Improve OpenSSL RSA key extraction
authorTimo Teräs <timo.teras@iki.fi>
Wed, 25 Jan 2023 18:56:41 +0000 (20:56 +0200)
committerTimo Teräs <timo.teras@iki.fi>
Wed, 25 Jan 2023 19:04:27 +0000 (21:04 +0200)
Add a check for extracting the public 'n' component on the OpenSSL 3.0
path. This is a mandatory component, and its presence is already checked
on the other code path.

Also document the reason why private key component getting errors
are ignored.

lib/dns/opensslrsa_link.c

index e143df0276e572d01270a00c2b7c1038554ef45d..0a254cb73813e2e876df37e10ee305efb5921ac7 100644 (file)
@@ -61,13 +61,26 @@ opensslrsa_components_get(const dst_key_t *key, rsa_components_t *c,
        if (private && priv == NULL) {
                return (DST_R_INVALIDPRIVATEKEY);
        }
+       /*
+        * NOTE: Errors regarding private compoments are ignored.
+        *
+        * OpenSSL allows omitting the parameters for CRT based calculations
+        * (factors, exponents, coefficients). Only the 'd'  parameter is
+        * mandatory for software keys.
+        *
+        * However, for a label based keys, all private key component queries
+        * can fail if they key is e.g. on a hardware device.
+        */
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
        if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_E,
                                  (BIGNUM **)&c->e) == 1)
        {
                c->bnfree = true;
-               (void)EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
-                                           (BIGNUM **)&c->n);
+               if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
+                                         (BIGNUM **)&c->n) != 1)
+               {
+                       return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+               }
                if (!private) {
                        return (ISC_R_SUCCESS);
                }