Make -openssl also apply to xchacha

Now that stupidgcm supports xchacha, make it available on mount.
10 months ago · 94e8004b6c
3 changed files with 31 additions and 8 deletions
--- a/cli_args.go
+++ b/cli_args.go
@ -253,7 +253,11 @@ func parseCliOpts(osArgs []string) (args argContainer) {
 	}
 	// "-openssl" needs some post-processing
 	if opensslAuto == "auto" {
-		args.openssl = stupidgcm.PreferOpenSSLAES256GCM()
+		if args.xchacha {
+			args.openssl = stupidgcm.PreferOpenSSLXchacha20poly1305()
+		} else {
+			args.openssl = stupidgcm.PreferOpenSSLAES256GCM()
+		}
 	} else {
 		args.openssl, err = strconv.ParseBool(opensslAuto)
 		if err != nil {
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@ -32,11 +32,11 @@ type AEADTypeEnum struct {
 	NonceSize int
 }

-// BackendOpenSSL specifies the OpenSSL backend.
+// BackendOpenSSL specifies the OpenSSL AES-256-GCM backend.
 // "AES-GCM-256-OpenSSL" in gocryptfs -speed.
 var BackendOpenSSL AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-OpenSSL", 16}

-// BackendGoGCM specifies the Go based GCM backend.
+// BackendGoGCM specifies the Go based AES-256-GCM backend.
 // "AES-GCM-256-Go" in gocryptfs -speed.
 var BackendGoGCM AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-Go", 16}

@ -130,6 +130,8 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			if err != nil {
 				log.Panic(err)
 			}
+		default:
+			log.Panicf("BUG: unhandled case: %v", aeadType)
 		}
 		for i := range gcmKey {
 			gcmKey[i] = 0
@ -154,7 +156,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 		for i := range key64 {
 			key64[i] = 0
 		}
-	} else if aeadType == BackendXChaCha20Poly1305 {
+	} else if aeadType == BackendXChaCha20Poly1305 || aeadType == BackendXChaCha20Poly1305OpenSSL {
 		// We don't support legacy modes with XChaCha20-Poly1305
 		if IVBitLen != chacha20poly1305.NonceSizeX*8 {
 			log.Panicf("XChaCha20-Poly1305 must use 192-bit IVs, you wanted %d", IVBitLen)
@ -163,7 +165,13 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
 			log.Panic("XChaCha20-Poly1305 must use HKDF, but it is disabled")
 		}
 		derivedKey := hkdfDerive(key, hkdfInfoXChaChaPoly1305Content, chacha20poly1305.KeySize)
-		aeadCipher, err = chacha20poly1305.NewX(derivedKey)
+		if aeadType == BackendXChaCha20Poly1305 {
+			aeadCipher, err = chacha20poly1305.NewX(derivedKey)
+		} else if aeadType == BackendXChaCha20Poly1305OpenSSL {
+			aeadCipher = stupidgcm.NewXchacha20poly1305(derivedKey)
+		} else {
+			log.Panicf("BUG: unhandled case: %v", aeadType)
+		}
 		if err != nil {
 			log.Panic(err)
 		}
--- a/mount.go
+++ b/mount.go
@ -259,7 +259,11 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 		cryptoBackend = cryptocore.BackendAESSIV
 	}
 	if args.xchacha {
-		cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+		if args.openssl {
+			cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+		} else {
+			cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+		}
 		IVBits = chacha20poly1305.NonceSizeX * 8
 	}
 	// forceOwner implies allow_other, as documented.
@ -291,6 +295,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 		frontendArgs.DeterministicNames = !confFile.IsFeatureFlagSet(configfile.FlagDirIV)
 		args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64)
 		args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF)
+		// Note: this will always return the non-openssl variant
 		cryptoBackend, err = confFile.ContentEncryption()
 		if err != nil {
 			tlog.Fatal.Printf("%v", err)
@ -301,8 +306,14 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 			tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file")
 			os.Exit(exitcodes.Usage)
 		}
-		if cryptoBackend == cryptocore.BackendGoGCM && args.openssl {
-			cryptoBackend = cryptocore.BackendOpenSSL
+		// Upgrade to OpenSSL variant if requested
+		if args.openssl {
+			switch cryptoBackend {
+			case cryptocore.BackendGoGCM:
+				cryptoBackend = cryptocore.BackendOpenSSL
+			case cryptocore.BackendXChaCha20Poly1305:
+				cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+			}
 		}
 	}
 	// If allow_other is set and we run as root, try to give newly created files to