2019-06-08 07:51:49 +00:00
|
|
|
//! Wrappers for OpenSSL crypto functions
|
|
|
|
//!
|
|
|
|
//! We use this to encrypt and decryprt data chunks. Cipher is
|
|
|
|
//! AES_256_GCM, which is fast and provides authenticated encryption.
|
|
|
|
//!
|
|
|
|
//! See the Wikipedia Artikel for [Authenticated
|
|
|
|
//! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
|
|
|
|
//! for a short introduction.
|
2020-07-07 13:20:20 +00:00
|
|
|
|
2020-11-20 16:38:31 +00:00
|
|
|
use std::fmt;
|
|
|
|
use std::fmt::Display;
|
2020-07-07 13:20:20 +00:00
|
|
|
use std::io::Write;
|
|
|
|
|
2020-12-16 13:41:07 +00:00
|
|
|
use anyhow::{Error};
|
2019-06-08 07:51:49 +00:00
|
|
|
use openssl::hash::MessageDigest;
|
2020-07-07 13:20:20 +00:00
|
|
|
use openssl::pkcs5::pbkdf2_hmac;
|
2019-06-10 07:56:06 +00:00
|
|
|
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
2020-07-07 13:20:20 +00:00
|
|
|
use serde::{Deserialize, Serialize};
|
|
|
|
|
2020-11-20 16:38:32 +00:00
|
|
|
use crate::tools::format::{as_fingerprint, bytes_as_fingerprint};
|
|
|
|
|
2020-07-07 13:20:20 +00:00
|
|
|
use proxmox::api::api;
|
|
|
|
|
2020-11-20 16:38:31 +00:00
|
|
|
// openssl::sha::sha256(b"Proxmox Backup Encryption Key Fingerprint")
|
|
|
|
const FINGERPRINT_INPUT: [u8; 32] = [ 110, 208, 239, 119, 71, 31, 255, 77,
|
|
|
|
85, 199, 168, 254, 74, 157, 182, 33,
|
|
|
|
97, 64, 127, 19, 76, 114, 93, 223,
|
|
|
|
48, 153, 45, 37, 236, 69, 237, 38, ];
|
2020-07-07 13:20:20 +00:00
|
|
|
#[api(default: "encrypt")]
|
|
|
|
#[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
|
|
|
|
#[serde(rename_all = "kebab-case")]
|
|
|
|
/// Defines whether data is encrypted (using an AEAD cipher), only signed, or neither.
|
|
|
|
pub enum CryptMode {
|
|
|
|
/// Don't encrypt.
|
|
|
|
None,
|
|
|
|
/// Encrypt.
|
|
|
|
Encrypt,
|
|
|
|
/// Only sign.
|
|
|
|
SignOnly,
|
|
|
|
}
|
|
|
|
|
2020-11-20 16:38:32 +00:00
|
|
|
#[derive(Debug, Eq, PartialEq, Deserialize, Serialize)]
|
|
|
|
#[serde(transparent)]
|
2020-11-20 16:38:31 +00:00
|
|
|
/// 32-byte fingerprint, usually calculated with SHA256.
|
|
|
|
pub struct Fingerprint {
|
2020-11-20 16:38:32 +00:00
|
|
|
#[serde(with = "bytes_as_fingerprint")]
|
2020-11-20 16:38:31 +00:00
|
|
|
bytes: [u8; 32],
|
|
|
|
}
|
|
|
|
|
2020-11-24 13:05:19 +00:00
|
|
|
impl Fingerprint {
|
2020-11-25 06:56:37 +00:00
|
|
|
pub fn new(bytes: [u8; 32]) -> Self {
|
|
|
|
Self { bytes }
|
|
|
|
}
|
2020-11-24 13:05:19 +00:00
|
|
|
pub fn bytes(&self) -> &[u8; 32] {
|
|
|
|
&self.bytes
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-20 16:38:32 +00:00
|
|
|
/// Display as short key ID
|
2020-11-20 16:38:31 +00:00
|
|
|
impl Display for Fingerprint {
|
|
|
|
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
2020-11-20 16:38:32 +00:00
|
|
|
write!(f, "{}", as_fingerprint(&self.bytes[0..8]))
|
2020-11-20 16:38:31 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-06-08 07:51:49 +00:00
|
|
|
/// Encryption Configuration with secret key
|
|
|
|
///
|
|
|
|
/// This structure stores the secret key and provides helpers for
|
|
|
|
/// authenticated encryption.
|
|
|
|
pub struct CryptConfig {
|
|
|
|
// the Cipher
|
|
|
|
cipher: Cipher,
|
|
|
|
// A secrect key use to provide the chunk digest name space.
|
2019-08-12 05:33:15 +00:00
|
|
|
id_key: [u8; 32],
|
|
|
|
// Openssl hmac PKey of id_key
|
|
|
|
id_pkey: openssl::pkey::PKey<openssl::pkey::Private>,
|
2019-06-08 07:51:49 +00:00
|
|
|
// The private key used by the cipher.
|
|
|
|
enc_key: [u8; 32],
|
|
|
|
}
|
|
|
|
|
|
|
|
impl CryptConfig {
|
|
|
|
|
|
|
|
/// Create a new instance.
|
|
|
|
///
|
|
|
|
/// We compute a derived 32 byte key using pbkdf2_hmac. This second
|
|
|
|
/// key is used in compute_digest.
|
|
|
|
pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> {
|
|
|
|
|
2019-08-12 05:33:15 +00:00
|
|
|
let mut id_key = [0u8; 32];
|
2019-06-08 07:51:49 +00:00
|
|
|
|
|
|
|
pbkdf2_hmac(
|
|
|
|
&enc_key,
|
|
|
|
b"_id_key",
|
|
|
|
10,
|
|
|
|
MessageDigest::sha256(),
|
|
|
|
&mut id_key)?;
|
|
|
|
|
2019-08-12 05:33:15 +00:00
|
|
|
let id_pkey = openssl::pkey::PKey::hmac(&id_key).unwrap();
|
|
|
|
|
|
|
|
Ok(Self { id_key, id_pkey, enc_key, cipher: Cipher::aes_256_gcm() })
|
2019-06-08 07:51:49 +00:00
|
|
|
}
|
|
|
|
|
2019-08-13 11:07:13 +00:00
|
|
|
/// Expose Cipher
|
|
|
|
pub fn cipher(&self) -> &Cipher {
|
|
|
|
&self.cipher
|
|
|
|
}
|
|
|
|
|
2019-06-08 07:51:49 +00:00
|
|
|
/// Compute a chunk digest using a secret name space.
|
|
|
|
///
|
|
|
|
/// Computes an SHA256 checksum over some secret data (derived
|
|
|
|
/// from the secret key) and the provided data. This ensures that
|
|
|
|
/// chunk digest values do not clash with values computed for
|
|
|
|
/// other sectret keys.
|
|
|
|
pub fn compute_digest(&self, data: &[u8]) -> [u8; 32] {
|
|
|
|
let mut hasher = openssl::sha::Sha256::new();
|
|
|
|
hasher.update(data);
|
2020-07-08 10:49:21 +00:00
|
|
|
hasher.update(&self.id_key); // at the end, to avoid length extensions attacks
|
2019-10-25 16:44:51 +00:00
|
|
|
hasher.finish()
|
2019-06-08 07:51:49 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 05:33:15 +00:00
|
|
|
pub fn data_signer(&self) -> openssl::sign::Signer {
|
|
|
|
openssl::sign::Signer::new(MessageDigest::sha256(), &self.id_pkey).unwrap()
|
|
|
|
}
|
|
|
|
|
2019-08-02 06:55:37 +00:00
|
|
|
/// Compute authentication tag (hmac/sha256)
|
|
|
|
///
|
|
|
|
/// Computes an SHA256 HMAC using some secret data (derived
|
|
|
|
/// from the secret key) and the provided data.
|
|
|
|
pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] {
|
2019-08-12 05:33:15 +00:00
|
|
|
let mut signer = self.data_signer();
|
2019-08-02 06:55:37 +00:00
|
|
|
signer.update(data).unwrap();
|
|
|
|
let mut tag = [0u8; 32];
|
|
|
|
signer.sign(&mut tag).unwrap();
|
|
|
|
tag
|
|
|
|
}
|
|
|
|
|
2020-11-20 16:38:31 +00:00
|
|
|
pub fn fingerprint(&self) -> Fingerprint {
|
2020-11-25 06:56:37 +00:00
|
|
|
Fingerprint::new(self.compute_digest(&FINGERPRINT_INPUT))
|
2020-11-20 16:38:31 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 09:57:29 +00:00
|
|
|
pub fn data_crypter(&self, iv: &[u8; 16], mode: Mode) -> Result<Crypter, Error> {
|
|
|
|
let mut crypter = openssl::symm::Crypter::new(self.cipher, mode, &self.enc_key, Some(iv))?;
|
2019-08-12 08:06:51 +00:00
|
|
|
crypter.aad_update(b"")?; //??
|
|
|
|
Ok(crypter)
|
|
|
|
}
|
|
|
|
|
2019-06-22 10:25:04 +00:00
|
|
|
/// Encrypt data using a random 16 byte IV.
|
|
|
|
///
|
|
|
|
/// Writes encrypted data to ``output``, Return the used IV and computed MAC.
