2016-07-06 21:51:25 +02:00
|
|
|
// Package cryptocore wraps OpenSSL and Go GCM crypto and provides
|
|
|
|
// a nonce generator.
|
2016-02-06 19:20:54 +01:00
|
|
|
package cryptocore
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/aes"
|
2016-02-06 20:23:36 +01:00
|
|
|
"crypto/cipher"
|
2016-10-04 00:12:29 +02:00
|
|
|
"crypto/sha512"
|
2016-02-06 19:20:54 +01:00
|
|
|
"fmt"
|
2016-05-04 19:09:14 +02:00
|
|
|
|
2016-09-26 23:25:13 +02:00
|
|
|
"github.com/rfjakob/gocryptfs/internal/siv_aead"
|
2016-05-04 19:09:14 +02:00
|
|
|
"github.com/rfjakob/gocryptfs/internal/stupidgcm"
|
2016-02-06 19:20:54 +01:00
|
|
|
)
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// BackendTypeEnum indicates the type of backend in use.
|
2016-09-20 21:58:04 +02:00
|
|
|
type BackendTypeEnum int
|
|
|
|
|
2016-02-06 19:20:54 +01:00
|
|
|
const (
|
2016-10-02 06:14:18 +02:00
|
|
|
// KeyLen is the cipher key length in bytes. 32 for AES-256.
|
|
|
|
KeyLen = 32
|
|
|
|
// AuthTagLen is the length of a GCM auth tag in bytes.
|
2016-02-06 20:23:36 +01:00
|
|
|
AuthTagLen = 16
|
2016-09-20 21:58:04 +02:00
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
_ = iota // Skip zero
|
|
|
|
// BackendOpenSSL specifies the OpenSSL backend.
|
2016-09-20 21:58:04 +02:00
|
|
|
BackendOpenSSL BackendTypeEnum = iota
|
2016-10-02 06:14:18 +02:00
|
|
|
// BackendGoGCM specifies the Go based GCM backend.
|
|
|
|
BackendGoGCM BackendTypeEnum = iota
|
|
|
|
// BackendAESSIV specifies an AESSIV backend.
|
|
|
|
BackendAESSIV BackendTypeEnum = iota
|
2016-02-06 19:20:54 +01:00
|
|
|
)
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// CryptoCore is the low level crypto implementation.
|
2016-02-06 19:20:54 +01:00
|
|
|
type CryptoCore struct {
|
2016-09-20 21:58:04 +02:00
|
|
|
// AES-256 block cipher. This is used for EME filename encryption.
|
2016-02-06 19:20:54 +01:00
|
|
|
BlockCipher cipher.Block
|
2016-09-26 23:25:13 +02:00
|
|
|
// GCM or AES-SIV. This is used for content encryption.
|
2016-09-20 21:58:04 +02:00
|
|
|
AEADCipher cipher.AEAD
|
2016-09-20 22:59:10 +02:00
|
|
|
// Which backend is behind AEADCipher?
|
|
|
|
AEADBackend BackendTypeEnum
|
2016-09-20 21:58:04 +02:00
|
|
|
// GCM needs unique IVs (nonces)
|
|
|
|
IVGenerator *nonceGenerator
|
2016-02-06 20:23:36 +01:00
|
|
|
IVLen int
|
2016-02-06 19:20:54 +01:00
|
|
|
}
|
|
|
|
|
2016-10-02 06:14:18 +02:00
|
|
|
// New returns a new CryptoCore object or panics.
|
2016-07-31 13:36:38 +02:00
|
|
|
//
|
|
|
|
// Even though the "GCMIV128" feature flag is now mandatory, we must still
|
|
|
|
// support 96-bit IVs here because they are used for encrypting the master
|
|
|
|
// key in gocryptfs.conf.
|
2016-09-20 21:58:04 +02:00
|
|
|
func New(key []byte, backend BackendTypeEnum, IVBitLen int) *CryptoCore {
|
2016-02-06 19:20:54 +01:00
|
|
|
if len(key) != KeyLen {
|
|
|
|
panic(fmt.Sprintf("Unsupported key length %d", len(key)))
|
|
|
|
}
|
|
|
|
// We want the IV size in bytes
|
2016-09-20 21:58:04 +02:00
|
|
|
IVLen := IVBitLen / 8
|
2016-02-06 19:20:54 +01:00
|
|
|
|
2016-07-31 13:36:38 +02:00
|
|
|
// Name encryption always uses built-in Go AES through BlockCipher.
|
|
|
|
// Content encryption uses BlockCipher only if useOpenssl=false.
|
2016-02-06 19:20:54 +01:00
|
|
|
blockCipher, err := aes.NewCipher(key)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
|
2016-10-04 00:15:27 +02:00
|
|
|
var aeadCipher cipher.AEAD
|
2016-09-20 21:58:04 +02:00
|
|
|
switch backend {
|
|
|
|
case BackendOpenSSL:
|
|
|
|
if IVLen != 16 {
|
|
|
|
panic("stupidgcm only supports 128-bit IVs")
|
|
|
|
}
|
2016-10-04 00:15:27 +02:00
|
|
|
aeadCipher = stupidgcm.New(key)
|
2016-09-20 21:58:04 +02:00
|
|
|
case BackendGoGCM:
|
2016-10-04 00:15:27 +02:00
|
|
|
aeadCipher, err = goGCMWrapper(blockCipher, IVLen)
|
2016-09-26 23:25:13 +02:00
|
|
|
case BackendAESSIV:
|
2016-10-09 17:05:12 +02:00
|
|
|
if IVLen != 16 {
|
|
|
|
// SIV supports any nonce size, but we only use 16.
|
|
|
|
panic("AES-SIV must use 16-byte nonces")
|
|
|
|
}
|
2016-10-04 00:12:29 +02:00
|
|
|
// AES-SIV uses 1/2 of the key for authentication, 1/2 for
|
|
|
|
// encryption, so we need a 64-bytes key for AES-256. Derive it from
|
|
|
|
// the master key by hashing it with SHA-512.
|
|
|
|
key64 := sha512.Sum512(key)
|
2016-10-04 00:15:27 +02:00
|
|
|
aeadCipher = siv_aead.New(key64[:])
|
2016-09-20 21:58:04 +02:00
|
|
|
default:
|
|
|
|
panic("unknown backend cipher")
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
2016-02-06 19:20:54 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return &CryptoCore{
|
|
|
|
BlockCipher: blockCipher,
|
2016-10-04 00:15:27 +02:00
|
|
|
AEADCipher: aeadCipher,
|
2016-09-20 22:59:10 +02:00
|
|
|
AEADBackend: backend,
|
2016-09-20 21:58:04 +02:00
|
|
|
IVGenerator: &nonceGenerator{nonceLen: IVLen},
|
2016-02-06 20:23:36 +01:00
|
|
|
IVLen: IVLen,
|
2016-02-06 19:20:54 +01:00
|
|
|
}
|
|
|
|
}
|