[crypto/ec] constant time P-384 EC_METHOD#12201
[crypto/ec] constant time P-384 EC_METHOD#12201bbbrumley wants to merge 1 commit intoopenssl:masterfrom
Conversation
|
After #12096 goes in, I will have to do silliness like this: A better approach would be, inside |
Yeah, actually the This is a discussion that deserves its own issue, but my recommendation if you decide to consolidate the flags is to leave |
crypto/ec/ecp_secp384r1.c
Outdated
There was a problem hiding this comment.
@mattcaswell @levitte are there potential licensing issues to address here?
There was a problem hiding this comment.
My understanding is that the fiat code is under the MIT license. I think that if we can't get this under the Apache license, we need an OMC exception to allow this.
There was a problem hiding this comment.
There's some prior discussion on this at mit-plv/fiat-crypto#678, in particular,
given the two institutions holding copyright on this project, and that any licensing changes at this point would be rather cumbersome and come at a significant cost of dev time better spent on improving the library.
So I think it's unlikely that we'll manage a license change at this point, though if it's important, we can look into it. (If you want me to reopen mit-plv/fiat-crypto#678, leave a comment there with your concerns and I can reopen it.)
There was a problem hiding this comment.
My understanding is that the fiat code is under the MIT license. I think that if we can't get this under the Apache license, we need an OMC exception to allow this.
I agree. I think this is likely to be a significant problem. I don't recall any previous occasion where the OMC has granted such an exception. Another issue is that we require all original authors to provide a CLA. Do we actually know who all the original authors of this code are?
There was a problem hiding this comment.
I've asked the OMC about this. I'm not feeling very hopeful.
There was a problem hiding this comment.
I've gotten confirmation from @zoep that she's fine with us relicensing, so if it'd help you, we can relicense to be dual-licensed, user's choice, MIT or Apache 2.0. However, my current understanding is that MIT doesn't permit us to sign CLA's, so I don't think you'll be able to get CLAs for fiat-crypto. Given this, would you like us to relicense fiat-crypto to allow use under Apache?
There was a problem hiding this comment.
Wow! @JasonGross - that's fantastic that you're willing to relicense!! What an amazing offer. However without a solution to the CLA problem we still have an issue. Are you sure about the MIT policy? I notice several mit.edu addresses in our CLA database. Presumably you individually own the copyright on your own submissions (not MIT as an institution), so these CLAs would be individual agreements?
There was a problem hiding this comment.
Sorry for the delay in getting back. I'm not sure what's going on in the other cases; in our case, MIT owns the copyright, and this is MIT's policy on code where it owns copyright.
There was a problem hiding this comment.
Some people on the Go issue tracker (golang/go#40171 (comment)) suggested:
An alternative solution to our problem of imposing new notice requirements on every Go binary would be if the generator outputs could be licensed under a non-attribution license such as MIT-0 or a source-code-attribution-only license such as BSD-1-Clause.
Would either of these licenses allow integration of the generated code into OpenSSL without us needing to sign CLAs?
There was a problem hiding this comment.
Well there are two issues: licence and CLAs. Your offer above to relicence to Apache 2.0 solves the licence issue. The CLA issue is independent of licensing. So, unfortunately, I don't think swapping to a different licence solves it.
|
I don't really understand the latest Travis failure. How can it pass on |
The failure is happening on ARM64, I can't look into details now and I have very limited availability until Sunday. |
This is now fixed. |
|
Rebased in 80dccc62c0fb6da37326f1b35b5fc41ca79a4127 (thanks @beldmit for merging #12096). We can see the test failure now: I will start working on the fix, then I think I can take this out of WiP. |
|
Do you mean unsigned on s390x?
|
I meant unsigned on armv7 and aarch64 :) This code should rarely get compiled in on s390x. |
|
I forgot that arm was unsigned too. powerpc would be the other that's unsigned. |
bbbrumley
changed the title
|
It was not clear that you took this out of WIP. Are you waiting for a review now? I see that NSS has just released a version with P384 and P521 based on this. |
From my perspective, yea it's ready :) |
|
Also the preprint is now live. Table 2 gives some benchmarks. |
crypto/ec/ecp_secp384r1.c
Outdated
There was a problem hiding this comment.
This line looks too long for our coding style.
There was a problem hiding this comment.
I was wrapping before but @romen gave me the clang-format option to preserve this one. Which I think makes sense.
crypto/ec/ecp_secp384r1.c
Outdated
There was a problem hiding this comment.
This looks a little weird. I wonder why there is an | 0, that doesn't seem to be doing much.
I'm also not sure why all the parentheses are there. Is the order important?
There was a problem hiding this comment.
Regarding the | 0, the template definition is much simpler if we include it; see https://github.com/mit-plv/fiat-crypto/blob/37daa2d8bb34e3e0a30c7396952226407e5e19a3/src/Arithmetic/WordByWordMontgomery.v#L122-L123
And we just didn't have a rule for eliminating this previously.
I've added such a rule in mit-plv/fiat-crypto@37daa2d, so if you regenerate the file, it should drop the | 0.
As far as the parentheses, we always emit parentheses around operations because it's simpler that way; if we didn't do this, we'd have to add in (unverified) pretty-printing logic for associativity and levels of operators (and there's not a universal convention across languages, for example, for which of & and | binds more tightly).
crypto/ec/ecp_secp384r1.c
Outdated
There was a problem hiding this comment.
I'm not sure if I should look at the coding style, since this is auto generated code. But our coding style would have the { on the next line, and have an empty line before this one.
There was a problem hiding this comment.
I don't think we'll be updating fiat-crypto to allow parameterizing over coding styles. And adding an extra line before this one would be annoying, as I'd have to extend the AST with a specific "blank line" constructor, which seems much more work and overhead than it's worth. So if you do want consistent style, even with the generated code, I'd suggest running the generated code through a code reformatter.
There was a problem hiding this comment.
our coding style would have
One of the last ECCKiila passes is clang-format. If there's something particularly egregious you see in the output, I'm happy to add it as an option there if you let me know what the option is -- I'm no clang-format expert. (E.g. @romen suggested the ReflowComments: false option.)
tjh-omc
added
the
hold: license clash
|
It will be very pity if this great work is not included in the OpenSSL because of the licence clash. |
This portable code comes from [ECCKiila](https://gitlab.com/nisec/ecckiila) that uses [Fiat](https://github.com/mit-plv/fiat-crypto) for the underlying field arithmetic. Co-authored-by: Luis Rivera-Zamarripa <[email protected]> Co-authored-by: Jesús-Javier Chi-Domínguez <[email protected]>
We had an OMC meeting today and discussed this quite a bit. Ultimately the OMC decided that we cannot make an exception to our CLA rules and so, unfortunately, this PR is not going to be acceptable. This is a great shame as I can see the value that having this code would bring (and I think that sentiment was shared by the rest of the OMC). I'd encourage looking at making this code available via a third party provider. |
|
Is the current code constant-time? If no, rejecting of this PR seems like leaving a vulnerability. |
No, the current code is not constant time. IMO this PR is highly desirable and it was my impression that others in the OMC agree. However we have to balance that against conflicting requirements for CLAs. |
That's unfortunate. If you change you mind, ECCKiila is there and you can generate whatever stack you want for any curve, not just P-384. So if there's a next time, you won't need me or my PR ;) |
|
I'm just copying @mattcaswell's most recent reply in the discussion on this PR
|
10 participants
We've been experimenting with tooling (edit: now public, called ECCKiila with preprint) that generates curve-specific
EC_METHODs. The idea is you get a whole stack similar toecp_nistp224.cecp_nistp256.cecp_nistp521.c. Features includestatic
So this is just a WiP PR to solicit feedback. Also, merge #12096 then I'll rebase and we should see CI failures ;)out of WiP with e84eaffc4908f6a926ec8fec264fa14ee3bc1ccdIt is really push-button stuff so whatever curve you think is important for the lib, it takes like 2min.
P-384 isn't the best curve to showcase the value of the tool because of size and limited GF optimization options. But nevertheless, maybe it's important for the lib because it's currently a gap in FIPS coverage.
Tagging @mattcaswell @romen
Before
After
The slight regression on ECDSA verify is because we haven't really put any effort there, and also it speaks to the efficiency of the old NAF code in OpenSSL.more performance improvements in 7e10f3b