bool readV4Config( const char *configFile,
EncfsConfig &config, ConfigInfo *)
{
bool ok = false;
// use Config to parse the file and query it..
ConfigReader cfgRdr;
if(cfgRdr.load( configFile ))
{
try
{
cfgRdr["cipher"] >> (*config.mutable_cipher());
int blockSize;
cfgRdr["blockSize"] >> blockSize;
config.set_block_size(blockSize);
EncryptedKey *key = config.mutable_key();
cfgRdr["keyData"] >> (*key->mutable_ciphertext());
// fill in default for V4
config.mutable_naming()->MergeFrom( makeInterface("nameio/stream", 1, 0, 0) );
config.set_creator( "EncFS 1.0.x" );
ok = true;
} catch( Error &err)
{
LOG(WARNING) << "Error parsing config file " << configFile
<< ": " << err.what();
ok = false;
}
}
return ok;
}
CipherKey decryptKey(const EncfsConfig &config, const char *password, int passwdLen)
{
const EncryptedKey &key = config.key();
CipherKey userKey;
shared_ptr<CipherV1> cipher = getCipher(config.cipher(), 8 * key.size());
if(!key.salt().empty())
{
int iterations = key.kdf_iterations();
userKey = cipher->newKey(password, passwdLen,
&iterations, key.kdf_duration(),
(const byte *)key.salt().data(),
key.salt().size());
if (iterations != key.kdf_iterations())
{
LOG(ERROR) << "Error in KDF, iteration mismatch";
return userKey;
}
} else
{
// old KDF, no salt..
userKey = cipher->newKey( password, passwdLen );
}
return userKey;
}
/* Passing a copy to rootDir is on purpose here */
static int isValidEncFS(std::string rootDir) {
if( !checkDir( rootDir ))
return EXIT_FAILURE;
#ifdef ENCFS_SVN
EncfsConfig config;
#else
shared_ptr<EncFSConfig> config(new EncFSConfig);
#endif
ConfigType type = readConfig( rootDir, config );
#ifdef ENCFS_SVN
std::string config_creator = config.creator();
int config_revision = config.revision();
#else
std::string config_creator = config->creator;
int config_revision = config->subVersion;
#endif
std::ostringstream info;
// show information stored in config..
switch(type)
{
case Config_None:
info << "Unable to load or parse config file in " << rootDir;
LOGI(info.str().c_str());
return EXIT_FAILURE;
case Config_Prehistoric:
LOGI("A really old EncFS filesystem was found.\n"
"It is not supported in this EncFS build.");
return EXIT_FAILURE;
case Config_V3:
info << "Version 3 configuration; created by " << config_creator.c_str();
break;
case Config_V4:
info << "Version 4 configuration; created by " << config_creator.c_str();
break;
case Config_V5:
info << "Version 5 configuration; created by " << config_creator.c_str()
<< " (revision " << config_revision << ")";
break;
case Config_V6:
info << "Version 6 configuration; created by " << config_creator.c_str()
<< " (revision " << config_revision << ")";
break;
#ifdef ENCFS_SVN
case Config_V7:
info << "Version 7 configuration; created by " << config_creator.c_str()
<< " (revision " << config_revision << ")";
break;
#endif
}
LOGI(info.str().c_str());
showFSInfo( config );
return EXIT_SUCCESS;
}
static int showInfo( int argc, char **argv )
{
(void)argc;
string rootDir = argv[1];
if( !checkDir( rootDir ))
return EXIT_FAILURE;
EncfsConfig config;
ConfigType type = readConfig( rootDir, config );
// show information stored in config..
switch(type)
{
case Config_None:
// xgroup(diag)
cout << _("Unable to load or parse config file\n");
return EXIT_FAILURE;
case Config_Prehistoric:
// xgroup(diag)
cout << _("A really old EncFS filesystem was found. \n"
"It is not supported in this EncFS build.\n");
return EXIT_FAILURE;
case Config_V3:
// xgroup(diag)
cout << "\n" << autosprintf(_("Version 3 configuration; "
"created by %s\n"), config.creator().c_str());
break;
case Config_V4:
// xgroup(diag)
cout << "\n" << autosprintf(_("Version 4 configuration; "
"created by %s\n"), config.creator().c_str());
break;
case Config_V5:
case Config_V6:
case Config_V7:
// xgroup(diag)
cout << "\n" << autosprintf(_("Version %i configuration; "
"created by %s (revision %i)\n"),
type,
config.creator().c_str(),
config.revision());
break;
}
showFSInfo( config );
return EXIT_SUCCESS;
}
CipherKey makeNewKey(EncfsConfig &config, const char *password, int passwdLen) {
CipherKey userKey;
shared_ptr<CipherV1> cipher = getCipher(config);
EncryptedKey *key = config.mutable_key();
unsigned char salt[20];
if (!cipher->pseudoRandomize(salt, sizeof(salt))) {
cout << _("Error creating salt\n");
return userKey;
}
key->set_salt(salt, sizeof(salt));
int iterations = key->kdf_iterations();
userKey = cipher->newKey(password, passwdLen, &iterations,
key->kdf_duration(), salt, sizeof(salt));
key->set_kdf_iterations(iterations);
return userKey;
}
RootPtr createConfig( EncFS_Context *ctx,
const shared_ptr<EncFS_Opts> &opts )
{
const std::string rootDir = opts->rootDir;
bool enableIdleTracking = opts->idleTracking;
bool forceDecode = opts->forceDecode;
const std::string passwordProgram = opts->passwordProgram;
bool useStdin = opts->useStdin;
bool reverseEncryption = opts->reverseEncryption;
ConfigMode configMode = opts->configMode;
bool annotate = opts->annotate;
RootPtr rootInfo;
// creating new volume key.. should check that is what the user is
// expecting...
// xgroup(setup)
cout << _("Creating new encrypted volume.") << endl;
char answer[10] = {0};
if(configMode == Config_Prompt)
{
// xgroup(setup)
cout << _("Please choose from one of the following options:\n"
" enter \"x\" for expert configuration mode,\n"
" enter \"p\" for pre-configured paranoia mode,\n"
" anything else, or an empty line will select standard mode.\n"
"?> ");
if (annotate)
cerr << "$PROMPT$ config_option" << endl;
char *res = fgets( answer, sizeof(answer), stdin );
(void)res;
cout << "\n";
}
int keySize = 0;
int blockSize = 0;
CipherV1::CipherAlgorithm alg;
Interface nameIOIface;
int blockMACBytes = 0;
int blockMACRandBytes = 0;
bool uniqueIV = false;
bool chainedIV = false;
bool externalIV = false;
bool allowHoles = true;
long desiredKDFDuration = NormalKDFDuration;
if (reverseEncryption)
{
uniqueIV = false;
chainedIV = false;
externalIV = false;
blockMACBytes = 0;
blockMACRandBytes = 0;
}
if(configMode == Config_Paranoia || answer[0] == 'p')
{
if (reverseEncryption)
{
LOG(ERROR) << "Paranoia configuration not supported for --reverse";
return rootInfo;
}
// xgroup(setup)
cout << _("Paranoia configuration selected.") << "\n";
// look for AES with 256 bit key..
// Use block filename encryption mode.
// Enable per-block HMAC headers at substantial performance penalty..
// Enable per-file initialization vector headers.
// Enable filename initialization vector chaning
keySize = 256;
blockSize = DefaultBlockSize;
alg = findCipherAlgorithm("AES", keySize);
nameIOIface = BlockNameIO::CurrentInterface();
blockMACBytes = 8;
blockMACRandBytes = 0; // using uniqueIV, so this isn't necessary
uniqueIV = true;
chainedIV = true;
externalIV = true;
desiredKDFDuration = ParanoiaKDFDuration;
} else if(configMode == Config_Standard || answer[0] != 'x')
{
// xgroup(setup)
cout << _("Standard configuration selected.") << "\n";
// AES w/ 192 bit key, block name encoding, per-file initialization
// vectors are all standard.
keySize = 192;
blockSize = DefaultBlockSize;
alg = findCipherAlgorithm("AES", keySize);
blockMACBytes = 0;
externalIV = false;
nameIOIface = BlockNameIO::CurrentInterface();
if (reverseEncryption)
{
cout << _("--reverse specified, not using unique/chained IV")
<< "\n";
} else
{
uniqueIV = true;
chainedIV = true;
}
}
if(answer[0] == 'x' || alg.name.empty())
{
if(answer[0] != 'x')
{
// xgroup(setup)
cout << _("Sorry, unable to locate cipher for predefined "
"configuration...\n"
"Falling through to Manual configuration mode.");
} else
{
// xgroup(setup)
cout << _("Manual configuration mode selected.");
}
cout << endl;
// query user for settings..
alg = selectCipherAlgorithm();
keySize = selectKeySize( alg );
blockSize = selectBlockSize( alg );
nameIOIface = selectNameCoding( alg );
if (reverseEncryption)
{
cout << _("--reverse specified, not using unique/chained IV") << "\n";
} else
{
chainedIV = selectChainedIV();
uniqueIV = selectUniqueIV();
if(chainedIV && uniqueIV)
externalIV = selectExternalChainedIV();
else
{
// xgroup(setup)
cout << _("External chained IV disabled, as both 'IV chaining'\n"
"and 'unique IV' features are required for this option.")
