liz/veilid
1
0
Fork 0
Code Pull Requests Packages Releases Activity

checkpoint

Browse Source
This commit is contained in:
John Smith
2023-05-26 00:53:07 +01:00
parent cefbeed09a
commit 5b0bfcef48
8 changed files with 178 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
veilid-core/src/core_context.rs
View File

@@ -88,11 +88,7 @@ impl ServicesContext {
// Set up crypto
trace!("init crypto");
let crypto = Crypto::new(
self.config.clone(),
table_store.clone(),
protected_store.clone(),
);
let crypto = Crypto::new(self.config.clone(), table_store.clone());
if let Err(e) = crypto.init().await {
error!("failed to init crypto: {}", e);
self.shutdown().await;

8
veilid-core/src/crypto/mod.rs
View File

@@ -82,7 +82,6 @@ struct CryptoInner {
struct CryptoUnlockedInner {
config: VeilidConfig,
table_store: TableStore,
protected_store: ProtectedStore,
}
/// Crypto factory implementation
@@ -104,16 +103,11 @@ impl Crypto {
}
}
pub fn new(
config: VeilidConfig,
table_store: TableStore,
protected_store: ProtectedStore,
) -> Self {
pub fn new(config: VeilidConfig, table_store: TableStore) -> Self {
let out = Self {
unlocked_inner: Arc::new(CryptoUnlockedInner {
config,
table_store,
protected_store,
}),
inner: Arc::new(Mutex::new(Self::new_inner())),
};

96
veilid-core/src/table_store/table_store.rs
View File

@@ -163,19 +163,87 @@ impl TableStore {
self.flush().await;
}
async fn load_device_encryption_key(&self) -> EyreResult<Option<TypedSharedSecret>> {
let dek_bytes: Option<Vec<u8>> = self
.protected_store
.load_user_secret("device_encryption_key")
.await?;
let Some(dek_bytes) = dek_bytes else {
return Ok(None);
};
// Ensure the key is at least as long as necessary if unencrypted
if dek_bytes.len() < (4 + SHARED_SECRET_LENGTH) {
bail!("device encryption key is not valid");
}
// Get cryptosystem
let kind = FourCC::try_from(&dek_bytes[0..4]).unwrap();
let crypto = self.inner.lock().crypto.as_ref().unwrap().clone();
let Some(vcrypto) = crypto.get(kind) else {
bail!("unsupported cryptosystem");
};
// Decrypt encryption key if we have it
let device_encryption_key_password = {
let c = self.config.get();
c.protected_store.device_encryption_key_password.clone()
};
if !device_encryption_key_password.is_empty() {
if dek_bytes.len()
!= (4 + SHARED_SECRET_LENGTH + vcrypto.aead_overhead() + NONCE_LENGTH)
{
bail!("password protected device encryption key is not valid");
}
let protected_key = &dek_bytes[4..(4 + SHARED_SECRET_LENGTH + vcrypto.aead_overhead())];
let nonce = &dek_bytes[(4 + SHARED_SECRET_LENGTH + vcrypto.aead_overhead())..];
let shared_secret = vcrypto
.derive_shared_secret(device_encryption_key_password.as_bytes(), &nonce)
.wrap_err("failed to derive shared secret")?;
let unprotected_key = vcrypto
.decrypt_aead(
&protected_key,
&Nonce::try_from(nonce).wrap_err("invalid nonce")?,
&shared_secret,
None,
)
.wrap_err("failed to decrypt device encryption key")?;
return Ok(Some(TypedSharedSecret::new(
kind,
SharedSecret::try_from(unprotected_key.as_slice())
.wrap_err("invalid shared secret")?,
)));
}
Ok(Some(TypedSharedSecret::new(
kind,
SharedSecret::try_from(&dek_bytes[4..])?,
)))
}
async fn save_device_encryption_key(
&self,
device_encryption_key: Option<TypedSharedSecret>,
) -> EyreResult<()> {
// Save the new device encryption key
self.protected_store
.save_user_secret_json("device_encryption_key", &device_encryption_key)
.await?;
xxxx
Ok(())
}
pub(crate) async fn init(&self) -> EyreResult<()> {
let _async_guard = self.async_lock.lock().await;
// Get device encryption key from protected store
let mut encryption_key: Option<TypedSharedSecret> = self
.protected_store
.load_user_secret_json("device_encryption_key")
.await?;
if let Some(encryption_key) = encryption_key {
let mut device_encryption_key = self.load_device_encryption_key().await?;
let mut device_encryption_key_changed = false;
if let Some(device_encryption_key) = device_encryption_key {
// If encryption in current use is not the best encryption, then run table migration
let best_kind = best_crypto_kind();
if encryption_key.kind != best_kind {
if device_encryption_key.kind != best_kind {
// XXX: Run migration. See issue #209
}
} else {
@@ -183,14 +251,14 @@ impl TableStore {
let best_kind = best_crypto_kind();
let mut shared_secret = SharedSecret::default();
random_bytes(&mut shared_secret.bytes);
let device_encryption_key = TypedSharedSecret::new(best_kind, shared_secret);
// Save the new device encryption key
self.protected_store
.save_user_secret_json("device_encryption_key", &device_encryption_key)
device_encryption_key = Some(TypedSharedSecret::new(best_kind, shared_secret));
device_encryption_key_changed = true;
}
if device_encryption_key_changed {
self.save_device_encryption_key(device_encryption_key)
.await?;
encryption_key = Some(device_encryption_key);
}
// Deserialize all table names
@@ -220,7 +288,7 @@ impl TableStore {
{
let mut inner = self.inner.lock();
inner.encryption_key = encryption_key;
inner.encryption_key = device_encryption_key;
inner.all_tables_db = Some(all_tables_db);
}

6
veilid-core/src/veilid_config.rs
View File

@@ -431,6 +431,8 @@ pub struct VeilidConfigProtectedStore {
pub always_use_insecure_storage: bool,
pub directory: String,
pub delete: bool,
pub device_encryption_key_password: String,
pub new_device_encryption_key_password: Option<String>,
}
#[derive(
@@ -632,6 +634,8 @@ impl VeilidConfig {
get_config!(inner.protected_store.always_use_insecure_storage);
get_config!(inner.protected_store.directory);
get_config!(inner.protected_store.delete);
get_config!(inner.protected_store.device_encryption_key_password);
get_config!(inner.protected_store.new_device_encryption_key_password);
get_config!(inner.network.connection_initial_timeout_ms);
get_config!(inner.network.connection_inactivity_timeout_ms);
get_config!(inner.network.max_connections_per_ip4);
@@ -925,7 +929,7 @@ impl VeilidConfig {
Ok(())
}
//xxx#[cfg(not(test))]
#[cfg(not(test))]
async fn init_node_id(
&self,
vcrypto: CryptoSystemVersion,