📅 Original date posted:2015-08-18
📝 Original message:Back to the list (from github) in case anyone finds this via Google.
The patch that I posted here a few days ago did not fix the issue for Tamas.
I spent some time tracking down this edge-case because
libbitcoinconsensus needs to be as bullet-proof as possible. Thanks to
Tamas for creating a bare-bones test case after some discussion.
I finally managed to reproduce the issue on OSX. It's subtle and
likely rare in the real-world, though obviously not impossible given
the report here. For posterity, here's a rundown (braindump) of the
issue.
When calling EC_KEY_new_by_curve_name(), openssl internally checks to
see how to setup the curve's EC_METHOD (simple, montgomery, or nist).
Unfortunately, in all released OpenSSL versions (as far as I can tell
master is the only branch that has fixed this issue), it's tested like
so:
- Try a method. If it fails, set a global error and return.
- If the global error is set, try a different method.
Prior to OpenSSL 1.0.0, these were tested in the order:
EC_GFp_nist_method -> EC_GFp_mont_method. The secp256k1 curve fails
the ec_GFp_nist_group_set_curve test and sets the global error. That
error is then checked for failure, and EC_GFp_mont_method is tried
(and succeeds).
Obviously that global error usage is dangerous, especially since it
happens for _each_ transaction verification in libbitcoinconsensus. In
a multi-threaded environment, a crash is guaranteed within a few
seconds.
However, OpenSSL 1.0.1 reversed the order, trying EC_GFp_mont_method
first, so that the global error doesn't end up being used:
https://github.com/openssl/openssl/commit/17674bfdf75bffa4e225f8328b9d42cb74504005
This was backported from master back to 1.0.1, but not to 1.0.0 or 0.9.8.
So that change (accidentally) "solved" the problem. As you can see,
it's still possible to hit the reversed order in the
!defined(OPENSSL_BN_ASM_MONT) case. That's easily tested by building
OpenSSL with the -no-asm config option. It's probably also the case
for obscure architectures and OSs, but I haven't looked deeply into
that. In that case, it's reasonable to assume that this crash would
likely occur on such platforms.
Also, OSX, even the latest version (10.10 as of now), still ships with
OpenSSL 0.9.8. Which is how Tamas ran into it.
Since Bitcoin Core and libbitcoinconsensus are switching away from
OpenSSL for verification in the near future, I don't think this is
much of an issue. Especially since the problem manifests as a
controlled assertion failure/abort. However, I've prepared a patch for
anyone who may run into the issue in the short-term:
https://github.com/theuni/bitcoin/commit/adf0a691ee1c2f02e26828f976cfe5b78896b507
I'll open a pull-request for Bitcoin Core to discuss whether it's
worth merging or not.
Regards,
Cory
On Fri, Aug 14, 2015 at 5:10 PM, Cory Fields <lists at coryfields.com> wrote:
> Ugh, what an unfortunate oversight!
>
> The good news is that this issue should be solved in future versions
> when we switch to the new libsecp256k1 lib for validation.
>
> For now, I've thrown together a quick hack to allow a user-specifiable
> callback for libbitcoinconsensus. I think it's not worth messing with
> the official API since it will be fixed soon, but rather hacked in as
> a temporary work-around as needed. It _should_ be documented as an
> issue with the current version, though.
>
> Please see here for a work-around to try:
> https://github.com/theuni/bitcoin/commits/openssl-consensus-threads
> Unfortunately it's not pretty, but it works fine here. Note that you
> should give this some _serious_ testing before deploying in any real
> way. It should mimic the way we do it in Core, though.
>
> That's on top of current master, but it should be trivial to apply to
> release tags.
>
> Please let me know how it works out.
>
> Regards,
> Cory
>
> On Fri, Aug 14, 2015 at 12:37 PM, Tamas Blummer via bitcoin-dev
> <bitcoin-dev at lists.linuxfoundation.org> wrote:
>> We integrated libconsensus into bits of proof. It works well, in-line for all test cases with our Java engine and is about 50% faster on a single thread.
>>
>> The performance advantage unfortunatelly reverses if libconsensus is executed on several threads simultaneously as we do with the Java engine, since an error:
>>
>> Assertion failed: (pkey != NULL), function CECKey, file ecwrapper.cpp, line 96.
>>
>> arises under that stress.
>>
>> I guess that the cause is that thread callbacks as advised for OpenSSL on https://www.openssl.org/docs/crypto/threads.html are not registered.
>> Registering those however would require access to OpenSSL functions, not exported from the lib.
>>
>> I’d be thankful for a pointer to a workaround.
