From 3bf7b2e9d08a467ea2298c99b1328391a5298bf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Tue, 14 Apr 2020 18:55:37 +0200
Subject: [PATCH] Choose blinding factor relatively prime to N

This is a requirement for RSA blinding, but wasn't implemented yet.
---
 CHANGELOG.txt | 10 ++++++----
 rsa/key.py | 11 +++++++++--
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 3a12e64..2704e69 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -4,11 +4,13 @@ Python-RSA changelog
 Version 4.3 - released 2020-06-12
 ----------------------------------------
 
-Version 4.3 is a re-tagged release of version 4.0. It is the last to support
-Python 2.7. This is now made explicit in the `python_requires` argument in
-`setup.py`.
+Version 4.3 is almost a re-tagged release of version 4.0. It is the last to
+support Python 2.7. This is now made explicit in the `python_requires` argument
+in `setup.py`.
 
-There are no functional differences.
+Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes.
+
+- Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out.
 
 Version 4.0 - released 2018-09-16
 
diff --git a/rsa/key.py b/rsa/key.py
index 1004412..1e2f6fe 100644
--- a/rsa/key.py
+++ b/rsa/key.py
@@ -417,6 +417,13 @@ def __ne__(self, other):
     def __hash__(self):
         return hash((self.n, self.e, self.d, self.p, self.q, self.exp1, self.exp2, self.coef))
 
+    def _get_blinding_factor(self):
+        for _ in range(1000):
+            blind_r = rsa.randnum.randint(self.n - 1)
+            if rsa.prime.are_relatively_prime(self.n, blind_r):
+                return blind_r
+        raise RuntimeError('unable to find blinding factor')
+
     def blinded_decrypt(self, encrypted):
         """Decrypts the message using blinding to prevent side-channel attacks.
 
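Review bot: `_get_blinding_factor` is added without a docstring, so its contract (the range of the result, the 1000-attempt bound and the RuntimeError) can only be read from the body. A docstring such as `"""Return a random blinding factor that is relatively prime to n. Raises RuntimeError if 1000 random candidates are all rejected."""` would cover it, and the bare `1000` is clearer as a named constant (e.g. `_MAX_BLINDING_ATTEMPTS = 1000` at module level). The rejection test also excludes 0 (gcd(n, 0) == n) but accepts 1, which blinds nothing; for a realistic modulus the chance of drawing 1 is negligible, but whether the lower bound of `rsa.randnum.randint` is 0 or 1 is not visible here and should be confirmed before the docstring states a range. Exhausting all attempts is practically impossible when n is a product of two large primes (a candidate shares a factor with n with probability roughly 1/p + 1/q), so the error really indicates a degenerate key rather than bad luck, which is worth saying in the exception message.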
@@ -427,7 +434,7 @@ def blinded_decrypt(self, encrypted):
         :rtype: int
         """
 
-        blind_r = rsa.randnum.randint(self.n - 1)
+        blind_r = self._get_blinding_factor()
         blinded = self.blind(encrypted, blind_r)  # blind before decrypting
         decrypted = rsa.core.decrypt_int(blinded, self.d, self.n)
 
@@ -443,7 +450,7 @@ def blinded_encrypt(self, message):
         :rtype: int
         """
 
-        blind_r = rsa.randnum.randint(self.n - 1)
+        blind_r = self._get_blinding_factor()
         blinded = self.blind(message, blind_r)  # blind before encrypting
         encrypted = rsa.core.encrypt_int(blinded, self.d, self.n)
         return self.unblind(encrypted, blind_r)
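Review bot: Both `blinded_decrypt` (this hunk) and `blinded_encrypt` (the following hunk) now call `_get_blinding_factor()`, which can raise RuntimeError, but the visible docstrings only document `:rtype: int`. Add `:raises RuntimeError: if no blinding factor relatively prime to n could be found` below `:rtype: int` in both docstrings so callers learn the new failure mode. The coprimality requirement is presumably what makes the later `unblind` step (outside the hunk) well-defined, since a modular inverse of `blind_r` mod n exists only when the gcd is 1; the existing `# blind before decrypting` comment could say so, e.g. `# blind_r is coprime to n, so unblind() can invert it`. `blinded_decrypt`'s body continues past the end of its hunk; `blinded_encrypt` ends with the `return` shown.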