borg/attic/crypto.pyx

"""A thin OpenSSL wrapper

This could be replaced by PyCrypto or something similar when the performance
of their PBKDF2 implementation is comparable to the OpenSSL version.
"""
from libc.stdlib cimport malloc, free

API_VERSION = 2

cdef extern from "openssl/rand.h":
    int  RAND_bytes(unsigned char *buf,int num)


cdef extern from "openssl/evp.h":
    ctypedef struct EVP_MD:
        pass
    ctypedef struct EVP_CIPHER:
        pass
    ctypedef struct EVP_CIPHER_CTX:
        unsigned char *iv
        pass
    ctypedef struct ENGINE:
        pass
    const EVP_MD *EVP_sha256()
    const EVP_CIPHER *EVP_aes_256_ctr()
    void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a)
    void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a)

    int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
                           const unsigned char *key, const unsigned char *iv)
    int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
                          int *outl, const unsigned char *in_, int inl)

    int PKCS5_PBKDF2_HMAC(const char *password, int passwordlen,
                          const unsigned char *salt, int saltlen, int iter,
                          const EVP_MD *digest,
                          int keylen, unsigned char *out)

import struct

_int = struct.Struct('>I')
_long = struct.Struct('>Q')

bytes_to_int = lambda x, offset=0: _int.unpack_from(x, offset)[0]
bytes_to_long = lambda x, offset=0: _long.unpack_from(x, offset)[0]
long_to_bytes = lambda x: _long.pack(x)


def num_aes_blocks(length):
    """Return the number of AES blocks required to encrypt/decrypt *length* bytes of data
    """
    return (length + 15) // 16


def pbkdf2_sha256(password, salt, iterations, size):
    """Password based key derivation function 2 (RFC2898)
    """
    cdef unsigned char *key = <unsigned char *>malloc(size)
    if not key:
        raise MemoryError
    try:
        rv = PKCS5_PBKDF2_HMAC(password, len(password), salt, len(salt), iterations, EVP_sha256(), size, key)
        if not rv:
            raise Exception('PKCS5_PBKDF2_HMAC failed')
        return key[:size]
    finally:
        free(key)


def get_random_bytes(n):
    """Return n cryptographically strong pseudo-random bytes
    """
    cdef unsigned char *buf = <unsigned char *>malloc(n)
    if not buf:
        raise MemoryError
    try:
        if RAND_bytes(buf, n) < 1:
            raise Exception('RAND_bytes failed')
        return buf[:n]
    finally:
        free(buf)


cdef class AES:
    """A thin wrapper around the OpenSSL EVP cipher API
    """
    cdef EVP_CIPHER_CTX ctx

    def __cinit__(self, key, iv=None):
        EVP_CIPHER_CTX_init(&self.ctx)
        if not EVP_EncryptInit_ex(&self.ctx, EVP_aes_256_ctr(), NULL, NULL, NULL):
            raise Exception('EVP_EncryptInit_ex failed')
        self.reset(key, iv)

    def __dealloc__(self):
        EVP_CIPHER_CTX_cleanup(&self.ctx)

    def reset(self, key=None, iv=None):
        cdef const unsigned char *key2 = NULL
        cdef const unsigned char *iv2 = NULL
        if key:
            key2 = key
        if iv:
            iv2 = iv
        if not EVP_EncryptInit_ex(&self.ctx, NULL, NULL, key2, iv2):
            raise Exception('EVP_EncryptInit_ex failed')

    @property
    def iv(self):
        return self.ctx.iv[:16]

    def encrypt(self, data):
        cdef int inl = len(data)
        cdef int outl
        cdef unsigned char *out = <unsigned char *>malloc(inl)
        if not out:
            raise MemoryError
        try:
            if not EVP_EncryptUpdate(&self.ctx, out, &outl, data, inl):
                raise Exception('EVP_EncryptUpdate failed')
            return out[:inl]
        finally:
            free(out)
    decrypt = encrypt
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`"""A thin OpenSSL wrapper`

			`This could be replaced by PyCrypto or something similar when the performance`
			`of their PBKDF2 implementation is comparable to the OpenSSL version.`
			`"""`
			`from libc.stdlib cimport malloc, free`

crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`API_VERSION = 2`
Add a method to detect out of date binary extension modules 2014-03-18 21:04:08 +00:00
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`cdef extern from "openssl/rand.h":`
			`int RAND_bytes(unsigned char *buf,int num)`


			`cdef extern from "openssl/evp.h":`
			`ctypedef struct EVP_MD:`
			`pass`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`ctypedef struct EVP_CIPHER:`
			`pass`
			`ctypedef struct EVP_CIPHER_CTX:`
			`unsigned char *iv`
			`pass`
			`ctypedef struct ENGINE:`
			`pass`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`const EVP_MD *EVP_sha256()`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`const EVP_CIPHER *EVP_aes_256_ctr()`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a)`
			`void EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a)`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00
			`int EVP_EncryptInit_ex(EVP_CIPHER_CTX ctx,const EVP_CIPHER cipher, ENGINE *impl,`
			`const unsigned char key, const unsigned char iv)`
			`int EVP_EncryptUpdate(EVP_CIPHER_CTX ctx, unsigned char out,`
			`int outl, const unsigned char in_, int inl)`

crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`int PKCS5_PBKDF2_HMAC(const char *password, int passwordlen,`
			`const unsigned char *salt, int saltlen, int iter,`
			`const EVP_MD *digest,`
			`int keylen, unsigned char *out)`

			`import struct`

			`_int = struct.Struct('>I')`
			`_long = struct.Struct('>Q')`

			`bytes_to_int = lambda x, offset=0: _int.unpack_from(x, offset)[0]`
			`bytes_to_long = lambda x, offset=0: _long.unpack_from(x, offset)[0]`
			`long_to_bytes = lambda x: _long.pack(x)`


			`def num_aes_blocks(length):`
			`"""Return the number of AES blocks required to encrypt/decrypt length bytes of data`
			`"""`
			`return (length + 15) // 16`


			`def pbkdf2_sha256(password, salt, iterations, size):`
			`"""Password based key derivation function 2 (RFC2898)`
			`"""`
			`cdef unsigned char key = <unsigned char >malloc(size)`
			`if not key:`
			`raise MemoryError`
			`try:`
			`rv = PKCS5_PBKDF2_HMAC(password, len(password), salt, len(salt), iterations, EVP_sha256(), size, key)`
			`if not rv:`
			`raise Exception('PKCS5_PBKDF2_HMAC failed')`
			`return key[:size]`
			`finally:`
			`free(key)`


			`def get_random_bytes(n):`
			`"""Return n cryptographically strong pseudo-random bytes`
			`"""`
			`cdef unsigned char buf = <unsigned char >malloc(n)`
			`if not buf:`
			`raise MemoryError`
			`try:`
			`if RAND_bytes(buf, n) < 1:`
			`raise Exception('RAND_bytes failed')`
			`return buf[:n]`
			`finally:`
			`free(buf)`


			`cdef class AES:`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`"""A thin wrapper around the OpenSSL EVP cipher API`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`"""`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`cdef EVP_CIPHER_CTX ctx`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00
			`def __cinit__(self, key, iv=None):`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`EVP_CIPHER_CTX_init(&self.ctx)`
			`if not EVP_EncryptInit_ex(&self.ctx, EVP_aes_256_ctr(), NULL, NULL, NULL):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`raise Exception('EVP_EncryptInit_ex failed')`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`self.reset(key, iv)`

crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`def __dealloc__(self):`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`EVP_CIPHER_CTX_cleanup(&self.ctx)`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`def reset(self, key=None, iv=None):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`cdef const unsigned char *key2 = NULL`
			`cdef const unsigned char *iv2 = NULL`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`if key:`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`key2 = key`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`if iv:`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`iv2 = iv`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`if not EVP_EncryptInit_ex(&self.ctx, NULL, NULL, key2, iv2):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`raise Exception('EVP_EncryptInit_ex failed')`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00
			`@property`
			`def iv(self):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`return self.ctx.iv[:16]`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00
			`def encrypt(self, data):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`cdef int inl = len(data)`
			`cdef int outl`
			`cdef unsigned char out = <unsigned char >malloc(inl)`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`if not out:`
			`raise MemoryError`
			`try:`
crypto: store EVP_CIPHER_CTX on the stack 2014-05-13 21:18:32 +00:00			`if not EVP_EncryptUpdate(&self.ctx, out, &outl, data, inl):`
crypto: Improved AES performance attic.crypto now uses the OpenSSL EVP API for AES encryption. This API uses AES-NI instructions when available resulting in a significant AES encryption performance improvement: Before: 80MiB/s After: 1931MiB/s Message size: 64kiB CPU: Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz 2014-05-13 20:27:57 +00:00			`raise Exception('EVP_EncryptUpdate failed')`
			`return out[:inl]`
crypto: convert attic.crypto into a cython module This will give a slight performance boost and make the openssl detection/linking more robust. 2014-03-10 21:50:38 +00:00			`finally:`
			`free(out)`
			`decrypt = encrypt`