(self, id, data)
| 847 | MAX_IV = 2**48 - 1 |
| 848 | |
| 849 | def assert_id(self, id, data): |
| 850 | # Comparing the id hash here would not be needed any more for the new AEAD crypto **IF** we |
| 851 | # could be sure that chunks were created by normal (not tampered, not evil) borg code: |
| 852 | # We put the id into AAD when storing the chunk, so it gets into the authentication tag computation. |
| 853 | # when decrypting, we provide the id we **want** as AAD for the auth tag verification, so |
| 854 | # decrypting only succeeds if we got the ciphertext we wrote **for that chunk id**. |
| 855 | # So, basically the **repository** can not cheat on us by giving us a different chunk. |
| 856 | # |
| 857 | # **BUT**, if chunks are created by tampered, evil borg code, the borg client code could put |
| 858 | # a wrong chunkid into AAD and then AEAD-encrypt-and-auth this and store it into the |
| 859 | # repository using this bad chunkid as key (violating the usual chunkid == id_hash(data)). |
| 860 | # Later, when reading such a bad chunk, AEAD-auth-and-decrypt would not notice any |
| 861 | # issue and decrypt successfully. |
| 862 | # Thus, to notice such evil borg activity, we must check for such violations here: |
| 863 | if id and id != Manifest.MANIFEST_ID: |
| 864 | id_computed = self.id_hash(data) |
| 865 | if not hmac.compare_digest(id_computed, id): |
| 866 | raise IntegrityError("Chunk %s: id verification failed" % bin_to_hex(id)) |
| 867 | |
| 868 | def encrypt(self, id, data): |
| 869 | # to encrypt new data in this session we use always self.cipher and self.sessionid |
nothing calls this directly
no test coverage detected