Monthly Status Report (March 2022)

2022-04-01 Thread Tomas Mraz
My key activities this month were:

- triage of newly reported issues, investigating bugs, and responding
  to questions
- participation in the meetings
- cooperation with Mark and Tim on the hiring process
- participation in QUIC design, proposal for congestion control
  pluggable algorithm API
- participation in the CVE-2022-0778 handling including the release
  review

- reviews of various PRs:
  - I've reviewed more than 80 PRs this month
  - Notable PRs reviewed:
    - Add TFO support to socket BIO and s_client/s_server #8962
    - enable CMS sign/verify for provider-implemented PKEYs #17733
    - Add ASYNC_set_mem_functions ASYNC_get_mem_functions #17762
    - adding external oqsprovider testing #17832
    - Add SSL_kDHEPSK and SSL_kECDHEPSK as PFS ciphersuites for
      SECLEVEL >= 3 #17763
    - EVP_MD performance fix (refcount cache contention) #17857
    - Remove statistics tracking from LHASH #17935
    - Decoder resolution performance optimizations #17921

- submitted 15 PRs:
  - In particular:
    - The PRs for all the branches handling CVE-2022-0778
    - Replace handling of negative verification result with
      SSL_set_retry_verify() #17825
    - DH: Make padding always on when X9.42 KDF is used #17859
    - tls_process_server_hello: Disallow repeated HRR #17936
    - Import only named params into FIPS module #17998

-- 
Tomáš Mráz, OpenSSL
Monthly Status Report (March)

2022-04-01 Thread Matt Caswell
As well as normal reviews, attending regular OMC and OTC meetings, 
attending daily stand up meetings, responding to user queries, wiki user 
requests, OMC business, sys-admin, support customer issues, CLA 
submissions, handling security reports, etc., key activities this month:


Wrote the QUIC SSL API proposal
Responded to various feedback on the QUIC SSL API proposal
Updates to the SSL API proposal following OTC review
Proposed and started the vote on new primary platforms
Created an SSL Record layer strawman API proposal
Wrote a draft record layer design document
Handled pre-notification for the security issue
Developed a patch for missing pthread_atfork
Wrote up documentation on how to use ZenHub
Reviewed lots of "New Issues" in ZenHub awaiting triage
Prepared for the 3.0.2/1.1.1n and 1.0.2zd releases
Performed the 3.0.2/1.1.1n and 1.0.2zd releases
Responded to press and other enquiries regarding the release as well as 
other follow ups

Took part in workshops on the SSL record layer proposal
Updated the record layer proposal based on feedback received
Significant review of PR#5257
Updates to the technical requirements document
Investigated a test failure in PR#17936
Reviewed the congestion control design and took part in a congestion 
control workshop

Investigated ZenHub permissions issue for new contractors
Investigated an aarch64 issue resulting in TLSv1.3 failed connections
Reviewed the reference ("demo") client applications and investigated an 
EOF problem and other related issues

Organised some on-boarding related items for the new manager
Investigated a security report (result was "not a CVE")

Matt


Monthly Status Report (March 2022)

2022-04-01 Thread Hugo Landau
Apart from normal business, attending daily standup meetings, attending OTC
meetings, sprint planning meetings, etc., key activities this month:

- Read RFCs 8446 (TLS 1.3), 8999, 9000, 9001, 9002 (QUIC),
draft-ietf-quic-http, draft-ietf-dprive-dnsoquic
- Familiarised with/replied to #17184, #17185, #17253, #17577
(QUIC design issues)
- PR #17782 to fix bug #17736 (openssl req -x509 bug)
- PR #17783 to fix bug #17648 (BN_mod_exp2_mont bug)
- PR #17787 backporting fix for #17648 (BN_mod_exp2_mont bug)
- PR #17788 to fix #17503 (s_server -sendfile KTLS bug)
- Created issue #17789 (docs)
- PR #17790 (manpage typo)
- PR #17793 (EVP demo: SIPHASH) fixing #14121
- PR #17796 (EVP demo: Poly1305) fixing #14122
- PR #17799 (EVP demo: X25519) fixing #14118
- PR #17800 (EVP demo: RSA-PSS direct, hashed) fixing #14113
- Investigated, handled issue #17797 (CMS line ending issue)
- PR #17805 (backport of #17782)
- PR #17803 (EVP demo: XOF SHAKE256) fixing #14106
- (Experimental) PR #17807 rough draft of progress towards fixing #17267
(testing of s_server, s_client)
- Investigated method of fixing #17797 for 1.1
- PR #17808 fixing #13008 for 1.1 (OBJ_nid2obj error reporting)
- PR #17810 documenting bug in 1.1 (CMS -binary)
- Evaluated and responded to QUIC strawman API design (#17184)
- (Superseded) PR #17812 (revert #13906)
- PR #17815 (manpage for SSL_get_certificate, SSL_get_privatekey)
- Investigated feasibility of refactoring launch code out of TLSProxy
- Wrote up thoughts on QUIC connection migration
- Investigated alternative for SSL verification callback retry
- PR #17823 (fix bug using tests without TAP::Parser::Aggregator)
- PR #17824 (EVP demo: RSA keygen) fixing #14111
- PR #17826 (EVP demo: RSA key encode/decode) fixing #14116
- Investigated #17064 (performance issue) and wrote up findings
- PR #17857 implementing partial fix to #17064 (MAC)
- PR #17862 implementing further fix to #17064 (IV length caching)
- Investigated #16791 (msquic slowdown)
- PR #17870 to fix #17869 (signed integer overflow)
- PR #17872 to fix #17871 (signed integer overflow, 1.1)
- PR #17873 to fix bug in scrypt KDF provider
- PR #17881 (refactoring of libctx)
- Created an experimental rebase of quictls fork on master
- Reprofiling of #15199 and investigation of performance fixes
- PR #17912 fixing #17911 (declaration inconsistency)
- PR #17914 fixing #17909 (documentation)
- PR #17915 fixing #17910 (documentation)
- PR #17921 partially fixing #15199 (decoder optimization)
- (Superseded) PR #17931 (performance, LHASH operation counts)
- PR #17935 removing LHASH statistics
- (WIP) PR #17937 deprecating LHASH statistics functions
- Investigated libssl API usage as used by various FOSS projects
- Investigated #17950 (d2i_X509 performance issue)
- Wrote up demo-driven design proposal (#17939)
- Wrote the DDD demos
- Attended record layer design workshop
- Attended congestion control workshop
- PR #17977 fixing #17976 (manpage typo)
- PR #17991 merging DDD demos into OpenSSL repository
- Wrote a DDD blogpost
- Developed and published proposed diffs to DDD demos
- Cleanup of old issues which were still open despite fixes being merged
  (#17089, #17588)
Late Monthly Status Report (March 2021)

2021-05-07 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, small fixes, etc., key activities
this month:

* Development:
  - [not_yet_merged] Configure: add -fkeep-inline-functions to --strict-warnings
(PR openssl/openssl#8955)
  - [not_yet_closed] Propagate the no_store flag + consequences for 
evp_pkey_export_to_provider()
(Issue openssl/openssl#14164)
  - [not_yet_closed] OpenSSL 3.0 currently doesn't build on OpenVMS, adaptation 
needed
(Issue openssl/openssl#14247)
  - EVP_RAND should be renamed to OSSL_RAND
(Issue openssl/openssl#14297)
  - Provider side encoders and decoders need to stop using EVP_PKEY
(Issue openssl/openssl#14306)
  - Stop using EVP_PKEY in encoders and decoders
(PR openssl/openssl#14314)
  - Make 'tests' depend on a generated 'providers/fipsmodule.cnf'
(PR openssl/openssl#14320)
  - Fix threading issues in crypto/provider_core.c
(PR openssl/openssl#14354)
  - test/threadstest.c: Add a test to load providers concurrently
(PR openssl/openssl#14372)
  - DOCS: Fix provider-mac.pod and the docs of our implementations
(PR openssl/openssl#14380)
  - DOCS: Document OSSL_STORE_INFO_PUBKEY in doc/man3/OSSL_STORE_INFO.pod
(PR openssl/openssl#14415)
  - Undo passing of params to provider side init/derive/instantiate
(PR openssl/openssl#14435)
  - [not_yet_closed] Introduce EVP level fetchable sigalg functionality
(Issue openssl/openssl#14467)
  - PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl()
(PR openssl/openssl#14484)
  - TEST: Cleanup test recipes
(PR openssl/openssl#14505)
  - [not_yet_closed] Introduce EVP level fetchable PRF functionality
(Issue openssl/openssl#14543)
  - Configure: check all DEPEND values against GENERATE, not just .h files
(PR openssl/openssl#14598)
  - Fix a missing rand -> ossl_rand rename
(PR openssl/openssl#14609)
  - ASN1: Reset the content dump flag after dumping
(PR openssl/openssl#14627)
  - RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value
(PR openssl/openssl#14676)
  - [not_yet_closed] test/pkits-test.pl not suitable for current OpenSSL
(Issue openssl/openssl#14709)
  - Unix build file template: symlink "simple" to "full" shlib selectively
(PR openssl/openssl#14726)
  - Re-implement ANSI C building with a Github workflow
(PR openssl/openssl#14729)
* Web:
  - REVIEWED: Update newsflash for the 3.0 alpha13 release
(PR openssl/web#223 by mattcaswell)
  - Complete the transition changelog.txt -> changelog.md
(PR openssl/web#224)
* Other:
  - Started over with buildbot master development / configuration / setup

