src/backup/crypt_config.rs: make code more flexible
Allow to pass magic numbers as parameters.
This commit is contained in:
parent
c38266c18d
commit
077a8cae63
@ -64,7 +64,18 @@ impl CryptConfig {
|
|||||||
/// Compress and encrypt data using a random 16 byte IV.
|
/// Compress and encrypt data using a random 16 byte IV.
|
||||||
///
|
///
|
||||||
/// Return the encrypted data, including IV and MAC (MAGIC || IV || MAC || ENC_DATA).
|
/// Return the encrypted data, including IV and MAC (MAGIC || IV || MAC || ENC_DATA).
|
||||||
pub fn encode_chunk(&self, data: &[u8], compress: bool) -> Result<Vec<u8>, Error> {
|
/// If compression does not help, we return the uncompresssed, encrypted data.
|
||||||
|
pub fn encode_chunk(
|
||||||
|
&self,
|
||||||
|
// The data you want to encode
|
||||||
|
data: &[u8],
|
||||||
|
// Whether try to compress data before encryption
|
||||||
|
compress: bool,
|
||||||
|
// Magic number used for uncompressed results
|
||||||
|
uncomp_magic: &[u8; 8],
|
||||||
|
// Magic number used for compressed results
|
||||||
|
comp_magic: &[u8; 8],
|
||||||
|
) -> Result<Vec<u8>, Error> {
|
||||||
|
|
||||||
let iv = proxmox::sys::linux::random_data(16)?;
|
let iv = proxmox::sys::linux::random_data(16)?;
|
||||||
let mut c = Crypter::new(self.cipher, Mode::Encrypt, &self.enc_key, Some(&iv))?;
|
let mut c = Crypter::new(self.cipher, Mode::Encrypt, &self.enc_key, Some(&iv))?;
|
||||||
@ -76,7 +87,7 @@ impl CryptConfig {
|
|||||||
if compr_data.len() < data.len() {
|
if compr_data.len() < data.len() {
|
||||||
let mut enc = vec![0; compr_data.len()+40+self.cipher.block_size()];
|
let mut enc = vec![0; compr_data.len()+40+self.cipher.block_size()];
|
||||||
|
|
||||||
enc[0..8].copy_from_slice(&super::ENCR_COMPR_CHUNK_MAGIC_1_0);
|
enc[0..8].copy_from_slice(comp_magic);
|
||||||
enc[8..24].copy_from_slice(&iv);
|
enc[8..24].copy_from_slice(&iv);
|
||||||
|
|
||||||
let count = c.update(&compr_data, &mut enc[40..])?;
|
let count = c.update(&compr_data, &mut enc[40..])?;
|
||||||
@ -91,7 +102,7 @@ impl CryptConfig {
|
|||||||
|
|
||||||
let mut enc = vec![0; data.len()+40+self.cipher.block_size()];
|
let mut enc = vec![0; data.len()+40+self.cipher.block_size()];
|
||||||
|
|
||||||
enc[0..8].copy_from_slice(&super::ENCRYPTED_CHUNK_MAGIC_1_0);
|
enc[0..8].copy_from_slice(uncomp_magic);
|
||||||
enc[8..24].copy_from_slice(&iv);
|
enc[8..24].copy_from_slice(&iv);
|
||||||
|
|
||||||
let count = c.update(data, &mut enc[40..])?;
|
let count = c.update(data, &mut enc[40..])?;
|
||||||
@ -105,19 +116,18 @@ impl CryptConfig {
|
|||||||
|
|
||||||
/// Decompress and decrypt chunk, verify MAC.
|
/// Decompress and decrypt chunk, verify MAC.
|
||||||
///
|
///
|
||||||
/// Binrary ``data`` is expected to be in format returned by encode_chunk.
|
/// Binrary ``data`` is expected to be in format returned by encode_chunk. The magic number
|
||||||
pub fn decode_chunk(&self, data: &[u8]) -> Result<Vec<u8>, Error> {
|
/// is not used here.
