diff options
author | Jakob Unterwurzacher | 2015-11-27 00:03:10 +0100 |
---|---|---|
committer | Jakob Unterwurzacher | 2015-11-27 00:03:10 +0100 |
commit | decfc1ab798055234e16a2e9c0782f56ae50669b (patch) | |
tree | bdff27eb861a17399b66e28883abfd2624b184c1 | |
parent | fe2fcf6c162a8370670fd1262b90925bf321f199 (diff) |
diriv: Convert filename encryption users to diriv
-rw-r--r-- | cryptfs/cryptfs_names.go | 48 | ||||
-rw-r--r-- | cryptfs/names_diriv.go | 69 | ||||
-rw-r--r-- | cryptfs/names_test.go | 4 | ||||
-rw-r--r-- | integration_tests/main_test.go | 10 | ||||
-rw-r--r-- | pathfs_frontend/fs.go | 156 | ||||
-rw-r--r-- | pathfs_frontend/names.go | 11 |
6 files changed, 219 insertions, 79 deletions
diff --git a/cryptfs/cryptfs_names.go b/cryptfs/cryptfs_names.go index 1282f53..37a769f 100644 --- a/cryptfs/cryptfs_names.go +++ b/cryptfs/cryptfs_names.go @@ -12,15 +12,15 @@ import ( ) const ( - ENCRYPT = true - DECRYPT = false + OpEncrypt = iota + OpDecrypt ) -// DecryptName - decrypt filename -func (be *CryptFS) decryptName(cipherName string) (string, error) { +// DecryptName - decrypt base64-encoded encrypted filename "cipherName" +func (be *CryptFS) decryptName(cipherName string, iv []byte) (string, error) { // Make sure relative symlinks still work after encryption - // by passing these trough unchanged + // by passing these through unchanged if cipherName == "." || cipherName == ".." { return cipherName, nil } @@ -34,7 +34,6 @@ func (be *CryptFS) decryptName(cipherName string) (string, error) { return "", fmt.Errorf("Decoded length %d is not a multiple of the AES block size", len(bin)) } - iv := make([]byte, aes.BlockSize) // TODO ? cbc := cipher.NewCBCDecrypter(be.blockCipher, iv) cbc.CryptBlocks(bin, bin) @@ -48,7 +47,7 @@ func (be *CryptFS) decryptName(cipherName string) (string, error) { } // EncryptName - encrypt filename -func (be *CryptFS) encryptName(plainName string) string { +func (be *CryptFS) encryptName(plainName string, iv []byte) string { // Make sure relative symlinks still work after encryption // by passing these trough unchanged @@ -59,7 +58,6 @@ func (be *CryptFS) encryptName(plainName string) string { bin := []byte(plainName) bin = be.pad16(bin) - iv := make([]byte, 16) // TODO ? cbc := cipher.NewCBCEncrypter(be.blockCipher, iv) cbc.CryptBlocks(bin, bin) @@ -67,9 +65,10 @@ func (be *CryptFS) encryptName(plainName string) string { return cipherName64 } -// TranslatePath - encrypt or decrypt path. Just splits the string on "/" -// and hands the parts to EncryptName() / DecryptName() -func (be *CryptFS) translatePath(path string, op bool) (string, error) { + +// TranslatePathZeroIV - encrypt or decrypt path using CBC with a constant all-zero IV. +// Just splits the string on "/" and hands the parts to encryptName() / decryptName() +func (be *CryptFS) TranslatePathZeroIV(path string, op int) (string, error) { var err error // Empty string means root directory @@ -77,6 +76,8 @@ func (be *CryptFS) translatePath(path string, op bool) (string, error) { return path, err } + zeroIV := make([]byte, DIRIV_LEN) + // Run operation on each path component var translatedParts []string parts := strings.Split(path, "/") @@ -88,10 +89,10 @@ func (be *CryptFS) translatePath(path string, op bool) (string, error) { continue } var newPart string - if op == ENCRYPT { - newPart = be.encryptName(part) + if op == OpEncrypt { + newPart = be.encryptName(part, zeroIV) } else { - newPart, err = be.decryptName(part) + newPart, err = be.decryptName(part, zeroIV) if err != nil { return "", err } @@ -102,23 +103,6 @@ func (be *CryptFS) translatePath(path string, op bool) (string, error) { return