Monthly Status Report (January)
As well as normal reviews, attending regular OMC and OTC meetings, attending daily stand up meetings, responding to user queries, wiki user requests, OMC business, sys-admin, support customer issues, CLA submissions, handling security reports, etc., key activities this month:
- Created a PR to clarify the EVP_PKEY_get_int_param() documentation (and similar functions)
- Investigated a trust checking question
- Investigated and fixed a problem with OSSL_DECODER_fetch
- Backported an EVP_DigestInit_ex() memory leak fix to 1.1.1
- Worked on the OMC voting policy, and tweaked the OTC one
- Worked on the OTC testing policy
- Wrote some documentation for X509_STORE_CTX_set0_purpose() and related functions
- Wrote a proposal for a QUIC Proof of Concept
- Reviewed the TFO submission
- Investigated KTLS issues
- Created a QUIC technical requirements document
- Investigated OPENSSL_init_crypto problems and interaction with atexit
- Started implementing a toy protocol for the API PoC
- Started work on an SSL compat layer proof of concept based on a toy protocol
- Looked at a possible design for a generic comms API
- Investigated the TAPS API (https://datatracker.ietf.org/doc/draft-ietf-taps-interface/)
- Worked with other staff to consider estimates and forward planning of releases beyond 3.1
- Wrote a demo to illustrate a problem with PR17483
- Took part in various discussions about the future of atexit()
- Fixed a problem with openssl ciphers not honouring a propquery
- Investigated and resolved an issue for a user regarding "openssl req"
- Backported the X509_STORE_CTX_set0_purpose() fix to 3.0 and 1.1.1
- Issued security advisory for CVE-2021-4160

Matt
Monthly Status Report (January 2022)
My key activities this month were:
- triage of newly reported issues, investigating bugs, and responding to questions
- participation in the OTC meetings
- cooperation with Mark and Tim on job interviews with candidates, scheduling things, etc.
- reviews of various PRs:
  - I've reviewed about 70 PRs this month
  - Notable PRs reviewed:
    - OSSL_STORE: Prevent spurious error during loading private keys #15283
    - Fix CMP mock server w.r.t. use of reference certificate for KUR and RR #16050
    - Fix malloc failure handling of X509_ALGOR_set0() #16251
    - property: use a stack to efficiently convert index to string #17325
    - Fix Decoder, Encoder and Store loader fetching #17459
    - Fix invalid malloc failures in PEM_write_bio_PKCS8PrivateKey*() #17507
- submitted 15 PRs:
  - In particular:
    - Check that we imported a key when using EVP_PKEY_fromdata with EVP_PKEY_KEYPAIR #17408
    - EVP_PKEY_fromdata(): Do not return newly allocated pkey on failure #17411
    - EVP_PKEY_derive_set_peer_ex: Export the peer key to proper keymgmt #17425
    - Properly return error on EVP_PKEY_CTX_set_dh_nid and EVP_PKEY_CTX_set_dhx_rfc5114 #17498
    - store_result: Add fallback for fetching the keymgmt from the store provider #17554

--
Tomáš Mráz, OpenSSL
Monthly Status Report (January)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month:
- Attendance at the regular OTC meetings
- Attendance at the OMC meeting
- Attended meetings with the FIPS lab
- Fixed a bug with TLS stitched stream ciphers
- Performed alpha10 release
- Fixed the "enable-weak-ssl-ciphers" option
- Completed the PR started in December fixing various threading issues (finally fixing 6 different issues in one PR)
- Implemented an SRP constant time fix as a result of a security report
- Removed some dubious code that copied key parameters from the private key into the public key in libssl
- Fixed a bug relating to obtaining the default digest for an EVP_PKEY when using provider side keys
- Fixed the no-dh and no-dsa options
- Implemented a large PR to remove compile time algorithm checks from libssl
- Provided a fix to ensure that it was still possible to use EC keys which don't have the public key set
- Fixed running the mingw dhparam test under wine
- Implemented a second PR to fix various additional threading issues

Matt
Monthly Status Report (January 2021)
My key activities this month were:
- triage of newly reported issues and responding to questions
- participation in the OTC meetings
- reviews of various PRs:
  - I've reviewed about 80 PRs this month, merged many of them submitted by 3rd party contributors
  - Major PRs reviewed:
    - 3.0 alpha 11 release review
    - Update CMP doc on cert and key sources and extend use of PKCS#10 input #13841
    - Deprecate EVP_KEY_new_CMAC_key #13829
    - [crypto/dh] side channel hardening for computing DH shared keys #13783
    - x509_vfy.c: Fix a regression in find_issuer(); extend and re-organize some tests #13762
    - X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed due to invalid cert #13755
    - Major improvements of pkey app and bugfix on IS_HTTP(S) macros #13712
    - X509 app: major cleanup of user guidance, documentation, and code structure #13711
    - Fix a crash with multi-threaded applications using the FIPS module #13660
    - apps/{req,x509,ca}.c Make sure certs have SKID and AKID by default #13658
    - Use centralized fetching errors #13467
    - Remove pkey_downgrade from PKCS7 code #13435
    - Test CLI key validation and SM2 key validation #13359
    - EVP: fix keygen for EVP_PKEY_RSA_PSS #13099
- submitted 11 PRs:
  - In particular:
    - chacha20: Properly reinitialize the cipher context with NULL key #13850
    - Deprecation of the remaining functions related to X9.31 RSA key generation #13921
    - Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity #13870
    - Fixes in DH derivation related to DH support in CMS #13869
    - Implement missing algorithm id generation for the RSA-PSS signatures #13988
- took over the PR for deprecation of EC_KEY and related functions (#13139) from Shane, finalized it

--
Tomáš Mráz

No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]
Late Monthly Status Report (January 2020)
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:
* Development
  - [not_yet_merged] WIP: OSSL_STORE for providers (PR openssl/openssl#9389)
  - CORE & EVP: Adapt KEYEXCH, SIGNATURE and ASYM_CIPHER to handle key types better (PR openssl/openssl#10647)
  - Configuration: synchronise the variables on the build file templates (PR openssl/openssl#10753)
  - EVP: Fix method to determine if a PKEY is legacy or not (PR openssl/openssl#10758)
  - DOCS: The interpretation of OPENSSL_API_COMPAT has changed, update docs (PR openssl/openssl#10765)
  - Add missing inclusion of "internal/deprecated.h" (PR openssl/openssl#10766)
  - EVP: If a key can't be exported to provider, fallback to legacy (PR openssl/openssl#10771)
  - Add the DSA serializers to the default provider tools (PR openssl/openssl#10772)
  - EVP: make EVP_PKEY_{bits,security_bits,size} work with provider only keys (PR openssl/openssl#10778)
  - PROV: Fix mixup between general and specialized GCM implementations (PR openssl/openssl#10783)
  - Configure: use $list_separator_re only for defines and includes (PR openssl/openssl#10793)
  - Eliminate some EVP_PKEY_size() uses (PR openssl/openssl#10798)
  - EVP: clear error when falling back from failed EVP_KEYMGMT_fetch() (PR openssl/openssl#10803)
  - CORE: renumber OSSL_FUNC_KEYMGMT macros (PR openssl/openssl#10804)
  - Fix documentation for EVP_DigestSign* and EVP_DigestVerify* (PR openssl/openssl#10805)
  - Fix EVP_Digest{Sign,Verify}Final() and EVP_Digest{Sign,Verify}() for provider only keys (PR openssl/openssl#10806)
  - EVP: Adapt EVP_PKEY Seal and Open for provider keys (PR openssl/openssl#10808)
  - Move the definition of OPENSSL_BUILDING_OPENSSL (PR openssl/openssl#10813)
  - Change returned -2 to 0 in EVP_Digest{Sign,Verify}Init() (PR openssl/openssl#10815)
  - Add EVP_PKEY_get_default_digest_name() (PR openssl/openssl#10824)
  - CRYPTO: Remove support for ex_data fields when building the FIPS module (PR openssl/openssl#10837)
  - Modify EVP_CIPHER_is_a() and EVP_MD_is_a() to handle legacy methods too (PR openssl/openssl#10845)
  - Move the stored namemap pre-population to namemap construction (PR openssl/openssl#10846)
  - [1.1.1] Fix documentation of return value for EVP_Digest{Sign,Verify}Init() (PR openssl/openssl#10847)
  - Build file templates: Use explicit files instead of $< or $? for pods (PR openssl/openssl#10849)
  - EVP: Add evp_pkey_make_provided() and refactor around it (PR openssl/openssl#10850)
  - Adapt X509_PUBKEY_set() for use with provided implementations (PR openssl/openssl#10851)
  - For all assembler scripts where it matters, recognise clang > 9.x (PR openssl/openssl#10855)
  - Add GNU properties note for Intel CET in x86_64-xlate.pl (PR openssl/openssl#10875)
  - Configure: Better detection of '-static' in @{$config{LDFLAGS}} (PR openssl/openssl#10878)
  - PROV: Fix bignum printout in text serializers (PR openssl/openssl#10891)
  - OpenSSL::Test: bring back the relative paths (PR openssl/openssl#10913)
  - Adapt ASN1_item_sign_ctx() for use with provided keypairs (PR openssl/openssl#10920)
  - Add internal maxsize macros (PR openssl/openssl#10928)
  - test/recipes/30-test_evp.t: Fix multiple definition of @bffiles (PR openssl/openssl#10944)
* Administration
  - Stop making snaps for 1.1.0 and 1.0.2, and make 3.0-dev snaps
  - Switch final review to be for OTC rather than OMC

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Late Monthly Status Report (January 2019)
[I've been too distracted to crank these out regularly, will do better]
Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, etc., key activities this month:
* Development
  - Significant work on the FIPS design/architecture
  - Finalized the first part of a major change in configuration and building (PR openssl/openssl#7473)
  - Finalized adding attributes for product files in build.info (PR openssl/openssl#7581)
  - Cleaned away build.info artifacts (PR openssl/openssl#8125)
  - Reviewed s390x related enhancements (PRs openssl/openssl#6919, openssl/openssl#7988)
  - Reviewed ppc related enhancements (PR openssl/openssl#8120)
  - Reviewed addition of "weak" symbol declarations (PR openssl/openssl#8087)
  - Reviewed addition of CAdES support (PR openssl/openssl#7893)
  - Started work on the OpenSSL 3.0 core: core types (PR openssl/openssl#8286)
  - Started work on the OpenSSL 3.0 core: provider object (PR openssl/openssl#8287)
* Web
  - Implemented apropos-like list of manpages (PR openssl/web#102)
  - Reformat the FAQ for a more modern display, and also to make more direct use of markdown (PR openssl/web#103)
  - Added generation of HTML5 from markdown (PR openssl/web#108)
  - Reworked man-page generation to always generate the man1 / man3 / man5 / man7 structure, even if the source is the older apps / crypto / ssl form, as well as cross-referencing between man-pages of different OpenSSL versions (PR openssl/web#107)
  - Published the OpenSSL Strategic Architecture document (PR openssl/web#110)

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
[openssl-project] Monthly Status Report (January)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:
- Significant work on the FIPS design/architecture
- Fixed no-cmac
- Fixed no-sock
- Finished and pushed the no-pinshared PR, and backported it to 1.1.1
- Fixed handling of the cryptopro extension
- Review of the CMP PR
- Review of the Kernel TLS receive side PR
- Fixed compilation on sparc
- Review of the async notification callback PR
- Investigations related to CVE-2019-0190
- Added some additional return checking in the SRP code
- Worked on various updates to the release strategy
- Fixed a missing array initialiser
- Implemented a fix for a DTLS timer bug
- Fixed s_client to build properly on Windows
- Fixed -verify_return_error in s_client
- Created PR to allow more than 32 KeyUpdates per connection
- Created PR to not signal post-handshake exchanges with SSL_CB_HANDSHAKE_START
- Fixed memory leak from ERR_add_error_vdata()
- Fixed no-dso
- Fixed handling of -twopass option in pkcs12 app

Matt

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
[openssl-project] Monthly Status Report (January)
As well as normal reviews, responding to user queries, wiki user requests, OMC business, handling security reports, etc., key activities this month:
- Attended Real World Crypto 2018 in Zürich in order to collect the Levchin prize on behalf of the team
- Took part in an interview for RedHat
- Reviewed a large number of historic commits wrt the licence change
- IETF TLS WG discussions and updates to spec with respect to the signature_algorithms_cert extension
- Reviewed all outstanding issues and PRs in order to assign them to a milestone as part of 1.1.1 release planning. Closed 134 issues as part of this.
- Co-ordinated discussions on the 1.1.1 release timetable and made a proposal that is currently part of an OMC vote
- Ongoing work on the OpenSSL book
- Ongoing work on the Curve448 primitives implementation
- WIP implementation of configurable number of TLSv1.3 session tickets
- Fixed a bug in s_client PSK usage in 1.1.1
- Fixed some instances of a wrong alert being sent
- Discovered and fixed a bug wrt how renegotiation is handled
- Updated and pushed the SSL_stateless implementation
- Fixed a bug in speed which was attempting to use X25519 for ECDSA
- Fixed a crash in ca
- Fixed a timeout problem in TLSProxy
- Fixed a problem with BN_FLG_CONSTTIME and BN_copy()
- Fixed a problem in DTLS so that we now tolerate alerts with the wrong version number
- Fixed a minor issue in the SSL_trace() code

Matt