File openssl-CVE-2018-0737.patch of Package openssl.11292

Squash of OpenSSL_1_0_2-stable commits:
0b199a883e9170cdfe8e61c150bbaf8d8951f3e7
64eb614ccc7ccf30cc412b736f509f1d82bbf897
0d6710289307d277ebc3354105c965b6e8ba8eb0
349a41da1ad88ad87825414752a8ff5fdd6a6c3f

Index: openssl-1.0.1i/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.1i.orig/crypto/rsa/rsa_gen.c	2018-08-09 17:22:37.243510489 +0200
+++ openssl-1.0.1i/crypto/rsa/rsa_gen.c	2018-08-09 17:27:49.885680225 +0200
@@ -401,6 +401,7 @@ static int rsa_builtin_keygen(RSA *rsa,
 	BIGNUM *pr0,*d,*p;
 	int bitsp,bitsq,ok= -1,n=0;
 	BN_CTX *ctx=NULL;
+	unsigned long error = 0;
 
 #ifdef OPENSSL_FIPS
 	if (FIPS_module_mode())
@@ -448,6 +449,9 @@ static int rsa_builtin_keygen(RSA *rsa,
 
 	BN_copy(rsa->e, e_value);
 
+	BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+	BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+	BN_set_flags(r2, BN_FLG_CONSTTIME);
 	/* generate p and q */
 	for (;;)
 		{
@@ -456,8 +460,19 @@ static int rsa_builtin_keygen(RSA *rsa,
                 if (BN_cmp(rsa->p, r0) < 0)
                         continue;
 		if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
-		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
-		if (BN_is_one(r1)) break;
+        	ERR_set_mark();
+        	if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            		/* GCD == 1 since inverse exists */
+             		break;
+        	}
+        	error = ERR_peek_last_error();
+        	if (ERR_GET_LIB(error) == ERR_LIB_BN
+            	&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            	/* GCD != 1 */
+            	ERR_pop_to_mark();
+        	} else {
+            		goto err;
+        	}
 		if(!BN_GENCB_call(cb, 2, n++))
 			goto err;
 		}
@@ -476,9 +491,19 @@ static int rsa_builtin_keygen(RSA *rsa,
 		if (BN_ucmp(r2, r3) <= 0)
 			continue;
 		if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
-		if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
-		if (BN_is_one(r1))
-			break;
+        	ERR_set_mark();
+        	if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            		/* GCD == 1 since inverse exists */
+            		break;
+        	}
+        	error = ERR_peek_last_error();
+        	if (ERR_GET_LIB(error) == ERR_LIB_BN
+            	&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            		/* GCD != 1 */
+            		ERR_pop_to_mark();
+        	} else {
+            	goto err;
+        	}
 		if(!BN_GENCB_call(cb, 2, n++))
 			goto err;
 		}