2016-07-06 21:51:25 +02:00
|
|
|
// Package contentenc encrypts and decrypts file blocks.
|
2016-02-06 19:20:54 +01:00
|
|
|
package contentenc
|
2015-09-05 20:30:20 +02:00
|
|
|
|
|
|
|
import (
|
2016-02-06 19:20:54 +01:00
|
|
|
"bytes"
|
2016-02-06 20:23:36 +01:00
|
|
|
"encoding/binary"
|
2015-10-03 13:36:49 +02:00
|
|
|
"encoding/hex"
|
2015-10-04 14:36:20 +02:00
|
|
|
"errors"
|
2016-12-10 11:50:16 +01:00
|
|
|
"log"
|
2015-09-05 20:30:20 +02:00
|
|
|
|
2016-06-16 19:02:47 +02:00
|
|
|
"github.com/rfjakob/gocryptfs/internal/cryptocore"
|
2016-06-15 23:30:44 +02:00
|
|
|
"github.com/rfjakob/gocryptfs/internal/tlog"
|
2016-02-06 19:20:54 +01:00
|
|
|
)
|
2015-09-05 20:30:20 +02:00
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// NonceMode determines how nonces are created.
|
2016-09-20 22:59:10 +02:00
|
|
|
type NonceMode int
|
|
|
|
|
2016-06-16 19:02:47 +02:00
|
|
|
const (
|
2016-10-02 06:14:18 +02:00
|
|
|
// DefaultBS is the default plaintext block size
|
2016-06-16 19:02:47 +02:00
|
|
|
DefaultBS = 4096
|
2016-10-02 06:14:18 +02:00
|
|
|
// DefaultIVBits is the default length of IV, in bits.
|
2016-09-25 18:04:44 +02:00
|
|
|
// We always use 128-bit IVs for file content, but the
|
|
|
|
// key in the config file is encrypted with a 96-bit IV.
|
|
|
|
DefaultIVBits = 128
|
2016-09-20 22:59:10 +02:00
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
_ = iota // skip zero
|
|
|
|
// RandomNonce chooses a random nonce.
|
|
|
|
RandomNonce NonceMode = iota
|
|
|
|
// ReverseDeterministicNonce chooses a deterministic nonce, suitable for
|
|
|
|
// use in reverse mode.
|
2016-09-25 11:20:10 +02:00
|
|
|
ReverseDeterministicNonce NonceMode = iota
|
2016-10-02 06:14:18 +02:00
|
|
|
// ExternalNonce derives a nonce from external sources.
|
|
|
|
ExternalNonce NonceMode = iota
|
2016-06-16 19:02:47 +02:00
|
|
|
)
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// ContentEnc is used to encipher and decipher file content.
|
2016-06-16 19:02:47 +02:00
|
|
|
type ContentEnc struct {
|
|
|
|
// Cryptographic primitives
|
|
|
|
cryptoCore *cryptocore.CryptoCore
|
|
|
|
// Plaintext block size
|
|
|
|
plainBS uint64
|
|
|
|
// Ciphertext block size
|
|
|
|
cipherBS uint64
|
|
|
|
// All-zero block of size cipherBS, for fast compares
|
|
|
|
allZeroBlock []byte
|
2016-09-20 22:59:10 +02:00
|
|
|
// All-zero block of size IVBitLen/8, for fast compares
|
|
|
|
allZeroNonce []byte
|
2016-06-16 19:02:47 +02:00
|
|
|
}
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// New returns an initialized ContentEnc instance.
