From 1c86893d9517805292b3cdc9091876165abbb0e3 Mon Sep 17 00:00:00 2001 From: Dietmar Maurer Date: Thu, 21 Jan 2021 11:56:54 +0100 Subject: [PATCH] cleanup: always compute fingerprint in KeyConfig constructors --- src/api2/config/tape_encryption_keys.rs | 4 +--- src/backup/key_derivation.rs | 22 +++++++++++++++------- src/bin/proxmox-backup-client.rs | 3 +-- src/bin/proxmox_backup_client/key.rs | 18 +++++------------- src/config/tape_encryption_keys.rs | 16 ++-------------- 5 files changed, 24 insertions(+), 39 deletions(-) diff --git a/src/api2/config/tape_encryption_keys.rs b/src/api2/config/tape_encryption_keys.rs index 444babac..dcaab904 100644 --- a/src/api2/config/tape_encryption_keys.rs +++ b/src/api2/config/tape_encryption_keys.rs @@ -15,7 +15,6 @@ use crate::{ config::{ tape_encryption_keys::{ TAPE_KEYS_LOCKFILE, - generate_tape_encryption_key, load_keys, load_key_configs, save_keys, @@ -133,7 +132,6 @@ pub fn change_passphrase( let (key, created, fingerprint) = key_config.decrypt(&|| Ok(password.as_bytes().to_vec()))?; let mut new_key_config = KeyConfig::with_key(&key, new_password.as_bytes(), kdf)?; new_key_config.created = created; // keep original value - new_key_config.fingerprint = Some(fingerprint.clone()); new_key_config.hint = Some(hint); config_map.insert(fingerprint, new_key_config); @@ -178,7 +176,7 @@ pub fn create_key( bail!("Please specify a key derivation funktion (none is not allowed here)."); } - let (key, mut key_config) = generate_tape_encryption_key(password.as_bytes(), kdf)?; + let (key, mut key_config) = KeyConfig::new(password.as_bytes(), kdf)?; key_config.hint = Some(hint); let fingerprint = key_config.fingerprint.clone().unwrap(); diff --git a/src/backup/key_derivation.rs b/src/backup/key_derivation.rs index 67da9d1c..5b46a70c 100644 --- a/src/backup/key_derivation.rs +++ b/src/backup/key_derivation.rs @@ -117,21 +117,25 @@ impl KeyConfig { } /// Creates a new, unencrypted key. - pub fn without_password(raw_key: [u8; 32]) -> Self { + pub fn without_password(raw_key: [u8; 32]) -> Result { + // always compute fingerprint + let crypt_config = CryptConfig::new(raw_key.clone())?; + let fingerprint = Some(crypt_config.fingerprint()); + let created = proxmox::tools::time::epoch_i64(); - Self { + Ok(Self { kdf: None, created, modified: created, data: raw_key.to_vec(), - fingerprint: None, + fingerprint, hint: None, - } + }) } /// Creates a new instance, protect raw_key with passphrase. pub fn with_key( - raw_key: &[u8], + raw_key: &[u8; 32], passphrase: &[u8], kdf: Kdf, ) -> Result { @@ -170,7 +174,7 @@ impl KeyConfig { &derived_key, Some(&iv), b"", - &raw_key, + raw_key, &mut tag, )?; @@ -181,12 +185,16 @@ impl KeyConfig { let created = proxmox::tools::time::epoch_i64(); + // always compute fingerprint + let crypt_config = CryptConfig::new(raw_key.clone())?; + let fingerprint = Some(crypt_config.fingerprint()); + Ok(Self { kdf: Some(kdf), created, modified: created, data: enc_data, - fingerprint: None, + fingerprint, hint: None, }) } diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs index 73fb1a16..041a670c 100644 --- a/src/bin/proxmox-backup-client.rs +++ b/src/bin/proxmox-backup-client.rs @@ -924,9 +924,8 @@ async fn create_backup( let pem_data = file_get_contents(path)?; let rsa = openssl::rsa::Rsa::public_key_from_pem(&pem_data)?; - let mut key_config = KeyConfig::without_password(key); + let mut key_config = KeyConfig::without_password(key)?; key_config.created = created; // keep original value - key_config.fingerprint = Some(fingerprint); let enc_key = rsa_encrypt_key_config(rsa, &key_config)?; println!("Master key '{:?}'", path); diff --git a/src/bin/proxmox_backup_client/key.rs b/src/bin/proxmox_backup_client/key.rs index d136309b..bbc60141 100644 --- a/src/bin/proxmox_backup_client/key.rs +++ b/src/bin/proxmox_backup_client/key.rs @@ -27,7 +27,6 @@ use proxmox_backup::{ }, backup::{ rsa_decrypt_key_config, - CryptConfig, KeyConfig, }, tools, @@ -127,7 +126,6 @@ fn create( let mut key = [0u8; 32]; proxmox::sys::linux::fill_with_random_data(&mut key)?; - let crypt_config = CryptConfig::new(key.clone())?; match kdf { Kdf::None => { @@ -135,8 +133,7 @@ fn create( bail!