summaryrefslogtreecommitdiff
path: root/internal
diff options
context:
space:
mode:
Diffstat (limited to 'internal')
-rw-r--r--internal/configfile/config_file.go10
-rw-r--r--internal/configfile/config_test.go8
-rw-r--r--internal/configfile/feature_flags.go4
-rw-r--r--internal/exitcodes/exitcodes.go4
-rw-r--r--internal/readpassword/trezor.go.broken119
-rw-r--r--internal/readpassword/trezor_disabled.go25
6 files changed, 6 insertions, 164 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index e93affd..c27ecd4 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -46,10 +46,6 @@ type ConfFile struct {
// mounting. This mechanism is analogous to the ext4 feature flags that are
// stored in the superblock.
FeatureFlags []string
- // TrezorPayload stores 32 random bytes used for unlocking the master key using
- // a Trezor security module. The randomness makes sure that a unique unlock
- // value is used for each gocryptfs filesystem.
- TrezorPayload []byte `json:",omitempty"`
// Filename is the name of the config file. Not exported to JSON.
filename string
}
@@ -73,7 +69,7 @@ func randBytesDevRandom(n int) []byte {
// "password" and write it to "filename".
// Uses scrypt with cost parameter logN.
func Create(filename string, password []byte, plaintextNames bool,
- logN int, creator string, aessiv bool, devrandom bool, trezorPayload []byte) error {
+ logN int, creator string, aessiv bool, devrandom bool) error {
var cf ConfFile
cf.filename = filename
cf.Creator = creator
@@ -93,10 +89,6 @@ func Create(filename string, password []byte, plaintextNames bool,
if aessiv {
cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagAESSIV])
}
- if len(trezorPayload) > 0 {
- cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagTrezor])
- cf.TrezorPayload = trezorPayload
- }
{
// Generate new random master key
var key []byte
diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go
index 0dd081c..832867c 100644
--- a/internal/configfile/config_test.go
+++ b/internal/configfile/config_test.go
@@ -62,7 +62,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
}
func TestCreateConfDefault(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false)
if err != nil {
t.Fatal(err)
}
@@ -83,14 +83,14 @@ func TestCreateConfDefault(t *testing.T) {
}
func TestCreateConfDevRandom(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true, nil)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true)
if err != nil {
t.Fatal(err)
}
}
func TestCreateConfPlaintextnames(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false, nil)
+ err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false)
if err != nil {
t.Fatal(err)
}
@@ -111,7 +111,7 @@ func TestCreateConfPlaintextnames(t *testing.T) {
// Reverse mode uses AESSIV
func TestCreateConfFileAESSIV(t *testing.T) {
- err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false, nil)
+ err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false)
if err != nil {
t.Fatal(err)
}
diff --git a/internal/configfile/feature_flags.go b/internal/configfile/feature_flags.go
index 141b007..2d609f2 100644
--- a/internal/configfile/feature_flags.go
+++ b/internal/configfile/feature_flags.go
@@ -25,9 +25,6 @@ const (
// Note that this flag does not change the password hashing algorithm
// which always is scrypt.
FlagHKDF
- // FlagTrezor means that "-trezor" was used when creating the filesystem.
- // The masterkey is protected using a Trezor device instead of a password.
- FlagTrezor
)
// knownFlags stores the known feature flags and their string representation
@@ -40,7 +37,6 @@ var knownFlags = map[flagIota]string{
FlagAESSIV: "AESSIV",
FlagRaw64: "Raw64",
FlagHKDF: "HKDF",
- FlagTrezor: "Trezor",
}
// Filesystems that do not have these feature flags set are deprecated.
diff --git a/internal/exitcodes/exitcodes.go b/internal/exitcodes/exitcodes.go
index cd36988..b876333 100644
--- a/internal/exitcodes/exitcodes.go
+++ b/internal/exitcodes/exitcodes.go
@@ -65,9 +65,7 @@ const (
FsckErrors = 26
// DeprecatedFS - this filesystem is deprecated
DeprecatedFS = 27
- // TrezorError - an error was encountered while interacting with a Trezor
- // device
- TrezorError = 28
+ // skip 28
// ExcludeError - an error occurred while processing "-exclude"
ExcludeError = 29
// DevNull means that /dev/null could not be opened
diff --git a/internal/readpassword/trezor.go.broken b/internal/readpassword/trezor.go.broken
deleted file mode 100644
index a4d32cf..0000000
--- a/internal/readpassword/trezor.go.broken
+++ /dev/null
@@ -1,119 +0,0 @@
-// +build enable_trezor
-
-package readpassword
-
-import (
- "bytes"
- "log"
- "os"
-
- "github.com/rfjakob/gocryptfs/internal/exitcodes"
- "github.com/rfjakob/gocryptfs/internal/tlog"
-
- "github.com/xaionaro-go/cryptoWallet"
- "github.com/xaionaro-go/cryptoWallet/vendors"
-)
-
-const (
- // TrezorPayloadLen is the length of the payload data passed to Trezor's
- // CipherKeyValue function.
- TrezorPayloadLen = 32
- trezorNonce = "" // the "nonce" is optional and has no use in here
- trezorKeyName = "gocryptfs"
- trezorKeyDerivationPath = `m/10019'/0'`
- // TrezorSupport is true when gocryptfs has been compile with -tags enable_trezor
- TrezorSupport = true
-)
-
-func trezorGetPin(title, description, ok, cancel string) ([]byte, error) {
- return Once("", title), nil
-}
-func trezorGetConfirm(title, description, ok, cancel string) (bool, error) {
- return false, nil // do not retry on connection failure
-}
-
-// Trezor reads 32 deterministically derived bytes from a
-// SatoshiLabs Trezor USB security module.
-// The bytes are pseudorandom binary data and may contain null bytes.
-// This function either succeeds and returns 32 bytes or calls os.Exit to end
-// the application.
-func Trezor(payload []byte) []byte {
- if len(payload) != TrezorPayloadLen {
- tlog.Fatal.Printf("Invalid TrezorPayload length: wanted %d, got %d bytes\n", TrezorPayloadLen, len(payload))
- os.Exit(exitcodes.LoadConf)
- }
-
- // Find all trezor devices
- trezors := cryptoWallet.Find(cryptoWallet.Filter{
- VendorID: &[]uint16{vendors.GetVendorID("satoshilabs")}[0],
- ProductIDs: []uint16{1 /* Trezor One */},
- })
-
- // ATM, we require to one and only one trezor device to be connected.
- // The support of multiple trezor devices is not implemented, yet.
- if len(trezors) == 0 {
- tlog.Fatal.Printf("Trezor device is not found. Check the connection.")
- os.Exit(exitcodes.TrezorError)
- }
- if len(trezors) > 1 {
- tlog.Fatal.Printf("It's more than one Trezor device connected. This case is not implemented, yet. The number of currently connected devices: %v.", len(trezors))
- os.Exit(exitcodes.TrezorError)
- }
-
- // Using the first found device
- trezor := trezors[0]
-
- // Trezor may ask for PIN or Passphrase. Setting the handler for this case.
- trezor.SetGetPinFunc(trezorGetPin)
-
- // In some cases (like lost connection to the Trezor device and cannot
- // reconnect) it's required to get a confirmation from the user to
- // retry to reconnect. Setting the handler for this case.
- trezor.SetGetConfirmFunc(trezorGetConfirm)
-
- // To reset the state of the device and check if it's initialized.
- // If device is not initialized then trezor.Reset() will return an
- // error.
- err := trezor.Reset()
- if err != nil {
- tlog.Fatal.Printf("Cannot reset the Trezor device. Error: %v", err.Error())
- os.Exit(exitcodes.TrezorError)
- }
-
- // To generate a deterministic key we trying to decrypt our
- // predefined constant key using the Trezor device. The resulting key
- // will depend on next variables:
- // * the Trezor master key;
- // * the passphrase (passed to the Trezor).
- //
- // The right key will be received only if both values (mentioned
- // above) are correct.
- //
- // Note:
- // Also the resulting key depends on this values (that we defined as
- // constants above):
- // * the key derivation path;
- // * the "encrypted" payload;
- // * the nonce;
- // * the key name.
- key, err := trezor.DecryptKey(trezorKeyDerivationPath, payload, []byte(trezorNonce), trezorKeyName)
- if err != nil {
- tlog.Fatal.Printf("Cannot get the key from the Trezor device. Error description:\n\t%v", err.Error())
- os.Exit(exitcodes.TrezorError)
- }
-
- // Sanity checks
- if len(key) != TrezorPayloadLen {
- log.Panicf("BUG: decrypted value has wrong length %d", len(key))
- }
- if bytes.Equal(key, payload) {
- log.Panicf("BUG: payload and decrypted value are identical")
- }
- zero := make([]byte, TrezorPayloadLen)
- if bytes.Equal(key, zero) {
- log.Panicf("BUG: decrypted value is all-zero")
- }
-
- // Everything ok
- return key
-}
diff --git a/internal/readpassword/trezor_disabled.go b/internal/readpassword/trezor_disabled.go
deleted file mode 100644
index 96a6082..0000000
--- a/internal/readpassword/trezor_disabled.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// +build !enable_trezor
-
-package readpassword
-
-import (
- "os"
-
- "github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-const (
- // TrezorPayloadLen is the length of the payload data passed to Trezor's
- // CipherKeyValue function.
- TrezorPayloadLen = 32
- // TrezorSupport is true when gocryptfs has been compile with -tags enable_trezor
- TrezorSupport = false
-)
-
-// Trezor determinitically derives 32 bytes from the payload and the connected
-// USB security module.
-func Trezor(payload []byte) []byte {
- tlog.Fatal.Printf("This binary has been compiled without Trezor support")
- os.Exit(1)
- return nil
-}