From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9704E605DE for ; Fri, 5 Feb 2021 16:37:23 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8B5CDB256 for ; Fri, 5 Feb 2021 16:36:53 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 919B7B24B for ; Fri, 5 Feb 2021 16:36:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5FB40461EC for ; Fri, 5 Feb 2021 16:36:52 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Fri, 5 Feb 2021 16:35:34 +0100 Message-Id: <20210205153535.2578184-10-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210205153535.2578184-1-f.gruenbichler@proxmox.com> References: <20210205153535.2578184-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.026 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox-backup-client.rs] Subject: [pbs-devel] [PATCH proxmox-backup 08/10] client: refactor crypto_parameter handling X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Feb 2021 15:37:23 -0000 pull out the crypt-mode to logically group arms and make the whole mess a bit more "human-parsable". Signed-off-by: Fabian Grünbichler --- IMHO this makes more sense this way, otherwise we have too many combinations that we have to keep in mind in a single match.. src/bin/proxmox-backup-client.rs | 117 ++++++++++++++++--------------- 1 file changed, 59 insertions(+), 58 deletions(-) diff --git a/src/bin/proxmox-backup-client.rs b/src/bin/proxmox-backup-client.rs index 76e82184..89d77d04 100644 --- a/src/bin/proxmox-backup-client.rs +++ b/src/bin/proxmox-backup-client.rs 
@@ -694,87 +694,88 @@ fn crypto_parameters(param: &Value) -> Result { } }; - Ok(match (keydata, master_pubkey_data, mode) { - // no parameters: - (None, None, None) => match key::read_optional_default_encryption_key()? { - None => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None }, - enc_key => { - eprintln!("Encrypting with default encryption key!"); - let master_pubkey = key::read_optional_default_master_pubkey()?; - CryptoParams { - mode: CryptMode::Encrypt, - enc_key, - master_pubkey, - } + let res = match mode { + // no crypt mode, enable encryption if keys are available + None => match (keydata, master_pubkey_data) { + // only default keys if available + (None, None) => match key::read_optional_default_encryption_key()? { + None => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None }, + enc_key => { + eprintln!("Encrypting with default encryption key!"); + let master_pubkey = key::read_optional_default_master_pubkey()?; + CryptoParams { + mode: CryptMode::Encrypt, + enc_key, + master_pubkey, + } + }, + }, + + // explicit master key, default enc key needed + (None, master_pubkey) => match key::read_optional_default_encryption_key()? { + None => bail!("--master-pubkey-file/--master-pubkey-fd specified, but no key available"), + enc_key => { + eprintln!("Encrypting with default encryption key!"); + CryptoParams { + mode: CryptMode::Encrypt, + enc_key, + master_pubkey, + } + }, }, - }, - // just --crypt-mode=none - (None, None, Some(CryptMode::None)) => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None }, + // explicit keyfile, maybe default master key + (enc_key, None) => CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey: key::read_optional_default_master_pubkey()? 
}, - // --keyfile and --crypt-mode=none - (Some(_), _, Some(CryptMode::None)) => { - bail!("--keyfile/--keyfd and --crypt-mode=none are mutually exclusive"); + // explicit keyfile and master key + (enc_key, master_pubkey) => CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey }, }, - // --master-pubkey-file and --crypt-mode=none - (_, Some(_), Some(CryptMode::None)) => { - bail!("--master-pubkey-file/--master-pubkey-fd and --crypt-mode=none are mutually exclusive"); + // explicitly disabled encryption + Some(CryptMode::None) => match (keydata, master_pubkey_data) { + // no keys => OK, no encryption + (None, None) => CryptoParams { mode: CryptMode::None, enc_key: None, master_pubkey: None }, + + // --keyfile and --crypt-mode=none + (Some(_), _) => bail!("--keyfile/--keyfd and --crypt-mode=none are mutually exclusive"), + + // --master-pubkey-file and --crypt-mode=none + (_, Some(_)) => bail!("--master-pubkey-file/--master-pubkey-fd and --crypt-mode=none are mutually exclusive"), }, - // --master-pubkey-file and nothing else - (None, master_pubkey, None) => { - match key::read_optional_default_encryption_key()? { - None => bail!("--master-pubkey-file/--master-pubkey-fd specified, but no key available"), + // explicitly enabled encryption + Some(mode) => match (keydata, master_pubkey_data) { + // no key, maybe master key + (None, master_pubkey) => match key::read_optional_default_encryption_key()? { + None => bail!("--crypt-mode without --keyfile and no default key file available"), enc_key => { eprintln!("Encrypting with default encryption key!"); + let master_pubkey = match master_pubkey { + None => key::read_optional_default_master_pubkey()?, + master_pubkey => master_pubkey, + }; + CryptoParams { - mode: CryptMode::Encrypt, + mode, enc_key, master_pubkey, } }, - } - }, + }, - // --crypt-mode other than none, without keyfile, with or without master key - (None, master_pubkey, Some(mode)) => match key::read_optional_default_encryption_key()? 
{ - None => bail!("--crypt-mode without --keyfile and no default key file available"), - enc_key => { - eprintln!("Encrypting with default encryption key!"); + // --keyfile and --crypt-mode other than none + (enc_key, master_pubkey) => { let master_pubkey = match master_pubkey { None => key::read_optional_default_master_pubkey()?, master_pubkey => master_pubkey, }; - CryptoParams { - mode, - enc_key, - master_pubkey, - } + CryptoParams { mode, enc_key, master_pubkey } }, - } - - // just --keyfile - (enc_key, master_pubkey, None) => { - let master_pubkey = match master_pubkey { - None => key::read_optional_default_master_pubkey()?, - master_pubkey => master_pubkey, - }; - - CryptoParams { mode: CryptMode::Encrypt, enc_key, master_pubkey } }, + }; - // --keyfile and --crypt-mode other than none - (enc_key, master_pubkey, Some(mode)) => { - let master_pubkey = match master_pubkey { - None => key::read_optional_default_master_pubkey()?, - master_pubkey => master_pubkey, - }; - - CryptoParams { mode, enc_key, master_pubkey } - }, - }) + Ok(res) } #[test] -- 2.20.1
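Review bot: The new comment `// explicitly enabled encryption` on the `Some(mode)` arm, and the unchanged `eprintln!("Encrypting with default encryption key!")` that arm still prints when it falls back to the default key, both describe the arm as encrypting, but `Some(mode)` binds every crypt mode other than `none` — if `--crypt-mode` also accepts a non-encrypting mode (the comment this replaces said "crypt-mode other than none"), the default key is loaded and a misleading message is emitted for it. I would reword the comment to `// explicit crypt mode other than none` and either print the default-key message only when `mode == CryptMode::Encrypt` or phrase it neutrally, e.g. `eprintln!("Using default encryption key!")`. As a point of style, the fallback `match master_pubkey { None => key::read_optional_default_master_pubkey()?, master_pubkey => master_pubkey }` is now spelled out in three arms; a small helper that takes the optional explicit master key and returns it or the default would remove the duplication and keep each arm to one line. Note that `crypto_parameters` begins before this hunk, so the earlier parsing of `keydata`, `master_pubkey_data` and `mode` is not visible here.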