Diffstat (limited to 'internal/configfile')
-rw-r--r--internal/configfile/config_file.go24
-rw-r--r--internal/configfile/feature_flags.go18
-rw-r--r--internal/configfile/kdf.go14
-rw-r--r--internal/configfile/kdf_test.go2
4 files changed, 37 insertions, 21 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index 9152523..79960e4 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -14,31 +14,35 @@ import (
import "os"
const (
+ // ConfDefaultName is the default configuration file name.
// The dot "." is not used in base64url (RFC4648), hence
// we can never clash with an encrypted file.
ConfDefaultName = "gocryptfs.conf"
- // In reverse mode, the config file gets stored next to the plain-text
- // files. Make it hidden (start with dot) to not annoy the user.
+ // ConfReverseName is the default configuration file name in reverse mode,
+ // the config file gets stored next to the plain-text files. Make it hidden
+ // (start with dot) to not annoy the user.
ConfReverseName = ".gocryptfs.reverse.conf"
)
+// ConfFile is the content of a config file.
type ConfFile struct {
- // gocryptfs version string
+ // Creator is the gocryptfs version string.
// This only documents the config file for humans who look at it. The actual
// technical info is contained in FeatureFlags.
Creator string
- // Encrypted AES key, unlocked using a password hashed with scrypt
+ // EncryptedKey holds an encrypted AES key, unlocked using a password
+ // hashed with scrypt
EncryptedKey []byte
- // Stores parameters for scrypt hashing (key derivation)
- ScryptObject scryptKdf
- // The On-Disk-Format version this filesystem uses
+ // ScryptObject stores parameters for scrypt hashing (key derivation)
+ ScryptObject ScryptKDF
+ // Version is the On-Disk-Format version this filesystem uses
Version uint16
- // List of feature flags this filesystem has enabled.
+ // FeatureFlags is a list of feature flags this filesystem has enabled.
// If gocryptfs encounters a feature flag it does not support, it will refuse
// mounting. This mechanism is analogous to the ext4 feature flags that are
// stored in the superblock.
FeatureFlags []string
- // File the config is saved to. Not exported to JSON.
+ // Filename is the name of the config file. Not exported to JSON.
filename string
}
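Review bot: The new comment on the last field reads "Filename is the name of the config file", but the field itself is the unexported `filename`, so the doc comment no longer starts with the identifier it documents; the convention the rest of this hunk adopts is to begin with the exact name, e.g. `// filename is the path the config is saved to. Not exported to JSON.`. The rewritten comments for EncryptedKey, ScryptObject and Version also lost their terminating periods while Creator and FeatureFlags keep theirs; the hunk would read more consistently if every field comment ended with a period.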
@@ -162,7 +166,7 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
// cf.ScryptObject.
func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
// Generate derived key from password
- cf.ScryptObject = NewScryptKdf(logN)
+ cf.ScryptObject = NewScryptKDF(logN)
scryptHash := cf.ScryptObject.DeriveKey(password)
// Lock master key using password-based key
diff --git a/internal/configfile/feature_flags.go b/internal/configfile/feature_flags.go
index ad7bec1..d3601b1 100644
--- a/internal/configfile/feature_flags.go
+++ b/internal/configfile/feature_flags.go
@@ -3,16 +3,24 @@ package configfile
type flagIota int
const (
+ // FlagPlaintextNames indicates that filenames are unencrypted.
FlagPlaintextNames flagIota = iota
+ // FlagDirIV indicates that a per-directory IV file is used.
FlagDirIV
+ // FlagEMENames indicates EME (ECB-Mix-ECB) filename encryption.
+ // This flag is mandatory since gocryptfs v1.0.
FlagEMENames
+ // FlagGCMIV128 indicates 128-bit GCM IVs.
+ // This flag is mandatory since gocryptfs v1.0.
FlagGCMIV128
+ // FlagLongNames allows file names longer than 176 bytes.
FlagLongNames
+ // FlagAESSIV selects an AES-SIV based crypto backend.
FlagAESSIV
)
// knownFlags stores the known feature flags and their string representation
-var knownFlags map[flagIota]string = map[flagIota]string{
+var knownFlags = map[flagIota]string{
FlagPlaintextNames: "PlaintextNames",
FlagDirIV: "DirIV",
FlagEMENames: "EMENames",
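Review bot: The new FlagDirIV comment does not say the flag is required, although the requiredFlagsNormal list in the following hunk includes FlagDirIV alongside FlagEMENames and FlagGCMIV128, whose new comments do say "mandatory". Since these flags gate whether gocryptfs will mount a filesystem, the doc should match the enforcement, e.g. add `// This flag is required for filesystems with encrypted file names (see requiredFlagsNormal).` under the FlagDirIV line. I cannot confirm from the page which release made DirIV mandatory, so I would not copy the "since gocryptfs v1.0" wording without checking.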
@@ -22,7 +30,7 @@ var knownFlags map[flagIota]string = map[flagIota]string{
}
// Filesystems that do not have these feature flags set are deprecated.
-var requiredFlagsNormal []flagIota = []flagIota{
+var requiredFlagsNormal = []flagIota{
FlagDirIV,
FlagEMENames,
FlagGCMIV128,
@@ -30,11 +38,11 @@ var requiredFlagsNormal []flagIota = []flagIota{
// Filesystems without filename encryption obviously don't have or need the
// filename related feature flags.
-var requiredFlagsPlaintextNames []flagIota = []flagIota{
+var requiredFlagsPlaintextNames = []flagIota{
FlagGCMIV128,
}
-// isFeatureFlagKnown verifies that we understand a feature flag
+// isFeatureFlagKnown verifies that we understand a feature flag.
func (cf *ConfFile) isFeatureFlagKnown(flag string) bool {
for _, knownFlag := range knownFlags {
if knownFlag == flag {
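Review bot: isFeatureFlagKnown only consults the package-level knownFlags map and never reads cf, so the *ConfFile receiver is dead weight; a plain `func isFeatureFlagKnown(flag string) bool` would make the lack of per-instance dependence explicit. The function body continues past the end of this hunk. This is a style observation only; behavior is unaffected.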
@@ -44,7 +52,7 @@ func (cf *ConfFile) isFeatureFlagKnown(flag string) bool {
return false
}
-// isFeatureFlagSet - is the feature flag "flagWant" enabled?
+// IsFeatureFlagSet returns true if the feature flag "flagWant" is enabled.
func (cf *ConfFile) IsFeatureFlagSet(flagWant flagIota) bool {
flagString := knownFlags[flagWant]
for _, flag := range cf.FeatureFlags {
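Review bot: `flagString := knownFlags[flagWant]` yields "" for a flagIota that is not in knownFlags, after which the loop compares every entry of cf.FeatureFlags against the empty string; presumably loading already rejects unknown or empty flag strings via isFeatureFlagKnown, but that is not visible here, so the method would be more self-contained with `flagString, ok := knownFlags[flagWant]` followed by `if !ok { return false }`. The method body continues outside this hunk.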
diff --git a/internal/configfile/kdf.go b/internal/configfile/kdf.go
index ca87975..31bcbe4 100644
--- a/internal/configfile/kdf.go
+++ b/internal/configfile/kdf.go
@@ -12,12 +12,14 @@ import (
)
const (
+ // ScryptDefaultLogN is the default scrypt logN configuration parameter.
// 1 << 16 uses 64MB of memory,
// takes 4 seconds on my Atom Z3735F netbook
ScryptDefaultLogN = 16
)
-type scryptKdf struct {
+// ScryptKDF is an instance of the scrypt key deriviation function.
+type ScryptKDF struct {
Salt []byte
N int
R int
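Review bot: The new ScryptKDF type comment misspells "derivation" as "deriviation"; it should read `// ScryptKDF is an instance of the scrypt key derivation function.`. Since the type is now exported together with its Salt, N, R, P and KeyLen fields, it would also help readers to say that these parameters are persisted in the config file (ConfFile.ScryptObject in config_file.go) and therefore read back from disk on load; I infer the persistence from the JSON-related comments on ConfFile, so confirm before stating it. The struct definition continues past the end of this hunk.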
@@ -25,8 +27,9 @@ type scryptKdf struct {
KeyLen int
}
-func NewScryptKdf(logN int) scryptKdf {
- var s scryptKdf
+// NewScryptKDF returns a new instance of ScryptKDF.
+func NewScryptKDF(logN int) ScryptKDF {
+ var s ScryptKDF
s.Salt = cryptocore.RandBytes(cryptocore.KeyLen)
if logN <= 0 {
s.N = 1 << ScryptDefaultLogN
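Review bot: The new doc comment `// NewScryptKDF returns a new instance of ScryptKDF.` omits the two things a caller needs to know that are visible in the hunk: the salt is freshly generated with cryptocore.RandBytes, and a logN of zero or less falls back to ScryptDefaultLogN. Suggest `// NewScryptKDF returns a ScryptKDF with a fresh random salt. A logN <= 0 selects ScryptDefaultLogN.`. The function body continues outside this hunk.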
@@ -43,7 +46,8 @@ func NewScryptKdf(logN int) scryptKdf {
return s
}
-func (s *scryptKdf) DeriveKey(pw string) []byte {
+// DeriveKey returns a new key from a supplied password.
+func (s *ScryptKDF) DeriveKey(pw string) []byte {
k, err := scrypt.Key([]byte(pw), s.Salt, s.N, s.R, s.P, s.KeyLen)
if err != nil {
log.Panicf("DeriveKey failed: %v", err)
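Review bot: DeriveKey turns a scrypt.Key error into log.Panicf, and now that the type is exported the new doc comment should state that contract, e.g. `// DeriveKey derives a key from pw using the stored scrypt parameters. It panics if the parameters are rejected by scrypt.Key.`. As far as I know scrypt.Key only fails on invalid parameters (N not a power of two, out-of-range r/p), and since those parameters are stored in the config file, a corrupted or hand-edited config would crash the process rather than surface a load error; validating N, R, P and KeyLen when the config is loaded would be the defensive fix, but that code is not in this diff. The function body continues outside this hunk.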
@@ -53,6 +57,6 @@ func (s *scryptKdf) DeriveKey(pw string) []byte {
// LogN - N is saved as 2^LogN, but LogN is much easier to work with.
// This function gives you LogN = Log2(N).
-func (s *scryptKdf) LogN() int {
+func (s *ScryptKDF) LogN() int {
return int(math.Log2(float64(s.N)) + 0.5)
}
diff --git a/internal/configfile/kdf_test.go b/internal/configfile/kdf_test.go
index bc095ab..c1a656a 100644
--- a/internal/configfile/kdf_test.go
+++ b/internal/configfile/kdf_test.go
@@ -21,7 +21,7 @@ ok github.com/rfjakob/gocryptfs/cryptfs 18.772s
*/
func benchmarkScryptN(n int, b *testing.B) {
- kdf := NewScryptKdf(n)
+ kdf := NewScryptKDF(n)
for i := 0; i < b.N; i++ {
kdf.DeriveKey("test")
}