Re: Question regarding OpenSSL 1.1.1b package configuration against OpenSSL 1.0.2r

[Benjamin Baratte <benjamin.baratte@gmail.com>]

Hi Guys,

Thanks for your feedback.

I have recompile the openssl package with Cygport and this has allowed
me to point out the differences between the OpenSSL mainline and the
Cygwin pacakge.
Actually the Cygwin package follow the spec from Fedora package where
it has been decided to remove some patented algorithms.
After some readings on wikipedia, the implementation of the Brainpool
curves may requires patented method to be as efficient as NIST curves.
(https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation)

I don't know if OpenSSL use such optimization algorithm but I find out
that we can use the Brainpool curves by providing the ECC parameters
to OpenSSL 1.1.1b Fedora version.
(https://bitnuts.de/articles/using_brainpool_ecc_in_openssl.html)

Therefore the patch will remove builtin support of RFC defined
Brainpool curves (and others) and keep only NIST which are optimized
remove only the named curves but not the algorithms behind.
I'm not legal person therefore I can't tell if this is really make any
difference but I think the algorithm is still embedded in the OpenSSL
package.

I think that the default ECC implementation is not optimized of all
curves except for NIST curves.

May be this needs to be check with OpenSSL team ?

Anyway, Steven you are right compiling a package like OpenSSL is not
straightforward even with Cygport but still feasable with reasonnable
efforts (I guess because I'm used to have unsual setup where automatic
tool does not work out of the box :) )

Regarding the CVE-2016-7055 pointed by Brian, as far as I have read
this is impacting only the Brainpool P 512 curve and this is not
compromizing the private key and I think we could restrict the
restriction to this curves only.
(https://nvd.nist.gov/vuln/detail/CVE-2016-7055)

Best Regards,

Ben


Le mar. 4 juin 2019 à 00:36, Steven Penny <svnpenn@gmail.com> a écrit :
>
> On Mon, 3 Jun 2019 14:35:29, Brian Inglis wrote:
> > You can easily rebuild the package yourself with the cygport utility, to check
> > that works, then change the build config to include the Brainpool ECs, and
> > rebuild the way you want it.
>
> Please do not presume someones technical prowess. It might be easy *to you*, but
> its certainly not easy in an objective sense, and definitely not to a novice
> Cygwin user.
>
> This is coming from someone who has built hundreds of Cygwin and Mingw64
> packages. Have some perspective.
>
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple