libgocryptfs: update to gocryptfs v2.2.0
This commit is contained in:
commit
bd5d53f50e
@ -301,7 +301,7 @@ func (cf *ConfFile) WriteFile() error {
|
|||||||
err = fd.Sync()
|
err = fd.Sync()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// This can happen on network drives: FRITZ.NAS mounted on MacOS returns
|
// This can happen on network drives: FRITZ.NAS mounted on MacOS returns
|
||||||
// "operation not supported": https://github.com/rfjakob/gocryptfs/v2/issues/390
|
// "operation not supported": https://github.com/rfjakob/gocryptfs/issues/390
|
||||||
// Try sync instead
|
// Try sync instead
|
||||||
syscall.Sync()
|
syscall.Sync()
|
||||||
}
|
}
|
||||||
@ -322,8 +322,8 @@ func getKeyEncrypter(scryptHash []byte, useHKDF bool) *contentenc.ContentEnc {
|
|||||||
if useHKDF {
|
if useHKDF {
|
||||||
IVLen = contentenc.DefaultIVBits
|
IVLen = contentenc.DefaultIVBits
|
||||||
}
|
}
|
||||||
cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, IVLen, useHKDF, false)
|
cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, IVLen, useHKDF)
|
||||||
ce := contentenc.New(cc, 4096, false)
|
ce := contentenc.New(cc, 4096)
|
||||||
return ce
|
return ce
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -10,7 +10,6 @@ import (
|
|||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
"../cryptocore"
|
"../cryptocore"
|
||||||
"../stupidgcm"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -40,8 +39,6 @@ type ContentEnc struct {
|
|||||||
allZeroBlock []byte
|
allZeroBlock []byte
|
||||||
// All-zero block of size IVBitLen/8, for fast compares
|
// All-zero block of size IVBitLen/8, for fast compares
|
||||||
allZeroNonce []byte
|
allZeroNonce []byte
|
||||||
// Force decode even if integrity check fails (openSSL only)
|
|
||||||
forceDecode bool
|
|
||||||
|
|
||||||
// Ciphertext block "sync.Pool" pool. Always returns cipherBS-sized byte
|
// Ciphertext block "sync.Pool" pool. Always returns cipherBS-sized byte
|
||||||
// slices (usually 4128 bytes).
|
// slices (usually 4128 bytes).
|
||||||
@ -59,7 +56,7 @@ type ContentEnc struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// New returns an initialized ContentEnc instance.
|
// New returns an initialized ContentEnc instance.
|
||||||
func New(cc *cryptocore.CryptoCore, plainBS uint64, forceDecode bool) *ContentEnc {
|
func New(cc *cryptocore.CryptoCore, plainBS uint64) *ContentEnc {
|
||||||
if MAX_KERNEL_WRITE%plainBS != 0 {
|
if MAX_KERNEL_WRITE%plainBS != 0 {
|
||||||
log.Panicf("unaligned MAX_KERNEL_WRITE=%d", MAX_KERNEL_WRITE)
|
log.Panicf("unaligned MAX_KERNEL_WRITE=%d", MAX_KERNEL_WRITE)
|
||||||
}
|
}
|
||||||
@ -77,7 +74,6 @@ func New(cc *cryptocore.CryptoCore, plainBS uint64, forceDecode bool) *ContentEn
|
|||||||
cipherBS: cipherBS,
|
cipherBS: cipherBS,
|
||||||
allZeroBlock: make([]byte, cipherBS),
|
allZeroBlock: make([]byte, cipherBS),
|
||||||
allZeroNonce: make([]byte, cc.IVLen),
|
allZeroNonce: make([]byte, cc.IVLen),
|
||||||
forceDecode: forceDecode,
|
|
||||||
cBlockPool: newBPool(int(cipherBS)),
|
cBlockPool: newBPool(int(cipherBS)),
|
||||||
CReqPool: newBPool(cReqSize),
|
CReqPool: newBPool(cReqSize),
|
||||||
pBlockPool: newBPool(int(plainBS)),
|
pBlockPool: newBPool(int(plainBS)),
|
||||||
@ -107,10 +103,8 @@ func (be *ContentEnc) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, file
|
|||||||
var pBlock []byte
|
var pBlock []byte
|
||||||
pBlock, err = be.DecryptBlock(cBlock, blockNo, fileID)
|
pBlock, err = be.DecryptBlock(cBlock, blockNo, fileID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if !(be.forceDecode && err == stupidgcm.ErrAuth) {
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
|
||||||
pBuf.Write(pBlock)
|
pBuf.Write(pBlock)
|
||||||
be.pBlockPool.Put(pBlock)
|
be.pBlockPool.Put(pBlock)
|
||||||
blockNo++
|
blockNo++
|
||||||
@ -159,7 +153,7 @@ func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileID []b
|
|||||||
nonce := ciphertext[:be.cryptoCore.IVLen]
|
nonce := ciphertext[:be.cryptoCore.IVLen]
|
||||||
if bytes.Equal(nonce, be.allZeroNonce) {
|
if bytes.Equal(nonce, be.allZeroNonce) {
|
||||||
// Bug in tmpfs?
|
// Bug in tmpfs?
|
||||||
// https://github.com/rfjakob/gocryptfs/v2/issues/56
|
// https://github.com/rfjakob/gocryptfs/issues/56
|
||||||
// http://www.spinics.net/lists/kernel/msg2370127.html
|
// http://www.spinics.net/lists/kernel/msg2370127.html
|
||||||
return nil, errors.New("all-zero nonce")
|
return nil, errors.New("all-zero nonce")
|
||||||
}
|
}
|
||||||
@ -172,9 +166,6 @@ func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileID []b
|
|||||||
plaintext, err := be.cryptoCore.AEADCipher.Open(plaintext, nonce, ciphertext, aData)
|
plaintext, err := be.cryptoCore.AEADCipher.Open(plaintext, nonce, ciphertext, aData)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if be.forceDecode && err == stupidgcm.ErrAuth {
|
|
||||||
return plaintext, err
|
|
||||||
}
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,11 +31,11 @@ type AEADTypeEnum struct {
|
|||||||
NonceSize int
|
NonceSize int
|
||||||
}
|
}
|
||||||
|
|
||||||
// BackendOpenSSL specifies the OpenSSL backend.
|
// BackendOpenSSL specifies the OpenSSL AES-256-GCM backend.
|
||||||
// "AES-GCM-256-OpenSSL" in gocryptfs -speed.
|
// "AES-GCM-256-OpenSSL" in gocryptfs -speed.
|
||||||
var BackendOpenSSL AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-OpenSSL", 16}
|
var BackendOpenSSL AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-OpenSSL", 16}
|
||||||
|
|
||||||
// BackendGoGCM specifies the Go based GCM backend.
|
// BackendGoGCM specifies the Go based AES-256-GCM backend.
|
||||||
// "AES-GCM-256-Go" in gocryptfs -speed.
|
// "AES-GCM-256-Go" in gocryptfs -speed.
|
||||||
var BackendGoGCM AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-Go", 16}
|
var BackendGoGCM AEADTypeEnum = AEADTypeEnum{"AES-GCM-256-Go", 16}
|
||||||
|
|
||||||
@ -47,6 +47,9 @@ var BackendAESSIV AEADTypeEnum = AEADTypeEnum{"AES-SIV-512-Go", siv_aead.NonceSi
|
|||||||
// "XChaCha20-Poly1305-Go" in gocryptfs -speed.
|
// "XChaCha20-Poly1305-Go" in gocryptfs -speed.
|
||||||
var BackendXChaCha20Poly1305 AEADTypeEnum = AEADTypeEnum{"XChaCha20-Poly1305-Go", chacha20poly1305.NonceSizeX}
|
var BackendXChaCha20Poly1305 AEADTypeEnum = AEADTypeEnum{"XChaCha20-Poly1305-Go", chacha20poly1305.NonceSizeX}
|
||||||
|
|
||||||
|
// BackendXChaCha20Poly1305OpenSSL specifies XChaCha20-Poly1305-OpenSSL.
|
||||||
|
var BackendXChaCha20Poly1305OpenSSL AEADTypeEnum = AEADTypeEnum{"XChaCha20-Poly1305-OpenSSL", chacha20poly1305.NonceSizeX}
|
||||||
|
|
||||||
// CryptoCore is the low level crypto implementation.
|
// CryptoCore is the low level crypto implementation.
|
||||||
type CryptoCore struct {
|
type CryptoCore struct {
|
||||||
// EME is used for filename encryption.
