Skip to content

Commit

Permalink
Merge pull request #6593 from ThomasWaldmann/openbsd-openssl
Browse files Browse the repository at this point in the history
openbsd: use openssl, remove libressl support, fixes #6474
  • Loading branch information
ThomasWaldmann authored Apr 14, 2022
2 parents 3ef355a + be9e7d3 commit a1ba1c1
Show file tree
Hide file tree
Showing 8 changed files with 33 additions and 75 deletions.
1 change: 1 addition & 0 deletions Vagrantfile
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ def packages_openbsd
pkg_add lz4
pkg_add zstd
pkg_add git # no fakeroot
pkg_add openssl%1.1
pkg_add py3-pip
pkg_add py3-virtualenv
EOF
Expand Down
2 changes: 1 addition & 1 deletion docs/installation.rst
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,7 @@ following dependencies first:
* `Python 3`_ >= 3.9.0, plus development headers.
* Libraries (library plus development headers):

- OpenSSL_ >= 1.1.1
- OpenSSL_ >= 1.1.1 (LibreSSL will not work)
- libacl_ (which depends on libattr_)
- liblz4_ >= 1.7.0 (r129)
- libzstd_ >= 1.3.0
Expand Down
11 changes: 9 additions & 2 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import setup_docs

is_win32 = sys.platform.startswith('win32')
is_openbsd = sys.platform.startswith('openbsd')

# Number of threads to use for cythonize, not used on windows
cpu_threads = multiprocessing.cpu_count() if multiprocessing and multiprocessing.get_start_method() != 'spawn' else None
Expand All @@ -48,7 +49,6 @@

compress_source = 'src/borg/compress.pyx'
crypto_ll_source = 'src/borg/crypto/low_level.pyx'
crypto_helpers = 'src/borg/crypto/_crypto_helpers.c'
chunker_source = 'src/borg/chunker.pyx'
hashindex_source = 'src/borg/hashindex.pyx'
item_source = 'src/borg/item.pyx'
Expand Down Expand Up @@ -156,17 +156,24 @@ def lib_ext_kwargs(pc, prefix_env_var, lib_name, lib_pkg_name, pc_version, lib_s
f"or ensure {lib_pkg_name}.pc is in PKG_CONFIG_PATH."
)

crypto_ldflags = []
if is_win32:
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'libcrypto', 'libcrypto', '>=1.1.1', lib_subdir='')
elif is_openbsd:
# use openssl (not libressl) because we need AES-OCB and CHACHA20-POLY1305 via EVP api
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'crypto', 'libecrypto11', '>=1.1.1')
crypto_ldflags += ['-Wl,-rpath=/usr/local/lib/eopenssl11']
else:
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'crypto', 'libcrypto', '>=1.1.1')

crypto_ext_kwargs = members_appended(
dict(sources=[crypto_ll_source, crypto_helpers]),
dict(sources=[crypto_ll_source]),
crypto_ext_lib,
dict(extra_compile_args=cflags),
dict(extra_link_args=crypto_ldflags),
)

compress_ext_kwargs = members_appended(
Expand Down
12 changes: 4 additions & 8 deletions src/borg/archiver.py
Original file line number Diff line number Diff line change
Expand Up @@ -602,7 +602,6 @@ def chunkit(chunker_name, *args, **kwargs):

from borg.crypto.low_level import AES256_CTR_BLAKE2b, AES256_CTR_HMAC_SHA256
from borg.crypto.low_level import AES256_OCB, CHACHA20_POLY1305
from borg.crypto.low_level import is_libressl
print("Encryption =====================================================")
size = "1GB"

Expand All @@ -611,14 +610,11 @@ def chunkit(chunker_name, *args, **kwargs):
key_256, key_256, iv=key_128, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("aes-256-ctr-blake2b", lambda: AES256_CTR_BLAKE2b(
key_256*4, key_256, iv=key_128, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("aes-256-ocb", lambda: AES256_OCB(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("chacha20-poly1305", lambda: CHACHA20_POLY1305(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
]
if not is_libressl:
tests.extend([
("aes-256-ocb", lambda: AES256_OCB(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("chacha20-poly1305", lambda: CHACHA20_POLY1305(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
])
for spec, func in tests:
print(f"{spec:<24} {size:<10} {timeit(func, number=100):.3f}s")

Expand Down
14 changes: 0 additions & 14 deletions src/borg/crypto/_crypto_helpers.c

This file was deleted.

13 changes: 0 additions & 13 deletions src/borg/crypto/_crypto_helpers.h

This file was deleted.

18 changes: 4 additions & 14 deletions src/borg/crypto/low_level.pyx
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,8 @@ API_VERSION = '1.3_01'
cdef extern from "openssl/crypto.h":
int CRYPTO_memcmp(const void *a, const void *b, size_t len)

cdef extern from "openssl/opensslv.h":
long OPENSSL_VERSION_NUMBER

cdef extern from "openssl/evp.h":
ctypedef struct EVP_MD:
Expand Down Expand Up @@ -92,16 +94,6 @@ cdef extern from "openssl/hmac.h":
const unsigned char *data, int data_len,
unsigned char *md, unsigned int *md_len) nogil

cdef extern from "_crypto_helpers.h":
long OPENSSL_VERSION_NUMBER
long LIBRESSL_VERSION_NUMBER

const EVP_CIPHER *EVP_aes_256_ocb() # dummy
const EVP_CIPHER *EVP_chacha20_poly1305() # dummy


is_libressl = bool(LIBRESSL_VERSION_NUMBER)


import struct

Expand Down Expand Up @@ -600,8 +592,7 @@ cdef class _AEAD_BASE:
cdef class AES256_OCB(_AEAD_BASE):
@classmethod
def requirements_check(cls):
if is_libressl:
raise ValueError('AES OCB is not implemented by LibreSSL (yet?).')
pass

def __init__(self, key, iv=None, header_len=0, aad_offset=0):
self.requirements_check()
Expand All @@ -613,8 +604,7 @@ cdef class AES256_OCB(_AEAD_BASE):
cdef class CHACHA20_POLY1305(_AEAD_BASE):
@classmethod
def requirements_check(cls):
if is_libressl:
raise ValueError('CHACHA20-POLY1305 is not implemented by LibreSSL (yet?).')
pass

def __init__(self, key, iv=None, header_len=0, aad_offset=0):
self.requirements_check()
Expand Down
37 changes: 14 additions & 23 deletions src/borg/testsuite/crypto.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@
import unittest


from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
IntegrityError, is_libressl
from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, IntegrityError
from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
from ..crypto.low_level import hkdf_hmac_sha512
from ..crypto.low_level import AES, hmac_sha256
Expand Down Expand Up @@ -103,16 +102,13 @@ def test_AE(self):
header = b'\x23' + iv_int.to_bytes(12, 'big')
tests = [
# (ciphersuite class, exp_mac, exp_cdata)
(AES256_OCB,
b'b6909c23c9aaebd9abbe1ff42097652d',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'fd08594796e0706cde1e8b461e3e0555',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
if not is_libressl:
tests += [
(AES256_OCB,
b'b6909c23c9aaebd9abbe1ff42097652d',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'fd08594796e0706cde1e8b461e3e0555',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
for cs_cls, exp_mac, exp_cdata in tests:
# print(repr(cs_cls))
# encrypt/mac
Expand Down Expand Up @@ -146,16 +142,13 @@ def test_AEAD(self):
header = b'\x12\x34\x56' + iv_int.to_bytes(12, 'big')
tests = [
# (ciphersuite class, exp_mac, exp_cdata)
(AES256_OCB,
b'f2748c412af1c7ead81863a18c2c1893',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'b7e7c9a79f2404e14f9aad156bf091dd',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
if not is_libressl:
tests += [
(AES256_OCB,
b'f2748c412af1c7ead81863a18c2c1893',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'b7e7c9a79f2404e14f9aad156bf091dd',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
for cs_cls, exp_mac, exp_cdata in tests:
# print(repr(cs_cls))
# encrypt/mac
Expand Down Expand Up @@ -187,9 +180,7 @@ def test_AEAD_with_more_AAD(self):
iv_int = 0
data = b'foo' * 10
header = b'\x12\x34'
tests = []
if not is_libressl:
tests += [AES256_OCB, CHACHA20_POLY1305]
tests = [AES256_OCB, CHACHA20_POLY1305]
for cs_cls in tests:
# encrypt/mac
cs = cs_cls(key, iv_int, header_len=len(header), aad_offset=0)
Expand Down

0 comments on commit a1ba1c1

Please sign in to comment.