2019-06-21 09:32:07 +00:00
|
|
|
use failure::*;
|
|
|
|
use std::convert::TryInto;
|
|
|
|
|
2019-07-01 08:36:59 +00:00
|
|
|
use proxmox::tools::io::{ReadExt, WriteExt};
|
2019-06-22 11:24:29 +00:00
|
|
|
|
2019-08-09 09:49:06 +00:00
|
|
|
const MAX_BLOB_SIZE: usize = 128*1024*1024;
|
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
use super::*;
|
|
|
|
|
|
|
|
/// Data blob binary storage format
|
|
|
|
///
|
2019-08-09 08:22:56 +00:00
|
|
|
/// Data blobs store arbitrary binary data (< 128MB), and can be
|
2019-06-21 09:32:07 +00:00
|
|
|
/// compressed and encrypted. A simply binary format is used to store
|
|
|
|
/// them on disk or transfer them over the network. Please use index
|
|
|
|
/// files to store large data files (".fidx" of ".didx").
|
|
|
|
///
|
|
|
|
pub struct DataBlob {
|
|
|
|
raw_data: Vec<u8>, // tagged, compressed, encryped data
|
|
|
|
}
|
|
|
|
|
|
|
|
impl DataBlob {
|
|
|
|
|
2019-08-12 09:32:26 +00:00
|
|
|
pub fn header_size(magic: &[u8; 8]) -> usize {
|
|
|
|
match magic {
|
|
|
|
&UNCOMPRESSED_CHUNK_MAGIC_1_0 => std::mem::size_of::<DataChunkHeader>(),
|
|
|
|
&COMPRESSED_CHUNK_MAGIC_1_0 => std::mem::size_of::<DataChunkHeader>(),
|
|
|
|
&ENCRYPTED_CHUNK_MAGIC_1_0 => std::mem::size_of::<EncryptedDataChunkHeader>(),
|
|
|
|
&ENCR_COMPR_CHUNK_MAGIC_1_0 => std::mem::size_of::<EncryptedDataChunkHeader>(),
|
|
|
|
|
|
|
|
&UNCOMPRESSED_BLOB_MAGIC_1_0 => std::mem::size_of::<DataBlobHeader>(),
|
|
|
|
&COMPRESSED_BLOB_MAGIC_1_0 => std::mem::size_of::<DataBlobHeader>(),
|
|
|
|
&ENCRYPTED_BLOB_MAGIC_1_0 => std::mem::size_of::<EncryptedDataBlobHeader>(),
|
|
|
|
&ENCR_COMPR_BLOB_MAGIC_1_0 => std::mem::size_of::<EncryptedDataBlobHeader>(),
|
|
|
|
&AUTHENTICATED_BLOB_MAGIC_1_0 => std::mem::size_of::<AuthenticatedDataBlobHeader>(),
|
|
|
|
&AUTH_COMPR_BLOB_MAGIC_1_0 => std::mem::size_of::<AuthenticatedDataBlobHeader>(),
|
|
|
|
_ => panic!("unknown blob magic"),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
/// accessor to raw_data field
|
|
|
|
pub fn raw_data(&self) -> &[u8] {
|
|
|
|
&self.raw_data
|
|
|
|
}
|
|
|
|
|
2019-06-23 07:48:23 +00:00
|
|
|
/// Consume self and returns raw_data
|
|
|
|
pub fn into_inner(self) -> Vec<u8> {
|
|
|
|
self.raw_data
|
|
|
|
}
|
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
/// accessor to chunk type (magic number)
|
|
|
|
pub fn magic(&self) -> &[u8; 8] {
|
|
|
|
self.raw_data[0..8].try_into().unwrap()
|
|
|
|
}
|
|
|
|
|
2019-06-21 15:24:21 +00:00
|
|
|
/// accessor to crc32 checksum
|
|
|
|
pub fn crc(&self) -> u32 {
|
2019-06-22 07:12:25 +00:00
|
|
|
let crc_o = proxmox::tools::offsetof!(DataBlobHeader, crc);
|
|
|
|
u32::from_le_bytes(self.raw_data[crc_o..crc_o+4].try_into().unwrap())
|
2019-06-21 15:24:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// set the CRC checksum field
|
|
|
|
pub fn set_crc(&mut self, crc: u32) {
|
2019-06-22 07:12:25 +00:00
|
|
|
let crc_o = proxmox::tools::offsetof!(DataBlobHeader, crc);
|
|
|
|
self.raw_data[crc_o..crc_o+4].copy_from_slice(&crc.to_le_bytes());
|
2019-06-21 15:24:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/// compute the CRC32 checksum
|
2019-06-23 07:48:23 +00:00
|
|
|
pub fn compute_crc(&self) -> u32 {
|
2019-06-21 15:24:21 +00:00
|
|
|
let mut hasher = crc32fast::Hasher::new();
|
2019-08-12 09:32:26 +00:00
|
|
|
let start = Self::header_size(self.magic()); // start after HEAD
|
2019-06-22 07:12:25 +00:00
|
|
|
hasher.update(&self.raw_data[start..]);
|
2019-06-21 15:24:21 +00:00
|
|
|
hasher.finalize()
|
|
|
|
}
|
|
|
|
|
2019-06-26 07:54:25 +00:00
|
|
|
/// verify the CRC32 checksum
|
|
|
|
pub fn verify_crc(&self) -> Result<(), Error> {
|
|
|
|
let expected_crc = self.compute_crc();
|
|
|
|
if expected_crc != self.crc() {
|
|
|
|
bail!("Data blob has wrong CRC checksum.");
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2019-08-02 07:56:01 +00:00
|
|
|
/// Create a DataBlob, optionally compressed and/or encrypted
|
2019-06-21 09:32:07 +00:00
|
|
|
pub fn encode(
|
|
|
|
data: &[u8],
|
|
|
|
config: Option<&CryptConfig>,
|
|
|
|
compress: bool,
|
|
|
|
) -> Result<Self, Error> {
|
|
|
|
|
2019-08-09 09:49:06 +00:00
|
|
|
if data.len() > MAX_BLOB_SIZE {
|
2019-06-21 09:32:07 +00:00
|
|
|
bail!("data blob too large ({} bytes).", data.len());
|
|
|
|
}
|
|
|
|
|
2019-08-06 09:42:14 +00:00
|
|
|
let mut blob = if let Some(config) = config {
|
2019-06-21 09:32:07 +00:00
|
|
|
|
2019-06-22 11:02:53 +00:00
|
|
|
let compr_data;
|
|
|
|
let (_compress, data, magic) = if compress {
|
|
|
|
compr_data = zstd::block::compress(data, 1)?;
|
|
|
|
// Note: We only use compression if result is shorter
|
|
|
|
if compr_data.len() < data.len() {
|
|
|
|
(true, &compr_data[..], ENCR_COMPR_BLOB_MAGIC_1_0)
|
|
|
|
} else {
|
|
|
|
(false, data, ENCRYPTED_BLOB_MAGIC_1_0)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
(false, data, ENCRYPTED_BLOB_MAGIC_1_0)
|
|
|
|
};
|
|
|
|
|
|
|
|
let header_len = std::mem::size_of::<EncryptedDataBlobHeader>();
|
|
|
|
let mut raw_data = Vec::with_capacity(data.len() + header_len);
|
|
|
|
|
|
|
|
let dummy_head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: [0u8; 8], crc: [0; 4] },
|
|
|
|
iv: [0u8; 16],
|
|
|
|
tag: [0u8; 16],
|
|
|
|
};
|
2019-07-01 08:36:59 +00:00
|
|
|
unsafe {
|
|
|
|
raw_data.write_le_value(dummy_head)?;
|
|
|
|
}
|
2019-06-22 11:02:53 +00:00
|
|
|
|
|
|
|
let (iv, tag) = config.encrypt_to(data, &mut raw_data)?;
|
|
|
|
|
|
|
|
let head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic, crc: [0; 4] }, iv, tag,
|
|
|
|
};
|
|
|
|
|
2019-07-01 08:36:59 +00:00
|
|
|
unsafe {
|
|
|
|
(&mut raw_data[0..header_len]).write_le_value(head)?;
|
|
|
|
}
|
2019-06-22 11:02:53 +00:00
|
|
|
|
2019-08-06 09:42:14 +00:00
|
|
|
DataBlob { raw_data }
|
2019-06-21 09:32:07 +00:00
|
|
|
} else {
|
|
|
|
|
2019-06-22 07:12:25 +00:00
|
|
|
let max_data_len = data.len() + std::mem::size_of::<DataBlobHeader>();
|
2019-06-21 09:32:07 +00:00
|
|
|
if compress {
|
2019-06-22 07:12:25 +00:00
|
|
|
let mut comp_data = Vec::with_capacity(max_data_len);
|
2019-06-21 09:32:07 +00:00
|
|
|
|
2019-06-22 07:12:25 +00:00
|
|
|
let head = DataBlobHeader {
|
|
|
|
magic: COMPRESSED_BLOB_MAGIC_1_0,
|
|
|
|
crc: [0; 4],
|
|
|
|
};
|
2019-07-01 08:36:59 +00:00
|
|
|
unsafe {
|
|
|
|
comp_data.write_le_value(head)?;
|
|
|
|
}
|
2019-06-21 15:24:21 +00:00
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
zstd::stream::copy_encode(data, &mut comp_data, 1)?;
|
|
|
|
|
2019-06-22 07:12:25 +00:00
|
|
|
if comp_data.len() < max_data_len {
|
2019-08-07 06:29:38 +00:00
|
|
|
let mut blob = DataBlob { raw_data: comp_data };
|
|
|
|
blob.set_crc(blob.compute_crc());
|
|
|
|
return Ok(blob);
|
2019-06-21 09:32:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-06-22 07:12:25 +00:00
|
|
|
let mut raw_data = Vec::with_capacity(max_data_len);
|
2019-06-21 09:32:07 +00:00
|
|
|
|
2019-06-22 07:12:25 +00:00
|
|
|
let head = DataBlobHeader {
|
|
|
|
magic: UNCOMPRESSED_BLOB_MAGIC_1_0,
|
|
|
|
crc: [0; 4],
|
|
|
|
};
|
2019-07-01 08:36:59 +00:00
|
|
|
unsafe {
|
|
|
|
raw_data.write_le_value(head)?;
|
|
|
|
}
|
2019-06-21 09:32:07 +00:00
|
|
|
raw_data.extend_from_slice(data);
|
|
|
|
|
2019-08-06 09:42:14 +00:00
|
|
|
DataBlob { raw_data }
|
|
|
|
};
|
|
|
|
|
|
|
|
blob.set_crc(blob.compute_crc());
|
|
|
|
|
|
|
|
Ok(blob)
|
2019-06-21 09:32:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/// Decode blob data
|
|
|
|
pub fn decode(self, config: Option<&CryptConfig>) -> Result<Vec<u8>, Error> {
|
|
|
|
|
|
|
|
let magic = self.magic();
|
|
|
|
|
|
|
|
if magic == &UNCOMPRESSED_BLOB_MAGIC_1_0 {
|
2019-06-22 07:12:25 +00:00
|
|
|
let data_start = std::mem::size_of::<DataBlobHeader>();
|
|
|
|
return Ok(self.raw_data[data_start..].to_vec());
|
2019-06-21 09:32:07 +00:00
|
|
|
} else if magic == &COMPRESSED_BLOB_MAGIC_1_0 {
|
2019-06-22 07:12:25 +00:00
|
|
|
let data_start = std::mem::size_of::<DataBlobHeader>();
|
2019-08-09 09:49:06 +00:00
|
|
|
let data = zstd::block::decompress(&self.raw_data[data_start..], MAX_BLOB_SIZE)?;
|
2019-06-21 09:32:07 +00:00
|
|
|
return Ok(data);
|
|
|
|
} else if magic == &ENCR_COMPR_BLOB_MAGIC_1_0 || magic == &ENCRYPTED_BLOB_MAGIC_1_0 {
|
2019-06-22 11:24:29 +00:00
|
|
|
let header_len = std::mem::size_of::<EncryptedDataBlobHeader>();
|
2019-06-22 14:29:10 +00:00
|
|
|
let head = unsafe {
|
|
|
|
(&self.raw_data[..header_len]).read_le_value::<EncryptedDataBlobHeader>()?
|
|
|
|
};
|
2019-06-22 11:24:29 +00:00
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
if let Some(config) = config {
|
|
|
|
let data = if magic == &ENCR_COMPR_BLOB_MAGIC_1_0 {
|
2019-06-22 11:24:29 +00:00
|
|
|
config.decode_compressed_chunk(&self.raw_data[header_len..], &head.iv, &head.tag)?
|
2019-06-21 09:32:07 +00:00
|
|
|
} else {
|
2019-06-22 11:24:29 +00:00
|
|
|
config.decode_uncompressed_chunk(&self.raw_data[header_len..], &head.iv, &head.tag)?
|
2019-06-21 09:32:07 +00:00
|
|
|
};
|
|
|
|
return Ok(data);
|
|
|
|
} else {
|
|
|
|
bail!("unable to decrypt blob - missing CryptConfig");
|
|
|
|
}
|
2019-08-02 07:56:01 +00:00
|
|
|
} else if magic == &AUTH_COMPR_BLOB_MAGIC_1_0 || magic == &AUTHENTICATED_BLOB_MAGIC_1_0 {
|
|
|
|
let header_len = std::mem::size_of::<AuthenticatedDataBlobHeader>();
|
|
|
|
let head = unsafe {
|
|
|
|
(&self.raw_data[..header_len]).read_le_value::<AuthenticatedDataBlobHeader>()?
|
|
|
|
};
|
|
|
|
|
|
|
|
let data_start = std::mem::size_of::<AuthenticatedDataBlobHeader>();
|
|
|
|
|
|
|
|
// Note: only verify if we have a crypt config
|
|
|
|
if let Some(config) = config {
|
|
|
|
let signature = config.compute_auth_tag(&self.raw_data[data_start..]);
|
|
|
|
if signature != head.tag {
|
|
|
|
bail!("verifying blob signature failed");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if magic == &AUTH_COMPR_BLOB_MAGIC_1_0 {
|
|
|
|
let data = zstd::block::decompress(&self.raw_data[data_start..], 16*1024*1024)?;
|
|
|
|
return Ok(data);
|
|
|
|
} else {
|
|
|
|
return Ok(self.raw_data[data_start..].to_vec());
|
|
|
|
}
|
2019-06-21 09:32:07 +00:00
|
|
|
} else {
|
|
|
|
bail!("Invalid blob magic number.");
|
|
|
|
}
|
|
|
|
}
|
2019-06-23 07:35:44 +00:00
|
|
|
|
2019-08-02 07:56:01 +00:00
|
|
|
/// Create a signed DataBlob, optionally compressed
|
|
|
|
pub fn create_signed(
|
|
|
|
data: &[u8],
|
|
|
|
config: &CryptConfig,
|
|
|
|
compress: bool,
|
|
|
|
) -> Result<Self, Error> {
|
|
|
|
|
2019-08-09 09:49:06 +00:00
|
|
|
if data.len() > MAX_BLOB_SIZE {
|
2019-08-02 07:56:01 +00:00
|
|
|
bail!("data blob too large ({} bytes).", data.len());
|
|
|
|
}
|
|
|
|
|
|
|
|
let compr_data;
|
|
|
|
let (_compress, data, magic) = if compress {
|
|
|
|
compr_data = zstd::block::compress(data, 1)?;
|
|
|
|
// Note: We only use compression if result is shorter
|
|
|
|
if compr_data.len() < data.len() {
|
|
|
|
(true, &compr_data[..], AUTH_COMPR_BLOB_MAGIC_1_0)
|
|
|
|
} else {
|
|
|
|
(false, data, AUTHENTICATED_BLOB_MAGIC_1_0)
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
(false, data, AUTHENTICATED_BLOB_MAGIC_1_0)
|
|
|
|
};
|
|
|
|
|
|
|
|
let header_len = std::mem::size_of::<AuthenticatedDataBlobHeader>();
|
|
|
|
let mut raw_data = Vec::with_capacity(data.len() + header_len);
|
|
|
|
|
|
|
|
let head = AuthenticatedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic, crc: [0; 4] },
|
|
|
|
tag: config.compute_auth_tag(data),
|
|
|
|
};
|
|
|
|
unsafe {
|
|
|
|
raw_data.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
raw_data.extend_from_slice(data);
|
|
|
|
|
2019-08-06 09:42:14 +00:00
|
|
|
let mut blob = DataBlob { raw_data };
|
|
|
|
blob.set_crc(blob.compute_crc());
|
|
|
|
|
|
|
|
return Ok(blob);
|
2019-08-02 07:56:01 +00:00
|
|
|
}
|
|
|
|
|
2019-06-23 07:35:44 +00:00
|
|
|
/// Create Instance from raw data
|
|
|
|
pub fn from_raw(data: Vec<u8>) -> Result<Self, Error> {
|
|
|
|
|
|
|
|
if data.len() < std::mem::size_of::<DataBlobHeader>() {
|
|
|
|
bail!("blob too small ({} bytes).", data.len());
|
|
|
|
}
|
|
|
|
|
|
|
|
let magic = &data[0..8];
|
|
|
|
|
|
|
|
if magic == ENCR_COMPR_BLOB_MAGIC_1_0 || magic == ENCRYPTED_BLOB_MAGIC_1_0 {
|
|
|
|
|
|
|
|
if data.len() < std::mem::size_of::<EncryptedDataBlobHeader>() {
|
|
|
|
bail!("encrypted blob too small ({} bytes).", data.len());
|
|
|
|
}
|
|
|
|
|
|
|
|
let blob = DataBlob { raw_data: data };
|
|
|
|
|
|
|
|
Ok(blob)
|
|
|
|
} else if magic == COMPRESSED_BLOB_MAGIC_1_0 || magic == UNCOMPRESSED_BLOB_MAGIC_1_0 {
|
|
|
|
|
|
|
|
let blob = DataBlob { raw_data: data };
|
|
|
|
|
2019-08-02 07:56:01 +00:00
|
|
|
Ok(blob)
|
|
|
|
} else if magic == AUTH_COMPR_BLOB_MAGIC_1_0 || magic == AUTHENTICATED_BLOB_MAGIC_1_0 {
|
|
|
|
if data.len() < std::mem::size_of::<AuthenticatedDataBlobHeader>() {
|
|
|
|
bail!("authenticated blob too small ({} bytes).", data.len());
|
|
|
|
}
|
|
|
|
|
|
|
|
let blob = DataBlob { raw_data: data };
|
|
|
|
|
2019-06-23 07:35:44 +00:00
|
|
|
Ok(blob)
|
|
|
|
} else {
|
|
|
|
bail!("unable to parse raw blob - wrong magic");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-06-21 09:32:07 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-12 15:20:41 +00:00
|
|
|
use std::io::{Read, BufRead, BufReader, Write, Seek, SeekFrom};
