[Git][NTPsec/ntpsec][master] 2 commits: Add attic/sign-timing to time public key signing.
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Tue Feb 11 20:35:43 UTC 2025
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
0bc40c2b by Hal Murray at 2025-02-11T04:19:37-08:00
Add attic/sign-timing to time public key signing.
- - - - -
a6149244 by Hal Murray at 2025-02-11T04:29:47-08:00
Tighten compiler error/warning checks
Default --enable-warnings is now on.
Use --disable-warnings if you can't fix your code.
Default for -Werror is now on.
Use --disable-Werror if necessary.
(Old old Bison needs it.)
- - - - -
6 changed files:
- NEWS.adoc
- + attic/sign-timing.c
- attic/wscript
- wafhelpers/check_sizeof.py
- wafhelpers/options.py
- wscript
Changes:
=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,11 @@ on user-visible changes.
## Repository Head
+* We have tightened the default compile time checking
+ The default is now --enable-warnings and -Werror
+ Use --disable-warnings and/or --disable-Werror if you can't fix your code.
+ (Old old Bison needs --disable-Werror)
+
* Fix ntpviz's skewness and kurtosis formulas. Fix suggested by by Frank Davis.
* ntpd now runs on FIPS mode systems.
=====================================
attic/sign-timing.c
=====================================
@@ -0,0 +1,232 @@
+/*
+ * Copyright the NTPsec project contributors
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/* Hack to time signing calculations.
+ Build with:
+ cc -g -Wall -lcrypto -lssl -o sign-timing sign-timing.c
+
+ This uses strncpy because that is more portable.
+ (And our usage is trivial.)
+ */
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/ssl.h>
+
+#define UNUSED_ARG(arg) ((void)(arg))
+
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+
+
+int NUM = 10000;
+
+#define SIGLEN 4096
+unsigned char sig[SIGLEN];
+#define TBSLEN 10000
+unsigned char tbs[TBSLEN];
+
+EVP_MD_CTX *ctx;
+
+BIO *bio_out;
+
+
+static void ssl_init(void) {
+
+ ctx = EVP_MD_CTX_new();
+ if (NULL == ctx) {
+ printf("EVP_MD_CTX_new() failed.\n");
+ exit(1);
+ }
+
+ bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+}
+
+static void ShowError(void) {
+ char buff[256];
+ int err = ERR_get_error();
+ SSL_load_error_strings(); /* Needed on NetBSD */
+ while (0 != err) {
+ ERR_error_string_n(err, buff, sizeof(buff));
+ printf(" %s\n", buff);
+ err = ERR_get_error();
+ }
+
+}
+
+/* from man EVP_PKEY-DSA, openssl-genpkey: 2048 256 */
+static EVP_PKEY* key_gen(unsigned int pbits, unsigned int qbits) {
+ int gindex = 1;
+ OSSL_PARAM params[6];
+ EVP_PKEY *param_key = NULL;
+ EVP_PKEY *key = NULL;
+ EVP_PKEY_CTX *pctx = NULL;
+ EVP_PKEY_CTX *gctx = NULL;
+ int err;
+ char stupid_api[20];
+
+ pctx = EVP_PKEY_CTX_new_from_name(NULL, "ED25519", NULL);
+ if (NULL == ctx) {
+ printf("EVP_PKEY_CTX_new_from_name() failed.\n");
+ ShowError();
+ exit(1);
+ }
+ err = EVP_PKEY_paramgen_init(pctx);
+ if (1 != err) {
+ printf("EVP_PKEY_paramgen_init() failed.\n");
+ ShowError();
+ exit(1);
+ }
+ params[0] = OSSL_PARAM_construct_uint("pbits", &pbits);
+ params[1] = OSSL_PARAM_construct_uint("qbits", &qbits);
+ params[2] = OSSL_PARAM_construct_int("gindex", &gindex);
+ strncpy(stupid_api, "SHA256", sizeof(stupid_api));
+ params[3] = OSSL_PARAM_construct_utf8_string("digest", stupid_api, 0);
