Monthly Status Report (May)
As well as normal reviews, attending regular OMC and OTC meetings, attending daily stand up and sprint planning meetings, responding to user queries, wiki user requests, OMC business, sys-admin, support customer issues, responding to public github issues, CLA submissions, handling security reports, etc., key activities this month:
- Performed the 3.0.3, 1.1.1o and 1.0.2ze releases
- Started the vote on the security policy
- Wrote up various issues for problems that occurred during the release
- Reviewed the latest API proposal
- Completed the conversion of TLSv1.3 decryption code to the new record layer
- Reorganised files in the new record layer to make things clearer
- Implemented KTLS in the new record layer
- Took part in a retrospective of the recent release
- Implemented support for moving data from one epoch to the next in the record layer
- Incorporated oqs-provider updates into record layer changes to fix CI issue
- Removed use of SSL_IS_TLS13() from the record layer methods
- Removed use of SSL_USE_EXPLICIT_IV() from the record layer methods
- Removed use of s->hello_retry_request from the record layer methods
- Removed use of ossl_statem_in_error from the record layer methods
- Made the read record layer EtM aware
- Reviewed the competing event queue designs
- Reviewed the wire format encoding implementation
- Moved the read sequence storage into the record layer
- Removed dependence on SSL object for record layer early data code
- Added record layer specific msg callback and ssl_security callback
- Removed separation between enc_read_ctx and enc_write_ctx in the record layer
- Removed separation between read_hash and write_hash in the record layer
- Removed some final SSL object references in the record layer
- Located and fixed 2 memory leaks in the decoder code
- Located and fixed a memory leak in the provider doall code
- Located and fixed a memory leak when constructing a new provider
- Started implementation of DTLS in the read record layer
- Attended an interview for the new Business Administrator role
Matt
Monthly Status Report (May 2022)
My key activities this month were:
- triage of newly reported issues, investigating bugs, and responding to questions
- participation in the meetings
- Youtrack workflow experimentation and proposal
- participation in QUIC design and implementation
- preparation of Technical Policies changes proposals
- reviews of various PRs:
  - I've reviewed more than 80 PRs this month
  - Notable PRs reviewed:
    - X509{,_LOOKUP}: Improve distinction between not found and fatal/internal error #14417
    - Make configuration (and therefore builds) leaner #16378
    - Clear method store / query cache confusion #18151
    - tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above #18236
    - Non-locale dependent OPENSSL_strcasecmp #18344
    - QUIC wire format support #18382
    - http_client.c: trace HTTP requests and responses when enabled #18386
- submitted 15 PRs:
  - In particular:
    - Fix build on OPENSSL_SYS_TANDEM and older POSIXes #18241
    - Add design requirements for QUIC packet demuxer #18249
    - Add a testcase for OSSL_PROVIDER_unload() being fully effective #18254
    - OPENSSL_strcasecmp build, cleanup, and initialization fixes #18282
    - Always try to construct methods as new provider might be added #18269
    - QUIC empty protocol implementation #18307
    - ossl_namemap_name2_num: Avoid unnecessary OPENSSL_strndup(). #18341
    - High level overview of QUIC Implementation #18406

I also took 1 day off this month.

-- Tomáš Mráz, OpenSSL
Monthly Status Report (May 2022)
Apart from normal business, attending daily standup meetings, attending OTC meetings, sprint planning meetings, etc., key activities this month:
- Wrote up discussion of options for BIO_dgram API
- PR #18238 (synthesized API proposals and DDD diffs into single PR)
- PR #18270 (BIO_dgram sendmmsg/recvmmsg implementation work)
- Updated lhash deprecation PR to implement chosen option
- Setup YouTrack instance
- Backported a bug fix to 1.0.2 for a premium support customer
- PR #18305 fixing #18243 and #18242 (dev/release.sh --release)
- PR tools#117 fixing tools#116 (addrev release mode)
- PR to fix Git hooks (release mode)
- PR #18320 porting 1.1 EC compression compatibility tests to 3.x and incorporating changes from #16624
- Investigated #18226 (OSSL_LIB_CTX_load_config thread safety)
- PR #18323 (move modules lists to OSSL_LIB_CTX)
- PR #18331 (make OSSL_LIB_CTX_load_config thread safe) fixing #18226
- Proposed deprecating long (#18338, technical-policies#51)
- Moved YouTrack instance to production
- Setup VCS integrations with YouTrack
- Patched YouTrack GitHub importer to work with GHE and imported issues
- PR #18382 (QUIC wire format support)
- Implemented BIO_dgram_pair
- Attended SSL object structure workshop
- Attended 3.1 release and risk assessment meetings
Monthly status report: May 2022
Significant activities throughout February included:
* Investigation and mitigation of performance problems with MS QUIC.
* Banned older TLS/DTLS & SSL protocols at security levels above zero.
* Removed unused and untested _fetch_by_number functions.
* Design and implementation of a timer subsystem.
* Investigated code generation problem with clang-14 (strict aliasing being broken in a non-obvious way).
* Review of event queue design.
* Merge event queue and timer subsystems.
* Blog post about Spectre gadgets in our source code.
* Participating in ongoing FIPS related discussions.
* Fixes for Coverity-raised problems.
* Fix case insensitive string comparisons so that they don't rely on locale support.
* Wrote (unpublished) blog post and emailed relevant parties (also unpublished).
* Began working on the QUIC packetisation design.
* Reviewed the substantial feature PRs.

This is in addition to the usual nightly meetings, issue triage, small pull requests, pull request reviews and responding to questions etc.

Pauli
Monthly Status Report (May 2021)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - FIPS module checksums: add scripts and Makefile rule (PR openssl/openssl#8871)
  - DOCS: Mention that libcrypto has helper functions for OSSL_PARAMs (PR openssl/openssl#15073)
  - APPS: Set a default passphrase UI for the "ec" command (PR openssl/openssl#15119)
  - Drop libimplementations.a (PR openssl/openssl#15171)
  - ASN1: Fix i2d_provided() return value (PR openssl/openssl#15277)
  - APPS: Make the cmp Mock server output the accept address and port (PR openssl/openssl#15281)
  - test/evp_extra_test2.c: Try EVP_PKEY_export() with a legacy RSA key (PR openssl/openssl#15292)
  - EVP: Modify EVP_PKEY_export() to handle legacy EVP_PKEYs (PR openssl/openssl#15293)
  - Rework how a build file (Makefile, ...) is produced (PR openssl/openssl#15310)
  - Adapt building OpenSSL 3.0 for VMS (PR openssl/openssl#15317)
  - Disable loader_attic on VMS (PR openssl/openssl#15320)
  - Small fixes for VMS (SIZE_MAX in a couple more places, and strtoumax / strtoimax) (PR openssl/openssl#15366)
  - VMS: don't use app_malloc() in apps/lib/vms_decc_argv.c (PR openssl/openssl#15368)
  - Configurations/descrip.mms.tmpl: rework the inclusion hacks (PR openssl/openssl#15369)
  - PROV: Relegate most of the FIPS provider code to libfips.a (PR openssl/openssl#15370)
  - DOCS: Fixups of the migration guide and the FIPS module manual (PR openssl/openssl#15377)
  - VMS: Fix run of generic generator programs in descrip.mms.tmpl (PR openssl/openssl#15397)
  - Fix 'openssl req' to be able to use provided keytypes (PR openssl/openssl#15400)
  - DOCS: Don't mention internal functions in public documentation (PR openssl/openssl#15422)
  - Rework how providers/fipsmodule.cnf is produced, and have a separate test/fipsmodule.cnf (PR openssl/openssl#15436)
  - util/fix-doc-nits: Fix link detection in collectnames() to be kinder (PR openssl/openssl#15450)
  - Rearrange the check of providers/fips.so dependencies (PR openssl/openssl#15514)
  - Add .asn1 dependencies for files generated from providers/common/der/*.in (PR openssl/openssl#15533)

* Web:

* Internal:
  - Worked on numerous details of the FIPS buildbot master

* Sysadm:
  - Updated some configurations for newer Ubuntu installations (18.04 and 20.04)

-- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/
Monthly Status Report (May)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month:
- Miscellaneous buildbot admin (setting up workers)
- Completed implementation of core BIO API
- Significant amount of work implementing child provider library contexts
- Performed the alpha 16 release
- Implemented mirroring of global properties in child providers
- Significant time spent reviewing the migration guide
- Fixed a mem leak in the pkcs12 test helpers
- Fixed a problem with initialisation of child providers happening too late
- Added a missing CHANGES entry for the fully pluggable groups code
- Fixed a use-after-free in the child provider code
- Implemented better error messages if no decoders/encoders/store loaders are available
- Implemented symlink creation during man page installation
- Cleaned up various problems in the missing*.txt files
- Performed the alpha 17 release
- Fixed a problem in the decoders that avoids using the same decoder multiple times
- Significant work to enable the use of provider keys read from DER encoded data. This led to a number of related fixes including:
  - Add a special case for SM2 when decoding due to abuse of the EC OID
  - Fix cert creation in the store to use libctx/propq
  - Teaching EC EVP_PKEYs to say whether they were decoded from explicit params
  - Teaching ASN1_item_verify_ctx() how to handle provided keys
  - Updating the function check_sig_alg_match() to work with provided keys

Matt
Monthly Status Report (May 2021)
My key activities this month were:
- triage of newly reported issues and responding to questions
- re-triage of issues/PRs in Post 1.1.1 and Assessed milestones
- participation in the meetings
- reviews of various PRs:
  - I've reviewed more than 100 PRs this month
  - Notable PRs reviewed:
    - FIPS module checksums: add scripts and Makefile rule #8871
    - Add BIO_new_from_core_bio() to the public API #15072
    - Alpha 16 release
    - PSK and key_share compliance fixes for RFC 8446 #14749
    - Export/import flags for FFC params changed to seperate fields. #15210
    - HTTP: Implement persistent connections (keep-alive) etc. #15053
    - Init the child providers immediately on creation of the child libctx #15270
    - EVP: Modify EVP_PKEY_export() to handle legacy EVP_PKEYs #15293
    - Disable client-initiated renegotiation by default #15184
    - checksum: include header files in the checksumming output #15365
    - Rework how providers/fipsmodule.cnf is produced, and have a separate test/fipsmodule.cnf #15436
    - Update Cipher documentation. #15416
- submitted 29 PRs:
  - In particular:
    - Multiple PRs for FIPS checksum CI job fine tunings
    - Replace EVP_PKEY_supports_digest_nid #15198
    - Allow arbitrary digests with ECDSA and DSA #15220
    - Add some basic Windows builds to the Windows CI workflow #15349 and follow-up Enable FIPS in the Windows CI 64 bit shared build and fix related issues #15550
    - Rename all getters to use get/get0 in name #15405
    - Deprecate old style BIO callback calls #15440
    - Fix possible infinite loop in pem_read_bio_key_decoder() #15441

-- Tomáš Mráz
No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.]
Monthly Status Report (May 2020)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development
  - [not_yet_merged] [WIP] Refactor CPUID code (PR openssl/openssl#11311)
  - EVP: Only use the engine when one is defined, in pkey_mac_ctrl() (PR openssl/openssl#11674)
  - WPACKET: don't write DER length when we don't want to (PR openssl/openssl#11703)
  - util/perl/OpenSSL/OID.pm: remove the included unit test (PR openssl/openssl#11704)
  - Fix reason code clash (PR openssl/openssl#11708)
  - PSS pack: Add provider support for PSS parameters (PR openssl/openssl#11710)
  - Configure: avoid perl regexp bugs (PR openssl/openssl#11737)
  - EVP: when setting the operation to EVP_PKEY_OP_UNDEFINED, clean up! (PR openssl/openssl#11750)
  - Warn that objects with opaque types must never be passed on. (PR openssl/openssl#11754)
  - OSSL_STORE additions (PR openssl/openssl#11756)
  - Fix some misunderstandings in our providers' main modules (PR openssl/openssl#11777)
  - Fix d2i_PrivateKey_ex() to work as documented (PR openssl/openssl#11787)
  - Fix CHANGES.md issues reported by markdownlint (PR openssl/openssl#11788)
  - Remove explicit dependency on configdata.pm when processing .in files (PR openssl/openssl#11790)
  - PROV: Add a proper provider context structure for OpenSSL providers (PR openssl/openssl#11803)
  - SSL: refactor ssl_cert_lookup_by_pkey() to work with provider side keys (PR openssl/openssl#11828)
  - test/evp_extra_test.c: Add OPENSSL_NO_CMAC around CMAC test (PR openssl/openssl#11833)
  - CORE: Fix a couple of bugs in algorithm_do_this() (PR openssl/openssl#11837)
  - CORE: query for operations only once per provider (unless no_store is true) (PR openssl/openssl#11842)
  - Add OSSL_PROVIDER_do_all() (PR openssl/openssl#11858)
  - Refactor the provider side DER constants and writers (PR openssl/openssl#11868)
  - rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(): fix check of |md| (PR openssl/openssl#11869)
  - STORE: Make try_decode_PrivateKey() ENGINE aware (PR openssl/openssl#11872)
  - Fix d2i_PrivateKey() to work as documented [1.1.1] (PR openssl/openssl#11888)
  - PROV: Fix RSA-OAEP memory leak (PR openssl/openssl#11927)
  - Add header file docs for openssl/core_numbers.h and openssl/core_names.h (PR openssl/openssl#11963)
  - util/mkpod2html.pl: Fix unbalanced quotes (PR openssl/openssl#11969)
  - Fix EVP_CIPHER_fetch race condition (PR openssl/openssl#11977)
  - [not_yet_merged] [WIP] EVP: retrieve EVP_CIPHER constants in the evp_cipher_from_dispatch() (PR openssl/openssl#11980)

-- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/
Monthly Status Report (May)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:
- Investigated a mysterious perl crash during Configure on some platforms
- Attended regular weekly dev team calls, and fortnightly FIPS sponsor calls
- Created PR to ensure we don't offer or accept ciphersuites that we don't support
- Continued work on PR to centralise environment variables in the tests
- Created PR to document some missing s_server options
- Completed PR fixing raw provider keys
- Published OpenSSL 1.0.2v for premium support customers
- Implemented stricter type discipline in the provider<->libcrypto interface
- Performed the OpenSSL 3.0 alpha 2 release
- Fixed the alignment calculation in ssl3_setup_write
- Continued review work on the CMP submission
- Fixed an issue where we were incorrectly falling back to legacy if a fetch of the EVP_KEYMGMT failed.
- Deleted the redundant sslprovidertest
- Ensured that we check the availability of sigalgs before we offer or accept them
- Removed some deliberate downgrading of keys in libssl
- Investigated and fixed issues in the CMAC implementation

Matt
Late Monthly Status Report (May 2019)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, etc., key activities this month:

* Development
  - [not yet merged] Created a FIPS module checksum script and modified the Makefile rules to use it (PR openssl/openssl#8871)
  - [not yet merged] Started work to move all MAC implementations to the providers (PR openssl/openssl#8877)
  - Created internal dynamic id number<->name mapping API, to replace the legacy NID<->name database, and made the generic EVP fetching mechanism use it (PR openssl/openssl#8878)
  - [not yet merged] Added a .pragma directive for configuration files and added a pragma that allows '$' to be considered a symbol character unless followed by a brace. (PR openssl/openssl#8882)
  - [not yet merged] Modify the VMS entropy gathering unit to use the upcoming system service SYS$GET_ENTROPY (PR openssl/openssl#8926)
  - [not yet merged] Added new X509_LOOKUP method that works with OSSL_STORE and a new command line option -CAstore that takes an OSSL_STORE URI (PR openssl/openssl#8442)
  - [not yet merged] Modified the internal dynamic id number<->name map to handle multiple names for the same id number (PR openssl/openssl#8967)
  - [not yet merged] Provided a couple of alternatives for populating the internal dynamic id number<->name map with aliases (PR openssl/openssl#8984 pre-populates the map with hard-coded aliases within the EVP sub-system) (PR openssl/openssl#8985 makes it possible for providers to provide aliases)
  - Attended the OMC f2f in Vancouver
  - Attended the ICMC conference in Vancouver
  - Clarified the requirements for X509_LOOKUP methods as to what side effects are expected when looking up diverse objects (PR openssl/openssl#8755)
  - Join the x509 and x509v3 directories (PR openssl/openssl#8925)
  - Constify OSSL_PROVIDER getter input parameters (PR openssl/openssl#9054)
  - Released OpenSSL 1.1.1c, 1.1.0k and 1.0.2s
  - Backport making make C++ build tests optional and configurable to 1.1.1 (PRs openssl/openssl#8370 and openssl/openssl#9016)

* Internal
  - Recorded a number of committers that accepted their invitations while in Vancouver

* System administration
  - Worked on our Apache configs to remove some kinks

-- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/
Monthly Status Report (May)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:
- Moved various global data items to use OPENSSL_CTX instead in preparation for making EVP available from within the FIPS module
- Preparation for 2 ICMC panels (OpenSSL panel and TLS panel)
- Improved DSA to reject obviously invalid parameters during signing
- Significant review of the CMP PRs
- Attended the OMC f2f in Vancouver
- Attended the ICMC conference in Vancouver
- Enabled EVP from within the FIPS module
- Proposed alternative fix to the problem where NULL is passed to EVP_EncryptUpdate
- Added CAVS test vectors for CCM
- Assisted with the releases of 1.1.1c, 1.1.0k and 1.0.2s
- Significant work to make the RAND code available from within the FIPS Module
- PR to make the basic AES ciphers available from within FIPS module
- PR to make the threading code provider aware
- Fixed an error in the test framework that meant, for some tests, a failure didn't really mean failure

Matt
[openssl-project] Monthly Status Report (May)
[apologies for the delay]

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, etc., key activities this month:

Development:
- Attended the OMC f2f in Ottawa (remotely)
- Started as contact with legal advisor
- Adapted VMS random seeding to the new DRBG methods
- Documented our current handling of passphrase encoding and proposed a few ways to deal with it (still ongoing)
- Proposed building docs as part of the build instead of during installation (PR pending)
- Supported the 1.1.1-pre7 release
- Small refinements in preparation for the final release

Others:
- Worked on platform support database (yet unpublished)

-- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/

___ openssl-project mailing list openssl-project@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-project
[openssl-project] Monthly Status Report (May)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:
- Fixed a mem leak in CMS_RecipientInfo_set0_pkey() and added some CMS tests
- Added a note around performance and Nagle's algorithm on the SSL_connect() man page
- Performed the 1.1.1 pre6 release
- Fixed some errors and missing info in the CMS docs
- Added getter for X509_VERIFY_PARAM_get_hostflags
- Fixed SSL_get_shared_ciphers() to actually return the shared ciphers rather than the client ciphers
- Fixed SSL_has_pending() in DTLS
- Attended the OMC f2f in Ottawa
- Fixed a failure in the event of an out-of-order CCS in DTLS
- Fixed s_server/s_client to correctly use the DTLS timer
- Ensure we resend the last DTLS flight if we don't get any app data from the peer
- Fixed the ticket callbacks in TLSv1.3 and added associated tests
- Fixed various "no" config options (multiple times in the month!)
- Implemented a preference for SHA-256 when using "old style" PSKs to aid backwards compatibility
- Fixed a DTLS problem where we did a memcpy of a NULL pointer of zero length, which is undefined behaviour
- Implemented configurable number of TLSv1.3 session tickets
- Implemented support for TLSv1.3 drafts 26/27/28 all at the same time
- Made BN_GF2m_mod_arr more constant time as a defence against side channel attacks
- Reverted an earlier change to pkeyutl to avoid EVP_PKEY_sign() for EdDSA. Also fixed a number of other issues with this application.
- Fixed "ca" so that it can use EdDSA
- Fixed some undefined behaviour in X509_NAME_cmp()
- Modified TLSv1.3 stateless tickets so that they are not cached unnecessarily
- Fixed a bug where post-handshake auth Finished messages used the wrong key
- Added some sanity checks for a point to check it is defined for the right curve before we perform operations on it
- Updated the "Connected Commands" section of the s_server/s_client docs
- Created a PR (ongoing) for doing auto-retry in shutdown to fix test issues reported in CPython
- Fixed mathematics error in calculating "a ^ 0 mod -1"
- Performed the 1.1.1 pre7 release
- Fixed most of the outstanding Coverity defects
- Major tidy up of the SM2 code

Matt