configfile: switch to 128-bit IVs for master key encryption

There is no security reason for doing this, but it will allow
to consolidate the code once we drop compatibility with gocryptfs v1.2
(and earlier) filesystems.

1 files changed, 10 insertions, 4 deletions

diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index 1233d8a..d28b1d4 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -154,9 +154,15 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
 	scryptHash := cf.ScryptObject.DeriveKey(password)
 
 	// Unlock master key using password-based key
-	// We use stock go GCM instead of OpenSSL here as we only use 96-bit IVs,
-	// speed is not important and we get better error messages
-	cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, 96)
+	// gocryptfs v1.2 and older used 96-bit IVs for master key encryption.
+	// v1.3 and up use 128 bits, which makes EncryptedKey longer (64 bytes).
+	IVLen := contentenc.DefaultIVBits
+	if len(cf.EncryptedKey) == 60 {
+		IVLen = 96
+	}
+	// We use stock Go GCM instead of OpenSSL as speed is not
+	// important and we get better error messages
+	cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, IVLen)
 	ce := contentenc.New(cc, 4096)
 
 	tlog.Warn.Enabled = false // Silence DecryptBlock() error messages on incorrect password
@@ -180,7 +186,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
 	scryptHash := cf.ScryptObject.DeriveKey(password)
 
 	// Lock master key using password-based key
-	cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, 96)
+	cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, contentenc.DefaultIVBits)
 	ce := contentenc.New(cc, 4096)
 	cf.EncryptedKey = ce.EncryptBlock(key, 0, nil)
 }