[openssl.org #3149] [patch] Fast and side channel protected implementation of the NIST P-256 Elliptic Curve, for x86-64 platforms
Thanks for the submission! It seems that the BN_MONT_CTX-related code (used in crypto/ecdsa for constant-time signing) is entirely independent of the remainder of the patch, and should be considered separately. Regarding your reference 'S.Gueron and V.Krasnov, Fast Prime Field Elliptic Curve Cryptography with 256 Bit Primes' for you NIST P-256 code, is that document available? (Web search only pointed me back to your patch.) I've noticed that for secret-independent constant-time memory access, your code relies on the scattering approach. However http://cryptojedi.org/peter/data/chesrump-20130822.pdf points out that apparently this doesn't actually work as intended. (Dan Bernstein's earlier references: Sections 14, 15 in http://cr.yp.to/papers.html#cachetiming; http://cr.yp.to/mac/athlon.html.) Note that in your code, OPENSSL_ia32cap_P-dependent initialization of global variables is not done in a thread-safe way. How about entirely avoiding this global state, and passing pointers down to the implementations? Your ec_p256_points_mul implementation is much worse than necessary when then input comprises many points (more precisely, more than one point other than the group generator), because you call ec_p256_windowed_mul multiple times separately and add the results. I'd suggest instead to implement this modeled on ec_GFp_nistp256_points_mul instead to benefit from interleaved left-to-right point multiplication. (This avoids the additional point-double operations from the separate point multiplication algorithm executions going through each additional scalar.) Your approach for precomputation also is different (using fewer point operations based on a larger precomputed table than the one we currently use in ec_GFp_nistp256_points_mul) -- that table size still seems appropriate, so keeping that probably makes sense. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault
On 10/23/2013 06:16 AM, Stephen Henson via RT wrote: What version of OpenSSL are you using? This was worked around in 1.0.1e due to the difficulty of changing the FIPS module. Ah, okay; I see the drbg_free_entropy functions are checking for NULL there now, which works (even though it's probably still FIPS's bad). We're using (modified) Ubuntu Precise's openssl1.0.0 (really 1.0.1) debian package, which looks to have cherry-picked security fixes from 1.0.1e (and prior), but probably didn't grab the FIPS stuff under consideration of the fact that they don't _build_ with FIPS stuff. For my curiosity, what's difficult about modifying FIPS? More involved change-vetting process? -mjc __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault
At an extremely high level, the FIPS module is validated by independent assessors and only that /exact/ version of the module is allowed to run in FIPS mode. That assessment is expensive and slow. There are other concerns too, but you should probably just read about them from the source. See http://www.openssl.org/docs/fips/fipsnotes.html Patrick Watson, CISSP Software Engineer Data Security Electronic Payment Systems NCR Retail -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Micah Cowan Sent: Wednesday, October 23, 2013 3:06 PM To: r...@openssl.org Cc: openssl-dev@openssl.org Subject: Re: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault On 10/23/2013 06:16 AM, Stephen Henson via RT wrote: What version of OpenSSL are you using? This was worked around in 1.0.1e due to the difficulty of changing the FIPS module. Ah, okay; I see the drbg_free_entropy functions are checking for NULL there now, which works (even though it's probably still FIPS's bad). We're using (modified) Ubuntu Precise's openssl1.0.0 (really 1.0.1) debian package, which looks to have cherry-picked security fixes from 1.0.1e (and prior), but probably didn't grab the FIPS stuff under consideration of the fact that they don't _build_ with FIPS stuff. For my curiosity, what's difficult about modifying FIPS? More involved change-vetting process? -mjc __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault
At an extremely high level, the FIPS module is validated by independent assessors and only that /exact/ version of the module is allowed to run in FIPS mode. That assessment is expensive and slow. There are other concerns too, but you should probably just read about them from the source. See http://www.openssl.org/docs/fips/fipsnotes.html Patrick Watson, CISSP Software Engineer Data Security Electronic Payment Systems NCR Retail -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Micah Cowan Sent: Wednesday, October 23, 2013 3:06 PM To: r...@openssl.org Cc: openssl-dev@openssl.org Subject: Re: [openssl.org #3150] Bug Report (with trivial fix): fips module segfault On 10/23/2013 06:16 AM, Stephen Henson via RT wrote: What version of OpenSSL are you using? This was worked around in 1.0.1e due to the difficulty of changing the FIPS module. Ah, okay; I see the drbg_free_entropy functions are checking for NULL there now, which works (even though it's probably still FIPS's bad). We're using (modified) Ubuntu Precise's openssl1.0.0 (really 1.0.1) debian package, which looks to have cherry-picked security fixes from 1.0.1e (and prior), but probably didn't grab the FIPS stuff under consideration of the fact that they don't _build_ with FIPS stuff. For my curiosity, what's difficult about modifying FIPS? More involved change-vetting process? -mjc __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
