[openssl-project] Release Criteria Update
We have 2 outstanding 1.1.1 PRs. These are:

#7144 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes

Owner: Richard
Awaiting updates following review feedback

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting updates following review feedback

There are also 2 outstanding 1.1.1 issues. Both of those are addressed by
the above PRs.

Strictly speaking we are now "green" for the open issues/PR part of the
release criteria. The above two PRs/issues will be less than 2 weeks old
at the time of release:

"All open github issues/PRs older than 2 weeks at the time of release to
be assessed for relevance to 1.1.1. Any flagged with the 1.1.1 milestone
to be closed (see below)"

We should still aim to close them though if at all possible.

However, travis has gone red. This looks like an environmental issue
since we're getting lots of lines like this all of a sudden in the pyca
external tests:

/home/travis/build/openssl/openssl/pyca-cryptography/tests/conftest.py:22: RemovedInPytest4Warning: MarkInfo objects are deprecated as they contain merged marks which are hard to deal with correctly. Please use node.get_closest_marker(name) or node.iter_markers(name). Docs: https://docs.pytest.org/en/latest/mark.html#updating-code
    for mark in request.node.get_marker("requires_backend_interface")

Until eventually we get this:

"The log length has exceeded the limit of 4 MB (this usually means that
the test suite is raising the same exception over and over). The job has
been terminated"

Ideally we should see what we can do to fix this. I don't think it
should hold up our release though.

I intend to freeze the repo 48 hours before the release (i.e. on Sunday)
to ensure stability of the build.

Matt
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
Re: [openssl-project] Release Criteria Update
On 07/09/18 10:09, Richard Levitte wrote:
> In message on Fri, 7 Sep 2018 09:56:01 +0100, Matt Caswell said:
>
>> On 07/09/18 01:51, Richard Levitte wrote:
>>> I think this one should be part of the lot as well:
>>>
>>> #7144
>>> ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
>>>
>>> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
>>> in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
>>> 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
>>> (proper zero). That's simply because the internal version number was
>>> changed from a LONG (custom ASN.1 type, mapping to a C long) to an INT32
>>> (new custom ASN.1 type, mapping to a C int32).
>>> (no, we don't want to go back to using LONG)
>>
>> So...that PR seems to be labelled for 1.1.0 too? So why is the problem
>> specific to 1.1.1?
>
> Because of commit 6a32a3c058dbd9fa7cec5b020e4f027808972e4a, which is
> only present in master. In that commit, we switch a number of uses of
> LONGs (all the remaining) to INT32.
>
> Of course, one way would be to revert that commit, but that doesn't
> fix the actual issue with INT32 not reading in a backward compatible
> way (that issue exists in 1.1.0 as well).
>
> So yeah, in summary, it's a regression that exists only in 1.1.1, but
> is really caused by a bug that exists in 1.1.0 as well.
>
> I hope that's a good enough explanation.

Makes sense.

Matt
Re: [openssl-project] Release Criteria Update
In message on Fri, 7 Sep 2018 09:56:01 +0100, Matt Caswell said:

> On 07/09/18 01:51, Richard Levitte wrote:
> > I think this one should be part of the lot as well:
> >
> > #7144
> > ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
> >
> > For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
> > in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
> > 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
> > (proper zero). That's simply because the internal version number was
> > changed from a LONG (custom ASN.1 type, mapping to a C long) to an INT32
> > (new custom ASN.1 type, mapping to a C int32).
> > (no, we don't want to go back to using LONG)
>
> So...that PR seems to be labelled for 1.1.0 too? So why is the problem
> specific to 1.1.1?

Because of commit 6a32a3c058dbd9fa7cec5b020e4f027808972e4a, which is
only present in master. In that commit, we switch a number of uses of
LONGs (all the remaining) to INT32.

Of course, one way would be to revert that commit, but that doesn't
fix the actual issue with INT32 not reading in a backward compatible
way (that issue exists in 1.1.0 as well).

So yeah, in summary, it's a regression that exists only in 1.1.1, but
is really caused by a bug that exists in 1.1.0 as well.

I hope that's a good enough explanation.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: [openssl-project] Release Criteria Update
On 07/09/18 01:51, Richard Levitte wrote:
> I think this one should be part of the lot as well:
>
> #7144
> ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
>
> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
> in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
> 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
> (proper zero). That's simply because the internal version number was
> changed from a LONG (custom ASN.1 type, mapping to a C long) to an INT32
> (new custom ASN.1 type, mapping to a C int32).
> (no, we don't want to go back to using LONG)

So...that PR seems to be labelled for 1.1.0 too? So why is the problem
specific to 1.1.1?

Matt

> Cheers,
> Richard
>
> In message on Thu, 6 Sep 2018 23:41:59 +0100, Matt Caswell said:
>
>> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
>> "ready" state. There are 2 which are alternative implementations of the
>> same thing - so there are really only 4 issues currently being addressed:
>>
>> #7145 SipHash: add separate setter for the hash size
>>
>> Owner: Richard
>> Awaiting review (CIs are failing)
>>
>> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>>
>> Owner: Matt
>> Trivial change. Awaiting review
>>
>> #7139 Remove a reference to SSL_force_post_handshake_auth()
>>
>> Owner: Matt
>> Trivial change. Awaiting review
>>
>> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
>> Alternative implementation for #7058
>>
>> Owner: Matt
>> Awaiting review. Anyone?
>>
>> There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
>> PRs. The remaining 2 are:
>>
>> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
>> 18-Aug)
>>
>> We thought we had a fix for this, but the PR in question does not seem
>> to have solved the OP's issue
>>
>> #7133 X509_sign SIGSEGVs with NULL private key
>>
>> Should be an easy fix
>>
>> Matt
Re: [openssl-project] Release Criteria Update
In message <20180907.025152.1131079938025695690.levi...@openssl.org> on Fri, 07 Sep 2018 02:51:52 +0200 (CEST), Richard Levitte said:

> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable

That was a bit of an over-statement... but it seems that there are
things in the wild that were accepted in 1.1.0 (because LONG is used)
that aren't accepted in 1.1.1. A regression still, even though with
less drama.

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: [openssl-project] Release Criteria Update
I think this one should be part of the lot as well:

#7144
ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes

For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
(proper zero). That's simply because the internal version number was
changed from a LONG (custom ASN.1 type, mapping to a C long) to an INT32
(new custom ASN.1 type, mapping to a C int32).
(no, we don't want to go back to using LONG)

Cheers,
Richard

In message on Thu, 6 Sep 2018 23:41:59 +0100, Matt Caswell said:

> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really only 4 issues currently being addressed:
>
> #7145 SipHash: add separate setter for the hash size
>
> Owner: Richard
> Awaiting review (CIs are failing)
>
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7139 Remove a reference to SSL_force_post_handshake_auth()
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
>
> Owner: Matt
> Awaiting review. Anyone?
>
> There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRs. The remaining 2 are:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OP's issue
>
> #7133 X509_sign SIGSEGVs with NULL private key
>
> Should be an easy fix
>
> Matt
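The encoding difference Richard describes above (a zero version field written as 02 00 instead of 02 01 00, and a reader that stopped accepting the former once the field moved from LONG to INT32, which is also the root of the "regression only in 1.1.1, bug also in 1.1.0" explanation further up the thread) is easiest to see with a small standalone decoder. The following is an added example written for this page; it is not OpenSSL's ASN.1 code and does not reproduce PR #7144. It assumes a simplified DER INTEGER reader that handles short-form lengths only, a hypothetical accept_empty flag standing in for the legacy-LONG leniency the PR wants INT32/INT64 to regain, and constructed sample bytes (legacy_version_key, proper_version_key) shaped like the start of an RSAPrivateKey SEQUENCE rather than real keys:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcomes of decoding one DER INTEGER; negative values are failures. */
enum der_int_result {
    DER_INT_OK = 0,
    DER_INT_TRUNCATED = -1,   /* not enough bytes for tag, length or content */
    DER_INT_BAD_TAG = -2,     /* tag is not 0x02 (INTEGER) */
    DER_INT_EMPTY = -3,       /* zero-length INTEGER: the bytes 02 00 */
    DER_INT_NOT_MINIMAL = -4, /* redundant leading 0x00 or 0xFF byte */
    DER_INT_TOO_LARGE = -5    /* more than 4 content bytes: not an int32 */
};

/*
 * Decode the DER INTEGER at p (len bytes available) into an int32_t and
 * report how many bytes it occupied. Only short-form lengths (under 128
 * content bytes) are handled, which is all an int32 field can need.
 *
 * accept_empty == 0: strict, 02 00 is rejected with DER_INT_EMPTY.
 * accept_empty != 0: 02 00 is read as zero, the lenient behaviour the
 * legacy LONG type had and that #7144 proposes for INT32/INT64.
 * (accept_empty is this example's own flag, not an OpenSSL API.)
 */
int der_read_int32(const uint8_t *p, size_t len, int accept_empty,
                   int32_t *out, size_t *consumed)
{
    if (len < 2)
        return DER_INT_TRUNCATED;
    if (p[0] != 0x02)
        return DER_INT_BAD_TAG;
    if (p[1] & 0x80)
        return DER_INT_TRUNCATED;        /* long-form length: not handled */
    size_t clen = p[1];
    if (len - 2 < clen)
        return DER_INT_TRUNCATED;

    const uint8_t *c = p + 2;
    if (clen == 0) {
        if (!accept_empty)
            return DER_INT_EMPTY;
        *out = 0;
        *consumed = 2;
        return DER_INT_OK;
    }
    /* DER forbids a leading byte that merely repeats the sign bit. */
    if (clen > 1 && ((c[0] == 0x00 && !(c[1] & 0x80)) ||
                     (c[0] == 0xFF && (c[1] & 0x80))))
        return DER_INT_NOT_MINIMAL;
    if (clen > 4)
        return DER_INT_TOO_LARGE;

    /* Sign-extend from the first content byte, then shift the rest in. */
    uint32_t u = (c[0] & 0x80) ? 0xFFFFFFFFu : 0u;
    for (size_t i = 0; i < clen; i++)
        u = (u << 8) | c[i];
    memcpy(out, &u, sizeof(*out));       /* two's-complement reinterpretation */
    *consumed = 2 + clen;
    return DER_INT_OK;
}

/*
 * Encode v as a minimal DER INTEGER into buf (at least 6 bytes). Zero is
 * written as 02 01 00, never 02 00. Returns the number of bytes written.
 */
size_t der_write_int32(int32_t v, uint8_t *buf)
{
    uint8_t be[4];
    uint32_t u;
    memcpy(&u, &v, sizeof(u));
    for (int i = 3; i >= 0; i--) {       /* big-endian two's complement */
        be[i] = (uint8_t)(u & 0xFF);
        u >>= 8;
    }
    size_t start = 0;                    /* strip pure sign-extension bytes */
    while (start < 3 &&
           ((be[start] == 0x00 && !(be[start + 1] & 0x80)) ||
            (be[start] == 0xFF && (be[start + 1] & 0x80))))
        start++;
    size_t clen = 4 - start;
    buf[0] = 0x02;
    buf[1] = (uint8_t)clen;
    memcpy(buf + 2, be + start, clen);
    return 2 + clen;
}

/*
 * Read the version field of a structure shaped like RSAPrivateKey,
 * SEQUENCE { version INTEGER, ... }: only the outer header and the first
 * element are examined. Returns a der_int_result code.
 */
int read_key_version(const uint8_t *key, size_t len, int accept_empty,
                     int32_t *version)
{
    size_t used;
    if (len < 2 || key[0] != 0x30 || (key[1] & 0x80))
        return DER_INT_BAD_TAG;
    size_t inner = key[1];
    if (len - 2 < inner)
        return DER_INT_TRUNCATED;
    return der_read_int32(key + 2, inner, accept_empty, version, &used);
}

/* Constructed sample inputs, not real keys: a SEQUENCE whose first INTEGER
 * is the version encoded the old way (02 00) and the proper way (02 01 00). */
const uint8_t legacy_version_key[] = { 0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x05 };
const uint8_t proper_version_key[] = { 0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x05 };
```

In strict mode read_key_version rejects the legacy bytes with DER_INT_EMPTY while accepting the proper encoding; with accept_empty set, both read as version 0, which is the backward-compatible behaviour the thread is arguing for. der_write_int32 shows the other half: a writer that emits the minimal encoding always produces 02 01 00 for zero, so once the writer is correct the problem stops being created for future readers. The decoder still enforces DER's minimality rule (no redundant leading 0x00/0xFF), because 02 00 is only one way an INTEGER can be malformed, and a lenient reader should accept exactly the historical malformation it has a documented reason to accept, not malformed input in general.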
Re: [openssl-project] Release Criteria Update
PR for 7133 submitted.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

From: Tim Hudson [mailto:t...@cryptsoft.com]
Sent: Friday, 7 September 2018 8:51 AM
To: openssl-project@openssl.org
Subject: Re: [openssl-project] Release Criteria Update

All PRs except #7145 now reviewed and marked ready.

Tim

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell <m...@openssl.org> wrote:

We currently have 8 1.1.1 PRs that are open. 3 of which are in the
"ready" state. There are 2 which are alternative implementations of the
same thing - so there are really only 4 issues currently being addressed:

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting review (CIs are failing)

#7141 Ensure certificate callbacks work correctly in TLSv1.3

Owner: Matt
Trivial change. Awaiting review

#7139 Remove a reference to SSL_force_post_handshake_auth()

Owner: Matt
Trivial change. Awaiting review

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
Alternative implementation for #7058

Owner: Matt
Awaiting review. Anyone?

There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
PRs. The remaining 2 are:

#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

We thought we had a fix for this, but the PR in question does not seem
to have solved the OP's issue

#7133 X509_sign SIGSEGVs with NULL private key

Should be an easy fix

Matt
Re: [openssl-project] Release Criteria Update
All PRs except #7145 now reviewed and marked ready.

Tim

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell wrote:
> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really only 4 issues currently being addressed:
>
> #7145 SipHash: add separate setter for the hash size
>
> Owner: Richard
> Awaiting review (CIs are failing)
>
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7139 Remove a reference to SSL_force_post_handshake_auth()
>
> Owner: Matt
> Trivial change. Awaiting review
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
>
> Owner: Matt
> Awaiting review. Anyone?
>
> There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRs. The remaining 2 are:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OP's issue
>
> #7133 X509_sign SIGSEGVs with NULL private key
>
> Should be an easy fix
>
> Matt
[openssl-project] Release Criteria Update
We currently have 8 1.1.1 PRs that are open. 3 of which are in the
"ready" state. There are 2 which are alternative implementations of the
same thing - so there are really only 4 issues currently being addressed:

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting review (CIs are failing)

#7141 Ensure certificate callbacks work correctly in TLSv1.3

Owner: Matt
Trivial change. Awaiting review

#7139 Remove a reference to SSL_force_post_handshake_auth()

Owner: Matt
Trivial change. Awaiting review

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
Alternative implementation for #7058

Owner: Matt
Awaiting review. Anyone?

There are 5 1.1.1 issues open - 3 of which should be solved by outstanding
PRs. The remaining 2 are:

#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

We thought we had a fix for this, but the PR in question does not seem
to have solved the OP's issue

#7133 X509_sign SIGSEGVs with NULL private key

Should be an easy fix

Matt
Re: [openssl-project] Release Criteria Update
> On Sep 6, 2018, at 6:25 PM, Matt Caswell wrote:
>
> I'm not keen on that. What do others think?

No objections to issuing a release. We're unlikely to have to change
the API/ABI or feature set based on further beta feedback. Any late
bugs can be fixed in 1.1.1a, and unless they trigger CVEs, there's no
compelling reason to wait.

Barring specific concerns, I am not opposed to release as planned.

--
Viktor.
Re: [openssl-project] Release Criteria Update
We need to get this release out and available - there are a lot of
people waiting on the "production" release - and who won't go forward on
a beta (simple fact of life there).

I don't see the outstanding items as release blockers - and they will be
wrapped up in time.

Having the release date as a drive I think helps for a lot of focus -
and more stuff has gone into 1.1.1 than we originally anticipated
because we held it open waiting on TLSv1.3 finalisation.

So a +1 for keeping to the release date.

Tim.

On Fri, Sep 7, 2018 at 8:25 AM, Matt Caswell wrote:
>
> On 06/09/18 17:32, Kurt Roeckx wrote:
> > On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> >> Current status of the 1.1.1 PRs/issues:
> >
> > Since we did make a lot of changes, including things that
> > applications can run into, would it make sense to have another
> > beta release?
>
> I'm not keen on that. What do others think?
>
> Matt
Re: [openssl-project] Release Criteria Update
On 06/09/18 17:32, Kurt Roeckx wrote:
> On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
>> Current status of the 1.1.1 PRs/issues:
>
> Since we did make a lot of changes, including things that
> applications can run into, would it make sense to have another
> beta release?

I'm not keen on that. What do others think?

Matt
Re: [openssl-project] Release Criteria Update
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> Current status of the 1.1.1 PRs/issues:

Since we did make a lot of changes, including things that
applications can run into, would it make sense to have another
beta release?

Kurt
Re: [openssl-project] Release Criteria Update
On Wed, Sep 05, 2018 at 06:04:08PM -0500, Benjamin Kaduk wrote:
> On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote:
> > Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
> > are the same as yesterday. The 1 that was marked as "ready" yesterday
> > has now been merged, and a new PR addressing issue #7014 has been opened.
> >
> > There are still 2 open issues for 1.1.1 but both of these are now being
> > addressed by one of the open PRs.
> >
> > That means there are still 4 "critical path" PRs open:
> >
> > #7115 Restore historical SSL_get_servername() behavior
> >
> > Updates made following earlier review. Ready for another round of reviews??
> > Owner: Ben.
>
> I believe it's ready for another round of reviews, yes.
> Do we think we want to wait for confirmation from @MSP-Greg?

I see that Matt has marked this one as Ready. I'm going to be "on a
plane" (not exactly, but effectively so) for the next 9-ish hours and am
not confident that I'll be able to merge it until tomorrow.

I also see that the original reporter is still not having success; is
anyone in a position to try to set up those Ruby EventMachine tests
(it's unclear if it needs to be on windows or not)?

-Ben
Re: [openssl-project] Release Criteria Update
On Thu, Sep 6, 2018 at 8:59 AM, Matt Caswell wrote:
> #7113 An alternative to address the SM2 ID issues
> (an alternative to the older PR, #6757)
>
> Updates made following earlier review. Awaiting another round of reviews.
> Owner: Paul Yang

All the previous comments have been addressed. I noted two missing
SM2err calls on malloc failure and a typo in SM2.pod. I've approved it
conditional on those being fixed.

Tim.
Re: [openssl-project] Release Criteria Update
On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote:
> Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
> are the same as yesterday. The 1 that was marked as "ready" yesterday
> has now been merged, and a new PR addressing issue #7014 has been opened.
>
> There are still 2 open issues for 1.1.1 but both of these are now being
> addressed by one of the open PRs.
>
> That means there are still 4 "critical path" PRs open:
>
> #7115 Restore historical SSL_get_servername() behavior
>
> Updates made following earlier review. Ready for another round of reviews??
> Owner: Ben.

I believe it's ready for another round of reviews, yes.
Do we think we want to wait for confirmation from @MSP-Greg?

-Ben
Re: [openssl-project] Release Criteria Update
Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
are the same as yesterday. The 1 that was marked as "ready" yesterday
has now been merged, and a new PR addressing issue #7014 has been opened.

There are still 2 open issues for 1.1.1 but both of these are now being
addressed by one of the open PRs.

That means there are still 4 "critical path" PRs open:

#7115 Restore historical SSL_get_servername() behavior

Updates made following earlier review. Ready for another round of reviews??
Owner: Ben.

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
(an alternative to the older PR, #7058)

Currently in review. Awaiting some updates following review feedback.
Owner: Matt.

#7113 An alternative to address the SM2 ID issues
(an alternative to the older PR, #6757)

Updates made following earlier review. Awaiting another round of reviews.
Owner: Paul Yang

#7073 Support EdDSA in apps/speed

Updates made following earlier review. Awaiting another round of reviews.
Owner: Paul Yang

Matt

On 04/09/18 17:11, Matt Caswell wrote:
> Current status of the 1.1.1 PRs/issues:
>
> There are currently 6 open PRs for 1.1.1. However in 2 cases there are 2
> alternative implementations for the same thing - so really there are
> only 4 issues being addressed. One of these is in the "ready" state.
>
> The remaining 3 are:
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> (an alternative to the older PR, #7058)
>
> Awaiting review
> Owner: Matt
>
> #7113 An alternative to address the SM2 ID issues
> (an alternative to the older PR, #6757)
>
> Currently being reviewed
> Owner: Paul Yang
>
> #7073 Support EdDSA in apps/speed
>
> Awaiting updates following review comments
> Owner: Paul Yang
>
> There are 2 open issues for 1.1.1. One of these is being addressed by
> PR#7073 above. The other one is:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> This one seems stuck!! No clear way forward as yet.
>
> Ben - any views?
>
> Matt
Re: [openssl-project] Release Criteria Update
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> There are 2 open issues for 1.1.1. One of these is being addressed by
> PR#7073 above. The other one is:
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> This one seems stuck!! No clear way forward as yet.
>
> Ben - any views?

I'm thinking that the ABI stability argument is going to win me over and
we should continue to return the client's offered SNI in all cases until
1.2.0. Hoping to get a patch out this morning (US pacific) -- yesterday
was a national holiday.

-Ben
[openssl-project] Release Criteria Update
Current status of the 1.1.1 PRs/issues:

There are currently 6 open PRs for 1.1.1. However in 2 cases there are 2
alternative implementations for the same thing - so really there are
only 4 issues being addressed. One of these is in the "ready" state.

The remaining 3 are:

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
(an alternative to the older PR, #7058)

Awaiting review
Owner: Matt

#7113 An alternative to address the SM2 ID issues
(an alternative to the older PR, #6757)

Currently being reviewed
Owner: Paul Yang

#7073 Support EdDSA in apps/speed

Awaiting updates following review comments
Owner: Paul Yang

There are 2 open issues for 1.1.1. One of these is being addressed by
PR#7073 above. The other one is:

#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

This one seems stuck!! No clear way forward as yet.

Ben - any views?

Matt