Exemple #1
0
RootPtr initFS( EncFS_Context *ctx, const shared_ptr<EncFS_Opts> &opts )
{
  RootPtr rootInfo;
  EncfsConfig config;

  if(readConfig( opts->rootDir, config ) != Config_None)
  {
    if(opts->reverseEncryption)
    {
      if (config.block_mac_bytes() != 0 || config.block_mac_rand_bytes() != 0
          || config.unique_iv() || config.external_iv()
          || config.chained_iv() )
      {  
        cout << _("The configuration loaded is not compatible with --reverse\n");
        return rootInfo;
      }
    }

    // first, instanciate the cipher.
    shared_ptr<CipherV1> cipher = getCipher(config);
    if(!cipher)
    {
      Interface iface = config.cipher();
      LOG(ERROR) << "Unable to find cipher " << iface.name()
          << ", version " << iface.major()
          << ":" << iface.minor() << ":" << iface.age();
      // xgroup(diag)
      cout << _("The requested cipher interface is not available\n");
      return rootInfo;
    }

    // get user key
    CipherKey userKey;

    if(opts->passwordProgram.empty())
    {
      if (opts->annotate)
        cerr << "$PROMPT$ passwd" << endl;
      userKey = getUserKey( config, opts->useStdin );
    } else
      userKey = getUserKey( config, opts->passwordProgram, opts->rootDir );

    if(!userKey.valid())
      return rootInfo;

    cipher->setKey(userKey); 

    VLOG(1) << "cipher encoded key size = " << cipher->encodedKeySize();
    // decode volume key..
    CipherKey volumeKey = cipher->readKey(
        (const unsigned char *)config.key().ciphertext().data(), opts->checkKey);
    userKey.reset();

    if(!volumeKey.valid())
    {
      // xgroup(diag)
      cout << _("Error decoding volume key, password incorrect\n");
      return rootInfo;
    }

    cipher->setKey(volumeKey);

    shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
    if(!nameCoder)
    {
      Interface iface = config.naming();
      LOG(ERROR) << "Unable to find nameio interface " << iface.name()
          << ", version " << iface.major()
          << ":" << iface.minor() << ":" << iface.age();
      // xgroup(diag)
      cout << _("The requested filename coding interface is "
          "not available\n");
      return rootInfo;
    }

    nameCoder->setChainedNameIV( config.chained_iv() );
    nameCoder->setReverseEncryption( opts->reverseEncryption );

    FSConfigPtr fsConfig( new FSConfig );
    fsConfig->cipher = cipher;
    fsConfig->key = volumeKey;
    fsConfig->nameCoding = nameCoder;
    fsConfig->config = shared_ptr<EncfsConfig>(new EncfsConfig(config));
    fsConfig->forceDecode = opts->forceDecode;
    fsConfig->reverseEncryption = opts->reverseEncryption;
    fsConfig->opts = opts;

    rootInfo = RootPtr( new EncFS_Root );
    rootInfo->cipher = cipher;
    rootInfo->volumeKey = volumeKey;
    rootInfo->root = shared_ptr<DirNode>( 
        new DirNode( ctx, opts->rootDir, fsConfig ));
  } else
  {
    if(opts->createIfNotFound)
    {
      // creating a new encrypted filesystem
      rootInfo = createConfig( ctx, opts );
    }
  }

  return rootInfo;
}
Exemple #2
0
RootPtr createConfig( EncFS_Context *ctx,
    const shared_ptr<EncFS_Opts> &opts )
{
  const std::string rootDir = opts->rootDir;
  bool enableIdleTracking = opts->idleTracking;
  bool forceDecode = opts->forceDecode;
  const std::string passwordProgram = opts->passwordProgram;
  bool useStdin = opts->useStdin;
  bool reverseEncryption = opts->reverseEncryption;
  ConfigMode configMode = opts->configMode;
  bool annotate = opts->annotate;

  RootPtr rootInfo;

  // creating new volume key.. should check that is what the user is
  // expecting...
  // xgroup(setup)
  cout << _("Creating new encrypted volume.") << endl;

  char answer[10] = {0};
  if(configMode == Config_Prompt)
  {
    // xgroup(setup)
    cout << _("Please choose from one of the following options:\n"
        " enter \"x\" for expert configuration mode,\n"
        " enter \"p\" for pre-configured paranoia mode,\n"
        " anything else, or an empty line will select standard mode.\n"
        "?> ");

    if (annotate)
      cerr << "$PROMPT$ config_option" << endl;

    char *res = fgets( answer, sizeof(answer), stdin );
    (void)res;
    cout << "\n";
  }

  int keySize = 0;
  int blockSize = 0;
  CipherV1::CipherAlgorithm alg;
  Interface nameIOIface;
  int blockMACBytes = 0;
  int blockMACRandBytes = 0;
  bool uniqueIV = false;
  bool chainedIV = false;
  bool externalIV = false;
  bool allowHoles = true;
  long desiredKDFDuration = NormalKDFDuration;

  if (reverseEncryption)
  {
    uniqueIV = false;
    chainedIV = false;
    externalIV = false;
    blockMACBytes = 0;
    blockMACRandBytes = 0;
  }

  if(configMode == Config_Paranoia || answer[0] == 'p')
  {
    if (reverseEncryption)
    {
      LOG(ERROR) << "Paranoia configuration not supported for --reverse";
      return rootInfo;
    }

    // xgroup(setup)
    cout << _("Paranoia configuration selected.") << "\n";
    // look for AES with 256 bit key..
    // Use block filename encryption mode.
    // Enable per-block HMAC headers at substantial performance penalty..
    // Enable per-file initialization vector headers.
    // Enable filename initialization vector chaning
    keySize = 256;
    blockSize = DefaultBlockSize;
    alg = findCipherAlgorithm("AES", keySize);
    nameIOIface = BlockNameIO::CurrentInterface();
    blockMACBytes = 8;
    blockMACRandBytes = 0; // using uniqueIV, so this isn't necessary
    uniqueIV = true;
    chainedIV = true;
    externalIV = true;
    desiredKDFDuration = ParanoiaKDFDuration;
  } else if(configMode == Config_Standard || answer[0] != 'x')
  {
    // xgroup(setup)
    cout << _("Standard configuration selected.") << "\n";
    // AES w/ 192 bit key, block name encoding, per-file initialization
    // vectors are all standard.
    keySize = 192;
    blockSize = DefaultBlockSize;
    alg = findCipherAlgorithm("AES", keySize);
    blockMACBytes = 0;
    externalIV = false;
    nameIOIface = BlockNameIO::CurrentInterface();

    if (reverseEncryption)
    {
      cout << _("--reverse specified, not using unique/chained IV") 
        << "\n";
    } else
    {
      uniqueIV = true;
      chainedIV = true;
    }
  }

  if(answer[0] == 'x' || alg.name.empty())
  {
    if(answer[0] != 'x')
    {
      // xgroup(setup)
      cout << _("Sorry, unable to locate cipher for predefined "
          "configuration...\n"
          "Falling through to Manual configuration mode.");
    } else
    {
      // xgroup(setup)
      cout << _("Manual configuration mode selected.");
    }
    cout << endl;

    // query user for settings..
    alg = selectCipherAlgorithm();
    keySize = selectKeySize( alg );
    blockSize = selectBlockSize( alg );
    nameIOIface = selectNameCoding( alg );
    if (reverseEncryption)
    {
      cout << _("--reverse specified, not using unique/chained IV") << "\n";
    } else
    {
      chainedIV = selectChainedIV();
      uniqueIV = selectUniqueIV();
      if(chainedIV && uniqueIV)
        externalIV = selectExternalChainedIV();
      else
      {
        // xgroup(setup)
        cout << _("External chained IV disabled, as both 'IV chaining'\n"
            "and 'unique IV' features are required for this option.") 
          << "\n";
        externalIV = false;
      }
      selectBlockMAC(&blockMACBytes, &blockMACRandBytes);
      allowHoles = selectZeroBlockPassThrough();
    }
    desiredKDFDuration = selectKDFDuration();
  }

  shared_ptr<CipherV1> cipher = CipherV1::New( alg.iface, keySize );
  if(!cipher)
  {
    LOG(ERROR) << "Unable to instanciate cipher " << alg.name
      << ", key size " << keySize << ", block size " << blockSize;
    return rootInfo;
  } else
  {
    VLOG(1) << "Using cipher " << alg.name
      << ", key size " << keySize << ", block size " << blockSize;
  }

  EncfsConfig config;

  config.mutable_cipher()->MergeFrom( cipher->interface() );
  config.set_block_size( blockSize );
  config.mutable_naming()->MergeFrom( nameIOIface );
  config.set_creator( "EncFS " VERSION );
  config.set_revision( ProtoSubVersion );
  config.set_block_mac_bytes( blockMACBytes );
  config.set_block_mac_rand_bytes( blockMACRandBytes );
  config.set_unique_iv( uniqueIV );
  config.set_chained_iv( chainedIV );
  config.set_external_iv( externalIV );
  config.set_allow_holes( allowHoles );

  EncryptedKey *key = config.mutable_key();
  key->clear_salt();
  key->clear_kdf_iterations(); // filled in by keying function
  key->set_kdf_duration( desiredKDFDuration );
  key->set_size(keySize / 8);

  cout << "\n";
  // xgroup(setup)
  cout << _("Configuration finished.  The filesystem to be created has\n"
      "the following properties:") << endl;
  showFSInfo( config );

  if( config.external_iv() )
  {
    cout << 
      _("-------------------------- WARNING --------------------------\n")
      <<
      _("The external initialization-vector chaining option has been\n"
          "enabled.  This option disables the use of hard links on the\n"
          "filesystem. Without hard links, some programs may not work.\n"
          "The programs 'mutt' and 'procmail' are known to fail.  For\n"
          "more information, please see the encfs mailing list.\n"
          "If you would like to choose another configuration setting,\n"
          "please press CTRL-C now to abort and start over.") << endl;
    cout << endl;
  }

  // xgroup(setup)
  cout << _("Now you will need to enter a password for your filesystem.\n"
      "You will need to remember this password, as there is absolutely\n"
      "no recovery mechanism.  However, the password can be changed\n"
      "later using encfsctl.\n\n");

  int encodedKeySize = cipher->encodedKeySize();
  unsigned char *encodedKey = new unsigned char[ encodedKeySize ];

  CipherKey volumeKey = cipher->newRandomKey();

  // get user key and use it to encode volume key
  CipherKey userKey;
  VLOG(1) << "useStdin: " << useStdin;
  if(useStdin)
  {
    if (annotate)
      cerr << "$PROMPT$ new_passwd" << endl;
  }
  userKey = getNewUserKey( config, useStdin, passwordProgram, rootDir );

  cipher->setKey( userKey );
  cipher->writeKey( volumeKey, encodedKey );
  userKey.reset();

  key->set_ciphertext(encodedKey, encodedKeySize);
  delete[] encodedKey;

  if(!volumeKey.valid())
  {
    LOG(ERROR) << "Failure generating new volume key! "
      << "Please report this error.";
    return rootInfo;
  }

  cipher->setKey( volumeKey );
  if(!saveConfig( rootDir, config ))
    return rootInfo;

  // fill in config struct
  shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
  if(!nameCoder)
  {
    LOG(WARNING) << "Name coding interface not supported";
    cout << _("The filename encoding interface requested is not available") 
      << endl;
    return rootInfo;
  }

  nameCoder->setChainedNameIV( config.chained_iv() );
  nameCoder->setReverseEncryption( reverseEncryption );

