[Git][NTPsec/ntpsec][master] 3 commits: Tweaks needed for OpenSSL 3.0.0-alpha
Hal Murray
gitlab at mg.gitlab.com
Tue Jun 16 03:46:00 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
bbb6fe2a by Hal Murray at 2020-06-15T20:26:11-07:00
Tweaks needed for OpenSSL 3.0.0-alpha
- - - - -
2869657f by Hal Murray at 2020-06-15T20:26:11-07:00
Add attic/cmac-timing.c
Remove CMAC corner from attic/digest-timing.c
- - - - -
90ba5f45 by Hal Murray at 2020-06-15T20:26:11-07:00
Add tweak to wscript to look in /usr/local/ssl/
and notes in HOWTO-OpenSSL
- - - - -
6 changed files:
- + HOWTO-OpenSSL
- + attic/cmac-timing.c
- attic/digest-timing.c
- attic/wscript
- wafhelpers/openssl.py
- wscript
Changes:
=====================================
HOWTO-OpenSSL
=====================================
@@ -0,0 +1,54 @@
+NTS needs TLS 1.3 or newer.
+That was first supported in OpenSSL 1.1.1
+ (1.1.1a is broken)
+Some OSes/Distros don't support a new enough version of OpenSSL
+This file contains notes on how to download, build, and install 1.1.1g
+It also works for testing 3.0.0 alpha
+
+It's rough. Don't be surprised by bugs/oversights.
+Corrections encouraged.
+
+OpenSSL source here:
+ https://www.openssl.org/source/
+ https://www.openssl.org/source/old/1.1.1/
+
+You should be able to cut/paste many of these lines.
+
+cd xxx
+mkdir OpenSSL
+cd OpenSSL
+for OpenSSL 1.1.1g
+ wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
+ tar -xzf openssl-1.1.1g.tar.gz
+ cd openssl-1.1.1g
+for OpenSSL 3.0.0 alpha3
+ wget https://www.openssl.org/source/openssl-3.0.0-alpha3.tar.gz
+ tar -xzf openssl-3.0.0-alpha3.tar.gz
+ cd openssl-3.0.0-alpha3
+
+# Check NOTES.PERL
+# for CentOS, you need
+ sudo yum install perl-core
+For make test on Fedora
+ sudo dnf install perl-Test-Harness perl perl-Pod-Html
+
+On Linux
+ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared
+ enable-des
+make
+sudo make install
+
+cd /etc/ld.so.conf.d
+echo "/usr/local/ssl/lib" > openssl-1.1.1g.conf
+echo "/usr/local/ssl/lib" > openssl-3.0.0-alpha.conf
+ldconfig
+
+# check with
+/usr/local/ssl/bin/openssl version
+
+# Note that the directories in the above config line need to
+# match where wscript looks for your OS.
+# The above works for CentOS 7
+
+CentOS 7 needs this if you use real certificates:
+ nts ca /etc/pki/tls/certs/ca-bundle.trust.crt
=====================================
attic/cmac-timing.c
=====================================
@@ -0,0 +1,481 @@
+/* Last modified on Sat Aug 28 14:30:11 PDT 1999 by murray */
+
+/* Hack to time various implementations of CMAC.
+ *
+ * This is just the CMAC timing.
+ * It doesn't include the copy or compare or finding the right key.
+ *
+ * Beware of overflows in the timing computations.
+ *
+ * Disable AES-NI (Intel hardware: NI == New Instruction) with:
+ * OPENSSL_ia32cap="~0x200000200000000"
+ * Check /proc/cpuinfo flags for "aes" to see if you have it.
