Monthly Status Report (February 2022)
My key activities this month were:

- triage of newly reported issues, investigating bugs, and responding to questions
- participation in the meetings
- cooperation with Mark and Tim on the hiring process
- onboarding of Daniel Fiala
- studied QUIC implementations (ngtcp2, msquic)
- reviews of various PRs:
  - I've reviewed about 60 PRs this month
  - Notable PRs reviewed:
    - add SSL_get0_iana_groups() & SSL_client_hello_get_extension_order() #16910
    - Fix EVP todata and fromdata when used with selection of EVP_PKEY_PUBLIC_KEY #17200
    - evp cipher: cache key and IV lengths in the context #17543
    - Tests for do_updatedb (Issue 13944), alternate suggestion #17645
- submitted 4 PRs:
  - In particular:
    - Replace size check with more meaningful pubkey check #17630
    - Test the FIPS provider from openssl-3.0 branch with the master and vice versa #17671
    - Add back check for the DH public key size #17678

I took 4 days of vacation in February.

--
Tomáš Mráz, OpenSSL
Monthly Status Report (February)
As well as normal reviews, attending regular OMC and OTC meetings, attending daily stand up meetings, responding to user queries, wiki user requests, OMC business, sys-admin, support customer issues, CLA submissions, handling security reports, etc., key activities this month:

- Worked on Proof of Concept for an SSL compatibility layer
- Reviewed the proposed documentation policy
- Reviewed the TCP Fast Open Submission
- Investigated a tsan error report
- Completed a proof-of-concept SSL compatibility layer using a toy protocol
- Investigated two different third party QUIC libraries for a proof of concept/learning purposes
- Fixed a compilation problem with "no-deprecated --api=1.1.1"
- Investigated a strange fragmentation problem with max_fragment_length=4096
- Wrote two test client applications using two different third party QUIC libraries
- Updated the OTC requirements doc to include additional requirements, and split out the MVP requirements
- Wrote a strawman proposal for the QUIC SSL API
- Started the vote on the next LTS release
- Attended a workshop to discuss the QUIC SSL API
- Further refinement of the QUIC SSL API proposal
- Investigated some DTLS design deficiencies to feed into the SSL API proposal
- Wrote a demo client using the proposed QUIC SSL API
- Raised a PR to fix addrev to adhere to the new review rules
- Proposed an update to the commit hooks to adhere to the new review rules
- Performed 1.0.2zc release
- Investigated and fixed a 1.0.2 bug
- Set up a new committer
- Took part in sprint planning for the two sprints started during this month
- Reviewed Spectre issues
- Started onboarding process for the new developer

Matt
Late Monthly Status Report (February 2021)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:

  - [not_yet_closed] Lack of verbosity in verbose test display (environment variables) (Issue openssl/openssl#12024)
  - EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() (PR openssl/openssl#13341)
  - ERR: drop function code macro generation (PR openssl/openssl#13392)
  - Remove the old DEPRECATEDIN macros (PR openssl/openssl#13461)
  - appveyor.yml: clarify conditions for building the plain configuration (PR openssl/openssl#13537)
  - VMS documentation fixes [1.1.1] (PR openssl/openssl#13834)
  - VMS documentation fixes [master] (PR openssl/openssl#13835)
  - EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs (PR openssl/openssl#13913)
  - EVP: Don't find standard EVP_PKEY_METHODs automatically (PR openssl/openssl#13973)
  - [WIP] X509: Refactor X509_PUBKEY processing to include provider side keys (PR openssl/openssl#13994)
  - PROV: Add SM2 encoders and decoders, as well as support functionality (PR openssl/openssl#14028)
  - PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID (PR openssl/openssl#14030)
  - Allow the sshkdf type to be passed as a single character (PR openssl/openssl#14035)
  - CORE & PROV: clean away OSSL_FUNC_mac_size() (PR openssl/openssl#14048)
  - TEST: Add an algorithm ID tester for libcrypto vs provider (PR openssl/openssl#14049)
  - Dirty count for provider native keys + cleanup (PR openssl/openssl#14056)
  - DOCS: Update the internal documentation on EVP_PKEY. (PR openssl/openssl#14059)
  - dev/release.sh: Fix typo (PR openssl/openssl#14061)
  - DOCS: Remove the "global" dependency on writing .pod files from .pod.in (PR openssl/openssl#14067)
  - configdata.pm: Better display of enabled/disabled options (PR openssl/openssl#14081)
  - Configuration: ensure that 'no-tests' works correctly (PR openssl/openssl#14082)
  - Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries (PR openssl/openssl#14152)
  - OSSL_PARAM: Correct the assumptions on the UTF8 string length (PR openssl/openssl#14168)
  - Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() (PR openssl/openssl#14196)
  - TEST: Add missing initialization (PR openssl/openssl#14204)
  - [not_yet_closed] It would be nice to have internal libcrypto routines to query the defined algorithm properies (Issue openssl/openssl#14217)
  - DECODER: Use the data structure from the last decoder to select the next (PR openssl/openssl#14233)
  - Generate doc/build.info with 'make update' rather than on the fly (PR openssl/openssl#14269)
  - util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() (PR openssl/openssl#14270)
  - X509: Refactor X509_PUBKEY processing to include provider side keys (PR openssl/openssl#14281)
  - Make i2d_PublicKey() work with provider side EC EVP_PKEYs (PR openssl/openssl#14291)
  - Makefile: Only update doc/build.info when there's an actual change (PR openssl/openssl#14309)

