| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421 |
- from binascii import hexlify, a2b_base64, b2a_base64
- import configparser
- import getpass
- import os
- import sys
- import textwrap
- from hmac import HMAC, compare_digest
- from hashlib import sha256, pbkdf2_hmac
- from .helpers import IntegrityError, get_keys_dir, Error
- from .logger import create_logger
- logger = create_logger()
- from .crypto import AES, bytes_to_long, long_to_bytes, bytes_to_int, num_aes_blocks
- from .compress import Compressor, COMPR_BUFFER
- import msgpack
- PREFIX = b'\0' * 8
- class UnsupportedPayloadError(Error):
- """Unsupported payload type {}. A newer version is required to access this repository."""
- class KeyfileNotFoundError(Error):
- """No key file for repository {} found in {}."""
- class RepoKeyNotFoundError(Error):
- """No key entry found in the config of repository {}."""
- def key_creator(repository, args):
- if args.encryption == 'keyfile':
- return KeyfileKey.create(repository, args)
- elif args.encryption == 'repokey':
- return RepoKey.create(repository, args)
- else:
- return PlaintextKey.create(repository, args)
- def key_factory(repository, manifest_data):
- key_type = manifest_data[0]
- if key_type == KeyfileKey.TYPE:
- return KeyfileKey.detect(repository, manifest_data)
- elif key_type == RepoKey.TYPE:
- return RepoKey.detect(repository, manifest_data)
- elif key_type == PassphraseKey.TYPE:
- # we just dispatch to repokey mode and assume the passphrase was migrated to a repokey.
- # see also comment in PassphraseKey class.
- return RepoKey.detect(repository, manifest_data)
- elif key_type == PlaintextKey.TYPE:
- return PlaintextKey.detect(repository, manifest_data)
- else:
- raise UnsupportedPayloadError(key_type)
- class KeyBase:
- TYPE = None # override in subclasses
- def __init__(self, repository):
- self.TYPE_STR = bytes([self.TYPE])
- self.repository = repository
- self.target = None # key location file path / repo obj
- self.compressor = Compressor('none', buffer=COMPR_BUFFER)
- def id_hash(self, data):
- """Return HMAC hash using the "id" HMAC key
- """
- def encrypt(self, data):
- pass
- def decrypt(self, id, data):
- pass
- class PlaintextKey(KeyBase):
- TYPE = 0x02
- chunk_seed = 0
- @classmethod
- def create(cls, repository, args):
- logger.info('Encryption NOT enabled.\nUse the "--encryption=repokey|keyfile" to enable encryption.')
- return cls(repository)
- @classmethod
- def detect(cls, repository, manifest_data):
- return cls(repository)
- def id_hash(self, data):
- return sha256(data).digest()
- def encrypt(self, data):
- return b''.join([self.TYPE_STR, self.compressor.compress(data)])
- def decrypt(self, id, data):
- if data[0] != self.TYPE:
- raise IntegrityError('Invalid encryption envelope')
- data = self.compressor.decompress(memoryview(data)[1:])
- if id and sha256(data).digest() != id:
- raise IntegrityError('Chunk id verification failed')
- return data
- class AESKeyBase(KeyBase):
- """Common base class shared by KeyfileKey and PassphraseKey
- Chunks are encrypted using 256bit AES in Counter Mode (CTR)
- Payload layout: TYPE(1) + HMAC(32) + NONCE(8) + CIPHERTEXT
- To reduce payload size only 8 bytes of the 16 bytes nonce is saved
- in the payload, the first 8 bytes are always zeros. This does not
- affect security but limits the maximum repository capacity to
- only 295 exabytes!
