[openssl-dev] [ARM] sha1_block_armv8 caller

2016-07-11 Thread Catalin Vasile 
Hi,

I see that there is function named sha1_block_armv8 defined in 
crypto/sha/asm/sha1-armv8.pl, but I cannot find any function that calls it.

Cata
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Openssl apps linker errors after adding new cipher

2016-07-11 Thread Benjamin Kaduk 
On 07/10/2016 09:13 PM, Wang Hao Lee wrote:
>
> After I changed these files. Compiling using ./config fips; make
> depend; make was successful and the apps can link nicely. I
> even manage to test my cipher via the EVP interface: openssl speed
> -evp mynewcipher. 
>
> However, when I build by configuring with ./config fips shared; make
> depend; make to generate shared objects for libcrypto and libssl I get
> the following linker error:
>

If I remember correctly, the Debian packaging adds a layer that uses and
export symbol list to restrict what symbols can be used from the shared
library; presumably Ubuntu has also picked up that bit of code.  Look at
openssl.ld in your source tree.

-Ben
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures

2016-07-11 Thread Alessandro Ghedini 
On Mon, Jul 11, 2016 at 04:20:29PM +, Kurt Roeckx via RT wrote:
> Hi,
> 
> When trying to check what happens if we simulate malloc()
> returning NULL I'm running into a problem that I'm not sure how to
> deal with.
> 
> We have CRYPTO_THREAD_run_once(), which takes an init() function
> that returns void, so it can't return failures.  At least the
> pthread_once() function also has it as void.
> 
> But if those functions call malloc() and that returns NULL, we now
> don't catch that error, and later just try to use a NULL pointer.
> 
> Anybody a good idea how to solve this?

As Viktor said, init_once is generally used to initialize some kind of global
state, so you can try to check the result after the CRYPTO_THREAD_run_once()
call.

Cheers


signature.asc
Description: PGP signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures

2016-07-11 Thread Viktor Dukhovni 
On Mon, Jul 11, 2016 at 05:48:06PM +, Salz, Rich via RT wrote:

> Previously we've changed return-types from void to int.  If there's still 
> time, that seems like the thing to do here.

With pthread_once and friends the pattern is to use void init
functions, and as necessary check for success by examining the
resulting state after the fact.

The init function passed to pthread_once() is defined to take no
arguments and return no results.

-- 
Viktor.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures

2016-07-11 Thread Salz, Rich via RT 
Previously we've changed return-types from void to int.  If there's still time, 
that seems like the thing to do here.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4614
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

2016-07-11 Thread Kurt Cancemi via RT 
Hello,

In 1.0.1s OpenSSL disabled SSLv2 by default in the build. So use perl Configure 
no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

Excerpt from CHANGES

"Changes between 1.0.1r and 1.0.1s [1 Mar 2016]"
“
Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
is by default disabled at build-time.  Builds that are not configured with
"enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:

SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client and
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
(CVE-2016-0800)”

I highly advise you to stay clear of SSLv2 as it has numerous flaws. You are 
receiving crashes because SSLv2_server_method() returns NULL and SSL_CTX_new() 
returns NULL because the input argument (the server method) is NULL. You should 
check the return value of SSL_CTX_new() no matter what because it can fail.

Kurt Cancemi
k...@x64architecture.com

> On Jul 11, 2016, at 08:10, Dmytro Shamatrin via RT  wrote:
> 
> Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with 
> OpenSSL-1.0.1t
> 
> After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on 
> windows machine. After investigation I found that it started to happen after 
> R version. 


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

2016-07-11 Thread Kurt Cancemi 
Hello,

In 1.0.1s OpenSSL disabled SSLv2 by default in the build. So use perl Configure 
no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

Excerpt from CHANGES

"Changes between 1.0.1r and 1.0.1s [1 Mar 2016]"
“
Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
is by default disabled at build-time.  Builds that are not configured with
"enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:

SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client and
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
(CVE-2016-0800)”

I highly advise you to stay clear of SSLv2 as it has numerous flaws. You are 
receiving crashes because SSLv2_server_method() returns NULL and SSL_CTX_new() 
returns NULL because the input argument (the server method) is NULL. You should 
check the return value of SSL_CTX_new() no matter what because it can fail.

