Add support for KERN_ARND to get random bytes on NetBSD

[openssl.git] / crypto / rsa / rsa_gen.c

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index b092bbab434e51dec06b4eb89f9d4a6534a43f9b..7f0a25648140c4e89d0497bdc5c105fd7002b6c2 100644 (file)
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -71,29 +71,16 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     STACK_OF(RSA_PRIME_INFO) *prime_infos = NULL;
     BN_CTX *ctx = NULL;
     BN_ULONG bitst = 0;
+    unsigned long error = 0;
 
-    /*
-     * From Github pull request #4241:
-     *
-     * We are in disagreement on how to handle security trade-off, in other
-     * words:
-     *
-     * mechanical-check-for-maximum-of-16-prime-factors vs.
-     * limiting-number-depending-on-length-less-factors-for-shorter-keys.
-     */
-
-    /*
-     * When generating ridiculously small keys, we can get stuck
-     * continually regenerating the same prime values.
-     */
-    if (bits < 16) {
+    if (bits < RSA_MIN_MODULUS_BITS) {
         ok = 0;             /* we set our own err */
         RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL);
         goto err;
     }
 
-    if (primes < RSA_DEFAULT_PRIME_NUM
-        || primes > RSA_MAX_PRIME_NUM || bits <= primes) {
+    if (primes < RSA_DEFAULT_PRIME_NUM || primes > rsa_multip_cap(bits)) {
+        ok = 0;             /* we set our own err */
         RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
         goto err;
     }
@@ -112,20 +99,6 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
     quo = bits / primes;
     rmd = bits % primes;
 
-    if (primes > RSA_DEFAULT_PRIME_NUM && quo < RSA_MIN_PRIME_SIZE) {
-        /*
-         * this means primes are too many for the key bits.
-         *
-         * This only affects multi-prime keys. For normal RSA,
-         * it's limited above (bits >= 16, hence each prime >= 8).
-         *
-         * This is done in this way because the original normal
-         * RSA's behavior should not alter at least in OpenSSL 1.1.1.
-         */
-        RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_PRIME_NUM_INVALID);
-        goto err;
-    }
-
     for (i = 0; i < primes; i++)
         bitsr[i] = (i < rmd) ? quo + 1 : quo;
 
@@ -184,6 +157,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
             pinfo = sk_RSA_PRIME_INFO_value(prime_infos, i - 2);
             prime = pinfo->r;
         }
+        BN_set_flags(prime, BN_FLG_CONSTTIME);
 
         for (;;) {
  redo:
@@ -214,10 +188,20 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
             }
             if (!BN_sub(r2, prime, BN_value_one()))
                 goto err;
-            if (!BN_gcd(r1, r2, rsa->e, ctx))
-                goto err;
-            if (BN_is_one(r1))
+            ERR_set_mark();
+            BN_set_flags(r2, BN_FLG_CONSTTIME);
+            if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+               /* GCD == 1 since inverse exists */
                 break;
+            }
+            error = ERR_peek_last_error();
+            if (ERR_GET_LIB(error) == ERR_LIB_BN
+                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+                /* GCD != 1 */
+                ERR_pop_to_mark();
+            } else {
+                goto err;
+            }
             if (!BN_GENCB_call(cb, 2, n++))
                 goto err;
         }