Re: Issues and pull requests are largely getting ignored

2019-03-26 Thread Benjamin Kaduk
On Tue, Mar 26, 2019 at 02:20:28PM +0100, Kurt Roeckx wrote: > On Tue, Mar 26, 2019 at 09:53:22AM +, Matt Caswell wrote: > > > > So the real problem there is a mismatch between the opening rate and the > > closing > > rate, i.e. it is NOT that we are ignoring these issues. I see it more as a

Re: Thoughts on OSSL_ALGORITHM

2019-03-23 Thread Benjamin Kaduk
I also like the provider data approach. -Ben On Sat, Mar 23, 2019 at 09:11:23AM +1000, Dr Paul Dale wrote: > I’ve no issue having a provider data field there. It will be useful for more > than just this (S390 AES e.g. holds data differently to other > implementations). > > I also don’t think

Re: [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-14 Thread Benjamin Kaduk
On Wed, Feb 13, 2019 at 03:28:30PM -0500, Michael Richardson wrote: > > Matt Caswell wrote: > > Please see my blog post for an OpenSSL 3.0 and FIPS Update: > > > https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/ > > Thank you, it is very useful to have these plans made up

Re: [openssl-project] Proposed vote text for the SSL_CB_HANDSHAKE_START change

2019-01-30 Thread Benjamin Kaduk
On Wed, Jan 30, 2019 at 09:02:30AM +0100, Kurt Roeckx wrote: > On Tue, Jan 29, 2019 at 02:07:09PM +, Matt Caswell wrote: > > So I plan to start the vote soon for merging PR#8096 and backporting it to > > 1.1.1. This is a breaking change as previously discussed. > > > > My proposed vote text

Re: [openssl-project] Proposed vote text for the SSL_CB_HANDSHAKE_START change

2019-01-29 Thread Benjamin Kaduk
On Tue, Jan 29, 2019 at 01:27:24PM -0600, David Benjamin wrote: > On Tue, Jan 29, 2019 at 11:31 AM Kurt Roeckx wrote: > > > On Tue, Jan 29, 2019 at 02:07:09PM +, Matt Caswell wrote: > > > So I plan to start the vote soon for merging PR#8096 and backporting it > > to > > > 1.1.1. This is a

Re: [openssl-project] inline functions

2019-01-28 Thread Benjamin Kaduk
On Mon, Jan 28, 2019 at 07:10:55AM +0100, Richard Levitte wrote: > On Mon, 28 Jan 2019 06:17:35 +0100, > Dr Paul Dale wrote: > > Richard wrote: > > > > Not really, since they are static inline. This is by design, that for > > any file you want to use > > a safestack in, you just start

Re: [openssl-project] QUIC, again

2018-11-12 Thread Benjamin Kaduk
Between last time we discussed it and now, waiting seems to have been prudent, as the TLS/QUIC interaction got significantly revamped. The current QUIC drafts have TLS exporting key material and plaintext handshake messages, with QUIC record protection used on the wire and not TLS record

Re: [openssl-project] FYI: [postfix & TLS1.3 problems]

2018-10-11 Thread Benjamin Kaduk
I would guess that the misbehaving clients are early openssl betas that receive the real TLS 1.3 version and then try to interpret as whatever draft versino they actually implemnet. -Ben On Thu, Oct 11, 2018 at 01:18:03PM -0400, Viktor Dukhovni wrote: > > Apparently, some SMTP clients set

Re: [openssl-project] A proposal for an updated OpenSSL version scheme (v2)

2018-09-23 Thread Benjamin Kaduk
On Sat, Sep 22, 2018 at 01:02:29AM -0400, Viktor Dukhovni wrote: > > > > On Sep 22, 2018, at 12:59 AM, Richard Levitte wrote: > > > > So in summary, do we agree on this, and that it's a good path forward? > > > > - semantic versioning scheme good, we should adopt it. > > - we need to agree on

Re: [openssl-project] A proposal for an updated OpenSSL version scheme (v2)

2018-09-23 Thread Benjamin Kaduk
On Sat, Sep 22, 2018 at 01:12:21AM -0400, Viktor Dukhovni wrote: > > > > On Sep 22, 2018, at 12:50 AM, Tim Hudson wrote: > > > > The impact of the breaking change on anyone actually following our > > documented encoding cannot. > > i.e. openssh as one example Richard pointed out. > > The

Re: [openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)

2018-09-09 Thread Benjamin Kaduk
penssl/openssl/pull/7158 > > *** CID 1201571: Error handling issues (CHECKED_RETURN) > todo > > if anybody wants to fix one of the CIDs marked 'todo', no problem. Just drop > a note on the openssl-project list. > > Matthias > > > > -Ursprüng

[openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)

2018-09-09 Thread Benjamin Kaduk
I see that Matthias has opened pull requests for a couple of these already; are you planning to work through the rest of them as well? -Ben On Sun, Sep 09, 2018 at 09:28:12AM +, scan-ad...@coverity.com wrote: > Hi, > > Please find the latest report on new defect(s) introduced to

Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Benjamin Kaduk
On Wed, Sep 05, 2018 at 06:04:08PM -0500, Benjamin Kaduk wrote: > On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote: > > Today's update is that we still have 6 open PRs for 1.1.1. 5 of these > > are the same as yesterday. The 1 that was marked as "ready" y

Re: [openssl-project] Release Criteria Update

2018-09-05 Thread Benjamin Kaduk
On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote: > Today's update is that we still have 6 open PRs for 1.1.1. 5 of these > are the same as yesterday. The 1 that was marked as "ready" yesterday > has now been merged, and a new PR addressing issue #7014 has been opened. > > There are

Re: [openssl-project] Release Criteria Update

2018-09-04 Thread Benjamin Kaduk
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote: > There are 2 open issues for 1.1.1. One of these is being addressed by > PR#7073 above. The other one is: > > #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of > 18-Aug) > > This one seems stuck!! No clear way

Re: [openssl-project] Late thoughts on the 1.1.1 release - are we fooling ourselves?

2018-08-17 Thread Benjamin Kaduk
On Fri, Aug 17, 2018 at 06:39:54PM +0200, Richard Levitte wrote: > In message <20180817162909.ga10...@roeckx.be> on Fri, 17 Aug 2018 18:29:09 > +0200, Kurt Roeckx said: > > kurt> On Fri, Aug 17, 2018 at 01:55:13PM +0200, Richard Levitte wrote: > kurt> > Personally, I see this as a showstopper

Re: [openssl-project] Speaking of broken master, have a look at Travis

2018-07-24 Thread Benjamin Kaduk
On Tue, Jul 24, 2018 at 08:34:28PM +0200, Kurt Roeckx wrote: > On Tue, Jul 24, 2018 at 07:54:58PM +0200, Richard Levitte wrote: > > ... > > go test: FAILED (ServerNameExtensionServer-TLS1) > > go test: unexpected failure: local error 'read tcp4 > > 127.0.0.1:41729->127.0.0.1:60574:

Re: [openssl-project] To distribute just the repo file, or the result of 'make dist'?

2018-07-24 Thread Benjamin Kaduk
On Tue, Jul 24, 2018 at 02:28:40PM +0200, Kurt Roeckx wrote: > On Tue, Jul 24, 2018 at 02:08:46PM +0200, Richard Levitte wrote: > > > > The original intention (way back, I think we're even talking SSLeay > > time here, but at the very least pre-1.0.0 time) was to make a tarball > > that can be

[openssl-project] thread-unsafety in SNI handling with SSL_SESSION

2018-07-02 Thread Benjamin Kaduk
Hi folks, https://github.com/openssl/openssl/pull/4519 introduced some thread-unsafe behavior, and we had some discussion on that (closed) PR back in May, which led to the creation of https://github.com/openssl/openssl/pull/6378 . The latter one has languished for a while, partly because I was