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Monthly Status Report (March)

2021-04-07 Thread Matt Caswell

As well as normal reviews, responding to user queries, wiki user
requests, OMC business, support customer issues, CLA submissions,
handling security reports, etc., key activities this month:

- Provided support to a number of support customers
- Fixed an error in evp_extra_test
- Significant work on getting the 1.1.1 tests to run against master. 
Noted numerous issues as a result and report written about the results

- Completed and merged PR to cache legacy keys instead of downgrading them
- Fixed the check for suitable groups being available for TLSv1.3
- Added numerous missing entries in CHANGES.md
- Fixed a crash when using a "pkeyopt" without a ":"
- Performed the alpha13 release
- Addressed some TODO(3.0) comments in the code
- Updated the README-FIPS.md document with 3.0 information
- Fixed an issue where thread handlers were not being deregistered in 
the event that the provider init fails
- Co-ordinated the response to CVE-2021-3449 and provided numerous 
related code updates

- Added missing RUN_ONCE calls in rand_lib.c
- Did some investigation work for CVE-2021-3450
- Co-ordinated and performed the release of 1.1.1k
- Fixed an issue where too many symbols were copied into both libcrypto 
and legacy.so

- Wrote a libcrypto overview man page
- Took part in numerous planning meetings for 3.0
- Provided an improved implementation of X509_STORE_CTX_get1_issuer() 
(later superseded by work by Tomas)
- Fixed an inadvertent behaviour change of the ctrl 
EVP_PKEY_CTRL_RSA_KEYGEN_BITS
Matt



Monthly Status Report (March 2021)

2021-04-01 Thread Tomas Mraz
My key activities this month were:

- triage of newly reported issues and responding to questions
- participation in the meetings
- participated in the openssl-1.1.1k security release by reviewing
  and doing the CVE-2021-3450 fix

- reviews of various PRs:
  - I've reviewed about 90 PRs this month
  - Major PRs reviewed:
    - Stop using EVP_PKEY in encoders and decoders #14314
    - Make 'tests' depend on a generated 'providers/fipsmodule.cnf'
      #14320
    - Add testing for non-default library context into evp_extra_test
      #14478
    - ESS for TSP and CAdES-BES: Correct logic of
      ts_check_signing_certs() relating cert IDs to chain members #14503
    - KDF life-cycle documentation #14522
    - Fix Coverity resource leaks #14596
    - Fix DER reading from stdin for BIO_f_readbuffer #14599
    - HTTP: Fix method_POST param by moving it to
      OSSL_HTTP_REQ_CTX_set_request_line() #14699

- submitted 31 PRs:
  - In particular:
    - TODO cleanups in test, ssl, and providers directories #14367
    - Another set of TODO 3.0 cleanups - this time mostly in crypto
      #14404
    - CI: add job with external tests (temporarily krb5 and gost_engine
      only) #14416
    - Change default algorithms in PKCS12_create() and PKCS12_set_mac()
      #14450
    - Do not call RAND_get0_public from within the FIPS provider
      initialization #14497
    - Make EVP_PKEY_missing_parameters work properly on provided RSA
      keys #14511
    - Added functions for printing EVP_PKEYs to FILE * #14577
    - Implement EVP_PKEY_dup() function #14624
    - EVP_PKCS82PKEY: Create provided keys if possible #14659
    - Cleanups related to legacy nid support #14703
    - Add "save-parameters" encoder parameter #14746
    - Provider side decoder API documentation #14756

