Add OpenSSL support for file content encryption/decryption
This brings streaming read performance from 30MB/s to 81MB/s (similar improvement for writes)
This commit is contained in:
parent
ad3a1a8899
commit
58d1e24b7c
@ -20,21 +20,26 @@ type CryptFS struct {
|
|||||||
cipherBS uint64
|
cipherBS uint64
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewCryptFS(key [16]byte) *CryptFS {
|
func NewCryptFS(key [16]byte, useOpenssl bool) *CryptFS {
|
||||||
|
|
||||||
b, err := aes.NewCipher(key[:])
|
b, err := aes.NewCipher(key[:])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
g, err := cipher.NewGCM(b)
|
var gcm cipher.AEAD
|
||||||
|
if useOpenssl {
|
||||||
|
gcm = opensslGCM{key}
|
||||||
|
} else {
|
||||||
|
gcm, err = cipher.NewGCM(b)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return &CryptFS{
|
return &CryptFS{
|
||||||
blockCipher: b,
|
blockCipher: b,
|
||||||
gcm: g,
|
gcm: gcm,
|
||||||
plainBS: DEFAULT_PLAINBS,
|
plainBS: DEFAULT_PLAINBS,
|
||||||
cipherBS: DEFAULT_PLAINBS + NONCE_LEN + AUTH_TAG_LEN,
|
cipherBS: DEFAULT_PLAINBS + NONCE_LEN + AUTH_TAG_LEN,
|
||||||
}
|
}
|
||||||
|
@ -49,8 +49,11 @@ func (be *CryptFS) DecryptBlock(ciphertext []byte) ([]byte, error) {
|
|||||||
|
|
||||||
// Decrypt
|
// Decrypt
|
||||||
var plaintext []byte
|
var plaintext []byte
|
||||||
|
|
||||||
plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, nil)
|
plaintext, err := be.gcm.Open(plaintext, nonce, ciphertext, nil)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
Warn.Printf("DecryptBlock: %s\n", err.Error())
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
93
cryptfs/openssl_aead.go
Normal file
93
cryptfs/openssl_aead.go
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
package cryptfs
|
||||||
|
|
||||||
|
// Implements cipher.AEAD with OpenSSL backend
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"github.com/spacemonkeygo/openssl"
|
||||||
|
)
|
||||||
|
|
||||||
|
type opensslGCM struct {
|
||||||
|
key [16]byte
|
||||||
|
}
|
||||||
|
|
||||||
|
func (be opensslGCM) Overhead() int {
|
||||||
|
return AUTH_TAG_LEN
|
||||||
|
}
|
||||||
|
|
||||||
|
func (be opensslGCM) NonceSize() int {
|
||||||
|
return NONCE_LEN
|
||||||
|
}
|
||||||
|
|
||||||
|
// Seal encrypts and authenticates plaintext, authenticates the
|
||||||
|
// additional data and appends the result to dst, returning the updated
|
||||||
|
// slice. The nonce must be NonceSize() bytes long and unique for all
|
||||||
|
// time, for a given key.
|
||||||
|
//
|
||||||
|
// The plaintext and dst may alias exactly or not at all.
|
||||||
|
func (be opensslGCM) Seal(dst, nonce, plaintext, data []byte) []byte {
|
||||||
|
|
||||||
|
cipherBuf := bytes.NewBuffer(dst)
|
||||||
|
|
||||||
|
ectx, err := openssl.NewGCMEncryptionCipherCtx(128, nil, be.key[:], nonce[:])
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
part, err := ectx.EncryptUpdate(plaintext)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
cipherBuf.Write(part)
|
||||||
|
part, err = ectx.EncryptFinal()
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
cipherBuf.Write(part)
|
||||||
|
part, err = ectx.GetTag()
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
cipherBuf.Write(part)
|
||||||
|
|
||||||
|
return cipherBuf.Bytes()
|
||||||
|
}
|
||||||
|
|
||||||
|
// Open decrypts and authenticates ciphertext, authenticates the
|
||||||
|
// additional data and, if successful, appends the resulting plaintext
|
||||||
|
// to dst, returning the updated slice. The nonce must be NonceSize()
|
||||||
|
// bytes long and both it and the additional data must match the
|
||||||
|
// value passed to Seal.
|
||||||
|
//
|
||||||
|
// The ciphertext and dst may alias exactly or not at all.
|
||||||
|
func (be opensslGCM) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
|
||||||
|
|
||||||
|
if len(data) > 0 {
|
||||||
|
panic("Extra data is not supported")
|
||||||
|
}
|
||||||
|
|
||||||
|
l := len(ciphertext)
|
||||||
|
tag := ciphertext[l-AUTH_TAG_LEN:l]
|
||||||
|
ciphertext = ciphertext[0:l-AUTH_TAG_LEN]
|
||||||
|
plainBuf := bytes.NewBuffer(dst)
|
||||||
|
|
||||||
|
dctx, err := openssl.NewGCMDecryptionCipherCtx(128, nil, be.key[:], nonce[:])
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
part, err := dctx.DecryptUpdate(ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
plainBuf.Write(part)
|
||||||
|
err = dctx.SetTag(tag)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
part, err = dctx.DecryptFinal()
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
plainBuf.Write(part)
|
||||||
|
|
||||||
|
return plainBuf.Bytes(), nil
|
||||||
|
}
|
@ -27,14 +27,14 @@ type nullTracer struct {}
|
|||||||
|
|
||||||
func (nullTracer) Trace(op cluefs.FsOperTracer) {}
|
func (nullTracer) Trace(op cluefs.FsOperTracer) {}
|
||||||
|
|
||||||
func NewFS(key [16]byte, backing string) *FS {
|
func NewFS(key [16]byte, backing string, useOpenssl bool) *FS {
|
||||||
var nt nullTracer
|
var nt nullTracer
|
||||||
clfs, err := cluefs.NewClueFS(backing, nt)
|
clfs, err := cluefs.NewClueFS(backing, nt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
return &FS {
|
return &FS {
|
||||||
CryptFS: cryptfs.NewCryptFS(key),
|
CryptFS: cryptfs.NewCryptFS(key, useOpenssl),
|
||||||
ClueFS: clfs,
|
ClueFS: clfs,
|
||||||
backing: backing,
|
backing: backing,
|
||||||
}
|
}
|
||||||
|
3
main.go
3
main.go
@ -11,6 +11,7 @@ import (
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
PROGRAM_NAME = "gocryptfs"
|
PROGRAM_NAME = "gocryptfs"
|
||||||
|
USE_OPENSSL = true
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
@ -22,7 +23,7 @@ func main() {
|
|||||||
|
|
||||||
// Create the file system object
|
// Create the file system object
|
||||||
var key [16]byte
|
var key [16]byte
|
||||||
cfs := frontend.NewFS(key, conf.GetShadowDir())
|
cfs := frontend.NewFS(key, conf.GetShadowDir(), USE_OPENSSL)
|
||||||
|
|
||||||
// Mount the file system
|
// Mount the file system
|
||||||
mountOpts := []fuse.MountOption{
|
mountOpts := []fuse.MountOption{
|
||||||
|
Loading…
Reference in New Issue
Block a user