VeraCrypt
path: root/src/Main/Unix/Main.cpp
blob: 5372fd317a5b21448aab60520e0d7790fbe621bf (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/*
 Copyright (c) 2008-2009 TrueCrypt Developers Association. All rights reserved.

 Governed by the TrueCrypt License 3.0 the full text of which is contained in
 the file License.txt included in TrueCrypt binary and source code distribution
 packages.
*/

#include "System.h"
#include <sys/mman.h>

#include "Platform/Platform.h"
#include "Platform/SystemLog.h"
#include "Volume/EncryptionThreadPool.h"
#include "Core/Unix/CoreService.h"
#include "Main/Application.h"
#include "Main/Main.h"
#include "Main/UserInterface.h"

#if defined (TC_MACOSX) && !defined (TC_NO_GUI)
#include <ApplicationServices/ApplicationServices.h>
#endif

using namespace VeraCrypt;

// Program entry point for the Unix build.
//
// Order of operations, as written below:
//   1. Prepend a fixed list of system directories to PATH.
//   2. If argv[1] equals TC_CORE_SERVICE_CMDLINE_OPTION, run
//      CoreService::ProcessElevatedRequests() and exit (0 when it returns, 1 when it throws).
//   3. Otherwise start the core service and the encryption thread pool, select the text or
//      graphic user interface, and hand control to wxEntry().
//
// On the normal path the return value is Application::GetExitCode().
int main (int argc, char **argv)
{
	try
	{
		// Make sure all required commands can be executed via default search path.
		// The fixed system directories come first, so a command name is looked up there
		// before any directory from the inherited PATH; the inherited value is appended,
		// not discarded.
		string sysPathStr = "/usr/sbin:/sbin:/usr/bin:/bin";
		
		char *sysPath = getenv ("PATH");
		if (sysPath)
		{
			sysPathStr += ":";
			sysPathStr += sysPath;
		}

		// NOTE(review): the return value of setenv() is not checked; if the call fails the
		// inherited PATH presumably stays in effect unchanged - confirm whether that matters
		// for the commands run later.
		setenv ("PATH", sysPathStr.c_str(), 1);

		// Service mode is selected purely by the first command-line argument.
		if (argc > 1 && strcmp (argv[1], TC_CORE_SERVICE_CMDLINE_OPTION) == 0)
		{
			// Process elevated requests
			try
			{
				CoreService::ProcessElevatedRequests();
				return 0;
			}
			catch (exception &e)
			{
				// The exception is logged only in DEBUG builds; in other builds it is
				// discarded and the only trace of the failure is exit status 1.
#ifdef DEBUG
				SystemLog::WriteException (e);
#endif
			}
			catch (...)	{ }	// any other exception type is dropped as well
			return 1;
		}

		// Start core service
		// NOTE(review): finally_do is a macro defined outside this file; presumably it runs
		// its body when the enclosing scope is left - TODO confirm.
		CoreService::Start();
		finally_do ({ CoreService::Stop(); });

		// Start encryption thread pool
		EncryptionThreadPool::Start();
		finally_do ({ EncryptionThreadPool::Stop(); });

		// Builds compiled with TC_NO_GUI always use the text interface.
#ifdef TC_NO_GUI
		bool forceTextUI = true;
#else
		bool forceTextUI = false;
#endif

		// On wxGTK builds, use the text interface when DISPLAY is not set.
#ifdef __WXGTK__
		if (!getenv ("DISPLAY"))
			forceTextUI = true;
#endif

		// Initialize application
		// Only argv[1] is examined for -t / --text.
		if (forceTextUI || (argc > 1 && (strcmp (argv[1], "-t") == 0 || strcmp (argv[1], "--text") == 0)))
		{
			Application::Initialize (UserInterfaceType::Text);
		}
		else
		{
#if defined (TC_MACOSX) && !defined (TC_NO_GUI)
			// Bring the process to the foreground when it was started with arguments, except
			// when the single argument begins with "-psn_".
			// NOTE(review): "-psn_" is presumably the process serial number argument added
			// when the application is launched from the desktop - confirm.
			if (argc > 1 && !(argc == 2 && strstr (argv[1], "-psn_") == argv[1]))
			{
				ProcessSerialNumber p;
				if (GetCurrentProcess (&p) == noErr)
				{
					TransformProcessType (&p, kProcessTransformToForegroundApplication);
					SetFrontProcess (&p);
				}
			}
#endif
			Application::Initialize (UserInterfaceType::Graphic);
		}

		// Assume failure until wxEntry() reports success.
		Application::SetExitCode (1);

