Commit Graph

124 Commits

Author SHA1 Message Date
Jakob Unterwurzacher
bb52937834 cryptocore: derive 512-bit key for AES-SIV
AES-SIV uses 1/2 of the key for authentication, 1/2 for
encryption, so we need a 64-byte key for AES-256. Derive
it from the master key by hashing it with SHA-512.
2016-10-04 00:16:56 +02:00
Jakob Unterwurzacher
46018785b4 siv_aead: Overhead is always 16
Add a test for that.

Also test operations using a 64-byte key.
2016-10-03 23:58:19 +02:00
Jakob Unterwurzacher
a2510efe12 reverse: use per-purpose nonce generation
Also pull all the deterministic nonce code into fusefrontend_reverse
to greatly simplify the normal code path.
2016-09-29 21:56:49 +02:00
Jakob Unterwurzacher
bce96b5095 reverse: move newDirIVFile into virtualfile.go
After all, is's a virtual file.
2016-09-28 23:30:13 +02:00
Jakob Unterwurzacher
e9bb8b800c reverse: switch from GCM-SIV to AES-SIV
GCM-SIV is not yet finalized, and the reference implemenation is
painfully slow at about 2 MB/s. Switch to AES-SIV.
2016-09-26 23:25:13 +02:00
Jakob Unterwurzacher
d9fc652df0 siv_aead: add AES-SIV AEAD wrapper 2016-09-26 23:06:40 +02:00
Jakob Unterwurzacher
0e277ba19e stupidgcm: add GCM-SIV benchmark
On a CPU without AES-NI:

$ go test -bench .
Benchmark4kEncStupidGCM-2   	   50000	     24155 ns/op	 169.57 MB/s
Benchmark4kEncGoGCM-2       	   20000	     93965 ns/op	  43.59 MB/s
Benchmark4kEncGCMSIV-2      	     500	   2576193 ns/op	   1.59 MB/s
2016-09-25 20:04:55 +02:00
Jakob Unterwurzacher
28838a489d nametransform: downgrade invalid length warning
This happens all the time in reverse mode when somebody stats
an encrypted symlink target.
2016-09-25 19:50:16 +02:00
Jakob Unterwurzacher
5f4b16c00f Implement changes proposed by gosimple.
Also delete the unused "dirIVNameStruct", found by deadcode.
2016-09-25 19:48:21 +02:00
Jakob Unterwurzacher
166ba74a05 tests: enable all go vet checks
...and fix reported errors:

internal/fusefrontend_reverse/rfile.go:40: github.com/rfjakob/gocryptfs/internal/contentenc.FileHeader composite literal uses unkeyed fields
internal/fusefrontend_reverse/rfs.go:249: github.com/hanwen/go-fuse/fuse.DirEntry composite literal uses unkeyed fields
internal/fusefrontend_reverse/rfs.go:264: github.com/hanwen/go-fuse/fuse.DirEntry composite literal uses unkeyed fields
2016-09-25 19:02:12 +02:00
Jakob Unterwurzacher
c7b3150afc nametransform: delete unused function DecryptPathDirIV 2016-09-25 18:56:23 +02:00
Jakob Unterwurzacher
abd61d968d contentenc: rename constant "IVBitLen" to "DefaultIVBits" and clarify comment
128-bit IVs are NOT used everywhere.
2016-09-25 18:40:29 +02:00
Jakob Unterwurzacher
b883dd10a6 reverse: add symlink encryption and Readlink support 2016-09-25 18:01:24 +02:00
Jakob Unterwurzacher
12808138ef contentenc: add "ExternalNonce" mode
This will be used for strong symlink encryption in reverse mode.
2016-09-25 17:44:19 +02:00
Jakob Unterwurzacher
32e55261ca fusefrontend: handle Readlink directly
Calling into go-fuse's loopbackFileSystem does not add
any value here.
2016-09-25 17:01:39 +02:00
Jakob Unterwurzacher
2050c7f3b3 reverse: add gcmsiv flag and associated tests 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
7bbf6ad6ea reverse: derive file ID and block IVs from file paths 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
52a6f4f71e reverse: add longnameParentCache
findLongnameParent has to read the whole directory to find the
right file; add a simple cache to avoid most directory scans.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
a6a7b424f8 reverse: resolve long names in Open and GetAttr
The last patch added functionality for generating gocryptfs.longname.*
files, this patch adds support for mapping them back to the full
filenames.

Note that resolving a long name needs a full readdir. A cache
will be implemented later on to improve performance.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
35bcc2dca2 reverse: transform long names in OpenDir 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
b34a665da4 nametransform: implement ReadDirIV without Openat
As ReadDirIV operates on a path anyway, opening the directory
has no clear safety advantage w.r.t. concurrent renames.

If the backing directory is a reverse-mounted gocryptfs filesystem,
each directory open is an OPENDIR, and this causes a full directory
read!

This patch improves the "ls -lR" performance of an

  DIR --> gocryptfs-reverse --> gocryptfs

chain by a factor of ~10.

