Opened 9 years ago
Closed 7 years ago
#197 closed Bug / Defect (fixed)
Avoid use of deprecated RSA_generate_key() function.
| Reported by: | Palatinux | Owned by: | Steffan Karger |
|---|---|---|---|
| Priority: | critical | Milestone: | release 2.4 |
| Component: | Crypto | Version: | OpenVPN 2.2.2 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | openssl RSA_generate_key |
| Cc: | andj, Gert Döring, David Sommerseth |
Description
When Openssl 1.0.1 is compiled with 'configure -no-deprecated' OpenVPN produces this error during build:
''ssl.c:367:46: error: 'RSA_F4' undeclared (first use in this function)''
Deprecated RSA_generate_key() should also be replaced with the RSA_generate_key_ex() function.
Example: RSA_generate_key_ex(rsa, 4096, e, NULL)
Thank you,
The Fortress Linux Security Team.
http://www.fortresslinux.org
Change History (9)
comment:1 Changed 8 years ago by
| Cc: | andj added |
|---|---|
| Keywords: | openssl added; RSA_F4 removed |
| Milestone: | → release 2.3 |
| Owner: | set to andj |
| Priority: | blocker → critical |
| Severity: | Patch Queue: Awaiting updated patch → Not set (if unsure, select this one) |
| Status: | new → assigned |
comment:2 Changed 8 years ago by
comment:3 Changed 8 years ago by
| Cc: | Gert Döring David Sommerseth added |
|---|
comment:4 Changed 8 years ago by
FYI the android version of openssl is also build with --no-depracted has uses a compat/rsa-generate.c to include the old function to build.
comment:5 Changed 8 years ago by
If I understood this correctly, Fortresslinux OpenSSL packages have been compiled without support for deprecated (=compatibility) functions. In our case, one such function is RSA_generate_key(), and we should switch to RSA_generate_key_ex() instead. The deprecated function is called in src/openvpn/ssl_openssl.c.
Switching to the non-deprecated (_ex) function should be safe, as it's included in OpenSSL 0.9.8 and later.
comment:6 Changed 7 years ago by
| Milestone: | release 2.3 → release 2.4 |
|---|
I think we should fix this in 2.4 at latest, or even in the next 2.3 release.
comment:7 Changed 7 years ago by
does syzzer have a trac account? might be better to give the ticket to him than andj
comment:8 Changed 7 years ago by
| Owner: | changed from andj to Steffan Karger |
|---|
comment:9 Changed 7 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Zap!
For 2.3, this has been changed to RSA_generate_key_ex(), and for 2.4, the whole code path is gone as it would only be used for weak ciphers that we don't want in the first place.
shall we fix this in 2.3.1? I have no idea what this is about, but we should at least decide something