("password hint not allowed for Kdf::None"); } - let mut key_config = KeyConfig::without_password(key); - key_config.fingerprint = Some(crypt_config.fingerprint()); + let key_config = KeyConfig::without_password(key)?; key_config.store(path, false)?; } @@ -149,7 +146,6 @@ fn create( let password = tty::read_and_verify_password("Encryption Key Password: ")?; let mut key_config = KeyConfig::with_key(&key, &password, kdf)?; - key_config.fingerprint = Some(crypt_config.fingerprint()); key_config.hint = hint; key_config.store(&path, false)?; @@ -214,7 +210,7 @@ async fn import_with_master_key( .rsa() .map_err(|err| format_err!("not a valid private RSA key - {}", err))?; - let (key, created, fingerprint) = + let (key, created, _fingerprint) = rsa_decrypt_key_config(master_key, &encrypted_key, &get_encryption_key_password)?; let kdf = kdf.unwrap_or_default(); @@ -224,9 +220,8 @@ async fn import_with_master_key( bail!("password hint not allowed for Kdf::None"); } - let mut key_config = KeyConfig::without_password(key); + let mut key_config = KeyConfig::without_password(key)?; key_config.created = created; // keep original value - key_config.fingerprint = Some(fingerprint); key_config.store(path, true)?; @@ -236,7 +231,6 @@ async fn import_with_master_key( let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?; new_key_config.created = created; // keep original value - new_key_config.fingerprint = Some(fingerprint); new_key_config.hint = hint; new_key_config.store(path, true)?; @@ -289,7 +283,7 @@ fn change_passphrase( } let key_config = KeyConfig::load(&path)?; - let (key, created, fingerprint) = key_config.decrypt(&get_encryption_key_password)?; + let (key, created, _fingerprint) = key_config.decrypt(&get_encryption_key_password)?; match kdf { Kdf::None => { @@ -297,9 +291,8 @@ fn change_passphrase( bail!("password hint not allowed for Kdf::None"); } - let mut key_config = KeyConfig::without_password(key); + let mut key_config = KeyConfig::without_password(key)?; key_config.created = created; // keep original value - key_config.fingerprint = Some(fingerprint); key_config.store(&path, true)?; } @@ -308,7 +301,6 @@ fn change_passphrase( let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?; new_key_config.created = created; // keep original value - new_key_config.fingerprint = Some(fingerprint); new_key_config.hint = hint; new_key_config.store(&path, true)?; diff --git a/src/config/tape_encryption_keys.rs b/src/config/tape_encryption_keys.rs index 928a9fef..d3c607a2 100644 --- a/src/config/tape_encryption_keys.rs +++ b/src/config/tape_encryption_keys.rs @@ -11,11 +11,9 @@ use proxmox::tools::fs::{ }; use crate::{ - api2::types::Kdf, backup::{ Fingerprint, KeyConfig, - CryptConfig, }, }; @@ -52,17 +50,6 @@ pub struct EncryptionKeyInfo { pub key: [u8; 32], } -pub fn compute_tape_key_fingerprint(key: &[u8; 32]) -> Result { - let crypt_config = CryptConfig::new(*key)?; - Ok(crypt_config.fingerprint()) -} - -pub fn generate_tape_encryption_key(password: &[u8], kdf: Kdf) -> Result<([u8; 32], KeyConfig), Error> { - let (key, mut key_config) = KeyConfig::new(password, kdf)?; - key_config.fingerprint = Some(compute_tape_key_fingerprint(&key)?); - Ok((key, key_config)) -} - impl EncryptionKeyInfo { pub fn new(key: [u8; 32], fingerprint: Fingerprint) -> Self { Self { fingerprint, key } @@ -86,7 +73,8 @@ pub fn load_keys() -> Result<(HashMap, [u8;32]) let mut map = HashMap::new(); for item in key_list { - let expected_fingerprint = compute_tape_key_fingerprint(&item.key)?; + let key_config = KeyConfig::without_password(item.key)?; // to compute fingerprint + let expected_fingerprint = key_config.fingerprint.unwrap(); if item.fingerprint != expected_fingerprint { bail!( "inconsistent fingerprint ({} != {})", -- 2.39.2