Mailing List Archive

Export regulations and DES-only crypto and 'Ohhhh jeeee'
Hi,

Export regulations make it so that libcrypt has to be limited to
56-bit, to be included in a product. So, until there's another way of
settling this, I'm trying to use the enable-ciphers configure option
like so:

./configure --enable-ciphers="des rfc2268"

I've seen that if RC2 is not included, then the build fails. It
looks OK to include it as the last comment about it in the Changelog
mentions that only the 40-bit version is supported.

libgcrypt builds fine. But the make check stage bails out with:

PASS: prime
PASS: register
Ohhhh jeeee: cipher 3 not found
/bin/sh: line 4: 9483 Aborted ${dir}$tst

I don't know what the error is and how to correct it. Surely you
have, throughout the years, seen this situation where the crypto
algorithms have to be seriously trimmed down for some (stupid)
regulations. Is this the right way to do it? Anyone seen that error
before in this context?

So 'make check' reports an error. It nevertheless outputs some stats
and 3DES is present. So, in cipher.c I comment out the line with
GCRY_CIPHER_3DES in the #if USE_DES block and rebuild. Same Ohhhh jeee
error.

I'd appreciate very much any comments/hints/suggestions.

Cheers.


_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
Re: Export regulations and DES-only crypto and 'Ohhhh jeeee'
On Thu, 7 Aug 2008 01:19, lanas@securenet.net said:

> Export regulations make it so that libcrypt has to be limited to
> 56-bit, to be included in a product. So, until there's another way of

Assuming you are in the US, that is not true. These restrictions have
been dropped several years ago. Except for some banned countries.

> ./configure --enable-ciphers="des rfc2268"
>
> I've seen that if RC2 is not included, then the build fails. It

I doubt that. rc2 is not different from the other ciphers.

> PASS: prime
> PASS: register
> Ohhhh jeeee: cipher 3 not found

This is CAST5. There might be a bug in the configure code. Check
whether USE_CAST5 is defined in config.h - it should not be defined with
your configure options.

Best would be to

grep USE_ config.h

to see what features are actually included.



Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
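
The check suggested in the reply above, as an added example (not part of the original thread and not libgcrypt code): a shell helper that lists the USE_* macros actually defined in config.h and flags any that fall outside an allowlist. The function names and the sample config.h contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an autoconf config.h against a feature allowlist.

# enabled_features FILE
# Print the USE_* macros really defined in FILE, one per line. Autoconf
# writes a disabled feature as "/* #undef USE_X */", which "grep USE_"
# also matches; only "#define USE_X ..." lines are counted here.
enabled_features() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}\(USE_[A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}

# unexpected_features FILE "ALLOWED ..."
# Print each enabled USE_* macro missing from the space-separated
# allowlist. Returns 0 if the build matches the policy, 1 otherwise.
unexpected_features() {
    allowed=" $2 "
    rc=0
    for feat in $(enabled_features "$1"); do
        case "$allowed" in
            *" $feat "*) ;;
            *) echo "$feat"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample, not taken from a real build: DES was requested but
# CAST5 is defined as well, the configure bug suspected in the reply.
sample_config() {
    cat <<'EOF'
/* Defined if this module should be included */
#define USE_DES 1
/* #undef USE_AES */
#define USE_CAST5 1
/* #undef USE_RFC2268 */
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
if bad=$(unexpected_features "$tmp" "USE_DES"); then
    echo "config.h matches the allowlist"
else
    echo "features outside the allowlist:" $bad
fi
rm -f "$tmp"
```

Against a real build tree the allowlist has to name every USE_* macro the build is meant to carry, since anything not listed is reported.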


Re: Export regulations and DES-only crypto and 'Ohhhh jeeee'
Hello,

> Assuming you are in the US, that is not true. These
> restrictions have been dropped several years ago. Except for
> some banned countries.

It's not the US. It's a more conservative country (regarding this)
located north of the US ;-)

>> ./configure --enable-ciphers="des rfc2268"
>> I've seen that if RC2 is not included, then the build fails. It

> I doubt that. rc2 is not different from the other ciphers.

You are right as far as I've verified the version that was used. It
was 1.2.3 so I upgraded to 1.4.1 before doing anything else new. The
problem was there in 1.2.3, but not in 1.4.1 now.

So now I'm using 1.4.1.

In a vague attempt at finding out the cause of the problem, I've also
added a printf() statement in:

cipher.c:

cipher_get_keylen (int algorithm)
{
[...]
ath_mutex_lock (&ciphers_registered_lock);
printf("Looking for algorithm: %d\n", algorithm);
[...]
}

The above will be shown in the results below.

So now I'm doing:

./configure --enable-ciphers="des"
make
make check

And the result is:

PASS: ac-schemes
PASS: ac-data
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
aes-cbc-cts, grcy_open_cipher failed: Invalid cipher algorithm
cbc-mac algo 7, grcy_open_cipher failed: Invalid cipher algorithm
aes-ctr, grcy_open_cipher failed: Invalid cipher algorithm
aes-cfb, grcy_open_cipher failed: Invalid cipher algorithm
aes-ofb, grcy_open_cipher failed: Invalid cipher algorithm
FAIL: basic

Further down we find the results of some tests:

ECB CBC
--------------- --------------- etc...
Looking for algorithm: 2
3DES 140ms 150ms 150ms 160ms
Looking for algorithm: 302
DES 60ms 60ms 60ms 60ms

And of course, the error is reported at the conclusion:

PASS: benchmark
========================================
1 of 16 tests failed
Please report to bug-libgcrypt@gnupg.org
========================================

make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory
`/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory
`/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
make: *** [check-recursive] Error 1

So this is one problem.

Now, since I do not want 3DES, I edit cipher.c to comment it out:

../cipher/cipher.c

#if USE_DES
{ &_gcry_cipher_spec_des, GCRY_CIPHER_DES },
/* { &_gcry_cipher_spec_tripledes, GCRY_CIPHER_3DES }, */
#endif

A grep on USE_CAST5, done after the configure step below, returns:

grep -r USE_CAST5 *
cipher/cipher.c:#if USE_CAST5
config.h:/* #undef USE_CAST5 */
config.h.in:#undef USE_CAST5
configure:#define USE_CAST5 1
configure.ac: AC_DEFINE(USE_CAST5, 1, [Defined if this module should be included])
tests/basic.c:#if USE_CAST5

And then I do:

make clean
./configure --enable-ciphers="des"
make
make check

(I probably do not need to reconfigure ...)

And then, we do not have the above error, but instead we have the Ohhh
jeee error:

PASS: ac-schemes
PASS: ac-data
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 2
Ohhhh jeeee: cipher 2 not found
/bin/sh: line 4: 24082 Aborted ${dir}$tst
FAIL: basic

ECB CBC
--------------- --------------- etc...
Looking for algorithm: 302
DES 60ms 60ms 60ms 70ms

And everything else passes OK, and one error is reported at the end at
the conclusion.

I do not see why it tries to access algorithm # 2 even though it's
commented out of the definition. Could it be that a DES structure
implicitly makes a reference to 3DES even though it's, in this case,
not wanted?

Let me know if I can be of any help.

Thank you very much for your help!

Bye.


Re: Export regulations and DES-only crypto and 'Ohhhh jeeee'
On Fri, 8 Aug 2008 00:31, lanas@securenet.net said:

> ./configure --enable-ciphers="des"
> make
> make check

You may just do

cd tests
./basic --verbose

> I do not see why it tries to access algorithm # 2 even though it's
> commented out of the definition. Could it be that a DES structure

That is because tests/basic.c requires plain DES. grep for
GCRY_CIPHER_DES.



Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.


Re: Export regulations and DES-only crypto and 'Ohhhh jeeee'
On Friday, 08 August 2008 10:13:03 +0200,
Werner Koch <wk@gnupg.org> wrote:

> On Fri, 8 Aug 2008 00:31, lanas@securenet.net said:
>
> > ./configure --enable-ciphers="des"
> > make
> > make check
>
> You may just do
>
> cd tests
> ./basic --verbose
>
> > I do not see why it tries to access algorithm # 2 even though it's
> > commented out of the definition. Could it be that a DES structure
>
> That is because tests/basic.c requires plain DES. grep for
> GCRY_CIPHER_DES.

Thanks for pointing this out. Now I also comment out the 3DES component
of GCRY_CIPHER_DES in basic.c

libgcrypt-1.4.1/tests/basic.c:991
#if USE_DES
GCRY_CIPHER_DES,
/* GCRY_CIPHER_3DES, */
#endif

And I comment the following tests:

check_ciphers ();
// check_aes128_cbc_cts_cipher ();
// check_cbc_mac_cipher ();
// check_ctr_cipher ();
// check_cfb_cipher ();
// check_ofb_cipher ();
check_digests ();
check_hmac ();

And everything seems fine. Well, as far as crippled crypto is
concerned! ;-(

Bye.

