openssl/openssl-fips-rsagen-d-bits.patch

Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c	2016-04-14 10:23:50.941168136 +0200
+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c	2016-04-14 10:47:56.651757817 +0200
@@ -237,6 +237,12 @@ static int FIPS_rsa_builtin_keygen(RSA *
         goto err;
     }
 
+    BN_copy(rsa->e, e_value);
+
+    if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
+        test = 1;
+
+retry:
     /* prepare approximate minimum p and q */
     if (!BN_set_word(r0, 0xB504F334))
         goto err;
@@ -249,12 +255,6 @@ static int FIPS_rsa_builtin_keygen(RSA *
     if (!BN_lshift(r3, r3, pbits - 100))
         goto err;
 
-    BN_copy(rsa->e, e_value);
-
-    if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
-        test = 1;
-
- retry:
     /* generate p and q */
     for (i = 0; i < 5 * pbits; i++) {
  ploop:
@@ -384,6 +384,8 @@ static int FIPS_rsa_builtin_keygen(RSA *
     if (!BN_mod_inverse(rsa->d, rsa->e, lcm_p1_q1, ctx))
         goto err;               /* d */
 
+    /* test 2^(bits/2) < d < LCM((p-1)*(q-1)) */
+    /* the LCM part is covered due to the generation by modulo above */
     if (BN_num_bits(rsa->d) < pbits)
         goto retry;             /* d is too small */