Commit

RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
bbbrumley authored and mattcaswell committed Apr 16, 2018
1 parent e4fa7cc commit 6939eab
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions crypto/rsa/rsa_gen.c
Expand Up @@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
if (BN_copy(rsa->e, e_value) == NULL)
goto err;

BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
BN_set_flags(r2, BN_FLG_CONSTTIME);
/* generate p and q */
for (;;) {
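
Review bot: the BN_set_flags calls on rsa->p and rsa->q, placed just before the "generate p and q" loop, carry no comment saying that the flag must be on these BIGNUMs so that BN_mod_inverse and BN_mod_exp_mont take their constant-time paths when p and q are passed in, which makes the lines easy to drop or reorder in a later refactor or backport. Suggest a one-line comment tying them to CVE-2018-0737, and confirm that every other BIGNUM in rsa_builtin_keygen that holds a secret-derived value and reaches those two functions is flagged as well, since the visible lines cover only rsa->p, rsa->q and r2.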

2 comments on commit 6939eab

@YanAnzouyijun

@bbbrumley, @mattcaswell Hello, has CVE-2018-0737 affected OpenSSL version 1.1.0g? I have seen on the official website that CVE-2018-0737 has affected 1.1.0-1.1.0h, but version 1.1.0g does not use the function BN_mod_inverse. So can I consider that CVE-2018-0737 does not affect 1.1.0g?
If CVE-2018-0737 affects 1.1.0g, can I copy the two BN_set_flags lines to 1.1.0g? Can you give me some suggestions to fix it?
Thanks

@bbbrumley
Contributor Author

@YanAnzouyijun It does affect 1.1.0g. Read our advice and/or check e.g. the Ubuntu patches.