]>
Commit | Line | Data |
---|---|---|
48b4b40b DM |
1 | //! Wrappers for OpenSSL crypto functions |
2 | //! | |
f323e906 | 3 | //! We use this to encrypt and decrypt data chunks. Cipher is |
48b4b40b DM |
4 | //! AES_256_GCM, which is fast and provides authenticated encryption. |
5 | //! | |
6 | //! See the Wikipedia Artikel for [Authenticated | |
7 | //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption) | |
8 | //! for a short introduction. | |
f28d9088 | 9 | |
8acfd15d | 10 | use anyhow::{Error}; |
48b4b40b | 11 | use openssl::hash::MessageDigest; |
f28d9088 | 12 | use openssl::pkcs5::pbkdf2_hmac; |
ed208076 | 13 | use openssl::symm::{Cipher, Crypter, Mode}; |
f28d9088 | 14 | |
ea584a75 | 15 | pub use pbs_api_types::{CryptMode, Fingerprint}; |
770a36e5 | 16 | |
05cdc053 | 17 | // openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint") |
feb1645f DM |
18 | /// This constant is used to compute fingerprints. |
19 | const FINGERPRINT_INPUT: [u8; 32] = [ | |
20 | 110, 208, 239, 119, 71, 31, 255, 77, | |
21 | 85, 199, 168, 254, 74, 157, 182, 33, | |
22 | 97, 64, 127, 19, 76, 114, 93, 223, | |
23 | 48, 153, 45, 37, 236, 69, 237, 38, | |
24 | ]; | |
84cbdb35 | 25 | |
48b4b40b DM |
26 | /// Encryption Configuration with secret key |
27 | /// | |
28 | /// This structure stores the secret key and provides helpers for | |
29 | /// authenticated encryption. | |
30 | pub struct CryptConfig { | |
31 | // the Cipher | |
32 | cipher: Cipher, | |
33 | // A secrect key use to provide the chunk digest name space. | |
cb0eea29 DM |
34 | id_key: [u8; 32], |
35 | // Openssl hmac PKey of id_key | |
36 | id_pkey: openssl::pkey::PKey<openssl::pkey::Private>, | |
48b4b40b DM |
37 | // The private key used by the cipher. |
38 | enc_key: [u8; 32], | |
39 | } | |
40 | ||
41 | impl CryptConfig { | |
42 | ||
43 | /// Create a new instance. | |
44 | /// | |
45 | /// We compute a derived 32 byte key using pbkdf2_hmac. This second | |
46 | /// key is used in compute_digest. | |
47 | pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> { | |
48 | ||
cb0eea29 | 49 | let mut id_key = [0u8; 32]; |
48b4b40b DM |
50 | |
51 | pbkdf2_hmac( | |
52 | &enc_key, | |
53 | b"_id_key", | |
54 | 10, | |
55 | MessageDigest::sha256(), | |
56 | &mut id_key)?; | |
57 | ||
cb0eea29 DM |
58 | let id_pkey = openssl::pkey::PKey::hmac(&id_key).unwrap(); |
59 | ||
60 | Ok(Self { id_key, id_pkey, enc_key, cipher: Cipher::aes_256_gcm() }) | |
48b4b40b DM |
61 | } |
62 | ||
ed208076 | 63 | /// Expose Cipher (AES_256_GCM) |
2aa0bfff DM |
64 | pub fn cipher(&self) -> &Cipher { |
65 | &self.cipher | |
66 | } | |
67 | ||
ed208076 DM |
68 | /// Expose encryption key |
69 | pub fn enc_key(&self) -> &[u8; 32] { | |
70 | &self.enc_key | |
71 | } | |
72 | ||
48b4b40b DM |
73 | /// Compute a chunk digest using a secret name space. |
74 | /// | |
75 | /// Computes an SHA256 checksum over some secret data (derived | |
76 | /// from the secret key) and the provided data. This ensures that | |
77 | /// chunk digest values do not clash with values computed for | |
78 | /// other sectret keys. | |
79 | pub fn compute_digest(&self, data: &[u8]) -> [u8; 32] { | |
80 | let mut hasher = openssl::sha::Sha256::new(); | |
48b4b40b | 81 | hasher.update(data); |
c1ff544e | 82 | hasher.update(&self.id_key); // at the end, to avoid length extensions attacks |
834a2f95 | 83 | hasher.finish() |
48b4b40b DM |
84 | } |
85 | ||
ed208076 | 86 | /// Returns an openssl Signer using SHA256 |
cb0eea29 DM |
87 | pub fn data_signer(&self) -> openssl::sign::Signer { |
88 | openssl::sign::Signer::new(MessageDigest::sha256(), &self.id_pkey).unwrap() | |
89 | } | |
90 | ||
93205f94 DM |
91 | /// Compute authentication tag (hmac/sha256) |
92 | /// | |
93 | /// Computes an SHA256 HMAC using some secret data (derived | |
94 | /// from the secret key) and the provided data. | |
95 | pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] { | |
cb0eea29 | 96 | let mut signer = self.data_signer(); |
93205f94 DM |
97 | signer.update(data).unwrap(); |
98 | let mut tag = [0u8; 32]; | |
99 | signer.sign(&mut tag).unwrap(); | |
100 | tag | |
101 | } | |
102 | ||
ed208076 DM |
103 | /// Computes a fingerprint for the secret key. |
104 | /// | |
105 | /// This computes a digest using the derived key (id_key) in order | |
106 | /// to hinder brute force attacks. | |
05cdc053 | 107 | pub fn fingerprint(&self) -> Fingerprint { |
a303e002 | 108 | Fingerprint::new(self.compute_digest(&FINGERPRINT_INPUT)) |
05cdc053 FG |
109 | } |
110 | ||
ed208076 | 111 | /// Returns an openssl Crypter using AES_256_GCM, |
a32bd8a5 DM |
112 | pub fn data_crypter(&self, iv: &[u8; 16], mode: Mode) -> Result<Crypter, Error> { |
113 | let mut crypter = openssl::symm::Crypter::new(self.cipher, mode, &self.enc_key, Some(iv))?; | |
c57ec43a DM |
114 | crypter.aad_update(b"")?; //?? |
115 | Ok(crypter) | |
116 | } | |
48b4b40b | 117 | } |