Re: [openssl-project] Release Criteria Update

2018-09-08 Thread Matt Caswell



On 07/09/18 10:09, Richard Levitte wrote:
> In message  on Fri, 7 Sep 
> 2018 09:56:01 +0100, Matt Caswell  said:
> 
>>
>>
>> On 07/09/18 01:51, Richard Levitte wrote:
>>> I think this one should be part of the lot as well:
>>>
>>> #7144
>>> ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
>>>
>>> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
>>> in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
>>> 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
>>> (proper zero).  That's simply because the internal version number was
>>> changed from a LONG (custom ASN.1 type, mapping to a C long) to a INT32
>>> (new custom ASN.1 type, mapping to a C int32).
>>> (no, we don't want to go back to using LONG)
>>
>> So...that PR seems to be labelled for 1.1.0 too? So why is the problem
>> specific to 1.1.1?
> 
> Because of commit 6a32a3c058dbd9fa7cec5b020e4f027808972e4a, which is
> only present in master.  In that commit, we switch a number of uses of
> LONGs (all the remaining) to INT32.
> 
> Of course, one way would be to revert that commit, but that doesn't
> fix the actual issue with INT32 not reading in a backward compatible
> way (that issue exists in 1.1.0 as well).
> 
> So yeah, in summary, it's a regression that exists only in 1.1.1, but
> is really caused by a bug that exists in 1.1.0 as well.
> 
> I hope that's a good enough explanation.

Makes sense.

Matt

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-08 Thread Richard Levitte
In message  on Fri, 7 Sep 
2018 09:56:01 +0100, Matt Caswell  said:

> 
> 
> On 07/09/18 01:51, Richard Levitte wrote:
> > I think this one should be part of the lot as well:
> > 
> > #7144
> > ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
> > 
> > For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
> > in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
> > 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
> > (proper zero).  That's simply because the internal version number was
> > changed from a LONG (custom ASN.1 type, mapping to a C long) to a INT32
> > (new custom ASN.1 type, mapping to a C int32).
> > (no, we don't want to go back to using LONG)
> 
> So...that PR seems to be labelled for 1.1.0 too? So why is the problem
> specific to 1.1.1?

Because of commit 6a32a3c058dbd9fa7cec5b020e4f027808972e4a, which is
only present in master.  In that commit, we switch a number of uses of
LONGs (all the remaining) to INT32.

Of course, one way would be to revert that commit, but that doesn't
fix the actual issue with INT32 not reading in a backward compatible
way (that issue exists in 1.1.0 as well).

So yeah, in summary, it's a regression that exists only in 1.1.1, but
is really caused by a bug that exists in 1.1.0 as well.

I hope that's a good enough explanation.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-08 Thread Matt Caswell



On 07/09/18 01:51, Richard Levitte wrote:
> I think this one should be part of the lot as well:
> 
> #7144
> ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
> 
> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
> in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
> 02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
> (proper zero).  That's simply because the internal version number was
> changed from a LONG (custom ASN.1 type, mapping to a C long) to a INT32
> (new custom ASN.1 type, mapping to a C int32).
> (no, we don't want to go back to using LONG)

So...that PR seems to be labelled for 1.1.0 too? So why is the problem
specific to 1.1.1?

Matt


> 
> Cheers,
> Richard
> 
> In message  on Thu, 6 Sep 
> 2018 23:41:59 +0100, Matt Caswell  said:
> 
>> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
>> "ready" state. There are 2 which are alternative implementations of the
>> same thing - so there are really on 4 issues currently being addressed:
>>
>> #7145 SipHash: add separate setter for the hash size
>>
>> Owner: Richard
>> Awaiting review (CIs are failing)
>>
>>
>> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>>
>> Owner: Matt
>> Trivial change. Awaiting review
>>
>>
>> #7139 Remove a reference to SSL_force_post_handshake_auth()
>>
>> Owner: Matt
>> Trivial change. Awaiting review
>>
>>
>> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
>> Alternative implementation for #7058
>>
>> Owner: Matt
>> Awaiting review. Anyone?
>>
>>
>> There 5 1.1.1 issues open - 3 of which should be solved by outstanding
>> PRS. The remaining 2 are:
>>
>>
>> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
>> 18-Aug)
>>
>> We thought we had a fix for this, but the PR in question does not seem
>> to have solved the OPs issue
>>
>>
>> #7133 X509_sign SIGSEGVs with NULL private key
>>
>> Should be an easy fix
>>
>>
>> Matt
>> ___
>> openssl-project mailing list
>> openssl-project@openssl.org
>> https://mta.openssl.org/mailman/listinfo/openssl-project
>>
> ___
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
> 
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Richard Levitte
In message <20180907.025152.1131079938025695690.levi...@openssl.org> on Fri, 07 
Sep 2018 02:51:52 +0200 (CEST), Richard Levitte  said:

> For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable

That was a bit of an over-statement...  but it seems that there are
things in the wild that were accepted in 1.1.0 (because LONG is used)
that aren't accepted in 1.1.1.  A regression still, even though with
less drama.

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Richard Levitte
I think this one should be part of the lot as well:

#7144
ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes

For example, *all* two-prime RSA keys from pre-1.1.1 become unreadable
in 1.1.1, because pre-1.1.1 encodes the version indicator (zero) as
02 00 (zero length INTEGER, which is invalid) instead of 02 01 00
(proper zero).  That's simply because the internal version number was
changed from a LONG (custom ASN.1 type, mapping to a C long) to a INT32
(new custom ASN.1 type, mapping to a C int32).
(no, we don't want to go back to using LONG)

Cheers,
Richard

In message  on Thu, 6 Sep 
2018 23:41:59 +0100, Matt Caswell  said:

> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really on 4 issues currently being addressed:
> 
> #7145 SipHash: add separate setter for the hash size
> 
> Owner: Richard
> Awaiting review (CIs are failing)
> 
> 
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
> 
> Owner: Matt
> Trivial change. Awaiting review
> 
> 
> #7139 Remove a reference to SSL_force_post_handshake_auth()
> 
> Owner: Matt
> Trivial change. Awaiting review
> 
> 
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
> 
> Owner: Matt
> Awaiting review. Anyone?
> 
> 
> There 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRS. The remaining 2 are:
> 
> 
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
> 
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OPs issue
> 
> 
> #7133 X509_sign SIGSEGVs with NULL private key
> 
> Should be an easy fix
> 
> 
> Matt
> ___
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
> 
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Paul Dale
PR for 7133 submitted.

 

 

Pauli

-- 

Oracle

Dr Paul Dale | Cryptographer | Network Security & Encryption 

Phone +61 7 3031 7217

Oracle Australia

 

From: Tim Hudson [mailto:t...@cryptsoft.com] 
Sent: Friday, 7 September 2018 8:51 AM
To: openssl-project@openssl.org
Subject: Re: [openssl-project] Release Criteria Update

 

All PRs except #7145 now reviewed and marked ready.

 

Tim 

 

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell mailto:m...@openssl.org"m...@openssl.org> wrote:

We currently have 8 1.1.1 PRs that are open. 3 of which are in the
"ready" state. There are 2 which are alternative implementations of the
same thing - so there are really on 4 issues currently being addressed:

#7145 SipHash: add separate setter for the hash size

Owner: Richard
Awaiting review (CIs are failing)


#7141 Ensure certificate callbacks work correctly in TLSv1.3

Owner: Matt
Trivial change. Awaiting review


#7139 Remove a reference to SSL_force_post_handshake_auth()

Owner: Matt
Trivial change. Awaiting review


#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
Alternative implementation for #7058

Owner: Matt
Awaiting review. Anyone?


There 5 1.1.1 issues open - 3 of which should be solved by outstanding
PRS. The remaining 2 are:


#7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
18-Aug)

We thought we had a fix for this, but the PR in question does not seem
to have solved the OPs issue


#7133 X509_sign SIGSEGVs with NULL private key

Should be an easy fix


Matt
___
openssl-project mailing list
HYPERLINK "mailto:openssl-project@openssl.org"openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

 
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Tim Hudson
All PRs except #7145 now reviewed and marked ready.

Tim

On Fri, Sep 7, 2018 at 8:41 AM, Matt Caswell  wrote:

> We currently have 8 1.1.1 PRs that are open. 3 of which are in the
> "ready" state. There are 2 which are alternative implementations of the
> same thing - so there are really on 4 issues currently being addressed:
>
> #7145 SipHash: add separate setter for the hash size
>
> Owner: Richard
> Awaiting review (CIs are failing)
>
>
> #7141 Ensure certificate callbacks work correctly in TLSv1.3
>
> Owner: Matt
> Trivial change. Awaiting review
>
>
> #7139 Remove a reference to SSL_force_post_handshake_auth()
>
> Owner: Matt
> Trivial change. Awaiting review
>
>
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> Alternative implementation for #7058
>
> Owner: Matt
> Awaiting review. Anyone?
>
>
> There 5 1.1.1 issues open - 3 of which should be solved by outstanding
> PRS. The remaining 2 are:
>
>
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
>
> We thought we had a fix for this, but the PR in question does not seem
> to have solved the OPs issue
>
>
> #7133 X509_sign SIGSEGVs with NULL private key
>
> Should be an easy fix
>
>
> Matt
> ___
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Viktor Dukhovni



> On Sep 6, 2018, at 6:25 PM, Matt Caswell  wrote:
> 
> I'm not keen on that. What do others think?

No objections to issuing a release.  We're unlikely to have to change the
API/ABI or feature set based on further beta feedback.  Any late bugs can
be fixed in 1.1.1a, and unless they trigger CVEs, there's no compelling
reason to wait.  Barring specific concerns, I am not opposed to release
as planned.

-- 
Viktor.

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Tim Hudson
We need to get this release out and available - there are a lot of people
waiting on the "production"release - and who won't go forward on a beta
(simple fact of life there).

I don't see the outstanding items as release blockers - and they will be
wrapped up in time.

Having the release date as a drive I think helps for a lot of focus - and
more stuff has gone into 1.1.1 that we originally anticipated because we
held it open waiting on TLSv1.3 finalisation.

So a +1 for keeping to the release date.

Tim.


On Fri, Sep 7, 2018 at 8:25 AM, Matt Caswell  wrote:

>
>
> On 06/09/18 17:32, Kurt Roeckx wrote:
> > On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> >> Current status of the 1.1.1 PRs/issues:
> >
> > Since we did make a lot of changes, including things that
> > applications can run into, would it make sense to have an other
> > beta release?
>
> I'm not keen on that. What do others think?
>
> Matt
>
> ___
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
>
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Matt Caswell



On 06/09/18 17:32, Kurt Roeckx wrote:
> On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
>> Current status of the 1.1.1 PRs/issues:
> 
> Since we did make a lot of changes, including things that
> applications can run into, would it make sense to have an other
> beta release?

I'm not keen on that. What do others think?

Matt

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Kurt Roeckx
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> Current status of the 1.1.1 PRs/issues:

Since we did make a lot of changes, including things that
applications can run into, would it make sense to have an other
beta release?


Kurt

___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-06 Thread Benjamin Kaduk
On Wed, Sep 05, 2018 at 06:04:08PM -0500, Benjamin Kaduk wrote:
> On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote:
> > Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
> > are the same as yesterday. The 1 that was marked as "ready" yesterday
> > has now been merged, and a new PR addressing issue #7014 has been opened.
> > 
> > There are still 2 open issues for 1.1.1 but both of these are now being
> > addressed by one of the open PRs.
> > 
> > That means there are still 4 "critical path" PRs open:
> > 
> > #7115 Restore historical SSL_get_servername() behavior
> > 
> > Updates made following earlier review. Ready for another round of reviews??
> > Owner: Ben.
> 
> I believe it's ready for another round of reviews, yes.
> Do we think we want to wait for confirmation from @MSP-Greg?

I see that Matt has marked this one as Ready.
I'm going to be "on a plane" (not exactly, but effectively so) for the next
9-ish hours and am not confident that I'll be able to merge it until
tomorrow.  I also see that the original reporter is still not having
success; is anyone in a position to try to set up those Ruby EventMachine
tests (it's unclear if it needs to be on windows or not)?

