public inbox for pbs-devel@lists.proxmox.com
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Dietmar Maurer <dietmar@proxmox.com>,
	Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>
Subject: [pbs-devel] applied: [RFC proxmox-backup 7/7] KeyConfig: always calculate fingerprint
Date: Thu, 17 Dec 2020 11:37:30 +0100	[thread overview]
Message-ID: <1608201300.y6l7ox15n0.astroid@nora.none> (raw)
In-Reply-To: <1787984161.1830.1608184506364@webmail.proxmox.com>

On December 17, 2020 6:55 am, Dietmar Maurer wrote:
> 
>> On 12/16/2020 2:41 PM Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:
>> 
>>  
>> and warn if stored and calculated fingerprint don't match.
> 
> applied, but I wonder why this is only a warning (should generate an error instead)?

as discussed this morning, switched to bail! and adapted the test cases:

commit c01742855ae95231d0b964bd9434c74d2e9dffd1
Author:     Fabian Grünbichler <f.gruenbichler@proxmox.com>
AuthorDate: Thu Dec 17 10:53:21 2020 +0100
Commit:     Fabian Grünbichler <f.gruenbichler@proxmox.com>
CommitDate: Thu Dec 17 11:27:06 2020 +0100

    KeyConfig: bail on wrong fingerprint
    
    instead of just logging the error. this should never happen in practice
    unless someone is messing with the keyfile, in which case, it's better
    to abort.
    
    update tests accordingly (wrong fingerprint should fail, no fingerprint
    should get the expected one).
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/backup/key_derivation.rs b/src/backup/key_derivation.rs
index 7e8480d3..a215670a 100644
--- a/src/backup/key_derivation.rs
+++ b/src/backup/key_derivation.rs
@@ -239,7 +239,7 @@ pub fn decrypt_key(
     let fingerprint = crypt_config.fingerprint();
     if let Some(stored_fingerprint) = key_config.fingerprint {
         if fingerprint != stored_fingerprint {
-            eprintln!(
+            bail!(
                 "KeyConfig contains wrong fingerprint {}, contained key has fingerprint {}",
                 stored_fingerprint, fingerprint
             );
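Review bot: with `eprintln!` replaced by `bail!`, a mismatching stored fingerprint now aborts `decrypt_key`, but a key file with no stored fingerprint still passes silently because of the `if let Some(stored_fingerprint)` guard above; since the commit intends that case to be filled in rather than rejected, a one-line comment above the `if let` saying that a missing fingerprint is accepted and computed would save the next reader from wondering whether the check is incomplete. Also worth confirming that `bail!` is actually imported in this module, since the previous code path never needed it.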
@@ -316,6 +316,11 @@ fn encrypt_decrypt_test() -> Result<(), Error> {
     assert_eq!(key.data, decrypted);
     assert_eq!(key.fingerprint, Some(fingerprint));
 
+    Ok(())
+}
+
+#[test]
+fn fingerprint_checks() -> Result<(), Error> {
     let key = KeyConfig {
         kdf: None,
         created: proxmox::tools::time::epoch_i64(),
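Review bot: the new `fingerprint_checks` test has no comment stating what it covers; since it checks two distinct cases (a stored fingerprint that does not match the key must be rejected, a missing fingerprint must be computed), a short `//` comment above `fn fingerprint_checks()` naming both would make the intent clear without reading the whole body. The split itself looks right: `encrypt_decrypt_test` now ends after its own assertions with `Ok(())`.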
@@ -323,15 +328,30 @@ fn encrypt_decrypt_test() -> Result<(), Error> {
         data: (0u8..32u8).collect(),
         fingerprint: Some(Fingerprint::new([0u8; 32])), // wrong FP
     };
-    let encrypted = rsa_encrypt_key_config(public.clone(), &key).expect("encryption failed");
-    let (decrypted, created, fingerprint) =
-        rsa_decrypt_key_config(private.clone(), &encrypted, &passphrase)
-            .expect("decryption failed");
 
+    let expected_fingerprint = Fingerprint::new([
+            14, 171, 212, 70, 11, 110, 185, 202, 52, 80, 35, 222, 226, 183, 120, 199, 144, 229, 74,
+            22, 131, 185, 101, 156, 10, 87, 174, 25, 144, 144, 21, 155,
+        ]);
+
+    let mut data = serde_json::to_vec(&key).expect("encoding KeyConfig failed");
+    decrypt_key(&mut data, &{ || { Ok(Vec::new()) }}).expect_err("decoding KeyConfig with wrong fingerprint worked");
+
+    let key = KeyConfig {
+        kdf: None,
+        created: proxmox::tools::time::epoch_i64(),
+        modified: proxmox::tools::time::epoch_i64(),
+        data: (0u8..32u8).collect(),
+        fingerprint: None,
+    };
+
+
+    let mut data = serde_json::to_vec(&key).expect("encoding KeyConfig failed");
+    let (key_data, created, fingerprint) = decrypt_key(&mut data, &{ || { Ok(Vec::new()) }}).expect("decoding KeyConfig without fingerprint failed");
+
+    assert_eq!(key.data, key_data);
     assert_eq!(key.created, created);
-    assert_eq!(key.data, decrypted);
-    // wrong FP update by round-trip through encrypt/decrypt
-    assert_ne!(key.fingerprint, Some(fingerprint));
+    assert_eq!(expected_fingerprint, fingerprint);
 
     Ok(())
 }
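Review bot: `expect_err("decoding KeyConfig with wrong fingerprint worked")` accepts any error, so the test would still pass if `decrypt_key` failed for an unrelated reason (a serialization or KDF change, for example) rather than the fingerprint mismatch. Binding the error and asserting on its message would pin the test to the check it is meant to cover, e.g. `let err = decrypt_key(&mut data, &|| Ok(Vec::new())).unwrap_err(); assert!(err.to_string().contains("wrong fingerprint"));`. Two style points: the closures written as `&{ || { Ok(Vec::new()) }}` can be `&|| Ok(Vec::new())`, and there is a stray double blank line before the second `serde_json::to_vec` call.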
