Current File : //usr/lib64/python3.6/site-packages/borg/crypto/__pycache__/key.cpython-36.pyc
3

up�d���@s�ddlZddlZddlZddlZddlZddlZddlmZmZm	Z	ddl
mZmZm
Z
ddlmZmZddlmZe�ZddlTddlmZdd	lmZdd
lmZmZddlmZddlmZmZdd
lmZddlmZddlm Z ddlm!Z!ddlm"Z"ddl#m$Z$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1dfZ2de"kZ3Gdd�de�Z4Gdd�de�Z5Gdd�de�Z6Gd d!�d!e�Z7Gd"d#�d#e�Z8Gd$d%�d%e�Z9Gd&d'�d'e�Z:Gd(d)�d)e�Z;Gd*d+�d+e�Z<Gd,d-�d-e�Z=Gd.d/�d/e�Z>Gd0d1�d1e>�Z?Gd2d3�d3e�Z@Gd4d5�d5e�ZAGd6d7�d7e�ZBGd8d9�d9�ZCd:d;�ZDd<d=�ZEd>d?�ZFd@dA�ZGdBdC�ZHdDdE�ZIGdFdG�dG�ZJGdHdI�dIeJ�ZKdJdK�ZLGdLdM�dM�ZMGdNdO�dO�ZNGdPdQ�dQeJ�ZOGdRdS�dSeP�ZQGdTdU�dUeNeO�ZRGdVdW�dWeO�ZSGdXdY�dYeNeS�ZTGdZd[�d[eNeS�ZUGd\d]�d]eMeT�ZVGd^d_�d_eMeU�ZWGd`da�daeU�ZXGdbdc�dceX�ZYGddde�deeMeX�ZZeKeReTeUeYeVeWeZfZ[dS)g�N)�
a2b_base64�
b2a_base64�hexlify)�sha256�sha512�pbkdf2_hmac)�HMAC�compare_digest)�
create_logger�)�*)�
Compressor)�
StableDict)�Error�IntegrityError)�yes)�get_keys_dir�get_security_dir)�get_limited_unpacker)�
bin_to_hex)�prepare_subprocess_env)�msgpack)�workarounds)�Key�EncryptedKey)�SaveFile�)�NonceManager)�AES�
bytes_to_long�bytes_to_int�num_aes_blocks�hmac_sha256�blake2b_256�hkdf_hmac_sha512��Zauthenticated_no_keyc@seZdZdZdS)�NoPassphraseFailurez can not acquire a passphrase: {}N)�__name__�
__module__�__qualname__�__doc__�r,r,�/usr/lib64/python3.6/key.pyr'&sr'c@seZdZdZdS)�PassphraseWrongzcpassphrase supplied in BORG_PASSPHRASE, by BORG_PASSCOMMAND or via BORG_PASSPHRASE_FD is incorrect.N)r(r)r*r+r,r,r,r-r.*sr.c@seZdZdZdS)�PasscommandFailurez3passcommand supplied in BORG_PASSCOMMAND failed: {}N)r(r)r*r+r,r,r,r-r/.sr/c@seZdZdZdS)�PasswordRetriesExceededz%exceeded the maximum password retriesN)r(r)r*r+r,r,r,r-r02sr0c@seZdZdZdS)�UnsupportedPayloadErrorzSUnsupported payload type {}. A newer version is required to access this repository.N)r(r)r*r+r,r,r,r-r16sr1c@seZdZdZdS)�UnsupportedManifestErrorzUUnsupported manifest envelope. A newer version is required to access this repository.N)r(r)r*r+r,r,r,r-r2:sr2c@seZdZdZdS)�KeyfileNotFoundErrorz*No key file for repository {} found in {}.N)r(r)r*r+r,r,r,r-r3>sr3c@seZdZdZdS)�KeyfileInvalidErrorz/Invalid key file for repository {} found in {}.N)r(r)r*r+r,r,r,r-r4Bsr4c@seZdZdZdS)�KeyfileMismatchErrorz/Mismatch between repository {} and key file {}.N)r(r)r*r+r,r,r,r-r5Fsr5c@seZdZdZdS)�RepoKeyNotFoundErrorz2No key entry found in the config of repository {}.N)r(r)r*r+r,r,r,r-r6Jsr6c@seZdZejd�j�ZdZdS)�TAMRequiredErroraT
    Manifest is unauthenticated, but it is required for this repository.

    This either means that you are under attack, or that you modified this repository
    with a Borg version older than 1.0.9 after TAM authentication was enabled.

    In the latter case, use "borg upgrade --tam --force '{}'" to re-authenticate the manifest.
    FN)r(r)r*�textwrap�dedent�stripr+�	tracebackr,r,r,r-r7Ns
r7c@seZdZejd�j�ZdZdS)�ArchiveTAMRequiredErrorzR
    Archive '{}' is unauthenticated, but it is required for this repository.
    FN)r(r)r*r8r9r:r+r;r,r,r,r-r<Zs
r<cs&eZdZejZdZ�fdd�Z�ZS)�
TAMInvalidFcst�jd�dS)Nz&Manifest authentication did not verify)�super�__init__)�self)�	__class__r,r-r?eszTAMInvalid.__init__)r(r)r*rr+r;r?�
__classcell__r,r,)rAr-r=asr=cs&eZdZejZdZ�fdd�Z�ZS)�ArchiveTAMInvalidFcst�jd�dS)Nz%Archive authentication did not verify)r>r?)r@)rAr,r-r?nszArchiveTAMInvalid.__init__)r(r)r*rr+r;r?rBr,r,)rAr-rCjsrCc@seZdZdZdZdS)�TAMUnsupportedSuiteErrorzMCould not verify manifest: Unsupported suite {!r}; a newer version is needed.FN)r(r)r*r+r;r,r,r,r-rDssrDc@seZdZdZdZdZdS)�KeyBlobStorageZ
no_storage�keyfile�
repositoryN)r(r)r*�
NO_STORAGE�KEYFILE�REPOr,r,r,r-rExsrEcCsFx@tD]*}|j|jkr|jdk	s$t�|j||�SqWtd|j��dS)NzInvalid encryption mode "%s")�AVAILABLE_KEY_TYPES�ARG_NAMEZ
encryption�AssertionError�create�
ValueError)rG�args�keyr,r,r-�key_creator~s

rRcCsdd�tD�S)NcSsg|]}|jr|j�qSr,)rL)�.0rQr,r,r-�
<listcomp>�sz&key_argument_names.<locals>.<listcomp>)rKr,r,r,r-�key_argument_names�srUcCs>|d}|tjkrtSx"tD]}|j|kr|SqWt|��dS)Nr)�
PassphraseKey�TYPE�RepoKeyrKr1)�
manifest_dataZkey_typerQr,r,r-�identify_key�s


rZcCst|�j||�S)N)rZ�detect)rGrYr,r,r-�key_factory�sr\cCstt|j��}tjj|d�S)N�tam_required)rr�id�os�path�join)rGZsecurity_dirr,r,r-�tam_required_file�srbcCst|�}tjj|�S)N)rbr_r`�isfile)rG�filer,r,r-r]�sr]c@sveZdZdZdZdZejZdZ	dZ
dd�Zdd�Zdd	�Z
ddd�Zd
d�Zdd�Zddd�Zddd�Zddd�ZdS)�KeyBaseNZ	UNDEFINEDFcCs8t|jg�|_||_d|_td�|_|jj|_d|_dS)NZlz4T)	�bytesrW�TYPE_STRrG�targetr
�
compressor�
decompressr])r@rGr,r,r-r?�s

zKeyBase.__init__cCsdS)z1Return HMAC hash using the "id" HMAC key
        Nr,)r@�datar,r,r-�id_hash�szKeyBase.id_hashcCsdS)Nr,)r@�chunkr,r,r-�encrypt�szKeyBase.encryptTcCsdS)Nr,)r@r^rkrjr,r,r-�decrypt�szKeyBase.decryptcCs,|r(|j|�}t||�s(tdt|���dS)Nz Chunk %s: id verification failed)rlr	rr)r@r^rkZid_computedr,r,r-�	assert_id�s

zKeyBase.assert_idcCs"t|j|j|j|d|dd�S)Nsborg-metadata-authentication-�@)Zikm�salt�infoZ
output_length)r$�id_key�enc_key�enc_hmac_key)r@rr�contextr,r,r-�_tam_key�s
zKeyBase._tam_key�manifestcCsr|dkrtjd�}t|�}tdtd�|d��}|d<tj|dd�}|j||�}t||t�j	�|d<tj|dd�S)Nrq�HKDF_HMAC_SHA512)�type�hmacrr�tam�surrogateescape)Zunicode_errorsr|)
r_�urandomrrfr�packbrxrr�digest)r@Z
metadata_dictrwrrr}Zpacked�tam_keyr,r,r-�pack_and_authenticate_metadata�s
z&KeyBase.pack_and_authenticate_metadatac
Cs~|jd�rt��|j}|r,|r,tjd�d}t|�}td�}|j|�|j�}t	rZ|dfSd|kr�|rxt
|jjj
���ntjd�|dfS|jdd	�}t|t�s�t��|jd
d�jdd
�}|dkr�|r�tt|���ntjd|�|dfS|jd�}|jd�}	t|	t��st|t��rt��|j|�}
td�||
|
d�<|j|	dd�}t||t�j�}t||��slt��tjd�|dfS)z8Unpack msgpacked *data* and return (object, did_verify).���z!Manifest authentication DISABLED.FZmanifestTstamz'Manifest TAM not found and not requiredNstypes<none>�ascii�replacerzzPIgnoring manifest TAM made with unsupported suite, since TAM is not required: %rshmacssaltrqsmanifest)rwzTAM-verified manifests����)�
startswithr2r]�logger�warning�	bytearrayr�feed�unpack�AUTHENTICATED_NO_KEYr7rG�	_location�canonical_path�debug�pop�
isinstance�dictr=�get�decoderD�reprrf�indexrxrrr�r	)
r@rk�force_tam_not_requiredr]�unpacker�unpackedr}�tam_type�tam_hmac�tam_salt�offsetr��calculated_hmacr,r,r-�unpack_and_verify_manifest�sL








z"KeyBase.unpack_and_verify_manifestcCs�|j}|r|rtjd�d}t|�}td�}|j|�|j�}d|kr||rh|jdd�jdd�}t	|��ntjd	�|dd
fS|j
dd
�}t|t�s�t
��|jdd�jdd�}|d
kr�|r�tt|���ntjd|�|dd
fS|jd�}	|jd�}
t|
t��st|	t��rt
��|j|	�}td�|||d�<|j|
dd�}t||t�j�}
t|
|	��s~dtk�rxtjd�|dd
fSt
��tjd�|d|
fS)z>Unpack msgpacked *data* and return (object, did_verify, salt).z Archive authentication DISABLED.F�archivestamsnames	<unknown>r�r�z&Archive TAM not found and not requiredNstypes<none>rzzOIgnoring archive TAM made with unsupported suite, since TAM is not required: %rshmacssaltrqsarchive)rwZignore_invalid_archive_tamz4ignoring invalid archive TAM due to BORG_WORKAROUNDSzTAM-verified archiveT)r]r�r�r�rr�r�r�r�r<r�r�r�rCrDr�rfr�rxrrr�r	r)r@rkr�r]r�r�Zarchive_namer}r�r�r�r�r�r�r,r,r-�unpack_and_verify_archivesL













z!KeyBase.unpack_and_verify_archive)T)ryN)F)F)r(r)r*rW�NAMErLrErH�STORAGE�
chunk_seed�logically_encryptedr?rlrnrorprxr�r�r�r,r,r,r-re�s	



,recspeZdZdZdZdZejZdZ	dZ
�fdd�Zedd	��Z
ed
d��Zdd
�Zdd�Zddd�Zdd�Z�ZS)�PlaintextKeyrZ	plaintextZnonerFcst�j|�d|_dS)NF)r>r?r])r@rG)rAr,r-r?UszPlaintextKey.__init__cCstjd�||�S)NzTEncryption NOT enabled.
Use the "--encryption=repokey|keyfile" to enable encryption.)r�rs)�clsrGrPr,r,r-rNYs
zPlaintextKey.createcCs||�S)Nr,)r�rGrYr,r,r-r[^szPlaintextKey.detectcCst|�j�S)N)rr�)r@rkr,r,r-rlbszPlaintextKey.id_hashcCs|jj|�}dj|j|g�S)N�)ri�compressrarg)r@rmrkr,r,r-rneszPlaintextKey.encryptTcCs`|d|jkr.|dk	rt|�nd}td|��t|�dd�}|sF|S|j|�}|j||�|S)Nrz	(unknown)z%Chunk %s: Invalid encryption enveloper)rWrr�
memoryviewrjrp)r@r^rkrj�id_str�payloadr,r,r-rois
zPlaintextKey.decryptcCs||S)Nr,)r@rrrwr,r,r-rxtszPlaintextKey._tam_key)T)r(r)r*rWr�rLrErHr�r�r�r?�classmethodrNr[rlrnrorxrBr,r,)rAr-r�Ls
r�cCstjd�td�S)Nrq)r_rrfr,r,r,r-�random_blake2b_256_keyxsr�cs*eZdZdZdd�Zd�fdd�	Z�ZS)�ID_BLAKE2b_256zi
    Key mix-in class for using BLAKE2b-256 for the id key.

    The id_key length must be 32 bytes.
    cCst|j|�S)N)r#rt)r@rkr,r,r-rl�szID_BLAKE2b_256.id_hashNcs*|dkst�t�j�t�|_t�|_dS)N)rMr>�init_from_random_datar�rvrt)r@rk)rAr,r-r��s
z$ID_BLAKE2b_256.init_from_random_data)N)r(r)r*r+rlr�rBr,r,)rAr-r��sr�c@seZdZdZdd�ZdS)�ID_HMAC_SHA_256zj
    Key mix-in class for using HMAC-SHA-256 for the id key.

    The id_key length must be 32 bytes.
    cCst|j|�S)N)r"rt)r@rkr,r,r-rl�szID_HMAC_SHA_256.id_hashN)r(r)r*r+rlr,r,r,r-r��sr�c@sJeZdZdZdZeZdZdd�Zddd	�Z	d
d�Z
dd
d�Zddd�ZdS)�
AESKeyBasea�
    Common base class shared by KeyfileKey and PassphraseKey

    Chunks are encrypted using 256bit AES in Counter Mode (CTR)

    Payload layout: TYPE(1) + HMAC(32) + NONCE(8) + CIPHERTEXT

    To reduce payload size only 8 bytes of the 16 bytes nonce is saved
    in the payload, the first 8 bytes are always zeros. This does not
    affect security but limits the maximum repository capacity to
    only 295 exabytes!
    r� r&TcCs�|jj|�}|jjtt|���|jj�dj|jj	dd�|jj
|�f�}|jtkrdt|j
�dks�|jtkr|t|j
�dks�t�|j|j
|�}dj|j||f�S)Nr�r&�r�)rir��
nonce_managerZensure_reservationr!�len�
enc_cipher�resetra�ivrn�MACr#rvr"rMrg)r@rmrkr|r,r,r-rn�s
"zAESKeyBase.encryptc	Cs$|d|jkp$|dtjko$t|t�sF|dk	r6t|�nd}td|��t|�}|dd�}|jtkrrt	|j
�dks�|jtkr�t	|j
�dks�t�t|j|j
|dd���}t
||�s�|dk	r�t|�nd}td|��|jjt|dd	�d
�|jj|d	d��}|�s
|S|j|�}|j||�|S)Nrz	(unknown)z%Chunk %s: Invalid encryption enveloper�!r�r�z/Chunk %s: Encryption envelope checksum mismatch�))r�)rWrVr�rXrrr�r�r#r�rvr"rMr	�
dec_cipherr��PREFIXrorjrp)	r@r^rkrjr�Z	data_viewZ
hmac_givenZ
hmac_computedr�r,r,r-ro�s&

