src/backup/crypt_config.rs: new method to get hmac signer
This commit is contained in:
parent
a762ce54fd
commit
cb0eea29d9
@ -7,7 +7,6 @@
|
|||||||
//! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
|
//! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
|
||||||
//! for a short introduction.
|
//! for a short introduction.
|
||||||
use failure::*;
|
use failure::*;
|
||||||
use proxmox::tools;
|
|
||||||
use openssl::pkcs5::pbkdf2_hmac;
|
use openssl::pkcs5::pbkdf2_hmac;
|
||||||
use openssl::hash::MessageDigest;
|
use openssl::hash::MessageDigest;
|
||||||
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
|
||||||
@ -22,9 +21,12 @@ pub struct CryptConfig {
|
|||||||
// the Cipher
|
// the Cipher
|
||||||
cipher: Cipher,
|
cipher: Cipher,
|
||||||
// A secrect key use to provide the chunk digest name space.
|
// A secrect key use to provide the chunk digest name space.
|
||||||
id_key: Vec<u8>,
|
id_key: [u8; 32],
|
||||||
|
// Openssl hmac PKey of id_key
|
||||||
|
id_pkey: openssl::pkey::PKey<openssl::pkey::Private>,
|
||||||
// The private key used by the cipher.
|
// The private key used by the cipher.
|
||||||
enc_key: [u8; 32],
|
enc_key: [u8; 32],
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
impl CryptConfig {
|
impl CryptConfig {
|
||||||
@ -35,7 +37,7 @@ impl CryptConfig {
|
|||||||
/// key is used in compute_digest.
|
/// key is used in compute_digest.
|
||||||
pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> {
|
pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> {
|
||||||
|
|
||||||
let mut id_key = tools::vec::undefined(32);
|
let mut id_key = [0u8; 32];
|
||||||
|
|
||||||
pbkdf2_hmac(
|
pbkdf2_hmac(
|
||||||
&enc_key,
|
&enc_key,
|
||||||
@ -44,7 +46,9 @@ impl CryptConfig {
|
|||||||
MessageDigest::sha256(),
|
MessageDigest::sha256(),
|
||||||
&mut id_key)?;
|
&mut id_key)?;
|
||||||
|
|
||||||
Ok(Self { id_key, enc_key, cipher: Cipher::aes_256_gcm() })
|
let id_pkey = openssl::pkey::PKey::hmac(&id_key).unwrap();
|
||||||
|
|
||||||
|
Ok(Self { id_key, id_pkey, enc_key, cipher: Cipher::aes_256_gcm() })
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Compute a chunk digest using a secret name space.
|
/// Compute a chunk digest using a secret name space.
|
||||||
@ -62,13 +66,16 @@ impl CryptConfig {
|
|||||||
digest
|
digest
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn data_signer(&self) -> openssl::sign::Signer {
|
||||||
|
openssl::sign::Signer::new(MessageDigest::sha256(), &self.id_pkey).unwrap()
|
||||||
|
}
|
||||||
|
|
||||||
/// Compute authentication tag (hmac/sha256)
|
/// Compute authentication tag (hmac/sha256)
|
||||||
///
|
///
|
||||||
/// Computes an SHA256 HMAC using some secret data (derived
|
/// Computes an SHA256 HMAC using some secret data (derived
|
||||||
/// from the secret key) and the provided data.
|
/// from the secret key) and the provided data.
|
||||||
pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] {
|
pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] {
|
||||||
let key = openssl::pkey::PKey::hmac(&self.id_key).unwrap();
|
let mut signer = self.data_signer();
|
||||||
let mut signer = openssl::sign::Signer::new(MessageDigest::sha256(), &key).unwrap();
|
|
||||||
signer.update(data).unwrap();
|
signer.update(data).unwrap();
|
||||||
let mut tag = [0u8; 32];
|
let mut tag = [0u8; 32];
|
||||||
signer.sign(&mut tag).unwrap();
|
signer.sign(&mut tag).unwrap();
|
||||||
|
Loading…
Reference in New Issue
Block a user