
crypto: remove support for: OpenSSL < 1.1.1, LibreSSL < 2.7.0

All of these have been out of support for a long time.

Newer versions of LibreSSL have gained chacha20-poly1305 support,
but still lack aes256-ocb support.
Also they have the HMAC_CTX_new/free api now.

docs: openssl >= 1.1.1 is required now
anything older is out of support anyway.
Thomas Waldmann 3 سال پیش
والد
کامیت
d1d3d1dfa4
5فایلهای تغییر یافته به همراه20 افزوده شده و 64 حذف شده
  1. 1 1
      docs/installation.rst
  2. 3 29
      src/borg/crypto/_crypto_helpers.c
  3. 2 11
      src/borg/crypto/_crypto_helpers.h
  4. 5 14
      src/borg/crypto/low_level.pyx
  5. 9 9
      src/borg/testsuite/crypto.py

+ 1 - 1
docs/installation.rst

@@ -160,7 +160,7 @@ To install Borg from a source package (including pip), you have to install the
 following dependencies first:
 
 * `Python 3`_ >= 3.8.0, plus development headers.
-* OpenSSL_ >= 1.0.0, plus development headers.
+* OpenSSL_ >= 1.1.1, plus development headers.
 * libacl_ (which depends on libattr_), both plus development headers.
 * We have bundled code of the following packages, but borg by default (see
   setup.py if you want to change that) prefers a shared library if it can

+ 3 - 29
src/borg/crypto/_crypto_helpers.c

@@ -1,36 +1,10 @@
-/* some helpers, so our code also works with OpenSSL 1.0.x */
+/* some helpers, so our code also works with LibreSSL */
 
-#include <string.h>
 #include <openssl/opensslv.h>
-#include <openssl/hmac.h>
+#include <openssl/evp.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
-HMAC_CTX *HMAC_CTX_new(void)
-{
-    HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-    if (ctx != NULL) {
-        memset(ctx, 0, sizeof *ctx);
-        HMAC_CTX_cleanup(ctx);
-    }
-    return ctx;
-}
-
-void HMAC_CTX_free(HMAC_CTX *ctx)
-{
-    if (ctx != NULL) {
-        HMAC_CTX_cleanup(ctx);
-        OPENSSL_free(ctx);
-    }
-}
-#endif
-
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 const EVP_CIPHER *EVP_aes_256_ocb(void){  /* dummy, so that code compiles */
     return NULL;
 }
-
-const EVP_CIPHER *EVP_chacha20_poly1305(void){  /* dummy, so that code compiles */
-    return NULL;
-}
 #endif
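Review bot: The `#if defined(LIBRESSL_VERSION_NUMBER)` guard still defines the NULL-returning dummy `EVP_aes_256_ocb` for every LibreSSL version with no upper bound, so a future LibreSSL that does ship the real function may get this definition linked in front of it (the matching declaration in _crypto_helpers.h has the same guard). Because `AES256_OCB.requirements_check` in low_level.pyx also gates only on `is_libressl`, such a build would keep refusing OCB without any compile-time hint. A comment on the guard, e.g. `/* LibreSSL has no EVP_aes_256_ocb(); bound this guard by LIBRESSL_VERSION_NUMBER once it gains one */`, would make that maintenance point explicit.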

+ 2 - 11
src/borg/crypto/_crypto_helpers.h

@@ -1,21 +1,12 @@
-/* some helpers, so our code also works with OpenSSL 1.0.x */
+/* some helpers, so our code also works with LibreSSL */
 
 #include <openssl/opensslv.h>
-#include <openssl/hmac.h>
 #include <openssl/evp.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
-HMAC_CTX *HMAC_CTX_new(void);
-void HMAC_CTX_free(HMAC_CTX *ctx);
-#endif
-
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 const EVP_CIPHER *EVP_aes_256_ocb(void);  /* dummy, so that code compiles */
-const EVP_CIPHER *EVP_chacha20_poly1305(void);  /* dummy, so that code compiles */
 #endif
 
-
 #if !defined(LIBRESSL_VERSION_NUMBER)
 #define LIBRESSL_VERSION_NUMBER 0
 #endif
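Review bot: Nothing in the header enforces the new minimum versions named in the commit message, so a build against OpenSSL < 1.1.1 or LibreSSL < 2.7.0 now fails only later, with an undefined `HMAC_CTX_new` or `EVP_chacha20_poly1305`, instead of a clear message. A preprocessor check next to the include lines turns that into an explicit error. The constants below use the same version-number format as the conditions removed from this header.
```c
#include <openssl/evp.h>

#if defined(LIBRESSL_VERSION_NUMBER)
#if LIBRESSL_VERSION_NUMBER < 0x2070000fL
#error "LibreSSL >= 2.7.0 is required"
#endif
#elif OPENSSL_VERSION_NUMBER < 0x10101000L
#error "OpenSSL >= 1.1.1 is required"
#endif

/* … unchanged: EVP_aes_256_ocb dummy declaration, LIBRESSL_VERSION_NUMBER default … */
```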

+ 5 - 14
src/borg/crypto/low_level.pyx

@@ -109,17 +109,10 @@ cdef extern from "_crypto_helpers.h":
     long OPENSSL_VERSION_NUMBER
     long LIBRESSL_VERSION_NUMBER
 
-    ctypedef struct HMAC_CTX:
-        pass
-
-    HMAC_CTX *HMAC_CTX_new()
-    void HMAC_CTX_free(HMAC_CTX *a)
-
     const EVP_CIPHER *EVP_aes_256_ocb()  # dummy
-    const EVP_CIPHER *EVP_chacha20_poly1305()  # dummy
 
 
-openssl10 = OPENSSL_VERSION_NUMBER < 0x10100000 or LIBRESSL_VERSION_NUMBER
+is_libressl = bool(LIBRESSL_VERSION_NUMBER)
 
 
 import struct
@@ -217,8 +210,7 @@ cdef class AES256_CTR_BASE:
 
     @classmethod
     def requirements_check(cls):
-        if OPENSSL_VERSION_NUMBER < 0x10000000:
-            raise ValueError('AES CTR requires OpenSSL >= 1.0.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        pass
 
     def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
         self.requirements_check()
@@ -654,8 +646,8 @@ cdef class _CHACHA_BASE(_AEAD_BASE):
 cdef class AES256_OCB(_AES_BASE):
     @classmethod
     def requirements_check(cls):
-        if openssl10:
-            raise ValueError('AES OCB requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        if is_libressl:
+            raise ValueError('AES OCB is not implemented by LibreSSL (yet?).')
 
     def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
         self.requirements_check()
@@ -666,8 +658,7 @@ cdef class AES256_OCB(_AES_BASE):
 cdef class CHACHA20_POLY1305(_CHACHA_BASE):
     @classmethod
     def requirements_check(cls):
-        if openssl10:
-            raise ValueError('CHACHA20-POLY1305 requires OpenSSL >= 1.1.0. Detected: OpenSSL %08x' % OPENSSL_VERSION_NUMBER)
+        pass
 
     def __init__(self, mac_key, enc_key, iv=None, header_len=1, aad_offset=1):
         self.requirements_check()
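Review bot: The new `AES256_OCB.requirements_check` message drops the detected library version that the old message carried, which is the one detail useful in a bug report; `raise ValueError('AES OCB is not implemented by LibreSSL (yet?). Detected: LibreSSL %08x' % LIBRESSL_VERSION_NUMBER)` keeps it, and `LIBRESSL_VERSION_NUMBER` is already exposed by the extern block in the first hunk. The `requirements_check` bodies reduced to `pass` in AES256_CTR_BASE and CHACHA20_POLY1305 now read like dead code; a one-line docstring such as `"""No requirements beyond the library minimum (OpenSSL >= 1.1.1 / LibreSSL >= 2.7.0)."""` would record why the hook is kept. The enclosing cdef classes extend beyond all three hunks.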

+ 9 - 9
src/borg/testsuite/crypto.py

@@ -1,7 +1,7 @@
 from binascii import hexlify, unhexlify
 
 from ..crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_OCB, CHACHA20_POLY1305, UNENCRYPTED, \
-                               IntegrityError, blake2b_128, blake2b_256, hmac_sha256, openssl10
+                               IntegrityError, blake2b_128, blake2b_256, hmac_sha256, is_libressl
 from ..crypto.low_level import bytes_to_long, bytes_to_int, long_to_bytes
 from ..crypto.low_level import hkdf_hmac_sha512
 
@@ -98,15 +98,15 @@ class CryptoTestCase(BaseTestCase):
         header = b'\x23'
         tests = [
             # (ciphersuite class, exp_mac, exp_cdata)
+            (CHACHA20_POLY1305,
+             b'fd08594796e0706cde1e8b461e3e0555',
+             b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
         ]
-        if not openssl10:
+        if not is_libressl:
             tests += [
                 (AES256_OCB,
                  b'b6909c23c9aaebd9abbe1ff42097652d',
                  b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
-                (CHACHA20_POLY1305,
-                 b'fd08594796e0706cde1e8b461e3e0555',
-                 b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
             ]
         for cs_cls, exp_mac, exp_cdata in tests:
             # print(repr(cs_cls))
@@ -142,15 +142,15 @@ class CryptoTestCase(BaseTestCase):
         header = b'\x12\x34\x56'
         tests = [
             # (ciphersuite class, exp_mac, exp_cdata)
+            (CHACHA20_POLY1305,
+             b'b7e7c9a79f2404e14f9aad156bf091dd',
+             b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775',)
         ]
-        if not openssl10:
+        if not is_libressl:
             tests += [
                 (AES256_OCB,
                  b'f2748c412af1c7ead81863a18c2c1893',
                  b'877ce46d2f62dee54699cebc3ba41d9ab613f7c486778c1b3636664b1493', ),
-                (CHACHA20_POLY1305,
-                 b'b7e7c9a79f2404e14f9aad156bf091dd',
-                 b'a093e4b0387526f085d3c40cca84a35230a5c0dd766453b77ba38bcff775', )
             ]
         for cs_cls, exp_mac, exp_cdata in tests:
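Review bot: On a LibreSSL build the `if not is_libressl:` blocks in both hunks silently drop AES256_OCB from the test list, so the refusal path that `AES256_OCB.requirements_check` now implements is never exercised. An `else:` branch on each, e.g. `with self.assertRaises(ValueError): AES256_OCB.requirements_check()`, would cover it, assuming BaseTestCase derives from unittest.TestCase. Both enclosing test methods start outside their hunks.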
             # print(repr(cs_cls))