From 2b746147ec31882e7147239288387c7864f6c957 Mon Sep 17 00:00:00 2001 From: tabudz Date: Sat, 7 Mar 2026 23:34:58 +0800 Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set. CVE-2018-0737 Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (cherry picked from commit 6939eab) --- 3rdparty/openssl/crypto/rsa/rsa_gen.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/3rdparty/openssl/crypto/rsa/rsa_gen.c b/3rdparty/openssl/crypto/rsa/rsa_gen.c index 082c8da2..98d8129a 100644 --- a/3rdparty/openssl/crypto/rsa/rsa_gen.c +++ b/3rdparty/openssl/crypto/rsa/rsa_gen.c @@ -145,6 +145,10 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, if (BN_copy(rsa->e, e_value) == NULL) goto err; + BN_set_flags(rsa->p, BN_FLG_CONSTTIME); + BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))