File openssl-fips-rsagen-d-bits.patch of Package openssl.1633

Index: openssl-1.0.1i/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rsa/rsa_gen.c
+++ openssl-1.0.1i/crypto/rsa/rsa_gen.c
@@ -222,6 +222,12 @@ static int FIPS_rsa_builtin_keygen(RSA *
 		goto err;
 		}
 
+	BN_copy(rsa->e, e_value);
+
+	if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+		test = 1;
+
+retry:
 	/* prepare approximate minimum p and q */
 	if (!BN_set_word(r0, 0xB504F334)) goto err;
 	if (!BN_lshift(r0, r0, pbits - 32)) goto err;
@@ -230,11 +236,6 @@ static int FIPS_rsa_builtin_keygen(RSA *
 	if (!BN_one(r3)) goto err;
 	if (!BN_lshift(r3, r3, pbits - 100)) goto err;
 
-	BN_copy(rsa->e, e_value);
-
-	if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
-		test = 1;
-
 	/* generate p and q */
 	for (i = 0; i < 5 * pbits; i++)
 		{
@@ -341,6 +342,10 @@ static int FIPS_rsa_builtin_keygen(RSA *
 	if (!BN_div(lcm_p1_q1,NULL,pr0,gcd_p1_q1,ctx)) goto err;
 	if (!BN_mod_inverse(rsa->d,rsa->e,lcm_p1_q1,ctx)) goto err;	/* d */
 
+	/* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */
+	/* The LCM part is covered due to the generation by modulo above */
+	if (BN_num_bits(rsa->d) < pbits) goto retry; /* d is too small */
+
 	/* set up d for correct BN_FLG_CONSTTIME flag */
 	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
 		{