mirror of https://github.com/borgbackup/borg.git synced 2024-12-27 10:18:12 +00:00

keyfile: improve key sanity check, fixes #7561

check key file structure, make sure the binary key
is not way too short (or zero) length.

if key file looks strange, emit warnings.
Thomas Waldmann 2023-06-27 20:32:57 +02:00
parent ec1f2dfbf1
commit 58d3dbcec0
No known key found for this signature in database
GPG key ID: 243ACFA951F78E01


@ -1,3 +1,4 @@
import binascii
import hmac import hmac
import os import os
import textwrap import textwrap
@ -615,7 +616,31 @@ def sanity_check(self, filename, id):
raise KeyfileInvalidError(self.repository._location.canonical_path(), filename) raise KeyfileInvalidError(self.repository._location.canonical_path(), filename)
if fd.read(len(repo_id)) != repo_id: if fd.read(len(repo_id)) != repo_id:
raise KeyfileMismatchError(self.repository._location.canonical_path(), filename) raise KeyfileMismatchError(self.repository._location.canonical_path(), filename)
return filename # we get here if it really looks like a borg key for this repo,
# do some more checks that are close to how borg reads/parses the key.
with open(filename, "r") as fd:
lines = fd.readlines()
if len(lines) < 2:
logger.warning(f"borg key sanity check: expected 2+ lines total. [{filename}]")
raise KeyfileInvalidError(self.repository._location.canonical_path(), filename)
if len(lines[0].rstrip()) > len(file_id) + len(repo_id):
logger.warning(f"borg key sanity check: key line 1 seems too long. [{filename}]")
raise KeyfileInvalidError(self.repository._location.canonical_path(), filename)
key_b64 = "".join(lines[1:])
try:
key = a2b_base64(key_b64)
except binascii.Error:
logger.warning(f"borg key sanity check: key line 2+ does not look like base64. [{filename}]")
raise KeyfileInvalidError(self.repository._location.canonical_path(), filename)
if len(key) < 20:
# this is in no way a precise check, usually we have about 400b key data.
logger.warning(
f"borg key sanity check: binary encrypted key data from key line 2+ suspiciously short."
f" [{filename}]"
)
raise KeyfileInvalidError(self.repository._location.canonical_path(), filename)
# looks good!
return filename
def find_key(self): def find_key(self):
if self.STORAGE == KeyBlobStorage.KEYFILE: if self.STORAGE == KeyBlobStorage.KEYFILE:
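Review bot: The second `open(filename, "r")` in `sanity_check` decodes the file with the locale's default encoding, so a file that passes the header comparison but carries undecodable bytes further down would make `fd.readlines()` raise `UnicodeDecodeError`, which none of the new checks turn into `KeyfileInvalidError`. Whether the caller handles that exception is not visible here, so I would keep the whole check in bytes: `with open(filename, "rb") as fd:` and `key_b64 = b"".join(lines[1:])`; `a2b_base64` accepts bytes and the length comparison on `lines[0].rstrip()` works unchanged. Note also that `a2b_base64` in its default mode discards characters outside the base64 alphabet, so the `binascii.Error` branch mostly catches bad padding and the `len(key) < 20` test does most of the work; a short comment saying so would help the next reader. The start of `sanity_check` lies outside this hunk.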