remove Trezor support

Documentation/MANPAGE.md

@@ -405,16 +405,6 @@ You need root permissions to use `-suid`.
 #### -trace string
 Write execution trace to file. View the trace using "go tool trace FILE".
 
-#### -trezor
-With `-init`: Protect the masterkey using a SatoshiLabs Trezor instead of a password.
-
-This feature is disabled by default and must be enabled at compile time using:
-
-    ./build.bash -tags enable_trezor
-
-You can determine if your gocryptfs binary has Trezor support enabled checking
-if the `gocryptfs -version` output contains the string `enable_trezor`.
-
 #### -version
 Print version and exit. The output contains three fields separated by ";".
 Example: "gocryptfs v1.1.1-5-g75b776c; go-fuse 6b801d3; 2016-11-01 go1.7.3".

cli_args.go

@@ -18,7 +18,6 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/configfile"
 	"github.com/rfjakob/gocryptfs/internal/exitcodes"
 	"github.com/rfjakob/gocryptfs/internal/prefer_openssl"
-	"github.com/rfjakob/gocryptfs/internal/readpassword"
 	"github.com/rfjakob/gocryptfs/internal/stupidgcm"
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
@@ -29,7 +28,7 @@ type argContainer struct {
 	plaintextnames, quiet, nosyslog, wpanic,
 	longnames, allow_other, reverse, aessiv, nonempty, raw64,
 	noprealloc, speed, hkdf, serialize_reads, forcedecode, hh, info,
-	sharedstorage, devrandom, fsck, trezor bool
+	sharedstorage, devrandom, fsck bool
 	// Mount options with opposites
 	dev, nodev, suid, nosuid, exec, noexec, rw, ro bool
 	masterkey, mountpoint, cipherdir, cpuprofile,
@@ -170,9 +169,6 @@ func parseCliOpts() (args argContainer) {
 	flagSet.BoolVar(&args.sharedstorage, "sharedstorage", false, "Make concurrent access to a shared CIPHERDIR safer")
 	flagSet.BoolVar(&args.devrandom, "devrandom", false, "Use /dev/random for generating master key")
 	flagSet.BoolVar(&args.fsck, "fsck", false, "Run a filesystem check on CIPHERDIR")
-	if readpassword.TrezorSupport {
-		flagSet.BoolVar(&args.trezor, "trezor", false, "Protect the masterkey using a SatoshiLabs Trezor instead of a password")
-	}
 
 	// Mount options with opposites
 	flagSet.BoolVar(&args.dev, "dev", false, "Allow device files")
@@ -282,10 +278,6 @@ func parseCliOpts() (args argContainer) {
 		tlog.Fatal.Printf("The options -extpass and -masterkey cannot be used at the same time")
 		os.Exit(exitcodes.Usage)
 	}
-	if !args.extpass.Empty() && args.trezor {
-		tlog.Fatal.Printf("The options -extpass and -trezor cannot be used at the same time")
-		os.Exit(exitcodes.Usage)
-	}
 	if args.idle < 0 {
 		tlog.Fatal.Printf("Idle timeout cannot be less than 0")
 		os.Exit(exitcodes.Usage)

init_dir.go

@@ -9,7 +9,6 @@ import (
 	"syscall"
 
 	"github.com/rfjakob/gocryptfs/internal/configfile"
-	"github.com/rfjakob/gocryptfs/internal/cryptocore"
 	"github.com/rfjakob/gocryptfs/internal/exitcodes"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/readpassword"
@@ -72,19 +71,10 @@ func initDir(args *argContainer) {
 		tlog.Info.Printf("Choose a password for protecting your files.")
 	}
 	{
-		var password []byte
-		var trezorPayload []byte
-		if args.trezor {
-			trezorPayload = cryptocore.RandBytes(readpassword.TrezorPayloadLen)
-			// Get binary data from from Trezor
-			password = readpassword.Trezor(trezorPayload)
-		} else {
-			// Normal password entry
-			password = readpassword.Twice([]string(args.extpass), args.passfile)
-		}
+		password := readpassword.Twice([]string(args.extpass), args.passfile)
 		creator := tlog.ProgramName + " " + GitVersion
 		err = configfile.Create(args.config, password, args.plaintextnames,
-			args.scryptn, creator, args.aessiv, args.devrandom, trezorPayload)
+			args.scryptn, creator, args.aessiv, args.devrandom)
 		if err != nil {
 			tlog.Fatal.Println(err)
 			os.Exit(exitcodes.WriteConf)

internal/configfile/config_file.go

@@ -46,10 +46,6 @@ type ConfFile struct {
 	// mounting. This mechanism is analogous to the ext4 feature flags that are
 	// stored in the superblock.
 	FeatureFlags []string
-	// TrezorPayload stores 32 random bytes used for unlocking the master key using
-	// a Trezor security module. The randomness makes sure that a unique unlock
-	// value is used for each gocryptfs filesystem.
-	TrezorPayload []byte `json:",omitempty"`
 	// Filename is the name of the config file. Not exported to JSON.
 	filename string
 }
@@ -73,7 +69,7 @@ func randBytesDevRandom(n int) []byte {
 // "password" and write it to "filename".
 // Uses scrypt with cost parameter logN.
 func Create(filename string, password []byte, plaintextNames bool,
-	logN int, creator string, aessiv bool, devrandom bool, trezorPayload []byte) error {
+	logN int, creator string, aessiv bool, devrandom bool) error {
 	var cf ConfFile
 	cf.filename = filename
 	cf.Creator = creator
@@ -93,10 +89,6 @@ func Create(filename string, password []byte, plaintextNames bool,
 	if aessiv {
 		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagAESSIV])
 	}
-	if len(trezorPayload) > 0 {
-		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagTrezor])
-		cf.TrezorPayload = trezorPayload
-	}
 	{
 		// Generate new random master key
 		var key []byte

internal/configfile/config_test.go

@@ -62,7 +62,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
 }
 
 func TestCreateConfDefault(t *testing.T) {
-	err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false, nil)
+	err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -83,14 +83,14 @@ func TestCreateConfDefault(t *testing.T) {
 }
 
 func TestCreateConfDevRandom(t *testing.T) {
-	err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true, nil)
+	err := Create("config_test/tmp.conf", testPw, false, 10, "test", false, true)
 	if err != nil {
 		t.Fatal(err)
 	}
 }
 
 func TestCreateConfPlaintextnames(t *testing.T) {
-	err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false, nil)
+	err := Create("config_test/tmp.conf", testPw, true, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -111,7 +111,7 @@ func TestCreateConfPlaintextnames(t *testing.T) {
 
 // Reverse mode uses AESSIV
 func TestCreateConfFileAESSIV(t *testing.T) {
-	err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false, nil)
+	err := Create("config_test/tmp.conf", testPw, false, 10, "test", true, false)
 	if err != nil {
 		t.Fatal(err)
 	}

internal/configfile/feature_flags.go

@@ -25,9 +25,6 @@ const (
 	// Note that this flag does not change the password hashing algorithm
 	// which always is scrypt.
 	FlagHKDF
-	// FlagTrezor means that "-trezor" was used when creating the filesystem.
-	// The masterkey is protected using a Trezor device instead of a password.
-	FlagTrezor
 )
 
 // knownFlags stores the known feature flags and their string representation
@@ -40,7 +37,6 @@ var knownFlags = map[flagIota]string{
 	FlagAESSIV:         "AESSIV",
 	FlagRaw64:          "Raw64",
 	FlagHKDF:           "HKDF",
-	FlagTrezor:         "Trezor",
 }
 
 // Filesystems that do not have these feature flags set are deprecated.

internal/exitcodes/exitcodes.go

@@ -65,9 +65,7 @@ const (
 	FsckErrors = 26
 	// DeprecatedFS - this filesystem is deprecated
 	DeprecatedFS = 27
-	// TrezorError - an error was encountered while interacting with a Trezor
-	// device
-	TrezorError = 28
+	// skip 28
 	// ExcludeError - an error occurred while processing "-exclude"
 	ExcludeError = 29
 	// DevNull means that /dev/null could not be opened