strings.Join(translatedParts, "/"), err } -// EncryptPath - encrypt filename or path. Just hands it to translatePath(). -func (be *CryptFS) EncryptPath(path string) string { - if be.plaintextNames { - return path - } - newPath, _ := be.translatePath(path, ENCRYPT) - return newPath -} - -// DecryptPath - decrypt filename or path. Just hands it to translatePath(). -func (be *CryptFS) DecryptPath(path string) (string, error) { - if be.plaintextNames { - return path, nil - } - return be.translatePath(path, DECRYPT) -} - // pad16 - pad filename to 16 byte blocks using standard PKCS#7 padding // https://tools.ietf.org/html/rfc5652#section-6.3 func (be *CryptFS) pad16(orig []byte) (padded []byte) { @@ -171,3 +155,5 @@ func (be *CryptFS) unPad16(orig []byte) ([]byte, error) { } return orig[0:newLen], nil } + + diff --git a/cryptfs/names_diriv.go b/cryptfs/names_diriv.go new file mode 100644 index 0000000..c9debab --- /dev/null +++ b/cryptfs/names_diriv.go @@ -0,0 +1,69 @@ +package cryptfs + +import ( + "path/filepath" + "io/ioutil" + "fmt" + "strings" +) + +// readDirIV - read the "gocryptfs.diriv" file from "dir" (absolute path) +func (be *CryptFS) readDirIV(dir string) (iv []byte, err error) { + ivfile := filepath.Join(dir, DIRIV_FILENAME) + iv, err = ioutil.ReadFile(ivfile) + if err != nil { + Warn.Printf("readDirIV: %v\n", err) + return nil, err + } + if len(iv) != DIRIV_LEN { + return nil, fmt.Errorf("readDirIV: Invalid length %d\n", len(iv)) + } + return iv, nil +} + +// EncryptPathDirIV - encrypt path using CBC with DirIV +func (be *CryptFS) EncryptPathDirIV(plainPath string, rootDir string) (string, error) { + if be.plaintextNames { + return plainPath, nil + } + // Empty string means root directory + if plainPath == "" { + return plainPath, nil + } + var wd = rootDir + var encryptedNames []string + plainNames := strings.Split(plainPath, "/") + for _, plainName := range plainNames { + iv, err := be.readDirIV(wd) + if err != nil { + return "", err + } + encryptedName := be.encryptName(plainName, iv) + encryptedNames = append(encryptedNames, encryptedName) + wd = filepath.Join(wd, encryptedName) + } + return filepath.Join(encryptedNames...), nil +} + +// DecryptPathDirIV - encrypt path using CBC with DirIV +func (be *CryptFS) DecryptPathDirIV(encryptedPath string, rootDir string) (string, error) { + if be.plaintextNames { + return encryptedPath, nil + } + var wd = rootDir + var plainNames []string + encryptedNames := strings.Split(encryptedPath, "/") + for _, encryptedName := range encryptedNames { + iv, err := be.readDirIV(wd) + if err != nil { + return "", err + } + plainName, err := be.decryptName(encryptedName, iv) + if err != nil { + return "", err + } + plainNames = append(plainNames, plainName) + wd = filepath.Join(wd, encryptedName) + } + return filepath.Join(plainNames...), nil +} diff --git a/cryptfs/names_test.go b/cryptfs/names_test.go index ccf08df..1ad3391 100644 --- a/cryptfs/names_test.go +++ b/cryptfs/names_test.go @@ -15,8 +15,8 @@ func TestTranslatePath(t *testing.T) { fs := NewCryptFS(key, true, false) for _, n := range s { - c := fs.EncryptPath(n) - d, err := fs.DecryptPath(c) + c, err := fs.TranslatePathZeroIV(n, OpEncrypt) + d, err := fs.TranslatePathZeroIV(c, OpDecrypt) if err != nil { t.Errorf("Got error from DecryptName: %s", err) } diff --git a/integration_tests/main_test.go b/integration_tests/main_test.go index 4b2c11e..e46e2e4 100644 --- a/integration_tests/main_test.go +++ b/integration_tests/main_test.go @@ -60,16 +60,18 @@ func TestMain(m *testing.M) { func testWriteN(t *testing.T, fn string, n int) string { file, err := os.Create(defaultPlainDir + fn) if err != nil { - t.FailNow() + t.Fatal(err) } d := make([]byte, n) written, err := file.Write(d) if err != nil || written != len(d) { - fmt.Printf("err=\"%s\", written=%d\n", err, written) - t.Fail() + t.Errorf("err=\"%s\", written=%d\n", err, written) + } + err = file.Close() + if err != nil { + t.Error(err) } - file.Close() verifySize(t, defaultPlainDir+fn, n) diff --git a/pathfs_frontend/fs.go b/pathfs_frontend/fs.go index 9c809df..48ea4a2 100644 --- a/pathfs_frontend/fs.go +++ b/pathfs_frontend/fs.go @@ -1,6 +1,7 @@ package pathfs_frontend import ( + "encoding/base64" "fmt" "sync" "syscall" @@ -17,9 +18,9 @@ import ( type FS struct { *cryptfs.CryptFS - pathfs.FileSystem // loopbackFileSystem, see go-fuse/fuse/pathfs/loopback.go - backing string // Backing directory - dirivLock sync.RWMutex // Global lock that is taken if any "gocryptfs.diriv" file is modified + pathfs.FileSystem // loopbackFileSystem, see go-fuse/fuse/pathfs/loopback.go + backingDir string // Backing directory, cipherdir + dirivLock sync.RWMutex // Global lock that is taken if any "gocryptfs.diriv" file is modified } // Encrypted FUSE overlay filesystem @@ -27,14 +28,18 @@ func NewFS(key []byte, backing string, useOpenssl bool, plaintextNames bool) *FS return &FS{ CryptFS: cryptfs.NewCryptFS(key, useOpenssl, plaintextNames), FileSystem: pathfs.NewLoopbackFileSystem(backing), - backing: backing, + backingDir: backing, } } -// GetPath - get the absolute encrypted path of the backing file +// GetBackingPath - get the absolute encrypted path of the backing file // from the relative plaintext path "relPath" -func (fs *FS) GetPath(relPath string) string { - return filepath.Join(fs.backing, fs.EncryptPath(relPath)) +func (fs *FS) getBackingPath(relPath string) (string, error) { + encrypted, err := fs.encryptPath(relPath) + if err != nil { + return "", err + } + return filepath.Join(fs.backingDir, encrypted), nil } func (fs *FS) GetAttr(name string, context *fuse.Context) (*fuse.Attr, fuse.Status) { @@ -42,7 +47,10 @@ func (fs *FS) GetAttr(name string, context *fuse.Context) (*fuse.Attr, fuse.Stat if fs.CryptFS.IsFiltered(name) { return nil, fuse.EPERM } - cName := fs.EncryptPath(name) + cName, err := fs.encryptPath(name) + if err != nil { + return nil, fuse.ToStatus(err) + } a, status := fs.FileSystem.GetAttr(cName, context) if a == nil { cryptfs.Debug.Printf("FS.GetAttr failed: %s\n", status.String()) @@ -59,7 +67,11 @@ func (fs *FS) GetAttr(name string, context *fuse.Context) (*fuse.Attr, fuse.Stat func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, fuse.Status) { cryptfs.Debug.Printf("OpenDir(%s)\n", dirName) - cipherEntries, status := fs.FileSystem.OpenDir(fs.EncryptPath(dirName), context) + cDirName, err := fs.encryptPath(dirName) + if err != nil { + return nil, fuse.ToStatus(err) + } + cipherEntries, status := fs.FileSystem.OpenDir(cDirName, context) var plain []fuse.DirEntry if cipherEntries != nil { for i := range cipherEntries { @@ -72,7 +84,7 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f // silently ignore "gocryptfs.diriv" everywhere continue } - name, err := fs.DecryptPath(cName) + name, err := fs.decryptPath(cName) if err != nil { cryptfs.Warn.Printf("Invalid name \"%s\" in dir \"%s\": %s\n", cName, dirName, err) continue @@ -103,7 +115,11 @@ func (fs *FS) Open(path string, flags uint32, context *fuse.Context) (fuseFile n return nil, fuse.EPERM } iflags, writeOnly := fs.mangleOpenFlags(flags) - f, err := os.OpenFile(fs.GetPath(path), iflags, 0666) + cPath, err := fs.getBackingPath(path) + if err != nil { + return nil, fuse.ToStatus(err) + } + f, err := os.OpenFile(cPath, iflags, 0666) if err != nil { return nil, fuse.ToStatus(err) } @@ -116,7 +132,11 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte return nil, fuse.EPERM } iflags, writeOnly := fs.mangleOpenFlags(flags) - f, err := os.OpenFile(fs.GetPath(path), iflags|os.O_CREATE, os.FileMode(mode)) + cPath, err := fs.getBackingPath(path) + if err != nil { + return nil, fuse.ToStatus(err) + } + f, err := os.OpenFile(cPath, iflags|os.O_CREATE, os.FileMode(mode)) if err != nil { return nil, fuse.ToStatus(err) } @@ -127,21 +147,33 @@ func (fs *FS) Chmod(path string, mode uint32, context *fuse.Context) (code fuse. if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - return fs.FileSystem.Chmod(fs.EncryptPath(path), mode, context) + cPath, err := fs.encryptPath(path) + if err != nil { + return fuse.ToStatus(err) + } + return fs.FileSystem.Chmod(cPath, mode, context) } func (fs *FS) Chown(path string, uid uint32, gid uint32, context *fuse.Context) (code fuse.Status) { if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - return fs.FileSystem.Chown(fs.EncryptPath(path), uid, gid, context) + cPath, err := fs.encryptPath(path) + if err != nil { + return fuse.ToStatus(err) + } + return fs.FileSystem.Chown(cPath, uid, gid, context) } -func (fs *FS) Mknod(name string, mode uint32, dev uint32, context *fuse.Context) (code fuse.Status) { - if fs.CryptFS.IsFiltered(name) { +func (fs *FS) Mknod(path string, mode uint32, dev uint32, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - return fs.FileSystem.Mknod(fs.EncryptPath(name), mode, dev, context) + cPath, err := fs.encryptPath(path) + if err != nil { + return fuse.ToStatus(err) + } + return fs.FileSystem.Mknod(cPath, mode, dev, context) } func (fs *FS) Truncate(path string, offset uint64, context *fuse.Context) (code fuse.Status) { @@ -153,15 +185,23 @@ func (fs *FS) Utimens(path string, Atime *time.Time, Mtime *time.Time, context * if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - return fs.FileSystem.Utimens(fs.EncryptPath(path), Atime, Mtime, context) + cPath, err := fs.encryptPath(path) + if err != nil { + return fuse.ToStatus(err) + } + return fs.FileSystem.Utimens(cPath, Atime, Mtime, context) } -func (fs *FS) Readlink(name string, context *fuse.Context) (out string, status fuse.Status) { - dst, status := fs.FileSystem.Readlink(fs.EncryptPath(name), context) +func (fs *FS) Readlink(path string, context *fuse.Context) (out string, status fuse.Status) { + cPath, err := fs.encryptPath(path) + if err != nil { + return "", fuse.ToStatus(err) + } + dst, status := fs.FileSystem.Readlink(cPath, context) if status != fuse.OK { return "", status } - dstPlain, err := fs.DecryptPath(dst) + dstPlain, err := fs.decryptPath(dst) if err != nil { cryptfs.Warn.Printf("Failed decrypting symlink: %s\n", err.Error()) return "", fuse.EIO @@ -173,11 +213,14 @@ func (fs *FS) Mkdir(relPath string, mode uint32, context *fuse.Context) (code fu if fs.CryptFS.IsFiltered(relPath) { return fuse.EPERM } - encPath := fs.GetPath(relPath) + encPath, err := fs.getBackingPath(relPath) + if err != nil { + return fuse.ToStatus(err) + } diriv := cryptfs.RandBytes(cryptfs.DIRIV_LEN) dirivPath := filepath.Join(encPath, cryptfs.DIRIV_FILENAME) // Create directory - err := os.Mkdir(encPath, os.FileMode(mode)) + err = os.Mkdir(encPath, os.FileMode(mode)) if err != nil { return fuse.ToStatus(err) } @@ -196,20 +239,22 @@ func (fs *FS) Mkdir(relPath string, mode uint32, context *fuse.Context) (code fu return fuse.OK } -func (fs *FS) Unlink(name string, context *fuse.Context) (code fuse.Status) { - if fs.CryptFS.IsFiltered(name) { +func (fs *FS) Unlink(path string, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - cName := fs.EncryptPath(name) - code = fs.FileSystem.Unlink(cName, context) - if code != fuse.OK { - cryptfs.Debug.Printf("Unlink failed on %s [%s], code=%s\n", name, cName, code.String()) + cPath, err := fs.getBackingPath(path) + if err != nil { + return fuse.ToStatus(err) } - return code + return fuse.ToStatus(syscall.Unlink(cPath)) } func (fs *FS) Rmdir(name string, context *fuse.Context) (code fuse.Status) { - encPath := fs.GetPath(name) + encPath, err := fs.getBackingPath(name) + if err != nil { + return fuse.ToStatus(err) + } // If the directory is not empty besides gocryptfs.diriv, do not even // attempt the dance around gocryptfs.diriv. @@ -264,34 +309,61 @@ func (fs *FS) Rmdir(name string, context *fuse.Context) (code fuse.Status) { return fuse.OK } -func (fs *FS) Symlink(pointedTo string, linkName string, context *fuse.Context) (code fuse.Status) { +func (fs *FS) Symlink(target string, linkName string, context *fuse.Context) (code fuse.Status) { + cryptfs.Debug.Printf("Symlink(\"%s\", \"%s\")\n", target, linkName) if fs.CryptFS.IsFiltered(linkName) { return fuse.EPERM } - // TODO symlink encryption - cryptfs.Debug.Printf("Symlink(\"%s\", \"%s\")\n", pointedTo, linkName) - return fs.FileSystem.Symlink(fs.EncryptPath(pointedTo), fs.EncryptPath(linkName), context) + cName, err := fs.encryptPath(linkName) + if err != nil { + return fuse.ToStatus(err) + } + + cBinTarget := fs.CryptFS.EncryptBlock([]byte(target), 0, nil) + cTarget := base64.URLEncoding.EncodeToString(cBinTarget) + + return fuse.ToStatus(os.Symlink(cTarget, cName)) } func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (code fuse.Status) { if fs.CryptFS.IsFiltered(newPath) { return fuse.EPERM } - return fs.FileSystem.Rename(fs.EncryptPath(oldPath), fs.EncryptPath(newPath), context) + cOldPath, err := fs.getBackingPath(oldPath) + if err != nil { + return fuse.ToStatus(err) + } + cNewPath, err := fs.getBackingPath(newPath) + if err != nil { + return fuse.ToStatus(err) + } + return fs.FileSystem.Rename(cOldPath, cNewPath, context) } -func (fs *FS) Link(orig string, newName string, context *fuse.Context) (code fuse.Status) { - if fs.CryptFS.IsFiltered(newName) { +func (fs *FS) Link(oldPath string, newPath string, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(newPath) { return fuse.EPERM } - return fs.FileSystem.Link(fs.EncryptPath(orig), fs.EncryptPath(newName), context) + cOldPath, err := fs.getBackingPath(oldPath) + if err != nil { + return fuse.ToStatus(err) + } + cNewPath, err := fs.getBackingPath(newPath) + if err != nil { + return fuse.ToStatus(err) + } + return fuse.ToStatus(os.Link(cOldPath, cNewPath)) } -func (fs *FS) Access(name string, mode uint32, context *fuse.Context) (code fuse.Status) { - if fs.CryptFS.IsFiltered(name) { +func (fs *FS) Access(path string, mode uint32, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(path) { return fuse.EPERM } - return fs.FileSystem.Access(fs.EncryptPath(name), mode, context) + cPath, err := fs.getBackingPath(path) + if err != nil { + return fuse.ToStatus(err) + } + return fuse.ToStatus(syscall.Access(cPath, mode)) } func (fs *FS) GetXAttr(name string, attr string, context *fuse.Context) ([]byte, fuse.Status) { diff --git a/pathfs_frontend/names.go b/pathfs_frontend/names.go new file mode 100644 index 0000000..5842d83 --- /dev/null +++ b/pathfs_frontend/names.go @@ -0,0 +1,11 @@ +package pathfs_frontend + +// This file handles filename encryption + +func (fs *FS) encryptPath(plainPath string) (string, error) { + return fs.CryptFS.EncryptPathDirIV(plainPath, fs.backingDir) +} + +func (fs *FS) decryptPath(cipherPath string) (string, error) { + return fs.CryptFS.DecryptPathDirIV(cipherPath, fs.backingDir) +} |