Forum OpenACS Q&A: RSA blinding in openssl-0.9.7b is supposedly thread-safe

Collapse
Posted by Andrew Piskorski on
The RSA_FLAG_NO_BLINDING and RSA_FLAG_BLINDING defines, on the other hand, are indeed used in the code.

The openssl-0.9.7b CHANGES file has this to say:

Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]   

 *) Turn on RSA blinding by default in the default implementation 
    to avoid a timing attack. Applications that don't want it can call 
    RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 
    They would be ill-advised to do so in most cases. 
    [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] 

 *) Change RSA blinding code so that it works when the PRNG is not 
    seeded (in this case, the secret RSA exponent is abused as 
    an unpredictable seed -- if it is not unpredictable, there 
    is no point in blinding anyway).  Make RSA blinding thread-safe 
    by remembering the creator's thread ID in rsa->blinding and 
    having all other threads use local one-time blinding factors 
    (this requires more computation than sharing rsa->blinding, but 
    avoids excessive locking; and if an RSA object is not shared 
    between threads, blinding will still be very fast). 
    [Bodo Moeller]

If that's true, and it works, then no one should be seeing any thread safety problems. Thoughts?

I've had a nsopenssl 2.1a dynamically linked against openssl-0.9.7b and running on a Dev server with no problems for a week or so now, but it hardly gets any load at all so that doesn't prove much.

A Google groups search seems to show that the OpenSSL folks do indeed believe that the RSA blinding thread-safety issues were fixed back in April.