The volume size page populates the unit wxChoice after the generated base class has already fit the empty control. On macOS this can leave the closed choice too narrow, truncating MiB to .... Measure the localized unit labels after appending them and set a sufficient minimum width.
On Unix and macOS, the hidden volume wizard estimates the available space for non-FAT outer filesystems using statvfs(). The previous calculation used f_bsize with f_bavail, which can overstate available bytes on macOS exFAT because f_bsize may be the preferred I/O size instead of the fragment size associated with the block counts.
Use f_frsize when it is reported, fall back to f_bsize, and clamp the non-FAT estimate to the actual outer VeraCrypt data size before applying the existing 80% safety heuristic.
Also harden hidden volume creation in both the cross-platform VolumeCreator path and the Windows/common formatting path by rejecting sizes that would exceed the hidden host data area and overlap volume header space.
Fixes#1037
Bundle the FUSE2 userspace library inside the AppImage AppDir and make AppRun prefer APPDIR/usr/lib. This lets the bundled VeraCrypt binary resolve libfuse.so.2 on systems where FUSE2 userspace packages are no longer installed by default.
Name AppImage artifacts according to the GTK backend detected during the build. GTK3 builds keep the default VeraCrypt-<version>-<arch>.AppImage name, while GTK2 builds use a gtk2-legacy suffix to distinguish the legacy compatibility artifact.
Include immintrin.h in the Argon2 AVX2 implementation so GCC toolchains such as the one on CentOS 7 see the AVX2 intrinsic types when compiling with -mavx2.
Refs: https://github.com/veracrypt/VeraCrypt/issues/1595
CentOS 6 builds VeraCrypt with GCC 4.4.7 and -std=c++0x. That compiler does not support range-based for loops, and its libstdc++ does not provide std::string::back() or std::string::pop_back().
Avoid those constructs in the affected Unix/Linux code paths: use VeraCrypt's existing foreach helper when iterating PKCS#11 object handles, and use indexing plus erase() when trimming trailing slashes from PATH entries.
This keeps the code valid for newer Linux toolchains while restoring compatibility with the CentOS 6 build environment.
Stage VeraCrypt and wxWidgets sources under the SDK package directory before rendering the OpenWrt package Makefile. The generated recipe now refers only to fixed package-local paths, so checkout and work directory names are no longer parsed as GNU Make syntax or passed unquoted through recipe source arguments.
Validate VeraCrypt and wxWidgets version tokens before substituting them into generated package metadata. This prevents unexpected Make metacharacters from entering the generated OpenWrt recipe while preserving normal dotted release versions.
Quote OpenWrt QEMU test container-size values with the existing shell quoting helper, matching the password handling and preventing user-supplied size text from being split or interpreted by the guest shell.
OpenBSD builds were relying on ggod to generate embedded resource
headers. That tool is not available on a stock OpenBSD 7.9 install,
and using base od directly is not a safe substitute because it emits
zero-padded decimal values such as 060 and 098. Those tokens are then
included in C++ source and parsed as octal constants, which either
changes values or fails compilation.
Use hexdump with an explicit unsigned-byte format for OpenBSD. It is
part of the base system and emits unpadded decimal byte values suitable
for the existing resource-header pipeline.
The text-mode binary also crashed on normal process exit on OpenBSD,
including after --version, --test, create, mount, list, and dismount.
GDB showed the crash in libpcsclite_real during SCardReleaseContext(),
called from the static SCardManager destructor. This happened even for
commands that did not use EMV or security-token support because the
static manager constructor eagerly initialized PC/SC at startup.
Avoid eager PC/SC initialization and exit-time finalization on OpenBSD.
The existing call sites still initialize PC/SC lazily when EMV/token
operations need it, while ordinary CLI commands no longer touch
pcsc-lite and no longer crash during static destruction.
Validated on OpenBSD 7.9 amd64 with:
- gmake NOGUI=1 -j2
- veracrypt --text --version
- veracrypt --text --test
- device-hosted create/mount/list/dismount smoke test through doas/vnd
Refs #1589.
Refs #1593.
VeraCrypt derives the real (non-root) user from SUDO_UID/SUDO_GID
to set default mount-point ownership and the FUSE service access
filter. On OpenBSD, privileged commands are normally run through doas,
which exposes the invoking login name via DOAS_USER and does not set
the sudo variables. As a result, VeraCrypt launched through doas
attributes both to root instead of the invoking user.
When the sudo identity variables are absent, resolve DOAS_USER through
the password database and use that uid/gid for default mount-point
ownership and the VeraCrypt FUSE service access filter. sudo behavior
is unchanged.
This is a correctness fix for the doas launch path. It is not confirmed
to resolve the non-root ext2fs EACCES reported in the linked issues:
that failure occurs at the ext2fs layer reached through vnd, whose
backing-image I/O runs as root and is therefore already permitted by
the access filter.
Refs #1589.
Refs #1593.
OpenBSD device length detection was returning the raw disk sector count from DIOCGPDINFO directly. That value is not bytes and it describes the physical/default disk label, which caused VeraCrypt to expose an incorrectly sized FUSE backing image through vnd for device-hosted volumes.
Use the current disklabel from DIOCGDINFO, derive the opened partition from the device minor number, and return the selected partition size in bytes. Keep the raw c partition on the whole-disk path by using DL_GETDSIZE there.
Also reject sector-misaligned device-hosted sizes during volume creation so new malformed OpenBSD device-hosted volumes are not created. Do not reject existing malformed headers at mount time, so users can still mount old OpenBSD-created volumes for recovery.
Refs #1589.
Refs #1593.
Add OpenWrt SDK packaging under src/Build for console-only x86/64 builds. The build helper prepares the SDK, renders a local package recipe, builds VeraCrypt with the OpenWrt musl toolchain, uses wxWidgets 3.2.10 as static wxBase, enables FUSE3, and skips release self-tests during cross compilation.
Add a package template that installs the console binary, mount.veracrypt, and license files only. The package declares bash for mount.veracrypt and keeps runtime dependencies focused on the direct userland requirements.
Add a documented QEMU runtime test path that boots the matching OpenWrt image, installs the locally built package set with opkg, runs the VeraCrypt version and algorithm self-tests, and exercises a small filesystem=none container mount/unmount flow.
Allow wxbuild callers to pass WX_CONFIGURE_EXTRA_FLAGS so OpenWrt cross configure flags can be passed into the wxWidgets build without carrying an OpenWrt-specific source patch.
Extend the Unix encryption thread pool to run key-derivation work items and use it when mounting volumes without an explicitly selected KDF. This brings Linux/macOS header PRF autodetection closer to the Windows path while keeping selected-KDF mounts unchanged.
Fixes#1610.
When preparing UEFI system encryption, check for the standard Windows bootmgfw.efi path before reading it. If it is absent, show the existing VeraCrypt diagnostic instead of surfacing a generic file-not-found error from the elevated COM path.
Clarify that Windows startup-managed VHD/VHDX files, including Dev Drive backing images, cannot live on system favorite volumes because they are accessed before those volumes are mounted.
Document that native-boot VHD/VHDX files also cannot live on system favorite volumes and remain subject to the existing VeraCrypt pre-boot authentication limitation for operating systems installed within VHD/VHDX files.
Mention a delayed/retrying attach workaround for non-boot-critical VHD/VHDX files after VeraCryptSystemFavorites mounts the host volume.
Closes#1605.
Use a stable VeraCrypt Start Menu folder for MSI installs instead of deriving it from the versioned product name. Refresh the shortcut component identities for the new folder location and add upgrade-time cleanup for old versioned VeraCrypt Start Menu folders while preserving folders that contain non-VeraCrypt content.
Fixes#1631.
Fixes#1624
The language file path was hardcoded to /usr/share/veracrypt/languages/
which doesn't exist inside an AppImage runtime. Language files are
actually located under $APPDIR/usr/share/veracrypt/languages/ when
running from an AppImage.
