From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001 From: Billy Brumley Date: Wed, 11 Apr 2018 10:10:58 +0300 Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set. CVE-2018-0737 Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787) --- crypto/rsa/rsa_gen.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 9ca5dfefb7..42b89a8dfa 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (BN_copy(rsa->e, e_value) == NULL) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); BN_set_flags(r2, BN_FLG_CONSTTIME); /* generate p and q */ for (;;) { -- 2.25.1