aboutsummaryrefslogtreecommitdiff
path: root/internal
diff options
context:
space:
mode:
authorJakob Unterwurzacher2017-03-05 18:03:03 +0100
committerJakob Unterwurzacher2017-03-05 18:03:03 +0100
commitb7328815183b7a4ff37156085fb78e8e86aff165 (patch)
tree650e24e8767ede99c76a5d78804de72f993eaf1a /internal
parenta8d154765ab1cea4f21cd9f7dd0b4d6ba7183cca (diff)
configfile: switch to 128-bit IVs for master key encryption
There is no security reason for doing this, but it will allow to consolidate the code once we drop compatibility with gocryptfs v1.2 (and earlier) filesystems.
Diffstat (limited to 'internal')
-rw-r--r--internal/configfile/config_file.go14
-rw-r--r--internal/contentenc/content.go3
-rw-r--r--internal/cryptocore/cryptocore.go4
3 files changed, 14 insertions, 7 deletions
diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index 1233d8a..d28b1d4 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -154,9 +154,15 @@ func LoadConfFile(filename string, password string) ([]byte, *ConfFile, error) {
scryptHash := cf.ScryptObject.DeriveKey(password)
// Unlock master key using password-based key
- // We use stock go GCM instead of OpenSSL here as we only use 96-bit IVs,
- // speed is not important and we get better error messages
- cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, 96)
+ // gocryptfs v1.2 and older used 96-bit IVs for master key encryption.
+ // v1.3 and up use 128 bits, which makes EncryptedKey longer (64 bytes).
+ IVLen := contentenc.DefaultIVBits
+ if len(cf.EncryptedKey) == 60 {
+ IVLen = 96
+ }
+ // We use stock Go GCM instead of OpenSSL as speed is not
+ // important and we get better error messages
+ cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, IVLen)
ce := contentenc.New(cc, 4096)
tlog.Warn.Enabled = false // Silence DecryptBlock() error messages on incorrect password
@@ -180,7 +186,7 @@ func (cf *ConfFile) EncryptKey(key []byte, password string, logN int) {
scryptHash := cf.ScryptObject.DeriveKey(password)
// Lock master key using password-based key
- cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, 96)
+ cc := cryptocore.New(scryptHash, cryptocore.BackendGoGCM, contentenc.DefaultIVBits)
ce := contentenc.New(cc, 4096)
cf.EncryptedKey = ce.EncryptBlock(key, 0, nil)
}
diff --git a/internal/contentenc/content.go b/internal/contentenc/content.go
index 322163a..a2a263c 100644
--- a/internal/contentenc/content.go
+++ b/internal/contentenc/content.go
@@ -20,7 +20,8 @@ const (
DefaultBS = 4096
// DefaultIVBits is the default length of IV, in bits.
// We always use 128-bit IVs for file content, but the
- // key in the config file is encrypted with a 96-bit IV.
+ // master key in the config file is encrypted with a 96-bit IV for
+ // gocryptfs v1.2 and earlier. v1.3 switched to 128 bit.
DefaultIVBits = 128
_ = iota // skip zero
diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go
index 735c409..7e1d238 100644
--- a/internal/cryptocore/cryptocore.go
+++ b/internal/cryptocore/cryptocore.go
@@ -49,8 +49,8 @@ type CryptoCore struct {
// New returns a new CryptoCore object or panics.
//
// Even though the "GCMIV128" feature flag is now mandatory, we must still
-// support 96-bit IVs here because they are used for encrypting the master
-// key in gocryptfs.conf.
+// support 96-bit IVs here because they were used for encrypting the master
+// key in gocryptfs.conf up to gocryptfs v1.2. v1.3 switched to 128 bits.
func New(key []byte, aeadType AEADTypeEnum, IVBitLen int) *CryptoCore {
if len(key) != KeyLen {
log.Panic(fmt.Sprintf("Unsupported key length %d", len(key)))