Blame SOURCES/openssl-1.0.2k-cve-2018-0737.patch

7779df
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
7779df
index c7f1dc3..aa8a7c0 100644
7779df
--- a/crypto/rsa/rsa_gen.c
7779df
+++ b/crypto/rsa/rsa_gen.c
7779df
@@ -177,6 +177,17 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
7779df
     BIGNUM *pr0, *d, *p;
7779df
     int bitsp, bitsq, ok = -1, n = 0;
7779df
     BN_CTX *ctx = NULL;
7779df
+    unsigned long error = 0;
7779df
+
7779df
+    /*
7779df
+     * When generating ridiculously small keys, we can get stuck
7779df
+     * continually regenerating the same prime values.
7779df
+     */
7779df
+    if (bits < 16) {
7779df
+        ok = 0;             /* we set our own err */
7779df
+        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
7779df
+        goto err;
7779df
+    }
7779df
 
7779df
 #ifdef OPENSSL_FIPS
7779df
     if (FIPS_module_mode()) {
7779df
@@ -233,45 +244,55 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
7779df
     if (BN_copy(rsa->e, e_value) == NULL)
7779df
         goto err;
7779df
 
7779df
+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
7779df
+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
7779df
+    BN_set_flags(r2, BN_FLG_CONSTTIME);
7779df
     /* generate p and q */
7779df
     for (;;) {
7779df
         if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
7779df
             goto err;
7779df
         if (!BN_sub(r2, rsa->p, BN_value_one()))
7779df
             goto err;
7779df
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
7779df
-            goto err;
7779df
-        if (BN_is_one(r1))
7779df
+        ERR_set_mark();
7779df
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
7779df
+            /* GCD == 1 since inverse exists */
7779df
             break;
7779df
+        }
7779df
+        error = ERR_peek_last_error();
7779df
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
7779df
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
7779df
+            /* GCD != 1 */
7779df
+            ERR_pop_to_mark();
7779df
+        } else {
7779df
+            goto err;
7779df
+        }
7779df
         if (!BN_GENCB_call(cb, 2, n++))
7779df
             goto err;
7779df
     }
7779df
     if (!BN_GENCB_call(cb, 3, 0))
7779df
         goto err;
7779df
     for (;;) {
7779df
-        /*
7779df
-         * When generating ridiculously small keys, we can get stuck
7779df
-         * continually regenerating the same prime values. Check for this and
7779df
-         * bail if it happens 3 times.
7779df
-         */
7779df
-        unsigned int degenerate = 0;
7779df
         do {
7779df
             if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
7779df
                 goto err;
7779df
             if (!BN_sub(r2, rsa->q, rsa->p))
7779df
                 goto err;
7779df
-        } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
7779df
-        if (degenerate == 3) {
7779df
-            ok = 0;             /* we set our own err */
7779df
-            RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
7779df
-            goto err;
7779df
-        }
7779df
+        } while (BN_ucmp(r2, r3) <= 0);
7779df
         if (!BN_sub(r2, rsa->q, BN_value_one()))
7779df
             goto err;
7779df
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
7779df
-            goto err;
7779df
-        if (BN_is_one(r1))
7779df
+        ERR_set_mark();
7779df
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
7779df
+            /* GCD == 1 since inverse exists */
7779df
             break;
7779df
+        }
7779df
+        error = ERR_peek_last_error();
7779df
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
7779df
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
7779df
+            /* GCD != 1 */
7779df
+            ERR_pop_to_mark();
7779df
+        } else {
7779df
+            goto err;
7779df
+        }
7779df
         if (!BN_GENCB_call(cb, 2, n++))
7779df
             goto err;
7779df
     }