From pauli at openssl.org Sun May 2 07:11:45 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Sun, 2 May 2021 17:11:45 +1000
Subject: Monthly status: April
Message-ID: <26ce27b9-7ffd-733b-93a5-cb7bf00f9382@openssl.org>

Significant activities throughout April were:

* Coverity triage and fixes
* AES-CBC speed fix
* KMAC buffer overflow fix
* Removal of EVP_sha() and friends in favour of EVP_MD_fetch()
* SipHash control fix
* Document different returns from control functions
* Fix double free issue
* Triage and fix all failing run-checker jobs (ongoing)
* Add additional run-checker jobs to cover missing options (ongoing)
* EVP_MAC proposal for XOF MACs
* Disable ACVP test code by default
* Fix a threading problem in EVP_fetch with the default library context.

In addition were minor pull requests, reviewing, OMC and OTC business, et al.

Pauli

From tomas at openssl.org Mon May 3 09:17:05 2021
From: tomas at openssl.org (Tomas Mraz)
Date: Mon, 03 May 2021 11:17:05 +0200
Subject: Monthly Status Report (April 2021)
Message-ID: <527031d060c9dabc724117aededbdb5c513a65c2.camel@openssl.org>

My key activities this month were:

- triage of newly reported issues and responding to questions
- participation on the meetings
- AppVeyor reconfiguration to run only on pushes to master
- reviews of various PRs:
  - I've reviewed about 90 PRs this month
  - Notable PRs reviewed:
    - Configure/Makefile: fix some FIPS installation issues #13684
    - Add library context and property query support into the PKCS12 APIs #14434
    - Add OIDs among algorithm names + don't go via NIDs when fetching an algorithm from a ASN1_OBJECT #14498
    - Fix d2i_PrivateKey() and PEM_X509_INFO_read_bio_ex() etc.
      loading private keys #14647
    - Add OSSL_ALGORITHM description field + API to use them #14656
    - Only enable KTLS if it is explicitly configured #14799
    - Alpha 14 release
    - Store some FIPS global variables in the FIPS_GLOBAL structure #14814
    - ENCODER & DECODER: Allow decoder implementations to specify "carry on" #14834
    - Fix dh_rfc5114 option in genpkey. #14883
    - Alpha 15 release
    - STORE: Use the 'expect' param to limit the amount of decoders used #15066
- submitted 30 PRs:
  - In particular:
    - Deprecate the EVP_PKEY controls for CMS and PKCS#7 #14760
    - Implement provider-side keymgmt_dup function #14793
    - Detect low-level engine based keys #14859
    - Add type_name member to provided methods and use it #14898
    - Prefer fetch over get_digestby... or get_cipherby... where appropriate #15028
    - Implement pem_read_key directly through OSSL_DECODER #15045
    - Correct the SM2 handling of DIGEST and DIGEST_SIZE parameters #15074
    - Add -latomic to threads enabled 32bit linux builds #15086
    - Make the -inform option to be respected if possible #15100

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]

From matt at openssl.org Tue May 4 10:06:30 2021
From: matt at openssl.org (Matt Caswell)
Date: Tue, 4 May 2021 11:06:30 +0100
Subject: Final alpha release
In-Reply-To: <7ad114cc-7cdc-2d72-7c56-cbd96e6303e7@openssl.org>
References: <7ad114cc-7cdc-2d72-7c56-cbd96e6303e7@openssl.org>
Message-ID: <8407854e-ba1c-afe0-1246-1cfe6a359dee@openssl.org>

Hi all

Final reminder: The final 3.0 alpha release is still planned for 20th May. Please ensure you have your PRs for new features, APIs or breaking changes submitted, approved and merged by this date.

We won't be sending further reminders of this!

Matt

On 08/04/2021 10:08, Matt Caswell wrote:
> The OMC are currently planning that the final alpha release of OpenSSL
> 3.0 will be made available on 20th May 2021.
> Anyone wanting new
> features, APIs or breaking changes to be included in 3.0 should aim to
> get their PRs submitted, approved and merged by this date.
>
> Thanks
>
> Matt

From nic.tuv at gmail.com Tue May 4 10:06:58 2021
From: nic.tuv at gmail.com (Nicola Tuveri)
Date: Tue, 4 May 2021 13:06:58 +0300
Subject: OpenSSF Security Metrics Initiative
Message-ID:

Hi,

I wanted to point out to the OMC and to openssl-project a new initiative from the [Open Source Security Foundation](www.openssf.org): the Security Metrics Initiative.

