boringssl/crypto/rsa
Brian Smith 86361a3910 Require the public exponent to be available in RSA blinding.
Require the public exponent to be available unless
|RSA_FLAG_NO_BLINDING| is set on the key. Also, document this.

If the public exponent |e| is not available, then we could compute it
from |p|, |q|, and |d|. However, there's no reasonable situation in
which we'd have |p| or |q| but not |e|; either we have all the CRT
parameters, or we have (e, d, n), or we have only (d, n). The
calculation to compute |e| exposes the private key to risk of side
channel attacks.

Also, it was particularly wasteful to compute |e| for each
|BN_BLINDING| created, instead of just once before the first
|BN_BLINDING| was created.

|BN_BLINDING| now no longer needs to contain a duplicate copy of |e|,
so it is now more space-efficient.

Note that the condition |b->e != NULL| in |bn_blinding_update| was
always true since commit cbf56a5683.

Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4
Reviewed-on: https://boringssl-review.googlesource.com/7594
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 23:34:46 +00:00
blinding.c Require the public exponent to be available in RSA blinding. 2016-04-18 23:34:46 +00:00
CMakeLists.txt
internal.h Require the public exponent to be available in RSA blinding. 2016-04-18 23:34:46 +00:00
padding.c Make local functions static. 2016-03-20 16:37:58 +00:00
rsa_asn1.c Fix i2d_RSAPrivateKey, i2d_RSAPublicKey memory leaks 2016-03-07 15:48:21 +00:00
rsa_impl.c Require the public exponent to be available in RSA blinding. 2016-04-18 23:34:46 +00:00
rsa_test.cc Remove some easy obj.h dependencies. 2016-03-31 20:50:33 +00:00
rsa.c Use |memcmp| instead of |CRYPTO_memcmp| in |RSA_verify|. 2016-04-18 20:42:22 +00:00