From 94e8004b6ce497dafd13e8c3f6f6596b49169970 Mon Sep 17 00:00:00 2001
From: Jakob Unterwurzacher
Date: Wed, 8 Sep 2021 20:32:16 +0200
Subject: Make -openssl also apply to xchacha

Now that stupidgcm supports xchacha, make it available
on mount.
---
 mount.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'mount.go')

diff --git a/mount.go b/mount.go
index d7cd7db..b1c76dd 100644
--- a/mount.go
+++ b/mount.go
@@ -259,7 +259,11 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 		cryptoBackend = cryptocore.BackendAESSIV
 	}
 	if args.xchacha {
-		cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+		if args.openssl {
+			cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+		} else {
+			cryptoBackend = cryptocore.BackendXChaCha20Poly1305
+		}
 		IVBits = chacha20poly1305.NonceSizeX * 8
 	}
 	// forceOwner implies allow_other, as documented.
@@ -291,6 +295,7 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 		frontendArgs.DeterministicNames = !confFile.IsFeatureFlagSet(configfile.FlagDirIV)
 		args.raw64 = confFile.IsFeatureFlagSet(configfile.FlagRaw64)
 		args.hkdf = confFile.IsFeatureFlagSet(configfile.FlagHKDF)
+		// Note: this will always return the non-openssl variant
 		cryptoBackend, err = confFile.ContentEncryption()
 		if err != nil {
 			tlog.Fatal.Printf("%v", err)
@@ -301,8 +306,14 @@ func initFuseFrontend(args *argContainer) (rootNode fs.InodeEmbedder, wipeKeys f
 			tlog.Fatal.Printf("AES-SIV is required by reverse mode, but not enabled in the config file")
 			os.Exit(exitcodes.Usage)
 		}
-		if cryptoBackend == cryptocore.BackendGoGCM && args.openssl {
-			cryptoBackend = cryptocore.BackendOpenSSL
+		// Upgrade to OpenSSL variant if requested
+		if args.openssl {
+			switch cryptoBackend {
+			case cryptocore.BackendGoGCM:
+				cryptoBackend = cryptocore.BackendOpenSSL
+			case cryptocore.BackendXChaCha20Poly1305:
+				cryptoBackend = cryptocore.BackendXChaCha20Poly1305OpenSSL
+			}
 		}
 	}
 	// If allow_other is set and we run as root, try to give newly created files to
-- 
cgit v1.2.3