OPENDIR counts for ls -lR:
  Before 15570
  After   2745
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
01c18dbcab nametransform: return EINVAL on invalid padding
With the generic fmt.Errorf we trigger a warning from go-fuse:

  2016/09/21 21:42:31 can't convert error type: Invalid padding
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
d76e7aadb4 reverse: use dynamic inode numbers
...with stable mappings for hard-linked files.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
5f726aaa9d contentenc: add GCM-SIV support
Also add ReverseDummyNonce nonce generation.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
7f87ed78f2 cryptocore: add support for GCM-SIV 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
d1762c5b95 reverse: fix GetAttr for gocryptfs.conf
And also don't return the encrypted version of
.gocryptfs.reverse.conf in readdir.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
3d59c7dd6a reverse: add gocryptfs.conf passthrough 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
1932248446 reverse: get rid of debug message 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
ce22ab36e1 reverse: gocryptfs.diriv content was generated from wrong path
Should be derived from the directory name only.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
7faa267bd4 reverse: rename readFile to clearer readBackingFile
Also refactor the header generation for nicer code.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
be9dfe3a89 reverse: implement dynamic diriv
Introduce a unique per-directory diriv that is generated
by hashing the encrypted directory path.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
10f38e8870 reverse: generate file header for Read()
Also create virtual gocryptfs.diriv entries (no content yet).
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
ac1221395e nametransform: export DirIVLen constant
Will be needed by reverse mode.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
e42ab3908d reverse: print value in file offset panic 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
777eb8e62f reverse: rename types to reverseXYZ
...to prevent confusion with the forward variants.

FS   -> reverseFS
file -> reverseFile

Also add an incomplete read implementation.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
5931eea387 contentenc: add helpers for reverse mode
Add the reverse variant of DecryptBlocks etc:

* EncryptBlocks
* JointPlaintextRange
* ExplodeCipherRange
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
1d4c6288f2 main: initial support for reverse mode 2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
1d62086742 conentenc: handle zero-sized files in PlainSizeToCipherSize
Previously caused an integer underflow.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
9237b4f53e reverse: add skeleton
Compiles but does not do much else.
2016-09-25 16:43:17 +02:00
Jakob Unterwurzacher
fca1b82417 fusefrontend: relay Utimens to go-fuse
Commit af5441dcd9 has caused a
regression ( https://github.com/rfjakob/gocryptfs/issues/35 )
that is fixed by this commit.

The go-fuse library by now has all the syscall wrappers in
place to correctly handle Utimens, also for symlinks.

Instead of duplicating the effort here just call into go-fuse.

Closes #35
2016-09-25 16:30:29 +02:00
Jakob Unterwurzacher
af5441dcd9 fusefrontend: use NsecToTimespec() for Utimens
This fixes a build problem on 32-bit hosts:

  internal/fusefrontend/file.go:400: cannot use a.Unix() (type int64) as
  type int32 in assignment
  internal/fusefrontend/file.go:406: cannot use m.Unix() (type int64) as
  type int32 in assignment

It also enables full nanosecond timestamps for dates
after 1970.
2016-08-09 22:18:46 +02:00
Jakob Unterwurzacher
7395b8e990 cryptocore: comment why 96-bit IVs are still supported 2016-07-31 13:36:38 +02:00
Jakob Unterwurzacher
e8a234f658 Add godoc comments to all internal packages 2016-07-06 21:51:25 +02:00
Jakob Unterwurzacher
603e144f5e prefer_openssl: OSX: get rid of /proc warnings
OSX does not have /proc/cpuinfo, but let's not warn
the user about it.
2016-07-04 08:19:26 +02:00
Jakob Unterwurzacher
52655843ab stupidgcm: use __builtin_trap()
[...]/stupidgcm/locking.go:16:2:
  warning: indirection of non-volatile null pointer will
  be deleted, not trap [-Wnull-dereference]
  [...]/stupidgcm/locking.go:16:2:
  note: consider using __builtin_trap() or qualifying
  pointer with 'volatile'

https://github.com/rfjakob/gocryptfs/issues/15
2016-07-04 08:14:24 +02:00
Jakob Unterwurzacher
741bf0726e syscallcompat: OSX: add Mknodat wrapper
Protip: find naked *at syscalls using:

   git grep "syscall." | grep "at(" | grep -v syscallcompat
2016-07-03 20:22:22 +02:00
Jakob Unterwurzacher
d8524c7369 syscallcompat: OSX: add Unlinkat wrapper
Also, replace remaining naked syscall.Openat calls.
2016-07-03 20:17:40 +02:00
Jakob Unterwurzacher
1d7728959c fusefrontend: downgrade Renameat log message to debug 2016-07-03 20:08:09 +02:00
Jakob Unterwurzacher
79851bf6cc syscallcompat: OSX: add Renamat wrapper
Adds a poor man's renameat implementation for OSX.
2016-07-03 20:05:32 +02:00
Jakob Unterwurzacher
9b725c15cf syscallcompat: OSX: add Fallocate and Openat wrappers
...and convert all calls to syscall.{Fallocate,Openat}
to syscallcompat .

Both syscalls are not available on OSX. We emulate Openat and just
return EOPNOTSUPP for Fallocate.
2016-07-03 19:18:34 +02:00