|
2016-06-16 19:02:47 +02:00
|
|
|
func New(cc *cryptocore.CryptoCore, plainBS uint64) *ContentEnc {
|
|
|
|
cipherBS := plainBS + uint64(cc.IVLen) + cryptocore.AuthTagLen
|
|
|
|
|
|
|
|
return &ContentEnc{
|
|
|
|
cryptoCore: cc,
|
|
|
|
plainBS: plainBS,
|
|
|
|
cipherBS: cipherBS,
|
|
|
|
allZeroBlock: make([]byte, cipherBS),
|
2016-09-25 17:42:59 +02:00
|
|
|
allZeroNonce: make([]byte, cc.IVLen),
|
2016-06-16 19:02:47 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-02 00:12:36 +02:00
|
|
|
// PlainBS returns the plaintext block size
|
2016-06-16 19:02:47 +02:00
|
|
|
func (be *ContentEnc) PlainBS() uint64 {
|
|
|
|
return be.plainBS
|
|
|
|
}
|
|
|
|
|
2016-07-02 00:12:36 +02:00
|
|
|
// CipherBS returns the ciphertext block size
|
|
|
|
func (be *ContentEnc) CipherBS() uint64 {
|
|
|
|
return be.cipherBS
|
|
|
|
}
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// DecryptBlocks decrypts a number of blocks
|
2016-08-30 00:20:31 +02:00
|
|
|
// TODO refactor to three-param for
|
2016-10-02 06:14:18 +02:00
|
|
|
func (be *ContentEnc) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, fileID []byte) ([]byte, error) {
|
2015-09-06 09:47:01 +02:00
|
|
|
cBuf := bytes.NewBuffer(ciphertext)
|
|
|
|
var err error
|
|
|
|
var pBuf bytes.Buffer
|
|
|
|
for cBuf.Len() > 0 {
|
|
|
|
cBlock := cBuf.Next(int(be.cipherBS))
|
2015-09-30 20:31:41 +02:00
|
|
|
var pBlock []byte
|
2016-10-02 06:14:18 +02:00
|
|
|
pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileID)
|
2015-09-06 09:47:01 +02:00
|
|
|
if err != nil {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
pBuf.Write(pBlock)
|
2015-10-06 22:27:37 +02:00
|
|
|
firstBlockNo++
|
2015-09-06 09:47:01 +02:00
|
|
|
}
|
|
|
|
return pBuf.Bytes(), err
|
|
|
|
}
|
|
|
|
|
|
|
|
// DecryptBlock - Verify and decrypt GCM block
|
2015-10-03 13:34:33 +02:00
|
|
|
//
|
|
|
|
// Corner case: A full-sized block of all-zero ciphertext bytes is translated
|
|
|
|
// to an all-zero plaintext block, i.e. file hole passtrough.
|
2016-10-02 06:14:18 +02:00
|
|
|
func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileID []byte) ([]byte, error) {
|
2015-09-05 20:30:20 +02:00
|
|
|
|
|
|
|
// Empty block?
|
|
|
|
if len(ciphertext) == 0 {
|
|
|
|
return ciphertext, nil
|
|
|
|
}
|
|
|
|
|
2015-10-03 13:34:33 +02:00
|
|
|
// All-zero block?
|
|
|
|
if bytes.Equal(ciphertext, be.allZeroBlock) {
|
2016-06-15 23:30:44 +02:00
|
|
|
tlog.Debug.Printf("DecryptBlock: file hole encountered")
|
2015-10-03 13:34:33 +02:00
|
|
|
return make([]byte, be.plainBS), nil
|
|
|
|
}
|
|
|
|
|
2016-02-06 19:20:54 +01:00
|
|
|
if len(ciphertext) < be.cryptoCore.IVLen {
|
2016-06-15 23:30:44 +02:00
|
|
|
tlog.Warn.Printf("DecryptBlock: Block is too short: %d bytes", len(ciphertext))
|
2015-09-05 20:30:20 +02:00
|
|
|
return nil, errors.New("Block is too short")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Extract nonce
|
2016-02-06 19:20:54 +01:00
|
|
|
nonce := ciphertext[:be.cryptoCore.IVLen]
|
2016-09-26 23:25:13 +02:00
|
|
|
if bytes.Equal(nonce, be.allZeroNonce) {
|
2016-10-28 20:05:57 +02:00
|
|
|
// Bug in tmpfs?
|
|
|
|
// https://github.com/rfjakob/gocryptfs/issues/56
|
|
|
|
// http://www.spinics.net/lists/kernel/msg2370127.html
|
|
|
|
return nil, errors.New("all-zero nonce")
|
2016-09-20 22:59:10 +02:00
|
|
|
}
|
2015-10-03 13:36:49 +02:00
|
|
|
ciphertextOrig := ciphertext
|
2016-02-06 19:20:54 +01:00
|
|
|
ciphertext = ciphertext[be.cryptoCore.IVLen:]
|
2015-09-05 20:30:20 +02:00
|
|
|
|
|
|
|
// Decrypt
|
|
|
|
var plaintext []byte
|
2015-10-06 22:27:37 +02:00
|
|
|
aData := make([]byte, 8)
|
2016-10-02 06:14:18 +02:00
|
|
|
aData = append(aData, fileID...)
|
2015-10-06 22:27:37 +02:00
|
|
|
binary.BigEndian.PutUint64(aData, blockNo)
|
2016-09-20 21:58:04 +02:00
|
|
|
plaintext, err := be.cryptoCore.AEADCipher.Open(plaintext, nonce, ciphertext, aData)
|
2015-09-06 10:38:43 +02:00
|
|
|
|
2015-09-05 20:30:20 +02:00
|
|
|
if err != nil {
|
2016-06-15 23:30:44 +02:00
|
|
|
tlog.Warn.Printf("DecryptBlock: %s, len=%d", err.Error(), len(ciphertextOrig))
|
|
|
|
tlog.Debug.Println(hex.Dump(ciphertextOrig))
|
2015-09-05 20:30:20 +02:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return plaintext, nil
|
|
|
|
}
|
|
|
|
|
2016-09-29 21:29:45 +02:00
|
|
|
// EncryptBlock - Encrypt plaintext using a random nonce.
|
|
|
|
// blockNo and fileID are used as associated data.
|
|
|
|
// The output is nonce + ciphertext + tag.
|
|
|
|
func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []byte) []byte {
|
|
|
|
// Get a fresh random nonce
|
|
|
|
nonce := be.cryptoCore.IVGenerator.Get()
|
|
|
|
return be.doEncryptBlock(plaintext, blockNo, fileID, nonce)
|
|
|
|
}
|
|
|
|
|
|
|
|
// EncryptBlockNonce - Encrypt plaintext using a nonce chosen by the caller.
|
|
|
|
// blockNo and fileID are used as associated data.
|
|
|
|
// The output is nonce + ciphertext + tag.
|
|
|
|
// This function can only be used in SIV mode.
|
|
|
|
func (be *ContentEnc) EncryptBlockNonce(plaintext []byte, blockNo uint64, fileID []byte, nonce []byte) []byte {
|
|
|
|
if be.cryptoCore.AEADBackend != cryptocore.BackendAESSIV {
|
2016-12-10 11:50:16 +01:00
|
|
|
log.Panic("deterministic nonces are only secure in SIV mode")
|
2016-08-30 00:20:31 +02:00
|
|
|
}
|
2016-09-29 21:29:45 +02:00
|
|
|
return be.doEncryptBlock(plaintext, blockNo, fileID, nonce)
|
2016-08-30 00:20:31 +02:00
|
|
|
}
|
|
|
|
|
2016-09-29 21:29:45 +02:00
|
|
|
// doEncryptBlock is the backend for EncryptBlock and EncryptBlockNonce.
|
|
|
|
// blockNo and fileID are used as associated data.
|
|
|
|
// The output is nonce + ciphertext + tag.
|
|
|
|
func (be *ContentEnc) doEncryptBlock(plaintext []byte, blockNo uint64, fileID []byte, nonce []byte) []byte {
|
2015-09-05 20:30:20 +02:00
|
|
|
// Empty block?
|
|
|
|
if len(plaintext) == 0 {
|
|
|
|
return plaintext
|
|
|
|
}
|
2016-09-25 17:42:59 +02:00
|
|
|
if len(nonce) != be.cryptoCore.IVLen {
|
2016-12-10 11:50:16 +01:00
|
|
|
log.Panic("wrong nonce length")
|
2016-09-25 17:42:59 +02:00
|
|
|
}
|
2015-09-05 20:30:20 +02:00
|
|
|
|
2015-12-13 20:10:52 +01:00
|
|
|
// Authenticate block with block number and file ID
|
2015-10-06 22:27:37 +02:00
|
|
|
aData := make([]byte, 8)
|
|
|
|
binary.BigEndian.PutUint64(aData, blockNo)
|
2015-12-13 20:10:52 +01:00
|
|
|
aData = append(aData, fileID...)
|
|
|
|
|
|
|
|
// Encrypt plaintext and append to nonce
|
2016-09-20 21:58:04 +02:00
|
|
|
ciphertext := be.cryptoCore.AEADCipher.Seal(nonce, nonce, plaintext, aData)
|
2015-09-05 20:30:20 +02:00
|
|
|
|
|
|
|
return ciphertext
|
|
|
|
}
|
|
|
|
|
2015-09-08 00:54:24 +02:00
|
|
|
// MergeBlocks - Merge newData into oldData at offset
|
|
|
|
// New block may be bigger than both newData and oldData
|
2016-02-06 19:20:54 +01:00
|
|
|
func (be *ContentEnc) MergeBlocks(oldData []byte, newData []byte, offset int) []byte {
|
2015-09-08 00:54:24 +02:00
|
|
|
|
|
|
|
// Make block of maximum size
|
|
|
|
out := make([]byte, be.plainBS)
|
|
|
|
|
|
|
|
// Copy old and new data into it
|
|
|
|
copy(out, oldData)
|
|
|
|
l := len(newData)
|
2015-10-04 14:36:20 +02:00
|
|
|
copy(out[offset:offset+l], newData)
|
2015-09-08 00:54:24 +02:00
|
|
|
|
|
|
|
// Crop to length
|
|
|
|
outLen := len(oldData)
|
|
|
|
newLen := offset + len(newData)
|
|
|
|
if outLen < newLen {
|
|
|
|
outLen = newLen
|
|
|
|
}
|
|
|
|
return out[0:outLen]
|
|
|
|
}
|