From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6259A60738 for ; Tue, 17 Nov 2020 18:57:50 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5251B13A7B for ; Tue, 17 Nov 2020 18:57:50 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 552EB13A71 for ; Tue, 17 Nov 2020 18:57:49 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1F960437E8 for ; Tue, 17 Nov 2020 18:57:49 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Tue, 17 Nov 2020 18:57:20 +0100 Message-Id: <20201117175725.3634238-3-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20201117175725.3634238-1-f.gruenbichler@proxmox.com> References: <20201117175725.3634238-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.023 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [mount.rs, format.rs, key.rs, catalog.rs, benchmark.rs, proxmox-backup-client.rs] Subject: [pbs-devel] [PATCH proxmox-backup 2/7] key: add fingerprint to key config X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Nov 2020 17:57:50 -0000 and set/generate it on - key creation - key passphrase change - key decryption if not already set (not persisted, but returned) - key encryption with master key Signed-off-by: Fabian Grünbichler --- Notes: an existing passwordless key can be 'updated' non-interactively with proxmox-backup-client key change-passphrase $path --kdf none something like this could go into the/some postinst to retro-actively give all the PVE generated storage keys a fingerprint field. this only affects the 'key show' subcommand (introduced later in this series) or manual checks of the key file, any operations actually using the key have access to its CryptConfig and thus the fingerprint() function anyway.. src/backup/crypt_config.rs | 8 ++- src/backup/key_derivation.rs | 23 +++++++-- src/bin/proxmox-backup-client.rs | 6 +-- src/bin/proxmox_backup_client/benchmark.rs | 2 +- src/bin/proxmox_backup_client/catalog.rs | 4 +- src/bin/proxmox_backup_client/key.rs | 17 +++++-- src/bin/proxmox_backup_client/mount.rs | 2 +- src/tools/format.rs | 58 ++++++++++++++++++++++ 8 files changed, 105 insertions(+), 15 deletions(-) diff --git a/src/backup/crypt_config.rs b/src/backup/crypt_config.rs index 01ab0942..177923b3 100644 --- a/src/backup/crypt_config.rs +++ b/src/backup/crypt_config.rs @@ -228,7 +228,13 @@ impl CryptConfig { ) -> Result, Error> { let modified = proxmox::tools::time::epoch_i64(); - let key_config = super::KeyConfig { kdf: None, created, modified, data: self.enc_key.to_vec() }; + let key_config = super::KeyConfig { + kdf: None, + created, + modified, + data: self.enc_key.to_vec(), + fingerprint: Some(self.fingerprint()), + }; let data = serde_json::to_string(&key_config)?.as_bytes().to_vec(); let mut buffer = vec![0u8; rsa.size() as usize]; diff --git a/src/backup/key_derivation.rs b/src/backup/key_derivation.rs index 2c807723..dcf18cfa 100644 --- a/src/backup/key_derivation.rs +++ b/src/backup/key_derivation.rs @@ -2,6 +2,8 @@ use anyhow::{bail, format_err, Context, Error}; use serde::{Deserialize, Serialize}; +use crate::backup::CryptConfig; + use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox::try_block; @@ -66,6 +68,10 @@ pub struct KeyConfig { pub modified: i64, #[serde(with = "proxmox::tools::serde::bytes_as_base64")] pub data: Vec, + #[serde(skip_serializing_if = "Option::is_none")] + #[serde(default)] + #[serde(with = "crate::tools::format::opt_sha256_as_fingerprint")] + pub fingerprint: Option<[u8; 32]>, } pub fn store_key_config( @@ -142,13 +148,14 @@ pub fn encrypt_key_with_passphrase( created, modified: created, data: enc_data, + fingerprint: None, }) } pub fn load_and_decrypt_key( path: &std::path::Path, passphrase: &dyn Fn() -> Result, Error>, -) -> Result<([u8;32], i64), Error> { +) -> Result<([u8;32], i64, [u8;32]), Error> { do_load_and_decrypt_key(path, passphrase) .with_context(|| format!("failed to load decryption key from {:?