+ */
+
+#define CMAC_VERSION_CUTOFF 0x10000003
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+/* Silence warnings from CMAC routines in OpenSSL 3.0.0 */
+#define OPENSSL_SUPPRESS_DEPRECATED 1
+
+#include <openssl/opensslv.h>
+#include <openssl/err.h>
+#include <openssl/cmac.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+#include <openssl/params.h>
+#endif
+
+#define UNUSED_ARG(arg) ((void)(arg))
+
+
+int NUM = 1000000;
+
+#define PACKET_LENGTH 48
+#define MAX_KEY_LENGTH 64
+
+CMAC_CTX *cmac;
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+EVP_MAC_CTX *evp;
+#endif
+
+unsigned char answer[EVP_MAX_MD_SIZE];
+
+static void ssl_init(void)
+{
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+ EVP_MAC *mac;
+#endif
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+ OpenSSL_add_all_ciphers();
+ cmac = CMAC_CTX_new();
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+ mac = EVP_MAC_fetch(NULL, "cmac", NULL);
+ if (NULL == mac)
+ printf("## Oops, EVP_MAC_fetch() failed.\n");
+ evp = EVP_MAC_CTX_new(mac);
+ if (NULL == evp)
+ printf("## Oops, EVP_MAC_CTX_new() failed.\n");
+#endif
+}
+
+static const EVP_CIPHER *CheckCipher(const char *name) {
+ const EVP_CIPHER *cipher;
+ char cbc[100];
+ snprintf(cbc, sizeof(cbc), "%s-CBC", name);
+ cipher = EVP_get_cipherbyname(cbc);
+ if (0 && NULL == cipher) {
+ /* no error available */
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops: EVP_get_cipherbyname() failed: %s\n %s\n", cbc, str);
+ return NULL;
+ }
+ return cipher;
+}
+
+static void PrintHex(const unsigned char* bytes, int length) {
+ printf(" ");
+ for (int i=0; i<length; i++) {
+ printf("%02x", bytes[i]);
+ }
+}
+
+static size_t One_CMAC(
+ const EVP_CIPHER *cipher, /* cipher algorithm */
+ uint8_t *key, /* key pointer */
+ int keylength, /* key size */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+) {
+ size_t len;
+ if (1 != CMAC_Init(cmac, key, keylength, cipher, NULL)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, CMAC_Init() failed:\n %s.\n", str);
+ return 0;
+ }
+ if (1 != CMAC_Update(cmac, pkt, pktlength)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, CMAC_Update() failed:\n %s.\n", str);
+ return 0;
+ }
+ if (1 != CMAC_Final(cmac, answer, &len)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, CMAC_Final() failed:\n %s.\n", str);
+ return 0;
+ }
+ return len;
+}
+
+
+static void DoCMAC(
+ const char *name, /* name of cipher */
+ uint8_t *key, /* key pointer */
+ int keylength, /* key length */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+)
+{
+ const EVP_CIPHER *cipher = CheckCipher(name);
+ struct timespec start, stop;
+ double fast;
+ unsigned long digestlength = 0;
+
+ if (NULL == cipher) {
+ return;
+ }
+
+ clock_gettime(CLOCK_MONOTONIC, &start);
+ for (int i = 0; i < NUM; i++) {
+ digestlength = One_CMAC(cipher, key, keylength, pkt, pktlength);
+ if (0 == digestlength)
+ break;
+ }
+ clock_gettime(CLOCK_MONOTONIC, &stop);
+ fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+ printf("%12s %2d %2d %2lu %6.0f %6.3f",
+ name, keylength, pktlength, digestlength, fast/NUM, fast/1E9);
+ PrintHex(answer, digestlength);
+ printf("\n");
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x10101000L
+static size_t One_PKEY(
+ EVP_PKEY *pkey,
+ EVP_MD_CTX *ctx, /* context */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+) {
+ size_t len = EVP_MAX_MD_SIZE;
+ if (1 != EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_DigestSignInit() failed:\n %s.\n", str);
+ return 0;
+ }
+ EVP_DigestSign(ctx, answer, &len, pkt, pktlength);
