diff options
Diffstat (limited to 'cryptfs/fs.go')
-rw-r--r-- | cryptfs/fs.go | 201 |
1 files changed, 0 insertions, 201 deletions
diff --git a/cryptfs/fs.go b/cryptfs/fs.go deleted file mode 100644 index f5781e2..0000000 --- a/cryptfs/fs.go +++ /dev/null @@ -1,201 +0,0 @@ -package cryptfs - -import ( - "crypto/cipher" - "crypto/aes" - "fmt" - "strings" - "encoding/base64" - "errors" - "os" -) - -const ( - NONCE_LEN = 12 - AUTH_TAG_LEN = 16 - DEFAULT_PLAINBS = 4096 - - ENCRYPT = true - DECRYPT = false -) - -type CryptFS struct { - blockCipher cipher.Block - gcm cipher.AEAD - plainBS int64 - cipherBS int64 -} - -func NewCryptFS(key [16]byte) *CryptFS { - - b, err := aes.NewCipher(key[:]) - if err != nil { - panic(err) - } - - g, err := cipher.NewGCM(b) - if err != nil { - panic(err) - } - - return &CryptFS{ - blockCipher: b, - gcm: g, - plainBS: DEFAULT_PLAINBS, - cipherBS: DEFAULT_PLAINBS + NONCE_LEN + AUTH_TAG_LEN, - } -} - -func (fs *CryptFS) NewFile(f *os.File) *CryptFile { - return &CryptFile { - file: f, - gcm: fs.gcm, - plainBS: fs.plainBS, - cipherBS: fs.cipherBS, - } -} - -// DecryptName - decrypt filename -func (be *CryptFS) decryptName(cipherName string) (string, error) { - - bin, err := base64.URLEncoding.DecodeString(cipherName) - if err != nil { - return "", err - } - - if len(bin) % aes.BlockSize != 0 { - return "", errors.New(fmt.Sprintf("Name len=%d is not a multiple of 16", len(bin))) - } - - iv := make([]byte, aes.BlockSize) // TODO ? - cbc := cipher.NewCBCDecrypter(be.blockCipher, iv) - cbc.CryptBlocks(bin, bin) - - bin, err = be.unPad16(bin) - if err != nil { - return "", err - } - - plain := string(bin) - return plain, err -} - -// EncryptName - encrypt filename -func (be *CryptFS) encryptName(plainName string) string { - - bin := []byte(plainName) - bin = be.pad16(bin) - - iv := make([]byte, 16) // TODO ? - cbc := cipher.NewCBCEncrypter(be.blockCipher, iv) - cbc.CryptBlocks(bin, bin) - - cipherName64 := base64.URLEncoding.EncodeToString(bin) - - return cipherName64 -} - -// TranslatePath - encrypt or decrypt path. Just splits the string on "/" -// and hands the parts to EncryptName() / DecryptName() -func (be *CryptFS) translatePath(path string, op bool) (string, error) { - var err error - - // Empty string means root directory - if path == "" { - return path, err - } - - // Run operation on each path component - var translatedParts []string - parts := strings.Split(path, "/") - for _, part := range parts { - var newPart string - if op == ENCRYPT { - newPart = be.encryptName(part) - } else { - newPart, err = be.decryptName(part) - if err != nil { - return "", err - } - } - translatedParts = append(translatedParts, newPart) - } - - return strings.Join(translatedParts, "/"), err -} - -// EncryptPath - encrypt filename or path. Just hands it to TranslatePath(). -func (be *CryptFS) EncryptPath(path string) string { - newPath, _ := be.translatePath(path, ENCRYPT) - return newPath -} - -// DecryptPath - decrypt filename or path. Just hands it to TranslatePath(). -func (be *CryptFS) DecryptPath(path string) (string, error) { - return be.translatePath(path, DECRYPT) -} - -// plainSize - calculate plaintext size from ciphertext size -func (be *CryptFS) PlainSize(s int64) int64 { - // Zero sized files stay zero-sized - if s > 0 { - // Number of blocks - n := s / be.cipherBS + 1 - overhead := be.cipherBS - be.plainBS - s -= n * overhead - } - return s -} - -// pad16 - pad filename to 16 byte blocks using standard PKCS#7 padding -// https://tools.ietf.org/html/rfc5652#section-6.3 -func (be *CryptFS) pad16(orig []byte) (padded []byte) { - oldLen := len(orig) - if oldLen == 0 { - panic("Padding zero-length string makes no sense") - } - padLen := aes.BlockSize - oldLen % aes.BlockSize - if padLen == 0 { - padLen = aes.BlockSize - } - newLen := oldLen + padLen - padded = make([]byte, newLen) - copy(padded, orig) - padByte := byte(padLen) - for i := oldLen; i < newLen; i++ { - padded[i] = padByte - } - return padded -} - -// unPad16 - remove padding -func (be *CryptFS) unPad16(orig []byte) ([]byte, error) { - oldLen := len(orig) - if oldLen % aes.BlockSize != 0 { - return nil, errors.New("Unaligned size") - } - // The last byte is always a padding byte - padByte := orig[oldLen -1] - // The padding byte's value is the padding length - padLen := int(padByte) - // Padding must be at least 1 byte - if padLen <= 0 { - return nil, errors.New("Padding cannot be zero-length") - } - // Larger paddings make no sense - if padLen > aes.BlockSize { - return nil, errors.New("Padding cannot be larger than 16") - } - // All padding bytes must be identical - for i := oldLen - padLen; i < oldLen; i++ { - if orig[i] != padByte { - return nil, errors.New(fmt.Sprintf("Padding byte at i=%d is invalid", i)) - } - } - newLen := oldLen - padLen - // Padding an empty string makes no sense - if newLen == 0 { - return nil, errors.New("Unpadded length is zero") - } - return orig[0:newLen], nil -} |