Add PIV smart card keyfile encryption

.github/workflows/build-macos.yml

@@ -0,0 +1,124 @@
+name: Build and test macOS
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  create:
+    tags:
+      - '*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  WX_BUILD_DIR: ${{ github.workspace }}/wxbuild
+  WX_ROOT: ${{ github.workspace }}/wxsrc
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ${{matrix.runner}}
+    strategy:
+      matrix:
+        runner: [macos-13]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      - name: Download Packages
+        uses: carlosperate/[email protected]
+        id: download-packages
+        with:
+          file-url: 'http://s.sudre.free.fr/Software/files/Packages.dmg'
+          file-name: 'Packages.dmg'
+          location: '.'
+
+      - name: Download macFUSE
+        uses: carlosperate/[email protected]
+        id: download-macfuse
+        with:
+          file-url: 'https://github.com/osxfuse/osxfuse/releases/download/macfuse-4.5.0/macfuse-4.5.0.dmg'
+          file-name: 'macfuse.dmg'
+          location: '.'
+
+      - name: Download pkg-config
+        uses: carlosperate/[email protected]
+        id: download-pkg-config
+        with:
+          file-url: 'https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz'
+          file-name: pkg-config-0.28.tar.gz
+          location: '.'
+
+      - name: Mount Packages
+        run: sudo hdiutil attach Packages.dmg
+
+      - name: Mount macFUSE
+        run: sudo hdiutil attach macfuse.dmg 
+
+      - name: List Volumes directory context
+        run: ls -latr /Volumes || true
+
+      - name: Install Packages
+        run: sudo installer -pkg "/Volumes/Packages 1.2.10/Install Packages.pkg" -target /
+
+      - name: Install macFUSE
+        run: sudo installer -pkg "/Volumes/macFUSE/Install macFUSE.pkg" -target /     
+
+      - name: Build and install pkg-config
+        run: tar xvf pkg-config-0.28.tar.gz && cd pkg-config-0.28 && ./configure && make && sudo make install
+
+      - name: Install yasm
+        run: brew install yasm
+
+      - uses: actions/cache@v2
+        name: Cache/restore wxWidgets
+        id: cache-wxwidgets
+        with:
+          path: |
+            ${{ env.WX_ROOT }}
+            ${{ env.WX_BUILD_DIR }}
+          key: wxwidgets
+
+      - uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: latest-stable
+
+      - uses: actions/checkout@v2
+        name: Checkout wxWidgets
+        with:
+          repository: 'wxWidgets/wxWidgets'
+          ref: 'v3.2.5'
+          path: ${{ env.WX_ROOT }}
+          submodules: 'recursive'
+
+      - name: Show Xcode used
+        run: |
+          SDK_VERSION=$(xcrun --show-sdk-version); xcrun --show-sdk-path; xcrun --sdk macosx${SDK_VERSION} --show-sdk-path
+          
+      - name: Build wxWidgets
+        if: steps.cache-wxwidgets.outputs.cache-hit != 'true'
+        run: |
+          ls -l ${{env.WX_ROOT}}
+          (cd src && make WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} wxbuild); cat ${{ env.WX_BUILD_DIR }}/config.log
+
+      - name: Build Veracrypt
+        run: cd src && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=1 package
+
+      - name: Show directory structure
+        run: |
+          ls -R .
+          ls -l src || true
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: '**/VeraCrypt*.dmg'
+
+

