main: purge masterkey from memory as soon as possible

Remove the "Masterkey" field from fusefrontend.Args because it
should not be stored longer than neccessary. Instead pass the
masterkey as a separate argument to the filesystem initializers.

Then overwrite it with zeros immediately so we don't have
to wait for garbage collection.

Note that the crypto implementation still stores at least a
masterkey-derived value, so this change makes it harder, but not
impossible, to extract the encryption keys from memory.

Suggested at https://github.com/rfjakob/gocryptfs/issues/137

1 files changed, 8 insertions, 2 deletions

diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go
index 1ad928d..aafe12b 100644
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@@ -72,7 +72,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		emeCipher = eme.New(emeBlockCipher)
 	}
 
-	// Initilize an AEAD cipher for file content encryption.
+	// Initialize an AEAD cipher for file content encryption.
 	var aeadCipher cipher.AEAD
 	if aeadType == BackendOpenSSL || aeadType == BackendGoGCM {
 		gcmKey := key
@@ -84,7 +84,13 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			if IVLen != 16 {
 				log.Panic("stupidgcm only supports 128-bit IVs")
 			}
-			aeadCipher = stupidgcm.New(gcmKey, forceDecode)
+			// stupidgcm does not create a private copy of the key, so things
+			// break when initFuseFrontend() overwrites it with zeros. Create
+			// a copy here. This is unneccessary when useHKDF == true, but
+			// does no harm.
+			var stupidgcmKey []byte
+			stupidgcmKey = append(stupidgcmKey, gcmKey...)
+			aeadCipher = stupidgcm.New(stupidgcmKey, forceDecode)
 		case BackendGoGCM:
 			goGcmBlockCipher, err := aes.NewCipher(gcmKey)
 			if err != nil {