Mail Archives: cygwin/2019/06/03/17:08:10

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2019/06/03/17:08:10

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:subject:to:references:from:message-id

:date:mime-version:in-reply-to:content-type

:content-transfer-encoding; q=dns; s=default; b=KJOHfIh0J7o2ZcnZ

B3QhxdljdCsf1X3+ejAxK0irWfxjbwpV/eL4Igg+67XeENGpYLTK/hqx11Ln5t+f

GtHUE7r7KQQ+2GbC3FAlyKBJU23RfET7lEMAbxt/YP7jTVuqEiUi1qcdZ2Pr87sa

K354jBcQntzL3HlUr5GvXOAdpwE=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:subject:to:references:from:message-id

:date:mime-version:in-reply-to:content-type

:content-transfer-encoding; s=default; bh=Aoi9HiyKHu2vDusYbYD36e

sJct0=; b=TuRTbNP1fpY/iZC1vqZ2Ktxo6UxlSx2lBLEEG60tLukk2yJF6JJHB7

RzAPM82VFeHV90fm9yrpmq9r0hr3Jz6ya2IswRpi+0j+F6MXMbc6VUZYSSLE5lhV

SkFaIFVp6QEpzzwo9GorPudBnuRfdEPvtKxdpApo15kFgbq4LU5xM=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Spam-SWARE-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=Morgan, Benjamin, morgan, manifest

X-HELO: smtp-out-so.shaw.ca

Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca

Subject: Re: Question regarding OpenSSL 1.1.1b package configuration against OpenSSL 1.0.2r

To: cygwin AT cygwin DOT com

References: <CABTpe59pFoH-MsGKKa4oNdFTs42opV64motaSFpeijJCq0Dqcw AT mail DOT gmail DOT com>

From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>

Openpgp: preference=signencrypt

Message-ID: <d1f44f95-0ec4-bdce-7f84-fd98a4372c84@SystematicSw.ab.ca>

Date: Mon, 3 Jun 2019 14:35:29 -0600

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

MIME-Version: 1.0

In-Reply-To: <CABTpe59pFoH-MsGKKa4oNdFTs42opV64motaSFpeijJCq0Dqcw@mail.gmail.com>

X-IsSubscribed: yes

On 2019-06-03 06:09, Benjamin Baratte wrote:
> I would like to understand why the OpenSSL 1.1.1b package only includes the
> NIST EC curves support ?
> I'm basically try to use brainpool curves and I have noticed that the
> package 1.1.1b does not includes these curves and more generally only
> includes NIST curves

> From what I have found in Google, the cygwin OpenSSL 1.1.1b package is
> bound to the fedora package spec which is deactivating brainpool curves.
> 
> I'm a bit surprised by the differences in the 2 OpenSSL packages. But I
> need to use Brainpool curves.
> 
> On top of that, the installer is proposing the OpenSSL 1.1.1b-1 package as
> the newest one prevailing to OpenSSL 1.0.2r-1 package. Is it possible to
> get back the brainpool curves into the OpenSSL 1.1.1b-1 package ?
> if not, could please explain to me why only NIST curves are now supported
> in the official package ?

I have seen comments about legal liability, poor performance limited by choice
of random keys, small size of random keys, another model specific Intel FP bug:

https://github.com/openssl/openssl/blob/master/CHANGES
"Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. ... Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. ...

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing reproducible case.
     (CVE-2016-7055)
     [Andy Polyakov]"

You can easily rebuild the package yourself with the cygport utility, to check
that works, then change the build config to include the Brainpool ECs, and
rebuild the way you want it.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=KJOHfIh0J7o2ZcnZ
	B3QhxdljdCsf1X3+ejAxK0irWfxjbwpV/eL4Igg+67XeENGpYLTK/hqx11Ln5t+f
	GtHUE7r7KQQ+2GbC3FAlyKBJU23RfET7lEMAbxt/YP7jTVuqEiUi1qcdZ2Pr87sa
	K354jBcQntzL3HlUr5GvXOAdpwE=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:subject:to:references:from:message-id
	:date:mime-version:in-reply-to:content-type
	:content-transfer-encoding; s=default; bh=Aoi9HiyKHu2vDusYbYD36e
	sJct0=; b=TuRTbNP1fpY/iZC1vqZ2Ktxo6UxlSx2lBLEEG60tLukk2yJF6JJHB7
	RzAPM82VFeHV90fm9yrpmq9r0hr3Jz6ya2IswRpi+0j+F6MXMbc6VUZYSSLE5lhV
	SkFaIFVp6QEpzzwo9GorPudBnuRfdEPvtKxdpApo15kFgbq4LU5xM=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Spam-SWARE-Status:	No, score=-3.0 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 spammy=Morgan, Benjamin, morgan, manifest
X-HELO:	smtp-out-so.shaw.ca
Reply-To:	Brian DOT Inglis AT SystematicSw DOT ab DOT ca
Subject:	Re: Question regarding OpenSSL 1.1.1b package configuration against OpenSSL 1.0.2r
To:	cygwin AT cygwin DOT com
References:	<CABTpe59pFoH-MsGKKa4oNdFTs42opV64motaSFpeijJCq0Dqcw AT mail DOT gmail DOT com>
From:	Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Openpgp:	preference=signencrypt
Message-ID:	<d1f44f95-0ec4-bdce-7f84-fd98a4372c84@SystematicSw.ab.ca>
Date:	Mon, 3 Jun 2019 14:35:29 -0600
User-Agent:	Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version:	1.0
In-Reply-To:	<CABTpe59pFoH-MsGKKa4oNdFTs42opV64motaSFpeijJCq0Dqcw@mail.gmail.com>
X-IsSubscribed:	yes