authorJakob Unterwurzacher2015-11-01 01:32:33 +0100
committerJakob Unterwurzacher2015-11-01 01:38:27 +0100
commit76311b60f2e208dbd93e1e7b6e9794770c14fede (patch)
treefa71d48744fd1ad6de26aaadd03f2440e4d4103d /cryptfs/config_file.go
parent73fa8efdb27172210b9751eb86689287db0b1170 (diff)
Add file header (on-disk-format change)
Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random *file id* * Each block uses the file id and its block number as GCM *authentication data* * This means the position of the blocks is protected as well. The blocks cannot be reordered or copied between different files without causing a decryption error.
Diffstat (limited to 'cryptfs/config_file.go')
-rw-r--r--cryptfs/config_file.go14
1 files changed, 12 insertions, 2 deletions
diff --git a/cryptfs/config_file.go b/cryptfs/config_file.go
index ef426ff..7e762ad 100644
--- a/cryptfs/config_file.go
+++ b/cryptfs/config_file.go
@@ -1,6 +1,7 @@
package cryptfs
import (
+ "fmt"
"encoding/json"
"io/ioutil"
)
@@ -19,6 +20,8 @@ type ConfFile struct {
EncryptedKey []byte
// Stores parameters for scrypt hashing (key derivation)
ScryptObject scryptKdf
+ // The On-Disk-Format version this filesystem uses
+ Version uint16
}
// CreateConfFile - create a new config with a random key encrypted with
@@ -31,8 +34,11 @@ func CreateConfFile(filename string, password string) error {
key := RandBytes(KEY_LEN)
// Encrypt it using the password
+ // This sets ScryptObject and EncryptedKey
cf.EncryptKey(key, password)
+ cf.Version = HEADER_CURRENT_VERSION
+
// Write file to disk
err := cf.WriteFile()
@@ -58,6 +64,10 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
return nil, nil, err
}
+ if cf.Version != HEADER_CURRENT_VERSION {
+ return nil, nil, fmt.Errorf("Unsupported version %d", cf.Version)
+ }
+
// Generate derived key from password
scryptHash := cf.ScryptObject.DeriveKey(password)
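Review bot: The version check in LoadConfFile compares a plaintext JSON field that nothing visible here authenticates, and it runs before the password is verified, so it works as a compatibility gate rather than a security control. With a single accepted version a modified value can only cause a refusal, but if several versions are ever accepted the field would need to be bound to the encrypted key to rule out a downgrade. A config written before this commit presumably decodes with Version 0 and gets "Unsupported version 0", which does not tell the user what is expected; consider `return nil, nil, fmt.Errorf("unsupported on-disk format version %d (this build expects %d)", cf.Version, HEADER_CURRENT_VERSION)`, which also follows Go's lowercase error-string convention. LoadConfFile starts and ends outside the hunk.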
@@ -65,7 +75,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
// We use stock go GCM instead of OpenSSL here as speed is not important
// and we get better error messages
cfs := NewCryptFS(scryptHash, false)
- key, err := cfs.DecryptBlock(cf.EncryptedKey, 0)
+ key, err := cfs.DecryptBlock(cf.EncryptedKey, 0, nil)
if err != nil {
Warn.Printf("failed to unlock master key: %s\n", err.Error())
Warn.Printf("Password incorrect.\n")
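Review bot: The `nil` now passed as the third argument to DecryptBlock here, and to EncryptBlock in the EncryptKey hunk, is unexplained. Going by the commit description it is presumably the file id used as GCM authentication data, which would mean the wrapped master key is authenticated with block number 0 alone; a comment such as `// No file id: the config file has no header, only block number 0 is authenticated` above both calls would make that a visible decision. If that argument accepts arbitrary bytes, the new Version value is a candidate for it, so that the version becomes tamper-evident together with the key. Both function bodies extend outside their hunks.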
@@ -84,7 +94,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password string) {
// Lock master key using password-based key
cfs := NewCryptFS(scryptHash, false)
- cf.EncryptedKey = cfs.EncryptBlock(key, 0)
+ cf.EncryptedKey = cfs.EncryptBlock(key, 0, nil)
}
// WriteFile - write out config in JSON format to file "filename.tmp"