1 //! Wrappers for OpenSSL crypto functions
3 //! We use this to encrypt and decryprt data chunks. Cipher is
4 //! AES_256_GCM, which is fast and provides authenticated encryption.
6 //! See the Wikipedia Artikel for [Authenticated
7 //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
8 //! for a short introduction.
9 use anyhow
::{bail, Error}
;
10 use openssl
::pkcs5
::pbkdf2_hmac
;
11 use openssl
::hash
::MessageDigest
;
12 use openssl
::symm
::{decrypt_aead, Cipher, Crypter, Mode}
;
14 use chrono
::{Local, TimeZone, DateTime}
;
16 /// Encryption Configuration with secret key
18 /// This structure stores the secret key and provides helpers for
19 /// authenticated encryption.
20 pub struct CryptConfig
{
23 // A secrect key use to provide the chunk digest name space.
25 // Openssl hmac PKey of id_key
26 id_pkey
: openssl
::pkey
::PKey
<openssl
::pkey
::Private
>,
27 // The private key used by the cipher.
34 /// Create a new instance.
36 /// We compute a derived 32 byte key using pbkdf2_hmac. This second
37 /// key is used in compute_digest.
38 pub fn new(enc_key
: [u8; 32]) -> Result
<Self, Error
> {
40 let mut id_key
= [0u8; 32];
46 MessageDigest
::sha256(),
49 let id_pkey
= openssl
::pkey
::PKey
::hmac(&id_key
).unwrap();
51 Ok(Self { id_key, id_pkey, enc_key, cipher: Cipher::aes_256_gcm() }
)
55 pub fn cipher(&self) -> &Cipher
{
59 /// Compute a chunk digest using a secret name space.
61 /// Computes an SHA256 checksum over some secret data (derived
62 /// from the secret key) and the provided data. This ensures that
63 /// chunk digest values do not clash with values computed for
64 /// other sectret keys.
65 pub fn compute_digest(&self, data
: &[u8]) -> [u8; 32] {
66 // FIXME: use HMAC-SHA256 instead??
67 let mut hasher
= openssl
::sha
::Sha256
::new();
68 hasher
.update(&self.id_key
);
73 pub fn data_signer(&self) -> openssl
::sign
::Signer
{
74 openssl
::sign
::Signer
::new(MessageDigest
::sha256(), &self.id_pkey
).unwrap()
77 /// Compute authentication tag (hmac/sha256)
79 /// Computes an SHA256 HMAC using some secret data (derived
80 /// from the secret key) and the provided data.
81 pub fn compute_auth_tag(&self, data
: &[u8]) -> [u8; 32] {
82 let mut signer
= self.data_signer();
83 signer
.update(data
).unwrap();
84 let mut tag
= [0u8; 32];
85 signer
.sign(&mut tag
).unwrap();
89 pub fn data_crypter(&self, iv
: &[u8; 16], mode
: Mode
) -> Result
<Crypter
, Error
> {
90 let mut crypter
= openssl
::symm
::Crypter
::new(self.cipher
, mode
, &self.enc_key
, Some(iv
))?
;
91 crypter
.aad_update(b
"")?
; //??
95 /// Encrypt data using a random 16 byte IV.
97 /// Writes encrypted data to ``output``, Return the used IV and computed MAC.
98 pub fn encrypt_to
<W
: Write
>(
102 ) -> Result
<([u8;16], [u8;16]), Error
> {
104 let mut iv
= [0u8; 16];
105 proxmox
::sys
::linux
::fill_with_random_data(&mut iv
)?
;
107 let mut tag
= [0u8; 16];
109 let mut c
= self.data_crypter(&iv
, Mode
::Encrypt
)?
;
111 const BUFFER_SIZE
: usize = 32*1024;
113 let mut encr_buf
= [0u8; BUFFER_SIZE
];
114 let max_encoder_input
= BUFFER_SIZE
- self.cipher
.block_size();
118 let mut end
= start
+ max_encoder_input
;
119 if end
> data
.len() { end = data.len(); }
121 let count
= c
.update(&data
[start
..end
], &mut encr_buf
)?
;
122 output
.write_all(&encr_buf
[..count
])?
;
129 let rest
= c
.finalize(&mut encr_buf
)?
;
130 if rest
> 0 { output.write_all(&encr_buf[..rest])?; }
134 c
.get_tag(&mut tag
)?
;
139 /// Decompress and decrypt data, verify MAC.
140 pub fn decode_compressed_chunk(
145 ) -> Result
<Vec
<u8>, Error
> {
147 let dec
= Vec
::with_capacity(1024*1024);
149 let mut decompressor
= zstd
::stream
::write
::Decoder
::new(dec
)?
;
151 let mut c
= self.data_crypter(iv
, Mode
::Decrypt
)?
;
153 const BUFFER_SIZE
: usize = 32*1024;
155 let mut decr_buf
= [0u8; BUFFER_SIZE
];
156 let max_decoder_input
= BUFFER_SIZE
- self.cipher
.block_size();
160 let mut end
= start
+ max_decoder_input
;
161 if end
> data
.len() { end = data.len(); }
163 let count
= c
.update(&data
[start
..end
], &mut decr_buf
)?
;
164 decompressor
.write_all(&decr_buf
[0..count
])?
;
172 let rest
= c
.finalize(&mut decr_buf
)?
;
173 if rest
> 0 { decompressor.write_all(&decr_buf[..rest])?; }
175 decompressor
.flush()?
;
177 Ok(decompressor
.into_inner())
180 /// Decrypt data, verify tag.
181 pub fn decode_uncompressed_chunk(
186 ) -> Result
<Vec
<u8>, Error
> {
188 let decr_data
= decrypt_aead(
200 pub fn generate_rsa_encoded_key(
202 rsa
: openssl
::rsa
::Rsa
<openssl
::pkey
::Public
>,
203 created
: DateTime
<Local
>,
204 ) -> Result
<Vec
<u8>, Error
> {
206 let modified
= Local
.timestamp(Local
::now().timestamp(), 0);
207 let key_config
= super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() }
;
208 let data
= serde_json
::to_string(&key_config
)?
.as_bytes().to_vec();
210 let mut buffer
= vec
![0u8; rsa
.size() as usize];
211 let len
= rsa
.public_encrypt(&data
, &mut buffer
, openssl
::rsa
::Padding
::PKCS1
)?
;
212 if len
!= buffer
.len() {
213 bail
!("got unexpected length from rsa.public_encrypt().");