Monthly Status Report (November)

2019-12-09 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Updated EVP_get_digestbyname() and EVP_get_cipherbyname() to know
about the new namemap and use it where appropriate
- Wrote and published blog with updates for 3.0
- Significant effort has been spent in conjunction with Richard Levitte
reviewing old issues and triaging them. This is expected to be ongoing
for some time.
- Continued work from the previous month to get the asymmetric cipher
support approved and pushed
- Fixed no-dsa
- Significant ongoing review work on the CMP contribution
- Created PR to move the constant time RSA padding checks out of libssl
and into the providers.
- Fixed no-engine
- Fixed no-cmac and no-camellia
- Fixed no-blake2
- Fixed an uninitialised read in conf_def.c
- Fixed a memory leak in confdump, and added confdump to .gitignore
- Fixed a use-after-free after copying a cipher ctx
- Finished off and pushed PR to fix various algorithm naming inconsistencies
- Fixed EVP_CIPHER_CTX_set_keylen to ensure it does not succeed if a bad
keylen is passed
- Added some missing NULL pointer return checks
- Fix for handling NULL with length 0 in EVP_Encrypt* functions
- Updated and pushed PR to ensure the FIPS self tests are only run once
- Created PR to deprecate the AES_ige_* functions
- Further work on the PR to fix SSL_get_servername()


Matt


Monthly Status Report (November)

2020-12-09 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, support customer issues, handling security
reports, etc., key activities this month:

- Investigated and prepared a fix where the nginx "ssl_reject_handshake"
feature does not work in OpenSSL.
- Completed and merged the PR to remove low-level DH use from libssl
- Ongoing involvement in the regular OTC meetings (currently twice a week)
- Improved the output from conf_diagnostics (some issues were being
incorrectly suppressed from the error output)
- Performed the alpha8 and alpha9 releases for OpenSSL 3.0
- Fixed the reading of DSA parameters files in the dsaparam app
- Corrected system guessing for solaris64-x86_64-* targets
- Fixed issues with the error "mark" system to enable multiple nested marks
- Continued work on and merged the PR to change the default key
generation type for DH/DSA
- Cleaned up some functions in the apps to remove redundant error messages
- Provided initial fix for clang10 issues (later superseded by a fix by
Pauli)
- Created a fix for RC4 based ciphersuites
- Investigated and created an initial patch for the EDIPARTYNAME
security issue
- Investigated and fixed an issue where OSSL_STORE was forgetting the
data type that we read from the PEM header when decoding the DER
- Completed and merged the PR to ensure that the dhparam app no longer
needs to use low level APIs
- Investigated and fixed a fuzzing error in the Thawte Strong Extranet
X509 extension
- Removed deprecation warning suppression from genpkey
- Fixed an error in missingcrypto111.txt related to ERR_load_KDF_strings
- Moved some libssl global variables into SSL_CTX
- Undeprecated the -dsaparam option in the dhparam app. The original
motivation for this deprecation no longer applies
- Implemented a Github CI solution as a replacement for Travis
- Fixed no-rc2
- Fixed no-posix-io
- Fixed no-err
- Fixed no-engine
- Completed and merged the PR to fully deprecate the DH low level APIs
- Fixed the run-checker ubsan build
- Fixed builds combining no-dh and no-ed


Matt


Monthly Status Report (November)

2021-12-03 Thread Matt Caswell
As well as normal reviews, attending regular OMC and OTC meetings, 
attending daily stand up meetings, responding to user queries, wiki user 
requests, OMC business, sys-admin, support customer issues, CLA 
submissions, handling security reports, etc., key activities this month:


- Investigated an issue where using a short ECX key resulted in an assertion
failure. Created PR #17041 to fix this.
- Investigated a segfault on program exit (#17040) which was caused by having
multiple versions of OpenSSL linked at the same time
- Wrote and subsequently merged the OTC design policy
- Investigated and found a solution for a user with connectivity issues
(#17039)
- Wrote a proposed policy for accepting assembler optimisations
- Fixed an SSL_get_error() problem when used in async mode
- Fixed some errors in the EVP_PKEY_fromdata doc examples
- Investigated a problem with encoding of EC Public keys
- Investigated and fixed numerous threading issues
- Clarified the PEM docs to explain how to use libctx/propq with them
- Fixed an issue with incorrect detection of short ECX keys
- Clarified the EVP_CTRL_AEAD_SET_TAG documentation
- Investigated and fixed a symbol_presence test failure on windows
- Attended numerous design meetings
- Investigated a report of custom RSA_METHOD code not working as expected
- Investigated performance issues
- Created PR to not remove the doc/html directories when cleaning
- Attended a meeting with other open source groups regarding post quantum
- Various work transitioning our internal git repositories to Github
Enterprise


Matt


Monthly Status Report (November 2021)

2021-12-03 Thread Tomas Mraz
My key activities this month were:

- triage of newly reported issues and responding to questions
- participation in the OTC meetings
- participation in the QUIC design meetings
- created proposal for API changes allowed in minor releases
- finally succeeded in ordering the HPE Proliant server via the
SpaceNET

- reviews of various PRs:
  - I've reviewed about 65 PRs this month
  - Notable PRs reviewed:
    - BIO_s_connect(): Enable BIO_gets() #16030
    - X509: Fix handling of AKID and SKID extensions according to
      configuration #16342
    - Add integer overflow helper functions #16930
    - Fix some threading issues #16980
    - Support different R_BITS lengths for KBKDF #17063
    - Avoid loading of a dynamic engine twice #17073

- submitted 7 PRs:
  - In particular:
    - do_sigver_init: Allow reinitialization of an existing operation.
      #16964
    - Add null digest implementation to the default provider #17016
    - d2i_PublicKey: Make it work with EC parameters in a provided key
      #17065

There was a 1-day national holiday and I was also somewhat slowed down by
getting the COVID19 disease. Fortunately it was quite light but it
impacted my work anyway.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




[openssl-project] Monthly Status Report (November)

2018-12-06 Thread Matt Caswell
As well as normal reviews, responding to user queries, wiki user
requests, OMC business, handling security reports, etc., key activities
this month:

- Significant review work on the Kernel TLS Socket API PR (5253)
- Significant work on the FIPS Strategy and Design documents
- Significant review work on the SRP docs PR (7522)
- Managed and performed the release of 1.1.1a/1.1.0j/1.0.2q
- Added a missing SSLfatal call that could result in an assertion failure
- Worked on PR 7442 (Don't negotiated TLSv1.3 if our EC cert isn't TLSv1.3 
capable)
- Worked on PR 7503 (Separate ca_names handling for client and server)
- Produced and published advisory for CVE-2018-5407
- Fixed no-ec and no-tls1_2
- Fixed uninit read in siphash_internal_test
- Created PR to add option to avoid atexit, and to avoid pinning of the
libraries in memory (7647)
- Fixed a failure in errtest affecting a number of platforms
- Reviewed the BN_div constant time change (7589)
- Investigated and advised on fix for 7660 (tls_construct_server_key_exchange
internal error)
- Investigated and created fix for Ed25519 signature malleability issue (PR 7697)
- Attended the OpenSSL OMC face-2-face in Edinburgh
- Attended the OpenSSL FIPS meeting in Edinburgh

Matt
___
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project


Late Monthly Status Report (November 2019)

2019-12-28 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, small fixes, etc., key activities
this month:

* Meetings, workshops, etc

  - Worked through a significant amount of older issues together with
Matt Caswell, primarily to triage them, but in some cases to also
review them.  We will continue with the seriously aged issues in
2020.

* Development

  - BIO_s_connect: add an error state and use it
(PR openssl/openssl#7630)
  - Configure: Make --strict-warnings meaningful with MSVC cl
(PR openssl/openssl#10287)
  - VMS: Added new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
(PR openssl/openssl#8926)
  - Fix OSSL_PARAM_set_BN() to fill the given buffer correctly.
(PR openssl/openssl#10326)
  - Make EVP_PKEY_CTX initialization more precise
(PR openssl/openssl#10308)
  - OSSL_STORE: constify the criterion parameter a bit more
(PR openssl/openssl#8442)
  - X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI
(PR openssl/openssl#8442)
  - EVP: Make the KEYEXCH implementation leaner
(PR openssl/openssl#10305)
  - EVP: Make the SIGNATURE implementation leaner
(PR openssl/openssl#10303)
  - Rework ordinals
(PR openssl/openssl#10348)
  - Change the logic and behaviour surrounding '--api' and 'no-deprecated'
(PR openssl/openssl#10364)
  - Add EVP functionality to create domain params and keys by user data
(PR openssl/openssl#10187)
  - Refactor PEM_read_bio_{PrivateKey,Parameters,DHparams}
(PR openssl/openssl#2746)
  - Cleanup include/openssl/opensslv.h.in
(PR openssl/openssl#10218)
  - Configuration: make Solaris builds with gcc recognise GNU ld
(PR openssl/openssl#8548)
  - Final cleanup after move to leaner EVP_PKEY methods
(PR openssl/openssl#10309)
  - Reinstate the KDF error macros
(PR openssl/openssl#10368)
  - Add a .pragma directive for configuration files
(PR openssl/openssl#8882)
  - [master] SSL: Document SSL_add_{file,dir,store}_cert_subjects_to_stack()
(PR openssl/openssl#10402)
  - [1.1.1] SSL: Document SSL_add_{file,dir}_cert_subjects_to_stack()
(PR openssl/openssl#10403)
  - CORE: Add a generic callback function type
(PR openssl/openssl#10412)
  - CORE & PROV: make export of key data leaner through callback
(PR openssl/openssl#10414)
  - PEM: constify PEM_write_ routines
(PR openssl/openssl#10452)
  - Replumbing: pre-populate the EVP namemap with commonly known names
(PR openssl/openssl#8984)
  - UI_UTIL_wrap_read_pem_callback(): when |cb| is NULL, use PEM_def_callback
(PR openssl/openssl#10447)
  - doc/man7/proxy-certificates.pod: New guide for proxy certificates
(PR openssl/openssl#10507)
  - configdata.pm.in, util/dofile.pl: load 'platform' unconditionally
(PR openssl/openssl#10514)
  - Generate docs at build time instead of install time
(PR openssl/openssl#6236)
  - SERIALIZER: New API for serialization of objects through providers
(PR openssl/openssl#10394)
  - [1.1.1 only] i2b_PVK(): Use Encrypt, not Decrypt
(PR openssl/openssl#10521)
  - [not yet merged] Implement domparam and key generation
(PR openssl/openssl#10289)
  - [not yet merged] apps: Switch to using OSSL_STORE for loading
keys, certs, ...
(PR openssl/openssl#7390)
  - [unpublished] Support serializers in 'openssl provider' and
'openssl list'

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/



Late Monthly Status Report (November 2020)

2021-05-07 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, small fixes, etc., key activities
this month:

* Development:

  - [WIP] APPS: Refactoring dsaparam and dhparam
(PR openssl/openssl#12072)
  - EVP: Adapt EVP_PKEY2PKCS8() to better handle provider-native keys
(PR openssl/openssl#12995)
  - Deprecate RSA harder
(PR openssl/openssl#13096)
  - Add new provider encoders implementations for more output standards, take 2
(PR openssl/openssl#13167)
  - util/fix-deprecation: DEPRECATEDIN conversion util for public headers
(PR openssl/openssl#13239)
  - Simplify and clarify doc/internal/man7/deprecation.pod
(PR openssl/openssl#13240)
  - test/endecoder_legacy_test.c: new test for legacy comparison
(PR openssl/openssl#13262)
  - test/recipes/90-test_shlibload.t: Skip when address sanitizer enabled
(PR openssl/openssl#13281)
  - Cleanup error reporting in crypto/
(PR openssl/openssl#13318)
  - Cleanup error reporting providers
(PR openssl/openssl#13319)
  - Really deprecate the old NAMEerr() macros
(PR openssl/openssl#13320)
  - Fix test/recipes/80-test_ca.t to skip_all properly in a subtest
(PR openssl/openssl#13331)
  - EVP: Have all EVP_PKEY check functions export to provider if possible
(PR openssl/openssl#13334)
  - Small passphrase reading fixes
(PR openssl/openssl#13346)
  - ERR: deprecate all old ERR_load_ and stop producing new ones
(PR openssl/openssl#13390)
  - Fix SUPPORT.md for better readability
(PR openssl/openssl#13398)
  - DOC: Fixup the description of the -x509_strict option
(PR openssl/openssl#13412)
  - util/mkrc.pl: Make sure FILEVERSION and PRODUCTVERSION have four numbers
(PR openssl/openssl#13415)
  - util/find-doc-nits: check podchecker() return value
(PR openssl/openssl#13416)
  - DOC: Fix example in OSSL_PARAM_int.pod
(PR openssl/openssl#13426)
  - SSL: Change SSLerr() to ERR_raise()
(PR openssl/openssl#13450)
  - TEST: Make our test data binary
(PR openssl/openssl#13477)
  - DOC: Add note on how to terminate an OSSL_PARAM array
(PR openssl/openssl#13478)
  - APPS: Guard use of IPv6 functions and constants with a check of AF_INET6
(PR openssl/openssl#13484)
  - ERR: Restore the similarity of ERR_print_error_cb() and
ERR_error_string_n()
(PR openssl/openssl#13510)
  - APPS: Modify the way apps/cmp.c silences the UI_METHOD when -batch is given
(PR openssl/openssl#13512)
  - EVP_PKEY & DSA: Make DSA EVP_PKEY_CTX parameter ctrls / setters more 
available
(PR openssl/openssl#13530)
  - TEST: Fix path length in test/ossl_store_test.c
(PR openssl/openssl#13546)
  - RSA: correct digestinfo_ripemd160_der[]
(PR openssl/openssl#13562)
* Web:
  - REVIEWED: Update newsflash for alpha 8 release
(PR openssl/web#206 by mattcaswell)
  - REVIEWED: Update newsflash for new release
(PR openssl/web#208 by mattcaswell)

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: [openssl-project] Monthly Status Report (November)

2018-12-07 Thread Richard Levitte
Apart from normal business, such as normal reviews, OMC business,
normal system administration tasks, etc., key activities this month:

Development:

- Supported and reviewed the 1.1.1a/1.1.0j/1.0.2q releases
- Worked on making the /dev/crypto engine a bit more efficient and to
  provide digest copy functionality (PR 7506)
- Added the possibility to assign C macros on per object or end
  product files (PR 7553)
- Added the possibility to specify sub-directories in build.info files
  (PR 7558)
- Allowed parallel install, and made install targets depend more
  closely on build targets (PR 7583)
- Added issue templates and user support page on Github (PR 7623 and 7632)
- Fixed an rpath related issue in our tests (PR 7626)
- Made the internal collection of system error messages smarter (PRs
  7681 and 7701)
- Changed our tarball creating procedure to use the script
  util/mktar.sh (PR 7692 and 7696)
- Fixed a few VMS build issues for assembler (PR 7700 and 7703)
- Reviewed a few EVP_MAC ports (PRs 7548, 7459, 7597)
- Reviewed assembler fixups (PR 7643)
- Reviewed interactive read of pkeyopts (PR 5697)
- Reviewed constant-time RSA fixes
- Attended the OpenSSL OMC face-2-face in Edinburgh
- Attended the OpenSSL FIPS meeting in Edinburgh
- Updating work on building docs at build time (PR 6236)
- Reworking building to become more dynamic (PR 7473 and yet
  unsubmitted branches)
- Fixing a BIO_s_connect crash on NULL issue (PR 7630)
- Adding attributes to product files in build.info (PR 7581)
- Reviewing the EVP_KDF work (PR 6674)
- Reviewing the mac application (PR 7661)
- Reviewing further /dev/crypto engine development (PR 7585)

Admin:

- Working on an update of Buildbot

Others:

- Fixed addrev / gitaddrev casing issues
- Added progress spinner to copyright checker release script

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/