Re: [openssl-project] Milestones and the 1.1.1 release

2018-06-26 Thread Benjamin Kaduk
On Tue, Jun 26, 2018 at 07:43:45PM +, Salz, Rich wrote: > That's interesting. Would we put a bugfix in 1.1.0, not put the fix in 1.1.1 > until our first "a" release? > > Or are you saying that if it's in 1.1.0, then we don't have to fix it until > after 1.1.1 comes out? That seems

Re: [openssl-project] Milestones and the 1.1.1 release

2018-06-26 Thread Benjamin Kaduk
On Tue, Jun 26, 2018 at 04:56:26PM +0100, Matt Caswell wrote: > I'm thinking that we should maybe re-asses the current milestones in github. > > We currently use the following milestones: > > Assessed - Anything against this milestone isn't relevant to the 1.1.1 > release (e.g. 1.0.2 specific

Re: [openssl-project] GitHub labels

2018-06-21 Thread Benjamin Kaduk
On Wed, Jun 20, 2018 at 10:29:37PM +0200, Richard Levitte wrote: > In message on Wed, 20 Jun > 2018 19:59:02 +, "Dr. Matthias St. Pierre" > said: > > Matthias.St.Pierre> III) VERSION NUMBER LABELS > Matthias.St.Pierre> > Matthias.St.Pierre> It seems like the version number labels

Re: [openssl-project] To use or not use the iconv API, and to use or not use other libraries

2018-06-07 Thread Benjamin Kaduk
On Thu, Jun 07, 2018 at 05:55:27PM +0200, Andy Polyakov wrote: > > Regarding general use of other libraries, please think carefully before > > voting, 'cause this *is* tricky. If you have a look, you will see that we > > *currently* depend on certain standard libraries, such as, for example, >

Re: [openssl-project] Is Mac a supported platform?

2018-06-01 Thread Benjamin Kaduk
On Fri, Jun 01, 2018 at 06:52:21PM +, Salz, Rich wrote: > Our INSTALL doesn’t mention it. We have config’s for it. I think we should > say we support it and update the various docs. Thoughts? The PR associated with the thread around

Re: [openssl-project] Help deciding on PR 6341 (facilitate reading PKCS#12 objects in OSSL_STORE)

2018-06-01 Thread Benjamin Kaduk
On Fri, Jun 01, 2018 at 12:23:39PM +, Salz, Rich wrote: > >I think that the gist of the difference of opinion is whether it's OK > to use locale dependent functions such as mbstowcs in libcrypto or > not. > > > Thanks for the summary. > > I am against use locale-dependent

Re: [openssl-project] build/test before merging

2018-05-23 Thread Benjamin Kaduk
On Wed, May 23, 2018 at 03:12:30PM +, Dr. Matthias St. Pierre wrote: > > So do you guys use the ghmerge script or own procedures? I'm curious. > > At the beginnning, I tried to use ghmerge but it was not flexible > enough for my needs. In particular, it only gives me the choice > between

Re: [openssl-project] build/test before merging

2018-05-22 Thread Benjamin Kaduk
On Wed, May 23, 2018 at 12:43:58AM +, Salz, Rich wrote: > > I do the same, but I am reluctant having a script doing it for me using > some fixed recipe... > > >I'm happy doing the build/test manually before merging, too. > > > So do you guys use the ghmerge script or own

Re: [openssl-project] build/test before merging

2018-05-22 Thread Benjamin Kaduk
On Tue, May 22, 2018 at 08:39:21PM -0400, Viktor Dukhovni wrote: > > > > On May 22, 2018, at 8:37 PM, Salz, Rich wrote: > > > > No, I'm sure it does not. I think the safer thing is to do a full build, > > to catch things like make update errors, and such. I also run the

