[PATCH 3 of 4] SSL: stop using deprecated RSA_generate_key() function
Maxim Dounin
mdounin at mdounin.ru
Mon Jul 7 01:13:15 UTC 2014
Hello!
On Sun, Jul 06, 2014 at 04:50:50PM -0700, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1404690074 25200
> # Sun Jul 06 16:41:14 2014 -0700
> # Node ID e015093a00f2d8ebdbcdd8adcb16d87b291765f8
> # Parent 2ca8a17cedfd35da799b258d5d17427d7bee62b2
> SSL: stop using deprecated RSA_generate_key() function.
>
> Fixes build with -DOPENSSL_NO_DEPRECATED.
>
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
>
> diff -r 2ca8a17cedfd -r e015093a00f2 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Sun Jul 06 16:41:13 2014 -0700
> +++ b/src/event/ngx_event_openssl.c Sun Jul 06 16:41:14 2014 -0700
> @@ -650,6 +650,10 @@ RSA *
> ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
> int key_length)
> {
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> + RSA *rsa;
> + BIGNUM *e;
> +#endif
> static RSA *key;
>
> if (key_length != 512) {
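Review bot: the version guard `OPENSSL_VERSION_NUMBER >= 0x0090800fL` is introduced here for the declarations of `rsa` and `e` and repeated verbatim in the body of the function below; consider a single named feature check so the two conditions cannot drift apart, and state in the commit message why that particular version number was chosen, since the message only says the change fixes `-DOPENSSL_NO_DEPRECATED` builds and does not explain the threshold.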
> @@ -657,7 +661,42 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
> }
>
> if (key == NULL) {
> +
> +#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
> +
> + rsa = RSA_new();
> + if (rsa == NULL) {
> + return NULL;
> + }
> +
> + e = BN_new();
> + if (e == NULL) {
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + if (BN_set_word(e, RSA_F4) == 0) {
> + BN_free(e);
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + if (RSA_generate_key_ex(rsa, 512, e, NULL) == 0) {
> + BN_free(e);
> + RSA_free(rsa);
> + return NULL;
> + }
> +
> + BN_free(e);
> +
> + key = rsa;
> +
> +#else
> +
> key = RSA_generate_key(512, RSA_F4, NULL, NULL);
> +
> +#endif
> +
> }
>
> return key;
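Review bot: the three error paths after `e = BN_new()` each repeat the same `BN_free(e); RSA_free(rsa); return NULL;` cleanup, and the success path frees `e` a fourth time; a single cleanup after the `RSA_generate_key_ex()` call (free `e` unconditionally, then free `rsa` and return NULL only on failure) would shrink the hunk and lower the chance of a missed free when this is edited again. The checks themselves look right: `BN_set_word()` and `RSA_generate_key_ex()` are tested against 0, which is their failure return, and the `#else` branch keeps the original `RSA_generate_key(512, RSA_F4, NULL, NULL)` call, so behaviour on older OpenSSL is unchanged and the generated key is still cached in the static `key` in both branches.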
I can't say I like this change - it introduces lots of code for no
real reason.
And I don't think we should follow some arbitrarily set
"deprecated" flag introduced for unknown reasons years ago and
still undocumented in the latest release (much like the
replacement function). Moreover, RSA_generate_key() is still
used in OpenSSL's own codebase, as well as in multiple demos and
man pages.
--
Maxim Dounin
http://nginx.org/