make sure RSA blinding works when the PRNG is not properly seeded;

enable it automatically for the built-in engine

1 files changed, 17 insertions, 4 deletions

diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 889c36d3a6..33ca8330c9 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -72,7 +72,9 @@ static const RSA_METHOD *default_RSA_meth=NULL;
 
 RSA *RSA_new(void)
 	{
-	return(RSA_new_method(NULL));
+	RSA *r=RSA_new_method(NULL);
+
+	return r;
 	}
 
 void RSA_set_default_method(const RSA_METHOD *meth)
@@ -307,7 +309,8 @@ void RSA_blinding_off(RSA *rsa)
 		BN_BLINDING_free(rsa->blinding);
 		rsa->blinding=NULL;
 		}
-	rsa->flags&= ~RSA_FLAG_BLINDING;
+	rsa->flags &= ~RSA_FLAG_BLINDING;
+	rsa->flags |= RSA_FLAG_NO_BLINDING;
 	}
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -328,13 +331,23 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
 
 	BN_CTX_start(ctx);
 	A = BN_CTX_get(ctx);
-	if (!BN_rand_range(A,rsa->n)) goto err;
+	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+		{
+		/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+		if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+		}
+	else
+		{
+		if (!BN_rand_range(A,rsa->n)) goto err;
+		}
 	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
 	if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
 	    goto err;
 	rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
-	rsa->flags|=RSA_FLAG_BLINDING;
+	rsa->flags |= RSA_FLAG_BLINDING;
+	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
 	BN_free(Ai);
 	ret=1;
 err: