key.py 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877
  1. from binascii import hexlify, a2b_base64, b2a_base64
  2. from getpass import getpass
  3. import os
  4. import msgpack
  5. import textwrap
  6. from collections import namedtuple
  7. import hmac
  8. from hashlib import sha1, sha256, sha512
  9. import zlib
  10. try:
  11. import lzma # python >= 3.3
  12. except ImportError:
  13. try:
  14. from backports import lzma # backports.lzma from pypi
  15. except ImportError:
  16. lzma = None
  17. try:
  18. import blosc
  19. except ImportError:
  20. blosc = None
  21. from attic.crypto import pbkdf2_sha256, get_random_bytes, AES, AES_CTR_MODE, AES_GCM_MODE, \
  22. bytes_to_int, increment_iv
  23. from attic.helpers import IntegrityError, get_keys_dir, Error
  24. # we do not store the full IV on disk, as the upper 8 bytes are expected to be
  25. # zero anyway as the full IV is a 128bit counter. PREFIX are the upper 8 bytes,
  26. # stored_iv are the lower 8 Bytes.
  27. PREFIX = b'\0' * 8
  28. Meta = namedtuple('Meta', 'compr_type, key_type, mac_type, cipher_type, iv, legacy')
  29. class UnsupportedPayloadError(Error):
  30. """Unsupported payload type {}. A newer version is required to access this repository.
  31. """
  32. class sha512_256(object): # note: can't subclass sha512
  33. """sha512, but digest truncated to 256bit - faster than sha256 on 64bit platforms"""
  34. digestsize = digest_size = 32
  35. block_size = 64
  36. def __init__(self, data=None):
  37. self.name = 'sha512-256'
  38. self._h = sha512()
  39. if data:
  40. self.update(data)
  41. def update(self, data):
  42. self._h.update(data)
  43. def digest(self):
  44. return self._h.digest()[:self.digest_size]
  45. def hexdigest(self):
  46. return self._h.hexdigest()[:self.digest_size * 2]
  47. def copy(self):
  48. new = sha512_256.__new__(sha512_256)
  49. new._h = self._h.copy()
  50. return new
  51. # HASH / MAC stuff below all has a mac-like interface, so it can be used in the same way.
  52. # special case: hashes do not use keys (and thus, do not sign/authenticate)
  53. class HASH: # note: we can't subclass sha1/sha256/sha512
  54. TYPE = 0 # override in subclass
  55. digest_size = 0 # override in subclass
  56. hash_func = None # override in subclass
  57. def __init__(self, key, data=b''):
  58. # signature is like for a MAC, we ignore the key as this is a simple hash
  59. if key is not None:
  60. raise Exception("use a HMAC if you have a key")
  61. self.h = self.hash_func(data)
  62. def update(self, data):
  63. self.h.update(data)
  64. def digest(self):
  65. return self.h.digest()
  66. def hexdigest(self):
  67. return self.h.hexdigest()
  68. class SHA256(HASH):
  69. TYPE = 0
  70. digest_size = 32
  71. hash_func = sha256
  72. class SHA512_256(HASH):
  73. TYPE = 1
  74. digest_size = 32
  75. hash_func = sha512_256
  76. class GHASH:
  77. TYPE = 2
  78. digest_size = 16
  79. def __init__(self, key, data=b''):
  80. # signature is like for a MAC, we ignore the key as this is a simple hash
  81. if key is not None:
  82. raise Exception("use a MAC if you have a key")
  83. self.mac_cipher = AES(mode=AES_GCM_MODE, is_encrypt=True, key=b'\0' * 32, iv=b'\0' * 16)
  84. if data:
  85. self.update(data)
  86. def update(self, data):
  87. # GMAC = aes-gcm with all data as AAD, no data as to-be-encrypted data
  88. self.mac_cipher.add(bytes(data))
  89. def digest(self):
  90. hash, _ = self.mac_cipher.compute_mac_and_encrypt(b'')
  91. return hash
  92. class SHA1(HASH):
  93. TYPE = 3
  94. digest_size = 20
  95. hash_func = sha1
  96. class SHA512(HASH):
  97. TYPE = 4
  98. digest_size = 64
  99. hash_func = sha512
  100. class HMAC(hmac.HMAC):
  101. TYPE = 0 # override in subclass
  102. digest_size = 0 # override in subclass
  103. hash_func = None # override in subclass
  104. def __init__(self, key, data):
  105. if key is None:
  106. raise Exception("do not use HMAC if you don't have a key")
  107. super().__init__(key, data, self.hash_func)
  108. def update(self, msg):
  109. # Workaround a bug in Python < 3.4 Where HMAC does not accept memoryviews
  110. self.inner.update(msg)
  111. class HMAC_SHA256(HMAC):
  112. TYPE = 10
  113. digest_size = 32
  114. hash_func = sha256
  115. class HMAC_SHA512_256(HMAC):
  116. TYPE = 11
  117. digest_size = 32
  118. hash_func = sha512_256
  119. class HMAC_SHA1(HMAC):
  120. TYPE = 13
  121. digest_size = 20
  122. hash_func = sha1
  123. class HMAC_SHA512(HMAC):
  124. TYPE = 14
  125. digest_size = 64
  126. hash_func = sha512
  127. class GMAC(GHASH):
  128. TYPE = 20
  129. digest_size = 16
  130. def __init__(self, key, data=b''):
  131. if key is None:
  132. raise Exception("do not use GMAC if you don't have a key")
  133. self.mac_cipher = AES(mode=AES_GCM_MODE, is_encrypt=True, key=key, iv=b'\0' * 16)
  134. if data:
  135. self.update(data)
  136. # defaults are optimized for speed on modern CPUs with AES hw support
  137. HASH_DEFAULT = GHASH.TYPE
  138. MAC_DEFAULT = GMAC.TYPE
  139. # compressor classes, all same interface
  140. # special case: zlib level 0 is "no compression"
  141. class NullCompressor(object): # uses 0 in the mapping
  142. TYPE = 0
  143. def compress(self, data):
  144. return bytes(data)
  145. def decompress(self, data):
  146. return bytes(data)
  147. class ZlibCompressor(object): # uses 1..9 in the mapping
  148. TYPE = 0
  149. LEVELS = range(10)
  150. def compress(self, data):
  151. level = self.TYPE - ZlibCompressor.TYPE
  152. return zlib.compress(data, level)
  153. def decompress(self, data):
  154. return zlib.decompress(data)
  155. class LzmaCompressor(object): # uses 10..19 in the mapping
  156. TYPE = 10
  157. PRESETS = range(10)
  158. def __init__(self):
  159. if lzma is None:
  160. raise NotImplemented("lzma compression needs Python >= 3.3 or backports.lzma from PyPi")
  161. def compress(self, data):
  162. preset = self.TYPE - LzmaCompressor.TYPE
  163. return lzma.compress(data, preset=preset)
  164. def decompress(self, data):
  165. return lzma.decompress(data)
  166. class BLOSCCompressor(object):
  167. TYPE = 0 # override in subclass
  168. LEVELS = range(10)
  169. CNAME = '' # override in subclass
  170. def __init__(self):
  171. if blosc is None:
  172. raise NotImplemented("%s compression needs blosc from PyPi" % self.CNAME)
  173. if self.CNAME not in blosc.compressor_list():
  174. raise NotImplemented("%s compression is not supported by blosc" % self.CNAME)
  175. blosc.set_blocksize(16384) # 16kiB is the minimum, so 64kiB are enough for 4 threads
  176. def _get_level(self):
  177. raise NotImplemented
  178. def compress(self, data):
  179. return blosc.compress(bytes(data), 1, cname=self.CNAME, clevel=self._get_level())
  180. def decompress(self, data):
  181. return blosc.decompress(data)
  182. class LZ4Compressor(BLOSCCompressor):
  183. TYPE = 20
  184. CNAME = 'lz4'
  185. def _get_level(self):
  186. return self.TYPE - LZ4Compressor.TYPE
  187. class LZ4HCCompressor(BLOSCCompressor):
  188. TYPE = 30
  189. CNAME = 'lz4hc'
  190. def _get_level(self):
  191. return self.TYPE - LZ4HCCompressor.TYPE
  192. class BLOSCLZCompressor(BLOSCCompressor):
  193. TYPE = 40
  194. CNAME = 'blosclz'
  195. def _get_level(self):
  196. return self.TYPE - BLOSCLZCompressor.TYPE
  197. class SnappyCompressor(BLOSCCompressor):
  198. TYPE = 50
  199. CNAME = 'snappy'
  200. def _get_level(self):
  201. return self.TYPE - SnappyCompressor.TYPE
  202. class BLOSCZlibCompressor(BLOSCCompressor):
  203. TYPE = 60
  204. CNAME = 'zlib'
  205. def _get_level(self):
  206. return self.TYPE - BLOSCZlibCompressor.TYPE
  207. # default is optimized for speed
  208. COMPR_DEFAULT = NullCompressor.TYPE # no compression
  209. # ciphers - AEAD (authenticated encryption with assoc. data) style interface
  210. # special case: PLAIN dummy does not encrypt / authenticate
  211. class PLAIN:
  212. TYPE = 0
  213. enc_iv = None # dummy
  214. def __init__(self, **kw):
  215. pass
  216. def compute_mac_and_encrypt(self, meta, data):
  217. return None, data
  218. def check_mac_and_decrypt(self, mac, meta, data):
  219. return data
  220. def get_aad(meta):
  221. """get additional authenticated data for AEAD ciphers"""
  222. if meta.legacy:
  223. # legacy format computed the mac over (iv_last8 + data)
  224. return meta.iv[8:]
  225. else:
  226. return msgpack.packb(meta)
  227. class AES_CTR_HMAC:
  228. TYPE = 1
  229. def __init__(self, enc_key=b'\0' * 32, enc_iv=b'\0' * 16, enc_hmac_key=b'\0' * 32, **kw):
  230. self.hmac_key = enc_hmac_key
  231. self.enc_iv = enc_iv
  232. self.enc_cipher = AES(mode=AES_CTR_MODE, is_encrypt=True, key=enc_key, iv=enc_iv)
  233. self.dec_cipher = AES(mode=AES_CTR_MODE, is_encrypt=False, key=enc_key)
  234. def compute_mac_and_encrypt(self, meta, data):
  235. self.enc_cipher.reset(iv=meta.iv)
  236. _, data = self.enc_cipher.compute_mac_and_encrypt(data)
  237. self.enc_iv = increment_iv(meta.iv, len(data))
  238. aad = get_aad(meta)
  239. mac = HMAC(self.hmac_key, aad + data, sha256).digest() # XXX mac / hash flexibility
  240. return mac, data
  241. def check_mac_and_decrypt(self, mac, meta, data):
  242. aad = get_aad(meta)
  243. if HMAC(self.hmac_key, aad + data, sha256).digest() != mac:
  244. raise IntegrityError('Encryption envelope checksum mismatch')
  245. self.dec_cipher.reset(iv=meta.iv)
  246. data = self.dec_cipher.check_mac_and_decrypt(None, data)
  247. return data
  248. class AES_GCM:
  249. TYPE = 2
  250. def __init__(self, enc_key=b'\0' * 32, enc_iv=b'\0' * 16, **kw):
  251. # note: hmac_key is not used for aes-gcm, it does aes+gmac in 1 pass
  252. self.enc_iv = enc_iv
  253. self.enc_cipher = AES(mode=AES_GCM_MODE, is_encrypt=True, key=enc_key, iv=enc_iv)
  254. self.dec_cipher = AES(mode=AES_GCM_MODE, is_encrypt=False, key=enc_key)
  255. def compute_mac_and_encrypt(self, meta, data):
  256. self.enc_cipher.reset(iv=meta.iv)
  257. aad = get_aad(meta)
  258. self.enc_cipher.add(aad)
  259. mac, data = self.enc_cipher.compute_mac_and_encrypt(data)
  260. self.enc_iv = increment_iv(meta.iv, len(data))
  261. return mac, data
  262. def check_mac_and_decrypt(self, mac, meta, data):
  263. self.dec_cipher.reset(iv=meta.iv)
  264. aad = get_aad(meta)
  265. self.dec_cipher.add(aad)
  266. try:
  267. data = self.dec_cipher.check_mac_and_decrypt(mac, data)
  268. except Exception:
  269. raise IntegrityError('Encryption envelope checksum mismatch')
  270. return data
  271. # cipher default is optimized for speed on modern CPUs with AES hw support
  272. PLAIN_DEFAULT = PLAIN.TYPE
  273. CIPHER_DEFAULT = AES_GCM.TYPE
  274. # misc. types of keys
  275. # special case: no keys (thus: no encryption, no signing/authentication)
  276. class KeyBase(object):
  277. TYPE = 0x00 # override in derived classes
  278. def __init__(self, compressor_cls, maccer_cls, cipher_cls):
  279. self.compressor = compressor_cls()
  280. self.maccer_cls = maccer_cls # hasher/maccer used by id_hash
  281. self.cipher_cls = cipher_cls # plaintext dummy or AEAD cipher
  282. self.cipher = cipher_cls()
  283. self.id_key = None
  284. def id_hash(self, data):
  285. """Return a HASH (no id_key) or a MAC (using the "id_key" key)
  286. XXX do we need a cryptographic hash function here or is a keyed hash
  287. function like GMAC / GHASH good enough? See NIST SP 800-38D.
