From: Timo Teräs
Date: Wed, 25 Jan 2023 18:56:41 +0000 (+0200)
Subject: Improve OpenSSL RSA key extraction
X-Git-Tag: v9.19.10~17^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=91c4bca866a6f5fde74a6a70027392c15a48ee24;p=thirdparty%2Fbind9.git

Improve OpenSSL RSA key extraction

Add check for extracting the public 'n' component on OpenSSL 3.0 path. This is mandatory component, and it's presence is checked already on the other code path. Also document the reason why private key component getting errors are ignored.
---
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index e143df0276e..0a254cb7381 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -61,13 +61,26 @@ opensslrsa_components_get(const dst_key_t *key, rsa_components_t *c,
 if (private && priv == NULL) {
 return (DST_R_INVALIDPRIVATEKEY);
 }
+ /*
+ * NOTE: Errors regarding private compoments are ignored.
+ *
+ * OpenSSL allows omitting the parameters for CRT based calculations
+ * (factors, exponents, coefficients). Only the 'd' parameter is
+ * mandatory for software keys.
+ *
+ * However, for a label based keys, all private key component queries
+ * can fail if they key is e.g. on a hardware device.
+ */
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_E, (BIGNUM **)&c->e) == 1) {
 c->bnfree = true;
- (void)EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
- (BIGNUM **)&c->n);
+ if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
+ (BIGNUM **)&c->n) != 1)
+ {
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
 if (!private) {
 return (ISC_R_SUCCESS);
 }