Re: [openssl-dev] [openssl.org #4667] Issue with OpenSSL v1.1.0 on AIX with XLC and GCC and -O

2016-09-02 Thread Andy Polyakov via RT
> - GCC 6.1.0 is: KO, 64 & 32 bits:
> #   Failed test 'running evp_test evptests.txt'
> #   at ../test/recipes/30-test_evp.t line 18.
> # Looks like you failed 1 test of 1.
> ../test/recipes/30-test_evp.t ..
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/1 subtests

Phew! Mystery solved! Verify attached patch. Trouble was that vector
ChaCha subroutine relies on its alignment in memory. But on AIX it's
impossible to *control* alignment with desired granularity without
specifying higher alignment for .text segment itself. And .text
directive was missing in chacha-ppc module :-( So it's not exactly
optimizations of ppccap.o that mattered, but its changing size depending
on optimization options that was affecting chacha subroutine's
alignment. It actually *could* be vice versa, i.e. work with
optimizations on and fail without, it's all about a coincidence.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4667
Please log in as guest with password guest if prompted

diff --git a/crypto/chacha/asm/chacha-ppc.pl b/crypto/chacha/asm/chacha-ppc.pl
index b978f58..8a54cba 100755
--- a/crypto/chacha/asm/chacha-ppc.pl
+++ b/crypto/chacha/asm/chacha-ppc.pl
@@ -133,6 +133,7 @@ my 
($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
 
 $code.=<<___;
 .machine   "any"
+.text
 
 .globl .ChaCha20_ctr32_int
 .align 5
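
Review bot: the added `.text` line ahead of `.globl .ChaCha20_ctr32_int` has no comment, and nothing in the hunk tells a later reader that the `.align 5` two lines below depends on it. A one-line comment in the heredoc saying the directive is needed for the alignment to take effect on AIX would keep it from being removed as redundant in a later cleanup.
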
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] Certificate torture test

2016-09-02 Thread Salz, Rich
> I've started collecting a certificate torture test suite at
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/
> Makefile.am

I think this is cool, and splitting it off is a good idea.  I think some IETF 
folks would be interested, too.

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz




[openssl-dev] Certificate torture test

2016-09-02 Thread David Woodhouse
I've started collecting a certificate torture test suite at
http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am

It has RSA, DSA and EC keys in various forms (PKCS#1, PKCS#8, PKCS#12
with varying encryptions), and PKCS#11.

I'm vaguely thinking about separating it from OpenConnect and making it
available as a generic test suite — and then perhaps trying to set
expectations that any application that can use SSL client certs/keys
should pass it.

Currently, every application you encounter on a Linux system will
support a *different* subset of the keys here. It would be nice to have
a bit of consistency.

Does that seem reasonable? Is there anything I'm missing from the tests
above? I know I need to add some non-ASCII password tests, and I need a
PKCS#11 test case where the certificate isn't visible until you log in
to the token. What else? Should I add PKCS#12 in PEM form for
completeness?

FWIW I hate all crypto libraries... there isn't *one* which simply has
a function that'll do the right thing and load a certificate given a
string which identifies it (by filename or PKCS#11 URI). GnuTLS comes
closest, I think, but we still have to jump through hoops in the
*application* to work out what kind of file we're looking at and ask
for it to be loaded. The library *really* ought to make that simple.

-- 
dwmw2






[openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Rich Salz via RT
The title now has the URL. Closing. Fixed as it's gonna get :)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4660] error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

2016-09-02 Thread Glen Matthews via RT
Hi

Are you saying that it was full?

glen

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Stephen 
Henson via RT
Sent: Friday, September 02, 2016 12:00 PM
To: 1047941...@qq.com
Cc: openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.org #4660] 
error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

On Sat Aug 27 14:01:11 2016, 1047941...@qq.com wrote:
> hello:
> i want to use libcurl with openssl, and i build openssl use this
> cmd:
> "perl configure VC-WIN32 no-asm -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi
> -DOPENSSL_CAPIENG_DIALO"
>
>
> when i use curl get url,eg "curl -k 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__-2A.com=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=IuQq7WSAP9cJ_y-1fyCdn_8WwrZkjkgpnDza8tOuE7w=
>  ",return the error:
> error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object
>

Quick answer: use OpenSSL 1.1.0 . Alternatively disable TLS 1.2 (e.g. curl 
command line option) or indicate support only for SHA1+RSA for client signature 
algorithms (don't think there is a curl command line option for this).

Long answer: the capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached 
to the key for cryptographic operations. Unfortunately this means that SHA2 
algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 in 
earlier versions of OpenSSL it will not use SHA2 for client auth so that will 
also work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: 
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openssl.org=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=vd-4WnAUoA49neABl9NK-g38u00nQ2f7vJWLpope-KA=
 

--
Ticket here: 
https://urldefense.proofpoint.com/v2/url?u=http-3A__rt.openssl.org_Ticket_Display.html-3Fid-3D4660=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=d_EFK2MpG35FfJdpz5zxneka6JHkljpl79ksuSy143s=
Please log in as guest with password guest if prompted



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4660
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4660] error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

2016-09-02 Thread Glen Matthews
Hi

Are you saying that it was full?

glen

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Stephen 
Henson via RT
Sent: Friday, September 02, 2016 12:00 PM
To: 1047941...@qq.com
Cc: openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.org #4660] 
error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

On Sat Aug 27 14:01:11 2016, 1047941...@qq.com wrote:
> hello:
> i want to use libcurl with openssl, and i build openssl use this
> cmd:
> "perl configure VC-WIN32 no-asm -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi
> -DOPENSSL_CAPIENG_DIALO"
>
>
> when i use curl get url,eg "curl -k 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__-2A.com=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=IuQq7WSAP9cJ_y-1fyCdn_8WwrZkjkgpnDza8tOuE7w=
>  ",return the error:
> error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object
>

Quick answer: use OpenSSL 1.1.0 . Alternatively disable TLS 1.2 (e.g. curl 
command line option) or indicate support only for SHA1+RSA for client signature 
algorithms (don't think there is a curl command line option for this).

Long answer: the capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached 
to the key for cryptographic operations. Unfortunately this means that SHA2 
algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 in 
earlier versions of OpenSSL it will not use SHA2 for client auth so that will 
also work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: 
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openssl.org=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=vd-4WnAUoA49neABl9NK-g38u00nQ2f7vJWLpope-KA=
 

--
Ticket here: 
https://urldefense.proofpoint.com/v2/url?u=http-3A__rt.openssl.org_Ticket_Display.html-3Fid-3D4660=DQICAg=ZgVRmm3mf2P1-XDAyDsu4A=en90exXQg079MaPhrg6ehRKNiY_fq-tJFa8EsFg1CLY=GiaQ-aXTEAz2LIGw86R8W_YUndEECrAdv2HNMrMYIKs=d_EFK2MpG35FfJdpz5zxneka6JHkljpl79ksuSy143s=
Please log in as guest with password guest if prompted



[openssl-dev] [openssl.org #4660] error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

2016-09-02 Thread Stephen Henson via RT
On Sat Aug 27 14:01:11 2016, 1047941...@qq.com wrote:
> hello:
> i want to use libcurl with openssl, and i build openssl use this
> cmd:
> "perl configure VC-WIN32 no-asm -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi
> -DOPENSSL_CAPIENG_DIALO"
>
>
> when i use curl get url,eg "curl -k https://*.com",return the error:
> error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object
>

Quick answer: use OpenSSL 1.1.0 . Alternatively disable TLS 1.2 (e.g. curl
command line option) or indicate support only for SHA1+RSA for client signature
algorithms (don't think there is a curl command line option for this).

Long answer: the capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
to the key for cryptographic operations. Unfortunately this means that SHA2
algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 in
earlier versions of OpenSSL it will not use SHA2 for client auth so that will
also work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4660
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Salz, Rich via RT
> Errr, yes. That's because all pages include the same header, which has:
> 
> OpenSSL
> 
> I thought that was by design...

No, it was because the person who rebuilt the web doesn't know much about the 
web.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Salz, Rich
Yeah, something like that for 1.0.2; simpler for 1.1.0.  I'll do it.


Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Salz, Rich via RT
Yeah, something like that for 1.0.2; simpler for 1.1.0.  I'll do it.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted



[openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Richard Levitte via RT
On Fri Sep 02 14:37:30 2016, rs...@akamai.com wrote:
> There is a bug. Navigate around and then right-click on the back
> button. All the pages just say openssl.

Errr, yes. That's because all pages include the same header, which has:

OpenSSL

I thought that was by design...

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Salz, Rich via RT
There is a bug.  Navigate around and then right-click on the back button.  All 
the pages just say openssl.
Re-opening.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4641] [openssl-1.1.0-pre6] make test stops with solaris64-x86_64-gcc

2016-09-02 Thread Kiyoshi KANAZAWA via RT
I forgot writing.

crypto/x86_64cpuid.s generated by 64 bit perl & generated by rebuilt 32 bit perl
is the same.

Regards,

--- Kiyoshi 


> With my old 32 bit perl,built by default except for prefix,
>   perl -e 'use integer; printf 
> "%d\n",0x<<32>>32'
> prints 0.
> 64 bit perl prints -1.
> 
> After rebuilding 32 bit perl with Configuring "-Duse64bitint", output 
> was changed to -1.
> With this rebuilt 32 bit perl, openssl-1.1.0 "make test" passes.
> 
> 
> (I checked perl-5.24.0, building both with gcc 5.4.0 & developerstudio12.5 
> cc,
> and had the same results.)
> 
> Regards,
> 
> --- Kiyoshi 
> 
> 
>> 
>>>   Note that a 32-bit Perl can be compiled with or without support for 
> 64-bit 
>>  integers.
>>>   That fact hit me once doing OpenSSL builds, some 64-bit constants were 
> not
>>>   calculated correctly, however that showed up at build time so not 
> likely
>>>   to be the case here. However, it might be helpful checking if the 
> 32-bit 
>>  perl
>>>   in question supports 64-bit or not.
>> 
>>  Those problems were addressed and both configurations are known to work.
>>  For example 32-bit perl I use by default on Linux is *not* compiled with
>>  64-bit integers, while 32-bit perl I have on Solaris is. No problem with
>>  either. It appears to me that problem is likely to occur at sign
>>  extension when processing effective addresses. To demonstrate this with
>>  one-liner:
>> 
>>  perl -e 'use integer; printf 
>>  "%d\n",0x<<32>>32'
>> 
>>  It should print -1 in either combination of bitnesses.
>> 
>> 
>>  -- 
>>  Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4641
>>  Please log in as guest with password guest if prompted
>> 
>


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4641
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT  wrote:
 |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
 |> From the documentation i cannot tell what is wrong with the
 |> following:
 |>
 |> echo abc > a; echo def > b; echo ghi > c
 |> openssl genpkey -algorithm RSA -out k.prv
 |> openssl pkey -in k.prv -pubout -out k.pub
 |> openssl dgst -sha512 -sign k.prv -out .sig a b c
 |> openssl dgst -sha512 -verify k.pub -signature .sig a b c
 |> rm k.prv k.pub a b c
 |
 |The manual for dgst has this little note
 |
 |The signing and verify options should only be used if a single file \
 |is being
 |signed or verified.
 |In other words, don't do that.

I really haven't seen that.  It is the second last sentence.  Hm.

 |While I can understand the desire to do multiple files in one swoop, the
 |signature file (.sig in this case) isn't formatted in any special way, it's
 |literally just a stream of bytes. So it does contain all the signatures, \
 |but
 |in an unstructured format. Verification will read that file and use \
 |the first n
 |bytes from it when verifying each file you give it. That's why you \
 |get correct
 |verification on the first file but not the others.
 |
 |The solution to this is to enhance dgst so it loudly refuses to sign \
 |or verify
 |more than one file.

If that is your way.  I haven't actually tried it, but the
following should do what you want?!
Ciao,

--- dgst.c.orig 2016-09-02 15:06:08.952110179 +0200
+++ dgst.c  2016-09-02 15:13:57.592904667 +0200
@@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv)
 if (md)
 md_name = EVP_MD_name(md);
 }
+
+if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){
+BIO_printf(bio_err, "Signing and verifying cannot be used with 
"
+   "multiple files\n");
+ret = 1;
+goto end;
+}
+
 ret = 0;
 for (i = 0; i < argc; i++) {
 int r;
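
Review bot: the added line `if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){` is missing a space before the opening brace, and the error text "Signing and verifying cannot be used with multiple files" would be easier to act on if it named the options involved (-sign, -verify, -signature). Because this check turns the manual's "should only be used if a single file is being signed or verified" advice into a hard error, the dgst documentation should be updated in the same change.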

--steffen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso
Richard Levitte via RT  wrote:
 |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
 |> From the documentation i cannot tell what is wrong with the
 |> following:
 |>
 |> echo abc > a; echo def > b; echo ghi > c
 |> openssl genpkey -algorithm RSA -out k.prv
 |> openssl pkey -in k.prv -pubout -out k.pub
 |> openssl dgst -sha512 -sign k.prv -out .sig a b c
 |> openssl dgst -sha512 -verify k.pub -signature .sig a b c
 |> rm k.prv k.pub a b c
 |
 |The manual for dgst has this little note
 |
 |The signing and verify options should only be used if a single file \
 |is being
 |signed or verified.
 |In other words, don't do that.

I really haven't seen that.  It is the second last sentence.  Hm.

 |While I can understand the desire to do multiple files in one swoop, the
 |signature file (.sig in this case) isn't formatted in any special way, it's
 |literally just a stream of bytes. So it does contain all the signatures, \
 |but
 |in an unstructured format. Verification will read that file and use \
 |the first n
 |bytes from it when verifying each file you give it. That's why you \
 |get correct
 |verification on the first file but not the others.
 |
 |The solution to this is to enhance dgst so it loudly refuses to sign \
 |or verify
 |more than one file.

If that is your way.  I haven't actually tried it, but the
following should do what you want?!
Ciao,

--- dgst.c.orig 2016-09-02 15:06:08.952110179 +0200
+++ dgst.c  2016-09-02 15:13:57.592904667 +0200
@@ -369,6 +369,14 @@ int dgst_main(int argc, char **argv)
 if (md)
 md_name = EVP_MD_name(md);
 }
+
+if (argc > 1 && (sigbuf != NULL || sigkey != NULL)){
+BIO_printf(bio_err, "Signing and verifying cannot be used with 
"
+   "multiple files\n");
+ret = 1;
+goto end;
+}
+
 ret = 0;
 for (i = 0; i < argc; i++) {
 int r;
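
Review bot: the guard depends on `sigbuf != NULL || sigkey != NULL`, but the visible context does not show where either variable is assigned, so it needs confirming that both are already populated at this point in dgst_main (right after the `md_name` block) for every signing and verifying invocation; the message says the patch has not been tried. A test that runs the a/b/c reproduction from the ticket and expects a non-zero exit with nothing written to the signature file would cover it.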

--steffen


Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT  wrote:
 |On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote:
 |> Before sending the last message i looked around on the website (it
 |> has become particularly complicated to find the bug tracker), and
 |> looking at the "go-back" list i saw dozens of "OpenSSL" entries,
 |> rather than rt, "Getting started as a contributor", etc.
 |
 |Not sure what you're on about... I just had a look through the whole set of
 |files, and there's only one page that has that string. This one:
 |https://www.openssl.org/community/getting-started.html
 |
 |As for page titles, all our pages have the title 'OpenSSL'

My name is Hare and i know nothing.
I don't have a Github account (they don't accept hard cash), but
i have found a repository there which seems to be this web page.
The makefile etc. seem to follow security-by-obscurity, but it
seems that you use SSI to generate some load.
If that is really true, the pages could very well be changed to
have a

  

that is repeated in the  further down via

  

I must admit that i don't know whether that is working, the last
time i have used SSI was, i think, and if i recall correctly, with
the Xitami webserver, and before 1999?  Can this be correct?  I am
not lying this, anyway.

 |To sum it up, I don't think we have a problem here. Closing this ticket.

I could place this on my (pretty long) TODO and adjust the web
pages as above at some later time.  Because i think you are
mistaken: to me it seems to be bad style and impolite; the latter
not so much because of the filenames, but these you don't see in
the browser navigation buttons of my graphical browser, only in
the history.
Just my one penny.  Ciao.

--steffen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso
Richard Levitte via RT  wrote:
 |On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote:
 |> Before sending the last message i looked around on the website (it
 |> has become particularly complicated to find the bug tracker), and
 |> looking at the "go-back" list i saw dozens of "OpenSSL" entries,
 |> rather than rt, "Getting started as a contributor", etc.
 |
 |Not sure what you're on about... I just had a look through the whole set of
 |files, and there's only one page that has that string. This one:
 |https://www.openssl.org/community/getting-started.html
 |
 |As for page titles, all our pages have the title 'OpenSSL'

My name is Hare and i know nothing.
I don't have a Github account (they don't accept hard cash), but
i have found a repository there which seems to be this web page.
The makefile etc. seem to follow security-by-obscurity, but it
seems that you use SSI to generate some load.
If that is really true, the pages could very well be changed to
have a

  

that is repeated in the  further down via

  

I must admit that i don't know whether that is working, the last
time i have used SSI was, i think, and if i recall correctly, with
the Xitami webserver, and before 1999?  Can this be correct?  I am
not lying this, anyway.

 |To sum it up, I don't think we have a problem here. Closing this ticket.

I could place this on my (pretty long) TODO and adjust the web
pages as above at some later time.  Because i think you are
mistaken: to me it seems to be bad style and impolite; the latter
not so much because of the filenames, but these you don't see in
the browser navigation buttons of my graphical browser, only in
the history.
Just my one penny.  Ciao.

--steffen


[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Richard Levitte via RT
On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote:
> Hello.
>
> From the documentation i cannot tell what is wrong with the
> following:
>
> echo abc > a; echo def > b; echo ghi > c
> openssl genpkey -algorithm RSA -out k.prv
> openssl pkey -in k.prv -pubout -out k.pub
> openssl dgst -sha512 -sign k.prv -out .sig a b c
> openssl dgst -sha512 -verify k.pub -signature .sig a b c
> rm k.prv k.pub a b c

The manual for dgst has this little note

The signing and verify options should only be used if a single file is being
signed or verified.
In other words, don't do that.

While I can understand the desire to do multiple files in one swoop, the
signature file (.sig in this case) isn't formatted in any special way, it's
literally just a stream of bytes. So it does contain all the signatures, but
in an unstructured format. Verification will read that file and use the first n
bytes from it when verifying each file you give it. That's why you get correct
verification on the first file but not the others.

The solution to this is to enhance dgst so it loudly refuses to sign or verify
more than one file.

Cheers,
Richard
--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4669
Please log in as guest with password guest if prompted
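
The behaviour described in the message above, as an added example that is not part of the thread or of OpenSSL's own code: it signs the three files one at a time, concatenates the signatures into one unstructured blob, and compares a verifier that only ever reads the first n bytes with one that knows record i starts at byte i*n. The names `check`, `demo_dgst_multi`, `all.sig`, `first.sig` and `rec.sig` are hypothetical, the sample files are constructed, and the first-n-bytes verifier is modelled with `dd` rather than by passing several files to `openssl dgst`.

```sh
#!/bin/sh
# Added example: why one unstructured signature blob cannot cover several
# files, and what fixed-size per-record framing would look like instead.

# check FILE SIGFILE: prints "FILE=ok" or "FILE=fail" for a SHA-512 RSA
# signature, using k.pub from the current directory.
check() {
    if openssl dgst -sha512 -verify k.pub -signature "$2" "$1" >/dev/null 2>&1
    then printf '%s=ok' "$1"
    else printf '%s=fail' "$1"
    fi
}

demo_dgst_multi() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        echo abc > a; echo def > b; echo ghi > c    # constructed sample files

        # Throwaway 2048-bit RSA key pair for the demonstration.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out k.prv 2>/dev/null || exit 1
        openssl pkey -in k.prv -pubout -out k.pub || exit 1

        # One signature per file: the supported way to use dgst -sign.
        for f in a b c; do
            openssl dgst -sha512 -sign k.prv -out "$f.sig" "$f" || exit 1
        done

        # Every signature has the size of the RSA modulus (256 bytes here),
        # so the concatenation is n-byte records with no header or separator.
        n=$(( $(wc -c < a.sig) ))
        cat a.sig b.sig c.sig > all.sig

        # Verifier 1: uses the first n bytes of the blob for every file.
        dd if=all.sig of=first.sig bs="$n" count=1 2>/dev/null
        printf 'first-record: %s %s %s\n' \
            "$(check a first.sig)" "$(check b first.sig)" "$(check c first.sig)"

        # Verifier 2: knows the framing and takes record i for the i-th file.
        i=0
        line='per-record:'
        for f in a b c; do
            dd if=all.sig of=rec.sig bs="$n" skip="$i" count=1 2>/dev/null
            line="$line $(check "$f" rec.sig)"
            i=$((i + 1))
        done
        printf '%s\n' "$line"
    )
    status=$?
    rm -rf "$work"
    return "$status"
}

demo_dgst_multi
```

The second verifier only works because all three signatures come from the same key and therefore have the same length; a blob mixing keys of different sizes would need explicit length or file-name framing.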



[openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Richard Levitte via RT
On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote:
> Before sending the last message i looked around on the website (it
> has become particularly complicated to find the bug tracker), and
> looking at the "go-back" list i saw dozens of "OpenSSL" entries,
> rather than rt, "Getting started as a contributor", etc.

Not sure what you're on about... I just had a look through the whole set of
files, and there's only one page that has that string. This one:
https://www.openssl.org/community/getting-started.html

As for page titles, all our pages have the title 'OpenSSL'

To sum it up, I don't think we have a problem here. Closing this ticket.

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
"Salz, Rich"  wrote:
  ..
 |for and fix?  (I'm kinda slow sometimes)

Do you know the story of the couple that had been married for
decades when suddenly, at a Sunday morning breakfast, it has been
revealed that she, who was given the upper half of the bread rolls
for so long -- because he thought that was what she likes --,
would much rather have eaten the lower half, but didn't say
a word, because she thought it would have hurt him if she would
have done so?

This story is one of my childhood Traumatas, by the way. ^_^

--steffen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4668
Please log in as guest with password guest if prompted



Re: [openssl-dev] [openssl.org #4641] [openssl-1.1.0-pre6] make test stops with solaris64-x86_64-gcc

2016-09-02 Thread Kiyoshi KANAZAWA via RT
With my old 32 bit perl,built by default except for prefix,
  perl -e 'use integer; printf "%d\n",0x<<32>>32'
prints 0.
64 bit perl prints -1.

After rebuilding 32 bit perl with Configuring "-Duse64bitint", output was 
changed to -1.
With this rebuilt 32 bit perl, openssl-1.1.0 "make test" passes.


(I checked perl-5.24.0, building both with gcc 5.4.0 & developerstudio12.5 cc,
and had the same results.)

Regards,

--- Kiyoshi 


> 
>>  Note that a 32-bit Perl can be compiled with or without support for 64-bit 
> integers.
>>  That fact hit me once doing OpenSSL builds, some 64-bit constants were not
>>  calculated correctly, however that showed up at build time so not likely
>>  to be the case here. However, it might be helpful checking if the 32-bit 
> perl
>>  in question supports 64-bit or not.
> 
> Those problems were addressed and both configurations are known to work.
> For example 32-bit perl I use by default on Linux is *not* compiled with
> 64-bit integers, while 32-bit perl I have on Solaris is. No problem with
> either. It appears to me that problem is likely to occur at sign
> extension when processing effective addresses. To demonstrate this with
> one-liner:
> 
> perl -e 'use integer; printf 
> "%d\n",0x<<32>>32'
> 
> It should print -1 in either combination of bitnesses.
> 
> 
> -- 
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4641
> Please log in as guest with password guest if prompted
>


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4641
Please log in as guest with password guest if prompted
