From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-return-216877-listarch-cygwin=sourceware.org@cygwin.com>
Received: (qmail 108611 invoked by alias); 4 Jun 2019 14:32:37 -0000
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Received: (qmail 108604 invoked by uid 89); 4 Jun 2019 14:32:37 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-0.9 required=5.0 tests=AWL,BAYES_20,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=steven, unsubscribe-simple, unsubscribesimple, efforts
X-HELO: mail-vs1-f45.google.com
Received: from mail-vs1-f45.google.com (HELO mail-vs1-f45.google.com) (209.85.217.45) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 04 Jun 2019 14:32:35 +0000
Received: by mail-vs1-f45.google.com with SMTP id c24so13627395vsp.7        for <cygwin@cygwin.com>; Tue, 04 Jun 2019 07:32:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com; s=20161025;        h=mime-version:references:in-reply-to:from:date:message-id:subject:to         :content-transfer-encoding;        bh=p1wPwNwChVM8/NGVT1MKLYVMi0WHIRWA4wkM1Ii0ZaE=;        b=lz5a4yZfsLcVsEL2uxkIo/MxKsOQ4dLVbb5EcY3OmGsBu0lPZHEwvFB1qO77Rqeg3B         1cu+LJXR1zOuPgPB2M4ORfmRkK37OpOT0ydjynCziTngiC9RGrYP9pNutc7RIW0i0V2Z         Y/6Y+oS0BGV+Qm3BU4nt+lQYubu4vl6fuYKo6fXtNrlItpqA37+U+ArIu43wqYohvUgD         mnLVrrU7lM8Dj0OUdw9j18+aGCJ8dAjtyHbxANUKi6sOsLN0aQ+DEImP/1BtDORWj7KC         1aMe1pUN3AGJ9WYeAGkXbgRPtqivbJRcb8dqrg+OAqYsxTfUmhUv5+adgFbJkV3Lp0Ri         s0Cg==
MIME-Version: 1.0
References: <d1f44f95-0ec4-bdce-7f84-fd98a4372c84@SystematicSw.ab.ca> <5cf5a0f7.1c69fb81.cfbf0.b1e6@mx.google.com>
In-Reply-To: <5cf5a0f7.1c69fb81.cfbf0.b1e6@mx.google.com>
From: Benjamin Baratte <benjamin.baratte@gmail.com>
Date: Tue, 04 Jun 2019 14:32:00 -0000
Message-ID: <CABTpe5_kr=-zEYZ2uqYeuVO5x747faY-8YXp=NP2VQ5GNPNF_A@mail.gmail.com>
Subject: Re: Question regarding OpenSSL 1.1.1b package configuration against OpenSSL 1.0.2r
To: cygwin@cygwin.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-IsSubscribed: yes
X-SW-Source: 2019-06/txt/msg00026.txt.bz2

Hi Guys,

Thanks for your feedback.

I have recompile the openssl package with Cygport and this has allowed
me to point out the differences between the OpenSSL mainline and the
Cygwin pacakge.
Actually the Cygwin package follow the spec from Fedora package where
it has been decided to remove some patented algorithms.
After some readings on wikipedia, the implementation of the Brainpool
curves may requires patented method to be as efficient as NIST curves.
(https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Implementation)

I don't know if OpenSSL use such optimization algorithm but I find out
that we can use the Brainpool curves by providing the ECC parameters
to OpenSSL 1.1.1b Fedora version.
(https://bitnuts.de/articles/using_brainpool_ecc_in_openssl.html)

Therefore the patch will remove builtin support of RFC defined
Brainpool curves (and others) and keep only NIST which are optimized
remove only the named curves but not the algorithms behind.
I'm not legal person therefore I can't tell if this is really make any
difference but I think the algorithm is still embedded in the OpenSSL
package.

I think that the default ECC implementation is not optimized of all
curves except for NIST curves.

May be this needs to be check with OpenSSL team ?

Anyway, Steven you are right compiling a package like OpenSSL is not
straightforward even with Cygport but still feasable with reasonnable
efforts (I guess because I'm used to have unsual setup where automatic
tool does not work out of the box :) )

Regarding the CVE-2016-7055 pointed by Brian, as far as I have read
this is impacting only the Brainpool P 512 curve and this is not
compromizing the private key and I think we could restrict the
restriction to this curves only.
(https://nvd.nist.gov/vuln/detail/CVE-2016-7055)

Best Regards,

Ben


Le mar. 4 juin 2019 =C3=A0 00:36, Steven Penny <svnpenn@gmail.com> a =C3=A9=
crit :
>
> On Mon, 3 Jun 2019 14:35:29, Brian Inglis wrote:
> > You can easily rebuild the package yourself with the cygport utility, t=
o check
> > that works, then change the build config to include the Brainpool ECs, =
and
> > rebuild the way you want it.
>
> Please do not presume someones technical prowess. It might be easy *to yo=
u*, but
> its certainly not easy in an objective sense, and definitely not to a nov=
ice
> Cygwin user.
>
> This is coming from someone who has built hundreds of Cygwin and Mingw64
> packages. Have some perspective.
>
>
> --
> Problem reports:       http://cygwin.com/problems.html
> FAQ:                   http://cygwin.com/faq/
> Documentation:         http://cygwin.com/docs.html
> Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple