From f451bac0005fb7d4e3e335b824c87237b00148c3 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 30 Aug 2013 15:37:02 +0200
Subject: [PATCH] Blinding RSA only active when f_rng is provided

---
 include/polarssl/rsa.h | 14 +++++++-------
 library/rsa.c | 44 +++++++++++++++++++++++-------------------
 2 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index 5bc688132..4e85ca6cc 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -275,7 +275,7 @@ int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
 * the message padding
 *
 * \param ctx RSA context
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param olen will contain the plaintext length
@@ -301,7 +301,7 @@ int rsa_pkcs1_decrypt( rsa_context *ctx,
 * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
 *
 * \param ctx RSA context
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param olen will contain the plaintext length
@@ -327,7 +327,7 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
 * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
 *
 * \param ctx RSA context
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param label buffer holding the custom label to use
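Review bot: The reworded `\param f_rng` line in the hunk at -275 (and the same change in the -301, -327, -393, -456, -489 and -517 hunks of rsa.h) still does not tell a caller what passing NULL does; with this commit the private operation no longer fails on a NULL f_rng but runs without blinding, and that is a side-channel-relevant choice an API comment should state rather than leave to "only needed". Suggest `* \param f_rng RNG function (Only needed for RSA_PRIVATE; if NULL the private operation runs without blinding, which is not recommended)` on each of these lines. Whether every one of these seven entry points can actually reach the private path with mode RSA_PRIVATE is not visible in this diff, so the wording may be trimmed for the verify functions if they cannot.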
@@ -393,7 +393,7 @@ int rsa_pkcs1_sign( rsa_context *ctx,
 * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
 *
 * \param ctx RSA context
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -456,7 +456,7 @@ int rsa_rsassa_pss_sign( rsa_context *ctx,
 * the message digest
 *
 * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -489,7 +489,7 @@ int rsa_pkcs1_verify( rsa_context *ctx,
 * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
 *
 * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -517,7 +517,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
 * \brief Do a public RSA and check the message digest
 *
 * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng RNG function (Only needed for RSA_PRIVATE)
 * \param p_rng RNG parameter
 * \param mode RSA_PUBLIC or RSA_PRIVATE
 * \param md_alg a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
diff --git a/library/rsa.c b/library/rsa.c
index da9833698..c39a338a3 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -267,8 +267,6 @@ int rsa_private( rsa_context *ctx,
 mpi T, T1, T2;
 mpi A, X;
 
- if( f_rng == NULL )
- return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
 mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
 mpi_init( &A ); mpi_init( &X );
@@ -283,15 +281,18 @@ int rsa_private( rsa_context *ctx,
 #if defined(POLARSSL_RSA_NO_CRT)
 MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
 #else
- /*
- * RSA Blinding
- * A = rnd MPI
- * T = A^E * T mod N
- */
- MPI_CHK( mpi_fill_random( &A, ctx->len - 1, f_rng, p_rng ) );
- MPI_CHK( mpi_exp_mod( &X, &A, &ctx->E, &ctx->N, NULL ) );
- MPI_CHK( mpi_mul_mpi( &X, &X, &T ) );
- MPI_CHK( mpi_mod_mpi( &T, &X, &ctx->N ) );
+ if( f_rng != NULL )
+ {
+ /*
+ * RSA Blinding
+ * A = rnd MPI
+ * T = A^E * T mod N
+ */
+ MPI_CHK( mpi_fill_random( &A, ctx->len - 1, f_rng, p_rng ) );
+ MPI_CHK( mpi_exp_mod( &X, &A, &ctx->E, &ctx->N, NULL ) );
+ MPI_CHK( mpi_mul_mpi( &X, &X, &T ) );
+ MPI_CHK( mpi_mod_mpi( &T, &X, &ctx->N ) );
+ }
 
 /*
 * faster decryption using the CRT
@@ -310,18 +311,21 @@ int rsa_private( rsa_context *ctx,
 MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
 
 /*
- * X = T2 + T * Q
+ * T = T2 + T * Q
 */
 MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
- MPI_CHK( mpi_add_mpi( &X, &T2, &T1 ) );
+ MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
 
- /*
- * Unblind
- * T = X / A mod N
- */
- MPI_CHK( mpi_inv_mod( &A, &A, &ctx->N ) );
- MPI_CHK( mpi_mul_mpi( &T, &X, &A ) );
- MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
+ if( f_rng != NULL )
+ {
+ /*
+ * Unblind
+ * T = T / A mod N
+ */
+ MPI_CHK( mpi_inv_mod( &A, &A, &ctx->N ) );
+ MPI_CHK( mpi_mul_mpi( &T, &T, &A ) );
+ MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
+ }
 
 #endif
 olen = ctx->len;
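Review bot: Dropping the `f_rng == NULL` guard in the -267 hunk turns a hard POLARSSL_ERR_RSA_BAD_INPUT_DATA into a silent unblinded private-key operation, so a caller that passes NULL now gets a correct result computed by the CRT exponentiation without the blinding that was there to mask its timing, and nothing in the code records that downgrade. If the optional path is intended, the blinding block in the -283 hunk should carry a comment stating the consequence, e.g. `/* No f_rng: private operation runs WITHOUT blinding (timing side channel not masked) */`, and the unblind block in the -310 hunk should say it mirrors the earlier test because it consumes the `A` that block filled, e.g. `/* Unblind only if the blinding block above ran: same f_rng test, A was set there */`. Evaluating the condition once, `int blind = ( f_rng != NULL );`, and testing `if( blind )` in both places would keep the two blocks from drifting apart in a later edit. The function's signature, its other locals and the cleanup label are outside these hunks.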