[openssl-dev] [ARM] sha1_block_armv8 caller
Hi,

I see that there is a function named sha1_block_armv8 defined in crypto/sha/asm/sha1-armv8.pl, but I cannot find any function that calls it.

Cata

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Openssl apps linker errors after adding new cipher
On 07/10/2016 09:13 PM, Wang Hao Lee wrote:
>
> After I changed these files. Compiling using ./config fips; make
> depend; make was successful and the apps can link nicely. I
> even manage to test my cipher via the EVP interface: openssl speed
> -evp mynewcipher.
>
> However, when I build by configuring with ./config fips shared; make
> depend; make to generate shared objects for libcrypto and libssl I get
> the following linker error:
>

If I remember correctly, the Debian packaging adds a layer that uses an export symbol list to restrict what symbols can be used from the shared library; presumably Ubuntu has also picked up that bit of code. Look at openssl.ld in your source tree.

-Ben
Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures
On Mon, Jul 11, 2016 at 04:20:29PM +, Kurt Roeckx via RT wrote:
> Hi,
>
> When trying to check what happens if we simulate malloc()
> returning NULL I'm running into a problem that I'm not sure how to
> deal with.
>
> We have CRYPTO_THREAD_run_once(), which takes an init() function
> that returns void, so it can't return failures. At least the
> pthread_once() function also has it as void.
>
> But if those functions call malloc() and that returns NULL, we now
> don't catch that error, and later just try to use a NULL pointer.
>
> Anybody a good idea how to solve this?

As Viktor said, init_once is generally used to initialize some kind of global state, so you can try to check the result after the CRYPTO_THREAD_run_once() call.

Cheers
Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures
On Mon, Jul 11, 2016 at 05:48:06PM +, Salz, Rich via RT wrote:
> Previously we've changed return-types from void to int. If there's still
> time, that seems like the thing to do here.

With pthread_once and friends the pattern is to use void init functions, and as necessary check for success by examining the resulting state after the fact. The init function passed to pthread_once() is defined to take no arguments and return no results.

--
Viktor.
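Added example (not part of the original thread, and not OpenSSL code): the pattern described in the message above, with a void init routine whose outcome is read back from the resulting state, run against a simulated malloc() failure. The names test_malloc, table_new, DEFINE_ONCE_TABLE, cipher_tab and digest_tab are hypothetical, and the fault injector is constructed for the demonstration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault injector: the Nth allocation (1-based) returns NULL. */
static int inject_fail_at = 0, inject_calls = 0;

static void *test_malloc(size_t n)
{
    if (++inject_calls == inject_fail_at)
        return NULL;
    return malloc(n);
}

/* Hypothetical global state that needs two allocations to build. */
struct table { char *names; size_t cap; };

static struct table *table_new(void)
{
    struct table *t = test_malloc(sizeof(*t));

    if (t == NULL)
        return NULL;
    t->cap = 64;
    t->names = test_malloc(t->cap);
    if (t->names == NULL) {      /* second allocation failed: undo the first */
        free(t);
        return NULL;
    }
    memset(t->names, 0, t->cap);
    return t;
}

/*
 * One-time initialised global. The init routine is void, as pthread_once()
 * requires, so it records its outcome in name##_state: non-NULL only when
 * the object was fully built. name##_get() examines that state after the
 * fact and turns it into a return code instead of handing out NULL.
 */
#define DEFINE_ONCE_TABLE(name)                                          \
    static pthread_once_t name##_once = PTHREAD_ONCE_INIT;               \
    static struct table *name##_state;                                   \
    static void name##_init(void) { name##_state = table_new(); }        \
    int name##_get(struct table **out)                                   \
    {                                                                    \
        if (pthread_once(&name##_once, name##_init) != 0                 \
            || name##_state == NULL)                                     \
            return 0;           /* init ran (or could not) and failed */ \
        *out = name##_state;                                             \
        return 1;                                                        \
    }

DEFINE_ONCE_TABLE(cipher_tab)
DEFINE_ONCE_TABLE(digest_tab)

int main(void)
{
    struct table *t = NULL;

    inject_fail_at = 2;          /* fail the second allocation in table_new() */
    printf("cipher_tab first call:  %d\n", cipher_tab_get(&t));
    inject_fail_at = 0;          /* memory is "available" again */
    /* pthread_once() never re-runs the routine, so the failure is sticky. */
    printf("cipher_tab second call: %d\n", cipher_tab_get(&t));
    printf("digest_tab:             %d\n", digest_tab_get(&t));
    return 0;
}
```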
Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures
Previously we've changed return-types from void to int. If there's still time, that seems like the thing to do here.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4614
Please log in as guest with password guest if prompted
Re: [openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t
Hello,

In 1.0.1s OpenSSL disabled SSLv2 by default in the build. So use

    perl Configure no-asm enable-ssl2 -DOPENSSL_USE_IPV6=0 VC-WIN32

Excerpt from CHANGES "Changes between 1.0.1r and 1.0.1s [1 Mar 2016]"

“
Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. (CVE-2016-0800)
”

I highly advise you to stay clear of SSLv2 as it has numerous flaws.

You are receiving crashes because SSLv2_server_method() returns NULL and SSL_CTX_new() returns NULL because the input argument (the server method) is NULL. You should check the return value of SSL_CTX_new() no matter what because it can fail.

Kurt Cancemi
k...@x64architecture.com

> On Jul 11, 2016, at 08:10, Dmytro Shamatrin via RT wrote:
>
> Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with
> OpenSSL-1.0.1t
>
> After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on
> windows machine. After investigation I found that it started to happen after
> R version.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4612
[openssl-dev] [openssl.org #4614] pthread_once and malloc failures
Hi,

When trying to check what happens if we simulate malloc() returning NULL I'm running into a problem that I'm not sure how to deal with.

We have CRYPTO_THREAD_run_once(), which takes an init() function that returns void, so it can't return failures. At least the pthread_once() function also has it as void.

But if those functions call malloc() and that returns NULL, we now don't catch that error, and later just try to use a NULL pointer.

Anybody a good idea how to solve this?

Kurt
[openssl-dev] [openssl.org #4611] PKCS12_create() not thread-safe for ECDSA
ah, you're right, the lock in EC_KEY should be used. thanks.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4611
Re: [openssl-dev] [openssl.org #4602] Missing accessors
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote:
>
> Looking at the various places in the code where get_issuer
> and check_issued are accessed, they mostly use the context rather than
> the store. Here are the places I have found:
>
> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
>
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
>
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
>
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
>
> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
>
> https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997
>
> And the following one actually uses the store and not the context:
>
> https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448

I was using store.get_issuer() in OpenConnect too, because I need to manually build the trust chain to include it on the wire — because even today the server might *still* suffer RT#1942 and fail to trust our client cert unless we help it by providing the *right* chain.

I've worked around the lack of access to get_issuer() by doing a dummy call to X509_verify_cert(), throwing away its result and then hoping that we have something useful in store.chain (which we *can* still access). That seems to work but I'm not stunningly happy with it; if we can have an accessor I'd much rather go back to doing it the old way.

http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0
(in workaround_openssl_certchain_bug() in the hunk around line 1306)

--
dwmw2

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Re: [openssl-dev] [openssl.org #4602] Missing accessors
Fri 2016-07-08 at 06:08 +, Richard Levitte via RT wrote:
> On Thu Jul 07 21:29:09 2016, levitte wrote:
> > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > > /* Add to include/openssl/x509_vfy.h : */
> > >
> > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
> > > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
> > >
> > > void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx, X509_STORE_CTX_get_issuer get_issuer);
> > > X509_STORE_CTX_get_issuer X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
> > > void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx, X509_STORE_CTX_check_issued check_issued);
> > > X509_STORE_CTX_check_issued X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
> >
> > For this part, https://github.com/openssl/openssl/pull/1294
>
> So, looking at this again after some sleep, there's a part of this solution
> that I'm unsure of, and it all comes back to X509_STORE_CTX_init(), where the
> X509_STORE context gets initialised from the X509_STORE, including all the
> function pointers. This has me wonder if the X509_STORE_CTX setters should
> really be made available (perhaps with the exception of the verify and
> verify_cb ones). Doesn't it make more sense to set those function pointers when
> creating the X509_STORE itself? Why would those functions need to be changed in
> the context?
>
> Cheers,
> Richard
>
> --
> Richard Levitte
> levi...@openssl.org
>

Looking at the various places in the code where get_issuer and check_issued are accessed, they mostly use the context rather than the store. Here are the places I have found:

https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997

And the following one actually uses the store and not the context:

https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448

Mattias
[openssl-dev] Bug#829272: Info received (Fwd: [openssl.org #4602] Missing accessors)
Thank you for the additional information you have supplied regarding this Bug report.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian OpenSSL Team

If you wish to submit further information on this problem, please send it to 829...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish to report a problem with the Bug-tracking system.

--
829272: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829272
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Re: [openssl-dev] [openssl.org #4613] openssl RSA key: verify error 1.0.1t
Can you use a more recent version? 1.0.1 is end of life and only getting security fixes (and then only for the rest of the year).

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4613
[openssl-dev] [ARM] sha1_block_armv8 caller
Hi,

I see that there is a function named sha1_block_armv8 defined in crypto/sha/asm/sha1-armv8.pl, but I cannot find any function that calls it. Which function calls sha1_block_armv8?

Cata
[openssl-dev] [openssl.org #4602] Missing accessors
On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote:
> Fri 2016-07-08 at 00:42 +0200, Kurt Roeckx wrote:
> > Mattias,
> >
> > Can you explain why this is needed, what the code is trying to do?
> >
> >
> > Kurt
> >
>
> Hi!
>
> The modification of the extension flags happens in at least four
> different packages. The modification they do is to add the EXFLAG_PROXY
> bit to the flags.

Ok, I just had a look:

> https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692

This looks like an old workaround, and I wonder if it's really needed any more. If it's still needed, I'd say this may uncover a bug within OpenSSL, but in that case, I'd rather fix that in 1.1

> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
> https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740

I see what this code does, it makes a name constraint check that should have been present in OpenSSL but wasn't... until 1.1. However, there's other stuff in that function that looks odd..

> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
> https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719

This is the same code as the voms you pointed at above.

> https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

This is the same code as the globus-gsi-callback pointer above.

> I guess having a more restrictive accessor that only sets the
> EXFLAG_PROXY bit could work. I suggested the more general solution of
> having set/clear accessors for arbitrary flags since it was - well more
> general.

Mm, I'm really unsure about this one. ex_flags is part of a cache of information that OpenSSL fiddles with whenever it checks the extensions for a certificate. Calling anything that ends up calling X509_check_issued(), X509_check_ca() or X509_check_purpose() will cause values to be checked and cached for the certificates involved in the call of those functions. In the proxy certificate case, EXFLAG_PROXY will be set for a certificate any time the proxyCertInfo is found among its extensions.

To be blunt, I would much rather see a bug report that shows when that cache isn't being built properly, and possibly a fix for it.

Cheers,
Richard

--
Richard Levitte
levi...@openssl.org
[openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t
SSLv2 method returns NULL now. Listed in the CHANGES file. SSLv2 has been removed for security reasons. Do not use it. Also do not use such an old release. :)

Closing ticket.
[openssl-dev] [openssl.org #4613] openssl RSA key: verify error 1.0.1t
Dear

I was trying to install openssl 1.0.1t on AIX5.3, and it reported an error when running "make test". Below is the error test.

    CMS consistency test
    /usr/bin/perl cms-test.pl
    CMS => PKCS#7 compatibility tests
    signed content DER format, RSA key: verify error
    make: 1254-004 The error code from the last command is 1.
    Stop.
    make: 1254-004 The error code from the last command is 2.

Could you please help to confirm whether it's a BUG, or could you please give me some advice about this error.

Thanks very much.

--
Gao Wenchao 高文超
Phone:13731461987
Mail:gaochaochao...@126.com
[openssl-dev] [openssl.org #4612] Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t
Appcrash on SSL_CTX_new(SSLv2_server_method()) on windows 7 x64 with OpenSSL-1.0.1t

After upgrade from OpenSSL-1.0.1L version to 1.0.1t we got Appcrash on windows machine. After investigation I found that it started to happen after R version.

    /* The archive stripped the header names from the original #include
     * lines; these are the headers the calls below need. */
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/evp.h>

    int main()
    {
        unsigned int off = 0;
        SSL_CTX *sslctx;

        OpenSSL_add_all_algorithms();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        SSL_library_init();
        /* No NULL check here: this is the reproducer as reported. */
        sslctx = SSL_CTX_new(SSLv2_server_method());
        // Next line causes an issue
        SSL_CTX_set_options(sslctx, 0);
        return 0;
    }

I used the following command to compile this program:

    cl /I"." ost.c /link out32dll\ssleay32.lib out32dll\libeay32.lib

If you replace ssleay32.dll and libeay32.dll T with dlls from L version, everything will be working fine.

My OpenSSL compiled with VC6. To confirm that issue is not in the compiler, I've compiled openssl with VC10 and got the same issue.

I've configured OpenSSL and built OpenSSL with:

    perl Configure no-asm -DOPENSSL_USE_IPV6=0 VC-WIN32
    ms\do_ms
    nmake -f ms\ntdll.mak
    nmake -f ms\ntdll.mak test
    nmake -f ms\ntdll.mak install

We can't use x64 compiler, because we use perl, which was compiled many years ago with VC6 x86.

I also can provide my binaries, if required.

Thanks.
Re: [openssl-dev] [openssl.org #4602] Missing accessors
Fri 2016-07-08 at 00:42 +0200, Kurt Roeckx wrote:
> On Thu, Jul 07, 2016 at 09:40:24PM +, Richard Levitte via RT wrote:
> > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote:
> > > /* Add to include/openssl/x509v3.h */
> > >
> > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags);
> > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags);
> > >
> > >
> > > /* Add to crypto/x509v3/v3_purp.c */
> > >
> > > void X509_set_extension_flags(X509 *x, uint32_t ex_flags)
> > > {
> > >     x->ex_flags |= ex_flags;
> > > }
> > >
> > > void X509_clear_extension_flags(X509 *x, uint32_t ex_flags)
> > > {
> > >     x->ex_flags &= ~ex_flags;
> > > }
> >
> > This gives me the heebie jeebies. ex_flags is used a lot internally, and I
> > can't begin to imagine the consequences of letting external code manipulate
> > this. I understand that in some cases, it seems easy and quick, but...
> >
> > So, if someone else wants to have a go at this and can make something sensible,
> > please be my guest. Me, I'm backing off from this particular idea.
>
> Mattias,
>
> Can you explain why this is needed, what the code is trying to do?
>
>
> Kurt
>

Hi!

The modification of the extension flags happens in at least four different packages. The modification they do is to add the EXFLAG_PROXY bit to the flags.

https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L692
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1665
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1740
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1655
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1719
https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L184

I guess having a more restrictive accessor that only sets the EXFLAG_PROXY bit could work. I suggested the more general solution of having set/clear accessors for arbitrary flags since it was - well more general.

Mattias Ellert
Re: [openssl-dev] MGF1-OAEP with SHA2
On Sat, Jul 09, 2016 at 08:42:39PM +0200, c.hol...@ades.at wrote:
> Hi!
>
> I tried with Openssl 1.0.1t from current Debian testing.
> But I get
> undefined symbol: EVP_PKEY_CTX_set_rsa_oaep_md

1.0.1t is in stable, not testing.

1.0.1 doesn't have that function, 1.0.2 does.

Kurt