Export regulations and DES-only crypto and 'Ohhhh jeeee'

lanas lanas at securenet.net
Fri Aug 8 00:31:24 CEST 2008


Hello,

> Assuming you are in the US, that is not true.  These
> restrictions have been dropped several years ago.  Except for
> some banned countries.

It's not the US.  It's a more conservative country (regarding this)
located north of the US ;-)

>> ./configure --enable-ciphers="des rfc2268" 
>>   I've seen that if RC2 is not included, then the build fails.  It

> I doubt that.  rc2 is not different from the other ciphers.

You are right as far as I've verified the version that was used.  It
was 1.2.3 so I upgraded to 1.4.1 before doing anything else new.  The
problem was there in 1.2.3, but not in 1.4.1 now.

So now I'm using 1.4.1.

In a vague attempt at finding out the cause of the problem, I've also
added a printf() statement in:

cipher.c: 

cipher_get_keylen (int algorithm)
{
[...]
  ath_mutex_lock (&ciphers_registered_lock);
  printf("Looking for algorithm: %d\n", algorithm);
[...]
}

The above will be shown in the results below.

So now I'm doing: 

./configure --enable-ciphers="des"
make
make check

And the result is:

PASS: ac-schemes
PASS: ac-data
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
Looking for algorithm: 2
aes-cbc-cts, grcy_open_cipher failed: Invalid cipher algorithm
cbc-mac algo 7, grcy_open_cipher failed: Invalid cipher algorithm
aes-ctr, grcy_open_cipher failed: Invalid cipher algorithm
aes-cfb, grcy_open_cipher failed: Invalid cipher algorithm
aes-ofb, grcy_open_cipher failed: Invalid cipher algorithm
FAIL: basic

Further down we find the results of some tests:

            ECB             CBC             
             --------------- ---------------  etc...
Looking for algorithm: 2
3DES           140ms   150ms   150ms   160ms
Looking for algorithm: 302
DES             60ms    60ms    60ms    60ms

And of course, the error is reported at the conclusion:

PASS: benchmark
========================================
1 of 16 tests failed
Please report to bug-libgcrypt at gnupg.org
========================================

make[2]: *** [check-TESTS] Error 1
make[2]: Leaving directory
`/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
make[1]: *** [check-am] Error 2
make[1]: Leaving directory
`/data/debian386/rr1/dists/rr1/sandbox/libgcrypt11/libgcrypt11-1.4.1.rr1/tests'
make: *** [check-recursive] Error 1

So this is one problem.

Now, since I do not want 3DES, I edit cipher.c to comment it out:

../cipher/cipher.c

#if USE_DES
    { &_gcry_cipher_spec_des,        GCRY_CIPHER_DES },
    /*    { &_gcry_cipher_spec_tripledes,  GCRY_CIPHER_3DES }, */
#endif

A grep on USE_CAST5, done after the configure step below, returns:

grep -r USE_CAST5 *
cipher/cipher.c:#if USE_CAST5
config.h:/* #undef USE_CAST5 */
config.h.in:#undef USE_CAST5
configure:#define USE_CAST5 1
configure.ac:   AC_DEFINE(USE_CAST5, 1, [Defined if this module should be included])
tests/basic.c:#if USE_CAST5

And then I do:

make clean
./configure --enable-ciphers="des"
make
make check

(I probably do not need to reconfigure ...)

And then, we do not have the above error, but instead we have the Ohhh
jeee error:

PASS: ac-schemes
PASS: ac-data
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 302
Looking for algorithm: 2
Ohhhh jeeee: cipher 2 not found
/bin/sh: line 4: 24082 Aborted                 ${dir}$tst
FAIL: basic

             ECB             CBC             
             --------------- ---------------   etc...
Looking for algorithm: 302
DES             60ms    60ms    60ms    70ms 

And everything else passes OK, and one error is reported at the end at
the conclusion.

I do not see why it tries to access algorithm # 2 even though it's
commented out of the definition.  Could it be that a DES structure
implicitly makes a reference to 3DES even though it's, in this case,
not wanted?

Let me know if I can be of any help.

Many thanks for your help!

Bye.
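
A simplified model of the situation reported in the message above, added here as an illustration; it is not libgcrypt's code and not the poster's. It shows a cipher table whose rows are selected at compile time, a caller holding a fixed list of ids, and a probe-first loop that skips ids the build lacks. The struct, function names, USE_3DES switch and key lengths are assumptions; only the ids 2 (3DES) and 302 (DES) come from the output in the post.

```c
#include <stdio.h>
#include <stddef.h>

/* Ids as printed in the post's benchmark output: 3DES = 2, DES = 302. */
enum { CIPHER_3DES = 2, CIPHER_DES = 302 };
#define USE_DES  1   /* constructed: mirrors --enable-ciphers="des" */
#define USE_3DES 0   /* constructed: the 3DES table row compiled out */

struct cipher_entry { int id; const char *name; unsigned keylen_bits; };

/* Hypothetical registration table; rows vanish at compile time. */
static const struct cipher_entry cipher_table[] = {
#if USE_DES
    { CIPHER_DES, "DES", 64 },
#endif
#if USE_3DES
    { CIPHER_3DES, "3DES", 192 },
#endif
    { 0, NULL, 0 }   /* terminator */
};

/* Return the table row for id, or NULL when it was not built in. */
static const struct cipher_entry *cipher_lookup(int id)
{
    for (const struct cipher_entry *e = cipher_table; e->name; e++)
        if (e->id == id)
            return e;
    return NULL;
}

/* Probe-first loop: removing a table row does not remove callers that
   still ask for its id, so skip missing ids instead of aborting. */
static size_t run_selftests(const int *ids, size_t n, size_t *skipped)
{
    size_t ran = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        const struct cipher_entry *e = cipher_lookup(ids[i]);
        if (!e) { (*skipped)++; continue; }
        printf("test: %s (%u-bit key)\n", e->name, e->keylen_bits);
        ran++;
    }
    return ran;
}

int main(void)
{
    const int wanted[] = { CIPHER_DES, CIPHER_3DES };  /* fixed caller list */
    size_t skipped, ran = run_selftests(wanted, 2, &skipped);
    return (ran == 1 && skipped == 1) ? 0 : 1;
}
```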



