Add "-scryptn" option that sets the cost parameter for scrypt

Use that option to speed up the automated tests by 7 seconds.

Before:
	ok  	github.com/rfjakob/gocryptfs/integration_tests	26.667s
After:
	ok  	github.com/rfjakob/gocryptfs/integration_tests	19.534s
This commit is contained in:
Jakob Unterwurzacher 2015-11-29 18:52:58 +01:00
parent 71bfa1f0fb
commit bb116282b7
5 changed files with 36 additions and 15 deletions

View File

@ -35,8 +35,9 @@ type ConfFile struct {
} }
// CreateConfFile - create a new config with a random key encrypted with // CreateConfFile - create a new config with a random key encrypted with
// "password" and write it to "filename" // "password" and write it to "filename".
func CreateConfFile(filename string, password string, plaintextNames bool) error { // Uses scrypt with cost parameter logN.
func CreateConfFile(filename string, password string, plaintextNames bool, logN int) error {
var cf ConfFile var cf ConfFile
cf.filename = filename cf.filename = filename
@ -45,7 +46,7 @@ func CreateConfFile(filename string, password string, plaintextNames bool) error
// Encrypt it using the password // Encrypt it using the password
// This sets ScryptObject and EncryptedKey // This sets ScryptObject and EncryptedKey
cf.EncryptKey(key, password) cf.EncryptKey(key, password, logN)
// Set defaults // Set defaults
cf.Version = HEADER_CURRENT_VERSION cf.Version = HEADER_CURRENT_VERSION
@ -109,10 +110,12 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
} }
// EncryptKey - encrypt "key" using an scrypt hash generated from "password" // EncryptKey - encrypt "key" using an scrypt hash generated from "password"
// and store it in cf.EncryptedKey // and store it in cf.EncryptedKey.
func (cf *ConfFile) EncryptKey(key []byte, password string) { // Uses scrypt with cost parameter logN and stores the scrypt parameters in
// cf.ScryptObject.
func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
// Generate derived key from password // Generate derived key from password
cf.ScryptObject = NewScryptKdf() cf.ScryptObject = NewScryptKdf(logN)
scryptHash := cf.ScryptObject.DeriveKey(password) scryptHash := cf.ScryptObject.DeriveKey(password)
// Lock master key using password-based key // Lock master key using password-based key

View File

@ -59,7 +59,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
} }
func TestCreateConfFile(t *testing.T) { func TestCreateConfFile(t *testing.T) {
err := CreateConfFile("config_test/tmp.conf", "test", false) err := CreateConfFile("config_test/tmp.conf", "test", false, 0)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View File

@ -1,6 +1,8 @@
package cryptfs package cryptfs
import ( import (
"os"
"math"
"fmt" "fmt"
"golang.org/x/crypto/scrypt" "golang.org/x/crypto/scrypt"
) )
@ -8,7 +10,7 @@ import (
const ( const (
// 1 << 16 uses 64MB of memory, // 1 << 16 uses 64MB of memory,
// takes 4 seconds on my Atom Z3735F netbook // takes 4 seconds on my Atom Z3735F netbook
SCRYPT_DEFAULT_N = 1 << 16 SCRYPT_DEFAULT_LOGN = 16
) )
type scryptKdf struct { type scryptKdf struct {
@ -19,10 +21,18 @@ type scryptKdf struct {
KeyLen int KeyLen int
} }
func NewScryptKdf() scryptKdf { func NewScryptKdf(logN int) scryptKdf {
var s scryptKdf var s scryptKdf
s.Salt = RandBytes(KEY_LEN) s.Salt = RandBytes(KEY_LEN)
s.N = SCRYPT_DEFAULT_N if logN <= 0 {
s.N = 1 << SCRYPT_DEFAULT_LOGN
} else {
if logN < 10 {
fmt.Printf("Error: scryptn below 10 is too low to make sense. Aborting.")
os.Exit(1)
}
s.N = 1 << uint32(logN)
}
s.R = 8 // Always 8 s.R = 8 // Always 8
s.P = 1 // Always 1 s.P = 1 // Always 1
s.KeyLen = KEY_LEN s.KeyLen = KEY_LEN
@ -36,3 +46,9 @@ func (s *scryptKdf) DeriveKey(pw string) []byte {
} }
return k return k
} }
// LogN - N is saved as 2^LogN, but LogN is much easier to work with.
// This function gives you LogN = Log2(N).
func (s *scryptKdf) LogN() int {
return int(math.Log2(float64(s.N))+0.5)
}

View File

@ -17,7 +17,7 @@ func TestInit(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test", dir) cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test", "-scryptn=10", dir)
if testing.Verbose() { if testing.Verbose() {
cmd.Stdout = os.Stdout cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr cmd.Stderr = os.Stderr
@ -52,7 +52,7 @@ func TestInitConfig(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test", cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test",
"-config", config, dir) "-config", config, "-scryptn=10", dir)
if testing.Verbose() { if testing.Verbose() {
cmd.Stdout = os.Stdout cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr cmd.Stderr = os.Stderr

View File

@ -37,7 +37,7 @@ type argContainer struct {
debug, init, zerokey, fusedebug, openssl, passwd, foreground, version, debug, init, zerokey, fusedebug, openssl, passwd, foreground, version,
plaintextnames, quiet, diriv bool plaintextnames, quiet, diriv bool
masterkey, mountpoint, cipherdir, cpuprofile, config, extpass string masterkey, mountpoint, cipherdir, cpuprofile, config, extpass string
notifypid int notifypid, scryptn int
} }
var flagSet *flag.FlagSet var flagSet *flag.FlagSet
@ -62,7 +62,7 @@ func initDir(args *argContainer) {
// Create gocryptfs.conf // Create gocryptfs.conf
cryptfs.Info.Printf("Choose a password for protecting your files.\n") cryptfs.Info.Printf("Choose a password for protecting your files.\n")
password := readPasswordTwice(args.extpass) password := readPasswordTwice(args.extpass)
err = cryptfs.CreateConfFile(args.config, password, args.plaintextnames) err = cryptfs.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn)
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
os.Exit(ERREXIT_INIT) os.Exit(ERREXIT_INIT)
@ -109,7 +109,7 @@ func changePassword(args *argContainer) {
masterkey, confFile := loadConfig(args) masterkey, confFile := loadConfig(args)
fmt.Printf("Please enter your new password.\n") fmt.Printf("Please enter your new password.\n")
newPw := readPasswordTwice(args.extpass) newPw := readPasswordTwice(args.extpass)
confFile.EncryptKey(masterkey, newPw) confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
err := confFile.WriteFile() err := confFile.WriteFile()
if err != nil { if err != nil {
fmt.Println(err) fmt.Println(err)
@ -151,6 +151,8 @@ func main() {
flagSet.StringVar(&args.extpass, "extpass", "", "Use external program for the password prompt") flagSet.StringVar(&args.extpass, "extpass", "", "Use external program for the password prompt")
flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+ flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+
"successful mount - used internally for daemonization") "successful mount - used internally for daemonization")
flagSet.IntVar(&args.scryptn, "scryptn", cryptfs.SCRYPT_DEFAULT_LOGN, "scrypt cost parameter logN. "+
"Setting this to a lower value speeds up mounting but makes the password susceptible to brute-force attacks")
flagSet.Parse(os.Args[1:]) flagSet.Parse(os.Args[1:])
// By default, let the child handle everything. // By default, let the child handle everything.