|
// EME is used for filename encryption.
|
||||||
@ -69,7 +72,7 @@ type CryptoCore struct {
|
|||||||
//
|
//
|
||||||
// Note: "key" is either the scrypt hash of the password (when decrypting
|
// Note: "key" is either the scrypt hash of the password (when decrypting
|
||||||
// a config file) or the masterkey (when finally mounting the filesystem).
|
// a config file) or the masterkey (when finally mounting the filesystem).
|
||||||
func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDecode bool) *CryptoCore {
|
func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool) *CryptoCore {
|
||||||
if len(key) != KeyLen {
|
if len(key) != KeyLen {
|
||||||
log.Panicf("Unsupported key length of %d bytes", len(key))
|
log.Panicf("Unsupported key length of %d bytes", len(key))
|
||||||
}
|
}
|
||||||
@ -113,7 +116,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
|
|||||||
if IVBitLen != 128 {
|
if IVBitLen != 128 {
|
||||||
log.Panicf("stupidgcm only supports 128-bit IVs, you wanted %d", IVBitLen)
|
log.Panicf("stupidgcm only supports 128-bit IVs, you wanted %d", IVBitLen)
|
||||||
}
|
}
|
||||||
aeadCipher = stupidgcm.New(gcmKey, forceDecode)
|
aeadCipher = stupidgcm.NewAES256GCM(gcmKey)
|
||||||
case BackendGoGCM:
|
case BackendGoGCM:
|
||||||
goGcmBlockCipher, err := aes.NewCipher(gcmKey)
|
goGcmBlockCipher, err := aes.NewCipher(gcmKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -123,6 +126,8 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panic(err)
|
log.Panic(err)
|
||||||
}
|
}
|
||||||
|
default:
|
||||||
|
log.Panicf("BUG: unhandled case: %v", aeadType)
|
||||||
}
|
}
|
||||||
for i := range gcmKey {
|
for i := range gcmKey {
|
||||||
gcmKey[i] = 0
|
gcmKey[i] = 0
|
||||||
@ -147,7 +152,7 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
|
|||||||
for i := range key64 {
|
for i := range key64 {
|
||||||
key64[i] = 0
|
key64[i] = 0
|
||||||
}
|
}
|
||||||
} else if aeadType == BackendXChaCha20Poly1305 {
|
} else if aeadType == BackendXChaCha20Poly1305 || aeadType == BackendXChaCha20Poly1305OpenSSL {
|
||||||
// We don't support legacy modes with XChaCha20-Poly1305
|
// We don't support legacy modes with XChaCha20-Poly1305
|
||||||
if IVBitLen != chacha20poly1305.NonceSizeX*8 {
|
if IVBitLen != chacha20poly1305.NonceSizeX*8 {
|
||||||
log.Panicf("XChaCha20-Poly1305 must use 192-bit IVs, you wanted %d", IVBitLen)
|
log.Panicf("XChaCha20-Poly1305 must use 192-bit IVs, you wanted %d", IVBitLen)
|
||||||
@ -156,7 +161,13 @@ func New(key []byte, aeadType AEADTypeEnum, IVBitLen int, useHKDF bool, forceDec
|
|||||||
log.Panic("XChaCha20-Poly1305 must use HKDF, but it is disabled")
|
log.Panic("XChaCha20-Poly1305 must use HKDF, but it is disabled")
|
||||||
}
|
}
|
||||||
derivedKey := hkdfDerive(key, hkdfInfoXChaChaPoly1305Content, chacha20poly1305.KeySize)
|
derivedKey := hkdfDerive(key, hkdfInfoXChaChaPoly1305Content, chacha20poly1305.KeySize)
|
||||||
|
if aeadType == BackendXChaCha20Poly1305 {
|
||||||
aeadCipher, err = chacha20poly1305.NewX(derivedKey)
|
aeadCipher, err = chacha20poly1305.NewX(derivedKey)
|
||||||
|
} else if aeadType == BackendXChaCha20Poly1305OpenSSL {
|
||||||
|
aeadCipher = stupidgcm.NewXchacha20poly1305(derivedKey)
|
||||||
|
} else {
|
||||||
|
log.Panicf("BUG: unhandled case: %v", aeadType)
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panic(err)
|
log.Panic(err)
|
||||||
}
|
}
|
||||||
|
@ -67,7 +67,7 @@ func WriteDirIVAt(dirfd int) error {
|
|||||||
iv := cryptocore.RandBytes(DirIVLen)
|
iv := cryptocore.RandBytes(DirIVLen)
|
||||||
// 0400 permissions: gocryptfs.diriv should never be modified after creation.
|
// 0400 permissions: gocryptfs.diriv should never be modified after creation.
|
||||||
// Don't use "ioutil.WriteFile", it causes trouble on NFS:
|
// Don't use "ioutil.WriteFile", it causes trouble on NFS:
|
||||||
// https://github.com/rfjakob/gocryptfs/v2/commit/7d38f80a78644c8ec4900cc990bfb894387112ed
|
// https://github.com/rfjakob/gocryptfs/commit/7d38f80a78644c8ec4900cc990bfb894387112ed
|
||||||
fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, dirivPerms)
|
fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, dirivPerms)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -6,14 +6,14 @@ const (
|
|||||||
// never chmod'ed or chown'ed.
|
// never chmod'ed or chown'ed.
|
||||||
//
|
//
|
||||||
// Group-readable so the FS can be mounted by several users in the same group
|
// Group-readable so the FS can be mounted by several users in the same group
|
||||||
// (see https://github.com/rfjakob/gocryptfs/v2/issues/387 ).
|
// (see https://github.com/rfjakob/gocryptfs/issues/387 ).
|
||||||
//
|
//
|
||||||
// Note that gocryptfs.conf is still created with 0400 permissions so the
|
// Note that gocryptfs.conf is still created with 0400 permissions so the
|
||||||
// owner must explicitly chmod it to permit access.
|
// owner must explicitly chmod it to permit access.
|
||||||
//
|
//
|
||||||
// World-readable so an encrypted directory can be copied by the non-root
|
// World-readable so an encrypted directory can be copied by the non-root
|
||||||
// owner when gocryptfs is running as root
|
// owner when gocryptfs is running as root
|
||||||
// ( https://github.com/rfjakob/gocryptfs/v2/issues/539 ).
|
// ( https://github.com/rfjakob/gocryptfs/issues/539 ).
|
||||||
dirivPerms = 0444
|
dirivPerms = 0444
|
||||||
|
|
||||||
// Permissions for gocryptfs.longname.[sha256].name files.
|
// Permissions for gocryptfs.longname.[sha256].name files.
|
||||||
|
1
internal/stupidgcm/.gitignore
vendored
Normal file
1
internal/stupidgcm/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
*.o
|
18
internal/stupidgcm/Makefile
Normal file
18
internal/stupidgcm/Makefile
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
.PHONY: test
|
||||||
|
test: gcc
|
||||||
|
# All three ways of building this must work
|
||||||
|
go build
|
||||||
|
go build -tags without_openssl
|
||||||
|
CGO_ENABLED=0 go build -tags without_openssl
|
||||||
|
# Likewise, all three ways of testing this must work
|
||||||
|
go test -v
|
||||||
|
go test -v -tags without_openssl
|
||||||
|
CGO_ENABLED=0 go test -v -tags without_openssl
|
||||||
|
|
||||||
|
.PHONY: gcc
|
||||||
|
gcc:
|
||||||
|
gcc -Wall -Wextra -Wformat-security -Wconversion -lcrypto -c *.c
|
||||||
|
|
||||||
|
.PHONY: format
|
||||||
|
format:
|
||||||
|
clang-format --style=WebKit -i *.c *.h
|
54
internal/stupidgcm/chacha.go
Normal file
54
internal/stupidgcm/chacha.go
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
package stupidgcm
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"log"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/chacha20poly1305"
|
||||||
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
*/
|
||||||
|
import "C"
|
||||||
|
|
||||||
|
type stupidChacha20poly1305 struct {
|
||||||
|
stupidAEADCommon
|
||||||
|
}
|
||||||
|
|
||||||
|
// Verify that we satisfy the cipher.AEAD interface
|
||||||
|
var _ cipher.AEAD = &stupidChacha20poly1305{}
|
||||||
|
|
||||||
|
// _EVP_chacha20_poly1305 caches C.EVP_chacha20_poly1305() to avoid the Cgo call
|
||||||
|
// overhead for each instantiation of NewChacha20poly1305.