zAESKeyBase.decryptcCsB|d|jkp$|dtjko$t|t�s.td��t|dd��}|S)Nrz%Manifest: Invalid encryption enveloper�r�)rWrVr�rXrr)r@r�Znoncer,r,r-�
extract_nonce�s
zAESKeyBase.extract_nonceNcCsl|dkrtjd�}|dd�|_|dd�|_|dd�|_t|dd��|_|jd@rh|jdd|_dS)	N�drr�rq�`ll��r)r_rrurvrtr r�)r@rkr,r,r-r��s

z AESKeyBase.init_from_random_datarcCsBtd|j|jddd�d�|_t|j|j|�|_td|jd�|_dS)NT�Zbig)�	byteorder)�
is_encryptrQr�F)r�rQ)rru�to_bytesr�rrGr�r�)r@Zmanifest_noncer,r,r-�init_ciphers�szAESKeyBase.init_ciphersr�r�)T)N)r)
r(r)r*r+ZPAYLOAD_OVERHEADr"r�r�rnror�r�r�r,r,r,r-r��s


r�c@s�eZdZeddd��Zeddd��Zeddd��Zedd	��Zedd
d��Zedd
��Z	edd��Z
eddd��Zdd�Zdd�Z
dS)�
PassphraseNcCs"tjj||�}|dk	r||�SdS)N)r_�environr�)r��env_var�default�
passphraser,r,r-�_env_passphrase�szPassphrase._env_passphrasecCsD|jd|�}|dk	r|S|j�}|dk	r,|S|j�}|dk	r@|SdS)N�BORG_PASSPHRASE)r��env_passcommand�
fd_passphrase)r�r�r�r,r,r-�env_passphrase�szPassphrase.env_passphrasecCs~tjjdd�}|dk	rztdd�}ytjtj|�d|d�}Wn0tjt	fk
rj}zt
|��WYdd}~XnX||jd��SdS)N�BORG_PASSCOMMANDT)�system)Zuniversal_newlines�env�
)r_r�r�r�
subprocessZcheck_output�shlex�splitZCalledProcessError�FileNotFoundErrorr/�rstrip)r�r�Zpasscommandr�r��er,r,r-r�s
zPassphrase.env_passcommandcCs^yttjjd��}Wnttfk
r,dSXtj|dd��}|j�}WdQRX||jd��S)NZBORG_PASSPHRASE_FD�r)�moder�)	�intr_r�r�rO�	TypeError�fdopen�readr�)r��fd�fr�r,r,r-r�szPassphrase.fd_passphrasecCs|jd|�S)NZBORG_NEW_PASSPHRASE)r�)r�r�r,r,r-�env_new_passphraseszPassphrase.env_new_passphrasecCs�ytj|�}Wnttk
r�|r(t�g}x6dD].}tjj|�dk	}|jd||rVdndf�q2W|jd�tdj|��d�Yn
X||�SdS)	Nr�r�z	%s is %s.�setznot setz"Interactive password query failed.� )r�r�)	�getpass�EOFError�printr_r�r��appendr'ra)r��promptZpw�msgr�Zenv_var_setr,r,r-r�s

zPassphrase.getpasscCs�d}t||dddd�r�td|tjd�tdtjd�y|jd	�Wn>tk
r�td
t|jd��tjd�tdtjd�YnXdS)
NzDDo you want your passphrase to be displayed for verification? [yN]: zInvalid answer, try again.TZBORG_DISPLAY_PASSPHRASE)Z	retry_msgZinvalid_msg�retryZenv_var_overridez-Your passphrase (between double-quotes): "%s")rdzDMake sure the passphrase displayed above is exactly what you wanted.r�z+Your passphrase (UTF-8 encoding in hex): %szutf-8z�As you have a non-ASCII passphrase, it is recommended to keep the UTF-8 encoding in hex together with the passphrase at a safe place.)rr��sys�stderr�encode�UnicodeEncodeErrorr)r�r�r�r,r,r-�verification*s



