char filename[255];
char algstr[DNS_SECALG_FORMATSIZE];
uint16_t flags = 0;
- int param = 0;
bool null_key = false;
bool conflict = false;
bool show_progress = false;
ctx->keystore, name, ctx->policy, ctx->rdclass,
mctx, ctx->alg, ctx->size, flags, &key);
} else if (!ctx->quiet && show_progress) {
- ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+ ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol,
ctx->rdclass, NULL, mctx, &key,
&progress);
} else {
- ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+ ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
flags, ctx->protocol,
ctx->rdclass, NULL, mctx, &key,
NULL);
* Generate a DST key (or keypair) with the supplied parameters. The
* interpretation of the "param" field depends on the algorithm:
* \code
- * RSA: exponent
- * 0 use exponent 3
- * !0 use Fermat4 (2^16 + 1)
- * DSA: unused
+ * RSA: unused
+ * ECDSA: unused
* HMACMD5: entropy
* 0 default - require good entropy
* !0 lack of good entropy is ok
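Review bot: The updated table marks RSA as `unused` but no longer says which public exponent a generated RSA key gets, which is what someone auditing key parameters would look for in this comment. Consider `RSA: unused (public exponent is always 65537)`, matching the fixed value that opensslrsa_generate() now sets. The comment block starts and ends outside this hunk, so the remaining entries (HMACMD5 and below) could not be checked against the algorithms still supported.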
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
isc_result_t ret;
BIGNUM *e = BN_new();
EVP_PKEY *pkey = NULL;
+ UNUSED(unused);
+
if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
UNREACHABLE();
}
- if (exp == 0) {
- /* RSA_F4 0x10001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 16);
- } else {
- /* (phased-out) F5 0x100000001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 32);
- }
+ /* e = 65537 (0x10001, F4) */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 16);
ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
&pkey);
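Review bot: The two `BN_set_bit()` calls that build the now-fixed exponent still ignore their return values, so a failure in either one would leave `e` at 0 or 1 and pass that to `opensslrsa_generate_pkey()`. Whether OpenSSL rejects such an exponent later is not visible here, so the failure is better caught locally: `if (BN_set_bit(e, 0) != 1 || BN_set_bit(e, 16) != 1) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); }`. A single checked `BN_set_word(e, 65537)` would do the same job. The function body starts and ends outside this hunk, so confirm that the cleanup path reached by `DST_RET` frees `e`.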