|
||||||
|
var _EVP_chacha20_poly1305 *C.EVP_CIPHER
|
||||||
|
|
||||||
|
func init() {
|
||||||
|
_EVP_chacha20_poly1305 = C.EVP_chacha20_poly1305()
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewChacha20poly1305 returns a new instance of the OpenSSL ChaCha20-Poly1305 AEAD
|
||||||
|
// cipher ( https://www.openssl.org/docs/man1.1.1/man3/EVP_chacha20_poly1305.html ).
|
||||||
|
//
|
||||||
|
// gocryptfs only uses ChaCha20-Poly1305 as a building block for OpenSSL
|
||||||
|
// XChaCha20-Poly1305. This function is hot because it gets called once for each
|
||||||
|
// block by XChaCha20-Poly1305.
|
||||||
|
//
|
||||||
|
// Only 32-bytes keys and 12-byte IVs are supported.
|
||||||
|
func NewChacha20poly1305(key []byte) cipher.AEAD {
|
||||||
|
if len(key) != chacha20poly1305.KeySize {
|
||||||
|
log.Panicf("Only %d-byte keys are supported, you passed %d bytes", chacha20poly1305.KeySize, len(key))
|
||||||
|
}
|
||||||
|
// private copy
|
||||||
|
key2 := make([]byte, chacha20poly1305.KeySize)
|
||||||
|
copy(key2, key)
|
||||||
|
return &stupidChacha20poly1305{
|
||||||
|
stupidAEADCommon{
|
||||||
|
key: key2,
|
||||||
|
openSSLEVPCipher: _EVP_chacha20_poly1305,
|
||||||
|
nonceSize: chacha20poly1305.NonceSize,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
70
internal/stupidgcm/common.go
Normal file
70
internal/stupidgcm/common.go
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
package stupidgcm
|
||||||
|
|
||||||
|
import (
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
*/
|
||||||
|
import "C"
|
||||||
|
|
||||||
|
type stupidAEADCommon struct {
|
||||||
|
wiped bool
|
||||||
|
key []byte
|
||||||
|
openSSLEVPCipher *C.EVP_CIPHER
|
||||||
|
nonceSize int
|
||||||
|
}
|
||||||
|
|
||||||
|
// Overhead returns the number of bytes that are added for authentication.
|
||||||
|
//
|
||||||
|
// Part of the cipher.AEAD interface.
|
||||||
|
func (c *stupidAEADCommon) Overhead() int {
|
||||||
|
return tagLen
|
||||||
|
}
|
||||||
|
|
||||||
|
// NonceSize returns the required size of the nonce / IV
|
||||||
|
//
|
||||||
|
// Part of the cipher.AEAD interface.
|
||||||
|
func (c *stupidAEADCommon) NonceSize() int {
|
||||||
|
return c.nonceSize
|
||||||
|
}
|
||||||
|
|
||||||
|
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||||
|
//
|
||||||
|
// Part of the cipher.AEAD interface.
|
||||||
|
func (c *stupidAEADCommon) Seal(dst, iv, in, authData []byte) []byte {
|
||||||
|
return openSSLSeal(c, dst, iv, in, authData)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
||||||
|
//
|
||||||
|
// Part of the cipher.AEAD interface.
|
||||||
|
func (c *stupidAEADCommon) Open(dst, iv, in, authData []byte) ([]byte, error) {
|
||||||
|
return openSSLOpen(c, dst, iv, in, authData)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||||
|
//
|
||||||
|
// This is not bulletproof due to possible GC copies, but
|
||||||
|
// still raises the bar for extracting the key.
|
||||||
|
func (c *stupidAEADCommon) Wipe() {
|
||||||
|
key := c.key
|
||||||
|
c.wiped = true
|
||||||
|
c.key = nil
|
||||||
|
for i := range key {
|
||||||
|
key[i] = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *stupidAEADCommon) Wiped() bool {
|
||||||
|
if c.wiped {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if len(c.key) != keyLen {
|
||||||
|
log.Panicf("wrong key length %d", len(c.key))
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
59
internal/stupidgcm/doc.go
Normal file
59
internal/stupidgcm/doc.go
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
// Package stupidgcm wraps OpenSSL to provide a cipher.AEAD interface for
|
||||||
|
// authenticated encryption algorithms.
|
||||||
|
//
|
||||||
|
// The supported algorithms are:
|
||||||
|
//
|
||||||
|
// (1) AES-GCM-256 (OpenSSL EVP_aes_256_gcm)
|
||||||
|
//
|
||||||
|
// (2) ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||||
|
//
|
||||||
|
// (3) XChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305 + Go HChaCha20)
|
||||||
|
//
|
||||||
|
// The golang.org/x/crypto libraries provides implementations for all algorithms,
|
||||||
|
// and the test suite verifies that the implementation in this package gives
|
||||||
|
// the exact same results.
|
||||||
|
//
|
||||||
|
// However, OpenSSL has optimized assembly for almost all platforms, which Go
|
||||||
|
// does not. Example for a 32-bit ARM device (Odroid XU4):
|
||||||
|
//
|
||||||
|
// $ gocrypts -speed
|
||||||
|
// gocryptfs v2.1-68-gedf9d4c.stupidchacha; go-fuse v2.1.1-0.20210825171523-3ab5d95a30ae; 2021-09-04 go1.16.7 linux/arm
|
||||||
|
// AES-GCM-256-OpenSSL 56.84 MB/s (selected in auto mode)
|
||||||
|
// AES-GCM-256-Go 16.61 MB/s
|
||||||
|
// AES-SIV-512-Go 16.49 MB/s
|
||||||
|
// XChaCha20-Poly1305-Go 39.08 MB/s (use via -xchacha flag)
|
||||||
|
// XChaCha20-Poly1305-OpenSSL 141.82 MB/s
|
||||||
|
//
|
||||||
|
// This package is "stupid" in the sense that it only supports a narrow set of
|
||||||
|
// key- and iv-lengths, and panics if it does not like what you pass it.
|
||||||
|
// See the constructor functions for which restrictions apply for each algorithm.
|
||||||
|
// Also, it is only tested for block lengths up to 5000 bytes, because this is
|
||||||
|
// what gocryptfs uses.
|
||||||
|
//
|
||||||
|
// Corrupt ciphertexts never cause a panic. Instead, ErrAuth is returned on
|
||||||
|
// decryption.
|
||||||
|
//
|
||||||
|
// XChaCha20-Poly1305
|
||||||
|
//
|
||||||
|
// The XChaCha20-Poly1305 implementation is more complicated than the others,
|
||||||
|
// because OpenSSL does not support XChaCha20-Poly1305 directly. Follow
|
||||||
|
// https://github.com/openssl/openssl/issues/5523 to get notified when it is
|
||||||
|
// accepted into OpenSSL.
|
||||||
|
//
|
||||||
|
// Fortunately, XChaCha20-Poly1305 is just ChaCha20-Poly1305 with some key+iv
|
||||||
|
// mixing using HChaCha20 in front:
|
||||||
|
//
|
||||||
|
// key (32 bytes), iv (24 bytes)
|
||||||
|
// |
|
||||||
|
// v
|
||||||
|
// HChaCha20 (provided by golang.org/x/crypto/chacha20)
|
||||||
|
// |
|
||||||
|
// v
|
||||||
|
// key2 (32 bytes), iv2 (16 bytes)
|
||||||
|
// |
|
||||||
|
// v
|
||||||
|
// ChaCha20-Poly1305 (OpenSSL EVP_chacha20_poly1305)
|
||||||
|
//
|
||||||
|
// As HChaCha20 is very fast, XChaCha20-Poly1305 gets almost the same throughput
|
||||||
|
// as ChaCha20-Poly1305 (for 4kiB blocks).
|
||||||
|
package stupidgcm
|
41
internal/stupidgcm/gcm.go
Normal file
41
internal/stupidgcm/gcm.go
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
package stupidgcm
|
||||||
|
|
||||||
|
// #include <openssl/evp.h>
|
||||||
|
import "C"
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
||||||
|
BuiltWithoutOpenssl = false
|
||||||
|
|
||||||
|
keyLen = 32
|
||||||
|
ivLen = 16
|
||||||
|
tagLen = 16
|
||||||
|
)
|
||||||
|
|
||||||
|
type stupidGCM struct {
|
||||||
|
stupidAEADCommon
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewAES256GCM returns a new AES-256-GCM cipher that satisfies the cipher.AEAD interface.
|
||||||
|
//
|
||||||
|
// Only 32-bytes keys and 16-byte IVs are supported.
|
||||||
|
func NewAES256GCM(keyIn []byte) cipher.AEAD {
|
||||||
|
if len(keyIn) != keyLen {
|
||||||
|
log.Panicf("Only %d-byte keys are supported", keyLen)
|
||||||
|
}
|
||||||
|
return &stupidGCM{
|
||||||
|
stupidAEADCommon{
|
||||||
|
// Create a private copy of the key
|
||||||
|
key: append([]byte{}, keyIn...),
|
||||||
|
openSSLEVPCipher: C.EVP_aes_256_gcm(),
|
||||||
|
nonceSize: ivLen,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
123
internal/stupidgcm/openssl.go
Normal file
123
internal/stupidgcm/openssl.go
Normal file
@ -0,0 +1,123 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
package stupidgcm
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
#include "openssl_aead.h"
|
||||||
|
#cgo pkg-config: libcrypto
|
||||||
|
*/
|
||||||
|
import "C"
|
||||||
|
|
||||||
|
func openSSLSeal(a *stupidAEADCommon, dst, iv, in, authData []byte) []byte {
|
||||||
|
if a.Wiped() {
|
||||||
|
log.Panic("BUG: tried to use wiped key")
|
||||||
|
}
|
||||||
|
if len(iv) != a.NonceSize() {
|
||||||
|
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the "dst" slice is large enough we can use it as our output buffer
|
||||||
|
outLen := len(in) + tagLen
|
||||||
|
var buf []byte
|
||||||
|
inplace := false
|
||||||
|
if cap(dst)-len(dst) >= outLen {
|
||||||
|
inplace = true
|
||||||
|
buf = dst[len(dst) : len(dst)+outLen]
|
||||||
|
} else {
|
||||||
|
buf = make([]byte, outLen)
|
||||||
|
}
|
||||||
|
|
||||||
|
res := int(C.openssl_aead_seal(a.openSSLEVPCipher,
|
||||||
|
slicePointerOrNull(in),
|
||||||
|
C.int(len(in)),
|
||||||
|
(*C.uchar)(&authData[0]),
|
||||||
|
C.int(len(authData)),
|
||||||
|
(*C.uchar)(&a.key[0]),
|
||||||
|
C.int(len(a.key)),
|
||||||
|
(*C.uchar)(&iv[0]),
|
||||||
|
C.int(len(iv)),
|
||||||
|
(*C.uchar)(&buf[0]),
|
||||||
|
C.int(len(buf))))
|
||||||
|
|
||||||
|
if res != outLen {
|
||||||
|
log.Panicf("expected length %d, got %d", outLen, res)
|
||||||
|
}
|
||||||
|
|
||||||
|
if inplace {
|
||||||
|
return dst[:len(dst)+outLen]
|
||||||
|
}
|
||||||
|
return append(dst, buf...)
|
||||||
|
}
|
||||||
|
|
||||||
|
func openSSLOpen(a *stupidAEADCommon, dst, iv, in, authData []byte) ([]byte, error) {
|
||||||
|
if a.Wiped() {
|
||||||
|
log.Panic("BUG: tried to use wiped key")
|
||||||
|
}
|
||||||
|
if len(iv) != a.NonceSize() {
|
||||||
|
log.Panicf("Only %d-byte IVs are supported, you passed %d bytes", a.NonceSize(), len(iv))
|
||||||
|
}
|
||||||
|
if len(in) < tagLen {
|
||||||
|
return nil, fmt.Errorf("stupidChacha20poly1305: input data too short (%d bytes)", len(in))
|
||||||
|
}
|
||||||
|
|
||||||
|
// If the "dst" slice is large enough we can use it as our output buffer
|
||||||
|
outLen := len(in) - tagLen
|
||||||
|
var buf []byte
|
||||||
|
inplace := false
|
||||||
|
if cap(dst)-len(dst) >= outLen {
|
||||||
|
inplace = true
|
||||||
|
buf = dst[len(dst) : len(dst)+outLen]
|
||||||
|
} else {
|
||||||
|
buf = make([]byte, len(in)-tagLen)
|
||||||
|
}
|
||||||
|
|
||||||
|
ciphertext := in[:len(in)-tagLen]
|
||||||
|
tag := in[len(in)-tagLen:]
|
||||||
|
|
||||||
|
res := int(C.openssl_aead_open(a.openSSLEVPCipher,
|
||||||
|
slicePointerOrNull(ciphertext),
|
||||||
|
C.int(len(ciphertext)),
|
||||||
|
(*C.uchar)(&authData[0]),
|
||||||
|
C.int(len(authData)),
|
||||||
|
(*C.uchar)(&tag[0]),
|
||||||
|
C.int(len(tag)),
|
||||||
|
(*C.uchar)(&a.key[0]),
|
||||||
|
C.int(len(a.key)),
|
||||||
|
(*C.uchar)(&iv[0]),
|
||||||
|
C.int(len(iv)),
|
||||||
|
slicePointerOrNull(buf),
|
||||||
|
C.int(len(buf))))
|
||||||
|
|
||||||
|
if res < 0 {
|
||||||
|
return nil, ErrAuth
|
||||||
|
}
|
||||||
|
if res != outLen {
|
||||||
|
log.Panicf("unexpected length %d", res)
|
||||||
|
}
|
||||||
|
|
||||||
|
if inplace {
|
||||||
|
return dst[:len(dst)+outLen], nil
|
||||||
|
}
|
||||||
|
return append(dst, buf...), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// slicePointerOrNull returns a C pointer to the beginning of the byte slice,
|
||||||
|
// or NULL if the byte slice is empty. This is useful for slices that can be
|
||||||
|
// empty, otherwise you can directly use "(*C.uchar)(&s[0])".
|
||||||
|
func slicePointerOrNull(s []byte) (ptr *C.uchar) {
|
||||||
|
if len(s) == 0 {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return (*C.uchar)(&s[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
// This functions exists to benchmark the C call overhead from Go.
|
||||||
|
// See BenchmarkCCall for resuts.
|
||||||
|
func noopCFunction() {
|
||||||
|
C.noop_c_function()
|
||||||
|
}
|
185
internal/stupidgcm/openssl_aead.c
Normal file
185
internal/stupidgcm/openssl_aead.c
Normal file
@ -0,0 +1,185 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
#include "openssl_aead.h"
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
//#cgo pkg-config: libcrypto
|
||||||
|
|
||||||
|
static void panic(const char* const msg)
|
||||||
|
{
|
||||||
|
fprintf(stderr, "panic in C code: %s\n", msg);
|
||||||
|
__builtin_trap();
|
||||||
|
}
|
||||||
|
|
||||||
|
// We only support 16-byte tags
|
||||||
|
static const int supportedTagLen = 16;
|
||||||
|
|
||||||
|
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
||||||
|
int openssl_aead_seal(
|
||||||
|
const EVP_CIPHER* evpCipher,
|
||||||
|
const unsigned char* const plaintext,
|
||||||
|
const int plaintextLen,
|
||||||
|
const unsigned char* const authData,
|
||||||
|
const int authDataLen,
|
||||||
|
const unsigned char* const key,
|
||||||
|
const int keyLen,
|
||||||
|
const unsigned char* const iv,
|
||||||
|
const int ivLen,
|
||||||
|
unsigned char* const ciphertext,
|
||||||
|
const int ciphertextBufLen)
|
||||||
|
{
|
||||||
|
// Create scratch space "ctx"
|
||||||
|
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
|
||||||
|
if (!ctx) {
|
||||||
|
panic("EVP_CIPHER_CTX_new failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set cipher
|
||||||
|
if (EVP_EncryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
|
||||||
|
panic("EVP_EncryptInit_ex set cipher failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||||
|
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
|
||||||
|
panic("keyLen mismatch");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set IV length so we do not depend on the default
|
||||||
|
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
|
||||||
|
panic("EVP_CTRL_AEAD_SET_IVLEN failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set key and IV
|
||||||
|
if (EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
|
||||||
|
panic("EVP_EncryptInit_ex set key & iv failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Provide authentication data
|
||||||
|
int outLen = 0;
|
||||||
|
if (EVP_EncryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
|
||||||
|
panic("EVP_EncryptUpdate authData failed");
|
||||||
|
}
|
||||||
|
if (outLen != authDataLen) {
|
||||||
|
panic("EVP_EncryptUpdate authData: unexpected length");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encrypt "plaintext" into "ciphertext"
|
||||||
|
if (plaintextLen > ciphertextBufLen) {
|
||||||
|
panic("plaintext overflows output buffer");
|
||||||
|
}
|
||||||
|
if (EVP_EncryptUpdate(ctx, ciphertext, &outLen, plaintext, plaintextLen) != 1) {
|
||||||
|
panic("EVP_EncryptUpdate ciphertext failed");
|
||||||
|
}
|
||||||
|
if (outLen != plaintextLen) {
|
||||||
|
panic("EVP_EncryptUpdate ciphertext: unexpected length");
|
||||||
|
}
|
||||||
|
int ciphertextLen = outLen;
|
||||||
|
|
||||||
|
// Finalise encryption
|
||||||
|
// Normally ciphertext bytes may be written at this stage, but this does not occur in GCM mode
|
||||||
|
if (EVP_EncryptFinal_ex(ctx, ciphertext + plaintextLen, &outLen) != 1) {
|
||||||
|
panic("EVP_EncryptFinal_ex failed");
|
||||||
|
}
|
||||||
|
if (outLen != 0) {
|
||||||
|
panic("EVP_EncryptFinal_ex: unexpected length");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Get MAC tag and append it to the ciphertext
|
||||||
|
if (ciphertextLen + supportedTagLen > ciphertextBufLen) {
|
||||||
|
panic("tag overflows output buffer");
|
||||||
|
}
|
||||||
|
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, supportedTagLen, ciphertext + plaintextLen) != 1) {
|
||||||
|
panic("EVP_CTRL_AEAD_GET_TAG failed");
|
||||||
|
}
|
||||||
|
ciphertextLen += supportedTagLen;
|
||||||
|
|
||||||
|
// Free scratch space
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
|
||||||
|
return ciphertextLen;
|
||||||
|
}
|
||||||
|
|
||||||
|
int openssl_aead_open(
|
||||||
|
const EVP_CIPHER* evpCipher,
|
||||||
|
const unsigned char* const ciphertext,
|
||||||
|
const int ciphertextLen,
|
||||||
|
const unsigned char* const authData,
|
||||||
|
const int authDataLen,
|
||||||
|
unsigned char* const tag,
|
||||||
|
const int tagLen,
|
||||||
|
const unsigned char* const key,
|
||||||
|
const int keyLen,
|
||||||
|
const unsigned char* const iv,
|
||||||
|
const int ivLen,
|
||||||
|
unsigned char* const plaintext,
|
||||||
|
const int plaintextBufLen)
|
||||||
|
{
|
||||||
|
// Create scratch space "ctx"
|
||||||
|
EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
|
||||||
|
if (!ctx) {
|
||||||
|
panic("EVP_CIPHER_CTX_new failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set cipher
|
||||||
|
if (EVP_DecryptInit_ex(ctx, evpCipher, NULL, NULL, NULL) != 1) {
|
||||||
|
panic("EVP_DecryptInit_ex set cipher failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check keyLen by trying to set it (fails if keyLen != 32)
|
||||||
|
if (EVP_CIPHER_CTX_set_key_length(ctx, keyLen) != 1) {
|
||||||
|
panic("keyLen mismatch");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set IV length so we do not depend on the default
|
||||||
|
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivLen, NULL) != 1) {
|
||||||
|
panic("EVP_CTRL_AEAD_SET_IVLEN failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set key and IV
|
||||||
|
if (EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv) != 1) {
|
||||||
|
panic("EVP_DecryptInit_ex set key & iv failed");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Provide authentication data
|
||||||
|
int outLen = 0;
|
||||||
|
if (EVP_DecryptUpdate(ctx, NULL, &outLen, authData, authDataLen) != 1) {
|
||||||
|
panic("EVP_DecryptUpdate authData failed");
|
||||||
|
}
|
||||||
|
if (outLen != authDataLen) {
|
||||||
|
panic("EVP_DecryptUpdate authData: unexpected length");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Decrypt "ciphertext" into "plaintext"
|
||||||
|
if (ciphertextLen > plaintextBufLen) {
|
||||||
|
panic("ciphertextLen overflows output buffer");
|
||||||
|
}
|
||||||
|
if (EVP_DecryptUpdate(ctx, plaintext, &outLen, ciphertext, ciphertextLen) != 1) {
|
||||||
|
panic("EVP_DecryptUpdate failed");
|
||||||
|
}
|
||||||
|
int plaintextLen = outLen;
|
||||||
|
|
||||||
|
// Check tag
|
||||||
|
if (tagLen != supportedTagLen) {
|
||||||
|
panic("unsupported tag length");
|
||||||
|
}
|
||||||
|
if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tagLen, tag) != 1) {
|
||||||
|
panic("EVP_CTRL_AEAD_SET_TAG failed");
|
||||||
|
}
|
||||||
|
if (EVP_DecryptFinal_ex(ctx, plaintext + plaintextLen, &outLen) != 1) {
|
||||||
|
// authentication failed
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (outLen != 0) {
|
||||||
|
panic("EVP_EncryptFinal_ex: unexpected length");
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Clean up */
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
|
||||||
|
return plaintextLen;
|
||||||
|
}
|
||||||
|
|
||||||
|
// This functions exists to benchmark the C call overhead from Go.
|
||||||
|
void noop_c_function(void) {
|
||||||
|
return;
|
||||||
|
}
|
31
internal/stupidgcm/openssl_aead.h
Normal file
31
internal/stupidgcm/openssl_aead.h
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
|
int openssl_aead_seal(
|
||||||
|
const EVP_CIPHER* evpCipher,
|
||||||
|
const unsigned char* const plaintext,
|
||||||
|
const int plaintextLen,
|
||||||
|
const unsigned char* const authData,
|
||||||
|
const int authDataLen,
|
||||||
|
const unsigned char* const key,
|
||||||
|
const int keyLen,
|
||||||
|
const unsigned char* const iv,
|
||||||
|
const int ivLen,
|
||||||
|
unsigned char* const ciphertext,
|
||||||
|
const int ciphertextBufLen);
|
||||||
|
|
||||||
|
int openssl_aead_open(
|
||||||
|
const EVP_CIPHER* evpCipher,
|
||||||
|
const unsigned char* const ciphertext,
|
||||||
|
const int ciphertextLen,
|
||||||
|
const unsigned char* const authData,
|
||||||
|
const int authDataLen,
|
||||||
|
unsigned char* const tag,
|
||||||
|
const int tagLen,
|
||||||
|
const unsigned char* const key,
|
||||||
|
const int keyLen,
|
||||||
|
const unsigned char* const iv,
|
||||||
|
const int ivLen,
|
||||||
|
unsigned char* const plaintext,
|
||||||
|
const int plaintextBufLen);
|
||||||
|
|
||||||
|
void noop_c_function(void);
|
@ -6,7 +6,8 @@ import (
|
|||||||
"golang.org/x/sys/cpu"
|
"golang.org/x/sys/cpu"
|
||||||
)
|
)
|
||||||
|
|
||||||
// PreferOpenSSL tells us if OpenSSL is faster than Go GCM on this machine.
|
// PreferOpenSSLAES256GCM tells us if OpenSSL AES-256-GCM is faster than Go stdlib
|
||||||
|
// on this machine.
|
||||||
//
|
//
|
||||||
// Go GCM is only faster if the CPU either:
|
// Go GCM is only faster if the CPU either:
|
||||||
//
|
//
|
||||||
@ -14,22 +15,46 @@ import (
|
|||||||
// 2) Is ARM64 && has AES instructions && Go is v1.11 or higher
|
// 2) Is ARM64 && has AES instructions && Go is v1.11 or higher
|
||||||
// (commit https://github.com/golang/go/commit/4f1f503373cda7160392be94e3849b0c9b9ebbda)
|
// (commit https://github.com/golang/go/commit/4f1f503373cda7160392be94e3849b0c9b9ebbda)
|
||||||
//
|
//
|
||||||
// See https://github.com/rfjakob/gocryptfs/v2/wiki/CPU-Benchmarks
|
// See https://github.com/rfjakob/gocryptfs/wiki/CPU-Benchmarks
|
||||||
// for benchmarks.
|
// for benchmarks.
|
||||||
func PreferOpenSSL() bool {
|
func PreferOpenSSLAES256GCM() bool {
|
||||||
if BuiltWithoutOpenssl {
|
if BuiltWithoutOpenssl {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
// Safe to call on other architectures - will just read false.
|
// If the CPU has AES acceleration, Go stdlib is faster
|
||||||
if cpu.X86.HasAES || cpu.ARM64.HasAES {
|
if CpuHasAES() {
|
||||||
// Go stdlib is probably faster
|
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
// On the Apple M1, Go stdlib is faster than OpenSSL, despite cpu.ARM64.HasAES
|
// Otherwise OpenSSL is probably faster
|
||||||
// reading false: https://github.com/rfjakob/gocryptfs/v2/issues/556#issuecomment-848079309
|
|
||||||
if runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
// OpenSSL is probably faster
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PreferOpenSSLXchacha20poly1305 returns true if OpenSSL Xchacha20poly1305 is
|
||||||
|
// faster than Go stdlib on this machine.
|
||||||
|
func PreferOpenSSLXchacha20poly1305() bool {
|
||||||
|
if BuiltWithoutOpenssl {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
// Go x/crypto has optimized assembly for amd64:
|
||||||
|
// https://github.com/golang/crypto/blob/master/chacha20poly1305/chacha20poly1305_amd64.s
|
||||||
|
if runtime.GOARCH == "amd64" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
// On arm64 and arm, OpenSSL is faster. Probably everwhere else too.
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// CpuHasAES tells you if the CPU we are running has AES acceleration that is
|
||||||
|
// usable by the Go crypto library.
|
||||||
|
func CpuHasAES() bool {
|
||||||
|
// Safe to call on other architectures - will just read false.
|
||||||
|
if cpu.X86.HasAES || cpu.ARM64.HasAES {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
// On the Apple M1, the CPU has AES acceleration, despite cpu.ARM64.HasAES
|
||||||
|
// reading false: https://github.com/rfjakob/gocryptfs/issues/556#issuecomment-848079309
|
||||||
|
if runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
@ -1,249 +0,0 @@
|
|||||||
// +build !without_openssl
|
|
||||||
|
|
||||||
// Package stupidgcm is a thin wrapper for OpenSSL's GCM encryption and
|
|
||||||
// decryption functions. It only support 32-byte keys and 16-bit IVs.
|
|
||||||
package stupidgcm
|
|
||||||
|
|
||||||
// #include <openssl/evp.h>
|
|
||||||
// #cgo pkg-config: libcrypto
|
|
||||||
import "C"
|
|
||||||
|
|
||||||
import (
|
|
||||||
"crypto/cipher"
|
|
||||||
"fmt"
|
|
||||||
"log"
|
|
||||||
"unsafe"
|
|
||||||
)
|
|
||||||
|
|
||||||
const (
|
|
||||||
// BuiltWithoutOpenssl indicates if openssl been disabled at compile-time
|
|
||||||
BuiltWithoutOpenssl = false
|
|
||||||
|
|
||||||
keyLen = 32
|
|
||||||
ivLen = 16
|
|
||||||
tagLen = 16
|
|
||||||
)
|
|
||||||
|
|
||||||
// StupidGCM implements the cipher.AEAD interface
|
|
||||||
type StupidGCM struct {
|
|
||||||
key []byte
|
|
||||||
forceDecode bool
|
|
||||||
}
|
|
||||||
|
|
||||||
// Verify that we satisfy the cipher.AEAD interface
|
|
||||||
var _ cipher.AEAD = &StupidGCM{}
|
|
||||||
|
|
||||||
// New returns a new cipher.AEAD implementation..
|
|
||||||
func New(keyIn []byte, forceDecode bool) cipher.AEAD {
|
|
||||||
if len(keyIn) != keyLen {
|
|
||||||
log.Panicf("Only %d-byte keys are supported", keyLen)
|
|
||||||
}
|
|
||||||
// Create a private copy of the key
|
|
||||||
key := append([]byte{}, keyIn...)
|
|
||||||
return &StupidGCM{key: key, forceDecode: forceDecode}
|
|
||||||
}
|
|
||||||
|
|
||||||
// NonceSize returns the required size of the nonce / IV.
|
|
||||||
func (g *StupidGCM) NonceSize() int {
|
|
||||||
return ivLen
|
|
||||||
}
|
|
||||||
|
|
||||||
// Overhead returns the number of bytes that are added for authentication.
|
|
||||||
func (g *StupidGCM) Overhead() int {
|
|
||||||
return tagLen
|
|
||||||
}
|
|
||||||
|
|
||||||
// Seal encrypts "in" using "iv" and "authData" and append the result to "dst"
|
|
||||||
func (g *StupidGCM) Seal(dst, iv, in, authData []byte) []byte {
|
|
||||||
if len(iv) != ivLen {
|
|
||||||
log.Panicf("Only %d-byte IVs are supported", ivLen)
|
|
||||||
}
|
|
||||||
if len(in) == 0 {
|
|
||||||
log.Panic("Zero-length input data is not supported")
|
|
||||||
}
|
|
||||||
if len(g.key) != keyLen {
|
|
||||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
|
|
||||||
}
|
|
||||||
|
|
||||||
// If the "dst" slice is large enough we can use it as our output buffer
|
|
||||||
outLen := len(in) + tagLen
|
|
||||||
var buf []byte
|
|
||||||
inplace := false
|
|
||||||
if cap(dst)-len(dst) >= outLen {
|
|
||||||
inplace = true
|
|
||||||
buf = dst[len(dst) : len(dst)+outLen]
|
|
||||||
} else {
|
|
||||||
buf = make([]byte, outLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
|
||||||
|
|
||||||
// Create scratch space "context"
|
|
||||||
ctx := C.EVP_CIPHER_CTX_new()
|
|
||||||
if ctx == nil {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_new failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set cipher to AES-256
|
|
||||||
if C.EVP_EncryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 {
|
|
||||||
log.Panic("EVP_EncryptInit_ex I failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Use 16-byte IV
|
|
||||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set key and IV
|
|
||||||
if C.EVP_EncryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 {
|
|
||||||
log.Panic("EVP_EncryptInit_ex II failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Provide authentication data
|
|
||||||
var resultLen C.int
|
|
||||||
if C.EVP_EncryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 {
|
|
||||||
log.Panic("EVP_EncryptUpdate authData failed")
|
|
||||||
}
|
|
||||||
if int(resultLen) != len(authData) {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Encrypt "in" into "buf"
|
|
||||||
if C.EVP_EncryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&in[0]), C.int(len(in))) != 1 {
|
|
||||||
log.Panic("EVP_EncryptUpdate failed")
|
|
||||||
}
|
|
||||||
if int(resultLen) != len(in) {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Finalise encryption
|
|
||||||
// Because GCM is a stream encryption, this will not write out any data.
|
|
||||||
dummy := make([]byte, 16)
|
|
||||||
if C.EVP_EncryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen) != 1 {
|
|
||||||
log.Panic("EVP_EncryptFinal_ex failed")
|
|
||||||
}
|
|
||||||
if resultLen != 0 {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Get GMAC tag and append it to the ciphertext in "buf"
|
|
||||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_GET_TAG, tagLen, (unsafe.Pointer)(&buf[len(in)])) != 1 {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_GET_TAG failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Free scratch space
|
|
||||||
C.EVP_CIPHER_CTX_free(ctx)
|
|
||||||
|
|
||||||
if inplace {
|
|
||||||
return dst[:len(dst)+outLen]
|
|
||||||
}
|
|
||||||
return append(dst, buf...)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Open decrypts "in" using "iv" and "authData" and append the result to "dst"
|
|
||||||
func (g *StupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) {
|
|
||||||
if len(iv) != ivLen {
|
|
||||||
log.Panicf("Only %d-byte IVs are supported", ivLen)
|
|
||||||
}
|
|
||||||
if len(g.key) != keyLen {
|
|
||||||
log.Panicf("Wrong key length: %d. Key has been wiped?", len(g.key))
|
|
||||||
}
|
|
||||||
if len(in) <= tagLen {
|
|
||||||
return nil, fmt.Errorf("stupidgcm: input data too short (%d bytes)", len(in))
|
|
||||||
}
|
|
||||||
|
|
||||||
// If the "dst" slice is large enough we can use it as our output buffer
|
|
||||||
outLen := len(in) - tagLen
|
|
||||||
var buf []byte
|
|
||||||
inplace := false
|
|
||||||
if cap(dst)-len(dst) >= outLen {
|
|
||||||
inplace = true
|
|
||||||
buf = dst[len(dst) : len(dst)+outLen]
|
|
||||||
} else {
|
|
||||||
buf = make([]byte, len(in)-tagLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
ciphertext := in[:len(in)-tagLen]
|
|
||||||
tag := in[len(in)-tagLen:]
|
|
||||||
|
|
||||||
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode
|
|
||||||
|
|
||||||
// Create scratch space "context"
|
|
||||||
ctx := C.EVP_CIPHER_CTX_new()
|
|
||||||
if ctx == nil {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_new failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set cipher to AES-256
|
|
||||||
if C.EVP_DecryptInit_ex(ctx, C.EVP_aes_256_gcm(), nil, nil, nil) != 1 {
|
|
||||||
log.Panic("EVP_DecryptInit_ex I failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Use 16-byte IV
|
|
||||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_IVLEN, ivLen, nil) != 1 {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_ctrl EVP_CTRL_GCM_SET_IVLEN failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set key and IV
|
|
||||||
if C.EVP_DecryptInit_ex(ctx, nil, nil, (*C.uchar)(&g.key[0]), (*C.uchar)(&iv[0])) != 1 {
|
|
||||||
log.Panic("EVP_DecryptInit_ex II failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Set expected GMAC tag
|
|
||||||
if C.EVP_CIPHER_CTX_ctrl(ctx, C.EVP_CTRL_GCM_SET_TAG, tagLen, (unsafe.Pointer)(&tag[0])) != 1 {
|
|
||||||
log.Panic("EVP_CIPHER_CTX_ctrl failed")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Provide authentication data
|
|
||||||
var resultLen C.int
|
|
||||||
if C.EVP_DecryptUpdate(ctx, nil, &resultLen, (*C.uchar)(&authData[0]), C.int(len(authData))) != 1 {
|
|
||||||
log.Panic("EVP_DecryptUpdate authData failed")
|
|
||||||
}
|
|
||||||
if int(resultLen) != len(authData) {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Decrypt "ciphertext" into "buf"
|
|
||||||
if C.EVP_DecryptUpdate(ctx, (*C.uchar)(&buf[0]), &resultLen, (*C.uchar)(&ciphertext[0]), C.int(len(ciphertext))) != 1 {
|
|
||||||
log.Panic("EVP_DecryptUpdate failed")
|
|
||||||
}
|
|
||||||
if int(resultLen) != len(ciphertext) {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check GMAC
|
|
||||||
dummy := make([]byte, 16)
|
|
||||||
res := C.EVP_DecryptFinal_ex(ctx, (*C.uchar)(&dummy[0]), &resultLen)
|
|
||||||
if resultLen != 0 {
|
|
||||||
log.Panicf("Unexpected length %d", resultLen)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Free scratch space
|
|
||||||
C.EVP_CIPHER_CTX_free(ctx)
|
|
||||||
|
|
||||||
if res != 1 {
|
|
||||||
// The error code must always be checked by the calling function, because the decrypted buffer
|
|
||||||
// may contain corrupted data that we are returning in case the user forced reads
|
|
||||||
if g.forceDecode {
|
|
||||||
return append(dst, buf...), ErrAuth
|
|
||||||
}
|
|
||||||
return nil, ErrAuth
|
|
||||||
}
|
|
||||||
|
|
||||||
if inplace {
|
|
||||||
return dst[:len(dst)+outLen], nil
|
|
||||||
}
|
|
||||||
return append(dst, buf...), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// Wipe tries to wipe the AES key from memory by overwriting it with zeros
|
|
||||||
// and setting the reference to nil.
|
|
||||||
//
|
|
||||||
// This is not bulletproof due to possible GC copies, but
|
|
||||||
// still raises to bar for extracting the key.
|
|
||||||
func (g *StupidGCM) Wipe() {
|
|
||||||
for i := range g.key {
|
|
||||||
g.key[i] = 0
|
|
||||||
}
|
|
||||||
g.key = nil
|
|
||||||
}
|
|
117
internal/stupidgcm/xchacha.go
Normal file
117
internal/stupidgcm/xchacha.go
Normal file
@ -0,0 +1,117 @@
|
|||||||
|
// +build !without_openssl
|
||||||
|
|
||||||
|
// Copyright 2018 The Go Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
//
|
||||||
|
// Copied from
|
||||||
|
// https://github.com/golang/crypto/blob/32db794688a5a24a23a43f2a984cecd5b3d8da58/chacha20poly1305/xchacha20poly1305.go
|
||||||
|
// and adapted for stupidgcm by @rfjakob.
|
||||||
|
|
||||||
|
package stupidgcm
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/cipher"
|
||||||
|
"errors"
|
||||||
|
"log"
|
||||||
|
|
||||||
|
"golang.org/x/crypto/chacha20"
|
||||||
|
"golang.org/x/crypto/chacha20poly1305"
|
||||||
|
)
|
||||||
|
|
||||||
|
type stupidXchacha20poly1305 struct {
|
||||||
|
// array instead of byte slice like
|
||||||
|
// `struct xchacha20poly1305` in x/crypto/chacha20poly1305
|
||||||
|
key [chacha20poly1305.KeySize]byte
|
||||||
|
wiped bool
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewXchacha20poly1305 returns a XChaCha20-Poly1305 cipher that satisfied the
|
||||||
|
// cipher.AEAD interface.
|
||||||
|
//
|
||||||
|
// XChaCha20-Poly1305 is a ChaCha20-Poly1305 variant that takes a longer nonce,
|
||||||
|
// suitable to be generated randomly without risk of collisions. It should be
|
||||||
|
// preferred when nonce uniqueness cannot be trivially ensured, or whenever
|
||||||
|
// nonces are randomly generated.
|
||||||
|
//
|
||||||
|
// Only 32-bytes keys and 24-byte IVs are supported.
|
||||||
|
func NewXchacha20poly1305(key []byte) cipher.AEAD {
|
||||||
|
if len(key) != chacha20poly1305.KeySize {
|
||||||
|
log.Panic("bad key length")
|
||||||
|
}
|
||||||
|
ret := new(stupidXchacha20poly1305)
|
||||||
|
copy(ret.key[:], key)
|
||||||
|
return ret
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*stupidXchacha20poly1305) NonceSize() int {
|
||||||
|
return chacha20poly1305.NonceSizeX
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*stupidXchacha20poly1305) Overhead() int {
|
||||||
|
return tagLen
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *stupidXchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
|
||||||
|
if x.wiped {
|
||||||
|
log.Panic("BUG: tried to use wiped key")
|
||||||
|
}
|
||||||
|
if len(nonce) != chacha20poly1305.NonceSizeX {
|
||||||
|
log.Panic("bad nonce length passed to Seal")
|
||||||
|
}
|
||||||
|
|
||||||
|
// XChaCha20-Poly1305 technically supports a 64-bit counter, so there is no
|
||||||
|
// size limit. However, since we reuse the ChaCha20-Poly1305 implementation,
|
||||||
|
// the second half of the counter is not available. This is unlikely to be
|
||||||
|
// an issue because the cipher.AEAD API requires the entire message to be in
|
||||||
|
// memory, and the counter overflows at 256 GB.
|
||||||
|
if uint64(len(plaintext)) > (1<<38)-64 {
|
||||||
|
log.Panic("plaintext too large")
|
||||||
|
}
|
||||||
|
|
||||||
|
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
|
||||||
|
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305)
|
||||||
|
defer c.Wipe()
|
||||||
|
|
||||||
|
// The first 4 bytes of the final nonce are unused counter space.
|
||||||
|
cNonce := make([]byte, chacha20poly1305.NonceSize)
|
||||||
|
copy(cNonce[4:12], nonce[16:24])
|
||||||
|
|
||||||
|
return c.Seal(dst, cNonce[:], plaintext, additionalData)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *stupidXchacha20poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
|
||||||
|
if x.wiped {
|
||||||
|
log.Panic("BUG: tried to use wiped key")
|
||||||
|
}
|
||||||
|
if len(nonce) != chacha20poly1305.NonceSizeX {
|
||||||
|
log.Panic("bad nonce length passed to Open")
|
||||||
|
}
|
||||||
|
if len(ciphertext) < 16 {
|
||||||
|
return nil, errors.New("message too short")
|
||||||
|
}
|
||||||
|
if uint64(len(ciphertext)) > (1<<38)-48 {
|
||||||
|
log.Panic("ciphertext too large")
|
||||||
|
}
|
||||||
|
|
||||||
|
hKey, _ := chacha20.HChaCha20(x.key[:], nonce[0:16])
|
||||||
|
c := NewChacha20poly1305(hKey).(*stupidChacha20poly1305)
|
||||||
|
defer c.Wipe()
|
||||||
|
|
||||||
|
// The first 4 bytes of the final nonce are unused counter space.
