From: Aydın Mercan
Date: Tue, 9 Jul 2024 13:32:51 +0000 (+0300)
Subject: fix the rsa exponent to 65537
X-Git-Tag: alessio/regression/a26055f03e~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2a76352b37b9cfe90643e24cff9188309015158a;p=thirdparty%2Fbind9.git
fix the rsa exponent to 65537
There isn't a realistic reason to ever use e = 4294967297. Fortunately its codepath wasn't reachable to users and can be safetly removed. Keep in mind the `dns_key_generate` header comment was outdated. e = 3 hasn't been used since 2006 so there isn't a reason to panic. The toggle was the public exponents between 65537 and 4294967297.
---
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 4742a06feba..20de2b36705 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -253,7 +253,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 char filename[255];
 char algstr[DNS_SECALG_FORMATSIZE];
 uint16_t flags = 0;
- int param = 0;
 bool null_key = false;
 bool conflict = false;
 bool show_progress = false;
@@ -614,12 +613,12 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 ctx->keystore, name, ctx->policy, ctx->rdclass, mctx, ctx->alg, ctx->size, flags, &key);
 } else if (!ctx->quiet && show_progress) {
- ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+ ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
 flags, ctx->protocol, ctx->rdclass, NULL, mctx, &key, &progress);
 } else {
- ret = dst_key_generate(name, ctx->alg, ctx->size, param,
+ ret = dst_key_generate(name, ctx->alg, ctx->size, 0,
 flags, ctx->protocol, ctx->rdclass, NULL, mctx, &key, NULL);
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 9ddfacd92ae..dc6b5a15b84 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
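Review bot: The two `dst_key_generate` calls in the second dnssec-keygen.c hunk now pass a bare `0` where `param` used to be, and nothing at the call site says what that literal means; per the dst.h comment in this same commit it is ignored for RSA and ECDSA but still selects the entropy mode for HMACMD5, where `0` is the "require good entropy" default. A short comment on the first of the two calls, `/* param: ignored for RSA/ECDSA; 0 = require good entropy for HMAC */`, would keep that readable without reintroducing the variable. The `keygen` function starts and ends outside both hunks.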
@@ -640,10 +640,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
 * Generate a DST key (or keypair) with the supplied parameters. The
 * interpretation of the "param" field depends on the algorithm:
 * \code
- * RSA: exponent
- * 0 use exponent 3
- * !0 use Fermat4 (2^16 + 1)
- * DSA: unused
+ * RSA: unused
+ * ECDSA: unused
 * HMACMD5: entropy
 * 0 default - require good entropy
 * !0 lack of good entropy is ok
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 6e26f8651bf..878fae17e38 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -678,11 +678,13 @@ err:
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
 static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+opensslrsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 isc_result_t ret;
 BIGNUM *e = BN_new();
 EVP_PKEY *pkey = NULL;
+ UNUSED(unused);
+
 if (e == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 }
@@ -714,15 +716,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 UNREACHABLE();
 }
- if (exp == 0) {
- /* RSA_F4 0x10001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 16);
- } else {
- /* (phased-out) F5 0x100000001 */
- BN_set_bit(e, 0);
- BN_set_bit(e, 32);
- }
+ /* e = 65537 (0x10001, F4) */
+ BN_set_bit(e, 0);
+ BN_set_bit(e, 16);
 ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback, &pkey);
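Review bot: `RSA: unused` in the dst.h hunk drops the one fact a caller of `dst_key_generate` now needs: which public exponent the generated key gets. The old text enumerated the choices, so the replacement should state the fixed value, e.g. `* RSA: unused (public exponent is fixed to 65537)`, rather than leaving "unused" to be read as "configured somewhere else". The doc comment continues past the hunk on both sides.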
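Review bot: The renamed parameter `int unused` in the first opensslrsa_link.c hunk keeps a slot whose reason for existing is no longer visible in this file; presumably it has to match a common generate function signature shared with the other algorithm back ends. A comment on the signature line, `/* int slot kept for the common generate signature; RSA ignores it */`, would stop a later change from quietly giving it a meaning again. The function body runs past this hunk.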
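Review bot: The two `BN_set_bit` calls that now build `e` in the second opensslrsa_link.c hunk still ignore their return value, so an allocation failure inside OpenSSL would presumably leave `e` at zero and the function would carry on into `opensslrsa_generate_pkey`, with the failure surfacing, if at all, as a less specific key-generation error; the `BN_new` NULL check a few lines earlier shows the function already treats bignum failures as hard errors. Since the exponent is now a fixed constant, replace both calls with one checked call using OpenSSL's own name for it (the removed comment already referred to `RSA_F4`; confirm `<openssl/rsa.h>` is in scope): `if (BN_set_word(e, RSA_F4) != 1) {` / `DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));` / `}`. That also makes 65537 a named value instead of a pair of bit positions. `opensslrsa_generate` continues past the hunk on the `opensslrsa_generate_pkey` call.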