summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--encrypt.py44
-rw-r--r--filecrypt.py35
-rw-r--r--server.py3
3 files changed, 58 insertions, 24 deletions
diff --git a/encrypt.py b/encrypt.py
index e813d36..e13df79 100644
--- a/encrypt.py
+++ b/encrypt.py
@@ -1,20 +1,50 @@
#!/usr/bin/env python3
-import os
-
-from filecrypt import encrypt_file
-
if __name__ == '__main__':
+ import os
+ import configparser
import argparse
- parser = argparse.ArgumentParser()
+
+ from tqdm import tqdm
+
+ from filecrypt import generate_keys, payload_size
+
+ parser = argparse.ArgumentParser(description='Filecrypt secure file download encryption tool.'
+ 'Encrypts a file for use with the filecrypt server, and output the generated download link.')
parser.add_argument('infile')
+ parser.add_argument('-c', '--config', default=None, help='Config file location (default; $XDG_CONFIG_HOME/filecrypt.conf)')
+ parser.add_argument('-b', '--base-url', default=None, help='Base URL for link (also as config option)')
+ parser.add_argument('-q', '--no-progress', action='store_true', help='Hide progress bar')
+ parser.add_argument('-p', '--progress', action='store_true', help='Show progress bar (default, also as config option)')
args = parser.parse_args()
+ progress = (not args.no_progress) or args.progress
+ config_path = args.config or os.environ.get('XDG_CONFIG_HOME', os.environ.get('HOME') + '/.config') + '/filecrypt.conf'
+ base_url = args.base_url
+ if os.path.isfile(config_path):
+ with open(config_path) as f:
+ config = configparser.ConfigParser(defaults={'url_base': ''})
+ config.read_string('[DEFAULT]\n'+f.read()) # doesn't parse simple key=value file by default m(
+
+ if base_url is None:
+ base_url = config.get('DEFAULT', 'base_url', fallback='').rstrip('/')
+ if not (args.no_progress or args.progress):
+ progress = config.getboolean('DEFAULT', 'progress', fallback=True)
+
if not os.path.isfile(args.infile):
print(f'{infile} is not a file or directory, exiting.')
os.exit(2)
download_filename = os.path.basename(args.infile)
- file_id, token = encrypt_file(args.infile, download_filename)
- print(f'/{file_id}/{token}/{download_filename}')
+
+ file_id, token, encrypt = generate_keys(download_filename)
+ print(f'{base_url}/{file_id}/{token}/{download_filename}')
+
+ if progress:
+ with tqdm(total=payload_size(args.infile), unit='B', unit_scale=True) as pbar:
+ for progress in encrypt(args.infile):
+ pbar.update(progress)
+ else:
+ for _progress in encrypt(args.infile):
+ pass
diff --git a/filecrypt.py b/filecrypt.py
index da0db9b..755e857 100644
--- a/filecrypt.py
+++ b/filecrypt.py
@@ -5,12 +5,13 @@ import struct
import subprocess
import binascii
import os
+from contextlib import contextmanager
FILE_ID_LENGTH = 22
TOKEN_LENGTH = 22
HEADER_LENGTH = 56
-def encrypt_file(filename_in, download_filename, chunk_size=1000000//16):
+def generate_keys(download_filename, chunk_size=1000000//16):
file_id = secrets.token_urlsafe(16)
auth_secret = secrets.token_bytes(16)
key = secrets.token_bytes(16)
@@ -19,25 +20,27 @@ def encrypt_file(filename_in, download_filename, chunk_size=1000000//16):
token_cipher = AES.new(auth_secret, AES.MODE_GCM)
token_cipher.update(download_filename.encode())
ciphertext, token_tag = token_cipher.encrypt_and_digest(key)
- token = base64.b64encode(ciphertext).rstrip(b'=').decode()
+ token = base64.b64encode(ciphertext, b'+-').rstrip(b'=').decode()
- with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin:
- fout.write(token_cipher.nonce) # 16 bytes
- fout.write(token_tag) # 16 bytes
- fout.write(auth_secret) # 16 bytes
- fout.write(data_nonce) # 8 bytes
- assert fout.tell() == HEADER_LENGTH
+ def encrypt(filename_in):
+ with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin:
+ fout.write(token_cipher.nonce) # 16 bytes
+ fout.write(token_tag) # 16 bytes
+ fout.write(auth_secret) # 16 bytes
+ fout.write(data_nonce) # 8 bytes
+ assert fout.tell() == HEADER_LENGTH
- cipher = AES.new(key, AES.MODE_CTR,
- initial_value=struct.pack('<Q', 0), nonce=data_nonce)
+ cipher = AES.new(key, AES.MODE_CTR,
+ initial_value=struct.pack('<Q', 0), nonce=data_nonce)
- block = fin.read(cipher.block_size*chunk_size)
- while block:
- data = cipher.encrypt(block)
- fout.write(data)
block = fin.read(cipher.block_size*chunk_size)
+ while block:
+ data = cipher.encrypt(block)
+ fout.write(data)
+ yield len(data)
+ block = fin.read(cipher.block_size*chunk_size)
- return file_id, token
+ return file_id, token, encrypt
def payload_size(path):
return os.stat(path).st_size - HEADER_LENGTH
@@ -50,7 +53,7 @@ def decrypt_generator(filename, download_filename, token, seek=0, end=None, chun
data_nonce = fin.read(8)
assert fin.tell() == HEADER_LENGTH
- ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3))
+ ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3), b'+-')
token_cipher = AES.new(auth_secret, AES.MODE_GCM, nonce=token_nonce)
token_cipher.update(download_filename.encode())
key = token_cipher.decrypt_and_verify(ciphertext, token_tag)
diff --git a/server.py b/server.py
index 694b1ac..4d8e4dc 100644
--- a/server.py
+++ b/server.py
@@ -8,6 +8,7 @@ from flask import Flask, abort, request, Response
import filecrypt
app = Flask(__name__)
+app.config.from_envvar('SECURE_DOWNLOAD_SETTINGS')
BASE64_RE = re.compile('^[A-Za-z0-9+-_]+=*$')
@app.route('/<file_id>/<token>/<filename>')
@@ -17,7 +18,7 @@ def download(file_id, token, filename):
if not BASE64_RE.match(token) or len(token) != filecrypt.TOKEN_LENGTH:
abort(400, 'Invalid token format')
- path = f'{file_id}.enc'
+ path = f'{app.config["SERVE_PATH"]}/{file_id}.enc'
if not os.path.isfile(path):
abort(403) # forbidden