* Honor --no-size-check when creating file containers via the CLI
The text-mode volume creation path clamps the maximum allowed volume
size to the available free disk space and never consults
ArgDisableFileSizeCheck, so the documented --no-size-check switch has no
effect when creating a file-hosted container with `--text --create`.
The flag is honored by the GUI wizard (Forms/VolumeSizeWizardPage.cpp)
but was missing from the text UI, making it impossible to create a
(sparse) container larger than the current free space from the command
line -- even though such a container is perfectly valid on filesystems
with sparse-file support (e.g. APFS, ext4, NTFS) and is exactly what the
flag exists to allow.
Skip the free-space clamp when --no-size-check is set, mirroring the GUI
behavior.
* Fix max volume size handling with no-size-check
Keep the max size sentinel and interactive max choice bounded by available disk space even when --no-size-check allows explicit sparse container sizes beyond the current free space.
---------
Co-authored-by: Damian Rickard <damian@rickard.us>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
The privileged CoreService handler for SetFileOwnerRequest passed the
client-supplied path straight to chown() as root with no validation --
unlike the adjacent APFS formatter handler, which strictly validates its
device argument. Every legitimate macOS caller of the elevated
SetFileOwner targets a real disk device node (/dev/[r]diskN[sM]), so a
crafted IPC request, or a symlink planted at the target, could otherwise
make the root process change ownership of an arbitrary path.
Validate the target service-side: require the strict device-path form
already used by the formatter, and lstat() it to confirm a block or
character device (rejecting symlinks rather than following them) before
the chown.
Co-authored-by: Damian Rickard <damian@rickard.us>
The Blake2b hash class (BLAKE2b-512) was fully implemented but never
registered in Hash::GetAvailableAlgorithms(), so it was absent from the
Random Pool Enrichment, Keyfile Generator and Benchmark dialogs on
Linux/macOS. In particular, when Argon2 is selected as the volume PRF,
the RNG pool hash is set to BLAKE2b-512, but the Random Pool Enrichment
dialog could neither display nor pre-select it, diverging from Windows
which offers BLAKE2b-512 in the same dialog.
Register Blake2b after Streebog (matching the Crypto.c PRF order). Its
64-byte digest divides RNG_POOL_SIZE (320), so the HashMixPool size
constraint holds, and blake2b.o is always built in non-wolfCrypt builds.
Also make Pkcs5Kdf::GetAlgorithm(const Hash&) Argon2-aware by removing
the unconditional skip of the Argon2 KDF, so a BLAKE2b-512 hash now maps
to the Argon2 KDF instead of throwing.
Document BLAKE2b-512 and Argon2id usage in the HTML/CHM user guide and Russian/Chinese translations. Clarify Argon2id's non-system scope, PBKDF2-HMAC system encryption behavior, PIM parameters, and regenerate the CHM files.
The fixed-size data pool used by LoadLanguageData() in
src/Common/Language.c stores the embedded English XML strings plus the
selected language's XML strings. When AddPoolData() returns NULL
because the 1 MB DATA_POOL_CAPACITY is exhausted, LoadLanguageData()
aborts and returns FALSE. The callers ignore the return value, so the
dictionary is left partially populated: later XML entries (many
controls, warnings and newer dialogs) are missing while earlier
entries, including most menu items, remain translated.
Since 1.26.24 the XML language files have grown enough that several
languages now overflow the pool (e.g. Corsican, French, German and
Dutch).
Increase DATA_POOL_CAPACITY in src/Common/Dictionary.h from 1 MB to
4 MB to accommodate current and near-future translations.
This regression only affects the Windows version, which uses the
Win32/C localization path with this fixed pool. Linux and macOS use
wxWidgets/wxTranslations and do not use src/Common/Dictionary.c for
GUI localization.
Fixes: GH-1587
Use plain objects for x86 intrinsic helper translation units only when building a local arm64-only macOS development binary. Universal macOS builds on Apple Silicon continue to use feature-specific suffix rules so the x86_64 slice keeps the required compiler flags.
Addresses the Apple Silicon Homebrew build failure reported in PR #1678. Credit to Audrius Buika for the original fix proposal and to Damian Rickard for confirming the issue on current master.
- Remove the redundant TC_STR_RELEASE_DATE define from Common/Tcdefs.h
- Add preprocessor helpers to convert TC_RELEASE_DATE_YEAR/MONTH/DAY into
the same "Month Day, Year" wide string used by TC_STR_RELEASED_BY
- Update source_date_epoch.sh to derive SOURCE_DATE_EPOCH from the three
numeric date defines only, removing the string-date parsing fallback
A SourceForge report pointed out that the password-change and header-KDF dialogs reused the current custom PIM when the user selected a different KDF. That was harmless when all choices used the same PBKDF2 PIM scale, but it is wrong with Argon2 because the same numeric PIM has different security and performance meaning.