+ params[4] = OSSL_PARAM_construct_end();
+ err = EVP_PKEY_CTX_set_params(pctx, params);
+ if (1 != err ) {
+ printf("EVP_PKEY_CTX_set_params() failed.\n");
+ ShowError();
+ exit(1);
+ }
+ err = EVP_PKEY_generate(pctx, ¶m_key);
+ if (1 != err ) {
+ printf("EVP_PKEY_generate()#1 failed.\n");
+ ShowError();
+ exit(1);
+ }
+ EVP_PKEY_CTX_free(pctx);
+
+ gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
+ EVP_PKEY_keygen_init(gctx);
+ err = EVP_PKEY_generate(gctx, &key);
+ if (1 != err ) {
+ printf("EVP_PKEY_generate()#2 failed.\n");
+ ShowError();
+ exit(1);
+ }
+ EVP_PKEY_CTX_free(gctx);
+
+ if (0)
+ EVP_PKEY_print_params(bio_out, key, 0, NULL);
+
+ return key;
+}
+
+
+/* man EVP_KEYMGMT-ED25519 EVP_SIGNATURE-ED25519 */
+static void DoSign(
+ unsigned int pbits,
+ unsigned int qbits,
+ size_t tbslen /* data length */
+) {
+ EVP_PKEY *key = key_gen(pbits, qbits);
+ struct timespec start, stop;
+ struct timespec t1, t2, t3;
+ uint64_t init = 0, data = 0;
+ double fast;
+ size_t siglen = SIGLEN;
+ int err;
+ char stupid_api1[20];
+ char stupid_api2[50];
+
+ const char* context = "RoughTime v1 delegation signature-";
+ int contextlen = strlen(context)+1;
+ OSSL_PARAM params[3];
+
+ strncpy(stupid_api1, "Ed25519ctx", sizeof(stupid_api1));
+ params[0] = OSSL_PARAM_construct_utf8_string("instance", stupid_api1, 0);
+ strncpy(stupid_api2, context, sizeof(stupid_api2));
+ params[1] = OSSL_PARAM_construct_octet_string("context-string", stupid_api2, contextlen);
+ params[2] = OSSL_PARAM_construct_end();
+ err = EVP_DigestSignInit_ex(ctx, NULL, NULL, NULL, NULL, key, params);
+ if (1 != err ) {
+ printf("EVP_DigestSignInit_ex()1 failed.\n");
+ ShowError();
+ exit(1);
+ }
+
+
+ clock_gettime(CLOCK_MONOTONIC, &start);
+ for (int i = 0; i < NUM; i++) {
+ clock_gettime(CLOCK_MONOTONIC, &t1);
+ err = EVP_DigestSignInit_ex(ctx, NULL, NULL, NULL, NULL, NULL, NULL);
+ if (1 != err ) {
+ printf("EVP_DigestSignInit_ex()2 failed.\n");
+ ShowError();
+ exit(1);
+ }
+ clock_gettime(CLOCK_MONOTONIC, &t2);
+ err = EVP_DigestSign(ctx, sig, &siglen, tbs, tbslen);
+ if (1 != err ) {
+ printf("EVP_DigestSign() failed, %d.\n", i);
+ ShowError();
+ exit(1);
+ }
+ clock_gettime(CLOCK_MONOTONIC, &t3);
+ init += (t2.tv_sec-t1.tv_sec)*1E9 + (t2.tv_nsec-t1.tv_nsec);
+ data += (t3.tv_sec-t2.tv_sec)*1E9 + (t3.tv_nsec-t2.tv_nsec);
+ }
+ clock_gettime(CLOCK_MONOTONIC, &stop);
+
+ fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+ printf("%7u %5u %6llu %5llu %8.0f %6.3f %6llu %5llu\n",
+ pbits, qbits, (unsigned long long)siglen, (unsigned long long)tbslen,
+ fast/NUM, fast/1E9, (unsigned long long)init/NUM, (unsigned long long)data/NUM);
+
+ EVP_PKEY_free(key);
+}
+
+int main(int argc, char *argv[])
+{
+ UNUSED_ARG(argc);
+ UNUSED_ARG(argv);
+
+ setlinebuf(stdout);
+
+ ssl_init();
+ RAND_bytes((unsigned char *)&tbs, TBSLEN);
+
+ printf("# %s\n", OPENSSL_VERSION_TEXT);
+ printf("# pbits qbits siglen data ns/sign \n");
+
+ DoSign(2048, 256, 32);
+ DoSign(2048, 256, 32);
+ DoSign(2048, 256, 128);
+ DoSign(2048, 256, 1024);
+ DoSign(1024, 256, 32);
+ DoSign(1024, 256, 128);
+ DoSign(1024, 256, 1024);
+ DoSign(4096, 256, 32);
+ DoSign(4096, 256, 128);
+ DoSign(4096, 256, 1024);
+
+ DoSign(2048, 512, 32);
+ DoSign(2048, 512, 128);
+ DoSign(2048, 512, 1024);
+
+ return 0;
+}
+
