readpassword: convert from string to []byte

This will allows us to overwrite the password with zeros once we are done with it. https://github.com/rfjakob/gocryptfs/issues/211
author: Jakob Unterwurzacher 2018-02-18 14:26:54 +0100
committer: Jakob Unterwurzacher 2018-02-18 14:26:54 +0100
commit: 3b8f5cbb17c964224456bb36b096feafb0e24f44 (patch)
tree: 1caae8dbf736510b971790b94c1975b325dfe377 /internal/configfile
parent: 14c063428dcded6a1060395bb45bf7bd5d185738 (diff)
4 files changed, 21 insertions, 19 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index 01e3b80..3fd16c7 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -67,7 +67,7 @@ func randBytesDevRandom(n int) []byte {
 // CreateConfFile - create a new config with a random key encrypted with
 // "password" and write it to "filename".
 // Uses scrypt with cost parameter logN.
-func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error {
+func CreateConfFile(filename string, password []byte, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error {
 	var cf ConfFile
 	cf.filename = filename
 	cf.Creator = creator
@@ -114,7 +114,7 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN
 //
 // If "password" is empty, the config file is read
 // but the key is not decrypted (returns nil in its place).
-func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
+func LoadConfFile(filename string, password []byte) ([]byte, *ConfFile, error) {
 	var cf ConfFile
 	cf.filename = filename
 
@@ -171,7 +171,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
 
 		return nil, nil, fmt.Errorf("Deprecated filesystem")
 	}
-	if password == "" {
+	if len(password) == 0 {
 		// We have validated the config file, but without a password we cannot
 		// decrypt the master key. Return only the parsed config.
 		return nil, &cf, nil
@@ -199,7 +199,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
 // and store it in cf.EncryptedKey.
 // Uses scrypt with cost parameter logN and stores the scrypt parameters in
 // cf.ScryptObject.
-func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
+func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int) {
 	// Generate scrypt-derived key from password
 	cf.ScryptObject = NewScryptKDF(logN)
 	scryptHash := cf.ScryptObject.DeriveKey(password)
diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go
index b984a37..15728c6 100644
--- a/internal/configfile/config_test.go
+++ b/internal/configfile/config_test.go
@@ -8,8 +8,10 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
+var testPw = []byte("test")
+
 func TestLoadV1(t *testing.T) {
-	_, _, err := LoadConfFile("config_test/v1.conf", "test")
+	_, _, err := LoadConfFile("config_test/v1.conf", testPw)
 	if err == nil {
 		t.Errorf("Outdated v1 config file must fail to load but it didn't")
 	} else if testing.Verbose() {
@@ -22,7 +24,7 @@ func TestLoadV1(t *testing.T) {
 func TestLoadV2(t *testing.T) {
 	t1 := time.Now()
 
-	_, _, err := LoadConfFile("config_test/v2.conf", "test")
+	_, _, err := LoadConfFile("config_test/v2.conf", testPw)
 	if err != nil {
 		t.Errorf("Could not load v2 config file: %v", err)
 	}
@@ -37,21 +39,21 @@ func TestLoadV2PwdError(t *testing.T) {
 	if !testing.Verbose() {
 		tlog.Warn.Enabled = false
 	}
-	_, _, err := LoadConfFile("config_test/v2.conf", "wrongpassword")
+	_, _, err := LoadConfFile("config_test/v2.conf", []byte("wrongpassword"))
 	if err == nil {
 		t.Errorf("Loading with wrong password must fail but it didn't")
 	}
 }
 
 func TestLoadV2Feature(t *testing.T) {
-	_, _, err := LoadConfFile("config_test/PlaintextNames.conf", "test")
+	_, _, err := LoadConfFile("config_test/PlaintextNames.conf", testPw)
 	if err != nil {
 		t.Errorf("Could not load v2 PlaintextNames config file: %v", err)
 	}
 }
 
 func TestLoadV2StrangeFeature(t *testing.T) {
-	_, _, err := LoadConfFile("config_test/StrangeFeature.conf", "test")
+	_, _, err := LoadConfFile("config_test/StrangeFeature.conf", testPw)
 	if err == nil {
 		t.Errorf("Loading unknown feature must fail but it didn't")
 	} else if testing.Verbose() {
@@ -60,11 +62,11 @@ func TestLoadV2StrangeFeature(t *testing.T) {
 }
 
 func TestCreateConfDefault(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, false)
+	err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, c, err := LoadConfFile("config_test/tmp.conf", "test")
+	_, c, err := LoadConfFile("config_test/tmp.conf", testPw)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -81,18 +83,18 @@ func TestCreateConfDefault(t *testing.T) {
 }
 
 func TestCreateConfDevRandom(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, true)
+	err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 }
 
 func TestCreateConfPlaintextnames(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", true, 10, "test", false, false)
+	err := CreateConfFile("config_test/tmp.conf", testPw, true, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, c, err := LoadConfFile("config_test/tmp.conf", "test")
+	_, c, err := LoadConfFile("config_test/tmp.conf", testPw)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -109,11 +111,11 @@ func TestCreateConfPlaintextnames(t *testing.T) {
 
 // Reverse mode uses AESSIV
 func TestCreateConfFileAESSIV(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", true, false)
+	err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", true, false)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, c, err := LoadConfFile("config_test/tmp.conf", "test")
+	_, c, err := LoadConfFile("config_test/tmp.conf", testPw)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/internal/configfile/scrypt.go b/internal/configfile/scrypt.go
index b5a3edb..a1caf06 100644
--- a/internal/configfile/scrypt.go
+++ b/internal/configfile/scrypt.go
@@ -61,10 +61,10 @@ func NewScryptKDF(logN int) ScryptKDF {
 }
 
 // DeriveKey returns a new key from a supplied password.
-func (s *ScryptKDF) DeriveKey(pw string) []byte {
+func (s *ScryptKDF) DeriveKey(pw []byte) []byte {
 	s.validateParams()
 
-	k, err := scrypt.Key([]byte(pw), s.Salt, s.N, s.R, s.P, s.KeyLen)
+	k, err := scrypt.Key(pw, s.Salt, s.N, s.R, s.P, s.KeyLen)
 	if err != nil {
 		log.Panicf("DeriveKey failed: %v", err)
 	}
diff --git a/internal/configfile/scrypt_test.go b/internal/configfile/scrypt_test.go
index c1a656a..8f7a5c8 100644
--- a/internal/configfile/scrypt_test.go
+++ b/internal/configfile/scrypt_test.go
@@ -23,7 +23,7 @@ ok  	github.com/rfjakob/gocryptfs/cryptfs	18.772s
 func benchmarkScryptN(n int, b *testing.B) {
 	kdf := NewScryptKDF(n)
 	for i := 0; i < b.N; i++ {
-		kdf.DeriveKey("test")
+		kdf.DeriveKey(testPw)
 	}
 }
author	Jakob Unterwurzacher	2018-02-18 14:26:54 +0100
committer	Jakob Unterwurzacher	2018-02-18 14:26:54 +0100
commit	3b8f5cbb17c964224456bb36b096feafb0e24f44 (patch)
tree	1caae8dbf736510b971790b94c1975b325dfe377 /internal/configfile
parent	14c063428dcded6a1060395bb45bf7bd5d185738 (diff)