<< "\n";
externalIV = false;
}
selectBlockMAC(&blockMACBytes, &blockMACRandBytes);
allowHoles = selectZeroBlockPassThrough();
}
desiredKDFDuration = selectKDFDuration();
}
shared_ptr<CipherV1> cipher = CipherV1::New( alg.iface, keySize );
if(!cipher)
{
LOG(ERROR) << "Unable to instanciate cipher " << alg.name
<< ", key size " << keySize << ", block size " << blockSize;
return rootInfo;
} else
{
VLOG(1) << "Using cipher " << alg.name
<< ", key size " << keySize << ", block size " << blockSize;
}
EncfsConfig config;
config.mutable_cipher()->MergeFrom( cipher->interface() );
config.set_block_size( blockSize );
config.mutable_naming()->MergeFrom( nameIOIface );
config.set_creator( "EncFS " VERSION );
config.set_revision( ProtoSubVersion );
config.set_block_mac_bytes( blockMACBytes );
config.set_block_mac_rand_bytes( blockMACRandBytes );
config.set_unique_iv( uniqueIV );
config.set_chained_iv( chainedIV );
config.set_external_iv( externalIV );
config.set_allow_holes( allowHoles );
EncryptedKey *key = config.mutable_key();
key->clear_salt();
key->clear_kdf_iterations(); // filled in by keying function
key->set_kdf_duration( desiredKDFDuration );
key->set_size(keySize / 8);
cout << "\n";
// xgroup(setup)
cout << _("Configuration finished. The filesystem to be created has\n"
"the following properties:") << endl;
showFSInfo( config );
if( config.external_iv() )
{
cout <<
_("-------------------------- WARNING --------------------------\n")
<<
_("The external initialization-vector chaining option has been\n"
"enabled. This option disables the use of hard links on the\n"
"filesystem. Without hard links, some programs may not work.\n"
"The programs 'mutt' and 'procmail' are known to fail. For\n"
"more information, please see the encfs mailing list.\n"
"If you would like to choose another configuration setting,\n"
"please press CTRL-C now to abort and start over.") << endl;
cout << endl;
}
// xgroup(setup)
cout << _("Now you will need to enter a password for your filesystem.\n"
"You will need to remember this password, as there is absolutely\n"
"no recovery mechanism. However, the password can be changed\n"
"later using encfsctl.\n\n");
int encodedKeySize = cipher->encodedKeySize();
unsigned char *encodedKey = new unsigned char[ encodedKeySize ];
CipherKey volumeKey = cipher->newRandomKey();
// get user key and use it to encode volume key
CipherKey userKey;
VLOG(1) << "useStdin: " << useStdin;
if(useStdin)
{
if (annotate)
cerr << "$PROMPT$ new_passwd" << endl;
}
userKey = getNewUserKey( config, useStdin, passwordProgram, rootDir );
cipher->setKey( userKey );
cipher->writeKey( volumeKey, encodedKey );
userKey.reset();
key->set_ciphertext(encodedKey, encodedKeySize);
delete[] encodedKey;
if(!volumeKey.valid())
{
LOG(ERROR) << "Failure generating new volume key! "
<< "Please report this error.";
return rootInfo;
}
cipher->setKey( volumeKey );
if(!saveConfig( rootDir, config ))
return rootInfo;
// fill in config struct
shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
if(!nameCoder)
{
LOG(WARNING) << "Name coding interface not supported";
cout << _("The filename encoding interface requested is not available")
<< endl;
return rootInfo;
}
nameCoder->setChainedNameIV( config.chained_iv() );
nameCoder->setReverseEncryption( reverseEncryption );
FSConfigPtr fsConfig (new FSConfig);
fsConfig->cipher = cipher;
fsConfig->key = volumeKey;
fsConfig->nameCoding = nameCoder;
fsConfig->config = shared_ptr<EncfsConfig>(new EncfsConfig(config));
fsConfig->forceDecode = forceDecode;
fsConfig->reverseEncryption = reverseEncryption;
fsConfig->idleTracking = enableIdleTracking;
fsConfig->opts = opts;
rootInfo = RootPtr( new EncFS_Root );
rootInfo->cipher = cipher;
rootInfo->volumeKey = volumeKey;
rootInfo->root = shared_ptr<DirNode>(
new DirNode( ctx, rootDir, fsConfig ));
return rootInfo;
}
// Read a v5 archive, which is a proprietary binary format.
bool readV5Config( const char *configFile,
EncfsConfig &config, ConfigInfo *)
{
bool ok = false;
// use Config to parse the file and query it..
