Cleanup for cryptographic algorithms vs. compiler optimizations

C. P. Ghost cpghost at
Mon Jun 14 01:43:10 UTC 2010

On Sun, Jun 13, 2010 at 11:35 PM, Bernd Walter <ticso at> wrote:
> Crypto code wasn't aware of this problem and this is a way more
> obvious optimization than function exchange.
> And I do believe that the programmers were clever people.
> Alarming, isn't it?
> Maybe paranoid users might consider compiling their OS with -O0, but
> I don't think this is the right way.

I think that most crypto code isn't compiled with strong optimizations
anyway, even when the rest of the OS or program is (or can be). After all,
we do have separate compilation units... as long as you don't enable LTO,
of course.

Turning off strong optimizations for crypto code may seem paradoxical,
but since most performance-critical routines often contain hand-optimized
assembly anyway, and compiler optimizations may be counter-productive
here, the point is rather moot, usually.

> It is amazing how strong the influence of optimization is and how weak
> the programmers' assumptions are.

Indeed. That's a classic trap that trips a lot of crypto programmers
in particular, and even seasoned C programmers occasionally.


Cordula's Web.
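
Added example (not part of the original message or of any FreeBSD code): one common way to keep a cleanup store from being eliminated is to call memset through a volatile function pointer, which leaves the optimizer as blind as it is at a call into a separate compilation unit without LTO. All function names are hypothetical and the key derivation is a constructed toy.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper. The pointer is volatile, so the compiler must load
 * it at run time and cannot assume it still points at memset; the call
 * therefore cannot be proven to be a dead store. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) { wipe_fn(buf, 0, len); }

/* Toy stand-in for key derivation; the checksum stands for the result. */
static unsigned toy_derive(unsigned char *key, size_t klen, const char *pass)
{
    size_t n = strlen(pass);
    unsigned sum = 0;
    for (size_t i = 0; i < klen; i++) {
        key[i] = (unsigned char)((n ? pass[i % n] : 0) ^ (int)i);
        sum = sum * 31u + key[i];
    }
    return sum;
}

/* Fragile: key[] is never read after memset, so the optimizer may drop the
 * call as a dead store and leave the key material on the stack. */
unsigned use_key_fragile(const char *pass)
{
    unsigned char key[32];
    unsigned r = toy_derive(key, sizeof key, pass);
    memset(key, 0, sizeof key);
    return r;
}

/* Hardened: identical work, but the wipe goes through secure_wipe(). */
unsigned use_key_wiped(const char *pass)
{
    unsigned char key[32];
    unsigned r = toy_derive(key, sizeof key, pass);
    secure_wipe(key, sizeof key);
    return r;
}

/* Returns 1 if secure_wipe() zeroes every byte of a filled buffer. */
int wipe_selftest(void)
{
    unsigned char buf[64];
    memset(buf, 0xA5, sizeof buf);
    secure_wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) return 0;
    return 1;
}
```

Both variants return the same value; the difference only shows in the generated code, so compare the two functions' disassembly at -O2 to see whether the memset call survived. Where the platform provides explicit_bzero() or memset_s(), prefer those over a hand-rolled wipe.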

More information about the freebsd-current mailing list