dissect.fve 4.5.dev4__tar.gz → 4.5.dev5__tar.gz

{dissect_fve-4.5.dev4/dissect.fve.egg-info → dissect_fve-4.5.dev5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.fve
-Version: 4.5.dev4
+Version: 4.5.dev5
 Summary: A Dissect module implementing a parsers for full volume encryption implementations, currently Linux Unified Key Setup (LUKS1 and LUKS2) and Microsoft's Bitlocker Disk Encryption
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

dissect_fve-4.5.dev5/dissect/fve/__init__.py

@@ -0,0 +1,5 @@
+from dissect.fve.exception import Error
+
+__all__ = [
+    "Error",
+]

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect/fve/bde/bde.py

@@ -31,9 +31,9 @@ from dissect.fve.bde.c_bde import (
 )
 from dissect.fve.bde.eow import EowInformation
 from dissect.fve.bde.information import Dataset, Information, KeyDatum, VmkInfoDatum
-from dissect.fve.bde.keys import derive_recovery_key, derive_user_key, stretch
+from dissect.fve.bde.key import derive_recovery_key, derive_user_key, stretch
 from dissect.fve.crypto import create_cipher
-from dissect.fve.exceptions import InvalidHeaderError
+from dissect.fve.exception import InvalidHeaderError
 
 if TYPE_CHECKING:
     from collections.abc import Iterator
@@ -159,8 +159,7 @@ class BDE:
 
     def unlock_with_clear_key(self) -> BDE:
         """Unlock this volume with the clear/obfuscated key."""
-        vmk = self.information.dataset.find_clear_vmk()
-        if not vmk:
+        if not (vmk := self.information.dataset.find_clear_vmk()):
             raise ValueError("No clear VMK found")
 
         return self.unlock(vmk.decrypt(vmk.clear_key()))
@@ -168,25 +167,31 @@ class BDE:
     def unlock_with_recovery_password(self, recovery_password: str, identifier: UUID | str | None = None) -> BDE:
         """Unlock this volume with the recovery password."""
         recovery_key = derive_recovery_key(recovery_password)
-        return self._unlock_with_user_key(self.information.dataset.find_recovery_vmk(), recovery_key, identifier)
+        try:
+            return self._unlock_with_user_key(self.information.dataset.find_recovery_vmk(), recovery_key, identifier)
+        except ValueError as e:
+            raise ValueError("Unable to unlock with given recovery password") from e
 
     def unlock_with_passphrase(self, passphrase: str, identifier: UUID | str | None = None) -> BDE:
         """Unlock this volume with the user passphrase."""
         user_key = derive_user_key(passphrase)
-        return self._unlock_with_user_key(self.information.dataset.find_passphrase_vmk(), user_key, identifier)
+        try:
+            return self._unlock_with_user_key(self.information.dataset.find_passphrase_vmk(), user_key, identifier)
+        except ValueError as e:
+            raise ValueError("Unable to unlock with given passphrase") from e
 
     def unlock_with_bek(self, bek_fh: BinaryIO) -> BDE:
         """Unlock this volume with a BEK file."""
         bek_ds = Dataset(bek_fh)
         startup_key = bek_ds.find_startup_key()
         if not startup_key:
-            raise ValueError("No startup key found")
+            raise ValueError("Unable to unlock with BEK, no startup key found")
 
         for vmk in self.information.dataset.find_external_vmk():
             if vmk.identifier == startup_key.identifier:
                 break
         else:
-            raise ValueError("No compatible VMK found")
+            raise ValueError("Unable to unlock with BEK, no matching VMK found")
 
         decrypted_key = vmk.decrypt(startup_key.external_key())
         return self.unlock(decrypted_key)
@@ -217,7 +222,7 @@ class BDE:
             except ValueError:
                 continue
         else:
-            raise ValueError("No compatible VMK found")
+            raise ValueError("No compatible VMK found, incorrect key or identifier")
 
         return self.unlock(decrypted_key)
 

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect/fve/bde/eow.py

@@ -14,7 +14,7 @@ from dissect.fve.bde.c_bde import (
     EOW_SIGNATURE,
     c_bde,
 )
-from dissect.fve.exceptions import InvalidHeaderError
+from dissect.fve.exception import InvalidHeaderError
 
 if TYPE_CHECKING:
     from collections.abc import Iterator

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect/fve/bde/information.py

@@ -20,7 +20,7 @@ from dissect.fve.bde.c_bde import (
     FVE_STATE,
     c_bde,
 )
-from dissect.fve.exceptions import InvalidHeaderError
+from dissect.fve.exception import InvalidHeaderError
 
 if TYPE_CHECKING:
     import datetime

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect/fve/crypto/_pycryptodome.py

@@ -13,7 +13,7 @@ from dissect.fve.crypto.base import DECRYPT, ENCRYPT, IV, Cipher
 
 if platform.python_implementation() == "CPython":
     # On CPython, our own "pure Python" XOR is somehow faster than the one from pycryptodome
-    from dissect.fve.crypto.utils import xor
+    from dissect.fve.crypto.util import xor
 else:
     # On PyPy the opposite is true, and also just use this as the default fallback
     from Crypto.Util.strxor import strxor as xor

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect/fve/luks/af.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 import hashlib
 
-from dissect.fve.crypto.utils import xor
+from dissect.fve.crypto.util import xor
 
 DIGEST_SIZE = {
     "sha1": 20,

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5/dissect.fve.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dissect.fve
-Version: 4.5.dev4
+Version: 4.5.dev5
 Summary: A Dissect module implementing a parsers for full volume encryption implementations, currently Linux Unified Key Setup (LUKS1 and LUKS2) and Microsoft's Bitlocker Disk Encryption
 Author-email: Dissect Team <dissect@fox-it.com>
 License-Expression: AGPL-3.0-or-later

{dissect_fve-4.5.dev4 → dissect_fve-4.5.dev5}/dissect.fve.egg-info/SOURCES.txt

@@ -12,7 +12,7 @@ dissect.fve.egg-info/requires.txt
 dissect.fve.egg-info/top_level.txt
 dissect/fve/__init__.py
 dissect/fve/_build.py
-dissect/fve/exceptions.py
+dissect/fve/exception.py
 dissect/fve/_native/__init__.pyi
 dissect/fve/_native.src/Cargo.lock
 dissect/fve/_native.src/Cargo.toml
@@ -26,14 +26,14 @@ dissect/fve/bde/bde.py
 dissect/fve/bde/c_bde.py
 dissect/fve/bde/eow.py
 dissect/fve/bde/information.py
-dissect/fve/bde/keys.py
+dissect/fve/bde/key.py
 dissect/fve/crypto/__init__.py
 dissect/fve/crypto/_pycryptodome.py
 dissect/fve/crypto/argon2.py
 dissect/fve/crypto/base.py
 dissect/fve/crypto/dmcrypt.py
 dissect/fve/crypto/elephant.py
-dissect/fve/crypto/utils.py
+dissect/fve/crypto/util.py
 dissect/fve/luks/__init__.py
 dissect/fve/luks/af.py
 dissect/fve/luks/c_luks.py
@@ -42,14 +42,8 @@ dissect/fve/luks/metadata.py
 dissect/fve/tools/__init__.py
 dissect/fve/tools/dd.py
 tests/__init__.py
-tests/_utils.py
+tests/_util.py
 tests/conftest.py
-tests/test_bde.py
-tests/test_bde_eow_bitmap.py
-tests/test_crypto.py
-tests/test_luks.py
-tests/test_luks_kdf.py
-tests/test_luks_metadata.py
 tests/_data/bde/aes-xts_128.bin.gz
 tests/_data/bde/aes-xts_256.bin.gz
 tests/_data/bde/aes_128.bin.gz
@@ -76,4 +70,14 @@ tests/_data/luks2/aes-xts-plain64.bin.gz
 tests/_data/luks2/multiple-slots.bin.gz
 tests/_docs/Makefile
 tests/_docs/conf.py
-tests/_docs/index.rst
+tests/_docs/index.rst
+tests/bde/__init__.py
+tests/bde/conftest.py
+tests/bde/test_bde.py
+tests/bde/test_eow.py
+tests/crypto/__init__.py
+tests/crypto/test_crypto.py
+tests/crypto/test_elephant.py
+tests/luks/__init__.py
+tests/luks/test_luks.py
+tests/luks/test_metadata.py

{dissect_fve-4.5.dev4/tests → dissect_fve-4.5.dev5/tests/bde}/conftest.py

@@ -4,18 +4,12 @@ from typing import TYPE_CHECKING, BinaryIO
 
 import pytest
 
-from tests._utils import open_file_gz
+from tests._util import open_file_gz
 
 if TYPE_CHECKING:
     from collections.abc import Iterator
 
 
-def pytest_addoption(parser: pytest.Parser) -> None:
-    parser.addoption(
-        "--force-native", action="store_true", default=False, help="run native tests, not allowing fallbacks"
-    )
-
-
 @pytest.fixture
 def bde_aes_128() -> Iterator[BinaryIO]:
     yield from open_file_gz("_data/bde/aes_128.bin.gz")

{dissect_fve-4.5.dev4/tests → dissect_fve-4.5.dev5/tests/bde}/test_bde.py

@@ -7,7 +7,7 @@ from typing import BinaryIO
 import pytest
 
 from dissect.fve.bde import bde, c_bde, is_bde_volume
-from tests._utils import open_file, open_file_gz
+from tests._util import open_file, open_file_gz
 
 
 def _verify_crypto_stream(bde_obj: bde.BDE) -> None:
@@ -271,3 +271,24 @@ def test_bde_eow_partial(bde_eow_partial: BinaryIO) -> None:
 
 def test_is_bde_volume(bde_aes_128: BinaryIO) -> None:
     assert is_bde_volume(bde_aes_128)
+
+
+def test_bde_wrong_keys() -> None:
+    """Test that wrong keys raise a sensible error message."""
+    with contextlib.contextmanager(open_file_gz)("_data/bde/aes_128.bin.gz") as fh:
+        bde_obj = bde.BDE(fh)
+
+        with pytest.raises(ValueError, match="Unable to unlock with given passphrase"):
+            bde_obj.unlock_with_passphrase("wrongpassword")
+
+        with pytest.raises(ValueError, match="Unable to unlock with given recovery password"):
+            bde_obj.unlock_with_recovery_password("000000-000000-000000-000000-000000-000000-000000-000000")
+
+    with (
+        contextlib.contextmanager(open_file_gz)("_data/bde/recovery_key.bin.gz") as fh,
+        contextlib.contextmanager(open_file)("_data/bde/startup_key.bek") as bek_fh,
+    ):
+        bde_obj = bde.BDE(fh)
+
+        with pytest.raises(ValueError, match="Unable to unlock with BEK"):
+            bde_obj.unlock_with_bek(bek_fh)

dissect_fve-4.5.dev5/tests/conftest.py

@@ -0,0 +1,12 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    import pytest
+
+
+def pytest_addoption(parser: pytest.Parser) -> None:
+    parser.addoption(
+        "--force-native", action="store_true", default=False, help="run native tests, not allowing fallbacks"
+    )

{dissect_fve-4.5.dev4/tests → dissect_fve-4.5.dev5/tests/crypto}/test_crypto.py

@@ -4,7 +4,7 @@ import hashlib
 
 import pytest
 
-from dissect.fve.crypto import create_cipher, elephant, parse_cipher_spec
+from dissect.fve.crypto import create_cipher, parse_cipher_spec
 
 
 @pytest.mark.parametrize(
@@ -201,32 +201,6 @@ def test_crypto_ciphers(cipher_spec: str, key: str, buf: str, sector: int, expec
     assert cipher.encrypt(out, sector) == buf
 
 
-def test_crypto_elephant_diffuser_a() -> None:
-    buffer = bytearray(b"a" * 512)
-    view = memoryview(buffer)
-
-    elephant.diffuser_a_encrypt(view, 512)
-
-    assert hashlib.sha256(buffer).hexdigest() == "f58aa15c1219f893c4ed355d363d8f831bcc0c4a82c6bbffcca321aada9e86ec"
-
-    elephant.diffuser_a_decrypt(view, 512)
-
-    assert buffer == b"a" * 512
-
-
-def test_crypto_elephant_diffuser_b() -> None:
-    buffer = bytearray(b"a" * 512)
-    view = memoryview(buffer)
-
-    elephant.diffuser_b_encrypt(view, 512)
-
-    assert hashlib.sha256(buffer).hexdigest() == "1d5a51ae0d0b6309f1f8661376af9ebd880b1274601f6841f5aaeb5273580133"
-
-    elephant.diffuser_b_decrypt(view, 512)
-
-    assert buffer == b"a" * 512
-
-
 @pytest.mark.parametrize(
     ("spec", "key_size", "key_size_hint", "expected"),
     [

dissect_fve-4.5.dev5/tests/crypto/test_elephant.py

@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+import hashlib
+
+from dissect.fve.crypto import elephant
+
+
+def test_crypto_elephant_diffuser_a() -> None:
+    buffer = bytearray(b"a" * 512)
+    view = memoryview(buffer)
+
+    elephant.diffuser_a_encrypt(view, 512)
+
+    assert hashlib.sha256(buffer).hexdigest() == "f58aa15c1219f893c4ed355d363d8f831bcc0c4a82c6bbffcca321aada9e86ec"
+
+    elephant.diffuser_a_decrypt(view, 512)
+
+    assert buffer == b"a" * 512
+
+
+def test_crypto_elephant_diffuser_b() -> None:
+    buffer = bytearray(b"a" * 512)
+    view = memoryview(buffer)
+
+    elephant.diffuser_b_encrypt(view, 512)
+
+    assert hashlib.sha256(buffer).hexdigest() == "1d5a51ae0d0b6309f1f8661376af9ebd880b1274601f6841f5aaeb5273580133"
+
+    elephant.diffuser_b_decrypt(view, 512)
+
+    assert buffer == b"a" * 512

dissect_fve-4.5.dev4/tests/test_luks_kdf.py → dissect_fve-4.5.dev5/tests/luks/test_luks.py

@@ -1,10 +1,68 @@
 from __future__ import annotations
 
+import contextlib
+from typing import BinaryIO
+
 import pytest
 
 from dissect.fve.crypto import argon2
-from dissect.fve.luks.luks import derive_passphrase_key
+from dissect.fve.luks.luks import LUKS, derive_passphrase_key
 from dissect.fve.luks.metadata import Keyslot
+from tests._util import open_file_gz
+
+
+def _verify_crypto_stream(luks_obj: LUKS) -> None:
+    stream = luks_obj.open()
+    for i in range(4):
+        assert stream.read(512) == bytes([i] * 512)
+
+
+def _verify_passphrase_crypto(test_file: BinaryIO, passphrase: str, cipher_type: str) -> None:
+    luks_obj = LUKS(test_file)
+
+    assert not luks_obj.unlocked
+    assert luks_obj.keyslots
+
+    try:
+        luks_obj.unlock_with_passphrase(passphrase)
+    except ValueError as e:
+        if "Hashing failed: out of memory" in str(e):
+            pytest.skip("Argon2 failed due to insufficient memory, skipping")
+        raise
+
+    assert luks_obj.find_segment(luks_obj._active_keyslot_id).encryption == cipher_type
+    _verify_crypto_stream(luks_obj)
+
+
+@pytest.mark.parametrize(
+    ("test_file", "password", "cipher"),
+    [
+        pytest.param("_data/luks1/aes-ecb.bin.gz", "password", "aes-ecb", id="luks1-aes-ecb"),
+        pytest.param("_data/luks1/sha1.bin.gz", "password", "aes-ecb", id="luks1-aes-ecb-sha1"),
+        pytest.param("_data/luks2/aes-cbc-plain.bin.gz", "password", "aes-cbc-plain", id="luks2-aes-cbc-plain"),
+        pytest.param("_data/luks2/aes-cbc-essiv.bin.gz", "password", "aes-cbc-essiv:sha256", id="luks2-aes-cbc-essiv"),
+        pytest.param("_data/luks2/aes-ecb-pbkdf2.bin.gz", "password", "aes-ecb", id="luks2-aes-ecb-pbkdf2"),
+        pytest.param("_data/luks2/aes-xts-plain64.bin.gz", "password", "aes-xts-plain64", id="luks2-aes-xts-plain64"),
+        pytest.param("_data/luks2/multiple-slots.bin.gz", "password", "aes-cbc-plain", id="luks2-multiple-slots-1"),
+        pytest.param("_data/luks2/multiple-slots.bin.gz", "another", "aes-cbc-plain", id="luks2-multiple-slots-2"),
+    ],
+)
+def test_luks(test_file: str, password: str, cipher: str, request: pytest.FixtureRequest) -> None:
+    if (
+        request.node.callspec.id
+        in (
+            "luks2-aes-cbc-plain",
+            "luks2-aes-cbc-essiv",
+            "luks2-aes-xts-plain64",
+            "luks2-multiple-slots-1",
+            "luks2-multiple-slots-2",
+        )
+        and not argon2.HAS_ARGON2
+    ):
+        pytest.skip("Argon2 is not available, skipping")
+
+    with contextlib.contextmanager(open_file_gz)(test_file) as fh:
+        _verify_passphrase_crypto(fh, password, cipher)
 
 
 def test_luks_kdf_pbkdf2() -> None:

dissect_fve-4.5.dev4/dissect/fve/__init__.py

@@ -1,5 +0,0 @@
-from dissect.fve.exceptions import Error
-
-__all__ = [
-    "Error",
-]

dissect_fve-4.5.dev4/tests/test_luks.py

@@ -1,64 +0,0 @@
-from __future__ import annotations
-
-import contextlib
-from typing import BinaryIO
-
-import pytest
-
-from dissect.fve.crypto import argon2
-from dissect.fve.luks.luks import LUKS
-from tests._utils import open_file_gz
-
-
-def _verify_crypto_stream(luks_obj: LUKS) -> None:
-    stream = luks_obj.open()
-    for i in range(4):
-        assert stream.read(512) == bytes([i] * 512)
-
-
-def _verify_passphrase_crypto(test_file: BinaryIO, passphrase: str, cipher_type: str) -> None:
-    luks_obj = LUKS(test_file)
-
-    assert not luks_obj.unlocked
-    assert luks_obj.keyslots
-
-    try:
-        luks_obj.unlock_with_passphrase(passphrase)
-    except ValueError as e:
-        if "Hashing failed: out of memory" in str(e):
-            pytest.skip("Argon2 failed due to insufficient memory, skipping")
-        raise
-
-    assert luks_obj.find_segment(luks_obj._active_keyslot_id).encryption == cipher_type
-    _verify_crypto_stream(luks_obj)
-
-
-@pytest.mark.parametrize(
-    ("test_file", "password", "cipher"),
-    [
-        pytest.param("_data/luks1/aes-ecb.bin.gz", "password", "aes-ecb", id="luks1-aes-ecb"),
-        pytest.param("_data/luks1/sha1.bin.gz", "password", "aes-ecb", id="luks1-aes-ecb-sha1"),
-        pytest.param("_data/luks2/aes-cbc-plain.bin.gz", "password", "aes-cbc-plain", id="luks2-aes-cbc-plain"),
-        pytest.param("_data/luks2/aes-cbc-essiv.bin.gz", "password", "aes-cbc-essiv:sha256", id="luks2-aes-cbc-essiv"),
-        pytest.param("_data/luks2/aes-ecb-pbkdf2.bin.gz", "password", "aes-ecb", id="luks2-aes-ecb-pbkdf2"),
-        pytest.param("_data/luks2/aes-xts-plain64.bin.gz", "password", "aes-xts-plain64", id="luks2-aes-xts-plain64"),
-        pytest.param("_data/luks2/multiple-slots.bin.gz", "password", "aes-cbc-plain", id="luks2-multiple-slots-1"),
-        pytest.param("_data/luks2/multiple-slots.bin.gz", "another", "aes-cbc-plain", id="luks2-multiple-slots-2"),
-    ],
-)
-def test_luks(test_file: str, password: str, cipher: str, request: pytest.FixtureRequest) -> None:
-    if (
-        request.node.callspec.id
-        in (
-            "luks2-aes-cbc-plain",
-            "luks2-aes-cbc-essiv",
-            "luks2-aes-xts-plain64",
-            "luks2-multiple-slots-1",
-            "luks2-multiple-slots-2",
-        )
-        and not argon2.HAS_ARGON2
-    ):
-        pytest.skip("Argon2 is not available, skipping")
-
-    with contextlib.contextmanager(open_file_gz)(test_file) as fh:
-        _verify_passphrase_crypto(fh, password, cipher)