introduce a CryptMode enum

This also replaces the recently introduced --encryption parameter on the client with a --crypt-mode parameter. This can be "none", "encrypt" or "sign-only". Note that this introduces various changes in the API types which previously did not take the above distinction into account properly: Both `BackupContent` and the manifest's `FileInfo`: lose `encryption: Option<bool>` gain `crypt_mode: Option<CryptMode>` Within the backup manifest itself, the "crypt-mode" property will always be set. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-07-07 15:20:20 +02:00
parent 56b814e378
commit f28d9088ed
6 changed files with 134 additions and 81 deletions
--- a/src/backup/crypt_config.rs
+++ b/src/backup/crypt_config.rs
@ -6,12 +6,40 @@
 //! See the Wikipedia Artikel for [Authenticated
 //! encryption](https://en.wikipedia.org/wiki/Authenticated_encryption)
 //! for a short introduction.
-use anyhow::{bail, Error};
-use openssl::pkcs5::pbkdf2_hmac;
-use openssl::hash::MessageDigest;
-use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
+
 use std::io::Write;
+
+use anyhow::{bail, Error};
 use chrono::{Local, TimeZone, DateTime};
+use openssl::hash::MessageDigest;
+use openssl::pkcs5::pbkdf2_hmac;
+use openssl::symm::{decrypt_aead, Cipher, Crypter, Mode};
+use serde::{Deserialize, Serialize};
+
+use proxmox::api::api;
+
+#[api(default: "encrypt")]
+#[derive(Copy, Clone, Debug, Eq, PartialEq, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+/// Defines whether data is encrypted (using an AEAD cipher), only signed, or neither.
+pub enum CryptMode {
+    /// Don't encrypt.
+    None,
+    /// Encrypt.
+    Encrypt,
+    /// Only sign.
+    SignOnly,
+}
+
+impl CryptMode {
+    /// Maps values other than `None` to `SignOnly`.
+    pub fn sign_only(self) -> Self {
+        match self {
+            CryptMode::None => CryptMode::None,
+            _ => CryptMode::SignOnly,
+        }
+    }
+}

 /// Encryption Configuration with secret key
 ///
@ -26,7 +54,6 @@ pub struct CryptConfig {
    id_pkey: openssl::pkey::PKey<openssl::pkey::Private>,
    // The private key used by the cipher.
    enc_key: [u8; 32],
-
 }

 impl CryptConfig {