Conversation

the "open" in openssl refers to the security holes.

Elliptic Curve code without ASM is broken with Clang 14 · Issue #18225 · openssl/openssl

Hello, It looks like on Linux (x86_64), starting with Clang 14, the code for Elliptic Curves (when assembler is not enabled) is broken when compiled with optimizations (O2/O3). It is totally fine w...

1

20

74

in this case, openssl initially rejects the notion that the openssl code could have a strict aliasing violation, and instead blames clang. meanwhile, libressl and boringssl correctly fix the bug, e.g.

Remove unions in EC_SCALAR and EC_FELEM. · google/boringssl@227ff6e

When introducing EC_SCALAR and EC_FELEM, I used unions as convenience for converting to and from the byte representation. However, type-punning with unions is not allowed in C++ and hard to use cor...

1

2

22

the openssl fix, however, is entirely wrong from an ISO C point of view, and only fixes the immediate problem: github.com/openssl/openss if Clang starts applying this specific (and valid) optimization at the block level, then the code breaks again as it still invokes UB.

bn_nist: fix strict aliasing problem · openssl/openssl@d8a3b6e

As of clang-14 the strict aliasing is causing code to magically disappear. By explicitly inlining the code, the aliasing problem evaporates. Fixes #18225 Reviewed-by: Tomas Mraz

2

7

26

furthermore, this issue should have been assigned a CVE because it resulted in incorrect elliptic curve behavior in builds where assembly code was not used

1

4

19

the reason the FOSS world is stuck with OpenSSL has nothing to do with there not being capable forks to replace it, but with the fact that OpenSSL is FIPS certified, and therefore can be "white label FIPS certified". an example of this being:

Cryptographic Module Validation Program | CSRC | CSRC

Welcome to the CMVP The Cryptographic Module Validation Program (CMVP) is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian...

1

11

38

vendors such as redhat and canonical do these "white label" FIPS certifications which cost much less than doing a new FIPS certification from scratch. they then charge for FIPS as a separate SKU, and make a lot of money. that money does not improve OpenSSL, however.

2

9

26

Replying to

There's a subset of BoringSSL that's FIPS certified (boringssl.googlesource.com/boringssl/+/ma). 6th generation Pixels have a fips partition for enabling a FIPS mode where the cryptography including disk encryption is crippled by not using inline SoC encryption hardware with wrapped keys, etc.

2

2

3

Replying to

and

BoringSSL isn't used much outside Android and Chromium because it doesn't have any API / ABI stability guarantees. They improve the API and remove things that are obsolete / deprecated. Most projects can't cope with modernization. They also remove some things others may want.

9:31 PM · May 12, 2022Twitter Web App

Replying to

and

Android put in a HUGE effort to get rid of all the cryptography / TLS implementations other than BoringSSL. It implements the Java standard library, BouncyCastle, conscrypt and other APIs on top it and did that mostly transparently, so everything in the OS using BoringSSL now.

1

3

Replying to

and

I think there used to be at least 3 TLS implementations and even more cryptography libraries. Nothing like the dozens of them that are in a traditional Linux distribution. Has Fedora / RHEL ever gotten around to undoing their horrible choice to use NSS as much as they could?

2