boringssl

History

Brian Smith 86361a3910 Require the public exponent to be available in RSA blinding. Require the public exponent to be available unless \|RSA_FLAG_NO_BLINDING\| is set on the key. Also, document this. If the public exponent \|e\| is not available, then we could compute it from \|p\|, \|q\|, and \|d\|. However, there's no reasonable situation in which we'd have \|p\| or \|q\| but not \|e\|; either we have all the CRT parameters, or we have (e, d, n), or we have only (d, n). The calculation to compute \|e\| exposes the private key to risk of side channel attacks. Also, it was particularly wasteful to compute \|e\| for each \|BN_BLINDING\| created, instead of just once before the first \|BN_BLINDING\| was created. \|BN_BLINDING\| now no longer needs to contain a duplicate copy of \|e\|, so it is now more space-efficient. Note that the condition \|b->e != NULL\| in \|bn_blinding_update\| was always true since commit `cbf56a5683`. Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4 Reviewed-on: https://boringssl-review.googlesource.com/7594 Reviewed-by: David Benjamin <davidben@google.com>	2016-04-18 23:34:46 +00:00
..
openssl	Require the public exponent to be available in RSA blinding.	2016-04-18 23:34:46 +00:00

Brian Smith 86361a3910 Require the public exponent to be available in RSA blinding.

Require the public exponent to be available unless
|RSA_FLAG_NO_BLINDING| is set on the key. Also, document this.

If the public exponent |e| is not available, then we could compute it
from |p|, |q|, and |d|. However, there's no reasonable situation in
which we'd have |p| or |q| but not |e|; either we have all the CRT
parameters, or we have (e, d, n), or we have only (d, n). The
calculation to compute |e| exposes the private key to risk of side
channel attacks.

Also, it was particularly wasteful to compute |e| for each
|BN_BLINDING| created, instead of just once before the first
|BN_BLINDING| was created.

|BN_BLINDING| now no longer needs to contain a duplicate copy of |e|,
so it is now more space-efficient.

Note that the condition |b->e != NULL| in |bn_blinding_update| was
always true since commit cbf56a5683.

Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4
Reviewed-on: https://boringssl-review.googlesource.com/7594
Reviewed-by: David Benjamin <davidben@google.com>

2016-04-18 23:34:46 +00:00

openssl Require the public exponent to be available in RSA blinding. 2016-04-18 23:34:46 +00:00