- """
- PAYLOAD_OVERHEAD = 1 + 32 + 8 # TYPE + HMAC + NONCE
- def id_hash(self, data):
- """Return HMAC hash using the "id" HMAC key
- """
- return HMAC(self.id_key, data, sha256).digest()
- def encrypt(self, data):
- data = self.compressor.compress(data)
- self.enc_cipher.reset()
- data = b''.join((self.enc_cipher.iv[8:], self.enc_cipher.encrypt(data)))
- hmac = HMAC(self.enc_hmac_key, data, sha256).digest()
- return b''.join((self.TYPE_STR, hmac, data))
- def decrypt(self, id, data):
- if not (data[0] == self.TYPE or
- data[0] == PassphraseKey.TYPE and isinstance(self, RepoKey)):
- raise IntegrityError('Invalid encryption envelope')
- hmac_given = memoryview(data)[1:33]
- hmac_computed = memoryview(HMAC(self.enc_hmac_key, memoryview(data)[33:], sha256).digest())
- if not compare_digest(hmac_computed, hmac_given):
- raise IntegrityError('Encryption envelope checksum mismatch')
- self.dec_cipher.reset(iv=PREFIX + data[33:41])
- data = self.compressor.decompress(self.dec_cipher.decrypt(data[41:]))
- if id:
- hmac_given = id
- hmac_computed = HMAC(self.id_key, data, sha256).digest()
- if not compare_digest(hmac_computed, hmac_given):
- raise IntegrityError('Chunk id verification failed')
- return data
- def extract_nonce(self, payload):
- if not (payload[0] == self.TYPE or
- payload[0] == PassphraseKey.TYPE and isinstance(self, RepoKey)):
- raise IntegrityError('Invalid encryption envelope')
- nonce = bytes_to_long(payload[33:41])
- return nonce
- def init_from_random_data(self, data):
- self.enc_key = data[0:32]
- self.enc_hmac_key = data[32:64]
- self.id_key = data[64:96]
- self.chunk_seed = bytes_to_int(data[96:100])
- # Convert to signed int32
- if self.chunk_seed & 0x80000000:
- self.chunk_seed = self.chunk_seed - 0xffffffff - 1
- def init_ciphers(self, enc_iv=b''):
- self.enc_cipher = AES(is_encrypt=True, key=self.enc_key, iv=enc_iv)
- self.dec_cipher = AES(is_encrypt=False, key=self.enc_key)
- class Passphrase(str):
- @classmethod
- def env_passphrase(cls, default=None):
- passphrase = os.environ.get('BORG_PASSPHRASE', default)
- if passphrase is not None:
- return cls(passphrase)
- @classmethod
- def getpass(cls, prompt):
- return cls(getpass.getpass(prompt))
- @classmethod
- def new(cls, allow_empty=False):
- passphrase = cls.env_passphrase()
- if passphrase is not None:
- return passphrase
- while True:
- passphrase = cls.getpass('Enter new passphrase: ')
- if allow_empty or passphrase:
- passphrase2 = cls.getpass('Enter same passphrase again: ')
- if passphrase == passphrase2:
- logger.info('Remember your passphrase. Your data will be inaccessible without it.')
- return passphrase
- else:
- print('Passphrases do not match', file=sys.stderr)
- else:
- print('Passphrase must not be blank', file=sys.stderr)
- def __repr__(self):
- return '<Passphrase "***hidden***">'
- def kdf(self, salt, iterations, length):
- return pbkdf2_hmac('sha256', self.encode('utf-8'), salt, iterations, length)
- class PassphraseKey(AESKeyBase):
- # This mode was killed in borg 1.0, see: https://github.com/borgbackup/borg/issues/97
- # Reasons:
- # - you can never ever change your passphrase for existing repos.
- # - you can never ever use a different iterations count for existing repos.
- # "Killed" means:
- # - there is no automatic dispatch to this class via type byte
- # - --encryption=passphrase is an invalid argument now
- # This class is kept for a while to support migration from passphrase to repokey mode.
- TYPE = 0x01
- iterations = 100000 # must not be changed ever!
- @classmethod
- def create(cls, repository, args):
- key = cls(repository)
- logger.warning('WARNING: "passphrase" mode is unsupported since borg 1.0.')
- passphrase = Passphrase.new(allow_empty=False)
- key.init(repository, passphrase)
- return key
- @classmethod
- def detect(cls, repository, manifest_data):
- prompt = 'Enter passphrase for %s: ' % repository._location.orig
- key = cls(repository)
- passphrase = Passphrase.env_passphrase()
- if passphrase is None:
- passphrase = Passphrase.getpass(prompt)
- while True:
- key.init(repository, passphrase)
- try:
- key.decrypt(None, manifest_data)
- num_blocks = num_aes_blocks(len(manifest_data) - 41)
- key.init_ciphers(PREFIX + long_to_bytes(key.extract_nonce(manifest_data) + num_blocks))
- return key
- except IntegrityError:
- passphrase = Passphrase.getpass(prompt)
- def change_passphrase(self):
- class ImmutablePassphraseError(Error):
- """The passphrase for this encryption key type can't be changed."""
- raise ImmutablePassphraseError
- def init(self, repository, passphrase):
- self.init_from_random_data(passphrase.kdf(repository.id, self.iterations, 100))
- self.init_ciphers()
- class KeyfileKeyBase(AESKeyBase):
- @classmethod
- def detect(cls, repository, manifest_data):
- key = cls(repository)
- target = key.find_key()
- prompt = 'Enter passphrase for key %s: ' % target
- passphrase = Passphrase.env_passphrase(default='')
- while not key.load(target, passphrase):
- passphrase = Passphrase.getpass(prompt)
- num_blocks = num_aes_blocks(len(manifest_data) - 41)
- key.init_ciphers(PREFIX + long_to_bytes(key.extract_nonce(manifest_data) + num_blocks))
- return key
- def find_key(self):
- raise NotImplementedError
- def load(self, target, passphrase):
- raise NotImplementedError
- def _load(self, key_data, passphrase):
- cdata = a2b_base64(key_data)
- data = self.decrypt_key_file(cdata, passphrase)
- if data:
- key = msgpack.unpackb(data)
- if key[b'version'] != 1:
- raise IntegrityError('Invalid key file header')
- self.repository_id = key[b'repository_id']
- self.enc_key = key[b'enc_key']
- self.enc_hmac_key = key[b'enc_hmac_key']
- self.id_key = key[b'id_key']
- self.chunk_seed = key[b'chunk_seed']
- return True
- return False
- def decrypt_key_file(self, data, passphrase):
- d = msgpack.unpackb(data)
- assert d[b'version'] == 1
- assert d[b'algorithm'] == b'sha256'
- key = passphrase.kdf(d[b'salt'], d[b'iterations'], 32)
- data = AES(is_encrypt=False, key=key).decrypt(d[b'data'])
- if HMAC(key, data, sha256).digest() == d[b'hash']:
- return data
- def encrypt_key_file(self, data, passphrase):
- salt = os.urandom(32)
- iterations = 100000
- key = passphrase.kdf(salt, iterations, 32)
- hash = HMAC(key, data, sha256).digest()
- cdata = AES(is_encrypt=True, key=key).encrypt(data)
- d = {
- 'version': 1,
- 'salt': salt,
- 'iterations': iterations,
- 'algorithm': 'sha256',
- 'hash': hash,
- 'data': cdata,
- }
- return msgpack.packb(d)
- def _save(self, passphrase):
- key = {
- 'version': 1,
- 'repository_id': self.repository_id,
- 'enc_key': self.enc_key,
- 'enc_hmac_key': self.enc_hmac_key,
- 'id_key': self.id_key,
- 'chunk_seed': self.chunk_seed,
- }
- data = self.encrypt_key_file(msgpack.packb(key), passphrase)
- key_data = '\n'.join(textwrap.wrap(b2a_base64(data).decode('ascii')))
- return key_data
- def change_passphrase(self):
- passphrase = Passphrase.new(allow_empty=True)
- self.save(self.target, passphrase)
- logger.info('Key updated')
- @classmethod
- def create(cls, repository, args):
- passphrase = Passphrase.new(allow_empty=True)
- key = cls(repository)
- key.repository_id = repository.id
- key.init_from_random_data(os.urandom(100))
- key.init_ciphers()
- target = key.get_new_target(args)
- key.save(target, passphrase)
- logger.info('Key in "%s" created.' % target)
- logger.info('Keep this key safe. Your data will be inaccessible without it.')
- return key
- def save(self, target, passphrase):
- raise NotImplementedError
- def get_new_target(self, args):
- raise NotImplementedError
- class KeyfileKey(KeyfileKeyBase):
- TYPE = 0x00
- FILE_ID = 'BORG_KEY'
- def find_key(self):
- id = hexlify(self.repository.id).decode('ascii')
- keys_dir = get_keys_dir()
- for name in os.listdir(keys_dir):
- filename = os.path.join(keys_dir, name)
- with open(filename, 'r') as fd:
- line = fd.readline().strip()
- if line.startswith(self.FILE_ID) and line[len(self.FILE_ID) + 1:] == id:
- return filename
- raise KeyfileNotFoundError(self.repository._location.canonical_path(), get_keys_dir())
- def get_new_target(self, args):
- filename = args.location.to_key_filename()
- path = filename
- i = 1
- while os.path.exists(path):
- i += 1
- path = filename + '.%d' % i
- return path
- def load(self, target, passphrase):
- with open(target, 'r') as fd:
- key_data = ''.join(fd.readlines()[1:])
- success = self._load(key_data, passphrase)
- if success:
- self.target = target
- return success
- def save(self, target, passphrase):
- key_data = self._save(passphrase)
- with open(target, 'w') as fd:
- fd.write('%s %s\n' % (self.FILE_ID, hexlify(self.repository_id).decode('ascii')))
- fd.write(key_data)
- fd.write('\n')
- self.target = target
- class RepoKey(KeyfileKeyBase):
- TYPE = 0x03
- def find_key(self):
- loc = self.repository._location.canonical_path()
- try:
- self.repository.load_key()
- return loc
- except configparser.NoOptionError:
- raise RepoKeyNotFoundError(loc) from None
- def get_new_target(self, args):
- return self.repository
- def load(self, target, passphrase):
- # what we get in target is just a repo location, but we already have the repo obj:
- target = self.repository
- key_data = target.load_key()
- key_data = key_data.decode('utf-8') # remote repo: msgpack issue #99, getting bytes
- success = self._load(key_data, passphrase)
- if success:
- self.target = target
- return success
- def save(self, target, passphrase):
- key_data = self._save(passphrase)
- key_data = key_data.encode('utf-8') # remote repo: msgpack issue #99, giving bytes
- target.save_key(key_data)
- self.target = target
|
