tools: add read_and_verify_password helper

add a helper to perform some basic checks on password prompts.
- verification (asks for a 2nd time)
- check length

also use the new helper where password input in tty is taken to reduce
duplicate code.

this helper should be used when creating keys, changing passphrases etc.

note: this helper can be extended later on to provide better checks for
password strength.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Oguz Bektas 2020-01-13 16:05:28 +01:00 committed by Dietmar Maurer
parent ea5061979b
commit cbe01dc5c7
2 changed files with 21 additions and 22 deletions


@ -1682,7 +1682,7 @@ fn key_create(
bail!("unable to read passphrase - no tty"); bail!("unable to read passphrase - no tty");
} }
let password = crate::tools::tty::read_password("Encryption Key Password: ")?; let password = crate::tools::tty::read_and_verify_password("Encryption Key Password: ")?;
let key_config = encrypt_key_with_passphrase(&key, &password)?; let key_config = encrypt_key_with_passphrase(&key, &password)?;
@ -1752,16 +1752,8 @@ fn key_create_master_key(
let rsa = openssl::rsa::Rsa::generate(4096)?; let rsa = openssl::rsa::Rsa::generate(4096)?;
let pkey = openssl::pkey::PKey::from_rsa(rsa)?; let pkey = openssl::pkey::PKey::from_rsa(rsa)?;
let new_pw = String::from_utf8(crate::tools::tty::read_password("Master Key Password: ")?)?;
let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
if new_pw != verify_pw { let password = String::from_utf8(crate::tools::tty::read_and_verify_password("Master Key Password: ")?)?;
bail!("Password verification fail!");
}
if new_pw.len() < 5 {
bail!("Password is too short!");
}
let pub_key: Vec<u8> = pkey.public_key_to_pem()?; let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
let filename_pub = "master-public.pem"; let filename_pub = "master-public.pem";
@ -1769,7 +1761,7 @@ fn key_create_master_key(
replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?; replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;
let cipher = openssl::symm::Cipher::aes_256_cbc(); let cipher = openssl::symm::Cipher::aes_256_cbc();
let priv_key: Vec<u8> = pkey.private_key_to_pem_pkcs8_passphrase(cipher, new_pw.as_bytes())?; let priv_key: Vec<u8> = pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?;
let filename_priv = "master-private.pem"; let filename_priv = "master-private.pem";
println!("Writing private master key to {}", filename_priv); println!("Writing private master key to {}", filename_priv);
@ -1798,18 +1790,9 @@ fn key_change_passphrase(
if kdf == "scrypt" { if kdf == "scrypt" {
let new_pw = String::from_utf8(crate::tools::tty::read_password("New Password: ")?)?; let password = crate::tools::tty::read_and_verify_password("New Password: ")?;
let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
if new_pw != verify_pw { let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?;
bail!("Password verification fail!");
}
if new_pw.len() < 5 {
bail!("Password is too short!");
}
let mut new_key_config = encrypt_key_with_passphrase(&key, new_pw.as_bytes())?;
new_key_config.created = created; // keep original value new_key_config.created = created; // keep original value
store_key_config(&path, true, new_key_config)?; store_key_config(&path, true, new_key_config)?;
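Review bot: In key_create_master_key the new line wraps the helper's result in `String::from_utf8(...)` only to call `password.as_bytes()` a few lines later when the private key is encrypted, so the passphrase goes from bytes to a String and back to no effect. read_and_verify_password already returns `Vec<u8>`, which the key_create and key_change_passphrase call sites pass on as `&password`; `let password = crate::tools::tty::read_and_verify_password("Master Key Password: ")?;` together with `private_key_to_pem_pkcs8_passphrase(cipher, &password)` would match them. All three functions start and end outside the hunks shown, so any later use of `password` as a String is not visible here.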


@ -86,3 +86,19 @@ pub fn read_password(query: &str) -> Result<Vec<u8>, Error> {
Err(e) => Err(e), Err(e) => Err(e),
} }
} }
pub fn read_and_verify_password(prompt: &str) -> Result<Vec<u8>, Error> {
let password = String::from_utf8(crate::tools::tty::read_password(prompt)?)?;
let verify_password = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
if password != verify_password {
bail!("Passwords do not match!");
}
if password.len() < 5 {
bail!("Password too short!");
}
Ok(password.into_bytes())
}
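Review bot: The helper runs both inputs through `String::from_utf8` before comparing them, so a passphrase with non-UTF-8 bytes is now rejected with a conversion error, whereas key_create previously handed the raw bytes from read_password straight to encrypt_key_with_passphrase. Comparing the two `Vec<u8>` values directly (`let password = read_password(prompt)?;` and `let verify_password = read_password("Verify Password: ")?;`) keeps the old behaviour and makes the final `into_bytes()` unnecessary. The `password.len() < 5` check counts bytes rather than characters, and five is a low floor for a passphrase that protects an encryption key; a named constant plus a doc comment on this public function stating the minimum and the fixed "Verify Password: " prompt would make the policy easier to find and raise. Neither buffer is cleared before it is dropped, which may be worth a follow-up if the project has a zeroizing type (none is visible on this page).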