[Git][NTPsec/ntpsec][master] 2 commits: Add attic/sign-timing to time public key signing.

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Tue Feb 11 20:35:43 UTC 2025



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
0bc40c2b by Hal Murray at 2025-02-11T04:19:37-08:00
Add attic/sign-timing to time public key signing.

- - - - -
a6149244 by Hal Murray at 2025-02-11T04:29:47-08:00
Tighten compiler error/warning checks

Default --enable-warnings is now on.
  Use --disable-warnings if you can't fix your code.
Default for -Werror is now on.
  Use --disable-Werror if necessary.
  (Old old Bison needs it.)

- - - - -


6 changed files:

- NEWS.adoc
- + attic/sign-timing.c
- attic/wscript
- wafhelpers/check_sizeof.py
- wafhelpers/options.py
- wscript


Changes:

=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,11 @@ on user-visible changes.
 
 ## Repository Head
 
+* We have tightened the default compile time checking
+  The default is now --enable-warnings and -Werror
+  Use --disable-warnings and/or --disable-Werror if you can't fix your code.
+  (Old old Bison needs --disable-Werror)
+
 * Fix ntpviz's skewness and kurtosis formulas. Fix suggested by by Frank Davis.
 
 * ntpd now runs on FIPS mode systems.


=====================================
attic/sign-timing.c
=====================================
@@ -0,0 +1,232 @@
+/*
+ * Copyright the NTPsec project contributors
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+/* Hack to time signing calculations.
+  Build with:
+    cc -g -Wall -lcrypto -lssl -o sign-timing sign-timing.c
+
+  This uses strncpy because that is more portable.
+    (And our usage is trivial.)
+ */
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include <openssl/opensslv.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/ssl.h>
+
+#define UNUSED_ARG(arg)         ((void)(arg))
+
+#if OPENSSL_VERSION_NUMBER > 0x20000000L
+
+
+int NUM = 10000;
+
+#define SIGLEN 4096
+unsigned char sig[SIGLEN];
+#define TBSLEN 10000
+unsigned char tbs[TBSLEN];
+
+EVP_MD_CTX *ctx;
+
+BIO *bio_out;
+
+
+static void ssl_init(void) {
+
+	ctx = EVP_MD_CTX_new();
+        if (NULL == ctx) {
+                printf("EVP_MD_CTX_new() failed.\n");
+                exit(1);
+        }
+
+	bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
+}
+
+static void ShowError(void) {
+        char buff[256];
+        int err = ERR_get_error();
+        SSL_load_error_strings();        /* Needed on NetBSD */
+        while (0 != err) {
+                ERR_error_string_n(err, buff, sizeof(buff));
+                printf("  %s\n", buff);
+                err = ERR_get_error();
+        }
+
+}
+
+/* from man EVP_PKEY-DSA, openssl-genpkey: 2048 256 */
+static EVP_PKEY* key_gen(unsigned int pbits, unsigned int qbits) {
+  int gindex = 1;
+  OSSL_PARAM params[6];
+  EVP_PKEY *param_key = NULL;
+  EVP_PKEY *key = NULL;
+  EVP_PKEY_CTX *pctx = NULL;
+  EVP_PKEY_CTX *gctx = NULL;
+  int err;
+  char stupid_api[20];
+
+  pctx = EVP_PKEY_CTX_new_from_name(NULL, "ED25519", NULL);
+  if (NULL == ctx) {
+    printf("EVP_PKEY_CTX_new_from_name() failed.\n");
+    ShowError();
+    exit(1);
+  }
+  err = EVP_PKEY_paramgen_init(pctx);
+  if (1 != err) {
+    printf("EVP_PKEY_paramgen_init() failed.\n");
+    ShowError();
+    exit(1);
+  }
+  params[0] = OSSL_PARAM_construct_uint("pbits", &pbits);
+  params[1] = OSSL_PARAM_construct_uint("qbits", &qbits);
+  params[2] = OSSL_PARAM_construct_int("gindex", &gindex);
+  strncpy(stupid_api, "SHA256", sizeof(stupid_api));
+  params[3] = OSSL_PARAM_construct_utf8_string("digest", stupid_api, 0);
+  params[4] = OSSL_PARAM_construct_end();
+  err = EVP_PKEY_CTX_set_params(pctx, params);
+  if (1 != err ) {
+    printf("EVP_PKEY_CTX_set_params() failed.\n");
+    ShowError();
+    exit(1);
+  }
+  err = EVP_PKEY_generate(pctx, &param_key);
+  if (1 != err ) {
+    printf("EVP_PKEY_generate()#1 failed.\n");
+    ShowError();
+    exit(1);
+  }
+  EVP_PKEY_CTX_free(pctx);
+
+  gctx = EVP_PKEY_CTX_new_from_pkey(NULL, param_key, NULL);
+  EVP_PKEY_keygen_init(gctx);
+  err = EVP_PKEY_generate(gctx, &key);
+  if (1 != err ) {
+    printf("EVP_PKEY_generate()#2 failed.\n");
+    ShowError();
+    exit(1);
+  }
+  EVP_PKEY_CTX_free(gctx);
+
+  if (0)
+    EVP_PKEY_print_params(bio_out, key, 0, NULL);
+
+  return key;
+}
+
+
+/* man EVP_KEYMGMT-ED25519 EVP_SIGNATURE-ED25519 */
+static void DoSign(
+  unsigned int pbits,
+  unsigned int qbits,
+  size_t tbslen        /* data length */
+) {
+  EVP_PKEY *key = key_gen(pbits, qbits);
+  struct timespec start, stop;
+  struct timespec t1, t2, t3;
+  uint64_t init = 0, data = 0;
+  double fast;
+  size_t siglen = SIGLEN;
+  int err;
+  char stupid_api1[20];
+  char stupid_api2[50];
+
+  const char* context = "RoughTime v1 delegation signature-";
+  int contextlen = strlen(context)+1;
+  OSSL_PARAM params[3];
+
+  strncpy(stupid_api1, "Ed25519ctx", sizeof(stupid_api1));
+  params[0] = OSSL_PARAM_construct_utf8_string("instance", stupid_api1, 0);
+  strncpy(stupid_api2, context, sizeof(stupid_api2));
+  params[1] = OSSL_PARAM_construct_octet_string("context-string", stupid_api2, contextlen);
+  params[2] = OSSL_PARAM_construct_end();
+  err = EVP_DigestSignInit_ex(ctx, NULL, NULL, NULL, NULL, key, params);
+  if (1 != err ) {
+    printf("EVP_DigestSignInit_ex()1 failed.\n");
+    ShowError();
+    exit(1);
+  }
+
+
+  clock_gettime(CLOCK_MONOTONIC, &start);
+  for (int i = 0; i < NUM; i++) {
+    clock_gettime(CLOCK_MONOTONIC, &t1);
+    err = EVP_DigestSignInit_ex(ctx, NULL, NULL, NULL, NULL, NULL, NULL);
+    if (1 != err ) {
+      printf("EVP_DigestSignInit_ex()2 failed.\n");
+      ShowError();
+      exit(1);
+    }
+    clock_gettime(CLOCK_MONOTONIC, &t2);
+    err = EVP_DigestSign(ctx, sig, &siglen, tbs, tbslen);
+    if (1 != err ) {
+      printf("EVP_DigestSign() failed, %d.\n", i);
+      ShowError();
+      exit(1);
+    }
+    clock_gettime(CLOCK_MONOTONIC, &t3);
+    init += (t2.tv_sec-t1.tv_sec)*1E9 + (t2.tv_nsec-t1.tv_nsec);
+    data += (t3.tv_sec-t2.tv_sec)*1E9 + (t3.tv_nsec-t2.tv_nsec);
+  }
+  clock_gettime(CLOCK_MONOTONIC, &stop);
+
+  fast = (stop.tv_sec-start.tv_sec)*1E9 + (stop.tv_nsec-start.tv_nsec);
+  printf("%7u %5u %6llu %5llu %8.0f  %6.3f %6llu %5llu\n",
+    pbits, qbits, (unsigned long long)siglen, (unsigned long long)tbslen,
+    fast/NUM, fast/1E9, (unsigned long long)init/NUM, (unsigned long long)data/NUM);
+
+  EVP_PKEY_free(key);
+}
+
+int main(int argc, char *argv[])
+{
+	UNUSED_ARG(argc);
+	UNUSED_ARG(argv);
+
+	setlinebuf(stdout);
+
+	ssl_init();
+	RAND_bytes((unsigned char *)&tbs, TBSLEN);
+
+	printf("# %s\n", OPENSSL_VERSION_TEXT);
+	printf("# pbits qbits siglen  data  ns/sign \n");
+
+	DoSign(2048, 256, 32);
+	DoSign(2048, 256, 32);
+	DoSign(2048, 256, 128);
+	DoSign(2048, 256, 1024);
+	DoSign(1024, 256, 32);
+	DoSign(1024, 256, 128);
+	DoSign(1024, 256, 1024);
+	DoSign(4096, 256, 32);
+	DoSign(4096, 256, 128);
+	DoSign(4096, 256, 1024);
+
+	DoSign(2048, 512, 32);
+	DoSign(2048, 512, 128);
+	DoSign(2048, 512, 1024);
+
+	return 0;
+}
+
+#else /* #if OPENSSL_VERSION_NUMBER */
+int main(int argc, char *argv[])
+{
+	UNUSED_ARG(argc);
+	UNUSED_ARG(argv);
+	return(0);
+}
+#endif
+
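Review bot: In key_gen() the NULL test after `EVP_PKEY_CTX_new_from_name()` checks the global `ctx` instead of the `pctx` that was just assigned, so a failed allocation or an unavailable "ED25519" implementation is not caught and the NULL `pctx` goes straight into `EVP_PKEY_paramgen_init()`; the test should read `if (NULL == pctx) {`. The second context has the same gap: `gctx` from `EVP_PKEY_CTX_new_from_pkey()` and the return value of `EVP_PKEY_keygen_init(gctx)` are both unchecked, and `if (NULL == gctx || 1 != EVP_PKEY_keygen_init(gctx)) {` with the same ShowError()/exit(1) body would cover them. In ShowError(), `int err = ERR_get_error();` narrows an `unsigned long` and would be safer declared as `unsigned long err`. Separately, the pbits/qbits/gindex/digest parameters look carried over from a DSA version (the comment above key_gen cites EVP_PKEY-DSA); the hunk does not show that they affect an Ed25519 key, so a comment saying the pbits/qbits columns are only labels would stop readers from over-interpreting the timing table.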


=====================================
attic/wscript
=====================================
@@ -6,7 +6,8 @@ def build(ctx):
     util = [    'sht',
                 'digest-find', 'cipher-find',
                 'clocks', "random",
-                'digest-timing', 'cmac-timing', 'exp-timing', 'timestamp-info',
+                'digest-timing', 'cmac-timing', 'exp-timing', 'sign-timing',
+		'timestamp-info',
                 'backwards']
 
     if not ctx.env.DISABLE_NTS:
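Review bot: The added continuation line holding `'timestamp-info',` is indented with two tabs, while every other entry in the `util` list uses spaces. Python accepts this inside the brackets, but it renders misaligned and trips tab/space linters, so the line should use the same 16-space indent as its neighbours. build() continues past the end of the hunk.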


=====================================
wafhelpers/check_sizeof.py
=====================================
@@ -9,7 +9,7 @@ SIZE_FRAG = """
 %s
 #include <stdio.h>
 int main(void) {
-    printf("%%lu", sizeof(%s));
+    printf("%%lu", (unsigned long)sizeof(%s));
     return 0;
 }
 """


=====================================
wafhelpers/options.py
=====================================
@@ -81,7 +81,11 @@ ext, ffi, or none. defaults to ffi.""", nargs=1)
     grp.add_option('--check', action='store_true', default=False,
                    help="Run tests")
     grp.add_option('--enable-warnings', action='store_true',
-                   default=False, help="Enable annoying CC warnings")
+                   default=False, help="Ignored, default is on")
+    grp.add_option('--disable-warnings', action='store_true',
+                   default=False, help="Enable more CC warnings")
+    grp.add_option('--disable-Werror', action='store_true',
+                   default=False, help="turn off -Werror")
     grp.add_option(
         '--define', type='string', action="callback",
         callback=callback_flags,
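Review bot: The help text for the new `--disable-warnings` option says "Enable more CC warnings", which is the opposite of what the flag does; the wscript change in this commit skips the extra warning flags when it is set. Something like `default=False, help="Turn off the extra CC warnings")` would match the behaviour. Since `--enable-warnings` is now only an accepted no-op, these help strings are the main place a packager learns which diagnostics are on by default, so they are worth getting exact. The enclosing option-setup function starts and ends outside the hunk.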


=====================================
wscript
=====================================
@@ -342,8 +342,13 @@ def configure(ctx):
         ctx.define("DEBUG", 1, comment="Enable debug mode")
         ctx.env.BISONFLAGS += ["--debug"]
 
-    if ctx.options.enable_warnings:
-        # turn on some annoying warnings
+    if not ctx.options.disable_Werror:
+        ctx.env.CFLAGS = [
+            "-Werror",                # Turn warnings into errors
+        ] + ctx.env.CFLAGS
+
+    if not ctx.options.disable_warnings:
+        # turn on some more warnings
         ctx.env.CFLAGS = [
             # "-Wall",                # for masochists
             # "-Waggregate-return",   # breaks ldiv(), ntpcal_daysplit(),  etc.
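Review bot: `-Werror` is prepended to `ctx.env.CFLAGS` inside configure(), and if this runs before the later feature probes, any warning in a probe fragment becomes a failed probe that reads as "feature missing" rather than a build error. The same commit already had to patch the `sizeof` fragment and drop the `CMAC_CTX_new` probe, apparently for that reason. That deserves a comment at this spot, e.g. `# NOTE: also applies to configure probes; a warning there makes the probe fail`, or `-Werror` could be applied only after the probes have run. Whether the ordering is as assumed cannot be confirmed from the hunk, since configure() starts and ends outside it.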
@@ -667,10 +672,10 @@ int main(int argc, char **argv) {
         ('EVP_MD_CTX_new', ["openssl/evp.h"], "CRYPTO", False),
         # MacOS doesn't have timer_create ??
         ('timer_create', ["signal.h", "time.h"], "RT", False),
-        # Very old versions of OpenSSL don't have cmac.h
-        #  We could add ifdefs, but old crypto is deprecated in favor of CMAC
-        #  and so far, all the systems that we want to support are new enough.
-        ('CMAC_CTX_new', ["openssl/cmac.h"], "CRYPTO", True),
+        ## Very old versions of OpenSSL don't have cmac.h
+        ## We used to test for CMAC_CTX_new here to generate a sane error
+        ## Now that gets a Deprecated warning with OpenSSL 3
+        ## ('CMAC_CTX_new', ["openssl/cmac.h"], "CRYPTO", True),
         # Next should be above, but it needs a library
         # EVP_PKEY_new_CMAC_key added in OpenSSL 1.1.1
         ('EVP_PKEY_new_CMAC_key', ["openssl/cmac.h"], "CRYPTO", False))
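Review bot: With the `CMAC_CTX_new` entry commented out, no visible entry is marked mandatory for `openssl/cmac.h` any more; the remaining `EVP_PKEY_new_CMAC_key` entry carries `False`. An OpenSSL too old for CMAC would presumably now fail at compile time instead of with a clear configure message. If the fourth tuple field means "required", as the removed line suggests, setting it to `True` on the `EVP_PKEY_new_CMAC_key` entry would keep that diagnostic without probing the deprecated symbol. The commented-out tuple is also better deleted than kept behind `##`, with the explanation reduced to a one-line comment. The list starts outside the hunk.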



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/29d475a1eefaffce8306699412ef0cab561b0612...a614924427522a1c18a7729987380516bab901d4
