Revision history for Perl extension Crypt::OpenSSL::RSA.
0.41 Apr 24 2026
[Bug Fixes]
- PR #181: Skip OpenSSL 3.x-specific tests on LibreSSL. LibreSSL
reports version >= 3.0 via Crypt::OpenSSL::Guess's openssl_version()
but internally uses the pre-3.x code path
(OPENSSL_VERSION_NUMBER < 0x30000000L), causing two CPAN Testers
failures on OpenBSD: t/padding.t (use_sslv23_padding is still a
valid XS function on LibreSSL because RSA_SSLV23_PADDING exists)
and t/pkcs1_sign.t (RSA_verify on pre-3.x/LibreSSL ignores the
padding mode, so cross-padding verification succeeds). LibreSSL
is now detected by parsing `openssl version` output for the
"LibreSSL" string, using find_openssl_exec(find_openssl_prefix())
from Crypt::OpenSSL::Guess to locate the correct binary. The
earlier approach of detecting LibreSSL via an undefined patch
level was not reliable.
0.39 Apr 23 2026
[Bug Fixes]
- PR #171 GH #170: Fix macOS compile warnings. The OLD_CRUFTY_SSL_VERSION
macro used defined() inside a #define (undefined behavior when expanded
in #if directives); split into #ifdef/#else branches. Also cast
SvPV_nolen() result to UNSIGNED_CHAR* to silence the pointer-sign
mismatch in _load_rsa_key().
- PR #173: Reject non-RSA keys (EC, DSA, etc.) in _new_public_key_x509_der()
on OpenSSL 3.x. d2i_PUBKEY_bio() accepts any key type, unlike pre-3.x
d2i_RSA_PUBKEY_bio(); without validation a non-RSA DER key would be
stored in the rsaData struct and produce confusing failures later.
- PR #177: Check padding compatibility before message length in
private_encrypt() and public_decrypt(). Previously, calling these with
the default OAEP padding (or PSS) produced a misleading "plaintext too
long" error that hid the real issue (OAEP/PSS are fundamentally
incompatible with private_encrypt/public_decrypt). The clear
"OAEP/PSS padding is not supported" error is now emitted regardless of
data size, and the rejection extends to pre-3.x OpenSSL (previously
only checked on 3.x inside rsa_crypt()).
- PR #178: Validate key size in generate_key() before calling OpenSSL.
Reject negative, zero, and sub-512-bit key sizes with a clear croak
instead of letting OpenSSL produce cryptic errors or hang.
- PR #179 GH #174: Restore the lost configure_requires prereq on
Crypt::OpenSSL::Guess in Makefile.PL.
- PR #179 GH #175: Fix failing test 'Padding method pkcs1_pss is valid
for signing with ripemd160'.
[Improvements]
- PR #180: Add optional passphrase argument to new_private_key_der(),
enabling decryption of encrypted PKCS#8 DER (EncryptedPrivateKeyInfo)
private keys. On OpenSSL 3.x the passphrase is passed to the existing
OSSL_DECODER_CTX; on pre-3.x a d2i_PKCS8PrivateKey_bio() helper is
used. Previously only PEM-encoded keys supported a passphrase.
[Maintenance]
- PR #172: Fix 'passphase' -> 'passphrase' typo throughout the codebase
(RSA.xs internal names, RSA.pm POD for get_private_key_string, and the
test variable in t/format.t). The typo dates to the original 0.33
passphrase support. No functional change -- all renames are internal.
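The following script is an added example, not code from the Crypt::OpenSSL::RSA distribution or its test suite. It exercises the behaviours described in the 0.39 and 0.38 entries above: the up-front key size validation in generate_key() (PR #178), the OAEP-only encrypt/decrypt path (PR #168), PSS sign/verify (0.36, PR #103), and the padding check in private_encrypt() that now fires before the message length check (PR #177). It assumes a Crypt::OpenSSL::RSA of version 0.39 or later is installed; the exact croak text is printed rather than matched, since only its general wording ("OAEP/PSS padding is not supported") is given on this page.

```perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# PR #178: negative, zero and sub-512-bit sizes are rejected with a croak
# before OpenSSL is ever called. Assumption: module version >= 0.39.
for my $bits (-1, 0, 256) {
    my $ok = eval { Crypt::OpenSSL::RSA->generate_key($bits); 1 };
    print "generate_key($bits): ",
        ($ok ? "accepted (unexpected)\n" : "rejected: $@");
}

# A 2048-bit key is the realistic minimum for new deployments.
my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);

# Encrypt/decrypt: OAEP is the default and, since 0.35, the only padding the
# module accepts for encrypt()/decrypt(); PKCS#1 v1.5 stays disabled here.
$rsa->use_pkcs1_oaep_padding;
my $plaintext  = "constructed sample plaintext";
my $ciphertext = $rsa->encrypt($plaintext);
print "OAEP round trip: ",
    ($rsa->decrypt($ciphertext) eq $plaintext ? "ok\n" : "MISMATCH\n");

# PR #177: private_encrypt()/public_decrypt() cannot use OAEP (or PSS). The
# rejection is now about the padding mode, not the data size, so even a
# one-byte input produces the padding error rather than "plaintext too long".
my $ok = eval { $rsa->private_encrypt("x"); 1 };
print "private_encrypt with OAEP: ",
    ($ok ? "succeeded (unexpected)\n" : "rejected: $@");

# Sign/verify: PSS with SHA-256. The sign/verify padding is tracked
# separately from the encrypt padding (PR #133), so this does not disturb
# the OAEP setting above.
$rsa->use_sha256_hash;
$rsa->use_pkcs1_pss_padding;
my $message   = "constructed sample message";
my $signature = $rsa->sign($message);
print "PSS verify: ", ($rsa->verify($message, $signature) ? "ok\n" : "FAILED\n");

# Tampered input must fail verification; verify() returns false rather than
# croaking, and leaves the OpenSSL error queue clean (0.32 entry).
print "PSS verify of tampered message: ",
    ($rsa->verify("$message!", $signature) ? "ACCEPTED (bad)\n" : "rejected\n");
```

Run it with a plain `perl` invocation; each check prints whether the module behaved as the changelog describes, and any deviation (an accepted 256-bit key, or a "plaintext too long" message from private_encrypt) points at an older module version.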
0.38 Apr 23 2026
[Bug Fixes]
- PR #103 GH #61: Re-enable PKCS#1 v1.5 padding for sign()/verify(). It
was incorrectly disabled in 0.35; the Marvin attack only affects
decryption, not signatures.
- PR #168: Fix croak message to reference use_pkcs1_oaep_padding() (not
use_pkcs1_padding()) when non-OAEP padding is used for encrypt/decrypt.
- PR #165: Fix OAEP overhead calculation that was hardcoded for SHA-1;
correct overhead is now computed per the configured hash algorithm.
- PR #141: Reject non-RSA keys (EC, DSA, RSA-PSS) loaded via
_load_rsa_key() on OpenSSL 3.x with a clear error instead of a
confusing failure later.
- PR #118: Fix private_encrypt() and public_decrypt() broken on OpenSSL
3.x with any padding except NO_PADDING; rsa_crypt() now distinguishes
encrypt vs. sign paths.
- PR #142: Free signature buffer on RSA_sign() failure on pre-3.x.
- PR #164 GH #152: Drain OpenSSL error queue after _get_key_parameters()
on OpenSSL 3.x so a failed optional-param lookup does not pollute the
error queue for subsequent operations.
- PR #161 GH #152: Cache is_private_key flag in rsaData struct to avoid a
per-call BIGNUM heap allocation on OpenSSL 3.x.
- PR #159 GH #155: Check return values of EVP_PKEY_get_bn_param() in
_get_key_parameters(); a failed mandatory param (n or e) now croaks
instead of silently returning undef.
- PR #160 GH #156: Use THROW macro for make_rsa_obj() result in
_new_key_from_parameters() to prevent resource leak on a NULL return.
- PR #158 GH #154: Extract setup_pss_sign_ctx() helper to deduplicate
PSS context setup in sign() and verify(); the two paths could previously
diverge silently.
- PR #157 GH #153: Eliminate duplicate NID-to-name table in
get_message_digest(); fixes whirlpool on OpenSSL 3.x where the old
low-level WHIRLPOOL() API path was being used instead of EVP_MD_fetch().
- PR #145: Fix BIO resource leak in extractBioString() error paths.
- PR #143: Validate that a private key is present before attempting export
in get_private_key_string().
- PR #140: NULL out BIGNUMs after freeing them in _new_key_from_parameters()
to prevent a double-free when make_rsa_obj() fails after they are freed.
- PR #137: Use BN_clear_free() (instead of BN_free()) for private key
BIGNUMs in _get_key_parameters() to scrub sensitive material.
- PR #136: Remove static buffer in get_message_digest() that caused
thread-safety problems under Perl ithreads.
- PR #134: Add Perl-level stub for use_sslv23_padding() on OpenSSL 3.x
where the underlying RSA_SSLV23_PADDING constant was removed.
- PR #133: Fix PSS MGF1 setup to inspect the correct padding fields
(sign_pad/verify_pad) instead of p_rsa->padding, preventing wrong
MGF1 hash on auto-promoted PSS operations.
- PR #120: Check PEM_write_bio_* return values in key export functions
so failures are reported rather than silently ignored.
- PR #119: Migrate SHA* digest calls to EVP_Q_digest() on OpenSSL 3.x,
replacing deprecated low-level SHA*() functions.
- PR #109: Drain the full OpenSSL error queue in croakSsl() and report
the last (most specific) error rather than the oldest one.
- PR #104: Guard croakSsl() against a NULL error string from
ERR_reason_error_string() to prevent a NULL-deref croak.
- PR #76: Do not include whrlpool.h when whirlpool support is disabled.
- Memory leak fixes across OpenSSL 3.x code paths (PR #75, PR #77, PR #78,
PR #79, PR #80, PR #81, PR #83, PR #87, PR #90, PR #99, PR #101, PR #108,
PR #112, PR #114, PR #127, PR #128, PR #129, PR #131): plugged leaks in
generate_key(), sign(), verify(), rsa_crypt(), check_key(),
get_public_key_string(), _new_key_from_parameters(), and
_get_key_parameters() across success and error paths.
[Improvements]
- PR #169: Make Crypt::OpenSSL::Bignum a hard runtime requirement (moved
from recommended to required in Makefile.PL and added hard import in
RSA.pm); it was already required in practice for get_key_parameters().
- PR #126: new_public_key() now accepts DER-encoded public keys in addition
to PEM; format is detected automatically via ASN.1 OID inspection.
- PR #124: Add get_private_key_pkcs8_string() to export private keys in
PKCS#8 PEM format.
- PR #110: Add get_public_key_pkcs1_string() as an alias for
get_public_key_string() for API symmetry with the X.509/PKCS#1 naming.
- PR #111: Add optional check=>1 parameter to new_key_from_parameters()
to validate the constructed key via check_key() before returning it.
- PR #135: Add plaintext length pre-validation in rsa_crypt() with a
descriptive croak before attempting the OpenSSL operation.
- PR #151: Reject invalid (even-numbered) RSA exponents before passing
them to OpenSSL, preventing a potential hang during key generation.
[Maintenance]
- PR #163: Add CONTRIBUTING.md and SECURITY.md to satisfy CPANTS
experimental kwalitee metrics.
- PR #144: Clean up Makefile.PL metadata: remove dead -DPERL5 and
-DOPENSSL_NO_KRB5 defines; derive version dynamically from RSA.pm.
- PR #130: Add test coverage for generate_key() with custom public
exponents and exponent validation.
- PR #121: Add test coverage for private_encrypt() and public_decrypt().
- PR #148: Add PKCS#1 v1.5 signing regression tests.
- PR #95: Add error-path and edge-case test coverage (t/error.t).
- PR #115, PR #116: Add encrypt/decrypt and sign/verify edge-case tests.
- PR #85, PR #86, PR #88, PR #91: Improve test assertions — replace bare
ok() calls with is()/like() and add descriptive test names throughout.
- PR #84: Add macOS CI job covering both system LibreSSL and Homebrew
OpenSSL 3.x.
- PR #123: Add Valgrind memory-leak detection CI job on Debian bookworm.
- PR #73: Fix META URLs, remove duplicate .gitignore entries, fix
build_requires; add Debian trixie (OpenSSL 3.4.x) to CI matrix.
- PR #72: Bump actions/checkout from v4 to v6.
- PR #82: Bump perl-actions/perl-versions from 1 to 2.
- PR #70: Add Dependabot for automatic GitHub Actions version updates.
- PR #69: Remove Debian buster from CI matrix (EOL).
0.37 Oct 29 2025
- Fix libressl bitwise logic error in RSA.xs
0.36 Oct 29 2025
- Fix build with old OpenSSL on Strawberry Perl, which does not include whrlpool.h
- LibreSSL message digest functions: md cannot be NULL
- Don't support whirlpool on LibreSSL
- Add support for use_pkcs1_pss_padding with fatal error if RSA-PSS is used for encryption operations
0.35 May 7 2025
- Disable PKCS#1 v1.5 padding. It's not practical to mitigate Marvin attacks, so we will instead disable this and require alternatives to address the issue.
- Resolves #42 - CVE-2024-2467.
0.34 May 5 2025
- Production release.
0.34_03 May 4 2025
- Fix bug in rsa_crypt. Need to pass NULL
0.34_02 May 4 2025
- t/rsa.t needs to tolerate sha1 being disabled on rhel.
0.34_01 May 3 2025
- docs - plaintext = decrypt(cyphertext)
- #44 - Fix issue when libz is not linked on AIX
- #50 - Correct openssl version may not be found
- #52 - Out of memory on openssl 1.1.1w hpux
- #47 - Update FSF address and LGPL name in LICENSE
- #55 - stop using AutoLoader
- #48 - Whirlpool is missing the header
- Move github repo to cpan-authors
- Fully support openSSL 3.x API
0.33 July 7 2022
- Update for windows github CI
- Remove duplicate 'LICENSE' key
- Remove EUMM Remove version check
- #31 by removing reference to RSA_SSLV23_PADDING (removed from OpenSSL starting from v3.0.0)
- support passphrase-protected private key load
- fix 'unsupported encryption' error on old library versions
- Clarify croak message for missing passphrase on older cyphers
- More structs opaqued in LibreSSL 3.5
- Use a macro for dealing with older SSL lacking macros
- more CI fixups. Drop testing for 5.10 and 5.8. Something is broken upstream.
0.32 Wed Sep 8 2021
- Prefix internal bn2sv function so it doesn't collide with Net::SSLeay
- Ensure that verify() leaves openssl error stack clean on failure
- Fixed broken SEE ALSO links.
- prevent outer $SIG{__DIE__} handler from being called during optional require.
- omit done_testing since it does not work for older perl versions
0.31 Mon Sep 24 2018
- Remove default of SHA256 for RSA keys. This has caused significant
problems with downstream modules and it has always been possible to
do $key->use_sha256_hash()
0.30 Tue May 1 2018
- Working windows library detection
- Actively testing on appveyor for windows now.
- work correctly on LibreSSL
0.29_03 Mon Apr 16 2018
- Add whirlpool hash support.
- Crypt::OpenSSL::Random is now required at compile-time.
- Use the new interface to RSA_generate_key if available
- Add library paths to LIBS from Crypt::OpenSSL::Guess
0.29_02 Sun Apr 15 2018
- Add missing require of Config::OpenSSL::Guess
0.29_01 Fri Apr 13 2018
- Adapt to OpenSSL 1.1.0 (dur-randir)
- Move issue tracker to github.
- Modernization as in Crypt::OpenSSL::Random.
- better MSWin32 hints, fixes MSVC libraries,
- more meta tests,
- prefer hash mode NID_sha256 over NID_sha1 for sign
0.28 Thu Aug 25 2011 - Moritz Onken (PERLER)
- RT 56454 - Win32 compatibility patch (kmx@cpan.org)
0.27 Wed Jun 29 2011 - Todd Rinaldo (TODDR)
- RT 65947 - Fix RSA.pm break with perl 5.14+
0.26 Sun Nov 22 2009 11:01:13
- Change subclassing test to generate a 512 bit key in order to work
around an odd issue seen on some 64-bit redhat systems. (CPAN bug 45498)
0.25 Sun May 20 2007 12:56:11
- Add a LICENSE file.
- Fix a bug (reported by many) in rsa.t - we were incorrectly counting
the number of tests in situations where use_sha512_hash was
not available.
0.24 Mon Nov 13 2006 08:21:14
- Fix a bug reported by Mark Martinec <Mark.Martinec@ijs.si>
where encrypt could segfault if called with insufficient
data; it now informatively croaks instead.
- Fix a bug reported by Mark Martinec where check_key would
segfault instead of croaking when called on a public key.
- Fix decrypt and private_encrypt to croak instead of segfault when
called on a public key.
- Add an is_private method.
- Silence a few compiler warnings about ignoring return values
from certain BIO_* methods.
0.23 Wed Apr 12 2006 00:06:10
- Provide 32 bytes of seeding in tests, up from 19.
- Stop relying on implicit includes, which disappeared in the 0.98
release of OpenSSL.
- Apply patch from Jim Radford <radford@blackbean.org> to add support
for SHA{224,256,384,512}
0.22 Mon Nov 15 2005 21:13:20
- Add public_decrypt, private_encrypt methods, contributed
by Paul G. Weiss <paul@weiss.name>
- Some changes to help builds on Redhat9
- Remove deprecated methods:
* the no-arg new constructor - use new_from_public_key,
new_from_private_key or Crypt::OpenSSL::RSA->generate_key instead
* load_public_key - use new_from_public_key
* load_private_key - use new_from_private_key
* generate_key as an instance method - use it as a class constructor
method instead.
* set_padding_mode - use use_no_padding, use_pkcs1_padding,
use_pkcs1_oaep_padding, or use_sslv23_padding instead.
* get_padding_mode
- Eliminate (almost) all memory leaks.
- fix email address
- Stop returning true from methods just to indicate success.
- Change default public exponent from 65535 to 65537
0.21 Sun Feb 15 2004 21:13:45
- Include t/format.t in the MANIFEST file, so that it is
actually included in the distribution.
0.20 Sun Feb 15 2004 15:21:40
- Finally add support for the public key format produced by
"openssl rsa -pubout".
- Add comment in readme about locating kerberos files on redhat systems
0.19 Sun Apr 27 2003 18:33:48
- Revert back to old declaration style so that we no longer
break under perl 5.005 (spotted by Rob Brown <bbb@cpan.org>).
- Add some needed use statements in legacy.t and rsa.t (patch
submitted by Rob Brown).
- Fix typo in docs spotted by Daniel Drown <dan@drown.org>
- Update copyright dates.
0.18 Sun Feb 23 2003 20:44:35
- Add two new methods, new_key_from_parameters and
get_key_parameters, which, working with
Crypt::OpenSSL::Bignum, allow working directly with the
parameters of an RSA key.
0.17 Mon Jan 06 2003 22:43:31
- Workaround for gcc 3.2 compile problems:
"/usr/include/openssl/des.h:193: parse error before '&' token"
(Patch by Rob Brown <bbb@cpan.org>)
- Deprecate no-arg constructor, load_*_key methods and the
instance method generate_key; switch to three constructors:
new_public_key, new_private_key and generate_key (as a class
method)
- Deprecate set_padding_mode method; replace with
use_xxx_padding.
- move tests into t directory, use Test as a framework
0.16 Tue Jun 11 22:01:45
- Fix bug reported by Rob McMillin <rlm@pricegrabber.com> which
prevented subclassing.
0.15 Fri Jun 07 09:13:12
- Fix two bugs reported by Gordon Lack <gml4410@ggr.co.uk>: use
IV, not I32, for pointers, and cast the right-hand, not
left-hand, value when doing an assignment from an SV to an HV
0.14 Sun May 19 12:35:21
- Fix bug reported by Charles Jardine <cj10@cam.ac.uk>: use
Safefree, not free, to release memory allocated by New
0.13 Thu Mar 21 00:10:30
- Incorporating patch from Matthias Bauer
<bauerm@immd1.informatik.uni-erlangen.de>, which provides
signing and verification, as well as uses OpenSSL's internal
error reporting system. This patch also fixes a bug with the
RSA_NO_PADDING_MODE. Thanks, Matthias!
- Deprecate set_padding_mode in favor of use_xxx_padding.
- Rather than returning true on success, false on failure, just
croak when there are problems.
- Plug memory leaks.
- Fix my email address (it's cpan.org, not cpan.com)
0.12 Thu Sep 06 22:44:17
- Fixing bug with Crypt::OpenSSL::Random interoperability
- Implementing patch from Thomas Linden <scip@daemon.de>
fixing a keysize bug
- Fixing email address in docs.
0.11 Tue Apr 10 22:45:31
- Fixing bug in test.pl.
0.10 Mon Apr 09 18:25:41
- Moving random routines into Crypt::OpenSSL::Random
- Use New instead of malloc
0.09 Mon Apr 02 12:27:10
- Typo fix, and always exercise test random_seed in testing.
0.08 Sun Apr 01 23:04:31
- Changing method names to match convention
0.07 Thu Mar 08 3:31:41 2001
- Allow seeding of the PRNG
0.06 Thu Mar 08 12:40:04 2001
- Adding a readme file.
0.05 Mon Feb 26 10:50:43 2001
- Removing signing and verification, due to bizarre bugs
0.04 Fri Feb 23 10:41:33 2001
- Removing Base64 functionality and dependence
0.01 Wed Feb 14 11:21:42 2001
- original version; created by h2xs 1.19