HEX

File: //usr/lib64/python3.9/site-packages/borg/crypto/__pycache__/key.cpython-39.opt-1.pyc
a

HZ�h��@s�ddlZddlZddlZddlZddlZddlZddlZddlZddlZddlm	Z	m
Z
mZddlm
Z
mZmZddlmZe�ZddlmZddlTddlmZdd	lmZdd
lmZmZddlmZddlmZmZdd
lmZddlmZddlmZddlm Z ddl!m"Z"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0ddl(m1Z1m2Z2dej3vZ4Gdd�de�Z5Gdd�de�Z6Gdd�de�Z7Gdd�de�Z8Gd d!�d!e�Z9Gd"d#�d#e�Z:Gd$d%�d%e�Z;Gd&d'�d'e�Z<Gd(d)�d)e�Z=Gd*d+�d+e�Z>Gd,d-�d-e�Z?Gd.d/�d/e?�Z@Gd0d1�d1e�ZAGd2d3�d3e�ZBGd4d5�d5e�ZCGd6d7�d7�ZDd8d9�ZEd:d;�ZFd<d=�ZGd>d?�ZHd@dA�ZIdBdC�ZJGdDdE�dE�ZKGdFdG�dGeK�ZLdHdI�ZMGdJdK�dK�ZNGdLdM�dM�ZOGdNdO�dOeK�ZPGdPdQ�dQeQ�ZRGdRdS�dSeOeP�ZSGdTdU�dUeP�ZTGdVdW�dWeOeT�ZUGdXdY�dYeOeT�ZVGdZd[�d[eNeU�ZWGd\d]�d]eNeV�ZXGd^d_�d_eV�ZYGd`da�daeY�ZZGdbdc�dceNeY�Z[eLeSeUeVeZeWeXe[fZ\dS)d�N)�
a2b_base64�
b2a_base64�hexlify)�sha256�sha512�pbkdf2_hmac�)�
create_logger)�helpers)�*)�
Compressor)�
StableDict)�Error�IntegrityError)�yes)�get_keys_dir�get_security_dir)�get_limited_unpacker)�
bin_to_hex)�prepare_subprocess_env)�msgpack)�Key�EncryptedKey)�SaveFile�)�NonceManager)�AES�
bytes_to_long�
long_to_bytes�bytes_to_int�num_cipher_blocks�hmac_sha256�blake2b_256�hkdf_hmac_sha512)�AES256_CTR_HMAC_SHA256�AES256_CTR_BLAKE2bZauthenticated_no_keyc@seZdZdZdS)�NoPassphraseFailurez can not acquire a passphrase: {}N��__name__�
__module__�__qualname__�__doc__�r,r,�5/usr/lib64/python3.9/site-packages/borg/crypto/key.pyr&(sr&c@seZdZdZdS)�PassphraseWrongzcpassphrase supplied in BORG_PASSPHRASE, by BORG_PASSCOMMAND or via BORG_PASSPHRASE_FD is incorrect.Nr'r,r,r,r-r.,sr.c@seZdZdZdS)�PasscommandFailurez3passcommand supplied in BORG_PASSCOMMAND failed: {}Nr'r,r,r,r-r/0sr/c@seZdZdZdS)�PasswordRetriesExceededz%exceeded the maximum password retriesNr'r,r,r,r-r04sr0c@seZdZdZdS)�UnsupportedPayloadErrorzSUnsupported payload type {}. A newer version is required to access this repository.Nr'r,r,r,r-r18sr1c@seZdZdZdS)�UnsupportedManifestErrorzUUnsupported manifest envelope. A newer version is required to access this repository.Nr'r,r,r,r-r2<sr2c@seZdZdZdS)�KeyfileNotFoundErrorz*No key file for repository {} found in {}.Nr'r,r,r,r-r3@sr3c@seZdZdZdS)�KeyfileInvalidErrorz/Invalid key file for repository {} found in {}.Nr'r,r,r,r-r4Dsr4c@seZdZdZdS)�KeyfileMismatchErrorz/Mismatch between repository {} and key file {}.Nr'r,r,r,r-r5Hsr5c@seZdZdZdS)�RepoKeyNotFoundErrorz2No key entry found in the config of repository {}.Nr'r,r,r,r-r6Lsr6c@seZdZe�d���ZdZdS)�TAMRequiredErroraT
    Manifest is unauthenticated, but it is required for this repository.

    This either means that you are under attack, or that you modified this repository
    with a Borg version older than 1.0.9 after TAM authentication was enabled.

    In the latter case, use "borg upgrade --tam --force '{}'" to re-authenticate the manifest.
    TN�r(r)r*�textwrap�dedent�stripr+�	tracebackr,r,r,r-r7Psr7c@seZdZe�d���ZdZdS)�ArchiveTAMRequiredErrorzR
    Archive '{}' is unauthenticated, but it is required for this repository.
    TNr8r,r,r,r-r=\sr=cs&eZdZejZdZ�fdd�Z�ZS)�
TAMInvalidTcst��d�dS)Nz&Manifest authentication did not verify��super�__init__��self��	__class__r,r-rAgszTAMInvalid.__init__�r(r)r*rr+r<rA�
__classcell__r,r,rDr-r>csr>cs&eZdZejZdZ�fdd�Z�ZS)�ArchiveTAMInvalidTcst��d�dS)Nz%Archive authentication did not verifyr?rBrDr,r-rApszArchiveTAMInvalid.__init__rFr,r,rDr-rHlsrHc@seZdZdZdZdS)�TAMUnsupportedSuiteErrorzMCould not verify manifest: Unsupported suite {!r}; a newer version is needed.TN)r(r)r*r+r<r,r,r,r-rIusrIc@seZdZdZdZdZdS)�KeyBlobStorageZ
no_storage�keyfile�
repositoryN)r(r)r*�
NO_STORAGE�KEYFILE�REPOr,r,r,r-rJzsrJcCs8tD] }|j|jkr|�||�Sqtd|j��dS)NzInvalid encryption mode "%s")�AVAILABLE_KEY_TYPES�ARG_NAMEZ
encryption�create�
ValueError)rL�args�keyr,r,r-�key_creator�srVcCsdd�tD�S)NcSsg|]}|jr|j�qSr,)rQ)�.0rUr,r,r-�
<listcomp>��z&key_argument_names.<locals>.<listcomp>)rPr,r,r,r-�key_argument_names�srZcCs>|d}|tjkrtStD]}|j|kr|Sqt|��dS)Nr)�
PassphraseKey�TYPE�RepoKeyrPr1)�
manifest_dataZkey_typerUr,r,r-�identify_key�s


r_cCst|��||�S�N)r_�detect)rLr^r,r,r-�key_factory�srbcCstt|j��}tj�|d�S)N�tam_required)rr�id�os�path�join)rLZsecurity_dirr,r,r-�tam_required_file�srhcCst|�}tj�|�Sr`)rhrerf�isfile)rL�filer,r,r-rc�srcc@sveZdZdZdZdZejZdZ	dZ
dd�Zdd�Zdd	�Z
ddd�Zd
d�Zdd�Zddd�Zddd�Zddd�ZdS)�KeyBaseNZ	UNDEFINEDFcCs8t|jg�|_||_d|_td�|_|jj|_d|_dS)NZlz4T)	�bytesr\�TYPE_STRrL�targetr�
compressor�
decompressrc�rCrLr,r,r-rA�s

