Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

backups: change default HMAC algorithm to SHA512

Browse Source 
Backups should be safe also for long-term, so change HMAC to SHA512,
which should be usable much longer than SHA1.

See this thread for discussion:
https://groups.google.com/d/msg/qubes-devel/5X-WjdP9VqQ/4zI8-QWd0S4J

Additionally save guessed HMAC in artificial header data (when no real
header exists).
This commit is contained in:
Marek Marczykowski-Górecki 2014-09-18 08:25:58 +02:00
parent 603384b4c6
commit dba6798a60
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/backup.py
View File

@ -43,7 +43,7 @@ BACKUP_DEBUG = False
HEADER_FILENAME = 'backup-header'
DEFAULT_CRYPTO_ALGORITHM = 'aes-256-cbc'
DEFAULT_HMAC_ALGORITHM = 'SHA1'
DEFAULT_HMAC_ALGORITHM = 'SHA512'
# Maximum size of error message get from process stderr (including VM process)
MAX_STDERR_BYTES = 1024
# header + qubes.xml max size
@ -1174,6 +1174,8 @@ def restore_vm_dirs (backup_source, restore_tmpdir, passphrase, vms_dirs, vms,
encrypted = header_data[BackupHeader.encrypted]
os.unlink(filename)
else:
# if no header found, create one with guessed HMAC algo
header_data = { BackupHeader.hmac_algorithm: hmac_algorithm }
# If this isn't backup header, pass it to ExtractWorker
to_extract.put(filename)
# when tar do not find expected file in archive, it exit with