  288. IMPORTANT: in 1 repo, there should be only 1 kind of id_hash, otherwise
  289. data hashed/maced with one id_hash might result in same ID as already
  290. exists in the repo for other data created with another id_hash method.
  291. somehow unlikely considering 128 or 256bits, but still.
  292. """
  293. return self.maccer_cls(self.id_key, data).digest()
  294. def encrypt(self, data):
  295. data = self.compressor.compress(data)
  296. meta = Meta(compr_type=self.compressor.TYPE, key_type=self.TYPE,
  297. mac_type=self.maccer_cls.TYPE, cipher_type=self.cipher.TYPE,
  298. iv=self.cipher.enc_iv, legacy=False)
  299. mac, data = self.cipher.compute_mac_and_encrypt(meta, data)
  300. return generate(mac, meta, data)
  301. def decrypt(self, id, data):
  302. mac, meta, data = parser(data)
  303. compressor, keyer, maccer, cipher = get_implementations(meta)
  304. assert isinstance(self, keyer)
  305. assert self.maccer_cls is maccer
  306. assert self.cipher_cls is cipher
  307. data = self.cipher.check_mac_and_decrypt(mac, meta, data)
  308. data = self.compressor.decompress(data)
  309. if id and self.id_hash(data) != id:
  310. raise IntegrityError('Chunk id verification failed')
  311. return data
  312. class PlaintextKey(KeyBase):
  313. TYPE = 0x02
  314. chunk_seed = 0
  315. @classmethod
  316. def create(cls, repository, args):
  317. print('Encryption NOT enabled.\nUse the "--encryption=passphrase|keyfile" to enable encryption.')
  318. compressor = compressor_creator(args)
  319. maccer = maccer_creator(args, cls)
  320. cipher = cipher_creator(args, cls)
  321. return cls(compressor, maccer, cipher)
  322. @classmethod
  323. def detect(cls, repository, manifest_data):
  324. mac, meta, data = parser(manifest_data)
  325. compressor, keyer, maccer, cipher = get_implementations(meta)
  326. return cls(compressor, maccer, cipher)
  327. class AESKeyBase(KeyBase):
  328. """Common base class shared by KeyfileKey and PassphraseKey
  329. Chunks are encrypted using 256bit AES in CTR or GCM mode.
  330. Chunks are authenticated by a GCM GMAC or a HMAC.
  331. Payload layout: TYPE(1) + MAC(32) + NONCE(8) + CIPHERTEXT
  332. To reduce payload size only 8 bytes of the 16 bytes nonce is saved
  333. in the payload, the first 8 bytes are always zeros. This does not
  334. affect security but limits the maximum repository capacity to
  335. only 295 exabytes!
  336. """
  337. def extract_iv(self, payload):
  338. _, meta, _ = parser(payload)
  339. return meta.iv
  340. def init_from_random_data(self, data):
  341. self.enc_key = data[0:32]
  342. self.enc_hmac_key = data[32:64]
  343. self.id_key = data[64:96]
  344. self.chunk_seed = bytes_to_int(data[96:100])
  345. # Convert to signed int32
  346. if self.chunk_seed & 0x80000000:
  347. self.chunk_seed = self.chunk_seed - 0xffffffff - 1
  348. def init_ciphers(self, enc_iv=b'\0' * 16):
  349. self.cipher = self.cipher_cls(enc_key=self.enc_key, enc_iv=enc_iv,
  350. enc_hmac_key=self.enc_hmac_key)
  351. @property
  352. def enc_iv(self):
  353. return self.cipher.enc_iv
  354. class PassphraseKey(AESKeyBase):
  355. TYPE = 0x01
  356. iterations = 100000
  357. @classmethod
  358. def create(cls, repository, args):
  359. compressor = compressor_creator(args)
  360. maccer = maccer_creator(args, cls)
  361. cipher = cipher_creator(args, cls)
  362. key = cls(compressor, maccer, cipher)
  363. passphrase = os.environ.get('ATTIC_PASSPHRASE')
  364. if passphrase is not None:
  365. passphrase2 = passphrase
  366. else:
  367. passphrase, passphrase2 = 1, 2
  368. while passphrase != passphrase2:
  369. passphrase = getpass('Enter passphrase: ')
  370. if not passphrase:
  371. print('Passphrase must not be blank')
  372. continue
  373. passphrase2 = getpass('Enter same passphrase again: ')
  374. if passphrase != passphrase2:
  375. print('Passphrases do not match')
  376. key.init(repository, passphrase)
  377. if passphrase:
  378. print('Remember your passphrase. Your data will be inaccessible without it.')
  379. return key
  380. @classmethod
  381. def detect(cls, repository, manifest_data):
  382. prompt = 'Enter passphrase for %s: ' % repository._location.orig
  383. mac, meta, data = parser(manifest_data)
  384. compressor, keyer, maccer, cipher = get_implementations(meta)
  385. key = cls(compressor, maccer, cipher)
  386. passphrase = os.environ.get('ATTIC_PASSPHRASE')
  387. if passphrase is None:
  388. passphrase = getpass(prompt)
  389. while True:
  390. key.init(repository, passphrase)
  391. try:
  392. key.decrypt(None, manifest_data)
  393. key.init_ciphers(increment_iv(key.extract_iv(manifest_data), len(data)))
  394. return key
  395. except IntegrityError:
  396. passphrase = getpass(prompt)
  397. def change_passphrase(self):
  398. class ImmutablePassphraseError(Error):
  399. """The passphrase for this encryption key type can't be changed."""
  400. raise ImmutablePassphraseError
  401. def init(self, repository, passphrase):
  402. self.init_from_random_data(pbkdf2_sha256(passphrase.encode('utf-8'), repository.id, self.iterations, 100))
  403. self.init_ciphers()
  404. class KeyfileKey(AESKeyBase):
  405. FILE_ID = 'ATTIC KEY'
  406. TYPE = 0x00
  407. @classmethod
  408. def detect(cls, repository, manifest_data):
  409. mac, meta, data = parser(manifest_data)
  410. compressor, keyer, maccer, cipher = get_implementations(meta)
  411. key = cls(compressor, maccer, cipher)
  412. path = cls.find_key_file(repository)
  413. prompt = 'Enter passphrase for key file %s: ' % path
  414. passphrase = os.environ.get('ATTIC_PASSPHRASE', '')
  415. while not key.load(path, passphrase):
  416. passphrase = getpass(prompt)
  417. key.init_ciphers(increment_iv(key.extract_iv(manifest_data), len(data)))
  418. return key
  419. @classmethod
  420. def find_key_file(cls, repository):
  421. id = hexlify(repository.id).decode('ascii')
  422. keys_dir = get_keys_dir()
  423. for name in os.listdir(keys_dir):
  424. filename = os.path.join(keys_dir, name)
  425. with open(filename, 'r') as fd:
  426. line = fd.readline().strip()
  427. if line and line.startswith(cls.FILE_ID) and line[10:] == id:
  428. return filename
  429. raise Exception('Key file for repository with ID %s not found' % id)
  430. def load(self, filename, passphrase):
  431. with open(filename, 'r') as fd:
  432. cdata = a2b_base64(''.join(fd.readlines()[1:]).encode('ascii')) # .encode needed for Python 3.[0-2]
  433. data = self.decrypt_key_file(cdata, passphrase)
  434. if data:
  435. key = msgpack.unpackb(data)
  436. if key[b'version'] != 1:
  437. raise IntegrityError('Invalid key file header')
  438. self.repository_id = key[b'repository_id']
  439. self.enc_key = key[b'enc_key']
  440. self.enc_hmac_key = key[b'enc_hmac_key']
  441. self.id_key = key[b'id_key']
  442. self.chunk_seed = key[b'chunk_seed']
  443. self.path = filename
  444. return True
  445. def decrypt_key_file(self, data, passphrase):
  446. d = msgpack.unpackb(data)
  447. assert d[b'version'] == 1
