@@ -561,7 +561,13 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
561561 goto err ;
562562 }
563563
564- if (!(rsa -> flags & RSA_FLAG_NO_BLINDING )) {
564+ /* We cannot do blinding or verification without |e|, and continuing without
565+ * those countermeasures is dangerous. However, the Java/Android RSA API
566+ * requires support for keys where only |d| and |n| (and not |e|) are known.
567+ * The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. */
568+ int disable_security = (rsa -> flags & RSA_FLAG_NO_BLINDING ) && rsa -> e == NULL ;
569+
570+ if (!disable_security ) {
565571 /* Keys without public exponents must have blinding explicitly disabled to
566572 * be used. */
567573 if (rsa -> e == NULL ) {
@@ -605,20 +611,16 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
605611 * works when the CRT isn't used. That attack is much less likely to succeed
606612 * than the CRT attack, but there have likely been improvements since 1997.
607613 *
608- * This check is very cheap assuming |e| is small; it almost always is.
609- *
610- * XXX: It's unfortunate that we don't do this check when |rsa->e == NULL|. */
611- if (rsa -> e != NULL ) {
614+ * This check is cheap assuming |e| is small; it almost always is. */
615+ if (!disable_security ) {
612616 BIGNUM * vrfy = BN_CTX_get (ctx );
613617 if (vrfy == NULL ||
614618 !BN_mod_exp_mont (vrfy , result , rsa -> e , rsa -> n , ctx , rsa -> mont_n ) ||
615619 !BN_equal_consttime (vrfy , f )) {
616620 OPENSSL_PUT_ERROR (RSA , ERR_R_INTERNAL_ERROR );
617621 goto err ;
618622 }
619- }
620623
621- if (blinding ) {
622624 if (!BN_BLINDING_invert (result , blinding , rsa -> mont_n , ctx )) {
623625 goto err ;
624626 }
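Review bot: The verification block at new line 615 drops the old `if (blinding)` guard before `BN_BLINDING_invert` and now relies on `blinding` being non-NULL whenever `disable_security` is false, but the code that acquires `blinding` sits between the two hunks, outside this view, so the invariant is consumed far from where it is established; an `assert(blinding != NULL);` (or a one-line comment) at the top of the `if (!disable_security)` block would make that dependency explicit. The comment above the check also lost the old XXX note without gaining a replacement that says when the check is skipped; I would add `/* Skipped only for |e|-less keys whose caller opted in via RSA_FLAG_NO_BLINDING. */` so a reader does not assume every private operation is verified. Note that after the first hunk (new line 568) RSA_FLAG_NO_BLINDING is honored only when `rsa->e == NULL`, which silently changes the flag's meaning for callers that set it on a full key; the flag's public documentation should be updated to state that blinding and verification are now always performed when |e| is present. rsa_default_private_transform begins and ends outside these hunks.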