aboutsummaryrefslogtreecommitdiff
path: root/internal/nametransform/names.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/nametransform/names.go')
-rw-r--r--internal/nametransform/names.go84
1 files changed, 84 insertions, 0 deletions
diff --git a/internal/nametransform/names.go b/internal/nametransform/names.go
new file mode 100644
index 0000000..8a7e260
--- /dev/null
+++ b/internal/nametransform/names.go
@@ -0,0 +1,84 @@
+package nametransform
+
+// Filename encryption / decryption functions
+
+import (
+ "crypto/aes"
+ "crypto/cipher"
+ "encoding/base64"
+ "fmt"
+
+ "github.com/rfjakob/eme"
+
+ "github.com/rfjakob/gocryptfs/internal/cryptocore"
+)
+
+type NameTransform struct {
+ cryptoCore *cryptocore.CryptoCore
+ useEME bool
+ longNames bool
+ DirIVCache dirIVCache
+}
+
+func New(c *cryptocore.CryptoCore, useEME bool, longNames bool) *NameTransform {
+ return &NameTransform{
+ cryptoCore: c,
+ longNames: longNames,
+ useEME: useEME,
+ }
+}
+
+// DecryptName - decrypt base64-encoded encrypted filename "cipherName"
+// Used by DecryptPathDirIV().
+// The encryption is either CBC or EME, depending on "useEME".
+//
+// This function is exported because it allows for a very efficient readdir
+// implementation (read IV once, decrypt all names using this function).
+func (n *NameTransform) DecryptName(cipherName string, iv []byte) (string, error) {
+
+ bin, err := base64.URLEncoding.DecodeString(cipherName)
+ if err != nil {
+ return "", err
+ }
+
+ if len(bin)%aes.BlockSize != 0 {
+ return "", fmt.Errorf("Decoded length %d is not a multiple of the AES block size", len(bin))
+ }
+
+ if n.useEME {
+ bin = eme.Transform(n.cryptoCore.BlockCipher, iv, bin, eme.DirectionDecrypt)
+ } else {
+ cbc := cipher.NewCBCDecrypter(n.cryptoCore.BlockCipher, iv)
+ cbc.CryptBlocks(bin, bin)
+ }
+
+ bin, err = unPad16(bin)
+ if err != nil {
+ return "", err
+ }
+
+ plain := string(bin)
+ return plain, err
+}
+
+// encryptName - encrypt "plainName", return base64-encoded "cipherName64".
+// Used internally by EncryptPathDirIV().
+// The encryption is either CBC or EME, depending on "useEME".
+//
+// This function is exported because fusefrontend needs access to the full (not hashed)
+// name if longname is used. Otherwise you should use EncryptPathDirIV()
+func (n *NameTransform) EncryptName(plainName string, iv []byte) (cipherName64 string) {
+
+ bin := []byte(plainName)
+ bin = pad16(bin)
+
+ if n.useEME {
+ bin = eme.Transform(n.cryptoCore.BlockCipher, iv, bin, eme.DirectionEncrypt)
+ } else {
+ cbc := cipher.NewCBCEncrypter(n.cryptoCore.BlockCipher, iv)
+ cbc.CryptBlocks(bin, bin)
+ }
+
+ cipherName64 = base64.URLEncoding.EncodeToString(bin)
+ return cipherName64
+}