Opened 5 years ago
Closed 4 years ago
#197 closed Bug / Defect (fixed)
Avoid use of deprecated RSA_generate_key() function.
| Reported by: | Palatinux | Owned by: | syzzer |
|---|---|---|---|
| Priority: | critical | Milestone: | release 2.4 |
| Component: | Crypto | Version: | 2.2.2 |
| Severity: | Not set (if unsure, select this one) | Keywords: | openssl RSA_generate_key |
| Cc: | andj, cron2, dazo |
Description
When Openssl 1.0.1 is compiled with 'configure -no-deprecated' OpenVPN produces this error during build:
''ssl.c:367:46: error: 'RSA_F4' undeclared (first use in this function)''
Deprecated RSA_generate_key() should also be replaced with the RSA_generate_key_ex() function.
Example: RSA_generate_key_ex(rsa, 4096, e, NULL)
Thank you,
The Fortress Linux Security Team.
http://www.fortresslinux.org
Change History (9)
comment:1 Changed 5 years ago by dazo
- Cc andj added
- Keywords openssl added; RSA_F4 removed
- Milestone set to release 2.3
- Owner set to andj
- Priority changed from blocker to critical
- Severity changed from Patch Queue: Awaiting updated patch to Not set (if unsure, select this one)
- Status changed from new to assigned
comment:2 Changed 4 years ago by cron2
comment:3 Changed 4 years ago by cron2
- Cc cron2 dazo added
comment:4 Changed 4 years ago by plaisthos
FYI the android version of openssl is also build with --no-depracted has uses a compat/rsa-generate.c to include the old function to build.
comment:5 Changed 4 years ago by samuli
If I understood this correctly, Fortresslinux OpenSSL packages have been compiled without support for deprecated (=compatibility) functions. In our case, one such function is RSA_generate_key(), and we should switch to RSA_generate_key_ex() instead. The deprecated function is called in src/openvpn/ssl_openssl.c.
Switching to the non-deprecated (_ex) function should be safe, as it's included in OpenSSL 0.9.8 and later.
comment:6 Changed 4 years ago by samuli
- Milestone changed from release 2.3 to release 2.4
I think we should fix this in 2.4 at latest, or even in the next 2.3 release.
comment:7 Changed 4 years ago by cron2
does syzzer have a trac account? might be better to give the ticket to him than andj
comment:8 Changed 4 years ago by cron2
- Owner changed from andj to syzzer
comment:9 Changed 4 years ago by cron2
- Resolution set to fixed
- Status changed from assigned to closed
Zap!
For 2.3, this has been changed to RSA_generate_key_ex(), and for 2.4, the whole code path is gone as it would only be used for weak ciphers that we don't want in the first place.
shall we fix this in 2.3.1? I have no idea what this is about, but we should at least decide something