main: overwrite keys and let them run out of scope

As soon as we don't need them anymore, overwrite
keys with zeros. Make sure they run out of scope
so we don't create a risk of inadvertedly using
all-zero keys for encryption.

https://github.com/rfjakob/gocryptfs/issues/211
This commit is contained in:
Jakob Unterwurzacher 2018-02-18 12:42:22 +01:00
parent bd78b44389
commit 5b5c7a0a5d
2 changed files with 49 additions and 39 deletions

View File

@ -36,13 +36,18 @@ func initDir(args *argContainer) {
if args.extpass == "" {
tlog.Info.Printf("Choose a password for protecting your files.")
}
password := readpassword.Twice(args.extpass)
readpassword.CheckTrailingGarbage()
creator := tlog.ProgramName + " " + GitVersion
err = configfile.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn, creator, args.aessiv, args.devrandom)
if err != nil {
tlog.Fatal.Println(err)
os.Exit(exitcodes.WriteConf)
{
creator := tlog.ProgramName + " " + GitVersion
password := readpassword.Twice(args.extpass)
readpassword.CheckTrailingGarbage()
err = configfile.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn, creator, args.aessiv, args.devrandom)
if err != nil {
tlog.Fatal.Println(err)
os.Exit(exitcodes.WriteConf)
}
// Note: cannot overwrite password because in Go, strings are
// read-only byte slices.
// password runs out of scope here
}
// Forward mode with filename encryption enabled needs a gocryptfs.diriv
// in the root dir

View File

@ -93,37 +93,47 @@ func doMount(args *argContainer) int {
}
}()
}
// Get master key (may prompt for the password)
var masterkey []byte
var confFile *configfile.ConfFile
if args.masterkey != "" {
// "-masterkey"
masterkey = parseMasterKey(args.masterkey)
} else if args.zerokey {
// "-zerokey"
tlog.Info.Printf("Using all-zero dummy master key.")
tlog.Info.Printf(tlog.ColorYellow +
"ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING." +
tlog.ColorReset)
masterkey = make([]byte, cryptocore.KeyLen)
} else {
// Load master key from config file
// Prompts the user for the password
masterkey, confFile, err = loadConfig(args)
if err != nil {
if args._ctlsockFd != nil {
// Close the socket file (which also deletes it)
args._ctlsockFd.Close()
var srv *fuse.Server
var wipeKeys func()
{
// Get master key (may prompt for the password)
var masterkey []byte
if args.masterkey != "" {
// "-masterkey"
masterkey = parseMasterKey(args.masterkey)
} else if args.zerokey {
// "-zerokey"
tlog.Info.Printf("Using all-zero dummy master key.")
tlog.Info.Printf(tlog.ColorYellow +
"ZEROKEY MODE PROVIDES NO SECURITY AT ALL AND SHOULD ONLY BE USED FOR TESTING." +
tlog.ColorReset)
masterkey = make([]byte, cryptocore.KeyLen)
} else {
// Load master key from config file
// Prompts the user for the password
masterkey, confFile, err = loadConfig(args)
if err != nil {
if args._ctlsockFd != nil {
// Close the socket file (which also deletes it)
args._ctlsockFd.Close()
}
exitcodes.Exit(err)
}
exitcodes.Exit(err)
readpassword.CheckTrailingGarbage()
printMasterKey(masterkey)
}
readpassword.CheckTrailingGarbage()
printMasterKey(masterkey)
// We cannot use JSON for pretty-printing as the fields are unexported
tlog.Debug.Printf("cli args: %#v", args)
// Initialize FUSE server
srv, wipeKeys = initFuseFrontend(masterkey, args, confFile)
// fusefrontend / fusefrontend_reverse have initialized their crypto,
// we can purge the master key from memory.
for i := range masterkey {
masterkey[i] = 0
}
// masterkey runs out of scope here
}
// We cannot use JSON for pretty-printing as the fields are unexported
tlog.Debug.Printf("cli args: %#v", args)
// Initialize FUSE server
srv, wipeKeys := initFuseFrontend(masterkey, args, confFile)
tlog.Info.Println(tlog.ColorGreen + "Filesystem mounted and ready." + tlog.ColorReset)
// We have been forked into the background, as evidenced by the set
// "notifypid".
@ -267,11 +277,6 @@ func initFuseFrontend(masterkey []byte, args *argContainer, confFile *configfile
} else {
fs = fusefrontend.NewFS(frontendArgs, cEnc, nameTransform)
}
// fusefrontend / fusefrontend_reverse have initialized their crypto with
// derived keys (HKDF), we can purge the master key from memory.
for i := range masterkey {
masterkey[i] = 0
}
// We have opened the socket early so that we cannot fail here after
// asking the user for the password
if args._ctlsockFd != nil {