From e032539e2c09cd4d1f007d33d7ef97b0fec689ed Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Sun, 5 Mar 2017 13:58:24 +0100 Subject: cryptocore: use eme v1.1 interface Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)! --- internal/cryptocore/cryptocore.go | 11 +++++++---- internal/fusefrontend/fs.go | 2 +- internal/fusefrontend_reverse/rfs.go | 2 +- internal/nametransform/names.go | 15 +++++++-------- 4 files changed, 16 insertions(+), 14 deletions(-) (limited to 'internal') diff --git a/internal/cryptocore/cryptocore.go b/internal/cryptocore/cryptocore.go index 13b278f..d3af7de 100644 --- a/internal/cryptocore/cryptocore.go +++ b/internal/cryptocore/cryptocore.go @@ -9,6 +9,8 @@ import ( "fmt" "log" + "github.com/rfjakob/eme" + "github.com/rfjakob/gocryptfs/internal/siv_aead" "github.com/rfjakob/gocryptfs/internal/stupidgcm" ) @@ -33,8 +35,8 @@ const ( // CryptoCore is the low level crypto implementation. type CryptoCore struct { - // AES-256 block cipher. This is used for EME filename encryption. - BlockCipher cipher.Block + // EME is used for filename encryption. + EMECipher *eme.EMECipher // GCM or AES-SIV. This is used for content encryption. AEADCipher cipher.AEAD // Which backend is behind AEADCipher? @@ -56,12 +58,13 @@ func New(key []byte, backend BackendTypeEnum, IVBitLen int) *CryptoCore { // We want the IV size in bytes IVLen := IVBitLen / 8 - // Name encryption always uses built-in Go AES through BlockCipher. + // Name encryption always uses built-in Go AES through blockCipher. // Content encryption uses BlockCipher only if useOpenssl=false. blockCipher, err := aes.NewCipher(key) if err != nil { log.Panic(err) } + emeCipher := eme.New(blockCipher) var aeadCipher cipher.AEAD switch backend { @@ -90,7 +93,7 @@ func New(key []byte, backend BackendTypeEnum, IVBitLen int) *CryptoCore { } return &CryptoCore{ - BlockCipher: blockCipher, + EMECipher: emeCipher, AEADCipher: aeadCipher, AEADBackend: backend, IVGenerator: &nonceGenerator{nonceLen: IVLen}, diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go index e6e9bdf..e0fdc48 100644 --- a/internal/fusefrontend/fs.go +++ b/internal/fusefrontend/fs.go @@ -42,7 +42,7 @@ var _ pathfs.FileSystem = &FS{} // Verify that interface is implemented. func NewFS(args Args) *FS { cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.DefaultIVBits) contentEnc := contentenc.New(cryptoCore, contentenc.DefaultBS) - nameTransform := nametransform.New(cryptoCore, args.LongNames, args.Raw64) + nameTransform := nametransform.New(cryptoCore.EMECipher, args.LongNames, args.Raw64) return &FS{ FileSystem: pathfs.NewLoopbackFileSystem(args.Cipherdir), diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go index bb3b0e5..55431b6 100644 --- a/internal/fusefrontend_reverse/rfs.go +++ b/internal/fusefrontend_reverse/rfs.go @@ -59,7 +59,7 @@ func NewFS(args fusefrontend.Args) *ReverseFS { initLongnameCache() cryptoCore := cryptocore.New(args.Masterkey, args.CryptoBackend, contentenc.DefaultIVBits) contentEnc := contentenc.New(cryptoCore, contentenc.DefaultBS) - nameTransform := nametransform.New(cryptoCore, args.LongNames, args.Raw64) + nameTransform := nametransform.New(cryptoCore.EMECipher, args.LongNames, args.Raw64) return &ReverseFS{ // pathfs.defaultFileSystem returns ENOSYS for all operations diff --git a/internal/nametransform/names.go b/internal/nametransform/names.go index ddb5faa..feec017 100644 --- a/internal/nametransform/names.go +++ b/internal/nametransform/names.go @@ -8,13 +8,12 @@ import ( "github.com/rfjakob/eme" - "github.com/rfjakob/gocryptfs/internal/cryptocore" "github.com/rfjakob/gocryptfs/internal/tlog" ) // NameTransform is used to transform filenames. type NameTransform struct { - cryptoCore *cryptocore.CryptoCore + emeCipher *eme.EMECipher longNames bool DirIVCache dirIVCache // b64 = either base64.URLEncoding or base64.RawURLEncoding @@ -22,15 +21,15 @@ type NameTransform struct { } // New returns a new NameTransform instance. -func New(c *cryptocore.CryptoCore, longNames bool, raw64 bool) *NameTransform { +func New(e *eme.EMECipher, longNames bool, raw64 bool) *NameTransform { b64 := base64.URLEncoding if raw64 { b64 = getRaw64Encoding() } return &NameTransform{ - cryptoCore: c, - longNames: longNames, - b64: b64, + emeCipher: e, + longNames: longNames, + b64: b64, } } @@ -47,7 +46,7 @@ func (n *NameTransform) DecryptName(cipherName string, iv []byte) (string, error tlog.Debug.Printf("DecryptName %q: decoded length %d is not a multiple of 16", cipherName, len(bin)) return "", syscall.EINVAL } - bin = eme.Transform(n.cryptoCore.BlockCipher, iv, bin, eme.DirectionDecrypt) + bin = n.emeCipher.Decrypt(iv, bin) bin, err = unPad16(bin) if err != nil { tlog.Debug.Printf("pad16 error detail: %v", err) @@ -69,7 +68,7 @@ func (n *NameTransform) DecryptName(cipherName string, iv []byte) (string, error func (n *NameTransform) EncryptName(plainName string, iv []byte) (cipherName64 string) { bin := []byte(plainName) bin = pad16(bin) - bin = eme.Transform(n.cryptoCore.BlockCipher, iv, bin, eme.DirectionEncrypt) + bin = n.emeCipher.Encrypt(iv, bin) cipherName64 = n.b64.EncodeToString(bin) return cipherName64 } -- cgit v1.2.3