Re: [PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function

Maxim Dounin
July 06, 2014 09:14PM
Hello!

On Sun, Jul 06, 2014 at 04:50:50PM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr@cloudflare.com>
> # Date 1404690074 25200
> # Sun Jul 06 16:41:14 2014 -0700
> # Node ID e015093a00f2d8ebdbcdd8adcb16d87b291765f8
> # Parent 2ca8a17cedfd35da799b258d5d17427d7bee62b2
> SSL: stop using deprecated RSA_generate_key() function.
>
> Fixes build with -DOPENSSL_NO_DEPRECATED.
>
> Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
>
> diff -r 2ca8a17cedfd -r e015093a00f2 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Sun Jul 06 16:41:13 2014 -0700
> +++ b/src/event/ngx_event_openssl.c Sun Jul 06 16:41:14 2014 -0700
> @@ -650,6 +650,10 @@ RSA *
> ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
> int key_length)
> {
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> + RSA *rsa;
> + BIGNUM *e;
> +#endif
> static RSA *key;
>
> if (key_length != 512) {
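
Review bot: the `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` guard around the `rsa` and `e` declarations at the top of ngx_ssl_rsa512_key_callback() has to stay in step with the identical guard the patch adds around the key generation code in the next hunk; if the two ever drift, one configuration ends up with undeclared or unused variables. Consider testing a single feature macro defined once in both places, with a comment naming the OpenSSL release the constant stands for.
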
> @@ -657,7 +661,42 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
> }
>
> if (key == NULL) {
> +
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> +
> + rsa = RSA_new();
> + if (rsa == NULL) {
> + return NULL;
> + }
> +
> + e = BN_new();
> + if (e == NULL) {
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + if (BN_set_word(e, RSA_F4) == 0) {
> + BN_free(e);
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + if (RSA_generate_key_ex(rsa, 512, e, NULL) == 0) {
> + BN_free(e);
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + BN_free(e);
> +
> + key = rsa;
> +
> +#else
> +
> key = RSA_generate_key(512, RSA_F4, NULL, NULL);
> +
> +#endif
> +
> }
>
> return key;
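
Review bot: the failure branches in the new `#if` block repeat the same cleanup, with `BN_free(e); RSA_free(rsa); return NULL;` written out after both BN_set_word() and RSA_generate_key_ex(), and `RSA_free(rsa)` once more after BN_new(). A single failure label that frees both objects would shrink the added code considerably and make it harder to miss a free if the sequence changes. Assigning `key = rsa` only after RSA_generate_key_ex() succeeds is right, since it keeps a partially initialised RSA object out of the static `key`, but none of the failure paths logs anything, so the caller cannot tell which step failed.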

I can't say I like this change - it introduces lots of code for no
real reason.

And I don't think we should follow some arbitrarily set
"deprecated" flag introduced for unknown reasons years ago and
still undocumented in the latest release (much like the
replacement function). Moreover, the RSA_generate_key() is still
used in OpenSSL's own codebase, as well as in multiple demos and
man pages.

--
Maxim Dounin
http://nginx.org/
