-deterministic-names: accept flag on -init

And store it in gocryptfs.conf (=remove DirIV feature flag).
Jakob Unterwurzacher 2021-08-20 15:57:40 +02:00
parent 195d9d18a9
commit 2a9dea2973
8 changed files with 39 additions and 14 deletions


@ -103,6 +103,14 @@ Defaults are fine.
Use the AES-SIV encryption mode. This is slower than GCM but is Use the AES-SIV encryption mode. This is slower than GCM but is
secure with deterministic nonces as used in "-reverse" mode. secure with deterministic nonces as used in "-reverse" mode.
#### -deterministic-names
Disable file name randomisation and creation of `gocryptfs.diriv` files.
This can prevent sync conflicts conflicts when synchronising files, but
leaks information about identical file names across directories
("Identical names leak" in https://nuetzlich.net/gocryptfs/comparison/#file-names ).
The resulting `gocryptfs.conf` has "DirIV" missing from "FeatureFlags".
#### -devrandom #### -devrandom
Use `/dev/random` for generating the master key instead of the default Go Use `/dev/random` for generating the master key instead of the default Go
implementation. This is especially useful on embedded systems with Go versions implementation. This is especially useful on embedded systems with Go versions
@ -545,11 +553,6 @@ useful in regression testing.
Applies to: all actions. Applies to: all actions.
#### -zerodiriv
Create diriv as all-zero files
Applies to: all actions without `-plaintextnames`.
#### \-\- #### \-\-
Stop option parsing. Helpful when CIPHERDIR may start with a Stop option parsing. Helpful when CIPHERDIR may start with a
dash "-". dash "-".


@ -87,7 +87,8 @@ func initDir(args *argContainer) {
} }
creator := tlog.ProgramName + " " + GitVersion creator := tlog.ProgramName + " " + GitVersion
err = configfile.Create(args.config, password, args.plaintextnames, err = configfile.Create(args.config, password, args.plaintextnames,
args.scryptn, creator, args.aessiv, args.devrandom, fido2CredentialID, fido2HmacSalt) args.scryptn, creator, args.aessiv, args.devrandom, fido2CredentialID, fido2HmacSalt,
args.deterministic_names)
if err != nil { if err != nil {
tlog.Fatal.Println(err) tlog.Fatal.Println(err)
os.Exit(exitcodes.WriteConf) os.Exit(exitcodes.WriteConf)
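Review bot: The new `args.deterministic_names` argument on the `configfile.Create` call is accepted together with `-plaintextnames`, but `Create` only honours it in its non-plaintext branch, so the combination is silently a no-op for the user who asked for it. Consider warning or rejecting before the call, e.g. `if args.plaintextnames && args.deterministic_names { tlog.Warn.Printf("-deterministic-names has no effect together with -plaintextnames") }`. The field name `deterministic_names` also breaks Go's MixedCaps convention, though it is defined outside this commit. `initDir` starts and ends outside the hunk.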


@ -80,7 +80,8 @@ func randBytesDevRandom(n int) []byte {
// "password" and write it to "filename". // "password" and write it to "filename".
// Uses scrypt with cost parameter logN. // Uses scrypt with cost parameter logN.
func Create(filename string, password []byte, plaintextNames bool, func Create(filename string, password []byte, plaintextNames bool,
logN int, creator string, aessiv bool, devrandom bool, fido2CredentialID []byte, fido2HmacSalt []byte) error { logN int, creator string, aessiv bool, devrandom bool,
fido2CredentialID []byte, fido2HmacSalt []byte, deterministicNames bool) error {
var cf ConfFile var cf ConfFile
cf.filename = filename cf.filename = filename
cf.Creator = creator cf.Creator = creator
@ -92,7 +93,9 @@ func Create(filename string, password []byte, plaintextNames bool,
if plaintextNames { if plaintextNames {
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagPlaintextNames]) cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagPlaintextNames])
} else { } else {
if !deterministicNames {
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagDirIV]) cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagDirIV])
}
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagEMENames]) cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagEMENames])
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagLongNames]) cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagLongNames])
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagRaw64]) cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagRaw64])
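Review bot: The new `deterministicNames` parameter is not described in the doc comment above `Create` (the comment starts outside the hunk), and the code silently ignores it when `plaintextNames` is true because the check lives only in the `else` branch. Add a line such as `// deterministicNames omits the DirIV feature flag (no per-directory IV, no gocryptfs.diriv files); it is ignored when plaintextNames is set.` On style: the signature now carries four positional bools plus two nillable byte slices, and every call site in this commit passes `nil, nil, false` by position, so a small options struct would make future additions less error-prone. The body of `Create` continues outside the hunk.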


@ -62,7 +62,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
} }
func TestCreateConfDefault(t *testing.T) { func TestCreateConfDefault(t *testing.T) {
err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil, nil) err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil, nil, false)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -83,14 +83,14 @@ func TestCreateConfDefault(t *testing.T) {
} }
func TestCreateConfDevRandom(t *testing.T) { func TestCreateConfDevRandom(t *testing.T) {
err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true, nil, nil) err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true, nil, nil, false)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
} }
func TestCreateConfPlaintextnames(t *testing.T) { func TestCreateConfPlaintextnames(t *testing.T) {
err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false, nil, nil) err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false, nil, nil, false)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -111,7 +111,7 @@ func TestCreateConfPlaintextnames(t *testing.T) {
// Reverse mode uses AESSIV // Reverse mode uses AESSIV
func TestCreateConfFileAESSIV(t *testing.T) { func TestCreateConfFileAESSIV(t *testing.T) {
err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false, nil, nil) err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false, nil, nil, false)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
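Review bot: Every `Create` call in this section passes `false` for the new `deterministicNames` parameter, so no unit test in this package exercises the `true` path that the commit adds. A test that creates a config with `deterministicNames=true`, reloads it with `LoadAndDecrypt` and asserts that `FlagDirIV` is absent would pin the new behaviour next to the other `TestCreateConf*` cases. Note the existing tests share the fixed path `config_test/tmp.conf`, so the new one must follow the same pattern.

```go
// Test that -deterministic-names drops the DirIV feature flag
func TestCreateConfDeterministicNames(t *testing.T) {
	err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil, nil, true)
	if err != nil {
		t.Fatal(err)
	}
	_, c, err := LoadAndDecrypt("config_test/tmp.conf", testPw)
	if err != nil {
		t.Fatal(err)
	}
	if c.IsFeatureFlagSet(FlagDirIV) {
		t.Error("DirIV flag should be off")
	}
}
```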


@ -45,7 +45,6 @@ var knownFlags = map[flagIota]string{
// Filesystems that do not have these feature flags set are deprecated. // Filesystems that do not have these feature flags set are deprecated.
var requiredFlagsNormal = []flagIota{ var requiredFlagsNormal = []flagIota{
FlagDirIV,
FlagEMENames, FlagEMENames,
FlagGCMIV128, FlagGCMIV128,
} }


@ -282,6 +282,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
if confFile != nil { if confFile != nil {
// Settings from the config file override command line args // Settings from the config file override command line args
frontendArgs.PlaintextNames = confFile.IsFeatureFlagSet(configfile.FlagPlaintextNames) frontendArgs.PlaintextNames = confFile.IsFeatureFlagSet(configfile.FlagPlaintextNames)
frontendArgs.DeterministicNames = !confFile.IsFeatureFlagSet(configfile.FlagDirIV)
args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64) args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64)
args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF) args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF)
if confFile.IsFeatureFlagSet(configfile.FlagAESSIV) { if confFile.IsFeatureFlagSet(configfile.FlagAESSIV) {
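Review bot: `frontendArgs.DeterministicNames` is derived solely from the absence of `FlagDirIV`, so it also becomes true for `-plaintextnames` filesystems (whose config never receives `FlagDirIV`, see `Create` in this commit) and for any legacy config that lacks the flag for other reasons, now that this commit removes `FlagDirIV` from `requiredFlagsNormal` and such configs are no longer rejected. If the frontend treats `DeterministicNames` and `PlaintextNames` as independent switches, `frontendArgs.DeterministicNames = !frontendArgs.PlaintextNames && !confFile.IsFeatureFlagSet(configfile.FlagDirIV)` avoids the overlap; whether a pre-DirIV config is really equivalent to deterministic names is not visible here and deserves a comment on this line either way. `initFuseFrontend` starts and ends outside the hunk.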


@ -995,3 +995,9 @@ func TestMountCreat(t *testing.T) {
test_helpers.UnmountPanic(mnt) test_helpers.UnmountPanic(mnt)
} }
} }
// Test -init -deterministic-names
func TestInitDeterministicNames(t *testing.T) {
dir := test_helpers.InitFS(t, "-deterministic-names")
}
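Review bot: `dir` on the `test_helpers.InitFS` line is assigned but never used, which Go rejects at compile time ("declared and not used"), so this test file will not build as written. Either drop the assignment, `test_helpers.InitFS(t, "-deterministic-names")`, or better, use `dir` to load the config and assert that `FlagDirIV` is absent, as the `deterministic_names` package's `TestMain` does elsewhere in this commit. As it stands the test only checks that `-init` does not fail.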


@ -3,11 +3,13 @@ package deterministic_names
// integration tests that target "-deterministic-names" specifically // integration tests that target "-deterministic-names" specifically
import ( import (
"fmt"
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
"github.com/rfjakob/gocryptfs/internal/configfile"
"github.com/rfjakob/gocryptfs/tests/test_helpers" "github.com/rfjakob/gocryptfs/tests/test_helpers"
) )
@ -19,8 +21,18 @@ var testPw = []byte("test")
// Create and mount "-deterministic-names" fs // Create and mount "-deterministic-names" fs
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
cDir = test_helpers.InitFS(nil, "-deterministic-names") cDir = test_helpers.InitFS(nil, "-deterministic-names")
// Check config file sanity
_, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, testPw)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
if c.IsFeatureFlagSet(configfile.FlagDirIV) {
fmt.Println("DirIV flag should be off")
os.Exit(1)
}
pDir = cDir + ".mnt" pDir = cDir + ".mnt"
test_helpers.MountOrExit(cDir, pDir, "-deterministic-names", "-extpass", "echo test") test_helpers.MountOrExit(cDir, pDir, "-extpass", "echo test")
r := m.Run() r := m.Run()
test_helpers.UnmountPanic(pDir) test_helpers.UnmountPanic(pDir)
os.Exit(r) os.Exit(r)
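Review bot: The config path on the `LoadAndDecrypt` line is built with string concatenation, `cDir+"/"+configfile.ConfDefaultName`, while `path/filepath` is already imported in this file; `filepath.Join(cDir, configfile.ConfDefaultName)` is the idiomatic form. The sanity check could also assert that `FlagPlaintextNames` is not set, since both modes leave `FlagDirIV` off and the check as written would pass on a plaintext-names filesystem too. Dropping `-deterministic-names` from the `MountOrExit` line is consistent with the flag now being read from the config. The closing brace of `TestMain` is outside the hunk.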