libgocryptfs/cryptfs/cryptfs_content.go

package cryptfs

// File content encryption / decryption

import (
	"bytes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"os"
)

// md5sum - debug helper, return md5 hex string
func md5sum(buf []byte) string {
	rawHash := md5.Sum(buf)
	hash := hex.EncodeToString(rawHash[:])
	return hash
}

type CryptFile struct {
	file *os.File
	gcm  cipher.AEAD
}

// DecryptBlocks - Decrypt a number of blocks
func (be *CryptFS) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, fileId []byte) ([]byte, error) {
	cBuf := bytes.NewBuffer(ciphertext)
	var err error
	var pBuf bytes.Buffer
	for cBuf.Len() > 0 {
		cBlock := cBuf.Next(int(be.cipherBS))
		var pBlock []byte
		pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileId)
		if err != nil {
			break
		}
		pBuf.Write(pBlock)
		firstBlockNo++
	}
	return pBuf.Bytes(), err
}

// DecryptBlock - Verify and decrypt GCM block
//
// Corner case: A full-sized block of all-zero ciphertext bytes is translated
// to an all-zero plaintext block, i.e. file hole passtrough.
func (be *CryptFS) DecryptBlock(ciphertext []byte, blockNo uint64, fileId []byte) ([]byte, error) {

	// Empty block?
	if len(ciphertext) == 0 {
		return ciphertext, nil
	}

	// All-zero block?
	if bytes.Equal(ciphertext, be.allZeroBlock) {
		Debug.Printf("DecryptBlock: file hole encountered")
		return make([]byte, be.plainBS), nil
	}

	if len(ciphertext) < be.gcmIVLen {
		Warn.Printf("DecryptBlock: Block is too short: %d bytes", len(ciphertext))
		return nil, errors.New("Block is too short")
	}

	// Extract nonce
	nonce := ciphertext[:be.gcmIVLen]
	ciphertextOrig := ciphertext
	ciphertext = ciphertext[be.gcmIVLen:]

	// Decrypt
	var plaintext []byte
	aData := make([]byte, 8)
	aData = append(aData, fileId...)
	binary.BigEndian.PutUint64(aData, blockNo)
	plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, aData)

	if err != nil {
		Warn.Printf("DecryptBlock: %s, len=%d, md5=%s", err.Error(), len(ciphertextOrig), md5sum(ciphertextOrig))
		Debug.Println(hex.Dump(ciphertextOrig))
		return nil, err
	}

	return plaintext, nil
}

// encryptBlock - Encrypt and add IV and MAC
func (be *CryptFS) EncryptBlock(plaintext []byte, blockNo uint64, fileID []byte) []byte {

	// Empty block?
	if len(plaintext) == 0 {
		return plaintext
	}

	// Get fresh nonce
	nonce := be.gcmIVGen.Get()

	// Authenticate block with block number and file ID
	aData := make([]byte, 8)
	binary.BigEndian.PutUint64(aData, blockNo)
	aData = append(aData, fileID...)

	// Encrypt plaintext and append to nonce
	ciphertext := be.gcm.Seal(nonce, nonce, plaintext, aData)

	return ciphertext
}

// MergeBlocks - Merge newData into oldData at offset
// New block may be bigger than both newData and oldData
func (be *CryptFS) MergeBlocks(oldData []byte, newData []byte, offset int) []byte {

	// Make block of maximum size
	out := make([]byte, be.plainBS)

	// Copy old and new data into it
	copy(out, oldData)
	l := len(newData)
	copy(out[offset:offset+l], newData)

	// Crop to length
	outLen := len(oldData)
	newLen := offset + len(newData)
	if outLen < newLen {
		outLen = newLen
	}
	return out[0:outLen]
}
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`package cryptfs`

			`// File content encryption / decryption`

			`import (`
Bundle up blocks for bigger reads from the backing filesystem 2015-09-06 09:47:01 +02:00			`"bytes"`
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`"crypto/cipher"`
debug: log inode number instead of encrypted filename Makes the log output smaller and more readable. 2015-10-03 13:36:49 +02:00			`"crypto/md5"`
Run go fmt 2015-10-07 22:58:22 +02:00			`"encoding/binary"`
debug: log inode number instead of encrypted filename Makes the log output smaller and more readable. 2015-10-03 13:36:49 +02:00			`"encoding/hex"`
Run go fmt 2015-10-04 14:36:20 +02:00			`"errors"`
			`"os"`
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`)`

debug: log inode number instead of encrypted filename Makes the log output smaller and more readable. 2015-10-03 13:36:49 +02:00			`// md5sum - debug helper, return md5 hex string`
			`func md5sum(buf []byte) string {`
			`rawHash := md5.Sum(buf)`
			`hash := hex.EncodeToString(rawHash[:])`
			`return hash`
			`}`

