Blinding RSA only active when f_rng is provided
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index 5bc6881..4e85ca6 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -275,7 +275,7 @@
  *                 the message padding
  *
  * \param ctx      RSA context
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param olen     will contain the plaintext length
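Review bot: The reworded `f_rng` line does not tell callers what passing NULL now means. Per the library/rsa.c change in this same commit, a NULL `f_rng` no longer returns an error in the private operation; the blinding step is simply skipped. I would state that consequence in the parameter text, e.g. `\param f_rng    RNG function (used for blinding in RSA_PRIVATE mode; if NULL, blinding is disabled)`, and add a `\note` that unblinded private-key operations lose the timing side-channel countermeasure. The same applies to the six other `f_rng` lines changed in this file (the hunks at 301, 327, 393, 456, 489 and 517). The doc comment itself starts and ends outside this hunk.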
@@ -301,7 +301,7 @@
  * \brief          Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
  *
  * \param ctx      RSA context
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param olen     will contain the plaintext length
@@ -327,7 +327,7 @@
  * \brief          Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
  *
  * \param ctx      RSA context
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param label    buffer holding the custom label to use
@@ -393,7 +393,7 @@
  * \brief          Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
  *
  * \param ctx      RSA context
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param md_alg   a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -456,7 +456,7 @@
  *                 the message digest
  *
  * \param ctx      points to an RSA public key
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param md_alg   a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -489,7 +489,7 @@
  * \brief          Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
  *
  * \param ctx      points to an RSA public key
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param md_alg   a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
@@ -517,7 +517,7 @@
  * \brief          Do a public RSA and check the message digest
  *
  * \param ctx      points to an RSA public key
- * \param f_rng    RNG function (Only required for RSA_PRIVATE)
+ * \param f_rng    RNG function (Only needed for RSA_PRIVATE)
  * \param p_rng    RNG parameter
  * \param mode     RSA_PUBLIC or RSA_PRIVATE
  * \param md_alg   a POLARSSL_MD_* (use POLARSSL_MD_NONE for signing raw data)
diff --git a/library/rsa.c b/library/rsa.c
index da98336..c39a338 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -267,8 +267,6 @@
     mpi T, T1, T2;
     mpi A, X;
 
-    if( f_rng == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
     mpi_init( &A ); mpi_init( &X );
@@ -283,15 +281,18 @@
 #if defined(POLARSSL_RSA_NO_CRT)
     MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
 #else
-    /*
-     * RSA Blinding
-     * A = rnd MPI
-     * T = A^E * T mod N
-     */
-    MPI_CHK( mpi_fill_random( &A, ctx->len - 1, f_rng, p_rng ) );
-    MPI_CHK( mpi_exp_mod( &X, &A, &ctx->E, &ctx->N, NULL ) );
-    MPI_CHK( mpi_mul_mpi( &X, &X, &T ) );
-    MPI_CHK( mpi_mod_mpi( &T, &X, &ctx->N ) );
+    if( f_rng != NULL )
+    {
+        /*
+         * RSA Blinding
+         * A = rnd MPI
+         * T = A^E * T mod N
+         */
+        MPI_CHK( mpi_fill_random( &A, ctx->len - 1, f_rng, p_rng ) );
+        MPI_CHK( mpi_exp_mod( &X, &A, &ctx->E, &ctx->N, NULL ) );
+        MPI_CHK( mpi_mul_mpi( &X, &X, &T ) );
+        MPI_CHK( mpi_mod_mpi( &T, &X, &ctx->N ) );
+    }
 
     /*
      * faster decryption using the CRT
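Review bot: The new `if( f_rng != NULL )` guard makes blinding fail open, because this commit also removes the `f_rng == NULL` rejection earlier in the function. A caller that passes NULL now gets an unblinded CRT private-key operation with no error or diagnostic. Blinding is the countermeasure against timing analysis of the private exponentiation, so I would say so at the guard, e.g. `/* f_rng == NULL: blinding is skipped; the private operation is then not protected against timing attacks */`. It is also worth confirming that every in-library caller of the private operation passes an RNG, which is not visible here. The unblind step in the following hunk repeats the same `f_rng != NULL` test, and the two must stay paired because unblinding reads `A`, which is only filled in by this block. The function body starts and ends outside the hunk.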
@@ -310,18 +311,21 @@
     MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
 
     /*
-     * X = T2 + T * Q
+     * T = T2 + T * Q
      */
     MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
-    MPI_CHK( mpi_add_mpi( &X, &T2, &T1 ) );
+    MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
 
-    /*
-     * Unblind
-     * T = X / A mod N
-     */
-    MPI_CHK( mpi_inv_mod( &A, &A, &ctx->N ) );
-    MPI_CHK( mpi_mul_mpi( &T, &X, &A ) );
-    MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
+    if( f_rng != NULL )
+    {
+        /*
+         * Unblind
+         * T = T / A mod N
+         */
+        MPI_CHK( mpi_inv_mod( &A, &A, &ctx->N ) );
+        MPI_CHK( mpi_mul_mpi( &T, &T, &A ) );
+        MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
+    }
 #endif
 
     olen = ctx->len;