diff --git a/docs/usage/general/environment.rst.inc b/docs/usage/general/environment.rst.inc index f80086309..16ff54dc0 100644 --- a/docs/usage/general/environment.rst.inc +++ b/docs/usage/general/environment.rst.inc @@ -115,6 +115,14 @@ General: Now you can init a fresh repo. Make sure you do not use the workaround any more. + ignore_invalid_archive_tam + Work around invalid archive TAMs created by borg < 1.2.5, see :issue:`7791`. + + This workaround likely needs to get used only once when following the upgrade + instructions for CVE-2023-36811, see :ref:`archives_tam_vuln`. + + In normal production operations, this workaround should never be used. + Some automatic "answerers" (if set, they automatically answer confirmation questions): BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) For "Warning: Attempting to access a previously unknown unencrypted repository" diff --git a/src/borg/crypto/key.py b/src/borg/crypto/key.py index 6dea01d78..6f347e816 100644 --- a/src/borg/crypto/key.py +++ b/src/borg/crypto/key.py @@ -283,7 +283,7 @@ class KeyBase: return unpacked, True def unpack_and_verify_archive(self, data, force_tam_not_required=False): - """Unpack msgpacked *data* and return (object, did_verify).""" + """Unpack msgpacked *data* and return (object, did_verify, salt).""" tam_required = self.tam_required if force_tam_not_required and tam_required: # for a long time, borg only checked manifest for "tam_required" and @@ -320,7 +320,11 @@ class KeyBase: tam_key = self._tam_key(tam_salt, context=b'archive') calculated_hmac = HMAC(tam_key, data, sha512).digest() if not compare_digest(calculated_hmac, tam_hmac): - raise ArchiveTAMInvalid() + if 'ignore_invalid_archive_tam' in workarounds: + logger.debug('ignoring invalid archive TAM due to BORG_WORKAROUNDS') + return unpacked, False, None # same as if no TAM is present + else: + raise ArchiveTAMInvalid() logger.debug('TAM-verified archive') return unpacked, True, tam_salt