  448. assert d[b'algorithm'] == b'gmac'
  449. key = pbkdf2_sha256(passphrase.encode('utf-8'), d[b'salt'], d[b'iterations'], 32)
  450. try:
  451. cipher = AES(mode=AES_GCM_MODE, is_encrypt=False, key=key, iv=b'\0'*16)
  452. data = cipher.check_mac_and_decrypt(d[b'hash'], d[b'data'])
  453. return data
  454. except Exception:
  455. return None
  456. def encrypt_key_file(self, data, passphrase):
  457. salt = get_random_bytes(32)
  458. iterations = 100000
  459. key = pbkdf2_sha256(passphrase.encode('utf-8'), salt, iterations, 32)
  460. cipher = AES(mode=AES_GCM_MODE, is_encrypt=True, key=key, iv=b'\0'*16)
  461. mac, cdata = cipher.compute_mac_and_encrypt(data)
  462. d = {
  463. 'version': 1,
  464. 'salt': salt,
  465. 'iterations': iterations,
  466. 'algorithm': 'gmac',
  467. 'hash': mac,
  468. 'data': cdata,
  469. }
  470. return msgpack.packb(d)
  471. def save(self, path, passphrase):
  472. key = {
  473. 'version': 1,
  474. 'repository_id': self.repository_id,
  475. 'enc_key': self.enc_key,
  476. 'enc_hmac_key': self.enc_hmac_key,
  477. 'id_key': self.id_key,
  478. 'chunk_seed': self.chunk_seed,
  479. }
  480. data = self.encrypt_key_file(msgpack.packb(key), passphrase)
  481. with open(path, 'w') as fd:
  482. fd.write('%s %s\n' % (self.FILE_ID, hexlify(self.repository_id).decode('ascii')))
  483. fd.write('\n'.join(textwrap.wrap(b2a_base64(data).decode('ascii'))))
  484. fd.write('\n')
  485. self.path = path
  486. def change_passphrase(self):
  487. passphrase, passphrase2 = 1, 2
  488. while passphrase != passphrase2:
  489. passphrase = getpass('New passphrase: ')
  490. passphrase2 = getpass('Enter same passphrase again: ')
  491. if passphrase != passphrase2:
  492. print('Passphrases do not match')
  493. self.save(self.path, passphrase)
  494. print('Key file "%s" updated' % self.path)
  495. @classmethod
  496. def create(cls, repository, args):
  497. filename = args.repository.to_key_filename()
  498. path = filename
  499. i = 1
  500. while os.path.exists(path):
  501. i += 1
  502. path = filename + '.%d' % i
  503. passphrase = os.environ.get('ATTIC_PASSPHRASE')
  504. if passphrase is not None:
  505. passphrase2 = passphrase
  506. else:
  507. passphrase, passphrase2 = 1, 2
  508. while passphrase != passphrase2:
  509. passphrase = getpass('Enter passphrase (empty for no passphrase):')
  510. passphrase2 = getpass('Enter same passphrase again: ')
  511. if passphrase != passphrase2:
  512. print('Passphrases do not match')
  513. compressor = compressor_creator(args)
  514. maccer = maccer_creator(args, cls)
  515. cipher = cipher_creator(args, cls)
  516. key = cls(compressor, maccer, cipher)
  517. key.repository_id = repository.id
  518. key.init_from_random_data(get_random_bytes(100))
  519. key.init_ciphers()
  520. key.save(path, passphrase)
  521. print('Key file "%s" created.' % key.path)
  522. print('Keep this file safe. Your data will be inaccessible without it.')
  523. return key
  524. # note: key 0 nicely maps to a zlib compressor with level 0 which means "no compression"
  525. compressor_mapping = {}
  526. for level in ZlibCompressor.LEVELS:
  527. compressor_mapping[ZlibCompressor.TYPE + level] = \
  528. type('ZlibCompressorLevel%d' % level, (ZlibCompressor, ), dict(TYPE=ZlibCompressor.TYPE + level))
  529. for preset in LzmaCompressor.PRESETS:
  530. compressor_mapping[LzmaCompressor.TYPE + preset] = \
  531. type('LzmaCompressorPreset%d' % preset, (LzmaCompressor, ), dict(TYPE=LzmaCompressor.TYPE + preset))
  532. for level in LZ4Compressor.LEVELS:
  533. compressor_mapping[LZ4Compressor.TYPE + level] = \
  534. type('LZ4CompressorLevel%d' % level, (LZ4Compressor, ), dict(TYPE=LZ4Compressor.TYPE + level))
  535. for level in LZ4HCCompressor.LEVELS:
  536. compressor_mapping[LZ4HCCompressor.TYPE + level] = \
  537. type('LZ4HCCompressorLevel%d' % level, (LZ4HCCompressor, ), dict(TYPE=LZ4HCCompressor.TYPE + level))
  538. for level in BLOSCLZCompressor.LEVELS:
  539. compressor_mapping[BLOSCLZCompressor.TYPE + level] = \
  540. type('BLOSCLZCompressorLevel%d' % level, (BLOSCLZCompressor, ), dict(TYPE=BLOSCLZCompressor.TYPE + level))
  541. for level in SnappyCompressor.LEVELS:
  542. compressor_mapping[SnappyCompressor.TYPE + level] = \
  543. type('SnappyCompressorLevel%d' % level, (SnappyCompressor, ), dict(TYPE=SnappyCompressor.TYPE + level))
  544. for level in BLOSCZlibCompressor.LEVELS:
  545. compressor_mapping[BLOSCZlibCompressor.TYPE + level] = \
  546. type('BLOSCZlibCompressorLevel%d' % level, (BLOSCZlibCompressor, ), dict(TYPE=BLOSCZlibCompressor.TYPE + level))
  547. # overwrite 0 with NullCompressor
  548. compressor_mapping[NullCompressor.TYPE] = NullCompressor
  549. keyer_mapping = {
  550. KeyfileKey.TYPE: KeyfileKey,
  551. PassphraseKey.TYPE: PassphraseKey,
  552. PlaintextKey.TYPE: PlaintextKey,
  553. }
  554. maccer_mapping = {
  555. # simple hashes, not MACs (but MAC-like class __init__ method signature):
  556. SHA1.TYPE: SHA1,
  557. SHA256.TYPE: SHA256,
  558. SHA512_256.TYPE: SHA512_256,
  559. SHA512.TYPE: SHA512,
  560. GHASH.TYPE: GHASH,
  561. # MACs:
  562. HMAC_SHA1.TYPE: HMAC_SHA1,
  563. HMAC_SHA256.TYPE: HMAC_SHA256,
  564. HMAC_SHA512_256.TYPE: HMAC_SHA512_256,
  565. HMAC_SHA512.TYPE: HMAC_SHA512,
  566. GMAC.TYPE: GMAC,
  567. }
  568. cipher_mapping = {
  569. # no cipher (but cipher-like class __init__ method signature):
  570. PLAIN.TYPE: PLAIN,
  571. # AEAD cipher implementations
  572. AES_CTR_HMAC.TYPE: AES_CTR_HMAC,
  573. AES_GCM.TYPE: AES_GCM,
  574. }
  575. def get_implementations(meta):
  576. try:
  577. compressor = compressor_mapping[meta.compr_type]
  578. keyer = keyer_mapping[meta.key_type]
  579. maccer = maccer_mapping[meta.mac_type]
  580. cipher = cipher_mapping[meta.cipher_type]
  581. except KeyError:
  582. raise UnsupportedPayloadError("compr_type %x key_type %x mac_type %x cipher_type %x" % (
  583. meta.compr_type, meta.key_type, meta.mac_type, meta.cipher_type))
  584. return compressor, keyer, maccer, cipher
  585. def legacy_parser(all_data, key_type): # all rather hardcoded
  586. """
  587. Payload layout:
  588. no encryption: TYPE(1) + data
  589. with encryption: TYPE(1) + HMAC(32) + NONCE(8) + data
  590. data is compressed with zlib level 6 and (in the 2nd case) encrypted.
  591. To reduce payload size only 8 bytes of the 16 bytes nonce is saved
  592. in the payload, the first 8 bytes are always zeros. This does not
  593. affect security but limits the maximum repository capacity to
  594. only 295 exabytes!
  595. """
  596. offset = 1
  597. if key_type == PlaintextKey.TYPE:
  598. mac_type = SHA256.TYPE
  599. mac = None
  600. cipher_type = PLAIN.TYPE
  601. iv = None
  602. data = all_data[offset:]
  603. else:
  604. mac_type = HMAC_SHA256.TYPE
  605. mac = all_data[offset:offset+32]
  606. cipher_type = AES_CTR_HMAC.TYPE
  607. iv = PREFIX + all_data[offset+32:offset+40]
  608. data = all_data[offset+40:]
  609. meta = Meta(compr_type=6, key_type=key_type, mac_type=mac_type,
  610. cipher_type=cipher_type, iv=iv, legacy=True)
  611. return mac, meta, data
  612. def parser00(all_data):
  613. return legacy_parser(all_data, KeyfileKey.TYPE)
  614. def parser01(all_data):
  615. return legacy_parser(all_data, PassphraseKey.TYPE)
  616. def parser02(all_data):
  617. return legacy_parser(all_data, PlaintextKey.TYPE)
  618. def parser03(all_data): # new & flexible
  619. """
  620. Payload layout:
  621. always: TYPE(1) + MSGPACK((mac, meta, data))
  622. meta is a Meta namedtuple and contains all required information about data.
  623. data is maybe compressed (see meta) and maybe encrypted (see meta).
  624. """
  625. max_len = 10000000 # XXX formula?
  626. unpacker = msgpack.Unpacker(
  627. use_list=False,
  628. # avoid memory allocation issues causes by tampered input data.
  629. max_buffer_size=max_len, # does not work in 0.4.6 unpackb C implementation
  630. max_array_len=10, # meta_tuple
  631. max_bin_len=max_len, # data
  632. max_str_len=0, # not used yet
  633. max_map_len=0, # not used yet
  634. max_ext_len=0, # not used yet
  635. )
  636. unpacker.feed(all_data[1:])
  637. mac, meta_tuple, data = unpacker.unpack()
  638. meta = Meta(*meta_tuple)
  639. return mac, meta, data
  640. def parser(data):
  641. parser_mapping = {
  642. 0x00: parser00,
  643. 0x01: parser01,
  644. 0x02: parser02,
  645. 0x03: parser03,
  646. }
  647. header_type = data[0]
  648. parser_func = parser_mapping[header_type]
  649. return parser_func(data)
  650. def key_factory(repository, manifest_data):
  651. mac, meta, data = parser(manifest_data)
  652. compressor, keyer, maccer, cipher = get_implementations(meta)
  653. return keyer.detect(repository, manifest_data)
  654. def generate(mac, meta, data):
  655. # always create new-style 0x03 format
  656. return b'\x03' + msgpack.packb((mac, meta, data), use_bin_type=True)
  657. def compressor_creator(args):
  658. # args == None is used by unit tests
  659. compression = COMPR_DEFAULT if args is None else args.compression
  660. compressor = compressor_mapping.get(compression)
  661. if compressor is None:
  662. raise NotImplementedError("no compression %d" % args.compression)
  663. return compressor
  664. def key_creator(args):
  665. if args.encryption == 'keyfile':
  666. return KeyfileKey
  667. if args.encryption == 'passphrase':
  668. return PassphraseKey
  669. if args.encryption == 'none':
  670. return PlaintextKey
  671. raise NotImplemented("no encryption %s" % args.encryption)
  672. def maccer_creator(args, key_cls):
  673. # args == None is used by unit tests
  674. mac = None if args is None else args.mac
  675. if mac is None:
  676. if key_cls is PlaintextKey:
  677. mac = HASH_DEFAULT
  678. elif key_cls in (KeyfileKey, PassphraseKey):
  679. mac = MAC_DEFAULT
  680. else:
  681. raise NotImplementedError("unknown key class")
  682. maccer = maccer_mapping.get(mac)
  683. if maccer is None:
  684. raise NotImplementedError("no mac %d" % args.mac)
  685. return maccer
  686. def cipher_creator(args, key_cls):
  687. # args == None is used by unit tests
  688. cipher = None if args is None else args.cipher
  689. if cipher is None:
  690. if key_cls is PlaintextKey:
  691. cipher = PLAIN_DEFAULT
  692. elif key_cls in (KeyfileKey, PassphraseKey):
  693. cipher = CIPHER_DEFAULT
  694. else:
  695. raise NotImplementedError("unknown key class")
  696. cipher = cipher_mapping.get(cipher)
  697. if cipher is None:
  698. raise NotImplementedError("no cipher %d" % args.cipher)
  699. return cipher