From 2d8624dae26734f55d1bd9aaad1abefc084b2e57 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Tue, 21 Nov 2023 09:46:43 +0000
Subject: [PATCH] Extend blinding to RSA result check

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 library/rsa.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/library/rsa.c b/library/rsa.c
index c559f110ac..9dc0ec505c 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1125,8 +1125,6 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
         goto cleanup;
     }
 
-    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
-
     /*
      * Blinding
      * T = T * Vi mod N
@@ -1135,6 +1133,8 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
     MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&T, &T, &ctx->Vi));
     MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&T, &T, &ctx->N));
 
+    MBEDTLS_MPI_CHK(mbedtls_mpi_copy(&I, &T));
+
     /*
      * Exponent blinding
      */
@@ -1203,12 +1203,6 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
     MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&T, &TQ, &TP));
 #endif /* MBEDTLS_RSA_NO_CRT */
 
-    /*
-     * Unblind
-     * T = T * Vf mod N
-     */
-    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
-
     /* Verify the result to prevent glitching attacks. */
     MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&C, &T, &ctx->E,
                                         &ctx->N, &ctx->RN));
@@ -1217,6 +1211,12 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
         goto cleanup;
     }
 
+    /*
+     * Unblind
+     * T = T * Vf mod N
+     */
+    MBEDTLS_MPI_CHK(rsa_unblind(&T, &ctx->Vf, &ctx->N));
+
     olen = ctx->len;
     MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));