X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type:content-transfer-encoding;
	 q=dns; s=default; b=oYrseMw/4R0vp2Hf038Um86nJOWgpruPOGeoHPK33Tf
	OOlbzA7+xiWhAp3lg5qDim36V075ZsVtzzAEsBEpHF9NkNzWo1bF0wLO0VlMOAra
	PVwPUl/A8bnMgs3jlYfwMqQhgH/0ENdKGoVCvZu4EYAPXe107LDY2J+hot5/OBk8
	=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:content-type:content-transfer-encoding;
	 s=default; bh=46qgnBVZhM98oyqyb5MzfMuXeng=; b=uYPHRLPmd0FZJNVAV
	ATEEtOXEqdPGJlalkJ7yiq+M3qaccd7KeNKZvLsem++lNF+qjrnR7VNDlwIRB7Hl
	INlnJhWPXYy09Y5DE/Qxqy9utswqstNig4DT+D9D+SNNYQwakjhnul5Ea67DPqAv
	USVI+HHkVfAxB2Vq048yXGOfJg=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-0.9 required=5.0 tests=AWL,BAYES_20,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=steven, unsubscribe-simple, unsubscribesimple, efforts
X-HELO: mail-vs1-f45.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com; s=20161025;        h=mime-version:references:in-reply-to:from:date:message-id:subject:to         :content-transfer-encoding;        bh=p1wPwNwChVM8/NGVT1MKLYVMi0WHIRWA4wkM1Ii0ZaE=;        b=lz5a4yZfsLcVsEL2uxkIo/MxKsOQ4dLVbb5EcY3OmGsBu0lPZHEwvFB1qO77Rqeg3B         1cu+LJXR1zOuPgPB2M4ORfmRkK37OpOT0ydjynCziTngiC9RGrYP9pNutc7RIW0i0V2Z         Y/6Y+oS0BGV+Qm3BU4nt+lQYubu4vl6fuYKo6fXtNrlItpqA37+U+ArIu43wqYohvUgD         mnLVrrU7lM8Dj0OUdw9j18+aGCJ8dAjtyHbxANUKi6sOsLN0aQ+DEImP/1BtDORWj7KC         1aMe1pUN3AGJ9WYeAGkXbgRPtqivbJRcb8dqrg+OAqYsxTfUmhUv5+adgFbJkV3Lp0Ri         s0Cg==
MIME-Version: 1.0
References: <d1f44f95-0ec4-bdce-7f84-fd98a4372c84 AT SystematicSw DOT ab DOT ca> <5cf5a0f7 DOT 1c69fb81 DOT cfbf0 DOT b1e6 AT mx DOT google DOT com>
In-Reply-To: <5cf5a0f7.1c69fb81.cfbf0.b1e6@mx.google.com>
From: Benjamin Baratte <benjamin DOT baratte AT gmail DOT com>
Date: Tue, 4 Jun 2019 16:32:21 +0200
Message-ID: <CABTpe5_kr=-zEYZ2uqYeuVO5x747faY-8YXp=NP2VQ5GNPNF_A@mail.gmail.com>
Subject: Re: Question regarding OpenSSL 1.1.1b package configuration against OpenSSL 1.0.2r
To: cygwin AT cygwin DOT com
Content-Type: text/plain; charset="UTF-8"
X-IsSubscribed: yes
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id x54EXBwi012106

Hi Guys,

Thanks for your feedback.

I have recompile the openssl package with Cygport and this has allowed
me to point out the differences between the OpenSSL mainline and the
Cygwin pacakge.
Actually the Cygwin package follow the spec from Fedora package where
it has been decided to remove some patented algorithms.
After some readings on wikipedia, the implementation of the Brainpool
curves may requires patented method to be as efficient as NIST curves.
(https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation)

I don't know if OpenSSL use such optimization algorithm but I find out
that we can use the Brainpool curves by providing the ECC parameters
to OpenSSL 1.1.1b Fedora version.
(https://bitnuts.de/articles/using_brainpool_ecc_in_openssl.html)

Therefore the patch will remove builtin support of RFC defined
Brainpool curves (and others) and keep only NIST which are optimized
remove only the named curves but not the algorithms behind.
I'm not legal person therefore I can't tell if this is really make any
difference but I think the algorithm is still embedded in the OpenSSL
package.

I think that the default ECC implementation is not optimized of all
curves except for NIST curves.

May be this needs to be check with OpenSSL team ?

Anyway, Steven you are right compiling a package like OpenSSL is not
straightforward even with Cygport but still feasable with reasonnable
efforts (I guess because I'm used to have unsual setup where automatic
tool does not work out of the box :) )

Regarding the CVE-2016-7055 pointed by Brian, as far as I have read
this is impacting only the Brainpool P 512 curve and this is not
compromizing the private key and I think we could restrict the
restriction to this curves only.
(https://nvd.nist.gov/vuln/detail/CVE-2016-7055)

Best Regards,

Ben


Le mar. 4 juin 2019 à 00:36, Steven Penny <svnpenn AT gmail DOT com> a écrit :
>
> On Mon, 3 Jun 2019 14:35:29, Brian Inglis wrote:
> > You can easily rebuild the package yourself with the cygport utility, to check
> > that works, then change the build config to include the Brainpool ECs, and
> > rebuild the way you want it.
>
> Please do not presume someones technical prowess. It might be easy *to you*, but
> its certainly not easy in an objective sense, and definitely not to a novice
> Cygwin user.
>
> This is coming from someone who has built hundreds of Cygwin and Mingw64
> packages. Have some perspective.
>
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple