ec3cb3adbc
Yo dawg I herd you like blinding so I put inversion blinding in your RSA blinding so you can randomly mask your random mask. This improves upon the current situation where we pretend that |BN_mod_inverse_no_branch| is constant-time, and it avoids the need to exert a lot of effort to make a actually-constant-time modular inversion function just for RSA blinding. Note that if the random number generator weren't working correctly then the blinding of the inversion wouldn't be very effective, but in that case the RSA blinding itself would probably be completely busted, so we're not really losing anything by relying on blinding to blind the blinding. Change-Id: I771100f0ad8ed3c24e80dd859ec22463ef2a194f Reviewed-on: https://boringssl-review.googlesource.com/8923 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> |
||
|---|---|---|
| .. | ||
| blinding.c | ||
| CMakeLists.txt | ||
| internal.h | ||
| padding.c | ||
| rsa_asn1.c | ||
| rsa_impl.c | ||
| rsa_test.cc | ||
| rsa.c | ||