reverse: switch from GCM-SIV to AES-SIV

GCM-SIV is not yet finalized, and the reference implemenation is painfully slow at about 2 MB/s. Switch to AES-SIV.
2016-09-26 23:25:13 +02:00 · 2016-09-26 23:25:13 +02:00 · e9bb8b800c
parent d9fc652df0
commit e9bb8b800c
13 changed files with 50 additions and 57 deletions
--- a/Documentation/MANPAGE.md
+++ b/Documentation/MANPAGE.md
@ -30,6 +30,9 @@ DESCRIPTION
 Options:
 **-aessiv**
 :	Use the AES-SIV encryption mode (implied by -reverse)
 **-allow_other**
 :	By default, the Linux kernel prevents any other user (even root) to
 access a mounted FUSE filesystem. Settings this option allows access for
@ -58,9 +61,6 @@ to mount the gocryptfs filesytem without user interaction.
 **-fusedebug**
 :	Enable fuse library debug output
 **-gcmsiv**
 :	Use the GCM-SIV encryption mode (implied by -reverse)
 **-init**
 :	Initialize encrypted directory
--- a/cli_args.go
+++ b/cli_args.go
@ -14,7 +14,7 @@ import (
 type argContainer struct {
 	debug, init, zerokey, fusedebug, openssl, passwd, foreground, version,
 	plaintextnames, quiet, nosyslog, wpanic,
-	longnames, allow_other, ro, reverse, gcmsiv bool
+	longnames, allow_other, ro, reverse, aessiv bool
 	masterkey, mountpoint, cipherdir, cpuprofile, extpass,
 	memprofile, o string
 	// Configuration file name override
@ -51,7 +51,7 @@ func parseCliOpts() (args argContainer) {
 		"Only works if user_allow_other is set in /etc/fuse.conf.")
 	flagSet.BoolVar(&args.ro, "ro", false, "Mount the filesystem read-only")
 	flagSet.BoolVar(&args.reverse, "reverse", false, "Reverse mode")
-	flagSet.BoolVar(&args.gcmsiv, "gcmsiv", false, "GCM-SIV encryption")
+	flagSet.BoolVar(&args.aessiv, "aessiv", false, "AES-SIV encryption")
 	flagSet.StringVar(&args.masterkey, "masterkey", "", "Mount with explicit master key")
 	flagSet.StringVar(&args.cpuprofile, "cpuprofile", "", "Write cpu profile to specified file")
 	flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
--- a/init_dir.go
+++ b/init_dir.go
@ -39,7 +39,7 @@ func initDir(args *argContainer) {
 	}
 	password := readpassword.Twice(args.extpass)
 	creator := tlog.ProgramName + " " + GitVersion
-	err = configfile.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn, creator, args.gcmsiv)
+	err = configfile.CreateConfFile(args.config, password, args.plaintextnames, args.scryptn, creator, args.aessiv)
 	if err != nil {
 		tlog.Fatal.Println(err)
 		os.Exit(ERREXIT_INIT)
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@ -45,7 +45,7 @@ type ConfFile struct {
 // CreateConfFile - create a new config with a random key encrypted with
 // "password" and write it to "filename".
 // Uses scrypt with cost parameter logN.
-func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, gcmsiv bool) error {
+func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool) error {
 	var cf ConfFile
 	cf.filename = filename
 	cf.Creator = creator
@ -59,7 +59,7 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN
 	cf.EncryptKey(key, password, logN)
 	// Set feature flags
-	cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagGCMIV128]) // 128-bit IVs
+	cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagGCMIV128])
 	if plaintextNames {
 		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagPlaintextNames])
 	} else {
@ -67,8 +67,8 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN
 		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagEMENames])
 		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagLongNames])
 	}
-	if gcmsiv {
+	if aessiv {
-		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagGCMSIV]) // GCM-SIV encryption mode
+		cf.FeatureFlags = append(cf.FeatureFlags, knownFlags[FlagAESSIV])
 	}
 	// Write file to disk
--- a/internal/configfile/config_test.go
+++ b/internal/configfile/config_test.go
@ -71,7 +71,7 @@ func TestCreateConfFile(t *testing.T) {
 }
-func TestCreateConfFileGCMSIV(t *testing.T) {
+func TestCreateConfFileAESSIV(t *testing.T) {
 	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", true)
 	if err != nil {
 		t.Fatal(err)
@ -80,14 +80,14 @@ func TestCreateConfFileGCMSIV(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !c.IsFeatureFlagSet(FlagGCMSIV) {
+	if !c.IsFeatureFlagSet(FlagAESSIV) {
-		t.Error("GCMSIV flag should be set but is not")
+		t.Error("AESSIV flag should be set but is not")
 	}
 }
 func TestIsFeatureFlagKnown(t *testing.T) {
 	// Test a few hardcoded values
-	testKnownFlags := []string{"DirIV", "PlaintextNames", "EMENames", "GCMIV128", "LongNames", "GCMSIV"}
+	testKnownFlags := []string{"DirIV", "PlaintextNames", "EMENames", "GCMIV128", "LongNames", "AESSIV"}
 	// And also everything in knownFlags (yes, it is likely that we end up with
 	// some duplicates. Does not matter.)
 	for _, f := range knownFlags {
--- a/internal/configfile/feature_flags.go
+++ b/internal/configfile/feature_flags.go
@ -8,7 +8,7 @@ const (
 	FlagEMENames
 	FlagGCMIV128
 	FlagLongNames
-	FlagGCMSIV
+	FlagAESSIV
 )
 // knownFlags stores the known feature flags and their string representation
@ -18,7 +18,7 @@ var knownFlags map[flagIota]string = map[flagIota]string{
 	FlagEMENames:       "EMENames",
 	FlagGCMIV128:       "GCMIV128",
 	FlagLongNames:      "LongNames",
-	FlagGCMSIV:         "GCMSIV",
+	FlagAESSIV:         "AESSIV",
 }
 // Filesystems that do not have these feature flags set are deprecated.
--- a/internal/contentenc/content.go
+++ b/internal/contentenc/content.go
@ -105,8 +105,8 @@ func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileId []b
 	// Extract nonce
 	nonce := ciphertext[:be.cryptoCore.IVLen]
-	if bytes.Equal(nonce, be.allZeroNonce) && be.cryptoCore.AEADBackend != cryptocore.BackendGCMSIV {
+	if bytes.Equal(nonce, be.allZeroNonce) {
-		panic("Hit an all-zero nonce with GCMSIV off. This MUST NOT happen!")
+		panic("Hit an all-zero nonce. This MUST NOT happen!")
 	}
 	ciphertextOrig := ciphertext
 	ciphertext = ciphertext[be.cryptoCore.IVLen:]
@ -150,13 +150,13 @@ func (be *ContentEnc) EncryptBlock(plaintext []byte, blockNo uint64, fileID []by
 	var nonce []byte
 	switch nMode {
 	case ExternalNonce:
-		if be.cryptoCore.AEADBackend != cryptocore.BackendGCMSIV {
+		if be.cryptoCore.AEADBackend != cryptocore.BackendAESSIV {
-			panic("MUST NOT use deterministic nonces unless in GCMSIV mode!")
+			panic("MUST NOT use deterministic nonces unless in AESSIV mode!")
 		}
 		nonce = externalNonce
 	case ReverseDeterministicNonce:
-		if be.cryptoCore.AEADBackend != cryptocore.BackendGCMSIV {
+		if be.cryptoCore.AEADBackend != cryptocore.BackendAESSIV {
-			panic("MUST NOT use deterministic nonces unless in GCMSIV mode!")
+			panic("MUST NOT use deterministic nonces unless in AESSIV mode!")
 		}
 		l := be.cryptoCore.IVLen
 		nonce = make([]byte, l)
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@ -7,9 +7,8 @@ import (
 	"crypto/cipher"
 	"fmt"
 	"github.com/rfjakob/gocryptfs/internal/siv_aead"
 	"github.com/rfjakob/gocryptfs/internal/stupidgcm"
 	"github.com/rfjakob/gcmsiv"
 )
 type BackendTypeEnum int
@ -21,13 +20,13 @@ const (
 	_                              = iota // Skip zero
 	BackendOpenSSL BackendTypeEnum = iota
 	BackendGoGCM   BackendTypeEnum = iota
-	BackendGCMSIV  BackendTypeEnum = iota
+	BackendAESSIV  BackendTypeEnum = iota
 )
 type CryptoCore struct {
 	// AES-256 block cipher. This is used for EME filename encryption.
 	BlockCipher cipher.Block
-	// GCM or GCM-SIV. This is used for content encryption.
+	// GCM or AES-SIV. This is used for content encryption.
 	AEADCipher cipher.AEAD
 	// Which backend is behind AEADCipher?
 	AEADBackend BackendTypeEnum
@ -64,8 +63,8 @@ func New(key []byte, backend BackendTypeEnum, IVBitLen int) *CryptoCore {
 		gcm = stupidgcm.New(key)
 	case BackendGoGCM:
 		gcm, err = goGCMWrapper(blockCipher, IVLen)
-	case BackendGCMSIV:
+	case BackendAESSIV:
-		gcm, err = gcmsiv.NewGCMSIV(key)
+		gcm = siv_aead.New(key)
 	default:
 		panic("unknown backend cipher")
 	}
--- a/internal/stupidgcm/stupidgcm_test.go
+++ b/internal/stupidgcm/stupidgcm_test.go
@ -15,7 +15,8 @@ import (
 	"encoding/hex"
 	"testing"
-	"github.com/rfjakob/gcmsiv"
+	// For benchmark comparison
 	"github.com/rfjakob/gocryptfs/internal/siv_aead"
 )
 // Get "n" random bytes from /dev/urandom or panic
@ -162,16 +163,13 @@ func Benchmark4kEncGoGCM(b *testing.B) {
 	}
 }
-func Benchmark4kEncGCMSIV(b *testing.B) {
+func Benchmark4kEncAESSIV(b *testing.B) {
 	key := randBytes(32)
 	authData := randBytes(24)
 	iv := randBytes(16)
 	in := make([]byte, 4096)
 	b.SetBytes(int64(len(in)))
-	gGCM, err := gcmsiv.NewGCMSIV(key)
+	gGCM := siv_aead.New(key)
 	if err != nil {
 		b.Fatal(err)
 	}
 	for i := 0; i < b.N; i++ {
 		// Encrypt and append to nonce
 		gGCM.Seal(iv, iv, in, authData)
--- a/main.go
+++ b/main.go
@ -150,9 +150,9 @@ func main() {
 	if args.quiet {
 		tlog.Info.Enabled = false
 	}
-	// "-reverse" implies "-gcmsiv"
+	// "-reverse" implies "-aessiv"
 	if args.reverse {
-		args.gcmsiv = true
+		args.aessiv = true
 	}
 	// "-config"
 	if args.config != "" {
@ -290,8 +290,8 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
 	if args.openssl {
 		cryptoBackend = cryptocore.BackendOpenSSL
 	}
-	if args.gcmsiv {
+	if args.aessiv {
-		cryptoBackend = cryptocore.BackendGCMSIV
+		cryptoBackend = cryptocore.BackendAESSIV
 	}
 	frontendArgs := fusefrontend.Args{
 		Cipherdir:      args.cipherdir,
@ -304,10 +304,10 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
 	if confFile != nil {
 		// Settings from the config file override command line args
 		frontendArgs.PlaintextNames = confFile.IsFeatureFlagSet(configfile.FlagPlaintextNames)
-		if confFile.IsFeatureFlagSet(configfile.FlagGCMSIV) {
+		if confFile.IsFeatureFlagSet(configfile.FlagAESSIV) {
-			frontendArgs.CryptoBackend = cryptocore.BackendGCMSIV
+			frontendArgs.CryptoBackend = cryptocore.BackendAESSIV
 		} else if args.reverse {
-			tlog.Fatal.Printf("GCM-SIV is required by reverse mode, but not enabled in the config file")
+			tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file")
 			os.Exit(ERREXIT_USAGE)
 		}
 	}
@ -318,11 +318,6 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
 	}
 	jsonBytes, _ := json.MarshalIndent(frontendArgs, "", "\t")
 	tlog.Debug.Printf("frontendArgs: %s", string(jsonBytes))
 	if frontendArgs.CryptoBackend == cryptocore.BackendGCMSIV {
 		tlog.Info.Printf(tlog.ColorYellow +
 			"Warning: The GCM-SIV format used by reverse mode is not yet finalized.\n" +
 			"The on-disk format will change in the future." + tlog.ColorReset)
 	}
 	var finalFs pathfs.FileSystem
 	if args.reverse {
 		finalFs = fusefrontend_reverse.NewFS(frontendArgs)
--- a/tests/normal/cli_test.go
+++ b/tests/normal/cli_test.go
@ -27,20 +27,20 @@ func TestInit(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if c.IsFeatureFlagSet(configfile.FlagGCMSIV) {
+	if c.IsFeatureFlagSet(configfile.FlagAESSIV) {
-		t.Error("GCMSIV flag should not be set")
+		t.Error("AESSIV flag should not be set")
 	}
 }
-// Test -init with -gcmsiv
+// Test -init with -aessiv
-func TestInitGcmsiv(t *testing.T) {
+func TestInitAessiv(t *testing.T) {
-	dir := test_helpers.InitFS(t, "-gcmsiv")
+	dir := test_helpers.InitFS(t, "-aessiv")
 	_, c, err := configfile.LoadConfFile(dir+"/"+configfile.ConfDefaultName, "test")
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !c.IsFeatureFlagSet(configfile.FlagGCMSIV) {
+	if !c.IsFeatureFlagSet(configfile.FlagAESSIV) {
-		t.Error("GCMSIV flag should be set but is not")
+		t.Error("AESSIV flag should be set but is not")
 	}
 }
@ -51,8 +51,8 @@ func TestInitReverse(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !c.IsFeatureFlagSet(configfile.FlagGCMSIV) {
+	if !c.IsFeatureFlagSet(configfile.FlagAESSIV) {
-		t.Error("GCMSIV flag should be set but is not")
+		t.Error("AESSIV flag should be set but is not")
 	}
 }
--- a/tests/reverse/linux-tarball-test.bash
+++ b/tests/reverse/linux-tarball-test.bash
@ -28,4 +28,5 @@ gocryptfs -q -extpass="echo test" b c
 # Check md5 sums
 cd c
 echo "Checking md5 sums"
-md5sum --status -c $MD5
+set -o pipefail
 md5sum -c $MD5 | pv -l -s 36782 -N "files checked" | (grep -v ": OK" || true)
--- a/tests/reverse/main_test.go
+++ b/tests/reverse/main_test.go
@ -26,7 +26,7 @@ func TestMain(m *testing.M) {
 		panic(err)
 	}
 	test_helpers.MountOrExit(dirA, dirB, "-zerokey", "-reverse")
-	test_helpers.MountOrExit(dirB, dirC, "-zerokey", "-gcmsiv")
+	test_helpers.MountOrExit(dirB, dirC, "-zerokey", "-aessiv")
 	r := m.Run()
 	test_helpers.UnmountPanic(dirC)
 	test_helpers.UnmountPanic(dirB)