contentenc: add "ExternalNonce" mode

This will be used for strong symlink encryption in reverse mode.

internal/configfile/config_file.go

@@ -168,7 +168,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
 	// Lock master key using password-based key
 	cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, 96)
 	ce := contentenc.New(cc, 4096)
-	cf.EncryptedKey = ce.EncryptBlock(key, 0, nil, contentenc.RandomNonce)
+	cf.EncryptedKey = ce.EncryptBlock(key, 0, nil, contentenc.RandomNonce, nil)
 }
 
 // WriteFile - write out config in JSON format to file "filename.tmp"

internal/contentenc/content.go

@@ -22,6 +22,7 @@ const (
 	_                                   = iota // skip zero
 	RandomNonce               NonceMode = iota
 	ReverseDeterministicNonce NonceMode = iota
+	ExternalNonce             NonceMode = iota
 )
 
 type ContentEnc struct {
@@ -46,7 +47,7 @@ func New(cc *cryptocore.CryptoCore, plainBS uint64) *ContentEnc {
 		plainBS:      plainBS,
 		cipherBS:     cipherBS,
 		allZeroBlock: make([]byte, cipherBS),
-		allZeroNonce: make([]byte, IVBitLen/8),
+		allZeroNonce: make([]byte, cc.IVLen),
 	}
 }
 
@@ -132,14 +133,14 @@ func (be *ContentEnc) EncryptBlocks(plaintext []byte, firstBlockNo uint64, fileI
 	var outBuf bytes.Buffer
 	for blockNo := firstBlockNo; inBuf.Len() > 0; blockNo++ {
 		inBlock := inBuf.Next(int(be.plainBS))
-		outBlock := be.EncryptBlock(inBlock, blockNo, fileId, nMode)
+		outBlock := be.EncryptBlock(inBlock, blockNo, fileId, nMode, nil)
 		outBuf.Write(outBlock)
 	}
 	return outBuf.Bytes()
 }
 
 // encryptBlock - Encrypt and add IV and MAC
-func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []byte, nMode NonceMode) []byte {
+func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []byte, nMode NonceMode, externalNonce []byte) []byte {
 	// Empty block?
 	if len(plaintext) == 0 {
 		return plaintext
@@ -147,11 +148,16 @@ func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []by
 
 	var nonce []byte
 	switch nMode {
+	case ExternalNonce:
+		if be.cryptoCore.AEADBackend != cryptocore.BackendGCMSIV {
+			panic("MUST NOT use deterministic nonces unless in GCMSIV mode!")
+		}
+		nonce = externalNonce
 	case ReverseDeterministicNonce:
 		if be.cryptoCore.AEADBackend != cryptocore.BackendGCMSIV {
 			panic("MUST NOT use deterministic nonces unless in GCMSIV mode!")
 		}
-		l := IVBitLen / 8
+		l := be.cryptoCore.IVLen
 		nonce = make([]byte, l)
 		copy(nonce, fileID)
 		// Add the block number to the last 8 byte. Plus one so the block-zero
@@ -164,6 +170,9 @@ func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []by
 	default:
 		panic("invalid nonce mode")
 	}
+	if len(nonce) != be.cryptoCore.IVLen {
+		panic("wrong nonce length")
+	}
 
 	// Authenticate block with block number and file ID
 	aData := make([]byte, 8)

internal/fusefrontend/file.go

@@ -256,7 +256,7 @@ func (f *file) doWrite(data []byte, off int64) (uint32, fuse.Status) {
 
 		// Encrypt
 		blockOffset := b.BlockCipherOff()
-		blockData = f.contentEnc.EncryptBlock(blockData, b.BlockNo, f.header.Id, contentenc.RandomNonce)
+		blockData = f.contentEnc.EncryptBlock(blockData, b.BlockNo, f.header.Id, contentenc.RandomNonce, nil)
 		tlog.Debug.Printf("ino%d: Writing %d bytes to block #%d",
 			f.ino, uint64(len(blockData))-f.contentEnc.BlockOverhead(), b.BlockNo)
 

internal/fusefrontend/fs.go

@@ -326,7 +326,7 @@ func (fs *FS) Symlink(target string, linkName string, context *fuse.Context) (co
 		return fuse.ToStatus(err)
 	}
 	// Symlinks are encrypted like file contents (GCM) and base64-encoded
-	cBinTarget := fs.contentEnc.EncryptBlock([]byte(target), 0, nil, contentenc.RandomNonce)
+	cBinTarget := fs.contentEnc.EncryptBlock([]byte(target), 0, nil, contentenc.RandomNonce, nil)
 	cTarget := base64.URLEncoding.EncodeToString(cBinTarget)
 
 	// Handle long file name