|
||||||
|
pub fn decode_compressed_chunk(&self, data: &[u8]) -> Result<Vec<u8>, Error> {
|
||||||
|
|
||||||
if data.len() < 40 {
|
if data.len() < 40 {
|
||||||
bail!("Invalid chunk len (<40)");
|
bail!("Invalid chunk len (<40)");
|
||||||
}
|
}
|
||||||
|
|
||||||
let magic = &data[0..8];
|
// let magic = &data[0..8];
|
||||||
let iv = &data[8..24];
|
let iv = &data[8..24];
|
||||||
let mac = &data[24..40];
|
let mac = &data[24..40];
|
||||||
|
|
||||||
if magic == super::ENCR_COMPR_CHUNK_MAGIC_1_0 {
|
|
||||||
|
|
||||||
let dec = Vec::with_capacity(1024*1024);
|
let dec = Vec::with_capacity(1024*1024);
|
||||||
|
|
||||||
let mut decompressor = zstd::stream::write::Decoder::new(dec)?;
|
let mut decompressor = zstd::stream::write::Decoder::new(dec)?;
|
||||||
@ -149,9 +159,23 @@ impl CryptConfig {
|
|||||||
|
|
||||||
decompressor.flush()?;
|
decompressor.flush()?;
|
||||||
|
|
||||||
return Ok(decompressor.into_inner());
|
Ok(decompressor.into_inner())
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Decrypt chunk, verify MAC.
|
||||||
|
///
|
||||||
|
/// Binrary ``data`` is expected to be in format returned by encode_chunk. The magic number
|
||||||
|
/// is not used here.
|
||||||
|
pub fn decode_uncompressed_chunk(&self, data: &[u8]) -> Result<Vec<u8>, Error> {
|
||||||
|
|
||||||
|
if data.len() < 40 {
|
||||||
|
bail!("Invalid chunk len (<40)");
|
||||||
|
}
|
||||||
|
|
||||||
|
// let magic = &data[0..8];
|
||||||
|
let iv = &data[8..24];
|
||||||
|
let mac = &data[24..40];
|
||||||
|
|
||||||
} else if magic == super::ENCRYPTED_CHUNK_MAGIC_1_0 {
|
|
||||||
let decr_data = decrypt_aead(
|
let decr_data = decrypt_aead(
|
||||||
self.cipher,
|
self.cipher,
|
||||||
&self.enc_key,
|
&self.enc_key,
|
||||||
@ -160,9 +184,7 @@ impl CryptConfig {
|
|||||||
&data[40..],
|
&data[40..],
|
||||||
mac,
|
mac,
|
||||||
)?;
|
)?;
|
||||||
return Ok(decr_data);
|
|
||||||
} else {
|
Ok(decr_data)
|
||||||
bail!("Invalid magic number (expected encrypted chunk).");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,12 @@ impl DataChunk {
|
|||||||
|
|
||||||
if let Some(config) = config {
|
if let Some(config) = config {
|
||||||
|
|
||||||
let enc_data = config.encode_chunk(data, compress)?;
|
let enc_data = config.encode_chunk(
|
||||||
|
data,
|
||||||
|
compress,
|
||||||
|
&ENCRYPTED_CHUNK_MAGIC_1_0,
|
||||||
|
&ENCR_COMPR_CHUNK_MAGIC_1_0,
|
||||||
|
)?;
|
||||||
let chunk = DataChunk { digest, raw_data: enc_data };
|
let chunk = DataChunk { digest, raw_data: enc_data };
|
||||||
|
|
||||||
Ok(chunk)
|
Ok(chunk)
|
||||||
@ -108,8 +113,11 @@ impl DataChunk {
|
|||||||
|
|
||||||
} else if magic == &ENCR_COMPR_CHUNK_MAGIC_1_0 || magic == &ENCRYPTED_CHUNK_MAGIC_1_0 {
|
} else if magic == &ENCR_COMPR_CHUNK_MAGIC_1_0 || magic == &ENCRYPTED_CHUNK_MAGIC_1_0 {
|
||||||
if let Some(config) = config {
|
if let Some(config) = config {
|
||||||
let data = config.decode_chunk(&self.raw_data)?;
|
let data = if magic == &ENCR_COMPR_CHUNK_MAGIC_1_0 {
|
||||||
|
config.decode_compressed_chunk(&self.raw_data)?
|
||||||
|
} else {
|
||||||
|
config.decode_uncompressed_chunk(&self.raw_data)?
|
||||||
|
};
|
||||||
return Ok(data);
|
return Ok(data);
|
||||||
} else {
|
} else {
|
||||||
bail!("unable to decrypt chunk - missing CryptConfig");
|
bail!("unable to decrypt chunk - missing CryptConfig");
|
||||||
|
Loading…
Reference in New Issue
Block a user