Bug 1164210

Summary:	Set enable-ec_nistp_64_gcc_128?
Product:	[Fedora] Fedora	Reporter:	Federico Leva <federicoleva>
Component:	openssl	Assignee:	Tomas Mraz <tmraz>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	dblack, fedora, hkario, shigorin, tmraz, tomek
Target Milestone:	---	Keywords:	FutureFeature
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	openssl-1.0.2e-1.fc23	Doc Type:	Enhancement
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2015-12-06 19:19:11 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Federico Leva 2014-11-14 11:06:49 UTC

I'm running a tor exit node and it works correctly, however:

Nov 14 11:59:12.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.

See http://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options , maybe it's useful.

$ rpm -qa | grep -E '^(tor|openssl)'
openssl-devel-1.0.1e-40.fc20.x86_64
tor-0.2.4.25-1.fc20.x86_64
openssl-libs-1.0.1e-40.fc20.x86_64
tor-arm-1.4.5.0-6.fc20.noarch
openssl-1.0.1e-40.fc20.x86_64
torsocks-1.3-2.fc20.x86_64
openssl-libs-1.0.1e-40.fc20.i686

Comment 1 Tomas Mraz 2014-11-14 11:12:27 UTC

We do not support NIST P-224 at all due to legal reasons.

Comment 2 Michael Shigorin 2015-01-05 07:59:50 UTC

"Legal" as in certification issues, not swpats this time?

Comment 3 David Black 2015-08-13 12:04:21 UTC

Is the legal reason for not supporting NIST P-224 still in effect ?
If so is it specifically to do with NIST P-224 or to do with the code path enabled by compiling with enable-ec_nistp_64_gcc_128 ?

Regardless debian, ubuntu and a fair amount of other distributions compile with enable-ec_nistp_64_gcc_128 on at least amd64 by default. According to Adam Langley - 

> Bodo Moeller (from the OpenSSL core team, bodo AT openssl DOT org) had this to say when I asked him about this:

> "The main (or maybe only) reason this is not enabled automatically is that the 
>OpenSSL configure script is not clever enough to detect whether the compiler
>supports __uint128_t. If you can use this code, it is superior to the default in
> multiple regards (speed, and also security as the new implementations are secure against timing attacks)."
(https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1018522)

Comment 4 Alicja Kario 2015-11-02 12:25:19 UTC

While enabling P-224 is not really a good idea (it's weak and generally unused on the Internet). I don't see why we shouldn't be enabling faster implementation for P-256 and P-521.

Comment 5 Fedora Update System 2015-12-04 16:12:16 UTC

openssl-1.0.2e-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-605de37b7f

Comment 6 Fedora Update System 2015-12-06 17:21:06 UTC

openssl-1.0.2e-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update openssl'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-605de37b7f

Comment 7 Fedora Update System 2015-12-06 19:18:35 UTC

openssl-1.0.2e-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.