zKeyBase.__init__cCsdS)z1Return HMAC hash using the "id" HMAC key
        Nr,�rC�datar,r,r-�id_hash�szKeyBase.id_hashcCsdSr`r,)rC�chunkr,r,r-�encrypt�szKeyBase.encryptTcCsdSr`r,)rCrdrsrpr,r,r-�decrypt�szKeyBase.decryptcCs.|r*|�|�}t�||�s*tdt|���dS)Nz Chunk %s: id verification failed)rt�hmac�compare_digestrr)rCrdrsZid_computedr,r,r-�	assert_id�s
zKeyBase.assert_idcCs"t|j|j|j|d|dd�S)Nsborg-metadata-authentication-�@)Zikm�salt�infoZ
output_length)r#�id_key�enc_key�enc_hmac_key�rCr|�contextr,r,r-�_tam_key�s�zKeyBase._tam_key�manifestcCsh|durt�d�}t|�}tdtd�|d��}|d<t�|�}|�||�}t�||d�|d<t�|�S)Nr{�HKDF_HMAC_SHA512)�typerxr|�tamrrx)	re�urandomr
rlr�packbr�rx�digest)rCZ
metadata_dictr�r|r��packed�tam_keyr,r,r-�pack_and_authenticate_metadata�s
�
z&KeyBase.pack_and_authenticate_metadatac
Csz|�d�rt��|j}|r,|r,t�d�d}t|�}td�}|�|�|��}t	rZ|dfSd|vr�|rxt
|jj�
���nt�d�|dfS|�dd�}t|t�s�t��|�d	d
��dd�}|d
kr�|r�tt|���nt�d|�|dfS|�d�}|�d�}	t|	t��rt|t��st��|�|�}
td�||
|
d�<|j|	dd�}t�||d�}t�||��sht��t�d�|dfS)z8Unpack msgpacked *data* and return (object, did_verify).s����z!Manifest authentication DISABLED.FZmanifestT�tamz'Manifest TAM not found and not requiredN�type�<none>�ascii�replacer�zPIgnoring manifest TAM made with unsupported suite, since TAM is not required: %r�hmac�saltr{r��r�rzTAM-verified manifest)�
startswithr2rc�logger�warning�	bytearrayr�feed�unpack�AUTHENTICATED_NO_KEYr7rL�	_location�canonical_path�debug�pop�
isinstance�dictr>�get�decoderI�reprrl�indexr�rxr�ry)
rCrs�force_tam_not_requiredrc�unpacker�unpackedr��tam_type�tam_hmac�tam_salt�offsetr��calculated_hmacr,r,r-�unpack_and_verify_manifest�sL








z"KeyBase.unpack_and_verify_manifestcCs�|j}|r|rt�d�d}t|�}td�}|�|�|��}trL|ddfSd|vr�|rv|�dd��	d	d
�}t
|��nt�d�|ddfS|�dd�}t|t
�s�t��|�dd
��	d	d
�}|dkr�|r�tt|���nt�d|�|ddfS|�d�}	|�d�}
t|
t��rt|	t��st��|�|	�}td�|||d�<|j|
dd�}t�||d�}
t�|
|	��s�dtjv�r�t�d�|ddfSt��t�d�|d|
fS)z>Unpack msgpacked *data* and return (object, did_verify, salt).z Archive authentication DISABLED.F�archiveTNr�snames	<unknown>r�r�z&Archive TAM not found and not requiredr�r�r�zOIgnoring archive TAM made with unsupported suite, since TAM is not required: %rr�r�r{sarchiver�rZignore_invalid_archive_tamz4ignoring invalid archive TAM due to BORG_WORKAROUNDSzTAM-verified archive)rcr�r�r�rr�r�r�r�r�r=r�r�r�rHrIr�rlr�r�rxr�ryr
�workarounds)rCrsr�rcr�r��archive_namer�r�r�r�r�r�r�r,r,r-�unpack_and_verify_archivesP













z!KeyBase.unpack_and_verify_archive)T)r�N)F)F)r(r)r*r\�NAMErQrJrM�STORAGE�
chunk_seed�logically_encryptedrArtrvrwrzr�r�r�r�r,r,r,r-rk�s	



,rkcspeZdZdZdZdZejZdZ	dZ
�fdd�Zedd	��Z
ed
d��Zdd
�Zdd�Zddd�Zdd�Z�ZS)�PlaintextKeyrZ	plaintextZnonerFcst��|�d|_dS�NF)r@rArcrqrDr,r-rAYszPlaintextKey.__init__cCst�d�||�S)NzTEncryption NOT enabled.
Use the "--encryption=repokey|keyfile" to enable encryption.)r�r})�clsrLrTr,r,r-rR]s
zPlaintextKey.createcCs||�Sr`r,)r�rLr^r,r,r-rabszPlaintextKey.detectcCst|���Sr`)rr�rrr,r,r-rtfszPlaintextKey.id_hashcCs|j�|�}d�|j|g�S�NrY�ro�compressrgrm�rCrursr,r,r-rviszPlaintextKey.encryptTcCs`|d|jkr.|durt|�nd}td|��t|�dd�}|sF|S|�|�}|�||�|S)Nr�	(unknown)�%Chunk %s: Invalid encryption enveloper)r\rr�
memoryviewrprz�rCrdrsrp�id_str�payloadr,r,r-rwms
zPlaintextKey.decryptcCs||Sr`r,r�r,r,r-r�xszPlaintextKey._tam_key)T)r(r)r*r\r�rQrJrMr�r�r�rA�classmethodrRrartrvrwr�rGr,r,rDr-r�Ps


r�cCst�d�td�S)Nr{)rer�rlr,r,r,r-�random_blake2b_256_key|sr�cs*eZdZdZdd�Zd�fdd�	Z�ZS)�ID_BLAKE2b_256zi
    Key mix-in class for using BLAKE2b-256 for the id key.

    The id_key length must be 32 bytes.
    cCst|j|�Sr`)r"r~rrr,r,r-rt�szID_BLAKE2b_256.id_hashNcst���t�|_t�|_dSr`)r@�init_from_random_datar�r�r~rrrDr,r-r��s
z$ID_BLAKE2b_256.init_from_random_data)N)r(r)r*r+rtr�rGr,r,rDr-r��sr�c@seZdZdZdd�ZdS)�ID_HMAC_SHA_256zj
    Key mix-in class for using HMAC-SHA-256 for the id key.

    The id_key length must be 32 bytes.
    cCst|j|�Sr`)r!r~rrr,r,r-rt�szID_HMAC_SHA_256.id_hashN)r(r)r*r+rtr,r,r,r-r��sr�c@sBeZdZdZdZeZdZdd�Zd
dd�Z	dd	d
�Z
ddd�ZdS)�
AESKeyBasea�
    Common base class shared by KeyfileKey and PassphraseKey

    Chunks are encrypted using 256bit AES in Counter Mode (CTR)

    Payload layout: TYPE(1) + HMAC(32) + NONCE(8) + CIPHERTEXT

    To reduce payload size only 8 bytes of the 16 bytes nonce is saved
    in the payload, the first 8 bytes are always zeros. This does not
    affect security but limits the maximum repository capacity to
    only 295 exabytes!
    �)TcCs@|j�|�}|j�|j��|j�t|���}|jj||j	|d�S)N)�headerZiv)
ror��
nonce_managerZensure_reservation�cipher�next_ivZblock_count�lenrvrm)rCrursr�r,r,r-rv�s
�zAESKeyBase.encryptc
Cs�|d|jksF|dtjkr&t|t�sF|dur6t|�nd}td|��z|j�|�}WnBty�}z*tdt|��dt|��d���WYd}~n
d}~00|s�|S|�	|�}|�
||�|S)Nrr�r�zChunk z: Could not decrypt [�])r\r[r�r]rrr�rw�strrprz)rCrdrsrpr�r��er,r,r-rw�s ��4
zAESKeyBase.decryptNcCsl|durt�d�}|dd�|_|dd�|_|dd�|_t|dd��|_|jd@rh|jdd|_dS)	N�dr� r{�`ll��r)rer�rr�r~rr�rrr,r,r-r��s

z AESKeyBase.init_from_random_datacCs�|j|j|jddd�|_|dur&d}nJ|d|jksT|dtjkrLt|t�sTtd��t	t
|��}|j�|�|}|j�|�t
|j|�|_dS)Nr)Zmac_keyrZ
header_lenZ
aad_offsetr�%Manifest: Invalid encryption envelope)�CIPHERSUITEr�rr�r\r[r�r]rr r�Z
extract_ivZset_ivrrLr�)rCr^ZnonceZmanifest_blocksr,r,r-�init_ciphers�s��zAESKeyBase.init_ciphers)T)N)N)r(r)r*r+ZPAYLOAD_OVERHEADr$r�r�rvrwr�r�r,r,r,r-r��s


r�c@s�eZdZeddd��Zeddd��Zeddd��Zedd	��Zedd
d��Zedd
��Z	edd��Z
eddd��Zdd�Zdd�Z
dS)�
PassphraseNcCs"tj�||�}|dur||�SdSr`)re�environr�)r��env_var�default�
passphraser,r,r-�_env_passphrase�szPassphrase._env_passphrasecCsD|�d|�}|dur|S|��}|dur,|S|��}|dur@|SdS)N�BORG_PASSPHRASE)r��env_passcommand�
fd_passphrase)r�r�r�r,r,r-�env_passphrase�szPassphrase.env_passphrasec
Cs�tj�dd�}|dur|tdd�}ztjt�|�d|d�}Wn2tjt	fyl}zt
|��WYd}~n
d}~00||�d��SdS)N�BORG_PASSCOMMANDT)�system)Zuniversal_newlines�env�
)rer�r�r�
subprocessZcheck_output�shlex�splitZCalledProcessError�FileNotFoundErrorr/�rstrip)r�r�Zpasscommandr�r�r�r,r,r-r��s
zPassphrase.env_passcommandc	Csrzttj�d��}Wnttfy,YdS0tj|dd��}|��}Wd�n1sZ0Y||�d��S)NZBORG_PASSPHRASE_FD�r)�moder�)	�intrer�r�rS�	TypeError�fdopen�readr�)r��fd�fr�r,r,r-r�
s&zPassphrase.fd_passphrasecCs|�d|�S)NZBORG_NEW_PASSPHRASE)r�)r�r�r,r,r-�env_new_passphraseszPassphrase.env_new_passphrasec
Cs�zt�|�}Wnnty||r&t�g}dD].}tj�|�du}|�d�||rTdnd��q.|�d�td�	|��d�Yn
0||�SdS)N)r�r�z	{} is {}.�setznot setz"Interactive password query failed.� )
�getpass�EOFError�printrer�r��append�formatr&rg)r��promptZpw�msgr�Zenv_var_setr,r,r-r�s
zPassphrase.getpassc	Cs�d}t||dddd�r�td|tjd�tdtjd�z|�d	�Wn<ty�td
t|�d��tjd�tdtjd�Yn0dS)
NzDDo you want your passphrase to be displayed for verification? [yN]: zInvalid answer, try again.TZBORG_DISPLAY_PASSPHRASE)Z	retry_msgZinvalid_msg�retryZenv_var_overridez-Your passphrase (between double-quotes): "%s"�rjzDMake sure the passphrase displayed above is exactly what you wanted.r�z+Your passphrase (UTF-8 encoding in hex): %s�utf-8z�As you have a non-ASCII passphrase, it is recommended to keep the UTF-8 encoding in hex together with the passphrase at a safe place.)rr��sys�stderr�encode�UnicodeEncodeErrorr)r�r�r�r,r,r-�verification(s*������zPassphrase.verificationFcCs�|��}|dur|S|��}|dur(|Stdd�D]b}|�d�}|sH|r�|�d�}||krv|�|�t�d�|Stdtj	d�q2tdtj	d�q2t
�dS)	Nr�zEnter new passphrase: zEnter same passphrase again: zDRemember your passphrase. Your data will be inaccessible without it.zPassphrases do not matchrzPassphrase must not be blank)r�r��ranger�rr�r}r�rrr0)r��allow_emptyr�r�Zpassphrase2r,r,r-�new:s"



zPassphrase.newcCsdS)Nz<Passphrase "***hidden***">r,rBr,r,r-�__repr__QszPassphrase.__repr__cCstd|�d�|||�S)Nrr)rr)rCr|�
iterations�lengthr,r,r-�kdfTszPassphrase.kdf)N)N)N)N)F)r(r)r*r�r�r�r�r�r�r�rr
rrr,r,r,r-r��s$
	

r�c@sJeZdZdZdZdZejZdZ	e
dd��Ze
dd��Zd	d
�Z
dd�ZdS)
r[rr�Ni��cCs.||�}t�d�tjdd�}|�||�|S)Nz9WARNING: "passphrase" mode is unsupported since borg 1.0.F�r	)r�r�r�r
�init)r�rLrTrUr�r,r,r-rRhs

zPassphraseKey.createc	Cs�d|j��}||�}t��}|dur0t�|�}tdd�D]T}|�||�z&|�d|�|�|�||_	|WSt
y�t�|�}Yq:0q:t�dS)NzEnter passphrase for %s: r�)r�r�r�r�r�rrrwr��_passphraserr0)r�rLr^r�rUr�r�r,r,r-raps


zPassphraseKey.detectcCsGdd�dt�}|�dS)Nc@seZdZdZdS)zAPassphraseKey.change_passphrase.<locals>.ImmutablePassphraseErrorz=The passphrase for this encryption key type can't be changed.Nr'r,r,r,r-�ImmutablePassphraseError�sr)r)rCrr,r,r-�change_passphrase�szPassphraseKey.change_passphrasecCs*|�|�|j|jd��|��d|_dS)Nr�F)r�rrdrr�rc)rCrLr�r,r,r-r�szPassphraseKey.init)r(r)r*r\r�rQrJrMr�rr�rRrarrr,r,r,r-r[Xs	

r[c@speZdZedd��Zdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
ddd�Zedd��Zddd�Z
dd�ZdS)�KeyfileKeyBasecCs�||�}|��}d|}t��}|durjt�}|�||�sztdd�D]}t�|�}|�||�rDqzqDt�n|�||�szt�|�|�||_	|S)NzEnter passphrase for key %s: rr)
�find_keyr�r��loadrr�r0r.r�r)r�rLr^rUrnr�r�r�r,r,r-ra�s"

zKeyfileKeyBase.detectcCst�dSr`��NotImplementedErrorrBr,r,r-r�szKeyfileKeyBase.find_keycCst�dSr`r)rCrnr�r,r,r-r�szKeyfileKeyBase.loadcCs�t|�}|�||�}|r~t�|�}t|d�}|jdkr>td��|j|_|j|_|j	|_	|j
|_
|j|_|�dt
|j��|_
dSdS)N�Z
internal_dictrz5key version %d is not supported by this borg version.rcTF)r�decrypt_key_filerZunpackbr�versionr�
repository_idrr�r~r�r�rcrL)rC�key_datar��cdatarsrUr,r,r-�_load�s


zKeyfileKeyBase._loadcCs�td�}|�|�|��}t|d�}|jdkr<td|j��|jdkrTtd|j��|�|j|j	d�}t
|d��|j�}t
�t||�|j�r�|SdS)	NrUrrz?encrypted key version %d is not supported by this borg version.rzCencrypted key algorithm '%s' is not supported by this borg version.r��)rr�r�rrr�	algorithmrr|rrrwrsrxryr!�hash)rCrsr�r�rrUr,r,r-r�s



zKeyfileKeyBase.decrypt_key_filec	CsXt�d�}t}|�||d�}t||�}t|d��|�}td||d||d�}t�	|�
��S)Nr�r!rr)rr|rr"r#rs)rer�ZPBKDF2_ITERATIONSrr!rrvrrr��as_dict)	rCrsr�r|rrUr#rrr,r,r-�encrypt_key_file�s

�zKeyfileKeyBase.encrypt_key_filec	CsVtd|j|j|j|j|j|jd�}|�t�	|�
��|�}d�t�
t|��d���}|S)Nr)rrrr�r~r�rcr�r�)rrrr�r~r�rcr%rr�r$rgr9�wraprr�)rCr�rUrsrr,r,r-�_save�s�	zKeyfileKeyBase._saveNcCs&|durtjdd�}|�|j|�dS)NTr)r�r
�savern)rCr�r,r,r-r�sz KeyfileKeyBase.change_passphrasecCsbtjdd�}||�}|j|_|��|��|�|�}|j||dd�t�	d|�t�	d�|S)NTr�rRzKey in "%s" created.z>Keep this key safe. Your data will be inaccessible without it.)
r�r
rdrr�r��get_new_targetr(r�r})r�rLrTr�rUrnr,r,r-rR�s

zKeyfileKeyBase.createFcCst�dSr`r�rCrnr�rRr,r,r-r(�szKeyfileKeyBase.savecCst�dSr`r�rCrTr,r,r-r*�szKeyfileKeyBase.get_new_target)N)F)r(r)r*r�rarrr rr%r'rrRr(r*r,r,r,r-r�s



rc@sleZdZdZdZdZejZdZ	dd�Z
dd�Zd	d
�Zdd�Z
d
d�Zdd�Zdd�Zdd�Zddd�ZdS)�
KeyfileKeyrzkey filerK�BORG_KEYc		Cs�|j��d}t|�}t|d��X}|�t|��|krFt|jj�	�|��|�t|��|krjt
|jj�	�|��Wd�n1s~0Yt|d���}|��}t|�dkr�t�
d|�d��t|jj�	�|��t|d���t|�t|�k�rt�
d|�d��t|jj�	�|��d	�|d
d��}zt|�}Wn:tj�ylt�
d|�d��t|jj�	�|��Yn0t|�dk�r�t�
d
|�d��t|jj�	�|��Wd�n1�s�0Y|S)N� �rbr�rz1borg key sanity check: expected 2+ lines total. [r�rz3borg key sanity check: key line 1 seems too long. [�rz?borg key sanity check: key line 2+ does not look like base64. [�zWborg key sanity check: binary encrypted key data from key line 2+ suspiciously short. [)�FILE_IDrr�openr�r�r4rLr�r�r5�	readlinesr�r�r�rgr�binasciir)	rC�filenamerdZfile_idZrepo_idr��linesZkey_b64rUr,r,r-�sanity_check
s60"�
2zKeyfileKey.sanity_checkcCsL|��}|dur |�||jj�S|��}|dur4|St|jj��t���dSr`)	�_find_key_file_from_environmentr9rLrd�_find_key_in_keys_dirr3r�r�r�rCrKr,r,r-r,szKeyfileKey.find_keycCs2|��}|dur|S|��}|dur(|S|�|�Sr`)r:r;�_get_new_target_in_keys_dir�rCrTrKr,r,r-�get_existing_or_new_target5sz%KeyfileKey.get_existing_or_new_targetc
CsZ|jj}t�}t�|�D]<}tj�||�}z|�||�WStt	fyRYq0qdSr`)
rLrdrre�listdirrfrgr9r4r5)rCrdZkeys_dir�namer7r,r,r-r;>sz KeyfileKey._find_key_in_keys_dircCs|��}|dur|S|�|�Sr`)r:r=r>r,r,r-r*HszKeyfileKey.get_new_targetcCs tj�d�}|rtj�|�SdS)NZ
BORG_KEY_FILE)rer�r�rf�abspathr<r,r,r-r:Nsz*KeyfileKey._find_key_file_from_environmentcCs8|j��}|}d}tj�|�r4|d7}|d|}q|S)Nrz.%d)�locationZto_key_filenamererf�exists)rCrTr7rf�ir,r,r-r=Ss
z&KeyfileKey._get_new_target_in_keys_dircCsXt|��&}d�|��dd��}Wd�n1s40Y|�||�}|rT||_|S)Nr1r)r4rgr5r rn)rCrnr�r�r�successr,r,r-r\s
4zKeyfileKey.loadFcCs�|rtj�|�rtd|��|�|�}t|��B}|�|j�dt|j	��d��|�|�|�d�Wd�n1sv0Y||_
dS)Nz,Aborting because key in "%s" already exists.r�r�)rerfrirr'r�writer3rrrn)rCrnr�rRrr�r,r,r-r(ds


(zKeyfileKey.saveN)F)r(r)r*r\r�rQrJrNr�r3r9rr?r;r*r:r=rr(r,r,r,r-r-s"		
	r-c@s@eZdZdZdZdZejZdd�Z	dd�Z
dd�Zd
d
d�ZdS)r]rZrepokeycCs(|jj��}|j��}|s$t|�d�|Sr`)rLr�r��load_keyr6)rC�locrUr,r,r-rxs


zRepoKey.find_keycCs|jSr`)rLr,r,r,r-r*�szRepoKey.get_new_targetcCsT|dk|_|j}|��}|s0|j��}t|�d�|�d�}|�||�}|rP||_|S�Nr1r)	r�rLrHr�r�r6r�r rn)rCrnr�rrIrFr,r,r-r�s



zRepoKey.loadFcCs2|dk|_|�|�}|�d�}|�|�||_dSrJ)r�r'rZsave_keyrn)rCrnr�rRrr,r,r-r(�s




zRepoKey.saveN)F)
r(r)r*r\r�rQrJrOr�rr*rr(r,r,r,r-r]rsr]c@s&eZdZdZdZdZejZdZ	e
ZdS)�Blake2KeyfileKey�zkey file BLAKE2bzkeyfile-blake2r.N)r(r)r*r\r�rQrJrNr�r3r%r�r,r,r,r-rK�srKc@s"eZdZdZdZdZejZe	Z
dS)�
Blake2RepoKey�zrepokey BLAKE2bzrepokey-blake2N)r(r)r*r\r�rQrJrOr�r%r�r,r,r,r-rM�s
rMcs\eZdZejZdZ�fdd�Z�fdd�Zd�fdd�	Z	dd	d
�Z
dd�Zddd�Z�Z
S)�AuthenticatedKeyBaseFcsBtr4td�}||_||_||_||_d|_d|_dSt��	||�S)Nr�rFT)
r�rlrrr�r~r�rcr@r )rCrr�ZNOPErDr,r-r �szAuthenticatedKeyBase._loadcst��||�}d|_|Sr�)r@rr�)rCrnr�rFrDr,r-r�szAuthenticatedKeyBase.loadcst�j|||d�d|_dS)Nr)F)r@r(r�r+rDr,r-r(�szAuthenticatedKeyBase.saveNcCs"|dur|d|jkrtd��dS)Nrr�)r\r)rCr^r,r,r-r��sz!AuthenticatedKeyBase.init_cipherscCs|j�|�}d�|j|g�Sr�r�r�r,r,r-rv�szAuthenticatedKeyBase.encryptTcCsh|d|jkr.|durt|�nd}td|��t|�dd�}|sF|S|�|�}trX|S|�||�|S)Nrr�zChunk %s: Invalid enveloper)r\rrr�rpr�rzr�r,r,r-rw�s
zAuthenticatedKeyBase.decrypt)F)N)T)r(r)r*rJrOr�r�r rr(r�rvrwrGr,r,rDr-rO�s

rOc@seZdZdZdZdZdS)�AuthenticatedKey�Z
authenticatedN�r(r)r*r\r�rQr,r,r,r-rP�srPc@seZdZdZdZdZdS)�Blake2AuthenticatedKey�zauthenticated BLAKE2bzauthenticated-blake2NrRr,r,r,r-rS�srS)]r6Zconfigparserr�rxrer�rr9r�rrrZhashlibrrrr�r	r1r
Z	constantsr�rr
rrrrrrrrr�itemrr�platformrZnoncesrZ	low_levelrrrrr r!r"r#r$r%r�r�r&r.r/r0r1r2r3r4r5r6r7r=r>rHrIrJrVrZr_rbrhrcrkr�r�r�r�r�r�r�r[rr-r]rKrMrOrPrSrPr,r,r,r-�<module>s�(
			(,Em7sp+
	2