server: Only save crypto.Key
At the moment, the server doesn't need the full server.Key (master and user key), just the master key.
parent
08fac28e73
commit
1213d87b1a
5 changed files with 34 additions and 26 deletions
|
@ -9,8 +9,8 @@ import (
|
||||||
"github.com/restic/restic"
|
"github.com/restic/restic"
|
||||||
"github.com/restic/restic/backend"
|
"github.com/restic/restic/backend"
|
||||||
"github.com/restic/restic/chunker"
|
"github.com/restic/restic/chunker"
|
||||||
|
"github.com/restic/restic/crypto"
|
||||||
"github.com/restic/restic/pack"
|
"github.com/restic/restic/pack"
|
||||||
"github.com/restic/restic/server"
|
|
||||||
. "github.com/restic/restic/test"
|
. "github.com/restic/restic/test"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ type Rdr interface {
|
||||||
io.ReaderAt
|
io.ReaderAt
|
||||||
}
|
}
|
||||||
|
|
||||||
func benchmarkChunkEncrypt(b testing.TB, buf, buf2 []byte, rd Rdr, key *server.Key) {
|
func benchmarkChunkEncrypt(b testing.TB, buf, buf2 []byte, rd Rdr, key *crypto.Key) {
|
||||||
ch := restic.GetChunker("BenchmarkChunkEncrypt")
|
ch := restic.GetChunker("BenchmarkChunkEncrypt")
|
||||||
rd.Seek(0, 0)
|
rd.Seek(0, 0)
|
||||||
ch.Reset(rd, testPol)
|
ch.Reset(rd, testPol)
|
||||||
|
@ -44,7 +44,7 @@ func benchmarkChunkEncrypt(b testing.TB, buf, buf2 []byte, rd Rdr, key *server.K
|
||||||
OK(b, err)
|
OK(b, err)
|
||||||
Assert(b, uint(n) == chunk.Length, "invalid length: got %d, expected %d", n, chunk.Length)
|
Assert(b, uint(n) == chunk.Length, "invalid length: got %d, expected %d", n, chunk.Length)
|
||||||
|
|
||||||
_, err = key.Encrypt(buf2, buf)
|
_, err = crypto.Encrypt(key, buf2, buf)
|
||||||
OK(b, err)
|
OK(b, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@ func BenchmarkChunkEncrypt(b *testing.B) {
|
||||||
restic.FreeChunkBuf("BenchmarkChunkEncrypt", buf2)
|
restic.FreeChunkBuf("BenchmarkChunkEncrypt", buf2)
|
||||||
}
|
}
|
||||||
|
|
||||||
func benchmarkChunkEncryptP(b *testing.PB, buf []byte, rd Rdr, key *server.Key) {
|
func benchmarkChunkEncryptP(b *testing.PB, buf []byte, rd Rdr, key *crypto.Key) {
|
||||||
ch := restic.GetChunker("BenchmarkChunkEncryptP")
|
ch := restic.GetChunker("BenchmarkChunkEncryptP")
|
||||||
rd.Seek(0, 0)
|
rd.Seek(0, 0)
|
||||||
ch.Reset(rd, testPol)
|
ch.Reset(rd, testPol)
|
||||||
|
@ -86,7 +86,7 @@ func benchmarkChunkEncryptP(b *testing.PB, buf []byte, rd Rdr, key *server.Key)
|
||||||
// reduce length of chunkBuf
|
// reduce length of chunkBuf
|
||||||
buf = buf[:chunk.Length]
|
buf = buf[:chunk.Length]
|
||||||
io.ReadFull(chunk.Reader(rd), buf)
|
io.ReadFull(chunk.Reader(rd), buf)
|
||||||
key.Encrypt(buf, buf)
|
crypto.Encrypt(key, buf, buf)
|
||||||
}
|
}
|
||||||
|
|
||||||
restic.FreeChunker("BenchmarkChunkEncryptP", ch)
|
restic.FreeChunker("BenchmarkChunkEncryptP", ch)
|
||||||
|
|
|
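Review bot: The result of the new `crypto.Encrypt(key, buf, buf)` call in benchmarkChunkEncryptP is still discarded, while the sibling benchmarkChunkEncrypt checks the same call with `OK(b, err)`; a benchmark whose encrypt step silently fails measures nothing. Since `*testing.PB` has no Fatal, surfacing it would have to be `if _, err := crypto.Encrypt(key, buf, buf); err != nil { panic(err) }`. The ignored `rd.Seek(0, 0)` and `io.ReadFull` results on the surrounding context lines have the same problem, though they predate this change. Both benchmark bodies extend beyond the hunks shown.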
@ -121,7 +121,7 @@ func (cmd CmdCat) Execute(args []string) error {
|
||||||
fmt.Println(string(buf))
|
fmt.Println(string(buf))
|
||||||
return nil
|
return nil
|
||||||
case "masterkey":
|
case "masterkey":
|
||||||
buf, err := json.MarshalIndent(s.Key().Master(), "", " ")
|
buf, err := json.MarshalIndent(s.Key(), "", " ")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
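Review bot: The `masterkey` branch now hands `s.Key()` — a `*crypto.Key` that Server.Encrypt and Server.Decrypt explicitly guard against being unset — straight to `json.MarshalIndent`, which renders a nil pointer as `null` without returning an error, so an unopened repository would print `null` and exit successfully. If the start of Execute (outside the hunk) does not guarantee that SearchKey has run, a guard such as `if s.Key() == nil { return fmt.Errorf("key for server not set") }` before the marshal makes the failure explicit and matches the message used in server.go. Printing the raw master key to stdout is unchanged behaviour from the previous `.Master()` form and is not re-raised here.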
@ -42,7 +42,7 @@ func listKeys(s *server.Server) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
var current string
|
var current string
|
||||||
if name == s.Key().Name() {
|
if name == s.KeyName() {
|
||||||
current = "*"
|
current = "*"
|
||||||
} else {
|
} else {
|
||||||
current = " "
|
current = " "
|
||||||
|
@ -75,7 +75,7 @@ func addKey(s *server.Server) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func deleteKey(s *server.Server, name string) error {
|
func deleteKey(s *server.Server, name string) error {
|
||||||
if name == s.Key().Name() {
|
if name == s.KeyName() {
|
||||||
return errors.New("refusing to remove key currently used to access repository")
|
return errors.New("refusing to remove key currently used to access repository")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -103,7 +103,7 @@ func changePassword(s *server.Server) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// remove old key
|
// remove old key
|
||||||
err = s.Remove(backend.Key, s.Key().Name())
|
err = s.Remove(backend.Key, s.KeyName())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
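Review bot: After `s.Remove(backend.Key, s.KeyName())` in changePassword, the server's stored key name still refers to the key record that was just deleted; nothing in the hunk reassigns it, so unless the remainder of the function (outside the hunk) re-opens the repository or updates it, later callers of `s.KeyName()` — including the name-only guard in deleteKey — operate on a stale value. That is inferred from the visible lines, but it deserves either an explicit update after the removal or a comment on that line such as `// s.KeyName() now names a removed key until the server is re-opened`. listKeys, deleteKey and changePassword all continue outside their hunks.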
@ -132,7 +132,7 @@ func LoadKey(s *Server, name string) (*Key, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// AddKey adds a new key to an already existing repository.
|
// AddKey adds a new key to an already existing repository.
|
||||||
func AddKey(s *Server, password string, template *Key) (*Key, error) {
|
func AddKey(s *Server, password string, template *crypto.Key) (*Key, error) {
|
||||||
// fill meta data about key
|
// fill meta data about key
|
||||||
newkey := &Key{
|
newkey := &Key{
|
||||||
Created: time.Now(),
|
Created: time.Now(),
|
||||||
|
@ -170,7 +170,7 @@ func AddKey(s *Server, password string, template *Key) (*Key, error) {
|
||||||
newkey.master = crypto.NewRandomKey()
|
newkey.master = crypto.NewRandomKey()
|
||||||
} else {
|
} else {
|
||||||
// copy master keys from old key
|
// copy master keys from old key
|
||||||
newkey.master = template.master
|
newkey.master = template
|
||||||
}
|
}
|
||||||
|
|
||||||
// encrypt master keys (as json) with user key
|
// encrypt master keys (as json) with user key
|
||||||
|
|
|
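Review bot: The comment `// copy master keys from old key` above `newkey.master = template` is now inaccurate: the assignment stores the caller's `*crypto.Key` pointer itself, so the new key record shares one master key object with the template rather than holding a copy. Either reword it to `// reuse the template's master key (shared pointer, not a copy)` or clone the key if independent ownership is intended. The branch presumably runs only when `template` is non-nil, but the condition is outside the hunk; now that the parameter type changed, AddKey's doc comment should state that a nil template yields a fresh random master key. AddKey's body continues outside the hunk.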
@ -14,6 +14,7 @@ import (
|
||||||
|
|
||||||
"github.com/restic/restic/backend"
|
"github.com/restic/restic/backend"
|
||||||
"github.com/restic/restic/chunker"
|
"github.com/restic/restic/chunker"
|
||||||
|
"github.com/restic/restic/crypto"
|
||||||
"github.com/restic/restic/debug"
|
"github.com/restic/restic/debug"
|
||||||
"github.com/restic/restic/pack"
|
"github.com/restic/restic/pack"
|
||||||
)
|
)
|
||||||
|
@ -27,10 +28,11 @@ type Config struct {
|
||||||
|
|
||||||
// Server is used to access a repository in a backend.
|
// Server is used to access a repository in a backend.
|
||||||
type Server struct {
|
type Server struct {
|
||||||
be backend.Backend
|
be backend.Backend
|
||||||
Config Config
|
Config Config
|
||||||
key *Key
|
key *crypto.Key
|
||||||
idx *Index
|
keyName string
|
||||||
|
idx *Index
|
||||||
|
|
||||||
pm sync.Mutex
|
pm sync.Mutex
|
||||||
packs []*pack.Packer
|
packs []*pack.Packer
|
||||||
|
@ -158,7 +160,7 @@ func (s *Server) LoadJSONUnpacked(t backend.Type, id backend.ID, item interface{
|
||||||
defer rd.Close()
|
defer rd.Close()
|
||||||
|
|
||||||
// decrypt
|
// decrypt
|
||||||
decryptRd, err := s.key.DecryptFrom(rd)
|
decryptRd, err := crypto.DecryptFrom(s.key, rd)
|
||||||
defer decryptRd.Close()
|
defer decryptRd.Close()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -191,7 +193,7 @@ func (s *Server) LoadJSONPack(t pack.BlobType, id backend.ID, item interface{})
|
||||||
defer rd.Close()
|
defer rd.Close()
|
||||||
|
|
||||||
// decrypt
|
// decrypt
|
||||||
decryptRd, err := s.key.DecryptFrom(rd)
|
decryptRd, err := crypto.DecryptFrom(s.key, rd)
|
||||||
defer decryptRd.Close()
|
defer decryptRd.Close()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -236,7 +238,7 @@ func (s *Server) findPacker(size uint) (*pack.Packer, error) {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
debug.Log("Server.findPacker", "create new pack %p", blob)
|
debug.Log("Server.findPacker", "create new pack %p", blob)
|
||||||
return pack.NewPacker(s.key.Master(), blob), nil
|
return pack.NewPacker(s.key, blob), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// insertPacker appends p to s.packs.
|
// insertPacker appends p to s.packs.
|
||||||
|
@ -382,7 +384,7 @@ func (s *Server) SaveJSONUnpacked(t backend.Type, item interface{}) (backend.ID,
|
||||||
hw := backend.NewHashingWriter(blob, sha256.New())
|
hw := backend.NewHashingWriter(blob, sha256.New())
|
||||||
|
|
||||||
// encrypt blob
|
// encrypt blob
|
||||||
ewr := s.key.EncryptTo(hw)
|
ewr := crypto.EncryptTo(s.key, hw)
|
||||||
|
|
||||||
enc := json.NewEncoder(ewr)
|
enc := json.NewEncoder(ewr)
|
||||||
err = enc.Encode(item)
|
err = enc.Encode(item)
|
||||||
|
@ -454,7 +456,7 @@ func (s *Server) SaveIndex() (backend.ID, error) {
|
||||||
hw := backend.NewHashingWriter(blob, sha256.New())
|
hw := backend.NewHashingWriter(blob, sha256.New())
|
||||||
|
|
||||||
// encrypt blob
|
// encrypt blob
|
||||||
ewr := s.key.EncryptTo(hw)
|
ewr := crypto.EncryptTo(s.key, hw)
|
||||||
|
|
||||||
err = s.idx.Encode(ewr)
|
err = s.idx.Encode(ewr)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -507,7 +509,7 @@ func (s *Server) loadIndex(id string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// decrypt
|
// decrypt
|
||||||
decryptRd, err := s.key.DecryptFrom(rd)
|
decryptRd, err := crypto.DecryptFrom(s.key, rd)
|
||||||
defer decryptRd.Close()
|
defer decryptRd.Close()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -572,7 +574,8 @@ func (s *Server) SearchKey(password string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
s.key = key
|
s.key = key.Master()
|
||||||
|
s.keyName = key.Name()
|
||||||
return s.loadConfig(&s.Config)
|
return s.loadConfig(&s.Config)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -592,7 +595,8 @@ func (s *Server) CreateMasterKey(password string) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
s.key = key
|
s.key = key.Master()
|
||||||
|
s.keyName = key.Name()
|
||||||
return s.createConfig()
|
return s.createConfig()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -601,7 +605,7 @@ func (s *Server) Decrypt(ciphertext []byte) ([]byte, error) {
|
||||||
return nil, errors.New("key for server not set")
|
return nil, errors.New("key for server not set")
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.key.Decrypt(nil, ciphertext)
|
return crypto.Decrypt(s.key, nil, ciphertext)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) Encrypt(ciphertext, plaintext []byte) ([]byte, error) {
|
func (s *Server) Encrypt(ciphertext, plaintext []byte) ([]byte, error) {
|
||||||
|
@ -609,13 +613,17 @@ func (s *Server) Encrypt(ciphertext, plaintext []byte) ([]byte, error) {
|
||||||
return nil, errors.New("key for server not set")
|
return nil, errors.New("key for server not set")
|
||||||
}
|
}
|
||||||
|
|
||||||
return s.key.Encrypt(ciphertext, plaintext)
|
return crypto.Encrypt(s.key, ciphertext, plaintext)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *Server) Key() *Key {
|
func (s *Server) Key() *crypto.Key {
|
||||||
return s.key
|
return s.key
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Server) KeyName() string {
|
||||||
|
return s.keyName
|
||||||
|
}
|
||||||
|
|
||||||
// Count returns the number of blobs of a given type in the backend.
|
// Count returns the number of blobs of a given type in the backend.
|
||||||
func (s *Server) Count(t backend.Type) (n uint) {
|
func (s *Server) Count(t backend.Type) (n uint) {
|
||||||
for _ = range s.be.List(t, nil) {
|
for _ = range s.be.List(t, nil) {
|
||||||
|
|
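Review bot: In LoadJSONUnpacked the new `decryptRd, err := crypto.DecryptFrom(s.key, rd)` is immediately followed by `defer decryptRd.Close()` and only then by the `err != nil` check; if DecryptFrom returns a nil reader together with its error (its contract is not visible here), Close dereferences nil when the function returns. Moving the defer below the check fixes the order: `if err != nil { return err }` followed by `defer decryptRd.Close()`. The same ordering appears in LoadJSONPack (@ -191) and loadIndex (@ -507). Separately, the newly added exported `KeyName` (and the retyped `Key`) carry no doc comment; `// KeyName returns the name of the key record whose master key the server currently uses.` would follow the exported-name convention and document why keyName is set alongside key in SearchKey and CreateMasterKey. All of these functions extend beyond their hunks.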