  FSConfigPtr fsConfig (new FSConfig);
  fsConfig->cipher = cipher;
  fsConfig->key = volumeKey;
  fsConfig->nameCoding = nameCoder;
  fsConfig->config = shared_ptr<EncfsConfig>(new EncfsConfig(config));
  fsConfig->forceDecode = forceDecode;
  fsConfig->reverseEncryption = reverseEncryption;
  fsConfig->idleTracking = enableIdleTracking;
  fsConfig->opts = opts;

  rootInfo = RootPtr( new EncFS_Root );
  rootInfo->cipher = cipher;
  rootInfo->volumeKey = volumeKey;
  rootInfo->root = shared_ptr<DirNode>( 
      new DirNode( ctx, rootDir, fsConfig ));

  return rootInfo;
}
Exemple #3
0
void showFSInfo( const EncfsConfig &config )
{
  shared_ptr<CipherV1> cipher = CipherV1::New( config.cipher(), 
        config.key().size() );
  {
    cout << autosprintf(
        // xgroup(diag)
        _("Filesystem cipher: \"%s\", version %i:%i:%i"),
        config.cipher().name().c_str(), config.cipher().major(),
        config.cipher().minor(), config.cipher().age());
    // check if we support this interface..
    if(!cipher)
      cout << _(" (NOT supported)\n");
    else
    {
      // if we're using a newer interface, show the version number
      if( config.cipher() != cipher->interface() )
      {
        Interface iface = cipher->interface();
        // xgroup(diag)
        cout << autosprintf(_(" (using %i:%i:%i)\n"),
            iface.major(), iface.minor(), iface.age());
      } else
        cout << "\n";
    }
  }

  // xgroup(diag)
  cout << autosprintf(_("Filename encoding: \"%s\", version %i:%i:%i"),
          config.naming().name().c_str(), config.naming().major(),
          config.naming().minor(), config.naming().age());
    
  if (!cipher)
  {
      cout <<  "\n";
  } else
  {
    // check if we support the filename encoding interface..
    shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
    if(!nameCoder)
    {
      // xgroup(diag)
      cout << _(" (NOT supported)\n");
    } else
    {
      // if we're using a newer interface, show the version number
      if( config.naming() != nameCoder->interface() )
      {
        Interface iface = nameCoder->interface();
        cout << autosprintf(_(" (using %i:%i:%i)\n"),
            iface.major(), iface.minor(), iface.age());
      } else
        cout << "\n";
    }
  }
  const EncryptedKey &key = config.key();
  {
    cout << autosprintf(_("Key Size: %i bits"), 8 * key.size());
    cipher = getCipher(config);
    if(!cipher)
    {
      // xgroup(diag)
      cout << _(" (NOT supported)\n");
    } else
      cout << "\n";
  }
  if(key.kdf_iterations() > 0 && key.salt().size() > 0)
  {
    cout << autosprintf(_("Using PBKDF2, with %i iterations"), 
        key.kdf_iterations()) << "\n";
    cout << autosprintf(_("Salt Size: %i bits"), 
        8*(int)key.salt().size()) << "\n";
  }
  if(config.block_mac_bytes() || config.block_mac_rand_bytes())
  {
    if(config.revision() < V5Latest)
    {
      cout << autosprintf(
          // xgroup(diag)
          _("Block Size: %i bytes + %i byte MAC header"),
          config.block_size(),
          config.block_mac_bytes() + config.block_mac_rand_bytes()) << endl;
    } else
    {
      // new version stores the header as part of that block size..
      cout << autosprintf(
          // xgroup(diag)
          _("Block Size: %i bytes, including %i byte MAC header"),
          config.block_size(),
          config.block_mac_bytes() + config.block_mac_rand_bytes()) << endl;
    }
  } else
  {
    // xgroup(diag)
    cout << autosprintf(_("Block Size: %i bytes"), config.block_size());
    cout << "\n";
  }

  if(config.unique_iv())
  {
    // xgroup(diag)
    cout << _("Each file contains 8 byte header with unique IV data.\n");
  }
  if(config.chained_iv())
  {
    // xgroup(diag)
    cout << _("Filenames encoded using IV chaining mode.\n");
  }
  if(config.external_iv())
  {
    // xgroup(diag)
    cout << _("File data IV is chained to filename IV.\n");
  }
  if(config.allow_holes())
  {
    // xgroup(diag)
    cout << _("File holes passed through to ciphertext.\n");
  }
  cout << "\n";
}