A more detailed description is available at <https://openssf.org/blog/2021/05/03/introducing-the-security-metrics-project/>.

It should be remarked that the service is to be considered alpha, and that changes in the API, in data sources might occur at this stage, and that there might be inaccuracies in the reported data.

Here is a direct link to what the initiative reports for the OpenSSL project: <https://metrics.openssf.org/grafana/d/default/metric-dashboard?orgId=1&var-PackageURL=pkg%3Agithub/openssl/openssl>.

In particular it seems we score quite low on the OpenSSF Scorecard (30.8% as I am writing this mail) and, also for the data coming from the OpenSSF Best Practices Badge Program, it looks like the project has many negative marks.

It should also be noted that the description field in the project information for `github:/openssl/openssl` reports:

> This is a historical badge entry for the OpenSSL project before the Heartbleed vulnerability was reported, circa February 2014. Please note that the OpenSSL project's status has changed substantially since then. For the current state of OpenSSL, see the current OpenSSL badge entry. [...]

So maybe it is not too alarming that many of the negative marks are coming from unexpected entries: e.g. it seems at the moment it reports we don't have/use static/dynamic analysis, we don't have vulnerability reporting, code review, CI Tests or Pull Requests.
Nonetheless given this tool might soon be used to pick among alternatives when making critical infrastructure design choices, or affect funding decisions or resource planning, it might be a good thing for the OMC to get proactive and reach out to straighten the record for current OpenSSL releases, to offer suggestions on alternative metrics to be considered, on redefining criteria for existing metrics, and possibly incorporate feedback from the Security Metrics initiative to adapt plans regarding future roadmap for OpenSSL.

I finish reporting in this email the last paragraph from the Security Metrics Initiative announcement, as it might be of interest for all subscribers to openssl-project:

> Your [feedback](https://github.com/ossf/Project-Security-Metrics/issues) is most welcome, and if you're interested in learning more or joining this effort, please reach out to [Michael Scovetta](mailto://michael.scovetta at microsoft.com) or join us at our next [working group](https://github.com/ossf/wg-identifying-security-threats) meeting.

Best regards,

Nicola Tuveri

From nic.tuv at gmail.com Tue May 4 10:17:51 2021
From: nic.tuv at gmail.com (Nicola Tuveri)
Date: Tue, 4 May 2021 13:17:51 +0300
Subject: OTC VOTE: Reject PR#14759
In-Reply-To:
References:
Message-ID:

The vote is now closed: it passed, and PR#14759 is rejected.

----------------
topic: Reject PR#14759
Proposed by Nicola Tuveri
Public: yes
opened: 2021-04-20
closed: 2021-05-04
accepted: yes (for: 3, against: 2, abstained: 4, not voted: 2)

  Matt       [ 0]
  Mark       [  ]
  Pauli      [-0]
  Viktor     [  ]
  Tim        [-1]
  Richard    [ 0]
  Shane      [+1]
  Tomas      [-1]
  Kurt       [+1]
  Matthias   [ 0]
  Nicola     [+1]

Best regards,

Nicola Tuveri
From matt at openssl.org Tue May 4 13:27:48 2021
From: matt at openssl.org (Matt Caswell)
Date: Tue, 4 May 2021 14:27:48 +0100
Subject: Monthly Status Report (April)
Message-ID: <5bd44637-4804-b9ac-20d9-840e3ebf6dae@openssl.org>

As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month:

- Completed and merged a man page giving a libcrypto overview
- Performed alpha14 release
- Changed KTLS to only enable it if explicitly configured
- Removed the EVP_PKEY_set_alias_type function
- Fixed problem with 128 bit int detection
- Refactored some FIPS global variables to store them in the FIPS_GLOBAL structure instead
- Removed a TODO from X509_PUBKEY_set
- Changed the default MANSUFFIX
- Fixed some TODOs in ssl/t1_lib.c
- Removed a TODO from the unix Makefile template
- Removed a TODO from keymgmt_lib.c
- Changed the semantics of OSSL_LIB_CTX_set0_default NULL handling to resolve a reported issue
- Fix to libssl to defer finished MAC handling until after the state transition (in DTLS)
- Performed the alpha15 release
- Implemented a draft PR to enable providers to use other providers from the application libctx
- Fixed access to the provider flag_activated field to ensure it was thread safe
- Fixed a thread safety issue in the provider config module
- Fixed no-dtls1_2
- Ongoing investigation into a potential 1.1.1 memory issue (#15046)
- Implemented the new public API function BIO_new_from_core_bio()

Matt

From Michael.Scovetta at microsoft.com Tue May 4 14:27:50 2021
From: Michael.Scovetta at microsoft.com (Michael Scovetta)
Date: Tue, 4 May 2021 14:27:50 +0000
Subject: OpenSSF Security Metrics Initiative
In-Reply-To:
References:
Message-ID:

Hi Nicola!

Thanks for reaching out! (And for understanding that the metric dashboard is alpha quality, and on a good day, an approximation of the health of a project.
So yes, many of the items don't reflect reality.

For OpenSSL, the Scorecard data is gathered by this project (which I'm just a consumer of):
ossf/scorecard: Security Scorecards - Security health metrics for Open Source (github.com)

For example, the SECURITY.md, it appears that project is just looking for a file with that name in either the root or the .github folder. Similarly for the others, but I will go through OpenSSL today to make sure it's at least *technically* working correctly. As we move this project forward, we want to be able to pull out metrics on non-GitHub projects as well.

I'll also add a note to the dashboard page itself about the content being alpha quality, etc.

But to the larger going forward point, yes, on behalf of the working group, we would greatly appreciate additional insight and thoughts into how we can make this useful and reflect reality - the intent isn't to make *any* project look "bad", especially due to our implementation.

Thanks again!

Mike

From: Nicola Tuveri
Sent: Tuesday, May 4, 2021 3:12 AM
To: OpenSSL Project; otc at openssl.org
Cc: Michael Scovetta
Subject: OpenSSF Security Metrics Initiative

Hi,

I wanted to point out to the OMC and to openssl-project a new initiative from the [Open Source Security Foundation](www.openssf.org): the Security Metrics Initiative.

A more detailed description is available at >.

It should be remarked that the > service is to be considered alpha, and that changes in the API, in data sources might occur at this stage, and that there might be inaccuracies in the reported data.

Here is a direct link to what the initiative reports for the OpenSSL project: >.

In particular it seems we score quite low on the OpenSSF Scorecard (30.8% as I am writing this mail) and, also for the data coming from the OpenSSF Best Practices Badge Program, it looks like the project has many negative marks.
It should also be noted that the description field in the project information for `github:/openssl/openssl` reports:

> This is a historical badge entry for the OpenSSL project before the Heartbleed vulnerability was reported, circa February 2014. Please note that the OpenSSL project's status has changed substantially since then. For the current state of OpenSSL, see the current OpenSSL badge entry. [...]

So maybe it is not too alarming that many of the negative marks are coming from unexpected entries: e.g. it seems at the moment it reports we don't have/use static/dynamic analysis, we don't have vulnerability reporting, code review, CI Tests or Pull Requests.

Nonetheless given this tool might soon be used to pick among alternatives when making critical infrastructure design choices, or affect funding decisions or resource planning, it might be a good thing for the OMC to get proactive and reach out to straighten the record for current OpenSSL releases, to offer suggestions on alternative metrics to be considered, on redefining criteria for existing metrics, and possibly incorporate feedback from the Security Metrics initiative to adapt plans regarding future roadmap for OpenSSL.

I finish reporting in this email the last paragraph from the Security Metrics Initiative announcement, as it might be of interest for all subscribers to openssl-project:

> Your [feedback](https://github.com/ossf/Project-Security-Metrics/issues) is most welcome, and if you're interested in learning more or joining this effort, please reach out to [Michael Scovetta](mailto://michael.scovetta at microsoft.com) or join us at our next [working group](https://github.com/ossf/wg-identifying-security-threats) meeting.

Best regards,

Nicola Tuveri
From pauli at openssl.org Thu May 6 03:29:38 2021
From: pauli at openssl.org (Dr Paul Dale)
Date: Thu, 6 May 2021 13:29:38 +1000
Subject: Freeze
Message-ID:

I've frozen the repository for the next alpha release on Thursday.

From openssl at openssl.org Thu May 6 12:45:32 2021
From: openssl at openssl.org (OpenSSL)
Date: Thu, 6 May 2021 12:45:32 +0000
Subject: OpenSSL version 3.0.0-alpha16 published
Message-ID: <20210506124532.GA16280@openssl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenSSL version 3.0 alpha 16 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha.

OpenSSL 3.0 alpha 16 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here:

    https://wiki.openssl.org/index.php/OpenSSL_3.0

The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0-alpha16.tar.gz
    Size: 14491795
    SHA1 checksum: 9719fde1203a21f768c5688dd7bd579c6b5a8ae4
    SHA256 checksum: 08ce8244b59d75f40f91170dfcb012bf25309cdcb1fef9502e39d694f883d1d1

The checksums were calculated using the following commands:

    openssl sha1 openssl-3.0.0-alpha16.tar.gz
    openssl sha256 openssl-3.0.0-alpha16.tar.gz

Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.)

Yours,

The OpenSSL Project Team.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From matt at openssl.org Thu May 6 12:51:23 2021
From: matt at openssl.org (Matt Caswell)
Date: Thu, 6 May 2021 13:51:23 +0100
Subject: Freeze
In-Reply-To:
References:
Message-ID: <7e08804f-4eac-ddfd-f154-888e2ff9eb45@openssl.org>

The release has now been completed and the repo is thawed.

Matt

On 06/05/2021 04:29, Dr Paul Dale wrote:
> I've frozen the repository for the next alpha release on Thursday.
>

From levitte at openssl.org Fri May 7 07:21:55 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:21:55 +0200
Subject: Late Monthly Status Report (November 2020)
Message-ID: <875yzvvwj0.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - [WIP] APPS: Refactoring dsaparam and dhparam (PR openssl/openssl#12072)
  - EVP: Adapt EVP_PKEY2PKCS8() to better handle provider-native keys (PR openssl/openssl#12995)
  - Deprecate RSA harder (PR openssl/openssl#13096)
  - Add new provider encoders implementations for more output standards, take 2 (PR openssl/openssl#13167)
  - util/fix-deprecation: DEPRECATEDIN conversion util for public headers (PR openssl/openssl#13239)
  - Simplify and clarify doc/internal/man7/deprecation.pod (PR openssl/openssl#13240)
  - test/endecoder_legacy_test.c: new test for legacy comparison (PR openssl/openssl#13262)
  - test/recipes/90-test_shlibload.t: Skip when address sanitizer enabled (PR openssl/openssl#13281)
  - Cleanup
    error reporting in crypto/ (PR openssl/openssl#13318)
  - Cleanup error reporting providers (PR openssl/openssl#13319)
  - Really deprecate the old NAMEerr() macros (PR openssl/openssl#13320)
  - Fix test/recipes/80-test_ca.t to skip_all properly in a subtest (PR openssl/openssl#13331)
  - EVP: Have all EVP_PKEY check functions export to provider if possible (PR openssl/openssl#13334)
  - Small passphrase reading fixes (PR openssl/openssl#13346)
  - ERR: deprecate all old ERR_load_ and stop producing new ones (PR openssl/openssl#13390)
  - Fix SUPPORT.md for better readability (PR openssl/openssl#13398)
  - DOC: Fixup the description of the -x509_strict option (PR openssl/openssl#13412)
  - util/mkrc.pl: Make sure FILEVERSION and PRODUCTVERSION have four numbers (PR openssl/openssl#13415)
  - util/find-doc-nits: check podchecker() return value (PR openssl/openssl#13416)
  - DOC: Fix example in OSSL_PARAM_int.pod (PR openssl/openssl#13426)
  - SSL: Change SSLerr() to ERR_raise() (PR openssl/openssl#13450)
  - TEST: Make our test data binary (PR openssl/openssl#13477)
  - DOC: Add note on how to terminate an OSSL_PARAM array (PR openssl/openssl#13478)
  - APPS: Guard use of IPv6 functions and constants with a check of AF_INET6 (PR openssl/openssl#13484)
  - ERR: Restore the similarity of ERR_print_error_cb() and ERR_error_string_n() (PR openssl/openssl#13510)
  - APPS: Modify the way apps/cmp.c silences the UI_METHOD when -batch is given (PR openssl/openssl#13512)
  - EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more available (PR openssl/openssl#13530)
  - TEST: Fix path length in test/ossl_store_test.c (PR openssl/openssl#13546)
  - RSA: correct digestinfo_ripemd160_der[] (PR openssl/openssl#13562)

* Web:
  - REVIEWED: Update newsflash for alpha 8 release (PR openssl/web#206 by mattcaswell)
  - REVIEWED: Update newsflash for new release (PR openssl/web#208 by mattcaswell)