.github/workflows/main.yml

@@ -0,0 +1,128 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CI
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  create:
+    tags:
+      - '*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  WX_BUILD_DIR: ${{ github.workspace }}/wxbuild
+  WX_ROOT: ${{ github.workspace }}/wxsrc
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ${{matrix.runner}}
+    strategy:
+      matrix:
+        runner: [macos-13]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      - name: Download Packages
+        uses: carlosperate/[email protected]
+        id: download-packages
+        with:
+          file-url: 'http://s.sudre.free.fr/Software/files/Packages.dmg'
+          file-name: 'Packages.dmg'
+          location: '.'
+
+      - name: Download macFUSE
+        uses: carlosperate/[email protected]
+        id: download-macfuse
+        with:
+          file-url: 'https://github.com/osxfuse/osxfuse/releases/download/macfuse-4.5.0/macfuse-4.5.0.dmg'
+          file-name: 'macfuse.dmg'
+          location: '.'
+
+      - name: Download pkg-config
+        uses: carlosperate/[email protected]
+        id: download-pkg-config
+        with:
+          file-url: 'https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz'
+          file-name: pkg-config-0.28.tar.gz
+          location: '.'
+
+      - name: Mount Packages
+        run: sudo hdiutil attach Packages.dmg
+
+      - name: Mount macFUSE
+        run: sudo hdiutil attach macfuse.dmg 
+
+      - name: List Volumes directory context
+        run: ls -latr /Volumes || true
+
+      - name: Install Packages
+        run: sudo installer -pkg "/Volumes/Packages 1.2.10/Install Packages.pkg" -target /
+
+      - name: Install macFUSE
+        run: sudo installer -pkg "/Volumes/macFUSE/Install macFUSE.pkg" -target /     
+
+      - name: Build and install pkg-config
+        run: tar xvf pkg-config-0.28.tar.gz && cd pkg-config-0.28 && ./configure && make && sudo make install
+
+      - name: Install yasm
+        run: brew install yasm
+
+      - uses: actions/cache@v2
+        name: Cache/restore wxWidgets
+        id: cache-wxwidgets
+        with:
+          path: |
+            ${{ env.WX_ROOT }}
+            ${{ env.WX_BUILD_DIR }}
+          key: wxwidgets
+
+      - uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: latest-stable
+
+      - uses: actions/checkout@v2
+        name: Checkout wxWidgets
+        with:
+          repository: 'wxWidgets/wxWidgets'
+          ref: 'v3.2.5'
+          path: ${{ env.WX_ROOT }}
+          submodules: 'recursive'
+
+      - name: Show Xcode used
+        run: |
+          SDK_VERSION=$(xcrun --show-sdk-version); xcrun --show-sdk-path; xcrun --sdk macosx${SDK_VERSION} --show-sdk-path
+          
+      - name: Build wxWidgets
+        if: steps.cache-wxwidgets.outputs.cache-hit != 'true'
+        run: |
+          ls -l ${{env.WX_ROOT}}
+          (cd src && make WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} wxbuild); cat ${{ env.WX_BUILD_DIR }}/config.log
+
+      - name: Build Veracrypt
+        run: cd src && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=FULL WX_ROOT=${{env.WX_ROOT}} WX_BUILD_DIR=${{env.WX_BUILD_DIR}} && make LOCAL_DEVELOPMENT_BUILD=true WXSTATIC=1 package
+
+      - name: Show directory structure
+        run: |
+          ls -R .
+          ls -l src || true
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: '**/VeraCrypt*.dmg'
+
+

.gitignore

@@ -1,6 +1,16 @@
 # For those using Visual Studio Code for development
 .vscode/
 
+# Testing artifacts
+Tests/**/*.raw
+Tests/**/*.vol
+Tests/**/*.bin
+Tests/**/*.dmg
+Tests/**/*.vc
+Tests/**/*.key
+**/*Testing
+!src/Testing
+
 # CLion
 .idea/
 

README.md

@@ -1,3 +1,5 @@
+![build](./actions/workflows/build-macos.yml/badge.svg)
+
 This archive contains the source code of VeraCrypt.
 It is based on the original TrueCrypt 7.1a with security enhancements and modifications.
 

