From 96c15b8aad15e0cb3d107ac281be215ce04241d8 Mon Sep 17 00:00:00 2001
From: Ben Laurie
Date: Tue, 18 Mar 2003 12:12:10 +0000
Subject: [PATCH] Turn on RSA blinding by default.

---
 CHANGES | 6 ++++++
 crypto/rsa/rsa_eay.c | 27 +++++++++++++++++++++++----
 crypto/rsa/rsa_lib.c | 8 +++++++-
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index ad3d0ae24b..6ab49d23a1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
 Changes between 0.9.7a and 0.9.7b [xx XXX 2003]
 
+ *) Turn on RSA blinding by default, to avoid a timing attack. Applications
+ that don't want it can call RSA_blinding_off(). They would be ill-advised
+ to do so in most cases. The automatic enabling can also be turned off
+ by defining OPENSSL_FORCE_NO_RSA_BLINDING at compile-time.
+ [Ben Laurie, Steve Henson, Geoff Thorpe]
+
 *) Fixed a typo bug that would cause ENGINE_set_default() to set an
 ENGINE as defaults for all supported algorithms irrespective of the
 'flags' parameter. 'flags' is now honoured, so applications
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 29ce4511bc..e4bcf499d0 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -195,6 +195,25 @@ err:
 return(r);
 }
 
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
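Review bot: rsa_eay_blinding only serialises the lazy creation of rsa->blinding; the BN_BLINDING_convert call that follows the helper in RSA_eay_private_encrypt and RSA_eay_private_decrypt (next hunks) still uses the shared rsa->blinding after CRYPTO_w_unlock has run, and since the blinding factor pair is updated after each use, two threads operating on the same RSA object race on that state, which this commit turns on for every RSA object by default. Holding a lock across the convert/invert pair, or giving each thread its own BN_BLINDING, would close that; the change lands outside this hunk. The unlocked `(rsa)->blinding == NULL` test in BLINDING_HELPER relies on a pointer load being atomic, which C89/C99 does not promise, so the macro deserves a comment such as `/* unlocked pre-check only: rsa_eay_blinding() re-tests under CRYPTO_LOCK_RSA; err_instr runs when RSA_blinding_on fails */`. rsa_eay_blinding itself should state that it returns 1 when blinding was already set up by another thread and 0 only when RSA_blinding_on fails.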
@@ -239,8 +258,8 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 goto err;
 }
 
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
 if (rsa->flags & RSA_FLAG_BLINDING)
 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
@@ -318,8 +337,8 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
 goto err;
 }
 
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
 if (rsa->flags & RSA_FLAG_BLINDING)
 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 889c36d3a6..f234ae0748 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -72,7 +72,13 @@ static const RSA_METHOD *default_RSA_meth=NULL;
 
 RSA *RSA_new(void)
 {
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
 }
 
 void RSA_set_default_method(const RSA_METHOD *meth)
-- 
2.25.1
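Review bot: `BLINDING_HELPER(rsa, ctx, goto err;);` passes a statement, semicolon included, as a macro argument, so the third argument has to carry its own terminator and a caller that omits it gets a confusing syntax error at the macro's closing brace; the same line appears in the RSA_eay_private_decrypt hunk below. A plain call, `if (!rsa_eay_blinding_needed(rsa, ctx)) goto err;`, with the flag-and-NULL test moved into a static inline function, reads like the surrounding `goto err` lines and lets the compiler check the arguments. Both enclosing functions start and end outside their hunks, so the `err:` cleanup the goto reaches is not visible here; presumably it releases ctx and the BIGNUMs, as the existing `goto err` lines above rely on it.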
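Review bot: `r->flags|=RSA_FLAG_BLINDING;` dereferences r without checking it, and RSA_new_method() can return NULL on allocation failure, so RSA_new() now crashes where it previously returned NULL to the caller; guard it with `if (r != NULL) r->flags|=RSA_FLAG_BLINDING;` or `if (r == NULL) return NULL;` ahead of the #ifndef. The opt-out macro tested here, OPENSSL_NO_FORCE_RSA_BLINDING, does not match the name documented in this patch's CHANGES entry, OPENSSL_FORCE_NO_RSA_BLINDING, so a build that defines the documented name still gets blinding forced on; pick one spelling for both. It is also worth a comment that only RSA_new() applies the default, which presumably leaves objects created through RSA_new_method() directly without the flag — confirm whether that is intended.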