ConfigReader cfgRdr;
if(cfgRdr.load( configFile ))
{
try
{
config.set_revision(cfgRdr["subVersion"].readInt(0));
if(config.revision() > V5Latest)
{
/* config file specifies a version outside our supported
range.. */
LOG(ERROR) << "Config subversion " << config.revision()
<< " found, but this version of encfs only supports up to version "
<< V5Latest;
return false;
}
if( config.revision() < V5Latest )
{
LOG(ERROR) << "This version of EncFS doesn't support "
<< "filesystems created with EncFS releases before 2004-08-13";
return false;
}
cfgRdr["creator"] >> (*config.mutable_creator());
cfgRdr["cipher"] >> (*config.mutable_cipher());
cfgRdr["naming"] >> (*config.mutable_naming());
int blockSize;
cfgRdr["blockSize"] >> blockSize;
config.set_block_size(blockSize);
EncryptedKey *encryptedKey = config.mutable_key();
int keySize;
cfgRdr["keySize"] >> keySize;
encryptedKey->set_size(keySize / 8);
cfgRdr["keyData"] >> (*encryptedKey->mutable_ciphertext());
config.set_unique_iv( cfgRdr["uniqueIV"].readBool( false ) );
config.set_chained_iv( cfgRdr["chainedIV"].readBool( false ) );
config.set_external_iv( cfgRdr["externalIV"].readBool( false ) );
config.set_block_mac_bytes( cfgRdr["blockMACBytes"].readInt(0) );
config.set_block_mac_rand_bytes( cfgRdr["blockMACRandBytes"].readInt(0) );
ok = true;
} catch( Error &err)
{
LOG(WARNING) << "Error parsing data in config file " << configFile
<< "; " << err.what();
ok = false;
}
}
return ok;
}
// Read a boost::serialization config file using an Xml reader..
bool readV6Config( const char *configFile,
EncfsConfig &cfg, ConfigInfo *info)
{
(void)info;
XmlReader rdr;
if (!rdr.load(configFile))
{
LOG(ERROR) << "Failed to load config file " << configFile;
return false;
}
XmlValuePtr serialization = rdr["boost_serialization"];
XmlValuePtr config = (*serialization)["cfg"];
if (!config) {
config = (*serialization)["config"];
}
if (!config) {
LOG(ERROR) << "Unable to find XML configuration in file " << configFile;
return false;
}
int version;
if (!config->read("version", &version) &&
!config->read("@version", &version)) {
LOG(ERROR) << "Unable to find version in config file";
return false;
}
// version numbering was complicated by boost::archive
if (version == 20 || version >= 20100713)
{
VLOG(1) << "found new serialization format";
cfg.set_revision(version);
} else if (version == 26800)
{
VLOG(1) << "found 20080816 version";
cfg.set_revision(20080816);
} else if (version == 26797)
{
VLOG(1) << "found 20080813";
cfg.set_revision(20080813);
} else if (version < V5Latest)
{
LOG(ERROR) << "Invalid version " << version
<< " - please fix config file";
} else
{
LOG(INFO) << "Boost <= 1.41 compatibility mode";
cfg.set_revision(version);
}
VLOG(1) << "subVersion = " << cfg.revision();
config->read("creator", cfg.mutable_creator());
config->read("cipherAlg", cfg.mutable_cipher());
config->read("nameAlg", cfg.mutable_naming());
//(*config)["keySize"] >> cfg.keySize;
int blockSize, blockMacBytes, blockMacRandBytes;
bool uniqueIv, chainedNameIv, externalIv, allowHoles;
config->read("blockSize", &blockSize);
config->read("uniqueIV", &uniqueIv);
config->read("chainedNameIV", &chainedNameIv);
config->read("externalIVChaining", &externalIv);
config->read("blockMACBytes", &blockMacBytes);
config->read("blockMACRandBytes", &blockMacRandBytes);
config->read("allowHoles", &allowHoles);
cfg.set_block_size(blockSize);
cfg.set_unique_iv(uniqueIv);
cfg.set_chained_iv(chainedNameIv);
cfg.set_external_iv(externalIv);
cfg.set_block_mac_bytes(blockMacBytes);
cfg.set_block_mac_rand_bytes(blockMacRandBytes);
cfg.set_allow_holes(allowHoles);
EncryptedKey *encryptedKey = cfg.mutable_key();
int encodedSize;
config->read("encodedKeySize", &encodedSize);
unsigned char *key = new unsigned char[encodedSize];
config->readB64("encodedKeyData", key, encodedSize);
encryptedKey->set_ciphertext(key, encodedSize);
