aboutsummaryrefslogtreecommitdiff
path: root/mount.go
diff options
context:
space:
mode:
Diffstat (limited to 'mount.go')
-rw-r--r--mount.go22
1 files changed, 21 insertions, 1 deletions
diff --git a/mount.go b/mount.go
index 810f008..f8347f1 100644
--- a/mount.go
+++ b/mount.go
@@ -19,6 +19,8 @@ import (
"syscall"
"time"
+ "golang.org/x/crypto/chacha20poly1305"
+
"github.com/hanwen/go-fuse/v2/fs"
"github.com/hanwen/go-fuse/v2/fuse"
@@ -249,12 +251,17 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
// Reconciliate CLI and config file arguments into a fusefrontend.Args struct
// that is passed to the filesystem implementation
cryptoBackend := cryptocore.BackendGoGCM
+ IVBits := contentenc.DefaultIVBits
if args.openssl {
cryptoBackend = cryptocore.BackendOpenSSL
}
if args.aessiv {
cryptoBackend = cryptocore.BackendAESSIV
}
+ if args.xchacha {
+ cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+ IVBits = chacha20poly1305.NonceSizeX * 8
+ }
// forceOwner implies allow_other, as documented.
// Set this early, so args.allow_other can be relied on below this point.
if args._forceOwner != nil {
@@ -287,10 +294,23 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF)
if confFile.IsFeatureFlagSet(configfile.FlagAESSIV) {
cryptoBackend = cryptocore.BackendAESSIV
+ IVBits = contentenc.DefaultIVBits
} else if args.reverse {
tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file")
os.Exit(exitcodes.Usage)
}
+ if confFile.IsFeatureFlagSet(configfile.FlagXChaCha20Poly1305) {
+ cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+ IVBits = chacha20poly1305.NonceSizeX * 8
+ }
+ // If neither AES-SIV nor XChaCha are selected, we must be using AES-GCM
+ if !confFile.IsFeatureFlagSet(configfile.FlagAESSIV) && !confFile.IsFeatureFlagSet(configfile.FlagXChaCha20Poly1305) {
+ cryptoBackend = cryptocore.BackendGoGCM
+ if args.openssl {
+ cryptoBackend = cryptocore.BackendOpenSSL
+ }
+ IVBits = contentenc.DefaultIVBits
+ }
}
// If allow_other is set and we run as root, try to give newly created files to
// the right user.
@@ -299,7 +319,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
}
// Init crypto backend
- cCore := cryptocore.New(masterkey, cryptoBackend, contentenc.DefaultIVBits, args.hkdf, args.forcedecode)
+ cCore := cryptocore.New(masterkey, cryptoBackend, IVBits, args.hkdf, args.forcedecode)
cEnc := contentenc.New(cCore, contentenc.DefaultBS, args.forcedecode)
nameTransform := nametransform.New(cCore.EMECipher, frontendArgs.LongNames,
args.raw64, []string(args.badname), frontendArgs.DeterministicNames)