src/backup/crypt_config.rs: new method to get hmac signer

Dietmar Maurer 2019-08-12 07:33:15 +02:00
parent a762ce54fd
commit cb0eea29d9


@ -7,7 +7,6 @@
//! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption) //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
//! for a short introduction. //! for a short introduction.
use failure::*; use failure::*;
use proxmox::tools;
use openssl::pkcs5::pbkdf2_hmac; use openssl::pkcs5::pbkdf2_hmac;
use openssl::hash::MessageDigest; use openssl::hash::MessageDigest;
use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode}; use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
@ -22,9 +21,12 @@ pub struct CryptConfig {
// the Cipher // the Cipher
cipher: Cipher, cipher: Cipher,
// A secrect key use to provide the chunk digest name space. // A secrect key use to provide the chunk digest name space.
id_key: Vec<u8>, id_key: [u8; 32],
// Openssl hmac PKey of id_key
id_pkey: openssl::pkey::PKey<openssl::pkey::Private>,
// The private key used by the cipher. // The private key used by the cipher.
enc_key: [u8; 32], enc_key: [u8; 32],
} }
impl CryptConfig { impl CryptConfig {
@ -35,7 +37,7 @@ impl CryptConfig {
/// key is used in compute_digest. /// key is used in compute_digest.
pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> { pub fn new(enc_key: [u8; 32]) -> Result<Self, Error> {
let mut id_key = tools::vec::undefined(32); let mut id_key = [0u8; 32];
pbkdf2_hmac( pbkdf2_hmac(
&enc_key, &enc_key,
@ -44,7 +46,9 @@ impl CryptConfig {
MessageDigest::sha256(), MessageDigest::sha256(),
&mut id_key)?; &mut id_key)?;
Ok(Self { id_key, enc_key, cipher: Cipher::aes_256_gcm() }) let id_pkey = openssl::pkey::PKey::hmac(&id_key).unwrap();
Ok(Self { id_key, id_pkey, enc_key, cipher: Cipher::aes_256_gcm() })
} }
/// Compute a chunk digest using a secret name space. /// Compute a chunk digest using a secret name space.
@ -62,13 +66,16 @@ impl CryptConfig {
digest digest
} }
pub fn data_signer(&self) -> openssl::sign::Signer {
openssl::sign::Signer::new(MessageDigest::sha256(), &self.id_pkey).unwrap()
}
/// Compute authentication tag (hmac/sha256) /// Compute authentication tag (hmac/sha256)
/// ///
/// Computes an SHA256 HMAC using some secret data (derived /// Computes an SHA256 HMAC using some secret data (derived
/// from the secret key) and the provided data. /// from the secret key) and the provided data.
pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] { pub fn compute_auth_tag(&self, data: &[u8]) -> [u8; 32] {
let key = openssl::pkey::PKey::hmac(&self.id_key).unwrap(); let mut signer = self.data_signer();
let mut signer = openssl::sign::Signer::new(MessageDigest::sha256(), &key).unwrap();
signer.update(data).unwrap(); signer.update(data).unwrap();
let mut tag = [0u8; 32]; let mut tag = [0u8; 32];
signer.sign(&mut tag).unwrap(); signer.sign(&mut tag).unwrap();