[PATCH proxmox-backup] sync: pull: fix double blob decoding when decrypting

[PATCH proxmox-backup] sync: pull: fix double blob decoding when decrypting

[Christian Ebner]

Commit 2f94320db ("sync: pull: decrypt blob files on pull if
encryption key is configured") introduced the logic to decrypt
encrypted data blob contents from the source on the fly when pulling
with a matching decryption key.

This however incorrectly performs a double blob decoding, as the
DataBlobReader already checks and strips the header while reading the
raw data from file, the DataBlob::load_from_reader() therefore
chocking when trying to check the now missing header.

Fix this by fully relying on the DataBlobReader to check, decode and
decrypt the blob, and add the still missing finish() call to verify
the reader state after decoding. Only then construct the new
decrypted blob and pass individual slices for checksum calculation
and writing to file, as the former consumes the slice.

Reported-by: Markus Frank <m.frank@proxmox.com>
Reported-by: Erik Fastermann <e.fastermann@proxmox.com>
Reported-by: Shan Shaji <s.shaji@proxmox.com>
Reported-by: Dominik Csapak <d.csapak@proxmox.com>
Fixes: 2f94320db ("sync: pull: decrypt blob files on pull if encryption key is configured")
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 src/server/pull.rs | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/server/pull.rs b/src/server/pull.rs
index b4882718e..67ab70348 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -2,7 +2,7 @@
 
 use std::collections::hash_map::Entry;
 use std::collections::{HashMap, HashSet};
-use std::io::{BufReader, Seek};
+use std::io::{Read, Seek};
 use std::os::fd::AsRawFd;
 use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
 use std::sync::{Arc, Mutex};
@@ -582,12 +582,15 @@ async fn pull_single_archive<'a>(
                 let (csum, size) = tokio::task::spawn_blocking(move || {
                     // must rewind again since after verifying cursor is at the end of the file
                     tmpfile.rewind()?;
-                    let mut reader = BufReader::new(DataBlobReader::new(tmpfile, crypt_config)?);
-                    let blob = DataBlob::load_from_reader(&mut reader)?;
-                    let mut raw_blob = blob.raw_data();
+                    let mut reader = DataBlobReader::new(tmpfile, crypt_config)?;
+                    let mut dec_raw_data = Vec::new();
+                    reader.read_to_end(&mut dec_raw_data)?;
+                    reader.finish()?;
 
-                    let (csum, size) = sha256(&mut raw_blob)?;
-                    replace_file(tmp_dec_path, raw_blob, CreateOptions::new(), true)?;
+                    let blob = DataBlob::encode(&dec_raw_data, None, true)?;
+
+                    let (csum, size) = sha256(&mut blob.raw_data())?;
+                    replace_file(tmp_dec_path, blob.raw_data(), CreateOptions::new(), true)?;
                     Ok((csum, size))
                 })
                 .await?
-- 
2.47.3

applied: [PATCH proxmox-backup] sync: pull: fix double blob decoding when decrypting

[Thomas Lamprecht]

On Sat, 25 Apr 2026 12:10:15 +0200, Christian Ebner wrote:
> Commit 2f94320db ("sync: pull: decrypt blob files on pull if
> encryption key is configured") introduced the logic to decrypt
> encrypted data blob contents from the source on the fly when pulling
> with a matching decryption key.
> 
> This however incorrectly performs a double blob decoding, as the
> DataBlobReader already checks and strips the header while reading the
> raw data from file, the DataBlob::load_from_reader() therefore
> chocking when trying to check the now missing header.
> 
> [...]

Applied, thanks!

[1/1] sync: pull: fix double blob decoding when decrypting
      commit: beafc2f0b06680acd6c860e76f411e63e9438a91