[Git][NTPsec/ntpsec][master] 4 commits: Minor update to README-PYTHON

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Tue Nov 14 22:54:53 UTC 2023



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
bca93302 by Hal Murray at 2023-11-13T00:30:36-08:00
Minor update to README-PYTHON

- - - - -
fbe5663c by Hal Murray at 2023-11-14T11:31:10-08:00
More tweaks to HOWTO-OpenSSL

Fix a few typos -- thanks James.
Update the FreeBSD section -- they now provide 3 packages
for OpenSSL 3.0, 3.1, and 3.2

- - - - -
d25fb0a9 by Hal Murray at 2023-11-14T11:33:35-08:00
Cleanup attic/digest-find and digest-timing

The initialization area was broken.

- - - - -
8b4fb1dc by Hal Murray at 2023-11-14T12:27:58-08:00
Tweak wscript to build attic with --disable-nts

- - - - -


5 changed files:

- HOWTO-OpenSSL
- README-PYTHON
- attic/digest-find.c
- attic/digest-timing.c
- wscript


Changes:

=====================================
HOWTO-OpenSSL
=====================================
@@ -8,11 +8,19 @@ It it should be close for other 3.x.y versions
 It's rough.  Don't be surprised by bugs/oversights.
 Corrections, clarifications and feedback encouraged.
 
-FreeBSD 13.0 has OpenSSL 3.0.2 available as a package.
-You can just install it and ignore the rest of this note.
+In 2023-Nov, FreeBSD 13.2 has 1.1.1t as the main version.
+It also has 3 newer versions available as packages.
+You can just install one and ignore the rest of this note.
+waf will find the pkg version and use it.
   sudo pkg update
-  sudo pkg install openssl-devel-3.0.8
-openssl-devel-3.0.8            TLSv1.3 capable SSL and crypto library
+  sudo pkg search openssl
+openssl30-3.0.12_1             TLSv1.3 capable SSL and crypto library
+openssl31-3.1.4_1              TLSv1.3 capable SSL and crypto library
+openssl32-3.2.0.a2             TLSv1.3 capable SSL and crypto library
+  sudo pkg install openssl32
+Note: the "a2" is for "Alpha 2", not for production etc.
+The rest of this recipe works if you want to try a newer version from
+an OpenSSL tarball.
 
 
 Download OpenSSL source from here:
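Review bot: The added `sudo pkg install openssl32` line uses as its example the one package that the following added line flags as "Alpha 2", not for production, so a reader who copies the commands top to bottom installs a pre-release crypto library before reaching the caveat. Suggest showing `openssl31` (or `openssl30`) in the install example, or moving the alpha note above the install line. `pkg search` only queries the catalogue and should not need `sudo`.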
@@ -44,13 +52,13 @@ for OpenSSL 3.2.0
   sudo pkg install perl5
 
 By default, this recipe will install
-  libcrypto.so.3 and libsso.so.3
-  in /usr/local/ssh/lib64/
+  libcrypto.so.3 and libssl.so.3
+  in /usr/local/ssl/lib64/
 and they will be used by all software, not just ntpd.
 
 If you don't want that, edit VERSION.dat and change SHLIB_VERSION
 to something like 6.  That will install the libraries as
-  libcrypto.so.6 and libsso.so.6
+  libcrypto.so.6 and libssl.so.6
 and waf will setup ntpd to use them.
 openssl-3.2-beta breaks sudo on Fedora, so this is a good idea.   <======
 


=====================================
README-PYTHON
=====================================
@@ -8,7 +8,7 @@ where X and Y are the python version numbers.
 
 Unfortunately, that's not on the default search path of several
 OSes/distros, in particular Fedora and NetBSD.
-
+(Fixed in Fedora 39, Sep-2023, ??)
 
 Python has a search path that is used to find library modules when
 you import them.  You can see your search path with:
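Review bot: The added line `(Fixed in Fedora 39, Sep-2023, ??)` puts an unconfirmed claim into user-facing documentation; the `??` tells the reader the author is not sure, but not what to do about it. Suggest confirming on a Fedora 39 install and stating what changed (which directory is now on the default search path), or wording it explicitly as "reported fixed in Fedora 39, not verified".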
@@ -43,8 +43,8 @@ including root if root uses any ntp scripts.
 
 3: You can add to the default search path by setting up a .pth file
 with something like this:
-  echo /usr/local/lib/python2.7/site-packages > \
-    /usr/lib/python2.7/site-packages/ntpsec.pth
+  echo /usr/local/lib64/python3.11/site-packages > \
+    /usr/lib/python3.11/site-packages/ntpsec.pth
 This works for all users, including root.
 Note that the pth file must be on the default Python search path.
 
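Review bot: In the added `echo` example the two paths disagree on the library directory: the entry written is `/usr/local/lib64/python3.11/site-packages`, but the .pth file goes under `/usr/lib/python3.11/site-packages`. If that split is intentional, a short remark would stop readers from "correcting" it. The hard-coded 3.11 will also age the way 2.7 did; the file already talks about X and Y as the Python version numbers, so `pythonX.Y` would be consistent. Since the context line says this applies to root as well, it is worth adding that the directory named in the .pth file must be writable only by root.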
@@ -77,7 +77,7 @@ OTOH if you are running into something like:
         raise OSError("Can't find %s library" % LIB)
     OSError: Can't find ntpc library
 
-That means is that ntpc.py looked for libnptc.so in the usual places and could
+That means that ntpc.py looked for libnptc.so in the usual places and could
 not find it.  If it is being installed to the wrong location on your platform,
 you can correct the install location using: waf configure --libdir=  If you
 are intentionally installing to a non-default location, you can modify the
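Review bot: The corrected line still reads `libnptc.so`, while the error text two lines above is "Can't find ntpc library" and the loader is `ntpc.py`; this looks like a transposition of `libntpc.so`. Worth fixing in the same typo pass, since users will search for the file name exactly as written.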


=====================================
attic/digest-find.c
=====================================
@@ -18,9 +18,7 @@
 #include <stdio.h>
 
 #include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
 #include <openssl/ssl.h>
-#endif
 #include <openssl/evp.h>
 
 #define UNUSED_ARG(arg)         ((void)(arg))
@@ -31,9 +29,12 @@
  */
 const char* digests[] = {
     "MD5",
+    "SHA",
     "SHA1",
+    "sha1",
+    "SHA-1",
     "SHA256", "SHA384",
-    "MD2", "MD4"
+    "MD2", "MD4",
     "SHA", "SHA3",
     "SHA224", "SHA512",
     "RMD160", "RIPEMD160",
@@ -52,15 +53,21 @@ main (
     UNUSED_ARG(argv);
 
 #if OPENSSL_VERSION_NUMBER > 0x20000000L
-    SSL_CTX *ssl = SSL_CTX_new(TLS_client_method());
+    SSL_CTX *ssl;
 #endif
 
     unsigned int versionNumber = OPENSSL_VERSION_NUMBER;
     const char *versionText = OPENSSL_VERSION_TEXT;
-    printf("OpenSSL xVersion is %x, %s\n", versionNumber, versionText);
+    printf("OpenSSL Version is %x, %s\n", versionNumber, versionText);
+
 
-    /* needed if OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+    ssl = SSL_CTX_new(TLS_client_method());
+#else
     OpenSSL_add_all_digests();
+#endif
 
 
     printf("      name type length\n");
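Review bot: `ssl = SSL_CTX_new(TLS_client_method());` is not checked for NULL in this file, although the matching change to attic/digest-timing.c in the same push adds exactly that check and exits. Add the same `if (NULL == ssl)` test here, and consider checking the return value of `OPENSSL_init_ssl()` (0 means failure). As style points, the hunk leaves three consecutive blank lines before the new `#if`, and the init call would read better wrapped at the `|` operators.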


=====================================
attic/digest-timing.c
=====================================
@@ -30,9 +30,7 @@
 #include <openssl/md5.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
 #include <openssl/ssl.h>
-#endif
 
 #define UNUSED_ARG(arg)         ((void)(arg))
 
@@ -68,13 +66,19 @@ SSL_CTX *ssl;
 
 static void ssl_init(void)
 {
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+        OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+	ssl = SSL_CTX_new(TLS_client_method());
+	if (NULL == ssl) {
+		printf("SSL_CTX_new() failed.\n");
+		exit(1);
+	}
+#else
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_digests();
 	OpenSSL_add_all_ciphers();
-	ctx = EVP_MD_CTX_new();
-#if OPENSSL_VERSION_NUMBER > 0x20000000L
-	ssl = SSL_CTX_new(TLS_client_method());
 #endif
+	ctx = EVP_MD_CTX_new();
 }
 
 static unsigned int SSL_Digest(
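Review bot: `ctx = EVP_MD_CTX_new();`, now moved below the `#endif`, is still unchecked, unlike the `SSL_CTX_new()` call directly above it that gained a NULL test in this hunk; a NULL `ctx` would only surface later inside the digest calls. The return value of `OPENSSL_init_ssl()` is also ignored (it returns 0 on failure). Suggest one consistent pattern for all three calls, reporting on stderr rather than with `printf`. The `OPENSSL_init_ssl(...)` line is indented with spaces while the rest of `ssl_init()` uses tabs.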
@@ -94,7 +98,7 @@ static unsigned int SSL_Digest(
 }
 
 static unsigned int SSL_DigestSlow(
-  int type,               /* hash algorithm */
+  const char *name,       /* hash algorithm */
   uint8_t *key,           /* key pointer */
   int     keylength,      /* key size */
   uint8_t *pkt,           /* packet pointer */
@@ -104,7 +108,7 @@ static unsigned int SSL_DigestSlow(
 	unsigned char answer[EVP_MAX_MD_SIZE];
 	unsigned int len;
 	ctxx = EVP_MD_CTX_new();
-	EVP_DigestInit(ctxx, EVP_get_digestbynid(type));
+	EVP_DigestInit(ctxx, EVP_get_digestbyname(name));
 	EVP_DigestUpdate(ctxx, key, keylength);
 	EVP_DigestUpdate(ctxx, pkt, pktlength);
 	EVP_DigestFinal(ctxx, answer, &len);
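Review bot: In `SSL_DigestSlow()` the result of `EVP_get_digestbyname(name)` is passed straight into `EVP_DigestInit()`, and the lookup returns NULL for a name the library does not know. Now that the argument is a free-form string rather than a NID, store the result in a local, return 0 on NULL, and check the `EVP_DigestInit()` return as well. Note also that the by-name lookup runs once per call from the timed loop under `DoSLOW`, so the "slow" figure includes a string lookup per iteration; say so in a comment if that is the intent.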
@@ -120,8 +124,7 @@ static void DoDigest(
   int     pktlength       /* packet length */
 )
 {
-	int type = OBJ_sn2nid(name);
-	const EVP_MD *digest = EVP_get_digestbynid(type);
+	const EVP_MD *digest = EVP_get_digestbyname(name);
 	struct timespec start, stop;
 	double fast, slow;
 	unsigned int digestlength = 0;
@@ -154,7 +157,7 @@ static void DoDigest(
 #ifdef DoSLOW
 	clock_gettime(CLOCK_MONOTONIC, &start);
 	for (int i = 0; i < NUM; i++) {
-		digestlength = SSL_DigestSlow(type, key, keylength, pkt, pktlength);
+		digestlength = SSL_DigestSlow(name, key, keylength, pkt, pktlength);
 	}
 	clock_gettime(CLOCK_MONOTONIC, &stop);
 	slow = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);


=====================================
wscript
=====================================
@@ -623,7 +623,8 @@ int main(int argc, char **argv) {
     for header, sizeof in sorted(sizeofs, key=lambda x: x[1:]):
         check_sizeof(ctx, header, sizeof)
 
-    if not ctx.options.disable_nts:
+    # Parts of attic need libssl
+    if not ctx.options.disable_nts or ctx.options.enable_attic:
         # Check via pkg-config first, then fall back to a direct search
         if not ctx.check_cfg(
             package='libssl', uselib_store='SSL',



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/42deba21dd9f7b87ed4badc7633efe027273f951...8b4fb1dc01db55633207ca40a891397d3cd4b994