Avoid silently carrying a custom PIM across KDF changes in both the Windows and wx dialogs. If the new KDF differs from the current one and the user has not explicitly opened the New PIM field, use the default PIM for the selected KDF instead. Keep preserving the current PIM when the KDF is unchanged.
Enable explicit New PIM entry in the header KDF-only flow, warn before resetting an existing custom PIM to the new KDF default, and validate explicitly entered KDF-only PIM values.
Report the new KDF from the Windows dialog as well as the new PIM so favorite volumes update both stored PIM and pinned KDF metadata after password or header KDF changes, including system favorites. Add translation fallbacks, documentation, and release notes for the new behavior.
Allow reproducible makeself finalization to run with Python 2.6+ or Python 3 by avoiding Python 3-only syntax and probing python3, python, then python2.
Return a structured internal result for favorite mount batches instead of combining a BOOL return value with optional out parameters.
Keep the public MountFavoriteVolumes API unchanged and preserve favorite-on-arrival cancellation and drive-letter handling semantics.
Add a cancel callback and batch abort flag so auto-mount-all stops after dialog cancellation.
Mark MountVolume ERR_USER_ABORT with ERROR_CANCELLED so external /cancelmount also stops the scan.
Add a root-driver abort IOCTL that bypasses the mount control mutex and sets cooperative KDF abort flags for the active mount.
Restrict abort requests to privileged callers or to the user that initiated the pending mount, and retry early wait-dialog cancel requests until the driver has registered the cancellable mount context.
Wire the wait dialog Cancel button to send the abort request through a fresh driver handle, and propagate ERR_USER_ABORT through header/cache processing.
Add a /cancelmount command-line switch that sends the same abort request without displaying UI, so users can cancel hidden-wait-dialog mount operations from another process.
Run the install(SCRIPT) mtime/mode clamp for every CPack generator instead of
only the DEB branch, so the RPM payload staging tree is normalised the same way
before rpmbuild sees it. Payload file timestamps and permissions are therefore
reproducible on any rpm version.
For the RPM header, set the spec %defines that pin BuildTime to
SOURCE_DATE_EPOCH (use_source_date_epoch_as_buildtime, which consumes the
exported environment variable) and BuildHost to a fixed value (_buildhost), and
clamp payload mtimes through both the legacy clamp_mtime_to_source_date_epoch
macro and its modern build_mtime_policy replacement. source_date_epoch_from_changelog
is disabled so CPack's placeholder changelog date cannot hijack the epoch.
These macros only exist on rpm >= 4.14 (buildtime/mtime) and >= 4.18
(buildhost). To make the two header fields reproducible on older rpm as well
(CentOS/RHEL 7, rpm < 4.14), add a small libc-interposition shim
(Build/Tools/repro_buildstamp.c) that pins time() and the build hostname,
LD_PRELOAD'ed onto cpack's rpmbuild child by the RPM packaging wrappers. The
shim calls the real uname() and overwrites only nodename, leaving architecture
detection intact, never overrides monotonic clocks, and defers to the real
time() when SOURCE_DATE_EPOCH is unset so a missing epoch is a no-op rather than
a frozen 1970 clock. It is enabled only after it compiles and loads cleanly;
otherwise packaging proceeds without it, because a preload that fails to load
would emit an ld.so error that rpm's check-buildroot script turns into a fatal
%install error.
Derive and export SOURCE_DATE_EPOCH in the rpm and openSUSE wrappers the same
way the deb wrapper already does, mark both wrappers executable, and note in the
README that .deb and .rpm packages are reproducible including on older rpm.
Keep caller-provided SOURCE_DATE_EPOCH authoritative and derive the automatic default through a shared helper used by the Makefile, direct CMake/CPack packaging, and the deb packaging wrapper.
When repository metadata is available, use the HEAD commit timestamp without relying on git -C. Resolve the source root before probing Git so symlinked source paths still use the checkout HEAD. For source tarballs without .git, derive the fallback timestamp from the release date encoded in Common/Tcdefs.h instead of the stale 2020-01-01 constant.
Add TC_RELEASE_DATE_DAY and validate it together with TC_RELEASE_DATE_YEAR, TC_RELEASE_DATE_MONTH, and TC_STR_RELEASE_DATE. Abort when no valid timestamp can be derived.
For direct CMake invocation, initialize SOURCEPATH when the wrapper has not provided it, use the shared helper for derivation, validate the result, and export it for package targets. Also persist the configured epoch through CPACK_PROJECT_CONFIG_FILE so later standalone cpack --config runs export the same value before invoking package generators.
Document that automatic git-checkout builds and release-tarball builds intentionally use different epochs; release reproducers should build from the tarball or set SOURCE_DATE_EPOCH explicitly.
Add a KDF checklist to the Windows benchmark dialog while keeping all algorithms selected by default.
Filter KDF benchmark execution to the checked algorithms and silently skip when none are selected.
Reuse existing KDF localization strings and keep Language.xml unchanged.
Guard BLAKE2s x86 SIMD dispatch on compiled SSE2 intrinsic support so NOSSE2 builds do not reference missing compressor symbols.
Make Argon2 AVX2/SSE2 stubs fall back to the next available implementation instead of returning ARGON2_INCORRECT_PARAMETER when runtime CPU flags outpace build capabilities.
Emit NASM-compatible .pdata/.xdata records for the x64 table AES routines and AES-NI 32-block paths.
Describe the nonvolatile GP and XMM6-XMM15 saves so kernel stack unwinding can cross these routines reliably.
Gate the metadata on win64 output so ELF and Mach-O builds keep their existing assembly paths.
Only call the one-block assembly helper when one block remains after the three-block loop.
This prevents zero-block and multiple-of-three requests from reading and writing one extra block past the caller buffer.
Add a Twofish multiblock self-test covering block counts 0 through 9.
Align CRYPTO_INFO primary and secondary key-schedule buffers so cipher implementations can safely use word-sized schedule access on VeraCrypt-managed storage.
Keep generic Camellia direct uint64 schedule indexing. Builds that define CRYPTOPP_ALLOW_UNALIGNED_DATA_ACCESS use direct 64-bit key and block byte loads/stores; memcpy is retained only for strict-alignment builds.
Require SSSE3 before using the x64 AESNI 16-way Camellia path because the assembly uses pshufb in addition to AES and AVX.
CRYPTOPP_BOOL_X64 is defined as 0 on non-x64 builds, so #ifdef made HasSSE2() and HasISSE() always true. Use #if so non-x64 builds follow runtime feature detection and DisableCPUExtendedFeatures().
Ensure SHA-256 and SHA-512 PBKDF cancellation paths restore saved extended processor state before cleanup. Remove unnecessary extended-state save/restore around BLAKE2s, which does not use AVX in the current implementation.
Hidden volumes are forced to quick format to avoid rewriting the hidden data area. Keep that behavior while skipping the file-container allocation shortcut that writes plaintext zero sectors at 128 MiB intervals.
The allocation shortcut remains enabled for non-hidden file containers; hidden containers now use only the encrypted formatter write path for sectors that are written.
Enhance build_msi_x64.bat to enumerate installed Windows Kits 10 SDK bin directories matching 10.* and select the newest x86 path that contains the MSI tools.
Keep VC_DIR_PLATFORMSDK as the first override and preserve the existing fixed SDK fallback paths for older installations.
Require MsiInfo.exe during discovery as well as msitran.exe and msidb.exe so the selected SDK path supports the final MSI metadata step.
Replace outdated Visual Studio 2010/2019 and legacy Windows SDK 7.1, WDK 7.1, and Windows 8.1 SDK guidance with the current Visual Studio 2022/v143 toolchain, Windows 10/11 SDK, and WDK requirements.
Document NASM, YASM, WiX Toolset v3.x, signtool.exe, and optional legacy BIOS bootloader tools separately. Update the build flow for x64, ARM64, Win32 setup/helper projects, and explicit Driver project builds.
Align the zh-cn and ru translated guides with the updated English content while preserving their existing translation style. Fix test certificate paths to use src/Signing/TestCertificate.
Route Linux GUI mounted-volume opens through Windows Explorer when WSL interop is available, before falling back to xdg-open and known file managers.
Detect WSL by checking for /usr/bin/wslinfo and /usr/bin/wslpath, build the target path from the WSL root UNC so /mnt/<drive> mount points stay in the WSL VFS overlay, and launch Explorer directly so the folder argument is preserved.
BMI2 support is advertised by CPUID leaf 7, subleaf 0, EBX bit 8. The previous early assignment used CPUID leaf 1 EBX bit 8, which is not the BMI2 feature bit and could leave a bogus fallback value before vendor-specific leaf 7 detection.
Keep BMI2 detection based on the leaf 7 result only. Unlike AVX2, BMI2 is GPR-only and does not require an OS/XCR0 state gate.
Also save the max basic CPUID leaf immediately after CPUID leaf 0. The AMD/Hygon path reuses the cpuid buffer for leaf 0x80000005 before checking whether leaf 7 is available, so using the saved max basic leaf prevents RDSEED, AVX2, and BMI2 detection from being skipped because that buffer was clobbered.
AVX2 support is advertised by CPUID leaf 7, subleaf 0, EBX bit 5. The previous early assignment used cpuid1[1] bit 5, which is CPUID leaf 1 EBX and is not the AVX2 feature bit.
Record the leaf 7 AVX2 bit separately and assign g_hasAVX2 only after vendor-specific detection has completed. The final value is now gated by g_hasAVX, which reflects the OS/XCR0 AVX state check, so AVX2 code is not selected unless both the CPU and OS state support it.
Move the Unmount All mnemonic away from the single-volume Unmount action in the Windows resources and affected language files. This keeps the two main actions reachable through distinct keyboard accelerators across packaged translations.
Fixes https://github.com/veracrypt/VeraCrypt/issues/1751
damianrickard
Mounir IDRASSI
Matthaiks
VastBlast