
rcreate: remove legacy encryption modes for new repos, fixes #6490

These are legacy crypto modes based on AES-CTR mode:
(repokey|keyfile)[-blake2]

New crypto modes with session keys and AEAD ciphers:

(repokey|keyfile)[-blake2]-(aes-ocb|chacha20-poly1305)

Tests needed some changes:
- most tests used repokey/keyfile; changed them to the new modes
- some nonce tests removed, the new crypto code does not generate
  the repo side nonces any more (were only used for AES-CTR)
Thomas Waldmann 2 years ago
parent
commit
dc2f2f47a8
3 changed files with 161 additions and 146 deletions
  1. 23 17
      src/borg/archiver.py
  2. 14 7
      src/borg/crypto/key.py
  3. 124 122
      src/borg/testsuite/archiver.py

+ 23 - 17
src/borg/archiver.py

@@ -48,6 +48,8 @@ try:
     from .compress import CompressionSpec, ZLIB, ZLIB_legacy, ObfuscateSize
     from .crypto.key import key_creator, key_argument_names, tam_required_file, tam_required
     from .crypto.key import RepoKey, KeyfileKey, Blake2RepoKey, Blake2KeyfileKey, FlexiKey
+    from .crypto.key import AESOCBRepoKey, CHPORepoKey, Blake2AESOCBRepoKey, Blake2CHPORepoKey
+    from .crypto.key import AESOCBKeyfileKey, CHPOKeyfileKey, Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey
     from .crypto.keymanager import KeyManager
     from .helpers import EXIT_SUCCESS, EXIT_WARNING, EXIT_ERROR, EXIT_SIGNAL_BASE
     from .helpers import Error, NoManifestError, set_ec
@@ -503,28 +505,32 @@ class Archiver:
             return EXIT_ERROR
 
         if args.key_mode == 'keyfile':
-            if isinstance(key, RepoKey):
-                key_new = KeyfileKey(repository)
-            elif isinstance(key, Blake2RepoKey):
-                key_new = Blake2KeyfileKey(repository)
-            elif isinstance(key, (KeyfileKey, Blake2KeyfileKey)):
-                print(f"Location already is {args.key_mode}")
-                return EXIT_SUCCESS
+            if isinstance(key, AESOCBRepoKey):
+                key_new = AESOCBKeyfileKey(repository)
+            elif isinstance(key, CHPORepoKey):
+                key_new = CHPOKeyfileKey(repository)
+            elif isinstance(key, Blake2AESOCBRepoKey):
+                key_new = Blake2AESOCBKeyfileKey(repository)
+            elif isinstance(key, Blake2CHPORepoKey):
+                key_new = Blake2CHPOKeyfileKey(repository)
             else:
-                raise Error("Unsupported key type")
+                print("Change not needed or not supported.")
+                return EXIT_WARNING
         if args.key_mode == 'repokey':
-            if isinstance(key, KeyfileKey):
-                key_new = RepoKey(repository)
-            elif isinstance(key, Blake2KeyfileKey):
-                key_new = Blake2RepoKey(repository)
-            elif isinstance(key, (RepoKey, Blake2RepoKey)):
-                print(f"Location already is {args.key_mode}")
-                return EXIT_SUCCESS
+            if isinstance(key, AESOCBKeyfileKey):
+                key_new = AESOCBRepoKey(repository)
+            elif isinstance(key, CHPOKeyfileKey):
+                key_new = CHPORepoKey(repository)
+            elif isinstance(key, Blake2AESOCBKeyfileKey):
+                key_new = Blake2AESOCBRepoKey(repository)
+            elif isinstance(key, Blake2CHPOKeyfileKey):
+                key_new = Blake2CHPORepoKey(repository)
             else:
-                raise Error("Unsupported key type")
+                print("Change not needed or not supported.")
+                return EXIT_WARNING
 
         for name in ('repository_id', 'enc_key', 'enc_hmac_key', 'id_key', 'chunk_seed',
-                     'tam_required', 'nonce_manager', 'cipher'):
+                     'tam_required', 'sessionid', 'cipher'):
             value = getattr(key, name)
             setattr(key_new, name, value)
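Review bot: The new `else` branches (the lines printing "Change not needed or not supported." in both the 'keyfile' and 'repokey' paths) fold two different situations into one message and one exit status: a key that already is in the requested mode, which previously reported "Location already is …" and returned EXIT_SUCCESS, and a legacy AES-CTR key (RepoKey/KeyfileKey/Blake2 variants, per the commit message) that this command no longer converts, which previously raised Error. A script wrapping `key change-location` can no longer tell a no-op from an unsupported repository, and a user on a legacy repo gets no hint that the key type is the reason. I would keep the no-op branch with its old message and status and let the fallback name the key type via the `NAME` attribute the key classes carry, as below; the 'repokey' path mirrors it with the RepoKey classes. The enclosing method starts before the hunk, so its signature is not visible here.
```python
        if args.key_mode == 'keyfile':
            if isinstance(key, AESOCBRepoKey):
                key_new = AESOCBKeyfileKey(repository)
            # … unchanged: CHPO / Blake2 repo-to-keyfile variants …
            elif isinstance(key, (AESOCBKeyfileKey, CHPOKeyfileKey,
                                  Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey)):
                print(f"Location already is {args.key_mode}")
                return EXIT_SUCCESS
            else:
                # anything else: legacy AES-CTR keys or unencrypted modes, not converted here
                print(f"Key type '{key.NAME}' is not supported by change-location.")
                return EXIT_WARNING
        # … unchanged: 'repokey' branch, same structure with the RepoKey classes …
```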
 

+ 14 - 7
src/borg/crypto/key.py

@@ -98,7 +98,7 @@ def identify_key(manifest_data):
     if key_type == KeyType.PASSPHRASE:  # legacy, see comment in KeyType class.
         return RepoKey
 
-    for key in AVAILABLE_KEY_TYPES:
+    for key in LEGACY_KEY_TYPES + AVAILABLE_KEY_TYPES:
         if key.TYPE == key_type:
             return key
     else:
@@ -977,7 +977,7 @@ class CHPORepoKey(ID_HMAC_SHA_256, AEADKeyBase, FlexiKey):
 class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
     TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
     TYPE = KeyType.BLAKE2AESOCBKEYFILE
-    NAME = 'key file Blake2b AES-OCB'
+    NAME = 'key file BLAKE2b AES-OCB'
     ARG_NAME = 'keyfile-blake2-aes-ocb'
     STORAGE = KeyBlobStorage.KEYFILE
     CIPHERSUITE = AES256_OCB
@@ -986,7 +986,7 @@ class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
 class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
     TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
     TYPE = KeyType.BLAKE2AESOCBREPO
-    NAME = 'repokey Blake2b AES-OCB'
+    NAME = 'repokey BLAKE2b AES-OCB'
     ARG_NAME = 'repokey-blake2-aes-ocb'
     STORAGE = KeyBlobStorage.REPO
     CIPHERSUITE = AES256_OCB
@@ -995,7 +995,7 @@ class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
 class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
     TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
     TYPE = KeyType.BLAKE2CHPOKEYFILE
-    NAME = 'key file Blake2b ChaCha20-Poly1305'
+    NAME = 'key file BLAKE2b ChaCha20-Poly1305'
     ARG_NAME = 'keyfile-blake2-chacha20-poly1305'
     STORAGE = KeyBlobStorage.KEYFILE
     CIPHERSUITE = CHACHA20_POLY1305
@@ -1004,16 +1004,23 @@ class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
 class Blake2CHPORepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
     TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
     TYPE = KeyType.BLAKE2CHPOREPO
-    NAME = 'repokey Blake2b ChaCha20-Poly1305'
+    NAME = 'repokey BLAKE2b ChaCha20-Poly1305'
     ARG_NAME = 'repokey-blake2-chacha20-poly1305'
     STORAGE = KeyBlobStorage.REPO
     CIPHERSUITE = CHACHA20_POLY1305
 
 
+LEGACY_KEY_TYPES = (
+    # legacy (AES-CTR based) crypto
+    KeyfileKey, RepoKey,
+    Blake2KeyfileKey, Blake2RepoKey,
+)
+
 AVAILABLE_KEY_TYPES = (
+    # these are available encryption modes for new repositories
+    # not encrypted modes
     PlaintextKey,
-    KeyfileKey, RepoKey, AuthenticatedKey,
-    Blake2KeyfileKey, Blake2RepoKey, Blake2AuthenticatedKey,
+    AuthenticatedKey, Blake2AuthenticatedKey,
     # new crypto
     AESOCBKeyfileKey, AESOCBRepoKey,
     CHPOKeyfileKey, CHPORepoKey,
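Review bot: `LEGACY_KEY_TYPES` is introduced without saying why it still has to exist, and the change to `identify_key` that iterates `LEGACY_KEY_TYPES + AVAILABLE_KEY_TYPES` is the only thing that keeps the legacy AES-CTR key types recognisable, presumably so existing repositories can still be opened; I would state that contract on the tuple itself: `# legacy (AES-CTR based) crypto: kept so identify_key() still recognises existing repos; never offer these for new repos, do not add them to AVAILABLE_KEY_TYPES`. The comment `# not encrypted modes` above PlaintextKey and the Authenticated keys would read more precisely as `# unencrypted modes (plaintext, authenticated-only)`. Whether `AVAILABLE_KEY_TYPES` also drives the `--encryption` argument choices is not visible in this hunk; if it does, a one-line comment on the tuple noting that consequence would help the next person who edits it.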

+ 124 - 122
src/borg/testsuite/archiver.py

