From: Aydın Mercan Date: Mon, 8 Dec 2025 14:46:27 +0000 (+0300) Subject: set parameters in batch for rsa keygen X-Git-Tag: v9.21.18~2^2~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe617aa83079fd2a59e7c2da664b1ccb8ee350f6;p=thirdparty%2Fbind9.git set parameters in batch for rsa keygen On top on improving readability, doing so allows us to use a uint32_t for setting the e value, getting rid of allocating an unneccessary BIGNUM. --- diff --git a/lib/isc/ossl_wrap/ossl3.c b/lib/isc/ossl_wrap/ossl3.c index 0bd116f3816..f5b73e0513b 100644 --- a/lib/isc/ossl_wrap/ossl3.c +++ b/lib/isc/ossl_wrap/ossl3.c @@ -463,15 +463,18 @@ isc_ossl_wrap_generate_rsa_key(void (*callback)(int), size_t bit_size, EVP_PKEY **pkeyp) { isc_result_t result; EVP_PKEY_CTX *ctx; - BIGNUM *e; + uint32_t e = 65537; REQUIRE(pkeyp != NULL && *pkeyp == NULL); - e = BN_new(); - - /* e = 65537 (0x10001, F4) */ - BN_set_bit(e, 0); - BN_set_bit(e, 16); + /* + * https://docs.openssl.org/master/man7/EVP_PKEY-RSA/#rsa-key-generation-parameters + */ + const OSSL_PARAM params[3] = { + OSSL_PARAM_uint(OSSL_PKEY_PARAM_RSA_E, &e), + OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bit_size), + OSSL_PARAM_END, + }; ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); if (ctx == NULL) { @@ -482,12 +485,8 @@ isc_ossl_wrap_generate_rsa_key(void (*callback)(int), size_t bit_size, CLEANUP(OSSL_WRAP_ERROR("EVP_PKEY_keygen_init")); } - if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bit_size) != 1) { - CLEANUP(OSSL_WRAP_ERROR("EVP_PKEY_CTX_set_rsa_keygen_bits")); - } - - if (EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, e) != 1) { - CLEANUP(OSSL_WRAP_ERROR("EVP_PKEY_CTX_set1_rsa_keygen_pubexp")); + if (EVP_PKEY_CTX_set_params(ctx, params) != 1) { + CLEANUP(OSSL_WRAP_ERROR("EVP_PKEY_CTX_set_params")); } if (callback != NULL) { @@ -495,7 +494,15 @@ isc_ossl_wrap_generate_rsa_key(void (*callback)(int), size_t bit_size, EVP_PKEY_CTX_set_cb(ctx, rsa_keygen_progress_cb); } - if (EVP_PKEY_keygen(ctx, pkeyp) != 1) { + /* + * EVP_PKEY_keygen is an older function now equivalent to + * EVP_PKEY_generate with an additional check that EVP_PKEY_CTX has been + * initialized with EVP_PKEY_keygen_init. + * + * Since we can guarantee such condition we use EVP_PKEY_generate + * directly. + */ + if (EVP_PKEY_generate(ctx, pkeyp) != 1) { CLEANUP(OSSL_WRAP_ERROR("EVP_PKEY_keygen")); } @@ -503,7 +510,6 @@ isc_ossl_wrap_generate_rsa_key(void (*callback)(int), size_t bit_size, cleanup: EVP_PKEY_CTX_free(ctx); - BN_free(e); return result; } @@ -511,15 +517,21 @@ isc_result_t isc_ossl_wrap_generate_pkcs11_rsa_key(char *uri, size_t bit_size, EVP_PKEY **pkeyp) { EVP_PKEY_CTX *ctx = NULL; - OSSL_PARAM params[4]; isc_result_t result; int status; - - params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0); - params[1] = OSSL_PARAM_construct_utf8_string( - "pkcs11_key_usage", (char *)"digitalSignature", 0); - params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &bit_size); - params[3] = OSSL_PARAM_construct_end(); + size_t len; + + len = strlen(uri); + INSIST(len != 0); + + /* NUL-terminator should be left out */ + const OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string("pkcs11_uri", uri, len), + OSSL_PARAM_utf8_string("pkcs11_key_usage", pkcs11_key_usage, + sizeof(pkcs11_key_usage) - 1), + OSSL_PARAM_size_t(OSSL_PKEY_PARAM_RSA_BITS, &bit_size), + OSSL_PARAM_END, + }; ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11"); if (ctx == NULL) {