This affected both the language file loading in Resources.cpp and the
language enumeration in PreferencesDialog.cpp, causing the language
selection to show only "System default" and "English" regardless of
which translations were packaged in the AppImage.
When a second GUI process successfully notifies the running instance through the show-request FIFO, the handoff is not an error. Avoid showing the informational modal before exiting, and let the running instance restore the main window on any show request.
Also initialize the GTK indicator menu item pointers to NULL and guard the show/hide label update, preventing a latent crash in SetBackgroundMode when the indicator menu has not been built (e.g. background task disabled in preferences) -- a path made more reachable by the FIFO timer now invoking SetBackgroundMode unconditionally on incoming show requests.
Fixes#1447.
Closes#1745.
Refs #461.
Route IRP_MJ_FLUSH_BUFFERS through EncryptedIoQueue for mounted writable non-system volumes. Flushes are represented as zero-length queue items handled by the I/O thread, so ZwFlushBuffersFile runs after earlier encrypted write fragments before completing to the caller.
Also perform a best-effort ZwFlushBuffersFile before closing writable mounted-volume host handles, after the encrypted I/O queue has drained, so clean dismount/shutdown paths push the host file or raw device before close.
This keeps the change focused on ordinary mounted-volume flush ordering and avoids system-encryption, boot-drive, and header-update paths.
Allow normal file-hosted containers to use quick format in the Unix volume creation path by sizing the host file with ftruncate before backup headers are written.
Enable the GUI checkbox for normal file containers and honor --quick in text mode. Update the Unix HTML documentation for the weaker deniability properties of sparse or unwritten host regions.
Argon2id includes the requested output length in its computation, so deriving 192 bytes and using a prefix is not equivalent to deriving only the selected cipher's key material length. This differs from PBKDF2, where the prefix property made this detail invisible.
VeraCrypt derives the maximum header key material currently needed by the supported cipher/cascade set, which is 192 bytes, and then uses the required prefix for the selected encryption algorithm. For AES-XTS this means the first 64 bytes of the 192-byte Argon2id output are used.
Make this design rule explicit in code and documentation by introducing ARGON2_HEADER_KEYDATA_SIZE instead of relying implicitly on GetMaxPkcs5OutSize. If a future cipher or cascade requires more than 192 bytes, that must be handled as an explicit format/design change.
Document the 192-byte Argon2id header KDF output requirement so third-party implementations derive the same header key material.
References: https://github.com/veracrypt/VeraCrypt/issues/1614
Embed both Microsoft UEFI CA 2011 and 2023 signed DCS EFI sets and select the 2023 set only when the firmware db trusts the required 2023 third-party CAs.
Fall back to the 2011 EFI set when firmware db state cannot be determined, preserving pre-existing compatibility behavior and recording the reason in HKLM diagnostics.
Refresh installed ESP modules during PostOOBE repair, keep backups before replacing existing DCS modules, and use the selected EFI set when creating rescue media.
Record the selected EFI bootloader resource set and selection reason in HKLM, allow larger firmware db variables on systems with many Secure Boot certificates, and remove diagnostic registry keys on uninstall.
Fix MSI SetupDLL COM typelib version constants so unregister targets the current Main and Format COM typelib versions.
References: https://github.com/veracrypt/VeraCrypt/issues/1655
Keep the NTFS kernel-driver option as a generic in-kernel NTFS path rather than an ntfs3-specific path. Add --filesystem=kernel-ntfs and -m kernelntfs routes that select a registered or loadable kernel NTFS driver and mount with -i so mount.ntfs/ntfs-3g helpers are not invoked.
Preserve --filesystem=ntfs3 as a literal pin to the ntfs3 driver. Treat both ntfs3 and kernel-ntfs as mount-only selectors; volume creation continues to use filesystem type NTFS.
The preference and -m kernelntfs path only select an in-kernel NTFS driver when no explicit filesystem type was supplied and blkid detects NTFS.
