[tahoe-lafs-trac-stream] [pycryptopp] #85: disable asm
pycryptopp
trac at tahoe-lafs.org
Tue Jul 22 19:22:15 UTC 2014
#85: disable asm
---------------------------------+------------------------
 Reporter:  zooko                |          Owner:  warner
     Type:  enhancement          |         Status:  new
 Priority:  major                |      Milestone:
  Version:  0.5.29               |     Resolution:
 Keywords:  design-review-needed |  Launchpad Bug:
---------------------------------+------------------------

Comment (by zooko):
We had already agreed to disable assembly optimizations in pycryptopp,
because there seem to have been a lot of bugs in the optimized assembly
code in the past, and because the added speed really makes no difference
to our uses, as far as I know.

However, in order to explain and justify to other people (e.g. Debian
packagers) why we are doing this, and why they should consider doing the
same thing themselves, I just read through the entire history of issues in
pycryptopp and classified whether they were runtime errors (and therefore
potential security bugs) or build-time errors (therefore probably not),
and whether they would have been avoided if we had been disabling assembly
optimizations all along. Here are the results. They clearly show that we
should disable the optimized assembly! About half of all the security-
threatening bugs we've had would never have been an issue if we'd avoided
assembly from the beginning.

By the way, in my opinion the author of Crypto++, Wei Dai, is an
*exceptionally* skilled, careful, and experienced coder, and I would
assume that if Crypto++ has had this many security-threatening bugs in its
optimized assembly code, then other crypto libraries that also use
optimized assembly code have also had at least as many.

=== bugs that cause run-time failures ===

(These bugs are potential security issues.)

 * would have been avoided by DISABLE_ASM:
   - #24
   - #31
   - #45 (three *different* bugs in the assembly implementation)
   - #67
   - #84
   - #86
 * unclear if it would have been avoided if we'd used DISABLE_ASM:
   - #65
 * would not have been avoided by DISABLE_ASM:
   - #17
   - #44
   - #83
 * would not have been avoided by DISABLE_ASM (but would have been avoided
   by using cffi instead of CPython API):
   - #19
   - #70
   - #80
 * would have been avoided if we *didn't* use DISABLE_ASM! (A bug only in
   the non-ASM version!)
   - #66

=== bugs that cause deterministic build or compilation failures ===

(These bugs are *typically* not potential security issues but they can be,
and in any case they are engineering/deployment issues.)

 * would have been avoided by DISABLE_ASM:
   - #37
   - #96
 * would not have been avoided by DISABLE_ASM:
   - #22
   - #23
   - #32
   - #39
   - #62
   - #77
   - #78
--
Ticket URL: <https://tahoe-lafs.org/trac/pycryptopp/ticket/85#comment:20>
pycryptopp <https://tahoe-lafs.org/trac/pycryptopp>