diff options
| -rw-r--r-- | encrypt.py | 44 | ||||
| -rw-r--r-- | filecrypt.py | 35 | ||||
| -rw-r--r-- | server.py | 3 |
3 files changed, 58 insertions, 24 deletions
@@ -1,20 +1,50 @@ #!/usr/bin/env python3 -import os - -from filecrypt import encrypt_file - if __name__ == '__main__': + import os + import configparser import argparse - parser = argparse.ArgumentParser() + + from tqdm import tqdm + + from filecrypt import generate_keys, payload_size + + parser = argparse.ArgumentParser(description='Filecrypt secure file download encryption tool.' + 'Encrypts a file for use with the filecrypt server, and output the generated download link.') parser.add_argument('infile') + parser.add_argument('-c', '--config', default=None, help='Config file location (default; $XDG_CONFIG_HOME/filecrypt.conf)') + parser.add_argument('-b', '--base-url', default=None, help='Base URL for link (also as config option)') + parser.add_argument('-q', '--no-progress', action='store_true', help='Hide progress bar') + parser.add_argument('-p', '--progress', action='store_true', help='Show progress bar (default, also as config option)') args = parser.parse_args() + progress = (not args.no_progress) or args.progress + config_path = args.config or os.environ.get('XDG_CONFIG_HOME', os.environ.get('HOME') + '/.config') + '/filecrypt.conf' + base_url = args.base_url + if os.path.isfile(config_path): + with open(config_path) as f: + config = configparser.ConfigParser(defaults={'url_base': ''}) + config.read_string('[DEFAULT]\n'+f.read()) # doesn't parse simple key=value file by default m( + + if base_url is None: + base_url = config.get('DEFAULT', 'base_url', fallback='').rstrip('/') + if not (args.no_progress or args.progress): + progress = config.getboolean('DEFAULT', 'progress', fallback=True) + if not os.path.isfile(args.infile): print(f'{infile} is not a file or directory, exiting.') os.exit(2) download_filename = os.path.basename(args.infile) - file_id, token = encrypt_file(args.infile, download_filename) - print(f'/{file_id}/{token}/{download_filename}') + + file_id, token, encrypt = generate_keys(download_filename) + print(f'{base_url}/{file_id}/{token}/{download_filename}') + + if progress: + with tqdm(total=payload_size(args.infile), unit='B', unit_scale=True) as pbar: + for progress in encrypt(args.infile): + pbar.update(progress) + else: + for _progress in encrypt(args.infile): + pass diff --git a/filecrypt.py b/filecrypt.py index da0db9b..755e857 100644 --- a/filecrypt.py +++ b/filecrypt.py @@ -5,12 +5,13 @@ import struct import subprocess import binascii import os +from contextlib import contextmanager FILE_ID_LENGTH = 22 TOKEN_LENGTH = 22 HEADER_LENGTH = 56 -def encrypt_file(filename_in, download_filename, chunk_size=1000000//16): +def generate_keys(download_filename, chunk_size=1000000//16): file_id = secrets.token_urlsafe(16) auth_secret = secrets.token_bytes(16) key = secrets.token_bytes(16) @@ -19,25 +20,27 @@ def encrypt_file(filename_in, download_filename, chunk_size=1000000//16): token_cipher = AES.new(auth_secret, AES.MODE_GCM) token_cipher.update(download_filename.encode()) ciphertext, token_tag = token_cipher.encrypt_and_digest(key) - token = base64.b64encode(ciphertext).rstrip(b'=').decode() + token = base64.b64encode(ciphertext, b'+-').rstrip(b'=').decode() - with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin: - fout.write(token_cipher.nonce) # 16 bytes - fout.write(token_tag) # 16 bytes - fout.write(auth_secret) # 16 bytes - fout.write(data_nonce) # 8 bytes - assert fout.tell() == HEADER_LENGTH + def encrypt(filename_in): + with open(f'{file_id}.enc', 'wb') as fout, open(filename_in, 'rb') as fin: + fout.write(token_cipher.nonce) # 16 bytes + fout.write(token_tag) # 16 bytes + fout.write(auth_secret) # 16 bytes + fout.write(data_nonce) # 8 bytes + assert fout.tell() == HEADER_LENGTH - cipher = AES.new(key, AES.MODE_CTR, - initial_value=struct.pack('<Q', 0), nonce=data_nonce) + cipher = AES.new(key, AES.MODE_CTR, + initial_value=struct.pack('<Q', 0), nonce=data_nonce) - block = fin.read(cipher.block_size*chunk_size) - while block: - data = cipher.encrypt(block) - fout.write(data) block = fin.read(cipher.block_size*chunk_size) + while block: + data = cipher.encrypt(block) + fout.write(data) + yield len(data) + block = fin.read(cipher.block_size*chunk_size) - return file_id, token + return file_id, token, encrypt def payload_size(path): return os.stat(path).st_size - HEADER_LENGTH @@ -50,7 +53,7 @@ def decrypt_generator(filename, download_filename, token, seek=0, end=None, chun data_nonce = fin.read(8) assert fin.tell() == HEADER_LENGTH - ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3)) + ciphertext = base64.b64decode(token + '='*((3-len(token)%3)%3), b'+-') token_cipher = AES.new(auth_secret, AES.MODE_GCM, nonce=token_nonce) token_cipher.update(download_filename.encode()) key = token_cipher.decrypt_and_verify(ciphertext, token_tag) @@ -8,6 +8,7 @@ from flask import Flask, abort, request, Response import filecrypt app = Flask(__name__) +app.config.from_envvar('SECURE_DOWNLOAD_SETTINGS') BASE64_RE = re.compile('^[A-Za-z0-9+-_]+=*$') @app.route('/<file_id>/<token>/<filename>') @@ -17,7 +18,7 @@ def download(file_id, token, filename): if not BASE64_RE.match(token) or len(token) != filecrypt.TOKEN_LENGTH: abort(400, 'Invalid token format') - path = f'{file_id}.enc' + path = f'{app.config["SERVE_PATH"]}/{file_id}.enc' if not os.path.isfile(path): abort(403) # forbidden |