}", path)) } @@ -156,14 +163,14 @@ pub fn load_and_decrypt_key( fn do_load_and_decrypt_key( path: &std::path::Path, passphrase: &dyn Fn() -> Result, Error>, -) -> Result<([u8;32], i64), Error> { +) -> Result<([u8;32], i64, [u8;32]), Error> { decrypt_key(&file_get_contents(&path)?, passphrase) } pub fn decrypt_key( mut keydata: &[u8], passphrase: &dyn Fn() -> Result, Error>, -) -> Result<([u8;32], i64), Error> { +) -> Result<([u8;32], i64, [u8;32]), Error> { let key_config: KeyConfig = serde_json::from_reader(&mut keydata)?; let raw_data = key_config.data; @@ -203,5 +210,13 @@ pub fn decrypt_key( let mut result = [0u8; 32]; result.copy_from_slice(&key); - Ok((result, created)) + let fingerprint = match key_config.fingerprint { + Some(fingerprint) => fingerprint, + None => { + let crypt_config = CryptConfig::new(result.clone())?; + crypt_config.fingerprint() + }, + }; + + Ok((result, created, fingerprint)) } diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs index 70aba77f..c63c7eb6 100644 --- a/src/bin/proxmox-backup-client.rs +++ b/src/bin/proxmox-backup-client.rs @@ -1069,7 +1069,7 @@ async fn create_backup( let (crypt_config, rsa_encrypted_key) = match keydata { None => (None, None), Some(key) => { - let (key, created) = decrypt_key(&key, &key::get_encryption_key_password)?; + let (key, created, _fingerprint) = decrypt_key(&key, &key::get_encryption_key_password)?; let crypt_config = CryptConfig::new(key)?; @@ -1380,7 +1380,7 @@ async fn restore(param: Value) -> Result { let crypt_config = match keydata { None => None, Some(key) => { - let (key, _) = decrypt_key(&key, &key::get_encryption_key_password)?; + let (key, _, _) = decrypt_key(&key, &key::get_encryption_key_password)?; Some(Arc::new(CryptConfig::new(key)?)) } }; @@ -1538,7 +1538,7 @@ async fn upload_log(param: Value) -> Result { let crypt_config = match keydata { None => None, Some(key) => { - let (key, _created) = decrypt_key(&key, &key::get_encryption_key_password)?; + let (key, _created, _) = decrypt_key(&key, &key::get_encryption_key_password)?; let crypt_config = CryptConfig::new(key)?; Some(Arc::new(crypt_config)) } diff --git a/src/bin/proxmox_backup_client/benchmark.rs b/src/bin/proxmox_backup_client/benchmark.rs index b0d769e8..e53e43ce 100644 --- a/src/bin/proxmox_backup_client/benchmark.rs +++ b/src/bin/proxmox_backup_client/benchmark.rs @@ -151,7 +151,7 @@ pub async fn benchmark( let crypt_config = match keyfile { None => None, Some(path) => { - let (key, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?; + let (key, _, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?; let crypt_config = CryptConfig::new(key)?; Some(Arc::new(crypt_config)) } diff --git a/src/bin/proxmox_backup_client/catalog.rs b/src/bin/proxmox_backup_client/catalog.rs index e4931e10..37ad842f 100644 --- a/src/bin/proxmox_backup_client/catalog.rs +++ b/src/bin/proxmox_backup_client/catalog.rs @@ -73,7 +73,7 @@ async fn dump_catalog(param: Value) -> Result { let crypt_config = match keydata { None => None, Some(key) => { - let (key, _created) = decrypt_key(&key, &get_encryption_key_password)?; + let (key, _created, _fingerprint) = decrypt_key(&key, &get_encryption_key_password)?; let crypt_config = CryptConfig::new(key)?; Some(Arc::new(crypt_config)) } @@ -170,7 +170,7 @@ async fn catalog_shell(param: Value) -> Result<(), Error> { let crypt_config = match keydata { None => None, Some(key) => { - let (key, _created) = decrypt_key(&key, &get_encryption_key_password)?; + let (key, _created, _fingerprint) = decrypt_key(&key, &get_encryption_key_password)?; let crypt_config = CryptConfig::new(key)?; Some(Arc::new(crypt_config)) } diff --git a/src/bin/proxmox_backup_client/key.rs b/src/bin/proxmox_backup_client/key.rs index 8b802b3e..915ee970 100644 --- a/src/bin/proxmox_backup_client/key.rs +++ b/src/bin/proxmox_backup_client/key.rs @@ -11,7 +11,11 @@ use proxmox::sys::linux::tty; use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions}; use proxmox_backup::backup::{ - encrypt_key_with_passphrase, load_and_decrypt_key, store_key_config, KeyConfig, + encrypt_key_with_passphrase, + load_and_decrypt_key, + store_key_config, + CryptConfig, + KeyConfig, }; use proxmox_backup::tools; @@ -121,6 +125,9 @@ fn create(kdf: Option, path: Option) -> Result<(), Error> { let kdf = kdf.unwrap_or_default(); let key = proxmox::sys::linux::random_data(32)?; + use std::convert::TryInto; + let key_array: [u8; 32] = key.clone()[0..32].try_into().unwrap(); + let crypt_config = CryptConfig::new(key_array)?; match kdf { Kdf::None => { @@ -134,6 +141,7 @@ fn create(kdf: Option, path: Option) -> Result<(), Error> { created, modified: created, data: key, + fingerprint: Some(crypt_config.fingerprint()), }, )?; } @@ -145,7 +153,8 @@ fn create(kdf: Option, path: Option) -> Result<(), Error> { let password = tty::read_and_verify_password("Encryption Key Password: ")?; - let key_config = encrypt_key_with_passphrase(&key, &password)?; + let mut key_config = encrypt_key_with_passphrase(&key, &password)?; + key_config.fingerprint = Some(crypt_config.fingerprint()); store_key_config(&path, false, key_config)?; } @@ -188,7 +197,7 @@ fn change_passphrase(kdf: Option, path: Option) -> Result<(), Error bail!("unable to change passphrase - no tty"); } - let (key, created) = load_and_decrypt_key(&path, &get_encryption_key_password)?; + let (key, created, fingerprint) = load_and_decrypt_key(&path, &get_encryption_key_password)?; match kdf { Kdf::None => { @@ -202,6 +211,7 @@ fn change_passphrase(kdf: Option, path: Option) -> Result<(), Error created, // keep original value modified, data: key.to_vec(), + fingerprint: Some(fingerprint), }, )?; } @@ -210,6 +220,7 @@ fn change_passphrase(kdf: Option, path: Option) -> Result<(), Error let mut new_key_config = encrypt_key_with_passphrase(&key, &password)?; new_key_config.created = created; // keep original value + new_key_config.fingerprint = Some(fingerprint); store_key_config(&path, true, new_key_config)?; } diff --git a/src/bin/proxmox_backup_client/mount.rs b/src/bin/proxmox_backup_client/mount.rs index 415fbf9d..6283961e 100644 --- a/src/bin/proxmox_backup_client/mount.rs +++ b/src/bin/proxmox_backup_client/mount.rs @@ -182,7 +182,7 @@ async fn mount_do(param: Value, pipe: Option) -> Result { let crypt_config = match keyfile { None => None, Some(path) => { - let (key, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?; + let (key, _, _) = load_and_decrypt_key(&path, &crate::key::get_encryption_key_password)?; Some(Arc::new(CryptConfig::new(key)?)) } }; diff --git a/src/tools/format.rs b/src/tools/format.rs index 8fe6aa82..c16559a7 100644 --- a/src/tools/format.rs +++ b/src/tools/format.rs @@ -102,6 +102,64 @@ impl From for HumanByte { } } +pub fn as_fingerprint(bytes: &[u8]) -> String { + proxmox::tools::digest_to_hex(bytes) + .as_bytes() + .chunks(2) + .map(|v| std::str::from_utf8(v).unwrap()) + .collect::>().join(":") +} + +pub mod opt_sha256_as_fingerprint { + use serde::{self, Serializer, Deserializer}; + + pub fn serialize( + csum: &Option<[u8; 32]>, + serializer: S, + ) -> Result + where + S: Serializer, + { + crate::tools::format::sha256_as_fingerprint::serialize(&csum.unwrap(), serializer) + } + + pub fn deserialize<'de, D>( + deserializer: D, + ) -> Result, D::Error> + where + D: Deserializer<'de>, + { + crate::tools::format::sha256_as_fingerprint::deserialize(deserializer) + .map(|digest| Some(digest)) + } +} + +pub mod sha256_as_fingerprint { + use serde::{self, Deserialize, Serializer, Deserializer}; + + pub fn serialize( + csum: &[u8; 32], + serializer: S, + ) -> Result + where + S: Serializer, + { + let s = crate::tools::format::as_fingerprint(csum); + serializer.serialize_str(&s) + } + + pub fn deserialize<'de, D>( + deserializer: D, + ) -> Result<[u8; 32], D::Error> + where + D: Deserializer<'de>, + { + let mut s = String::deserialize(deserializer)?; + s.retain(|c| c != ':'); + proxmox::tools::hex_to_digest(&s).map_err(serde::de::Error::custom) + } +} + #[test] fn correct_byte_convert() { fn convert(b: usize) -> String { -- 2.20.1