cleanup KeyConfig
This commit is contained in:
parent
82a103c8f9
commit
9a045790ed
@ -24,7 +24,6 @@ use crate::{
|
|||||||
self,
|
self,
|
||||||
drive::check_drive_exists,
|
drive::check_drive_exists,
|
||||||
},
|
},
|
||||||
backup::decrypt_key_config,
|
|
||||||
api2::{
|
api2::{
|
||||||
types::{
|
types::{
|
||||||
UPID_SCHEMA,
|
UPID_SCHEMA,
|
||||||
@ -485,7 +484,7 @@ pub async fn restore_key(
|
|||||||
|
|
||||||
if let Some(key_config) = key_config {
|
if let Some(key_config) = key_config {
|
||||||
let password_fn = || { Ok(password.as_bytes().to_vec()) };
|
let password_fn = || { Ok(password.as_bytes().to_vec()) };
|
||||||
let key = match decrypt_key_config(&key_config, &password_fn) {
|
let key = match key_config.decrypt(&password_fn) {
|
||||||
Ok((key, ..)) => key,
|
Ok((key, ..)) => key,
|
||||||
Err(_) => {
|
Err(_) => {
|
||||||
match key_config.hint {
|
match key_config.hint {
|
||||||
|
@ -3,6 +3,8 @@ use anyhow::{bail, format_err, Context, Error};
|
|||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
|
|
||||||
use crate::backup::{CryptConfig, Fingerprint};
|
use crate::backup::{CryptConfig, Fingerprint};
|
||||||
|
use std::io::Write;
|
||||||
|
use std::path::Path;
|
||||||
|
|
||||||
use proxmox::api::api;
|
use proxmox::api::api;
|
||||||
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
|
use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
|
||||||
@ -99,43 +101,36 @@ pub struct KeyConfig {
|
|||||||
pub hint: Option<String>,
|
pub hint: Option<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn store_key_config(
|
impl KeyConfig {
|
||||||
path: &std::path::Path,
|
|
||||||
replace: bool,
|
|
||||||
key_config: KeyConfig,
|
|
||||||
) -> Result<(), Error> {
|
|
||||||
|
|
||||||
let data = serde_json::to_string(&key_config)?;
|
pub fn new(passphrase: &[u8], kdf: Kdf) -> Result<([u8;32], Self), Error> {
|
||||||
|
let mut key = [0u8; 32];
|
||||||
use std::io::Write;
|
proxmox::sys::linux::fill_with_random_data(&mut key)?;
|
||||||
|
let key_config = Self::with_key(&key, passphrase, kdf)?;
|
||||||
try_block!({
|
Ok((key, key_config))
|
||||||
if replace {
|
|
||||||
let mode = nix::sys::stat::Mode::S_IRUSR | nix::sys::stat::Mode::S_IWUSR;
|
|
||||||
replace_file(&path, data.as_bytes(), CreateOptions::new().perm(mode))?;
|
|
||||||
} else {
|
|
||||||
use std::os::unix::fs::OpenOptionsExt;
|
|
||||||
|
|
||||||
let mut file = std::fs::OpenOptions::new()
|
|
||||||
.write(true)
|
|
||||||
.mode(0o0600)
|
|
||||||
.create_new(true)
|
|
||||||
.open(&path)?;
|
|
||||||
|
|
||||||
file.write_all(data.as_bytes())?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
pub fn without_password(raw_key: [u8; 32]) -> Self {
|
||||||
}).map_err(|err: Error| format_err!("Unable to create file {:?} - {}", path, err))?;
|
let created = proxmox::tools::time::epoch_i64();
|
||||||
|
Self {
|
||||||
|
kdf: None,
|
||||||
|
created,
|
||||||
|
modified: created,
|
||||||
|
data: raw_key.to_vec(),
|
||||||
|
fingerprint: None,
|
||||||
|
hint: None,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
Ok(())
|
pub fn with_key(
|
||||||
}
|
|
||||||
|
|
||||||
pub fn encrypt_key_with_passphrase(
|
|
||||||
raw_key: &[u8],
|
raw_key: &[u8],
|
||||||
passphrase: &[u8],
|
passphrase: &[u8],
|
||||||
kdf: Kdf,
|
kdf: Kdf,
|
||||||
) -> Result<KeyConfig, Error> {
|
) -> Result<Self, Error> {
|
||||||
|
|
||||||
|
if raw_key.len() != 32 {
|
||||||
|
bail!("got strange key length ({} != 32)", raw_key.len())
|
||||||
|
}
|
||||||
|
|
||||||
let salt = proxmox::sys::linux::random_data(32)?;
|
let salt = proxmox::sys::linux::random_data(32)?;
|
||||||
|
|
||||||
@ -178,7 +173,7 @@ pub fn encrypt_key_with_passphrase(
|
|||||||
|
|
||||||
let created = proxmox::tools::time::epoch_i64();
|
let created = proxmox::tools::time::epoch_i64();
|
||||||
|
|
||||||
Ok(KeyConfig {
|
Ok(Self {
|
||||||
kdf: Some(kdf),
|
kdf: Some(kdf),
|
||||||
created,
|
created,
|
||||||
modified: created,
|
modified: created,
|
||||||
@ -186,33 +181,23 @@ pub fn encrypt_key_with_passphrase(
|
|||||||
fingerprint: None,
|
fingerprint: None,
|
||||||
hint: None,
|
hint: None,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn load_and_decrypt_key(
|
/// Loads a KeyConfig from path
|
||||||
path: &std::path::Path,
|
pub fn load<P: AsRef<Path>>(path: P) -> Result<KeyConfig, Error> {
|
||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
let keydata = file_get_contents(path)?;
|
||||||
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
|
||||||
decrypt_key(&file_get_contents(&path)?, passphrase)
|
|
||||||
.with_context(|| format!("failed to load decryption key from {:?}", path))
|
|
||||||
}
|
|
||||||
|
|
||||||
/// Loads a KeyConfig from path
|
|
||||||
pub fn load_key_config(
|
|
||||||
path: &std::path::Path,
|
|
||||||
) -> Result<KeyConfig, Error> {
|
|
||||||
let keydata = file_get_contents(&path)?;
|
|
||||||
let key_config: KeyConfig = serde_json::from_reader(&keydata[..])?;
|
let key_config: KeyConfig = serde_json::from_reader(&keydata[..])?;
|
||||||
Ok(key_config)
|
Ok(key_config)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn decrypt_key_config(
|
pub fn decrypt(
|
||||||
key_config: &KeyConfig,
|
&self,
|
||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
||||||
|
|
||||||
let raw_data = &key_config.data;
|
let raw_data = &self.data;
|
||||||
|
|
||||||
let key = if let Some(ref kdf) = key_config.kdf {
|
let key = if let Some(ref kdf) = self.kdf {
|
||||||
|
|
||||||
let passphrase = passphrase()?;
|
let passphrase = passphrase()?;
|
||||||
if passphrase.len() < 5 {
|
if passphrase.len() < 5 {
|
||||||
@ -234,7 +219,7 @@ pub fn decrypt_key_config(
|
|||||||
cipher,
|
cipher,
|
||||||
&derived_key,
|
&derived_key,
|
||||||
Some(&iv),
|
Some(&iv),
|
||||||
b"", //??
|
b"",
|
||||||
&enc_data,
|
&enc_data,
|
||||||
&tag,
|
&tag,
|
||||||
).map_err(|err| format_err!("Unable to decrypt key (wrong password?) - {}", err))?
|
).map_err(|err| format_err!("Unable to decrypt key (wrong password?) - {}", err))?
|
||||||
@ -248,7 +233,7 @@ pub fn decrypt_key_config(
|
|||||||
|
|
||||||
let crypt_config = CryptConfig::new(result.clone())?;
|
let crypt_config = CryptConfig::new(result.clone())?;
|
||||||
let fingerprint = crypt_config.fingerprint();
|
let fingerprint = crypt_config.fingerprint();
|
||||||
if let Some(ref stored_fingerprint) = key_config.fingerprint {
|
if let Some(ref stored_fingerprint) = self.fingerprint {
|
||||||
if &fingerprint != stored_fingerprint {
|
if &fingerprint != stored_fingerprint {
|
||||||
bail!(
|
bail!(
|
||||||
"KeyConfig contains wrong fingerprint {}, contained key has fingerprint {}",
|
"KeyConfig contains wrong fingerprint {}, contained key has fingerprint {}",
|
||||||
@ -257,7 +242,45 @@ pub fn decrypt_key_config(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok((result, key_config.created, fingerprint))
|
Ok((result, self.created, fingerprint))
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn store<P: AsRef<Path>>(&self, path: P, replace: bool) -> Result<(), Error> {
|
||||||
|
|
||||||
|
let path: &Path = path.as_ref();
|
||||||
|
|
||||||
|
let data = serde_json::to_string(self)?;
|
||||||
|
|
||||||
|
try_block!({
|
||||||
|
if replace {
|
||||||
|
let mode = nix::sys::stat::Mode::S_IRUSR | nix::sys::stat::Mode::S_IWUSR;
|
||||||
|
replace_file(path, data.as_bytes(), CreateOptions::new().perm(mode))?;
|
||||||
|
} else {
|
||||||
|
use std::os::unix::fs::OpenOptionsExt;
|
||||||
|
|
||||||
|
let mut file = std::fs::OpenOptions::new()
|
||||||
|
.write(true)
|
||||||
|
.mode(0o0600)
|
||||||
|
.create_new(true)
|
||||||
|
.open(&path)?;
|
||||||
|
|
||||||
|
file.write_all(data.as_bytes())?;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}).map_err(|err: Error| format_err!("Unable to store key file {:?} - {}", path, err))?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
pub fn load_and_decrypt_key(
|
||||||
|
path: &std::path::Path,
|
||||||
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
|
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
||||||
|
decrypt_key(&file_get_contents(&path)?, passphrase)
|
||||||
|
.with_context(|| format!("failed to load decryption key from {:?}", path))
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn decrypt_key(
|
pub fn decrypt_key(
|
||||||
@ -265,7 +288,7 @@ pub fn decrypt_key(
|
|||||||
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
passphrase: &dyn Fn() -> Result<Vec<u8>, Error>,
|
||||||
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
) -> Result<([u8;32], i64, Fingerprint), Error> {
|
||||||
let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?;
|
let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?;
|
||||||
decrypt_key_config(&key_config, passphrase)
|
key_config.decrypt(passphrase)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn rsa_encrypt_key_config(
|
pub fn rsa_encrypt_key_config(
|
||||||
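Review bot: `KeyConfig::with_key` (hunk `@ -99,43 +101,36 @@`) accepts a passphrase of any length, while `decrypt` rejects passphrases shorter than 5 bytes (`if passphrase.len() < 5 {`, whose body lies outside the visible lines), so a config written with a shorter passphrase would apparently never be readable again; mirror the check in `with_key` right after the key-length check: `if passphrase.len() < 5 { bail!("passphrase too short ({} < 5 bytes)", passphrase.len()); }`. The new constructors also carry no doc comments, unlike `load`; `without_password` in particular should say that it stores the raw key unencrypted (`kdf: None`, `data: raw_key.to_vec()`) so the 0600 mode applied by `store` is the only protection, and `new`/`with_key` should note that `fingerprint` is left `None` for the caller to fill in. The `String` built by `serde_json::to_string(self)` in `store` holds the plaintext key for a `Kdf::None` config and is not wiped before drop — probably acceptable here, but worth a one-line comment. `rsa_encrypt_key_config` at the end of the section starts outside the hunk.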
|
@ -24,11 +24,7 @@ use proxmox_backup::{
|
|||||||
PASSWORD_HINT_SCHEMA,
|
PASSWORD_HINT_SCHEMA,
|
||||||
},
|
},
|
||||||
backup::{
|
backup::{
|
||||||
encrypt_key_with_passphrase,
|
|
||||||
load_key_config,
|
|
||||||
decrypt_key_config,
|
|
||||||
rsa_decrypt_key_config,
|
rsa_decrypt_key_config,
|
||||||
store_key_config,
|
|
||||||
CryptConfig,
|
CryptConfig,
|
||||||
Kdf,
|
Kdf,
|
||||||
KeyConfig,
|
KeyConfig,
|
||||||
@ -129,31 +125,20 @@ fn create(
|
|||||||
|
|
||||||
let kdf = kdf.unwrap_or_default();
|
let kdf = kdf.unwrap_or_default();
|
||||||
|
|
||||||
let mut key_array = [0u8; 32];
|
let mut key = [0u8; 32];
|
||||||
proxmox::sys::linux::fill_with_random_data(&mut key_array)?;
|
proxmox::sys::linux::fill_with_random_data(&mut key)?;
|
||||||
let crypt_config = CryptConfig::new(key_array.clone())?;
|
let crypt_config = CryptConfig::new(key.clone())?;
|
||||||
let key = key_array.to_vec();
|
|
||||||
|
|
||||||
match kdf {
|
match kdf {
|
||||||
Kdf::None => {
|
Kdf::None => {
|
||||||
let created = proxmox::tools::time::epoch_i64();
|
|
||||||
|
|
||||||
if hint.is_some() {
|
if hint.is_some() {
|
||||||
bail!("password hint not allowed for Kdf::None");
|
bail!("password hint not allowed for Kdf::None");
|
||||||
}
|
}
|
||||||
|
|
||||||
store_key_config(
|
let mut key_config = KeyConfig::without_password(key);
|
||||||
&path,
|
key_config.fingerprint = Some(crypt_config.fingerprint());
|
||||||
false,
|
|
||||||
KeyConfig {
|
key_config.store(path, false)?;
|
||||||
kdf: None,
|
|
||||||
created,
|
|
||||||
modified: created,
|
|
||||||
data: key,
|
|
||||||
fingerprint: Some(crypt_config.fingerprint()),
|
|
||||||
hint: None,
|
|
||||||
},
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
Kdf::Scrypt | Kdf::PBKDF2 => {
|
Kdf::Scrypt | Kdf::PBKDF2 => {
|
||||||
// always read passphrase from tty
|
// always read passphrase from tty
|
||||||
@ -163,11 +148,11 @@ fn create(
|
|||||||
|
|
||||||
let password = tty::read_and_verify_password("Encryption Key Password: ")?;
|
let password = tty::read_and_verify_password("Encryption Key Password: ")?;
|
||||||
|
|
||||||
let mut key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
|
let mut key_config = KeyConfig::with_key(&key, &password, kdf)?;
|
||||||
key_config.fingerprint = Some(crypt_config.fingerprint());
|
key_config.fingerprint = Some(crypt_config.fingerprint());
|
||||||
key_config.hint = hint;
|
key_config.hint = hint;
|
||||||
|
|
||||||
store_key_config(&path, false, key_config)?;
|
key_config.store(&path, false)?;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -235,34 +220,26 @@ async fn import_with_master_key(
|
|||||||
let kdf = kdf.unwrap_or_default();
|
let kdf = kdf.unwrap_or_default();
|
||||||
match kdf {
|
match kdf {
|
||||||
Kdf::None => {
|
Kdf::None => {
|
||||||
let modified = proxmox::tools::time::epoch_i64();
|
|
||||||
|
|
||||||
if hint.is_some() {
|
if hint.is_some() {
|
||||||
bail!("password hint not allowed for Kdf::None");
|
bail!("password hint not allowed for Kdf::None");
|
||||||
}
|
}
|
||||||
|
|
||||||
store_key_config(
|
let mut key_config = KeyConfig::without_password(key);
|
||||||
&path,
|
key_config.created = created; // keep original value
|
||||||
true,
|
key_config.fingerprint = Some(fingerprint);
|
||||||
KeyConfig {
|
|
||||||
kdf: None,
|
key_config.store(path, true)?;
|
||||||
created, // keep original value
|
|
||||||
modified,
|
|
||||||
data: key.to_vec(),
|
|
||||||
fingerprint: Some(fingerprint),
|
|
||||||
hint: None,
|
|
||||||
},
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
Kdf::Scrypt | Kdf::PBKDF2 => {
|
Kdf::Scrypt | Kdf::PBKDF2 => {
|
||||||
let password = tty::read_and_verify_password("New Password: ")?;
|
let password = tty::read_and_verify_password("New Password: ")?;
|
||||||
|
|
||||||
let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
|
let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
|
||||||
new_key_config.created = created; // keep original value
|
new_key_config.created = created; // keep original value
|
||||||
new_key_config.fingerprint = Some(fingerprint);
|
new_key_config.fingerprint = Some(fingerprint);
|
||||||
new_key_config.hint = hint;
|
new_key_config.hint = hint;
|
||||||
|
|
||||||
store_key_config(&path, true, new_key_config)?;
|
new_key_config.store(path, true)?;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -311,38 +288,30 @@ fn change_passphrase(
|
|||||||
bail!("unable to change passphrase - no tty");
|
bail!("unable to change passphrase - no tty");
|
||||||
}
|
}
|
||||||
|
|
||||||
let key_config = load_key_config(&path)?;
|
let key_config = KeyConfig::load(&path)?;
|
||||||
let (key, created, fingerprint) = decrypt_key_config(&key_config, &get_encryption_key_password)?;
|
let (key, created, fingerprint) = key_config.decrypt(&get_encryption_key_password)?;
|
||||||
|
|
||||||
match kdf {
|
match kdf {
|
||||||
Kdf::None => {
|
Kdf::None => {
|
||||||
let modified = proxmox::tools::time::epoch_i64();
|
|
||||||
|
|
||||||
if hint.is_some() {
|
if hint.is_some() {
|
||||||
bail!("password hint not allowed for Kdf::None");
|
bail!("password hint not allowed for Kdf::None");
|
||||||
}
|
}
|
||||||
|
|
||||||
store_key_config(
|
let mut key_config = KeyConfig::without_password(key);
|
||||||
&path,
|
key_config.created = created; // keep original value
|
||||||
true,
|
key_config.fingerprint = Some(fingerprint);
|
||||||
KeyConfig {
|
|
||||||
kdf: None,
|
key_config.store(&path, true)?;
|
||||||
created, // keep original value
|
|
||||||
modified,
|
|
||||||
data: key.to_vec(),
|
|
||||||
fingerprint: Some(fingerprint),
|
|
||||||
hint: None,
|
|
||||||
},
|
|
||||||
)?;
|
|
||||||
}
|
}
|
||||||
Kdf::Scrypt | Kdf::PBKDF2 => {
|
Kdf::Scrypt | Kdf::PBKDF2 => {
|
||||||
let password = tty::read_and_verify_password("New Password: ")?;
|
let password = tty::read_and_verify_password("New Password: ")?;
|
||||||
|
|
||||||
let mut new_key_config = encrypt_key_with_passphrase(&key, &password, kdf)?;
|
let mut new_key_config = KeyConfig::with_key(&key, &password, kdf)?;
|
||||||
new_key_config.created = created; // keep original value
|
new_key_config.created = created; // keep original value
|
||||||
new_key_config.fingerprint = Some(fingerprint);
|
new_key_config.fingerprint = Some(fingerprint);
|
||||||
new_key_config.hint = hint;
|
new_key_config.hint = hint;
|
||||||
store_key_config(&path, true, new_key_config)?;
|
|
||||||
|
new_key_config.store(&path, true)?;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
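Review bot: In `create`, `CryptConfig::new(key.clone())` on the new `key: [u8; 32]` clones a `Copy` array (clippy `clone_on_copy`); since `without_password(key)` below likewise only needs a copy, `CryptConfig::new(key)?` is enough. The same function passes the path two ways, `key_config.store(path, false)?` in the `Kdf::None` arm and `key_config.store(&path, false)?` in the KDF arm, and `change_passphrase` uses `&path` while `import_with_master_key` uses `path`; `store` takes `impl AsRef<Path>` so both compile, but one form per file reads better. The `Kdf::Scrypt | Kdf::PBKDF2` arm of `create` still hand-rolls what the new `KeyConfig::new` does (random key, then `with_key`), though using it there would require the key before `match kdf`, so the duplication is understandable. `create`, `import_with_master_key` and `change_passphrase` all start and end outside the visible hunks.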
|
@ -16,7 +16,6 @@ use crate::{
|
|||||||
Kdf,
|
Kdf,
|
||||||
KeyConfig,
|
KeyConfig,
|
||||||
CryptConfig,
|
CryptConfig,
|
||||||
encrypt_key_with_passphrase,
|
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -59,11 +58,7 @@ pub fn compute_tape_key_fingerprint(key: &[u8; 32]) -> Result<Fingerprint, Error
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn generate_tape_encryption_key(password: &[u8]) -> Result<([u8; 32], KeyConfig), Error> {
|
pub fn generate_tape_encryption_key(password: &[u8]) -> Result<([u8; 32], KeyConfig), Error> {
|
||||||
|
let (key, mut key_config) = KeyConfig::new(password, Kdf::Scrypt)?;
|
||||||
let mut key = [0u8; 32];
|
|
||||||
proxmox::sys::linux::fill_with_random_data(&mut key)?;
|
|
||||||
|
|
||||||
let mut key_config = encrypt_key_with_passphrase(&key, password, Kdf::Scrypt)?;
|
|
||||||
key_config.fingerprint = Some(compute_tape_key_fingerprint(&key)?);
|
key_config.fingerprint = Some(compute_tape_key_fingerprint(&key)?);
|
||||||
Ok((key, key_config))
|
Ok((key, key_config))
|
||||||
}
|
}
|
||||||
|