From d730aa517a8dec8fe42643cb613256183346a963 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 12 Nov 2014 16:21:24 +0100 Subject: [PATCH] Use blinding for RSA even without CRT --- ChangeLog | 5 +++++ library/rsa.c | 26 ++++++++++---------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0c955a5bb..a547e263f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ PolarSSL ChangeLog += Version 1.2.z released not yet + +Changes + * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined. + = Version 1.2.12 released 2014-10-24 Security diff --git a/library/rsa.c b/library/rsa.c index 75e7a9aed..c7e9ae026 100644 --- a/library/rsa.c +++ b/library/rsa.c 
@@ -276,41 +276,35 @@ int rsa_private( rsa_context *ctx, return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); } -#if defined(POLARSSL_RSA_NO_CRT) - ((void) f_rng); - ((void) p_rng); - MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); -#else + /* + * Blinding: T = T * Vi mod N + */ if( f_rng != NULL ) { int count = 0; - /* - * Blinding - * T = T * Vi mod N - */ - /* Unblinding value: Vf = random number */ + /* Unblinding value: Vf = random number relatively prime to N */ do { if( count++ > 10 ) return( POLARSSL_ERR_RSA_RNG_FAILED ); + /* Use Vi as a temporary variable here */ MPI_CHK( mpi_fill_random( &Vf, ctx->len - 1, f_rng, p_rng ) ); MPI_CHK( mpi_gcd( &Vi, &Vf, &ctx->N ) ); } while( mpi_cmp_int( &Vi, 1 ) != 0 ); - /* Mathematically speaking, the algorithm should check Vf - * against 0, P and Q (Vf should be relatively prime to N, and 0 < Vf < N), - * so that Vf^-1 exists. - */ - /* Blinding value: Vi = Vf^(-e) mod N */ MPI_CHK( mpi_inv_mod( &Vi, &Vf, &ctx->N ) ); MPI_CHK( mpi_exp_mod( &Vi, &Vi, &ctx->E, &ctx->N, &ctx->RN ) ); + /* Apply blinding */ MPI_CHK( mpi_mul_mpi( &T, &T, &Vi ) ); MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); } +#if defined(POLARSSL_RSA_NO_CRT) + MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); +#else /* * faster decryption using the CRT * @@ -332,6 +326,7 @@ int rsa_private( rsa_context *ctx, */ MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) ); MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) ); +#endif /* POLARSSL_RSA_NO_CRT */ if( f_rng != NULL ) { @@ -342,7 +337,6 @@ int rsa_private( rsa_context *ctx, MPI_CHK( mpi_mul_mpi( &T, &T, &Vf ) ); MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) ); } -#endif olen = ctx->len; MPI_CHK( mpi_write_binary( &T, output, olen ) );
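Review bot: The blinding block in the first hunk still runs only when `f_rng != NULL`, so a POLARSSL_RSA_NO_CRT caller that passes a NULL RNG (previously harmless, since `f_rng` and `p_rng` were cast to void) still performs a bare `mpi_exp_mod` with `ctx->D` and gets no timing protection, which the ChangeLog wording "Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined" does not convey; the `rsa_private` header documentation should say so explicitly, e.g. `/* Blinding is applied only when f_rng is non-NULL; passing NULL leaves the private exponentiation exposed to timing attacks. */`. Separately, the `return( POLARSSL_ERR_RSA_RNG_FAILED )` inside the retry loop is now reached in every build and bypasses the error path the surrounding `MPI_CHK` calls presumably route to (a `cleanup` label outside the hunk), so `T`, `Vi` and `Vf` are never freed on that path; `ret = POLARSSL_ERR_RSA_RNG_FAILED; goto cleanup;` would be the consistent form if that label exists. The declarations and `mpi_init`/`mpi_free` of `Vi` and `Vf` are also outside the hunk; if they were guarded by `!defined(POLARSSL_RSA_NO_CRT)` in 1.2.12, they must become unconditional or the NO_CRT build will not compile. `rsa_private` begins before and ends after this hunk.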