key.py 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422
  1. from binascii import hexlify, a2b_base64, b2a_base64
  2. import configparser
  3. import getpass
  4. import os
  5. import textwrap
  6. import hmac
  7. from hashlib import sha256
  8. from .helpers import IntegrityError, get_keys_dir, Error, have_cython
  9. from .logger import create_logger
  10. logger = create_logger()
  11. if have_cython():
  12. from .crypto import pbkdf2_sha256, get_random_bytes, AES, bytes_to_long, long_to_bytes, bytes_to_int, num_aes_blocks
  13. from .compress import Compressor, COMPR_BUFFER
  14. import msgpack
  15. PREFIX = b'\0' * 8
  16. class UnsupportedPayloadError(Error):
  17. """Unsupported payload type {}. A newer version is required to access this repository.
  18. """
  19. class KeyfileNotFoundError(Error):
  20. """No key file for repository {} found in {}.
  21. """
  22. class RepoKeyNotFoundError(Error):
  23. """No key entry found in the config of repository {}.
  24. """
  25. class HMAC(hmac.HMAC):
  26. """Workaround a bug in Python < 3.4 Where HMAC does not accept memoryviews
  27. """
  28. def update(self, msg):
  29. self.inner.update(msg)
  30. def key_creator(repository, args):
  31. if args.encryption == 'keyfile':
  32. return KeyfileKey.create(repository, args)
  33. elif args.encryption == 'repokey':
  34. return RepoKey.create(repository, args)
  35. elif args.encryption == 'passphrase': # deprecated, kill in 1.x
  36. return PassphraseKey.create(repository, args)
  37. else:
  38. return PlaintextKey.create(repository, args)
  39. def key_factory(repository, manifest_data):
  40. key_type = manifest_data[0]
  41. if key_type == KeyfileKey.TYPE:
  42. return KeyfileKey.detect(repository, manifest_data)
  43. elif key_type == RepoKey.TYPE:
  44. return RepoKey.detect(repository, manifest_data)
  45. elif key_type == PassphraseKey.TYPE: # deprecated, kill in 1.x
  46. return PassphraseKey.detect(repository, manifest_data)
  47. elif key_type == PlaintextKey.TYPE:
  48. return PlaintextKey.detect(repository, manifest_data)
  49. else:
  50. raise UnsupportedPayloadError(key_type)
  51. class KeyBase:
  52. TYPE = None # override in subclasses
  53. def __init__(self, repository):
  54. self.TYPE_STR = bytes([self.TYPE])
  55. self.repository = repository
  56. self.target = None # key location file path / repo obj
  57. self.compressor = Compressor('none', buffer=COMPR_BUFFER)
  58. def id_hash(self, data):
  59. """Return HMAC hash using the "id" HMAC key
  60. """
  61. def encrypt(self, data):
  62. pass
  63. def decrypt(self, id, data):
  64. pass
  65. class PlaintextKey(KeyBase):
  66. TYPE = 0x02
  67. chunk_seed = 0
  68. @classmethod
  69. def create(cls, repository, args):
  70. logger.info('Encryption NOT enabled.\nUse the "--encryption=repokey|keyfile|passphrase" to enable encryption.')
  71. return cls(repository)
  72. @classmethod
  73. def detect(cls, repository, manifest_data):
  74. return cls(repository)
  75. def id_hash(self, data):
  76. return sha256(data).digest()
  77. def encrypt(self, data):
  78. return b''.join([self.TYPE_STR, self.compressor.compress(data)])
  79. def decrypt(self, id, data):
  80. if data[0] != self.TYPE:
  81. raise IntegrityError('Invalid encryption envelope')
  82. data = self.compressor.decompress(memoryview(data)[1:])
  83. if id and sha256(data).digest() != id:
  84. raise IntegrityError('Chunk id verification failed')
  85. return data
  86. class AESKeyBase(KeyBase):
  87. """Common base class shared by KeyfileKey and PassphraseKey
  88. Chunks are encrypted using 256bit AES in Counter Mode (CTR)
  89. Payload layout: TYPE(1) + HMAC(32) + NONCE(8) + CIPHERTEXT
  90. To reduce payload size only 8 bytes of the 16 bytes nonce is saved
  91. in the payload, the first 8 bytes are always zeros. This does not
  92. affect security but limits the maximum repository capacity to
  93. only 295 exabytes!