delete[] key;
int keySize;
config->read("keySize", &keySize);
encryptedKey->set_size(keySize / 8); // save as size in bytes
if(cfg.revision() >= 20080816)
{
int saltLen;
config->read("saltLen", &saltLen);
unsigned char *salt = new unsigned char[saltLen];
config->readB64("saltData", salt, saltLen);
encryptedKey->set_salt(salt, saltLen);
delete[] salt;
int kdfIterations, desiredKDFDuration;
config->read("kdfIterations", &kdfIterations);
config->read("desiredKDFDuration", &desiredKDFDuration);
encryptedKey->set_kdf_iterations(kdfIterations);
encryptedKey->set_kdf_duration(desiredKDFDuration);
} else
{
encryptedKey->clear_salt();
encryptedKey->set_kdf_iterations(16);
encryptedKey->clear_kdf_duration();
}
return true;
}
RootPtr initFS( EncFS_Context *ctx, const shared_ptr<EncFS_Opts> &opts )
{
RootPtr rootInfo;
EncfsConfig config;
if(readConfig( opts->rootDir, config ) != Config_None)
{
if(opts->reverseEncryption)
{
if (config.block_mac_bytes() != 0 || config.block_mac_rand_bytes() != 0
|| config.unique_iv() || config.external_iv()
|| config.chained_iv() )
{
cout << _("The configuration loaded is not compatible with --reverse\n");
return rootInfo;
}
}
// first, instanciate the cipher.
shared_ptr<CipherV1> cipher = getCipher(config);
if(!cipher)
{
Interface iface = config.cipher();
LOG(ERROR) << "Unable to find cipher " << iface.name()
<< ", version " << iface.major()
<< ":" << iface.minor() << ":" << iface.age();
// xgroup(diag)
cout << _("The requested cipher interface is not available\n");
return rootInfo;
}
// get user key
CipherKey userKey;
if(opts->passwordProgram.empty())
{
if (opts->annotate)
cerr << "$PROMPT$ passwd" << endl;
userKey = getUserKey( config, opts->useStdin );
} else
userKey = getUserKey( config, opts->passwordProgram, opts->rootDir );
if(!userKey.valid())
return rootInfo;
cipher->setKey(userKey);
VLOG(1) << "cipher encoded key size = " << cipher->encodedKeySize();
// decode volume key..
CipherKey volumeKey = cipher->readKey(
(const unsigned char *)config.key().ciphertext().data(), opts->checkKey);
userKey.reset();
if(!volumeKey.valid())
{
// xgroup(diag)
cout << _("Error decoding volume key, password incorrect\n");
return rootInfo;
}
cipher->setKey(volumeKey);
shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
if(!nameCoder)
{
Interface iface = config.naming();
LOG(ERROR) << "Unable to find nameio interface " << iface.name()
<< ", version " << iface.major()
<< ":" << iface.minor() << ":" << iface.age();
// xgroup(diag)
cout << _("The requested filename coding interface is "
"not available\n");
return rootInfo;
}
nameCoder->setChainedNameIV( config.chained_iv() );
nameCoder->setReverseEncryption( opts->reverseEncryption );
FSConfigPtr fsConfig( new FSConfig );
fsConfig->cipher = cipher;
fsConfig->key = volumeKey;
fsConfig->nameCoding = nameCoder;
fsConfig->config = shared_ptr<EncfsConfig>(new EncfsConfig(config));
fsConfig->forceDecode = opts->forceDecode;
fsConfig->reverseEncryption = opts->reverseEncryption;
fsConfig->opts = opts;
rootInfo = RootPtr( new EncFS_Root );
rootInfo->cipher = cipher;
rootInfo->volumeKey = volumeKey;
rootInfo->root = shared_ptr<DirNode>(
new DirNode( ctx, opts->rootDir, fsConfig ));
} else
{
if(opts->createIfNotFound)
{
// creating a new encrypted filesystem
rootInfo = createConfig( ctx, opts );
}
}
return rootInfo;
}
shared_ptr<CipherV1> getCipher(const EncfsConfig &config)
{
return getCipher(config.cipher(), 8 * config.key().size());
}
void showFSInfo( const EncfsConfig &config )
{
shared_ptr<CipherV1> cipher = CipherV1::New( config.cipher(),
config.key().size() );
{
cout << autosprintf(
// xgroup(diag)
_("Filesystem cipher: \"%s\", version %i:%i:%i"),
config.cipher().name().c_str(), config.cipher().major(),
config.cipher().minor(), config.cipher().age());
// check if we support this interface..
