mirror of https://github.com/borgbackup/borg.git
rcreate: remove legacy encryption modes for new repos, fixes #6490
These are the legacy crypto modes based on AES-CTR: (repokey|keyfile)[-blake2]. The new crypto modes, with session keys and AEAD ciphers, are: (repokey|keyfile)[-blake2]-(aes-ocb|chacha20-poly1305). Tests needed some changes: most used repokey/keyfile and were changed to the new modes; some nonce tests were removed, since the new crypto code no longer generates the repository-side nonces (they were only used for AES-CTR).
parent
677de50364
commit
dc2f2f47a8
|
@ -48,6 +48,8 @@ try:
|
||||||
from .compress import CompressionSpec, ZLIB, ZLIB_legacy, ObfuscateSize
|
from .compress import CompressionSpec, ZLIB, ZLIB_legacy, ObfuscateSize
|
||||||
from .crypto.key import key_creator, key_argument_names, tam_required_file, tam_required
|
from .crypto.key import key_creator, key_argument_names, tam_required_file, tam_required
|
||||||
from .crypto.key import RepoKey, KeyfileKey, Blake2RepoKey, Blake2KeyfileKey, FlexiKey
|
from .crypto.key import RepoKey, KeyfileKey, Blake2RepoKey, Blake2KeyfileKey, FlexiKey
|
||||||
|
from .crypto.key import AESOCBRepoKey, CHPORepoKey, Blake2AESOCBRepoKey, Blake2CHPORepoKey
|
||||||
|
from .crypto.key import AESOCBKeyfileKey, CHPOKeyfileKey, Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey
|
||||||
from .crypto.keymanager import KeyManager
|
from .crypto.keymanager import KeyManager
|
||||||
from .helpers import EXIT_SUCCESS, EXIT_WARNING, EXIT_ERROR, EXIT_SIGNAL_BASE
|
from .helpers import EXIT_SUCCESS, EXIT_WARNING, EXIT_ERROR, EXIT_SIGNAL_BASE
|
||||||
from .helpers import Error, NoManifestError, set_ec
|
from .helpers import Error, NoManifestError, set_ec
|
||||||
|
@ -503,28 +505,32 @@ class Archiver:
|
||||||
return EXIT_ERROR
|
return EXIT_ERROR
|
||||||
|
|
||||||
if args.key_mode == 'keyfile':
|
if args.key_mode == 'keyfile':
|
||||||
if isinstance(key, RepoKey):
|
if isinstance(key, AESOCBRepoKey):
|
||||||
key_new = KeyfileKey(repository)
|
key_new = AESOCBKeyfileKey(repository)
|
||||||
elif isinstance(key, Blake2RepoKey):
|
elif isinstance(key, CHPORepoKey):
|
||||||
key_new = Blake2KeyfileKey(repository)
|
key_new = CHPOKeyfileKey(repository)
|
||||||
elif isinstance(key, (KeyfileKey, Blake2KeyfileKey)):
|
elif isinstance(key, Blake2AESOCBRepoKey):
|
||||||
print(f"Location already is {args.key_mode}")
|
key_new = Blake2AESOCBKeyfileKey(repository)
|
||||||
return EXIT_SUCCESS
|
elif isinstance(key, Blake2CHPORepoKey):
|
||||||
|
key_new = Blake2CHPOKeyfileKey(repository)
|
||||||
else:
|
else:
|
||||||
raise Error("Unsupported key type")
|
print("Change not needed or not supported.")
|
||||||
|
return EXIT_WARNING
|
||||||
if args.key_mode == 'repokey':
|
if args.key_mode == 'repokey':
|
||||||
if isinstance(key, KeyfileKey):
|
if isinstance(key, AESOCBKeyfileKey):
|
||||||
key_new = RepoKey(repository)
|
key_new = AESOCBRepoKey(repository)
|
||||||
elif isinstance(key, Blake2KeyfileKey):
|
elif isinstance(key, CHPOKeyfileKey):
|
||||||
key_new = Blake2RepoKey(repository)
|
key_new = CHPORepoKey(repository)
|
||||||
elif isinstance(key, (RepoKey, Blake2RepoKey)):
|
elif isinstance(key, Blake2AESOCBKeyfileKey):
|
||||||
print(f"Location already is {args.key_mode}")
|
key_new = Blake2AESOCBRepoKey(repository)
|
||||||
return EXIT_SUCCESS
|
elif isinstance(key, Blake2CHPOKeyfileKey):
|
||||||
|
key_new = Blake2CHPORepoKey(repository)
|
||||||
else:
|
else:
|
||||||
raise Error("Unsupported key type")
|
print("Change not needed or not supported.")
|
||||||
|
return EXIT_WARNING
|
||||||
|
|
||||||
for name in ('repository_id', 'enc_key', 'enc_hmac_key', 'id_key', 'chunk_seed',
|
for name in ('repository_id', 'enc_key', 'enc_hmac_key', 'id_key', 'chunk_seed',
|
||||||
'tam_required', 'nonce_manager', 'cipher'):
|
'tam_required', 'sessionid', 'cipher'):
|
||||||
value = getattr(key, name)
|
value = getattr(key, name)
|
||||||
setattr(key_new, name, value)
|
setattr(key_new, name, value)
|
||||||
|
|
||||||
|
|
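Review bot: The new `else` branches (`print("Change not needed or not supported.")` / `return EXIT_WARNING`) in both the `keyfile` and the `repokey` branch collapse two distinct situations into one message and one exit code: the key already being in the requested location (which the old code reported as `Location already is ...` with EXIT_SUCCESS) and the key being a legacy AES-CTR type that change-location no longer converts. Since `identify_key` in the same commit still recognises the legacy classes, a legacy repository presumably still reaches this code, and a caller scripting change-location can no longer distinguish a harmless no-op from an unsupported key, while the no-op case now exits non-zero. I would keep an explicit no-op branch for the four AEAD keyfile classes that prints the old message and returns EXIT_SUCCESS, and let the final `else` name the legacy key types as the unsupported case; the `repokey` branch gets the mirror-image split with the four AEAD repokey classes. The enclosing method starts and ends outside the hunk.
```python
    elif isinstance(key, Blake2CHPORepoKey):
        key_new = Blake2CHPOKeyfileKey(repository)
    elif isinstance(key, (AESOCBKeyfileKey, CHPOKeyfileKey, Blake2AESOCBKeyfileKey, Blake2CHPOKeyfileKey)):
        print(f"Location already is {args.key_mode}")
        return EXIT_SUCCESS
    else:
        print("Change not supported for legacy (AES-CTR) key types.")
        return EXIT_WARNING
    # … unchanged: the 'repokey' branch, with the same no-op / legacy split …
```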
|
@ -98,7 +98,7 @@ def identify_key(manifest_data):
|
||||||
if key_type == KeyType.PASSPHRASE: # legacy, see comment in KeyType class.
|
if key_type == KeyType.PASSPHRASE: # legacy, see comment in KeyType class.
|
||||||
return RepoKey
|
return RepoKey
|
||||||
|
|
||||||
for key in AVAILABLE_KEY_TYPES:
|
for key in LEGACY_KEY_TYPES + AVAILABLE_KEY_TYPES:
|
||||||
if key.TYPE == key_type:
|
if key.TYPE == key_type:
|
||||||
return key
|
return key
|
||||||
else:
|
else:
|
||||||
|
@ -977,7 +977,7 @@ class CHPORepoKey(ID_HMAC_SHA_256, AEADKeyBase, FlexiKey):
|
||||||
class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
||||||
TYPE = KeyType.BLAKE2AESOCBKEYFILE
|
TYPE = KeyType.BLAKE2AESOCBKEYFILE
|
||||||
NAME = 'key file Blake2b AES-OCB'
|
NAME = 'key file BLAKE2b AES-OCB'
|
||||||
ARG_NAME = 'keyfile-blake2-aes-ocb'
|
ARG_NAME = 'keyfile-blake2-aes-ocb'
|
||||||
STORAGE = KeyBlobStorage.KEYFILE
|
STORAGE = KeyBlobStorage.KEYFILE
|
||||||
CIPHERSUITE = AES256_OCB
|
CIPHERSUITE = AES256_OCB
|
||||||
|
@ -986,7 +986,7 @@ class Blake2AESOCBKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
TYPES_ACCEPTABLE = {KeyType.BLAKE2AESOCBKEYFILE, KeyType.BLAKE2AESOCBREPO}
|
||||||
TYPE = KeyType.BLAKE2AESOCBREPO
|
TYPE = KeyType.BLAKE2AESOCBREPO
|
||||||
NAME = 'repokey Blake2b AES-OCB'
|
NAME = 'repokey BLAKE2b AES-OCB'
|
||||||
ARG_NAME = 'repokey-blake2-aes-ocb'
|
ARG_NAME = 'repokey-blake2-aes-ocb'
|
||||||
STORAGE = KeyBlobStorage.REPO
|
STORAGE = KeyBlobStorage.REPO
|
||||||
CIPHERSUITE = AES256_OCB
|
CIPHERSUITE = AES256_OCB
|
||||||
|
@ -995,7 +995,7 @@ class Blake2AESOCBRepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
||||||
TYPE = KeyType.BLAKE2CHPOKEYFILE
|
TYPE = KeyType.BLAKE2CHPOKEYFILE
|
||||||
NAME = 'key file Blake2b ChaCha20-Poly1305'
|
NAME = 'key file BLAKE2b ChaCha20-Poly1305'
|
||||||
ARG_NAME = 'keyfile-blake2-chacha20-poly1305'
|
ARG_NAME = 'keyfile-blake2-chacha20-poly1305'
|
||||||
STORAGE = KeyBlobStorage.KEYFILE
|
STORAGE = KeyBlobStorage.KEYFILE
|
||||||
CIPHERSUITE = CHACHA20_POLY1305
|
CIPHERSUITE = CHACHA20_POLY1305
|
||||||
|
@ -1004,16 +1004,23 @@ class Blake2CHPOKeyfileKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
class Blake2CHPORepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
class Blake2CHPORepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey):
|
||||||
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
TYPES_ACCEPTABLE = {KeyType.BLAKE2CHPOKEYFILE, KeyType.BLAKE2CHPOREPO}
|
||||||
TYPE = KeyType.BLAKE2CHPOREPO
|
TYPE = KeyType.BLAKE2CHPOREPO
|
||||||
NAME = 'repokey Blake2b ChaCha20-Poly1305'
|
NAME = 'repokey BLAKE2b ChaCha20-Poly1305'
|
||||||
ARG_NAME = 'repokey-blake2-chacha20-poly1305'
|
ARG_NAME = 'repokey-blake2-chacha20-poly1305'
|
||||||
STORAGE = KeyBlobStorage.REPO
|
STORAGE = KeyBlobStorage.REPO
|
||||||
CIPHERSUITE = CHACHA20_POLY1305
|
CIPHERSUITE = CHACHA20_POLY1305
|
||||||
|
|
||||||
|
|
||||||
|
LEGACY_KEY_TYPES = (
|
||||||
|
# legacy (AES-CTR based) crypto
|
||||||
|
KeyfileKey, RepoKey,
|
||||||
|
Blake2KeyfileKey, Blake2RepoKey,
|
||||||
|
)
|
||||||
|
|
||||||
AVAILABLE_KEY_TYPES = (
|
AVAILABLE_KEY_TYPES = (
|
||||||
|
# these are available encryption modes for new repositories
|
||||||
|
# not encrypted modes
|
||||||
PlaintextKey,
|
PlaintextKey,
|
||||||
KeyfileKey, RepoKey, AuthenticatedKey,
|
AuthenticatedKey, Blake2AuthenticatedKey,
|
||||||
Blake2KeyfileKey, Blake2RepoKey, Blake2AuthenticatedKey,
|
|
||||||
# new crypto
|
# new crypto
|
||||||
AESOCBKeyfileKey, AESOCBRepoKey,
|
AESOCBKeyfileKey, AESOCBRepoKey,
|
||||||
CHPOKeyfileKey, CHPORepoKey,
|
CHPOKeyfileKey, CHPORepoKey,
|
||||||
|
|
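Review bot: `LEGACY_KEY_TYPES` in the last hunk is documented only as `# legacy (AES-CTR based) crypto`, which does not say what the tuple is for or where the line between it and `AVAILABLE_KEY_TYPES` is drawn, even though `identify_key` in the first hunk now searches both and the commit's intent is that only the second is offered when creating repositories. I would extend the comment to `# legacy (AES-CTR based) crypto: still recognised by identify_key so existing repositories can be opened, but never offered for new repositories (see AVAILABLE_KEY_TYPES)`, so the next person adding a key class knows which tuple to put it in and why. The `LEGACY_KEY_TYPES + AVAILABLE_KEY_TYPES` lookup in `identify_key` also relies on every class in the two tuples having a distinct `TYPE`; a one-line comment on that loop, `# TYPE values are unique across both tuples, so first match is the only match`, would make the invariant explicit. The `NAME` changes in the middle hunks are cosmetic and need nothing.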