|
||||||
|
cNonce := make([]byte, chacha20poly1305.NonceSize)
|
||||||
|
copy(cNonce[4:12], nonce[16:24])
|
||||||
|
|
||||||
|
return c.Open(dst, cNonce[:], ciphertext, additionalData)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Wipe tries to wipe the key from memory by overwriting it with zeros.
|
||||||
|
//
|
||||||
|
// This is not bulletproof due to possible GC copies, but
|
||||||
|
// still raises the bar for extracting the key.
|
||||||
|
func (g *stupidXchacha20poly1305) Wipe() {
|
||||||
|
g.wiped = true
|
||||||
|
for i := range g.key {
|
||||||
|
g.key[i] = 0
|
||||||
|
}
|
||||||
|
}
|
@ -12,7 +12,7 @@ import (
|
|||||||
// https://github.com/golang/go/blob/d2a80f3fb5b44450e0b304ac5a718f99c053d82a/src/os/file_posix.go#L243
|
// https://github.com/golang/go/blob/d2a80f3fb5b44450e0b304ac5a718f99c053d82a/src/os/file_posix.go#L243
|
||||||
//
|
//
|
||||||
// This is needed because CIFS throws lots of EINTR errors:
|
// This is needed because CIFS throws lots of EINTR errors:
|
||||||
// https://github.com/rfjakob/gocryptfs/v2/issues/483
|
// https://github.com/rfjakob/gocryptfs/issues/483
|
||||||
//
|
//
|
||||||
// Don't use retryEINTR() with syscall.Close()!
|
// Don't use retryEINTR() with syscall.Close()!
|
||||||
// See https://code.google.com/p/chromium/issues/detail?id=269623 .
|
// See https://code.google.com/p/chromium/issues/detail?id=269623 .
|
||||||
|
@ -19,7 +19,7 @@ const sizeofDirent = int(unsafe.Sizeof(unix.Dirent{}))
|
|||||||
|
|
||||||
// maxReclen sanity check: Reclen should never be larger than this.
|
// maxReclen sanity check: Reclen should never be larger than this.
|
||||||
// Due to padding between entries, it is 280 even on 32-bit architectures.
|
// Due to padding between entries, it is 280 even on 32-bit architectures.
|
||||||
// See https://github.com/rfjakob/gocryptfs/v2/issues/197 for details.
|
// See https://github.com/rfjakob/gocryptfs/issues/197 for details.
|
||||||
const maxReclen = 280
|
const maxReclen = 280
|
||||||
|
|
||||||
type DirEntry struct {
|
type DirEntry struct {
|
||||||
|
@ -35,7 +35,7 @@ func EnospcPrealloc(fd int, off int64, len int64) (err error) {
|
|||||||
}
|
}
|
||||||
if err == syscall.EOPNOTSUPP {
|
if err == syscall.EOPNOTSUPP {
|
||||||
// ZFS and ext3 do not support fallocate. Warn but continue anyway.
|
// ZFS and ext3 do not support fallocate. Warn but continue anyway.
|
||||||
// https://github.com/rfjakob/gocryptfs/v2/issues/22
|
// https://github.com/rfjakob/gocryptfs/issues/22
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
|
3
main.go
3
main.go
@ -1,3 +1,6 @@
|
|||||||
|
// gocryptfs is an encrypted overlay filesystem written in Go.
|
||||||
|
// See README.md ( https://github.com/rfjakob/gocryptfs/blob/master/README.md )
|
||||||
|
// and the official website ( https://nuetzlich.net/gocryptfs/ ) for details.
|
||||||
package main
|
package main
|
||||||
|
|
||||||
func main() {}
|
func main() {}
|
||||||
|
38
volume.go
38
volume.go
@ -64,18 +64,25 @@ func registerNewVolume(rootCipherDir string, masterkey []byte, cf *configfile.Co
|
|||||||
|
|
||||||
newVolume.plainTextNames = cf.IsFeatureFlagSet(configfile.FlagPlaintextNames)
|
newVolume.plainTextNames = cf.IsFeatureFlagSet(configfile.FlagPlaintextNames)
|
||||||
|
|
||||||
// Init crypto backend
|
cryptoBackend, err := cf.ContentEncryption()
|
||||||
cryptoBackend := cryptocore.BackendGoGCM
|
if err != nil {
|
||||||
if cf.IsFeatureFlagSet(configfile.FlagAESSIV) {
|
return -1
|
||||||
cryptoBackend = cryptocore.BackendAESSIV
|
}
|
||||||
} else if stupidgcm.PreferOpenSSL() {
|
if cryptoBackend == cryptocore.BackendXChaCha20Poly1305 && stupidgcm.PreferOpenSSLXchacha20poly1305() {
|
||||||
|
cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
|
||||||
|
} else if cryptoBackend == cryptocore.BackendGoGCM && stupidgcm.PreferOpenSSLAES256GCM() {
|
||||||
cryptoBackend = cryptocore.BackendOpenSSL
|
cryptoBackend = cryptocore.BackendOpenSSL
|
||||||
}
|
}
|
||||||
forcedecode := false
|
newVolume.cryptoCore = cryptocore.New(masterkey, cryptoBackend, cryptoBackend.NonceSize*8, cf.IsFeatureFlagSet(configfile.FlagHKDF))
|
||||||
newVolume.cryptoCore = cryptocore.New(masterkey, cryptoBackend, contentenc.DefaultIVBits, true, forcedecode)
|
newVolume.contentEnc = contentenc.New(newVolume.cryptoCore, contentenc.DefaultBS)
|
||||||
newVolume.contentEnc = contentenc.New(newVolume.cryptoCore, contentenc.DefaultBS, forcedecode)
|
|
||||||
var badname []string
|
var badname []string
|
||||||
newVolume.nameTransform = nametransform.New(newVolume.cryptoCore.EMECipher, true, true, badname, false)
|
newVolume.nameTransform = nametransform.New(
|
||||||
|
newVolume.cryptoCore.EMECipher,
|
||||||
|
true,
|
||||||
|
cf.IsFeatureFlagSet(configfile.FlagRaw64),
|
||||||
|
badname,
|
||||||
|
!cf.IsFeatureFlagSet(configfile.FlagDirIV),
|
||||||
|
)
|
||||||
|
|
||||||
//copying rootCipherDir
|
//copying rootCipherDir
|
||||||
var grcd strings.Builder
|
var grcd strings.Builder
|
||||||
@ -155,7 +162,16 @@ func gcf_change_password(rootCipherDir string, oldPassword, givenScryptHash, new
|
|||||||
}
|
}
|
||||||
|
|
||||||
//export gcf_create_volume
|
//export gcf_create_volume
|
||||||
func gcf_create_volume(rootCipherDir string, password []byte, plaintextNames bool, logN int, creator string) bool {
|
func gcf_create_volume(rootCipherDir string, password []byte, plaintextNames bool, xchacha int8, logN int, creator string) bool {
|
||||||
|
var useXChaCha bool
|
||||||
|
switch xchacha {
|
||||||
|
case 1:
|
||||||
|
useXChaCha = true
|
||||||
|
case 0:
|
||||||
|
useXChaCha = false
|
||||||
|
default:
|
||||||
|
useXChaCha = !stupidgcm.CpuHasAES()
|
||||||
|
}
|
||||||
err := configfile.Create(&configfile.CreateArgs{
|
err := configfile.Create(&configfile.CreateArgs{
|
||||||
Filename: filepath.Join(rootCipherDir, configfile.ConfDefaultName),
|
Filename: filepath.Join(rootCipherDir, configfile.ConfDefaultName),
|
||||||
Password: password,
|
Password: password,
|
||||||
@ -164,7 +180,7 @@ func gcf_create_volume(rootCipherDir string, password []byte, plaintextNames boo
|
|||||||
Creator: creator,
|
Creator: creator,
|
||||||
AESSIV: false,
|
AESSIV: false,
|
||||||
DeterministicNames: false,
|
DeterministicNames: false,
|
||||||
XChaCha20Poly1305: false,
|
XChaCha20Poly1305: useXChaCha,
|
||||||
})
|
})
|
||||||
if err == nil {
|
if err == nil {
|
||||||
if plaintextNames {
|
if plaintextNames {
|
||||||
|
Loading…
Reference in New Issue
Block a user