Bitcoin and Curve secp256k1 on Fedora

Like most stories, this one begins with a small task – helping a tiny nonprofit generate a ‘vanity’ bitcoin address, so donors can clearly recognize it as theirs.  The best tool to do that is Vanitygen, and the web is littered with horror stories about getting it to build on Fedora (my desktop OS of choice).  The reason is that the Fedora version of OpenSSL, which Vanitygen uses as a library, does not contain the cryptography needed for Bitcoin.

Currently, elliptic curve secp256k1 is not available in a default install of Fedora, or Fedora-derived systems (RHEL, CentOS, etc.).  It’s currently pending review by Redhat legal.  I’ve read that one major ecc patent was holding up secp256k1 in the industry in general, and that one expired two weeks ago, so assuming nobody else has a submarine claim on secp256k1, maybe we’ll make some progress there.

Due to this mess, the Fedora Project has a special build of openssl that ‘hobbles’ it, by stripping out several algorithms in the source code.  There is such reluctance to distribute these magic numbers (that is fear of prosecution, not arithmophobia) that this is one of the very few (only?) instances where Fedora doesn’t even distribute the upstream source and patch it – it distributes the already-hobbled sources (with a script to hobble it yourself, if you wish to prove the build).  Thank the legal system for granting patents on mathematics, against its charter.

The standard advice is to build the stock version of OpenSSL and install it in /opt.  There were several reasons I thought this was a bad idea:

  • it’s overkill – I only need one more algorithm.
  • it won’t get updates; a buildbot could easily handle rebuilding Fedora releases as they come out.
  • it does not benefit from all the other patches in the Fedora RPM that makes openssl integrate better into the Fedora ecosystem.
  • it makes builds slightly harder and requires EXPORTs or wrapper scripts to run with a library in /opt .
  • enabling _all_ of OpenSSL seems like a bad idea given all the fixes that are currently being applied to it.
  • it only helps me, not everybody else; it’s against the Open Source ethos.
  • it doesn’t help Fedora get ready for the next step.

One other option was to use the ringliberty.com openssl-compat-bitcoin libraries, but they did not work with Vanitygen:

$ ./vanitygen 1bfcc
./vanitygen: /opt/openssl-compat-bitcoin/lib/libcrypto.so.10: version `OPENSSL_1.0.1_EC' not found (required by ./vanitygen)

So then, how to unpatch the removal of secp256k1 from the Fedora build? For this algorithm it was a matter of changing two files with three modifications (patches here). Other NSA Ciphersuite B algorithms should be similar, but if you’re looking for a different cipher, you’ll just have to grep the source and patches. The layout is better than I expected after hearing the battlecries from OpenBSD-land.

Fetch the current OpenSSL source (e.g. yumdownloader –source –noplugins openssl) into your rpmbuild environment, patch the two SOURCE files with these patches, and then just build normally.  OpenSSL needs:

QA_RPATHS=$[ 0x0001|0x0010 ] rpmbuild openssl.spec

You might want to add a release tag if you’ll ever redistribute.

If you don’t build, you can download the RPMS, but you should really build essential security software yourself or get it signed by the distro.

Testing: I cannot claim these are extensively tested.  I’m neither a cryptomathematician nor an OpenSSL hacker, but regular operations of OpenSSH and Apache’s mod_ssl are working fine with this installed, and more importantly (for this blog post):

$ ./vanitygen 1bfcc
Difficulty: 264104224
[1.23 Mkey/s][total 23209216][Prob 8.4%][50% in 2.2min]
Pattern: 1bfcc
Address: 1bfccewL1Pneu4sGroaD9upZhuT79W5wr

So, for the purposes set forth here, this was a success.  With this change, building vanitygen was as simple as a ‘git clone’ and ‘make’.  So, Fedora is only 45 lines of code away from working with tools like this.  I haven’t yet tried building bitcoin-qt against it, but from the complaints I’ve read to date, that should work as well. Eventually we’ll get a full, normal bitcoin client into Fedora, all properly integrated with the ecosystem.