+ return len;
+}
+
+
+static void DoPKEY(
+ const char *name, /* name of cipher */
+ uint8_t *key, /* key pointer */
+ int keylength, /* key length */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+)
+{
+ struct timespec start, stop;
+ double fast;
+ unsigned long digestlength = 0;
+
+ const EVP_CIPHER *cipher = CheckCipher(name);
+ EVP_PKEY *pkey;
+ EVP_MD_CTX *ctx;
+
+ if (NULL == cipher) {
+ return;
+ }
+
+ pkey = EVP_PKEY_new_CMAC_key(NULL, key, keylength, cipher);
+ if (NULL == pkey) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_PKEY_new_CMAC_key() failed: %s\n %s.\n", \
+ name, str);
+ return;
+ }
+ ctx = EVP_MD_CTX_new();
+ if (NULL == ctx) {
+ printf("## Oops, EVP_MD_CTX_new() failed.\n");
+ return;
+ }
+
+ clock_gettime(CLOCK_MONOTONIC, &start);
+ for (int i = 0; i < NUM; i++) {
+ digestlength = One_PKEY(pkey, ctx, pkt, pktlength);
+ }
+ clock_gettime(CLOCK_MONOTONIC, &stop);
+ fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+ printf("%12s %2d %2d %2lu %6.0f %6.3f",
+ name, keylength, pktlength, digestlength, fast/NUM, fast/1E9);
+ PrintHex(answer, digestlength);
+ printf("\n");
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+static size_t One_EVP_MAC(
+ EVP_MAC_CTX *ctx, /* context */
+ char *cipher,
+ uint8_t *key, /* key pointer */
+ int keylength, /* key length */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+) {
+ OSSL_PARAM params[3];
+ size_t len = EVP_MAX_MD_SIZE;
+
+ params[0] =
+ OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
+ params[1] =
+ OSSL_PARAM_construct_octet_string("key", key, keylength);
+ params[2] = OSSL_PARAM_construct_end();
+ if (0 == EVP_MAC_CTX_set_params(ctx, params)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_CTX_set_params() failed: %s.\n", str);
+ return 0;
+ }
+
+ if (0 == EVP_MAC_init(ctx)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ if (0 == EVP_MAC_update(ctx, pkt, pktlength)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ if (0 == EVP_MAC_final(ctx, answer, &len, sizeof(answer))) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ return len;
+}
+
+
+static void Do_EVP_MAC(
+ const char *name, /* name of cipher */
+ uint8_t *key, /* key pointer */
+ int keylength, /* key length */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+)
+{
+ const EVP_CIPHER *cipher = CheckCipher(name);
+ struct timespec start, stop;
+ double fast;
+ unsigned long digestlength = 0;
+ char cbc[100];
+
+ if (NULL == cipher) {
+ return;
+ }
+ snprintf(cbc, sizeof(cbc), "%s-CBC", name);
+
+
+ clock_gettime(CLOCK_MONOTONIC, &start);
+ for (int i = 0; i < NUM; i++) {
+ digestlength = One_EVP_MAC(evp, cbc, key, keylength, pkt, pktlength);
+if (0 == digestlength) break;
+ }
+ clock_gettime(CLOCK_MONOTONIC, &stop);
+ fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+ printf("%12s %2d %2d %2lu %6.0f %6.3f",
+ name, keylength, pktlength, digestlength, fast/NUM, fast/1E9);
+ PrintHex(answer, digestlength);
+ printf("\n");
+}
+static size_t One_EVP_MAC2(
+ EVP_MAC_CTX *ctx, /* context */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+) {
+ size_t len = EVP_MAX_MD_SIZE;
+
+ if (0 == EVP_MAC_init(ctx)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ if (0 == EVP_MAC_update(ctx, pkt, pktlength)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ if (0 == EVP_MAC_final(ctx, answer, &len, sizeof(answer))) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_init() failed: %s.\n", str);
+ return 0;
+ }
+ return len;
+}
+
+
+static void Do_EVP_MAC2(
+ const char *name, /* name of cipher */
