|
 |
7779df |
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
|
|
|
7779df |
index c7f1dc3..aa8a7c0 100644
|
|
|
7779df |
--- a/crypto/rsa/rsa_gen.c
|
|
|
7779df |
+++ b/crypto/rsa/rsa_gen.c
|
|
|
7779df |
@@ -177,6 +177,17 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
|
|
|
7779df |
BIGNUM *pr0, *d, *p;
|
|
|
7779df |
int bitsp, bitsq, ok = -1, n = 0;
|
|
|
7779df |
BN_CTX *ctx = NULL;
|
|
|
7779df |
+ unsigned long error = 0;
|
|
|
7779df |
+
|
|
|
7779df |
+ /*
|
|
|
7779df |
+ * When generating ridiculously small keys, we can get stuck
|
|
|
7779df |
+ * continually regenerating the same prime values.
|
|
|
7779df |
+ */
|
|
|
7779df |
+ if (bits < 16) {
|
|
|
7779df |
+ ok = 0; /* we set our own err */
|
|
|
7779df |
+ RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
|
|
7779df |
+ goto err;
|
|
|
7779df |
+ }
|
|
|
7779df |
|
|
|
7779df |
#ifdef OPENSSL_FIPS
|
|
|
7779df |
if (FIPS_module_mode()) {
|
|
|
7779df |
@@ -233,45 +244,55 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
|
|
|
7779df |
if (BN_copy(rsa->e, e_value) == NULL)
|
|
|
7779df |
goto err;
|
|
|
7779df |
|
|
|
7779df |
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
|
|
|
7779df |
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
|
|
|
7779df |
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
|
|
|
7779df |
/* generate p and q */
|
|
|
7779df |
for (;;) {
|
|
|
7779df |
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
|
|
|
7779df |
goto err;
|
|
|
7779df |
if (!BN_sub(r2, rsa->p, BN_value_one()))
|
|
|
7779df |
goto err;
|
|
|
7779df |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
7779df |
- goto err;
|
|
|
7779df |
- if (BN_is_one(r1))
|
|
|
7779df |
+ ERR_set_mark();
|
|
|
7779df |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
7779df |
+ /* GCD == 1 since inverse exists */
|
|
|
7779df |
break;
|
|
|
7779df |
+ }
|
|
|
7779df |
+ error = ERR_peek_last_error();
|
|
|
7779df |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
7779df |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
7779df |
+ /* GCD != 1 */
|
|
|
7779df |
+ ERR_pop_to_mark();
|
|
|
7779df |
+ } else {
|
|
|
7779df |
+ goto err;
|
|
|
7779df |
+ }
|
|
|
7779df |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
7779df |
goto err;
|
|
|
7779df |
}
|
|
|
7779df |
if (!BN_GENCB_call(cb, 3, 0))
|
|
|
7779df |
goto err;
|
|
|
7779df |
for (;;) {
|
|
|
7779df |
- /*
|
|
|
7779df |
- * When generating ridiculously small keys, we can get stuck
|
|
|
7779df |
- * continually regenerating the same prime values. Check for this and
|
|
|
7779df |
- * bail if it happens 3 times.
|
|
|
7779df |
- */
|
|
|
7779df |
- unsigned int degenerate = 0;
|
|
|
7779df |
do {
|
|
|
7779df |
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
|
|
7779df |
goto err;
|
|
|
7779df |
if (!BN_sub(r2, rsa->q, rsa->p))
|
|
|
7779df |
goto err;
|
|
|
7779df |
- } while ((BN_ucmp(r2, r3) <= 0) && (++degenerate < 3));
|
|
|
7779df |
- if (degenerate == 3) {
|
|
|
7779df |
- ok = 0; /* we set our own err */
|
|
|
7779df |
- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
|
|
|
7779df |
- goto err;
|
|
|
7779df |
- }
|
|
|
7779df |
+ } while (BN_ucmp(r2, r3) <= 0);
|
|
|
7779df |
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
|
|
7779df |
goto err;
|
|
|
7779df |
- if (!BN_gcd(r1, r2, rsa->e, ctx))
|
|
|
7779df |
- goto err;
|
|
|
7779df |
- if (BN_is_one(r1))
|
|
|
7779df |
+ ERR_set_mark();
|
|
|
7779df |
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
|
|
|
7779df |
+ /* GCD == 1 since inverse exists */
|
|
|
7779df |
break;
|
|
|
7779df |
+ }
|
|
|
7779df |
+ error = ERR_peek_last_error();
|
|
|
7779df |
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
|
|
|
7779df |
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
|
|
|
7779df |
+ /* GCD != 1 */
|
|
|
7779df |
+ ERR_pop_to_mark();
|
|
|
7779df |
+ } else {
|
|
|
7779df |
+ goto err;
|
|
|
7779df |
+ }
|
|
|
7779df |
if (!BN_GENCB_call(cb, 2, n++))
|
|
|
7779df |
goto err;
|
|
|
7779df |
}
|