From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 23C2161574
 for <pbs-devel@lists.proxmox.com>; Thu, 17 Dec 2020 11:37:38 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 139C124770
 for <pbs-devel@lists.proxmox.com>; Thu, 17 Dec 2020 11:37:38 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [212.186.127.180])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS id 784F324765
 for <pbs-devel@lists.proxmox.com>; Thu, 17 Dec 2020 11:37:37 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 3DC7B45244
 for <pbs-devel@lists.proxmox.com>; Thu, 17 Dec 2020 11:37:37 +0100 (CET)
Date: Thu, 17 Dec 2020 11:37:30 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Dietmar Maurer <dietmar@proxmox.com>,
 Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
References: <20201216134111.445581-1-f.gruenbichler@proxmox.com>
 <20201216134111.445581-8-f.gruenbichler@proxmox.com>
 <1787984161.1830.1608184506364@webmail.proxmox.com>
In-Reply-To: <1787984161.1830.1608184506364@webmail.proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid)
Message-Id: <1608201300.y6l7ox15n0.astroid@nora.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.025 Adjusted score from AWL reputation of From: address
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/,
 medium trust
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] applied: [RFC proxmox-backup 7/7] KeyConfig: always
 calculate fingerprint
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 10:37:38 -0000

On December 17, 2020 6:55 am, Dietmar Maurer wrote:
>=20
>> On 12/16/2020 2:41 PM Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.co=
m> wrote:
>>=20
>> =20
>> and warn if stored and calculated fingerprint don't match.
>=20
> applied, but I wonder why this is only a warning (should generate an erro=
r instead)?

as discussed this morning, switched to bail! and adapted the test cases:

commit c01742855ae95231d0b964bd9434c74d2e9dffd1
Author:     Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
AuthorDate: Thu Dec 17 10:53:21 2020 +0100
Commit:     Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
CommitDate: Thu Dec 17 11:27:06 2020 +0100

    KeyConfig: bail on wrong fingerprint
   =20
    instead of just logging the error. this should never happen in practice
    unless someone is messing with the keyfile, in which case, it's better
    to abort.
   =20
    update tests accordingly (wrong fingerprint should fail, no fingerprint
    should get the expected one).
   =20
    Signed-off-by: Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>

diff --git a/src/backup/key_derivation.rs b/src/backup/key_derivation.rs
index 7e8480d3..a215670a 100644
--- a/src/backup/key_derivation.rs
+++ b/src/backup/key_derivation.rs
@@ -239,7 +239,7 @@ pub fn decrypt_key(
     let fingerprint =3D crypt_config.fingerprint();
     if let Some(stored_fingerprint) =3D key_config.fingerprint {
         if fingerprint !=3D stored_fingerprint {
-            eprintln!(
+            bail!(
                 "KeyConfig contains wrong fingerprint {}, contained key ha=
s fingerprint {}",
                 stored_fingerprint, fingerprint
             );
@@ -316,6 +316,11 @@ fn encrypt_decrypt_test() -> Result<(), Error> {
     assert_eq!(key.data, decrypted);
     assert_eq!(key.fingerprint, Some(fingerprint));
=20
+    Ok(())
+}
+
+#[test]
+fn fingerprint_checks() -> Result<(), Error> {
     let key =3D KeyConfig {
         kdf: None,
         created: proxmox::tools::time::epoch_i64(),
@@ -323,15 +328,30 @@ fn encrypt_decrypt_test() -> Result<(), Error> {
         data: (0u8..32u8).collect(),
         fingerprint: Some(Fingerprint::new([0u8; 32])), // wrong FP
     };
-    let encrypted =3D rsa_encrypt_key_config(public.clone(), &key).expect(=
"encryption failed");
-    let (decrypted, created, fingerprint) =3D
-        rsa_decrypt_key_config(private.clone(), &encrypted, &passphrase)
-            .expect("decryption failed");
=20
+    let expected_fingerprint =3D Fingerprint::new([
+            14, 171, 212, 70, 11, 110, 185, 202, 52, 80, 35, 222, 226, 183=
, 120, 199, 144, 229, 74,
+            22, 131, 185, 101, 156, 10, 87, 174, 25, 144, 144, 21, 155,
+        ]);
+
+    let mut data =3D serde_json::to_vec(&key).expect("encoding KeyConfig f=
ailed");
+    decrypt_key(&mut data, &{ || { Ok(Vec::new()) }}).expect_err("decoding=
 KeyConfig with wrong fingerprint worked");
+
+    let key =3D KeyConfig {
+        kdf: None,
+        created: proxmox::tools::time::epoch_i64(),
+        modified: proxmox::tools::time::epoch_i64(),
+        data: (0u8..32u8).collect(),
+        fingerprint: None,
+    };
+
+
+    let mut data =3D serde_json::to_vec(&key).expect("encoding KeyConfig f=
ailed");
+    let (key_data, created, fingerprint) =3D decrypt_key(&mut data, &{ || =
{ Ok(Vec::new()) }}).expect("decoding KeyConfig without fingerprint failed"=
);
+
+    assert_eq!(key.data, key_data);
     assert_eq!(key.created, created);
-    assert_eq!(key.data, decrypted);
-    // wrong FP update by round-trip through encrypt/decrypt
-    assert_ne!(key.fingerprint, Some(fingerprint));
+    assert_eq!(expected_fingerprint, fingerprint);
=20
     Ok(())
 }
=