Add OpenSSL support for file content encryption/decryption

This brings streaming read performance from 30MB/s to 81MB/s
(similar improvement for writes)
This commit is contained in:
Jakob Unterwurzacher 2015-09-06 10:38:43 +02:00
parent ad3a1a8899
commit 58d1e24b7c
5 changed files with 110 additions and 8 deletions

View File

@ -20,21 +20,26 @@ type CryptFS struct {
cipherBS uint64 cipherBS uint64
} }
func NewCryptFS(key [16]byte) *CryptFS { func NewCryptFS(key [16]byte, useOpenssl bool) *CryptFS {
b, err := aes.NewCipher(key[:]) b, err := aes.NewCipher(key[:])
if err != nil { if err != nil {
panic(err) panic(err)
} }
g, err := cipher.NewGCM(b) var gcm cipher.AEAD
if useOpenssl {
gcm = opensslGCM{key}
} else {
gcm, err = cipher.NewGCM(b)
if err != nil { if err != nil {
panic(err) panic(err)
} }
}
return &CryptFS{ return &CryptFS{
blockCipher: b, blockCipher: b,
gcm: g, gcm: gcm,
plainBS: DEFAULT_PLAINBS, plainBS: DEFAULT_PLAINBS,
cipherBS: DEFAULT_PLAINBS + NONCE_LEN + AUTH_TAG_LEN, cipherBS: DEFAULT_PLAINBS + NONCE_LEN + AUTH_TAG_LEN,
} }

View File

@ -49,8 +49,11 @@ func (be *CryptFS) DecryptBlock(ciphertext []byte) ([]byte, error) {
// Decrypt // Decrypt
var plaintext []byte var plaintext []byte
plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, nil) plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, nil)
if err != nil { if err != nil {
Warn.Printf("DecryptBlock: %s\n", err.Error())
return nil, err return nil, err
} }

93
cryptfs/openssl_aead.go Normal file
View File

@ -0,0 +1,93 @@
package cryptfs
// Implements cipher.AEAD with OpenSSL backend
import (
"bytes"
"github.com/spacemonkeygo/openssl"
)
type opensslGCM struct {
key [16]byte
}
func (be opensslGCM) Overhead() int {
return AUTH_TAG_LEN
}
func (be opensslGCM) NonceSize() int {
return NONCE_LEN
}
// Seal encrypts and authenticates plaintext, authenticates the
// additional data and appends the result to dst, returning the updated
// slice. The nonce must be NonceSize() bytes long and unique for all
// time, for a given key.
//
// The plaintext and dst may alias exactly or not at all.
func (be opensslGCM) Seal(dst, nonce, plaintext, data []byte) []byte {
cipherBuf := bytes.NewBuffer(dst)
ectx, err := openssl.NewGCMEncryptionCipherCtx(128, nil, be.key[:], nonce[:])
if err != nil {
panic(err)
}
part, err := ectx.EncryptUpdate(plaintext)
if err != nil {
panic(err)
}
cipherBuf.Write(part)
part, err = ectx.EncryptFinal()
if err != nil {
panic(err)
}
cipherBuf.Write(part)
part, err = ectx.GetTag()
if err != nil {
panic(err)
}
cipherBuf.Write(part)
return cipherBuf.Bytes()
}
// Open decrypts and authenticates ciphertext, authenticates the
// additional data and, if successful, appends the resulting plaintext
// to dst, returning the updated slice. The nonce must be NonceSize()
// bytes long and both it and the additional data must match the
// value passed to Seal.
//
// The ciphertext and dst may alias exactly or not at all.
func (be opensslGCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
if len(data) > 0 {
panic("Extra data is not supported")
}
l := len(ciphertext)
tag := ciphertext[l-AUTH_TAG_LEN:l]
ciphertext = ciphertext[0:l-AUTH_TAG_LEN]
plainBuf := bytes.NewBuffer(dst)
dctx, err := openssl.NewGCMDecryptionCipherCtx(128, nil, be.key[:], nonce[:])
if err != nil {
return nil, err
}
part, err := dctx.DecryptUpdate(ciphertext)
if err != nil {
return nil, err
}
plainBuf.Write(part)
err = dctx.SetTag(tag)
if err != nil {
return nil, err
}
part, err = dctx.DecryptFinal()
if err != nil {
return nil, err
}
plainBuf.Write(part)
return plainBuf.Bytes(), nil
}

View File

@ -27,14 +27,14 @@ type nullTracer struct {}
func (nullTracer) Trace(op cluefs.FsOperTracer) {} func (nullTracer) Trace(op cluefs.FsOperTracer) {}
func NewFS(key [16]byte, backing string) *FS { func NewFS(key [16]byte, backing string, useOpenssl bool) *FS {
var nt nullTracer var nt nullTracer
clfs, err := cluefs.NewClueFS(backing, nt) clfs, err := cluefs.NewClueFS(backing, nt)
if err != nil { if err != nil {
panic(err) panic(err)
} }
return &FS { return &FS {
CryptFS: cryptfs.NewCryptFS(key), CryptFS: cryptfs.NewCryptFS(key, useOpenssl),
ClueFS: clfs, ClueFS: clfs,
backing: backing, backing: backing,
} }

View File

@ -11,6 +11,7 @@ import (
const ( const (
PROGRAM_NAME = "gocryptfs" PROGRAM_NAME = "gocryptfs"
USE_OPENSSL = true
) )
func main() { func main() {
@ -22,7 +23,7 @@ func main() {
// Create the file system object // Create the file system object
var key [16]byte var key [16]byte
cfs := frontend.NewFS(key, conf.GetShadowDir()) cfs := frontend.NewFS(key, conf.GetShadowDir(), USE_OPENSSL)
// Mount the file system // Mount the file system
mountOpts := []fuse.MountOption{ mountOpts := []fuse.MountOption{