mirror of
https://github.com/borgbackup/borg.git
synced 2024-12-26 09:47:58 +00:00
key: uses key_cls.TYPES_ACCEPTABLE to dispatch
for now only a quite simple change, replacing the hardcoded PassphraseKey -> RepoKey dispatching.
This commit is contained in:
parent
6cd0f6de49
commit
d42e6f2c41
1 changed files with 12 additions and 5 deletions
|
@ -145,6 +145,8 @@ def tam_required(repository):
|
||||||
class KeyBase:
|
class KeyBase:
|
||||||
# Numeric key type ID, must fit in one byte.
|
# Numeric key type ID, must fit in one byte.
|
||||||
TYPE = None # override in subclasses
|
TYPE = None # override in subclasses
|
||||||
|
# set of key type IDs the class can handle as input
|
||||||
|
TYPES_ACCEPTABLE = None # override in subclasses
|
||||||
|
|
||||||
# Human-readable name
|
# Human-readable name
|
||||||
NAME = 'UNDEFINED'
|
NAME = 'UNDEFINED'
|
||||||
|
@ -259,6 +261,7 @@ def unpack_and_verify_manifest(self, data, force_tam_not_required=False):
|
||||||
|
|
||||||
class PlaintextKey(KeyBase):
|
class PlaintextKey(KeyBase):
|
||||||
TYPE = 0x02
|
TYPE = 0x02
|
||||||
|
TYPES_ACCEPTABLE = {TYPE}
|
||||||
NAME = 'plaintext'
|
NAME = 'plaintext'
|
||||||
ARG_NAME = 'none'
|
ARG_NAME = 'none'
|
||||||
STORAGE = KeyBlobStorage.NO_STORAGE
|
STORAGE = KeyBlobStorage.NO_STORAGE
|
||||||
|
@ -287,7 +290,7 @@ def encrypt(self, chunk):
|
||||||
return b''.join([self.TYPE_STR, data])
|
return b''.join([self.TYPE_STR, data])
|
||||||
|
|
||||||
def decrypt(self, id, data, decompress=True):
|
def decrypt(self, id, data, decompress=True):
|
||||||
if data[0] != self.TYPE:
|
if data[0] not in self.TYPES_ACCEPTABLE:
|
||||||
id_str = bin_to_hex(id) if id is not None else '(unknown)'
|
id_str = bin_to_hex(id) if id is not None else '(unknown)'
|
||||||
raise IntegrityError('Chunk %s: Invalid encryption envelope' % id_str)
|
raise IntegrityError('Chunk %s: Invalid encryption envelope' % id_str)
|
||||||
payload = memoryview(data)[1:]
|
payload = memoryview(data)[1:]
|
||||||
|
@ -367,8 +370,7 @@ def encrypt(self, chunk):
|
||||||
return self.cipher.encrypt(data, header=self.TYPE_STR, iv=next_iv)
|
return self.cipher.encrypt(data, header=self.TYPE_STR, iv=next_iv)
|
||||||
|
|
||||||
def decrypt(self, id, data, decompress=True):
|
def decrypt(self, id, data, decompress=True):
|
||||||
if not (data[0] == self.TYPE or
|
if data[0] not in self.TYPES_ACCEPTABLE:
|
||||||
data[0] == PassphraseKey.TYPE and isinstance(self, RepoKey)):
|
|
||||||
id_str = bin_to_hex(id) if id is not None else '(unknown)'
|
id_str = bin_to_hex(id) if id is not None else '(unknown)'
|
||||||
raise IntegrityError('Chunk %s: Invalid encryption envelope' % id_str)
|
raise IntegrityError('Chunk %s: Invalid encryption envelope' % id_str)
|
||||||
try:
|
try:
|
||||||
|
@ -396,8 +398,7 @@ def init_ciphers(self, manifest_data=None):
|
||||||
if manifest_data is None:
|
if manifest_data is None:
|
||||||
nonce = 0
|
nonce = 0
|
||||||
else:
|
else:
|
||||||
if not (manifest_data[0] == self.TYPE or
|
if manifest_data[0] not in self.TYPES_ACCEPTABLE:
|
||||||
manifest_data[0] == PassphraseKey.TYPE and isinstance(self, RepoKey)):
|
|
||||||