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org
Fri May 7 07:22:45 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:22:45 +0200
Subject: Late Monthly Status Report (December 2020)
Message-ID: <874kffvwhm.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - [not_yet_closed] [tentative] ECDH provider side implementation doesn't care about peer key parameters, should it? (Issue openssl/openssl#11491)
  - DISCUSSED: Is OAEP working as expected? (Issue openssl/openssl#12981 by mattcaswell)
  - Add EVP_PKEY_get_group_name and use that in libssl instead of evp_pkey_get_EC_KEY_curve_nid() (PR openssl/openssl#13436)
  - Switch deprecation method (PR openssl/openssl#13460)
  - TEST: Add a simple module loader, and test the FIPS module with it (PR openssl/openssl#13507)
  - APPS: Check that all apps really consume all command line arguments (Issue openssl/openssl#13527)
  - Does EVP_ENCODER_CTX_new_by_EVP_PKEY() need an explicit library context?
    (Issue openssl/openssl#13544)
  - ENCODER: Don't pass libctx to OSSL_ENCODER_CTX_new_by_EVP_PKEY() (PR openssl/openssl#13545)
  - PEM: Add a more generic way to implement PEM _ex functions for libctx (PR openssl/openssl#13547)
  - Make algorithm specific EVP_PKEY_CTX setters and getters more available (Issue openssl/openssl#13550)
  - APPS: Add OSSL_STORE loader for engine keys, and use it (PR openssl/openssl#13570)
  - DOCS: Update OSSL_DECODER_CTX_new_by_EVP_PKEY.pod to match declarations (PR openssl/openssl#13581)
  - Make DH & EC EVP_PKEY_CTX parameter ctrls / setters more available (PR openssl/openssl#13589)
  - CHANGES: Move misplaced change item (PR openssl/openssl#13605)
  - DSA: Make DSA_bits() and DSA_size() check that there are key parameters (PR openssl/openssl#13611)
  - providers/common/der/build.info: Improve checks of disabled algos (PR openssl/openssl#13626)
  - DOCS: Improve documentation of the EVP_PKEY type (PR openssl/openssl#13629)
  - Deprecate DSA harder (cont. from #13187) (PR openssl/openssl#13638)
  - PROV: Add MSBLOB and PVK encoders (PR openssl/openssl#13645)
  - PEM: Unlock MSBLOB and PVK functions from 'no-dsa' and 'no-rc4' (PR openssl/openssl#13648)
  - [URGENT] Fix sanitizer build (PR openssl/openssl#13661)
  - Building: Fix the library file names for MSVC builds to include multilib (PR openssl/openssl#13670)
  - Drop OPENSSL_NO_RSA everywhere (PR openssl/openssl#13700)
  - GitHub CI: Add 'check-update' and 'check-docs' (PR openssl/openssl#13701)
  - TEST: Fix test/endecode_test.c for 'no-legacy' (PR openssl/openssl#13705)
  - Fix 'no-deprecated' (PR openssl/openssl#13706)

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org Fri May 7 07:23:24 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:23:24 +0200
Subject: Late Monthly Status Report (January 2021)
Message-ID: <8735uzvwgj.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal
system administration tasks, small fixes, etc., key activities this month:

* Development:
  - [not_yet_closed] Add support for PKCS#8 v2 (RFC 5958 - Asymmetric Key Packages) (Issue openssl/openssl#10468)
  - Use centralized fetching errors (PR openssl/openssl#13467)
  - Deprecate EVP_PKEY_new_CMAC_key_ex() and EVP_PKEY_new_CMAC_key() ? (Issue openssl/openssl#13628)
  - Configure: Check all SOURCE declarations, to ensure consistency (PR openssl/openssl#13824)
  - Make the OSSL_trace manual conform with man-pages(7) (PR openssl/openssl#13842)
  - Make header references conform with man-pages(7) in all manuals (PR openssl/openssl#13843)
  - Make the OSSL_PROVIDER manual conform with man-pages(7) (PR openssl/openssl#13845)
  - Make the OSSL_CMP manual conform with man-pages(7) (PR openssl/openssl#13846)
  - Make the OSSL_HTTP manual conform with man-pages(7) (PR openssl/openssl#13847)
  - Make the OSSL_PARAM manual conform with man-pages(7) (PR openssl/openssl#13848)
  - Make the OSSL_SELF_TEST manual conform with man-pages(7) (PR openssl/openssl#13849)
  - A couple of small no-deprecated fixes (PR openssl/openssl#13866)
  - REVIEWED: Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity (PR openssl/openssl#13870 by t8m)
  - Unix Makefile generator: separate "simple" shared libraries from import libraries (PR openssl/openssl#13875)
  - DOCS: Fix the last few remaining pass phrase options references (PR openssl/openssl#13885)
  - DOCS: Fix incorrect pass phrase options references [1.1.1] (PR openssl/openssl#13886)
  - Unix Makefile generator: Fix empty basename calls (PR openssl/openssl#13935)
  - Drop Travis [master] (PR openssl/openssl#13940)
  - Drop Travis [1.1.1] (PR openssl/openssl#13941)
  - Clean away unnecessary length related OSSL_PARAM key names (PR openssl/openssl#13946)
  - DOC: Fix a few minor issues in OSSL_ENCODER / OSSL_DECODER docs (PR openssl/openssl#13954)
  - Fix OSSL_PARAM_allocate_from_text() for EBCDIC (PR openssl/openssl#13961)
  - APPS: Restore inclusions (PR
    openssl/openssl#13989)
  - Update NEWS.md before alpha11 release (PR openssl/openssl#13996)
  - Update copyright year for files changed since last alpha release (PR openssl/openssl#13999)
  - Release OpenSSL 3.0.0-alpha11 (PR openssl/openssl#14000)