+#else /* #if OPENSSL_VERSION_NUMBER */
+int main(int argc, char *argv[])
+{
+ UNUSED_ARG(argc);
+ UNUSED_ARG(argv);
+ return(0);
+}
+#endif
+
=====================================
attic/wscript
=====================================
@@ -6,7 +6,8 @@ def build(ctx):
util = [ 'sht',
'digest-find', 'cipher-find',
'clocks', "random",
- 'digest-timing', 'cmac-timing', 'exp-timing', 'timestamp-info',
+ 'digest-timing', 'cmac-timing', 'exp-timing', 'sign-timing',
+ 'timestamp-info',
'backwards']
if not ctx.env.DISABLE_NTS:
=====================================
wafhelpers/check_sizeof.py
=====================================
@@ -9,7 +9,7 @@ SIZE_FRAG = """
%s
#include <stdio.h>
int main(void) {
- printf("%%lu", sizeof(%s));
+ printf("%%lu", (unsigned long)sizeof(%s));
return 0;
}
"""
=====================================
wafhelpers/options.py
=====================================
@@ -81,7 +81,11 @@ ext, ffi, or none. defaults to ffi.""", nargs=1)
grp.add_option('--check', action='store_true', default=False,
help="Run tests")
grp.add_option('--enable-warnings', action='store_true',
- default=False, help="Enable annoying CC warnings")
+ default=False, help="Ignored, default is on")
+ grp.add_option('--disable-warnings', action='store_true',
+ default=False, help="Enable more CC warnings")
+ grp.add_option('--disable-Werror', action='store_true',
+ default=False, help="turn off -Werror")
grp.add_option(
'--define', type='string', action="callback",
callback=callback_flags,
=====================================
wscript
=====================================
@@ -342,8 +342,13 @@ def configure(ctx):
ctx.define("DEBUG", 1, comment="Enable debug mode")
ctx.env.BISONFLAGS += ["--debug"]
- if ctx.options.enable_warnings:
- # turn on some annoying warnings
+ if not ctx.options.disable_Werror:
+ ctx.env.CFLAGS = [
+ "-Werror", # Turn warnings into errors
+ ] + ctx.env.CFLAGS
+
+ if not ctx.options.disable_warnings:
+ # turn on some more warnings
ctx.env.CFLAGS = [
# "-Wall", # for masochists
# "-Waggregate-return", # breaks ldiv(), ntpcal_daysplit(), etc.
@@ -667,10 +672,10 @@ int main(int argc, char **argv) {
('EVP_MD_CTX_new', ["openssl/evp.h"], "CRYPTO", False),
# MacOS doesn't have timer_create ??
('timer_create', ["signal.h", "time.h"], "RT", False),
- # Very old versions of OpenSSL don't have cmac.h
- # We could add ifdefs, but old crypto is deprecated in favor of CMAC
- # and so far, all the systems that we want to support are new enough.
- ('CMAC_CTX_new', ["openssl/cmac.h"], "CRYPTO", True),
+ ## Very old versions of OpenSSL don't have cmac.h
+ ## We used to test for CMAC_CTX_new here to generate a sane error
+ ## Now that gets a Deprecated warning with OpenSSL 3
+ ## ('CMAC_CTX_new', ["openssl/cmac.h"], "CRYPTO", True),
# Next should be above, but it needs a library
# EVP_PKEY_new_CMAC_key added in OpenSSL 1.1.1
('EVP_PKEY_new_CMAC_key', ["openssl/cmac.h"], "CRYPTO", False))
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/29d475a1eefaffce8306699412ef0cab561b0612...a614924427522a1c18a7729987380516bab901d4
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/29d475a1eefaffce8306699412ef0cab561b0612...a614924427522a1c18a7729987380516bab901d4
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20250211/1115edb9/attachment-0001.htm>
More information about the vc
mailing list