|
|
|
|
pub fn encrypt_to<W: Write>(
|
|
|
|
&self,
|
|
|
|
data: &[u8],
|
|
|
|
mut output: W,
|
|
|
|
) -> Result<([u8;16], [u8;16]), Error> {
|
|
|
|
|
|
|
|
let mut iv = [0u8; 16];
|
|
|
|
proxmox::sys::linux::fill_with_random_data(&mut iv)?;
|
|
|
|
|
|
|
|
let mut tag = [0u8; 16];
|
|
|
|
|
2019-08-12 09:57:29 +00:00
|
|
|
let mut c = self.data_crypter(&iv, Mode::Encrypt)?;
|
2019-06-22 10:25:04 +00:00
|
|
|
|
|
|
|
const BUFFER_SIZE: usize = 32*1024;
|
|
|
|
|
|
|
|
let mut encr_buf = [0u8; BUFFER_SIZE];
|
|
|
|
let max_encoder_input = BUFFER_SIZE - self.cipher.block_size();
|
|
|
|
|
|
|
|
let mut start = 0;
|
|
|
|
loop {
|
|
|
|
let mut end = start + max_encoder_input;
|
|
|
|
if end > data.len() { end = data.len(); }
|
|
|
|
if end > start {
|
|
|
|
let count = c.update(&data[start..end], &mut encr_buf)?;
|
|
|
|
output.write_all(&encr_buf[..count])?;
|
|
|
|
start = end;
|
|
|
|
} else {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
let rest = c.finalize(&mut encr_buf)?;
|
|
|
|
if rest > 0 { output.write_all(&encr_buf[..rest])?; }
|
|
|
|
|
|
|
|
output.flush()?;
|
|
|
|
|
|
|
|
c.get_tag(&mut tag)?;
|
|
|
|
|
|
|
|
Ok((iv, tag))
|
|
|
|
}
|
|
|
|
|
2019-08-02 06:29:40 +00:00
|
|
|
/// Decompress and decrypt data, verify MAC.
|
2019-06-22 11:24:29 +00:00
|
|
|
pub fn decode_compressed_chunk(
|
|
|
|
&self,
|
|
|
|
data: &[u8],
|
|
|
|
iv: &[u8; 16],
|
|
|
|
tag: &[u8; 16],
|
|
|
|
) -> Result<Vec<u8>, Error> {
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-21 08:41:39 +00:00
|
|
|
let dec = Vec::with_capacity(1024*1024);
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-21 08:41:39 +00:00
|
|
|
let mut decompressor = zstd::stream::write::Decoder::new(dec)?;
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-08-12 09:57:29 +00:00
|
|
|
let mut c = self.data_crypter(iv, Mode::Decrypt)?;
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-21 08:41:39 +00:00
|
|
|
const BUFFER_SIZE: usize = 32*1024;
|
|
|
|
|
|
|
|
let mut decr_buf = [0u8; BUFFER_SIZE];
|
|
|
|
let max_decoder_input = BUFFER_SIZE - self.cipher.block_size();
|
|
|
|
|
2019-06-22 11:24:29 +00:00
|
|
|
let mut start = 0;
|
2019-06-21 08:41:39 +00:00
|
|
|
loop {
|
|
|
|
let mut end = start + max_decoder_input;
|
|
|
|
if end > data.len() { end = data.len(); }
|
|
|
|
if end > start {
|
|
|
|
let count = c.update(&data[start..end], &mut decr_buf)?;
|
|
|
|
decompressor.write_all(&decr_buf[0..count])?;
|
|
|
|
start = end;
|
|
|
|
} else {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-22 11:24:29 +00:00
|
|
|
c.set_tag(tag)?;
|
2019-06-21 08:41:39 +00:00
|
|
|
let rest = c.finalize(&mut decr_buf)?;
|
|
|
|
if rest > 0 { decompressor.write_all(&decr_buf[..rest])?; }
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-21 08:41:39 +00:00
|
|
|
decompressor.flush()?;
|
2019-06-09 09:44:17 +00:00
|
|
|
|
2019-06-21 08:41:39 +00:00
|
|
|
Ok(decompressor.into_inner())
|
|
|
|
}
|
|
|
|
|
2019-06-22 11:24:29 +00:00
|
|
|
/// Decrypt data, verify tag.
|
|
|
|
pub fn decode_uncompressed_chunk(
|
|
|
|
&self,
|
|
|
|
data: &[u8],
|
|
|
|
iv: &[u8; 16],
|
|
|
|
tag: &[u8; 16],
|
|
|
|
) -> Result<Vec<u8>, Error> {
|
2019-06-21 08:41:39 +00:00
|
|
|
|
|
|
|
let decr_data = decrypt_aead(
|
|
|
|
self.cipher,
|
|
|
|
&self.enc_key,
|
|
|
|
Some(iv),
|
|
|
|
b"", //??
|
2019-06-22 11:24:29 +00:00
|
|
|
data,
|
|
|
|
tag,
|
2019-06-21 08:41:39 +00:00
|
|
|
)?;
|
|
|
|
|
|
|
|
Ok(decr_data)
|
2019-06-08 07:51:49 +00:00
|
|
|
}
|
|
|
|
}
|