tools: add read_and_verify_password helper
Add a helper that performs some basic checks on password prompts:
- verification (asks for the password a second time)
- length check

Also use the new helper wherever password input is taken from the tty, to reduce duplicate code. This helper should be used when creating keys, changing passphrases, etc.

Note: this helper can be extended later to provide better checks for password strength.

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
parent
ea5061979b
commit
cbe01dc5c7
@ -1682,7 +1682,7 @@ fn key_create(
|
|||||||
bail!("unable to read passphrase - no tty");
|
bail!("unable to read passphrase - no tty");
|
||||||
}
|
}
|
||||||
|
|
||||||
let password = crate::tools::tty::read_password("Encryption Key Password: ")?;
|
let password = crate::tools::tty::read_and_verify_password("Encryption Key Password: ")?;
|
||||||
|
|
||||||
let key_config = encrypt_key_with_passphrase(&key, &password)?;
|
let key_config = encrypt_key_with_passphrase(&key, &password)?;
|
||||||
|
|
||||||
@ -1752,16 +1752,8 @@ fn key_create_master_key(
|
|||||||
let rsa = openssl::rsa::Rsa::generate(4096)?;
|
let rsa = openssl::rsa::Rsa::generate(4096)?;
|
||||||
let pkey = openssl::pkey::PKey::from_rsa(rsa)?;
|
let pkey = openssl::pkey::PKey::from_rsa(rsa)?;
|
||||||
|
|
||||||
let new_pw = String::from_utf8(crate::tools::tty::read_password("Master Key Password: ")?)?;
|
|
||||||
let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
|
|
||||||
|
|
||||||
if new_pw != verify_pw {
|
let password = String::from_utf8(crate::tools::tty::read_and_verify_password("Master Key Password: ")?)?;
|
||||||
bail!("Password verification fail!");
|
|
||||||
}
|
|
||||||
|
|
||||||
if new_pw.len() < 5 {
|
|
||||||
bail!("Password is too short!");
|
|
||||||
}
|
|
||||||
|
|
||||||
let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
|
let pub_key: Vec<u8> = pkey.public_key_to_pem()?;
|
||||||
let filename_pub = "master-public.pem";
|
let filename_pub = "master-public.pem";
|
||||||
@ -1769,7 +1761,7 @@ fn key_create_master_key(
|
|||||||
replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;
|
replace_file(filename_pub, pub_key.as_slice(), CreateOptions::new())?;
|
||||||
|
|
||||||
let cipher = openssl::symm::Cipher::aes_256_cbc();
|
let cipher = openssl::symm::Cipher::aes_256_cbc();
|
||||||
let priv_key: Vec<u8> = pkey.private_key_to_pem_pkcs8_passphrase(cipher, new_pw.as_bytes())?;
|
let priv_key: Vec<u8> = pkey.private_key_to_pem_pkcs8_passphrase(cipher, password.as_bytes())?;
|
||||||
|
|
||||||
let filename_priv = "master-private.pem";
|
let filename_priv = "master-private.pem";
|
||||||
println!("Writing private master key to {}", filename_priv);
|
println!("Writing private master key to {}", filename_priv);
|
||||||
@ -1798,18 +1790,9 @@ fn key_change_passphrase(
|
|||||||
|
|
||||||
if kdf == "scrypt" {
|
if kdf == "scrypt" {
|
||||||
|
|
||||||
let new_pw = String::from_utf8(crate::tools::tty::read_password("New Password: ")?)?;
|
let password = crate::tools::tty::read_and_verify_password("New Password: ")?;
|
||||||
let verify_pw = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
|
|
||||||
|
|
||||||
if new_pw != verify_pw {
|
let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?;
|
||||||
bail!("Password verification fail!");
|
|
||||||
}
|
|
||||||
|
|
||||||
if new_pw.len() < 5 {
|
|
||||||
bail!("Password is too short!");
|
|
||||||
}
|
|
||||||
|
|
||||||
let mut new_key_config = encrypt_key_with_passphrase(&key, new_pw.as_bytes())?;
|
|
||||||
new_key_config.created = created; // keep original value
|
new_key_config.created = created; // keep original value
|
||||||
|
|
||||||
store_key_config(&path, true, new_key_config)?;
|
store_key_config(&path, true, new_key_config)?;
|
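Review bot: In `key_create_master_key` the result of `read_and_verify_password` is wrapped in `String::from_utf8(...)` only to be turned back into bytes with `password.as_bytes()` at the `private_key_to_pem_pkcs8_passphrase` call. The helper already returns the verified `Vec<u8>`, so the conversion adds a second UTF-8 validation and error path for no gain; `key_create` and `key_change_passphrase` in this same commit pass the bytes on directly. Suggested: `let password = crate::tools::tty::read_and_verify_password("Master Key Password: ")?;` and `pkey.private_key_to_pem_pkcs8_passphrase(cipher, &password)?`. All three functions start and end outside the shown hunks.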
||||||
|
@ -86,3 +86,19 @@ pub fn read_password(query: &str) -> Result<Vec<u8>, Error> {
|
|||||||
Err(e) => Err(e),
|
Err(e) => Err(e),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn read_and_verify_password(prompt: &str) -> Result<Vec<u8>, Error> {
|
||||||
|
|
||||||
|
let password = String::from_utf8(crate::tools::tty::read_password(prompt)?)?;
|
||||||
|
let verify_password = String::from_utf8(crate::tools::tty::read_password("Verify Password: ")?)?;
|
||||||
|
|
||||||
|
if password != verify_password {
|
||||||
|
bail!("Passwords do not match!");
|
||||||
|
}
|
||||||
|
|
||||||
|
if password.len() < 5 {
|
||||||
|
bail!("Password too short!");
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(password.into_bytes())
|
||||||
|
}
|
||||||
|
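Review bot: The `String::from_utf8` round-trip in `read_and_verify_password` is not needed for the comparison and narrows what the helper accepts. `read_password` already returns `Vec<u8>`, and `key_create` previously handed those bytes straight to `encrypt_key_with_passphrase`, so after this change a passphrase that is not valid UTF-8 is rejected there. The `FromUtf8Error` also carries the typed bytes, so the passphrase could be exposed if that error is ever printed with Debug formatting. Comparing the byte vectors directly avoids both: `let password = read_password(prompt)?;`, `let verify_password = read_password("Verify Password: ")?;` and `Ok(password)`. Separately, the helper has no doc comment; a `///` line stating that it prompts twice, requires both entries to match and enforces the 5-byte minimum would tell callers what it guarantees.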