doc/html/Bluekeys.html

@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<title>VeraCrypt - Free Open source disk encryption with strong security for the Paranoid</title>
+<meta name="description" content="VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files."/>
+<meta name="keywords" content="encryption, security"/>
+<link href="styles.css" rel="stylesheet" type="text/css" />
+</head>
+<body>
+
+<div>                      
+<a href="https://www.veracrypt.fr/en/Home.html"><img src="VeraCrypt128x128.png" alt="VeraCrypt"/></a>
+</div>
+
+<div id="menu">
+	<ul>
+	  <li><a href="Home.html">Home</a></li>
+	  <li><a href="/code/">Source Code</a></li>
+	  <li><a href="Downloads.html">Downloads</a></li>
+	  <li><a class="active" href="Documentation.html">Documentation</a></li>
+	  <li><a href="Donation.html">Donate</a></li>
+	  <li><a href="https://sourceforge.net/p/veracrypt/discussion/" target="_blank">Forums</a></li>
+	</ul>
+</div>
+
+<div>
+<p>
+<a href="Documentation.html">Documentation</a>           
+<img src="arrow_right.gif" alt=">>" style="margin-top: 5px">
+<a href="Bluekeys.html">Bluekeys</a>
+</p></div>
+
+<div class="wikidoc">
+<h1>Bluekeys</h1>
+<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
+Security Tokens and Smart Cards, which support encryption (e.g. there are assymetric cryptography key on the card), can be used to issue blue key. 
+Blue key is just an ordinary keyfile encrypted using key stored on the smart card. Because usually it is not possible to extract the key from the smart card, 
+such a file could not be used independently from the card to decrypt the volume.<br><p>Please note that security tokens and smart cards are currently not 
+supported for Pre-Boot authentication of system encryption.</p></div>
+</div><div class="ClearBoth"></div></body></html>

doc/html/Keyfiles.html

@@ -80,6 +80,15 @@ <h1>Keyfiles</h1>
           smart cards protected by multiple PIN codes (which can be entered
           either using a hardware PIN pad or via the VeraCrypt GUI).
         </p>
+        <p>Optionally, keyfiles can be encrypted using PKCS-11 compliant security
+          tokens and smart cards. This provides additional level of security:
+          knowing the keyfile content is not enough, you also need a 
+          security token or smart card. See chapter
+          <a href="Bluekeys.html"
+             style="text-align: left; color: #0080c0; text-decoration: none.html"
+          ><em style="text-align: left;">Bluekeys</em></a
+          >.
+        </p>
         <p>
           EMV-compliant smart cards' data can be used as keyfile, see chapter
           <a

doc/html/Security Tokens & Smart Cards.html

@@ -35,7 +35,10 @@
 <div class="wikidoc">
 <h1>Security Tokens &amp; Smart Cards</h1>
 <div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
-VeraCrypt supports security (or cryptographic) tokens and smart cards that can be accessed using the PKCS&nbsp;#11 (2.0 or later) protocol [23]. For more information, please see the section
+VeraCrypt supports security (or cryptographic) tokens and smart cards that can be accessed using the PKCS&nbsp;#11 (2.0 or later) protocol [23]. There are two way these devices can be used with VeraCrypt.
+<ul><li>As a secured storage for keyfiles. For more information, please see the section
 <em style="text-align:left">Security Tokens and Smart Cards</em> in the chapter <a href="Keyfiles%20in%20VeraCrypt.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
-<em style="text-align:left">Keyfiles</em></a>.<br><p>Please note that security tokens and smart cards are currently not supported for Pre-Boot authentication of system encryption.</p></div>
+<em style="text-align:left">Keyfiles</em></a></li>
+<li>As an additional encryption layer. For more infromation, please see <a href="Bluekeys.html" style="text-align:left; color:#0080c0; text-decoration:none"><em style="text-align:left">Bluekeys</em></a></li>
+</ul>.<br><p>Please note that security tokens and smart cards are currently not supported for Pre-Boot authentication of system encryption.</p></div>
 </div><div class="ClearBoth"></div></body></html>