[Bug 2130576] Re: Missing ec_nistp_64_gcc_128 optimization on non-x86_64 architectures

Ravi Kant Sharma 2130576 at bugs.launchpad.net
Tue Dec 16 11:27:24 UTC 2025


Getting upstream opinion on the fix
https://github.com/openssl/openssl/pull/29417

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2130576

Title:
  Missing ec_nistp_64_gcc_128 optimization on non-x86_64 architectures

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Jammy:
  Confirmed
Status in openssl source package in Noble:
  Confirmed
Status in openssl source package in Plucky:
  Fix Released
Status in openssl source package in Questing:
  Fix Released
Status in openssl source package in Resolute:
  Fix Released

Bug description:
  Original report

  ================================================================================
  Problem Description

  Ubuntu 24.04's OpenSSL packaging currently enables the
  enable-ec_nistp_64_gcc_128 configure option only on amd64:

  ifeq ($(DEB_HOST_ARCH_CPU), amd64)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif

  However, Debian’s OpenSSL packaging (which should serve as the
  reference) enables this optimization on multiple 64-bit architectures:

  ifneq ($(filter amd64 arm64 ppc64el riscv64,$(DEB_HOST_ARCH_CPU)),)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif

  Security Impact

  This packaging discrepancy is not just a performance issue but has
  security implications:

  D(HE)at-like Attack Vector: Slow elliptic curve operations
  significantly increase the computational cost of ECDHE and ECDSA
  operations during TLS handshakes. Servers running Ubuntu 24.04 on
  aarch64, ppc64el, or riscv64 are more vulnerable to resource
  exhaustion attacks that exploit slow handshake processing.

  Asymmetric Defense: The optimization is only enabled on x86_64,
  creating an attack surface inequality across different architectures.
  This means the same server hardware type running x86_64 vs aarch64
  would have different resistance to ECDHE-based DoS attacks.

  TLS Performance: The P-256 curve is widely used in TLS, and without this optimization, handshake processing is substantially slower, making servers more susceptible to overwhelming during traffic bursts.
  ================================================================================

  [ Impact ]

   * Fix performance issue on all 64-bit architectures.

   * The upload enables enable-ec_nistp_64_gcc_128 (support for optimised
   implementations of some commonly used NIST elliptic curves) on arm64,
   ppc64el, and riscv64.

  [ Test Plan ]

   * Run `nm /usr/lib/x86_64-linux-gnu/libcrypto.a | grep EC_GFp_nistp224_method`; the symbol should be missing on arm64, ppc64el, and riscv64.
   * Run it again with the patched release; the symbol should be present.
   * Build-time test cases should pass on amd64, arm64, ppc64el, and riscv64.
   * For reference, you can run the same nm command on amd64, where the symbols were present before this patch.

  [ Where problems could occur ]

   * I can't think of a scenario where enabling this optimization will
  lead to a problem.

  [ Other Info ]

   * I am also adding a low-priority fix as part of this SRU:
   https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2107167

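The test plan's nm check hard-codes the amd64 multiarch directory (x86_64-linux-gnu); on arm64 the same library lives under aarch64-linux-gnu, on ppc64el under powerpc64le-linux-gnu, and on riscv64 under riscv64-linux-gnu. The script below is an added example (not from the bug report or the openssl package) that performs the same symbol check but derives the directory from dpkg-architecture, so one command line verifies the before/after state on every architecture the SRU touches. It assumes GNU nm from binutils, a Debian/Ubuntu multiarch layout, and that the file is saved as nistp_check.sh; the name nistp_check.sh and the function names are mine.

```shell
#!/bin/sh
# nistp_check.sh -- added example, not part of the bug report or the
# openssl package. Checks whether the installed libcrypto carries the
# ec_nistp_64_gcc_128 code by looking for the EC_GFp_nistp*_method symbols
# (the SRU test plan's nm check), but derives the multiarch library
# directory from dpkg-architecture so the same script works on amd64,
# arm64, ppc64el and riscv64. Assumes GNU nm (binutils) and a dpkg-based
# system.

# Read nm output on stdin; succeed if it *defines* one of the nistp methods.
# A 'U' line would only be an undefined reference, so only T/t/D/d count.
nistp_symbols_present() {
    grep -Eq '[[:space:]][TtDd][[:space:]]EC_GFp_nistp(224|256|521)_method$'
}

# Multiarch libcrypto.a path for the host (assumption: Debian/Ubuntu layout).
default_libcrypto() {
    echo "/usr/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libcrypto.a"
}

# Inspect one library. Exit status: 0 present, 1 absent, 2 unreadable.
check_libcrypto() {
    lib="$1"
    if [ ! -r "$lib" ]; then
        echo "unreadable: $lib" >&2
        return 2
    fi
    case "$lib" in
        *.a) syms=$(nm --defined-only "$lib" 2>/dev/null) ;;
        *)   syms=$(nm -D --defined-only "$lib" 2>/dev/null) ;;  # shared object
    esac
    if printf '%s\n' "$syms" | nistp_symbols_present; then
        echo "present: ec_nistp_64_gcc_128 symbols found in $lib"
        return 0
    fi
    echo "absent: no EC_GFp_nistp*_method in $lib"
    return 1
}

main() {
    check_libcrypto "${1:-$(default_libcrypto)}"
}

# Only run when executed as nistp_check.sh, so the file can also be sourced.
case "${0##*/}" in
    nistp_check.sh) main "$@" ;;
esac
```

Run it as `sh nistp_check.sh` (or pass an explicit path such as `libcrypto.so.3`, which is examined with `nm -D`) before and after installing the fixed package; the exit status makes it usable from CI. The symbol check only shows that the code was compiled in; to see the effect the report cares about, compare `openssl speed ecdhp256 ecdsap256` on the old and new builds of the same arm64, ppc64el or riscv64 machine.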