From pauli at openssl.org Wed Sep 1 04:51:44 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Wed, 1 Sep 2021 14:51:44 +1000 Subject: Monthly Status: August Message-ID: <366c1f4d-9afd-9e50-351d-a24c03f36671@openssl.org> Significant activities throughout August were: * Fixing TLS 1.3 KDF for FIPS validation * Fix bugs in dgst command * Investigation of threading issues (several different ones) * Investigation of 3DES wrap cipher in 1.1.1 and master * Fix problems with AES wrap * Add additional CI test loops (run checker, compiler zoo) * Chase down failures in CIs * Documentation for the 3.0 release (multiple items) * Various future planning investigations In addition were minor pull requests, reviewing, OMC and OTC business, et al. Pauli -------------- next part -------------- An HTML attachment was scrubbed... URL: From tomas at openssl.org Wed Sep 1 12:37:18 2021 From: tomas at openssl.org (Tomas Mraz) Date: Wed, 01 Sep 2021 14:37:18 +0200 Subject: Monthly Status Report (August 2021) Message-ID: <13f84082a1e28e0b56f9e464a0f0e3084c289203.camel@openssl.org> My key activities this month were: - triage of newly reported issues and responding to questions - participation on the meetings - sysadmin: fixing disabled CLA check on GitHub PRs - moved the script from discontinued license.openssl.org to status.openssl.org - continued studying the Buildbot documentation - reviews of various PRs: ? - I've reviewed about 50 PRs this month ? - Notable PRs reviewed: ??? - Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macroes #16355 and #12457 - Add a specialised TLS 1.3 KDF implementation #16203 - Fix s390x AES OFB/CFB cipher implementation on updating IV #16291 and #16292 - aes-wrap: improve error handling #16391 - Fix leak if config run multiple times #16425 - Ensure that we check the ASN.1 type of an "otherName" before using it #16443 - Rationalize provider locking #16469 - submitted 20 PRs: ? - In particular: - Windows, VMS: Do install_fips on install if fips is enabled #16208 - Prevent recursive call of OPENSSL_INIT_LOAD_CONFIG #16210 - Multiple fixes for getting pub key from legacy DH PKEY #16253 - rsa: Try legacy encoding functions for pubkey #16289 - EVP_DigestSign/VerifyFinal: Duplicate the pctx to allow multiple calls #16422 - Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests #16433 and #16441 I had also 1 full week time off. -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. ??????????????????????????????????????????????Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From tomas at openssl.org Mon Sep 6 08:46:19 2021 From: tomas at openssl.org (Tomas Mraz) Date: Mon, 06 Sep 2021 10:46:19 +0200 Subject: Freeze Message-ID: I've frozen the repository for the final OpenSSL 3.0 release on Tuesday. Regards, -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. ??????????????????????????????????????????????Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From pauli at openssl.org Mon Sep 6 09:24:45 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Mon, 6 Sep 2021 19:24:45 +1000 Subject: OMC vote: PR #16498 Message-ID: topic: Accept PR 16498 in 3.0 subject to our normal review process. Proposed by Pauli. Public: yes opened: 2021-08-03 closed: 2021-08-06 ONE WEEK VOTE ? Matt?????? [+1] ? Mark?????? [ 0] ? Pauli????? [+1] ? Tim??????? [+1] ? Richard??? [+1] ? Kurt?????? [? ] Vote passed From matt at openssl.org Mon Sep 6 14:02:51 2021 From: matt at openssl.org (Matt Caswell) Date: Mon, 6 Sep 2021 15:02:51 +0100 Subject: Monthly Status Report (August) Message-ID: As well as normal reviews, responding to user queries, wiki user requests, OMC business, support customer issues, CLA submissions, handling security reports, etc., key activities this month: - Implemented the (extended) patch CVE-2021-3712 as well as significant analysis time spent on this issue - Analysed and developed the patch for CVE-2021-3711 - Co-ordinated and performed the security release for OpenSSL 1.1.1l and OpenSSL 1.0.2za - Investigated, created reproducer for, and subsequently developed the fix for an issue where leaks occurred due to loading the config file into the same libctx twice - Investigated with Tomas problems with the clacheck script following the removal of the "license"host - Significant investigation work for OMC related tasks - Updates to the release instructions following problems with the last release - Helped investigate a solaris linking issue - Fixed a bug where we need to check the asn.1 type of an "otherName" before we attempt to read it - Refactored and rationalized provider locking to deal with "lock inversion" errors being reported from thread sanitizer Matt From openssl at openssl.org Tue Sep 7 12:04:20 2021 From: openssl at openssl.org (OpenSSL) Date: Tue, 7 Sep 2021 12:04:20 +0000 Subject: OpenSSL version 3.0.0 published Message-ID: <20210907120420.GA3531@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 OpenSSL version 3.0.0 released ============================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 3.0.0 of our open source toolkit for SSL/TLS. For details of the changes, see the release notes at: https://www.openssl.org/news/openssl-3.0-notes.html Specific notes on upgrading to OpenSSL 3.0 from previous versions are available in the OpenSSL Migration Guide, here: https://www.openssl.org/docs/man3.0/man7/migration_guide.html OpenSSL 3.0.0 is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0.tar.gz Size: 14978663 SHA1 checksum: 3be896f1b33bc01af874ccca701a6f700af9de20 SHA256 checksum: 59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0.tar.gz openssl sha256 openssl-3.0.0.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEeVOsH7w9yLOykjk+1enkP3357owFAmE3US4ACgkQ1enkP335 7owe+w/9FdP6I9XEuuo5O6ZOhYyzTuS8v9DGuzIzBEsBWpsA+gfOxF5Bx4WlnGAt kB+2qfNfOgt00OrSUHntgn1+ubFvN+xteaslYsF3fN9FCPX2iQzXMPVM47UqYpA5 tCm0XrJo+PAZB4mEnOH6QBXZWPTE7E84HGUNyS8LfYeEbbLKEcc/xQBPpRovL3fA 6TnMrAvypIwEqgljyNzuMq7iD5WDA0Y26JwjCCtk0vNOVkDQDooGQHMY180BLfQT Rk65hEt3/UkpLVCwCknrZsMWixXzTgcFb+403EPXMisyyQLEgxevrsGpQgINxraD 1JyRNnwJpIJuxl+j1oYjpdCbNQrQr7QKAj8pL5OGNVxXvyuZe9YyLrKmHvh09Q6M nxbJFQmCyrZQvxCya+YR2VU9KxkYiXbiX2pHl06qN8n3MOhtVaxJPKM6WUwJLlo9 qD9JmLtW4gXCH4qHcqnb8jS0Zoxja1bzWwgvQx1A9XI4s2drhRvXkQmt+lxEUdcM MiT3LrBgjfKgNa7XWmTOZxyLa74WyETVcjvI3ovJxiS4RAB7s7ssDVa8tnTUeeZG gtXSTv49+l0j+DQcz8nxQeILimOusHzE5JO3JvGQKPbSQbdUQbNrsbTEvz5mIMu9 k/VuvJd1ezjYySp9pnZ3UTxrB1RozJ97iupq8MSzwElkSfUigrg= =R5PX -----END PGP SIGNATURE----- From tomas at openssl.org Tue Sep 14 07:07:59 2021 From: tomas at openssl.org (Tomas Mraz) Date: Tue, 14 Sep 2021 09:07:59 +0200 Subject: Blog post about Let's Encrypt root certificate expiration and OpenSSL 1.0.2 Message-ID: <85fcaa4a7ab407cbe8d0ca3ac31642b59d5ea889.camel@openssl.org> I've written a blog post to explain the situation with the old Let's Encrypt root certificate expiration which will happen on 2021-09-30 and the behavior of OpenSSL 1.0.2 with that root certificate. Please read, if interested: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ Regards, -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. ??????????????????????????????????????????????Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From matt at openssl.org Tue Sep 14 10:13:13 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Sep 2021 11:13:13 +0100 Subject: OTC VOTE: Restart merging of non-breaking small features Message-ID: topic: Allow the restart of merging of non-breaking small features to the master branch Proposed by Matt Caswell Public: yes opened: 2021-09-14 closed: 2021-09-14 accepted: yes (for: 5, against: 1, abstained: 1, not voted: 2) Dmitry [+1] Matt [+1] Pauli [ ] Tim [-1] Richard [+1] Shane [ 0] Tomas [+1] Kurt [ ] Matthias [+1] Nicola [+1] From pauli at openssl.org Tue Sep 14 10:23:16 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Tue, 14 Sep 2021 20:23:16 +1000 Subject: OTC VOTE: Restart merging of non-breaking small features In-Reply-To: References: Message-ID: <9b009d55-723a-fc95-a078-9838eca3646f@openssl.org> +1 Pauli On 14/9/21 8:13 pm, Matt Caswell wrote: > topic: Allow the restart of merging of non-breaking small features to > the master > ?????? branch > Proposed by Matt Caswell > Public: yes > opened: 2021-09-14 > closed: 2021-09-14 > accepted:? yes? (for: 5, against: 1, abstained: 1, not voted: 2) > > ? Dmitry???? [+1] > ? Matt?????? [+1] > ? Pauli????? [? ] > ? Tim??????? [-1] > ? Richard??? [+1] > ? Shane????? [ 0] > ? Tomas????? [+1] > ? Kurt?????? [? ] > ? Matthias?? [+1] > ? Nicola???? [+1] > From tomas at openssl.org Wed Sep 15 07:01:35 2021 From: tomas at openssl.org (Tomas Mraz) Date: Wed, 15 Sep 2021 09:01:35 +0200 Subject: Milestones to choose from when OTC starts review of Post 3.0.0 Message-ID: <978ae0152ea2402c7348f6630ea1cc73d55d16a8.camel@openssl.org> I've added a few new milestones to choose from during triage when OTC starts reviewing Post 3.0.0 items in GitHub. 3.0.1 milestone is a milestone for consideration and affirmation if something is a blocker for the 3.0.1 release. (An issue/PR is a blocker if 'triaged: OTC evaluated' label is applied.) 3.1.0 milestone is a milestone for consideration and affirmation if something is a blocker for the 3.1.0 release. Post 3.1.0 milestone is a milestone for items which we do not want in 3.1.0 but they are not breaking API/ABI so they do not need to be postponed to the 4.0 release. -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. ??????????????????????????????????????????????Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From kurt at roeckx.be Wed Sep 15 11:15:08 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Wed, 15 Sep 2021 13:15:08 +0200 Subject: OTC VOTE: Restart merging of non-breaking small features In-Reply-To: References: Message-ID: On Tue, Sep 14, 2021 at 11:13:13AM +0100, Matt Caswell wrote: > topic: Allow the restart of merging of non-breaking small features to the > master > branch +1 Kurt From pauli at openssl.org Tue Sep 21 09:14:51 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Tue, 21 Sep 2021 19:14:51 +1000 Subject: OTC vote: include Keccak digests in OpenSSL Message-ID: Accept PR#16594 into master subject to the normal review process This doesn't meet the "is a standard" requirement but it is in use and we have the implementation.? It just isn't exposed. ? Dmitry???? [+1] ? Matt?????? [ 0] ? Pauli????? [+1] ? Tim??????? [+0] ? Richard??? [+1] ? Shane????? [+1] ? Tomas????? [+1] ? Kurt?????? [? ] ? Matthias?? [? ] ? Nicola???? [+0] The vote passed. From matt at openssl.org Tue Sep 21 10:08:40 2021 From: matt at openssl.org (Matt Caswell) Date: Tue, 21 Sep 2021 11:08:40 +0100 Subject: OTC VOTE: Increase the default security level from 1 to 2 Message-ID: <53cb2e02-32e4-def8-e711-d3f3313eb7a9@openssl.org> topic: Increase the default security level from 1 to 2 in master Proposed by Matt Caswell Public: yes opened: 2021-09-21 closed: 2021-09-21 accepted: yes (for: 7, against: 1, abstained: 1, not voted: 1) Dmitry [+1] Matt [+1] Pauli [+1] Tim [+0] Richard [+1] Shane [-1] Tomas [+1] Kurt [ ] Matthias [+1] Nicola [+1] From kurt at roeckx.be Tue Sep 21 16:32:39 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Tue, 21 Sep 2021 18:32:39 +0200 Subject: OTC vote: include Keccak digests in OpenSSL In-Reply-To: References: Message-ID: On Tue, Sep 21, 2021 at 07:14:51PM +1000, Dr Paul Dale wrote: > Accept PR#16594 into master subject to the normal review process > > > > This doesn't meet the "is a standard" requirement but it is in use and we > have the implementation.? It just isn't exposed. Can you describe where it is in use? Kurt From kurt at roeckx.be Tue Sep 21 16:32:54 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Tue, 21 Sep 2021 18:32:54 +0200 Subject: OTC VOTE: Increase the default security level from 1 to 2 In-Reply-To: <53cb2e02-32e4-def8-e711-d3f3313eb7a9@openssl.org> References: <53cb2e02-32e4-def8-e711-d3f3313eb7a9@openssl.org> Message-ID: On Tue, Sep 21, 2021 at 11:08:40AM +0100, Matt Caswell wrote: > topic: Increase the default security level from 1 to 2 in master +1 Kurt From tomas at openssl.org Tue Sep 21 16:37:42 2021 From: tomas at openssl.org (Tomas Mraz) Date: Tue, 21 Sep 2021 18:37:42 +0200 Subject: OTC vote: include Keccak digests in OpenSSL In-Reply-To: References: Message-ID: On Tue, 2021-09-21 at 18:32 +0200, Kurt Roeckx wrote: > On Tue, Sep 21, 2021 at 07:14:51PM +1000, Dr Paul Dale wrote: > > Accept PR#16594 into master subject to the normal review process > > > > > > > > This doesn't meet the "is a standard" requirement but it is in use > > and we > > have the implementation.? It just isn't exposed. > > Can you describe where it is in use? > Citation from the issue #13033 linked from the PR: "Ethereum and after it many cryptographic applications use the original pre-NIST variant of SHA3-256, these days named keccak256, where the delimiter byte is 0x1 rather than 0x6." -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. ??????????????????????????????????????????????Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From kurt at roeckx.be Tue Sep 21 16:41:38 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Tue, 21 Sep 2021 18:41:38 +0200 Subject: OTC vote: include Keccak digests in OpenSSL In-Reply-To: References: Message-ID: On Tue, Sep 21, 2021 at 06:37:42PM +0200, Tomas Mraz wrote: > On Tue, 2021-09-21 at 18:32 +0200, Kurt Roeckx wrote: > > On Tue, Sep 21, 2021 at 07:14:51PM +1000, Dr Paul Dale wrote: > > > Accept PR#16594 into master subject to the normal review process > > > > > > > > > > > > This doesn't meet the "is a standard" requirement but it is in use > > > and we > > > have the implementation.? It just isn't exposed. > > > > Can you describe where it is in use? > > > > Citation from the issue #13033 linked from the PR: > > "Ethereum and after it many cryptographic applications use the original > pre-NIST variant of SHA3-256, these days named keccak256, where the > delimiter byte is 0x1 rather than 0x6." +1 Kurt From Matthias.St.Pierre at ncp-e.com Tue Sep 21 17:34:35 2021 From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre) Date: Tue, 21 Sep 2021 17:34:35 +0000 Subject: OTC vote: include Keccak digests in OpenSSL In-Reply-To: References: Message-ID: +1 Note: please use the vote topic (as stated in votes.txt) as the mail subject line to avoid confusion for late voters > -----Original Message----- > From: openssl-project On Behalf Of Dr Paul Dale > Sent: Tuesday, September 21, 2021 11:15 AM > To: openssl-project at openssl.org > Subject: OTC vote: include Keccak digests in OpenSSL > > Accept PR#16594 into master subject to the normal review process > > > > This doesn't meet the "is a standard" requirement but it is in use and > we have the implementation.? It just isn't exposed. > > ? Dmitry???? [+1] > ? Matt?????? [ 0] > ? Pauli????? [+1] > ? Tim??????? [+0] > ? Richard??? [+1] > ? Shane????? [+1] > ? Tomas????? [+1] > ? Kurt?????? [? ] > ? Matthias?? [? ] > ? Nicola???? [+0] > > > The vote passed. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 7494 bytes Desc: not available URL: From matt at openssl.org Thu Sep 23 19:31:31 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 23 Sep 2021 20:31:31 +0100 Subject: Blog post about FIPS submission Message-ID: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> FYI, please see my blog post about the OpenSSL 3 FIPS submission here: https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/ Matt From beldmit at gmail.com Thu Sep 23 19:42:01 2021 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Thu, 23 Sep 2021 21:42:01 +0200 Subject: Blog post about FIPS submission In-Reply-To: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> References: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> Message-ID: Hello Matt, The link https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-processmodules-in-process-list (You can see the official listing for the submission *here*) seems to be not working On Thu, Sep 23, 2021 at 9:31 PM Matt Caswell wrote: > FYI, please see my blog post about the OpenSSL 3 FIPS submission here: > > https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/ > > Matt > > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From kurt at roeckx.be Thu Sep 23 20:51:57 2021 From: kurt at roeckx.be (Kurt Roeckx) Date: Thu, 23 Sep 2021 22:51:57 +0200 Subject: Blog post about FIPS submission In-Reply-To: References: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> Message-ID: On Thu, Sep 23, 2021 at 09:42:01PM +0200, Dmitry Belyavsky wrote: > Hello Matt, > > The link > https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-processmodules-in-process-list > (You can see the official listing for the submission *here*) seems to be > not working It seems to be: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list (A missing /, the URL is also case insensitive.) Kurt From matt at openssl.org Thu Sep 23 22:18:53 2021 From: matt at openssl.org (Matt Caswell) Date: Thu, 23 Sep 2021 23:18:53 +0100 Subject: Blog post about FIPS submission In-Reply-To: References: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> Message-ID: <667e221f-7aa7-8f86-c7ff-b7fd10605e1b@openssl.org> On 23/09/2021 21:51, Kurt Roeckx wrote: > On Thu, Sep 23, 2021 at 09:42:01PM +0200, Dmitry Belyavsky wrote: >> Hello Matt, >> >> The link >> https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-processmodules-in-process-list >> (You can see the official listing for the submission *here*) seems to be >> not working > It seems to be: > https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list > > (A missing /, the URL is also case insensitive.) Fixed. Matt From rsbecker at nexbridge.com Thu Sep 23 19:53:50 2021 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Thu, 23 Sep 2021 15:53:50 -0400 Subject: Blog post about FIPS submission In-Reply-To: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> References: <182bba4e-032b-3e43-85c0-bbb5ec765a6a@openssl.org> Message-ID: <038301d7b0b4$be44f0f0$3aced2d0$@nexbridge.com> On September 23, 2021 3:32 PM, Matt Caswell wrote: >FYI, please see my blog post about the OpenSSL 3 FIPS submission here: > >https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/ FYI: We have successfully tested OpenSSL 3 FIPS on the HPE NonStop TNS/X platform (RVU L20.10 - which is the OS version) and do so on an ongoing basis. Regards, Randall From tomas at openssl.org Tue Sep 28 07:03:15 2021 From: tomas at openssl.org (Tomas Mraz) Date: Tue, 28 Sep 2021 09:03:15 +0200 Subject: Meeting link for today's OTC meeting Message-ID: <5ae5c34a0ec16c8e123e95ab237ab6ed0008143e.camel@openssl.org> Hi all, as Matt will not be available today for the OTC meeting we will use the following link for the OTC meeting: https://meet.google.com/oah-kxuu-mct I am sorry for the late notice. Regards, Tom?? From pauli at openssl.org Thu Sep 30 22:47:22 2021 From: pauli at openssl.org (Dr Paul Dale) Date: Fri, 1 Oct 2021 08:47:22 +1000 Subject: Monthly Status: September Message-ID: <807a5872-76f8-ba26-f7e7-8099791c9f41@openssl.org> Significant activities throughout August were: * Lots of research into possible futures for the project o Reading RFCs, guides, source code o Discussions and meetings * Infrastructure planning * Various odd tasks relating to the 3.0 branch * Update several post 3.0 pull requests and get them through the review/merge o PVK KDF o Making OBJ thread safe o ... * Investigation of RAND double free issue and do half of the fix * CCM8 ciphers security strength change * Adding operating system zoo to GitHub Action CIs * Start investigating how to have a "must be finished before" option in github * Providing input to and drafting job descriptions In addition were minor pull requests, reviewing, OMC and OTC business, et al. Pauli -------------- next part -------------- An HTML attachment was scrubbed... URL: