From a238cc392f8805fb8450b8e08511630c94617535 Mon Sep 17 00:00:00 2001 From: Hardcore Sushi Date: Tue, 2 May 2023 22:30:46 +0200 Subject: [PATCH] libgocryptfs: make gcf_init return error code --- internal/configfile/config_file.go | 47 ++++++++++++++---------------- volume.go | 23 ++++++++------- 2 files changed, 34 insertions(+), 36 deletions(-) diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index cca67ac..3282baa 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -204,6 +204,23 @@ func (cf *ConfFile) setFeatureFlag(flag flagIota) { cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[flag]) } +// libgocryptfs function to allow masterkey to be directely decrypted using the scrypt hash +func (cf *ConfFile) DecryptMasterKeyWithScryptHash(scryptHash []byte) ([]byte, error) { + useHKDF := cf.IsFeatureFlagSet(FlagHKDF) + ce := getKeyEncrypter(scryptHash, useHKDF) + + masterkey, err := ce.DecryptBlock(cf.EncryptedKey, 0, nil) + + ce.Wipe() + ce = nil + + if err != nil { + return nil, exitcodes.NewErr("Password incorrect.", exitcodes.PasswordIncorrect) + } + + return masterkey, nil +} + // DecryptMasterKey decrypts the masterkey stored in cf.EncryptedKey using // password. func (cf *ConfFile) DecryptMasterKey(password []byte, giveHash bool) (masterkey, scryptHash []byte, err error) { @@ -211,10 +228,7 @@ func (cf *ConfFile) DecryptMasterKey(password []byte, giveHash bool) (masterkey, scryptHash = cf.ScryptObject.DeriveKey(password) // Unlock master key using password-based key - useHKDF := cf.IsFeatureFlagSet(FlagHKDF) - ce := getKeyEncrypter(scryptHash, useHKDF) - - masterkey, err = ce.DecryptBlock(cf.EncryptedKey, 0, nil) + masterkey, err = cf.DecryptMasterKeyWithScryptHash(scryptHash) if !giveHash { // Purge scrypt-derived key @@ -223,14 +237,8 @@ func (cf *ConfFile) DecryptMasterKey(password []byte, giveHash bool) (masterkey, } scryptHash = nil } - ce.Wipe() - ce = nil - if err != nil { - return nil, nil, exitcodes.NewErr("Password incorrect.", exitcodes.PasswordIncorrect) - } - - return masterkey, scryptHash, nil + return masterkey, scryptHash, err } // EncryptKey - encrypt "key" using an scrypt hash generated from "password" @@ -260,20 +268,12 @@ func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int, giveHash b return scryptHash } -// DroidFS function to allow masterkey to be decrypted directely using the scrypt hash and return it if requested -func (cf *ConfFile) GetMasterkey(password, givenScryptHash, returnedScryptHashBuff []byte) []byte { +func (cf *ConfFile) GetMasterkey(password, givenScryptHash, returnedScryptHashBuff []byte) ([]byte, error) { var masterkey []byte var err error var scryptHash []byte if len(givenScryptHash) > 0 { //decrypt with hash - useHKDF := cf.IsFeatureFlagSet(FlagHKDF) - ce := getKeyEncrypter(givenScryptHash, useHKDF) - masterkey, err = ce.DecryptBlock(cf.EncryptedKey, 0, nil) - ce.Wipe() - ce = nil - if err == nil { - return masterkey - } + masterkey, err = cf.DecryptMasterKeyWithScryptHash(scryptHash) } else { //decrypt with password masterkey, scryptHash, err = cf.DecryptMasterKey(password, len(returnedScryptHashBuff) > 0) //copy and wipe scryptHash @@ -281,11 +281,8 @@ func (cf *ConfFile) GetMasterkey(password, givenScryptHash, returnedScryptHashBu returnedScryptHashBuff[i] = scryptHash[i] scryptHash[i] = 0 } - if err == nil { - return masterkey - } } - return nil + return masterkey, err } // WriteFile - write out config in JSON format to file "filename.tmp" diff --git a/volume.go b/volume.go index 6f3ca00..2088325 100644 --- a/volume.go +++ b/volume.go @@ -114,17 +114,18 @@ func registerNewVolume(rootCipherDir string, masterkey []byte, cf *configfile.Co //export gcf_init func gcf_init(rootCipherDir string, password, givenScryptHash, returnedScryptHashBuff []byte) int { - volumeID := -1 + defer wipe(password) cf, err := configfile.Load(filepath.Join(rootCipherDir, configfile.ConfDefaultName)) - if err == nil { - masterkey := cf.GetMasterkey(password, givenScryptHash, returnedScryptHashBuff) - wipe(password) - debug.FreeOSMemory() - if masterkey != nil { - volumeID = registerNewVolume(rootCipherDir, masterkey, cf) - wipe(masterkey) - } + if err != nil { + return -1 } + masterkey, err := cf.GetMasterkey(password, givenScryptHash, returnedScryptHashBuff) + if err != nil { + return -2 + } + debug.FreeOSMemory() + volumeID := registerNewVolume(rootCipherDir, masterkey, cf) + wipe(masterkey) return volumeID } @@ -160,8 +161,8 @@ func gcf_change_password(rootCipherDir string, oldPassword, givenScryptHash, new success := false cf, err := configfile.Load(filepath.Join(rootCipherDir, configfile.ConfDefaultName)) if err == nil { - masterkey := cf.GetMasterkey(oldPassword, givenScryptHash, nil) - if masterkey != nil { + masterkey, err := cf.GetMasterkey(oldPassword, givenScryptHash, nil) + if err == nil { logN := cf.ScryptObject.LogN() scryptHash := cf.EncryptKey(masterkey, newPassword, logN, len(returnedScryptHashBuff) > 0) wipe(masterkey)