Yes you are right. Blinding is for timing attacks. In get_rsa_blinding in
rsa_eay.c i make change. If threads are different a new blinding is
constructed and it is attached to the rsa object. I override that codes and if
threads are different a new blinding is return but i do not attach it to the
rsa object. Here the method codes:
static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
{
BN_BLINDING *ret;
int got_write_lock = 0;
CRYPTO_r_lock(CRYPTO_LOCK_RSA);
if (rsa->blinding == NULL)
{
CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
got_write_lock = 1;
if (rsa->blinding == NULL)
rsa->blinding = RSA_setup_blinding(rsa, ctx);
}
ret = rsa->blinding;
if (ret == NULL)
goto err;
if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
{
/* rsa->blinding is ours! */
*local = 1;
}
else
{
/* resort to rsa->mt_blinding instead */
*local = 0; /* instructs rsa_blinding_convert(),
rsa_blinding_invert()
* that the BN_BLINDING is shared, meaning that
accesses
* require locks, and that the blinding factor must
be
* stored outside the BN_BLINDING
*/
#if 0
if (rsa->mt_blinding == NULL)
{
if (!got_write_lock)
{
CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
got_write_lock = 1;
}
if (rsa->mt_blinding == NULL)
rsa->mt_blinding = RSA_setup_blinding(rsa, ctx);
}
ret = rsa->mt_blinding;
#else
ret= RSA_setup_blinding(rsa, ctx);
#endif
}
err:
if (got_write_lock)
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
else
CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
return ret;
}
Then i did not get error. It is a kind of solution without closing binding.
And i think blinding is working truely.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
