** Description changed:

+ Original report
+ 
+ 
================================================================================
  Problem Description
  
  Ubuntu 24.04’s OpenSSL packaging currently enables the enable-
  ec_nistp_64_gcc_128 configure option only on amd64:
  
  ifeq ($(DEB_HOST_ARCH_CPU), amd64)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif
  
  However, Debian’s OpenSSL packaging (which should serve as the
  reference) enables this optimization on multiple 64-bit architectures:
  
  ifneq ($(filter amd64 arm64 ppc64el riscv64,$(DEB_HOST_ARCH_CPU)),)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif
  
  Security Impact
  
  This packaging discrepancy is not just a performance issue but has
  security implications:
  
  D(HE)at-like Attack Vector: Slow elliptic curve operations significantly
  increase the computational cost of ECDHE and ECDSA operations during TLS
  handshakes. Servers running Ubuntu 24.04 on aarch64, ppc64el, or riscv64
  are more vulnerable to resource exhaustion attacks that exploit slow
  handshake processing.
  
  Asymmetric Defense: The optimization is only enabled on x86_64, creating
  an attack surface inequality across different architectures. This means
  the same server hardware type running x86_64 vs aarch64 would have
  different resistance to ECDHE-based DoS attacks.
  
- TLS Performance: The P-256 curve is widely used in TLS, and without this
- optimization, handshake processing is substantially slower, making
- servers more susceptible to overwhelming during traffic bursts.
+ TLS Performance: The P-256 curve is widely used in TLS, and without this 
optimization, handshake processing is substantially slower, making servers more 
susceptible to overwhelming during traffic bursts.
+ 
================================================================================
+ 
+ [ Impact ]
+ 
+  * Fix performance issue on all 64-bit architectures.
+ 
+  * The upload enables enable-ec_nistp_64_gcc_128 (support for optimised 
implementations of some commonly used NIST                                      
                                                                            
+  682 elliptic curves) on arm64, ppc64el, and riscv64.
+ 
+ [ Test Plan ]
+ 
+  * run `nm /usr/lib/x86_64-linux-gnu/libcrypto.a | grep 
EC_GFp_nistp224_method`, the symbol should be missing on arm64, ppc64el, and 
riscv64.
+  * run it again with patched release, the symbol should be present.
+  * Build time test cases should pass on amd64, arm64, ppc64el, and riscv64.
+  
+ [ Where problems could occur ]
+ 
+  * I can't think of a scenario where enabling this optimization will
+ lead to a problem.
+ 
+ [ Other Info ]
+ 
+  * I am also adding a low prio fix as part of this SRU.
+ https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107167
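Review bot: the Test Plan step `nm /usr/lib/x86_64-linux-gnu/libcrypto.a | grep EC_GFp_nistp224_method` hard-codes the amd64 multiarch directory, although the check is meant to run on arm64, ppc64el and riscv64. On those hosts that path does not normally exist, so the "symbol missing" result would look the same before and after the patched release. Suggest using the host's own multiarch directory, for example `/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libcrypto.a`, and noting that libssl-dev has to be installed for the static archive to be present.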

** Description changed:

  Original report
  
  
================================================================================
  Problem Description
  
  Ubuntu 24.04’s OpenSSL packaging currently enables the enable-
  ec_nistp_64_gcc_128 configure option only on amd64:
  
  ifeq ($(DEB_HOST_ARCH_CPU), amd64)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif
  
  However, Debian’s OpenSSL packaging (which should serve as the
  reference) enables this optimization on multiple 64-bit architectures:
  
  ifneq ($(filter amd64 arm64 ppc64el riscv64,$(DEB_HOST_ARCH_CPU)),)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif
  
  Security Impact
  
  This packaging discrepancy is not just a performance issue but has
  security implications:
  
  D(HE)at-like Attack Vector: Slow elliptic curve operations significantly
  increase the computational cost of ECDHE and ECDSA operations during TLS
  handshakes. Servers running Ubuntu 24.04 on aarch64, ppc64el, or riscv64
  are more vulnerable to resource exhaustion attacks that exploit slow
  handshake processing.
  
  Asymmetric Defense: The optimization is only enabled on x86_64, creating
  an attack surface inequality across different architectures. This means
  the same server hardware type running x86_64 vs aarch64 would have
  different resistance to ECDHE-based DoS attacks.
  
  TLS Performance: The P-256 curve is widely used in TLS, and without this 
optimization, handshake processing is substantially slower, making servers more 
susceptible to overwhelming during traffic bursts.
  
================================================================================
  
  [ Impact ]
  
-  * Fix performance issue on all 64-bit architectures.
+  * Fix performance issue on all 64-bit architectures.
  
-  * The upload enables enable-ec_nistp_64_gcc_128 (support for optimised 
implementations of some commonly used NIST                                      
                                                                            
-  682 elliptic curves) on arm64, ppc64el, and riscv64.
+  * The upload enables enable-ec_nistp_64_gcc_128 (support for optimised 
implementations of some commonly used NIST
+  elliptic curves) on arm64, ppc64el, and riscv64.
  
  [ Test Plan ]
  
-  * run `nm /usr/lib/x86_64-linux-gnu/libcrypto.a | grep 
EC_GFp_nistp224_method`, the symbol should be missing on arm64, ppc64el, and 
riscv64.
-  * run it again with patched release, the symbol should be present.
-  * Build time test cases should pass on amd64, arm64, ppc64el, and riscv64.
-  
+  * run `nm /usr/lib/x86_64-linux-gnu/libcrypto.a | grep 
EC_GFp_nistp224_method`, the symbol should be missing on arm64, ppc64el, and 
riscv64.
+  * run it again with patched release, the symbol should be present.
+  * Build time test cases should pass on amd64, arm64, ppc64el, and riscv64.
+ 
  [ Where problems could occur ]
  
-  * I can't think of a scenario where enabling this optimization will
+  * I can't think of a scenario where enabling this optimization will
  lead to a problem.
  
  [ Other Info ]
  
-  * I am also adding a low prio fix as part of this SRU.
+  * I am also adding a low prio fix as part of this SRU.
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107167
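Review bot: the "Where problems could occur" entry names no regression area, which leaves testers nothing specific to watch for. The Impact section says the upload switches arm64, ppc64el and riscv64 to optimised implementations of some commonly used NIST elliptic curves, so a regression would surface in EC operations on those curves on those three architectures. Suggest stating that and pointing at the build-time test cases from the Test Plan as the coverage for it.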

https://bugs.launchpad.net/bugs/2130576

Title:
  Missing ec_nistp_64_gcc_128 optimization on non-x86_64 architectures
