From wk at gnupg.org Fri Aug 1 09:14:28 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 01 Aug 2008 09:14:28 +0200
Subject: Encrypted line changes on each run .
In-Reply-To: <489225DC.4090101@gmail.com> (Jabka Atu's message of "Thu, 31 Jul 2008 23:51:40 +0300")
References: <489225DC.4090101@gmail.com>
Message-ID: <87bq0ddx63.fsf@wheatstone.g10code.de>

On Thu, 31 Jul 2008 22:51, mashrom.head at gmail.com said:

> I wrote a small application to understand ARCFOUR use .

Just a few comments on the code:

> plain_text = ( char * ) malloc ( size_of_plain_text );
> out = ( char * ) malloc ( size_of_buffers );
> deout = ( char * ) malloc ( size_of_buffers );

Please don't cast the result of a malloc; for ages malloc returned a
void pointer which has been introduced to get rid of such casts. Note
that C and C++ are different languages.

> //Just null all
>
> for ( i = 0 ;i < size_of_buffers; i++ )
> {
> out[i] = '0';
> deout[i] = '0';
> }

  memset (out, 0, size_of_buffers);
  memset (deout, 0, size_of_buffers);

is easier to understand.

> err = gcry_cipher_open ( &handle2,
> GCRY_CIPHER_ARCFOUR,GCRY_CIPHER_MODE_STREAM,0 );
> err = gcry_cipher_open ( &handle,
> GCRY_CIPHER_ARCFOUR,GCRY_CIPHER_MODE_STREAM,0 );
>
> if ( err )

That is a severe bug - you won't catch an error from handle2. Fix is:

  err = gcry_cipher_open ( &handle2, GCRY_CIPHER_ARCFOUR,
                           GCRY_CIPHER_MODE_STREAM, 0 );
  if (!err)
    err = gcry_cipher_open ( &handle, GCRY_CIPHER_ARCFOUR,
                             GCRY_CIPHER_MODE_STREAM, 0 );
  if (err)
    {
      ....

> err = gcry_cipher_setkey ( handle , key ,256 );
> err = gcry_cipher_setkey ( handle2 , key,256 );

Same here.

> write2 ( "/tmp/encrypt",out,size_of_buffers );
> for ( i = 0 ;i < size_of_buffers; i++ )
> out[i] = '0';

Use memset for clarity.

> read2 ( "/tmp/encrypt",out,size_of_buffers );
> err = gcry_cipher_encrypt ( handle2,
> ( unsigned char * ) deout,
> size_of_buffers, ( const unsigned char * ) out,size_of_buffers );

I guess you wanted to use gcry_cipher_decrypt.

And again: Do not use Arcfour if you do not understand all the subtle
gotchas to use Arcfour in a secure way.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lanas at securenet.net Thu Aug 7 01:19:11 2008
From: lanas at securenet.net (lanas)
Date: Wed, 6 Aug 2008 19:19:11 -0400
Subject: Export regulations and DES-only crypto and 'Ohhhh jeeee'
Message-ID: <20080806191911.1fd1fa43@mistral.stie>

Hi,

Export regulations make it so that libcrypt has to be limited to
56-bit, to be included in a product. So, until there's another way of
settling this, I'm trying to use the enable-ciphers configure option
like so:

  ./configure --enable-ciphers="des rfc2268"

I've seen that if RC2 is not included, then the build fails. It looks
OK to include it as the last comment about it in the Changelog mentions
that only the 40-bit version is supported.

libgcrypt builds fine. But the make check stage bails out with:

  PASS: prime
  PASS: register
  Ohhhh jeeee: cipher 3 not found
  /bin/sh: line 4: 9483 Aborted ${dir}$tst

I don't know what the error is and how to correct it. Surely you have,
throughout the years, seen this situation where the crypto algorithms
have to be seriously trimmed down for some (stupid) regulations. Is
this the right way to do it? Anyone seen that error before in this
context?

So 'make check' reports an error. It nevertheless outputs some stats
and 3DES is present. So, in cipher.c I comment out the line with
GCRY_CIPHER_3DES in the #if USE_DES block and rebuild. Same Ohhhh jeee
error.

I'd appreciate very much any comments/hints/suggestions.

Cheers.

From wk at gnupg.org Thu Aug 7 09:00:23 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Aug 2008 09:00:23 +0200
Subject: Export regulations and DES-only crypto and 'Ohhhh jeeee'
In-Reply-To: <20080806191911.1fd1fa43@mistral.stie> (lanas@securenet.net's message of "Wed, 6 Aug 2008 19:19:11 -0400")
References: <20080806191911.1fd1fa43@mistral.stie>
Message-ID: <87fxph5myg.fsf@wheatstone.g10code.de>

On Thu, 7 Aug 2008 01:19, lanas at securenet.net said:

> Export regulations make it so that libcrypt has to be limited to
> 56-bit, to be included in a product. So, until there's another way of

Assuming you are in the US, that is not true. These restrictions have
been dropped several years ago. Except for some banned countries.

> ./configure --enable-ciphers="des rfc2268"
>
> I've seen that if RC2 is not included, then the build fails. It

I doubt that. rc2 is not different from the other ciphers.

> PASS: prime
> PASS: register
> Ohhhh jeeee: cipher 3 not found

This is CAST5. There might be a bug in the configure code. Check
whether USE_CAST5 is defined in config.h - it should not be defined
with your configure options. Best would be to

  grep USE_ config.h

to see what features are actually included.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lanas at securenet.net Fri Aug 8 00:31:24 2008
From: lanas at securenet.net (lanas)
Date: Thu, 7 Aug 2008 18:31:24 -0400
Subject: Export regulations and DES-only crypto and 'Ohhhh jeeee'
Message-ID: <20080807183124.602ed9c3@mistral.stie>

Hello,

> Assuming you are in the US, that is not true. These
> restrictions have been dropped several years ago. Except for
> some banned countries.

It's not the US. It's a more conservative country (regarding this)
located north of the US ;-)

>> ./configure --enable-ciphers="des rfc2268"
>> I've seen that if RC2 is not included, then the build fails. It

> I doubt that. rc2 is not different from the other ciphers.

You are right as far as I've verified the version that was used. It
was 1.2.3 so I upgraded to 1.4.1 before doing anything else new. The
problem was there in 1.2.3, but not in 1.4.1 now. So now I'm using
1.4.1.

In a vague attempt at finding out the cause of the problem, I've also
added a printf() statement in:

  cipher.c:

  cipher_get_keylen (int algorithm)
  {
    [...]
    ath_mutex_lock (&ciphers_registered_lock);
    printf("Looking for algorithm: %d\n", algorithm);
    [...]
  }

The above will be shown in the results below.

So now I'm doing:

  ./configure --enable-ciphers="des"
  make
  make check

And the result is:

  PASS: ac-schemes
  PASS: ac-data
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 2
  Looking for algorithm: 2
  Looking for algorithm: 2
  Looking for algorithm: 2
  Looking for algorithm: 2
  Looking for algorithm: 2
  aes-cbc-cts, grcy_open_cipher failed: Invalid cipher algorithm
  cbc-mac algo 7, grcy_open_cipher failed: Invalid cipher algorithm
  aes-ctr, grcy_open_cipher failed: Invalid cipher algorithm
  aes-cfb, grcy_open_cipher failed: Invalid cipher algorithm
  aes-ofb, grcy_open_cipher failed: Invalid cipher algorithm
  FAIL: basic

Further down we find the results of some tests:

  ECB CBC
  --------------- ---------------
  etc...
  Looking for algorithm: 2
  3DES 140ms 150ms 150ms 160ms
  Looking for algorithm: 302
  DES 60ms 60ms 60ms 60ms

And of course, the error is reported at the conclusion:

  PASS: benchmark
  ========================================
  1 of 16 tests failed
  Please report to bug-libgcrypt at gnupg.org
  ========================================
  make[2]: *** [check-TESTS] Error 1
  make[2]: Leaving directory `/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
  make[1]: *** [check-am] Error 2
  make[1]: Leaving directory `/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
  make: *** [check-recursive] Error 1

So this is one problem.

Now, since I do not want 3DES, I edit cipher.c to comment it out:

  ../cipher/cipher.c

  #if USE_DES
      { &_gcry_cipher_spec_des, GCRY_CIPHER_DES },
  /*  { &_gcry_cipher_spec_tripledes, GCRY_CIPHER_3DES }, */
  #endif

A grep on USE_CAST5, done after the configure step below, returns:

  grep -r USE_CAST5 *
  cipher/cipher.c:#if USE_CAST5
  config.h:/* #undef USE_CAST5 */
  config.h.in:#undef USE_CAST5
  configure:#define USE_CAST5 1
  configure.ac: AC_DEFINE(USE_CAST5, 1, [Defined if this module should be included])
  tests/basic.c:#if USE_CAST5

And then I do:

  make clean
  ./configure --enable-ciphers="des"
  make
  make check

(I probably do not need to reconfigure ...)

And then, we do not have the above error, but instead we have the Ohhh
jeee error:

  PASS: ac-schemes
  PASS: ac-data
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 302
  Looking for algorithm: 2
  Ohhhh jeeee: cipher 2 not found
  /bin/sh: line 4: 24082 Aborted ${dir}$tst
  FAIL: basic

  ECB CBC
  --------------- ---------------
  etc...
  Looking for algorithm: 302
  DES 60ms 60ms 60ms 70ms

And everything else passes OK, and one error is reported at the end at
the conclusion.

I do not see why it tries to access algorithm # 2 even though it's
commented out of the definition.
Could it be that a DES structure implicitly makes a reference to 3DES
even though it's, in this case, not wanted?

Let me know if I can be of any help.

Many thanks for your help!

Bye.

From wk at gnupg.org Fri Aug 8 10:13:03 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 08 Aug 2008 10:13:03 +0200
Subject: Export regulations and DES-only crypto and 'Ohhhh jeeee'
In-Reply-To: <20080807183124.602ed9c3@mistral.stie> (lanas@securenet.net's message of "Thu, 7 Aug 2008 18:31:24 -0400")
References: <20080807183124.602ed9c3@mistral.stie>
Message-ID: <87tzdvylf4.fsf@wheatstone.g10code.de>

On Fri, 8 Aug 2008 00:31, lanas at securenet.net said:

> ./configure --enable-ciphers="des"
> make
> make check

You may just do

  cd tests
  ./basic --verbose

> I do not see why it tries to access algorithm # 2 even though it's
> commented out of the definition. Could it be that a DES structure

That is because tests/basic.c requires plain DES. grep for
GCRY_CIPHER_DES.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lanas at securenet.net Tue Aug 12 00:58:37 2008
From: lanas at securenet.net (lanas)
Date: Mon, 11 Aug 2008 18:58:37 -0400
Subject: Export regulations and DES-only crypto and 'Ohhhh jeeee'
In-Reply-To: <87tzdvylf4.fsf@wheatstone.g10code.de>
References: <20080807183124.602ed9c3@mistral.stie> <87tzdvylf4.fsf@wheatstone.g10code.de>
Message-ID: <20080811185837.634da43b@mistral.stie>

On Friday, 08 August 2008 10:13:03 +0200, Werner Koch wrote:

> On Fri, 8 Aug 2008 00:31, lanas at securenet.net said:
>
> > ./configure --enable-ciphers="des"
> > make
> > make check
>
> You may just do
>
> cd tests
> ./basic --verbose
>
> > I do not see why it tries to access algorithm # 2 even though it's
> > commented out of the definition. Could it be that a DES structure
>
> That is because tests/basic.c requires plain DES. grep for
> GCRY_CIPHER_DES.

Thanks for pointing this out.

Now I also comment out the 3DES component of GCRY_CIPHER_DES in
basic.c

  libgcrypt-1.4.1/tests/basic.c:991

  #if USE_DES
      GCRY_CIPHER_DES,
  /*  GCRY_CIPHER_3DES, */
  #endif

And I comment out the following tests:

  check_ciphers ();
  // check_aes128_cbc_cts_cipher ();
  // check_cbc_mac_cipher ();
  // check_ctr_cipher ();
  // check_cfb_cipher ();
  // check_ofb_cipher ();
  check_digests ();
  check_hmac ();

And everything seems fine. Well, as far as crippled crypto is
concerned ! ;-(

Bye.
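
Added example, not part of the original thread and not libgcrypt code: the advice earlier in the thread is to grep USE_ in config.h to see which features a configured tree really includes. The script below turns that into a check against an allow-list; the function names and the sample config.h content are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the USE_* feature macros of a configured source tree.

# Print the USE_* macros that are actively defined, one per line.
# "/* #undef USE_CAST5 */" marks a disabled feature and is skipped, as is
# a macro defined to 0 (cipher.c tests them with "#if USE_...").
enabled_features() {
    awk '$1 == "#define" && $2 ~ /^USE_[A-Z0-9_]+$/ && $3 != "0" { print $2 }' "$1" |
        sort -u
}

# Print enabled USE_* macros missing from the space-separated allow-list.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
unexpected_features() {
    allowed=" $2 "
    bad=""
    for f in $(enabled_features "$1"); do
        case "$allowed" in
            *" $f "*) ;;
            *) bad="$bad $f" ;;
        esac
    done
    bad=${bad# }
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample in the style of an autoconf-generated config.h.
write_sample_config() {
    cat > "$1" <<'EOF'
/* #undef USE_AES */
/* #undef USE_CAST5 */
#define USE_DES 1
#define USE_RFC2268 1
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
if extra=$(unexpected_features "$sample" "USE_DES"); then
    echo "only allow-listed features are enabled"
else
    echo "enabled but not allow-listed: $extra"
fi
rm -f "$sample"
```

On a real tree the allow-list must also name the digest and public-key USE_* macros the product is meant to ship, since config.h uses the same prefix for them.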