mirror of
https://github.com/borgbackup/borg.git
synced 2025-03-04 10:39:50 +00:00
crypto: remove support for: OpenSSL < 1.1.1, LibreSSL < 2.7.0
All of these have long been unsupported. Newer versions of LibreSSL have gained chacha20-poly1305 support, but still lack aes256-ocb support. They also have the HMAC_CTX_new/free API now. docs: OpenSSL >= 1.1.1 is required now; anything older is out of support anyway.
parent
428efa221d
commit
d1d3d1dfa4
5 changed files with 20 additions and 64 deletions
|
@ -160,7 +160,7 @@ To install Borg from a source package (including pip), you have to install the
|
||||||
following dependencies first:
|
following dependencies first:
|
||||||
|
|
||||||
* `Python 3`_ >= 3.8.0, plus development headers.
|
* `Python 3`_ >= 3.8.0, plus development headers.
|
||||||
* OpenSSL_ >= 1.0.0, plus development headers.
|
* OpenSSL_ >= 1.1.1, plus development headers.
|
||||||
* libacl_ (which depends on libattr_), both plus development headers.
|
* libacl_ (which depends on libattr_), both plus development headers.
|
||||||
* We have bundled code of the following packages, but borg by default (see
|
* We have bundled code of the following packages, but borg by default (see
|
||||||
setup.py if you want to change that) prefers a shared library if it can
|
setup.py if you want to change that) prefers a shared library if it can
|
||||||
|
|
|
@ -1,36 +1,10 @@
|
||||||
/* some helpers, so our code also works with OpenSSL 1.0.x */
|
/* some helpers, so our code also works with LibreSSL */
|
||||||
|
|
||||||
#include <string.h>
|
|
||||||
#include <openssl/opensslv.h>
|
#include <openssl/opensslv.h>
|
||||||
#include <openssl/hmac.h>
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
HMAC_CTX *HMAC_CTX_new(void)
|
|
||||||
{
|
|
||||||
HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
|
|
||||||
if (ctx != NULL) {
|
|
||||||
memset(ctx, 0, sizeof *ctx);
|
|
||||||
HMAC_CTX_cleanup(ctx);
|
|
||||||
}
|
|
||||||
return ctx;
|
|
||||||
}
|
|
||||||
|
|
||||||
void HMAC_CTX_free(HMAC_CTX *ctx)
|
|
||||||
{
|
|
||||||
if (ctx != NULL) {
|
|
||||||
HMAC_CTX_cleanup(ctx);
|
|
||||||
OPENSSL_free(ctx);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
const EVP_CIPHER *EVP_aes_256_ocb(void){ /* dummy, so that code compiles */
|
const EVP_CIPHER *EVP_aes_256_ocb(void){ /* dummy, so that code compiles */
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
const EVP_CIPHER *EVP_chacha20_poly1305(void){ /* dummy, so that code compiles */
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
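Review bot: The surviving guard `#if defined(LIBRESSL_VERSION_NUMBER)` is fragile, because the companion header (presumably `_crypto_helpers.h`) defines `LIBRESSL_VERSION_NUMBER` to 0 when the library does not define it. The includes visible here do not pull that header in, so the test works today. If it is ever included above this line, the dummy `EVP_aes_256_ocb` would also be compiled against real OpenSSL and could clash with or shadow the library's cipher. Testing the value as well, `#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER != 0`, removes that dependency on include order. The stub's comment could also say that it returns NULL and that callers are expected to raise in `requirements_check` before the cipher is used.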
@ -1,21 +1,12 @@
|
||||||
/* some helpers, so our code also works with OpenSSL 1.0.x */
|
/* some helpers, so our code also works with LibreSSL */
|
||||||
|
|
||||||
#include <openssl/opensslv.h>
|
#include <openssl/opensslv.h>
|
||||||
#include <openssl/hmac.h>
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
HMAC_CTX *HMAC_CTX_new(void);
|
|
||||||
void HMAC_CTX_free(HMAC_CTX *ctx);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
||||||
const EVP_CIPHER *EVP_aes_256_ocb(void); /* dummy, so that code compiles */
|
const EVP_CIPHER *EVP_aes_256_ocb(void); /* dummy, so that code compiles */
|
||||||
const EVP_CIPHER *EVP_chacha20_poly1305(void); /* dummy, so that code compiles */
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
#if !defined(LIBRESSL_VERSION_NUMBER)
|
#if !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
#define LIBRESSL_VERSION_NUMBER 0
|
#define LIBRESSL_VERSION_NUMBER 0
|
||||||
#endif
|
#endif
|
||||||
|
|
|
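Review bot: Nothing in the new header rejects a build against a library older than the stated floor. The `OPENSSL_VERSION_NUMBER < 0x10100000L` branches are removed without a replacement check, so an old OpenSSL or LibreSSL would presumably fail later with missing-symbol errors instead of a clear message. A guard placed before the `#define LIBRESSL_VERSION_NUMBER 0` fallback would make the requirement explicit: `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10101000L`, `#error "OpenSSL >= 1.1.1 is required"`, `#endif`. The LibreSSL floor could be enforced the same way by comparing `LIBRESSL_VERSION_NUMBER` with `0x2070000fL` inside the `#if defined(LIBRESSL_VERSION_NUMBER)` block.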
@ -109,17 +109,10 @@ cdef extern from "_crypto_helpers.h":
|
||||||
long OPENSSL_VERSION_NUMBER
|
long OPENSSL_VERSION_NUMBER
|
||||||
long LIBRESSL_VERSION_NUMBER
|
long LIBRESSL_VERSION_NUMBER
|
||||||
|
|
||||||
ctypedef struct HMAC_CTX:
|
|
||||||
pass
|
|
||||||
|
|
||||||
HMAC_CTX *HMAC_CTX_new()
|
|
||||||
void HMAC_CTX_free(HMAC_CTX *a)
|
|
||||||
|
|
||||||
const EVP_CIPHER *EVP_aes_256_ocb() # dummy
|
const EVP_CIPHER *EVP_aes_256_ocb() # dummy
|
||||||
const EVP_CIPHER *EVP_chacha20_poly1305() # dummy
|
|
||||||
|
|
||||||
|
|
||||||
openssl10 = OPENSSL_VERSION_NUMBER < 0x10100000 or LIBRESSL_VERSION_NUMBER
|
is_libressl = bool(LIBRESSL_VERSION_NUMBER)
|
||||||
|
|
||||||
|
|
||||||
import struct
|
import struct
|
||||||
|
@ -217,8 +210,7 @@ cdef class AES256_CTR_BASE:
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def requirements_check(cls):
|
def requirements_check(cls):
|
||||||
if OPENSSL_VERSION_NUMBER < 0x10000000:
|
pass
|
||||||
raise ValueError('AES CTR requires OpenSSL >= 1.0.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
|
|
||||||
|
|
||||||
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
||||||
self.requirements_check()
|
self.requirements_check()
|
||||||
|
@ -654,8 +646,8 @@ cdef class _CHACHA_BASE(_AEAD_BASE):
|
||||||
cdef class AES256_OCB(_AES_BASE):
|
cdef class AES256_OCB(_AES_BASE):
|
||||||
@classmethod
|
@classmethod
|
||||||
def requirements_check(cls):
|
def requirements_check(cls):
|
||||||
if openssl10:
|
if is_libressl:
|
||||||
raise ValueError('AES OCB requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
|
raise ValueError('AES OCB is not implemented by LibreSSL (yet?).')
|
||||||
|
|
||||||
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
||||||
self.requirements_check()
|
self.requirements_check()
|
||||||
|
@ -666,8 +658,7 @@ cdef class AES256_OCB(_AES_BASE):
|
||||||
cdef class CHACHA20_POLY1305(_CHACHA_BASE):
|
cdef class CHACHA20_POLY1305(_CHACHA_BASE):
|
||||||
@classmethod
|
@classmethod
|
||||||
def requirements_check(cls):
|
def requirements_check(cls):
|
||||||
if openssl10:
|
pass
|
||||||
raise ValueError('CHACHA20-POLY1305 requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
|
|
||||||
|
|
||||||
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
|
||||||
self.requirements_check()
|
self.requirements_check()
|
||||||
|
|
|
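Review bot: The `requirements_check` methods of `AES256_CTR_BASE` and `CHACHA20_POLY1305` are reduced to a bare `pass` with no explanation, and the old version test is dropped rather than raised to the new 1.1.1 floor. If the methods stay as hooks, give each a one-line docstring such as `"""Nothing to check: every supported OpenSSL / LibreSSL build provides this cipher."""`. For ChaCha20-Poly1305 that statement holds only if every LibreSSL release from 2.7.0 on exports `EVP_chacha20_poly1305`. The commit message says only that "newer versions" have it, so the effective LibreSSL floor is worth confirming and documenting. The `AES256_OCB` message also no longer reports the detected library version, which made bug reports easier to triage. The class bodies continue outside these hunks.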
@ -1,7 +1,7 @@
|
||||||
from binascii import hexlify, unhexlify
|
from binascii import hexlify, unhexlify
|
||||||
|
|
||||||
from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
|
from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
|
||||||
IntegrityError, blake2b_128, blake2b_256, hmac_sha256, openssl10
|
IntegrityError, blake2b_128, blake2b_256, hmac_sha256, is_libressl
|
||||||
from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
|
from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
|
||||||
from ..crypto.low_level import hkdf_hmac_sha512
|
from ..crypto.low_level import hkdf_hmac_sha512
|
||||||
|
|
||||||
|
@ -98,15 +98,15 @@ class CryptoTestCase(BaseTestCase):
|
||||||
header = b'\x23'
|
header = b'\x23'
|
||||||
tests = [
|
tests = [
|
||||||
# (ciphersuite class, exp_mac, exp_cdata)
|
# (ciphersuite class, exp_mac, exp_cdata)
|
||||||
|
(CHACHA20_POLY1305,
|
||||||
|
b'fd08594796e0706cde1e8b461e3e0555',
|
||||||
|
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
|
||||||
]
|
]
|
||||||
if not openssl10:
|
if not is_libressl:
|
||||||
tests += [
|
tests += [
|
||||||
(AES256_OCB,
|
(AES256_OCB,
|
||||||
b'b6909c23c9aaebd9abbe1ff42097652d',
|
b'b6909c23c9aaebd9abbe1ff42097652d',
|
||||||
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
|
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
|
||||||
(CHACHA20_POLY1305,
|
|
||||||
b'fd08594796e0706cde1e8b461e3e0555',
|
|
||||||
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
|
|
||||||
]
|
]
|
||||||
for cs_cls, exp_mac, exp_cdata in tests:
|
for cs_cls, exp_mac, exp_cdata in tests:
|
||||||
# print(repr(cs_cls))
|
# print(repr(cs_cls))
|
||||||
|
@ -142,15 +142,15 @@ class CryptoTestCase(BaseTestCase):
|
||||||
header = b'\x12\x34\x56'
|
header = b'\x12\x34\x56'
|
||||||
tests = [
|
tests = [
|
||||||
# (ciphersuite class, exp_mac, exp_cdata)
|
# (ciphersuite class, exp_mac, exp_cdata)
|
||||||
|
(CHACHA20_POLY1305,
|
||||||
|
b'b7e7c9a79f2404e14f9aad156bf091dd',
|
||||||
|
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
|
||||||
]
|
]
|
||||||
if not openssl10:
|
if not is_libressl:
|
||||||
tests += [
|
tests += [
|
||||||
(AES256_OCB,
|
(AES256_OCB,
|
||||||
b'f2748c412af1c7ead81863a18c2c1893',
|
b'f2748c412af1c7ead81863a18c2c1893',
|
||||||
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
|
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
|
||||||
(CHACHA20_POLY1305,
|
|
||||||
b'b7e7c9a79f2404e14f9aad156bf091dd',
|
|
||||||
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
|
|
||||||
]
|
]
|
||||||
for cs_cls, exp_mac, exp_cdata in tests:
|
for cs_cls, exp_mac, exp_cdata in tests:
|
||||||
# print(repr(cs_cls))
|
# print(repr(cs_cls))
|
||||||
|
|
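Review bot: On LibreSSL the `AES256_OCB` vector is dropped silently by `if not is_libressl:`, here and in the second test further down. Nothing then verifies that the class actually refuses to run when only the NULL-returning dummy cipher is available. An `else:` branch could assert the refusal, e.g. `self.assertRaises(ValueError, AES256_OCB.requirements_check)`, assuming `BaseTestCase` derives from `unittest.TestCase`. At minimum, add a comment such as `# LibreSSL has no AES-OCB; AES256_OCB raises ValueError there` above the condition. Both test methods start and end outside the visible hunks.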