+ uint8_t *key, /* key pointer */
+ int keylength, /* key length */
+ uint8_t *pkt, /* packet pointer */
+ int pktlength /* packet length */
+)
+{
+ struct timespec start, stop;
+ double fast;
+ unsigned long digestlength = 0;
+ char cbc[100];
+ const EVP_CIPHER *cipher = CheckCipher(name);
+ OSSL_PARAM params[3];
+
+ if (NULL == cipher) {
+ return;
+ }
+ snprintf(cbc, sizeof(cbc), "%s-CBC", name);
+
+ params[0] =
+ OSSL_PARAM_construct_utf8_string("cipher", cbc, 0);
+ params[1] =
+ OSSL_PARAM_construct_octet_string("key", key, keylength);
+ params[2] = OSSL_PARAM_construct_end();
+ if (0 == EVP_MAC_CTX_set_params(evp, params)) {
+ unsigned long err = ERR_get_error();
+ char * str = ERR_error_string(err, NULL);
+ printf("## Oops, EVP_MAC_CTX_set_params() failed: %s.\n", str);
+ return;
+ }
+
+
+ clock_gettime(CLOCK_MONOTONIC, &start);
+ for (int i = 0; i < NUM; i++) {
+ digestlength = One_EVP_MAC2(evp, pkt, pktlength);
+if (0 == digestlength) break;
+ }
+ clock_gettime(CLOCK_MONOTONIC, &stop);
+ fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+ printf("%12s %2d %2d %2lu %6.0f %6.3f",
+ name, keylength, pktlength, digestlength, fast/NUM, fast/1E9);
+ PrintHex(answer, digestlength);
+ printf("\n");
+}
+#endif
+
+int main(int argc, char *argv[])
+{
+ uint8_t key[MAX_KEY_LENGTH];
+ uint8_t packet[PACKET_LENGTH];
+
+ UNUSED_ARG(argc);
+ UNUSED_ARG(argv);
+
+ setlinebuf(stdout);
+
+ ssl_init();
+ RAND_bytes((unsigned char *)&key, MAX_KEY_LENGTH);
+ RAND_bytes((unsigned char *)&packet, PACKET_LENGTH);
+ for (int i=0; i< MAX_KEY_LENGTH; i++) key[i]=i*i+0x23;
+ for (int i=0; i< PACKET_LENGTH; i++) packet[i]=i*i+0x31;
+
+ printf("# %s\n", OPENSSL_VERSION_TEXT);
+
+ printf("\n");
+ printf("# KL=key length, PL=packet length, CL=CMAC length\n");
+ printf("# CMAC KL PL CL ns/op sec/run\n");
+
+#if OPENSSL_VERSION_NUMBER < 0x20000000L
+/* Hangs on 3.0.0 Checking OPENSSL_NO_DES doesn't work. */
+ DoCMAC("DES", key, 8, packet, PACKET_LENGTH);
+#endif
+ DoCMAC("DES-EDE", key, 16, packet, PACKET_LENGTH);
+ DoCMAC("DES-EDE3", key, 24, packet, PACKET_LENGTH);
+#ifndef OPENSSL_NO_SM4
+ DoCMAC("SM4", key, 16, packet, PACKET_LENGTH);
+#endif
+ DoCMAC("AES-128", key, 16, packet, PACKET_LENGTH);
+ DoCMAC("AES-192", key, 24, packet, PACKET_LENGTH);
+ DoCMAC("AES-256", key, 32, packet, PACKET_LENGTH);
+ DoCMAC("CAMELLIA-128", key, 16, packet, PACKET_LENGTH);
+ DoCMAC("CAMELLIA-192", key, 24, packet, PACKET_LENGTH);
+ DoCMAC("CAMELLIA-256", key, 32, packet, PACKET_LENGTH);
+ DoCMAC("ARIA-128", key, 16, packet, PACKET_LENGTH);
+ DoCMAC("ARIA-192", key, 24, packet, PACKET_LENGTH);
+ DoCMAC("ARIA-256", key, 32, packet, PACKET_LENGTH);
+
+#if OPENSSL_VERSION_NUMBER > 0x10101000L
+ printf("\n");
+ printf("# KL=key length, PL=packet length, CL=CMAC length\n");
+ printf("# PKEY KL PL CL ns/op sec/run\n");
+
+#if OPENSSL_VERSION_NUMBER < 0x20000000L
+ DoPKEY("DES", key, 8, packet, PACKET_LENGTH);
+#endif
+ DoPKEY("DES-EDE", key, 16, packet, PACKET_LENGTH);
+ DoPKEY("DES-EDE3", key, 24, packet, PACKET_LENGTH);
+#ifndef OPENSSL_NO_SM4
+ DoPKEY("SM4", key, 16, packet, PACKET_LENGTH);
+#endif
+ DoPKEY("AES-128", key, 16, packet, PACKET_LENGTH);
+ DoPKEY("AES-192", key, 24, packet, PACKET_LENGTH);
+ DoPKEY("AES-256", key, 32, packet, PACKET_LENGTH);
+ DoPKEY("CAMELLIA-128", key, 16, packet, PACKET_LENGTH);
+ DoPKEY("CAMELLIA-192", key, 24, packet, PACKET_LENGTH);
+ DoPKEY("CAMELLIA-256", key, 32, packet, PACKET_LENGTH);
+ DoPKEY("ARIA-128", key, 16, packet, PACKET_LENGTH);
+ DoPKEY("ARIA-192", key, 24, packet, PACKET_LENGTH);
+ DoPKEY("ARIA-256", key, 32, packet, PACKET_LENGTH);
+#endif
+
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+ printf("\n");
+ printf("# KL=key length, PL=packet length, CL=CMAC length\n");
+ printf("# EVP_MAC KL PL CL ns/op sec/run\n");
+
+ Do_EVP_MAC("DES-EDE", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC("DES-EDE3", key, 24, packet, PACKET_LENGTH);
+#ifndef OPENSSL_NO_SM4
+ Do_EVP_MAC("SM4", key, 16, packet, PACKET_LENGTH);
+#endif
+ Do_EVP_MAC("AES-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC("AES-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC("AES-256", key, 32, packet, PACKET_LENGTH);
+ Do_EVP_MAC("CAMELLIA-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC("CAMELLIA-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC("CAMELLIA-256", key, 32, packet, PACKET_LENGTH);
+ Do_EVP_MAC("ARIA-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC("ARIA-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC("ARIA-256", key, 32, packet, PACKET_LENGTH);
+
+ printf("\n");
+ printf("Preload cipher and key.\n");
+ Do_EVP_MAC2("DES-EDE", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("DES-EDE3", key, 24, packet, PACKET_LENGTH);
+#ifndef OPENSSL_NO_SM4
+ Do_EVP_MAC2("SM4", key, 16, packet, PACKET_LENGTH);
+#endif
+ Do_EVP_MAC2("AES-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("AES-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("AES-256", key, 32, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("CAMELLIA-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("CAMELLIA-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("CAMELLIA-256", key, 32, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("ARIA-128", key, 16, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("ARIA-192", key, 24, packet, PACKET_LENGTH);
+ Do_EVP_MAC2("ARIA-256", key, 32, packet, PACKET_LENGTH);
+#endif
+
+ return 0;
+}
=====================================
attic/digest-timing.c
=====================================
@@ -16,7 +16,6 @@
* 0x10000003 1.0.0b fails
* 0x1000105fL 1.0.1e works.
*/
-#define CMAC_VERSION_CUTOFF 0x10000003
#include <stdint.h>
#include <stdlib.h>
@@ -26,9 +25,6 @@
#include <openssl/opensslv.h>
#include <openssl/err.h>
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
-#include <openssl/cmac.h>
-#endif
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
@@ -60,9 +56,6 @@ int NUM = 1000000;
#define MAX_KEY_LENGTH 64
EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
-CMAC_CTX *cmac;
-#endif
static void ssl_init(void)
{
@@ -70,9 +63,6 @@ static void ssl_init(void)
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
ctx = EVP_MD_CTX_new();
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
- cmac = CMAC_CTX_new();
-#endif
}
static unsigned int SSL_Digest(
@@ -111,24 +101,6 @@ static unsigned int SSL_DigestSlow(
return len;
}
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
-static size_t SSL_CMAC(
- const EVP_CIPHER *cipher, /* cipher algorithm */
- uint8_t *key, /* key pointer */
- int keylength, /* key size */
- uint8_t *pkt, /* packet pointer */
- int pktlength /* packet length */
-) {
- unsigned char answer[EVP_MAX_MD_SIZE];
- size_t len;
- CMAC_resume(cmac);
- CMAC_Init(cmac, key, keylength, cipher, NULL);
- CMAC_Update(cmac, pkt, pktlength);
- CMAC_Final(cmac, answer, &len);
- return len;
-}
-#endif
-
static void DoDigest(
const char *name, /* type of digest */
uint8_t *key, /* key pointer */
@@ -169,37 +141,6 @@ static void DoDigest(
printf("\n");
}
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
-static void DoCMAC(
