mirror/borg
1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2024-12-26 01:37:20 +00:00
Code Issues Releases Wiki Activity

refactor: borg.key.uses_same_id_hash(key_old, key_new)

Browse source
This commit is contained in:
Thomas Waldmann 2022-05-03 21:32:35 +02:00
parent 3239836dce
commit af776ce7a6
1 changed files with 16 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
src/borg/crypto/key.py
View file

@ -124,6 +124,21 @@ def tam_required(repository):
return os.path.isfile(file) return os.path.isfile(file)
def uses_same_id_hash(other_key, key):
"""other_key -> key upgrade: is the id hash the same?"""
# avoid breaking the deduplication by changing the id hash
old_hmac_sha256_ids = (RepoKey, KeyfileKey)
new_hmac_sha256_ids = (AESOCBRepoKey, AESOCBKeyfileKey, CHPORepoKey, CHPOKeyfileKey)
old_blake2_ids = (Blake2RepoKey, Blake2KeyfileKey)
new_blake2_ids = (Blake2AESOCBRepoKey, Blake2AESOCBKeyfileKey, Blake2CHPORepoKey, Blake2CHPOKeyfileKey)
same_ids = (
isinstance(other_key, old_hmac_sha256_ids + new_hmac_sha256_ids) and isinstance(key, new_hmac_sha256_ids)
or
isinstance(other_key, old_blake2_ids + new_blake2_ids) and isinstance(key, new_blake2_ids)
)
return same_ids
class KeyBase: class KeyBase:
# Numeric key type ID, must fit in one byte. # Numeric key type ID, must fit in one byte.
TYPE = None # override in subclasses TYPE = None # override in subclasses
@ -595,20 +610,7 @@ def create(cls, repository, args, *, other_key=None):
if isinstance(key, AESKeyBase): if isinstance(key, AESKeyBase):
# user must use an AEADKeyBase subclass (AEAD modes with session keys) # user must use an AEADKeyBase subclass (AEAD modes with session keys)
raise Error("Copying key material to an AES-CTR based mode is insecure and unsupported.") raise Error("Copying key material to an AES-CTR based mode is insecure and unsupported.")
# avoid breaking the deduplication by changing the id hash if not uses_same_id_hash(other_key, key):
old_hmac_sha256_ids = (RepoKey, KeyfileKey)
new_hmac_sha256_ids = (AESOCBRepoKey, AESOCBKeyfileKey, CHPORepoKey, CHPOKeyfileKey)
old_blake2_ids = (Blake2RepoKey, Blake2KeyfileKey)
new_blake2_ids = (Blake2AESOCBRepoKey, Blake2AESOCBKeyfileKey, Blake2CHPORepoKey, Blake2CHPOKeyfileKey)
same_ids = (
isinstance(other_key, old_hmac_sha256_ids + new_hmac_sha256_ids)
and isinstance(key, new_hmac_sha256_ids)
or
isinstance(other_key, old_blake2_ids + new_blake2_ids)
and isinstance(key, new_blake2_ids)
)
if not same_ids:
# either keep HMAC-SHA256 or keep BLAKE2b!
raise Error("You must keep the same ID hash (HMAC-SHA256 or BLAKE2b) or deduplication will break.") raise Error("You must keep the same ID hash (HMAC-SHA256 or BLAKE2b) or deduplication will break.")
key.init_from_given_data( key.init_from_given_data(
enc_key=other_key.enc_key, enc_key=other_key.enc_key,