fix the rsa exponent to 65537

There isn't a realistic reason to ever use e = 4294967297. Fortunately its codepath wasn't reachable to users and can be safetly removed. Keep in mind the `dns_key_generate` header comment was outdated. e = 3 hasn't been used since 2006 so there isn't a reason to panic. The toggle was the public exponents between 65537 and 4294967297.
2025-09-03 16:15:27 +00:00 · 2024-07-09 16:32:51 +03:00
parent 9397251eb3
commit 2a76352b37
3 changed files with 10 additions and 17 deletions
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -253,7 +253,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	char filename[255];
 	char algstr[DNS_SECALG_FORMATSIZE];
 	uint16_t flags = 0;
-	int param = 0;
 	bool null_key = false;
 	bool conflict = false;
 	bool show_progress = false;
@@ -614,12 +613,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 				ctx->keystore, name, ctx->policy, ctx->rdclass,
 				mctx, ctx->alg, ctx->size, flags, &key);
 		} else if (!ctx->quiet && show_progress) {
-			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+			ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
 					       flags, ctx->protocol,
 					       ctx->rdclass, NULL, mctx, &key,
 					       &progress);
 		} else {
-			ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+			ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
 					       flags, ctx->protocol,
 					       ctx->rdclass, NULL, mctx, &key,
 					       NULL);
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -640,10 +640,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
 * Generate a DST key (or keypair) with the supplied parameters.  The
 * interpretation of the "param" field depends on the algorithm:
 * \code
- * 	RSA:	exponent
- * 		0	use exponent 3
- * 		!0	use Fermat4 (2^16 + 1)
- * 	DSA:	unused
+ * 	RSA:	unused
+ * 	ECDSA:	unused
 * 	HMACMD5: entropy
 *		0	default - require good entropy
 *		!0	lack of good entropy is ok
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -678,11 +678,13 @@ err:
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */

 static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	isc_result_t ret;
 	BIGNUM *e = BN_new();
 	EVP_PKEY *pkey = NULL;

+	UNUSED(unused);
+
 	if (e == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
@@ -714,15 +716,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 		UNREACHABLE();
 	}

-	if (exp == 0) {
-		/* RSA_F4 0x10001 */
+	/* e = 65537 (0x10001, F4) */
 	BN_set_bit(e, 0);
 	BN_set_bit(e, 16);
-	} else {
-		/* (phased-out) F5 0x100000001 */
-		BN_set_bit(e, 0);
-		BN_set_bit(e, 32);
-	}

 	ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
 				       &pkey);