mirror of https://github.com/borgbackup/borg.git
crypto: use OpenSSL 1.1 HMAC API
This breaks it on OpenSSL 1.0.x as there is no HMAC_CTX_new/free() yet. OTOH, this change is consistent with the previous change done for EVP_CIPHER_CTX (which works on 1.0 and 1.1).
This commit is contained in:
parent
67567fc432
commit
ee604ab390
|
@ -111,6 +111,9 @@ cdef extern from "openssl/hmac.h":
|
|||
void HMAC_CTX_init(HMAC_CTX *ctx)
|
||||
void HMAC_CTX_cleanup(HMAC_CTX *ctx)
|
||||
|
||||
HMAC_CTX *HMAC_CTX_new()
|
||||
void HMAC_CTX_free(HMAC_CTX *a)
|
||||
|
||||
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md, ENGINE *impl)
|
||||
int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len)
|
||||
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
|
||||
|
@ -183,7 +186,7 @@ cdef class AES256_CTR_HMAC_SHA256:
|
|||
# Layout: HEADER + HMAC 32 + IV 8 + CT (same as attic / borg < 1.2 IF HEADER = TYPE_BYTE, no AAD)
|
||||
|
||||
cdef EVP_CIPHER_CTX *ctx
|
||||
cdef HMAC_CTX hmac_ctx
|
||||
cdef HMAC_CTX *hmac_ctx
|
||||
cdef unsigned char *mac_key
|
||||
cdef unsigned char *enc_key
|
||||
cdef unsigned char iv[16]
|
||||
|
@ -200,11 +203,11 @@ cdef class AES256_CTR_HMAC_SHA256:
|
|||
|
||||
def __cinit__(self, mac_key, enc_key, iv=None):
|
||||
self.ctx = EVP_CIPHER_CTX_new()
|
||||
HMAC_CTX_init(&self.hmac_ctx) # XXX
|
||||
self.hmac_ctx = HMAC_CTX_new()
|
||||
|
||||
def __dealloc__(self):
|
||||
EVP_CIPHER_CTX_free(self.ctx)
|
||||
HMAC_CTX_cleanup(&self.hmac_ctx) # XXX
|
||||
HMAC_CTX_free(self.hmac_ctx)
|
||||
|
||||
def encrypt(self, data, header=b'', aad_offset=0):
|
||||
"""
|
||||
|
@ -241,13 +244,13 @@ cdef class AES256_CTR_HMAC_SHA256:
|
|||
if not rc:
|
||||
raise CryptoError('EVP_EncryptFinal_ex failed')
|
||||
offset += olen
|
||||
if not HMAC_Init_ex(&self.hmac_ctx, self.mac_key, 32, EVP_sha256(), NULL):
|
||||
if not HMAC_Init_ex(self.hmac_ctx, self.mac_key, 32, EVP_sha256(), NULL):
|
||||
raise CryptoError('HMAC_Init_ex failed')
|
||||
if not HMAC_Update(&self.hmac_ctx, <const unsigned char *> hdata.buf+aoffset, alen):
|
||||
if not HMAC_Update(self.hmac_ctx, <const unsigned char *> hdata.buf+aoffset, alen):
|
||||
raise CryptoError('HMAC_Update failed')
|
||||
if not HMAC_Update(&self.hmac_ctx, odata+hlen+32, offset-hlen-32):
|
||||
if not HMAC_Update(self.hmac_ctx, odata+hlen+32, offset-hlen-32):
|
||||
raise CryptoError('HMAC_Update failed')
|
||||
if not HMAC_Final(&self.hmac_ctx, odata+hlen, NULL):
|
||||
if not HMAC_Final(self.hmac_ctx, odata+hlen, NULL):
|
||||
raise CryptoError('HMAC_Final failed')
|
||||
self.blocks += num_aes_blocks(ilen)
|
||||
return odata[:offset]
|
||||
|
@ -272,13 +275,13 @@ cdef class AES256_CTR_HMAC_SHA256:
|
|||
cdef unsigned char hmac_buf[32]
|
||||
cdef Py_buffer idata = ro_buffer(envelope)
|
||||
try:
|
||||
if not HMAC_Init_ex(&self.hmac_ctx, self.mac_key, 32, EVP_sha256(), NULL):
|
||||
if not HMAC_Init_ex(self.hmac_ctx, self.mac_key, 32, EVP_sha256(), NULL):
|
||||
raise CryptoError('HMAC_Init_ex failed')
|
||||
if not HMAC_Update(&self.hmac_ctx, <const unsigned char *> idata.buf+aoffset, alen):
|
||||
if not HMAC_Update(self.hmac_ctx, <const unsigned char *> idata.buf+aoffset, alen):
|
||||
raise CryptoError('HMAC_Update failed')
|
||||
if not HMAC_Update(&self.hmac_ctx, <const unsigned char *> idata.buf+hlen+32, ilen-hlen-32):
|
||||
if not HMAC_Update(self.hmac_ctx, <const unsigned char *> idata.buf+hlen+32, ilen-hlen-32):
|
||||
raise CryptoError('HMAC_Update failed')
|
||||
if not HMAC_Final(&self.hmac_ctx, hmac_buf, NULL):
|
||||
if not HMAC_Final(self.hmac_ctx, hmac_buf, NULL):
|
||||
raise CryptoError('HMAC_Final failed')
|
||||
if CRYPTO_memcmp(hmac_buf, idata.buf+hlen, 32):
|
||||
raise IntegrityError('HMAC Authentication failed')
|
||||
|
|
Loading…
Reference in New Issue