File openssl-CVE-2018-0737.patch of Package compat-openssl098.11471
Squash of OpenSSL_1_0_2-stable commits:
0b199a883e9170cdfe8e61c150bbaf8d8951f3e7
64eb614ccc7ccf30cc412b736f509f1d82bbf897
0d6710289307d277ebc3354105c965b6e8ba8eb0
349a41da1ad88ad87825414752a8ff5fdd6a6c3f
Index: openssl-0.9.8j/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-0.9.8j.orig/crypto/rsa/rsa_gen.c 2008-09-16 16:55:26.000000000 +0200
+++ openssl-0.9.8j/crypto/rsa/rsa_gen.c 2018-08-13 11:38:12.072205036 +0200
@@ -91,6 +91,7 @@ static int rsa_builtin_keygen(RSA *rsa,
BIGNUM *pr0,*d,*p;
int bitsp,bitsq,ok= -1,n=0;
BN_CTX *ctx=NULL;
+ unsigned long error = 0;
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
@@ -116,14 +117,28 @@ static int rsa_builtin_keygen(RSA *rsa,
BN_copy(rsa->e, e_value);
+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;)
{
if(!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
if (!BN_sub(r2,rsa->p,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1)) break;
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}
@@ -147,9 +162,19 @@ static int rsa_builtin_keygen(RSA *rsa,
goto err;
}
if (!BN_sub(r2,rsa->q,BN_value_one())) goto err;
- if (!BN_gcd(r1,r2,rsa->e,ctx)) goto err;
- if (BN_is_one(r1))
- break;
+ ERR_set_mark();
+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+ /* GCD == 1 since inverse exists */
+ break;
+ }
+ error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_BN
+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+ /* GCD != 1 */
+ ERR_pop_to_mark();
+ } else {
+ goto err;
+ }
if(!BN_GENCB_call(cb, 2, n++))
goto err;
}