Treat ntfs as the preferred in-kernel driver on Linux 7.1 and later, where the upstream read/write driver is expected. On earlier kernels, select ntfs only when module metadata identifies the standalone read/write driver and /sys/module confirms it loaded, avoiding ntfs3 read-only ntfs compatibility registrations. Fall back to ntfs3 otherwise, and report a generic kernel-driver error if neither supported driver is available or loadable.
Rename the internal preference/config field to MountNtfsWithKernelDriver, migrate the old MountNtfsWithNtfs3 preference key, and update UI strings, CLI help, documentation, release notes, and translation placeholders accordingly.
Reference: https://github.com/veracrypt/VeraCrypt/issues/1735
* ensure reproducible builds
* improve patch
* improve patch
* Narrow reproducibility scope to legacy and DEB
Keep the verified Linux legacy Makefile and DEB reproducibility paths, but remove the unverified RPM/openSUSE timestamp changes and AppImage reproducibility behavior from this PR.
The CPack mtime/mode clamp is now installed only for Debian/Ubuntu packaging, matching the scope covered by the provided reproducibility logs.
Retain umask 022 in the RPM/openSUSE wrappers so staged package permissions do not depend on a restrictive caller umask.
* Harden reproducible build cleanup
Validate SOURCE_DATE_EPOCH before interpolating it into Make, CMake or shell packaging paths.
Refuse live DESTDIR values in the CPack mtime clamp and pass makeself options through normal argv construction instead of eval.
---------
Co-authored-by: curious-rabbit <curious-rabbit@local>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
Replace the Linux ntfs3 help icon paint lambda with a small wxWindow
subclass and regular paint event handler.
GCC 4.4, used on CentOS 6, builds with -std=c++0x but does not support
the lambda syntax used in PreferencesDialog.cpp, causing compilation to
fail at the ntfs3 help icon handler.
The drawing behavior is unchanged.
Keep the executable requirement at CMake 2.8.12 for legacy CentOS 6 package builders while using the version-range syntax to declare policy compatibility up to 3.10. Newer CMake versions use the policy maximum to avoid CMake 4 failures, and older CMake versions ignore the suffix and continue to configure as before.
Enable use_ino for Linux FUSE mounts so stable inode numbers returned by getattr and readdir are reported to userspace. For FUSE3, set fuse_config.use_ino from init; for FUSE2, pass -o use_ino because there is no fuse_config init hook.
Also map otherwise unhandled FUSE exceptions to EIO instead of EINTR, since these failures are not signal interruptions and should not encourage retry loops.
Prefer hdiutil plist entities that carry a mount-point when recording the virtual device. This fixes APFS images where the first dev-entry is not the mounted volume.
Add a macOS mounted-volume refresh hook that recovers VirtualDevice and MountPoint from hdiutil info when FUSE-T SMB auxiliary metadata is missing or stale.
APFS volume creation can still fail with Permission denied after preparing the raw and block device aliases because newfs_apfs performs privileged APFS container and volume operations beyond opening the device nodes.
Route APFS formatting through the elevated CoreService path for non-root macOS runs. Keep the elevated interface narrow by sending only the target device and invoking user UID/GID, validate the device path on the privileged side, rebuild the formatter arguments there, and execute /sbin/newfs_apfs by absolute path to avoid PATH shadowing.
Pass -U/-G so the created filesystem preserves the invoking user ownership. Apply the same path to GUI and text-mode creation.
When creating an APFS filesystem inside a newly created device-hosted volume, VeraCrypt prepared only the raw hdiutil device path before invoking newfs_apfs. On macOS, newfs_apfs may resolve or reopen the corresponding block device path, which can fail with Permission denied for non-root GUI runs.
Prepare both raw and block aliases for the temporary formatter device, restore changed owners afterward, and share the helper between GUI and text-mode volume creation. Restore each changed alias independently so one restore failure does not skip the rest.
Add a -t option to build_veracrypt_macosx.sh so VC_OSX_TARGET can be set explicitly while preserving the existing defaults for source and Homebrew builds.
Fixes#1726.
