Re: port-sparc64/57472: OpenSSL broken, affects ecdsa keys in OpenSSH

To: port-sparc64-maintainer%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,logix%foobar.franken.de@localhost
Subject: Re: port-sparc64/57472: OpenSSL broken, affects ecdsa keys in OpenSSH
From: Harold Gutch <logix%foobar.franken.de@localhost>
Date: Thu, 22 Jun 2023 13:40:02 +0000 (UTC)

The following reply was made to PR port-sparc64/57472; it has been noted by GNATS.

From: Harold Gutch <logix%foobar.franken.de@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: port-sparc64/57472: OpenSSL broken, affects ecdsa keys in OpenSSH
Date: Thu, 22 Jun 2023 15:35:30 +0200

 --N/GrjenRD+RJfyz+
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline

 On Sun, Jun 18, 2023 at 10:10:02AM +0000, Martin Husemann wrote:
 >  I verified that the test works against a native openssl build (their
 >  main branch at commit 6c0ecc2bce64cc86948a51f80f832b5e48a9ebea).

 Same here, the official OpenSSL 3.0.9 release built on sparc64 works
 for me.  That was really helpful because it allowed comparing various
 states there with the crossbuilt one.

 First, OPENSSL_NO_EC_NISTP_64_GCC_128 is defined in the
 native build and setting this fixes two of the three problematic
 curves, secp224r1 and secp521r1.  That leaves prime256v1, and the key
 difference there between the native build and the cross build is:

 native build:
   sizeof(BN_ULONG) = 4
   BN_BYTES = 4

 cross build:
   sizeof(BN_ULONG) = 8
   BN_BYTES = 8

 which down the line causes various conversions from and to BIGNUM to
 fail, as the crosscompiled one byteswaps in 8 byte chunks whereas the
 native one byteswaps in 4 byte chunks.

 BN_ULONG is defined in .../dist/include/openssl/bn.h .  For a quick
 test I just patched .../dist/include/openssl/configuration.h (see the
 attached diff), but this should actually go somewhere else, probably
 also somehow in .../bsd/openssl/lib/libcrypto/arch/sparc64 .

 I'll have a look where to fit this in, but if somebody else wants to
 pick up from here, go for it!

   Harold

 --N/GrjenRD+RJfyz+
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="openssl_sparc64.diff"

 --- lib/libcrypto/arch/sparc64/ec.inc.orig	2023-05-25 17:52:29.000000000 +0200
 +++ lib/libcrypto/arch/sparc64/ec.inc	2023-06-22 15:15:53.972571594 +0200
 @@ -1,7 +1,7 @@
  .PATH.S: ${.PARSEDIR}
  EC_SRCS += \
  ecp_nistz256-sparcv9.S
 -ECCPPFLAGS+= -DECP_NISTZ256_ASM
 +ECCPPFLAGS+= -DECP_NISTZ256_ASM -DOPENSSL_NO_EC_NISTP_64_GCC_128

  ECNI = yes
  .include "../../ec.inc"
 --- include/openssl/configuration.h.orig	2023-05-11 16:36:11.000000000 +0200
 +++ include/openssl/configuration.h	2023-06-22 13:59:35.382166208 +0200
 @@ -116,6 +116,14 @@
  /*
   * The following are cipher-specific, but are part of the public API.
   */
 +#ifdef __sparc__
 +#  undef BN_LLONG
 +#  undef SIXTY_FOUR_BIT
 +#   undef SIXTY_FOUR_BIT_LONG
 +#   define THIRTY_TWO_BIT
 +# undef _LP64
 +# undef _ILP64
 +#else
  # if !defined(OPENSSL_SYS_UEFI)
  #  undef BN_LLONG
  /* Only one for the following should be defined */
 @@ -128,6 +136,7 @@
  #   define THIRTY_TWO_BIT
  #  endif
  # endif
 +#endif

  # define RC4_INT unsigned int

 --N/GrjenRD+RJfyz+--

Prev by Date: Re: bin/57456: ftp fails for https in netbsd-10 due to missing certificates
Next by Date: kern/57480: Intel and Nouveau crashing when starting X
Previous by Thread: Re: port-sparc64/57472: OpenSSL broken, affects ecdsa keys in OpenSSH
Next by Thread: Re: port-sparc64/57472: OpenSSL broken, affects ecdsa keys in OpenSSH
Indexes:

Home | Main Index | Thread Index | Old Index