From cbe01dc5c794843df56a803aac42281befc1f687 Mon Sep 17 00:00:00 2001 From: Oguz Bektas Date: Mon, 13 Jan 2020 16:05:28 +0100 Subject: [PATCH] tools: add read_and_verify_password helper add a helper to perform some basic checks on password prompts. - verification (asks for a 2nd time) - check length also use the new helper where password input in tty is taken to reduce duplicate code. this helper should be used when creating keys, changing passphrases etc. note: this helper can be extended later on to provide better checks for password strength. Signed-off-by: Oguz Bektas --- src/bin/proxmox-backup-client.rs | 27 +++++---------------------- src/tools/tty.rs | 16 ++++++++++++++++ 2 files changed, 21 insertions(+), 22 deletions(-) diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs index 07b2189a..94c46144 100644 --- a/src/bin/proxmox-backup-client.rs +++ b/src/bin/proxmox-backup-client.rs @@ -1682,7 +1682,7 @@ fn key_create( bail!("unable to read passphrase - no tty"); } - let password = crate::tools::tty::read_password("Encryption Key Password: ")?; + let password = crate::tools::tty::read_and_verify_password("Encryption Key Password: ")?; let key_config = encrypt_key_with_passphrase(&key, &password)?; @@ -1752,16 +1752,8 @@ fn key_create_master_key( let rsa = openssl::rsa::Rsa::generate(4096)?; let pkey = openssl::pkey::PKey::from_rsa(rsa)?; - let new_pw = String::from_utf8(crate::tools::tty::read_password("Master Key Password: ")?)?; - let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?; - if new_pw != verify_pw { - bail!("Password verification fail!"); - } - - if new_pw.len() < 5 { - bail!("Password is too short!"); - } + let password = String::from_utf8(crate::tools::tty::read_and_verify_password("Master Key Password: ")?)?; let pub_key: Vec = pkey.public_key_to_pem()?; let filename_pub = "master-public.pem"; @@ -1769,7 +1761,7 @@ fn key_create_master_key( replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?; let cipher = openssl::symm::Cipher::aes_256_cbc(); - let priv_key: Vec = pkey.private_key_to_pem_pkcs8_passphrase(cipher, new_pw.as_bytes())?; + let priv_key: Vec = pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?; let filename_priv = "master-private.pem"; println!("Writing private master key to {}", filename_priv); @@ -1798,18 +1790,9 @@ fn key_change_passphrase( if kdf == "scrypt" { - let new_pw = String::from_utf8(crate::tools::tty::read_password("New Password: ")?)?; - let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?; + let password = crate::tools::tty::read_and_verify_password("New Password: ")?; - if new_pw != verify_pw { - bail!("Password verification fail!"); - } - - if new_pw.len() < 5 { - bail!("Password is too short!"); - } - - let mut new_key_config = encrypt_key_with_passphrase(&key, new_pw.as_bytes())?; + let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?; new_key_config.created = created; // keep original value store_key_config(&path, true, new_key_config)?; diff --git a/src/tools/tty.rs b/src/tools/tty.rs index a3ece89a..69b94264 100644 --- a/src/tools/tty.rs +++ b/src/tools/tty.rs @@ -86,3 +86,19 @@ pub fn read_password(query: &str) -> Result, Error> { Err(e) => Err(e), } } + +pub fn read_and_verify_password(prompt: &str) -> Result, Error> { + + let password = String::from_utf8(crate::tools::tty::read_password(prompt)?)?; + let verify_password = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?; + + if password != verify_password { + bail!("Passwords do not match!"); + } + + if password.len() < 5 { + bail!("Password too short!"); + } + + Ok(password.into_bytes()) +}