cryptocore: drop IVLen helper var

The IVLen var seems be a net loss in clarity. Drop it. Also add comments and normalize error messages.
2021-08-21 10:55:20 +02:00 · 2021-08-21 10:55:20 +02:00 · 2da0e13b1d
parent f6be765ef6
commit 2da0e13b1d
1 changed files with 16 additions and 12 deletions
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@ -59,7 +59,8 @@ type CryptoCore struct {
 	AEADBackend AEADTypeEnum
 	// GCM needs unique IVs (nonces)
 	IVGenerator *nonceGenerator
-	IVLen       int
+	// IVLen in bytes
+	IVLen int
 }

 // New returns a new CryptoCore object or panics.
@ -75,10 +76,11 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		len(key), aeadType, IVBitLen, useHKDF, forceDecode)

 	if len(key) != KeyLen {
-		log.Panic(fmt.Sprintf("Unsupported key length %d", len(key)))
+		log.Panicf("Unsupported key length of %d bytes", len(key))
+	}
+	if IVBitLen != 96 && IVBitLen != 128 {
+		log.Panicf("Unsupported IV length of %d bits", IVBitLen)
 	}
-	// We want the IV size in bytes
-	IVLen := IVBitLen / 8

 	// Initialize EME for filename encryption.
 	var emeCipher *eme.EMECipher
@ -107,12 +109,14 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		if useHKDF {
 			gcmKey = hkdfDerive(key, hkdfInfoGCMContent, KeyLen)
 		} else {
+			// Filesystems created by gocryptfs v0.7 through v1.2 don't use HKDF.
+			// Example: tests/example_filesystems/v0.9
 			gcmKey = append([]byte{}, key...)
 		}
 		switch aeadType {
 		case BackendOpenSSL:
-			if IVLen != 16 {
-				log.Panic("stupidgcm only supports 128-bit IVs")
+			if IVBitLen != 128 {
+				log.Panicf("stupidgcm only supports 128-bit IVs, you wanted %d", IVBitLen)
 			}
 			aeadCipher = stupidgcm.New(gcmKey, forceDecode)
 		case BackendGoGCM:
@ -120,7 +124,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			if err != nil {
 				log.Panic(err)
 			}
-			aeadCipher, err = cipher.NewGCMWithNonceSize(goGcmBlockCipher, IVLen)
+			aeadCipher, err = cipher.NewGCMWithNonceSize(goGcmBlockCipher, IVBitLen/8)
 			if err != nil {
 				log.Panic(err)
 			}
@ -129,9 +133,9 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			gcmKey[i] = 0
 		}
 	} else if aeadType == BackendAESSIV {
-		if IVLen != 16 {
-			// SIV supports any nonce size, but we only use 16.
-			log.Panic("AES-SIV must use 16-byte nonces")
+		if IVBitLen != 128 {
+			// SIV supports any nonce size, but we only use 128.
+			log.Panicf("AES-SIV must use 128-bit IVs, you wanted %d", IVBitLen)
 		}
 		// AES-SIV uses 1/2 of the key for authentication, 1/2 for
 		// encryption, so we need a 64-bytes key for AES-256. Derive it from
@ -156,8 +160,8 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		EMECipher:   emeCipher,
 		AEADCipher:  aeadCipher,
 		AEADBackend: aeadType,
-		IVGenerator: &nonceGenerator{nonceLen: IVLen},
-		IVLen:       IVLen,
+		IVGenerator: &nonceGenerator{nonceLen: IVBitLen / 8},
+		IVLen:       IVBitLen / 8,
 	}
 }