[SOLVED] OpenSSL with sect233k1

bbKid · 08-19-2019, 10:01 AM

Hi. An app failed with "AssertionError: Elliptic curve sect233k1 is not available on this system." I found out the reason of this error is OpenSSL wasn't enable this.

Quote:

openssl ecparam -list_curves
secp112r1 : SECG/WTLS curve over a 112 bit prime field
secp112r2 : SECG curve over a 112 bit prime field
secp128r1 : SECG curve over a 128 bit prime field
secp128r2 : SECG curve over a 128 bit prime field
secp160k1 : SECG curve over a 160 bit prime field
secp160r1 : SECG curve over a 160 bit prime field
secp160r2 : SECG/WTLS curve over a 160 bit prime field
secp192k1 : SECG curve over a 192 bit prime field
secp224k1 : SECG curve over a 224 bit prime field
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
SM2 : SM2 curve over a 256 bit prime field

So, how I can recompire OpenSSL with enabled "sect233k1"? Thanks.

ponce · 08-19-2019, 11:23 AM

in my 14.2 updated system I got sect233k1 support

Code:

$ openssl ecparam -list_curves | grep sect233k1
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field

try applying the updates to your installation.

bbKid · 08-19-2019, 11:28 AM

Quote:

Originally Posted by ponce

in my 14.2 updated system I got sect233k1 support

Code:

$ openssl ecparam -list_curves | grep sect233k1
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field

try applying the updates to your installation.

I use Slackware64-current from 2019.08.15. There is OpenSSL haven't "sect233k1"
But sect233k1 exist in source code of OpenSSL

ponce · 08-19-2019, 01:27 PM

I think it's because openssl in current is built with the config option

Code:

no-ec2m

that, according to the INSTALL doc

Code:

  no-ec2m
                   Don't build support for binary Elliptic Curves

I think Pat can surely clarify this better than anyone...

volkerdi · 08-19-2019, 02:00 PM

I believe EC2M is still covered by Certicom patents.

ponce · 08-20-2019, 01:38 AM

Quote:

Originally Posted by bbKid

Hi. An app failed with "AssertionError: Elliptic curve sect233k1 is not available on this system." I found out the reason of this error is OpenSSL wasn't enable this.

Quote:

Originally Posted by ponce

I think it's because openssl in current is built with the config option

Code:

no-ec2m

Quote:

Originally Posted by volkerdi

I believe EC2M is still covered by Certicom patents.

Thanks, Pat!

Quote:

Originally Posted by bbKid

So, how I can recompire OpenSSL with enabled "sect233k1"? Thanks.

then, for a personal use (not for redistributing it), I suppose you can just delete that option from the config in the SlackBuild and rebuild the package.

Labinnah · 08-20-2019, 03:11 AM

Pat, can you check this? I have no idea what are that explicit patents. But, according to this: https://en.wikipedia.org/wiki/ECC_patents most patents expired in 2015-2018. And at one marked unclear, entering patent page shows that it expires just today

.

bbKid · 08-21-2019, 08:28 AM

Quote:

Originally Posted by volkerdi

I believe EC2M is still covered by Certicom patents.

Could I use previous compiled packet of OpenSSL?

Labinnah · 08-21-2019, 09:31 AM

Quote:

Originally Posted by bbKid

Could I use previous compiled packet of OpenSSL?

If version differs only by letter at the end, everything should work fine. Otherwise probably not.

In any case you must reconsider security risk using older releases.

bbKid · 08-21-2019, 01:16 PM

Quote:

Originally Posted by Labinnah

If version differs only by letter at the end, everything should work fine. Otherwise probably not.

In any case you must reconsider security risk using older releases.

I get it, but is some way to enable "sect233k1" with current version (1.1.1c)?

Labinnah · 08-21-2019, 01:32 PM

You could download openssl slackbuild from slackware repository (i.e. ftp://ftp.slackware.com/pub/slackwar...urce/n/openssl), remove no-ec2m option from it, and rebuild package.

ponce · 08-21-2019, 01:34 PM

I wrote it above, maybe you missed it

Quote:

Originally Posted by ponce

for a personal use (not for redistributing it), I suppose you can just delete that option from the config in the SlackBuild and rebuild the package.

I'll try to gice a more detailed answer:

dowload all the components needed for building an openssl and openssl-solibs slackware packages using, for example, lftp

Code:

lftp -c mirror ftp://ftp.slackware.com/pub/slackware/slackware64-current/source/n/openssl/

enter the just downloaded openssl directory and edit openssl.SlackBuild removing this (delete the whole line 136)

Code:

 no-ec2m \

rebuild (as root) the openssl and openssl-solibs packages

Code:

BUILD=1_bbkid ./openssl.SlackBuild

upgrade the openssl and openssl-solibs packages with the ones just built

Code:

upgradepkg /tmp/openssl-1.1.1c-x86_64-1_bbkid.txz /tmp/openssl-solibs-1.1.1c-x86_64-1_bbkid.txz

volkerdi · 08-21-2019, 02:21 PM

Quote:

Originally Posted by Labinnah

Pat, can you check this? I have no idea what are that explicit patents. But, according to this: https://en.wikipedia.org/wiki/ECC_patents most patents expired in 2015-2018. And at one marked unclear, entering patent page shows that it expires just today

.

Interesting! But I think I'll still wait for IBM/Red Hat's pack of skilled patent attorneys to take the lead on this one.

bbKid · 08-21-2019, 02:28 PM

Quote:

Originally Posted by ponce

I wrote it above, maybe you missed it

I'll try to gice a more detailed answer:

dowload all the components needed for building an openssl and openssl-solibs slackware packages using, for example, lftp

Code:

lftp -c mirror ftp://ftp.slackware.com/pub/slackware/slackware64-current/source/n/openssl/

enter the just downloaded openssl directory and edit openssl.SlackBuild removing this (delete the whole line 136)

Code:

 no-ec2m \

rebuild (as root) the openssl and openssl-solibs packages

Code:

BUILD=1_bbkid ./openssl.SlackBuild

upgrade the openssl and openssl-solibs packages with the ones just built

Code:

upgradepkg /tmp/openssl-1.1.1c-x86_64-1_bbkid.txz /tmp/openssl-solibs-1.1.1c-x86_64-1_bbkid.txz

Thanks a lot, this works for me.