Re: [openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test

2018-04-28 Thread Benjamin Kaduk
On Tue, Apr 24, 2018 at 10:21:28AM -0400, Viktor Dukhovni wrote: > > > > On Apr 24, 2018, at 9:29 AM, Benjamin Kaduk <ka...@mit.edu> wrote: > > > > To be clear, the current draft explicitly says "Servers SHOULD issue > > new tickets wi

Re: [openssl-project] OpenSSL 1.1.1 library(OpenSSL 1.1.0 compile) Postfix to Postfix test

2018-04-24 Thread Benjamin Kaduk
On Mon, Apr 23, 2018 at 09:34:18PM -0400, Viktor Dukhovni wrote: > > > > On Apr 22, 2018, at 9:49 PM, Viktor Dukhovni > > wrote: > > > > - Client-side diagnostics - > > On the server side I see that even when the ticket callback returns "0" to > accept

Re: [openssl-project] The problem of (implicit) relinking and changed behaviour

2018-04-15 Thread Benjamin Kaduk
On Sun, Apr 15, 2018 at 01:49:29PM +0200, Richard Levitte wrote: > In message on Sun, 15 Apr > 2018 13:27:15 +0200, Andy Polyakov said: > > appro> To summarize, failing tests in 110 should be revisited to see if they > appro>

Re: [openssl-project] Proto over ciphers or ciphers over proto? (was: The problem of (implicit) relinking and changed behaviour)

2018-04-15 Thread Benjamin Kaduk
On Sun, Apr 15, 2018 at 12:15:55PM -0400, Viktor Dukhovni wrote: > > > That said, I'm puzzled by the notion of "A certificate that is incompatible > with TLS1.3". A certificate is a certificate, and introducing TLS 1.3 does > not in any change the validity of the certificate, TLS 1.3 did not

Re: [openssl-project] FW: April Crypto Bulletin from Cryptosense

2018-04-06 Thread Benjamin Kaduk
On Fri, Apr 06, 2018 at 04:23:02PM +0200, Andy Polyakov wrote: > > This is one reason why keeping around old assembly code can have a cost. :( > > > > https://github.com/openssl/openssl/pull/5320 > > There is nothing I can add to what I've already said. To quote myself. > "None of what I say

Re: [openssl-project] About PR 5702, etc.

2018-03-29 Thread Benjamin Kaduk
On Thu, Mar 29, 2018 at 12:15:39PM +0200, Richard Levitte wrote: > In message <4e32b364-3ed3-9101-158c-09338f96e...@openssl.org> on Thu, 29 Mar > 2018 11:06:46 +0100, Matt Caswell said: > > matt> How about this for the vote text: > matt> > matt> "Feature changes in 1.1.1

Re: [openssl-project] Code Repo

2018-03-20 Thread Benjamin Kaduk
On Wed, Mar 21, 2018 at 12:27:13AM +1000, Tim Hudson wrote: > We have been holding off on post-1.1.1 feature development for a long time > now - on the grounds that TLSv1.3 was just around the corner etc and the > release was close - and then we formed a release plan which we pushed back > a week.

Re: [openssl-project] DRBGs, threads and locking

2018-03-13 Thread Benjamin Kaduk
On Wed, Mar 14, 2018 at 01:27:47AM +0100, Kurt Roeckx wrote: > My solution is to just have 1 master DRBG, and a public and > private DRBG per thread. The only lock that then is needed is when > the public or private DRBG needs to reseed. All the rest of the > code can stay just as it is, but we

Re: [openssl-project] External contributors and the next release

2018-03-06 Thread Benjamin Kaduk
mean another PR? Yup, I meant #3802, sorry. (tmshort is my team lead at work) > #3958 approved (in case Richard doesn't get back to it) > #1130 approved > #3958 approved Thanks! -Ben > Tim. > > > > On Wed, Mar 7, 2018 at 2:40 PM, Benjamin Kaduk <ka...@mit.edu>

Re: [openssl-project] External contributors and the next release

2018-03-06 Thread Benjamin Kaduk
On Wed, Mar 07, 2018 at 01:20:41AM +, Salz, Rich wrote: > I think we should make sure to set aside time to review as many of the > non-project pull requests as possible. I think it is important to show a > commitment to the larger community. I agree. I started looking at this last week,