Kurt Cancemi
k...@x64architecture.com

> On Jul 11, 2016, at 08:10, Dmytro Shamatrin via RT  wrote:
> 
> Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with 
> OpenSSL-1.0.1t
> 
> After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on 
> windows machine. After investigation I found that it started to happen after 
> R version. 

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4614] pthread_once and malloc failures

2016-07-11 Thread Kurt Roeckx via RT 
Hi,

When trying to check what happens if we simulate malloc()
returning NULL I'm running into a problem that I'm not sure how to
deal with.

We have CRYPTO_THREAD_run_once(), which takes an init() function
that returns void, so it can't return failures.  At least the
pthread_once() function also has it as void.

But if those functions call malloc() and that returns NULL, we now
don't catch that error, and later just try to use a NULL pointer.

Anybody a good idea how to solve this?


Kurt


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4614
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4611] PKCS12_create() not thread-safe for ECDSA

2016-07-11 Thread Rich Salz via RT 
ah, you're right, the lock in EC_KEY should be used. thanks.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4611
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread David Woodhouse via RT 
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote:
> 
> 
> Looking at the various places in the code where get_issuer
> and check_issued are accessed, they mostly use the context rather than
> the store. Here are the places I have found:
> 
> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
> 
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
> 
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
> 
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
> 
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
> 
> https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997
> 
> And the following one actually uses the store and not the context:
> 
> https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448

I was using store.get_issuer() in OpenConnect too, because I need to
manually build the trust chain to include it on the wire — because
even today the server might *still* suffer RT#1942 and fail to trust
our client cert unless we help it by providing the *right* chain.

I've worked around the lack of access to get_issuer() by doing a dummy
call to X509_verify_cert(), throwing away its result and then hoping
that we have something useful in store.chain (which we *can* still
access). That seems to work but I'm not stunningly happy with it; if we
can have an accessor I'd much rather go back to doing it the old way.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0
(in workaround_openssl_certchain_bug() in the hunk around line 1306)


-- 
dwmw2


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread David Woodhouse 
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote:
> 
> 
> Looking at the various places in the code where get_issuer
> and check_issued are accessed, they mostly use the context rather than
> the store. Here are the places I have found:
> 
> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
> 
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
> 
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
> 
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
> 
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
> 
> https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997
> 
> And the following one actually uses the store and not the context:
> 
> https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448

I was using store.get_issuer() in OpenConnect too, because I need to
manually build the trust chain to include it on the wire — because
even today the server might *still* suffer RT#1942 and fail to trust
our client cert unless we help it by providing the *right* chain.

I've worked around the lack of access to get_issuer() by doing a dummy
call to X509_verify_cert(), throwing away its result and then hoping
that we have something useful in store.chain (which we *can* still
access). That seems to work but I'm not stunningly happy with it; if we
can have an accessor I'd much rather go back to doing it the old way.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0
(in workaround_openssl_certchain_bug() in the hunk around line 1306)