  94. """
  95. PAYLOAD_OVERHEAD = 1 + 32 + 8 # TYPE + HMAC + NONCE
  96. def id_hash(self, data):
  97. """Return HMAC hash using the "id" HMAC key
  98. """
  99. return HMAC(self.id_key, data, sha256).digest()
  100. def encrypt(self, data):
  101. data = self.compressor.compress(data)
  102. self.enc_cipher.reset()
  103. data = b''.join((self.enc_cipher.iv[8:], self.enc_cipher.encrypt(data)))
  104. hmac = HMAC(self.enc_hmac_key, data, sha256).digest()
  105. return b''.join((self.TYPE_STR, hmac, data))
  106. def decrypt(self, id, data):
  107. if data[0] != self.TYPE:
  108. raise IntegrityError('Invalid encryption envelope')
  109. hmac = memoryview(data)[1:33]
  110. if memoryview(HMAC(self.enc_hmac_key, memoryview(data)[33:], sha256).digest()) != hmac:
  111. raise IntegrityError('Encryption envelope checksum mismatch')
  112. self.dec_cipher.reset(iv=PREFIX + data[33:41])
  113. data = self.compressor.decompress(self.dec_cipher.decrypt(data[41:]))
  114. if id and HMAC(self.id_key, data, sha256).digest() != id:
  115. raise IntegrityError('Chunk id verification failed')
  116. return data
  117. def extract_nonce(self, payload):
  118. if payload[0] != self.TYPE:
  119. raise IntegrityError('Invalid encryption envelope')
  120. nonce = bytes_to_long(payload[33:41])
  121. return nonce
  122. def init_from_random_data(self, data):
  123. self.enc_key = data[0:32]
  124. self.enc_hmac_key = data[32:64]
  125. self.id_key = data[64:96]
  126. self.chunk_seed = bytes_to_int(data[96:100])
  127. # Convert to signed int32
  128. if self.chunk_seed & 0x80000000:
  129. self.chunk_seed = self.chunk_seed - 0xffffffff - 1
  130. def init_ciphers(self, enc_iv=b''):
  131. self.enc_cipher = AES(is_encrypt=True, key=self.enc_key, iv=enc_iv)
  132. self.dec_cipher = AES(is_encrypt=False, key=self.enc_key)
  133. class Passphrase(str):
  134. @classmethod
  135. def env_passphrase(cls, default=None):
  136. passphrase = os.environ.get('BORG_PASSPHRASE', default)
  137. if passphrase is not None:
  138. return cls(passphrase)
  139. @classmethod
  140. def getpass(cls, prompt):
  141. return cls(getpass.getpass(prompt))
  142. @classmethod
  143. def new(cls, allow_empty=False):
  144. passphrase = cls.env_passphrase()
  145. if passphrase is not None:
  146. return passphrase
  147. while True:
  148. passphrase = cls.getpass('Enter new passphrase: ')
  149. if allow_empty or passphrase:
  150. passphrase2 = cls.getpass('Enter same passphrase again: ')
  151. if passphrase == passphrase2:
  152. logger.info('Remember your passphrase. Your data will be inaccessible without it.')
  153. return passphrase
  154. else:
  155. print('Passphrases do not match', file=sys.stderr)
  156. else:
  157. print('Passphrase must not be blank', file=sys.stderr)
  158. def __repr__(self):
  159. return '<Passphrase "***hidden***">'
  160. def kdf(self, salt, iterations, length):
  161. return pbkdf2_sha256(self.encode('utf-8'), salt, iterations, length)
  162. class PassphraseKey(AESKeyBase):
  163. # This mode is DEPRECATED and will be killed at 1.0 release.
  164. # With this mode:
  165. # - you can never ever change your passphrase for existing repos.
