[PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function

Maxim Dounin mdounin at mdounin.ru
Mon Jul 7 01:13:15 UTC 2014


Hello!

On Sun, Jul 06, 2014 at 04:50:50PM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1404690074 25200
> #      Sun Jul 06 16:41:14 2014 -0700
> # Node ID e015093a00f2d8ebdbcdd8adcb16d87b291765f8
> # Parent  2ca8a17cedfd35da799b258d5d17427d7bee62b2
> SSL: stop using deprecated RSA_generate_key() function.
> 
> Fixes build with -DOPENSSL_NO_DEPRECATED.
> 
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
> 
> diff -r 2ca8a17cedfd -r e015093a00f2 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c	Sun Jul 06 16:41:13 2014 -0700
> +++ b/src/event/ngx_event_openssl.c	Sun Jul 06 16:41:14 2014 -0700
> @@ -650,6 +650,10 @@ RSA *
>  ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
>      int key_length)
>  {
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> +    RSA         *rsa;
> +    BIGNUM      *e;
> +#endif
>      static RSA  *key;
>  
>      if (key_length != 512) {
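Review bot: the cut-off value in `#if OPENSSL_VERSION_NUMBER >= 0x0090800fL` is not explained anywhere in the hunk, and the same guard is repeated around the generation code further down, so a reader has to work out which OpenSSL release the constant stands for and why RSA_generate_key_ex() is only usable from that release on. A one-line comment next to the guard naming the release and the reason would make the pair of guards easy to check against each other and to retire later; alternatively the locals `rsa` and `e` could be declared inside the `if (key == NULL)` block so that only one guard is needed.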
> @@ -657,7 +661,42 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
>      }
>  
>      if (key == NULL) {
> +
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> +
> +        rsa = RSA_new();
> +        if (rsa == NULL) {
> +            return NULL;
> +        }
> +
> +        e = BN_new();
> +        if (e == NULL) {
> +            RSA_free(rsa);
> +            return NULL;
> +        }
> +
> +        if (BN_set_word(e, RSA_F4) == 0) {
> +            BN_free(e);
> +            RSA_free(rsa);
> +            return NULL;
> +        }
> +
> +        if (RSA_generate_key_ex(rsa, 512, e, NULL) == 0) {
> +            BN_free(e);
> +            RSA_free(rsa);
> +            return NULL;
> +        }
> +
> +        BN_free(e);
> +
> +        key = rsa;
> +
> +#else
> +
>          key = RSA_generate_key(512, RSA_F4, NULL, NULL);
> +
> +#endif
> +
>      }
>  
>      return key;
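Review bot: the four failure paths (RSA_new(), BN_new(), BN_set_word() and RSA_generate_key_ex()) all `return NULL;` without recording anything, so if 512-bit key generation fails in the callback there is no log entry to diagnose it; consider logging the OpenSSL error before returning. The repeated `BN_free(e); RSA_free(rsa); return NULL;` sequence could also be collapsed into a single cleanup path to keep the function short. Note that the hunk still generates a 512-bit key, as required by the existing `key_length != 512` check, so this is purely a build fix for -DOPENSSL_NO_DEPRECATED and does not change the strength of the export key.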

I can't say I like this change - it introduces lots of code for no 
real reason.

And I don't think we should follow some arbitrarily set 
"deprecated" flag introduced for unknown reasons years ago and 
still undocumented in the latest release (much like the 
replacement function).  Moreover, RSA_generate_key() is still 
used in OpenSSL's own codebase, as well as in multiple demos and 
man pages.

-- 
Maxim Dounin
http://nginx.org/