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
Late Monthly Status Report (March 2020)

2020-06-16 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, small fixes, etc., key activities
this month:

* Development

  - [not_yet_merged] WIP: apps: Switch to using OSSL_STORE for loading keys, 
certs, ...
(PR openssl/openssl#7390)
  - Implement domparam and key generation
(PR openssl/openssl#10289)
  - DOC: Add documentation related to X509_LOOKUPs [1.1.1]
(PR openssl/openssl#11120)
  - Refactor CRMF_poposigningkey_init() to work with provider keys
(PR openssl/openssl#11126)
  - Configuration: Add post module building check
(PR openssl/openssl#11170)
  - build.info extensions: variable value substitutions and multi-item 
statements
(PR openssl/openssl#11185)
  - .travis.yml: where it matters, have build and source nesting levels differ
(PR openssl/openssl#11186)
  - crypto/perlasm/x86_64-xlate.pl: detect GNU as to deal with quirks
(PR openssl/openssl#11191)
  - EVP: Check that key methods aren't foreign when exporting
(PR openssl/openssl#11193)
  - Andoid cross compile: change ANDROID_NDK_HOME to ANDROID_NDK_ROOT
(PR openssl/openssl#11206)
  - config, Configure: move the check of removed crypto/ sub-systems
(PR openssl/openssl#11217)
  - Configurations: Fix "android" configuration target
(PR openssl/openssl#11238)
  - util/wrap.pl: do not look at EXE_SHELL
(PR openssl/openssl#11258)
  - Restructure documentation of implementations in providers
(PR openssl/openssl#11270)
  - DOCS: Fix documentation on asymmetric keydata types
(PR openssl/openssl#11275)
  - DOCS: Fix the description of OSSL_PARAM_allocate_from_text()
(PR openssl/openssl#11279)
  - Refactor sm2_id
(PR openssl/openssl#11302)
  - Fix RSA structure
(PR openssl/openssl#11315)
  - Fix legacy_ctrl_to_param() to pay better attention to keytype
(PR openssl/openssl#11329)
  - Refactor sm2_id - addendum
(PR openssl/openssl#11335)
  - EVP: fetch the EVP_KEYMGMT earlier
(PR openssl/openssl#11343)
  - [WIP] EVP: Fix EVP_PKEY_copy_parameters() for a newly allocated |to|
(PR openssl/openssl#11368)
  - DH, DSA, EC_KEY: Fix exporters to allow domain parameter keys
(PR openssl/openssl#11374)
  - EVP: Downgrade keys rather than upgrade
(PR openssl/openssl#11375)
  - util/wrap.pl: Correct exit code when signalled
(PR openssl/openssl#11379)
  - EC: Refactor ec_curve_name2nid() to accept NIST curve names
(PR openssl/openssl#11391)
  - PROV: Fix EC_KEY exporters to allow domain parameter keys
(PR openssl/openssl#11394)

* Web

  - Fix 'make relupd'

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Monthly Status Report (March)

2020-04-03 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Ongoing reviews of the CMP contribution
- Clarified the docs around usage of EVP_PKEY_get_raw_*_key()
- Provided some tweaks/fixes to the Serializer code
- Completed implementation of Ed25519 and Ed448 in the default provider
- Implemented serializers for Ed25519 and Ed448
- Performed and coordinated the release of both 1.1.1e and 1.1.1f
- Fix to handle the case where there is no digest in an EVP_MD_CTX
- Significant effort in getting a simple TLSv1.2 connection working with
FIPS only crypto
- Created PR to make various updates to provider.pod
- Made it possible to easily specify a libctx from EVP_DigestSign*
- Made sure we were using the correct libctx when fetching a MAC in one
scenario
- Ensured we were using RAND_bytes_ex in various calls in crypto/rsa
- Ensured we were using fetched ciphers/digests for TLS tickets
- Fixed a number of spots in libssl where we weren't using the libctx
- Fixed EVP_PKEY_new_mac_key() so that it doesn't fail if the specified
MAC is not available in the default provider
- Wrote code to update libssl to use EVP_MAC for its MAC rather than
EVP_DigestSign*(). This work is currently on hold due to an unexpected
impact on the GOST engine
- Fixed more spots in libssl where fetched ciphers were not being used
- Update to provide better diagnostics in the event of a fetch failure
- Updated test TLS framework to provide better error information if a
connection fails
- Added libctx aware functions OCSP_RESPID_set_by_key_ex() and
OCSP_RESPID_match_ex()
- Added function to explicitly cache X509v3 extensions with a libctx -
and used that function in libssl
- Made the SRP library libctx aware, and updated libssl to use the new
functions
- Updated libssl to give a better error if we can't find a sig alg
- Fixed a bug in libssl to avoid attempting to up-ref a cipher that is NULL
- Fixed a bug to avoid double freeing a DH object in libssl


Matt


Re: Monthly Status Report (March 2019)

2019-04-16 Thread Richard Levitte
There's an oops, the Web part is a copy of the February report.
Ignore it in this report.

On Tue, 16 Apr 2019 22:10:17 +0200,
Richard Levitte wrote:
> 
> Apart from normal business, such as normal reviews, OMC business,
> normal system administration tasks, etc., key activities this month:
> 
> * Development
> 
>   - Deprecated the "hw" configuration option and made "padlockeng"
> disablable
> (PR openssl/openssl#8380)
>   - Finalized addition of generic trace API together with Matthias
> St Pierre
> (PR openssl/openssl#8198)
>   - Finalized work on the basics for OpenSSL 3.0 replumbing: provider
> object
> (PRs openssl/openssl#8287)
>   - Finalized work on the OpenSSL 3.0 core: generic method constructor
> (PR openssl/openssl#8340)
>   - Finalized work on the OpenSSL 3.0 EVP: constructor for EVP methods
> (PR openssl/openssl#8341)
>   - Reviewed the added OSSL_PARAM API
> (PR openssl/openssl#8451)
>   - Reviewed further trace API work
> (PR openssl/openssl#8463)
>   - Added mechanism for fallback providers and pre-populating the
> provider store with well known providers ("default")
> (PR openssl/openssl#8480)
>   - Reviewed the addition of chacha20 and poly1305 assembler for ia64
> (PR openssl/openssl#8540)
>   - Finally remove everything that has to do with "heartbeats"
> (PR openssl/openssl#1928)
>   - Started work on the OpenSSL 3.0 core: config module for providers
> (PR openssl/openssl#8549)
>   - Started work on OSSL_PARAM name registration and checking
> (PR openssl/openssl#8461)
>   - Started work on tidying our common perl scripts
> (PR openssl/openssl#8525)
>   - [unpublished] Started work on flexible installation commands for
> Makefiles
>   - [unpublished] Continued work on flexible building commands for
> Makefiles
> 
> * Web
> 
>   - Published the OpenSSL 3.0 Design document
> (PR openssl/web#113)
>   - Reworked the release strategy to include the version scheme for
> OpenSSL 3.0 and on; generalised the criteria for alpha, beta and
> release; reviewed the new stability policy
> (PR openssl/web#82)
>   - Reviewed the added extended support contract information
> (PR openssl/web#122)
>   - Reworked web site building to centralise release information
> (PR openssl/web#120)
> 
> -- 
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
> 
-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Monthly Status Report (March 2019)

2019-04-16 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, etc., key activities this month:

* Development

  - Deprecated the "hw" configuration option and made "padlockeng"
disablable
(PR openssl/openssl#8380)
  - Finalized addition of generic trace API together with Matthias
St Pierre
(PR openssl/openssl#8198)
  - Finalized work on the basics for OpenSSL 3.0 replumbing: provider
object
(PRs openssl/openssl#8287)
  - Finalized work on the OpenSSL 3.0 core: generic method constructor
(PR openssl/openssl#8340)
  - Finalized work on the OpenSSL 3.0 EVP: constructor for EVP methods
(PR openssl/openssl#8341)
  - Reviewed the added OSSL_PARAM API
(PR openssl/openssl#8451)
  - Reviewed further trace API work
(PR openssl/openssl#8463)
  - Added mechanism for fallback providers and pre-populating the
provider store with well known providers ("default")
(PR openssl/openssl#8480)
  - Reviewed the addition of chacha20 and poly1305 assembler for ia64
(PR openssl/openssl#8540)
  - Finally remove everything that has to do with "heartbeats"
(PR openssl/openssl#1928)
  - Started work on the OpenSSL 3.0 core: config module for providers
(PR openssl/openssl#8549)
  - Started work on OSSL_PARAM name registration and checking
(PR openssl/openssl#8461)
  - Started work on tidying our common perl scripts
(PR openssl/openssl#8525)
  - [unpublished] Started work on flexible installation commands for
Makefiles
  - [unpublished] Continued work on flexible building commands for
Makefiles

* Web

  - Published the OpenSSL 3.0 Design document
(PR openssl/web#113)
  - Reworked the release strategy to include the version scheme for
OpenSSL 3.0 and on; generalised the criteria for alpha, beta and
release; reviewed the new stability policy
(PR openssl/web#82)
  - Reviewed the added extended support contract information
(PR openssl/web#122)
  - Reworked web site building to centralise release information
(PR openssl/web#120)

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Monthly Status Report (March)

2019-04-04 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Fixed an issue where the ticket index was written to the session during the
handshake, even though the session is supposed to be immutable
- Significant review work on the Kernel TLS Receive side
- Investigated (with others) and fixed an underflow in ecp_nistp521.c
- Fixed an issue with long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
- Significant review work on the CRMF/CMP chunk 2 code
- Changes to enable pkeyutl to work with Ed448 and Ed25519
- Updates to the pkeyutl documentation around the digest option
- Fixed enable-zlib
- Fixed some mem leaks in pkread.c demo file
- Fixed no-dso
- Fixed no-cmac, no-poly1305 and no-siphash
- Added some missing OPENSSL_NO_SM2 guards
- Worked on fix for no-posix-io (later replaced by a different PR)
- Created the default provider and moved SHA256 into it
- Created a PR for implementing a FIPS provider and moving SHA256 into it
- Created a PR for implementing a legacy provider and moving MD2 into it
- Fixed some MAC issues (Don't allow SHAKE128/SHAKE256 with HMAC)
- Fixed a memory leak in ARIA GCM
- Changes to tolerate 0 length input on Update functions
- Fixed no-ec
- Const fixes for OCSP_id_cmp and OCSP_id_issuer_cmp
- Created PR for fixed error handling in X509_chain_up_ref
- Created PR for supporting EVP_MD_block_size() with providers
- Created PR for ensuring EVP_MD_CTX_md() returns the EVP_MD that was originally
used.
- Significant review work on various FIPS related PRs

Matt
[openssl-project] Monthly Status Report (March)

2018-04-04 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Performed the 1.1.1 beta 1 (pre-3) release
- Performed a security release for 1.1.0 and 1.0.2
- Carried out a number of different tasks around the re-licensing,
reviewing and investigating old commits and rewriting some where required
- Implemented the TLSv1.3 anti-replay mechanism
- Fixed numerous "no-" compilation options
- Investigated and fixed a text canonicalisation bug in CMS
- Major overhaul of the genpkey documentation which was very out of date
- Investigated and developed a fix for SSL config problems where engines
cannot be loaded prior to the initialisation of libssl
- Implemented changes to tolerate a Certificate using a non-supported
group on the server side.
- Fixed a bug where generating a key for certain unusual EC curves
failed due to an attempt to write out the ASN.1 with a bad OID
- Fixed a travis problem where builds were failing due to excessive log size
- Fixed various problems with the ca application
- Implemented a capability to import "raw" keys for various algorithms
via EVP (e.g. X25519/Ed25519/X448/Ed448 etc).
- Fixed a TLSv1.3 server side session caching issue
- Implemented a new ciphersuite configuration approach for TLSv1.3
- Updated for support of TLSv1.3 draft-26
- Stopped ossl_shim from negotiating TLSv1.3 which was causing travis
failures
- Fixed some issues with SSL_stateless() in order to give more
information to callers
- Implemented fixes for PSK support to enable old-style PSKs to be used
in TLSv1.3
- Completed and committed support for X448/Ed448
- Performed some interoperability testing for Ed25519/Ed448


Matt
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project