- const char *name, /* name of cipher */
- const EVP_CIPHER *cipher,
- uint8_t *key, /* key pointer */
- int keylength, /* key length */
- uint8_t *pkt, /* packet pointer */
- int pktlength /* packet length */
-)
-{
- struct timespec start, stop;
- double fast;
- unsigned long digestlength = 0;
-
- if (NULL == cipher) {
- return;
- }
-
- clock_gettime(CLOCK_MONOTONIC, &start);
- for (int i = 0; i < NUM; i++) {
- digestlength = SSL_CMAC(cipher, key, keylength, pkt, pktlength);
- }
- clock_gettime(CLOCK_MONOTONIC, &stop);
- fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
- printf("%10s %2d %2d %2lu %6.0f %6.3f",
- name, keylength, pktlength, digestlength, fast/NUM, fast/1E9);
-
- printf("\n");
-}
-#endif
-
int main(int argc, char *argv[])
{
@@ -237,21 +178,5 @@ int main(int argc, char *argv[])
DoDigest("RIPEMD160", key, 20, packet, PACKET_LENGTH);
DoDigest("RIPEMD160", key, 32, packet, PACKET_LENGTH);
-#if OPENSSL_VERSION_NUMBER > CMAC_VERSION_CUTOFF
- printf("\n");
- printf("# KL=key length, PL=packet length, CL=CMAC length\n");
- printf("# CMAC KL PL CL ns/op sec/run\n");
-
- DoCMAC("DES", EVP_des_cbc(), key, 8, packet, PACKET_LENGTH);
- DoCMAC("AES-128", EVP_aes_128_cbc(), key, 16, packet, PACKET_LENGTH);
- DoCMAC("AES-192", EVP_aes_192_cbc(), key, 24, packet, PACKET_LENGTH);
- DoCMAC("AES-256", EVP_aes_256_cbc(), key, 32, packet, PACKET_LENGTH);
-#ifndef OPENSSL_NO_CAMELLIA
- DoCMAC("CAM-128", EVP_camellia_128_cbc(), key, 16, packet, PACKET_LENGTH);
- DoCMAC("CAM-192", EVP_camellia_192_cbc(), key, 24, packet, PACKET_LENGTH);
- DoCMAC("CAM-256", EVP_camellia_256_cbc(), key, 32, packet, PACKET_LENGTH);
-#endif
-#endif
-
return 0;
}
=====================================
attic/wscript
=====================================
@@ -1,6 +1,7 @@
def build(ctx):
util = [ 'sht',
- 'digest-find', 'digest-timing', 'clocks', "random",
+ 'digest-find', 'clocks', "random",
+ 'digest-timing', 'cmac-timing',
'backwards']
for name in util:
=====================================
wafhelpers/openssl.py
=====================================
@@ -14,7 +14,7 @@ int main(void) {
def check_libssl_tls13(ctx):
ctx.check_cc(
fragment=SNIP_LIBSSL_TLS13_CHECK,
- use="SSL",
+ use="SSL CRYPTO",
msg="Checking for OpenSSL with TLSv1.3 support",
)
@@ -35,6 +35,6 @@ int main(void) {
def check_openssl_bad_version(ctx):
ctx.check_cc(
fragment=SNIP_OPENSSL_BAD_VERSION_CHECK,
- use="SSL",
+ use="SSL CRYPTO",
msg="Checking for OpenSSL != 1.1.1a",
)
=====================================
wscript
=====================================
@@ -503,6 +503,13 @@ int main(int argc, char **argv) {
ctx.env.INCLUDES = ["/usr/pkg/include"]
ctx.env.LIBPATH = ["/usr/pkg/lib"]
ctx.env.LDFLAGS += ["-rpath=/usr/pkg/lib"]
+ elif ctx.env.DEST_OS == "linux" and os.path.isdir("/usr/local/ssl/"):
+ # This supports building OpenSSL from source
+ # That allows using OpenSSL 1.1.1 on older CentOS
+ # or testing pre-release versions of OpenSSL
+ # see HOWTO-OpenSSL
+ ctx.env.INCLUDES = ["/usr/local/ssl/include"]
+ ctx.env.LIBPATH = ["/usr/local/ssl/lib"]
elif ctx.env.DEST_OS == "darwin":
# macports location
if os.path.isdir("/opt/local/include"):
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/22842e6fe0455572598e35222d63b27f9ddeb2cb...90ba5f453f43ba2b691a1dab381e45a95d0e18f9
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/22842e6fe0455572598e35222d63b27f9ddeb2cb...90ba5f453f43ba2b691a1dab381e45a95d0e18f9
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20200616/68718806/attachment-0001.htm>
More information about the vc
mailing list