fix the rsa exponent to 65537

There isn't a realistic reason to ever use e = 4294967297. Fortunately its codepath wasn't reachable to users and can be safetly removed. Keep in mind the `dns_key_generate` header comment was outdated. e = 3 hasn't been used since 2006 so there isn't a reason to panic. The toggle was the public exponents between 65537 and 4294967297.
2025-08-31 14:35:26 +00:00 · 2024-07-09 16:32:51 +03:00
parent 9397251eb3
commit 2a76352b37
3 changed files with 10 additions and 17 deletions
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -678,11 +678,13 @@ err:
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */

 static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	isc_result_t ret;
 	BIGNUM *e = BN_new();
 	EVP_PKEY *pkey = NULL;

+	UNUSED(unused);
+
 	if (e == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -714,15 +716,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		UNREACHABLE();
 	}

-	if (exp == 0) {
-		/* RSA_F4 0x10001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 16);
-	} else {
-		/* (phased-out) F5 0x100000001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 32);
-	}
+	/* e = 65537 (0x10001, F4) */
+	BN_set_bit(e, 0);
+	BN_set_bit(e, 16);

 	ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
 				       &pkey);