zPassphrase.verificationFcCs�|j�}|dk	r|S|j�}|dk	r(|Sxptdd�D]^}|jd�}|sJ|r�|jd�}||krt|j|�tjd�|Stdtj	d�q4tdtj	d�q4Wt
�dS)	Nr�zEnter new passphrase: zEnter same passphrase again: zDRemember your passphrase. Your data will be inaccessible without it.zPassphrases do not match)rdzPassphrase must not be blank)r�r��ranger�r�r�rsr�r�r�r0)r��allow_emptyr�r�Zpassphrase2r,r,r-�new<s"



zPassphrase.newcCsdS)Nz<Passphrase "***hidden***">r,)r@r,r,r-�__repr__SszPassphrase.__repr__cCstd|jd�|||�S)Nrzutf-8)rr�)r@rr�
iterationsZlengthr,r,r-�kdfVszPassphrase.kdf)N)N)N)N)F)r(r)r*r�r�r�r�r�r�r�r�r�r�r�r,r,r,r-r��s
r�c@sJeZdZdZdZdZejZdZ	e
dd��Ze
dd��Zd	d
�Z
dd�ZdS)
rVrr�Ni��cCs.||�}tjd�tjdd�}|j||�|S)Nz9WARNING: "passphrase" mode is unsupported since borg 1.0.F)r�)r�r�r�r��init)r�rGrPrQr�r,r,r-rNjs

zPassphraseKey.createcCs�d|jj�}||�}tj�}|dkr0tj|�}x|tdd�D]j}|j||�y:|jd|�tt	|�d�}|j
|j|�|�||_|St
k
r�tj|�}Yq<Xq<Wt�dS)NzEnter passphrase for %s: r�r�)r�r�r�r�r�r�r�ror!r�r�r��_passphraserr0)r�rGrYr�rQr�r��
num_blocksr,r,r-r[rs 
zPassphraseKey.detectcCsGdd�dt�}|�dS)Nc@seZdZdZdS)zAPassphraseKey.change_passphrase.<locals>.ImmutablePassphraseErrorz=The passphrase for this encryption key type can't be changed.N)r(r)r*r+r,r,r,r-�ImmutablePassphraseError�sr�)r)r@r�r,r,r-�change_passphrase�szPassphraseKey.change_passphrasecCs*|j|j|j|jd��|j�d|_dS)Nr�F)r�r�r^r�r�r])r@rGr�r,r,r-r��szPassphraseKey.init)r(r)r*rWr�rLrErHr�r�r�rNr[rr�r,r,r,r-rVZs	rVc@speZdZedd��Zdd�Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
ddd�Zedd��Zddd�Z
dd�ZdS)�KeyfileKeyBasec	Cs�||�}|j�}d|}tj�}|dkrlt�}|j||�s|x@tdd�D]}tj|�}|j||�rFPqFWt�n|j||�s|t�tt	|�d�}|j
|j|�|�||_|S)NzEnter passphrase for key %s: rr�r�)
�find_keyr�r��loadr�r�r0r.r!r�r�r�r�)	r�rGrYrQrhr�r�r�r�r,r,r-r[�s$
zKeyfileKeyBase.detectcCst�dS)N)�NotImplementedError)r@r,r,r-r�szKeyfileKeyBase.find_keycCst�dS)N)r)r@rhr�r,r,r-r�szKeyfileKeyBase.loadcCs�t|�}|j||�}|r~tj|�}t|d�}|jdkr>td��|j|_|j|_|j	|_	|j
|_
|j|_|jdt
|j��|_
dSdS)N)�
internal_dictrz5key version %d is not supported by this borg version.r]TF)r�decrypt_key_filerZunpackbr�versionr�
repository_idrurvrtr�r�r]rG)r@�key_datar��cdatarkrQr,r,r-�_load�s


