From 936f72c641c0953cc288d01de30a2dd811b5f8ac Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Sep 2017 10:56:10 +0100 Subject: [PATCH] Disable MBEDTLS_RSA_FORCE_BLINDING by default This commit disables the new MBEDTLS_RSA_FORCE_BLINDING option by default to preserve backwards compatibility. Further, it deprecates disabling to prepare for a future release in which blinding will be unconditionally enforced.
---
 include/mbedtls/config.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index d54f0c382..741ce416a 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -980,6 +980,11 @@
 * Comment this macro to allow RSA private key operations
 * without blinding.
 *
+ * \deprecated Disabling this option is deprecated and only
+ * disabled by default for backwards compatibility.
+ * Future versions of Mbed TLS will remove this
+ * option and enforce blinding unconditionally.
+ *
 * \warning Disabling this can be a security risk!
 * Blinding RSA private key operations is a way
 * to prevent statistical timing attacks as in
@@ -998,7 +1003,7 @@
 * private key operations, see the documentation
 * of \c mbedtls_rsa_private.
 */
-#define MBEDTLS_RSA_FORCE_BLINDING
+//#define MBEDTLS_RSA_FORCE_BLINDING
 
 /**
 * \def MBEDTLS_RSA_NO_CRT
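Review bot: The first sentence of the added `\deprecated` paragraph runs two statements together ("Disabling this option is deprecated and only disabled by default ..."), so a reader cannot tell whether the option itself or the act of leaving it off is deprecated. I would reword it to `\deprecated Leaving this option disabled is deprecated; it is off by default only for backwards compatibility.` and keep the two sentences about future versions as they are. It would also help to say directly that new configurations should enable the option, since the `\warning` that follows already explains the timing risk. The comment block starts and ends outside this hunk.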
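Review bot: With the define commented out in the second hunk, the shipped default permits RSA private-key operations without blinding, and nothing visible in this patch tells a build that it is on the deprecated setting the comment itself calls a security risk. Integrators who copy the default config will take the weaker behaviour without noticing, and the doc paragraph is the only signal. Consider a build-time diagnostic for the undefined case in the project's configuration checks, for example `#if !defined(MBEDTLS_RSA_FORCE_BLINDING) && defined(MBEDTLS_DEPRECATED_WARNING)` followed by `#warning "MBEDTLS_RSA_FORCE_BLINDING is disabled: RSA private key operations may run unblinded"` and `#endif`. I cannot see from this hunk whether such a check or a test configuration that enables the option already exists, so please confirm the enforced path stays covered by the test suite.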