From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-backup 1/1] sync: pull: refuse to overwrite pre-existing encrypted snapshot
Date: Wed, 29 Apr 2026 16:37:40 +0200
Message-ID: <20260429143740.886870-1-c.ebner@proxmox.com>
List-Id: Proxmox Backup Server development discussion

If the source snapshot is not encrypted, but the target snapshot is pre-existing and there is no decryption key which would detect the mismatch, the unencrypted source will overwrite the encrypted target due to a resync because of mismatching raw manifests.

Further, currently regular syncs of two potentially clashing snapshots from different sources would lead to overwriting of the target snapshot as well, since the manifests differ byte-wise.

Protect against this by extending the key matching checks, refusing to overwrite any locally encrypted snapshot by a non-decrypted source, as well as comparing content by calculating the signature using a dummy key if both source and pre-existing target are not encrypted.

Reported-by: Daniel Kral
Signed-off-by: Christian Ebner
---
 src/server/pull.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/server/pull.rs b/src/server/pull.rs
index 5fa18cefa..7c4cd9332 100644
--- a/src/server/pull.rs
+++ b/src/server/pull.rs
@@ -942,6 +942,19 @@ async fn optionally_use_decryption_key( log_sender: Arc, ) -> Result<(Option>, bool), Error> { let Some(key_fp) = manifest.fingerprint().with_context(|| prefix.clone())? else { + if let Some(existing_manifest) = existing_target_manifest { + if existing_manifest.fingerprint()?.is_some() { + bail!("Local encrypted or signed snapshot detected, but source is not encrypted, refuse to sync"); + } else { + // just used to detect unsigned source and pre-existing target clashes + let dummy = CryptConfig::new([0u8; 32])?; + if existing_manifest.signature(&dummy)? != manifest.signature(&dummy)? { + // neighther source nor target encrypted, but manifests differ + bail!("Different content for pre-existing local snapshot and source snapshot detected, refuse to sync"); + } + } + } + return Ok((None, false)); // no fingerprint on source, regular pull }; -- 2.47.3
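Review bot: `existing_manifest.fingerprint()?` in the new `if let Some(existing_manifest)` branch drops the `.with_context(|| prefix.clone())` that the source-side `manifest.fingerprint()` call on the line directly above carries, so a target-side manifest error is reported without the snapshot it belongs to; `existing_manifest.fingerprint().with_context(|| prefix.clone())?` keeps the two paths consistent. The two `bail!` messages have the same gap: neither names the snapshot, so an operator syncing a group with many snapshots cannot tell which one was refused, and `prefix` is already in scope to include in both. The all-zero `CryptConfig` is only a device to compare the signed content of the two manifests; a comment saying that the comparison covers exactly the signed part of the manifest (or a dedicated content-equality helper instead of `signature(&dummy)` on both sides) would make that intent clearer to the next reader of this branch. Also, "neighther" in the inner comment should read "neither".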
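The decision procedure the commit message describes, as an added example that is not the project's own code: a minimal Rust model of a manifest with a keyed signature (a 64-bit FNV-1a over key and content stands in for the real HMAC; only equality matters), and a `check_pull` function that applies the patch's checks in the same order. The `Manifest`, `Decision` and `check_pull` names, the `unprotected` section that is left out of the signature, and the sample manifests are assumptions made for this example. It also shows the case the message implies but does not spell out: two unencrypted manifests whose only difference lies outside the signed part still compare equal under the dummy key and are synced normally.

```rust
use std::collections::BTreeMap;

/// Stand-in for a backup manifest (assumed shape, not the project's type).
/// `files` maps archive name to (size, checksum); `fingerprint` is `Some`
/// when the snapshot is encrypted or signed; `unprotected` models a section
/// that is not covered by the signature.
#[derive(Debug, Clone)]
pub struct Manifest {
    pub files: BTreeMap<String, (u64, String)>,
    pub fingerprint: Option<[u8; 32]>,
    pub unprotected: BTreeMap<String, String>,
}

impl Manifest {
    /// Build an unencrypted manifest from (archive name, size, checksum) triples.
    pub fn plain(files: &[(&str, u64, &str)]) -> Self {
        Manifest {
            files: files
                .iter()
                .map(|(name, size, csum)| (name.to_string(), (*size, csum.to_string())))
                .collect(),
            fingerprint: None,
            unprotected: BTreeMap::new(),
        }
    }

    /// Canonical byte form of the signed part: the sorted file entries only.
    /// `fingerprint` and `unprotected` are deliberately left out, so two
    /// manifests with the same archives compare equal regardless of them.
    fn canonical(&self) -> Vec<u8> {
        let mut out = Vec::new();
        for (name, (size, csum)) in &self.files {
            out.extend_from_slice(name.as_bytes());
            out.push(0);
            out.extend_from_slice(&size.to_le_bytes());
            out.extend_from_slice(csum.as_bytes());
            out.push(0);
        }
        out
    }

    /// Keyed digest over the canonical form. A 64-bit FNV-1a over
    /// key || content stands in for the real HMAC; only equality matters here.
    pub fn signature(&self, key: &[u8; 32]) -> u64 {
        let mut h: u64 = 0xcbf2_9ce4_8422_2325;
        for b in key.iter().chain(self.canonical().iter()) {
            h ^= u64::from(*b);
            h = h.wrapping_mul(0x0000_0100_0000_01b3);
        }
        h
    }
}

/// Outcome of the pre-pull check for one snapshot.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    /// Source carries no fingerprint and nothing conflicts: regular pull.
    PullPlain,
    /// Source is encrypted or signed; the normal key matching applies (not modelled).
    PullWithKey,
    /// Target exists and is encrypted or signed, but the source is not.
    RefuseEncryptedTarget,
    /// Neither side is encrypted, but the signed content differs.
    RefuseContentMismatch,
}

/// Mirrors the order of checks in the patch: an encrypted target is refused
/// before any content comparison, and the content comparison is a signature
/// computed with an all-zero dummy key on both sides.
pub fn check_pull(source: &Manifest, existing_target: Option<&Manifest>) -> Decision {
    let Some(_) = source.fingerprint else {
        if let Some(target) = existing_target {
            if target.fingerprint.is_some() {
                return Decision::RefuseEncryptedTarget;
            }
            let dummy = [0u8; 32];
            if target.signature(&dummy) != source.signature(&dummy) {
                return Decision::RefuseContentMismatch;
            }
        }
        return Decision::PullPlain;
    };
    Decision::PullWithKey
}

fn main() {
    // Constructed sample manifests, all for the same snapshot name.
    let src = Manifest::plain(&[("root.pxar.didx", 4096, "aa11")]);
    let mut noted = src.clone(); // same content, differing unprotected notes
    noted.unprotected.insert("notes".into(), "verified".into());
    let mut clash = src.clone(); // same name, different archive content
    clash.files.insert("root.pxar.didx".into(), (4096, "bb22".into()));
    let mut enc = src.clone(); // encrypted or signed copy
    enc.fingerprint = Some([1u8; 32]);

    println!("no target:        {:?}", check_pull(&src, None));
    println!("identical target: {:?}", check_pull(&src, Some(&src)));
    println!("notes differ:     {:?}", check_pull(&src, Some(&noted)));
    println!("content clash:    {:?}", check_pull(&src, Some(&clash)));
    println!("encrypted target: {:?}", check_pull(&src, Some(&enc)));
    println!("encrypted source: {:?}", check_pull(&enc, Some(&src)));
}
```

The order of the two checks matters: an encrypted target would also fail the dummy-key comparison, but testing the fingerprint first yields the specific "encrypted target, plain source" refusal rather than a generic content mismatch, which is what the patch's two distinct `bail!` messages are for.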