libgocryptfs/internal/configfile/feature_flags.go
Jakob Unterwurzacher 97d8340bd8 configfile: add Validate() function, support FlagXChaCha20Poly1305
We used to do validation using lists of mandatory feature flags.

With the introduction of XChaCha20Poly1305, this became too
simplistic, as it uses a different IV length, hence disabling
GCMIV128.

Add a dedicated function, Validate(), with open-coded validation
logic.

The validation and creation logic also gets XChaCha20Poly1305
support, and gocryptfs -init -xchacha now writes the flag into
gocryptfs.conf.
2021-08-23 16:00:41 +02:00


package configfile
// flagIota identifies one feature flag. Its string form, the one that is
// compared against the entries of ConfFile.FeatureFlags, is looked up in
// knownFlags; every flagIota value declared below must have an entry there.
type flagIota int

const (
	// FlagPlaintextNames indicates that filenames are unencrypted.
	FlagPlaintextNames flagIota = iota
	// FlagDirIV indicates that a per-directory IV file is used.
	FlagDirIV
	// FlagEMENames indicates EME (ECB-Mix-ECB) filename encryption.
	// This flag is mandatory since gocryptfs v1.0.
	FlagEMENames
	// FlagGCMIV128 indicates 128-bit GCM IVs.
	// This flag is mandatory since gocryptfs v1.0,
	// except when XChaCha20Poly1305 is used.
	FlagGCMIV128
	// FlagLongNames allows file names longer than 176 bytes.
	FlagLongNames
	// FlagAESSIV selects an AES-SIV based crypto backend.
	FlagAESSIV
	// FlagRaw64 enables raw (unpadded) base64 encoding for file names
	FlagRaw64
	// FlagHKDF enables HKDF-derived keys for use with GCM, EME and SIV
	// instead of directly using the master key (GCM and EME) or the SHA-512
	// hashed master key (SIV).
	// Note that this flag does not change the password hashing algorithm
	// which always is scrypt.
	FlagHKDF
	// FlagFIDO2 means that "-fido2" was used when creating the filesystem.
	// The masterkey is protected using a FIDO2 token instead of a password.
	FlagFIDO2
	// FlagXChaCha20Poly1305 means we use XChaCha20-Poly1305 file content encryption
	FlagXChaCha20Poly1305
)
// knownFlags stores the known feature flags and their string representation.
//
// The strings are the exact names that isFeatureFlagKnown and
// ConfFile.IsFeatureFlagSet compare against (string equality, so the match is
// case-sensitive). A flagIota missing from this map has no string form and
// can therefore never be recognised as set; keep it in sync with the const
// block above when adding a flag.
var knownFlags = map[flagIota]string{
	FlagPlaintextNames:    "PlaintextNames",
	FlagDirIV:             "DirIV",
	FlagEMENames:          "EMENames",
	FlagGCMIV128:          "GCMIV128",
	FlagLongNames:         "LongNames",
	FlagAESSIV:            "AESSIV",
	FlagRaw64:             "Raw64",
	FlagHKDF:              "HKDF",
	FlagFIDO2:             "FIDO2",
	FlagXChaCha20Poly1305: "XChaCha20Poly1305",
}
// isFeatureFlagKnown reports whether flag is the string form of one of the
// feature flags listed in knownFlags. The comparison is exact: a name that
// differs only in case or carries extra whitespace is treated as unknown.
func isFeatureFlagKnown(flag string) bool {
	known := false
	for _, name := range knownFlags {
		known = known || name == flag
	}
	return known
}
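// IsFeatureFlagSet reports whether the feature flag flagWant is listed in
// cf.FeatureFlags.
//
// flagWant is resolved to its string form through knownFlags. A flagIota
// without an entry there is never reported as set: the plain map lookup would
// yield "" and an empty entry in cf.FeatureFlags would then be mistaken for a
// match. The comparison against the list is exact (case-sensitive).
func (cf *ConfFile) IsFeatureFlagSet(flagWant flagIota) bool {
	want, ok := knownFlags[flagWant]
	if !ok {
		// Unknown flagIota: no string form, so it cannot be present.
		return false
	}
	for _, have := range cf.FeatureFlags {
		if have == want {
			return true
		}
	}
	return false
}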