>>
>> Tamas Blummer
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev at lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
Cory Fields [ARCHIVE] /
npub19r…yj32s
2023-06-07 15:46:59
in reply to nevent1q…x04j
Author Public Key
npub19r53ufymeycp9wzk3yzru55y5u46e4vva2lj7nak4zrn6yhrna7qsyj32sSeen on
wss://relay.nostr.bandPublished at
2023-06-07 15:46:59Event JSON
{
"id": "ff456fe12eaae0cd271ac19a9b3cd55c99027068caee73df46c2492afb87c9a2",
"pubkey": "28e91e249bc93012b85689043e5284a72bacd58ceabf2f4fb6a8873d12e39f7c",
"created_at": 1686152819,
"kind": 1,
"tags": [
[
"e",
"f9cdbcb2f8408a8617a32357a9cd9ec7781e0a2acb315808f6e58178dd97a111",
"",
"root"
],
[
"e",
"dd45a0d2164faf3b73610c057ad045253d55e8341202a19bd21195820d3305d2",
"",
"reply"
],
[
"p",
"28e91e249bc93012b85689043e5284a72bacd58ceabf2f4fb6a8873d12e39f7c"
]
],
"content": "📅 Original date posted:2015-08-18\n📝 Original message:Back to the list (from github) in case anyone finds this via Google.\n\nThe patch that I posted here a few days ago did not fix the issue for Tamas.\n\nI spent some time tracking down this edge-case because\nlibbitcoinconsensus needs to be as bullet-proof as possible. Thanks to\nTamas for creating a bare-bones test case after some discussion.\n\nI finally managed to reproduce the issue on OSX. It's subtle and\nlikely rare in the real-world, though obviously not impossible given\nthe report here. For posterity, here's a rundown (braindump) of the\nissue.\n\nWhen calling EC_KEY_new_by_curve_name(), openssl internally checks to\nsee how to setup the curve's EC_METHOD (simple, montgomery, or nist).\n\nUnfortunately, in all released OpenSSL versions (as far as I can tell\nmaster is the only branch that has fixed this issue), it's tested like\nso:\n\n- Try a method. If it fails, set a global error and return.\n- If the global error is set, try a different method.\n\nPrior to OpenSSL 1.0.0, these were tested in the order:\nEC_GFp_nist_method -\u003e EC_GFp_mont_method. The secp256k1 curve fails\nthe ec_GFp_nist_group_set_curve test and sets the global error. That\nerror is then checked for failure, and EC_GFp_mont_method is tried\n(and succeeds).\n\nObviously that global error usage is dangerous, especially since it\nhappens for _each_ transaction verification in libbitcoinconsensus. In\na multi-threaded environment, a crash is guaranteed within a few\nseconds.\n\nHowever, OpenSSL 1.0.1 reversed the order, trying EC_GFp_mont_method\nfirst, so that the global error doesn't end up being used:\nhttps://github.com/openssl/openssl/commit/17674bfdf75bffa4e225f8328b9d42cb74504005\n\nThis was backported from master back to 1.0.1, but not to 1.0.0 or 0.9.8.\n\nSo that change (accidentally) \"solved\" the problem. As you can see,\nit's still possible to hit the reversed order in the\n!defined(OPENSSL_BN_ASM_MONT) case. That's easily tested by building\nOpenSSL with the -no-asm config option. It's probably also the case\nfor obscure architectures and OSs, but I haven't looked deeply into\nthat. In that case, it's reasonable to assume that this crash would\nlikely occur on such platforms.\n\nAlso, OSX, even the latest version (10.10 as of now), still ships with\nOpenSSL 0.9.8. Which is how Tamas ran into it.\n\nSince Bitcoin Core and libbitcoinconsensus are switching away from\nOpenSSL for verification in the near future, I don't think this is\nmuch of an issue. Especially since the problem manifests as a\ncontrolled assertion failure/abort. However, I've prepared a patch for\nanyone who may run into the issue in the short-term:\nhttps://github.com/theuni/bitcoin/commit/adf0a691ee1c2f02e26828f976cfe5b78896b507\n\nI'll open a pull-request for Bitcoin Core to discuss whether it's\nworth merging or not.\n\nRegards,\nCory\n\nOn Fri, Aug 14, 2015 at 5:10 PM, Cory Fields \u003clists at coryfields.com\u003e wrote:\n\u003e Ugh, what an unfortunate oversight!\n\u003e\n\u003e The good news is that this issue should be solved in future versions\n\u003e when we switch to the new libsecp256k1 lib for validation.\n\u003e\n\u003e For now, I've thrown together a quick hack to allow a user-specifiable\n\u003e callback for libbitcoinconsensus. I think it's not worth messing with\n\u003e the official API since it will be fixed soon, but rather hacked in as\n\u003e a temporary work-around as needed. It _should_ be documented as an\n\u003e issue with the current version, though.\n\u003e\n\u003e Please see here for a work-around to try:\n\u003e https://github.com/theuni/bitcoin/commits/openssl-consensus-threads\n\u003e Unfortunately it's not pretty, but it works fine here. Note that you\n\u003e should give this some _serious_ testing before deploying in any real\n\u003e way. It should mimic the way we do it in Core, though.\n\u003e\n\u003e That's on top of current master, but it should be trivial to apply to\n\u003e release tags.\n\u003e\n\u003e Please let me know how it works out.\n\u003e\n\u003e Regards,\n\u003e Cory\n\u003e\n\u003e On Fri, Aug 14, 2015 at 12:37 PM, Tamas Blummer via bitcoin-dev\n\u003e \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e\u003e We integrated libconsensus into bits of proof. It works well, in-line for all test cases with our Java engine and is about 50% faster on a single thread.\n\u003e\u003e\n\u003e\u003e The performance advantage unfortunatelly reverses if libconsensus is executed on several threads simultaneously as we do with the Java engine, since an error:\n\u003e\u003e\n\u003e\u003e Assertion failed: (pkey != NULL), function CECKey, file ecwrapper.cpp, line 96.\n\u003e\u003e\n\u003e\u003e arises under that stress.\n\u003e\u003e\n\u003e\u003e I guess that the cause is that thread callbacks as advised for OpenSSL on https://www.openssl.org/docs/crypto/threads.html are not registered.\n\u003e\u003e Registering those however would require access to OpenSSL functions, not exported from the lib.\n\u003e\u003e\n\u003e\u003e I’d be thankful for a pointer to a workaround.\n\u003e\u003e\n\u003e\u003e Tamas Blummer\n\u003e\u003e\n\u003e\u003e _______________________________________________\n\u003e\u003e bitcoin-dev mailing list\n\u003e\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\u003e",
"sig": "ea2334a85bc82d9998e898c648a73c23e7c61f901715d84cbbbdfbbfa062300ce6b5c996724e80d69b2b94f8cdc7ee0f9bce7137f1328d27e776ffd173aa71a8"
}