From 93baadfa9e9c5877688e32fc2441c172f290d7c1 Mon Sep 17 00:00:00 2001 From: aanno Date: Sat, 24 Jun 2023 18:49:12 +0200 Subject: [PATCH 01/25] changed configfile layout, introduced DefaultKey --- go.mod | 4 ++++ gocryptfs-xray/xray_main.go | 3 ++- info.go | 2 +- internal/configfile/config_file.go | 24 ++++++++++++++++-------- internal/contentenc/file_header.go | 2 +- main.go | 3 ++- 6 files changed, 26 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 6aebae91..5267d8da 100644 --- a/go.mod +++ b/go.mod @@ -14,3 +14,7 @@ require ( golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 ) + +replace ( + "github.com/rfjakob/gocryptfs/v2/internal/configfile" => "./internal/configfile" +) diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go index 534a400f..306a275f 100644 --- a/gocryptfs-xray/xray_main.go +++ b/gocryptfs-xray/xray_main.go @@ -146,7 +146,8 @@ func dumpMasterKey(fn string, fido2Path string) { tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.") os.Exit(exitcodes.Usage) } - pw = fido2.Secret(fido2Path, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt) + var fido2Obj = cf.FIDO2[configfile.DefaultKey] + pw = fido2.Secret(fido2Path, fido2Obj.CredentialID, fido2Obj.HMACSalt) } else { pw, err = readpassword.Once(nil, nil, "") if err != nil { diff --git a/info.go b/info.go index 1ac90344..14d932f5 100644 --- a/info.go +++ b/info.go @@ -23,7 +23,7 @@ func info(filename string) { // Pretty-print fmt.Printf("Creator: %s\n", cf.Creator) fmt.Printf("FeatureFlags: %s\n", strings.Join(cf.FeatureFlags, " ")) - fmt.Printf("EncryptedKey: %dB\n", len(cf.EncryptedKey)) + fmt.Printf("EncryptedKey: %dB\n", len(cf.EncryptedKeys[configfile.DefaultKey])) fmt.Printf("ScryptObject: Salt=%dB N=%d R=%d P=%d KeyLen=%d\n", len(s.Salt), s.N, s.R, s.P, s.KeyLen) fmt.Printf("contentEncryption: %s\n", algo.Algo) // lowercase because not in JSON diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 2d11346d..0d3b30c5 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -25,6 +25,8 @@ const ( // the config file gets stored next to the plain-text files. Make it hidden // (start with dot) to not annoy the user. ConfReverseName = ".gocryptfs.reverse.conf" + + DefaultKey = "DefaultKey" ) // FIDO2Params is a structure for storing FIDO2 parameters. @@ -35,6 +37,10 @@ type FIDO2Params struct { HMACSalt []byte } +type FIDO2ParamsMap map[string]*FIDO2Params + +type EncryptedKeyMap map[string]([]byte) + // ConfFile is the content of a config file. type ConfFile struct { // Creator is the gocryptfs version string. @@ -43,7 +49,7 @@ type ConfFile struct { Creator string // EncryptedKey holds an encrypted AES key, unlocked using a password // hashed with scrypt - EncryptedKey []byte + EncryptedKeys EncryptedKeyMap // ScryptObject stores parameters for scrypt hashing (key derivation) ScryptObject ScryptKDF // Version is the On-Disk-Format version this filesystem uses @@ -54,7 +60,7 @@ type ConfFile struct { // stored in the superblock. FeatureFlags []string // FIDO2 parameters - FIDO2 *FIDO2Params `json:",omitempty"` + FIDO2 FIDO2ParamsMap `json:",omitempty"` // LongNameMax corresponds to the -longnamemax flag LongNameMax uint8 `json:",omitempty"` // Filename is the name of the config file. Not exported to JSON. @@ -81,9 +87,11 @@ type CreateArgs struct { // Uses scrypt with cost parameter "LogN". func Create(args *CreateArgs) error { cf := ConfFile{ - filename: args.Filename, - Creator: args.Creator, - Version: contentenc.CurrentVersion, + filename: args.Filename, + Creator: args.Creator, + Version: contentenc.CurrentVersion, + EncryptedKeys: make(EncryptedKeyMap), + FIDO2: make(FIDO2ParamsMap), } // Feature flags cf.setFeatureFlag(FlagHKDF) @@ -115,7 +123,7 @@ func Create(args *CreateArgs) error { } if len(args.Fido2CredentialID) > 0 { cf.setFeatureFlag(FlagFIDO2) - cf.FIDO2 = &FIDO2Params{ + cf.FIDO2[DefaultKey] = &FIDO2Params{ CredentialID: args.Fido2CredentialID, HMACSalt: args.Fido2HmacSalt, } @@ -218,7 +226,7 @@ func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err err ce := getKeyEncrypter(scryptHash, useHKDF) tlog.Warn.Enabled = false // Silence DecryptBlock() error messages on incorrect password - masterkey, err = ce.DecryptBlock(cf.EncryptedKey, 0, nil) + masterkey, err = ce.DecryptBlock(cf.EncryptedKeys[DefaultKey], 0, nil) tlog.Warn.Enabled = true // Purge scrypt-derived key @@ -248,7 +256,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int) { // Lock master key using password-based key useHKDF := cf.IsFeatureFlagSet(FlagHKDF) ce := getKeyEncrypter(scryptHash, useHKDF) - cf.EncryptedKey = ce.EncryptBlock(key, 0, nil) + cf.EncryptedKeys[DefaultKey] = ce.EncryptBlock(key, 0, nil) // Purge scrypt-derived key for i := range scryptHash { diff --git a/internal/contentenc/file_header.go b/internal/contentenc/file_header.go index 8c9c0544..b11c88e9 100644 --- a/internal/contentenc/file_header.go +++ b/internal/contentenc/file_header.go @@ -16,7 +16,7 @@ import ( const ( // CurrentVersion is the current On-Disk-Format version - CurrentVersion = 2 + CurrentVersion = 3 headerVersionLen = 2 // uint16 headerIDLen = 16 // 128 bit random file id diff --git a/main.go b/main.go index 7facf78b..d0df5366 100644 --- a/main.go +++ b/main.go @@ -43,7 +43,8 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.") return nil, nil, exitcodes.NewErr("", exitcodes.Usage) } - pw = fido2.Secret(args.fido2, cf.FIDO2.CredentialID, cf.FIDO2.HMACSalt) + var fido2Obj = cf.FIDO2[configfile.DefaultKey] + pw = fido2.Secret(args.fido2, fido2Obj.CredentialID, fido2Obj.HMACSalt) } else { pw, err = readpassword.Once([]string(args.extpass), []string(args.passfile), "") if err != nil { From 48f7d09c28ae67db788f3c00d77d53e589cfe241 Mon Sep 17 00:00:00 2001 From: aanno Date: Sat, 24 Jun 2023 20:20:30 +0200 Subject: [PATCH 02/25] new flags, implement user for -init --- cli_args.go | 8 ++++++++ gocryptfs-xray/xray_main.go | 8 +++++--- init_dir.go | 3 ++- internal/configfile/config_file.go | 17 +++++++++-------- internal/configfile/config_test.go | 5 +++++ main.go | 4 ++-- 6 files changed, 31 insertions(+), 14 deletions(-) diff --git a/cli_args.go b/cli_args.go index 48f1cdd7..b5bbbef9 100644 --- a/cli_args.go +++ b/cli_args.go @@ -36,6 +36,8 @@ type argContainer struct { dev, nodev, suid, nosuid, exec, noexec, rw, ro, kernel_cache, acl bool masterkey, mountpoint, cipherdir, cpuprofile, memprofile, ko, ctlsock, fsname, force_owner, trace, fido2 string + // more than one encryption of masterkey + user, addUser, deleteUser, addFido2, deleteFido2 string // -extpass, -badname, -passfile can be passed multiple times extpass, badname, passfile []string // For reverse mode, several ways to specify exclusions. All can be specified multiple times. @@ -208,6 +210,12 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.StringVar(&args.force_owner, "force_owner", "", "uid:gid pair to coerce ownership") flagSet.StringVar(&args.trace, "trace", "", "Write execution trace to file") flagSet.StringVar(&args.fido2, "fido2", "", "Protect the masterkey using a FIDO2 token instead of a password") + // more than one encryption of masterkey + flagSet.StringVar(&args.user, "user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") + flagSet.StringVar(&args.addUser, "addUser", "", "Add encrypted masterkey for using credentials of ") + flagSet.StringVar(&args.deleteUser, "deleteUser", "", "Delete encrypted masterkey for using credentials of ") + flagSet.StringVar(&args.addFido2, "addFido2", "", "Add encrypted masterkey for FIDO2 key ") + flagSet.StringVar(&args.deleteFido2, "deleteFido2", "", "Delete encrypted masterkey for FIDO ") // Exclusion options flagSet.StringArrayVar(&args.exclude, "e", nil, "Alias for -exclude") diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go index 306a275f..2a34566b 100644 --- a/gocryptfs-xray/xray_main.go +++ b/gocryptfs-xray/xray_main.go @@ -84,6 +84,7 @@ type argContainer struct { sep0 *bool fido2 *string version *bool + user *string } func main() { @@ -96,6 +97,7 @@ func main() { args.xchacha = flag.Bool("xchacha", false, "Assume XChaCha20-Poly1305 mode instead of AES-GCM") args.fido2 = flag.String("fido2", "", "Protect the masterkey using a FIDO2 token instead of a password") args.version = flag.Bool("version", false, "Print version information") + args.user = flag.String("user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") flag.Usage = usage flag.Parse() @@ -127,13 +129,13 @@ func main() { } defer f.Close() if *args.dumpmasterkey { - dumpMasterKey(fn, *args.fido2) + dumpMasterKey(fn, *args.user, *args.fido2) } else { inspectCiphertext(&args, f) } } -func dumpMasterKey(fn string, fido2Path string) { +func dumpMasterKey(fn string, user string, fido2Path string) { tlog.Info.Enabled = false cf, err := configfile.Load(fn) if err != nil { @@ -155,7 +157,7 @@ func dumpMasterKey(fn string, fido2Path string) { os.Exit(exitcodes.ReadPassword) } } - masterkey, err := cf.DecryptMasterKey(pw) + masterkey, err := cf.DecryptMasterKey(user, pw) // Purge password from memory for i := range pw { pw[i] = 0 diff --git a/init_dir.go b/init_dir.go index 5ade6922..35fed28a 100644 --- a/init_dir.go +++ b/init_dir.go @@ -76,7 +76,7 @@ func initDir(args *argContainer) { } // Choose password for config file if len(args.extpass) == 0 && args.fido2 == "" { - tlog.Info.Printf("Choose a password for protecting your files.") + tlog.Info.Printf("As user %v, choose a password for protecting your files.", args.user) } { var password []byte @@ -98,6 +98,7 @@ func initDir(args *argContainer) { creator := tlog.ProgramName + " " + GitVersion err = configfile.Create(&configfile.CreateArgs{ Filename: args.config, + User: args.user, Password: password, PlaintextNames: args.plaintextnames, LogN: args.scryptn, diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 0d3b30c5..478b64b9 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -70,6 +70,7 @@ type ConfFile struct { // CreateArgs exists because the argument list to Create became too long. type CreateArgs struct { Filename string + User string Password []byte PlaintextNames bool LogN int @@ -140,7 +141,7 @@ func Create(args *CreateArgs) error { // Encrypt it using the password // This sets ScryptObject and EncryptedKey // Note: this looks at the FeatureFlags, so call it AFTER setting them. - cf.EncryptKey(key, args.Password, args.LogN) + cf.EncryptKey(key, args.User, args.Password, args.LogN) for i := range key { key[i] = 0 } @@ -156,7 +157,7 @@ func Create(args *CreateArgs) error { // // If "password" is empty, the config file is read // but the key is not decrypted (returns nil in its place). -func LoadAndDecrypt(filename string, password []byte) ([]byte, *ConfFile, error) { +func LoadAndDecrypt(filename string, user string, password []byte) ([]byte, *ConfFile, error) { cf, err := Load(filename) if err != nil { return nil, nil, err @@ -170,7 +171,7 @@ func LoadAndDecrypt(filename string, password []byte) ([]byte, *ConfFile, error) } // Decrypt the masterkey using the password - key, err := cf.DecryptMasterKey(password) + key, err := cf.DecryptMasterKey(user, password) if err != nil { return nil, nil, err } @@ -217,7 +218,7 @@ func (cf *ConfFile) setFeatureFlag(flag flagIota) { // DecryptMasterKey decrypts the masterkey stored in cf.EncryptedKey using // password. -func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err error) { +func (cf *ConfFile) DecryptMasterKey(user string, password []byte) (masterkey []byte, err error) { // Generate derived key from password scryptHash := cf.ScryptObject.DeriveKey(password) @@ -226,7 +227,7 @@ func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err err ce := getKeyEncrypter(scryptHash, useHKDF) tlog.Warn.Enabled = false // Silence DecryptBlock() error messages on incorrect password - masterkey, err = ce.DecryptBlock(cf.EncryptedKeys[DefaultKey], 0, nil) + masterkey, err = ce.DecryptBlock(cf.EncryptedKeys[user], 0, nil) tlog.Warn.Enabled = true // Purge scrypt-derived key @@ -245,10 +246,10 @@ func (cf *ConfFile) DecryptMasterKey(password []byte) (masterkey []byte, err err } // EncryptKey - encrypt "key" using an scrypt hash generated from "password" -// and store it in cf.EncryptedKey. +// and store it in cf.EncryptedKey[user]. // Uses scrypt with cost parameter logN and stores the scrypt parameters in // cf.ScryptObject. -func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int) { +func (cf *ConfFile) EncryptKey(key []byte, user string, password []byte, logN int) { // Generate scrypt-derived key from password cf.ScryptObject = NewScryptKDF(logN) scryptHash := cf.ScryptObject.DeriveKey(password) @@ -256,7 +257,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password []byte, logN int) { // Lock master key using password-based key useHKDF := cf.IsFeatureFlagSet(FlagHKDF) ce := getKeyEncrypter(scryptHash, useHKDF) - cf.EncryptedKeys[DefaultKey] = ce.EncryptBlock(key, 0, nil) + cf.EncryptedKeys[user] = ce.EncryptBlock(key, 0, nil) // Purge scrypt-derived key for i := range scryptHash { diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index 34074646..7dd68d93 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -5,6 +5,7 @@ import ( "testing" "time" + "github.com/rfjakob/gocryptfs/v2/internal/configfile" "github.com/rfjakob/gocryptfs/v2/internal/tlog" ) @@ -64,6 +65,7 @@ func TestLoadV2StrangeFeature(t *testing.T) { func TestCreateConfDefault(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test"}) @@ -89,6 +91,7 @@ func TestCreateConfDefault(t *testing.T) { func TestCreateConfPlaintextnames(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", + User: configfile.DefaultKey, Password: testPw, PlaintextNames: true, LogN: 10, @@ -115,6 +118,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { func TestCreateConfFileAESSIV(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test", @@ -134,6 +138,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { func TestCreateConfLongNameMax(t *testing.T) { args := &CreateArgs{ Filename: "config_test/tmp.conf", + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test", diff --git a/main.go b/main.go index d0df5366..4684ddc0 100644 --- a/main.go +++ b/main.go @@ -53,7 +53,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, } } tlog.Info.Println("Decrypting master key") - masterkey, err = cf.DecryptMasterKey(pw) + masterkey, err = cf.DecryptMasterKey(args.user, pw) for i := range pw { pw[i] = 0 } @@ -93,7 +93,7 @@ func changePassword(args *argContainer) { if args._explicitScryptn { logN = args.scryptn } - confFile.EncryptKey(masterkey, newPw, logN) + confFile.EncryptKey(masterkey, args.user, newPw, logN) for i := range newPw { newPw[i] = 0 } From b0938fbe9e5fce3251fa39ff0668cdc7abfe90e3 Mon Sep 17 00:00:00 2001 From: aanno Date: Sat, 24 Jun 2023 22:02:27 +0200 Subject: [PATCH 03/25] addUser implemented --- cli_args.go | 21 +++++++++++--- main.go | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 94 insertions(+), 7 deletions(-) diff --git a/cli_args.go b/cli_args.go index b5bbbef9..16433498 100644 --- a/cli_args.go +++ b/cli_args.go @@ -210,12 +210,13 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.StringVar(&args.force_owner, "force_owner", "", "uid:gid pair to coerce ownership") flagSet.StringVar(&args.trace, "trace", "", "Write execution trace to file") flagSet.StringVar(&args.fido2, "fido2", "", "Protect the masterkey using a FIDO2 token instead of a password") + // more than one encryption of masterkey flagSet.StringVar(&args.user, "user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") - flagSet.StringVar(&args.addUser, "addUser", "", "Add encrypted masterkey for using credentials of ") - flagSet.StringVar(&args.deleteUser, "deleteUser", "", "Delete encrypted masterkey for using credentials of ") - flagSet.StringVar(&args.addFido2, "addFido2", "", "Add encrypted masterkey for FIDO2 key ") - flagSet.StringVar(&args.deleteFido2, "deleteFido2", "", "Delete encrypted masterkey for FIDO ") + flagSet.StringVar(&args.addUser, "add-user", "", "Add encrypted masterkey for using credentials of ") + flagSet.StringVar(&args.deleteUser, "delete-user", "", "Delete encrypted masterkey for using credentials of ") + flagSet.StringVar(&args.addFido2, "add-fido2", "", "Add encrypted masterkey for FIDO2 key ") + flagSet.StringVar(&args.deleteFido2, "delete-fido2", "", "Delete encrypted masterkey for FIDO ") // Exclusion options flagSet.StringArrayVar(&args.exclude, "e", nil, "Alias for -exclude") @@ -339,6 +340,18 @@ func countOpFlags(args *argContainer) int { if args.fsck { count++ } + if args.addUser != "" { + count++ + } + if args.deleteUser != "" { + count++ + } + if args.addFido2 != "" { + count++ + } + if args.deleteFido2 != "" { + count++ + } return count } diff --git a/main.go b/main.go index 4684ddc0..28e4cd54 100644 --- a/main.go +++ b/main.go @@ -52,7 +52,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, return nil, nil, exitcodes.NewErr("", exitcodes.ReadPassword) } } - tlog.Info.Println("Decrypting master key") + tlog.Info.Println("Decrypting master key with user " + args.user) masterkey, err = cf.DecryptMasterKey(args.user, pw) for i := range pw { pw[i] = 0 @@ -124,6 +124,61 @@ func changePassword(args *argContainer) { tlog.Info.Printf(tlog.ColorGreen + "Password changed." + tlog.ColorReset) } +// add user from flag to config file "filename" +// Does not return (calls os.Exit both on success and on error). +func addUser(args *argContainer) { + var confFile *configfile.ConfFile + { + var masterkey []byte + var err error + masterkey, confFile, err = loadConfig(args) + if err != nil { + exitcodes.Exit(err) + } + if len(masterkey) == 0 { + log.Panic("empty masterkey") + } + // Are we using "-masterkey"? + if args.masterkey != "" { + log.Panic(" is not allowed in conjunction with '-masterkey'") + } + if args.addUser == "" { + log.Panic("missing argument in addUser") + } + if args.addUser == args.user { + log.Panic(" and must be different") + } + if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { + tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") + os.Exit(exitcodes.Usage) + } + tlog.Info.Println("Please enter the password for new user ", args.addUser, ".") + newPw, err := readpassword.Twice([]string(args.extpass), []string(args.passfile)) + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.ReadPassword) + } + logN := confFile.ScryptObject.LogN() + if args._explicitScryptn { + logN = args.scryptn + } + confFile.EncryptKey(masterkey, args.addUser, newPw, logN) + for i := range newPw { + newPw[i] = 0 + } + for i := range masterkey { + masterkey[i] = 0 + } + // masterkey and newPw run out of scope here + } + err := confFile.WriteFile() + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.WriteConf) + } + tlog.Info.Printf(tlog.ColorGreen+"Password set for user %v."+tlog.ColorReset, args.addUser) +} + func main() { mxp := runtime.GOMAXPROCS(0) if mxp < 4 && os.Getenv("GOMAXPROCS") == "" { @@ -274,11 +329,11 @@ func main() { return } if nOps > 1 { - tlog.Fatal.Printf("At most one of -info, -init, -passwd, -fsck is allowed") + tlog.Fatal.Printf("At most one of -info, -init, -passwd, -fsck, --add-user, --delete-user, --add-fido2, --delete-fido2 is allowed") os.Exit(exitcodes.Usage) } if flagSet.NArg() != 1 { - tlog.Fatal.Printf("The options -info, -init, -passwd, -fsck take exactly one argument, %d given", + tlog.Fatal.Printf("The options -info, -init, -passwd, -fsck, --add-user, --delete-user, --add-fido2, --delete-fido2 take exactly one argument, %d given", flagSet.NArg()) os.Exit(exitcodes.Usage) } @@ -302,4 +357,23 @@ func main() { code := fsck(&args) os.Exit(code) } + // TODO tp + if args.addUser != "" { + addUser(&args) + os.Exit(0) + } + if args.deleteUser != "" { + tlog.Fatal.Printf("not implemented") + os.Exit(0) + } + if args.addFido2 != "" { + tlog.Fatal.Printf("not implemented") + os.Exit(0) + } + if args.deleteFido2 != "" { + tlog.Fatal.Printf("not implemented") + os.Exit(0) + } + tlog.Fatal.Printf("parsing command line failed") + os.Exit(0) } From 465402fdb067552fed755c02cd18a757e35a138c Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 09:48:53 +0200 Subject: [PATCH 04/25] better vscode support --- .vscode/launch.json | 15 +++++++++++++++ gocryptfs.code-workspace | 19 +++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 .vscode/launch.json create mode 100644 gocryptfs.code-workspace diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 00000000..d95d47b0 --- /dev/null +++ b/.vscode/launch.json @@ -0,0 +1,15 @@ +{ + // Verwendet IntelliSense zum Ermitteln möglicher Attribute. + // Zeigen Sie auf vorhandene Attribute, um die zugehörigen Beschreibungen anzuzeigen. + // Weitere Informationen finden Sie unter https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": "Launch Package", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${fileDirname}" + } + ] +} \ No newline at end of file diff --git a/gocryptfs.code-workspace b/gocryptfs.code-workspace new file mode 100644 index 00000000..75c30a1e --- /dev/null +++ b/gocryptfs.code-workspace @@ -0,0 +1,19 @@ +{ + "folders": [ + { + "path": "." + } + ], + "settings": { + "gopls": { + "ui.semanticTokens": true + } + }, + "extensions": { + "recommendations": [ + "msyrus.go-doc", + "766b.go-outliner" + ], + "unwantedRecommendations": [] + } +} From 84a1e284e8812ae354e5996a85f702688e61770b Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 10:19:09 +0200 Subject: [PATCH 05/25] deleteUser --- main.go | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 53 insertions(+), 3 deletions(-) diff --git a/main.go b/main.go index 28e4cd54..72a3971b 100644 --- a/main.go +++ b/main.go @@ -22,6 +22,8 @@ import ( "github.com/rfjakob/gocryptfs/v2/internal/tlog" ) +const maxUserEntries = 8 + // loadConfig loads the config file `args.config` and decrypts the masterkey, // or gets via the `-masterkey` or `-zerokey` command line options, if specified. func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, err error) { @@ -66,7 +68,6 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, } // changePassword - change the password of config file "filename" -// Does not return (calls os.Exit both on success and on error). func changePassword(args *argContainer) { var confFile *configfile.ConfFile { @@ -125,7 +126,6 @@ func changePassword(args *argContainer) { } // add user from flag to config file "filename" -// Does not return (calls os.Exit both on success and on error). func addUser(args *argContainer) { var confFile *configfile.ConfFile { @@ -148,6 +148,9 @@ func addUser(args *argContainer) { if args.addUser == args.user { log.Panic(" and must be different") } + if len(confFile.EncryptedKeys) >= maxUserEntries-1 { + log.Panic("only ", maxUserEntries, " user/pw entries are allowed") + } if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") os.Exit(exitcodes.Usage) @@ -179,6 +182,53 @@ func addUser(args *argContainer) { tlog.Info.Printf(tlog.ColorGreen+"Password set for user %v."+tlog.ColorReset, args.addUser) } +// delete user from flag from config file "filename" +func deleteUser(args *argContainer) { + var confFile *configfile.ConfFile + { + var masterkey []byte + var err error + masterkey, confFile, err = loadConfig(args) + if err != nil { + exitcodes.Exit(err) + } + if len(masterkey) == 0 { + log.Panic("empty masterkey") + } + // Are we using "-masterkey"? + if args.masterkey != "" { + log.Panic(" is not allowed in conjunction with '-masterkey'") + } + if args.deleteUser == "" { + log.Panic("missing argument in deleteUser") + } + if args.deleteUser == args.user { + log.Panic(" and must be different") + } + if len(confFile.EncryptedKeys) <= 1 { + log.Panic("tried to delete last user") + } + if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { + tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") + os.Exit(exitcodes.Usage) + } + delete(confFile.EncryptedKeys, args.deleteUser) + for i := range masterkey { + masterkey[i] = 0 + } + // masterkey run out of scope here + } + err := confFile.WriteFile() + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.WriteConf) + } + tlog.Info.Printf(tlog.ColorGreen+"User %v."+tlog.ColorReset, args.deleteUser) + tlog.Info.Printf(tlog.ColorRed, tlog.ColorGreen+ + "Warning: Deleting a user is unsafe - as the deleted user could have been retrieved the masterkey or copied gocryptfs.conf already"+ + tlog.ColorReset) +} + func main() { mxp := runtime.GOMAXPROCS(0) if mxp < 4 && os.Getenv("GOMAXPROCS") == "" { @@ -363,7 +413,7 @@ func main() { os.Exit(0) } if args.deleteUser != "" { - tlog.Fatal.Printf("not implemented") + deleteUser(&args) os.Exit(0) } if args.addFido2 != "" { From 24e4f9d11686cdf20a206b3540769b20fcd649a8 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 10:57:51 +0200 Subject: [PATCH 06/25] fixes --- main.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/main.go b/main.go index 72a3971b..1973ed1e 100644 --- a/main.go +++ b/main.go @@ -151,6 +151,9 @@ func addUser(args *argContainer) { if len(confFile.EncryptedKeys) >= maxUserEntries-1 { log.Panic("only ", maxUserEntries, " user/pw entries are allowed") } + if _, ok := confFile.EncryptedKeys[args.addUser]; ok { + log.Panic("User ", args.addUser, " does already exist") + } if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") os.Exit(exitcodes.Usage) @@ -208,6 +211,9 @@ func deleteUser(args *argContainer) { if len(confFile.EncryptedKeys) <= 1 { log.Panic("tried to delete last user") } + if _, ok := confFile.EncryptedKeys[args.deleteUser]; !ok { + log.Panic("User ", args.deleteUser, " does not exist") + } if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") os.Exit(exitcodes.Usage) @@ -224,8 +230,8 @@ func deleteUser(args *argContainer) { os.Exit(exitcodes.WriteConf) } tlog.Info.Printf(tlog.ColorGreen+"User %v."+tlog.ColorReset, args.deleteUser) - tlog.Info.Printf(tlog.ColorRed, tlog.ColorGreen+ - "Warning: Deleting a user is unsafe - as the deleted user could have been retrieved the masterkey or copied gocryptfs.conf already"+ + tlog.Info.Printf(tlog.ColorYellow + + "Warning: Deleting a user is unsafe - as the deleted user could have retrieved the masterkey or copied gocryptfs.conf already" + tlog.ColorReset) } From b3dd88a111b659ab9b9a09401ecb245961e5db11 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 11:57:43 +0200 Subject: [PATCH 07/25] introduced initializeScryptObjectIfNeeded and fixed mount with more than one user --- internal/configfile/config_file.go | 21 +++++++++++++++++++-- internal/configfile/scrypt.go | 5 +++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 478b64b9..a634be5f 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -130,7 +130,7 @@ func Create(args *CreateArgs) error { } } // Catch bugs and invalid cli flag combinations early - cf.ScryptObject = NewScryptKDF(args.LogN) + initializeScryptObjectIfNeeded(args.LogN, &cf) if err := cf.Validate(); err != nil { return err } @@ -151,6 +151,23 @@ func Create(args *CreateArgs) error { return cf.WriteFile() } +// initialize cf.ScryptObject if needed +func initializeScryptObjectIfNeeded(logN int, cf *ConfFile) { + if ScryptKDFEqual(cf.ScryptObject, ScryptKDF{}) || len(cf.EncryptedKeys) < 1 { + cf.ScryptObject = NewScryptKDF(logN) + } else { + var n int + if logN <= 0 { + n = 1 << ScryptDefaultLogN + } else { + n = 1 << uint32(logN) + } + if n != cf.ScryptObject.N { + tlog.Warn.Println("Warnung: Change of Scrypt logN for more than one user is not supported") + } + } +} + // LoadAndDecrypt - read config file from disk and decrypt the // contained key using "password". // Returns the decrypted key and the ConfFile object @@ -251,7 +268,7 @@ func (cf *ConfFile) DecryptMasterKey(user string, password []byte) (masterkey [] // cf.ScryptObject. func (cf *ConfFile) EncryptKey(key []byte, user string, password []byte, logN int) { // Generate scrypt-derived key from password - cf.ScryptObject = NewScryptKDF(logN) + initializeScryptObjectIfNeeded(logN, cf) scryptHash := cf.ScryptObject.DeriveKey(password) // Lock master key using password-based key diff --git a/internal/configfile/scrypt.go b/internal/configfile/scrypt.go index 0ce87771..8b0d69d1 100644 --- a/internal/configfile/scrypt.go +++ b/internal/configfile/scrypt.go @@ -1,6 +1,7 @@ package configfile import ( + "bytes" "fmt" "log" "math" @@ -46,6 +47,10 @@ type ScryptKDF struct { KeyLen int } +func ScryptKDFEqual(a, b ScryptKDF) bool { + return a.KeyLen == b.KeyLen && a.N == b.N && a.P == b.P && a.R == b.R && bytes.Equal(a.Salt, b.Salt) +} + // NewScryptKDF returns a new instance of ScryptKDF. func NewScryptKDF(logN int) ScryptKDF { var s ScryptKDF From ad453be64aa4f500e9ba9c537d8a113cced9fc49 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 12:49:57 +0200 Subject: [PATCH 08/25] simple fido2 only support working again --- cli_args.go | 3 ++- init_dir.go | 6 ++++++ internal/configfile/config_file.go | 3 ++- main.go | 8 +++++++- 4 files changed, 17 insertions(+), 3 deletions(-) diff --git a/cli_args.go b/cli_args.go index 16433498..36c81591 100644 --- a/cli_args.go +++ b/cli_args.go @@ -37,7 +37,7 @@ type argContainer struct { masterkey, mountpoint, cipherdir, cpuprofile, memprofile, ko, ctlsock, fsname, force_owner, trace, fido2 string // more than one encryption of masterkey - user, addUser, deleteUser, addFido2, deleteFido2 string + user, fido2Name, addUser, deleteUser, addFido2, deleteFido2 string // -extpass, -badname, -passfile can be passed multiple times extpass, badname, passfile []string // For reverse mode, several ways to specify exclusions. All can be specified multiple times. @@ -213,6 +213,7 @@ func parseCliOpts(osArgs []string) (args argContainer) { // more than one encryption of masterkey flagSet.StringVar(&args.user, "user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") + flagSet.StringVar(&args.fido2Name, "fido2-name", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for fido2 device registration or decryption") flagSet.StringVar(&args.addUser, "add-user", "", "Add encrypted masterkey for using credentials of ") flagSet.StringVar(&args.deleteUser, "delete-user", "", "Delete encrypted masterkey for using credentials of ") flagSet.StringVar(&args.addFido2, "add-fido2", "", "Add encrypted masterkey for FIDO2 key ") diff --git a/init_dir.go b/init_dir.go index 35fed28a..09c7f1cb 100644 --- a/init_dir.go +++ b/init_dir.go @@ -80,11 +80,15 @@ func initDir(args *argContainer) { } { var password []byte + var fido2Name string var fido2CredentialID, fido2HmacSalt []byte if args.fido2 != "" { + fido2Name = args.fido2Name fido2CredentialID = fido2.Register(args.fido2, filepath.Base(args.cipherdir)) fido2HmacSalt = cryptocore.RandBytes(32) password = fido2.Secret(args.fido2, fido2CredentialID, fido2HmacSalt) + // overwrite user to match fido2Nam + args.user = fido2Name } else { // normal password entry password, err = readpassword.Twice([]string(args.extpass), []string(args.passfile)) @@ -92,6 +96,7 @@ func initDir(args *argContainer) { tlog.Fatal.Println(err) os.Exit(exitcodes.ReadPassword) } + fido2Name = "" fido2CredentialID = nil fido2HmacSalt = nil } @@ -104,6 +109,7 @@ func initDir(args *argContainer) { LogN: args.scryptn, Creator: creator, AESSIV: args.aessiv, + Fido2Name: fido2Name, Fido2CredentialID: fido2CredentialID, Fido2HmacSalt: fido2HmacSalt, DeterministicNames: args.deterministic_names, diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index a634be5f..87735d0f 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -76,6 +76,7 @@ type CreateArgs struct { LogN int Creator string AESSIV bool + Fido2Name string Fido2CredentialID []byte Fido2HmacSalt []byte DeterministicNames bool @@ -124,7 +125,7 @@ func Create(args *CreateArgs) error { } if len(args.Fido2CredentialID) > 0 { cf.setFeatureFlag(FlagFIDO2) - cf.FIDO2[DefaultKey] = &FIDO2Params{ + cf.FIDO2[args.Fido2Name] = &FIDO2Params{ CredentialID: args.Fido2CredentialID, HMACSalt: args.Fido2HmacSalt, } diff --git a/main.go b/main.go index 1973ed1e..feff6d42 100644 --- a/main.go +++ b/main.go @@ -45,8 +45,14 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.") return nil, nil, exitcodes.NewErr("", exitcodes.Usage) } - var fido2Obj = cf.FIDO2[configfile.DefaultKey] + var fido2Obj = cf.FIDO2[args.fido2Name] + if fido2Obj == nil { + tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; password not found: check your --fido2-name option") + return nil, nil, exitcodes.NewErr("", exitcodes.Usage) + } pw = fido2.Secret(args.fido2, fido2Obj.CredentialID, fido2Obj.HMACSalt) + // overwrite user to match fido2Name + args.user = args.fido2Name } else { pw, err = readpassword.Once([]string(args.extpass), []string(args.passfile), "") if err != nil { From 33c659cea7ae0c89eef3a7b8cc8887ccbc76d6a6 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 13:12:37 +0200 Subject: [PATCH 09/25] support for fido2 init and add-user afterwards --- gocryptfs-xray/xray_main.go | 16 ++++++++++------ init_dir.go | 2 +- main.go | 14 +------------- 3 files changed, 12 insertions(+), 20 deletions(-) diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go index 2a34566b..6edcae7e 100644 --- a/gocryptfs-xray/xray_main.go +++ b/gocryptfs-xray/xray_main.go @@ -83,6 +83,7 @@ type argContainer struct { xchacha *bool sep0 *bool fido2 *string + fido2Name *string version *bool user *string } @@ -96,6 +97,7 @@ func main() { args.aessiv = flag.Bool("aessiv", false, "Assume AES-SIV mode instead of AES-GCM") args.xchacha = flag.Bool("xchacha", false, "Assume XChaCha20-Poly1305 mode instead of AES-GCM") args.fido2 = flag.String("fido2", "", "Protect the masterkey using a FIDO2 token instead of a password") + args.fido2Name = flag.String("fido2-name", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for fido2 device registration or decryption") args.version = flag.Bool("version", false, "Print version information") args.user = flag.String("user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") @@ -129,13 +131,13 @@ func main() { } defer f.Close() if *args.dumpmasterkey { - dumpMasterKey(fn, *args.user, *args.fido2) + dumpMasterKey(fn, *args.user, *args.fido2, *args.fido2Name) } else { inspectCiphertext(&args, f) } } -func dumpMasterKey(fn string, user string, fido2Path string) { +func dumpMasterKey(fn string, user string, fido2Path string, fido2Name string) { tlog.Info.Enabled = false cf, err := configfile.Load(fn) if err != nil { @@ -143,13 +145,15 @@ func dumpMasterKey(fn string, user string, fido2Path string) { exitcodes.Exit(err) } var pw []byte - if cf.IsFeatureFlagSet(configfile.FlagFIDO2) { - if fido2Path == "" { - tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.") + if cf.IsFeatureFlagSet(configfile.FlagFIDO2) && fido2Path != "" { + var fido2Obj = cf.FIDO2[fido2Name] + if fido2Obj == nil { + tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; password not found: check your --fido2-name option") os.Exit(exitcodes.Usage) } - var fido2Obj = cf.FIDO2[configfile.DefaultKey] pw = fido2.Secret(fido2Path, fido2Obj.CredentialID, fido2Obj.HMACSalt) + // overwrite user to match fido2Name + user = fido2Name } else { pw, err = readpassword.Once(nil, nil, "") if err != nil { diff --git a/init_dir.go b/init_dir.go index 09c7f1cb..ac4448c2 100644 --- a/init_dir.go +++ b/init_dir.go @@ -87,7 +87,7 @@ func initDir(args *argContainer) { fido2CredentialID = fido2.Register(args.fido2, filepath.Base(args.cipherdir)) fido2HmacSalt = cryptocore.RandBytes(32) password = fido2.Secret(args.fido2, fido2CredentialID, fido2HmacSalt) - // overwrite user to match fido2Nam + // overwrite user to match fido2Name args.user = fido2Name } else { // normal password entry diff --git a/main.go b/main.go index feff6d42..f84b186a 100644 --- a/main.go +++ b/main.go @@ -40,11 +40,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, return masterkey, cf, nil } var pw []byte - if cf.IsFeatureFlagSet(configfile.FlagFIDO2) { - if args.fido2 == "" { - tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; need to use the --fido2 option.") - return nil, nil, exitcodes.NewErr("", exitcodes.Usage) - } + if cf.IsFeatureFlagSet(configfile.FlagFIDO2) && args.fido2 != "" { var fido2Obj = cf.FIDO2[args.fido2Name] if fido2Obj == nil { tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; password not found: check your --fido2-name option") @@ -160,10 +156,6 @@ func addUser(args *argContainer) { if _, ok := confFile.EncryptedKeys[args.addUser]; ok { log.Panic("User ", args.addUser, " does already exist") } - if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { - tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") - os.Exit(exitcodes.Usage) - } tlog.Info.Println("Please enter the password for new user ", args.addUser, ".") newPw, err := readpassword.Twice([]string(args.extpass), []string(args.passfile)) if err != nil { @@ -220,10 +212,6 @@ func deleteUser(args *argContainer) { if _, ok := confFile.EncryptedKeys[args.deleteUser]; !ok { log.Panic("User ", args.deleteUser, " does not exist") } - if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { - tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") - os.Exit(exitcodes.Usage) - } delete(confFile.EncryptedKeys, args.deleteUser) for i := range masterkey { masterkey[i] = 0 From 4989c5634f2da83fa534a6e22a42e6b2a368778e Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 13:23:17 +0200 Subject: [PATCH 10/25] fido2: no more need to use cipherdir as user name --- init_dir.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init_dir.go b/init_dir.go index ac4448c2..9b0ba8e8 100644 --- a/init_dir.go +++ b/init_dir.go @@ -84,7 +84,7 @@ func initDir(args *argContainer) { var fido2CredentialID, fido2HmacSalt []byte if args.fido2 != "" { fido2Name = args.fido2Name - fido2CredentialID = fido2.Register(args.fido2, filepath.Base(args.cipherdir)) + fido2CredentialID = fido2.Register(args.fido2, fido2Name /*filepath.Base(args.cipherdir)*/) fido2HmacSalt = cryptocore.RandBytes(32) password = fido2.Secret(args.fido2, fido2CredentialID, fido2HmacSalt) // overwrite user to match fido2Name From 0178dce0fb4067561c6808cbb0db4a309a7665ea Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 14:32:09 +0200 Subject: [PATCH 11/25] towards support for adding fido2 device --- .vscode/launch.json | 6 ++-- cli_args.go | 9 ++--- main.go | 83 ++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 91 insertions(+), 7 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index d95d47b0..332d1ac9 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -9,7 +9,9 @@ "type": "go", "request": "launch", "mode": "auto", - "program": "${fileDirname}" + "program": "${fileDirname}/..", + "args": ["-init", "-fido2", "/dev/hidraw3", "-fido2-name", "solo", "cipher2"], + "cwd": "/mnt/home/tpasch/tmp" } ] -} \ No newline at end of file +} diff --git a/cli_args.go b/cli_args.go index 36c81591..198f584e 100644 --- a/cli_args.go +++ b/cli_args.go @@ -37,7 +37,7 @@ type argContainer struct { masterkey, mountpoint, cipherdir, cpuprofile, memprofile, ko, ctlsock, fsname, force_owner, trace, fido2 string // more than one encryption of masterkey - user, fido2Name, addUser, deleteUser, addFido2, deleteFido2 string + user, fido2Name, addUser, deleteUser, addFido2Device, addFido2, deleteFido2 string // -extpass, -badname, -passfile can be passed multiple times extpass, badname, passfile []string // For reverse mode, several ways to specify exclusions. All can be specified multiple times. @@ -216,8 +216,9 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.StringVar(&args.fido2Name, "fido2-name", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for fido2 device registration or decryption") flagSet.StringVar(&args.addUser, "add-user", "", "Add encrypted masterkey for using credentials of ") flagSet.StringVar(&args.deleteUser, "delete-user", "", "Delete encrypted masterkey for using credentials of ") - flagSet.StringVar(&args.addFido2, "add-fido2", "", "Add encrypted masterkey for FIDO2 key ") - flagSet.StringVar(&args.deleteFido2, "delete-fido2", "", "Delete encrypted masterkey for FIDO ") + flagSet.StringVar(&args.addFido2Device, "add-fido2-device", "", "Add FIDO2 device on path for masterkey decryption") + flagSet.StringVar(&args.addFido2, "add-fido2", configfile.DefaultKey, "Add FIDO2 device with name instead of "+configfile.DefaultKey+" for masterkey decryption") + flagSet.StringVar(&args.deleteFido2, "delete-fido2", "", "Delete encrypted masterkey of FIDO2 device with name instead of "+configfile.DefaultKey) // Exclusion options flagSet.StringArrayVar(&args.exclude, "e", nil, "Alias for -exclude") @@ -347,7 +348,7 @@ func countOpFlags(args *argContainer) int { if args.deleteUser != "" { count++ } - if args.addFido2 != "" { + if args.addFido2Device != "" { count++ } if args.deleteFido2 != "" { diff --git a/main.go b/main.go index f84b186a..c57de24d 100644 --- a/main.go +++ b/main.go @@ -15,6 +15,7 @@ import ( "github.com/rfjakob/gocryptfs/v2/internal/configfile" "github.com/rfjakob/gocryptfs/v2/internal/contentenc" + "github.com/rfjakob/gocryptfs/v2/internal/cryptocore" "github.com/rfjakob/gocryptfs/v2/internal/exitcodes" "github.com/rfjakob/gocryptfs/v2/internal/fido2" "github.com/rfjakob/gocryptfs/v2/internal/readpassword" @@ -46,6 +47,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile, tlog.Fatal.Printf("Masterkey encrypted using FIDO2 token; password not found: check your --fido2-name option") return nil, nil, exitcodes.NewErr("", exitcodes.Usage) } + tlog.Info.Println("Retrieve pseudo user and password from FIDO2 device ", args.fido2Name, " at ", args.fido2) pw = fido2.Secret(args.fido2, fido2Obj.CredentialID, fido2Obj.HMACSalt) // overwrite user to match fido2Name args.user = args.fido2Name @@ -229,6 +231,85 @@ func deleteUser(args *argContainer) { tlog.ColorReset) } +// add fido2 device from flag to config file "filename" +func addFido2(args *argContainer) { + var confFile *configfile.ConfFile + { + var masterkey []byte + var err error + masterkey, confFile, err = loadConfig(args) + if err != nil { + exitcodes.Exit(err) + } + if len(masterkey) == 0 { + log.Panic("empty masterkey") + } + // Are we using "-masterkey"? + if args.masterkey != "" { + log.Panic(" is not allowed in conjunction with '-masterkey'") + } + if args.addFido2Device == "" { + log.Panic("missing argument in addFido2") + } + if args.addFido2 == "" { + log.Panic("missing argument in addFido2") + } + if args.addFido2 == args.fido2 { + log.Panic(" and must be different") + } + if len(confFile.EncryptedKeys) >= maxUserEntries-1 { + log.Panic("only ", maxUserEntries, " user/pw entries are allowed (including fido2 devices)") + } + if _, ok := confFile.EncryptedKeys[args.addFido2]; ok { + log.Panic("User/Device ", args.addFido2, " does already exist") + } + tlog.Info.Println("Adding new FIDO2 device ", args.addFido2, " at ", args.addFido2Device) + /* + newPw, err := readpassword.Twice([]string(args.extpass), []string(args.passfile)) + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.ReadPassword) + } + logN := confFile.ScryptObject.LogN() + if args._explicitScryptn { + logN = args.scryptn + } + confFile.EncryptKey(masterkey, args.addUser, newPw, logN) + for i := range newPw { + newPw[i] = 0 + } + */ + params := configfile.FIDO2Params{ + CredentialID: fido2.Register(args.addFido2Device, args.addFido2), + HMACSalt: cryptocore.RandBytes(32), + } + password := fido2.Secret(args.addFido2, params.CredentialID, params.HMACSalt) + // overwrite user to match fido2Name + args.user = args.addFido2 + + logN := confFile.ScryptObject.LogN() + if args._explicitScryptn { + logN = args.scryptn + } + confFile.EncryptKey(masterkey, args.addUser, password, logN) + confFile.FIDO2[args.addFido2] = ¶ms + + for i := range masterkey { + masterkey[i] = 0 + } + for i := range password { + password[i] = 0 + } + // masterkey and password run out of scope here + } + err := confFile.WriteFile() + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.WriteConf) + } + tlog.Info.Printf(tlog.ColorGreen+"Password set for user %v."+tlog.ColorReset, args.addUser) +} + func main() { mxp := runtime.GOMAXPROCS(0) if mxp < 4 && os.Getenv("GOMAXPROCS") == "" { @@ -417,7 +498,7 @@ func main() { os.Exit(0) } if args.addFido2 != "" { - tlog.Fatal.Printf("not implemented") + addFido2(&args) os.Exit(0) } if args.deleteFido2 != "" { From 2aca393ec3b46cf7437d7694ceba5f0304d2ba38 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 14:58:16 +0200 Subject: [PATCH 12/25] support for adding fido2 device --- .vscode/launch.json | 6 ++++-- internal/configfile/config_file.go | 6 +++++- main.go | 13 ++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index 332d1ac9..7eadd239 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -10,8 +10,10 @@ "request": "launch", "mode": "auto", "program": "${fileDirname}/..", - "args": ["-init", "-fido2", "/dev/hidraw3", "-fido2-name", "solo", "cipher2"], - "cwd": "/mnt/home/tpasch/tmp" + // "args": ["-init", "-fido2", "/dev/hidraw3", "-fido2-name", "solo", "cipher2"], + "args": ["-user", "testuser", "-add-fido2-device", "/dev/hidraw3", "-add-fido2", "solo", "/mnt/home/tpasch/tmp/cipher2"], + // "cwd": "/mnt/home/tpasch/tmp" + "console": "integratedTerminal" } ] } diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 87735d0f..01e2a97c 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -124,7 +124,7 @@ func Create(args *CreateArgs) error { cf.setFeatureFlag(FlagAESSIV) } if len(args.Fido2CredentialID) > 0 { - cf.setFeatureFlag(FlagFIDO2) + cf.SetFeatureFlagFIDO2() cf.FIDO2[args.Fido2Name] = &FIDO2Params{ CredentialID: args.Fido2CredentialID, HMACSalt: args.Fido2HmacSalt, @@ -234,6 +234,10 @@ func (cf *ConfFile) setFeatureFlag(flag flagIota) { cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[flag]) } +func (cf *ConfFile) SetFeatureFlagFIDO2() { + cf.setFeatureFlag(FlagFIDO2) +} + // DecryptMasterKey decrypts the masterkey stored in cf.EncryptedKey using // password. func (cf *ConfFile) DecryptMasterKey(user string, password []byte) (masterkey []byte, err error) { diff --git a/main.go b/main.go index c57de24d..cc9b75ad 100644 --- a/main.go +++ b/main.go @@ -264,6 +264,7 @@ func addFido2(args *argContainer) { log.Panic("User/Device ", args.addFido2, " does already exist") } tlog.Info.Println("Adding new FIDO2 device ", args.addFido2, " at ", args.addFido2Device) + confFile.SetFeatureFlagFIDO2() /* newPw, err := readpassword.Twice([]string(args.extpass), []string(args.passfile)) if err != nil { @@ -283,15 +284,21 @@ func addFido2(args *argContainer) { CredentialID: fido2.Register(args.addFido2Device, args.addFido2), HMACSalt: cryptocore.RandBytes(32), } - password := fido2.Secret(args.addFido2, params.CredentialID, params.HMACSalt) - // overwrite user to match fido2Name - args.user = args.addFido2 + password := fido2.Secret(args.addFido2Device, params.CredentialID, params.HMACSalt) + // overwrite addUser to match addFido2 + args.addUser = args.addFido2 logN := confFile.ScryptObject.LogN() if args._explicitScryptn { logN = args.scryptn } confFile.EncryptKey(masterkey, args.addUser, password, logN) + if confFile.FIDO2 == nil { + confFile.FIDO2 = make(configfile.FIDO2ParamsMap) + } + if _, ok := confFile.FIDO2[args.addFido2]; ok { + log.Panic("FIDO2 device ", args.addFido2, " does already exist") + } confFile.FIDO2[args.addFido2] = ¶ms for i := range masterkey { From 98e5c7cf88b179fa4307e0561433920c99d8e783 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 15:13:55 +0200 Subject: [PATCH 13/25] rename flags more consistent --- cli_args.go | 11 ++++++----- main.go | 45 +++++++++++++++------------------------------ 2 files changed, 21 insertions(+), 35 deletions(-) diff --git a/cli_args.go b/cli_args.go index 198f584e..34c11cc7 100644 --- a/cli_args.go +++ b/cli_args.go @@ -37,7 +37,7 @@ type argContainer struct { masterkey, mountpoint, cipherdir, cpuprofile, memprofile, ko, ctlsock, fsname, force_owner, trace, fido2 string // more than one encryption of masterkey - user, fido2Name, addUser, deleteUser, addFido2Device, addFido2, deleteFido2 string + user, fido2Name, addUser, deleteUser, addFido2, addFido2Name, deleteFido2 string // -extpass, -badname, -passfile can be passed multiple times extpass, badname, passfile []string // For reverse mode, several ways to specify exclusions. All can be specified multiple times. @@ -209,15 +209,16 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.StringVar(&args.fsname, "fsname", "", "Override the filesystem name") flagSet.StringVar(&args.force_owner, "force_owner", "", "uid:gid pair to coerce ownership") flagSet.StringVar(&args.trace, "trace", "", "Write execution trace to file") - flagSet.StringVar(&args.fido2, "fido2", "", "Protect the masterkey using a FIDO2 token instead of a password") + flagSet.StringVar(&args.fido2, "fido2", "", "Protect the masterkey using the FIDO2 device at (no password needed in this case)") // more than one encryption of masterkey flagSet.StringVar(&args.user, "user", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for decryption of masterkey") flagSet.StringVar(&args.fido2Name, "fido2-name", configfile.DefaultKey, "Use instead of "+configfile.DefaultKey+" for fido2 device registration or decryption") flagSet.StringVar(&args.addUser, "add-user", "", "Add encrypted masterkey for using credentials of ") flagSet.StringVar(&args.deleteUser, "delete-user", "", "Delete encrypted masterkey for using credentials of ") - flagSet.StringVar(&args.addFido2Device, "add-fido2-device", "", "Add FIDO2 device on path for masterkey decryption") - flagSet.StringVar(&args.addFido2, "add-fido2", configfile.DefaultKey, "Add FIDO2 device with name instead of "+configfile.DefaultKey+" for masterkey decryption") + flagSet.StringVar(&args.addFido2, "add-fido2", "", "Add FIDO2 device on path for masterkey decryption") + flagSet.StringVar(&args.addFido2Name, "add-fido2-name", configfile.DefaultKey, + "Add FIDO2 device with name instead of "+configfile.DefaultKey+" for masterkey decryption") flagSet.StringVar(&args.deleteFido2, "delete-fido2", "", "Delete encrypted masterkey of FIDO2 device with name instead of "+configfile.DefaultKey) // Exclusion options @@ -348,7 +349,7 @@ func countOpFlags(args *argContainer) int { if args.deleteUser != "" { count++ } - if args.addFido2Device != "" { + if args.addFido2 != "" { count++ } if args.deleteFido2 != "" { diff --git a/main.go b/main.go index cc9b75ad..5eb36347 100644 --- a/main.go +++ b/main.go @@ -248,45 +248,30 @@ func addFido2(args *argContainer) { if args.masterkey != "" { log.Panic(" is not allowed in conjunction with '-masterkey'") } - if args.addFido2Device == "" { - log.Panic("missing argument in addFido2") - } if args.addFido2 == "" { log.Panic("missing argument in addFido2") } - if args.addFido2 == args.fido2 { + if args.addFido2Name == "" { + log.Panic("missing argument in addFido2") + } + if args.addFido2Name == args.fido2 { log.Panic(" and must be different") } if len(confFile.EncryptedKeys) >= maxUserEntries-1 { log.Panic("only ", maxUserEntries, " user/pw entries are allowed (including fido2 devices)") } - if _, ok := confFile.EncryptedKeys[args.addFido2]; ok { - log.Panic("User/Device ", args.addFido2, " does already exist") + if _, ok := confFile.EncryptedKeys[args.addFido2Name]; ok { + log.Panic("User/Device ", args.addFido2Name, " does already exist") } - tlog.Info.Println("Adding new FIDO2 device ", args.addFido2, " at ", args.addFido2Device) + tlog.Info.Println("Adding new FIDO2 device ", args.addFido2Name, " at ", args.addFido2) confFile.SetFeatureFlagFIDO2() - /* - newPw, err := readpassword.Twice([]string(args.extpass), []string(args.passfile)) - if err != nil { - tlog.Fatal.Println(err) - os.Exit(exitcodes.ReadPassword) - } - logN := confFile.ScryptObject.LogN() - if args._explicitScryptn { - logN = args.scryptn - } - confFile.EncryptKey(masterkey, args.addUser, newPw, logN) - for i := range newPw { - newPw[i] = 0 - } - */ params := configfile.FIDO2Params{ - CredentialID: fido2.Register(args.addFido2Device, args.addFido2), + CredentialID: fido2.Register(args.addFido2, args.addFido2Name), HMACSalt: cryptocore.RandBytes(32), } - password := fido2.Secret(args.addFido2Device, params.CredentialID, params.HMACSalt) - // overwrite addUser to match addFido2 - args.addUser = args.addFido2 + password := fido2.Secret(args.addFido2, params.CredentialID, params.HMACSalt) + // overwrite addUser to match addFido2Name + args.addUser = args.addFido2Name logN := confFile.ScryptObject.LogN() if args._explicitScryptn { @@ -296,10 +281,10 @@ func addFido2(args *argContainer) { if confFile.FIDO2 == nil { confFile.FIDO2 = make(configfile.FIDO2ParamsMap) } - if _, ok := confFile.FIDO2[args.addFido2]; ok { - log.Panic("FIDO2 device ", args.addFido2, " does already exist") + if _, ok := confFile.FIDO2[args.addFido2Name]; ok { + log.Panic("FIDO2 device ", args.addFido2Name, " does already exist") } - confFile.FIDO2[args.addFido2] = ¶ms + confFile.FIDO2[args.addFido2Name] = ¶ms for i := range masterkey { masterkey[i] = 0 @@ -504,7 +489,7 @@ func main() { deleteUser(&args) os.Exit(0) } - if args.addFido2 != "" { + if args.addFido2Name != "" { addFido2(&args) os.Exit(0) } From f252940770e5517eee5ca3a426412548a85c7d29 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 16:41:32 +0200 Subject: [PATCH 14/25] fixes --- cli_args.go | 20 ++++++++++++++++++++ main.go | 4 ++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/cli_args.go b/cli_args.go index 34c11cc7..7574cf23 100644 --- a/cli_args.go +++ b/cli_args.go @@ -300,6 +300,26 @@ func parseCliOpts(osArgs []string) (args argContainer) { tlog.Fatal.Printf("The options -extpass and -fido2 cannot be used at the same time") os.Exit(exitcodes.Usage) } + if args.user != "" && args.fido2 != "" { + tlog.Fatal.Printf("The options -user and -fido2 cannot be used at the same time") + os.Exit(exitcodes.Usage) + } + if args.addUser != "" && args.addFido2 != "" { + tlog.Fatal.Printf("The options -add-user and -add-fido2 cannot be used at the same time") + os.Exit(exitcodes.Usage) + } + if args.addUser != "" && args.addFido2Name != configfile.DefaultKey { + tlog.Fatal.Printf("The options -add-user and -add-fido2-name cannot be used at the same time") + os.Exit(exitcodes.Usage) + } + if args.addUser != "" && args.deleteUser != "" { + tlog.Fatal.Printf("The options -add-user and -delete-user cannot be used at the same time") + os.Exit(exitcodes.Usage) + } + if args.deleteUser != "" && args.deleteFido2 != "" { + tlog.Fatal.Printf("The options -delete-user and -delete-fido2 cannot be used at the same time") + os.Exit(exitcodes.Usage) + } if args.idle < 0 { tlog.Fatal.Printf("Idle timeout cannot be less than 0") os.Exit(exitcodes.Usage) diff --git a/main.go b/main.go index 5eb36347..bdd4bf05 100644 --- a/main.go +++ b/main.go @@ -84,8 +84,8 @@ func changePassword(args *argContainer) { if len(masterkey) == 0 { log.Panic("empty masterkey") } - if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) { - tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.") + if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) && args.fido2 != "" { + tlog.Fatal.Printf("Password change is not supported in conjunction with --fido2") os.Exit(exitcodes.Usage) } tlog.Info.Println("Please enter your new password.") From 920faee01e011253aa72195908ca1c1aa34917c1 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 17:25:56 +0200 Subject: [PATCH 15/25] support deleting FIDO2 devices --- cli_args.go | 16 ++++++---- main.go | 84 ++++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 84 insertions(+), 16 deletions(-) diff --git a/cli_args.go b/cli_args.go index 7574cf23..87f760fe 100644 --- a/cli_args.go +++ b/cli_args.go @@ -37,7 +37,7 @@ type argContainer struct { masterkey, mountpoint, cipherdir, cpuprofile, memprofile, ko, ctlsock, fsname, force_owner, trace, fido2 string // more than one encryption of masterkey - user, fido2Name, addUser, deleteUser, addFido2, addFido2Name, deleteFido2 string + user, fido2Name, addUser, deleteUser, addFido2, addFido2Name, deleteFido2Name string // -extpass, -badname, -passfile can be passed multiple times extpass, badname, passfile []string // For reverse mode, several ways to specify exclusions. All can be specified multiple times. @@ -219,7 +219,7 @@ func parseCliOpts(osArgs []string) (args argContainer) { flagSet.StringVar(&args.addFido2, "add-fido2", "", "Add FIDO2 device on path for masterkey decryption") flagSet.StringVar(&args.addFido2Name, "add-fido2-name", configfile.DefaultKey, "Add FIDO2 device with name instead of "+configfile.DefaultKey+" for masterkey decryption") - flagSet.StringVar(&args.deleteFido2, "delete-fido2", "", "Delete encrypted masterkey of FIDO2 device with name instead of "+configfile.DefaultKey) + flagSet.StringVar(&args.deleteFido2Name, "delete-fido2-name", "", "Delete encrypted masterkey of FIDO2 device with name instead of "+configfile.DefaultKey) // Exclusion options flagSet.StringArrayVar(&args.exclude, "e", nil, "Alias for -exclude") @@ -300,10 +300,14 @@ func parseCliOpts(osArgs []string) (args argContainer) { tlog.Fatal.Printf("The options -extpass and -fido2 cannot be used at the same time") os.Exit(exitcodes.Usage) } - if args.user != "" && args.fido2 != "" { + if args.user != configfile.DefaultKey && args.fido2 != "" { tlog.Fatal.Printf("The options -user and -fido2 cannot be used at the same time") os.Exit(exitcodes.Usage) } + if args.user != configfile.DefaultKey && args.fido2Name != configfile.DefaultKey { + tlog.Fatal.Printf("The options -user and -fido2-name cannot be used at the same time") + os.Exit(exitcodes.Usage) + } if args.addUser != "" && args.addFido2 != "" { tlog.Fatal.Printf("The options -add-user and -add-fido2 cannot be used at the same time") os.Exit(exitcodes.Usage) @@ -316,8 +320,8 @@ func parseCliOpts(osArgs []string) (args argContainer) { tlog.Fatal.Printf("The options -add-user and -delete-user cannot be used at the same time") os.Exit(exitcodes.Usage) } - if args.deleteUser != "" && args.deleteFido2 != "" { - tlog.Fatal.Printf("The options -delete-user and -delete-fido2 cannot be used at the same time") + if args.deleteUser != "" && args.deleteFido2Name != "" { + tlog.Fatal.Printf("The options -delete-user and -delete-fido2-name cannot be used at the same time") os.Exit(exitcodes.Usage) } if args.idle < 0 { @@ -372,7 +376,7 @@ func countOpFlags(args *argContainer) int { if args.addFido2 != "" { count++ } - if args.deleteFido2 != "" { + if args.deleteFido2Name != "" { count++ } return count diff --git a/main.go b/main.go index bdd4bf05..2972c42b 100644 --- a/main.go +++ b/main.go @@ -126,7 +126,7 @@ func changePassword(args *argContainer) { tlog.Fatal.Println(err) os.Exit(exitcodes.WriteConf) } - tlog.Info.Printf(tlog.ColorGreen + "Password changed." + tlog.ColorReset) + tlog.Info.Printf(tlog.ColorGreen+"Password changed for %v."+tlog.ColorReset, args.user) } // add user from flag to config file "filename" @@ -225,7 +225,7 @@ func deleteUser(args *argContainer) { tlog.Fatal.Println(err) os.Exit(exitcodes.WriteConf) } - tlog.Info.Printf(tlog.ColorGreen+"User %v."+tlog.ColorReset, args.deleteUser) + tlog.Info.Printf(tlog.ColorGreen+"User %v deleted."+tlog.ColorReset, args.deleteUser) tlog.Info.Printf(tlog.ColorYellow + "Warning: Deleting a user is unsafe - as the deleted user could have retrieved the masterkey or copied gocryptfs.conf already" + tlog.ColorReset) @@ -254,8 +254,8 @@ func addFido2(args *argContainer) { if args.addFido2Name == "" { log.Panic("missing argument in addFido2") } - if args.addFido2Name == args.fido2 { - log.Panic(" and must be different") + if args.addFido2Name == args.fido2Name { + log.Panic(" and must be different") } if len(confFile.EncryptedKeys) >= maxUserEntries-1 { log.Panic("only ", maxUserEntries, " user/pw entries are allowed (including fido2 devices)") @@ -299,7 +299,71 @@ func addFido2(args *argContainer) { tlog.Fatal.Println(err) os.Exit(exitcodes.WriteConf) } - tlog.Info.Printf(tlog.ColorGreen+"Password set for user %v."+tlog.ColorReset, args.addUser) + tlog.Info.Printf(tlog.ColorGreen+"FIDO2 device %v at %v registered."+tlog.ColorReset, args.addFido2Name, args.addFido2) +} + +// delete fido2 device from flag to config file "filename" +func deleteFido2Name(args *argContainer) { + var confFile *configfile.ConfFile + { + var masterkey []byte + var err error + masterkey, confFile, err = loadConfig(args) + if err != nil { + exitcodes.Exit(err) + } + if len(masterkey) == 0 { + log.Panic("empty masterkey") + } + // Are we using "-masterkey"? + if args.masterkey != "" { + log.Panic(" is not allowed in conjunction with '-masterkey'") + } + if args.deleteFido2Name == "" { + log.Panic("missing argument in deleteFido2Name") + } + if args.deleteFido2Name == args.fido2Name { + log.Panic(" and must be different") + } + if len(confFile.EncryptedKeys) >= maxUserEntries-1 { + log.Panic("only ", maxUserEntries, " user/pw entries are allowed (including fido2 devices)") + } + if _, ok := confFile.EncryptedKeys[args.deleteFido2Name]; !ok { + log.Panic("User/Device ", args.deleteFido2Name, " does not exist") + } + if confFile.FIDO2 == nil { + confFile.FIDO2 = make(configfile.FIDO2ParamsMap) + } + if _, ok := confFile.FIDO2[args.deleteFido2Name]; !ok { + log.Panic("FIDO2 device ", args.deleteFido2Name, " does not exist") + } + if len(confFile.EncryptedKeys) <= 1 { + log.Panic("tried to delete last user/device") + } + if _, ok := confFile.EncryptedKeys[args.deleteFido2Name]; !ok { + log.Panic("User/device ", args.deleteFido2Name, " does not exist") + } + if _, ok := confFile.FIDO2[args.deleteFido2Name]; !ok { + log.Panic("FIDO2 device ", args.deleteFido2Name, " does not exist") + } + tlog.Info.Println("Deleting FIDO2 device ", args.deleteFido2Name) + delete(confFile.EncryptedKeys, args.deleteFido2Name) + delete(confFile.FIDO2, args.deleteFido2Name) + for i := range masterkey { + masterkey[i] = 0 + } + // masterkey run out of scope here + } + err := confFile.WriteFile() + if err != nil { + tlog.Fatal.Println(err) + os.Exit(exitcodes.WriteConf) + } + tlog.Info.Printf(tlog.ColorGreen+"FIDO device %v deleted."+tlog.ColorReset, args.deleteFido2Name) + tlog.Info.Printf(tlog.ColorYellow + + "Warning: Deleting a FIDO device is unsafe - as the user using the FIDO2 device could have retrieved the masterkey or copied gocryptfs.conf already" + + tlog.ColorReset) + } func main() { @@ -452,11 +516,11 @@ func main() { return } if nOps > 1 { - tlog.Fatal.Printf("At most one of -info, -init, -passwd, -fsck, --add-user, --delete-user, --add-fido2, --delete-fido2 is allowed") + tlog.Fatal.Printf("At most one of -info, -init, -passwd, -fsck, -add-user, -delete-user, -add-fido2, -delete-fido2-name is allowed") os.Exit(exitcodes.Usage) } if flagSet.NArg() != 1 { - tlog.Fatal.Printf("The options -info, -init, -passwd, -fsck, --add-user, --delete-user, --add-fido2, --delete-fido2 take exactly one argument, %d given", + tlog.Fatal.Printf("The options -info, -init, -passwd, -fsck, -add-user, -delete-user, -add-fido2, -delete-fido2-name take exactly one argument, %d given", flagSet.NArg()) os.Exit(exitcodes.Usage) } @@ -489,12 +553,12 @@ func main() { deleteUser(&args) os.Exit(0) } - if args.addFido2Name != "" { + if args.addFido2 != "" { addFido2(&args) os.Exit(0) } - if args.deleteFido2 != "" { - tlog.Fatal.Printf("not implemented") + if args.deleteFido2Name != "" { + deleteFido2Name(&args) os.Exit(0) } tlog.Fatal.Printf("parsing command line failed") From 4c6e3359331a5f3fc442da9a732c6d7d53fff327 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 17:40:51 +0200 Subject: [PATCH 16/25] test complie fixes --- go.mod | 8 +++++--- internal/configfile/config_test.go | 8 ++++---- tests/cli/cli_test.go | 6 +++--- tests/cli/longnamemax_test.go | 4 ++-- tests/cli/xchacha_test.go | 2 +- tests/cluster/cluster_test.go | 4 ++-- tests/deterministic_names/deterministic_names_test.go | 2 +- tests/plaintextnames/plaintextnames_test.go | 2 +- 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 5267d8da..79c8c6b0 100644 --- a/go.mod +++ b/go.mod @@ -15,6 +15,8 @@ require ( golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 ) -replace ( - "github.com/rfjakob/gocryptfs/v2/internal/configfile" => "./internal/configfile" -) + +// replace ( +// "github.com/rfjakob/gocryptfs/v2/internal/configfile" => "./internal/configfile" +//) + diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index 7dd68d93..94228261 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -65,7 +65,7 @@ func TestLoadV2StrangeFeature(t *testing.T) { func TestCreateConfDefault(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test"}) @@ -91,7 +91,7 @@ func TestCreateConfDefault(t *testing.T) { func TestCreateConfPlaintextnames(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: configfile.DefaultKey, Password: testPw, PlaintextNames: true, LogN: 10, @@ -118,7 +118,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { func TestCreateConfFileAESSIV(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test", @@ -138,7 +138,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { func TestCreateConfLongNameMax(t *testing.T) { args := &CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: configfile.DefaultKey, Password: testPw, LogN: 10, Creator: "test", diff --git a/tests/cli/cli_test.go b/tests/cli/cli_test.go index bbaca51e..37135e87 100644 --- a/tests/cli/cli_test.go +++ b/tests/cli/cli_test.go @@ -37,7 +37,7 @@ func TestMain(m *testing.M) { // Test -init flag func TestInit(t *testing.T) { dir := test_helpers.InitFS(t) - _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfDefaultName, testPw) + _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfDefaultName, configfile.DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -76,7 +76,7 @@ func TestInitDevRandom(t *testing.T) { // Test -init with -aessiv func TestInitAessiv(t *testing.T) { dir := test_helpers.InitFS(t, "-aessiv") - _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfDefaultName, testPw) + _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfDefaultName, configfile.DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -88,7 +88,7 @@ func TestInitAessiv(t *testing.T) { // Test -init with -reverse func TestInitReverse(t *testing.T) { dir := test_helpers.InitFS(t, "-reverse") - _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfReverseName, testPw) + _, c, err := configfile.LoadAndDecrypt(dir+"/"+configfile.ConfReverseName, configfile.DefaultKey, testPw) if err != nil { t.Fatal(err) } diff --git a/tests/cli/longnamemax_test.go b/tests/cli/longnamemax_test.go index e44a84e5..6d6ac7b0 100644 --- a/tests/cli/longnamemax_test.go +++ b/tests/cli/longnamemax_test.go @@ -20,7 +20,7 @@ func TestLongnamemax100(t *testing.T) { pDir := cDir + ".mnt" // Check config file sanity - _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, testPw) + _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, configfile.DefaultKey, testPw) if err != nil { fmt.Println(err) os.Exit(1) @@ -66,7 +66,7 @@ func TestLongnamemax100Reverse(t *testing.T) { mntDir := backingDir + ".mnt" // Check config file sanity - _, c, err := configfile.LoadAndDecrypt(backingDir+"/"+configfile.ConfReverseName, testPw) + _, c, err := configfile.LoadAndDecrypt(backingDir+"/"+configfile.ConfReverseName, configfile.DefaultKey, testPw) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/tests/cli/xchacha_test.go b/tests/cli/xchacha_test.go index 7f24c8b7..cde4bda1 100644 --- a/tests/cli/xchacha_test.go +++ b/tests/cli/xchacha_test.go @@ -16,7 +16,7 @@ import ( func TestInitXchacha(t *testing.T) { cDir := test_helpers.InitFS(nil, "-xchacha") // Check config file sanity - _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, testPw) + _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, "MyUser", testPw) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/tests/cluster/cluster_test.go b/tests/cluster/cluster_test.go index 2e969ce2..af93bc49 100644 --- a/tests/cluster/cluster_test.go +++ b/tests/cluster/cluster_test.go @@ -27,8 +27,8 @@ import ( // > buffered read/write. // // See also: -// * https://lore.kernel.org/linux-xfs/20190325001044.GA23020@dastard/ -// Dave Chinner: XFS is the only linux filesystem that provides this behaviour. +// - https://lore.kernel.org/linux-xfs/20190325001044.GA23020@dastard/ +// Dave Chinner: XFS is the only linux filesystem that provides this behaviour. func TestClusterConcurrentRW(t *testing.T) { if os.Getenv("ENABLE_CLUSTER_TEST") != "1" { t.Skipf("This test is disabled by default because it fails unless on XFS.\n" + diff --git a/tests/deterministic_names/deterministic_names_test.go b/tests/deterministic_names/deterministic_names_test.go index 00d80fcd..a28fc520 100644 --- a/tests/deterministic_names/deterministic_names_test.go +++ b/tests/deterministic_names/deterministic_names_test.go @@ -22,7 +22,7 @@ var testPw = []byte("test") func TestMain(m *testing.M) { cDir = test_helpers.InitFS(nil, "-deterministic-names") // Check config file sanity - _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, testPw) + _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, configfile.DefaultKey, testPw) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/tests/plaintextnames/plaintextnames_test.go b/tests/plaintextnames/plaintextnames_test.go index 8892c393..a218a1d6 100644 --- a/tests/plaintextnames/plaintextnames_test.go +++ b/tests/plaintextnames/plaintextnames_test.go @@ -31,7 +31,7 @@ func TestMain(m *testing.M) { // Only the PlaintextNames feature flag should be set func TestFlags(t *testing.T) { - _, cf, err := configfile.LoadAndDecrypt(cDir+"/gocryptfs.conf", testPw) + _, cf, err := configfile.LoadAndDecrypt(cDir+"/gocryptfs.conf", configfile.DefaultKey, testPw) if err != nil { t.Fatal(err) } From 9ab00e7ea103130dd1ac88a3b484941712251be3 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 17:45:03 +0200 Subject: [PATCH 17/25] tests compile again --- internal/configfile/config_test.go | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index 94228261..5078d131 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -5,14 +5,13 @@ import ( "testing" "time" - "github.com/rfjakob/gocryptfs/v2/internal/configfile" "github.com/rfjakob/gocryptfs/v2/internal/tlog" ) var testPw = []byte("test") func TestLoadV1(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/v1.conf", testPw) + _, _, err := LoadAndDecrypt("config_test/v1.conf", DefaultKey, testPw) if err == nil { t.Errorf("Outdated v1 config file must fail to load but it didn't") } else if testing.Verbose() { @@ -25,7 +24,7 @@ func TestLoadV1(t *testing.T) { func TestLoadV2(t *testing.T) { t1 := time.Now() - _, _, err := LoadAndDecrypt("config_test/v2.conf", testPw) + _, _, err := LoadAndDecrypt("config_test/v2.conf", DefaultKey, testPw) if err != nil { t.Errorf("Could not load v2 config file: %v", err) } @@ -40,21 +39,21 @@ func TestLoadV2PwdError(t *testing.T) { if !testing.Verbose() { tlog.Warn.Enabled = false } - _, _, err := LoadAndDecrypt("config_test/v2.conf", []byte("wrongpassword")) + _, _, err := LoadAndDecrypt("config_test/v2.conf", DefaultKey, []byte("wrongpassword")) if err == nil { t.Errorf("Loading with wrong password must fail but it didn't") } } func TestLoadV2Feature(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/PlaintextNames.conf", testPw) + _, _, err := LoadAndDecrypt("config_test/PlaintextNames.conf", DefaultKey, testPw) if err != nil { t.Errorf("Could not load v2 PlaintextNames config file: %v", err) } } func TestLoadV2StrangeFeature(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/StrangeFeature.conf", testPw) + _, _, err := LoadAndDecrypt("config_test/StrangeFeature.conf", DefaultKey, testPw) if err == nil { t.Errorf("Loading unknown feature must fail but it didn't") } else if testing.Verbose() { @@ -65,14 +64,14 @@ func TestLoadV2StrangeFeature(t *testing.T) { func TestCreateConfDefault(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: DefaultKey, Password: testPw, LogN: 10, Creator: "test"}) if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", testPw) + _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -91,7 +90,7 @@ func TestCreateConfDefault(t *testing.T) { func TestCreateConfPlaintextnames(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: DefaultKey, Password: testPw, PlaintextNames: true, LogN: 10, @@ -99,7 +98,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", testPw) + _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -118,7 +117,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { func TestCreateConfFileAESSIV(t *testing.T) { err := Create(&CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: DefaultKey, Password: testPw, LogN: 10, Creator: "test", @@ -126,7 +125,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", testPw) + _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -138,7 +137,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { func TestCreateConfLongNameMax(t *testing.T) { args := &CreateArgs{ Filename: "config_test/tmp.conf", - User: configfile.DefaultKey, + User: DefaultKey, Password: testPw, LogN: 10, Creator: "test", @@ -148,7 +147,7 @@ func TestCreateConfLongNameMax(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", testPw) + _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } From 1ee0f197ee0d4987662c093ecd9a024a0efd098e Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 17:58:07 +0200 Subject: [PATCH 18/25] 2 folders: config_test.v2 and config_test.v3 --- internal/configfile/config_test.go | 26 +++++++++---------- .../.gitignore | 0 .../PlaintextNames.conf | 0 .../StrangeFeature.conf | 0 .../{config_test => config_test.v2}/v1.conf | 0 .../{config_test => config_test.v2}/v2.conf | 0 internal/configfile/config_test.v3/.gitignore | 1 + .../config_test.v3/PlaintextNames.conf | 18 +++++++++++++ .../config_test.v3/StrangeFeature.conf | 21 +++++++++++++++ internal/configfile/config_test.v3/v1.conf | 13 ++++++++++ internal/configfile/config_test.v3/v2.conf | 20 ++++++++++++++ tests/cli/xchacha_test.go | 2 +- 12 files changed, 87 insertions(+), 14 deletions(-) rename internal/configfile/{config_test => config_test.v2}/.gitignore (100%) rename internal/configfile/{config_test => config_test.v2}/PlaintextNames.conf (100%) rename internal/configfile/{config_test => config_test.v2}/StrangeFeature.conf (100%) rename internal/configfile/{config_test => config_test.v2}/v1.conf (100%) rename internal/configfile/{config_test => config_test.v2}/v2.conf (100%) create mode 100644 internal/configfile/config_test.v3/.gitignore create mode 100644 internal/configfile/config_test.v3/PlaintextNames.conf create mode 100644 internal/configfile/config_test.v3/StrangeFeature.conf create mode 100644 internal/configfile/config_test.v3/v1.conf create mode 100644 internal/configfile/config_test.v3/v2.conf diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index 5078d131..b9d5ac45 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -11,7 +11,7 @@ import ( var testPw = []byte("test") func TestLoadV1(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/v1.conf", DefaultKey, testPw) + _, _, err := LoadAndDecrypt("config_test.v3/v1.conf", DefaultKey, testPw) if err == nil { t.Errorf("Outdated v1 config file must fail to load but it didn't") } else if testing.Verbose() { @@ -24,7 +24,7 @@ func TestLoadV1(t *testing.T) { func TestLoadV2(t *testing.T) { t1 := time.Now() - _, _, err := LoadAndDecrypt("config_test/v2.conf", DefaultKey, testPw) + _, _, err := LoadAndDecrypt("config_test.v3/v2.conf", DefaultKey, testPw) if err != nil { t.Errorf("Could not load v2 config file: %v", err) } @@ -39,21 +39,21 @@ func TestLoadV2PwdError(t *testing.T) { if !testing.Verbose() { tlog.Warn.Enabled = false } - _, _, err := LoadAndDecrypt("config_test/v2.conf", DefaultKey, []byte("wrongpassword")) + _, _, err := LoadAndDecrypt("config_test.v3/v2.conf", DefaultKey, []byte("wrongpassword")) if err == nil { t.Errorf("Loading with wrong password must fail but it didn't") } } func TestLoadV2Feature(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/PlaintextNames.conf", DefaultKey, testPw) + _, _, err := LoadAndDecrypt("config_test.v3/PlaintextNames.conf", DefaultKey, testPw) if err != nil { t.Errorf("Could not load v2 PlaintextNames config file: %v", err) } } func TestLoadV2StrangeFeature(t *testing.T) { - _, _, err := LoadAndDecrypt("config_test/StrangeFeature.conf", DefaultKey, testPw) + _, _, err := LoadAndDecrypt("config_test.v3/StrangeFeature.conf", DefaultKey, testPw) if err == nil { t.Errorf("Loading unknown feature must fail but it didn't") } else if testing.Verbose() { @@ -63,7 +63,7 @@ func TestLoadV2StrangeFeature(t *testing.T) { func TestCreateConfDefault(t *testing.T) { err := Create(&CreateArgs{ - Filename: "config_test/tmp.conf", + Filename: "config_test.v3/tmp.conf", User: DefaultKey, Password: testPw, LogN: 10, @@ -71,7 +71,7 @@ func TestCreateConfDefault(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) + _, c, err := LoadAndDecrypt("config_test.v3/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -89,7 +89,7 @@ func TestCreateConfDefault(t *testing.T) { func TestCreateConfPlaintextnames(t *testing.T) { err := Create(&CreateArgs{ - Filename: "config_test/tmp.conf", + Filename: "config_test.v3/tmp.conf", User: DefaultKey, Password: testPw, PlaintextNames: true, @@ -98,7 +98,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) + _, c, err := LoadAndDecrypt("config_test.v3/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -116,7 +116,7 @@ func TestCreateConfPlaintextnames(t *testing.T) { // Reverse mode uses AESSIV func TestCreateConfFileAESSIV(t *testing.T) { err := Create(&CreateArgs{ - Filename: "config_test/tmp.conf", + Filename: "config_test.v3/tmp.conf", User: DefaultKey, Password: testPw, LogN: 10, @@ -125,7 +125,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) + _, c, err := LoadAndDecrypt("config_test.v3/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } @@ -136,7 +136,7 @@ func TestCreateConfFileAESSIV(t *testing.T) { func TestCreateConfLongNameMax(t *testing.T) { args := &CreateArgs{ - Filename: "config_test/tmp.conf", + Filename: "config_test.v3/tmp.conf", User: DefaultKey, Password: testPw, LogN: 10, @@ -147,7 +147,7 @@ func TestCreateConfLongNameMax(t *testing.T) { if err != nil { t.Fatal(err) } - _, c, err := LoadAndDecrypt("config_test/tmp.conf", DefaultKey, testPw) + _, c, err := LoadAndDecrypt("config_test.v3/tmp.conf", DefaultKey, testPw) if err != nil { t.Fatal(err) } diff --git a/internal/configfile/config_test/.gitignore b/internal/configfile/config_test.v2/.gitignore similarity index 100% rename from internal/configfile/config_test/.gitignore rename to internal/configfile/config_test.v2/.gitignore diff --git a/internal/configfile/config_test/PlaintextNames.conf b/internal/configfile/config_test.v2/PlaintextNames.conf similarity index 100% rename from internal/configfile/config_test/PlaintextNames.conf rename to internal/configfile/config_test.v2/PlaintextNames.conf diff --git a/internal/configfile/config_test/StrangeFeature.conf b/internal/configfile/config_test.v2/StrangeFeature.conf similarity index 100% rename from internal/configfile/config_test/StrangeFeature.conf rename to internal/configfile/config_test.v2/StrangeFeature.conf diff --git a/internal/configfile/config_test/v1.conf b/internal/configfile/config_test.v2/v1.conf similarity index 100% rename from internal/configfile/config_test/v1.conf rename to internal/configfile/config_test.v2/v1.conf diff --git a/internal/configfile/config_test/v2.conf b/internal/configfile/config_test.v2/v2.conf similarity index 100% rename from internal/configfile/config_test/v2.conf rename to internal/configfile/config_test.v2/v2.conf diff --git a/internal/configfile/config_test.v3/.gitignore b/internal/configfile/config_test.v3/.gitignore new file mode 100644 index 00000000..07201690 --- /dev/null +++ b/internal/configfile/config_test.v3/.gitignore @@ -0,0 +1 @@ +tmp.conf diff --git a/internal/configfile/config_test.v3/PlaintextNames.conf b/internal/configfile/config_test.v3/PlaintextNames.conf new file mode 100644 index 00000000..67c57a33 --- /dev/null +++ b/internal/configfile/config_test.v3/PlaintextNames.conf @@ -0,0 +1,18 @@ +{ + "Creator": "gocryptfs v0.11-13-g96750a7-dirty", + "EncryptedKeys": { + "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk", + }, + "ScryptObject": { + "Salt": "Hq0BqXXeMGVGfdYE1Y/qcW+pvxJBJymRAVgPUxQiZ8Y=", + "N": 1024, + "R": 8, + "P": 1, + "KeyLen": 32 + }, + "Version": 2, + "FeatureFlags": [ + "GCMIV128", + "PlaintextNames" + ] +} diff --git a/internal/configfile/config_test.v3/StrangeFeature.conf b/internal/configfile/config_test.v3/StrangeFeature.conf new file mode 100644 index 00000000..49bf0544 --- /dev/null +++ b/internal/configfile/config_test.v3/StrangeFeature.conf @@ -0,0 +1,21 @@ +{ + "Creator": "gocryptfs v0.11-13-g96750a7-dirty", + "EncryptedKeys": { + "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH", + }, + "ScryptObject": { + "Salt": "9G2knR016guT/AJqOKemjusYhqg+mI177Dz6a5RS7ts=", + "N": 1024, + "R": 8, + "P": 1, + "KeyLen": 32 + }, + "Version": 2, + "FeatureFlags": [ + "GCMIV128", + "DirIV", + "EMENames", + "LongNames", + "StrangeFeatureFlag" + ] +} diff --git a/internal/configfile/config_test.v3/v1.conf b/internal/configfile/config_test.v3/v1.conf new file mode 100644 index 00000000..a8328146 --- /dev/null +++ b/internal/configfile/config_test.v3/v1.conf @@ -0,0 +1,13 @@ +{ + "EncryptedKeys": { + "DefaultKey": "t6YAvFQJvbv46c93bHQ5IZnvNz80DA9cohGoSPL/2M257LuIigow6jbr8b9HhnbDqHTCcz7aKkMDzneF", + }, + "ScryptObject": { + "Salt": "yT4yQmmRmVNx2P0tJrUswk5SQzZaL6Z8kUteAoNJkXM=", + "N": 65536, + "R": 8, + "P": 1, + "KeyLen": 32 + }, + "Version": 1 +} diff --git a/internal/configfile/config_test.v3/v2.conf b/internal/configfile/config_test.v3/v2.conf new file mode 100644 index 00000000..ea04067b --- /dev/null +++ b/internal/configfile/config_test.v3/v2.conf @@ -0,0 +1,20 @@ +{ + "Creator": "gocryptfs v0.11-13-g96750a7-dirty", + "EncryptedKeys": { + "DefaultKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1", + } + "ScryptObject": { + "Salt": "U5MbvyTmwhEkLqe6XxlrONzPZEf2GLFZCAIixz2Kal0=", + "N": 65536, + "R": 8, + "P": 1, + "KeyLen": 32 + }, + "Version": 2, + "FeatureFlags": [ + "GCMIV128", + "DirIV", + "EMENames", + "LongNames" + ] +} diff --git a/tests/cli/xchacha_test.go b/tests/cli/xchacha_test.go index cde4bda1..9bb66629 100644 --- a/tests/cli/xchacha_test.go +++ b/tests/cli/xchacha_test.go @@ -16,7 +16,7 @@ import ( func TestInitXchacha(t *testing.T) { cDir := test_helpers.InitFS(nil, "-xchacha") // Check config file sanity - _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, "MyUser", testPw) + _, c, err := configfile.LoadAndDecrypt(cDir+"/"+configfile.ConfDefaultName, configfile.DefaultKey, testPw) if err != nil { fmt.Println(err) os.Exit(1) From 403fa27f0a91e0c727c3b8178a04c6af3bbb7b48 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 18:11:36 +0200 Subject: [PATCH 19/25] changed test conf files --- gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf | 4 +++- gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf | 6 ++++-- internal/configfile/config_test.v2/PlaintextNames.conf | 6 ++++-- internal/configfile/config_test.v2/StrangeFeature.conf | 4 +++- internal/configfile/config_test.v2/v1.conf | 2 +- internal/configfile/config_test.v2/v2.conf | 6 ++++-- internal/configfile/config_test.v3/PlaintextNames.conf | 2 +- internal/configfile/config_test.v3/StrangeFeature.conf | 2 +- internal/configfile/config_test.v3/v1.conf | 2 +- internal/configfile/config_test.v3/v2.conf | 2 +- tests/cli/gocryptfs.conf.b9e5ba23 | 6 ++++-- tests/example_filesystems/v0.4/gocryptfs.conf | 6 ++++-- tests/example_filesystems/v0.5/gocryptfs.conf | 4 ++-- .../example_filesystems/v0.6-plaintextnames/gocryptfs.conf | 6 ++++-- tests/example_filesystems/v0.6/gocryptfs.conf | 6 ++++-- .../example_filesystems/v0.7-plaintextnames/gocryptfs.conf | 4 ++-- tests/example_filesystems/v0.7/gocryptfs.conf | 6 ++++-- tests/example_filesystems/v0.9/gocryptfs.conf | 6 ++++-- tests/example_filesystems/v1.1-aessiv/gocryptfs.conf | 4 ++-- .../v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf | 4 ++-- .../v1.1-reverse/.gocryptfs.reverse.conf | 6 ++++-- .../v1.3-reverse/.gocryptfs.reverse.conf | 2 +- tests/example_filesystems/v1.3/gocryptfs.conf | 4 +++- .../v2.2-deterministic-names/gocryptfs.conf | 4 +++- .../v2.2-xchacha-deterministic-names/gocryptfs.conf | 4 +++- tests/example_filesystems/v2.2-xchacha/gocryptfs.conf | 2 +- tests/fsck/broken_fs_v1.4/gocryptfs.conf | 2 +- tests/hkdf_sanity/broken_content/gocryptfs.conf | 4 +++- tests/hkdf_sanity/broken_names/gocryptfs.conf | 2 +- .../reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf | 4 +++- tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf | 4 +++- .../exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames | 4 +++- 32 files changed, 84 insertions(+), 46 deletions(-) diff --git a/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf b/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf index f8f288b1..401bd183 100644 --- a/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf +++ b/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.7-beta1-11-g8d71f8f-dirty", - "EncryptedKey": "Rp0VYTJ9QK2imhJQH1miFIgAYZbsfv3t1tvPJvsOVy86ogBzKpUuMDFXD+PPawLvZM/TuYl0n3gx1RY5hzFfbg==", + "EncryptedKeys": { + "DefaultKey":"Rp0VYTJ9QK2imhJQH1miFIgAYZbsfv3t1tvPJvsOVy86ogBzKpUuMDFXD+PPawLvZM/TuYl0n3gx1RY5hzFfbg==", + }; "ScryptObject": { "Salt": "mDPjzd+SZpScPYVv/M9AFjNzXcUy6fqKckXay53EQdQ=", "N": 1024, diff --git a/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf b/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf index 31b565af..631866f1 100644 --- a/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf +++ b/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.7-beta1-11-g8d71f8f-dirty", - "EncryptedKey": "YOxpZ+cImv4HirwuwIUpRmOMlyAFRvEqHOXdgpMcGvIlm70h4q+shSr3RZ19xomnbFZXGfIfKQ2APtVYWOAwuw==", + "EncryptedKeys": { + "DefaultKey":"YOxpZ+cImv4HirwuwIUpRmOMlyAFRvEqHOXdgpMcGvIlm70h4q+shSr3RZ19xomnbFZXGfIfKQ2APtVYWOAwuw==", + }, "ScryptObject": { "Salt": "OzdcVESNmkD0403NHBWezQmq2SyDyLOY2/B4Aev2lHc=", "N": 1024, @@ -8,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/internal/configfile/config_test.v2/PlaintextNames.conf b/internal/configfile/config_test.v2/PlaintextNames.conf index 5b9f4f78..aa3f3fb6 100644 --- a/internal/configfile/config_test.v2/PlaintextNames.conf +++ b/internal/configfile/config_test.v2/PlaintextNames.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", - "EncryptedKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk", + "EncryptedKeys": { + "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk", + }, "ScryptObject": { "Salt": "Hq0BqXXeMGVGfdYE1Y/qcW+pvxJBJymRAVgPUxQiZ8Y=", "N": 1024, @@ -13,4 +15,4 @@ "GCMIV128", "PlaintextNames" ] -} \ No newline at end of file +} diff --git a/internal/configfile/config_test.v2/StrangeFeature.conf b/internal/configfile/config_test.v2/StrangeFeature.conf index eadf1689..e4cd1cb7 100644 --- a/internal/configfile/config_test.v2/StrangeFeature.conf +++ b/internal/configfile/config_test.v2/StrangeFeature.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", - "EncryptedKey": "mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH", + "EncryptedKeys": { + "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH", + }, "ScryptObject": { "Salt": "9G2knR016guT/AJqOKemjusYhqg+mI177Dz6a5RS7ts=", "N": 1024, diff --git a/internal/configfile/config_test.v2/v1.conf b/internal/configfile/config_test.v2/v1.conf index 588a25ae..8e507671 100644 --- a/internal/configfile/config_test.v2/v1.conf +++ b/internal/configfile/config_test.v2/v1.conf @@ -7,5 +7,5 @@ "P": 1, "KeyLen": 32 }, - "Version": 1 + "Version": 3 } diff --git a/internal/configfile/config_test.v2/v2.conf b/internal/configfile/config_test.v2/v2.conf index d1ca6099..024ff84b 100644 --- a/internal/configfile/config_test.v2/v2.conf +++ b/internal/configfile/config_test.v2/v2.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", - "EncryptedKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1", + "EncryptedKeys": { + "DefaultKey":"zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1", + }, "ScryptObject": { "Salt": "U5MbvyTmwhEkLqe6XxlrONzPZEf2GLFZCAIixz2Kal0=", "N": 65536, @@ -15,4 +17,4 @@ "EMENames", "LongNames" ] -} \ No newline at end of file +} diff --git a/internal/configfile/config_test.v3/PlaintextNames.conf b/internal/configfile/config_test.v3/PlaintextNames.conf index 67c57a33..20c480aa 100644 --- a/internal/configfile/config_test.v3/PlaintextNames.conf +++ b/internal/configfile/config_test.v3/PlaintextNames.conf @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "PlaintextNames" diff --git a/internal/configfile/config_test.v3/StrangeFeature.conf b/internal/configfile/config_test.v3/StrangeFeature.conf index 49bf0544..aefb2bf1 100644 --- a/internal/configfile/config_test.v3/StrangeFeature.conf +++ b/internal/configfile/config_test.v3/StrangeFeature.conf @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/internal/configfile/config_test.v3/v1.conf b/internal/configfile/config_test.v3/v1.conf index a8328146..143a759f 100644 --- a/internal/configfile/config_test.v3/v1.conf +++ b/internal/configfile/config_test.v3/v1.conf @@ -9,5 +9,5 @@ "P": 1, "KeyLen": 32 }, - "Version": 1 + "Version": 3 } diff --git a/internal/configfile/config_test.v3/v2.conf b/internal/configfile/config_test.v3/v2.conf index ea04067b..2259adbd 100644 --- a/internal/configfile/config_test.v3/v2.conf +++ b/internal/configfile/config_test.v3/v2.conf @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/cli/gocryptfs.conf.b9e5ba23 b/tests/cli/gocryptfs.conf.b9e5ba23 index 9b2e61ac..dbe9bf9b 100644 --- a/tests/cli/gocryptfs.conf.b9e5ba23 +++ b/tests/cli/gocryptfs.conf.b9e5ba23 @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.1-rc1-31-gc487e17-dirty", - "EncryptedKey": "vthRM/vXg3Cn16jld2JxPiRv8OSBSwTYDzOqdlrvD1agJefZhhvDQS7b5fC7B7JRL4UiVUKkNaJRVMRf", + "EncryptedKeys": { + "DefaultKey":"vthRM/vXg3Cn16jld2JxPiRv8OSBSwTYDzOqdlrvD1agJefZhhvDQS7b5fC7B7JRL4UiVUKkNaJRVMRf", + }, "ScryptObject": { "Salt": "uVwNDUMLWktmV0WgvPHztVrmoahfYN8A/22I/uq66sU=", "N": 1024, @@ -15,4 +17,4 @@ "EMENames", "LongNames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.4/gocryptfs.conf b/tests/example_filesystems/v0.4/gocryptfs.conf index 354b4bbc..cb258b09 100644 --- a/tests/example_filesystems/v0.4/gocryptfs.conf +++ b/tests/example_filesystems/v0.4/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "He757VFOKOWbMJqJ7HBs67SMSi3Vu8/2vgWNI6j1tVo4JBlNvrQSw6KkCh0lGrHrh6ICbPv4MyoyFdGa", + "EncryptedKeys": { + "DefaultKey": "He757VFOKOWbMJqJ7HBs67SMSi3Vu8/2vgWNI6j1tVo4JBlNvrQSw6KkCh0lGrHrh6ICbPv4MyoyFdGa", + }, "ScryptObject": { "Salt": "MeHSsxsnJwngAwptNzuXQlj7JtF1b0uzZuWvVV3cH3w=", "N": 65536, @@ -9,4 +11,4 @@ }, "Version": 2, "FeatureFlags": null -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.5/gocryptfs.conf b/tests/example_filesystems/v0.5/gocryptfs.conf index f8396644..869be11d 100644 --- a/tests/example_filesystems/v0.5/gocryptfs.conf +++ b/tests/example_filesystems/v0.5/gocryptfs.conf @@ -7,8 +7,8 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "DirIV" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf b/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf index 257b7ee1..dccb4175 100644 --- a/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf +++ b/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "SoTMt+DMqVDia42c7cx8YW6KrnzF9EQVYIq5DGR1yFqNKxtOCBIuXEIKJHYSw1Z8VluKRQmkugTOvyTU", + "EncryptedKeys": { + "DefaultKey": "SoTMt+DMqVDia42c7cx8YW6KrnzF9EQVYIq5DGR1yFqNKxtOCBIuXEIKJHYSw1Z8VluKRQmkugTOvyTU", + }, "ScryptObject": { "Salt": "83wR2p5eDPtozsP48vizN1rAbYeXOtksvwoAZ9Y0vn4=", "N": 1024, @@ -11,4 +13,4 @@ "FeatureFlags": [ "PlaintextNames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.6/gocryptfs.conf b/tests/example_filesystems/v0.6/gocryptfs.conf index 1c727812..daf50fe2 100644 --- a/tests/example_filesystems/v0.6/gocryptfs.conf +++ b/tests/example_filesystems/v0.6/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "/PhLwDblkFRGfoIA0egXikG0ZSZTWrOOoFZJPPX0R8JgU5+XnT2M2rxUzHIKKeuGoqZN55phgJjhTu0J", + "EncryptedKeys": { + "DefaultKey": "/PhLwDblkFRGfoIA0egXikG0ZSZTWrOOoFZJPPX0R8JgU5+XnT2M2rxUzHIKKeuGoqZN55phgJjhTu0J", + }, "ScryptObject": { "Salt": "YSHRXpcWYp95npMxAy9cf27LoaPR3gvrFpk3Xhg2tM8=", "N": 1024, @@ -12,4 +14,4 @@ "DirIV", "EMENames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf b/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf index 9b462a3f..1c7e6a0c 100644 --- a/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf +++ b/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf @@ -7,9 +7,9 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "PlaintextNames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.7/gocryptfs.conf b/tests/example_filesystems/v0.7/gocryptfs.conf index 80c26731..c336d5ba 100644 --- a/tests/example_filesystems/v0.7/gocryptfs.conf +++ b/tests/example_filesystems/v0.7/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "0crm+qEf00XPxQrc8NIMp/0rgfaLb8wzTj+3G1slSytjsLHctj/fOKkGJIFyBk7xzvnWdkhyxxvHgfMS", + "EncryptedKeys": { + "DefaultKey": "0crm+qEf00XPxQrc8NIMp/0rgfaLb8wzTj+3G1slSytjsLHctj/fOKkGJIFyBk7xzvnWdkhyxxvHgfMS", + }, "ScryptObject": { "Salt": "yZn+QMjR2ENZ6MoiURpqEqr8mgnCX8WN87KJafgiXhU=", "N": 1024, @@ -13,4 +15,4 @@ "DirIV", "EMENames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v0.9/gocryptfs.conf b/tests/example_filesystems/v0.9/gocryptfs.conf index 4d9b0895..6698f59f 100644 --- a/tests/example_filesystems/v0.9/gocryptfs.conf +++ b/tests/example_filesystems/v0.9/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "sAB/dsiDbFBbMr7ppsB3Fu81hVr6BBxlcfY1wZYRHlRvRV2uwRdYAACNM39CDxLBHZuNjk9UyWh87McP", + "EncryptedKeys": { + "DefaultKey": "sAB/dsiDbFBbMr7ppsB3Fu81hVr6BBxlcfY1wZYRHlRvRV2uwRdYAACNM39CDxLBHZuNjk9UyWh87McP", + }, "ScryptObject": { "Salt": "3mphl9Hmhzd6exmc8Um0jOOCgR8hAYvbzbEpTnIEMPg=", "N": 1024, @@ -14,4 +16,4 @@ "EMENames", "LongNames" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf b/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf index d16051a3..0f22ddc6 100644 --- a/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf +++ b/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf @@ -8,7 +8,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", @@ -16,4 +16,4 @@ "LongNames", "AESSIV" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf index e7ea1a85..7db81fe0 100644 --- a/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf @@ -8,10 +8,10 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "PlaintextNames", "AESSIV" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf index 9095ef5d..52d51377 100644 --- a/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.1-beta1-33-gf054353-dirty", - "EncryptedKey": "GD7CQzhKMs4r8B/jc7eNNAffyMn4Z2A0tH9EC50y6v5y6amJdU6NQK5xLPWpWSc45si5L26VOVhT8dhz", + "EncryptedKeys": { + "DefaultKey":"GD7CQzhKMs4r8B/jc7eNNAffyMn4Z2A0tH9EC50y6v5y6amJdU6NQK5xLPWpWSc45si5L26VOVhT8dhz", + }, "ScryptObject": { "Salt": "G/Cpk6TnscJzx1fae9t8guejwoPk1lsGkkcljIMjJdw=", "N": 1024, @@ -16,4 +18,4 @@ "LongNames", "AESSIV" ] -} \ No newline at end of file +} diff --git a/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf index 4241280a..d19396e6 100644 --- a/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf @@ -8,7 +8,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/tests/example_filesystems/v1.3/gocryptfs.conf b/tests/example_filesystems/v1.3/gocryptfs.conf index e6b4aec7..54dd1730 100644 --- a/tests/example_filesystems/v1.3/gocryptfs.conf +++ b/tests/example_filesystems/v1.3/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.2.1-23-gd78a8d1-dirty", - "EncryptedKey": "WGhKfCvV/LBZdwpWz3Fs+9UFUJbtTooBiZMuthd8Hz3nq0g+zU7H+68ZkrCLdcC08PUNHVbvDdlGpRh0czbbyA==", + "EncryptedKeys": { + "DefaultKey":"WGhKfCvV/LBZdwpWz3Fs+9UFUJbtTooBiZMuthd8Hz3nq0g+zU7H+68ZkrCLdcC08PUNHVbvDdlGpRh0czbbyA==", + }, "ScryptObject": { "Salt": "LkS43fRGN3SfcFbVhPLo3uKh3h+4LYLNlqEUf+JIWf4=", "N": 1024, diff --git a/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf b/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf index 6a91dfe4..5bd20a16 100644 --- a/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v2.1-27-gabaa129-dirty.xchacha", - "EncryptedKey": "RnoIHKZ0FW4hGgovIbo6ictZt6eISBCFAVQjIelO1In5GdWE3j6svtOirIg2xHpT9hwOSplVg8MgV0Y5Qw0TyQ==", + "EncryptedKeys": { + "DefaultKey": "RnoIHKZ0FW4hGgovIbo6ictZt6eISBCFAVQjIelO1In5GdWE3j6svtOirIg2xHpT9hwOSplVg8MgV0Y5Qw0TyQ==", + }, "ScryptObject": { "Salt": "yzBcjuwLGUjscVFL01kZAAfCk+9LpSl1CqDhavxOt+Y=", "N": 1024, diff --git a/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf b/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf index d7d9f288..b46720b8 100644 --- a/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v2.1-27-gabaa129-dirty.xchacha", - "EncryptedKey": "XKST0+9lmTP7Vam3WpNMuF5RIp78ufCiMgV0W85Z2z46SJYKAqzTEK32wMLw+5y6S/N6tQWFlisR27gy/gBqcg==", + "EncryptedKeys": { + "DefaultKey": "XKST0+9lmTP7Vam3WpNMuF5RIp78ufCiMgV0W85Z2z46SJYKAqzTEK32wMLw+5y6S/N6tQWFlisR27gy/gBqcg==", + }, "ScryptObject": { "Salt": "aD15Xe/HLWjBDvV9hwJGBsfYAHYt5DKlAzy8+flL9SE=", "N": 1024, diff --git a/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf b/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf index a4ac3c2f..dcc494cb 100644 --- a/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf @@ -8,7 +8,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "HKDF", "XChaCha20Poly1305", diff --git a/tests/fsck/broken_fs_v1.4/gocryptfs.conf b/tests/fsck/broken_fs_v1.4/gocryptfs.conf index cedf5719..aecea7cc 100644 --- a/tests/fsck/broken_fs_v1.4/gocryptfs.conf +++ b/tests/fsck/broken_fs_v1.4/gocryptfs.conf @@ -8,7 +8,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/tests/hkdf_sanity/broken_content/gocryptfs.conf b/tests/hkdf_sanity/broken_content/gocryptfs.conf index 205f3ad6..0ce43f73 100644 --- a/tests/hkdf_sanity/broken_content/gocryptfs.conf +++ b/tests/hkdf_sanity/broken_content/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.2.1-32-g14038a1-dirty", - "EncryptedKey": "b3888jnQC5GYem+YGtUkOTS13/YCOfA6J0/bkftfEoNA9fZTN2xMGw4c+LK+emg4L6P2wGvm44RUqCfFfgowxw==", + "EncryptedKeys": { + "DefaultKey": "b3888jnQC5GYem+YGtUkOTS13/YCOfA6J0/bkftfEoNA9fZTN2xMGw4c+LK+emg4L6P2wGvm44RUqCfFfgowxw==", + }, "ScryptObject": { "Salt": "7YnR8bF7TzYNP5mIwmpQ1qj4e/QZkbH92Hx7YQctIZQ=", "N": 1024, diff --git a/tests/hkdf_sanity/broken_names/gocryptfs.conf b/tests/hkdf_sanity/broken_names/gocryptfs.conf index f0b15097..6ab1a888 100644 --- a/tests/hkdf_sanity/broken_names/gocryptfs.conf +++ b/tests/hkdf_sanity/broken_names/gocryptfs.conf @@ -8,7 +8,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf index 9bd92599..01a99a4d 100644 --- a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf +++ b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.1.1-16-g75ebb28-dirty", - "EncryptedKey": "cE5bhCZl1iL1tn0dNLh8aQy8n55NMbojmmkwM8iM8/y0uChO0CGaK16sNHffAKJ++qH287JlCpk/BFyi", + ""EncryptedKeys": { + "DefaultKey":"cE5bhCZl1iL1tn0dNLh8aQy8n55NMbojmmkwM8iM8/y0uChO0CGaK16sNHffAKJ++qH287JlCpk/BFyi", + }, "ScryptObject": { "Salt": "yUxEmtl4KeUkCxL8b6aYcEGVtFe2NAlwy0WsFLt8p+Y=", "N": 1024, diff --git a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf index 835d11c2..4d7a561b 100644 --- a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf +++ b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.5-41-gf48b731-dirty", - "EncryptedKey": "FkACqloUeFZesem0UzRD3ezLXtPl8wIAxEHoIEfZxFdLMQeWOxqtw5xopJagDWE/GI1VFSUIrJIIIwwgMipmYA==", + "EncryptedKeys": { + "DefaultKey": "FkACqloUeFZesem0UzRD3ezLXtPl8wIAxEHoIEfZxFdLMQeWOxqtw5xopJagDWE/GI1VFSUIrJIIIwwgMipmYA==", + }, "ScryptObject": { "Salt": "UVfIgV31uj/voHWI4GqGwsTcbVKyYDOWvbleqJKhZbk=", "N": 1024, diff --git a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames index 9cb762ca..d13f497f 100644 --- a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames +++ b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.5-41-gf48b731-dirty", - "EncryptedKey": "wAmckZb7QsIv/GCdkhb5ep8TwJa44qhnswn5tbER6Tifk8TbUmkwBTceaTtYfHAnTQ48q9mnIlcN9cfbNe5oPw==", + "EncryptedKeys": { + "DefaultKey":"wAmckZb7QsIv/GCdkhb5ep8TwJa44qhnswn5tbER6Tifk8TbUmkwBTceaTtYfHAnTQ48q9mnIlcN9cfbNe5oPw==", + }, "ScryptObject": { "Salt": "o5XJ78TgG85zZXRnU55ZqHhKLbPge6jsyDiqrLvSqe0=", "N": 1024, From 67d7b3a2b3bbb9f16df0b8942b40f3e2cd65ddb8 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 18:32:16 +0200 Subject: [PATCH 20/25] test fixes --- cli_args_test.go | 16 ++++++++++------ .../config_test.v3/PlaintextNames.conf | 2 +- .../config_test.v3/StrangeFeature.conf | 2 +- internal/configfile/config_test.v3/v1.conf | 2 +- internal/configfile/config_test.v3/v2.conf | 2 +- 5 files changed, 14 insertions(+), 10 deletions(-) diff --git a/cli_args_test.go b/cli_args_test.go index 4fb01ac5..89c7ee92 100644 --- a/cli_args_test.go +++ b/cli_args_test.go @@ -4,6 +4,7 @@ import ( "reflect" "testing" + "github.com/rfjakob/gocryptfs/v2/internal/configfile" "github.com/rfjakob/gocryptfs/v2/internal/stupidgcm" ) @@ -116,12 +117,15 @@ func TestConvertToDoubleDash(t *testing.T) { func TestParseCliOpts(t *testing.T) { defaultArgs := argContainer{ - longnames: true, - longnamemax: 255, - raw64: true, - hkdf: true, - openssl: stupidgcm.PreferOpenSSLAES256GCM(), // depends on CPU and build flags - scryptn: 16, + longnames: true, + longnamemax: 255, + raw64: true, + hkdf: true, + openssl: stupidgcm.PreferOpenSSLAES256GCM(), // depends on CPU and build flags + scryptn: 16, + user: configfile.DefaultKey, + fido2Name: configfile.DefaultKey, + addFido2Name: configfile.DefaultKey, } type testcaseContainer struct { diff --git a/internal/configfile/config_test.v3/PlaintextNames.conf b/internal/configfile/config_test.v3/PlaintextNames.conf index 20c480aa..e436aa18 100644 --- a/internal/configfile/config_test.v3/PlaintextNames.conf +++ b/internal/configfile/config_test.v3/PlaintextNames.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk", + "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk" }, "ScryptObject": { "Salt": "Hq0BqXXeMGVGfdYE1Y/qcW+pvxJBJymRAVgPUxQiZ8Y=", diff --git a/internal/configfile/config_test.v3/StrangeFeature.conf b/internal/configfile/config_test.v3/StrangeFeature.conf index aefb2bf1..d539bb65 100644 --- a/internal/configfile/config_test.v3/StrangeFeature.conf +++ b/internal/configfile/config_test.v3/StrangeFeature.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH", + "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH" }, "ScryptObject": { "Salt": "9G2knR016guT/AJqOKemjusYhqg+mI177Dz6a5RS7ts=", diff --git a/internal/configfile/config_test.v3/v1.conf b/internal/configfile/config_test.v3/v1.conf index 143a759f..6b6df256 100644 --- a/internal/configfile/config_test.v3/v1.conf +++ b/internal/configfile/config_test.v3/v1.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "t6YAvFQJvbv46c93bHQ5IZnvNz80DA9cohGoSPL/2M257LuIigow6jbr8b9HhnbDqHTCcz7aKkMDzneF", + "DefaultKey": "t6YAvFQJvbv46c93bHQ5IZnvNz80DA9cohGoSPL/2M257LuIigow6jbr8b9HhnbDqHTCcz7aKkMDzneF" }, "ScryptObject": { "Salt": "yT4yQmmRmVNx2P0tJrUswk5SQzZaL6Z8kUteAoNJkXM=", diff --git a/internal/configfile/config_test.v3/v2.conf b/internal/configfile/config_test.v3/v2.conf index 2259adbd..8a9b2542 100644 --- a/internal/configfile/config_test.v3/v2.conf +++ b/internal/configfile/config_test.v3/v2.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1", + "DefaultKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1" } "ScryptObject": { "Salt": "U5MbvyTmwhEkLqe6XxlrONzPZEf2GLFZCAIixz2Kal0=", From 0f7a6b0fa93e66495613d30e52593d3c7196ead1 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 18:42:23 +0200 Subject: [PATCH 21/25] more conf fixes --- gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf | 4 ++-- gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf | 2 +- internal/configfile/config_test.v2/PlaintextNames.conf | 2 +- internal/configfile/config_test.v2/StrangeFeature.conf | 2 +- internal/configfile/config_test.v2/v2.conf | 2 +- internal/configfile/config_test.v3/StrangeFeature.conf | 2 +- tests/cli/gocryptfs.conf.b9e5ba23 | 4 ++-- tests/example_filesystems/v0.4/gocryptfs.conf | 4 ++-- tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf | 4 ++-- tests/example_filesystems/v0.6/gocryptfs.conf | 4 ++-- tests/example_filesystems/v0.7/gocryptfs.conf | 4 ++-- tests/example_filesystems/v0.9/gocryptfs.conf | 4 ++-- .../example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf | 4 ++-- tests/example_filesystems/v1.3/gocryptfs.conf | 4 ++-- .../v2.2-deterministic-names/gocryptfs.conf | 4 ++-- .../v2.2-xchacha-deterministic-names/gocryptfs.conf | 4 ++-- tests/hkdf_sanity/broken_content/gocryptfs.conf | 4 ++-- tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf | 4 ++-- tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf | 4 ++-- .../exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames | 4 ++-- 20 files changed, 35 insertions(+), 35 deletions(-) diff --git a/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf b/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf index 401bd183..4b815ef8 100644 --- a/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf +++ b/gocryptfs-xray/xray_tests/aesgcm_fs/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.7-beta1-11-g8d71f8f-dirty", "EncryptedKeys": { - "DefaultKey":"Rp0VYTJ9QK2imhJQH1miFIgAYZbsfv3t1tvPJvsOVy86ogBzKpUuMDFXD+PPawLvZM/TuYl0n3gx1RY5hzFfbg==", + "DefaultKey": "Rp0VYTJ9QK2imhJQH1miFIgAYZbsfv3t1tvPJvsOVy86ogBzKpUuMDFXD+PPawLvZM/TuYl0n3gx1RY5hzFfbg==" }; "ScryptObject": { "Salt": "mDPjzd+SZpScPYVv/M9AFjNzXcUy6fqKckXay53EQdQ=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf b/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf index 631866f1..e37ec906 100644 --- a/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf +++ b/gocryptfs-xray/xray_tests/aessiv_fs/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.7-beta1-11-g8d71f8f-dirty", "EncryptedKeys": { - "DefaultKey":"YOxpZ+cImv4HirwuwIUpRmOMlyAFRvEqHOXdgpMcGvIlm70h4q+shSr3RZ19xomnbFZXGfIfKQ2APtVYWOAwuw==", + "DefaultKey": "YOxpZ+cImv4HirwuwIUpRmOMlyAFRvEqHOXdgpMcGvIlm70h4q+shSr3RZ19xomnbFZXGfIfKQ2APtVYWOAwuw==" }, "ScryptObject": { "Salt": "OzdcVESNmkD0403NHBWezQmq2SyDyLOY2/B4Aev2lHc=", diff --git a/internal/configfile/config_test.v2/PlaintextNames.conf b/internal/configfile/config_test.v2/PlaintextNames.conf index aa3f3fb6..2db04521 100644 --- a/internal/configfile/config_test.v2/PlaintextNames.conf +++ b/internal/configfile/config_test.v2/PlaintextNames.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk", + "DefaultKey": "pH6/kgPFrwkuFW/HDN/0UzwC8hLJCMm/upyEnsR1pVTfSJLL/JxfBaVCRyuZhc/S7h2PrxVSMO1xzLrk" }, "ScryptObject": { "Salt": "Hq0BqXXeMGVGfdYE1Y/qcW+pvxJBJymRAVgPUxQiZ8Y=", diff --git a/internal/configfile/config_test.v2/StrangeFeature.conf b/internal/configfile/config_test.v2/StrangeFeature.conf index e4cd1cb7..890a7944 100644 --- a/internal/configfile/config_test.v2/StrangeFeature.conf +++ b/internal/configfile/config_test.v2/StrangeFeature.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH", + "DefaultKey": "mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH" }, "ScryptObject": { "Salt": "9G2knR016guT/AJqOKemjusYhqg+mI177Dz6a5RS7ts=", diff --git a/internal/configfile/config_test.v2/v2.conf b/internal/configfile/config_test.v2/v2.conf index 024ff84b..fc40f69f 100644 --- a/internal/configfile/config_test.v2/v2.conf +++ b/internal/configfile/config_test.v2/v2.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey":"zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1", + "DefaultKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1" }, "ScryptObject": { "Salt": "U5MbvyTmwhEkLqe6XxlrONzPZEf2GLFZCAIixz2Kal0=", diff --git a/internal/configfile/config_test.v3/StrangeFeature.conf b/internal/configfile/config_test.v3/StrangeFeature.conf index d539bb65..31cbcf55 100644 --- a/internal/configfile/config_test.v3/StrangeFeature.conf +++ b/internal/configfile/config_test.v3/StrangeFeature.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v0.11-13-g96750a7-dirty", "EncryptedKeys": { - "DefaultKey":"mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH" + "DefaultKey": "mfN2FITcsLE+8QlpTb3r/D5rAAqEX5mJQuU655tcdwAotUwHkrIdYiKa2BjoocctQC0grwqPyuWxB7SH" }, "ScryptObject": { "Salt": "9G2knR016guT/AJqOKemjusYhqg+mI177Dz6a5RS7ts=", diff --git a/tests/cli/gocryptfs.conf.b9e5ba23 b/tests/cli/gocryptfs.conf.b9e5ba23 index dbe9bf9b..cd518289 100644 --- a/tests/cli/gocryptfs.conf.b9e5ba23 +++ b/tests/cli/gocryptfs.conf.b9e5ba23 @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.1-rc1-31-gc487e17-dirty", "EncryptedKeys": { - "DefaultKey":"vthRM/vXg3Cn16jld2JxPiRv8OSBSwTYDzOqdlrvD1agJefZhhvDQS7b5fC7B7JRL4UiVUKkNaJRVMRf", + "DefaultKey": "vthRM/vXg3Cn16jld2JxPiRv8OSBSwTYDzOqdlrvD1agJefZhhvDQS7b5fC7B7JRL4UiVUKkNaJRVMRf" }, "ScryptObject": { "Salt": "uVwNDUMLWktmV0WgvPHztVrmoahfYN8A/22I/uq66sU=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/example_filesystems/v0.4/gocryptfs.conf b/tests/example_filesystems/v0.4/gocryptfs.conf index cb258b09..6d4e2dda 100644 --- a/tests/example_filesystems/v0.4/gocryptfs.conf +++ b/tests/example_filesystems/v0.4/gocryptfs.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "He757VFOKOWbMJqJ7HBs67SMSi3Vu8/2vgWNI6j1tVo4JBlNvrQSw6KkCh0lGrHrh6ICbPv4MyoyFdGa", + "DefaultKey": "He757VFOKOWbMJqJ7HBs67SMSi3Vu8/2vgWNI6j1tVo4JBlNvrQSw6KkCh0lGrHrh6ICbPv4MyoyFdGa" }, "ScryptObject": { "Salt": "MeHSsxsnJwngAwptNzuXQlj7JtF1b0uzZuWvVV3cH3w=", @@ -9,6 +9,6 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": null } diff --git a/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf b/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf index dccb4175..ca345fef 100644 --- a/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf +++ b/tests/example_filesystems/v0.6-plaintextnames/gocryptfs.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "SoTMt+DMqVDia42c7cx8YW6KrnzF9EQVYIq5DGR1yFqNKxtOCBIuXEIKJHYSw1Z8VluKRQmkugTOvyTU", + "DefaultKey": "SoTMt+DMqVDia42c7cx8YW6KrnzF9EQVYIq5DGR1yFqNKxtOCBIuXEIKJHYSw1Z8VluKRQmkugTOvyTU" }, "ScryptObject": { "Salt": "83wR2p5eDPtozsP48vizN1rAbYeXOtksvwoAZ9Y0vn4=", @@ -9,7 +9,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "PlaintextNames" ] diff --git a/tests/example_filesystems/v0.6/gocryptfs.conf b/tests/example_filesystems/v0.6/gocryptfs.conf index daf50fe2..14a8473c 100644 --- a/tests/example_filesystems/v0.6/gocryptfs.conf +++ b/tests/example_filesystems/v0.6/gocryptfs.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "/PhLwDblkFRGfoIA0egXikG0ZSZTWrOOoFZJPPX0R8JgU5+XnT2M2rxUzHIKKeuGoqZN55phgJjhTu0J", + "DefaultKey": "/PhLwDblkFRGfoIA0egXikG0ZSZTWrOOoFZJPPX0R8JgU5+XnT2M2rxUzHIKKeuGoqZN55phgJjhTu0J" }, "ScryptObject": { "Salt": "YSHRXpcWYp95npMxAy9cf27LoaPR3gvrFpk3Xhg2tM8=", @@ -9,7 +9,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "DirIV", "EMENames" diff --git a/tests/example_filesystems/v0.7/gocryptfs.conf b/tests/example_filesystems/v0.7/gocryptfs.conf index c336d5ba..a446176f 100644 --- a/tests/example_filesystems/v0.7/gocryptfs.conf +++ b/tests/example_filesystems/v0.7/gocryptfs.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "0crm+qEf00XPxQrc8NIMp/0rgfaLb8wzTj+3G1slSytjsLHctj/fOKkGJIFyBk7xzvnWdkhyxxvHgfMS", + "DefaultKey": "0crm+qEf00XPxQrc8NIMp/0rgfaLb8wzTj+3G1slSytjsLHctj/fOKkGJIFyBk7xzvnWdkhyxxvHgfMS" }, "ScryptObject": { "Salt": "yZn+QMjR2ENZ6MoiURpqEqr8mgnCX8WN87KJafgiXhU=", @@ -9,7 +9,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/example_filesystems/v0.9/gocryptfs.conf b/tests/example_filesystems/v0.9/gocryptfs.conf index 6698f59f..b01e9e47 100644 --- a/tests/example_filesystems/v0.9/gocryptfs.conf +++ b/tests/example_filesystems/v0.9/gocryptfs.conf @@ -1,6 +1,6 @@ { "EncryptedKeys": { - "DefaultKey": "sAB/dsiDbFBbMr7ppsB3Fu81hVr6BBxlcfY1wZYRHlRvRV2uwRdYAACNM39CDxLBHZuNjk9UyWh87McP", + "DefaultKey": "sAB/dsiDbFBbMr7ppsB3Fu81hVr6BBxlcfY1wZYRHlRvRV2uwRdYAACNM39CDxLBHZuNjk9UyWh87McP" }, "ScryptObject": { "Salt": "3mphl9Hmhzd6exmc8Um0jOOCgR8hAYvbzbEpTnIEMPg=", @@ -9,7 +9,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf index 52d51377..1d96c6ac 100644 --- a/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.1-reverse/.gocryptfs.reverse.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.1-beta1-33-gf054353-dirty", "EncryptedKeys": { - "DefaultKey":"GD7CQzhKMs4r8B/jc7eNNAffyMn4Z2A0tH9EC50y6v5y6amJdU6NQK5xLPWpWSc45si5L26VOVhT8dhz", + "DefaultKey": "GD7CQzhKMs4r8B/jc7eNNAffyMn4Z2A0tH9EC50y6v5y6amJdU6NQK5xLPWpWSc45si5L26VOVhT8dhz" }, "ScryptObject": { "Salt": "G/Cpk6TnscJzx1fae9t8guejwoPk1lsGkkcljIMjJdw=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/example_filesystems/v1.3/gocryptfs.conf b/tests/example_filesystems/v1.3/gocryptfs.conf index 54dd1730..2c951954 100644 --- a/tests/example_filesystems/v1.3/gocryptfs.conf +++ b/tests/example_filesystems/v1.3/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.2.1-23-gd78a8d1-dirty", "EncryptedKeys": { - "DefaultKey":"WGhKfCvV/LBZdwpWz3Fs+9UFUJbtTooBiZMuthd8Hz3nq0g+zU7H+68ZkrCLdcC08PUNHVbvDdlGpRh0czbbyA==", + "DefaultKey": "WGhKfCvV/LBZdwpWz3Fs+9UFUJbtTooBiZMuthd8Hz3nq0g+zU7H+68ZkrCLdcC08PUNHVbvDdlGpRh0czbbyA==" }, "ScryptObject": { "Salt": "LkS43fRGN3SfcFbVhPLo3uKh3h+4LYLNlqEUf+JIWf4=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf b/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf index 5bd20a16..2dd5d502 100644 --- a/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-deterministic-names/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v2.1-27-gabaa129-dirty.xchacha", "EncryptedKeys": { - "DefaultKey": "RnoIHKZ0FW4hGgovIbo6ictZt6eISBCFAVQjIelO1In5GdWE3j6svtOirIg2xHpT9hwOSplVg8MgV0Y5Qw0TyQ==", + "DefaultKey": "RnoIHKZ0FW4hGgovIbo6ictZt6eISBCFAVQjIelO1In5GdWE3j6svtOirIg2xHpT9hwOSplVg8MgV0Y5Qw0TyQ==" }, "ScryptObject": { "Salt": "yzBcjuwLGUjscVFL01kZAAfCk+9LpSl1CqDhavxOt+Y=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "HKDF", "GCMIV128", diff --git a/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf b/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf index b46720b8..4cd7811a 100644 --- a/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-xchacha-deterministic-names/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v2.1-27-gabaa129-dirty.xchacha", "EncryptedKeys": { - "DefaultKey": "XKST0+9lmTP7Vam3WpNMuF5RIp78ufCiMgV0W85Z2z46SJYKAqzTEK32wMLw+5y6S/N6tQWFlisR27gy/gBqcg==", + "DefaultKey": "XKST0+9lmTP7Vam3WpNMuF5RIp78ufCiMgV0W85Z2z46SJYKAqzTEK32wMLw+5y6S/N6tQWFlisR27gy/gBqcg==" }, "ScryptObject": { "Salt": "aD15Xe/HLWjBDvV9hwJGBsfYAHYt5DKlAzy8+flL9SE=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "HKDF", "XChaCha20Poly1305", diff --git a/tests/hkdf_sanity/broken_content/gocryptfs.conf b/tests/hkdf_sanity/broken_content/gocryptfs.conf index 0ce43f73..db026b97 100644 --- a/tests/hkdf_sanity/broken_content/gocryptfs.conf +++ b/tests/hkdf_sanity/broken_content/gocryptfs.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.2.1-32-g14038a1-dirty", "EncryptedKeys": { - "DefaultKey": "b3888jnQC5GYem+YGtUkOTS13/YCOfA6J0/bkftfEoNA9fZTN2xMGw4c+LK+emg4L6P2wGvm44RUqCfFfgowxw==", + "DefaultKey": "b3888jnQC5GYem+YGtUkOTS13/YCOfA6J0/bkftfEoNA9fZTN2xMGw4c+LK+emg4L6P2wGvm44RUqCfFfgowxw==" }, "ScryptObject": { "Salt": "7YnR8bF7TzYNP5mIwmpQ1qj4e/QZkbH92Hx7YQctIZQ=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf index 01a99a4d..f78f4988 100644 --- a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf +++ b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.1.1-16-g75ebb28-dirty", ""EncryptedKeys": { - "DefaultKey":"cE5bhCZl1iL1tn0dNLh8aQy8n55NMbojmmkwM8iM8/y0uChO0CGaK16sNHffAKJ++qH287JlCpk/BFyi", + "DefaultKey":"cE5bhCZl1iL1tn0dNLh8aQy8n55NMbojmmkwM8iM8/y0uChO0CGaK16sNHffAKJ++qH287JlCpk/BFyi" }, "ScryptObject": { "Salt": "yUxEmtl4KeUkCxL8b6aYcEGVtFe2NAlwy0WsFLt8p+Y=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "DirIV", diff --git a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf index 4d7a561b..4637bbc5 100644 --- a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf +++ b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.5-41-gf48b731-dirty", "EncryptedKeys": { - "DefaultKey": "FkACqloUeFZesem0UzRD3ezLXtPl8wIAxEHoIEfZxFdLMQeWOxqtw5xopJagDWE/GI1VFSUIrJIIIwwgMipmYA==", + "DefaultKey": "FkACqloUeFZesem0UzRD3ezLXtPl8wIAxEHoIEfZxFdLMQeWOxqtw5xopJagDWE/GI1VFSUIrJIIIwwgMipmYA==" }, "ScryptObject": { "Salt": "UVfIgV31uj/voHWI4GqGwsTcbVKyYDOWvbleqJKhZbk=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", diff --git a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames index d13f497f..a7a8ebfa 100644 --- a/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames +++ b/tests/reverse/exclude_test_fs/.gocryptfs.reverse.conf.plaintextnames @@ -1,7 +1,7 @@ { "Creator": "gocryptfs v1.5-41-gf48b731-dirty", "EncryptedKeys": { - "DefaultKey":"wAmckZb7QsIv/GCdkhb5ep8TwJa44qhnswn5tbER6Tifk8TbUmkwBTceaTtYfHAnTQ48q9mnIlcN9cfbNe5oPw==", + "DefaultKey":"wAmckZb7QsIv/GCdkhb5ep8TwJa44qhnswn5tbER6Tifk8TbUmkwBTceaTtYfHAnTQ48q9mnIlcN9cfbNe5oPw==" }, "ScryptObject": { "Salt": "o5XJ78TgG85zZXRnU55ZqHhKLbPge6jsyDiqrLvSqe0=", @@ -10,7 +10,7 @@ "P": 1, "KeyLen": 32 }, - "Version": 2, + "Version": 3, "FeatureFlags": [ "GCMIV128", "HKDF", From de7d73aad5b66d5dfb17b2ed5b72fe4b69682c3a Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 19:24:01 +0200 Subject: [PATCH 22/25] 1 test fix --- internal/configfile/config_test.go | 6 +++--- internal/configfile/config_test.v3/v3.conf | 20 ++++++++++++++++++++ tests/cli/cli_test.go | 1 + 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 internal/configfile/config_test.v3/v3.conf diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go index b9d5ac45..50c599be 100644 --- a/internal/configfile/config_test.go +++ b/internal/configfile/config_test.go @@ -21,12 +21,12 @@ func TestLoadV1(t *testing.T) { // Load a known-good config file and verify that it takes at least 100ms // (brute-force protection) -func TestLoadV2(t *testing.T) { +func TestLoadV3(t *testing.T) { t1 := time.Now() - _, _, err := LoadAndDecrypt("config_test.v3/v2.conf", DefaultKey, testPw) + _, _, err := LoadAndDecrypt("config_test.v3/v3.conf", DefaultKey, testPw) if err != nil { - t.Errorf("Could not load v2 config file: %v", err) + t.Errorf("Could not load v3 config file: %v", err) } elapsed := time.Since(t1) diff --git a/internal/configfile/config_test.v3/v3.conf b/internal/configfile/config_test.v3/v3.conf new file mode 100644 index 00000000..52714125 --- /dev/null +++ b/internal/configfile/config_test.v3/v3.conf @@ -0,0 +1,20 @@ +{ + "Creator": "gocryptfs v0.11-13-g96750a7-dirty", + "EncryptedKeys": { + "DefaultKey": "zY06x2JS0Fi7bkZ/3DppjmWZOI6xTjQ/Bf4Nru1rUzHml+stkAtvcoHT8PpHN4eKqL73ymQ86MmdYz+1" + }, + "ScryptObject": { + "Salt": "U5MbvyTmwhEkLqe6XxlrONzPZEf2GLFZCAIixz2Kal0=", + "N": 65536, + "R": 8, + "P": 1, + "KeyLen": 32 + }, + "Version": 3, + "FeatureFlags": [ + "GCMIV128", + "DirIV", + "EMENames", + "LongNames" + ] +} diff --git a/tests/cli/cli_test.go b/tests/cli/cli_test.go index 37135e87..d5ac57cc 100644 --- a/tests/cli/cli_test.go +++ b/tests/cli/cli_test.go @@ -300,6 +300,7 @@ func TestPasswdScryptn(t *testing.T) { if err != nil { t.Fatal(err) } + // Warnung: Change of Scrypt logN for more than one user is not supported if cf2.ScryptObject.LogN() != cf.ScryptObject.LogN()+1 { t.Errorf("wrong logN value %d", cf2.ScryptObject.LogN()) } From 30e80a6e827cf0bc690d8e50b61fa54a9d634e6a Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 19:39:36 +0200 Subject: [PATCH 23/25] fixes --- internal/configfile/config_file.go | 10 +++++----- tests/cli/cli_test.go | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index 01e2a97c..a56f27cc 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -131,7 +131,7 @@ func Create(args *CreateArgs) error { } } // Catch bugs and invalid cli flag combinations early - initializeScryptObjectIfNeeded(args.LogN, &cf) + initializeScryptObjectIfNeeded(args.LogN, &cf, 0) if err := cf.Validate(); err != nil { return err } @@ -153,8 +153,8 @@ func Create(args *CreateArgs) error { } // initialize cf.ScryptObject if needed -func initializeScryptObjectIfNeeded(logN int, cf *ConfFile) { - if ScryptKDFEqual(cf.ScryptObject, ScryptKDF{}) || len(cf.EncryptedKeys) < 1 { +func initializeScryptObjectIfNeeded(logN int, cf *ConfFile, maxEncryptedKeys int) { + if ScryptKDFEqual(cf.ScryptObject, ScryptKDF{}) || len(cf.EncryptedKeys) <= maxEncryptedKeys { cf.ScryptObject = NewScryptKDF(logN) } else { var n int @@ -164,7 +164,7 @@ func initializeScryptObjectIfNeeded(logN int, cf *ConfFile) { n = 1 << uint32(logN) } if n != cf.ScryptObject.N { - tlog.Warn.Println("Warnung: Change of Scrypt logN for more than one user is not supported") + tlog.Warn.Println("Warning: Change of Scrypt logN for more than one user is not supported") } } } @@ -273,7 +273,7 @@ func (cf *ConfFile) DecryptMasterKey(user string, password []byte) (masterkey [] // cf.ScryptObject. func (cf *ConfFile) EncryptKey(key []byte, user string, password []byte, logN int) { // Generate scrypt-derived key from password - initializeScryptObjectIfNeeded(logN, cf) + initializeScryptObjectIfNeeded(logN, cf, 1) scryptHash := cf.ScryptObject.DeriveKey(password) // Lock master key using password-based key diff --git a/tests/cli/cli_test.go b/tests/cli/cli_test.go index d5ac57cc..f419c458 100644 --- a/tests/cli/cli_test.go +++ b/tests/cli/cli_test.go @@ -300,7 +300,7 @@ func TestPasswdScryptn(t *testing.T) { if err != nil { t.Fatal(err) } - // Warnung: Change of Scrypt logN for more than one user is not supported + // Warning: Change of Scrypt logN for more than one user is not supported if cf2.ScryptObject.LogN() != cf.ScryptObject.LogN()+1 { t.Errorf("wrong logN value %d", cf2.ScryptObject.LogN()) } From b72fe55675fef072020618a7e0e0c17f3e9bf164 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 20:06:21 +0200 Subject: [PATCH 24/25] test fixes --- internal/configfile/config_file.go | 2 +- tests/hkdf_sanity/sanity_test.go | 2 +- tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go index a56f27cc..00fc7a19 100644 --- a/internal/configfile/config_file.go +++ b/internal/configfile/config_file.go @@ -214,7 +214,7 @@ func Load(filename string) (*ConfFile, error) { // Unmarshal err = json.Unmarshal(js, &cf) if err != nil { - tlog.Warn.Printf("Failed to unmarshal config file") + tlog.Warn.Printf("Failed to unmarshal config file ", filename) return nil, err } diff --git a/tests/hkdf_sanity/sanity_test.go b/tests/hkdf_sanity/sanity_test.go index f221439f..f46c85ad 100644 --- a/tests/hkdf_sanity/sanity_test.go +++ b/tests/hkdf_sanity/sanity_test.go @@ -25,7 +25,7 @@ func TestBrokenContent(t *testing.T) { func TestBrokenNames(t *testing.T) { cDir := "broken_names" pDir := test_helpers.TmpDir + "/" + cDir - test_helpers.MountOrFatal(t, cDir, pDir, "-extpass", "echo test", "-wpanic=false") + test_helpers.MountOrFatal(t, cDir, pDir, "-extpass", "echo test", "-wpanic=false", "-zerokey") _, err := os.Stat(pDir + "/status.txt") if err == nil { t.Error("this should fail") diff --git a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf index f78f4988..1c783dca 100644 --- a/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf +++ b/tests/reverse/ctlsock_reverse_test_fs/.gocryptfs.reverse.conf @@ -1,6 +1,6 @@ { "Creator": "gocryptfs v1.1.1-16-g75ebb28-dirty", - ""EncryptedKeys": { + "EncryptedKeys": { "DefaultKey":"cE5bhCZl1iL1tn0dNLh8aQy8n55NMbojmmkwM8iM8/y0uChO0CGaK16sNHffAKJ++qH287JlCpk/BFyi" }, "ScryptObject": { From 2359b2c82955f2459fd766cc2454529b070e6f66 Mon Sep 17 00:00:00 2001 From: aanno Date: Sun, 25 Jun 2023 20:17:20 +0200 Subject: [PATCH 25/25] more test fixes --- internal/configfile/config_test.v2/v1.conf | 4 +++- tests/example_filesystems/v0.5/gocryptfs.conf | 4 +++- tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf | 4 +++- tests/example_filesystems/v1.1-aessiv/gocryptfs.conf | 4 +++- .../v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf | 4 +++- .../example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf | 4 +++- tests/example_filesystems/v2.2-xchacha/gocryptfs.conf | 4 +++- tests/fsck/broken_fs_v1.4/gocryptfs.conf | 4 +++- tests/hkdf_sanity/broken_names/gocryptfs.conf | 4 +++- 9 files changed, 27 insertions(+), 9 deletions(-) diff --git a/internal/configfile/config_test.v2/v1.conf b/internal/configfile/config_test.v2/v1.conf index 8e507671..4ac0d761 100644 --- a/internal/configfile/config_test.v2/v1.conf +++ b/internal/configfile/config_test.v2/v1.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "t6YAvFQJvbv46c93bHQ5IZnvNz80DA9cohGoSPL/2M257LuIigow6jbr8b9HhnbDqHTCcz7aKkMDzneF", + "EncryptedKeys": { + "DefaultKey": "t6YAvFQJvbv46c93bHQ5IZnvNz80DA9cohGoSPL/2M257LuIigow6jbr8b9HhnbDqHTCcz7aKkMDzneF" + }, "ScryptObject": { "Salt": "yT4yQmmRmVNx2P0tJrUswk5SQzZaL6Z8kUteAoNJkXM=", "N": 65536, diff --git a/tests/example_filesystems/v0.5/gocryptfs.conf b/tests/example_filesystems/v0.5/gocryptfs.conf index 869be11d..abcc3a6b 100644 --- a/tests/example_filesystems/v0.5/gocryptfs.conf +++ b/tests/example_filesystems/v0.5/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "zIY8foMncKrAG8USA1/AQ+R8z+xRge3QZqDpGRIDAeNOkMeQQsnMsJzFJbZHcGlRbUye0CwRghR/UX4R", + "EncryptedKeys": { + "DefaultKey": "zIY8foMncKrAG8USA1/AQ+R8z+xRge3QZqDpGRIDAeNOkMeQQsnMsJzFJbZHcGlRbUye0CwRghR/UX4R" + }, "ScryptObject": { "Salt": "BFQklFzt3j9ZDa8zcR9pwHfa8nDdLqyCzNp5kA+V6Y0=", "N": 1024, diff --git a/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf b/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf index 1c7e6a0c..51549183 100644 --- a/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf +++ b/tests/example_filesystems/v0.7-plaintextnames/gocryptfs.conf @@ -1,5 +1,7 @@ { - "EncryptedKey": "13f9NLdlS20w26T0bukhVrqhumJOHhRyntEJb2y2BJK+K1kulklQGT6gxSWPsjDqw5514h9/euMiKMwc", + "EncryptedKeys": { + "DefaultKey": "13f9NLdlS20w26T0bukhVrqhumJOHhRyntEJb2y2BJK+K1kulklQGT6gxSWPsjDqw5514h9/euMiKMwc" + }, "ScryptObject": { "Salt": "b2ZD+7sN6b/lchJbYT+4K73tscC6WwbGrdxHuFjhOT4=", "N": 1024, diff --git a/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf b/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf index 0f22ddc6..4de43316 100644 --- a/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf +++ b/tests/example_filesystems/v1.1-aessiv/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.1-beta1-33-gf054353-dirty", - "EncryptedKey": "y2ldEXg3Ui0jwic99bqvvrvGRPRDB7gYzvOBwZxcmWqRgcp3BLMShhIXwx3Pewmst5TivqSrK2r9wUIL", + "EncryptedKeys": { + "DefaultKey": "y2ldEXg3Ui0jwic99bqvvrvGRPRDB7gYzvOBwZxcmWqRgcp3BLMShhIXwx3Pewmst5TivqSrK2r9wUIL" + }, "ScryptObject": { "Salt": "oEt1In6W5UD1Pe9CFSz21x5ptTRluU43mmshUtmSwAk=", "N": 1024, diff --git a/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf index 7db81fe0..1f7b32fc 100644 --- a/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.1-reverse-plaintextnames/.gocryptfs.reverse.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.1-beta1-33-gf054353-dirty", - "EncryptedKey": "bMqEbjtvZek9yAGzhsTYmaDcqnE7wvR+1fWvy+YCMQTwtmvNbpKnfFH3wacPNKttQ7BcpFrOi4Ux+Bw+", + "EncryptedKeys": { + "DefaultKey": "bMqEbjtvZek9yAGzhsTYmaDcqnE7wvR+1fWvy+YCMQTwtmvNbpKnfFH3wacPNKttQ7BcpFrOi4Ux+Bw+" + }, "ScryptObject": { "Salt": "RgvSW4AxpA9z/Gb6RCCmKeA4A2vC+l0vu9DnEKIWQZU=", "N": 1024, diff --git a/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf b/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf index d19396e6..54710e6d 100644 --- a/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf +++ b/tests/example_filesystems/v1.3-reverse/.gocryptfs.reverse.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.3", - "EncryptedKey": "o6yhOpoaToWqs7iZMgx2J+dmrRcL8TOjqd7ntlqy4Y/g/ygNRADJXGITtEIDukf7FbGyn2JNZtWs/4ZOgLNmYw==", + "EncryptedKeys": { + "DefaultKey": "o6yhOpoaToWqs7iZMgx2J+dmrRcL8TOjqd7ntlqy4Y/g/ygNRADJXGITtEIDukf7FbGyn2JNZtWs/4ZOgLNmYw==" + }, "ScryptObject": { "Salt": "8a64zpm0vXFg9uretHuwbxijzQmx2QF4hKOYM0yK/S8=", "N": 65536, diff --git a/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf b/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf index dcc494cb..a45d49b3 100644 --- a/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf +++ b/tests/example_filesystems/v2.2-xchacha/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v2.1-27-gabaa129-dirty.xchacha", - "EncryptedKey": "6pVNGTIq5c4uXu90ZBjg2jKPvSqYc6gEfQ3/dEaMqKhd0CnaEYEm6+4oyrIfQkn0X7/hkW/HaCAqK0G0rcv1nw==", + "EncryptedKeys": { + "DefaultKey": "6pVNGTIq5c4uXu90ZBjg2jKPvSqYc6gEfQ3/dEaMqKhd0CnaEYEm6+4oyrIfQkn0X7/hkW/HaCAqK0G0rcv1nw==" + }, "ScryptObject": { "Salt": "AjIc6CkWvrd4/41pei15ulBKIcptIzvvJuCI+YB8pkA=", "N": 1024, diff --git a/tests/fsck/broken_fs_v1.4/gocryptfs.conf b/tests/fsck/broken_fs_v1.4/gocryptfs.conf index aecea7cc..254611e6 100644 --- a/tests/fsck/broken_fs_v1.4/gocryptfs.conf +++ b/tests/fsck/broken_fs_v1.4/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.4.4-13-ga4f3a7d-dirty", - "EncryptedKey": "yfnIx9uKv2ZX80KXOlfb4fWws3RNqvcjsx/Ajr0x4pRfg8NLqhWRpEUWGk8NSdVFXKWVDgdhSoYkbfVnFXl07g==", + "EncryptedKeys": { + "DefaultKey": "yfnIx9uKv2ZX80KXOlfb4fWws3RNqvcjsx/Ajr0x4pRfg8NLqhWRpEUWGk8NSdVFXKWVDgdhSoYkbfVnFXl07g==" + }, "ScryptObject": { "Salt": "R78m123zJxxO6uU1bg6/0azppry1FoGdH1/Op1xFq+4=", "N": 65536, diff --git a/tests/hkdf_sanity/broken_names/gocryptfs.conf b/tests/hkdf_sanity/broken_names/gocryptfs.conf index 6ab1a888..c8ed3b33 100644 --- a/tests/hkdf_sanity/broken_names/gocryptfs.conf +++ b/tests/hkdf_sanity/broken_names/gocryptfs.conf @@ -1,6 +1,8 @@ { "Creator": "gocryptfs v1.2.1-32-g14038a1-dirty", - "EncryptedKey": "0ymk/BtKEN1KmRLMquLinLIzXDaf+GLuP2f9R4VbLOglim9nXd5WxkCFl0DQg0J2FtCEke9MQBaCfL5OTJdR4g==", + "EncryptedKeys": { + "DefaultKey": "0ymk/BtKEN1KmRLMquLinLIzXDaf+GLuP2f9R4VbLOglim9nXd5WxkCFl0DQg0J2FtCEke9MQBaCfL5OTJdR4g==" + }, "ScryptObject": { "Salt": "tCrF2o5GoOyQt0LAlCWk47hyJsF5K6ID9uPzjTSBbh8=", "N": 1024,