Opened 6 years ago

Closed 4 years ago

#197 closed Bug / Defect (fixed)

Avoid use of deprecated RSA_generate_key() function.

Reported by: Palatinux Owned by: syzzer
Priority: critical Milestone: release 2.4
Component: Crypto Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: openssl RSA_generate_key
Cc: andj, cron2, dazo


When Openssl 1.0.1 is compiled with 'configure -no-deprecated' OpenVPN produces this error during build:

''ssl.c:367:46: error: 'RSA_F4' undeclared (first use in this function)''

Deprecated RSA_generate_key() should also be replaced with the RSA_generate_key_ex() function.

Example: RSA_generate_key_ex(rsa, 4096, e, NULL)

Thank you,

The Fortress Linux Security Team.

Change History (9)

comment:1 Changed 5 years ago by dazo

  • Cc andj added
  • Keywords openssl added; RSA_F4 removed
  • Milestone set to release 2.3
  • Owner set to andj
  • Priority changed from blocker to critical
  • Severity changed from Patch Queue: Awaiting updated patch to Not set (if unsure, select this one)
  • Status changed from new to assigned

comment:2 Changed 5 years ago by cron2

shall we fix this in 2.3.1? I have no idea what this is about, but we should at least decide something

comment:3 Changed 5 years ago by cron2

  • Cc cron2 dazo added

comment:4 Changed 5 years ago by plaisthos

FYI the android version of openssl is also build with --no-depracted has uses a compat/rsa-generate.c to include the old function to build.

comment:5 Changed 5 years ago by samuli

If I understood this correctly, Fortresslinux OpenSSL packages have been compiled without support for deprecated (=compatibility) functions. In our case, one such function is RSA_generate_key(), and we should switch to RSA_generate_key_ex() instead. The deprecated function is called in src/openvpn/ssl_openssl.c.

Switching to the non-deprecated (_ex) function should be safe, as it's included in OpenSSL 0.9.8 and later.

comment:6 Changed 4 years ago by samuli

  • Milestone changed from release 2.3 to release 2.4

I think we should fix this in 2.4 at latest, or even in the next 2.3 release.

comment:7 Changed 4 years ago by cron2

does syzzer have a trac account? might be better to give the ticket to him than andj

comment:8 Changed 4 years ago by cron2

  • Owner changed from andj to syzzer

comment:9 Changed 4 years ago by cron2

  • Resolution set to fixed
  • Status changed from assigned to closed


For 2.3, this has been changed to RSA_generate_key_ex(), and for 2.4, the whole code path is gone as it would only be used for weak ciphers that we don't want in the first place.

Note: See TracTickets for help on using tickets.