Improve OpenSSL RSA key extraction

Add a check for extracting the public 'n' component on the OpenSSL 3.0
path. This is a mandatory component, and its presence is already checked
on the other code path.

Also document the reason why private key component getting errors
are ignored.
Timo Teräs 2023-01-25 20:56:41 +02:00
parent cdae45e9cf
commit 91c4bca866


@ -61,13 +61,26 @@ opensslrsa_components_get(const dst_key_t *key, rsa_components_t *c,
if (private && priv == NULL) {
return (DST_R_INVALIDPRIVATEKEY);
}
/*
* NOTE: Errors regarding private compoments are ignored.
*
* OpenSSL allows omitting the parameters for CRT based calculations
* (factors, exponents, coefficients). Only the 'd' parameter is
* mandatory for software keys.
*
* However, for a label based keys, all private key component queries
* can fail if they key is e.g. on a hardware device.
*/
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_E,
(BIGNUM **)&c->e) == 1)
{
c->bnfree = true;
(void)EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
(BIGNUM **)&c->n);
if (EVP_PKEY_get_bn_param(pub, OSSL_PKEY_PARAM_RSA_N,
(BIGNUM **)&c->n) != 1)
{
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
if (!private) {
return (ISC_R_SUCCESS);
}
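Review bot: The new comment block carries three typos that make the rationale harder to read: `compoments`, `for a label based keys`, and `if they key is`; suggest `components`, `for label-based keys`, and `if the key is`. The early return on the failed 'n' query relies on `c->bnfree` having been set on the line just above so that the caller releases the already-extracted 'e'; if that is indeed the cleanup contract (the caller is outside this hunk), a one-line comment such as `/* bnfree already set: caller releases c->e on this error path */` would make the ordering intentional rather than incidental. The enclosing function continues past the end of the hunk, so what happens when the 'e' query itself returns something other than 1 is not visible here.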