diff options
author | Jakob Unterwurzacher | 2018-02-18 14:26:54 +0100 |
---|---|---|
committer | Jakob Unterwurzacher | 2018-02-18 14:26:54 +0100 |
commit | 3b8f5cbb17c964224456bb36b096feafb0e24f44 (patch) | |
tree | 1caae8dbf736510b971790b94c1975b325dfe377 /internal/configfile | |
parent | 14c063428dcded6a1060395bb45bf7bd5d185738 (diff) |
readpassword: convert from string to []byte
This will allows us to overwrite the password
with zeros once we are done with it.
https://github.com/rfjakob/gocryptfs/issues/211
Diffstat (limited to 'internal/configfile')
-rw-r--r-- | internal/configfile/config_file.go | 8 | ||||
-rw-r--r-- | internal/configfile/config_test.go | 26 | ||||
-rw-r--r-- | internal/configfile/scrypt.go | 4 | ||||
-rw-r--r-- | internal/configfile/scrypt_test.go | 2 |
4 files changed, 21 insertions, 19 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 01e3b80..3fd16c7 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -67,7 +67,7 @@ func randBytesDevRandom(n int) []byte { // CreateConfFile - create a new config with a random key encrypted with // "password" and write it to "filename". // Uses scrypt with cost parameter logN. -func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error { +func CreateConfFile(filename string, password []byte, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error { var cf ConfFile cf.filename = filename cf.Creator = creator @@ -114,7 +114,7 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN // // If "password" is empty, the config file is read // but the key is not decrypted (returns nil in its place). -func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) { +func LoadConfFile(filename string, password []byte) ([]byte, *ConfFile, error) { var cf ConfFile cf.filename = filename @@ -171,7 +171,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) { return nil, nil, fmt.Errorf("Deprecated filesystem") } - if password == "" { + if len(password) == 0 { // We have validated the config file, but without a password we cannot // decrypt the master key. Return only the parsed config. return nil, &cf, nil @@ -199,7 +199,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) { // and store it in cf.EncryptedKey. // Uses scrypt with cost parameter logN and stores the scrypt parameters in // cf.ScryptObject. -func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) { +func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int) { // Generate scrypt-derived key from password cf.ScryptObject = NewScryptKDF(logN) scryptHash := cf.ScryptObject.DeriveKey(password) diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index b984a37..15728c6 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -8,8 +8,10 @@ import ( "github.com/rfjakob/gocryptfs/internal/tlog" ) +var testPw = []byte("test") + func TestLoadV1(t *testing.T) { - _, _, err := LoadConfFile("config_test/v1.conf", "test") + _, _, err := LoadConfFile("config_test/v1.conf", testPw) if err == nil { t.Errorf("Outdated v1 config file must fail to load but it didn't") } else if testing.Verbose() { @@ -22,7 +24,7 @@ func TestLoadV1(t *testing.T) { func TestLoadV2(t *testing.T) { t1 := time.Now() - _, _, err := LoadConfFile("config_test/v2.conf", "test") + _, _, err := LoadConfFile("config_test/v2.conf", testPw) if err != nil { t.Errorf("Could not load v2 config file: %v", err) } @@ -37,21 +39,21 @@ func TestLoadV2PwdError(t *testing.T) { if !testing.Verbose() { tlog.Warn.Enabled = false } - _, _, err := LoadConfFile("config_test/v2.conf", "wrongpassword") + _, _, err := LoadConfFile("config_test/v2.conf", []byte("wrongpassword")) if err == nil { t.Errorf("Loading with wrong password must fail but it didn't") } } func TestLoadV2Feature(t *testing.T) { - _, _, err := LoadConfFile("config_test/PlaintextNames.conf", "test") + _, _, err := LoadConfFile("config_test/PlaintextNames.conf", testPw) if err != nil { t.Errorf("Could not load v2 PlaintextNames config file: %v", err) } } func TestLoadV2StrangeFeature(t *testing.T) { - _, _, err := LoadConfFile("config_test/StrangeFeature.conf", "test") + _, _, err := LoadConfFile("config_test/StrangeFeature.conf", testPw) if err == nil { t.Errorf("Loading unknown feature must fail but it didn't") } else if testing.Verbose() { @@ -60,11 +62,11 @@ func TestLoadV2StrangeFeature(t *testing.T) { } func TestCreateConfDefault(t *testing.T) { - err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, false) + err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", false, false) if err != nil { t.Fatal(err) } - _, c, err := LoadConfFile("config_test/tmp.conf", "test") + _, c, err := LoadConfFile("config_test/tmp.conf", testPw) if err != nil { t.Fatal(err) } @@ -81,18 +83,18 @@ func TestCreateConfDefault(t *testing.T) { } func TestCreateConfDevRandom(t *testing.T) { - err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, true) + err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", false, true) if err != nil { t.Fatal(err) } } func TestCreateConfPlaintextnames(t *testing.T) { - err := CreateConfFile("config_test/tmp.conf", "test", true, 10, "test", false, false) + err := CreateConfFile("config_test/tmp.conf", testPw, true, 10, "test", false, false) if err != nil { t.Fatal(err) } - _, c, err := LoadConfFile("config_test/tmp.conf", "test") + _, c, err := LoadConfFile("config_test/tmp.conf", testPw) if err != nil { t.Fatal(err) } @@ -109,11 +111,11 @@ func TestCreateConfPlaintextnames(t *testing.T) { // Reverse mode uses AESSIV func TestCreateConfFileAESSIV(t *testing.T) { - err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", true, false) + err := CreateConfFile("config_test/tmp.conf", testPw, false, 10, "test", true, false) if err != nil { t.Fatal(err) } - _, c, err := LoadConfFile("config_test/tmp.conf", "test") + _, c, err := LoadConfFile("config_test/tmp.conf", testPw) if err != nil { t.Fatal(err) } diff --git a/internal/configfile/scrypt.go b/internal/configfile/scrypt.go index b5a3edb..a1caf06 100644 --- a/internal/configfile/scrypt.go +++ b/internal/configfile/scrypt.go @@ -61,10 +61,10 @@ func NewScryptKDF(logN int) ScryptKDF { } // DeriveKey returns a new key from a supplied password. -func (s *ScryptKDF) DeriveKey(pw string) []byte { +func (s *ScryptKDF) DeriveKey(pw []byte) []byte { s.validateParams() - k, err := scrypt.Key([]byte(pw), s.Salt, s.N, s.R, s.P, s.KeyLen) + k, err := scrypt.Key(pw, s.Salt, s.N, s.R, s.P, s.KeyLen) if err != nil { log.Panicf("DeriveKey failed: %v", err) } diff --git a/internal/configfile/scrypt_test.go b/internal/configfile/scrypt_test.go index c1a656a..8f7a5c8 100644 --- a/internal/configfile/scrypt_test.go +++ b/internal/configfile/scrypt_test.go @@ -23,7 +23,7 @@ ok github.com/rfjakob/gocryptfs/cryptfs 18.772s func benchmarkScryptN(n int, b *testing.B) { kdf := NewScryptKDF(n) for i := 0; i < b.N; i++ { - kdf.DeriveKey("test") + kdf.DeriveKey(testPw) } } |