Cleanup and rename files 2015-09-05 20:30:20 +02:00			`type CryptFile struct {`
			`file *os.File`
Run go fmt 2015-10-04 14:36:20 +02:00			`gcm cipher.AEAD`
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`}`

Bundle up blocks for bigger reads from the backing filesystem 2015-09-06 09:47:01 +02:00			`// DecryptBlocks - Decrypt a number of blocks`
Add file header (on-disk-format change) Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random file id * Each block uses the file id and its block number as GCM authentication data * This means the position of the blocks is protected as well. The blocks can not be reordered or copied between different files without causing an decryption error. 2015-11-01 01:32:33 +01:00			`func (be *CryptFS) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, fileId []byte) ([]byte, error) {`
Bundle up blocks for bigger reads from the backing filesystem 2015-09-06 09:47:01 +02:00			`cBuf := bytes.NewBuffer(ciphertext)`
			`var err error`
			`var pBuf bytes.Buffer`
			`for cBuf.Len() > 0 {`
			`cBlock := cBuf.Next(int(be.cipherBS))`
DecryptBlocks: Don't shadow err variable 2015-09-30 20:31:41 +02:00			`var pBlock []byte`
Add file header (on-disk-format change) Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random file id * Each block uses the file id and its block number as GCM authentication data * This means the position of the blocks is protected as well. The blocks can not be reordered or copied between different files without causing an decryption error. 2015-11-01 01:32:33 +01:00			`pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileId)`
Bundle up blocks for bigger reads from the backing filesystem 2015-09-06 09:47:01 +02:00			`if err != nil {`
			`break`
			`}`
			`pBuf.Write(pBlock)`
Use block number as authentication data 2015-10-06 22:27:37 +02:00			`firstBlockNo++`
Bundle up blocks for bigger reads from the backing filesystem 2015-09-06 09:47:01 +02:00			`}`
			`return pBuf.Bytes(), err`
			`}`

			`// DecryptBlock - Verify and decrypt GCM block`
Implement file hole passtrough Fixes xfstests generic/010 Note that file holes are not authenticated, 2015-10-03 13:34:33 +02:00			`//`
			`// Corner case: A full-sized block of all-zero ciphertext bytes is translated`
			`// to an all-zero plaintext block, i.e. file hole passtrough.`
Add file header (on-disk-format change) Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random file id * Each block uses the file id and its block number as GCM authentication data * This means the position of the blocks is protected as well. The blocks can not be reordered or copied between different files without causing an decryption error. 2015-11-01 01:32:33 +01:00			`func (be *CryptFS) DecryptBlock(ciphertext []byte, blockNo uint64, fileId []byte) ([]byte, error) {`
Cleanup and rename files 2015-09-05 20:30:20 +02:00
			`// Empty block?`
			`if len(ciphertext) == 0 {`
			`return ciphertext, nil`
			`}`

Implement file hole passtrough Fixes xfstests generic/010 Note that file holes are not authenticated, 2015-10-03 13:34:33 +02:00			`// All-zero block?`
			`if bytes.Equal(ciphertext, be.allZeroBlock) {`
Convert logging to standard Go log.Logger This is in preparation of logging to syslog. 2016-01-20 20:55:56 +01:00			`Debug.Printf("DecryptBlock: file hole encountered")`
Implement file hole passtrough Fixes xfstests generic/010 Note that file holes are not authenticated, 2015-10-03 13:34:33 +02:00			`return make([]byte, be.plainBS), nil`
			`}`

Increase GCM IV size from 96 to 128 bits This pushes back the birthday bound for collisions to make it virtually irrelevant. 2015-12-19 14:41:39 +01:00			`if len(ciphertext) < be.gcmIVLen {`
Convert logging to standard Go log.Logger This is in preparation of logging to syslog. 2016-01-20 20:55:56 +01:00			`Warn.Printf("DecryptBlock: Block is too short: %d bytes", len(ciphertext))`
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`return nil, errors.New("Block is too short")`
			`}`

