authorAnders Sundman <anders@4zm.org>2011-05-19 19:55:12 +0200
committerAnders Sundman <anders@4zm.org>2011-05-19 19:55:12 +0200
commite226cd7f963d2c21c839071d10ed3102b758fdf6 (patch)
treee3b0c6ade1c88dacb0406dfc23870667868a3c28 /lib/Crypto/PublicKey
parent606b17789c1869597466c714134f138c51b938f5 (diff)
parent4669b04c6f9e4cb895abd227dffc7f6718425a70 (diff)
downloadpycrypto-e226cd7f963d2c21c839071d10ed3102b758fdf6.tar.gz
Merge from dlitz/master
Diffstat (limited to 'lib/Crypto/PublicKey')
-rw-r--r--lib/Crypto/PublicKey/RSA.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/lib/Crypto/PublicKey/RSA.py b/lib/Crypto/PublicKey/RSA.py
index d95f2cf..0e0f2a1 100644
--- a/lib/Crypto/PublicKey/RSA.py
+++ b/lib/Crypto/PublicKey/RSA.py
@@ -33,6 +33,9 @@ if sys.version_info[0] == 2 and sys.version_info[1] == 1:
from Crypto.Util.py21compat import *
from Crypto.Util.py3compat import *
+
+from Crypto.Util.number import getRandomRange
+
from Crypto.PublicKey import _RSA, _slowmath, pubkey
from Crypto import Random
@@ -47,9 +50,12 @@ except ImportError:
class _RSAobj(pubkey.pubkey):
keydata = ['n', 'e', 'd', 'p', 'q', 'u']
- def __init__(self, implementation, key):
+ def __init__(self, implementation, key, randfunc=None):
self.implementation = implementation
self.key = key
+ if randfunc is None:
+ randfunc = Random.new().read
+ self._randfunc = randfunc
def __getattr__(self, attrname):
if attrname in self.keydata:
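Review bot: The new `randfunc` parameter carries a security contract that nothing in the hunk states: its output becomes the RSA blinding factor, so a predictable or caller-supplied PRNG silently disables the timing-attack countermeasure. I would document it at the top of `__init__`, e.g. `# randfunc: CSPRNG-quality read(n) -> n bytes; it seeds the blinding factor used by decrypt(), so a weak source defeats the side-channel protection.` and note that the default is a per-object `Random.new().read` stream created once at construction. A cheap guard such as `if not callable(randfunc): raise TypeError("randfunc must be callable")` would also turn a mis-passed argument into an error at construction rather than at the first decrypt. The class body continues outside the hunk.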
@@ -68,7 +74,16 @@ class _RSAobj(pubkey.pubkey):
# instead, but this is more compatible and we're
# going to replace the Crypto.PublicKey API soon
# anyway.
- return self.key._decrypt(ciphertext)
+
+ # Blinded RSA decryption (to prevent timing attacks):
+ # Step 1: Generate random secret blinding factor r, such that 0 < r < n-1
+ r = getRandomRange(1, self.key.n-1, randfunc=self._randfunc)
+ # Step 2: Compute c' = c * r**e mod n
+ cp = self.key._blind(ciphertext, r)
+ # Step 3: Compute m' = c'**d mod n (ordinary RSA decryption)
+ mp = self.key._decrypt(cp)
+ # Step 4: Compute m = m**(r-1) mod n
+ return self.key._unblind(mp, r)
def _blind(self, m, r):
return self.key._blind(m, r)
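Review bot: The Step 4 comment misstates the unblinding formula: after `_decrypt`, `mp` equals `m * r mod n`, and the plaintext is recovered as `m = m' * r**-1 mod n`, not `m**(r-1) mod n`, so the comment should read `# Step 4: Compute m = m' * r**-1 mod n (unblind)`. The Step 1 comment is also slightly off against the call on the line below it: `getRandomRange(1, self.key.n-1, ...)` draws from a half-open range, so r lies in `1 <= r <= n-2` and the comment should say so. Unblinding additionally requires `gcd(r, n) == 1`; the probability of drawing a non-invertible r is negligible for a well-formed modulus, but what `_unblind` does in that case is outside this hunk and worth a sentence in the comment. Finally, the countermeasure is only as strong as `self._randfunc` — a note here that a predictable blinding factor makes the blinding pointless would help maintainers who override it.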