC) $(CFLAGS) -march=armv8-a+crypto -c $< -o $@
@@ -65,6 +79,8 @@ ifeq "$(PLATFORM)" "MacOSX"
 	@echo Assembling $(<F)
 	$(AS) $(ASFLAGS32) -f macho32 -o [email protected] $<
 	$(AS) $(ASFLAGS64) -f macho64 -o [email protected] $<
+	$(AS) $(ASFLAGS32) -f macho32 -o [email protected] $<
+	$(AS) $(ASFLAGS64) -f macho64 -o [email protected] $<
 	lipo -create [email protected] [email protected] -output $@
 else
 %.o: %.asm
@@ -104,6 +120,24 @@ TR_SED_BIN := tr '\n' ' ' | tr -s ' ' ',' | sed -e 's/^,//g' -e 's/,$$/n/' | tr
 
 
 $(NAME).a: $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJARMV8CRYPTO)
+ifneq "$(OBJS)" ""
 	@echo Updating library $@
 	$(AR) $(AFLAGS) -rc $@ $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(OBJSHANI) $(OBJSSSE41) $(OBJSSSSE3) $(OBJARMV8CRYPTO)
 	$(RANLIB) $@
+endif
+
+$(NAME)Test.a: $(TEST_OBJS)
+ifneq "$(TEST_OBJS)" ""
+	@echo Updating test library $@
+	$(AR) $(AFLAGS) -rcu $@ $(TEST_OBJS)
+	$(RANLIB) $@
+endif
+
+$(NAME)Testing: $(TEST_EXECS) $(OBJS) $(OBJSEX) $(OBJSNOOPT) $(LIBS) $(TEST_LIBS) $(TEST_OBJS)
+ifneq "$(TEST_EXECS)" ""
+	@for TE in $(TEST_EXECS); do \
+			export EXEC_NAME=`basename "$$TE" .o`; \
+			echo Compiling $${EXEC_NAME}Run; \
+			$(CXX) -o $${EXEC_NAME}Run $${TE} $(TEST_LIBS) $(TEST_OBJS) $(OBJS) $(LIBS) $(TEST_EXT_LIBS) $(LFLAGS) $(TEST_LFLAGS); \
+	done
+endif

src/Common/EMVCard.h

@@ -30,7 +30,7 @@ namespace VeraCrypt
         // object will be considered invalid and will not be included in the list of available cards
         // of EMVToken.
         vector<uint8> m_aid;
-        vector<vector<uint8>> m_supportedAids;
+        vector<vector<uint8> > m_supportedAids;
         vector<uint8> m_iccCert;
         vector<uint8> m_issuerCert;
         vector<uint8> m_cplcData;
@@ -44,7 +44,7 @@ namespace VeraCrypt
 		const static uint8 AMEX_AID[7];
 		const static uint8 MASTERCARD_AID[7];
 		const static uint8 VISA_AID[7];
-		const static map<EMVCardType, vector<uint8>> SUPPORTED_AIDS;
+		const static map<EMVCardType, vector<uint8> > SUPPORTED_AIDS;
 
         EMVCard();
 		EMVCard(size_t slotId);

src/Common/EMVToken.h

@@ -35,7 +35,7 @@ namespace VeraCrypt
 
 		friend void EMVTokenKeyfile::GetKeyfileData(vector <uint8>& keyfileData) const;
 
-		static map <unsigned long int, shared_ptr<EMVCard>> EMVCards;
+		static map <unsigned long int, shared_ptr<EMVCard> > EMVCards;
 	};
 }
 

src/Common/Language.xml

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <VeraCrypt>
   <localization prog-version="1.24-Update8">
     <language langid="en" name="English" en-name="English" version="0.0.0" translators="TrueCrypt/VeraCrypt Teams" />
@@ -1644,6 +1644,17 @@
     <entry lang="en" key="MOUNTPOINT_BLOCKED">ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.</entry>
     <entry lang="en" key="MOUNTPOINT_NOTALLOWED">ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.</entry>
     <entry lang="en" key="INSECURE_MODE">[INSECURE MODE]</entry>
+    <entry lang="en" key="IDC_SECURITY_TOKEN_KEY">Security token key</entry>
+    <entry lang="en" key="IDT_SECURITY_TOKENS">Security Tokens...</entry>
+    <entry lang="en" key="TOKEN_SLOT_ID">Slot ID</entry>
+    <entry lang="en" key="SELECT_TOKEN_KEYS">Select token keys</entry>
+    <entry lang="en" key="TOKEN_NAME">Token name</entry>
+    <entry lang="en" key="TOKEN_KEY_LABEL">Key label</entry>
+    <entry lang="en" key="IDM_REVEAL_REDKEY">Reveal Red Key...</entry>
+    <entry lang="en" key="REVEAL_REDKEY_INFO">This will produce decrypted keyfile which can be used without using the smart card, thus reducing security to two factors. This keyfile should be stored securely. Are you sure to continue?</entry>
+    <entry lang="en" key="REVEAL_REDKEY_DONE">Red key is saved</entry>
+    <entry lang="en" key="REVEAL_REDKEY_PATH">Choose file to save red key to</entry>
+    <entry lang="en" key="TOKEN_KEY_MECHANISM_LABEL">Mechanism</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">