summaryrefslogtreecommitdiff
path: root/mount.go
diff options
context:
space:
mode:
Diffstat (limited to 'mount.go')
-rw-r--r--mount.go17
1 files changed, 14 insertions, 3 deletions
diff --git a/mount.go b/mount.go
index d7cd7db..b1c76dd 100644
--- a/mount.go
+++ b/mount.go
@@ -259,7 +259,11 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
cryptoBackend = cryptocore.BackendAESSIV
}
if args.xchacha {
- cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+ if args.openssl {
+ cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+ } else {
+ cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+ }
IVBits = chacha20poly1305.NonceSizeX * 8
}
// forceOwner implies allow_other, as documented.
@@ -291,6 +295,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
frontendArgs.DeterministicNames = !confFile.IsFeatureFlagSet(configfile.FlagDirIV)
args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64)
args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF)
+ // Note: this will always return the non-openssl variant
cryptoBackend, err = confFile.ContentEncryption()
if err != nil {
tlog.Fatal.Printf("%v", err)
@@ -301,8 +306,14 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file")
os.Exit(exitcodes.Usage)
}
- if cryptoBackend == cryptocore.BackendGoGCM && args.openssl {
- cryptoBackend = cryptocore.BackendOpenSSL
+ // Upgrade to OpenSSL variant if requested
+ if args.openssl {
+ switch cryptoBackend {
+ case cryptocore.BackendGoGCM:
+ cryptoBackend = cryptocore.BackendOpenSSL
+ case cryptocore.BackendXChaCha20Poly1305:
+ cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+ }
}
}
// If allow_other is set and we run as root, try to give newly created files to