  166. # - you can never ever use a different iterations count for existing repos.
  167. TYPE = 0x01
  168. iterations = 100000 # must not be changed ever!
  169. @classmethod
  170. def create(cls, repository, args):
  171. key = cls(repository)
  172. logger.warning('WARNING: "passphrase" mode is deprecated and will be removed in 1.0.')
  173. logger.warning('If you want something similar (but with less issues), use "repokey" mode.')
  174. passphrase = Passphrase.new(allow_empty=False)
  175. key.init(repository, passphrase)
  176. return key
  177. @classmethod
  178. def detect(cls, repository, manifest_data):
  179. prompt = 'Enter passphrase for %s: ' % repository._location.orig
  180. key = cls(repository)
  181. passphrase = Passphrase.env_passphrase()
  182. if passphrase is None:
  183. passphrase = Passphrase.getpass(prompt)
  184. while True:
  185. key.init(repository, passphrase)
  186. try:
  187. key.decrypt(None, manifest_data)
  188. num_blocks = num_aes_blocks(len(manifest_data) - 41)
  189. key.init_ciphers(PREFIX + long_to_bytes(key.extract_nonce(manifest_data) + num_blocks))
  190. return key
  191. except IntegrityError:
  192. passphrase = Passphrase.getpass(prompt)
  193. def change_passphrase(self):
  194. class ImmutablePassphraseError(Error):
  195. """The passphrase for this encryption key type can't be changed."""
  196. raise ImmutablePassphraseError
  197. def init(self, repository, passphrase):
  198. self.init_from_random_data(passphrase.kdf(repository.id, self.iterations, 100))
  199. self.init_ciphers()
  200. class KeyfileKeyBase(AESKeyBase):
  201. @classmethod
  202. def detect(cls, repository, manifest_data):
  203. key = cls(repository)
  204. target = key.find_key()
  205. prompt = 'Enter passphrase for key %s: ' % target
  206. passphrase = Passphrase.env_passphrase(default='')
  207. while not key.load(target, passphrase):
  208. passphrase = Passphrase.getpass(prompt)
  209. num_blocks = num_aes_blocks(len(manifest_data) - 41)
  210. key.init_ciphers(PREFIX + long_to_bytes(key.extract_nonce(manifest_data) + num_blocks))
  211. return key
  212. def find_key(self):
  213. raise NotImplementedError
  214. def load(self, target, passphrase):
  215. raise NotImplementedError
  216. def _load(self, key_data, passphrase):
  217. cdata = a2b_base64(key_data.encode('ascii')) # .encode needed for Python 3.[0-2]
  218. data = self.decrypt_key_file(cdata, passphrase)
  219. if data:
  220. key = msgpack.unpackb(data)
  221. if key[b'version'] != 1:
  222. raise IntegrityError('Invalid key file header')
  223. self.repository_id = key[b'repository_id']
  224. self.enc_key = key[b'enc_key']
  225. self.enc_hmac_key = key[b'enc_hmac_key']
  226. self.id_key = key[b'id_key']
  227. self.chunk_seed = key[b'chunk_seed']
  228. return True
  229. return False
  230. def decrypt_key_file(self, data, passphrase):
  231. d = msgpack.unpackb(data)
  232. assert d[b'version'] == 1
  233. assert d[b'algorithm'] == b'sha256'
  234. key = passphrase.kdf(d[b'salt'], d[b'iterations'], 32)
  235. data = AES(is_encrypt=False, key=key).decrypt(d[b'data'])
  236. if HMAC(key, data, sha256).digest() == d[b'hash']:
  237. return data
  238. def encrypt_key_file(self, data, passphrase):
  239. salt = get_random_bytes(32)
  240. iterations = 100000
  241. key = passphrase.kdf(salt, iterations, 32)
  242. hash = HMAC(key, data, sha256).digest()
  243. cdata = AES(is_encrypt=True, key=key).encrypt(data)
  244. d = {
  245. 'version': 1,
  246. 'salt': salt,
  247. 'iterations': iterations,
  248. 'algorithm': 'sha256',
  249. 'hash': hash,
  250. 'data': cdata,
  251. }
  252. return msgpack.packb(d)
  253. def _save(self, passphrase):
  254. key = {
  255. 'version': 1,
  256. 'repository_id': self.repository_id,
  257. 'enc_key': self.enc_key,
  258. 'enc_hmac_key': self.enc_hmac_key,
  259. 'id_key': self.id_key,
  260. 'chunk_seed': self.chunk_seed,
  261. }
  262. data = self.encrypt_key_file(msgpack.packb(key), passphrase)
  263. key_data = '\n'.join(textwrap.wrap(b2a_base64(data).decode('ascii')))
  264. return key_data
  265. def change_passphrase(self):
  266. passphrase = Passphrase.new(allow_empty=True)
  267. self.save(self.target, passphrase)
  268. logger.info('Key updated')
  269. @classmethod
  270. def create(cls, repository, args):
  271. passphrase = Passphrase.new(allow_empty=True)
  272. key = cls(repository)
  273. key.repository_id = repository.id
  274. key.init_from_random_data(get_random_bytes(100))
  275. key.init_ciphers()
  276. target = key.get_new_target(args)
  277. key.save(target, passphrase)
  278. logger.info('Key in "%s" created.' % target)
  279. logger.info('Keep this key safe. Your data will be inaccessible without it.')
  280. return key
  281. def save(self, target, passphrase):
  282. raise NotImplementedError
  283. def get_new_target(self, args):
  284. raise NotImplementedError
  285. class KeyfileKey(KeyfileKeyBase):
  286. TYPE = 0x00
  287. FILE_ID = 'BORG_KEY'
  288. def find_key(self):
  289. id = hexlify(self.repository.id).decode('ascii')
  290. keys_dir = get_keys_dir()
  291. for name in os.listdir(keys_dir):
  292. filename = os.path.join(keys_dir, name)
  293. with open(filename, 'r') as fd:
  294. line = fd.readline().strip()
  295. if line.startswith(self.FILE_ID) and line[len(self.FILE_ID)+1:] == id:
  296. return filename
  297. raise KeyfileNotFoundError(self.repository._location.canonical_path(), get_keys_dir())
  298. def get_new_target(self, args):
  299. filename = args.repository.to_key_filename()
  300. path = filename
  301. i = 1
  302. while os.path.exists(path):
  303. i += 1
  304. path = filename + '.%d' % i
  305. return path
  306. def load(self, target, passphrase):
  307. with open(target, 'r') as fd:
  308. key_data = ''.join(fd.readlines()[1:])
  309. success = self._load(key_data, passphrase)
  310. if success:
  311. self.target = target
  312. return success
  313. def save(self, target, passphrase):
  314. key_data = self._save(passphrase)
  315. with open(target, 'w') as fd:
  316. fd.write('%s %s\n' % (self.FILE_ID, hexlify(self.repository_id).decode('ascii')))
  317. fd.write(key_data)
  318. fd.write('\n')
  319. self.target = target
  320. class RepoKey(KeyfileKeyBase):
  321. TYPE = 0x03
  322. def find_key(self):
  323. loc = self.repository._location.canonical_path()
  324. try:
  325. self.repository.load_key()
  326. return loc
  327. except configparser.NoOptionError:
  328. raise RepoKeyNotFoundError(loc)
  329. def get_new_target(self, args):
  330. return self.repository
  331. def load(self, target, passphrase):
  332. # what we get in target is just a repo location, but we already have the repo obj:
  333. target = self.repository
  334. key_data = target.load_key()
  335. key_data = key_data.decode('utf-8') # remote repo: msgpack issue #99, getting bytes
  336. success = self._load(key_data, passphrase)
  337. if success:
  338. self.target = target
  339. return success
  340. def save(self, target, passphrase):
  341. key_data = self._save(passphrase)
  342. key_data = key_data.encode('utf-8') # remote repo: msgpack issue #99, giving bytes
  343. target.save_key(key_data)
  344. self.target = target