[Bug 2130576] Re: Missing ec_nistp_64_gcc_128 optimization on non-x86_64 architectures

Tobias Heider 2130576 at bugs.launchpad.net
Thu Nov 6 15:27:25 UTC 2025 

Doesn't seem to be a serious security issue so I reclassified this bug
as public

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/2130576

Title:
  Missing ec_nistp_64_gcc_128 optimization on non-x86_64 architectures

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Jammy:
  Confirmed
Status in openssl source package in Noble:
  Confirmed
Status in openssl source package in Plucky:
  Fix Released
Status in openssl source package in Questing:
  Fix Released
Status in openssl source package in Resolute:
  Fix Released

Bug description:
  Problem Description

  Ubuntu 24.04’s OpenSSL packaging currently enables the enable-
  ec_nistp_64_gcc_128 configure option only on amd64:

  ifeq ($(DEB_HOST_ARCH_CPU), amd64)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif

  However, Debian’s OpenSSL packaging (which should serve as the
  reference) enables this optimization on multiple 64-bit architectures:

  ifneq ($(filter amd64 arm64 ppc64el riscv64,$(DEB_HOST_ARCH_CPU)),)
  CONFARGS += enable-ec_nistp_64_gcc_128
  endif

  Security Impact

  This packaging discrepancy is not just a performance issue but has
  security implications:

  D(HE)at-like Attack Vector: Slow elliptic curve operations
  significantly increase the computational cost of ECDHE and ECDSA
  operations during TLS handshakes. Servers running Ubuntu 24.04 on
  aarch64, ppc64el, or riscv64 are more vulnerable to resource
  exhaustion attacks that exploit slow handshake processing.

  Asymmetric Defense: The optimization is only enabled on x86_64,
  creating an attack surface inequality across different architectures.
  This means the same server hardware type running x86_64 vs aarch64
  would have different resistance to ECDHE-based DoS attacks.

  TLS Performance: The P-256 curve is widely used in TLS, and without
  this optimization, handshake processing is substantially slower,
  making servers more susceptible to overwhelming during traffic bursts.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2130576/+subscriptions

More information about the foundations-bugs mailing list