mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00
Code Issues Releases Wiki Activity

fix the rsa exponent to 65537

Browse Source 
There isn't a realistic reason to ever use e = 4294967297. Fortunately
its codepath wasn't reachable to users and can be safetly removed.

Keep in mind the `dns_key_generate` header comment was outdated. e = 3
hasn't been used since 2006 so there isn't a reason to panic. The
toggle was the public exponents between 65537 and 4294967297.
This commit is contained in:
Aydın Mercan
2024-07-09 16:32:51 +03:00
committed by Ondřej Surý
parent 9397251eb3
commit 2a76352b37
3 changed files with 10 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
bin/dnssec/dnssec-keygen.c
View File

@@ -253,7 +253,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
char filename[255]; char filename[255];
char algstr[DNS_SECALG_FORMATSIZE]; char algstr[DNS_SECALG_FORMATSIZE];
uint16_t flags = 0; uint16_t flags = 0;
int param = 0;
bool null_key = false; bool null_key = false;
bool conflict = false; bool conflict = false;
bool show_progress = false; bool show_progress = false;
@@ -614,12 +613,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
ctx->keystore, name, ctx->policy, ctx->rdclass, ctx->keystore, name, ctx->policy, ctx->rdclass,
mctx, ctx->alg, ctx->size, flags, &key); mctx, ctx->alg, ctx->size, flags, &key);
} else if (!ctx->quiet && show_progress) { } else if (!ctx->quiet && show_progress) {
ret = dst_key_generate(name, ctx->alg, ctx->size, param, ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol, flags, ctx->protocol,
ctx->rdclass, NULL, mctx, &key, ctx->rdclass, NULL, mctx, &key,
&progress); &progress);
} else { } else {
ret = dst_key_generate(name, ctx->alg, ctx->size, param, ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol, flags, ctx->protocol,
ctx->rdclass, NULL, mctx, &key, ctx->rdclass, NULL, mctx, &key,
NULL); NULL);

6
lib/dns/include/dst/dst.h
View File

@@ -640,10 +640,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
* Generate a DST key (or keypair) with the supplied parameters. The * Generate a DST key (or keypair) with the supplied parameters. The
* interpretation of the "param" field depends on the algorithm: * interpretation of the "param" field depends on the algorithm:
* \code * \code
* RSA: exponent * RSA: unused
* 0 use exponent 3 * ECDSA: unused
* !0 use Fermat4 (2^16 + 1)
* DSA: unused
* HMACMD5: entropy * HMACMD5: entropy
* 0 default - require good entropy * 0 default - require good entropy
* !0 lack of good entropy is ok * !0 lack of good entropy is ok

16
lib/dns/opensslrsa_link.c
View File

@@ -678,11 +678,13 @@ err:
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
static isc_result_t static isc_result_t
opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
isc_result_t ret; isc_result_t ret;
BIGNUM *e = BN_new(); BIGNUM *e = BN_new();
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
UNUSED(unused);
if (e == NULL) { if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
} }
@@ -714,15 +716,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
UNREACHABLE(); UNREACHABLE();
} }
if (exp == 0) { /* e = 65537 (0x10001, F4) */
/* RSA_F4 0x10001 */ BN_set_bit(e, 0);
BN_set_bit(e, 0); BN_set_bit(e, 16);
BN_set_bit(e, 16);
} else {
/* (phased-out) F5 0x100000001 */
BN_set_bit(e, 0);
BN_set_bit(e, 32);
}
ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback, ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
&pkey); &pkey);