* Web:
  - Upgrade our use of jQuery to 3.5.1 (PR openssl/web#213)
  - DISCUSSED: use local copy of jquery-min (Issue openssl/web#215 by richsalz)
  - Add newsflash about the release of OpenSSL 3.0 alpha11 (PR openssl/web#216)

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org Fri May 7 07:24:02 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:24:02 +0200
Subject: Late Monthly Status Report (February 2021)
Message-ID: <871rajvwfh.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - [not_yet_closed] Lack of verbosity in verbose test display (environment variables) (Issue openssl/openssl#12024)
  - EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters() (PR openssl/openssl#13341)
  - ERR: drop function code macro generation (PR openssl/openssl#13392)
  - Remove the old DEPRECATEDIN macros (PR openssl/openssl#13461)
  - appveyor.yml: clarify conditions for building the plain configuration (PR openssl/openssl#13537)
  - VMS documentation fixes [1.1.1] (PR openssl/openssl#13834)
  - VMS documentation fixes [master] (PR openssl/openssl#13835)
  - EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs (PR openssl/openssl#13913)
  - EVP: Don't find standard EVP_PKEY_METHODs automatically (PR openssl/openssl#13973)
  - [WIP] X509: Refactor X509_PUBKEY processing to include provider side keys (PR openssl/openssl#13994)
  - PROV: Add SM2 encoders and decoders, as well as support functionality (PR openssl/openssl#14028)
  - PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID (PR
    openssl/openssl#14030)
  - Allow the sshkdf type to be passed as a single character (PR openssl/openssl#14035)
  - CORE & PROV: clean away OSSL_FUNC_mac_size() (PR openssl/openssl#14048)
  - TEST: Add an algorithm ID tester for libcrypto vs provider (PR openssl/openssl#14049)
  - Dirty count for provider native keys + cleanup (PR openssl/openssl#14056)
  - DOCS: Update the internal documentation on EVP_PKEY. (PR openssl/openssl#14059)
  - dev/release.sh: Fix typo (PR openssl/openssl#14061)
  - DOCS: Remove the "global" dependency on writing .pod files from .pod.in (PR openssl/openssl#14067)
  - configdata.pm: Better display of enabled/disabled options (PR openssl/openssl#14081)
  - Configuration: ensure that 'no-tests' works correctly (PR openssl/openssl#14082)
  - Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries (PR openssl/openssl#14152)
  - OSSL_PARAM: Correct the assumptions on the UTF8 string length (PR openssl/openssl#14168)
  - Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i() (PR openssl/openssl#14196)
  - TEST: Add missing initialization (PR openssl/openssl#14204)
  - [not_yet_closed] It would be nice to have internal libcrypto routines to query the defined algorithm properies (Issue openssl/openssl#14217)
  - DECODER: Use the data structure from the last decoder to select the next (PR openssl/openssl#14233)
  - Generate doc/build.info with 'make update' rather than on the fly (PR openssl/openssl#14269)
  - util/perl/OpenSSL/config.pm: Fix determine_compiler_settings() (PR openssl/openssl#14270)
  - X509: Refactor X509_PUBKEY processing to include provider side keys (PR openssl/openssl#14281)
  - Make i2d_PublicKey() work with provider side EC EVP_PKEYs (PR openssl/openssl#14291)
  - Makefile: Only update doc/build.info when there's an actual change (PR openssl/openssl#14309)

* Web:
  - Fix bin/mk-manpages3 to handle spurious & in the description (PR openssl/web#214)

--
Richard Levitte levitte at openssl.org
OpenSSL Project
http://www.openssl.org/~levitte/

From levitte at openssl.org Fri May 7 07:24:50 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:24:50 +0200
Subject: Late Monthly Status Report (March 2021)
Message-ID: <87zgx7uhtp.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - [not_yet_merged] Configure: add -fkeep-inline-functions to --strict-warnings (PR openssl/openssl#8955)
  - [not_yet_closed] Propagate the no_store flag + consequences for evp_pkey_export_to_provider() (Issue openssl/openssl#14164)
  - [not_yet_closed] OpenSSL 3.0 currently doesn't build on OpenVMS, adaptation needed (Issue openssl/openssl#14247)
  - EVP_RAND should be renamed to OSSL_RAND (Issue openssl/openssl#14297)
  - Provider side encoders and decoders need to stop using EVP_PKEY (Issue openssl/openssl#14306)
  - Stop using EVP_PKEY in encoders and decoders (PR openssl/openssl#14314)
  - Make 'tests' depend on a generated 'providers/fipsmodule.cnf' (PR openssl/openssl#14320)
  - Fix threading issues in crypto/provider_core.c (PR openssl/openssl#14354)
  - test/threadstest.c: Add a test to load providers concurrently (PR openssl/openssl#14372)
  - DOCS: Fix provider-mac.pod and the docs of our implementations (PR openssl/openssl#14380)
  - DOCS: Document OSSL_STORE_INFO_PUBKEY in doc/man3/OSSL_STORE_INFO.pod (PR openssl/openssl#14415)
  - Undo passing of params to provider side init/derive/instantiate (PR openssl/openssl#14435)
  - [not_yet_closed] Introduce EVP level fetchable sigalg functionality (Issue openssl/openssl#14467)
  - PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl() (PR openssl/openssl#14484)
  - TEST: Cleanup test recipes (PR openssl/openssl#14505)
  - [not_yet_closed] Introduce EVP level fetchable PRF functionality (Issue openssl/openssl#14543)
  - Configure: check all DEPEND values against GENERATE, not just .h files (PR
    openssl/openssl#14598)
  - Fix a missing rand -> ossl_rand rename (PR openssl/openssl#14609)
  - ASN1: Reset the content dump flag after dumping (PR openssl/openssl#14627)
  - RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value (PR openssl/openssl#14676)
  - [not_yet_closed] test/pkits-test.pl not suitable for current OpenSSL (Issue openssl/openssl#14709)
  - Unix build file template: symlink "simple" to "full" shlib selectively (PR openssl/openssl#14726)
  - Re-implement ANSI C building with a Github workflow (PR openssl/openssl#14729)

* Web:
  - REVIEWED: Update newsflash for the 3.0 alpha13 release (PR openssl/web#223 by mattcaswell)
  - Complete the transition changelog.txt -> changelog.md (PR openssl/web#224)

* Other:
  - Started over with buildbot master development / configuration / setup

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From levitte at openssl.org Fri May 7 07:25:31 2021
From: levitte at openssl.org (Richard Levitte)
Date: Fri, 07 May 2021 09:25:31 +0200
Subject: Monthly Status Report (April 2021)
Message-ID: <87y2cruhsk.wl-levitte@openssl.org>

Apart from normal business, such as normal reviews, OMC business, normal system administration tasks, small fixes, etc., key activities this month:

