author | Jakob Unterwurzacher | 2017-04-24 00:25:02 +0200 |
---|---|---|
committer | Jakob Unterwurzacher | 2017-04-24 00:25:02 +0200 |
commit | 3409ade2723d931097560fbbe35e461553c5912c (patch) | |
tree | c12f3eb3fa93eba352170ab597d70d6a72498ce2 /internal | |
parent | f1945c4daae65074cfca8f0ab5b97ac5a50c24a0 (diff) |
forcedecode: tighten checks
...and fix a few golint issues and print a scary warning message on mount.
Also, force the fs to ro,noexec.
Diffstat (limited to 'internal')
-rw-r--r-- | internal/contentenc/content.go | 9 | ||||
-rw-r--r-- | internal/fusefrontend/file.go | 12 | ||||
-rw-r--r-- | internal/stupidgcm/autherr.go | 8 | ||||
-rw-r--r-- | internal/stupidgcm/stupidgcm.go | 9 | ||||
-rw-r--r-- | internal/stupidgcm/without_openssl.go | 3 |
5 files changed, 24 insertions, 17 deletions
diff --git a/internal/contentenc/content.go b/internal/contentenc/content.go
index 9998c06..8220d89 100644
--- a/internal/contentenc/content.go
+++ b/internal/contentenc/content.go
@@ -86,7 +86,9 @@ func (be *ContentEnc) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, file
 var pBlock []byte
 pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileID)
 if err != nil {
- if be.forceDecode == false || (be.forceDecode == true && stupidgcm.AuthError != err) {
+ if be.forceDecode && err == stupidgcm.ErrAuth {
+ tlog.Warn.Printf("DecryptBlocks: authentication failure in block #%d, overriden by forcedecode", firstBlockNo)
+ } else {
 break
 }
 }
@@ -139,11 +141,10 @@ func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileID []b
 if err != nil {
 tlog.Warn.Printf("DecryptBlock: %s, len=%d", err.Error(), len(ciphertextOrig))
 tlog.Debug.Println(hex.Dump(ciphertextOrig))
- if be.forceDecode == true {
+ if be.forceDecode && err == stupidgcm.ErrAuth {
 return plaintext, err
- } else {
- return nil, err
 }
+ return nil, err
 }
 return plaintext, nil
diff --git a/internal/fusefrontend/file.go b/internal/fusefrontend/file.go
index 4d75d64..111775c 100644
--- a/internal/fusefrontend/file.go
+++ b/internal/fusefrontend/file.go
@@ -18,6 +18,7 @@ import (
 "github.com/rfjakob/gocryptfs/internal/contentenc"
 "github.com/rfjakob/gocryptfs/internal/serialize_reads"
+ "github.com/rfjakob/gocryptfs/internal/stupidgcm"
 "github.com/rfjakob/gocryptfs/internal/syscallcompat"
 "github.com/rfjakob/gocryptfs/internal/tlog"
 )
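Review bot: In DecryptBlocks the forcedecode branch lets the loop carry on, but `err` is reassigned by `pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileID)` on every iteration, so an authentication failure in any block but the last is probably overwritten by a later success. The return statement is outside this hunk, so this is inferred; if the function returns `err`, a caller such as doRead cannot tell that the buffer holds unauthenticated data. Consider recording the failure in the new branch, e.g. `authErr = err`, and returning it after the loop when no other error occurred. The new warning prints `firstBlockNo`, which names the failing block only if it is advanced per iteration in code not shown here.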
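Review bot: DecryptBlock now hands back non-nil plaintext together with a non-nil error in exactly one case, and that unusual contract is not stated where callers will read it. The function header is outside this hunk; its doc comment should gain a sentence such as `// If forceDecode is set and authentication fails, the unauthenticated plaintext is returned together with stupidgcm.ErrAuth; every other error returns nil data.` That makes it explicit that a caller must inspect the error before trusting the bytes.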
@@ -200,9 +201,14 @@ func (f *file) doRead(off uint64, length uint64) ([]byte, fuse.Status) {
 // Decrypt it
 plaintext, err := f.contentEnc.DecryptBlocks(ciphertext, firstBlockNo, fileID)
 if err != nil {
- curruptBlockNo := firstBlockNo + f.contentEnc.PlainOffToBlockNo(uint64(len(plaintext)))
- tlog.Warn.Printf("ino%d: doRead: corrupt block #%d: %v", f.devIno.ino, curruptBlockNo, err)
- if (f.fs.args.ForceDecode == false) {
+ if f.fs.args.ForceDecode && err == stupidgcm.ErrAuth {
+ // We do not have the information which block was corrupt here anymore,
+ // but DecryptBlocks() has already logged it anyway.
+ tlog.Warn.Printf("ino%d: doRead off=%d len=%d: returning corrupt data due to forcedecode",
+ f.devIno.ino, off, length)
+ } else {
+ curruptBlockNo := firstBlockNo + f.contentEnc.PlainOffToBlockNo(uint64(len(plaintext)))
+ tlog.Warn.Printf("ino%d: doRead: corrupt block #%d: %v", f.devIno.ino, curruptBlockNo, err)
 return nil, fuse.EIO
 }
 }
diff --git a/internal/stupidgcm/autherr.go b/internal/stupidgcm/autherr.go
new file mode 100644
index 0000000..e59f92e
--- /dev/null
+++ b/internal/stupidgcm/autherr.go
@@ -0,0 +1,8 @@
+package stupidgcm
+
+import (
+ "fmt"
+)
+
+// ErrAuth is returned when the message authentication fails
+var ErrAuth = fmt.Errorf("stupidgcm: message authentication failed")
diff --git a/internal/stupidgcm/stupidgcm.go b/internal/stupidgcm/stupidgcm.go
index 133ee1a..5cc6c3c 100644
--- a/internal/stupidgcm/stupidgcm.go
+++ b/internal/stupidgcm/stupidgcm.go
@@ -10,7 +10,6 @@ import "C"
 import (
 "crypto/cipher"
- "fmt"
 "log"
 "unsafe"
 )
@@ -30,9 +29,6 @@ type stupidGCM struct {
 forceDecode bool
 }
-//authentication error
-var AuthError error = fmt.Errorf("stupidgcm: message authentication failed")
-
 var _ cipher.AEAD = &stupidGCM{}
 // New returns a new cipher.AEAD implementation..
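Review bot: doRead decides on `f.fs.args.ForceDecode` while DecryptBlocks decides on `be.forceDecode`, and nothing in this hunk ties the two flags together. If they ever differ, with the flag set here but not in contentenc, DecryptBlocks presumably stops at the failing block and the new branch would pass a shortened buffer on as a successful read instead of returning `fuse.EIO`. A comment on the branch stating the invariant, e.g. `// args.ForceDecode must equal the forceDecode flag given to contentenc`, would make the dependency visible to the next maintainer. The rest of doRead lies outside the hunk.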
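Review bot: `ErrAuth` in autherr.go is a fixed sentinel with no format verbs, so `errors.New` is the idiomatic constructor: `var ErrAuth = errors.New("stupidgcm: message authentication failed")`, importing `"errors"` instead of `"fmt"`. Since the callers in this commit test it with `err == stupidgcm.ErrAuth`, the doc comment could also say that it is compared by identity and must not be wrapped on the way up.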
@@ -193,10 +189,9 @@ func (g stupidGCM) Open(dst, iv, in, authData []byte) ([]byte, error) {
 // The error code must always be checked by the calling function, because the decrypted buffer
 // may contain corrupted data that we are returning in case the user forced reads
 if g.forceDecode == true {
- return append(dst, buf...), AuthError
- } else {
- return nil, AuthError
+ return append(dst, buf...), ErrAuth
 }
+ return nil, ErrAuth
 }
 return append(dst, buf...), nil
diff --git a/internal/stupidgcm/without_openssl.go b/internal/stupidgcm/without_openssl.go
index 52d8fa0..1c6ebcf 100644
--- a/internal/stupidgcm/without_openssl.go
+++ b/internal/stupidgcm/without_openssl.go
@@ -14,9 +14,6 @@ const (
 BuiltWithoutOpenssl = true
 )
-//authentication error - needed to compile as same varaible is exported when openssl is enable via stupidgcm.go
-var AuthError error = fmt.Errorf("stupidgcm: message authentication failed with openssl disabled!")
-
 func errExit() {
 fmt.Fprintln(os.Stderr, "gocryptfs has been compiled without openssl support but you are still trying to use openssl")
 os.Exit(2) |
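Review bot: The retained context line `if g.forceDecode == true {` in Open is the same explicit boolean comparison this commit simplifies in content.go and file.go; `if g.forceDecode {` would be consistent with those. Open's body begins and ends outside the hunk.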