if(!cipher)
cout << _(" (NOT supported)\n");
else
{
// if we're using a newer interface, show the version number
if( config.cipher() != cipher->interface() )
{
Interface iface = cipher->interface();
// xgroup(diag)
cout << autosprintf(_(" (using %i:%i:%i)\n"),
iface.major(), iface.minor(), iface.age());
} else
cout << "\n";
}
}
// xgroup(diag)
cout << autosprintf(_("Filename encoding: \"%s\", version %i:%i:%i"),
config.naming().name().c_str(), config.naming().major(),
config.naming().minor(), config.naming().age());
if (!cipher)
{
cout << "\n";
} else
{
// check if we support the filename encoding interface..
shared_ptr<NameIO> nameCoder = NameIO::New( config.naming(), cipher );
if(!nameCoder)
{
// xgroup(diag)
cout << _(" (NOT supported)\n");
} else
{
// if we're using a newer interface, show the version number
if( config.naming() != nameCoder->interface() )
{
Interface iface = nameCoder->interface();
cout << autosprintf(_(" (using %i:%i:%i)\n"),
iface.major(), iface.minor(), iface.age());
} else
cout << "\n";
}
}
const EncryptedKey &key = config.key();
{
cout << autosprintf(_("Key Size: %i bits"), 8 * key.size());
cipher = getCipher(config);
if(!cipher)
{
// xgroup(diag)
cout << _(" (NOT supported)\n");
} else
cout << "\n";
}
if(key.kdf_iterations() > 0 && key.salt().size() > 0)
{
cout << autosprintf(_("Using PBKDF2, with %i iterations"),
key.kdf_iterations()) << "\n";
cout << autosprintf(_("Salt Size: %i bits"),
8*(int)key.salt().size()) << "\n";
}
if(config.block_mac_bytes() || config.block_mac_rand_bytes())
{
if(config.revision() < V5Latest)
{
cout << autosprintf(
// xgroup(diag)
_("Block Size: %i bytes + %i byte MAC header"),
config.block_size(),
config.block_mac_bytes() + config.block_mac_rand_bytes()) << endl;
} else
{
// new version stores the header as part of that block size..
cout << autosprintf(
// xgroup(diag)
_("Block Size: %i bytes, including %i byte MAC header"),
config.block_size(),
config.block_mac_bytes() + config.block_mac_rand_bytes()) << endl;
}
} else
{
// xgroup(diag)
cout << autosprintf(_("Block Size: %i bytes"), config.block_size());
cout << "\n";
}
if(config.unique_iv())
{
// xgroup(diag)
cout << _("Each file contains 8 byte header with unique IV data.\n");
}
if(config.chained_iv())
{
// xgroup(diag)
cout << _("Filenames encoded using IV chaining mode.\n");
}
if(config.external_iv())
{
// xgroup(diag)
cout << _("File data IV is chained to filename IV.\n");
}
if(config.allow_holes())
{
// xgroup(diag)
cout << _("File holes passed through to ciphertext.\n");
}
cout << "\n";
}
bool runTests(const shared_ptr<Cipher> &cipher, bool verbose)
{
// create a random key
if(verbose)
cerr << "Generating new key, output will be different on each run\n\n";
CipherKey key = cipher->newRandomKey();
if(verbose)
cerr << "Testing key save / restore :";
{
CipherKey encodingKey = cipher->newRandomKey();
int encodedKeySize = cipher->encodedKeySize();
unsigned char *keyBuf = new unsigned char [ encodedKeySize ];
cipher->writeKey( key, keyBuf, encodingKey );
CipherKey key2 = cipher->readKey( keyBuf, encodingKey );
if(!key2)
{
if(verbose)
cerr << " FAILED (decode error)\n";
return false;
}
if(cipher->compareKey( key, key2 ))
{
if(verbose)
cerr << " OK\n";
} else
{
if(verbose)
cerr << " FAILED\n";
return false;
}
}
if(verbose)
cerr << "Testing Config interface load / store :";
{
CipherKey encodingKey = cipher->newRandomKey();
int encodedKeySize = cipher->encodedKeySize();
unsigned char *keyBuf = new unsigned char [ encodedKeySize ];
cipher->writeKey( key, keyBuf, encodingKey );
// store in config struct..
EncfsConfig cfg;
cfg.mutable_cipher()->MergeFrom(cipher->interface());
EncryptedKey *encryptedKey = cfg.mutable_key();
encryptedKey->set_size(8 * cipher->keySize());
encryptedKey->set_ciphertext( keyBuf, encodedKeySize );
cfg.set_block_size(FSBlockSize);
// save config
string data;
google::protobuf::TextFormat::PrintToString(cfg, &data);
// read back in and check everything..
EncfsConfig cfg2;
google::protobuf::TextFormat::ParseFromString(data, &cfg2);
// check..
rAssert( implements(cfg.cipher(),cfg2.cipher()) );
rAssert( cfg.key().size() == cfg2.key().size() );
rAssert( cfg.block_size() == cfg2.block_size() );
// try decoding key..
CipherKey key2 = cipher->readKey( (unsigned char *)cfg2.key().ciphertext().data(), encodingKey );
if(!key2)
{
if(verbose)
cerr << " FAILED (decode error)\n";
return false;
}
if(cipher->compareKey( key, key2 ))
{
if(verbose)
cerr << " OK\n";
} else
{
if(verbose)
cerr << " FAILED\n";
return false;
}
}
FSConfigPtr fsCfg = FSConfigPtr(new FSConfig);
fsCfg->cipher = cipher;
fsCfg->key = key;
fsCfg->config.reset(new EncfsConfig);
fsCfg->config->set_block_size(FSBlockSize);
fsCfg->opts.reset(new EncFS_Opts);
if(verbose)
cerr << "Testing name encode/decode (stream coding w/ IV chaining)\n";
if (cipher->hasStreamMode())
{
fsCfg->opts->idleTracking = false;
fsCfg->config->set_unique_iv(false);
fsCfg->nameCoding.reset( new StreamNameIO(
StreamNameIO::CurrentInterface(), cipher, key ) );
fsCfg->nameCoding->setChainedNameIV( true );
DirNode dirNode( NULL, TEST_ROOTDIR, fsCfg );
if(!testNameCoding( dirNode, verbose ))
return false;
}
if(verbose)
cerr << "Testing name encode/decode (block coding w/ IV chaining)\n";
{
fsCfg->opts->idleTracking = false;
fsCfg->config->set_unique_iv(false);
fsCfg->nameCoding.reset( new BlockNameIO(
BlockNameIO::CurrentInterface(), cipher, key ) );
fsCfg->nameCoding->setChainedNameIV( true );
DirNode dirNode( NULL, TEST_ROOTDIR, fsCfg );
if(!testNameCoding( dirNode, verbose ))
return false;
}
if(verbose)
cerr << "Testing name encode/decode (block coding w/ IV chaining, base32)\n";
{
fsCfg->opts->idleTracking = false;
fsCfg->config->set_unique_iv(false);
fsCfg->nameCoding.reset( new BlockNameIO(
BlockNameIO::CurrentInterface(), cipher, key, true ) );
fsCfg->nameCoding->setChainedNameIV( true );
DirNode dirNode( NULL, TEST_ROOTDIR, fsCfg );
if(!testNameCoding( dirNode, verbose ))
return false;
}
if(!verbose)
{
if (cipher->hasStreamMode())
{
// test stream mode, this time without IV chaining
fsCfg->nameCoding =
shared_ptr<NameIO>( new StreamNameIO(
StreamNameIO::CurrentInterface(), cipher, key ) );
fsCfg->nameCoding->setChainedNameIV( false );
DirNode dirNode( NULL, TEST_ROOTDIR, fsCfg );
if(!testNameCoding( dirNode, verbose ))
return false;
}
{
// test block mode, this time without IV chaining
fsCfg->nameCoding = shared_ptr<NameIO>( new BlockNameIO(
BlockNameIO::CurrentInterface(), cipher, key ) );
fsCfg->nameCoding->setChainedNameIV( false );
DirNode dirNode( NULL, TEST_ROOTDIR, fsCfg );
if(!testNameCoding( dirNode, verbose ))
return false;
}
}
if(verbose)
cerr << "Testing block encode/decode on full block - ";
{
int numErrors = checkErrorPropogation( cipher,
FSBlockSize, -1, key );
if(numErrors)
{
if(verbose)
cerr << " FAILED!\n";
return false;
} else
{
if(verbose)
cerr << " OK\n";
}
}
if(verbose)
cerr << "Testing block encode/decode on partial block - ";
if (cipher->hasStreamMode())
{
int numErrors = checkErrorPropogation( cipher,
FSBlockSize-1, -1, key );