* Development:
  - Key generation in OpenSSL 3.0-dev is inflexible compared to OpenSSL 1.1.1 (Issue openssl/openssl#14054)
  - [master] 'openssl enc' can't access ciphers that libcrypto doesn't know about (Issue openssl/openssl#14178)
  - [master] 'openssl dgst' can't access digests that libcrypto doesn't know about (Issue openssl/openssl#14179)
  - [not_yet_closed] [master] Allow the 'openssl enc' command to set a key length (Issue openssl/openssl#14180)
  - Resolve PKCS#7/CMS related backend hack (Issue openssl/openssl#14276)
  - Add OIDs among algorithm names + don't go via NIDs when fetching an algorithm from a ASN1_OBJECT (Issue openssl/openssl#14278)
  - Decoder implementations must be able to signal "please carry
    on" even if they can't decode the input (Issue openssl/openssl#14423)
  - Add OIDs among algorithm names + don't go via NIDs when fetching an algorithm from a ASN1_OBJECT (PR openssl/openssl#14498)
  - Add a description field to OSSL_ALGORITHM and use that as "long name" for provider implemented algos (Issue openssl/openssl#14514)
  - [not_yet_closed] Should we change the suffix of the resulting file name for modules on MacOS X, in 3.0? (Issue openssl/openssl#14602)
  - Add OSSL_ALGORITHM description field + API to use them (PR openssl/openssl#14656)
  - [not_yet_closed] Add more error recording in provider code (Issue openssl/openssl#14745)
  - Github workflows: re-implement a no-shared build (PR openssl/openssl#14753)
  - Refactor CPUID code, take 2 (PR openssl/openssl#14755)
  - test/recipes/02-test_errstr.t: Do not test negative system error codes (PR openssl/openssl#14779)
  - ENCODER & DECODER: Allow decoder implementations to specify "carry on" (PR openssl/openssl#14834)
  - ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse (PR openssl/openssl#14938)
  - Makefile in master removes possible current release tarball (Issue openssl/openssl#14981)
  - Don't remove $(TARFILE) when cleaning (PR openssl/openssl#14985)
  - Windows building: Make dependency generation not quite as talkative (PR openssl/openssl#15006)
  - crypto/store/ossl_result.c: Better filtering of errors (PR openssl/openssl#15008)
  - STORE: Fix the repeated prompting of passphrase (PR openssl/openssl#15064)
  - STORE: Use the 'expect' param to limit the amount of decoders used (PR openssl/openssl#15066)
  - [not_yet_closed] Unix: link with libraries by direct file name (Issue openssl/openssl#15083)

* Web:
  - bin/mk-latest: Make the adaptation for the OpenSSL 3.0 version scheme work (PR openssl/web#232)
  - Makefile: Add FUTURESERIES, for series that have no final release yet (PR openssl/web#233)
  - Reorder the old source directory list in source/old/ (PR openssl/web#236)

* Internal:
  - release-tools: Separate
    do-release.pl docs from mkrelease.pl docs (dir internal/tools) [9d9c86fe443afcb8a13a8ae40b91674a6afefcd3]

* Sysadm:
  - Add new instruction on how to extend GHE storage space (dir admin/admin) [4d95719e6fef8bc50f20ad7dc0dfad89e0e9eb0d]

--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/

From openssl at openssl.org Thu May 20 13:53:22 2021
From: openssl at openssl.org (OpenSSL)
Date: Thu, 20 May 2021 13:53:22 +0000
Subject: OpenSSL version 3.0.0-alpha17 published
Message-ID: <20210520135322.GA26288@openssl.org>

OpenSSL version 3.0 alpha 17 released
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/

OpenSSL 3.0 is currently in alpha.

OpenSSL 3.0 alpha 17 has now been made available.

Note: This OpenSSL pre-release has been provided for testing ONLY.
It should NOT be used for security critical purposes.

Specific notes on upgrading to OpenSSL 3.0 from previous versions are
available in the OpenSSL Migration Guide, here:

    https://www.openssl.org/docs/manmaster/man7/migration_guide.html

The alpha release is available for download via HTTPS and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

  * https://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-3.0.0-alpha17.tar.gz
    Size: 14551193
    SHA1 checksum: c026f0451988a4d3799b0ac8cc6aae45d05eddc5
    SHA256 checksum: fcf7f7d732209904a8f994d6af5df10b1ca5df7bd18618e40805a2e32aa44f47

The checksums were calculated using the following commands:

    openssl sha1 openssl-3.0.0-alpha17.tar.gz
    openssl sha256 openssl-3.0.0-alpha17.tar.gz

Please download and check this alpha release as soon as possible.
To report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

Please check the release notes and mailing lists to avoid duplicate
reports of known issues. (Of course, the source is also available
on GitHub.)

Yours,

The OpenSSL Project Team.

From tomas at openssl.org Fri May 21 06:56:58 2021
From: tomas at openssl.org (Tomas Mraz)
Date: Fri, 21 May 2021 08:56:58 +0200
Subject: OTC VOTE: Set PR 13817 milestone to Post 3.0
In-Reply-To:
References: <6c96e71b0ceb9a60701e63b940cb4271dfff0dea.camel@openssl.org>
Message-ID: <03e3efe5b334c7f71506c4bee4200489121a3086.camel@openssl.org>

This vote is now closed.

accepted: yes (for: 2, against: 0, abstained: 7, not voted: 2)

On Thu, 2021-04-22 at 23:28 +0200, Kurt Roeckx wrote:
> On Tue, Apr 20, 2021 at 12:17:17PM +0200, Tomas Mraz wrote:
> > topic: Set PR 13817 milestone to Post 3.0
>
> 0
>
>
> Kurt
>

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]