* Web:

  - Fix bin/mk-manpages3 to handle spurious & in the description (PR openssl/web#214)

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Monthly Status Report (February 2021)
My key activities this month were:

- triage of newly reported issues and responding to questions
- participation in the meetings
- reviews of various PRs:
  - I've reviewed about 70 PRs this month
  - Major PRs reviewed:
    - 3.0 alpha 12 release review
    - PROV: Add SM2 encoders and decoders, as well as support functionality #14028
    - test/recipes: split 81_test_cmp_cli.t, add test using -engine loader_attic #13551
    - Refactor x509_vfy.c for code cleanup #13070
    - Remove compile time algorithm checks from libssl #13916
    - Deprecate SRP #14132
    - OSSL_PARAM: Correct the assumptions on the UTF8 string length #14168
    - Add EVP_PKEY_public_check_quick. #14206
    - EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs #13913
    - Add context gettable and settable calls #14240
    - Make i2d_PublicKey() work with provider side EC EVP_PKEYs #14291
- submitted 18 PRs:
  - In particular:
    - speed: Always use the EVP APIs for speed measurements #14228
    - Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() #14279
    - Various cleanups related to EVP_PKEY_CTX_ctrl related TODOs #14290
    - EVP_PKEY_CTX_get/settable_params: pass provider operation context #14338
    - Deprecate BN_pseudo_rand() and BN_pseudo_rand_range() #14080
    - Make PROV_R_ reason codes public and do some cleanup of them #14086
    - dsa_check: Perform simple parameter check if seed is not available #14148
    - Rename OSSL_ENCODER_CTX_new_by_EVP_PKEY and OSSL_DECODER_CTX_new_by_EVP_PKEY #14155

Tomas
Monthly Status Report (February)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month:

- Completed and pushed the PR to remove compile time algorithm checks from libssl
- Removed some TODO(OpenSSL1.2) references
- Removed a DSA related TODO
- Created a patch for the CipherUpdate overflow issue (CVE-2021-23840)
- Wrote the security advisory for CVE-2021-23839/CVE-2021-23840/CVE-23841
- Deprecated the SRP APIs
- Sprint planning for the Hydrogen sprint
- Created a patch for the X509_issuer_and_serial_hash() issue (CVE-2021-23841)
- Managed and performed the 1.1.1j and 1.0.2y security releases
- Fixed "openssl dhparam -check"
- Investigated memory allocation issue in OPENSSL_cleanup()
- Fixed issues with the pem2der decoder where the type of thing we are loading could be forgotten when moving to the next decoder in the chain.
- PR to duplicate the file and func error string to avoid a crash where a provider gets unloaded with errors still on the stack
- Added documentation for all the remaining symbols that have been added since 1.1.1 but were still undocumented
- Performed the alpha12 release
- Fixed mingw build failure
- Fixed an issue where a lock was held in ossl_namemap_doall_names while calling a user callback
- Sprint planning for the Helium sprint
- Implemented PR to cache legacy keys in an EVP_PKEY instead of downgrading it
- Significant ongoing work to investigate 1.1.1 test failures when run against the 3.0 libraries

Matt
Late Monthly Status Report (February 2020)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development

  - PROV: add RSA signature implementation (PR openssl/openssl#10557)
  - Disable devcryptoeng on newer OpenBSD versions [1.1.1] (PR openssl/openssl#10565)
  - EVP: Adapt EVP_PKEY checking, comparing and copying for provider keys (PR openssl/openssl#10807)
  - DOC: document in more detail what a BIO_read_ex() via BIO_f_buffer() does (PR openssl/openssl#10890)
  - Refactor SM2 (PR openssl/openssl#10942)
  - Decentralize legacy_ctrl_str_to_param() (PR openssl/openssl#10947)
  - config: ensure the perl Configure run is the last statement (PR openssl/openssl#10953)
  - EVP: Small refactor of keymgmt library code (PR openssl/openssl#10963)
  - DOC: Add documentation related to X509_LOOKUPs (PR openssl/openssl#10986)
  - Redesign the KEYMGMT libcrypto <-> provider interface (PR openssl/openssl#11006)
  - EVP: Adapt EVP_PKEY checking, comparing and copying for provider keys, take 2 (PR openssl/openssl#11025)
  - Configure: Add easy to use disabled deprecated functionality indicators (PR openssl/openssl#11027)
  - PROV: Ensure the AlgorithmIdentifier registers in DSA signature impl (PR openssl/openssl#11037)
  - X509_PUBKEY_set(): Fix memory leak (PR openssl/openssl#11038)
  - test/recipes/80-test_ssl_old.t: use 'openssl genpkey' (PR openssl/openssl#11041)
  - Make util/find-doc-nits runnable from the build tree (PR openssl/openssl#11045)
  - Refactor OSSL_PARAM_allocate_from_text() for better flexibility (PR openssl/openssl#11046)
  - Add OSSL_SERIALIZER_PUBKEY_TO_DER_PQ and friends (PR openssl/openssl#11055)
  - Adapt i2d_PrivateKey for provider only keys (PR openssl/openssl#11056)
  - Document OSSL_SERIALIZER_PUBKEY_TO_DER_PQ and friends (PR openssl/openssl#11071)
  - Refactor evp_pkey_make_provided() to do legacy to provider export (PR openssl/openssl#11074)
  - Adapt i2d_PUBKEY for provider only keys (PR openssl/openssl#11078)
  - TEST: Create test specific output directories (PR openssl/openssl#11080)
  - include/openssl/whrlpool.h: correct unbalanced deprecation guards (PR openssl/openssl#11087)
  - Fix VMS build [1.1.1 only] (PR openssl/openssl#11088)
  - PROV: Build the main FIPS module code with FIPS_MODE defined (PR openssl/openssl#11090)
  - TEST: add util/wrap.pl and use it #0 (PR openssl/openssl#0)
  - Rethink the EVP_PKEY cache of provider side keys (PR openssl/openssl#11148)
  - VMS: mitigate for the C++ compiler that doesn't understand certain pragmas (PR openssl/openssl#11159)
  - Deprecate ASN1_sign(), ASN1_verify() and ASN1_digest() (PR openssl/openssl#11161)
  - Fix util/mktar.sh to use the new VERSION information (PR openssl/openssl#11190)

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Monthly Status Report (February)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:

- Fixed no-ec builds
- Fixed no-multiblock
- Completed work on moving X25519/X448 to the default provider
- Fixed no-tls1_3
- Fixed no-sm2
- Completed work making libssl provider aware
- Fixed issue with running GOST engine in a no-deprecated build
- Fixed issue where we were attempting to compile AESNI code even if we weren't AESNI capable
- Completed work to make RSA_ASYM_CIPHER implementation available inside the FIPS provider
- Fixed no-engine builds
- Attended the RSA Conference 2020
- Prepared for and gave a talk at RSA Conference on OpenSSL and FIPS
- Fixed no-des
- Fixed a mem leak in libssl
- Implemented serializers for X25519/X448
- Introduced the "provider" property
- Contributed to and published the QUIC blog
- Added all the *.d.tmp files to .gitignore

Matt
Monthly Status Report (February)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:

- Worked with Richard to publish the Design and Strategy documents and wrote a blog post about them
- Created a PR to rewrite SSL_dup
- Made OPENSSL_malloc_init() a no-op
- Significant review time looking at new PRs related to 3.0/FIPS
- Attended regular FIPS sponsor call meetings
- Fixed the issue relating to post-handshake message exchange signalling using SSL_CB_HANDSHAKE_START in the info callback
- Fixed an issue to allow more than 32 KeyUpdates per connection
- Significant review time on the Kernel TLS receive side PR
- Significant review time on the CMP PR
- Significant review time on the "const" PR
- Fixed an issue which allowed interleaving of handshake and other record types in TLSv1.3
- Co-ordinated updates to the release strategy to introduce the new stability policy
- Investigated and fixed intermittent failures in ecdsatest
- Fixed rel=canonical issue on the website
- Fixed no-stdio
- Fixed an EVP_KDF_CTX leak on error found by Coverity
- Performed the release of 1.1.1b and 1.0.2r
- Fixed the aes128_cbc_hmac_sha1 cipher in the dasync engine
- Fixed issue in bn_cmp_words
- Published details about the extended support option for 1.0.2
- Fixed no-ec, no-sm2 and no-sm3

Matt
[openssl-project] Monthly Status Report (February)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:

- Performed both the alpha1 and alpha2 1.1.1 releases
- Completed work on the primitives, EVP layer and TLS implementation for X448 and Ed448.
- Updated the TLSv1.3 blog post on the latest information
- Implemented a PR for solving the issue where legacy ciphersuite configuration can end up disabling all TLSv1.3 ciphersuites leading to connection failures.
- Fixed some documentation issues with Middlebox compat mode
- Enabled TLSv1.3 by default
- Fixed various no- options (no-nextprotoneg, no-chacha, no-poly1305, no-tls1_2)
- Resolved an issue where the Finished MAC was being calculated twice
- Fixed an interoperability issue due to overestimating the ticket age by up to 1s
- Reviewed a lot of the outstanding Coverity issues and implemented fixes for a number of them
- Updates for TLSv1.3 draft-24
- Investigated and fixed an issue in TLSProxy where a spurious additional byte was being sent
- Investigated issues associated with a crash in the ca app (there is some ongoing work associated with this issue).
- Currently working on improving the EVP API for curves 25519 and 448.
- Performed some interoperability testing (mainly focused on X448/Ed448) with a few other implementations and fixed some issues as a result

Matt

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project