From gitlab at mg.gitlab.com Fri Jun 5 18:50:05 2020 From: gitlab at mg.gitlab.com (Gary E. Miller) Date: Fri, 05 Jun 2020 18:50:05 +0000 Subject: [Git][NTPsec/ntpsec][master] intpclients/ntplogtemp.py: Catch renamed error. Message-ID: <5eda93dde6e80_3c933f84d7bd975036589@sidekiq-low-urgency-cpu-bound-08-sv-gprd.mail> Gary E. Miller pushed to branch master at NTPsec / ntpsec Commits: 4efd47be by Gary E. Miller at 2020-06-05T11:48:03-07:00 intpclients/ntplogtemp.py: Catch renamed error. ValueError became TypeError. - - - - - 1 changed file: - ntpclients/ntplogtemp.py Changes: ===================================== ntpclients/ntplogtemp.py ===================================== @@ -183,7 +183,7 @@ class Temper: now = int(time.time()) data.append('%d %s %s' % (now, _device, temp)) break - except ValueError: + except (TypeError, ValueError): # bad data, ignore it, for a bit if args.verbose: sys.stderr.write("TEMPer-poll failed\n") View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/4efd47be329d9cde69999bd8e28ee9baed8ad3c8 From gitlab at mg.gitlab.com Mon Jun 15 19:01:15 2020 
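Review bot: in the ntpclients/ntplogtemp.py hunk, the widened `except (TypeError, ValueError):` discards the exception object, so the verbose output "TEMPer-poll failed" cannot distinguish bad sensor data from a coding error that raises TypeError in the same try body. Bind it with `except (TypeError, ValueError) as e:` and write `e` to stderr in the verbose branch, and extend the `# bad data, ignore it, for a bit` comment to name the call whose exception type changed, since the commit message only says that ValueError became TypeError.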
From: gitlab at mg.gitlab.com (Eric S. Raymond) Date: Mon, 15 Jun 2020 19:01:15 +0000 Subject: [Git][NTPsec/ntpsec][master] Revert "Exit if config file fails to open" Message-ID: <5ee7c57bf02ca_82afe006e09c8876f9@gitlab-sidekiq-low-urgency-cpu-bound-v1-d8868b5c-v256k.mail> Eric S. Raymond pushed to branch master at NTPsec / ntpsec Commits: 22842e6f by Eric S. Raymond at 2020-06-15T14:57:12-04:00 Revert "Exit if config file fails to open" This reversion resolves GitLab issue #649: /etc/ntp.d/ is not scanned if /etc/ntp.conf fails to be opened. Designer's intention is that if ntp.conf does not exist or is inaccessible, configuration files in ntp.d should still be parsed. - - - - - 1 changed file: - ntpd/ntp_scanner.c Changes: ===================================== ntpd/ntp_scanner.c ===================================== @@ -153,9 +153,7 @@ lex_open( stream->fpi = fopen(path, mode); if (NULL == stream->fpi) { free(stream); - msyslog(LOG_ERR, "CONFIG: failed to open \'%s\': %s", - path, strerror(errno)); - exit(1); + stream = NULL; } } return stream; View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/22842e6fe0455572598e35222d63b27f9ddeb2cb From gitlab at mg.gitlab.com Tue Jun 16 03:46:00 2020 
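Review bot: in the ntpd/ntp_scanner.c hunk, removing the `msyslog(LOG_ERR, "CONFIG: failed to open ...")` call together with `exit(1)` makes a failed fopen() in lex_open() silent: the branch now only frees the stream and returns NULL. The commit message justifies dropping the exit so that /etc/ntp.d/ is still scanned, but not dropping the diagnostic. Keep the msyslog() line so an absent or unreadable ntp.conf is visible in the logs, and capture errno before `free(stream)` so strerror() reports the fopen() failure.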
From: gitlab at mg.gitlab.com (Hal Murray) Date: Tue, 16 Jun 2020 03:46:00 +0000 Subject: [Git][NTPsec/ntpsec][master] 3 commits: Tweaks needed for OpenSSL 3.0.0-alpha Message-ID: <5ee84078cd9a0_92b0e5936cb48897b1@gitlab-sidekiq-low-urgency-cpu-bound-v1-9d8f69c5-vtddj.mail> Hal Murray pushed to branch master at NTPsec / ntpsec Commits: bbb6fe2a by Hal Murray at 2020-06-15T20:26:11-07:00 Tweaks needed for OpenSSL 3.0.0-alpha - - - - - 2869657f by Hal Murray at 2020-06-15T20:26:11-07:00 Add attic/cmac-timing.c Remove CMAC corner from attic/digest-timing.c - - - - - 90ba5f45 by Hal Murray at 2020-06-15T20:26:11-07:00 Add tweak to wscript to look in /usr/local/ssl/ and notes in HOWTO-OpenSSL - - - - - 6 changed files: - + HOWTO-OpenSSL - + attic/cmac-timing.c - attic/digest-timing.c - attic/wscript - wafhelpers/openssl.py - wscript Changes: ===================================== HOWTO-OpenSSL ===================================== 
@@ -0,0 +1,54 @@ +NTS needs TLS 1.3 or newer. +That was first supported in OpenSSL 1.1.1 + (1.1.1a is broken) +Some OSes/Distros don't support a new enough version of OpenSSL +This file contains notes on how to download, build, and install 1.1.1g +It also works for testing 3.0.0 alpha + +It's rough. Don't be surprised by bugs/oversights. +Corrections encouraged. + +OpenSSL source here: + https://www.openssl.org/source/ + https://www.openssl.org/source/old/1.1.1/ + +You should be able to cut/paste many of these lines. + +cd xxx +mkdir OpenSSL +cd OpenSSL +for OpenSSL 1.1.1g + wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz + tar -xzf openssl-1.1.1g.tar.gz + cd openssl-1.1.1g +for OpenSSL 3.0.0 alpha3 + wget https://www.openssl.org/source/openssl-3.0.0-alpha3.tar.gz + tar -xzf openssl-3.0.0-alpha3.tar.gz + cd openssl-3.0.0-alpha3 + +# Check NOTES.PERL +# for CentOS, you need + sudo yum install perl-core +For make test on Fedora + sudo dnf install perl-Test-Harness perl perl-Pod-Html + +On Linux + ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared + enable-des +make +sudo make install + +cd /etc/ld.so.conf.d +echo "/usr/local/ssl/lib" > openssl-1.1.1g.conf +echo "/usr/local/ssl/lib" > openssl-3.0.0-alpha.conf +ldconfig + +# check with +/usr/local/ssl/bin/openssl version + +# Note that the directories in the above config line need to +# match where wscript looks for your OS. +# The above works for CentOS 7 + +CentOS 7 needs this if you use real certificates: + nts ca /etc/pki/tls/certs/ca-bundle.trust.crt ===================================== attic/cmac-timing.c ===================================== 
@@ -0,0 +1,481 @@ +/* Last modified on Sat Aug 28 14:30:11 PDT 1999 by murray */ + +/* Hack to time various implementations of CMAC. + * + * This is just the CMAC timing. + * It doesn't include the copy or compare or finding the right key. + * + * Beware of overflows in the timing computations. + * + * Disable AES-NI (Intel hardware: NI == New Instruction) with: + * OPENSSL_ia32cap="~0x200000200000000" + * Check /proc/cpuinfo flags for "aes" to see if you have it. + */ + +#define CMAC_VERSION_CUTOFF 0x10000003 + +#include +#include +#include +#include +#include +#include + +/* Silence warnings from CMAC routines in OpenSSL 3.0.0 */ +#define OPENSSL_SUPPRESS_DEPRECATED 1 + +#include +#include +#include +#include +#include +#include +#include +#if OPENSSL_VERSION_NUMBER > 0x20000000L +#include +#endif + +#define UNUSED_ARG(arg) ((void)(arg)) + + +int NUM = 1000000; + +#define PACKET_LENGTH 48 +#define MAX_KEY_LENGTH 64 + +CMAC_CTX *cmac; +#if OPENSSL_VERSION_NUMBER > 0x20000000L +EVP_MAC_CTX *evp; +#endif + +unsigned char answer[EVP_MAX_MD_SIZE]; + +static void ssl_init(void) +{ +#if OPENSSL_VERSION_NUMBER > 0x20000000L + EVP_MAC *mac; +#endif + ERR_load_crypto_strings(); + OpenSSL_add_all_digests(); + OpenSSL_add_all_ciphers(); + cmac = CMAC_CTX_new(); +#if OPENSSL_VERSION_NUMBER > 0x20000000L + mac = EVP_MAC_fetch(NULL, "cmac", NULL); + if (NULL == mac) + printf("## Oops, EVP_MAC_fetch() failed.\n"); + evp = EVP_MAC_CTX_new(mac); + if (NULL == evp) + printf("## Oops, EVP_MAC_CTX_new() failed.\n"); +#endif +} + +static const EVP_CIPHER *CheckCipher(const char *name) { + const EVP_CIPHER *cipher; + char cbc[100]; + snprintf(cbc, sizeof(cbc), "%s-CBC", name); + cipher = EVP_get_cipherbyname(cbc); + if (0 && NULL == cipher) { + /* no error available */ + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops: EVP_get_cipherbyname() failed: %s\n %s\n", cbc, str); + return NULL; + } + return cipher; +} + +static void 
PrintHex(const unsigned char* bytes, int length) { + printf(" "); + for (int i=0; i 0x10101000L +static size_t One_PKEY( + EVP_PKEY *pkey, + EVP_MD_CTX *ctx, /* context */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) { + size_t len = EVP_MAX_MD_SIZE; + if (1 != EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_DigestSignInit() failed:\n %s.\n", str); + return 0; + } + EVP_DigestSign(ctx, answer, &len, pkt, pktlength); + return len; +} + + +static void DoPKEY( + const char *name, /* name of cipher */ + uint8_t *key, /* key pointer */ + int keylength, /* key length */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) +{ + struct timespec start, stop; + double fast; + unsigned long digestlength = 0; + + const EVP_CIPHER *cipher = CheckCipher(name); + EVP_PKEY *pkey; + EVP_MD_CTX *ctx; + + if (NULL == cipher) { + return; + } + + pkey = EVP_PKEY_new_CMAC_key(NULL, key, keylength, cipher); + if (NULL == pkey) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_PKEY_new_CMAC_key() failed: %s\n %s.\n", \ + name, str); + return; + } + ctx = EVP_MD_CTX_new(); + if (NULL == ctx) { + printf("## Oops, EVP_MD_CTX_new() failed.\n"); + return; + } + + clock_gettime(CLOCK_MONOTONIC, &start); + for (int i = 0; i < NUM; i++) { + digestlength = One_PKEY(pkey, ctx, pkt, pktlength); + } + clock_gettime(CLOCK_MONOTONIC, &stop); + fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec); + printf("%12s %2d %2d %2lu %6.0f %6.3f", + name, keylength, pktlength, digestlength, fast/NUM, fast/1E9); + PrintHex(answer, digestlength); + printf("\n"); + EVP_MD_CTX_free(ctx); + EVP_PKEY_free(pkey); +} +#endif + +#if OPENSSL_VERSION_NUMBER > 0x20000000L +static size_t One_EVP_MAC( + EVP_MAC_CTX *ctx, /* context */ + char *cipher, + uint8_t *key, /* key pointer */ + int 
keylength, /* key length */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) { + OSSL_PARAM params[3]; + size_t len = EVP_MAX_MD_SIZE; + + params[0] = + OSSL_PARAM_construct_utf8_string("cipher", cipher, 0); + params[1] = + OSSL_PARAM_construct_octet_string("key", key, keylength); + params[2] = OSSL_PARAM_construct_end(); + if (0 == EVP_MAC_CTX_set_params(ctx, params)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_CTX_set_params() failed: %s.\n", str); + return 0; + } + + if (0 == EVP_MAC_init(ctx)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + if (0 == EVP_MAC_update(ctx, pkt, pktlength)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + if (0 == EVP_MAC_final(ctx, answer, &len, sizeof(answer))) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + return len; +} + + +static void Do_EVP_MAC( + const char *name, /* name of cipher */ + uint8_t *key, /* key pointer */ + int keylength, /* key length */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) +{ + const EVP_CIPHER *cipher = CheckCipher(name); + struct timespec start, stop; + double fast; + unsigned long digestlength = 0; + char cbc[100]; + + if (NULL == cipher) { + return; + } + snprintf(cbc, sizeof(cbc), "%s-CBC", name); + + + clock_gettime(CLOCK_MONOTONIC, &start); + for (int i = 0; i < NUM; i++) { + digestlength = One_EVP_MAC(evp, cbc, key, keylength, pkt, pktlength); +if (0 == digestlength) break; + } + clock_gettime(CLOCK_MONOTONIC, &stop); + fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec); + printf("%12s %2d %2d %2lu %6.0f %6.3f", + name, 
keylength, pktlength, digestlength, fast/NUM, fast/1E9); + PrintHex(answer, digestlength); + printf("\n"); +} +static size_t One_EVP_MAC2( + EVP_MAC_CTX *ctx, /* context */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) { + size_t len = EVP_MAX_MD_SIZE; + + if (0 == EVP_MAC_init(ctx)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + if (0 == EVP_MAC_update(ctx, pkt, pktlength)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + if (0 == EVP_MAC_final(ctx, answer, &len, sizeof(answer))) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_init() failed: %s.\n", str); + return 0; + } + return len; +} + + +static void Do_EVP_MAC2( + const char *name, /* name of cipher */ + uint8_t *key, /* key pointer */ + int keylength, /* key length */ + uint8_t *pkt, /* packet pointer */ + int pktlength /* packet length */ +) +{ + struct timespec start, stop; + double fast; + unsigned long digestlength = 0; + char cbc[100]; + const EVP_CIPHER *cipher = CheckCipher(name); + OSSL_PARAM params[3]; + + if (NULL == cipher) { + return; + } + snprintf(cbc, sizeof(cbc), "%s-CBC", name); + + params[0] = + OSSL_PARAM_construct_utf8_string("cipher", cbc, 0); + params[1] = + OSSL_PARAM_construct_octet_string("key", key, keylength); + params[2] = OSSL_PARAM_construct_end(); + if (0 == EVP_MAC_CTX_set_params(evp, params)) { + unsigned long err = ERR_get_error(); + char * str = ERR_error_string(err, NULL); + printf("## Oops, EVP_MAC_CTX_set_params() failed: %s.\n", str); + return; + } + + + clock_gettime(CLOCK_MONOTONIC, &start); + for (int i = 0; i < NUM; i++) { + digestlength = One_EVP_MAC2(evp, pkt, pktlength); +if (0 == digestlength) break; + } + clock_gettime(CLOCK_MONOTONIC, &stop); + fast 
= (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec); + printf("%12s %2d %2d %2lu %6.0f %6.3f", + name, keylength, pktlength, digestlength, fast/NUM, fast/1E9); + PrintHex(answer, digestlength); + printf("\n"); +} +#endif + +int main(int argc, char *argv[]) +{ + uint8_t key[MAX_KEY_LENGTH]; + uint8_t packet[PACKET_LENGTH]; + + UNUSED_ARG(argc); + UNUSED_ARG(argv); + + setlinebuf(stdout); + + ssl_init(); + RAND_bytes((unsigned char *)&key, MAX_KEY_LENGTH); + RAND_bytes((unsigned char *)&packet, PACKET_LENGTH); + for (int i=0; i< MAX_KEY_LENGTH; i++) key[i]=i*i+0x23; + for (int i=0; i< PACKET_LENGTH; i++) packet[i]=i*i+0x31; + + printf("# %s\n", OPENSSL_VERSION_TEXT); + + printf("\n"); + printf("# KL=key length, PL=packet length, CL=CMAC length\n"); + printf("# CMAC KL PL CL ns/op sec/run\n"); + +#if OPENSSL_VERSION_NUMBER < 0x20000000L +/* Hangs on 3.0.0 Checking OPENSSL_NO_DES doesn't work. */ + DoCMAC("DES", key, 8, packet, PACKET_LENGTH); +#endif + DoCMAC("DES-EDE", key, 16, packet, PACKET_LENGTH); + DoCMAC("DES-EDE3", key, 24, packet, PACKET_LENGTH); +#ifndef OPENSSL_NO_SM4 + DoCMAC("SM4", key, 16, packet, PACKET_LENGTH); +#endif + DoCMAC("AES-128", key, 16, packet, PACKET_LENGTH); + DoCMAC("AES-192", key, 24, packet, PACKET_LENGTH); + DoCMAC("AES-256", key, 32, packet, PACKET_LENGTH); + DoCMAC("CAMELLIA-128", key, 16, packet, PACKET_LENGTH); + DoCMAC("CAMELLIA-192", key, 24, packet, PACKET_LENGTH); + DoCMAC("CAMELLIA-256", key, 32, packet, PACKET_LENGTH); + DoCMAC("ARIA-128", key, 16, packet, PACKET_LENGTH); + DoCMAC("ARIA-192", key, 24, packet, PACKET_LENGTH); + DoCMAC("ARIA-256", key, 32, packet, PACKET_LENGTH); + +#if OPENSSL_VERSION_NUMBER > 0x10101000L + printf("\n"); + printf("# KL=key length, PL=packet length, CL=CMAC length\n"); + printf("# PKEY KL PL CL ns/op sec/run\n"); + +#if OPENSSL_VERSION_NUMBER < 0x20000000L + DoPKEY("DES", key, 8, packet, PACKET_LENGTH); +#endif + DoPKEY("DES-EDE", key, 16, packet, PACKET_LENGTH); + 
DoPKEY("DES-EDE3", key, 24, packet, PACKET_LENGTH); +#ifndef OPENSSL_NO_SM4 + DoPKEY("SM4", key, 16, packet, PACKET_LENGTH); +#endif + DoPKEY("AES-128", key, 16, packet, PACKET_LENGTH); + DoPKEY("AES-192", key, 24, packet, PACKET_LENGTH); + DoPKEY("AES-256", key, 32, packet, PACKET_LENGTH); + DoPKEY("CAMELLIA-128", key, 16, packet, PACKET_LENGTH); + DoPKEY("CAMELLIA-192", key, 24, packet, PACKET_LENGTH); + DoPKEY("CAMELLIA-256", key, 32, packet, PACKET_LENGTH); + DoPKEY("ARIA-128", key, 16, packet, PACKET_LENGTH); + DoPKEY("ARIA-192", key, 24, packet, PACKET_LENGTH); + DoPKEY("ARIA-256", key, 32, packet, PACKET_LENGTH); +#endif + +#if OPENSSL_VERSION_NUMBER > 0x20000000L + printf("\n"); + printf("# KL=key length, PL=packet length, CL=CMAC length\n"); + printf("# EVP_MAC KL PL CL ns/op sec/run\n"); + + Do_EVP_MAC("DES-EDE", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC("DES-EDE3", key, 24, packet, PACKET_LENGTH); +#ifndef OPENSSL_NO_SM4 + Do_EVP_MAC("SM4", key, 16, packet, PACKET_LENGTH); +#endif + Do_EVP_MAC("AES-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC("AES-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC("AES-256", key, 32, packet, PACKET_LENGTH); + Do_EVP_MAC("CAMELLIA-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC("CAMELLIA-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC("CAMELLIA-256", key, 32, packet, PACKET_LENGTH); + Do_EVP_MAC("ARIA-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC("ARIA-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC("ARIA-256", key, 32, packet, PACKET_LENGTH); + + printf("\n"); + printf("Preload cipher and key.\n"); + Do_EVP_MAC2("DES-EDE", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC2("DES-EDE3", key, 24, packet, PACKET_LENGTH); +#ifndef OPENSSL_NO_SM4 + Do_EVP_MAC2("SM4", key, 16, packet, PACKET_LENGTH); +#endif + Do_EVP_MAC2("AES-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC2("AES-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC2("AES-256", key, 32, packet, PACKET_LENGTH); + 
Do_EVP_MAC2("CAMELLIA-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC2("CAMELLIA-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC2("CAMELLIA-256", key, 32, packet, PACKET_LENGTH); + Do_EVP_MAC2("ARIA-128", key, 16, packet, PACKET_LENGTH); + Do_EVP_MAC2("ARIA-192", key, 24, packet, PACKET_LENGTH); + Do_EVP_MAC2("ARIA-256", key, 32, packet, PACKET_LENGTH); +#endif + + return 0; +} ===================================== attic/digest-timing.c ===================================== @@ -16,7 +16,6 @@ * 0x10000003 1.0.0b fails * 0x1000105fL 1.0.1e works. */ -#define CMAC_VERSION_CUTOFF 0x10000003 #include #include @@ -26,9 +25,6 @@ #include #include -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF -#include -#endif #include #include #include @@ -60,9 +56,6 @@ int NUM = 1000000; #define MAX_KEY_LENGTH 64 EVP_MD_CTX *ctx; -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF -CMAC_CTX *cmac; -#endif static void ssl_init(void) { @@ -70,9 +63,6 @@ static void ssl_init(void) OpenSSL_add_all_digests(); OpenSSL_add_all_ciphers(); ctx = EVP_MD_CTX_new(); -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF - cmac = CMAC_CTX_new(); -#endif } static unsigned int SSL_Digest( @@ -111,24 +101,6 @@ static unsigned int SSL_DigestSlow( return len; } -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF -static size_t SSL_CMAC( - const EVP_CIPHER *cipher, /* cipher algorithm */ - uint8_t *key, /* key pointer */ - int keylength, /* key size */ - uint8_t *pkt, /* packet pointer */ - int pktlength /* packet length */ -) { - unsigned char answer[EVP_MAX_MD_SIZE]; - size_t len; - CMAC_resume(cmac); - CMAC_Init(cmac, key, keylength, cipher, NULL); - CMAC_Update(cmac, pkt, pktlength); - CMAC_Final(cmac, answer, &len); - return len; -} -#endif - static void DoDigest( const char *name, /* type of digest */ uint8_t *key, /* key pointer */ 
@@ -169,37 +141,6 @@ static void DoDigest( printf("\n"); } -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF -static void DoCMAC( - const char *name, /* name of cipher */ - const EVP_CIPHER *cipher, - uint8_t *key, /* key pointer */ - int keylength, /* key length */ - uint8_t *pkt, /* packet pointer */ - int pktlength /* packet length */ -) -{ - struct timespec start, stop; - double fast; - unsigned long digestlength = 0; - - if (NULL == cipher) { - return; - } - - clock_gettime(CLOCK_MONOTONIC, &start); - for (int i = 0; i < NUM; i++) { - digestlength = SSL_CMAC(cipher, key, keylength, pkt, pktlength); - } - clock_gettime(CLOCK_MONOTONIC, &stop); - fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec); - printf("%10s %2d %2d %2lu %6.0f %6.3f", - name, keylength, pktlength, digestlength, fast/NUM, fast/1E9); - - printf("\n"); -} -#endif - int main(int argc, char *argv[]) { @@ -237,21 +178,5 @@ int main(int argc, char *argv[]) DoDigest("RIPEMD160", key, 20, packet, PACKET_LENGTH); DoDigest("RIPEMD160", key, 32, packet, PACKET_LENGTH); -#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF - printf("\n"); - printf("# KL=key length, PL=packet length, CL=CMAC length\n"); - printf("# CMAC KL PL CL ns/op sec/run\n"); - - DoCMAC("DES", EVP_des_cbc(), key, 8, packet, PACKET_LENGTH); - DoCMAC("AES-128", EVP_aes_128_cbc(), key, 16, packet, PACKET_LENGTH); - DoCMAC("AES-192", EVP_aes_192_cbc(), key, 24, packet, PACKET_LENGTH); - DoCMAC("AES-256", EVP_aes_256_cbc(), key, 32, packet, PACKET_LENGTH); -#ifndef OPENSSL_NO_CAMELLIA - DoCMAC("CAM-128", EVP_camellia_128_cbc(), key, 16, packet, PACKET_LENGTH); - DoCMAC("CAM-192", EVP_camellia_192_cbc(), key, 24, packet, PACKET_LENGTH); - DoCMAC("CAM-256", EVP_camellia_256_cbc(), key, 32, packet, PACKET_LENGTH); -#endif -#endif - return 0; } ===================================== attic/wscript ===================================== 
@@ -1,6 +1,7 @@ def build(ctx): util = [ 'sht', - 'digest-find', 'digest-timing', 'clocks', "random", + 'digest-find', 'clocks', "random", + 'digest-timing', 'cmac-timing', 'backwards'] for name in util: ===================================== wafhelpers/openssl.py ===================================== @@ -14,7 +14,7 @@ int main(void) { def check_libssl_tls13(ctx): ctx.check_cc( fragment=SNIP_LIBSSL_TLS13_CHECK, - use="SSL", + use="SSL CRYPTO", msg="Checking for OpenSSL with TLSv1.3 support", ) @@ -35,6 +35,6 @@ int main(void) { def check_openssl_bad_version(ctx): ctx.check_cc( fragment=SNIP_OPENSSL_BAD_VERSION_CHECK, - use="SSL", + use="SSL CRYPTO", msg="Checking for OpenSSL != 1.1.1a", ) ===================================== wscript ===================================== @@ -503,6 +503,13 @@ int main(int argc, char **argv) { ctx.env.INCLUDES = ["/usr/pkg/include"] ctx.env.LIBPATH = ["/usr/pkg/lib"] ctx.env.LDFLAGS += ["-rpath=/usr/pkg/lib"] + elif ctx.env.DEST_OS == "linux" and os.path.isdir("/usr/local/ssl/"): + # This supports building OpenSSL from source + # That allows using OpenSSL 1.1.1 on older CentOS + # or testing pre-release versions of OpenSSL + # see HOWTO-OpenSSL + ctx.env.INCLUDES = ["/usr/local/ssl/include"] + ctx.env.LIBPATH = ["/usr/local/ssl/lib"] elif ctx.env.DEST_OS == "darwin": # macports location if os.path.isdir("/opt/local/include"): View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/22842e6fe0455572598e35222d63b27f9ddeb2cb...90ba5f453f43ba2b691a1dab381e45a95d0e18f9 From gitlab at mg.gitlab.com Tue Jun 16 13:00:29 2020 
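Review bot: in the HOWTO-OpenSSL hunk, the download steps go straight from `wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz` to `tar -xzf` and later `sudo make install` with no integrity check on the tarball. Add a step that verifies the download against the SHA-256 digest or PGP signature published alongside it before unpacking. The `echo "/usr/local/ssl/lib" > openssl-1.1.1g.conf` and `ldconfig` lines also need root, as `make install` does, but are shown without it, and a sentence noting that the ld.so.conf.d entry applies system-wide, not only to ntpd, would help anyone installing the 3.0.0 alpha this way.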
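Review bot: in the attic/cmac-timing.c hunk, One_EVP_MAC() and One_EVP_MAC2() print "## Oops, EVP_MAC_init() failed" in the failure branches of EVP_MAC_update() and EVP_MAC_final() as well, so the message names the wrong call; fix the copy-pasted strings. Separately, ssl_init() prints an error when EVP_MAC_fetch() or EVP_MAC_CTX_new() returns NULL but carries on, leaving the global `evp` NULL for the later Do_EVP_MAC() runs, and One_PKEY() ignores the return value of EVP_DigestSign(), so a failed call would be timed as if it had done the work. Both should abort the run. In main(), the two RAND_bytes() results are immediately overwritten by the `key[i]=i*i+0x23` and `packet[i]=i*i+0x31` loops, so one of the two fills can go.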
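Review bot: in the wscript hunk, the new `elif ctx.env.DEST_OS == "linux" and os.path.isdir("/usr/local/ssl/"):` branch switches the build to the OpenSSL under /usr/local/ssl/ merely because the directory exists, so a leftover self-built or pre-release install is linked into ntpd without the builder asking for it. Gate it behind an explicit configure option, or at least print which OpenSSL tree was selected. Unlike the /usr/pkg branch above it, this one sets INCLUDES and LIBPATH but adds no `-rpath` to LDFLAGS, so the resulting binaries depend on the ld.so.conf.d step from HOWTO-OpenSSL to find the library at run time; say so in the comment or add the rpath.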
From: gitlab at mg.gitlab.com (Eric S. Raymond) Date: Tue, 16 Jun 2020 13:00:29 +0000 Subject: [Git][NTPsec/ntpsec][master] A warning is appropriate when ntp.conf can't be opened. Message-ID: <5ee8c26deeece_82ae5cb7b2b8c66923@gitlab-sidekiq-low-urgency-cpu-bound-v1-9d8f69c5-jg64c.mail> Eric S. Raymond pushed to branch master at NTPsec / ntpsec Commits: e2eda5d0 by Eric S. Raymond at 2020-06-16T09:00:09-04:00 A warning is appropriate when ntp.conf can't be opened. - - - - - 1 changed file: - ntpd/ntp_scanner.c Changes: ===================================== ntpd/ntp_scanner.c ===================================== @@ -153,6 +153,8 @@ lex_open( stream->fpi = fopen(path, mode); if (NULL == stream->fpi) { free(stream); + msyslog(LOG_ERR, "CONFIG: failed to open \'%s\': %s", + path, strerror(errno)); stream = NULL; } } View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/e2eda5d072d8888e198d81a05700a405229acee0
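Review bot: in the ntpd/ntp_scanner.c hunk, the restored `msyslog(LOG_ERR, ...)` call reads errno after `free(stream);`, and free() is not guaranteed to leave errno untouched on every libc, so `strerror(errno)` can report something other than the fopen() failure. Move the msyslog() call above free(stream), or save errno in a local right after fopen() returns NULL. The subject line calls this a warning while the call logs at LOG_ERR; pick one, given that lex_open() now returns NULL on this path instead of exiting.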