Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, Andy, http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=750398acd85a7ae220d272d28a76dff7bb269c31 works around this one. Serguei, could you test if it fixes even your problem[s]? Thank you. OK, ectest passed. -- Sorry for my bests English. Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo 14.02.2013, в 12:56, Andy Polyakov via RT r...@openssl.org написал(а): Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c What bug are you talking about? There doesn't seem to be a strict aliasing warning in that file, and they use a union to get around the problem. Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] I can at least reproduce the problem with clang 3.0. Oh, that I managed to reproduce. http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=750398acd85a7ae220d272d28a76dff7bb269c31 works around this one. Serguei, could you test if it fixes even your problem[s]? PS: I think at least this patch makes sense, but doesn't change anything: --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -530,7 +530,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; - const unsigned int *bp=(const unsigned int *)buf; + const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0]; acc -= bp[7-7]; acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc = 32; The typo will be fixed as we go. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c What bug are you talking about? There doesn't seem to be a strict aliasing warning in that file, and they use a union to get around the problem. Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] I can at least reproduce the problem with clang 3.0. Oh, that I managed to reproduce. http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=750398acd85a7ae220d272d28a76dff7bb269c31 works around this one. Serguei, could you test if it fixes even your problem[s]? PS: I think at least this patch makes sense, but doesn't change anything: --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -530,7 +530,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; - const unsigned int *bp=(const unsigned int *)buf; + const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0]; acc -= bp[7-7]; acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc = 32; The typo will be fixed as we go. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, For reference. Why does it show up with no-asm? bn_nist.c is collection of functions for specific moduli, but it's perfectly possible to calculate the result using general-purpose subroutines. It was found that general-purpose *assembly* code paths deliver better performance and it was arranged so that bn_nist is not invoked in asm builds (look for #if defined(OPENSSL_BN_ASM_MONT) in crypto/ec/ec_cvt.c). If Configure invoke without no-asm flag, then bn_nist.c compiled, but function BN_nist_mod_{192,224,256,384} don't called. If Configure invoke with no-asm, OpenSSL use BN_nist_mod_{192,224,256,384} functions. Right? Yes. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, Please, reply and keep replying to r...@openssl.org, so that proceedings are kept together. Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] In other words it's at least obvious that it varies with compiler version. One can argue about where the bug is, compiler or bn_nist.c, but it's not matter of probability. Anyway as I can't reproduce the problem you'd have to assist. For reference. Why does it show up with no-asm? bn_nist.c is collection of functions for specific moduli, but it's perfectly possible to calculate the result using general-purpose subroutines. It was found that general-purpose *assembly* code paths deliver better performance and it was arranged so that bn_nist is not invoked in asm builds (look for #if defined(OPENSSL_BN_ASM_MONT) in crypto/ec/ec_cvt.c). After patch: Could you test following *instead*? In every #if defined(NIST_INT64) section you'll see a number of references to bp[something]. Can you replace them with buf.ui[samething] and run the test? Currently bp is constified buf.ui and it might give overeager compiler idea to reorder references to buf in #if defined(NIST_IN64) section and [inlined] nist_cp_bn_0 and cause the mayhem. $ diff -u ../openssl-SNAP-20130212/crypto/bn/bn_nist.c crypto/bn/bn_nist.c --- ../openssl-SNAP-20130212/crypto/bn/bn_nist.c 2013-01-11 18:13:43.0 +0400 +++ crypto/bn/bn_nist.c 2013-02-12 13:51:12.0 +0400 @@ -421,7 +421,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -701,7 +701,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -906,7 +906,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; Mac OSX compiler fail test/ectest: gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 Mac OSX compiler test/ectest OK: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 clang-mp-3.3 [clang version 3.3 (trunk 173279)] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
On Wed, Feb 13, 2013 at 12:19:19PM +0100, Andy Polyakov via RT wrote: Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c What bug are you talking about? There doesn't seem to be a strict aliasing warning in that file, and they use a union to get around the problem. Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] I can at least reproduce the problem with clang 3.0. It works without problems with gcc 4.7. Could you test following *instead*? In every #if defined(NIST_INT64) section you'll see a number of references to bp[something]. Can you replace them with buf.ui[samething] and run the test? Currently bp is constified buf.ui and it might give overeager compiler idea to reorder references to buf in #if defined(NIST_IN64) section and [inlined] nist_cp_bn_0 and cause the mayhem. That doesn't change anything. I still get: testing internal curves: ... EC_GROUP_check() failed with curve secp384r1 . EC_GROUP_check() failed with curve prime192v1 EC_GROUP_check() failed with curve prime192v2 EC_GROUP_check() failed with curve prime192v3 ... EC_GROUP_check() failed with curve prime256v1 ... failed ectest.c:1268: ABORT Kurt PS: I think at least this patch makes sense, but doesn't change anything: --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -530,7 +530,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; - const unsigned int *bp=(const unsigned int *)buf; + const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0]; acc -= bp[7-7]; acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc = 32; __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, Kurt, On Wed, Feb 13, 2013 at 12:19:19PM +0100, Andy Polyakov via RT wrote: Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c What bug are you talking about? There doesn't seem to be a strict aliasing warning in that file, and they use a union to get around the problem. Sorry, I mean about compilers bug of -fstrict-aliasing optimization. I can at least reproduce the problem with clang 3.0. It works without problems with gcc 4.7. gcc-mp-4.7 gcc-mp-4.8 not affected. But Apple Xcode compiler and MacPorts clang compilers affected (based on llvm version 3.0-3.2). Number MacPorts user report about this problem, see https://trac.macports.org/ticket/38015 PS: I think at least this patch makes sense, but doesn't change anything: - const unsigned int *bp=(const unsigned int *)buf; + const unsigned int *bp=(const unsigned int *)buf.ui; This patch inefficient. Workaround: leom:openssl-SNAP-20130212.test-x86_64 leo$ diff -u ../openssl-SNAP-20130212/crypto/bn/bn_nist.c crypto/bn/bn_nist.c --- ../openssl-SNAP-20130212/crypto/bn/bn_nist.c2013-01-11 18:13:43.0 +0400 +++ crypto/bn/bn_nist.c 2013-02-14 03:06:43.0 +0400 @@ -424,7 +424,7 @@ #if defined(NIST_INT64) { NIST_INT64 acc;/* accumulator */ - unsigned int*rp=(unsigned int *)r_d; + volatile unsigned int *rp=(unsigned int *)r_d; const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0]; acc += bp[3*2-6]; @@ -556,7 +556,7 @@ #if defined(NIST_INT64) BN_BITS2!=64 { NIST_INT64 acc;/* accumulator */ - unsigned int*rp=(unsigned int *)r_d; + volatile unsigned int *rp=(unsigned int *)r_d; const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0]; acc -= bp[7-7]; @@ -704,7 +704,7 @@ #if defined(NIST_INT64) { NIST_INT64 acc;/* accumulator */ - unsigned int*rp=(unsigned int *)r_d; + volatile unsigned int *rp=(unsigned int *)r_d; const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0];acc += bp[8-8]; @@ -909,7 +909,7 @@ #if defined(NIST_INT64) { NIST_INT64 acc;/* accumulator */ - unsigned int*rp=(unsigned int *)r_d; + volatile unsigned int *rp=(unsigned int *)r_d; const unsigned int *bp=(const unsigned int *)buf.ui; acc = rp[0];acc += bp[12-12]; -- Sorry for my bests English. Serguei E. Leontiev w:+7(495)939-2382 USSR,Moscow,Universitetskij 13 Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo 13.02.2013, в 23:23, Kurt Roeckx k...@roeckx.be написал(а): On Wed, Feb 13, 2013 at 12:19:19PM +0100, Andy Polyakov via RT wrote: Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c What bug are you talking about? There doesn't seem to be a strict aliasing warning in that file, and they use a union to get around the problem. Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] I can at least reproduce the problem with clang 3.0. It works without problems with gcc 4.7. Could you test following *instead*? In every #if defined(NIST_INT64) section you'll see a number of references to bp[something]. Can you replace them with buf.ui[samething] and run the test? Currently bp is constified buf.ui and it might give overeager compiler idea to reorder references to buf in #if defined(NIST_IN64) section and [inlined] nist_cp_bn_0 and cause the mayhem. That doesn't change anything. I still get: testing internal curves: ... EC_GROUP_check() failed with curve secp384r1 . EC_GROUP_check() failed with curve prime192v1 EC_GROUP_check() failed with curve prime192v2 EC_GROUP_check() failed with curve prime192v3 ... EC_GROUP_check() failed with curve prime256v1 ... failed ectest.c:1268: ABORT Kurt PS: I think at least this patch makes sense, but doesn't change anything: --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -530,7 +530,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, { NIST_INT64 acc;/* accumulator */ unsigned int
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, Andy, For reference. Why does it show up with no-asm? bn_nist.c is collection of functions for specific moduli, but it's perfectly possible to calculate the result using general-purpose subroutines. It was found that general-purpose *assembly* code paths deliver better performance and it was arranged so that bn_nist is not invoked in asm builds (look for #if defined(OPENSSL_BN_ASM_MONT) in crypto/ec/ec_cvt.c). If Configure invoke without no-asm flag, then bn_nist.c compiled, but function BN_nist_mod_{192,224,256,384} don't called. If Configure invoke with no-asm, OpenSSL use BN_nist_mod_{192,224,256,384} functions. Right? -- Sorry for my bests English. Serguei E. Leontiev w:+7(495)939-2382 USSR,Moscow,Universitetskij 13 Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo 13.02.2013, в 15:19, Andy Polyakov via RT r...@openssl.org написал(а): Hi, Please, reply and keep replying to r...@openssl.org, so that proceedings are kept together. Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] In other words it's at least obvious that it varies with compiler version. One can argue about where the bug is, compiler or bn_nist.c, but it's not matter of probability. Anyway as I can't reproduce the problem you'd have to assist. For reference. Why does it show up with no-asm? bn_nist.c is collection of functions for specific moduli, but it's perfectly possible to calculate the result using general-purpose subroutines. It was found that general-purpose *assembly* code paths deliver better performance and it was arranged so that bn_nist is not invoked in asm builds (look for #if defined(OPENSSL_BN_ASM_MONT) in crypto/ec/ec_cvt.c). After patch: Could you test following *instead*? In every #if defined(NIST_INT64) section you'll see a number of references to bp[something]. Can you replace them with buf.ui[samething] and run the test? Currently bp is constified buf.ui and it might give overeager compiler idea to reorder references to buf in #if defined(NIST_IN64) section and [inlined] nist_cp_bn_0 and cause the mayhem. $ diff -u ../openssl-SNAP-20130212/crypto/bn/bn_nist.c crypto/bn/bn_nist.c --- ../openssl-SNAP-20130212/crypto/bn/bn_nist.c 2013-01-11 18:13:43.0 +0400 +++ crypto/bn/bn_nist.c 2013-02-12 13:51:12.0 +0400 @@ -421,7 +421,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -701,7 +701,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -906,7 +906,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; Mac OSX compiler fail test/ectest: gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 Mac OSX compiler test/ectest OK: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 clang-mp-3.3 [clang version 3.3 (trunk 173279)] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
P.S. 64-bit test elliptic curves fail for openssl-SNAP-20130212.test-x86_64 with no-asm flag. $ ./Configure darwin64-x86_64-cc no-asm $ make depend $ make $ make test ... test elliptic curves ../util/shlib_wrap.sh ./ectest Curve defined by Weierstrass equation y^2 = x^3 + a*x + b (mod 0x17) a = 0x1 b = 0x1 A cyclic subgroup: ... long/negative scalar tests ... ok combined multiplication . ok testing internal curves: ... EC_GROUP_check() failed with curve secp384r1 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2981] BUG: 1.0.1e 64-bit C implementation ECDHE* chiphersuites incompatible with https://google.com
Hi, Probably this strict aliasing 64-bit optimization bug for crypto/bn/bn_nist.c Mac OSX compiler fail test/ectest: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 Mac OSX compiler test/ectest OK: gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.3 [clang version 3.3 (trunk 173279)] After patch: $ diff -u ../openssl-SNAP-20130212/crypto/bn/bn_nist.c crypto/bn/bn_nist.c --- ../openssl-SNAP-20130212/crypto/bn/bn_nist.c2013-01-11 18:13:43.0 +0400 +++ crypto/bn/bn_nist.c 2013-02-12 13:51:12.0 +0400 @@ -421,7 +421,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -701,7 +701,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, top - BN_NIST_256_TOP, BN_NIST_256_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; @@ -906,7 +906,7 @@ nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, top - BN_NIST_384_TOP, BN_NIST_384_TOP); -#if defined(NIST_INT64) +#if defined(NIST_INT64) (BN_BITS2!=64 || defined(NO_BUG_CLANG_GCC_64BIT)) { NIST_INT64 acc;/* accumulator */ unsigned int*rp=(unsigned int *)r_d; Mac OSX compiler fail test/ectest: gcc-mp-4.3 gcc-mp-4.4 gcc-mp-4.5 gcc-mp-4.6 Mac OSX compiler test/ectest OK: cc [Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)] gcc-apple-4.2 gcc-mp-4.7 gcc-mp-4.8 [gcc-mp-4.8 (MacPorts gcc48 4.8-20130203_0+universal) 4.8.0 20130203 (experimental)] clang-mp-2.9 clang-mp-3.0 clang-mp-3.1 clang-mp-3.2 clang-mp-3.3 [clang version 3.3 (trunk 173279)] -- Sorry for my bests English. Serguei E. Leontiev w:+7(495)939-2382 USSR,Moscow,Universitetskij 13 Sternberg Astronom. w:+7(495)780-4820 USSR,Moscow,127018,Sushchevskij val 16-5 Institute, MSU h:+7(495)318-1146 USSR,Moscow,113303,Kakhovka 6-40 m:+7(916)686-1081 SMS: http://www.mts.ru/sms http://lnfm1.sai.msu.ru/~leo 12.02.2013, в 13:21, Serguei E. Leontiev via RT r...@openssl.org написал(а): P.S. 64-bit test elliptic curves fail for openssl-SNAP-20130212.test-x86_64 with no-asm flag. $ ./Configure darwin64-x86_64-cc no-asm $ make depend $ make $ make test ... test elliptic curves ../util/shlib_wrap.sh ./ectest Curve defined by Weierstrass equation y^2 = x^3 + a*x + b (mod 0x17) a = 0x1 b = 0x1 A cyclic subgroup: ... long/negative scalar tests ... ok combined multiplication . ok testing internal curves: ... EC_GROUP_check() failed with curve secp384r1 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org