Opened 6 years ago

Closed 5 years ago

#10383 closed defect (fixed)

TBB 3.5's OpenSSL was not built with NIST P224 and P256 curve support

Reported by: isis
Owned by: isis
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: easy, gitian, MikePerry201403R
Cc: isis, mikeperry, gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When launching a freshly unzipped TBB-3.5-rc1 (only build 1, I think), and configuring a bridge in the TorLauncher first run dialogue, I get the following log message from tor:

Dec 13 00:42:38.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL
 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated
 support for the NIST P-224 and P-256 groups. Building openssl with such support
 (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make
 ECDH much faster.

Attachments (1)

build.log (470.8 KB) - added by mikeperry 6 years ago.
build failure log for openssl with enable-ec_nistp_64_gcc_128

Change History (13)

comment:1 Changed 6 years ago by isis

Cc: mikeperry added
Owner: changed from mikeperry to isis
Status: changed from new to assigned

comment:2 Changed 6 years ago by isis

Status: changed from assigned to needs_review

This is fixed in my branch fix/10383-openssl-nistp-build-flags.

It's here on GitHub, or here on my personal git server (you can't pull from the second one, not even over HTTPS, unless I already have your SSH key, sorry).

comment:3 Changed 6 years ago by nickm

FWIW, the subject line is mildly inaccurate. These curves are supported by default: that message just means that they aren't accelerated by default.

comment:4 Changed 6 years ago by mikeperry

Resolution: fixed
Status: changed from needs_review to closed

Merged. All hail the NSA! We can totally trust their crypto primitives, right?

Out of curiosity, does anyone have any idea if the accelerated versions of the curves are any more or less safe against sidechannel/implementation issues than the default versions? Did agl write both versions?

Changed 6 years ago by mikeperry

Attachment: build.log added

build failure log for openssl with enable-ec_nistp_64_gcc_128

comment:5 Changed 6 years ago by mikeperry

Resolution: fixed
Status: changed from closed to reopened

Sadly this failed. It appears that the configure option is enable-ec_nistp_64_gcc_128, not --enable-ec_nistp_64_gcc_128. However, the problems go beyond that. The Linux tor build fails on the inline assembly. Possibly the gcc on Ubuntu 10.04 LTS is too old for this code?

I attached the build log if anyone wants to dig deeper.

comment:6 Changed 6 years ago by mikeperry

Status: changed from reopened to needs_revision

comment:7 Changed 6 years ago by gk

Cc: gk added

comment:8 Changed 6 years ago by cypherpunks

In my experience this only works in a linux64 environment: it fails as reported in the attached log if the build platform is linux32.

comment:9 in reply to:  4 Changed 6 years ago by nickm

Replying to mikeperry:

Out of curiosity, does anyone have any idea if the accelerated versions of the curves are any more or less safe against sidechannel/implementation issues than the default versions?

The accelerated versions should have better side-channel resistance.

comment:10 in reply to:  8 ; Changed 6 years ago by nickm

Replying to cypherpunks:

In my experience this only works in a linux64 environment: it fails as reported in the attached log if the build platform is linux32.

Well, that would explain it. The "64" in these options means that they only work on X86_64 (aka AMD64).

comment:11 in reply to:  10 Changed 6 years ago by mikeperry

Keywords: MikePerry201403R added

Replying to nickm:

Replying to cypherpunks:

In my experience this only works in a linux64 environment: it fails as reported in the attached log if the build platform is linux32.

Well, that would explain it. The "64" in these options means that they only work on X86_64 (aka AMD64).

Ok, I think we should be able to tweak this to only apply on 64-bit targets easily enough. I will see if I can apply this patch with a conditional that checks for target bitwidth and get it to work.

comment:12 Changed 5 years ago by mikeperry

Resolution: fixed
Status: changed from needs_revision to closed

Ok, I pushed a conditional fix to the Linux descriptor. Should appear in the next nightly and the next TBB release.
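
Added example (not part of this ticket or of the Tor Browser build descriptors): one way to write the target-bitwidth conditional discussed in comment:11 and comment:12 in shell, then check a generated opensslconf.h for whether the accelerated code was compiled out. The function names, the bit-width argument and the sample header text are constructed for illustration; the check assumes OpenSSL 1.0.x defines OPENSSL_NO_EC_NISTP_64_GCC_128 in opensslconf.h when the option is not enabled.

```shell
#!/bin/sh
# Added example; names below are hypothetical, not from the gitian descriptor.

# The option is passed without a leading "--" (see comment:5).
NISTP_OPT="enable-ec_nistp_64_gcc_128"

# Print the extra OpenSSL configure option for a target bit width.
# 64 -> the acceleration option, 32 -> nothing. Any other value is an
# error, so a typo fails the build instead of silently dropping the option.
openssl_nistp_opt() {
    case "$1" in
        64) printf '%s\n' "$NISTP_OPT" ;;
        32) : ;;
        *)  echo "unknown target bit width: '$1'" >&2; return 2 ;;
    esac
}

# Read a generated opensslconf.h on stdin.
# Returns 0 if the accelerated P-224/P-256 code is compiled in,
# 1 if the header defines OPENSSL_NO_EC_NISTP_64_GCC_128.
nistp_accel_enabled() {
    ! grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_NO_EC_NISTP_64_GCC_128([[:space:]]|$)'
}

# Constructed header fragments (not taken from a real build).
SAMPLE_DEFAULT_CONF='#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif'
SAMPLE_ACCEL_CONF='#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif'

# Show the configure line each target would get.
for bits in 32 64; do
    echo "linux$bits: ./config $(openssl_nistp_opt "$bits")"
done

# Show what the post-build check reports for each sample header.
for name in DEFAULT ACCEL; do
    eval "conf=\$SAMPLE_${name}_CONF"
    if printf '%s\n' "$conf" | nistp_accel_enabled; then
        echo "$name: accelerated NIST P-224/P-256 compiled in"
    else
        echo "$name: accelerated NIST P-224/P-256 compiled out"
    fi
done
```

Running the header check after the OpenSSL build step catches a descriptor that dropped the option before tor logs the notice at runtime.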