-Ben
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-05 Thread Tim Hudson
 On Thu, Sep 6, 2018 at 8:59 AM, Matt Caswell  wrote:
> #7113 An alternative to address the SM2 ID issues
> (an alternative to the older PR, #6757)
>
> Updates made following earlier review. Awaiting another round of reviews.
> Owner: Paul Yang

All the previous comments have been addressed. I noted two missing SM2err
calls on malloc failure and a typo in SM2.pod.
I've approved it conditional on those being fixed.

Tim.
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Re: [openssl-project] Release Criteria Update

2018-09-05 Thread Benjamin Kaduk
On Wed, Sep 05, 2018 at 11:59:34PM +0100, Matt Caswell wrote:
> Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
> are the same as yesterday. The 1 that was marked as "ready" yesterday
> has now been merged, and a new PR addressing issue #7014 has been opened.
> 
> There are still 2 open issues for 1.1.1 but both of these are now being
> addressed by one of the open PRs.
> 
> That means there are still 4 "critical path" PRs open:
> 
> #7115 Restore historical SSL_get_servername() behavior
> 
> Updates made following earlier review. Ready for another round of reviews??
> Owner: Ben.

I believe it's ready for another round of reviews, yes.
Do we think we want to wait for confirmation from @MSP-Greg?

-Ben
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-05 Thread Matt Caswell
Today's update is that we still have 6 open PRs for 1.1.1. 5 of these
are the same as yesterday. The 1 that was marked as "ready" yesterday
has now been merged, and a new PR addressing issue #7014 has been opened.

There are still 2 open issues for 1.1.1 but both of these are now being
addressed by one of the open PRs.

That means there are still 4 "critical path" PRs open:

#7115 Restore historical SSL_get_servername() behavior

Updates made following earlier review. Ready for another round of reviews??
Owner: Ben.

#7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
(an alternative to the older PR, #7058)

Currently in review. Awaiting some updates following review feedback.
Owner: Matt.

#7113 An alternative to address the SM2 ID issues
(an alternative to the older PR, #6757)

Updates made following earlier review. Awaiting another round of reviews.
Owner: Paul Yang

#7073 Support EdDSA in apps/speed

Updates made following earlier review. Awaiting another round of reviews.
Owner: Paul Yang


Matt

On 04/09/18 17:11, Matt Caswell wrote:
> Current status of the 1.1.1 PRs/issues:
> 
> There are currently 6 open PRs for 1.1.1. However in 2 cases there are 2
> alternative implementations for the same thing - so really there are
> only 4 issues being addressed. One of these is in the "ready" state.
> 
> The remaining 3 are:
> 
> #7114 Process KeyUpdate and NewSessionTicket messages after a close_notify
> (an alternative to the older PR, #7058)
> 
> Awaiting review
> Owner: Matt
> 
> #7113 An alternative to address the SM2 ID issues
> (an alternative to the older PR, #6757)
> 
> Currently being reviewed
> Owner: Paul Yang
> 
> #7073 Support EdDSA in apps/speed
> 
> Awaiting updates following review comments
> Owner: Paul Yang
> 
> 
> There are 2 open issues for 1.1.1. One of these is being addressed by
> PR#7073 above. The other one is:
> 
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
> 
> This one seems stuck!! No clear way forward as yet.
> 
> Ben - any views?
> 
> 
> Matt
> 
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Re: [openssl-project] Release Criteria Update

2018-09-04 Thread Benjamin Kaduk
On Tue, Sep 04, 2018 at 05:11:41PM +0100, Matt Caswell wrote:
> There are 2 open issues for 1.1.1. One of these is being addressed by
> PR#7073 above. The other one is:
> 
> #7014 TLSv1.2 SNI hostname works in 1.1.0h, not in 1.1.1 master (as of
> 18-Aug)
> 
> This one seems stuck!! No clear way forward as yet.
> 
> Ben - any views?

I'm thinking that the ABI stability argument is going to win me over and
we should continue to return the client's offered SNI in all cases until
1.2.0.  Hoping to get a patch out this morning (US pacific) -- yesterday
was a national holiday.

-Ben
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project