author: tb <> 2023-04-05 11:30:12 +0000
committer: tb <> 2023-04-05 11:30:12 +0000
commit: e8c1a52cfab8796d0aed6aead31cc8e12c4b09d3
tree: a5d86bc2769c8a5d18b67654d35de99abf413540 /src/lib/libcrypto/dsa
parent: 2db0dca691f89b76656d40a20829357632754405
Set up the RSA's _method_mod_n before the initial blinding
As observed by Bernd Edlinger, the main part of the RSA timing leak that was recently made public is that the initial blinding isn't done with Montgomery exponentiation but rather with plain exponentiation. Pull up the initialization of the cached Montgomery context to ensure we use Montgomery exponentiation. Do this for private_{de,en}crypt(). Interestingly, the latter was fixed in OpenSSL a while ago by Andy Polyakov as part of the "smooth CRT-RSA" addition.

If this code was anything but completely insane this would never have been an issue in the first place. But it's libcrypto...

ok jsing
Diffstat (limited to 'src/lib/libcrypto/dsa')
0 files changed, 0 insertions, 0 deletions