There is a (mostly theoretical) bug in the RSA_blinding_on method in
crypto/rsa/rsa_lib.c. Specifically, the following code:
    if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
        {
        /* if PRNG is not properly seeded, resort to secret exponent as
         * unpredictable seed */
        RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
        if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
        }
    else
        {
        if (!BN_rand_range(A,rsa->n)) goto err;
        }
    /* fails (returns NULL) whenever gcd(A, n) != 1, i.e. p | A or q | A */
    if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
The problem here is that if (the randomly chosen) A happens to be
divisible by rsa->p or rsa->q, then A will have no inverse modulo
rsa->n, and the call to BN_mod_inverse in the last line above will
generate an error.
Of course, in practical applications, there is a vanishingly small
chance of this happening; I only came across this in doing some tests
using intentionally small values of p and q.
I'm attaching a patch which I believe fixes the problem, although
undoubtedly in a less than optimal fashion. Rather than picking A
between 0 and n, it first picks 0<Ap<p and 0<Aq<q, and then lets A =
Aq*p*pi + Ap*q*qi (mod n), where qi*q = 1 mod p and pi * p = 1 mod q.
- Ian
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
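As an added illustration (not part of Ian's message and not OpenSSL code), the C program below reproduces the failure mode with deliberately small primes and checks the CRT construction described in the message: every A built as Aq*p*pi + Ap*q*qi (mod n) from 0<Ap<p, 0<Aq<q is invertible mod n, whereas a uniformly chosen A in [1, n) has no inverse in exactly p+q-2 cases. The helper names mod_inverse, count_noninvertible, blinding_factor_crt and check_all_pairs are hypothetical, and p = 11, q = 13 are constructed inputs standing in for rsa->p and rsa->q.

```c
#include <stdint.h>
#include <stdio.h>

/* Extended Euclid: returns gcd(a, b) and sets *x, *y with a*x + b*y = gcd. */
static int64_t egcd(int64_t a, int64_t b, int64_t *x, int64_t *y)
{
    if (b == 0) { *x = 1; *y = 0; return a; }
    int64_t x1, y1;
    int64_t g = egcd(b, a % b, &x1, &y1);
    *x = y1;
    *y = x1 - (a / b) * y1;
    return g;
}

/* Inverse of a mod m, or 0 when gcd(a, m) != 1.
 * Returning 0 here plays the role of BN_mod_inverse returning NULL. */
int64_t mod_inverse(int64_t a, int64_t m)
{
    int64_t x, y;
    a %= m; if (a < 0) a += m;
    int64_t g = egcd(a, m, &x, &y);
    if (g != 1) return 0;
    x %= m; if (x < 0) x += m;
    return x;
}

/* Number of A in [1, n) with no inverse mod n = p*q: the multiples of p
 * and of q. This is n - phi(n) - 1 = p + q - 2 (A = 0 is excluded here;
 * it has no inverse either). The naive picker fails on exactly these. */
int64_t count_noninvertible(int64_t p, int64_t q)
{
    int64_t n = p * q, bad = 0;
    for (int64_t a = 1; a < n; a++)
        if (mod_inverse(a, n) == 0) bad++;
    return bad;
}

/* The construction from the message (hypothetical helper name):
 *   A = Aq*p*pi + Ap*q*qi (mod n), qi*q = 1 mod p, pi*p = 1 mod q.
 * Then A = Ap (mod p) and A = Aq (mod q); since 0 < Ap < p and 0 < Aq < q,
 * neither prime divides A, so gcd(A, n) = 1 and the inverse always exists.
 * Constructed inputs: requires p*q*max(p,q) to fit in int64_t. */
int64_t blinding_factor_crt(int64_t p, int64_t q, int64_t Ap, int64_t Aq)
{
    int64_t n = p * q;
    int64_t qi = mod_inverse(q, p);   /* q^-1 mod p */
    int64_t pi = mod_inverse(p, q);   /* p^-1 mod q */
    return ((Aq * p % n) * pi % n + (Ap * q % n) * qi % n) % n;
}

/* Exhaustively verify: every (Ap, Aq) pair gives an invertible A whose
 * residues mod p and mod q are Ap and Aq. Returns 1 on success, 0 otherwise. */
int check_all_pairs(int64_t p, int64_t q)
{
    int64_t n = p * q;
    for (int64_t Ap = 1; Ap < p; Ap++)
        for (int64_t Aq = 1; Aq < q; Aq++) {
            int64_t A = blinding_factor_crt(p, q, Ap, Aq);
            if (mod_inverse(A, n) == 0) return 0;
            if (A % p != Ap || A % q != Aq) return 0;
        }
    return 1;
}

int main(void)
{
    int64_t p = 11, q = 13;   /* constructed small primes, n = 143 */
    printf("A in [1,n) without inverse mod %lld: %lld (expected p+q-2 = %lld)\n",
           (long long)(p * q), (long long)count_noninvertible(p, q),
           (long long)(p + q - 2));
    printf("CRT construction invertible for all pairs: %s\n",
           check_all_pairs(p, q) ? "yes" : "no");
    return 0;
}
```

With p = 11 and q = 13 the naive picker hits a non-invertible A for 22 of the 142 candidates, which is why the problem shows up immediately in tests with tiny primes and essentially never with 512-bit ones; the CRT construction removes those candidates entirely rather than relying on their rarity.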