summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cryptfs/config_file.go15
-rw-r--r--cryptfs/config_test.go2
-rw-r--r--cryptfs/kdf.go22
-rw-r--r--integration_tests/cli_test.go4
-rw-r--r--main.go8
5 files changed, 36 insertions, 15 deletions
diff --git a/cryptfs/config_file.go b/cryptfs/config_file.go
index a0ab218..be37c60 100644
--- a/cryptfs/config_file.go
+++ b/cryptfs/config_file.go
@@ -35,8 +35,9 @@ type ConfFile struct {
}
// CreateConfFile - create a new config with a random key encrypted with
-// "password" and write it to "filename"
-func CreateConfFile(filename string, password string, plaintextNames bool) error {
+// "password" and write it to "filename".
+// Uses scrypt with cost parameter logN.
+func CreateConfFile(filename string, password string, plaintextNames bool, logN int) error {
var cf ConfFile
cf.filename = filename
@@ -45,7 +46,7 @@ func CreateConfFile(filename string, password string, plaintextNames bool) error
// Encrypt it using the password
// This sets ScryptObject and EncryptedKey
- cf.EncryptKey(key, password)
+ cf.EncryptKey(key, password, logN)
// Set defaults
cf.Version = HEADER_CURRENT_VERSION
@@ -109,10 +110,12 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
}
// EncryptKey - encrypt "key" using an scrypt hash generated from "password"
-// and store it in cf.EncryptedKey
-func (cf *ConfFile) EncryptKey(key []byte, password string) {
+// and store it in cf.EncryptedKey.
+// Uses scrypt with cost parameter logN and stores the scrypt parameters in
+// cf.ScryptObject.
+func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
// Generate derived key from password
- cf.ScryptObject = NewScryptKdf()
+ cf.ScryptObject = NewScryptKdf(logN)
scryptHash := cf.ScryptObject.DeriveKey(password)
// Lock master key using password-based key
diff --git a/cryptfs/config_test.go b/cryptfs/config_test.go
index e052428..1c5a375 100644
--- a/cryptfs/config_test.go
+++ b/cryptfs/config_test.go
@@ -59,7 +59,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
}
func TestCreateConfFile(t *testing.T) {
- err := CreateConfFile("config_test/tmp.conf", "test", false)
+ err := CreateConfFile("config_test/tmp.conf", "test", false, 0)
if err != nil {
t.Fatal(err)
}
diff --git a/cryptfs/kdf.go b/cryptfs/kdf.go
index 32870cd..73be0bb 100644
--- a/cryptfs/kdf.go
+++ b/cryptfs/kdf.go
@@ -1,6 +1,8 @@
package cryptfs
import (
+ "os"
+ "math"
"fmt"
"golang.org/x/crypto/scrypt"
)
@@ -8,7 +10,7 @@ import (
const (
// 1 << 16 uses 64MB of memory,
// takes 4 seconds on my Atom Z3735F netbook
- SCRYPT_DEFAULT_N = 1 << 16
+ SCRYPT_DEFAULT_LOGN = 16
)
type scryptKdf struct {
@@ -19,10 +21,18 @@ type scryptKdf struct {
KeyLen int
}
-func NewScryptKdf() scryptKdf {
+func NewScryptKdf(logN int) scryptKdf {
var s scryptKdf
s.Salt = RandBytes(KEY_LEN)
- s.N = SCRYPT_DEFAULT_N
+ if logN <= 0 {
+ s.N = 1 << SCRYPT_DEFAULT_LOGN
+ } else {
+ if logN < 10 {
+ fmt.Printf("Error: scryptn below 10 is too low to make sense. Aborting.")
+ os.Exit(1)
+ }
+ s.N = 1 << uint32(logN)
+ }
s.R = 8 // Always 8
s.P = 1 // Always 1
s.KeyLen = KEY_LEN
@@ -36,3 +46,9 @@ func (s *scryptKdf) DeriveKey(pw string) []byte {
}
return k
}
+
+// LogN - N is saved as 2^LogN, but LogN is much easier to work with.
+// This function gives you LogN = Log2(N).
+func (s *scryptKdf) LogN() int {
+ return int(math.Log2(float64(s.N))+0.5)
+}
diff --git a/integration_tests/cli_test.go b/integration_tests/cli_test.go
index d79b877..7047edb 100644
--- a/integration_tests/cli_test.go
+++ b/integration_tests/cli_test.go
@@ -17,7 +17,7 @@ func TestInit(t *testing.T) {
if err != nil {
t.Fatal(err)
}
- cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test", dir)
+ cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test", "-scryptn=10", dir)
if testing.Verbose() {
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
@@ -52,7 +52,7 @@ func TestInitConfig(t *testing.T) {
t.Fatal(err)
}
cmd := exec.Command(gocryptfsBinary, "-init", "-extpass", "echo test",
- "-config", config, dir)
+ "-config", config, "-scryptn=10", dir)
if testing.Verbose() {
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
diff --git a/main.go b/main.go
index ab2c1f1..7184255 100644
--- a/main.go
+++ b/main.go
@@ -37,7 +37,7 @@ type argContainer struct {
debug, init, zerokey, fusedebug, openssl, passwd, foreground, version,
plaintextnames, quiet, diriv bool
masterkey, mountpoint, cipherdir, cpuprofile, config, extpass string
- notifypid int
+ notifypid, scryptn int
}
var flagSet *flag.FlagSet
@@ -62,7 +62,7 @@ func initDir(args *argContainer) {
// Create gocryptfs.conf
cryptfs.Info.Printf("Choose a password for protecting your files.\n")
password := readPasswordTwice(args.extpass)
- err = cryptfs.CreateConfFile(args.config, password, args.plaintextnames)
+ err = cryptfs.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn)
if err != nil {
fmt.Println(err)
os.Exit(ERREXIT_INIT)
@@ -109,7 +109,7 @@ func changePassword(args *argContainer) {
masterkey, confFile := loadConfig(args)
fmt.Printf("Please enter your new password.\n")
newPw := readPasswordTwice(args.extpass)
- confFile.EncryptKey(masterkey, newPw)
+ confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
err := confFile.WriteFile()
if err != nil {
fmt.Println(err)
@@ -151,6 +151,8 @@ func main() {
flagSet.StringVar(&args.extpass, "extpass", "", "Use external program for the password prompt")
flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+
"successful mount - used internally for daemonization")
+ flagSet.IntVar(&args.scryptn, "scryptn", cryptfs.SCRYPT_DEFAULT_LOGN, "scrypt cost parameter logN. "+
+ "Setting this to a lower value speeds up mounting but makes the password susceptible to brute-force attacks")
flagSet.Parse(os.Args[1:])
// By default, let the child handle everything.