openbsd: use openssl, remove libressl support, fixes #6474 #6593

Merged
merged 2 commits into from
Apr 14, 2022
1 change: 1 addition & 0 deletions Vagrantfile
@@ -78,6 +78,7 @@ def packages_openbsd
pkg_add lz4
pkg_add zstd
pkg_add git # no fakeroot
pkg_add openssl%1.1
pkg_add py3-pip
pkg_add py3-virtualenv
EOF
2 changes: 1 addition & 1 deletion docs/installation.rst
@@ -162,7 +162,7 @@ following dependencies first:
* `Python 3`_ >= 3.9.0, plus development headers.
* Libraries (library plus development headers):

- OpenSSL_ >= 1.1.1
- OpenSSL_ >= 1.1.1 (LibreSSL will not work)
- libacl_ (which depends on libattr_)
- liblz4_ >= 1.7.0 (r129)
- libzstd_ >= 1.3.0
11 changes: 9 additions & 2 deletions setup.py
@@ -23,6 +23,7 @@
import setup_docs

is_win32 = sys.platform.startswith('win32')
is_openbsd = sys.platform.startswith('openbsd')

# Number of threads to use for cythonize, not used on windows
cpu_threads = multiprocessing.cpu_count() if multiprocessing and multiprocessing.get_start_method() != 'spawn' else None
@@ -48,7 +49,6 @@

compress_source = 'src/borg/compress.pyx'
crypto_ll_source = 'src/borg/crypto/low_level.pyx'
crypto_helpers = 'src/borg/crypto/_crypto_helpers.c'
chunker_source = 'src/borg/chunker.pyx'
hashindex_source = 'src/borg/hashindex.pyx'
item_source = 'src/borg/item.pyx'
@@ -156,17 +156,24 @@ def lib_ext_kwargs(pc, prefix_env_var, lib_name, lib_pkg_name, pc_version, lib_s
f"or ensure {lib_pkg_name}.pc is in PKG_CONFIG_PATH."
)

crypto_ldflags = []
if is_win32:
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'libcrypto', 'libcrypto', '>=1.1.1', lib_subdir='')
elif is_openbsd:
# use openssl (not libressl) because we need AES-OCB and CHACHA20-POLY1305 via EVP api
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'crypto', 'libecrypto11', '>=1.1.1')
crypto_ldflags += ['-Wl,-rpath=/usr/local/lib/eopenssl11']
else:
crypto_ext_lib = lib_ext_kwargs(
pc, 'BORG_OPENSSL_PREFIX', 'crypto', 'libcrypto', '>=1.1.1')

crypto_ext_kwargs = members_appended(
dict(sources=[crypto_ll_source, crypto_helpers]),
dict(sources=[crypto_ll_source]),
crypto_ext_lib,
dict(extra_compile_args=cflags),
dict(extra_link_args=crypto_ldflags),
)

compress_ext_kwargs = members_appended(
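Review bot: The OpenBSD branch hard-codes `-Wl,-rpath=/usr/local/lib/eopenssl11` although the library itself is located through `lib_ext_kwargs` and `BORG_OPENSSL_PREFIX`, so a build pointed at another prefix would link against one libcrypto and search a different directory at run time. The run-time search path decides which crypto library the extension actually loads, so it is worth deriving it from what was found, for example `crypto_ldflags += [f'-Wl,-rpath={d}' for d in crypto_ext_lib.get('library_dirs', [])] or ['-Wl,-rpath=/usr/local/lib/eopenssl11']`. That assumes `crypto_ext_lib` is a dict carrying `library_dirs`; the body of `lib_ext_kwargs` is outside this hunk, so please confirm. A comment noting that the fixed path is presumably where the `openssl%1.1` package from the Vagrantfile installs its libraries, and that the two must be bumped together, would also help.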
12 changes: 4 additions & 8 deletions src/borg/archiver.py
@@ -602,7 +602,6 @@ def chunkit(chunker_name, *args, **kwargs):

from borg.crypto.low_level import AES256_CTR_BLAKE2b, AES256_CTR_HMAC_SHA256
from borg.crypto.low_level import AES256_OCB, CHACHA20_POLY1305
from borg.crypto.low_level import is_libressl
print("Encryption =====================================================")
size = "1GB"

@@ -611,14 +610,11 @@ def chunkit(chunker_name, *args, **kwargs):
key_256, key_256, iv=key_128, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("aes-256-ctr-blake2b", lambda: AES256_CTR_BLAKE2b(
key_256*4, key_256, iv=key_128, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("aes-256-ocb", lambda: AES256_OCB(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("chacha20-poly1305", lambda: CHACHA20_POLY1305(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
]
if not is_libressl:
tests.extend([
("aes-256-ocb", lambda: AES256_OCB(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
("chacha20-poly1305", lambda: CHACHA20_POLY1305(
key_256, iv=key_96, header_len=1, aad_offset=1).encrypt(random_10M, header=b'X')),
])
for spec, func in tests:
print(f"{spec:<24} {size:<10} {timeit(func, number=100):.3f}s")

14 changes: 0 additions & 14 deletions src/borg/crypto/_crypto_helpers.c

This file was deleted.

13 changes: 0 additions & 13 deletions src/borg/crypto/_crypto_helpers.h

This file was deleted.

18 changes: 4 additions & 14 deletions src/borg/crypto/low_level.pyx
@@ -47,6 +47,8 @@ API_VERSION = '1.3_01'
cdef extern from "openssl/crypto.h":
int CRYPTO_memcmp(const void *a, const void *b, size_t len)

cdef extern from "openssl/opensslv.h":
long OPENSSL_VERSION_NUMBER
ThomasWaldmann marked this conversation as resolved.

cdef extern from "openssl/evp.h":
ctypedef struct EVP_MD:
@@ -92,16 +94,6 @@ cdef extern from "openssl/hmac.h":
const unsigned char *data, int data_len,
unsigned char *md, unsigned int *md_len) nogil

cdef extern from "_crypto_helpers.h":
long OPENSSL_VERSION_NUMBER
long LIBRESSL_VERSION_NUMBER

const EVP_CIPHER *EVP_aes_256_ocb() # dummy
const EVP_CIPHER *EVP_chacha20_poly1305() # dummy


is_libressl = bool(LIBRESSL_VERSION_NUMBER)


import struct

@@ -600,8 +592,7 @@ cdef class _AEAD_BASE:
cdef class AES256_OCB(_AEAD_BASE):
@classmethod
def requirements_check(cls):
if is_libressl:
raise ValueError('AES OCB is not implemented by LibreSSL (yet?).')
pass

def __init__(self, key, iv=None, header_len=0, aad_offset=0):
self.requirements_check()
@@ -613,8 +604,7 @@ cdef class AES256_OCB(_AEAD_BASE):
cdef class CHACHA20_POLY1305(_AEAD_BASE):
@classmethod
def requirements_check(cls):
if is_libressl:
raise ValueError('CHACHA20-POLY1305 is not implemented by LibreSSL (yet?).')
pass

def __init__(self, key, iv=None, header_len=0, aad_offset=0):
self.requirements_check()
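Review bot: Both `requirements_check` classmethods (on `AES256_OCB` and `CHACHA20_POLY1305`) are now a bare `pass`, yet each `__init__` still calls them, so the hook reads like a guard but checks nothing. With `is_libressl` and the `_crypto_helpers.h` dummies gone, an unsupported crypto library is presumably rejected at compile or link time instead of by a `ValueError` at cipher construction; the declarations of `EVP_aes_256_ocb` and `EVP_chacha20_poly1305` are outside these hunks, so that is inferred. I would say so in place of `pass`, e.g. `"""No runtime check: OpenSSL >= 1.1.1 (not LibreSSL) is required at build time, see setup.py."""`, or drop the hook and its call if nothing else relies on it. `OPENSSL_VERSION_NUMBER` is declared in the first hunk but no use of it is visible here; LibreSSL headers define that macro too, so it cannot tell the two libraries apart on its own.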
37 changes: 14 additions & 23 deletions src/borg/testsuite/crypto.py
@@ -3,8 +3,7 @@
import unittest


from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
IntegrityError, is_libressl
from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, IntegrityError
from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
from ..crypto.low_level import hkdf_hmac_sha512
from ..crypto.low_level import AES, hmac_sha256
@@ -103,16 +102,13 @@ def test_AE(self):
header = b'\x23' + iv_int.to_bytes(12, 'big')
tests = [
# (ciphersuite class, exp_mac, exp_cdata)
(AES256_OCB,
b'b6909c23c9aaebd9abbe1ff42097652d',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'fd08594796e0706cde1e8b461e3e0555',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
if not is_libressl:
tests += [
(AES256_OCB,
b'b6909c23c9aaebd9abbe1ff42097652d',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'fd08594796e0706cde1e8b461e3e0555',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
for cs_cls, exp_mac, exp_cdata in tests:
# print(repr(cs_cls))
# encrypt/mac
@@ -146,16 +142,13 @@ def test_AEAD(self):
header = b'\x12\x34\x56' + iv_int.to_bytes(12, 'big')
tests = [
# (ciphersuite class, exp_mac, exp_cdata)
(AES256_OCB,
b'f2748c412af1c7ead81863a18c2c1893',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'b7e7c9a79f2404e14f9aad156bf091dd',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
if not is_libressl:
tests += [
(AES256_OCB,
b'f2748c412af1c7ead81863a18c2c1893',
b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
(CHACHA20_POLY1305,
b'b7e7c9a79f2404e14f9aad156bf091dd',
b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
]
for cs_cls, exp_mac, exp_cdata in tests:
# print(repr(cs_cls))
# encrypt/mac
@@ -187,9 +180,7 @@ def test_AEAD_with_more_AAD(self):
iv_int = 0
data = b'foo' * 10
header = b'\x12\x34'
tests = []
if not is_libressl:
tests += [AES256_OCB, CHACHA20_POLY1305]
tests = [AES256_OCB, CHACHA20_POLY1305]
for cs_cls in tests:
# encrypt/mac
cs = cs_cls(key, iv_int, header_len=len(header), aad_offset=0)