From 3409ade2723d931097560fbbe35e461553c5912c Mon Sep 17 00:00:00 2001
From: Jakob Unterwurzacher
Date: Mon, 24 Apr 2017 00:25:02 +0200
Subject: forcedecode: tighten checks

...and fix a few golint issues and print a scary warning message on mount.

Also, force the fs to ro,noexec.
---
 internal/contentenc/content.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'internal/contentenc/content.go')

diff --git a/internal/contentenc/content.go b/internal/contentenc/content.go
index 9998c06..8220d89 100644
--- a/internal/contentenc/content.go
+++ b/internal/contentenc/content.go
@@ -86,7 +86,9 @@ func (be *ContentEnc) DecryptBlocks(ciphertext []byte, firstBlockNo uint64, file
 		var pBlock []byte
 		pBlock, err = be.DecryptBlock(cBlock, firstBlockNo, fileID)
 		if err != nil {
-			if be.forceDecode == false || (be.forceDecode == true && stupidgcm.AuthError != err) {
+			if be.forceDecode && err == stupidgcm.ErrAuth {
+				tlog.Warn.Printf("DecryptBlocks: authentication failure in block #%d, overriden by forcedecode", firstBlockNo)
+			} else {
 				break
 			}
 		}
@@ -139,11 +141,10 @@ func (be *ContentEnc) DecryptBlock(ciphertext []byte, blockNo uint64, fileID []b
 	if err != nil {
 		tlog.Warn.Printf("DecryptBlock: %s, len=%d", err.Error(), len(ciphertextOrig))
 		tlog.Debug.Println(hex.Dump(ciphertextOrig))
-		if be.forceDecode == true {
+		if be.forceDecode && err == stupidgcm.ErrAuth {
 			return plaintext, err
-		} else {
-			return nil, err
 		}
+		return nil, err
 	}
 
 	return plaintext, nil
-- 
cgit v1.2.3