		// Start application
		if (::wxEntry (argc, argv) == 0)
			Application::SetExitCode (0);
	}
	// The handlers below only print the error to the standard error streams; the exit code
	// is whatever Application::GetExitCode() holds when the handler finishes.
	// NOTE(review): there is no catch (...) on this outer try, so an exception of a type not
	// covered by these three handlers leaves main.
	catch (ErrorMessage &e)
	{
		wcerr << wstring (e) << endl;
	}
	catch (SystemException &e)
	{
		// Print what(), the system text and, when it is not empty, the subject.
		wstringstream s;
		if (e.GetSubject().empty())
			s << e.what() << endl << e.SystemText();
		else
			s << e.what() << endl << e.SystemText() << endl << e.GetSubject();
		wcerr << s.str() << endl;
	}
	catch (exception &e)
	{
		// Generic fallback: print the exception's type name followed by what().
		stringstream s;
		s << StringConverter::GetTypeName (typeid (e)) << endl << e.what();
		cerr << s.str() << endl;
	}

	return Application::GetExitCode();
}
security tokens and smart cards protected by multiple PIN codes (which can be entered either using a hardware PIN pad or via the VeraCrypt GUI). </p> <p> EMV-compliant smart cards' data can be used as a keyfile, see chapter <a href="EMV%20Smart%20Cards.html" style="text-align: left; color: #0080c0; text-decoration: none" > <em style="text-align: left">EMV Smart Cards</em></a >. </p> <p> Keyfiles are processed and applied to a password using the following method: </p> <ol> <li> Let <em>P</em> be a VeraCrypt volume password supplied by the user (may be empty) </li> <li>Let <em>KP</em> be the keyfile pool</li> <li> Let <em>kpl</em> be the size of the keyfile pool <em>KP</em>, in bytes (64, i.e., 512 bits); <p> <em>kpl</em> must be a multiple of the output size of a hash function <em>H</em> </p> </li> <li> Let <em>pl</em> be the length of the password <em>P</em>, in bytes (in the current version: 0 &le; <em>pl</em> &le; 64) </li> <li> If <em>kpl &gt; pl</em>, append (<em>kpl &ndash; pl</em>) zero bytes to the password <em>P</em> (thus <em>pl = kpl</em>) </li> <li> Fill the keyfile pool <em>KP</em> with <em>kpl</em> zero bytes. </li> <li> For each keyfile perform the following steps: <ol type="a"> <li> Set the position of the keyfile pool cursor to the beginning of the pool </li> <li>Initialize the hash function <em>H</em></li> <li> Load all bytes of the keyfile one by one, and for each loaded byte perform the following steps: <ol type="i"> <li> Hash the loaded byte using the hash function <em>H</em> without initializing the hash, to obtain an intermediate hash (state) <em>M.</em> Do not finalize the hash (the state is retained for next round). 
</li> <li> Divide the state <em>M</em> into individual bytes.<br /> For example, if the hash output size is 4 bytes, (<em>T</em><sub>0</sub> || <em>T</em><sub>1</sub> || <em>T</em><sub>2</sub> || <em>T</em><sub>3</sub>) = <em>M</em> </li> <li> Write these bytes (obtained in step 7.c.ii) individually to the keyfile pool with the modulo 2<sup>8</sup> addition operation (not by replacing the old values in the pool) at the position of the pool cursor. After a byte is written, the pool cursor position is advanced by one byte. When the cursor reaches the end of the pool, its position is set to the beginning of the pool. </li> </ol> </li> </ol> </li> <li> Apply the content of the keyfile pool to the password <em>P</em> using the following method: <ol type="a"> <li> Divide the password <em>P</em> into individual bytes <em>B</em><sub>0</sub>...<em>B</em><sub>pl-1</sub>.<br /> Note that if the password was shorter than the keyfile pool, then the password was padded with zero bytes to the length of the pool in Step 5 (hence, at this point the length of the password is always greater than or equal to the length of the keyfile pool). </li> <li> Divide the keyfile pool <em>KP</em> into individual bytes <em>G</em><sub>0</sub>...<em>G</em><sub>kpl-1</sub> </li> <li>For 0 &le; <em>i</em> &lt; <em>kpl</em> perform: <em>B</em><sub>i</sub> = <em>B</em><sub>i</sub> &oplus; <em>G</em><sub>i</sub></li> <li> <em>P</em> = <em>B</em><sub>0</sub> || <em>B</em><sub>1</sub> || ... || <em>B</em><sub>pl-2</sub> || <em>B</em><sub>pl-1</sub> </li> </ol> </li> <li> The password <em>P</em> (after the keyfile pool content has been applied to it) is now passed to the header key derivation function PBKDF2 (PKCS #5 v2), which processes it (along with salt and other data) using a cryptographically secure hash algorithm selected by the user (e.g., SHA-512). See the section <a href="Header%20Key%20Derivation.html"> <em>Header Key Derivation, Salt, and Iteration Count</em></a > for more information. 
</li> </ol> <p> The role of the hash function <em>H</em> is merely to perform diffusion [2]. CRC-32 is used as the hash function <em>H</em>. Note that the output of CRC-32 is subsequently processed using a cryptographically secure hash algorithm: The keyfile pool content (in addition to being hashed using CRC-32) is applied to the password, which is then passed to the header key derivation function PBKDF2 (PKCS #5 v2), which processes it (along with salt and other data) using a cryptographically secure hash algorithm selected by the user (e.g., SHA-512). The resultant values are used to form the header key and the secondary header key (XTS mode). </p> <p>&nbsp;</p> <p> <a href="Personal%20Iterations%20Multiplier%20%28PIM%29.html" style="text-align: left; color: #0080c0; text-decoration: none; font-weight: bold;" >Next Section &gt;&gt;</a > </p> </div> </div> <div class="ClearBoth"></div> </body> </html>