Skip to content
Browse files
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both ge…
…t called with BN_FLG_CONSTTIME flag set.


Reviewed-by: Rich Salz <>
Reviewed-by: Matt Caswell <>
  • Loading branch information
bbbrumley authored and mattcaswell committed Apr 16, 2018
1 parent e4fa7cc commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
Showing with 2 additions and 0 deletions.
  1. +2 −0 crypto/rsa/rsa_gen.c
@@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;

BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {

2 comments on commit 6939eab


This comment has been minimized.

Copy link

@YanAnzouyijun YanAnzouyijun replied Dec 27, 2018

@bbbrumley , @mattcaswell hello ,is the cve-2018-0737 has affected the openssl version1.1.0g?i have seen that the cve-2018-0737 has affected the 1.1.0-1.1.0h from the official website.but the version of 1.1.0g does not use the function of BN_mod_inverse. so can i consider that the cve-2018-0737 does not affect the 1.1.0g?
if cve-2018-0737 affect the 1.1.0g . so can i copy the two line BN_set_flags to 1.1.0g?can you give me some suggestions to fix it ?


This comment has been minimized.

Copy link
Contributor Author

@bbbrumley bbbrumley replied Jan 9, 2019

@YanAnzouyijun It does affect 1.1.0g. Read our advice and/or check e.g. the Ubuntu patches.

Please sign in to comment.