raise IntegrityError('Manifest: Invalid encryption envelope')
|
raise IntegrityError('Manifest: Invalid encryption envelope')
|
||||||
# manifest_blocks is a safe upper bound on the amount of cipher blocks needed
|
# manifest_blocks is a safe upper bound on the amount of cipher blocks needed
|
||||||
# to encrypt the manifest. depending on the ciphersuite and overhead, it might
|
# to encrypt the manifest. depending on the ciphersuite and overhead, it might
|
||||||
|
@ -641,6 +642,7 @@ def get_new_target(self, args):
|
||||||
|
|
||||||
class KeyfileKey(ID_HMAC_SHA_256, KeyfileKeyBase):
|
class KeyfileKey(ID_HMAC_SHA_256, KeyfileKeyBase):
|
||||||
TYPE = 0x00
|
TYPE = 0x00
|
||||||
|
TYPES_ACCEPTABLE = {TYPE}
|
||||||
NAME = 'key file'
|
NAME = 'key file'
|
||||||
ARG_NAME = 'keyfile'
|
ARG_NAME = 'keyfile'
|
||||||
STORAGE = KeyBlobStorage.KEYFILE
|
STORAGE = KeyBlobStorage.KEYFILE
|
||||||
|
@ -731,6 +733,7 @@ def save(self, target, passphrase, create=False):
|
||||||
|
|
||||||
class RepoKey(ID_HMAC_SHA_256, KeyfileKeyBase):
|
class RepoKey(ID_HMAC_SHA_256, KeyfileKeyBase):
|
||||||
TYPE = 0x03
|
TYPE = 0x03
|
||||||
|
TYPES_ACCEPTABLE = {TYPE, PassphraseKey.TYPE}
|
||||||
NAME = 'repokey'
|
NAME = 'repokey'
|
||||||
ARG_NAME = 'repokey'
|
ARG_NAME = 'repokey'
|
||||||
STORAGE = KeyBlobStorage.REPO
|
STORAGE = KeyBlobStorage.REPO
|
||||||
|
@ -770,6 +773,7 @@ def save(self, target, passphrase, create=False):
|
||||||
|
|
||||||
class Blake2KeyfileKey(ID_BLAKE2b_256, KeyfileKey):
|
class Blake2KeyfileKey(ID_BLAKE2b_256, KeyfileKey):
|
||||||
TYPE = 0x04
|
TYPE = 0x04
|
||||||
|
TYPES_ACCEPTABLE = {0x04}
|
||||||
NAME = 'key file BLAKE2b'
|
NAME = 'key file BLAKE2b'
|
||||||
ARG_NAME = 'keyfile-blake2'
|
ARG_NAME = 'keyfile-blake2'
|
||||||
STORAGE = KeyBlobStorage.KEYFILE
|
STORAGE = KeyBlobStorage.KEYFILE
|
||||||
|
@ -780,6 +784,7 @@ class Blake2KeyfileKey(ID_BLAKE2b_256, KeyfileKey):
|
||||||
|
|
||||||
class Blake2RepoKey(ID_BLAKE2b_256, RepoKey):
|
class Blake2RepoKey(ID_BLAKE2b_256, RepoKey):
|
||||||
TYPE = 0x05
|
TYPE = 0x05
|
||||||
|
TYPES_ACCEPTABLE = {TYPE}
|
||||||
NAME = 'repokey BLAKE2b'
|
NAME = 'repokey BLAKE2b'
|
||||||
ARG_NAME = 'repokey-blake2'
|
ARG_NAME = 'repokey-blake2'
|
||||||
STORAGE = KeyBlobStorage.REPO
|
STORAGE = KeyBlobStorage.REPO
|
||||||
|
@ -824,12 +829,14 @@ def decrypt(self, id, data, decompress=True):
|
||||||
|
|
||||||
class AuthenticatedKey(AuthenticatedKeyBase):
|
class AuthenticatedKey(AuthenticatedKeyBase):
|
||||||
TYPE = 0x07
|
TYPE = 0x07
|
||||||
|
TYPES_ACCEPTABLE = {TYPE}
|
||||||
NAME = 'authenticated'
|
NAME = 'authenticated'
|
||||||
ARG_NAME = 'authenticated'
|
ARG_NAME = 'authenticated'
|
||||||
|
|
||||||
|
|
||||||
class Blake2AuthenticatedKey(ID_BLAKE2b_256, AuthenticatedKeyBase):
|
class Blake2AuthenticatedKey(ID_BLAKE2b_256, AuthenticatedKeyBase):
|
||||||
TYPE = 0x06
|
TYPE = 0x06
|
||||||
|
TYPES_ACCEPTABLE = {TYPE}
|
||||||
NAME = 'authenticated BLAKE2b'
|
NAME = 'authenticated BLAKE2b'
|
||||||
ARG_NAME = 'authenticated-blake2'
|
ARG_NAME = 'authenticated-blake2'
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue