[openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

Salz, Rich via RT rt at openssl.org
Tue Apr 26 15:21:25 UTC 2016


> I can live with it.
> The only solution without some type of change was :
> 
>      RSA_set0_key(rsa, n, e, NULL);
>      /* other stuff done, such as calculating d */
>      n_new = BN_dup(n);
>      e_new = BN_dup(e);
>      RSA_set0_key(rsa, n_new, e_new, d);
> 
> It is really gross, and is not intuitive.

Do the dup calls before the RSA_set0_key call.  Once that function returns, you have lost all rights to use n and e :)  Or perhaps do this:
	RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);

> Since you all appear to not want to support individual calls to set0 and get0
> for each BIGNUM, a developer of other code is faced with a major rewrite of
> existing code just to work with OpenSSL-1.1.0-pre5.

I understand your frustration about having to change code.  But I think major rewrite is a bit of an overstatement.

> [S]o to maintain a code base that can be compiled with OpenSSL version
> 0.9.7 through 1.1.0 with only a few #if OPENSSL_VERSION_NUMBER we are
> taking an approach to convert the code to the 1.1.0 API and create defines
> and macros for the older versions of OpenSSL in a header file The
> introduction of these *_get0_* *_set0_* have complicated the process even
> more, requiring us to inline versions of them for the older versions of
> OpenSSL.

We would love to see such a compatibility "get ready for 1.1" facility, and if there were a git repo we could point to, we would gladly do so.

"Our code builds with every version of OpenSSL for the past 20 years" is kind of a neat thing to say, but outside of bragging rights, I'm not sure it's worth the effort.  But it's your code, not ours, so do what you want :)


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4518
Please log in as guest with password guest if prompted



More information about the openssl-dev mailing list