Document fixed Argon2id header key size

Argon2id includes the requested output length in its computation, so deriving 192 bytes and using a prefix is not equivalent to deriving only the selected cipher's key material length. This differs from PBKDF2, where the prefix property made this detail invisible.

VeraCrypt derives the maximum header key material currently needed by the supported cipher/cascade set, which is 192 bytes, and then uses the required prefix for the selected encryption algorithm. For AES-XTS this means the first 64 bytes of the 192-byte Argon2id output are used.

Make this design rule explicit in code and documentation by introducing ARGON2_HEADER_KEYDATA_SIZE instead of relying implicitly on GetMaxPkcs5OutSize. If a future cipher or cascade requires more than 192 bytes, that must be handled as an explicit format/design change.

Document the 192-byte Argon2id header KDF output requirement so third-party implementations derive the same header key material.

References: https://github.com/veracrypt/VeraCrypt/issues/1614

src/Volume/VolumeHeader.cpp

@@ -100,13 +100,13 @@ namespace VeraCrypt
 
 		ConstBufferPtr salt (encryptedData.GetRange (SaltOffset, SaltSize));
 		SecureBuffer header (EncryptedHeaderDataSize);
-		SecureBuffer headerKey (GetLargestSerializedKeySize());
 
 		foreach (shared_ptr <Pkcs5Kdf> pkcs5, keyDerivationFunctions)
 		{
 			if (kdf && (kdf->GetName() != pkcs5->GetName()))
 				continue;
 
+			SecureBuffer headerKey (GetHeaderKeyDerivationSize (pkcs5));
 			int derivationResult = pkcs5->DeriveKey (headerKey, password, pim, salt);
 			if (derivationResult != 0)
 			{
@@ -118,26 +118,32 @@ namespace VeraCrypt
 
 			foreach (shared_ptr <EncryptionMode> mode, encryptionModes)
 			{
-                            #ifdef WOLFCRYPT_BACKEND
-                                if (typeid (*mode) != typeid (EncryptionModeWolfCryptXTS))
-                            #else
-                                if (typeid (*mode) != typeid (EncryptionModeXTS))
-                            #endif
-                                    mode->SetKey (headerKey.GetRange (0, mode->GetKeySize()));
+				#ifdef WOLFCRYPT_BACKEND
+				bool xtsMode = typeid (*mode) == typeid (EncryptionModeWolfCryptXTS);
+				#else
+				bool xtsMode = typeid (*mode) == typeid (EncryptionModeXTS);
+				#endif
+
+				if (!xtsMode)
+				{
+					if (mode->GetKeySize() > headerKey.Size())
+						continue;
+					mode->SetKey (headerKey.GetRange (0, mode->GetKeySize()));
+				}
 
 				foreach (shared_ptr <EncryptionAlgorithm> ea, encryptionAlgorithms)
 				{
 					if (!ea->IsModeSupported (mode))
 						continue;
 
-                                    #ifndef WOLFCRYPT_BACKEND
-					if (typeid (*mode) == typeid (EncryptionModeXTS))
+					size_t requiredHeaderKeySize = xtsMode ? ea->GetKeySize() * 2 : LegacyEncryptionModeKeyAreaSize + ea->GetKeySize();
+					if (requiredHeaderKeySize > headerKey.Size())
+						continue;
+
+					if (xtsMode)
 					{
-                                           ea->SetKey (headerKey.GetRange (0, ea->GetKeySize()));
-                                    #else
-					if (typeid (*mode) == typeid (EncryptionModeWolfCryptXTS))
-					{
-                                              ea->SetKey (headerKey.GetRange (0, ea->GetKeySize()));
+						ea->SetKey (headerKey.GetRange (0, ea->GetKeySize()));
+                                    #ifdef WOLFCRYPT_BACKEND
 						ea->SetKeyXTS (headerKey.GetRange (ea->GetKeySize(), ea->GetKeySize()));
                                     #endif
 
@@ -319,6 +325,16 @@ namespace VeraCrypt
 			Pkcs5 = newPkcs5Kdf;
 	}
 
+	size_t VolumeHeader::GetHeaderKeyDerivationSize (shared_ptr <Pkcs5Kdf> kdf)
+	{
+	#ifndef VC_DCS_DISABLE_ARGON2
+		if (kdf && kdf->IsArgon2())
+			return ARGON2_HEADER_KEYDATA_SIZE;
+	#endif
+
+		return GetLargestSerializedKeySize();
+	}
+
 	size_t VolumeHeader::GetLargestSerializedKeySize ()
 	{
 		size_t largestKey = EncryptionAlgorithm::GetLargestKeySize (EncryptionAlgorithm::GetAvailableAlgorithms());