libgocryptfs/gocryptfs-xray/xray_main.go

176 lines
4.5 KiB
Go

package main
import (
"encoding/hex"
"flag"
"fmt"
"io"
"os"
"github.com/rfjakob/gocryptfs/internal/configfile"
"github.com/rfjakob/gocryptfs/internal/contentenc"
"github.com/rfjakob/gocryptfs/internal/cryptocore"
"github.com/rfjakob/gocryptfs/internal/exitcodes"
"github.com/rfjakob/gocryptfs/internal/fido2"
"github.com/rfjakob/gocryptfs/internal/readpassword"
"github.com/rfjakob/gocryptfs/internal/tlog"
)
const (
ivLen = contentenc.DefaultIVBits / 8
authTagLen = cryptocore.AuthTagLen
blockSize = contentenc.DefaultBS + ivLen + cryptocore.AuthTagLen
myName = "gocryptfs-xray"
)
func errExit(err error) {
fmt.Println(err)
os.Exit(1)
}
func prettyPrintHeader(h *contentenc.FileHeader, aessiv bool) {
id := hex.EncodeToString(h.ID)
msg := "Header: Version: %d, Id: %s"
if aessiv {
msg += ", assuming AES-SIV mode"
} else {
msg += ", assuming AES-GCM mode"
}
fmt.Printf(msg+"\n", h.Version, id)
}
func usage() {
fmt.Fprintf(os.Stderr, "Usage: %s [OPTIONS] FILE\n"+
"\n"+
"Options:\n", myName)
flag.PrintDefaults()
fmt.Fprintf(os.Stderr, "\n"+
"Examples:\n"+
" gocryptfs-xray myfs/mCXnISiv7nEmyc0glGuhTQ\n"+
" gocryptfs-xray -dumpmasterkey myfs/gocryptfs.conf\n"+
" gocryptfs-xray -encrypt-paths myfs.sock\n")
}
// sum counts the number of true values
func sum(x ...*bool) (s int) {
for _, v := range x {
if *v {
s++
}
}
return s
}
func main() {
var args struct {
dumpmasterkey *bool
decryptPaths *bool
encryptPaths *bool
aessiv *bool
sep0 *bool
fido2 *string
}
args.dumpmasterkey = flag.Bool("dumpmasterkey", false, "Decrypt and dump the master key")
args.decryptPaths = flag.Bool("decrypt-paths", false, "Decrypt file paths using gocryptfs control socket")
args.encryptPaths = flag.Bool("encrypt-paths", false, "Encrypt file paths using gocryptfs control socket")
args.sep0 = flag.Bool("0", false, "Use \\0 instead of \\n as separator")
args.aessiv = flag.Bool("aessiv", false, "Assume AES-SIV mode instead of AES-GCM")
args.fido2 = flag.String("fido2", "", "Protect the masterkey using a FIDO2 token instead of a password")
flag.Usage = usage
flag.Parse()
s := sum(args.dumpmasterkey, args.decryptPaths, args.encryptPaths)
if s > 1 {
fmt.Printf("fatal: %d operations were requested\n", s)
os.Exit(1)
}
if flag.NArg() != 1 {
usage()
os.Exit(1)
}
fn := flag.Arg(0)
if *args.decryptPaths {
decryptPaths(fn, *args.sep0)
}
if *args.encryptPaths {
encryptPaths(fn, *args.sep0)
}
fd, err := os.Open(fn)
if err != nil {
errExit(err)
}
defer fd.Close()
if *args.dumpmasterkey {
dumpMasterKey(fn, *args.fido2)
} else {
inspectCiphertext(fd, *args.aessiv)
}
}
func dumpMasterKey(fn string, fido2Path string) {
tlog.Info.Enabled = false
cf, err := configfile.Load(fn)
if err != nil {
fmt.Fprintln(os.Stderr, err)
exitcodes.Exit(err)
}
var pw []byte
if cf.IsFeatureFlagSet(configfile.FlagFIDO2) {
if fido2Path == "" {
tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.")
os.Exit(exitcodes.Usage)
}
pw = fido2.Secret(fido2Path, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt)
} else {
pw = readpassword.Once(nil, nil, "")
}
masterkey, err := cf.DecryptMasterKey(pw)
fmt.Println(hex.EncodeToString(masterkey))
for i := range pw {
pw[i] = 0
}
}
func inspectCiphertext(fd *os.File, aessiv bool) {
headerBytes := make([]byte, contentenc.HeaderLen)
n, err := fd.ReadAt(headerBytes, 0)
if err == io.EOF && n == 0 {
fmt.Println("empty file")
os.Exit(0)
} else if err == io.EOF {
fmt.Printf("incomplete file header: read %d bytes, want %d\n", n, contentenc.HeaderLen)
os.Exit(1)
} else if err != nil {
errExit(err)
}
header, err := contentenc.ParseHeader(headerBytes)
if err != nil {
errExit(err)
}
prettyPrintHeader(header, aessiv)
var i int64
buf := make([]byte, blockSize)
for i = 0; ; i++ {
off := contentenc.HeaderLen + i*blockSize
n, err := fd.ReadAt(buf, off)
if err != nil && err != io.EOF {
errExit(err)
}
if n == 0 && err == io.EOF {
break
}
// A block contains at least the IV, the Auth Tag and 1 data byte
if n < ivLen+authTagLen+1 {
errExit(fmt.Errorf("corrupt block: truncated data, len=%d", n))
}
data := buf[:n]
// Parse block data
iv := data[:ivLen]
tag := data[len(data)-authTagLen:]
if aessiv {
tag = data[ivLen : ivLen+authTagLen]
}
fmt.Printf("Block %2d: IV: %s, Tag: %s, Offset: %5d Len: %d\n",
i, hex.EncodeToString(iv), hex.EncodeToString(tag), off, len(data))
}
}