if(numErrors)
{
if(verbose)
cerr << " FAILED!\n";
return false;
} else
{
if(verbose)
cerr << " OK\n";
}
}
if(verbose)
cerr << "Checking error propogation in partial block:\n";
if (cipher->hasStreamMode())
{
int minChanges = FSBlockSize-1;
int maxChanges = 0;
int minAt = 0;
int maxAt = 0;
for(int i=0; i<FSBlockSize-1; ++i)
{
int numErrors = checkErrorPropogation( cipher,
FSBlockSize-1, i, key );
if(numErrors < minChanges)
{
minChanges = numErrors;
minAt = i;
}
if(numErrors > maxChanges)
{
maxChanges = numErrors;
maxAt = i;
}
}
if(verbose)
{
cerr << "modification of 1 byte affected between " << minChanges
<< " and " << maxChanges << " decoded bytes\n";
cerr << "minimum change at byte " << minAt
<< " and maximum at byte " << maxAt << "\n";
}
}
if(verbose)
cerr << "Checking error propogation on full block:\n";
{
int minChanges = FSBlockSize;
int maxChanges = 0;
int minAt = 0;
int maxAt = 0;
for(int i=0; i<FSBlockSize; ++i)
{
int numErrors = checkErrorPropogation( cipher,
FSBlockSize, i, key );
if(numErrors < minChanges)
{
minChanges = numErrors;
minAt = i;
}
if(numErrors > maxChanges)
{
maxChanges = numErrors;
maxAt = i;
}
}
if(verbose)
{
cerr << "modification of 1 byte affected between " << minChanges
<< " and " << maxChanges << " decoded bytes\n";
cerr << "minimum change at byte " << minAt
<< " and maximum at byte " << maxAt << "\n";
}
}
return true;
}
static int do_chpasswd( bool useStdin, bool annotate, int argc, char **argv )
{
(void)argc;
string rootDir = argv[1];
if( !checkDir( rootDir ))
return EXIT_FAILURE;
EncfsConfig config;
ConfigType cfgType = readConfig( rootDir, config );
if(cfgType == Config_None)
{
cout << _("Unable to load or parse config file\n");
return EXIT_FAILURE;
}
// instanciate proper cipher
shared_ptr<Cipher> cipher = getCipher(config);
if(!cipher)
{
cout << autosprintf(_("Unable to find specified cipher \"%s\"\n"),
config.cipher().name().c_str());
return EXIT_FAILURE;
}
// ask for existing password
cout << _("Enter current Encfs password\n");
if (annotate)
cerr << "$PROMPT$ passwd" << endl;
CipherKey userKey = getUserKey( config, useStdin );
if(!userKey)
return EXIT_FAILURE;
// decode volume key using user key -- at this point we detect an incorrect
// password if the key checksum does not match (causing readKey to fail).
CipherKey volumeKey = cipher->readKey(
(const unsigned char *)config.key().ciphertext().data(), userKey );
if(!volumeKey)
{
cout << _("Invalid password\n");
return EXIT_FAILURE;
}
// Now, get New user key..
userKey.reset();
cout << _("Enter new Encfs password\n");
// create new key
if( useStdin )
{
if (annotate)
cerr << "$PROMPT$ new_passwd" << endl;
}
userKey = getNewUserKey( config, useStdin, string(), string() );
// re-encode the volume key using the new user key and write it out..
int result = EXIT_FAILURE;
if(userKey)
{
int encodedKeySize = cipher->encodedKeySize();
unsigned char *keyBuf = new unsigned char[ encodedKeySize ];
// encode volume key with new user key
cipher->writeKey( volumeKey, keyBuf, userKey );
userKey.reset();
EncryptedKey *key = config.mutable_key();
key->set_ciphertext( keyBuf, encodedKeySize );
delete[] keyBuf;
if(saveConfig( rootDir, config ))
{
// password modified -- changes volume key of filesystem..
cout << _("Volume Key successfully updated.\n");
result = EXIT_SUCCESS;
} else
{
cout << _("Error saving modified config file.\n");
}
} else
{
cout << _("Error creating key\n");
}
volumeKey.reset();
return result;
}
