File openssl-CVE-2018-0737-fips.patch of Package openssl.11276

Adjustments to FIPS_rsa_builtin_keygen along the lines
of the CVE-2018-0737 fix, which consists of the commits:
9db724cfede4ba7a3668bff533973ee70145ec07
011f82e66f4bf131c733fd41a8390039859aafb2
7150a4720af7913cae16f2e4eaf768b578c0b298
6939eab03a6e23d2bd2c3f5e34fe1d48e542e787

Index: openssl-1.0.1i/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rsa/rsa_gen.c	2018-11-14 19:50:36.559337518 +0100
+++ openssl-1.0.1i/crypto/rsa/rsa_gen.c	2018-11-14 19:55:00.017023333 +0100
@@ -179,6 +179,7 @@ static int FIPS_rsa_builtin_keygen(RSA *
         int n = 0;
 	int test = 0;
         int pbits = bits/2;
+        unsigned long error = 0;
 
 	if(FIPS_selftest_failed())
 		{
@@ -236,6 +237,10 @@ retry:
 	if (!BN_one(r3)) goto err;
 	if (!BN_lshift(r3, r3, pbits - 100)) goto err;
 
+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+    BN_set_flags(r2, BN_FLG_CONSTTIME);
+
 	/* generate p and q */
 	for (i = 0; i < 5 * pbits; i++)
 		{
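Review bot: The three `BN_set_flags` lines are indented with four spaces while the neighbouring statements use tabs, so they stand out from the surrounding file style; re-indenting them to match would keep the hunk consistent. It would also help a reader to say why the flag is set on `r2` at all: as far as I recall, `BN_mod_inverse()` selects its constant-time implementation when either its `a` or `n` argument carries `BN_FLG_CONSTTIME`, and `r2` is the `a` argument in the calls added in the later hunks, so a comment such as `/* CONSTTIME on r2 makes the BN_mod_inverse() calls below take the constant-time path */` would document the intent. The function body continues outside the hunk.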
@@ -249,13 +254,22 @@ retry:
                         }
 
 		if (!BN_sub(r2, rsa->p, BN_value_one())) goto err;
-		if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-		if (BN_is_one(r1))
-                        {
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
                         int r;
                         r = BN_is_prime_fasttest_ex(rsa->p, pbits>1024?4:5, ctx, 0, cb);
         		if (r == -1 || (test && r <= 0)) goto err;
         		if (r > 0) break;
+        } else {
+            error = ERR_peek_last_error();
+            if (ERR_GET_LIB(error) == ERR_LIB_BN
+                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+                /* GCD != 1 */
+                ERR_pop_to_mark();
+            } else {
+                goto err;
+            }
                         } 
 
 		if(!BN_GENCB_call(cb, 2, n++))
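Review bot: The inserted lines are indented with four spaces while the enclosing loop body uses tabs, and the pre-existing `}` that now closes the `else` branch (the line after `goto err;`) still sits at the column of the old `if (BN_is_one(r1))` block, so the brace structure is hard to follow; re-indenting the inserted block to the surrounding tab style would fix that. The same applies to the q loop in the following hunk. The p and q loops now carry identical mark/inverse/peek logic; a small static helper returning coprime, not-coprime or error (for example `static int rsa_fips_coprime_to_e(BIGNUM *r1, const BIGNUM *pm1, const BIGNUM *e, BN_CTX *ctx)`) would remove the duplication. When the inverse exists the mark set by `ERR_set_mark()` is never popped, so any previously queued error keeps its mark flag; this appears to match the upstream change, but a comment like `/* inverse found: mark is intentionally left, queue untouched */` would make it explicit. The enclosing loop starts and ends outside the hunk.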
@@ -287,13 +301,22 @@ retry:
                         }
 
 		if (!BN_sub(r2, rsa->q, BN_value_one())) goto err;
-		if (!BN_gcd(r1, r2, rsa->e, ctx)) goto err;
-		if (BN_is_one(r1))
-                        {
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
                         int r;
                         r = BN_is_prime_fasttest_ex(rsa->q, pbits>1024?4:5, ctx, 0, cb);
         		if (r == -1 || (test && r <= 0)) goto err;
         		if (r > 0) break;
+        } else {
+            error = ERR_peek_last_error();
+            if (ERR_GET_LIB(error) == ERR_LIB_BN
+                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+                /* GCD != 1 */
+                ERR_pop_to_mark();
+            } else {
+                goto err;
+            }
                         } 
 
 		if(!BN_GENCB_call(cb, 2, n++))