From c1b0a3871777383e63128efe01ebca243a010853 Mon Sep 17 00:00:00 2001
From: Toddr Bot
Date: Wed, 18 Mar 2026 23:52:30 +0000
Subject: [PATCH 1/2] fix: check PEM write return values in key export functions
PEM_write_bio_PrivateKey_traditional(), PEM_write_bio_RSAPublicKey(), and PEM_write_bio_PUBKEY() return values were unchecked. On failure, callers would silently return garbage/partial PEM data instead of croaking with an OpenSSL error. Also removes a trailing semicolon from the PEM_write_bio_PUBKEY macro on the OpenSSL 3.x path that prevented using the return value in expressions.
Co-Authored-By: Claude Opus 4.6
---
 RSA.xs | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/RSA.xs b/RSA.xs
index 21fd402..8f4de4d 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -37,7 +37,7 @@
 #define PEM_read_bio_PrivateKey PEM_read_bio_PrivateKey
 #define PEM_read_bio_RSAPublicKey PEM_read_bio_PUBKEY
 #define PEM_read_bio_RSA_PUBKEY PEM_read_bio_PUBKEY
-#define PEM_write_bio_PUBKEY(o,p) PEM_write_bio_PUBKEY(o,p);
+#define PEM_write_bio_PUBKEY(o,p) PEM_write_bio_PUBKEY(o,p)
 #define PEM_write_bio_PrivateKey_traditional(m, n, o, p, q, r, s) PEM_write_bio_PrivateKey_traditional(m, n, o, p, q, r, s)
 #else
 #define UNSIGNED_CHAR char
@@ -490,8 +490,12 @@ get_private_key_string(p_rsa, passphase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_u
 }
 CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
- PEM_write_bio_PrivateKey_traditional(
- stringBIO, p_rsa->rsa, enc, (unsigned char* ) passphase, passphaseLength, NULL, NULL);
+ if (!PEM_write_bio_PrivateKey_traditional(
+ stringBIO, p_rsa->rsa, enc, (unsigned char* ) passphase, passphaseLength, NULL, NULL))
+ {
+ BIO_free(stringBIO);
+ croakSsl(__FILE__, __LINE__);
+ }
 RETVAL = extractBioString(stringBIO);
 OUTPUT:
@@ -525,7 +529,11 @@ get_public_key_string(p_rsa)
 CHECK_OPEN_SSL(0);
 pubkey_done:
 #else
- PEM_write_bio_RSAPublicKey(stringBIO, p_rsa->rsa);
+ if (!PEM_write_bio_RSAPublicKey(stringBIO, p_rsa->rsa))
+ {
+ BIO_free(stringBIO);
+ croakSsl(__FILE__, __LINE__);
+ }
 #endif
 RETVAL = extractBioString(stringBIO);
@@ -539,7 +547,11 @@ get_public_key_x509_string(p_rsa)
 BIO* stringBIO;
 CODE:
 CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
- PEM_write_bio_PUBKEY(stringBIO, p_rsa->rsa);
+ if (!PEM_write_bio_PUBKEY(stringBIO, p_rsa->rsa))
+ {
+ BIO_free(stringBIO);
+ croakSsl(__FILE__, __LINE__);
+ }
 RETVAL = extractBioString(stringBIO);
 OUTPUT:
From cd17688dc4a6957a19ed09ea8a6c1e1936917480 Mon Sep 17 00:00:00 2001
From: Toddr Bot
Date: Thu, 19 Mar 2026 03:00:01 +0000
Subject: [PATCH 2/2] rebase: apply review feedback on #120
---
 RSA.xs | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/RSA.xs b/RSA.xs
index 8f4de4d..65c8078 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -88,6 +88,8 @@ void croakSsl(char* p_file, int p_line)
 }
 #define CHECK_OPEN_SSL(p_result) if (!(p_result)) croakSsl(__FILE__, __LINE__);
+#define CHECK_OPEN_SSL_BIO(p_result, bio) \
+ if (!(p_result)) { BIO_free(bio); croakSsl(__FILE__, __LINE__); }
 #define PACKAGE_CROAK(p_message) croak("%s", (p_message))
 #define CHECK_NEW(p_var, p_size, p_type) \
@@ -490,12 +492,8 @@ get_private_key_string(p_rsa, passphase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_u
 }
 CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
- if (!PEM_write_bio_PrivateKey_traditional(
- stringBIO, p_rsa->rsa, enc, (unsigned char* ) passphase, passphaseLength, NULL, NULL))
- {
- BIO_free(stringBIO);
- croakSsl(__FILE__, __LINE__);
- }
+ CHECK_OPEN_SSL_BIO(PEM_write_bio_PrivateKey_traditional(
+ stringBIO, p_rsa->rsa, enc, (unsigned char* ) passphase, passphaseLength, NULL, NULL), stringBIO);
 RETVAL = extractBioString(stringBIO);
 OUTPUT:
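Review bot: In get_public_key_string the added `BIO_free(stringBIO)` covers only the `#else` branch; the branch above `pubkey_done:` still fails through `CHECK_OPEN_SSL(0);`, and no cleanup for it is visible in this hunk. Unless the lines above the hunk release stringBIO first, that failure path still leaks the memory BIO and the two branches disagree on error handling. A `BIO_free(stringBIO);` immediately before `CHECK_OPEN_SSL(0);` would align them; once patch 2/2 is applied the same line can read `CHECK_OPEN_SSL_BIO(0, stringBIO);`. The context line is carried unchanged through the `@@ -529,11 +527,7 @@` hunk of patch 2/2, and the function body starts and ends outside both hunks.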
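Review bot: The new `CHECK_OPEN_SSL_BIO` macro in the `@@ -88,6 +88,8 @@` hunk expands to a bare `if (...) { ... }`, so a call written with its trailing `;` is two statements and does not behave as one inside an unbraced `if`/`else`. Wrapping the body as `do { if (!(p_result)) { BIO_free(bio); croakSsl(__FILE__, __LINE__); } } while (0)` keeps each use a single statement. A short comment above the macro, such as `/* Frees bio before croaking; cleanup cannot follow croakSsl() if it does not return. */`, would record why the free comes first. That croakSsl does not return is inferred from the commit message, since only the closing brace of its body is visible here.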
@@ -529,11 +527,7 @@ get_public_key_string(p_rsa)
 CHECK_OPEN_SSL(0);
 pubkey_done:
 #else
- if (!PEM_write_bio_RSAPublicKey(stringBIO, p_rsa->rsa))
- {
- BIO_free(stringBIO);
- croakSsl(__FILE__, __LINE__);
- }
+ CHECK_OPEN_SSL_BIO(PEM_write_bio_RSAPublicKey(stringBIO, p_rsa->rsa), stringBIO);
 #endif
 RETVAL = extractBioString(stringBIO);
@@ -547,11 +541,7 @@ get_public_key_x509_string(p_rsa)
 BIO* stringBIO;
 CODE:
 CHECK_OPEN_SSL(stringBIO = BIO_new(BIO_s_mem()));
- if (!PEM_write_bio_PUBKEY(stringBIO, p_rsa->rsa))
- {
- BIO_free(stringBIO);
- croakSsl(__FILE__, __LINE__);
- }
+ CHECK_OPEN_SSL_BIO(PEM_write_bio_PUBKEY(stringBIO, p_rsa->rsa), stringBIO);
 RETVAL = extractBioString(stringBIO);
 OUTPUT: