diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md index b9aa51b..acb0ff0 100644 --- a/Documentation/MANPAGE.md +++ b/Documentation/MANPAGE.md @@ -114,11 +114,10 @@ leaks information about identical file names across directories The resulting `gocryptfs.conf` has "DirIV" missing from "FeatureFlags". #### -devrandom -Use `/dev/random` for generating the master key instead of the default Go -implementation. This is especially useful on embedded systems with Go versions -prior to 1.9, which fall back to weak random data when the getrandom syscall -is blocking. Using this option can block indefinitely when the kernel cannot -harvest enough entropy. +Obsolete and ignored on gocryptfs v2.2 and later. + +See https://github.com/rfjakob/gocryptfs/commit/f3c777d5eaa682d878c638192311e52f9c204294 +and https://github.com/rfjakob/gocryptfs/issues/596 for background info. #### -hkdf Use HKDF to derive separate keys for content and name encryption from diff --git a/cli_args.go b/cli_args.go index 3eb92b2..0287741 100644 --- a/cli_args.go +++ b/cli_args.go @@ -30,7 +30,7 @@ type argContainer struct { plaintextnames, quiet, nosyslog, wpanic, longnames, allow_other, reverse, aessiv, nonempty, raw64, noprealloc, speed, hkdf, serialize_reads, forcedecode, hh, info, - sharedstorage, devrandom, fsck, one_file_system, deterministic_names, + sharedstorage, fsck, one_file_system, deterministic_names, xchacha bool // Mount options with opposites dev, nodev, suid, nosuid, exec, noexec, rw, ro, kernel_cache, acl bool 
@@ -177,7 +177,6 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.BoolVar(&args.hh, "hh", false, "Show this long help text") flagSet.BoolVar(&args.info, "info", false, "Display information about CIPHERDIR") flagSet.BoolVar(&args.sharedstorage, "sharedstorage", false, "Make concurrent access to a shared CIPHERDIR safer") - flagSet.BoolVar(&args.devrandom, "devrandom", false, "Use /dev/random for generating master key") flagSet.BoolVar(&args.fsck, "fsck", false, "Run a filesystem check on CIPHERDIR") flagSet.BoolVar(&args.one_file_system, "one-file-system", false, "Don't cross filesystem boundaries") flagSet.BoolVar(&args.deterministic_names, "deterministic-names", false, "Disable diriv file name randomisation") @@ -228,11 +227,16 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.DurationVar(&args.idle, "idle", 0, "Auto-unmount after specified idle duration (ignored in reverse mode). "+ "Durations are specified like \"500s\" or \"2h45m\". 0 means stay mounted indefinitely.") - var nofail bool - flagSet.BoolVar(&nofail, "nofail", false, "Ignored for /etc/fstab compatibility") - var dummyString string flagSet.StringVar(&dummyString, "o", "", "For compatibility with mount(1), options can be also passed as a comma-separated list to -o on the end.") + + // Ignored flags + { + var tmp bool + flagSet.BoolVar(&tmp, "nofail", false, "Ignored for /etc/fstab compatibility") + flagSet.BoolVar(&tmp, "devrandom", false, "Deprecated (ignored for compatibility)") + } + // Actual parsing err = flagSet.Parse(osArgsPreprocessed[1:]) if err == flag.ErrHelp { diff --git a/init_dir.go b/init_dir.go index c6539c8..00fb390 100644 --- a/init_dir.go +++ b/init_dir.go @@ -93,7 +93,6 @@ func initDir(args *argContainer) { LogN: args.scryptn, Creator: creator, AESSIV: args.aessiv, - Devrandom: args.devrandom, Fido2CredentialID: fido2CredentialID, Fido2HmacSalt: fido2HmacSalt, DeterministicNames: args.deterministic_names, 
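Review bot: In the `// Ignored flags` block added by the `-228,11 +227,16` hunk of cli_args.go, `-devrandom` is accepted and discarded without any message, so a user or script that passes it expecting the master key to come from /dev/random gets no indication that the option no longer does anything. Both ignored flags write to the same block-scoped `tmp`, so nothing after `flagSet.Parse` can tell whether `-devrandom` was given. Binding it to its own variable, e.g. `flagSet.BoolVar(&devrandomIgnored, "devrandom", false, "Obsolete (ignored for compatibility)")`, and printing a one-line notice after parsing when it is set would make the behaviour change visible. The help text says "Deprecated" while the man page in this commit says "Obsolete and ignored"; using the same word in both avoids suggesting the flag still has an effect. parseCliOpts starts and ends outside the hunk, and no test in the visible hunks checks that `-devrandom` still parses.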
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index c1f93af..951dce8 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -5,9 +5,7 @@ package configfile import ( "encoding/json" "fmt" - "io" "io/ioutil" - "log" "syscall" "os" @@ -61,21 +59,6 @@ type ConfFile struct { filename string } -// randBytesDevRandom gets "n" random bytes from /dev/random or panics -func randBytesDevRandom(n int) []byte { - f, err := os.Open("/dev/random") - if err != nil { - log.Panic("Failed to open /dev/random: " + err.Error()) - } - defer f.Close() - b := make([]byte, n) - _, err = io.ReadFull(f, b) - if err != nil { - log.Panic("Failed to read random bytes: " + err.Error()) - } - return b -} - // CreateArgs exists because the argument list to Create became too long. type CreateArgs struct { Filename string @@ -84,7 +67,6 @@ type CreateArgs struct { LogN int Creator string AESSIV bool - Devrandom bool Fido2CredentialID []byte Fido2HmacSalt []byte DeterministicNames bool @@ -136,12 +118,7 @@ func Create(args *CreateArgs) error { } { // Generate new random master key - var key []byte - if args.Devrandom { - key = randBytesDevRandom(cryptocore.KeyLen) - } else { - key = cryptocore.RandBytes(cryptocore.KeyLen) - } + key := cryptocore.RandBytes(cryptocore.KeyLen) tlog.PrintMasterkeyReminder(key) // Encrypt it using the password // This sets ScryptObject and EncryptedKey diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index 021b6c1..b8012d3 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go 
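Review bot: In `Create` (hunk `-136,12 +118,7`), the new line `key := cryptocore.RandBytes(cryptocore.KeyLen)` makes `cryptocore.RandBytes` the only source of master-key randomness, but the comment above it does not say what that source is or why the /dev/random path was dropped. The man page text removed in this commit states that Go versions before 1.9 fall back to weak random data when the getrandom syscall is blocking, so it is worth confirming that the project's minimum supported Go version excludes those releases; that is not visible in this diff. I would extend the comment to something like `// Generate new random master key. cryptocore.RandBytes is the only entropy source; see issue #596 for why -devrandom was removed.` The body of Create continues outside the hunk.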
@@ -86,18 +86,6 @@ func TestCreateConfDefault(t *testing.T) { } } -func TestCreateConfDevRandom(t *testing.T) { - err := Create(&CreateArgs{ - Filename: "config_test/tmp.conf", - Password: testPw, - LogN: 10, - Creator: "test", - Devrandom: true}) - if err != nil { - t.Fatal(err) - } -} - func TestCreateConfPlaintextnames(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf",