diff options
| author | Sebastian Lackner | 2017-11-19 13:30:04 +0100 |
|---|---|---|
| committer | rfjakob | 2017-11-21 23:37:06 +0100 |
| commit | f3c777d5eaa682d878c638192311e52f9c204294 (patch) | |
| tree | dc3fcf616371479abec93ab93688f9e2937e7d9d /internal/configfile/config_file.go | |
| parent | 1b0426bcb23a1850f3a03619a15413281dc733e3 (diff) | |
main: Add '-devrandom' commandline option
Allows to use /dev/random for generating the master key instead of the
default Go implementation. When the kernel random generator has been
properly initialized both are considered equally secure, however:
* Versions of Go prior to 1.9 just fall back to /dev/urandom if the
getrandom() syscall would be blocking (Go Bug #19274)
* Kernel versions prior to 3.17 do not support getrandom(), and there
is no check if the random generator has been properly initialized
before reading from /dev/urandom
This is especially useful for embedded hardware with low-entroy. Please
note that generation of the master key might block indefinitely if the
kernel cannot harvest enough entropy.
Diffstat (limited to 'internal/configfile/config_file.go')
| -rw-r--r-- | internal/configfile/config_file.go | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index fea4a84..67d67f0 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -5,7 +5,9 @@ package configfile import ( "encoding/json" "fmt" + "io" "io/ioutil" + "log" "github.com/rfjakob/gocryptfs/internal/contentenc" "github.com/rfjakob/gocryptfs/internal/cryptocore" @@ -47,10 +49,25 @@ type ConfFile struct { filename string } +// randBytesDevRandom gets "n" random bytes from /dev/random or panics +func randBytesDevRandom(n int) []byte { + f, err := os.Open("/dev/random") + if err != nil { + log.Panic("Failed to open /dev/random: " + err.Error()) + } + defer f.Close() + b := make([]byte, n) + _, err = io.ReadFull(f, b) + if err != nil { + log.Panic("Failed to read random bytes: " + err.Error()) + } + return b +} + // CreateConfFile - create a new config with a random key encrypted with // "password" and write it to "filename". // Uses scrypt with cost parameter logN. -func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool) error { +func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error { var cf ConfFile cf.filename = filename cf.Creator = creator @@ -72,7 +89,12 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN } // Generate new random master key - key := cryptocore.RandBytes(cryptocore.KeyLen) + var key []byte + if devrandom { + key = randBytesDevRandom(cryptocore.KeyLen) + } else { + key = cryptocore.RandBytes(cryptocore.KeyLen) + } // Encrypt it using the password // This sets ScryptObject and EncryptedKey |