Use RSA_generate_key_ex instead of deprecated RSA_generate_key

* Make use of RSA_generate_key_ex(). openssl 0.9.8 deprecated RSA_generate_key (see https://www.openssl.org/docs/man1.1.1/man3/RSA_generate_key.html) openssl 1.1.0 it is not possible anymore to generate the BN_GENCB structure directly (see https://www.openssl.org/docs/man1.1.1/man3/BN_GENCB_new.html) * RSA_generate_kex_ex(): add check for libreSSL see: #100 (comment) * SSLeay.xs: add error handling for RSA_new, BN_new and BN_GENCB calls. * Free more before calling croak.
radiator-software · Nov 21, 2018 · 178e646 · 178e646
1 parent 20ecb22
commit 178e646
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 8 deletions.
diff --git a/Changes b/Changes
@@ -1,5 +1,11 @@
 Revision history for Perl extension Net::SSLeay.
 
+??????? 2018-??-??
+ - Net::SSLeay::RSA_generate_key() now prefers using
+ RSA_generate_key_ex. This avois deprecated RSA_generate_key
+ and allows removing the only Android specific code in
+ SSLeay.xs. Fixes RT#127593. Thanks to Rouven Weiler.
+
 1.86_06 2018-09-29
  - Net::SSLeay::read() and SSL_peek() now check SSL_get_error()
  for SSL_ERROR_ZERO_RETURN for return values <= 0 to make

diff --git a/SSLeay.xs b/SSLeay.xs
@@ -5744,7 +5744,7 @@ SSL_set_tmp_rsa(ssl,rsa)
 
 #endif
 
-#ifdef __ANDROID__
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
 
 RSA *
 RSA_generate_key(bits,ee,perl_cb=&PL_sv_undef,perl_data=&PL_sv_undef)
@@ -5755,24 +5755,50 @@ RSA_generate_key(bits,ee,perl_cb=&PL_sv_undef,perl_data=&PL_sv_undef)
  PREINIT:
  simple_cb_data_t* cb_data = NULL;
  CODE:
- /* Android does not have RSA_generate_key. This equivalent is contributed by Brian Fraser for Android */
- /* but is not portable to old OpenSSLs where RSA_generate_key_ex is not available */
+ /* openssl 0.9.8 deprecated RSA_generate_key. */
+ /* This equivalent was contributed by Brian Fraser for Android, */
+ /* but was not portable to old OpenSSLs where RSA_generate_key_ex is not available. */
+ /* It should now be more versatile. */
+ /* as of openssl 1.1.0 it is not possible anymore to generate the BN_GENCB structure directly. */
+ /* instead BN_EGNCB_new() has to be used. */
  int rc;
  RSA * ret;
  BIGNUM *e;
  e = BN_new();
+ if(!e)
+ croak("Net::SSLeay: RSA_generate_key perl function could not create BN structure.\n");
  BN_set_word(e, ee);
  cb_data = simple_cb_data_new(perl_cb, perl_data);
- BN_GENCB new_cb;
- BN_GENCB_set_old(&new_cb, ssleay_RSA_generate_key_cb_invoke, cb_data);
 
  ret = RSA_new();
+ if(!ret) {
+ simple_cb_data_free(cb_data);
+ BN_free(e);
+ croak("Net::SSLeay: RSA_generate_key perl function could not create RSA structure.\n");
+ }
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
+ BN_GENCB *new_cb;
+ new_cb = BN_GENCB_new();
+ if(!new_cb) {
+ simple_cb_data_free(cb_data);
+ BN_free(e);
+ RSA_free(ret);
+ croak("Net::SSLeay: RSA_generate_key perl function could not create BN_GENCB structure.\n");
+ }
+ BN_GENCB_set_old(new_cb, ssleay_RSA_generate_key_cb_invoke, cb_data);
+ rc = RSA_generate_key_ex(ret, bits, e, new_cb);
+ BN_GENCB_free(new_cb);
+#else
+ BN_GENCB new_cb;
+ BN_GENCB_set_old(&new_cb, ssleay_RSA_generate_key_cb_invoke, cb_data);
  rc = RSA_generate_key_ex(ret, bits, e, &new_cb);
-
- if (rc == -1 || ret == NULL)
- croak("Couldn't generate RSA key");
+#endif
  simple_cb_data_free(cb_data);
  BN_free(e);
+ if (rc == -1 || ret == NULL) {
+ if (ret) RSA_free(ret);
+ croak("Net::SSLeay: Couldn't generate RSA key");
+ }
  e = NULL;
  RETVAL = ret;
  OUTPUT: