main: accept multiple -passfile options

Each file will be read and then concatenated
for the effictive password. This can be used as a
kind of multi-factor authenticiton.

Fixes https://github.com/rfjakob/gocryptfs/issues/288

12 files changed, 98 insertions, 36 deletions

diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md
index e5a70b8..f9cf728 100644
--- a/Documentation/MANPAGE.md
+++ b/Documentation/MANPAGE.md
@@ -109,7 +109,7 @@ See also `-exclude`, `-exclude-wildcard` and the [EXCLUDING FILES](#excluding-fi
 Enable (`-exec`) or disable (`-noexec`) executables in a gocryptfs mount
 (default: `-exec`). If both are specified, `-noexec` takes precedence.
 
-#### -extpass string
+#### -extpass CMD [-extpass ARG1 ...]
 Use an external program (like ssh-askpass) for the password prompt.
 The program should return the password on stdout, a trailing newline is
 stripped by gocryptfs. If you just want to read from a password file, see `-passfile`.
@@ -302,14 +302,23 @@ built-in crypto is 4x slower unless your CPU has AES instructions and
 you are using Go 1.6+. In mode "auto", gocrypts chooses the faster
 option.
 
-#### -passfile string
-Read password from the specified file. A warning will be printed if there
-is more than one line, and only the first line will be used. A single
+#### -passfile FILE [-passfile FILE2 ...]
+Read password from the specified plain text file. The file should contain exactly
+one line (do not use binary files!).
+A warning will be printed if there is more than one line, and only
+the first line will be used. A single
 trailing newline is allowed and does not cause a warning.
 
-Before gocryptfs v1.7, using `-passfile` was equivant to writing
-`-extpass="/bin/cat -- FILE"`.
-gocryptfs v1.7 and later directly read the file without invoking `cat`.
+Pass this option multiple times to read the first line from multiple
+files. They are concatenated for the effective password.
+
+Example:
+
+    echo hello > hello.txt
+    echo word > world.txt
+    gocryptfs -passfile hello.txt -passfile world.txt
+
+The effective password will be "helloworld".
 
 #### -passwd
 Change the password. Will ask for the old password, check if it is
diff --git a/cli_args.go b/cli_args.go
index e5eebf8..e4073fa 100644
--- a/cli_args.go
+++ b/cli_args.go
@@ -32,9 +32,9 @@ type argContainer struct {
 	// Mount options with opposites
 	dev, nodev, suid, nosuid, exec, noexec, rw, ro bool
 	masterkey, mountpoint, cipherdir, cpuprofile,
-	memprofile, ko, passfile, ctlsock, fsname, force_owner, trace string
-	// -extpass and -badname can be passed multiple times
-	extpass, badname multipleStrings
+	memprofile, ko, ctlsock, fsname, force_owner, trace string
+	// -extpass, -badname, -passfile can be passed multiple times
+	extpass, badname, passfile multipleStrings
 	// For reverse mode, several ways to specify exclusions. All can be specified multiple times.
 	exclude, excludeWildcard, excludeFrom multipleStrings
 	// Configuration file name override
@@ -184,7 +184,6 @@ func parseCliOpts() (args argContainer) {
 	flagSet.StringVar(&args.cpuprofile, "cpuprofile", "", "Write cpu profile to specified file")
 	flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
 	flagSet.StringVar(&args.config, "config", "", "Use specified config file instead of CIPHERDIR/gocryptfs.conf")
-	flagSet.StringVar(&args.passfile, "passfile", "", "Read password from file")
 	flagSet.StringVar(&args.ko, "ko", "", "Pass additional options directly to the kernel, comma-separated list")
 	flagSet.StringVar(&args.ctlsock, "ctlsock", "", "Create control socket at specified path")
 	flagSet.StringVar(&args.fsname, "fsname", "", "Override the filesystem name")
@@ -198,9 +197,10 @@ func parseCliOpts() (args argContainer) {
 	flagSet.Var(&args.excludeWildcard, "exclude-wildcard", "Exclude path from reverse view, supporting wildcards")
 	flagSet.Var(&args.excludeFrom, "exclude-from", "File from which to read exclusion patterns (with -exclude-wildcard syntax)")
 
-	// -extpass
+	// multipleStrings options ([]string)
 	flagSet.Var(&args.extpass, "extpass", "Use external program for the password prompt")
 	flagSet.Var(&args.badname, "badname", "Glob pattern invalid file names that should be shown")
+	flagSet.Var(&args.passfile, "passfile", "Read password from file")
 
 	flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+
 		"successful mount - used internally for daemonization")
@@ -267,11 +267,11 @@ func parseCliOpts() (args argContainer) {
 		args.allow_other = false
 		args.ko = "noexec"
 	}
-	if !args.extpass.Empty() && args.passfile != "" {
+	if !args.extpass.Empty() && len(args.passfile) != 0 {
 		tlog.Fatal.Printf("The options -extpass and -passfile cannot be used at the same time")
 		os.Exit(exitcodes.Usage)
 	}
-	if args.passfile != "" && args.masterkey != "" {
+	if len(args.passfile) != 0 && args.masterkey != "" {
 		tlog.Fatal.Printf("The options -passfile and -masterkey cannot be used at the same time")
 		os.Exit(exitcodes.Usage)
 	}
diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index ea000c0..7e928e7 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -105,7 +105,7 @@ func main() {
 
 func dumpMasterKey(fn string) {
 	tlog.Info.Enabled = false
-	pw := readpassword.Once(nil, "", "")
+	pw := readpassword.Once(nil, nil, "")
 	masterkey, _, err := configfile.LoadAndDecrypt(fn, pw)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
diff --git a/help.go b/help.go
index 9df25b6..5cd35ac 100644
--- a/help.go
+++ b/help.go
@@ -33,7 +33,7 @@ Common Options (use -hh to show all):
   -masterkey         Mount with explicit master key instead of password
   -nonempty          Allow mounting over non-empty directory
   -nosyslog          Do not redirect log messages to syslog
-  -passfile          Read password from file
+  -passfile          Read password from plain text file(s)
   -passwd            Change password
   -plaintextnames    Do not encrypt file names (with -init)
   -q, -quiet         Silence informational messages
diff --git a/init_dir.go b/init_dir.go
index 1bba59e..5939598 100644
--- a/init_dir.go
+++ b/init_dir.go
@@ -71,7 +71,7 @@ func initDir(args *argContainer) {
 		tlog.Info.Printf("Choose a password for protecting your files.")
 	}
 	{
-		password := readpassword.Twice([]string(args.extpass), args.passfile)
+		password := readpassword.Twice([]string(args.extpass), []string(args.passfile))
 		creator := tlog.ProgramName + " " + GitVersion
 		err = configfile.Create(args.config, password, args.plaintextnames,
 			args.scryptn, creator, args.aessiv, args.devrandom)
diff --git a/internal/readpassword/extpass_test.go b/internal/readpassword/extpass_test.go
index b4ca8fa..9a643a5 100644
--- a/internal/readpassword/extpass_test.go
+++ b/internal/readpassword/extpass_test.go
@@ -26,7 +26,7 @@ func TestExtpass(t *testing.T) {
 
 func TestOnceExtpass(t *testing.T) {
 	p1 := "lkadsf0923rdfi48rqwhdsf"
-	p2 := string(Once([]string{"echo " + p1}, "", ""))
+	p2 := string(Once([]string{"echo " + p1}, nil, ""))
 	if p1 != p2 {
 		t.Errorf("p1=%q != p2=%q", p1, p2)
 	}
@@ -35,7 +35,7 @@ func TestOnceExtpass(t *testing.T) {
 // extpass with two arguments
 func TestOnceExtpass2(t *testing.T) {
 	p1 := "foo"
-	p2 := string(Once([]string{"echo", p1}, "", ""))
+	p2 := string(Once([]string{"echo", p1}, nil, ""))
 	if p1 != p2 {
 		t.Errorf("p1=%q != p2=%q", p1, p2)
 	}
@@ -44,7 +44,7 @@ func TestOnceExtpass2(t *testing.T) {
 // extpass with three arguments
 func TestOnceExtpass3(t *testing.T) {
 	p1 := "foo bar baz"
-	p2 := string(Once([]string{"echo", "foo", "bar", "baz"}, "", ""))
+	p2 := string(Once([]string{"echo", "foo", "bar", "baz"}, nil, ""))
 	if p1 != p2 {
 		t.Errorf("p1=%q != p2=%q", p1, p2)
 	}
@@ -52,7 +52,7 @@ func TestOnceExtpass3(t *testing.T) {
 
 func TestOnceExtpassSpaces(t *testing.T) {
 	p1 := "mypassword"
-	p2 := string(Once([]string{"cat", "passfile_test_files/file with spaces.txt"}, "", ""))
+	p2 := string(Once([]string{"cat", "passfile_test_files/file with spaces.txt"}, nil, ""))
 	if p1 != p2 {
 		t.Errorf("p1=%q != p2=%q", p1, p2)
 	}
@@ -60,7 +60,7 @@ func TestOnceExtpassSpaces(t *testing.T) {
 
 func TestTwiceExtpass(t *testing.T) {
 	p1 := "w5w44t3wfe45srz434"
-	p2 := string(Once([]string{"echo " + p1}, "", ""))
+	p2 := string(Once([]string{"echo " + p1}, nil, ""))
 	if p1 != p2 {
 		t.Errorf("p1=%q != p2=%q", p1, p2)
 	}
diff --git a/internal/readpassword/passfile.go b/internal/readpassword/passfile.go
index 73af279..df6cd4d 100644
--- a/internal/readpassword/passfile.go
+++ b/internal/readpassword/passfile.go
@@ -8,6 +8,16 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
+// readPassFileConcatenate reads the first line from each file name and
+// concatenates the results. The result does not contain any newlines.
+func readPassFileConcatenate(passfileSlice []string) (result []byte) {
+	for _, e := range passfileSlice {
+		result = append(result, readPassFile(e)...)
+	}
+	return result
+}
+
+// readPassFile reads the first line from the passed file name.
 func readPassFile(passfile string) []byte {
 	tlog.Info.Printf("passfile: reading from file %q", passfile)
 	f, err := os.Open(passfile)
@@ -36,7 +46,7 @@ func readPassFile(passfile string) []byte {
 		os.Exit(exitcodes.ReadPassword)
 	}
 	if len(lines) > 1 && len(lines[1]) > 0 {
-		tlog.Warn.Printf("passfile: ignoring trailing garbage (%d bytes) after first line",
+		tlog.Warn.Printf("warning: passfile: ignoring trailing garbage (%d bytes) after first line",
 			len(lines[1]))
 	}
 	return lines[0]
diff --git a/internal/readpassword/passfile_test.go b/internal/readpassword/passfile_test.go
index cb7fa44..dbfe159 100644
--- a/internal/readpassword/passfile_test.go
+++ b/internal/readpassword/passfile_test.go
@@ -21,13 +21,20 @@ func TestPassfile(t *testing.T) {
 		if string(pw) != tc.want {
 			t.Errorf("Wrong result: want=%q have=%q", tc.want, pw)
 		}
+		// Calling readPassFileConcatenate with only one element should give the
+		// same result
+		pw = readPassFileConcatenate([]string{"passfile_test_files/" + tc.file})
+		if string(pw) != tc.want {
+			t.Errorf("Wrong result: want=%q have=%q", tc.want, pw)
+		}
 	}
 }
 
 // readPassFile() should exit instead of returning an empty string.
 //
 // The TEST_SLAVE magic is explained at
-// https://talks.golang.org/2014/testing.slide#23 .
+// https://talks.golang.org/2014/testing.slide#23 , mirror:
+// http://web.archive.org/web/20200426174352/https://talks.golang.org/2014/testing.slide#23
 func TestPassfileEmpty(t *testing.T) {
 	if os.Getenv("TEST_SLAVE") == "1" {
 		readPassFile("passfile_test_files/empty.txt")
@@ -46,7 +53,8 @@ func TestPassfileEmpty(t *testing.T) {
 // readPassFile() should exit instead of returning an empty string.
 //
 // The TEST_SLAVE magic is explained at
-// https://talks.golang.org/2014/testing.slide#23 .
+// https://talks.golang.org/2014/testing.slide#23 , mirror:
+// http://web.archive.org/web/20200426174352/https://talks.golang.org/2014/testing.slide#23
 func TestPassfileNewline(t *testing.T) {
 	if os.Getenv("TEST_SLAVE") == "1" {
 		readPassFile("passfile_test_files/newline.txt")
@@ -65,7 +73,8 @@ func TestPassfileNewline(t *testing.T) {
 // readPassFile() should exit instead of returning an empty string.
 //
 // The TEST_SLAVE magic is explained at
-// https://talks.golang.org/2014/testing.slide#23 .
+// https://talks.golang.org/2014/testing.slide#23 , mirror:
+// http://web.archive.org/web/20200426174352/https://talks.golang.org/2014/testing.slide#23
 func TestPassfileEmptyFirstLine(t *testing.T) {
 	if os.Getenv("TEST_SLAVE") == "1" {
 		readPassFile("passfile_test_files/empty_first_line.txt")
@@ -79,3 +88,15 @@ func TestPassfileEmptyFirstLine(t *testing.T) {
 	}
 	t.Fatal("should have exited")
 }
+
+// TestPassFileConcatenate tests readPassFileConcatenate
+func TestPassFileConcatenate(t *testing.T) {
+	files := []string{
+		"passfile_test_files/file with spaces.txt",
+		"passfile_test_files/mypassword_garbage.txt",
+	}
+	res := string(readPassFileConcatenate(files))
+	if res != "mypasswordmypassword" {
+		t.Errorf("wrong result: %q", res)
+	}
+}
diff --git a/internal/readpassword/read.go b/internal/readpassword/read.go
index 92a0886..e116f0b 100644
--- a/internal/readpassword/read.go
+++ b/internal/readpassword/read.go
@@ -20,11 +20,11 @@ const (
 	maxPasswordLen = 2048
 )
 
-// Once tries to get a password from the user, either from the terminal, extpass
+// Once tries to get a password from the user, either from the terminal, extpass, passfile
 // or stdin. Leave "prompt" empty to use the default "Password: " prompt.
-func Once(extpass []string, passfile string, prompt string) []byte {
-	if passfile != "" {
-		return readPassFile(passfile)
+func Once(extpass []string, passfile []string, prompt string) []byte {
+	if len(passfile) != 0 {
+		return readPassFileConcatenate(passfile)
 	}
 	if len(extpass) != 0 {
 		return readPasswordExtpass(extpass)
@@ -40,9 +40,9 @@ func Once(extpass []string, passfile string, prompt string) []byte {
 
 // Twice is the same as Once but will prompt twice if we get the password from
 // the terminal.
-func Twice(extpass []string, passfile string) []byte {
-	if passfile != "" {
-		return readPassFile(passfile)
+func Twice(extpass []string, passfile []string) []byte {
+	if len(passfile) != 0 {
+		return readPassFileConcatenate(passfile)
 	}
 	if len(extpass) != 0 {
 		return readPasswordExtpass(extpass)
diff --git a/main.go b/main.go
index de627cb..11e15b2 100644
--- a/main.go
+++ b/main.go
@@ -50,7 +50,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile,
 	if masterkey != nil {
 		return masterkey, cf, nil
 	}
-	pw := readpassword.Once([]string(args.extpass), args.passfile, "")
+	pw := readpassword.Once([]string(args.extpass), []string(args.passfile), "")
 	tlog.Info.Println("Decrypting master key")
 	masterkey, err = cf.DecryptMasterKey(pw)
 	for i := range pw {
@@ -79,7 +79,7 @@ func changePassword(args *argContainer) {
 			log.Panic("empty masterkey")
 		}
 		tlog.Info.Println("Please enter your new password.")
-		newPw := readpassword.Twice([]string(args.extpass), args.passfile)
+		newPw := readpassword.Twice([]string(args.extpass), []string(args.passfile))
 		logN := confFile.ScryptObject.LogN()
 		if args._explicitScryptn {
 			logN = args.scryptn
diff --git a/masterkey.go b/masterkey.go
index 7b6779d..8d75c75 100644
--- a/masterkey.go
+++ b/masterkey.go
@@ -39,7 +39,7 @@ func unhexMasterKey(masterkey string, fromStdin bool) []byte {
 func handleArgsMasterkey(args *argContainer) (masterkey []byte) {
 	// "-masterkey=stdin"
 	if args.masterkey == "stdin" {
-		in := string(readpassword.Once(nil, "", "Masterkey"))
+		in := string(readpassword.Once(nil, nil, "Masterkey"))
 		return unhexMasterKey(in, true)
 	}
 	// "-masterkey=941a6029-3adc6a1c-..."
diff --git a/tests/cli/cli_test.go b/tests/cli/cli_test.go
index c6e86da..2484cf3 100644
--- a/tests/cli/cli_test.go
+++ b/tests/cli/cli_test.go
@@ -741,3 +741,25 @@ func TestBadname(t *testing.T) {
 		t.Errorf("did not find invalid name %s in %v", invalid_file_name, names)
 	}
 }
+
+// TestPassfile tests the `-passfile` option
+func TestPassfile(t *testing.T) {
+	dir := test_helpers.InitFS(t)
+	mnt := dir + ".mnt"
+	passfile1 := mnt + ".1.txt"
+	ioutil.WriteFile(passfile1, []byte("test"), 0600)
+	test_helpers.MountOrFatal(t, dir, mnt, "-passfile="+passfile1)
+	defer test_helpers.UnmountPanic(mnt)
+}
+
+// TestPassfileX2 tests that the `-passfile` option can be passed twice
+func TestPassfileX2(t *testing.T) {
+	dir := test_helpers.InitFS(t)
+	mnt := dir + ".mnt"
+	passfile1 := mnt + ".1.txt"
+	passfile2 := mnt + ".2.txt"
+	ioutil.WriteFile(passfile1, []byte("te"), 0600)
+	ioutil.WriteFile(passfile2, []byte("st"), 0600)
+	test_helpers.MountOrFatal(t, dir, mnt, "-passfile="+passfile1, "-passfile="+passfile2)
+	defer test_helpers.UnmountPanic(mnt)
+}