crypto: remove support for: OpenSSL < 1.1.1, LibreSSL < 2.7.0

All these are unsupported since long. Newer versions of LibreSSL have gained chacha20-poly1305 support, but still lack aes256-ocb support. Also they have the HMAC_CTX_new/free api now. docs: openssl >= 1.1.1 is required now anything older is out of support anyway.
2022-02-22 22:00:22 +01:00 · 2022-02-22 22:00:22 +01:00 · d1d3d1dfa4
parent 428efa221d
commit d1d3d1dfa4
5 changed files with 20 additions and 64 deletions
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -160,7 +160,7 @@ To install Borg from a source package (including pip), you have to install the
 following dependencies first:

 * `Python 3`_ >= 3.8.0, plus development headers.
-* OpenSSL_ >= 1.0.0, plus development headers.
+* OpenSSL_ >= 1.1.1, plus development headers.
 * libacl_ (which depends on libattr_), both plus development headers.
 * We have bundled code of the following packages, but borg by default (see
  setup.py if you want to change that) prefers a shared library if it can
--- a/src/borg/crypto/_crypto_helpers.c
+++ b/src/borg/crypto/_crypto_helpers.c
@ -1,36 +1,10 @@
-/* some helpers, so our code also works with OpenSSL 1.0.x */
+/* some helpers, so our code also works with LibreSSL */

-#include <string.h>
 #include <openssl/opensslv.h>
-#include <openssl/hmac.h>
+#include <openssl/evp.h>

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
-HMAC_CTX *HMAC_CTX_new(void)
-{
-    HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-    if (ctx != NULL) {
-        memset(ctx, 0, sizeof *ctx);
-        HMAC_CTX_cleanup(ctx);
-    }
-    return ctx;
-}
-
-void HMAC_CTX_free(HMAC_CTX *ctx)
-{
-    if (ctx != NULL) {
-        HMAC_CTX_cleanup(ctx);
-        OPENSSL_free(ctx);
-    }
-}
-#endif
-
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 const EVP_CIPHER *EVP_aes_256_ocb(void){  /* dummy, so that code compiles */
    return NULL;
 }
-
-const EVP_CIPHER *EVP_chacha20_poly1305(void){  /* dummy, so that code compiles */
-    return NULL;
-}
 #endif
--- a/src/borg/crypto/_crypto_helpers.h
+++ b/src/borg/crypto/_crypto_helpers.h
@ -1,21 +1,12 @@
-/* some helpers, so our code also works with OpenSSL 1.0.x */
+/* some helpers, so our code also works with LibreSSL */

 #include <openssl/opensslv.h>
-#include <openssl/hmac.h>
 #include <openssl/evp.h>

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
-HMAC_CTX *HMAC_CTX_new(void);
-void HMAC_CTX_free(HMAC_CTX *ctx);
-#endif
-
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 const EVP_CIPHER *EVP_aes_256_ocb(void);  /* dummy, so that code compiles */
-const EVP_CIPHER *EVP_chacha20_poly1305(void);  /* dummy, so that code compiles */
 #endif

-
 #if !defined(LIBRESSL_VERSION_NUMBER)
 #define LIBRESSL_VERSION_NUMBER 0
 #endif
--- a/src/borg/crypto/low_level.pyx
+++ b/src/borg/crypto/low_level.pyx
@ -109,17 +109,10 @@ cdef extern from "_crypto_helpers.h":
    long OPENSSL_VERSION_NUMBER
    long LIBRESSL_VERSION_NUMBER

-    ctypedef struct HMAC_CTX:
-        pass
-
-    HMAC_CTX *HMAC_CTX_new()
-    void HMAC_CTX_free(HMAC_CTX *a)
-
    const EVP_CIPHER *EVP_aes_256_ocb()  # dummy
-    const EVP_CIPHER *EVP_chacha20_poly1305()  # dummy


-openssl10 = OPENSSL_VERSION_NUMBER < 0x10100000 or LIBRESSL_VERSION_NUMBER
+is_libressl = bool(LIBRESSL_VERSION_NUMBER)


 import struct
@ -217,8 +210,7 @@ cdef class AES256_CTR_BASE:

    @classmethod
    def requirements_check(cls):
-        if OPENSSL_VERSION_NUMBER < 0x10000000:
-            raise ValueError('AES CTR requires OpenSSL >= 1.0.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        pass

    def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
        self.requirements_check()
@ -654,8 +646,8 @@ cdef class _CHACHA_BASE(_AEAD_BASE):
 cdef class AES256_OCB(_AES_BASE):
    @classmethod
    def requirements_check(cls):
-        if openssl10:
-            raise ValueError('AES OCB requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        if is_libressl:
+            raise ValueError('AES OCB is not implemented by LibreSSL (yet?).')

    def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
        self.requirements_check()
@ -666,8 +658,7 @@ cdef class AES256_OCB(_AES_BASE):
 cdef class CHACHA20_POLY1305(_CHACHA_BASE):
    @classmethod
    def requirements_check(cls):
-        if openssl10:
-            raise ValueError('CHACHA20-POLY1305 requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        pass

    def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
        self.requirements_check()
--- a/src/borg/testsuite/crypto.py
+++ b/src/borg/testsuite/crypto.py
@ -1,7 +1,7 @@
 from binascii import hexlify, unhexlify

 from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
-                               IntegrityError, blake2b_128, blake2b_256, hmac_sha256, openssl10
+                               IntegrityError, blake2b_128, blake2b_256, hmac_sha256, is_libressl
 from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
 from ..crypto.low_level import hkdf_hmac_sha512

@ -98,15 +98,15 @@ class CryptoTestCase(BaseTestCase):
        header = b'\x23'
        tests = [
            # (ciphersuite class, exp_mac, exp_cdata)
+            (CHACHA20_POLY1305,
+             b'fd08594796e0706cde1e8b461e3e0555',
+             b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
        ]
-        if not openssl10:
+        if not is_libressl:
            tests += [
                (AES256_OCB,
                 b'b6909c23c9aaebd9abbe1ff42097652d',
                 b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
-                (CHACHA20_POLY1305,
-                 b'fd08594796e0706cde1e8b461e3e0555',
-                 b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
            ]
        for cs_cls, exp_mac, exp_cdata in tests:
            # print(repr(cs_cls))
@ -142,15 +142,15 @@ class CryptoTestCase(BaseTestCase):
        header = b'\x12\x34\x56'
        tests = [
            # (ciphersuite class, exp_mac, exp_cdata)
+            (CHACHA20_POLY1305,
+             b'b7e7c9a79f2404e14f9aad156bf091dd',
+             b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
        ]
-        if not openssl10:
+        if not is_libressl:
            tests += [
                (AES256_OCB,
                 b'f2748c412af1c7ead81863a18c2c1893',
                 b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
-                (CHACHA20_POLY1305,
-                 b'b7e7c9a79f2404e14f9aad156bf091dd',
-                 b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
            ]
        for cs_cls, exp_mac, exp_cdata in tests:
            # print(repr(cs_cls))