zKeyfileKeyBase._loadcCs�td�}|j|�|j�}t|d�}|jdkr<td|j��|jdkrTtd|j��|j|j|j	d�}t
d|d	�j|j�}t
t||�|j�r�|SdS)
NrQ)rrz?encrypted key version %d is not supported by this borg version.rzCencrypted key algorithm '%s' is not supported by this borg version.r�F)r�rQ)rr�r�rrr�	algorithmr�rrr�rrorkr	r"�hash)r@rkr�r�rurQr,r,r-r�s



zKeyfileKeyBase.decrypt_key_filec	CsZtjd�}t}|j||d�}t||�}td|d�j|�}td||d||d�}tj	|j
��S)Nr�T)r�rQrr)rrrr�rr
rk)r_rZPBKDF2_ITERATIONSr�r"rrnrrr��as_dict)	r@rkr�rrr�rQr
r
rur,r,r-�encrypt_key_file�s

zKeyfileKeyBase.encrypt_key_filec	CsVtd|j|j|j|j|j|jd�}|jtj	|j
��|�}djtj
t|�jd���}|S)Nr)rrrurvrtr�r]r�r�)rrrurvrtr�r]rrr�rrar8Zwraprr�)r@r�rQrkr	r,r,r-�_save�s
zKeyfileKeyBase._saveNcCs&|dkrtjdd�}|j|j|�dS)NT)r�)r�r��saverh)r@r�r,r,r-r�sz KeyfileKeyBase.change_passphrasecCsbtjdd�}||�}|j|_|j�|j�|j|�}|j||dd�tj	d|�tj	d�|S)NT)r�)rNzKey in "%s" created.z>Keep this key safe. Your data will be inaccessible without it.)
r�r�r^rr�r��get_new_targetrr�rs)r�rGrPr�rQrhr,r,r-rN�s

zKeyfileKeyBase.createFcCst�dS)N)r)r@rhr�rNr,r,r-r�szKeyfileKeyBase.savecCst�dS)N)r)r@rPr,r,r-rszKeyfileKeyBase.get_new_target)N)F)r(r)r*r�r[rrrrrrrrNrrr,r,r,r-r�s

rc@sLeZdZdZdZdZejZdZ	dd�Z
dd�Zd	d
�Zdd�Z
ddd�ZdS)�
KeyfileKeyrzkey filerF�BORG_KEYc
Csx|jj�d}t|�}t|d��N}|jt|��|krFt|jjj	�|��|jt|��|krjt
|jjj	�|��|SQRXdS)N� �rb)�FILE_IDr�r�openr�r�r4rGr�r�r5)r@�filenamer^Zfile_idZrepo_idr�r,r,r-�sanity_checkszKeyfileKey.sanity_checkc
Cs�|jj}tjjd�}|r,|jtjj|�|�St�}xFtj	|�D]8}tjj
||�}y|j||�Sttfk
rtYq>Xq>Wt
|jjj�t���dS)N�
BORG_KEY_FILE)rGr^r_r�r�rr`�abspathr�listdirrar4r5r3r�r�)r@r^rFZkeys_dir�namerr,r,r-rs
zKeyfileKey.find_keycCsXtjjd�}|rtjj|�S|jj�}|}d}x$tjj|�rR|d7}|d|}q0W|S)Nrrz.%d)r_r�r�r`r�locationZto_key_filename�exists)r@rPrFrr`�ir,r,r-r(s
zKeyfileKey.get_new_targetcCsFt|d��}dj|j�dd��}WdQRX|j||�}|rB||_|S)Nr��r)rra�	readlinesrrh)r@rhr�r�r	�successr,r,r-r4s zKeyfileKey.loadFcCsr|rtjj|�rtd|��|j|�}t|��4}|jd|jt|j	�f�|j|�|jd�WdQRX||_
dS)Nz,Aborting because key in "%s" already exists.z%s %s
r�)r_r`rcrrr�writerrrrh)r@rhr�rNr	r�r,r,r-r<s


zKeyfileKey.saveN)F)r(r)r*rWr�rLrErIr�rrrrrrr,r,r,r-rsrc@s@eZdZdZdZdZejZdd�Z	dd�Z
dd�Zd
d
d�ZdS)rXr�ZrepokeycCs(|jjj�}|jj�}|s$t|�d�|S)N)rGr�r��load_keyr6)r@�locrQr,r,r-rPs


zRepoKey.find_keycCs|jS)N)rG)r@rPr,r,r-rXszRepoKey.get_new_targetcCsT|dk|_|j}|j�}|s0|jj�}t|�d�|jd�}|j||�}|rP||_|S)Nr"zutf-8)	r�rGr&r�r�r6r�rrh)r@rhr�r	r'r$r,r,r-r[s



zRepoKey.loadFcCs2|dk|_|j|�}|jd�}|j|�||_dS)Nr"zutf-8)r�rr�Zsave_keyrh)r@rhr�rNr	r,r,r-rms




zRepoKey.saveN)F)
r(r)r*rWr�rLrErJr�rrrrr,r,r,r-rXJsrXc@s&eZdZdZdZdZejZdZ	e
ZdS)�Blake2KeyfileKeyr�zkey file BLAKE2bzkeyfile-blake2rN)r(r)r*rWr�rLrErIr�rr#r�r,r,r,r-r(usr(c@s"eZdZdZdZdZejZe	Z
dS)�
Blake2RepoKey�zrepokey BLAKE2bzrepokey-blake2N)r(r)r*rWr�rLrErJr�r#r�r,r,r,r-r)s
r)csZeZdZejZdZ�fdd�Z�fdd�Zd�fdd�	Z	dd	�Z
d
d�Zdd
d�Z�Z
S)�AuthenticatedKeyBaseFcsBtr4td�}||_||_||_||_d|_d|_dSt�j	||�S)Nr�rFT)
r�rfrrurvrtr�r]r>r)r@r	r�ZNOPE)rAr,r-r�szAuthenticatedKeyBase._loadcst�j||�}d|_|S)NF)r>rr�)r@rhr�r$)rAr,r-r�szAuthenticatedKeyBase.loadcst�j|||d�d|_dS)N)rNF)r>rr�)r@rhr�rN)rAr,r-r�szAuthenticatedKeyBase.savecCs|d|jkrtd��dS)Nrz%Manifest: Invalid encryption envelope�*)rWr)r@r�r,r,r-r��sz"AuthenticatedKeyBase.extract_noncecCs|jj|�}dj|j|g�S)Nr�)rir�rarg)r@rmrkr,r,r-rn�szAuthenticatedKeyBase.encryptTcCsX|d|jkrtdt|���t|�dd�}|s6|S|j|�}trH|S|j||�|S)NrzChunk %s: Invalid enveloper)rWrrr�rjr�rp)r@r^rkrjr�r,r,r-ro�s
zAuthenticatedKeyBase.decrypt)F)T)r(r)r*rErJr�r�rrrr�rnrorBr,r,)rAr-r+�s
r+c@seZdZdZdZdZdS)�AuthenticatedKey�Z
authenticatedN)r(r)r*rWr�rLr,r,r,r-r-�sr-c@seZdZdZdZdZdS)�Blake2AuthenticatedKey�zauthenticated BLAKE2bzauthenticated-blake2N)r(r)r*rWr�rLr,r,r,r-r/�sr/s)\r�r_r�r�r8r�ZbinasciirrrZhashlibrrrr|rr	Zborg.loggerr
r�Z	constantsr�r
Zhelpersrrrrrrrrrrr�itemrr�platformrZnoncesrZ	low_levelrrr r!r"r#r$r�r�r'r.r/r0r1r2r3r4r5r6r7r<r=rCrDrErRrUrZr\rbr]rer�r�r�r�r��strr�rVrrrXr(r)r+r-r/rKr,r,r,r-�<module>s�$			&,Km8tD+
	8