Gentoo Archives: gentoo-project

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o, gentoo-project@l.g.o
Cc: licenses@g.o
Subject: [gentoo-project] RFC: dev-libs/openssl USE=bindist removal
Date: Mon, 27 Sep 2021 22:50:17
Message-Id: robbat2-20210927T220812-097274637Z@orbis-terrarum.net
Deadline for responses: 2021/10/14!

The Foundation would like to propose that the RedHat/Fedora "hobble" patch
presently applied when USE=bindist is true shall be removed from
dev-libs/openssl.

RedHat's stated reasons for the patch were originally to avoid any patent
concerns, but they have also morphed over time to prevent some "insecure"
things from being used entirely:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
"All ECC curves < 224 bits (since RHEL 6)"
"All binary field ECC curves (since RHEL 6)"

However, the Foundation would also like to be sure that no users feel that
patchset provides something critical to their usage of Gentoo.

If nobody speaks up as saying that the "hobble" patch is REQUIRED for their use
cases, the Foundation proposes that usage of the patchset be dropped from the
main tree.

Any users who might be concerned about patent compliance are encouraged to do
their own due diligence, as OpenSSL was the only Gentoo package that shipped
this type of patch, and even Fedora's upstream did not completely patch out EC
in other packages.

Below shows which EC curves are present in major distributions.
- RHEL/Fedora is the most restrictive list, with only 5 curves kept
- OpenSUSE is next, with 41 curves
- Gentoo, Debian, Ubuntu all have the same 88 curves available.

Fedora # openssl ecparam -list_curves
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

OpenSUSE Leap # openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field

Gentoo, Ubuntu, Debian # openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
sect113r1 : SECG curve over a 113 bit binary field
sect113r2 : SECG curve over a 113 bit binary field
sect131r1 : SECG/WTLS curve over a 131 bit binary field
sect131r2 : SECG curve over a 131 bit binary field
sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
sect163r1 : SECG curve over a 163 bit binary field
sect163r2 : NIST/SECG curve over a 163 bit binary field
sect193r1 : SECG curve over a 193 bit binary field
sect193r2 : SECG curve over a 193 bit binary field
sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
sect239k1 : SECG curve over a 239 bit binary field
sect283k1 : NIST/SECG curve over a 283 bit binary field
sect283r1 : NIST/SECG curve over a 283 bit binary field
sect409k1 : NIST/SECG curve over a 409 bit binary field
sect409r1 : NIST/SECG curve over a 409 bit binary field
sect571k1 : NIST/SECG curve over a 571 bit binary field
sect571r1 : NIST/SECG curve over a 571 bit binary field
c2pnb163v1: X9.62 curve over a 163 bit binary field
c2pnb163v2: X9.62 curve over a 163 bit binary field
c2pnb163v3: X9.62 curve over a 163 bit binary field
c2pnb176v1: X9.62 curve over a 176 bit binary field
c2tnb191v1: X9.62 curve over a 191 bit binary field
c2tnb191v2: X9.62 curve over a 191 bit binary field
c2tnb191v3: X9.62 curve over a 191 bit binary field
c2pnb208w1: X9.62 curve over a 208 bit binary field
c2tnb239v1: X9.62 curve over a 239 bit binary field
c2tnb239v2: X9.62 curve over a 239 bit binary field
c2tnb239v3: X9.62 curve over a 239 bit binary field
c2pnb272w1: X9.62 curve over a 272 bit binary field
c2pnb304w1: X9.62 curve over a 304 bit binary field
c2tnb359v1: X9.62 curve over a 359 bit binary field
c2pnb368w1: X9.62 curve over a 368 bit binary field
c2tnb431r1: X9.62 curve over a 431 bit binary field
wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
Oakley-EC2N-3:
    IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
    Not suitable for ECDSA.
    Questionable extension field!
Oakley-EC2N-4:
    IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
    Not suitable for ECDSA.
    Questionable extension field!
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
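The post compares `openssl ecparam -list_curves` output by hand against the two RHEL policy rules it quotes (curves under 224 bits, and all binary-field curves). The following is an added example, not part of the original message or of any Gentoo or RedHat tooling: it parses that output format (including the multi-line Oakley entries), applies the two quoted rules, and reports which curves the rules alone would not remove but Fedora's five-curve list still lacks. The sample output embedded below is a constructed subset of the lists quoted in the post; `FEDORA_CURVES` is the Fedora list as given there.

```python
import re

# Constructed sample: a subset of the `openssl ecparam -list_curves` lines quoted in
# the post, including an Oakley entry whose description spans several lines.
SAMPLE_OUTPUT = """\
  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  Oakley-EC2N-3:
        IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
        Not suitable for ECDSA.
        Questionable extension field!
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  SM2       : SM2 curve over a 256 bit prime field
"""

# The five curves Fedora keeps, as listed in the post.
FEDORA_CURVES = {"secp224r1", "secp256k1", "secp384r1", "secp521r1", "prime256v1"}

NAME_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*:\s*(.*)$")   # "name : description"
FIELD_RE = re.compile(r"over a (\d+) bit (prime|binary) field")

def parse_curves(text):
    """Return [(name, bits, field)] from -list_curves output; continuation lines
    (no 'name:' prefix) are appended to the previous curve's description."""
    entries, name, desc = [], None, []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            if name is not None:
                entries.append((name, " ".join(desc)))
            name, desc = m.group(1), [m.group(2)]
        elif name is not None:
            desc.append(line.strip())
    if name is not None:
        entries.append((name, " ".join(desc)))
    parsed = []
    for n, d in entries:
        f = FIELD_RE.search(d)
        if f:  # skip any entry whose field size/type cannot be recovered
            parsed.append((n, int(f.group(1)), f.group(2)))
    return parsed

def hobbled_by_policy(curves, min_bits=224):
    """Names the two quoted RHEL rules would disable: < min_bits, or binary field."""
    return [n for n, bits, field in curves if bits < min_bits or field == "binary"]

def surviving_curves(curves, min_bits=224):
    """Names the two quoted rules leave enabled (prime field, >= min_bits)."""
    return [n for n, bits, field in curves if bits >= min_bits and field == "prime"]

def dropped_beyond_rules(curves, kept=FEDORA_CURVES):
    """Curves the rules keep but the distribution's actual list does not contain."""
    return [n for n in surviving_curves(curves) if n not in kept]
```

Running `dropped_beyond_rules(parse_curves(SAMPLE_OUTPUT))` shows that secp224k1, brainpoolP512r1 and SM2 pass both quoted rules yet are absent from Fedora's list, so the quoted rules alone do not account for everything the hobble patch removes.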