From paul.dale at oracle.com Mon Aug 3 21:22:03 2020
From: paul.dale at oracle.com (Dr Paul Dale)
Date: Tue, 4 Aug 2020 07:22:03 +1000
Subject: RAND_DRBG futures
Message-ID:

I've closed the vote. Five for, none against, the vote passes.

RAND_DRBG will be absent in 3.0.

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

From openssl at openssl.org Thu Aug 6 13:44:20 2020
From: openssl at openssl.org (OpenSSL)
Date: Thu, 6 Aug 2020 13:44:20 +0000
Subject: OpenSSL version 3.0.0-alpha6 published
Message-ID: <20200806134420.GA4809@openssl.org>

OpenSSL version 3.0 alpha 6 released
====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha.

OpenSSL 3.0 alpha 6 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
as known issues are available on the OpenSSL Wiki, here:

    https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

 o openssl-3.0.0-alpha6.tar.gz
   Size: 13963353
   SHA1 checksum: bac4e232f5238c5f267c3e108227cfadbd4b7120
   SHA256 checksum: 1e8143b152f33f76530da2eaedc5d841121ff9e7247a857390cceac6503f482b

The checksums were calculated using the following commands:

    openssl sha1 openssl-3.0.0-alpha6.tar.gz
    openssl sha256 openssl-3.0.0-alpha6.tar.gz

Please download and check this alpha release as soon as possible.
To report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available
on GitHub.)

Yours,

The OpenSSL Project Team.

From matt at openssl.org Wed Aug 12 09:05:16 2020
From: matt at openssl.org (Matt Caswell)
Date: Wed, 12 Aug 2020 10:05:16 +0100
Subject: Monthly Status Report (July)
Message-ID: <6a34872c-d295-d9d7-d74b-0eb53e1d1fe4@openssl.org>

As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Continued and completed work on PR to fix CMP related msan failures
- Continued and completed work on moving TLS CBC code into the providers
- Continued and completed work on fixing an issue in
  OSSL_PROVIDER_get_capabilities()
- Ongoing review work on the KTLS patches
- Fixed no-dh and no-dsa
- Fixed no-e2m
- Fixed a test failure in test_verify
- Fixed an issue where Digest[Sign|Verify]Init were falling back to
  legacy code paths too easily
- Fixed an issue with test_cmp_cli in the extended tests
- Investigated and fixed an issue with
  EVP_default_properties_is_fips_enabled() not working as expected
- Significant work on moving constant time MAC code out of libssl into
  providers
- Significant work on moving legacy KDF bridge into the providers

I also took a one week holiday during July.
Matt

From paul.dale at oracle.com Sun Aug 16 06:19:04 2020
From: paul.dale at oracle.com (Dr Paul Dale)
Date: Sun, 16 Aug 2020 16:19:04 +1000
Subject: TLS 1.3 illustrated
Message-ID: <012E7EF2-2262-43B1-9199-948B1360780B@oracle.com>

This might be interesting to some:

    https://tls13.ulfheim.net

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

From Matthias.St.Pierre at ncp-e.com Sun Aug 16 09:59:52 2020
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Sun, 16 Aug 2020 09:59:52 +0000
Subject: TLS 1.3 illustrated
In-Reply-To: <012E7EF2-2262-43B1-9199-948B1360780B@oracle.com>
References: <012E7EF2-2262-43B1-9199-948B1360780B@oracle.com>
Message-ID:

Nice, thank you for the link. FWIW, there is also a TLS 1.2 illustrated page:

    https://tls12.ulfheim.net

Matthias

From: openssl-project On Behalf Of Dr Paul Dale
Sent: Sunday, August 16, 2020 8:19 AM
To: openssl-project at openssl.org
Subject: TLS 1.3 illustrated

This might be interesting to some:

    https://tls13.ulfheim.net

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

From matthias.st.pierre at ncp-e.com Tue Aug 18 11:12:24 2020
From: matthias.st.pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Tue, 18 Aug 2020 13:12:24 +0200
Subject: VOTE: Rename OPENSSL_CTX to OSSL_LIB_CTX (as proposed by pull request #12621)
Message-ID: <65423fc5-50b6-6d57-f8e2-79851c1bc124@ncp-e.com>

The main rationale behind this change is consistency, because many of the new
OpenSSL 3.0 types have an OSSL_ prefix, and OPENSSL_CTX is a notable exception.
More details can be found in the description and thread of pull request #12621.
There was a discussion on openssl-committers and an initial poll on doodle about the
favourite replacements for OPENSSL_CTX (https://doodle.com/poll/drku9ziwvkp6tw25).

Matthias

From levitte at openssl.org Tue Aug 18 11:15:46 2020
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 18 Aug 2020 13:15:46 +0200
Subject: OTC VOTE in progress: Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
Message-ID: <87a6ysxl0d.wl-levitte@openssl.org>

topic: Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE

The rationale is that it makes things easier on programmers
(encode / decode is easier to write than serialize / deserialize),
and also avoids disputes on what is and isn't serialization.

Associated issues and PRs: #12455, #12659 and #12660

Cheers,
Richard

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
_______________________________________________
otc mailing list
otc at openssl.org
https://mta.openssl.org/mailman/listinfo/otc

From levitte at openssl.org Thu Aug 20 06:44:07 2020
From: levitte at openssl.org (Richard Levitte)
Date: Thu, 20 Aug 2020 08:44:07 +0200
Subject: OTC VOTE in progress: Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
In-Reply-To: <87a6ysxl0d.wl-levitte@openssl.org>
References: <87a6ysxl0d.wl-levitte@openssl.org>
Message-ID: <87sgchx1e0.wl-levitte@openssl.org>

Votes have been cast, and the verdict is:

accepted: yes (for: 5, against: 1, abstained: 4, not voted: 1)

Cheers,
Richard

On Tue, 18 Aug 2020 13:15:46 +0200,
Richard Levitte wrote:
>
> topic: Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
>
> The rationale is that it makes things easier on programmers
> (encode / decode is easier to write than serialize / deserialize),
> and also avoids disputes on what is and isn't serialization.
>
> Associated issues and PRs: #12455, #12659 and #12660
>
> Cheers,
> Richard
>
> --
> Richard Levitte levitte at openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
>
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From matthias.st.pierre at ncp-e.com Thu Aug 20 08:35:25 2020
From: matthias.st.pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 20 Aug 2020 10:35:25 +0200
Subject: VOTE: Rename OPENSSL_CTX to OSSL_LIB_CTX (as proposed by pull request #12621)
In-Reply-To: <65423fc5-50b6-6d57-f8e2-79851c1bc124@ncp-e.com>
References: <65423fc5-50b6-6d57-f8e2-79851c1bc124@ncp-e.com>
Message-ID:

The vote has been closed, the verdict is:

    accepted: yes (for: 5, against: 0, abstained: 4, not voted: 2)

On 18.08.20 13:12, Dr. Matthias St. Pierre wrote:
> The main rationale behind this change is consistency, because many of the new
> OpenSSL 3.0 types have an OSSL_ prefix, and OPENSSL_CTX is a notable exception.
> More details can be found in the description and thread of pull request #12621.
>
> There was a discussion on openssl-committers and an initial poll on doodle about the
> favourite replacements for OPENSSL_CTX (https://doodle.com/poll/drku9ziwvkp6tw25).
>
> Matthias
>

From matt at openssl.org Wed Aug 26 15:58:26 2020
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2020 16:58:26 +0100
Subject: Beta1 PR deadline
Message-ID:

Hi all

The OMC had a meeting today.

Please can anyone with PRs that they wish to have included in OpenSSL
3.0 beta1 ensure that they are merged to master by 8th September.

Note in particular that there is no PR at the moment to incorporate SM2
asymmetric encryption into OpenSSL 3.0. This feature currently exists in
1.1.1, so if no PR emerges by the above date then this feature is liable
to be dropped in 3.0.
(Note: PRs for SM2 signatures *do* exist and are expected to be present).

Matt

From paul.dale at oracle.com Wed Aug 26 16:02:51 2020
From: paul.dale at oracle.com (Dr Paul Dale)
Date: Thu, 27 Aug 2020 02:02:51 +1000
Subject: Beta1 PR deadline
In-Reply-To:
References:
Message-ID: <99E938A2-4CB6-4C62-9A65-1EDA92039BA7@oracle.com>

It is also worth noting that new features will not be accepted during the beta period.

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

> On 27 Aug 2020, at 1:58 am, Matt Caswell wrote:
>
> Hi all
>
> The OMC had a meeting today.
>
> Please can anyone with PRs that they wish to have included in OpenSSL
> 3.0 beta1 ensure that they are merged to master by 8th September.
>
> Note in particular that there is no PR at the moment to incorporate SM2
> asymmetric encryption into OpenSSL 3.0. This feature currently exists in
> 1.1.1, so if no PR emerges by the above date then this feature is liable
> to be dropped in 3.0. (Note: PRs for SM2 signatures *do* exist and are
> expected to be present).
>
>
> Matt
>
>

From matt at openssl.org Wed Aug 26 16:11:36 2020
From: matt at openssl.org (Matt Caswell)
Date: Wed, 26 Aug 2020 17:11:36 +0100
Subject: Beta1 PR deadline
In-Reply-To:
References:
Message-ID: <9b5a6d71-781c-2baa-3d9f-5193001fdd6f@openssl.org>

On 26/08/2020 17:02, Salz, Rich wrote:
>> Please can anyone with PRs that they wish to have included in OpenSSL
> 3.0 beta1 ensure that they are merged to master by 8th September.
>
> And how are non-committers supposed to do that
>

In the same way as normal. Ensure your PRs are raised asap, and
encourage committers/OTC to review them.
Matt

From rsalz at akamai.com Wed Aug 26 16:02:23 2020
From: rsalz at akamai.com (Salz, Rich)
Date: Wed, 26 Aug 2020 16:02:23 +0000
Subject: Beta1 PR deadline
In-Reply-To:
References:
Message-ID:

> Please can anyone with PRs that they wish to have included in OpenSSL
> 3.0 beta1 ensure that they are merged to master by 8th September.

And how are non-committers supposed to do that

From matt at openssl.org Thu Aug 27 10:06:09 2020
From: matt at openssl.org (Matt Caswell)
Date: Thu, 27 Aug 2020 11:06:09 +0100
Subject: OTC vote on PR11188
Message-ID: <930c7d61-38ed-39b0-230f-50ee6da5dd13@openssl.org>

FYI, I have initiated the following vote on PR11188. Please see the
comments in that PR for the background. I will report back with the
result of the vote once known.

topic: The performance improvements provided in PR11188 should be
       considered a bug fix and therefore acceptable for backport to
       1.1.1
Proposed by Matt Caswell
Public: yes
opened: 2020-08-27
closed: 2020-mm-dd

Matt

From Matthias.St.Pierre at ncp-e.com Thu Aug 27 10:22:05 2020
From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre)
Date: Thu, 27 Aug 2020 10:22:05 +0000
Subject: OTC vote on PR11188
In-Reply-To: <930c7d61-38ed-39b0-230f-50ee6da5dd13@openssl.org>
References: <930c7d61-38ed-39b0-230f-50ee6da5dd13@openssl.org>
Message-ID: <1a09e5f694184225ac8c6f1c28f38b0a@ncp-e.com>

-0

> -----Original Message-----
> From: openssl-project On Behalf Of Matt Caswell
> Sent: Thursday, August 27, 2020 12:06 PM
> To: openssl-project at openssl.org
> Subject: OTC vote on PR11188
>
> FYI, I have initiated the following vote on PR11188. Please see the
> comments in that PR for the background. I will report back with the
> result of the vote once known.
>
> topic: The performance improvements provided in PR11188 should be
>        considered a bug fix and therefore acceptable for backport to
>        1.1.1
> Proposed by Matt Caswell
> Public: yes
> opened: 2020-08-27
> closed: 2020-mm-dd
>
>
> Matt
>

From kris at amongbytes.com Wed Aug 26 08:49:00 2020
From: kris at amongbytes.com (Kris Kwiatkowski)
Date: Wed, 26 Aug 2020 08:49:00 -0000
Subject: Integration of new algorithms
In-Reply-To:
References:
Message-ID:

Hey,

I'm working on development of an OpenSSL ENGINE that integrates
post-quantum algorithms (new NIDs). During integration I need to modify
OpenSSL code to add a custom function, but would prefer not to need to
add anything to OpenSSL code (so the engine can be dynamically loaded by
any modern OpenSSL).

So, in three cases, namely when the code is in callbacks for keygen,
encryption and ctrl (called by EVP_PKEY_CTX_ctrl, EVP_PKEY_encrypt and
EVP_PKEY_keygen), I need to get the NID of the scheme. The problem is
that those functions are called with an EVP_PKEY_CTX object provided as
an argument. The NID is stored in the EVP_PKEY_CTX->pmeth->pkey_id.
I think (AFAIK) there is no API which would return that value.

I've added a simple function that returns pkey_id from the ctx, but that
means that I need to change OpenSSL code. Is there any way to get the
NID without changing OpenSSL?

Kind regards,
Kris