File openssl-fips-rsagen-d-bits.patch of Package openssl-1_1.14087
Index: openssl-1.1.0i/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.1.0i.orig/crypto/rsa/rsa_gen.c 2019-01-18 13:08:37.886036263 +0100
+++ openssl-1.1.0i/crypto/rsa/rsa_gen.c 2019-01-18 13:16:49.909110119 +0100
@@ -174,6 +174,12 @@ static int fips_rsa_builtin_keygen(RSA *
goto err;
}
+ BN_copy(rsa->e, e_value);
+
+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+ test = 1;
+
+retry:
/* prepare approximate minimum p and q */
if (!BN_set_word(r0, 0xB504F334))
goto err;
@@ -186,18 +192,12 @@ static int fips_rsa_builtin_keygen(RSA *
if (!BN_lshift(r3, r3, pbits - 100))
goto err;
- BN_copy(rsa->e, e_value);
-
- if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
- test = 1;
-
BN_set_flags(r0, BN_FLG_CONSTTIME);
BN_set_flags(r1, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
- retry:
/* generate p and q */
for (i = 0; i < 5 * pbits; i++) {
ploop:
@@ -332,6 +332,8 @@ static int fips_rsa_builtin_keygen(RSA *
goto err;
}
+ /* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */
+ /* the LCM part is covered due to the generation by modulo above */
if (BN_num_bits(rsa->d) < pbits)
goto retry; /* d is too small */