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-13 11:07:13 +00:00
|
|
|
struct CryptReader<R> {
|
|
|
|
reader: R,
|
|
|
|
block_size: usize,
|
|
|
|
crypter: openssl::symm::Crypter,
|
|
|
|
finalized: bool,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <R: BufRead> CryptReader<R> {
|
|
|
|
|
|
|
|
fn new(reader: R, iv: [u8; 16], tag: [u8; 16], config: &CryptConfig) -> Result<Self, Error> {
|
|
|
|
let block_size = config.cipher().block_size();
|
|
|
|
if block_size.count_ones() != 1 || block_size > 1024 {
|
|
|
|
bail!("unexpected Cipher block size {}", block_size);
|
|
|
|
}
|
|
|
|
let mut crypter = config.data_crypter(&iv, openssl::symm::Mode::Decrypt)?;
|
|
|
|
crypter.set_tag(&tag)?;
|
|
|
|
Ok(Self { reader, crypter, block_size, finalized: false })
|
|
|
|
}
|
|
|
|
|
|
|
|
fn finish(self) -> Result<R, Error> {
|
|
|
|
if !self.finalized {
|
|
|
|
bail!("CryptReader not successfully finalized.");
|
|
|
|
}
|
|
|
|
Ok(self.reader)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <R: BufRead> Read for CryptReader<R> {
|
|
|
|
|
|
|
|
fn read(&mut self, buf: &mut [u8]) -> Result<usize, std::io::Error> {
|
|
|
|
if buf.len() <= 2*self.block_size {
|
|
|
|
panic!("CryptReader read buffer too small!");
|
|
|
|
}
|
|
|
|
|
|
|
|
let data = self.reader.fill_buf()?;
|
|
|
|
|
|
|
|
if data.len() == 0 { // EOF
|
|
|
|
let rest = self.crypter.finalize(buf)?;
|
|
|
|
self.finalized = true;
|
|
|
|
Ok(rest)
|
|
|
|
} else {
|
|
|
|
let mut read_size = buf.len() - self.block_size;
|
|
|
|
if read_size > data.len() {
|
|
|
|
read_size = data.len();
|
|
|
|
}
|
|
|
|
let count = self.crypter.update(&data[..read_size], buf)?;
|
|
|
|
self.reader.consume(read_size);
|
|
|
|
Ok(count)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 08:08:00 +00:00
|
|
|
struct CryptWriter<W> {
|
|
|
|
writer: W,
|
|
|
|
encr_buf: [u8; 64*1024],
|
|
|
|
iv: [u8; 16],
|
|
|
|
crypter: openssl::symm::Crypter,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <W: Write> CryptWriter<W> {
|
|
|
|
|
|
|
|
fn new(writer: W, config: &CryptConfig) -> Result<Self, Error> {
|
|
|
|
let mut iv = [0u8; 16];
|
|
|
|
proxmox::sys::linux::fill_with_random_data(&mut iv)?;
|
|
|
|
|
2019-08-12 09:57:29 +00:00
|
|
|
let crypter = config.data_crypter(&iv, openssl::symm::Mode::Encrypt)?;
|
2019-08-12 08:08:00 +00:00
|
|
|
|
|
|
|
Ok(Self { writer, iv, crypter, encr_buf: [0u8; 64*1024] })
|
|
|
|
}
|
|
|
|
|
|
|
|
fn finish(mut self) -> Result<(W, [u8; 16], [u8; 16]), Error> {
|
|
|
|
let rest = self.crypter.finalize(&mut self.encr_buf)?;
|
|
|
|
if rest > 0 {
|
|
|
|
self.writer.write_all(&self.encr_buf[..rest])?;
|
|
|
|
}
|
|
|
|
|
|
|
|
self.writer.flush()?;
|
|
|
|
|
|
|
|
let mut tag = [0u8; 16];
|
|
|
|
self.crypter.get_tag(&mut tag)?;
|
|
|
|
|
|
|
|
Ok((self.writer, self.iv, tag))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <W: Write> Write for CryptWriter<W> {
|
|
|
|
|
|
|
|
fn write(&mut self, buf: &[u8]) -> Result<usize, std::io::Error> {
|
|
|
|
let count = self.crypter.update(buf, &mut self.encr_buf)
|
|
|
|
.map_err(|err| {
|
|
|
|
std::io::Error::new(
|
|
|
|
std::io::ErrorKind::Other,
|
|
|
|
format!("crypter update failed - {}", err))
|
|
|
|
})?;
|
|
|
|
|
|
|
|
self.writer.write_all(&self.encr_buf[..count])?;
|
|
|
|
|
|
|
|
Ok(count)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn flush(&mut self) -> Result<(), std::io::Error> {
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 06:53:53 +00:00
|
|
|
struct ChecksumWriter<'a, W> {
|
|
|
|
writer: W,
|
|
|
|
hasher: crc32fast::Hasher,
|
|
|
|
signer: Option<openssl::sign::Signer<'a>>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <'a, W: Write> ChecksumWriter<'a, W> {
|
|
|
|
|
|
|
|
fn new(writer: W, signer: Option<openssl::sign::Signer<'a>>) -> Self {
|
|
|
|
let hasher = crc32fast::Hasher::new();
|
|
|
|
Self { writer, hasher, signer }
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn finish(mut self) -> Result<(W, u32, Option<[u8; 32]>), Error> {
|
|
|
|
let crc = self.hasher.finalize();
|
|
|
|
|
|
|
|
if let Some(ref mut signer) = self.signer {
|
|
|
|
let mut tag = [0u8; 32];
|
|
|
|
signer.sign(&mut tag)?;
|
|
|
|
Ok((self.writer, crc, Some(tag)))
|
|
|
|
} else {
|
|
|
|
Ok((self.writer, crc, None))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <'a, W: Write> Write for ChecksumWriter<'a, W> {
|
|
|
|
|
|
|
|
fn write(&mut self, buf: &[u8]) -> Result<usize, std::io::Error> {
|
|
|
|
self.hasher.update(buf);
|
|
|
|
if let Some(ref mut signer) = self.signer {
|
2019-08-12 08:08:00 +00:00
|
|
|
signer.update(buf)
|
|
|
|
.map_err(|err| {
|
2019-08-12 06:53:53 +00:00
|
|
|
std::io::Error::new(
|
|
|
|
std::io::ErrorKind::Other,
|
|
|
|
format!("hmac update failed - {}", err))
|
|
|
|
})?;
|
|
|
|
}
|
|
|
|
self.writer.write(buf)
|
|
|
|
}
|
|
|
|
|
|
|
|
fn flush(&mut self) -> Result<(), std::io::Error> {
|
|
|
|
self.writer.flush()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 05:34:41 +00:00
|
|
|
enum BlobWriterState<'a, W: Write> {
|
2019-08-12 06:53:53 +00:00
|
|
|
Uncompressed { csum_writer: ChecksumWriter<'a, W> },
|
|
|
|
Compressed { compr: zstd::stream::write::Encoder<ChecksumWriter<'a, W>> },
|
|
|
|
Signed { csum_writer: ChecksumWriter<'a, W> },
|
2019-08-12 07:01:08 +00:00
|
|
|
SignedCompressed { compr: zstd::stream::write::Encoder<ChecksumWriter<'a, W>> },
|
2019-08-12 08:08:00 +00:00
|
|
|
Encrypted { crypt_writer: CryptWriter<ChecksumWriter<'a, W>> },
|
2019-08-12 08:16:42 +00:00
|
|
|
EncryptedCompressed { compr: zstd::stream::write::Encoder<CryptWriter<ChecksumWriter<'a, W>>> },
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
|
|
|
|
2019-08-11 09:32:36 +00:00
|
|
|
/// Write compressed data blobs
|
2019-08-12 05:34:41 +00:00
|
|
|
pub struct DataBlobWriter<'a, W: Write> {
|
|
|
|
state: BlobWriterState<'a, W>,
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 05:34:41 +00:00
|
|
|
impl <'a, W: Write + Seek> DataBlobWriter<'a, W> {
|
2019-08-11 10:07:37 +00:00
|
|
|
|
|
|
|
pub fn new_uncompressed(mut writer: W) -> Result<Self, Error> {
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
let head = DataBlobHeader { magic: UNCOMPRESSED_BLOB_MAGIC_1_0, crc: [0; 4] };
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
let csum_writer = ChecksumWriter::new(writer, None);
|
|
|
|
Ok(Self { state: BlobWriterState::Uncompressed { csum_writer }})
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
pub fn new_compressed(mut writer: W) -> Result<Self, Error> {
|
2019-08-12 06:53:53 +00:00
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
2019-08-11 09:32:36 +00:00
|
|
|
let head = DataBlobHeader { magic: COMPRESSED_BLOB_MAGIC_1_0, crc: [0; 4] };
|
|
|
|
unsafe {
|
2019-08-11 10:07:37 +00:00
|
|
|
writer.write_le_value(head)?;
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
let csum_writer = ChecksumWriter::new(writer, None);
|
|
|
|
let compr = zstd::stream::write::Encoder::new(csum_writer, 1)?;
|
|
|
|
Ok(Self { state: BlobWriterState::Compressed { compr }})
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 05:34:41 +00:00
|
|
|
pub fn new_signed(mut writer: W, config: &'a CryptConfig) -> Result<Self, Error> {
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
let head = AuthenticatedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: AUTHENTICATED_BLOB_MAGIC_1_0, crc: [0; 4] },
|
|
|
|
tag: [0u8; 32],
|
|
|
|
};
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
let signer = config.data_signer();
|
2019-08-12 06:53:53 +00:00
|
|
|
let csum_writer = ChecksumWriter::new(writer, Some(signer));
|
|
|
|
Ok(Self { state: BlobWriterState::Signed { csum_writer }})
|
2019-08-12 05:34:41 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 07:01:08 +00:00
|
|
|
pub fn new_signed_compressed(mut writer: W, config: &'a CryptConfig) -> Result<Self, Error> {
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
let head = AuthenticatedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: AUTH_COMPR_BLOB_MAGIC_1_0, crc: [0; 4] },
|
|
|
|
tag: [0u8; 32],
|
|
|
|
};
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
let signer = config.data_signer();
|
|
|
|
let csum_writer = ChecksumWriter::new(writer, Some(signer));
|
|
|
|
let compr = zstd::stream::write::Encoder::new(csum_writer, 1)?;
|
|
|
|
Ok(Self { state: BlobWriterState::SignedCompressed { compr }})
|
|
|
|
}
|
|
|
|
|
2019-08-12 08:08:00 +00:00
|
|
|
pub fn new_encrypted(mut writer: W, config: &'a CryptConfig) -> Result<Self, Error> {
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
let head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: ENCRYPTED_BLOB_MAGIC_1_0, crc: [0; 4] },
|
|
|
|
iv: [0u8; 16],
|
|
|
|
tag: [0u8; 16],
|
|
|
|
};
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let csum_writer = ChecksumWriter::new(writer, None);
|
|
|
|
let crypt_writer = CryptWriter::new(csum_writer, config)?;
|
|
|
|
Ok(Self { state: BlobWriterState::Encrypted { crypt_writer }})
|
|
|
|
}
|
|
|
|
|
2019-08-12 08:16:42 +00:00
|
|
|
pub fn new_encrypted_compressed(mut writer: W, config: &'a CryptConfig) -> Result<Self, Error> {
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
let head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: ENCR_COMPR_BLOB_MAGIC_1_0, crc: [0; 4] },
|
|
|
|
iv: [0u8; 16],
|
|
|
|
tag: [0u8; 16],
|
|
|
|
};
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let csum_writer = ChecksumWriter::new(writer, None);
|
|
|
|
let crypt_writer = CryptWriter::new(csum_writer, config)?;
|
|
|
|
let compr = zstd::stream::write::Encoder::new(crypt_writer, 1)?;
|
|
|
|
Ok(Self { state: BlobWriterState::EncryptedCompressed { compr }})
|
|
|
|
}
|
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
pub fn finish(self) -> Result<W, Error> {
|
|
|
|
match self.state {
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Uncompressed { csum_writer } => {
|
2019-08-11 10:07:37 +00:00
|
|
|
// write CRC
|
2019-08-12 06:53:53 +00:00
|
|
|
let (mut writer, crc, _) = csum_writer.finish()?;
|
2019-08-12 08:46:05 +00:00
|
|
|
let head = DataBlobHeader { magic: UNCOMPRESSED_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() };
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
return Ok(writer)
|
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Compressed { compr } => {
|
|
|
|
let csum_writer = compr.finish()?;
|
|
|
|
let (mut writer, crc, _) = csum_writer.finish()?;
|
2019-08-11 10:07:37 +00:00
|
|
|
|
|
|
|
let head = DataBlobHeader { magic: COMPRESSED_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() };
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
|
2019-08-12 05:34:41 +00:00
|
|
|
return Ok(writer)
|
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Signed { csum_writer } => {
|
|
|
|
let (mut writer, crc, tag) = csum_writer.finish()?;
|
2019-08-12 05:34:41 +00:00
|
|
|
|
2019-08-12 06:53:53 +00:00
|
|
|
let head = AuthenticatedDataBlobHeader {
|
2019-08-12 05:34:41 +00:00
|
|
|
head: DataBlobHeader { magic: AUTHENTICATED_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() },
|
2019-08-12 06:53:53 +00:00
|
|
|
tag: tag.unwrap(),
|
2019-08-12 05:34:41 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
|
2019-08-12 07:01:08 +00:00
|
|
|
return Ok(writer)
|
|
|
|
}
|
|
|
|
BlobWriterState::SignedCompressed { compr } => {
|
|
|
|
let csum_writer = compr.finish()?;
|
|
|
|
let (mut writer, crc, tag) = csum_writer.finish()?;
|
|
|
|
|
|
|
|
let head = AuthenticatedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: AUTH_COMPR_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() },
|
|
|
|
tag: tag.unwrap(),
|
|
|
|
};
|
|
|
|
|
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
|
2019-08-11 10:07:37 +00:00
|
|
|
return Ok(writer)
|
|
|
|
}
|
2019-08-12 08:08:00 +00:00
|
|
|
BlobWriterState::Encrypted { crypt_writer } => {
|
|
|
|
let (csum_writer, iv, tag) = crypt_writer.finish()?;
|
|
|
|
let (mut writer, crc, _) = csum_writer.finish()?;
|
|
|
|
|
|
|
|
let head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: ENCRYPTED_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() },
|
|
|
|
iv, tag,
|
|
|
|
};
|
2019-08-12 09:57:29 +00:00
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
2019-08-12 08:08:00 +00:00
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
return Ok(writer)
|
|
|
|
}
|
2019-08-12 08:16:42 +00:00
|
|
|
BlobWriterState::EncryptedCompressed { compr } => {
|
|
|
|
let crypt_writer = compr.finish()?;
|
|
|
|
let (csum_writer, iv, tag) = crypt_writer.finish()?;
|
|
|
|
let (mut writer, crc, _) = csum_writer.finish()?;
|
|
|
|
|
|
|
|
let head = EncryptedDataBlobHeader {
|
|
|
|
head: DataBlobHeader { magic: ENCR_COMPR_BLOB_MAGIC_1_0, crc: crc.to_le_bytes() },
|
|
|
|
iv, tag,
|
|
|
|
};
|
2019-08-12 09:57:29 +00:00
|
|
|
writer.seek(SeekFrom::Start(0))?;
|
2019-08-12 08:16:42 +00:00
|
|
|
unsafe {
|
|
|
|
writer.write_le_value(head)?;
|
|
|
|
}
|
|
|
|
return Ok(writer)
|
|
|
|
}
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 05:34:41 +00:00
|
|
|
impl <'a, W: Write + Seek> Write for DataBlobWriter<'a, W> {
|
2019-08-11 09:32:36 +00:00
|
|
|
|
|
|
|
fn write(&mut self, buf: &[u8]) -> Result<usize, std::io::Error> {
|
2019-08-11 10:07:37 +00:00
|
|
|
match self.state {
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Uncompressed { ref mut csum_writer } => {
|
|
|
|
csum_writer.write(buf)
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Compressed { ref mut compr } => {
|
2019-08-11 10:07:37 +00:00
|
|
|
compr.write(buf)
|
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Signed { ref mut csum_writer } => {
|
|
|
|
csum_writer.write(buf)
|
|
|
|
}
|
2019-08-12 07:01:08 +00:00
|
|
|
BlobWriterState::SignedCompressed { ref mut compr } => {
|
|
|
|
compr.write(buf)
|
|
|
|
}
|
2019-08-12 08:08:00 +00:00
|
|
|
BlobWriterState::Encrypted { ref mut crypt_writer } => {
|
|
|
|
crypt_writer.write(buf)
|
|
|
|
}
|
2019-08-12 08:16:42 +00:00
|
|
|
BlobWriterState::EncryptedCompressed { ref mut compr } => {
|
|
|
|
compr.write(buf)
|
|
|
|
}
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
fn flush(&mut self) -> Result<(), std::io::Error> {
|
2019-08-11 10:07:37 +00:00
|
|
|
match self.state {
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Uncompressed { ref mut csum_writer } => {
|
|
|
|
csum_writer.flush()
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Compressed { ref mut compr } => {
|
2019-08-11 10:07:37 +00:00
|
|
|
compr.flush()
|
|
|
|
}
|
2019-08-12 06:53:53 +00:00
|
|
|
BlobWriterState::Signed { ref mut csum_writer } => {
|
|
|
|
csum_writer.flush()
|
2019-08-12 05:34:41 +00:00
|
|
|
}
|
2019-08-12 07:01:08 +00:00
|
|
|
BlobWriterState::SignedCompressed { ref mut compr } => {
|
|
|
|
compr.flush()
|
|
|
|
}
|
2019-08-12 08:08:00 +00:00
|
|
|
BlobWriterState::Encrypted { ref mut crypt_writer } => {
|
|
|
|
crypt_writer.flush()
|
|
|
|
}
|
2019-08-12 08:16:42 +00:00
|
|
|
BlobWriterState::EncryptedCompressed { ref mut compr } => {
|
|
|
|
compr.flush()
|
|
|
|
}
|
2019-08-11 10:07:37 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 15:20:41 +00:00
|
|
|
struct ChecksumReader<'a, R> {
|
|
|
|
reader: R,
|
|
|
|
hasher: crc32fast::Hasher,
|
|
|
|
signer: Option<openssl::sign::Signer<'a>>,
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <'a, R: Read> ChecksumReader<'a, R> {
|
|
|
|
|
|
|
|
fn new(reader: R, signer: Option<openssl::sign::Signer<'a>>) -> Self {
|
|
|
|
let hasher = crc32fast::Hasher::new();
|
|
|
|
Self { reader, hasher, signer }
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn finish(mut self) -> Result<(R, u32, Option<[u8; 32]>), Error> {
|
|
|
|
let crc = self.hasher.finalize();
|
|
|
|
|
|
|
|
if let Some(ref mut signer) = self.signer {
|
|
|
|
let mut tag = [0u8; 32];
|
|
|
|
signer.sign(&mut tag)?;
|
|
|
|
Ok((self.reader, crc, Some(tag)))
|
|
|
|
} else {
|
|
|
|
Ok((self.reader, crc, None))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl <'a, R: Read> Read for ChecksumReader<'a, R> {
|
|
|
|
|
|
|
|
fn read(&mut self, buf: &mut [u8]) -> Result<usize, std::io::Error> {
|
|
|
|
let count = self.reader.read(buf)?;
|
|
|
|
if count > 0 {
|
|
|
|
self.hasher.update(&buf[..count]);
|
|
|
|
if let Some(ref mut signer) = self.signer {
|
|
|
|
signer.update(&buf[..count])
|
|
|
|
.map_err(|err| {
|
|
|
|
std::io::Error::new(
|
|
|
|
std::io::ErrorKind::Other,
|
|
|
|
format!("hmac update failed - {}", err))
|
|
|
|
})?;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Ok(count)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
enum BlobReaderState<'a, R: Read> {
|
|
|
|
Uncompressed { expected_crc: u32, csum_reader: ChecksumReader<'a, R> },
|
|
|
|
Compressed { expected_crc: u32, decompr: zstd::stream::read::Decoder<BufReader<ChecksumReader<'a, R>>> },
|
2019-08-12 15:41:25 +00:00
|
|
|
Signed { expected_crc: u32, expected_hmac: [u8; 32], csum_reader: ChecksumReader<'a, R> },
|
2019-08-12 15:47:25 +00:00
|
|
|
SignedCompressed { expected_crc: u32, expected_hmac: [u8; 32], decompr: zstd::stream::read::Decoder<BufReader<ChecksumReader<'a, R>>> },
|
2019-08-13 11:07:13 +00:00
|
|
|
Encrypted { expected_crc: u32, decrypt_reader: CryptReader<BufReader<ChecksumReader<'a, R>>> },
|
2019-08-13 11:16:14 +00:00
|
|
|
EncryptedCompressed { expected_crc: u32, decompr: zstd::stream::read::Decoder<BufReader<CryptReader<BufReader<ChecksumReader<'a, R>>>>> },
|
2019-08-12 15:20:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/// Read data blobs
|
|
|
|
pub struct DataBlobReader<'a, R: Read> {
|
|
|
|
state: BlobReaderState<'a, R>,
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
|
2019-08-12 15:20:41 +00:00
|
|
|
impl <'a, R: Read> DataBlobReader<'a, R> {
|
2019-08-11 09:32:36 +00:00
|
|
|
|
2019-08-12 15:41:25 +00:00
|
|
|
pub fn new(mut reader: R, config: Option<&'a CryptConfig>) -> Result<Self, Error> {
|
2019-08-11 09:32:36 +00:00
|
|
|
|
|
|
|
let head: DataBlobHeader = unsafe { reader.read_le_value()? };
|
2019-08-12 15:20:41 +00:00
|
|
|
match head.magic {
|
|
|
|
UNCOMPRESSED_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let csum_reader = ChecksumReader::new(reader, None);
|
|
|
|
Ok(Self { state: BlobReaderState::Uncompressed { expected_crc, csum_reader }})
|
|
|
|
}
|
|
|
|
COMPRESSED_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let csum_reader = ChecksumReader::new(reader, None);
|
|
|
|
|
|
|
|
let decompr = zstd::stream::read::Decoder::new(csum_reader)?;
|
|
|
|
Ok(Self { state: BlobReaderState::Compressed { expected_crc, decompr }})
|
|
|
|
}
|
2019-08-12 15:41:25 +00:00
|
|
|
AUTHENTICATED_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let mut expected_hmac = [0u8; 32];
|
|
|
|
reader.read_exact(&mut expected_hmac)?;
|
|
|
|
let signer = config.map(|c| c.data_signer());
|
|
|
|
let csum_reader = ChecksumReader::new(reader, signer);
|
|
|
|
Ok(Self { state: BlobReaderState::Signed { expected_crc, expected_hmac, csum_reader }})
|
|
|
|
}
|
2019-08-12 15:47:25 +00:00
|
|
|
AUTH_COMPR_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let mut expected_hmac = [0u8; 32];
|
|
|
|
reader.read_exact(&mut expected_hmac)?;
|
|
|
|
let signer = config.map(|c| c.data_signer());
|
|
|
|
let csum_reader = ChecksumReader::new(reader, signer);
|
|
|
|
|
|
|
|
let decompr = zstd::stream::read::Decoder::new(csum_reader)?;
|
|
|
|
Ok(Self { state: BlobReaderState::SignedCompressed { expected_crc, expected_hmac, decompr }})
|
|
|
|
}
|
2019-08-13 11:07:13 +00:00
|
|
|
ENCRYPTED_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let mut iv = [0u8; 16];
|
|
|
|
let mut expected_tag = [0u8; 16];
|
|
|
|
reader.read_exact(&mut iv)?;
|
|
|
|
reader.read_exact(&mut expected_tag)?;
|
|
|
|
let csum_reader = ChecksumReader::new(reader, None);
|
|
|
|
let decrypt_reader = CryptReader::new(BufReader::with_capacity(64*1024,csum_reader), iv, expected_tag, config.unwrap())?;
|
|
|
|
Ok(Self { state: BlobReaderState::Encrypted { expected_crc, decrypt_reader }})
|
|
|
|
}
|
2019-08-13 11:16:14 +00:00
|
|
|
ENCR_COMPR_BLOB_MAGIC_1_0 => {
|
|
|
|
let expected_crc = u32::from_le_bytes(head.crc);
|
|
|
|
let mut iv = [0u8; 16];
|
|
|
|
let mut expected_tag = [0u8; 16];
|
|
|
|
reader.read_exact(&mut iv)?;
|
|
|
|
reader.read_exact(&mut expected_tag)?;
|
|
|
|
let csum_reader = ChecksumReader::new(reader, None);
|
|
|
|
let decrypt_reader = CryptReader::new(BufReader::with_capacity(64*1024,csum_reader), iv, expected_tag, config.unwrap())?;
|
|
|
|
let decompr = zstd::stream::read::Decoder::new(decrypt_reader)?;
|
|
|
|
Ok(Self { state: BlobReaderState::EncryptedCompressed { expected_crc, decompr }})
|
|
|
|
}
|
2019-08-12 15:20:41 +00:00
|
|
|
_ => bail!("got wrong magic number {:?}", head.magic)
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
2019-08-12 15:20:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
pub fn finish(self) -> Result<R, Error> {
|
2019-08-12 15:41:25 +00:00
|
|
|
match self.state {
|
|
|
|
BlobReaderState::Uncompressed { csum_reader, expected_crc } => {
|
|
|
|
let (reader, crc, _) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
|
|
|
BlobReaderState::Compressed { expected_crc, decompr } => {
|
|
|
|
let csum_reader = decompr.finish().into_inner();
|
|
|
|
let (reader, crc, _) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
|
|
|
BlobReaderState::Signed { csum_reader, expected_crc, expected_hmac } => {
|
|
|
|
let (reader, crc, hmac) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
if let Some(hmac) = hmac {
|
|
|
|
if hmac != expected_hmac {
|
|
|
|
bail!("blob signature check failed");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
2019-08-12 15:47:25 +00:00
|
|
|
BlobReaderState::SignedCompressed { expected_crc, expected_hmac, decompr } => {
|
|
|
|
let csum_reader = decompr.finish().into_inner();
|
|
|
|
let (reader, crc, hmac) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
if let Some(hmac) = hmac {
|
|
|
|
if hmac != expected_hmac {
|
|
|
|
bail!("blob signature check failed");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
2019-08-13 11:07:13 +00:00
|
|
|
BlobReaderState::Encrypted { expected_crc, decrypt_reader } => {
|
|
|
|
let csum_reader = decrypt_reader.finish()?.into_inner();
|
|
|
|
let (reader, crc, _) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
2019-08-13 11:16:14 +00:00
|
|
|
BlobReaderState::EncryptedCompressed { expected_crc, decompr } => {
|
|
|
|
let decrypt_reader = decompr.finish().into_inner();
|
|
|
|
let csum_reader = decrypt_reader.finish()?.into_inner();
|
|
|
|
let (reader, crc, _) = csum_reader.finish()?;
|
|
|
|
if crc != expected_crc {
|
|
|
|
bail!("blob crc check failed");
|
|
|
|
}
|
|
|
|
Ok(reader)
|
|
|
|
}
|
2019-08-12 15:41:25 +00:00
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-12 15:20:41 +00:00
|
|
|
impl <'a, R: BufRead> Read for DataBlobReader<'a, R> {
|
2019-08-11 09:32:36 +00:00
|
|
|
|
|
|
|
fn read(&mut self, buf: &mut [u8]) -> Result<usize, std::io::Error> {
|
2019-08-12 15:20:41 +00:00
|
|
|
match &mut self.state {
|
|
|
|
BlobReaderState::Uncompressed { csum_reader, .. } => {
|
|
|
|
csum_reader.read(buf)
|
|
|
|
}
|
|
|
|
BlobReaderState::Compressed { decompr, .. } => {
|
|
|
|
decompr.read(buf)
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
2019-08-12 15:41:25 +00:00
|
|
|
BlobReaderState::Signed { csum_reader, .. } => {
|
|
|
|
csum_reader.read(buf)
|
|
|
|
}
|
2019-08-12 15:47:25 +00:00
|
|
|
BlobReaderState::SignedCompressed { decompr, .. } => {
|
|
|
|
decompr.read(buf)
|
|
|
|
}
|
2019-08-13 11:07:13 +00:00
|
|
|
BlobReaderState::Encrypted { decrypt_reader, .. } => {
|
|
|
|
decrypt_reader.read(buf)
|
|
|
|
}
|
2019-08-13 11:16:14 +00:00
|
|
|
BlobReaderState::EncryptedCompressed { decompr, .. } => {
|
|
|
|
decompr.read(buf)
|
|
|
|
}
|
2019-08-11 09:32:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|