diff --git a/cli_args.go b/cli_args.go index 7175006..d666b47 100644 --- a/cli_args.go +++ b/cli_args.go @@ -253,7 +253,11 @@ func parseCliOpts(osArgs []string) (args argContainer) { } // "-openssl" needs some post-processing if opensslAuto == "auto" { - args.openssl = stupidgcm.PreferOpenSSLAES256GCM() + if args.xchacha { + args.openssl = stupidgcm.PreferOpenSSLXchacha20poly1305() + } else { + args.openssl = stupidgcm.PreferOpenSSLAES256GCM() + } } else { args.openssl, err = strconv.ParseBool(opensslAuto) if err != nil { diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go index d7b7527..dd7c98b 100644 --- a/internal/cryptocore/cryptocore.go +++ b/internal/cryptocore/cryptocore.go @@ -32,11 +32,11 @@ type AEADTypeEnum struct { NonceSize int } -// BackendOpenSSL specifies the OpenSSL backend. +// BackendOpenSSL specifies the OpenSSL AES-256-GCM backend. // "AES-GCM-256-OpenSSL" in gocryptfs -speed. var BackendOpenSSL AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-OpenSSL", 16} -// BackendGoGCM specifies the Go based GCM backend. +// BackendGoGCM specifies the Go based AES-256-GCM backend. // "AES-GCM-256-Go" in gocryptfs -speed. var BackendGoGCM AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-Go", 16} @@ -130,6 +130,8 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec if err != nil { log.Panic(err) } + default: + log.Panicf("BUG: unhandled case: %v", aeadType) } for i := range gcmKey { gcmKey[i] = 0 @@ -154,7 +156,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec for i := range key64 { key64[i] = 0 } - } else if aeadType == BackendXChaCha20Poly1305 { + } else if aeadType == BackendXChaCha20Poly1305 || aeadType == BackendXChaCha20Poly1305OpenSSL { // We don't support legacy modes with XChaCha20-Poly1305 if IVBitLen != chacha20poly1305.NonceSizeX*8 { log.Panicf("XChaCha20-Poly1305 must use 192-bit IVs, you wanted %d", IVBitLen) @@ -163,7 +165,13 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec log.Panic("XChaCha20-Poly1305 must use HKDF, but it is disabled") } derivedKey := hkdfDerive(key, hkdfInfoXChaChaPoly1305Content, chacha20poly1305.KeySize) - aeadCipher, err = chacha20poly1305.NewX(derivedKey) + if aeadType == BackendXChaCha20Poly1305 { + aeadCipher, err = chacha20poly1305.NewX(derivedKey) + } else if aeadType == BackendXChaCha20Poly1305OpenSSL { + aeadCipher = stupidgcm.NewXchacha20poly1305(derivedKey) + } else { + log.Panicf("BUG: unhandled case: %v", aeadType) + } if err != nil { log.Panic(err) } diff --git a/mount.go b/mount.go index d7cd7db..b1c76dd 100644 --- a/mount.go +++ b/mount.go @@ -259,7 +259,11 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f cryptoBackend = cryptocore.BackendAESSIV } if args.xchacha { - cryptoBackend = cryptocore.BackendXChaCha20Poly1305 + if args.openssl { + cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL + } else { + cryptoBackend = cryptocore.BackendXChaCha20Poly1305 + } IVBits = chacha20poly1305.NonceSizeX * 8 } // forceOwner implies allow_other, as documented. @@ -291,6 +295,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f frontendArgs.DeterministicNames = !confFile.IsFeatureFlagSet(configfile.FlagDirIV) args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64) args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF) + // Note: this will always return the non-openssl variant cryptoBackend, err = confFile.ContentEncryption() if err != nil { tlog.Fatal.Printf("%v", err) @@ -301,8 +306,14 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file") os.Exit(exitcodes.Usage) } - if cryptoBackend == cryptocore.BackendGoGCM && args.openssl { - cryptoBackend = cryptocore.BackendOpenSSL + // Upgrade to OpenSSL variant if requested + if args.openssl { + switch cryptoBackend { + case cryptocore.BackendGoGCM: + cryptoBackend = cryptocore.BackendOpenSSL + case cryptocore.BackendXChaCha20Poly1305: + cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL + } } } // If allow_other is set and we run as root, try to give newly created files to