From pauli at openssl.org Tue Jun 1 00:34:13 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Tue, 1 Jun 2021 10:34:13 +1000 Subject: Monthly Status: May Message-ID: <992aa2c7-dc27-fb1e-8426-f524d7dcd49d@openssl.org> Significant activities throughout April were: * Conversion of most run-checker jobs to GitHub Actions * Ongoing fixes to keep the run-checker builds working * Addition of cross compilation CI builds & fixes to get them passing * Fixes and improvements in the list, mac and kdf apps * Fixing Coverity issues each week * Fix provider store flushing * Allow property queries to use names before they are defined * Investigation of memory leak run running power up self tests on FIPS provider load * Several minor documentation updates * Threading test fixes * Fixes to the FIPS checksumming to include headers and dependencies * Cleaning up public symbols that aren't in our reserved name spaces * Addition of image files to the HTML documation installation * Added a MAC get block size call * Review of state diagram, vendor evidence and security policy documents for FIPS validation * Update RSA strengths in accordance with IG 7.5 * Add strengths to new RNG calls * Use size_t for lengths in new RAND calls * Cleaning up TODOs in codebase (ongoing) In addition were minor pull requests, reviewing, OMC and OTC business, et al. -------------- next part -------------- An HTML attachment was scrubbed... URL: From tomas at openssl.org Wed Jun 2 16:19:44 2021 From: tomas at openssl.org (Tomas Mraz) Date: Wed, 02 Jun 2021 18:19:44 +0200 Subject: Monthly Status Report (May 2021) Message-ID: My key activities this month were: - triage of newly reported issues and responding to questions - re-triage of issues/PRs in Post 1.1.1 and Assessed milestones - participation on the meetings - reviews of various PRs: - I've reviewed more than 100 PRs this month - Notable PRs reviewed: - FIPS module checksums: add scripts and Makefile rule #8871 - Add BIO_new_from_core_bio() to the public API #15072 - Alpha 16 release - PSK and key_share compliance fixes for RFC 8446 #14749 - Export/import flags for FFC params changed to seperate fields. #15210 - HTTP: Implement persistent connections (keep-alive) etc. #15053 - Init the child providers immediately on creation of the child libctx #15270 - EVP: Modify EVP_PKEY_export() to handle legacy EVP_PKEYs #15293 - Disable client-initiated renegotiation by default #15184 - checksum: include header files in the checksumming output #15365 - Rework how providers/fipsmodule.cnf is produced, and have a separate test/fipsmodule.cnf #15436 - Update Cipher documentation. #15416 - submitted 29 PRs: - In particular: - Multiple PRs for FIPS checksum CI job fine tunnings - Replace EVP_PKEY_supports_digest_nid #15198 - Allow arbitrary digests with ECDSA and DSA #15220 - Add some basic Windows builds to the Windows CI workflow #15349 and follow-up Enable FIPS in the Windows CI 64 bit shared build and fix related issues #15550 - Rename all getters to use get/get0 in name #15405 - Deprecate old style BIO callback calls #15440 - Fix possible infinite loop in pem_read_bio_key_decoder() #15441 -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From matt at openssl.org Thu Jun 3 14:41:33 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 3 Jun 2021 15:41:33 +0100 Subject: Monthly Status Report (May) Message-ID: <1e2f6492-144f-492e-aa41-8c9e145bf889@openssl.org> As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month: - Miscellaneous buildbot admin (setting up workers) - Completed implementation of core BIO API - Significant amount of working implementing child provider library contexts - Performed the alpha 16 release - Implemented mirroring of global properties in child providers - Significant time spent reviewing the migration guide - Fixed a mem leak in the pkcs12 test helpers - Fixed a problem within initialisation of child providers happening too late - Add a missing CHANGES entry for the fully pluggable groups code - Fixed a use-after-free in the child provider code - Implemented better error messages if no decoders/encoders/store loaders are available - Implemented symlink creation during man page installation - Cleaned up various problems in the missing*.txt files - Performed the alpha 17 release - Fixed a problem in the decoders that avoids using the same decoder multiple times - Significant work to enable the use of provider keys read from DER encoded data. This led to a number of related fixes including: - Add a special case for SM2 when decoding due to abuse of the EC OID - Fix cert creation in the store to use libctx/propq - Teaching EC EVP_PKEYs to say whether they were decoded from explicit params - Teaching ASN1_item_verify_ctx() how to handle provided keys - Updating the function check_sig_alg_match() to work with provided keys Matt From matt at openssl.org Tue Jun 15 09:53:03 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 15 Jun 2021 10:53:03 +0100 Subject: VOTE: 3.0 beta1 readiness Message-ID: topic: OTC approve the release of 3.0 beta1 on Thursday 17th June on the basis that: 1) all current approved PRs with the beta1 milestone are merged 2) issues #15755 and #15756 are resolved 3) We accept that VMS does not currently pass tests but expect it to do so before 3.0 final (issue #15757) Proposed by Matt Caswell Public: yes opened: 2021-06-15 closed: 2021-06-15 accepted: yes (for: 7, against: 0, abstained: 0, not voted: 2) Matt [+1] Pauli [+1] Tim [+1] Richard [+1] Shane [+1] Tomas [+1] Kurt [ ] Matthias [ ] Nicola [+1] From Matthias.St.Pierre at ncp-e.com Tue Jun 15 10:04:11 2021 From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre) Date: Tue, 15 Jun 2021 10:04:11 +0000 Subject: VOTE: 3.0 beta1 readiness In-Reply-To: References: Message-ID: +1 > -----Original Message----- > From: openssl-project On Behalf Of Matt Caswell > Sent: Tuesday, June 15, 2021 11:53 AM > To: openssl-project at openssl.org > Subject: VOTE: 3.0 beta1 readiness > > topic: OTC approve the release of 3.0 beta1 on Thursday 17th June on the > basis > that: 1) all current approved PRs with the beta1 milestone are > merged > 2) issues #15755 and #15756 are resolved 3) We accept that VMS > does not > currently pass tests but expect it to do so before 3.0 final (issue > #15757) > Proposed by Matt Caswell > Public: yes > opened: 2021-06-15 > closed: 2021-06-15 > accepted: yes (for: 7, against: 0, abstained: 0, not voted: 2) > > Matt [+1] > Pauli [+1] > Tim [+1] > Richard [+1] > Shane [+1] > Tomas [+1] > Kurt [ ] > Matthias [ ] > Nicola [+1] -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 7494 bytes Desc: not available URL: From kurt at roeckx.be Tue Jun 15 18:01:01 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Tue, 15 Jun 2021 20:01:01 +0200 Subject: VOTE: 3.0 beta1 readiness In-Reply-To: References: Message-ID: On Tue, Jun 15, 2021 at 10:53:03AM +0100, Matt Caswell wrote: > topic: OTC approve the release of 3.0 beta1 on Thursday 17th June on the > basis > that: 1) all current approved PRs with the beta1 milestone are merged > 2) issues #15755 and #15756 are resolved 3) We accept that VMS does > not > currently pass tests but expect it to do so before 3.0 final (issue > #15757) 0 Kurt From pauli at openssl.org Wed Jun 16 09:21:54 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Wed, 16 Jun 2021 19:21:54 +1000 Subject: Repository Message-ID: <0e1ca826-9291-c22e-b509-6e732d4754ba@openssl.org> The repository is frozen in anticipation of the 3.0 beta release. Pauli From matt at openssl.org Wed Jun 16 14:48:27 2021 From: matt at openssl.org (Matt Caswell) Date: Wed, 16 Jun 2021 15:48:27 +0100 Subject: Repository In-Reply-To: <0e1ca826-9291-c22e-b509-6e732d4754ba@openssl.org> References: <0e1ca826-9291-c22e-b509-6e732d4754ba@openssl.org> Message-ID: I've now merged all PRs that I'm aware of for the beta release. If you have an approved PR that you were expecting would be included and it hasn't been, then please point me at it. Thanks Matt On 16/06/2021 10:21, Dr Paul Dale wrote: > The repository is frozen in anticipation of the 3.0 beta release. > > Pauli > From matt at openssl.org Thu Jun 17 13:36:33 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Jun 2021 13:36:33 +0000 Subject: OpenSSL version 3.0.0-beta1 published Message-ID: <20210617133633.GA24818@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenSSL version 3.0 beta 1 released =================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in beta. OpenSSL 3.0 beta 1 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/manmaster/man7/migration_guide.html The beta release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-beta1.tar.gz Size: 14878832 SHA1 checksum: 4b48947969bb3c989ba95ac4bdc4a78e70212d2b SHA256 checksum: 7bfedc9a1062cbd2aabc294acc93cbd5259e6e7bd5bbe38e454cc6a32564029f The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-beta1.tar.gz openssl sha256 openssl-3.0.0-beta1.tar.gz Please download and check this beta release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmDLSDUACgkQ2cTSbQ5g RJHPJQf9GACe9xem5BnK1EPAJtWkXxKZS3NOThT5rp6mCArFCVX3Vvrmui/PUgL2 +EPA9o96G6SJ/AypFyH/SUYfK2weC7LmPGgZ4kk0Od/rn/JE+Pkbk1IyqTb3QnUz LlMIB69m8vx/IJqP/FSCY224iP+gtCzyQvktxra1dLab7SJtDiTtcvvSKv20jd1+ 9V9GSPIrl1G7dU+aWG/jZRZ1g8lmVEoZ/d3wKpddU3A31mSWxyt8Yc5/gRC74NmU EGCHY+6hrrRIoJkIiywlk9HoFQNHf3OT0pK1F8Igfredos6dulUKxcK2jk0gJjQY IG7aAF+ZcysQZ5y0iUksHhb296mRNA== =Jk01 -----END PGP SIGNATURE----- From matt at openssl.org Thu Jun 17 13:41:00 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Jun 2021 14:41:00 +0100 Subject: Repository In-Reply-To: References: <0e1ca826-9291-c22e-b509-6e732d4754ba@openssl.org> Message-ID: The repo is now thawed. OpenSSL 3.0 beta1 release is done!!!!! Matt On 16/06/2021 15:48, Matt Caswell wrote: > I've now merged all PRs that I'm aware of for the beta release. If you > have an approved PR that you were expecting would be included and it > hasn't been, then please point me at it. > > Thanks > > Matt > > > On 16/06/2021 10:21, Dr Paul Dale wrote: >> The repository is frozen in anticipation of the 3.0 beta release. >> >> Pauli >> From matt at openssl.org Thu Jun 17 13:42:30 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Jun 2021 14:42:30 +0100 Subject: Blog post Message-ID: <02973d70-3b7d-0ed0-0fc4-c5ad4107d3d7@openssl.org> For anyone interested I've written a blog post to accompany the 3.0 beta 1 release. You can read it here: https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/ Matt From beldmit at gmail.com Thu Jun 17 13:46:25 2021 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Thu, 17 Jun 2021 15:46:25 +0200 Subject: Repository In-Reply-To: References: <0e1ca826-9291-c22e-b509-6e732d4754ba@openssl.org> Message-ID: Congratulations! On Thu, Jun 17, 2021 at 3:41 PM Matt Caswell wrote: > The repo is now thawed. > > OpenSSL 3.0 beta1 release is done!!!!! > > Matt > > > On 16/06/2021 15:48, Matt Caswell wrote: > > I've now merged all PRs that I'm aware of for the beta release. If you > > have an approved PR that you were expecting would be included and it > > hasn't been, then please point me at it. > > > > Thanks > > > > Matt > > > > > > On 16/06/2021 10:21, Dr Paul Dale wrote: > >> The repository is frozen in anticipation of the 3.0 beta release. > >> > >> Pauli > >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Thu Jun 17 14:35:34 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Jun 2021 15:35:34 +0100 Subject: Press Release Message-ID: <67ea58f5-56db-faae-a79a-650b3efb4d3b@openssl.org> FYI, our press release on 3.0 beta 1 is here: https://www.prnewswire.com/news-releases/openssl-3-0-release-candidate-now-available-301314821.html Matt From matt at openssl.org Thu Jun 17 18:42:57 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Jun 2021 19:42:57 +0100 Subject: Blog post In-Reply-To: References: <02973d70-3b7d-0ed0-0fc4-c5ad4107d3d7@openssl.org> Message-ID: <6e13df42-808a-42f8-ae78-5b42f65edec0@openssl.org> On 17/06/2021 18:35, Ethan Rahn wrote: > Hello Matt, > > Love the blog post, and of course a hearty thanks to everyone who worked > on the project to get it to this point. > > Is the plan still to continue with the FIPS 140-2 validation instead of > 140-3? Apologies for the lack of a first party source but > https://www.leidos.com/insights/fips-140-and-common-criteria-industry-updates-march-2020 > > lists Sept 22, 2021 as the last day for FIPS 140-2 submissions. Is > OpenSSL 3.0 going to be submitted by then? Yes we plan to submit a 140-2 validation by the September deadline. Matt > > Cheers, > > Ethan > > On Thu, Jun 17, 2021, 06:43 Matt Caswell > wrote: > > For anyone interested I've written a blog post to accompany the 3.0 > beta > 1 release. You can read it here: > > https://www.openssl.org/blog/blog/2021/06/17/OpenSSL3.0ReleaseCandidate/ > > > Matt > From matt at openssl.org Tue Jun 22 10:07:52 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 22 Jun 2021 11:07:52 +0100 Subject: OTC VOTE: EVP_Q_mac and EVP_Q_digest outlen parameter Message-ID: <790a11eb-00f7-8c96-a864-a072c07d2219@openssl.org> topic: Change the outlen paramter from unsigned int * to size_t * for EVP_Q_mac and size from unsigned int * to size_t * for EVP_Q_digest. Proposed by Nicola Tuveri Public: yes opened: 2021-06-22 closed: 2021-06-22 accepted: yes (for: 5, against: 3, abstained: 0, not voted: 1) Matt [-1] Pauli [+1] Tim [-1] Richard [+1] Shane [-1] Tomas [+1] Kurt [+1] Matthias [ ] Nicola [+1] From matt at openssl.org Tue Jun 22 10:09:26 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 22 Jun 2021 11:09:26 +0100 Subject: OTC VOTE: Accept the refactor in PR 15854 Message-ID: <08b6c651-155d-c0e8-7dd4-f282b1e007e9@openssl.org> topic: Accept the concept of the refactor proposed in PR 15854 for 3.0 Proposed by Matt Caswell Public: yes opened: 2021-06-22 closed: 2021-06-22 accepted: yes (for: 5, against: 1, abstained: 2, not voted: 1) Matt [+1] Pauli [+1] Tim [-1] Richard [ 0] Shane [+1] Tomas [+1] Kurt [+1] Matthias [ ] Nicola [+0] From matt at openssl.org Tue Jun 29 09:48:25 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 29 Jun 2021 10:48:25 +0100 Subject: OTC VOTE: __owur specifiers for 3.0 Message-ID: topic: We will allow enabling of __owur specifiers for functions for 3.0 as a safe API-change exception. comment: See issue #15902 Proposed by Paul Dale Public: yes opened: 2021-06-29 closed: 2021-mm-dd accepted: yes/no (for: X, against: Y, abstained: Z, not voted: T) Matt [-1] Pauli [ ] Tim [-1] Richard [ 0] Shane [ ] Tomas [ 0] Kurt [ ] Matthias [+0] Nicola [+1] From matt at openssl.org Tue Jun 29 09:49:36 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 29 Jun 2021 10:49:36 +0100 Subject: OTC VOTE: API additions from PR #15790 Message-ID: <90256efc-0fec-55c9-88a6-a007373fe678@openssl.org> topic: Accept the API additions from pull request #15790 subject to the normal review process Proposed by Tomas Mraz Public: yes opened: 2021-06-29 closed: 2021-06-29 accepted: yes (for: 6, against: 1, abstained: 0, not voted: 2) Matt [+1] Pauli [+1] Tim [-1] Richard [+1] Shane [ ] Tomas [+1] Kurt [ ] Matthias [+1] Nicola [+1] From matt at openssl.org Tue Jun 29 09:50:36 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 29 Jun 2021 10:50:36 +0100 Subject: OTC VOTE: Accept PR #15763 Message-ID: topic: Accept PR #15763 for 1.1.1 subject to the normal review process Proposed by Matt Caswell Public: yes opened: 2021-06-29 closed: 2021-06-29 accepted: yes (for: 7, against: 0, abstained: 0, not voted: 2) Matt [+1] Pauli [+1] Tim [+1] Richard [+1] Shane [ ] Tomas [+1] Kurt [ ] Matthias [+1] Nicola [+1] From pauli at openssl.org Wed Jun 30 09:24:04 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Wed, 30 Jun 2021 19:24:04 +1000 Subject: Monthly Status: June Message-ID: Significant activities throughout June were: * Fix new Coverity issues 26 real, 4 false positives * Address all outstanding (ancient) Coverity issues * Fix threads test ordering problem * Fix address sanitiser problems in apps relating to uninitialised BN pointers * Investigation memory leak in dlopen() that's a known problem with valgrind * Investigate and fix memory leak when threading in property code * Investigation and remediation of several threading problems * Add locks to obj_dat.c and obj_xref.c to make the OBJ subsection thread safe (post 3.0 after discussion) * Added decoded caching to avoid lots of allocations and repeated algorithm recreation * Implemented a property list find function * Add a key manager check to better reuse existing key managers in light of algorithm cache flushes * Convert SHA one short functions to be functions not macros, to accept NULL arguments in a way compatible to 1.1.1 * Add a memory sanitiser build * Tweak the time of execution of CI jobs so they run more widely * Fix double to integer conversions in light of the VMS experience * Add integer size sanity checks in light of the VMS experience * Add tests to evp_test for EVP_Q_ functions * Change the way XTS and AEAD ciphers are filtered in apps to unify this behaviour * Earlier detection of bad digest in req command * Covert command line apps to use libctx and property query more extensively * Add a -digest option to spkac command * Fix auto DH problem where the chosen group didn't necessarily meet the current security level * Add RSA key size vs entropy checks in FIPS mode * Updates to the FIPS checksum script * Remove SM2 encoder and decoder from the FIPS provider ... hmmm. * Add digest, cipher and PKEY algorithm life cycle documentation (including pretty pictures) * Update platform policy to allow configuration additions to stable branches * Clean up all remaining TODO notes in the code * Update NEWS to current status * Fix documentation of up-calls from providers to libcrypto * Deprecation of ERR_GET_FUNC() * Create a list of things to do after 3.0 for future discussion In addition were minor pull requests, reviewing, OMC and OTC business, et al. -------------- next part -------------- An HTML attachment was scrubbed... URL: From kurt at roeckx.be Wed Jun 30 17:09:59 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Wed, 30 Jun 2021 19:09:59 +0200 Subject: OTC VOTE: Accept PR #15763 In-Reply-To: References: Message-ID: On Tue, Jun 29, 2021 at 10:50:36AM +0100, Matt Caswell wrote: > topic: Accept PR #15763 for 1.1.1 subject to the normal review process +1 Kurt From kurt at roeckx.be Wed Jun 30 17:22:58 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Wed, 30 Jun 2021 19:22:58 +0200 Subject: OTC VOTE: API additions from PR #15790 In-Reply-To: <90256efc-0fec-55c9-88a6-a007373fe678@openssl.org> References: <90256efc-0fec-55c9-88a6-a007373fe678@openssl.org> Message-ID: On Tue, Jun 29, 2021 at 10:49:36AM +0100, Matt Caswell wrote: > topic: Accept the API additions from pull request #15790 subject to the > normal > review process It seems this is even already merged, so I'll vote 0. Kurt From kurt at roeckx.be Wed Jun 30 17:25:13 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Wed, 30 Jun 2021 19:25:13 +0200 Subject: OTC VOTE: __owur specifiers for 3.0 In-Reply-To: References: Message-ID: On Tue, Jun 29, 2021 at 10:48:25AM +0100, Matt Caswell wrote: > topic: We will allow enabling of __owur specifiers for functions for 3.0 as > a > safe API-change exception. If this was proposed before the beta, I would be happy with such a change. But at some point we need to stop changing the API, so I'll vote -1. Kurt