libgocryptfs/internal/configfile/config_file.go

354 lines
10 KiB
Go

// Package configfile reads and writes gocryptfs.conf does the key
// wrapping.
package configfile
import (
"encoding/json"
"fmt"
"io/ioutil"
"syscall"
"os"
"libgocryptfs/v2/internal/contentenc"
"libgocryptfs/v2/internal/cryptocore"
"libgocryptfs/v2/internal/exitcodes"
)
const (
// ConfDefaultName is the default configuration file name.
// The dot "." is not used in base64url (RFC4648), hence
// we can never clash with an encrypted file.
ConfDefaultName = "gocryptfs.conf"
// ConfReverseName is the default configuration file name in reverse mode,
// the config file gets stored next to the plain-text files. Make it hidden
// (start with dot) to not annoy the user.
ConfReverseName = ".gocryptfs.reverse.conf"
)
// FIDO2Params is a structure for storing FIDO2 parameters.
type FIDO2Params struct {
// FIDO2 credential
CredentialID []byte
// FIDO2 hmac-secret salt
HMACSalt []byte
}
// ConfFile is the content of a config file.
type ConfFile struct {
// Creator is the gocryptfs version string.
// This only documents the config file for humans who look at it. The actual
// technical info is contained in FeatureFlags.
Creator string
// EncryptedKey holds an encrypted AES key, unlocked using a password
// hashed with scrypt
EncryptedKey []byte
// ScryptObject stores parameters for scrypt hashing (key derivation)
ScryptObject ScryptKDF
// Version is the On-Disk-Format version this filesystem uses
Version uint16
// FeatureFlags is a list of feature flags this filesystem has enabled.
// If gocryptfs encounters a feature flag it does not support, it will refuse
// mounting. This mechanism is analogous to the ext4 feature flags that are
// stored in the superblock.
FeatureFlags []string
// FIDO2 parameters
FIDO2 *FIDO2Params `json:",omitempty"`
// LongNameMax corresponds to the -longnamemax flag
LongNameMax uint8 `json:",omitempty"`
// Filename is the name of the config file. Not exported to JSON.
filename string
}
// CreateArgs exists because the argument list to Create became too long.
type CreateArgs struct {
Filename string
Password []byte
PlaintextNames bool
LogN int
Creator string
AESSIV bool
DeterministicNames bool
XChaCha20Poly1305 bool
LongNameMax uint8
}
// Create - create a new config with a random key encrypted with
// "Password" and write it to "Filename".
// Uses scrypt with cost parameter "LogN".
func Create(args *CreateArgs, returnedScryptHashBuff []byte) error {
cf := ConfFile{
filename: args.Filename,
Creator: args.Creator,
Version: contentenc.CurrentVersion,
}
// Feature flags
cf.setFeatureFlag(FlagHKDF)
if args.XChaCha20Poly1305 {
cf.setFeatureFlag(FlagXChaCha20Poly1305)
} else {
// 128-bit IVs are mandatory for AES-GCM (default is 96!) and AES-SIV,
// XChaCha20Poly1305 uses even an even longer IV of 192 bits.
cf.setFeatureFlag(FlagGCMIV128)
}
if args.PlaintextNames {
cf.setFeatureFlag(FlagPlaintextNames)
} else {
if !args.DeterministicNames {
cf.setFeatureFlag(FlagDirIV)
}
// 0 means to *use* the default (which means we don't have to save it), and
// 255 *is* the default, which means we don't have to save it either.
if args.LongNameMax != 0 && args.LongNameMax != 255 {
cf.LongNameMax = args.LongNameMax
cf.setFeatureFlag(FlagLongNameMax)
}
cf.setFeatureFlag(FlagEMENames)
cf.setFeatureFlag(FlagLongNames)
cf.setFeatureFlag(FlagRaw64)
}
if args.AESSIV {
cf.setFeatureFlag(FlagAESSIV)
}
// Catch bugs and invalid cli flag combinations early
cf.ScryptObject = NewScryptKDF(args.LogN)
if err := cf.Validate(); err != nil {
return err
}
// Catch bugs and invalid cli flag combinations early
cf.ScryptObject = NewScryptKDF(args.LogN)
if err := cf.Validate(); err != nil {
return err
}
{
// Generate new random master key
key := cryptocore.RandBytes(cryptocore.KeyLen)
// Encrypt it using the password
// This sets ScryptObject and EncryptedKey
// Note: this looks at the FeatureFlags, so call it AFTER setting them.
scryptHash := cf.EncryptKey(key, args.Password, args.LogN, len(returnedScryptHashBuff) > 0)
for i := range key {
key[i] = 0
}
for i := range scryptHash {
returnedScryptHashBuff[i] = scryptHash[i]
scryptHash[i] = 0
}
// key runs out of scope here
}
// Write file to disk
return cf.WriteFile()
}
// LoadAndDecrypt - read config file from disk and decrypt the
// contained key using "password".
// Returns the decrypted key and the ConfFile object
//
// If "password" is empty, the config file is read
// but the key is not decrypted (returns nil in its place).
func LoadAndDecrypt(filename string, password []byte) ([]byte, *ConfFile, error) {
cf, err := Load(filename)
if err != nil {
return nil, nil, err
}
if len(password) == 0 {
// We have validated the config file, but without a password we cannot
// decrypt the master key. Return only the parsed config.
return nil, cf, nil
// TODO: Make this an error in gocryptfs v1.7. All code should now call
// Load() instead of calling LoadAndDecrypt() with an empty password.
}
// Decrypt the masterkey using the password
key, _, err := cf.DecryptMasterKey(password, false)
if err != nil {
return nil, nil, err
}
return key, cf, err
}
// Load loads and parses the config file at "filename".
func Load(filename string) (*ConfFile, error) {
var cf ConfFile
cf.filename = filename
// Read from disk
js, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
if len(js) == 0 {
return nil, fmt.Errorf("Config file is empty")
}
// Unmarshal
err = json.Unmarshal(js, &cf)
if err != nil {
return nil, err
}
if err := cf.Validate(); err != nil {
return nil, exitcodes.NewErr(err.Error(), exitcodes.DeprecatedFS)
}
// All good
return &cf, nil
}
func (cf *ConfFile) setFeatureFlag(flag flagIota) {
if cf.IsFeatureFlagSet(flag) {
// Already set, ignore
return
}
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[flag])
}
// libgocryptfs function to allow masterkey to be directely decrypted using the scrypt hash
func (cf *ConfFile) DecryptMasterKeyWithScryptHash(scryptHash []byte) ([]byte, error) {
useHKDF := cf.IsFeatureFlagSet(FlagHKDF)
ce := getKeyEncrypter(scryptHash, useHKDF)
masterkey, err := ce.DecryptBlock(cf.EncryptedKey, 0, nil)
ce.Wipe()
ce = nil
if err != nil {
return nil, exitcodes.NewErr("Password incorrect.", exitcodes.PasswordIncorrect)
}
return masterkey, nil
}
// DecryptMasterKey decrypts the masterkey stored in cf.EncryptedKey using
// password.
func (cf *ConfFile) DecryptMasterKey(password []byte, giveHash bool) (masterkey, scryptHash []byte, err error) {
// Generate derived key from password
scryptHash = cf.ScryptObject.DeriveKey(password)
// Unlock master key using password-based key
masterkey, err = cf.DecryptMasterKeyWithScryptHash(scryptHash)
if !giveHash {
// Purge scrypt-derived key
for i := range scryptHash {
scryptHash[i] = 0
}
scryptHash = nil
}
return masterkey, scryptHash, err
}
// EncryptKey - encrypt "key" using an scrypt hash generated from "password"
// and store it in cf.EncryptedKey.
// Uses scrypt with cost parameter logN and stores the scrypt parameters in
// cf.ScryptObject.
func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int, giveHash bool) []byte {
// Generate scrypt-derived key from password
cf.ScryptObject = NewScryptKDF(logN)
scryptHash := cf.ScryptObject.DeriveKey(password)
// Lock master key using password-based key
useHKDF := cf.IsFeatureFlagSet(FlagHKDF)
ce := getKeyEncrypter(scryptHash, useHKDF)
cf.EncryptedKey = ce.EncryptBlock(key, 0, nil)
if !giveHash {
// Purge scrypt-derived key
for i := range scryptHash {
scryptHash[i] = 0
}
scryptHash = nil
}
ce.Wipe()
ce = nil
return scryptHash
}
func (cf *ConfFile) GetMasterkey(password, givenScryptHash, returnedScryptHashBuff []byte) ([]byte, error) {
var masterkey []byte
var err error
if len(givenScryptHash) > 0 { //decrypt with hash
masterkey, err = cf.DecryptMasterKeyWithScryptHash(givenScryptHash)
} else { //decrypt with password
var scryptHash []byte
masterkey, scryptHash, err = cf.DecryptMasterKey(password, len(returnedScryptHashBuff) > 0)
//copy and wipe scryptHash
for i := range scryptHash {
returnedScryptHashBuff[i] = scryptHash[i]
scryptHash[i] = 0
}
}
return masterkey, err
}
// WriteFile - write out config in JSON format to file "filename.tmp"
// then rename over "filename".
// This way a password change atomically replaces the file.
func (cf *ConfFile) WriteFile() error {
if err := cf.Validate(); err != nil {
return err
}
tmp := cf.filename + ".tmp"
// 0400 permissions: gocryptfs.conf should be kept secret and never be written to.
fd, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
if err != nil {
return err
}
js, err := json.MarshalIndent(cf, "", "\t")
if err != nil {
return err
}
// For convenience for the user, add a newline at the end.
js = append(js, '\n')
_, err = fd.Write(js)
if err != nil {
return err
}
err = fd.Sync()
if err != nil {
// This can happen on network drives: FRITZ.NAS mounted on MacOS returns
// "operation not supported": https://github.com/rfjakob/gocryptfs/issues/390
// Try sync instead
syscall.Sync()
}
err = fd.Close()
if err != nil {
return err
}
err = os.Rename(tmp, cf.filename)
return err
}
// getKeyEncrypter is a helper function that returns the right ContentEnc
// instance for the "useHKDF" setting.
func getKeyEncrypter(scryptHash []byte, useHKDF bool) *contentenc.ContentEnc {
IVLen := 96
// gocryptfs v1.2 and older used 96-bit IVs for master key encryption.
// v1.3 adds the "HKDF" feature flag, which also enables 128-bit nonces.
if useHKDF {
IVLen = contentenc.DefaultIVBits
}
cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, IVLen, useHKDF)
ce := contentenc.New(cc, 4096)
return ce
}
// ContentEncryption tells us which content encryption algorithm is selected
func (cf *ConfFile) ContentEncryption() (algo cryptocore.AEADTypeEnum, err error) {
if err := cf.Validate(); err != nil {
return cryptocore.AEADTypeEnum{}, err
}
if cf.IsFeatureFlagSet(FlagXChaCha20Poly1305) {
return cryptocore.BackendXChaCha20Poly1305, nil
}
if cf.IsFeatureFlagSet(FlagAESSIV) {
return cryptocore.BackendAESSIV, nil
}
// If neither AES-SIV nor XChaCha are selected, we must be using AES-GCM
return cryptocore.BackendGoGCM, nil
}