			`// Extract nonce`
Increase GCM IV size from 96 to 128 bits This pushes back the birthday bound for collisions to make it virtually irrelevant. 2015-12-19 14:41:39 +01:00			`nonce := ciphertext[:be.gcmIVLen]`
debug: log inode number instead of encrypted filename Makes the log output smaller and more readable. 2015-10-03 13:36:49 +02:00			`ciphertextOrig := ciphertext`
Increase GCM IV size from 96 to 128 bits This pushes back the birthday bound for collisions to make it virtually irrelevant. 2015-12-19 14:41:39 +01:00			`ciphertext = ciphertext[be.gcmIVLen:]`
Cleanup and rename files 2015-09-05 20:30:20 +02:00
			`// Decrypt`
			`var plaintext []byte`
Use block number as authentication data 2015-10-06 22:27:37 +02:00			`aData := make([]byte, 8)`
Add file header (on-disk-format change) Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random file id * Each block uses the file id and its block number as GCM authentication data * This means the position of the blocks is protected as well. The blocks can not be reordered or copied between different files without causing an decryption error. 2015-11-01 01:32:33 +01:00			`aData = append(aData, fileId...)`
Use block number as authentication data 2015-10-06 22:27:37 +02:00			`binary.BigEndian.PutUint64(aData, blockNo)`
Activate block number authentication 2015-10-20 20:26:52 +02:00			`plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, aData)`
Add OpenSSL support for file content encryption/decryption This brings streaming read performance from 30MB/s to 81MB/s (similar improvement for writes) 2015-09-06 10:38:43 +02:00
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`if err != nil {`
Convert logging to standard Go log.Logger This is in preparation of logging to syslog. 2016-01-20 20:55:56 +01:00			`Warn.Printf("DecryptBlock: %s, len=%d, md5=%s", err.Error(), len(ciphertextOrig), md5sum(ciphertextOrig))`
Fix xfstests generic/030 failure The actual fix is oldSize := f.cfs.PlainSize(uint64(fi.Size())) the rest is logging improvements 2015-10-04 00:26:20 +02:00			`Debug.Println(hex.Dump(ciphertextOrig))`
Cleanup and rename files 2015-09-05 20:30:20 +02:00			`return nil, err`
			`}`

			`return plaintext, nil`
			`}`

Add file header (on-disk-format change) Format: [ "Version" uint16 big endian ] [ "Id" 16 random bytes ] Quoting SECURITY.md: * Every file has a header that contains a 16-byte random file id * Each block uses the file id and its block number as GCM authentication data * This means the position of the blocks is protected as well. The blocks can not be reordered or copied between different files without causing an decryption error. 2015-11-01 01:32:33 +01:00			`// encryptBlock - Encrypt and add IV and MAC`
go fmt ...and minimal comment changes. 2015-12-13 20:10:52 +01:00			`func (be *CryptFS) EncryptBlock(plaintext []byte, blockNo uint64, fileID []byte) []byte {`
Cleanup and rename files 2015-09-05 20:30:20 +02:00
			`// Empty block?`
			`if len(plaintext) == 0 {`
			`return plaintext`
			`}`

			`// Get fresh nonce`
Increase GCM IV size from 96 to 128 bits This pushes back the birthday bound for collisions to make it virtually irrelevant. 2015-12-19 14:41:39 +01:00			`nonce := be.gcmIVGen.Get()`
Cleanup and rename files 2015-09-05 20:30:20 +02:00
go fmt ...and minimal comment changes. 2015-12-13 20:10:52 +01:00			`// Authenticate block with block number and file ID`
Use block number as authentication data 2015-10-06 22:27:37 +02:00			`aData := make([]byte, 8)`
			`binary.BigEndian.PutUint64(aData, blockNo)`
go fmt ...and minimal comment changes. 2015-12-13 20:10:52 +01:00			`aData = append(aData, fileID...)`

			`// Encrypt plaintext and append to nonce`
Activate block number authentication 2015-10-20 20:26:52 +02:00			`ciphertext := be.gcm.Seal(nonce, nonce, plaintext, aData)`
Cleanup and rename files 2015-09-05 20:30:20 +02:00
			`return ciphertext`
			`}`

Add pathfs frontend (uses go-fuse instead of bazil-fuse), part I Currently fails main_test.go, will be fixed in part II 2015-09-08 00:54:24 +02:00			`// MergeBlocks - Merge newData into oldData at offset`
			`// New block may be bigger than both newData and oldData`
			`func (be *CryptFS) MergeBlocks(oldData []byte, newData []byte, offset int) []byte {`

			`// Make block of maximum size`
			`out := make([]byte, be.plainBS)`

			`// Copy old and new data into it`
			`copy(out, oldData)`
			`l := len(newData)`
Run go fmt 2015-10-04 14:36:20 +02:00			`copy(out[offset:offset+l], newData)`
Add pathfs frontend (uses go-fuse instead of bazil-fuse), part I Currently fails main_test.go, will be fixed in part II 2015-09-08 00:54:24 +02:00
			`// Crop to length`
			`outLen := len(oldData)`
			`newLen := offset + len(newData)`
			`if outLen < newLen {`
			`outLen = newLen`
			`}`
			`return out[0:outLen]`
			`}`