introduce a CryptMode enum

This also replaces the recently introduced --encryption parameter on the client with a --crypt-mode parameter. This can be "none", "encrypt" or "sign-only". Note that this introduces various changes in the API types which previously did not take the above distinction into account properly: Both `BackupContent` and the manifest's `FileInfo`: lose `encryption: Option<bool>` gain `crypt_mode: Option<CryptMode>` Within the backup manifest itself, the "crypt-mode" property will always be set. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-07-07 15:20:20 +02:00
parent 56b814e378
commit f28d9088ed
6 changed files with 134 additions and 81 deletions
--- a/src/backup/crypt_config.rs
+++ b/src/backup/crypt_config.rs
@ -6,12 +6,40 @@
 //! See the Wikipedia Artikel for [Authenticated
 //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
 //! for a short introduction.
-use anyhow::{bail, Error};
-use openssl::pkcs5::pbkdf2_hmac;
-use openssl::hash::MessageDigest;
-use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
+
 use std::io::Write;
+
+use anyhow::{bail, Error};
 use chrono::{Local, TimeZone, DateTime};
+use openssl::hash::MessageDigest;
+use openssl::pkcs5::pbkdf2_hmac;
+use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
+use serde::{Deserialize, Serialize};
+
+use proxmox::api::api;
+
+#[api(default: "encrypt")]
+#[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+/// Defines whether data is encrypted (using an AEAD cipher), only signed, or neither.
+pub enum CryptMode {
+    /// Don't encrypt.
+    None,
+    /// Encrypt.
+    Encrypt,
+    /// Only sign.
+    SignOnly,
+}
+
+impl CryptMode {
+    /// Maps values other than `None` to `SignOnly`.
+    pub fn sign_only(self) -> Self {
+        match self {
+            CryptMode::None => CryptMode::None,
+            _ => CryptMode::SignOnly,
+        }
+    }
+}

 /// Encryption Configuration with secret key
 ///
@ -26,7 +54,6 @@ pub struct CryptConfig {
    id_pkey: openssl::pkey::PKey<openssl::pkey::Private>,
    // The private key used by the cipher.
    enc_key: [u8; 32],
-
 }

 impl CryptConfig {
--- a/src/backup/manifest.rs
+++ b/src/backup/manifest.rs
@ -4,14 +4,14 @@ use std::path::Path;

 use serde_json::{json, Value};

-use crate::backup::BackupDir;
+use crate::backup::{BackupDir, CryptMode};

 pub const MANIFEST_BLOB_NAME: &str = "index.json.blob";
 pub const CLIENT_LOG_BLOB_NAME: &str = "client.log.blob";

 pub struct FileInfo {
    pub filename: String,
-    pub encrypted: Option<bool>,
+    pub crypt_mode: CryptMode,
    pub size: u64,
    pub csum: [u8; 32],
 }
@ -49,9 +49,9 @@ impl BackupManifest {
        Self { files: Vec::new(), snapshot }
    }

-    pub fn add_file(&mut self, filename: String, size: u64, csum: [u8; 32], encrypted: Option<bool>) -> Result<(), Error> {
+    pub fn add_file(&mut self, filename: String, size: u64, csum: [u8; 32], crypt_mode: CryptMode) -> Result<(), Error> {
        let _archive_type = archive_type(&filename)?; // check type
-        self.files.push(FileInfo { filename, size, csum, encrypted });
+        self.files.push(FileInfo { filename, size, csum, crypt_mode });
        Ok(())
    }

@ -91,18 +91,12 @@ impl BackupManifest {
            "backup-time": self.snapshot.backup_time().timestamp(),
            "files": self.files.iter()
                .fold(Vec::new(), |mut acc, info| {
-                    let mut value = json!({
+                    acc.push(json!({
                        "filename": info.filename,
-                        "encrypted": info.encrypted,
+                        "crypt-mode": info.crypt_mode,
                        "size": info.size,
                        "csum": proxmox::tools::digest_to_hex(&info.csum),
-                    });
-
-                    if let Some(encrypted) = info.encrypted {
-                        value["encrypted"] = encrypted.into();
-                    }
-
-                    acc.push(value);
+                    }));
                    acc
                })
        })
@ -142,8 +136,8 @@ impl TryFrom<Value> for BackupManifest {
                let csum = required_string_property(item, "csum")?;
                let csum = proxmox::tools::hex_to_digest(csum)?;
                let size = required_integer_property(item, "size")? as u64;
-                let encrypted = item["encrypted"].as_bool();
-                manifest.add_file(filename, size, csum, encrypted)?;
+                let crypt_mode: CryptMode = serde_json::from_value(item["crypt-mode"].clone())?;
+                manifest.add_file(filename, size, csum, crypt_mode)?;
            }

            if manifest.files().is_empty() {