mpz_powm_sec not exist in Sage built libgmp.so.16 [closed]

asked 2016-05-10 06:01:27 -0500

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

(I already read question/25708/warning-message-when-with-notebook/ and question/25183/powminsecurewarning-how-do-i-rebuild-using-libgmp-5/, here some extra finding about gmp)

With Sage 7.1, I ran

sage: notebook(interface='', port=53432, automatic_login=False, secure=True)
:
/local/redhat/apps/sage-7.1/local/lib/python2.7/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
_warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning) :

then looking number.py, line 57 to 58:

if _fastmath is not None and not _fastmath.HAVE_DECL_MPZ_POWM_SEC:
_warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)

$ ldd /local/redhat/apps/sage-7.1/local/lib/python2.7/site-packages/Crypto/PublicKey/_fastmath.so
linux-vdso.so.1 => (0x00007ffdefd4e000)
libgmp.so.16 => /local/redhat/apps/sage-7.1/local/lib/libgmp.so.16 (0x00007fbcfd25e000)
:

check libgmp.so (built by Sage)

$ nm -D /local/redhat/apps/sage-7.1/local/lib/libgmp.so.16 | grep mpz_powm
000000000002c110 T __gmpz_powm
000000000002ced0 T __gmpz_powm_ui

mpz_powm_sec isn't there, so the warning.

However, libgmp.so come from RHEL7:

nm -D /usr/lib64/libgmp.so.10 | grep mpz_powm
000000000001eef0 T __gmpz_powm
000000000001f9e0 T __gmpz_powm_sec
0000000000020040 T __gmpz_powm_ui
$ rpm -qf /usr/lib64/libgmp.so.10
gmp-6.0.0-12.el7_1.x86_64

Why libgmp built by Sage doesn't have mpz_powm_sec?

In Sage config.log:

configure:7024: result: gmp-5.1.3

In logs/install.log:

checking for __gmpz_init in -lgmp... yes
checking for __gmpz_init in -lmpir... yes
checking whether mpz_powm is declared... yes
checking whether mpz_powm_sec is declared... no

I couldn't find the source code Sage used to build libgmp.

edit retag flag offensive reopen merge delete

Closed for the following reason not a real question by Ling
close date 2016-05-12 19:44:17.697461

Comments

I may find out the solution.

gmp is an optional package to Sage. So,

sage -i gmp

After that libgmp.so.10.1.3 appears in local/lib. Manually update libgmp.so link.Then in the Sage top tree,

make

(this'll take a while, will come back to confirm this fix the warning)

The message "You should rebuild using libgmp >= 5" isn't clear. It'd say "install optional package gmp then rebuild sage".

Ling gravatar imageLing ( 2016-05-10 23:58:21 -0500 )edit

No, Sage is sort of hard-coded to use mpir, even gmp is present.

Someone please update local/lib/python2.7/site-packages/Crypto/Util/number.py to change the warning.

Ling gravatar imageLing ( 2016-05-12 19:43:36 -0500 )edit