rcreate: remove legacy encryption modes for new repos, fixes #6490
These are the legacy crypto modes, based on AES-CTR mode: (repokey|keyfile)[-blake2]. The new crypto modes use session keys and AEAD ciphers: (repokey|keyfile)[-blake2]-(aes-ocb|chacha20-poly1305). Tests needed some changes: most tests used repokey/keyfile and were changed to the new modes; some nonce tests were removed, since the new crypto code no longer generates the repo-side nonces (they were only used for AES-CTR).
parent
677de50364
commit
dc2f2f47a8
|
@ -48,6 +48,8 @@ try:
|
|||
from .compress import CompressionSpec, ZLIB, ZLIB_legacy, ObfuscateSize
|
||||
from .crypto.key import key_creator, key_argument_names, tam_required_file, tam_required
|
||||
from .crypto.key import RepoKey, KeyfileKey, Blake2RepoKey, Blake2KeyfileKey, FlexiKey
|
||||
from .crypto.key import AESOCBRepoKey, CHPORepoKey, Blake2AESOCBRepoKey, Blake2CHPORepoKey
|
||||
from .crypto.key import AESOCBKeyfileKey, CHPOKeyfileKey, Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey
|
||||
from .crypto.keymanager import KeyManager
|
||||
from .helpers import EXIT_SUCCESS, EXIT_WARNING, EXIT_ERROR, EXIT_SIGNAL_BASE
|
||||
from .helpers import Error, NoManifestError, set_ec
|
||||
|
@ -503,28 +505,32 @@ class Archiver:
|
|||
return EXIT_ERROR
|
||||
|
||||
if args.key_mode == 'keyfile':
|
||||
if isinstance(key, RepoKey):
|
||||
key_new = KeyfileKey(repository)
|
||||
elif isinstance(key, Blake2RepoKey):
|
||||
key_new = Blake2KeyfileKey(repository)
|
||||
elif isinstance(key, (KeyfileKey, Blake2KeyfileKey)):
|
||||
print(f"Location already is {args.key_mode}")
|
||||
return EXIT_SUCCESS
|
||||
if isinstance(key, AESOCBRepoKey):
|
||||
key_new = AESOCBKeyfileKey(repository)
|
||||
elif isinstance(key, CHPORepoKey):
|
||||
key_new = CHPOKeyfileKey(repository)
|
||||
elif isinstance(key, Blake2AESOCBRepoKey):
|
||||
key_new = Blake2AESOCBKeyfileKey(repository)
|
||||
elif isinstance(key, Blake2CHPORepoKey):
|
||||
key_new = Blake2CHPOKeyfileKey(repository)
|
||||
else:
|
||||
raise Error("Unsupported key type")
|
||||
print("Change not needed or not supported.")
|
||||
return EXIT_WARNING
|
||||
if args.key_mode == 'repokey':
|
||||
if isinstance(key, KeyfileKey):
|
||||
key_new = RepoKey(repository)
|
||||
elif isinstance(key, Blake2KeyfileKey):
|
||||
key_new = Blake2RepoKey(repository)
|
||||
elif isinstance(key, (RepoKey, Blake2RepoKey)):
|
||||
print(f"Location already is {args.key_mode}")
|
||||
return EXIT_SUCCESS
|
||||
if isinstance(key, AESOCBKeyfileKey):
|
||||
key_new = AESOCBRepoKey(repository)
|
||||
elif isinstance(key, CHPOKeyfileKey):
|
||||
key_new = CHPORepoKey(repository)
|
||||
elif isinstance(key, Blake2AESOCBKeyfileKey):
|
||||
key_new = Blake2AESOCBRepoKey(repository)
|
||||
elif isinstance(key, Blake2CHPOKeyfileKey):
|
||||
key_new = Blake2CHPORepoKey(repository)
|
||||
else:
|
||||
raise Error("Unsupported key type")
|
||||
print("Change not needed or not supported.")
|
||||
return EXIT_WARNING
|
||||
|
||||
for name in ('repository_id', 'enc_key', 'enc_hmac_key', 'id_key', 'chunk_seed',
|
||||
'tam_required', 'nonce_manager', 'cipher'):
|
||||
'tam_required', 'sessionid', 'cipher'):
|
||||
value = getattr(key, name)
|
||||
setattr(key_new, name, value)
|
||||
|
||||
|
|
|
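Review bot: In the `keyfile` branch (the block starting `if args.key_mode == 'keyfile':`), a key that is already one of the four AEAD keyfile classes matches none of the new `isinstance` arms and falls through to the `else:`, which, as far as the flattened layout shows, prints `Change not needed or not supported.` and returns `EXIT_WARNING`; the `Location already is …` / `EXIT_SUCCESS` arm that the removed legacy lines carried is not re-created for the AEAD types. A no-op request therefore reports a warning exit status that scripts will treat as a failure, and it is indistinguishable from a legacy AES-CTR key that genuinely cannot be relocated here. Keep the distinction by adding before the `else:` the arm `elif isinstance(key, (AESOCBKeyfileKey, CHPOKeyfileKey, Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey)):` / `print(f"Location already is {args.key_mode}")` / `return EXIT_SUCCESS`, and the mirror arm with the four `*RepoKey` classes in the `repokey` branch. The `else:` message could also say that legacy AES-CTR key types are not supported by this command, so the user is not left guessing why nothing happened. The enclosing method starts before this hunk.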
@ -98,7 +98,7 @@ def identify_key(manifest_data):
|
|||
if key_type == KeyType.PASSPHRASE: # legacy, see comment in KeyType class.
|
||||
return RepoKey
|
||||
|
||||
for key in AVAILABLE_KEY_TYPES:
|
||||
for key in LEGACY_KEY_TYPES + AVAILABLE_KEY_TYPES:
|
||||
if key.TYPE == key_type:
|
||||
return key
|
||||
else:
|
||||
|
@ -977,7 +977,7 @@ class CHPORepoKey(ID_HMAC_SHA_256, AEADKeyBase, FlexiKey):
|
|||
class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
||||
TYPE = KeyType.BLAKE2AESOCBKEYFILE
|
||||
NAME = 'key file Blake2b AES-OCB'
|
||||
NAME = 'key file BLAKE2b AES-OCB'
|
||||
ARG_NAME = 'keyfile-blake2-aes-ocb'
|
||||
STORAGE = KeyBlobStorage.KEYFILE
|
||||
CIPHERSUITE = AES256_OCB
|
||||
|
@ -986,7 +986,7 @@ class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
|||
class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
||||
TYPE = KeyType.BLAKE2AESOCBREPO
|
||||
NAME = 'repokey Blake2b AES-OCB'
|
||||
NAME = 'repokey BLAKE2b AES-OCB'
|
||||
ARG_NAME = 'repokey-blake2-aes-ocb'
|
||||
STORAGE = KeyBlobStorage.REPO
|
||||
CIPHERSUITE = AES256_OCB
|
||||
|
@ -995,7 +995,7 @@ class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
|||
class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
||||
TYPE = KeyType.BLAKE2CHPOKEYFILE
|
||||
NAME = 'key file Blake2b ChaCha20-Poly1305'
|
||||
NAME = 'key file BLAKE2b ChaCha20-Poly1305'
|
||||
ARG_NAME = 'keyfile-blake2-chacha20-poly1305'
|
||||
STORAGE = KeyBlobStorage.KEYFILE
|
||||
CIPHERSUITE = CHACHA20_POLY1305
|
||||
|
@ -1004,16 +1004,23 @@ class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
|||
class Blake2CHPORepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
||||
TYPE = KeyType.BLAKE2CHPOREPO
|
||||
NAME = 'repokey Blake2b ChaCha20-Poly1305'
|
||||
NAME = 'repokey BLAKE2b ChaCha20-Poly1305'
|
||||
ARG_NAME = 'repokey-blake2-chacha20-poly1305'
|
||||
STORAGE = KeyBlobStorage.REPO
|
||||
CIPHERSUITE = CHACHA20_POLY1305
|
||||
|
||||
|
||||
LEGACY_KEY_TYPES = (
|
||||
# legacy (AES-CTR based) crypto
|
||||
KeyfileKey, RepoKey,
|
||||
Blake2KeyfileKey, Blake2RepoKey,
|
||||
)
|
||||
|
||||
AVAILABLE_KEY_TYPES = (
|
||||
# these are available encryption modes for new repositories
|
||||
# not encrypted modes
|
||||
PlaintextKey,
|
||||
KeyfileKey, RepoKey, AuthenticatedKey,
|
||||
Blake2KeyfileKey, Blake2RepoKey, Blake2AuthenticatedKey,
|
||||
AuthenticatedKey, Blake2AuthenticatedKey,
|
||||
# new crypto
|
||||
AESOCBKeyfileKey, AESOCBRepoKey,
|
||||
CHPOKeyfileKey, CHPORepoKey,
|
||||
|
|