Opened 6 years ago

Closed 4 years ago

#197 closed Bug / Defect (fixed)

Avoid use of deprecated RSA_generate_key() function.

Reported by: Palatinux
Owned by: Steffan Karger
Priority: critical
Milestone: release 2.4
Component: Crypto
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: openssl RSA_generate_key
Cc: andj, Gert Döring, David Sommerseth

Description

When OpenSSL 1.0.1 is compiled with 'configure -no-deprecated', OpenVPN produces this error during build:

ssl.c:367:46: error: 'RSA_F4' undeclared (first use in this function)

Deprecated RSA_generate_key() should also be replaced with the RSA_generate_key_ex() function.

Example: RSA_generate_key_ex(rsa, 4096, e, NULL)

Thank you,

The Fortress Linux Security Team.
http://www.fortresslinux.org

Change History (9)

comment:1 Changed 6 years ago by David Sommerseth

Cc: andj added
Keywords: openssl added; RSA_F4 removed
Milestone: release 2.3
Owner: set to andj
Priority: blocker → critical
Severity: Patch Queue: Awaiting updated patch → Not set (if unsure, select this one)
Status: new → assigned

comment:2 Changed 5 years ago by Gert Döring

shall we fix this in 2.3.1? I have no idea what this is about, but we should at least decide something

comment:3 Changed 5 years ago by Gert Döring

Cc: Gert Döring David Sommerseth added

comment:4 Changed 5 years ago by plaisthos

FYI, the Android version of OpenSSL is also built with --no-deprecated and uses a compat/rsa-generate.c to include the old function in order to build.

comment:5 Changed 5 years ago by Samuli Seppänen

If I understood this correctly, Fortresslinux OpenSSL packages have been compiled without support for deprecated (=compatibility) functions. In our case, one such function is RSA_generate_key(), and we should switch to RSA_generate_key_ex() instead. The deprecated function is called in src/openvpn/ssl_openssl.c.

Switching to the non-deprecated (_ex) function should be safe, as it's included in OpenSSL 0.9.8 and later.

comment:6 Changed 4 years ago by Samuli Seppänen

Milestone: release 2.3 → release 2.4

I think we should fix this in 2.4 at latest, or even in the next 2.3 release.

comment:7 Changed 4 years ago by Gert Döring

does syzzer have a trac account? might be better to give the ticket to him than andj

comment:8 Changed 4 years ago by Gert Döring

Owner: changed from andj to Steffan Karger

comment:9 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: assigned → closed

Zap!

For 2.3, this has been changed to RSA_generate_key_ex(), and for 2.4, the whole code path is gone as it would only be used for weak ciphers that we don't want in the first place.
