From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id E5F081FF146
	for <inbox@lore.proxmox.com>; Tue, 28 Apr 2026 11:45:15 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 96CA7CD46;
	Tue, 28 Apr 2026 11:45:15 +0200 (CEST)
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup] pull: decrypt: set and check
 change-detection-fingerprint
Date: Tue, 28 Apr 2026 11:44:17 +0200
Message-ID: <20260428094437.596604-1-f.gruenbichler@proxmox.com>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1777369382168
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.054 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
	URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was
 blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [pull.rs]
Message-ID-Hash: NIGYYYS3HQ37SU7TI6YLWRZH4SZJEO75
X-Message-ID-Hash: NIGYYYS3HQ37SU7TI6YLWRZH4SZJEO75
X-MailFrom: f.gruenbichler@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

when decrypt-pulling a snapshot that was not created by encrypt-pushing, but by
a regular encrypted backup, resyncing requires matching the local plain text
manifest and the remote encrypted one.

in addition to storing a signature of the plain manifest when encrypt-pushing,
store the already existing signature of the encrypted source manifest when
decrypt-pulling, but only use it for matching if the former does not exist.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/server/pull.rs | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/server/pull.rs b/src/server/pull.rs
index 4a41ea7da..c519ed5d8 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -21,8 +21,8 @@ use tokio::io::AsyncWriteExt;
 
 use pbs_api_types::{
     print_store_and_ns, ArchiveType, Authid, BackupArchiveName, BackupDir, BackupGroup,
-    BackupNamespace, CryptMode, GroupFilter, Operation, RateLimitConfig, Remote, SnapshotListItem,
-    VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, MAX_NAMESPACE_DEPTH,
+    BackupNamespace, CryptMode, Fingerprint, GroupFilter, Operation, RateLimitConfig, Remote,
+    SnapshotListItem, VerifyState, CLIENT_LOG_BLOB_NAME, MANIFEST_BLOB_NAME, MAX_NAMESPACE_DEPTH,
     PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_BACKUP,
 };
 use pbs_client::BackupRepository;
@@ -878,6 +878,11 @@ async fn pull_snapshot<'a>(
             bail!("Encountered unexpected manifest without 'unprotected' section.");
         }
 
+        if let Some(expected) = &manifest.signature {
+            let expected: Fingerprint = expected.parse().with_context(|| prefix.clone())?;
+            new_manifest.set_change_detection_fingerprint(expected.bytes())?;
+        }
+
         let manifest_string = new_manifest.to_string(None)?;
         let manifest_blob = DataBlob::encode(manifest_string.as_bytes(), None, true)?;
         // update contents to be uploaded to backend
@@ -1021,6 +1026,20 @@ async fn optionally_use_decryption_key(
             } else {
                 bail!("Change detection fingerprint mismatch, refuse to continue!");
             }
+        } else if let Some(source_signature) = existing_manifest
+            .get_change_detection_fingerprint()
+            .context("failed to parse change detection fingerprint of existing target manifest")
+            .with_context(|| prefix.clone())?
+        {
+            let Some(expected) = &manifest.signature else {
+                bail!("No signature on source manifest.");
+            };
+            let expected: Fingerprint = expected.parse().with_context(|| prefix.clone())?;
+            if expected == source_signature {
+                skip_resync = true;
+            } else {
+                bail!("Change detection fingerprint mismatch, refuse to continue!");
+            }
         } else {
             bail!("No change detection fingerprint found, refuse to continue!");
         }
-- 
2.47.3