Re: [openssl-project] Next release is beta1

2018-03-04 Thread Benjamin Kaduk
On Sun, Mar 04, 2018 at 05:30:32PM +0100, Kurt Roeckx wrote: > On Sun, Mar 04, 2018 at 02:44:01PM +, Salz, Rich wrote: > > I also intend to merge the config file .include PR (5351), and I want us to > > decide about 4848. > > I have to agree that I want to resolv 4848 (reading config file to

Re: [openssl-project] Potentially adding TLS record header to TLS 1.3 AAD

2018-02-26 Thread Benjamin Kaduk
On Mon, Feb 26, 2018 at 12:33:20PM +, Matt Caswell wrote: > > > On 24/02/18 18:57, Benjamin Kaduk wrote: > > Hi all, > > > > There's a pull request open against the TLS 1.3 spec to include the > > record header in the AAD for record protection > > (h

[openssl-project] Potentially adding TLS record header to TLS 1.3 AAD

2018-02-24 Thread Benjamin Kaduk
Hi all, There's a pull request open against the TLS 1.3 spec to include the record header in the AAD for record protection (https://github.com/tlswg/tls13-spec/pull/1158). We're somewhat on the fence about this, with the main advantage seeming to be for DTLS and not plain TLS, but it would

Re: [openssl-project] release tools now in the 'tools' repository

2018-02-03 Thread Benjamin Kaduk
On Sat, Feb 03, 2018 at 11:40:42PM +, Salz, Rich wrote: > We have cleaned up and posted the release tools as part of the tools > repository. Thanks to Richard Levitte for a great deal of feedback and > review. > > I had thought someone opened an issue for this, but I can’t find it; anyone

Re: [openssl-project] Local kid does good

2018-01-30 Thread Benjamin Kaduk
On Tue, Jan 30, 2018 at 04:14:52PM +, Matt Caswell wrote: > > > On 30/01/18 16:13, Salz, Rich wrote: > > One of our own, Ben Kaduk, was just picked to be the Security Area > > co-Director in the IETF! > > Awesome! Well done Ben! Thanks! It does seem likely to imply that I will be spending

[openssl-project] travis builds failing with aligment errors?

2018-01-30 Thread Benjamin Kaduk
It seems that we've started getting issues with a single build configuration, e.g., https://travis-ci.org/openssl/openssl/jobs/335110257 Lots of complaints about alignment, like: crypto/modes/gcm128.c:1090:36: runtime error: load of misaligned address 0x02350ce5 for type 'const size_t' (aka

Re: [openssl-project] Style guide updates

2018-01-27 Thread Benjamin Kaduk
On Fri, Jan 26, 2018 at 01:26:58PM +, Salz, Rich wrote: > Some things I think we should add to the style guide. Let’s discuss here. > > No space after sizeof, use parens. (But see ssl/record/rec_layer_{d1,s3}.c ) > > Multiline conditionals, such as in an if, should be broken before the

Re: [openssl-project] Issues review

2018-01-23 Thread Benjamin Kaduk
On Tue, Jan 23, 2018 at 06:11:50PM +, Matt Caswell wrote: > > > On 23/01/18 18:05, Benjamin Kaduk wrote: > > On Tue, Jan 23, 2018 at 05:51:41PM +, Matt Caswell wrote: > >> > >> > >> On 23/01/18 17:49, Matt Caswell wrote: > >>> I comp

Re: [openssl-project] Issues review

2018-01-23 Thread Benjamin Kaduk
On Tue, Jan 23, 2018 at 05:51:41PM +, Matt Caswell wrote: > > > On 23/01/18 17:49, Matt Caswell wrote: > > I completed my first pass review of all issues. I still need to look at > > PRs. I have put all PRs against a milestone using the following criteria: > > I have put all *issues*