-- 
dwmw2
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread Mattias Ellert via RT 
fre 2016-07-08 klockan 06:08 + skrev Richard Levitte via RT:
> On Thu Jul 07 21:29:09 2016, levitte wrote:
> > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > > /* Add to include/openssl/x509_vfy.h : */
> > > 
> > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer,
> > > X509_STORE_CTX
> > > *ctx, X509 *x);
> > > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx,
> > > X509
> > > *x, X509 *issuer);
> > > 
> > > void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx,
> > > X509_STORE_CTX_get_issuer
> > > get_issuer);
> > > X509_STORE_CTX_get_issuer
> > > X509_STORE_CTX_get_get_issuer(X509_STORE_CTX
> > > *ctx);
> > > void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx,
> > > X509_STORE_CTX_check_issued
> > > check_issued);
> > > X509_STORE_CTX_check_issued
> > > X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
> > 
> > For this part, https://github.com/openssl/openssl/pull/1294
> 
> So, looking at this again after some sleep, there's a part of this
> solution
> that I'm unsure of, and it all comes back to X509_STORE_CTX_init(),
> where the
> X509_STORE context gets initialised from the X509_STORE, including
> all the
> function pointers. This has me wonder if the X509_STORE_CTX setters
> should
> really be made available (perhaps with the exception of the verify
> and
> verify_cb ones). Doesn't it make more sense to set those function
> pointers when
> creating the X509_STORE itself? Why would those functions need to be
> changed in
> the context?
> 
> Cheers,
> Richard
> 
> --
> Richard Levitte
> levi...@openssl.org
> 

Looking at the various places in the code where get_issuer
and check_issued are accessed, they mostly use the context rather than
the store. Here are the places I have found:

https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71

https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581

https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588

https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367

https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059

https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997

And the following one actually uses the store and not the context:

https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448

Mattias


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] Bug#829272: Info received (Fwd: [openssl.org #4602] Missing accessors)

2016-07-11 Thread 829...@bugs.debian.org via RT 
Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian OpenSSL Team 

If you wish to submit further information on this problem, please
send it to 829...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
829272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4613] openssl RSA key: verify error 1.0.1t

2016-07-11 Thread Salz, Rich via RT 
Can you use a more recent version?  1.0.1 is end of life and only getting 
security fixes (and then only for the rest of the year).

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4613
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [ARM] sha1_block_armv8 caller

2016-07-11 Thread Catalin Vasile 
Hi,

I see that there is function named sha1_block_armv8 defined in 
crypto/sha/asm/sha1-armv8.pl, but I cannot find any function that calls it.
Which function calls sha1_block_armv8?

Cata
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread Richard Levitte via RT 
On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> fre 2016-07-08 klockan 00:42 +0200 skrev Kurt Roeckx:
> > Mattias,
> >
> > Can you explain why this is needed, what the code is trying to do?
> >
> >
> > Kurt
> >
>
> Hi!
>
> The modification of the extension flags happens in at least four
> different packages. The modification they do is to add the
> EXFLAG_PROXY
> bit to the flags.

Ok, I just had a look:

>
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692

This looks like an old workaround, and I wonder if it's really needed any more.
If it's still needed, I'd say this may uncover a bug within OpenSSL, but in
that case, I'd rather fix that in 1.1

> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740

I see what this code does, it makes a name constraint check that should have
been present in OpenSSL but wasn't... until 1.1. However, there's other stuff
in that function that looks odd..

> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719

This is the same code as the voms you pointed at above.

>
https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

This is the same code as the globus-gsi-callback pointer above.

> I guess having a more restrictive accessor that only sets the
> EXFLAG_PROXY bit could work. I suggested the more general solution of
> having set/clear accessors for arbitrary flags since it was - well
> more
> general.

Mm, I'm really unsure about this one. ex_flags is part of a cache of
information that OpenSSL fiddles with whenever it checks the extensions for a
certificate. Calling anything that ends up calling X509_check_issued(),
X509_check_ca() or X509_check_purpose() will cause values to be checked and
cached for the certificates involved in the call of those functions. In the
proxy certificate case, EXFLAG_PROXY will be set for a certificate any time the
proxyCertInfo is found among its extensions.

To be blunt, I would much rather see a bug report that shows when that cache
isn't being built properly, and possibly a fix for it.

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

2016-07-11 Thread Rich Salz via RT 
SSLv2 method returns NULL now. Listed in the CHANGES file. SSLv2 has been
removed for security reasons. Do not use it. Also do not use such an old
release. :)

Closing ticket.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4613] openssl RSA key: verify error 1.0.1t

2016-07-11 Thread gaowenchao via RT 
| |   | |
| |
|
Dear

I was trying to install openssl 1.0.1t on AIX5.3, and it report error when 
running "make test". Below is the error test.

CMS consistency test
/usr/bin/perl cms-test.pl
CMS => PKCS#7 compatibility tests
signed content DER format, RSA key: verify error
make: 1254-004 The error code from the last command is 1.

Stop.
make: 1254-004 The error code from the last command is 2.

Could you please help to confirm whether it's a BUG, or Could you please to 
give me some advice about this error.

Thanks very much.



--
Gao Wenchao 高文超
*
Phone:13731461987
Mail:gaochaochao...@126.com











|
| |
| |   | |
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4613
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

2016-07-11 Thread Dmytro Shamatrin via RT 
Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with 
OpenSSL-1.0.1t

After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on windows 
machine. After investigation I found that it started to happen after R version. 

  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  int main()
  {
unsigned int off = 0;
SSL_CTX *sslctx;
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
ERR_load_crypto_strings();
SSL_library_init();
sslctx = SSL_CTX_new(SSLv2_server_method());
// Next line causes an issue
SSL_CTX_set_options(sslctx, 0);
return 0;
  }

I used following command to compile this program:

cl /I"." ost.c /link out32dll\ssleay32.lib out32dll\libeay32.lib

If you replace ssleay32.dll and libeay32.dll T with dlls from L version, 
everything will be working fine.

My OpenSSL compiled with VC6. To confirm that issue is not in the compiler, 
I've compiled openssl with VC10 and got the same issue.

I've configured OpenSSL and built OpenSSL with:
perl Configure no-asm -DOPENSSL_USE_IPV6=0 VC-WIN32
ms\do_ms
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
nmake -f ms\ntdll.mak install

We can't use x64 compiler, because we use perl, which was compiled many years 
ago with VC6 x86.
I also can provide my binaries, if required.

Thanks.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4602] Missing accessors

2016-07-11 Thread Mattias Ellert via RT 
fre 2016-07-08 klockan 00:42 +0200 skrev Kurt Roeckx:
> On Thu, Jul 07, 2016 at 09:40:24PM +, Richard Levitte via RT
> wrote:
> > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > > /* Add to include/openssl/x509v3.h */
> > > 
> > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags);
> > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags);
> > > 
> > > 
> > > /* Add to crypto/x509v3/v3_purp.c */
> > > 
> > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags)
> > > {
> > > x->ex_flags |= ex_flags;
> > > }
> > > 
> > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags)
> > > {
> > > x->ex_flags &= ~ex_flags;
> > > }
> > 
> > This gives me the heebie jeebies. ex_flags is used a lot
> > internally, and I
> > can't begin to imagine the consequences of letting external code
> > manipulate
> > this. I understand that in some cases, it seems easy and quick,
> > but...
> > 
> > So, if someone else wants to have a go at this and can make
> > something sensible,
> > please be my guest. Me, I'm backing off from this particular idea.
> 
> Mattias,
> 
> Can you explain why this is needed, what the code is trying to do?
> 
> 
> Kurt
> 

Hi!

The modification of the extension flags happens in at least four
different packages. The modification they do is to add the EXFLAG_PROXY
bit to the flags.

https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692

https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740

https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719

https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

I guess having a more restrictive accessor that only sets the
EXFLAG_PROXY bit could work. I suggested the more general solution of
having set/clear accessors for arbitrary flags since it was - well more
general.

Mattias Ellert

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] MGF1-OAEP with SHA2

2016-07-11 Thread Kurt Roeckx 
On Sat, Jul 09, 2016 at 08:42:39PM +0200, c.hol...@ades.at wrote:
> Hi!
> 
> I tried with Openssl 1.0.1t from current Debian testing.
> But I get
> undefined symbol: EVP_PKEY_CTX_set_rsa_oaep_md

1.0.1t is in stable, not testing.

1.0.1 doesn't have that function, 1.0.2 does.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev