The RSA_FLAG_NO_BLINDING and RSA_FLAG_BLINDING defines, on the other
hand, are indeed used in the code.
The openssl-0.9.7b CHANGES file has this to say:
Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
If that's true, and it works, then no one should be seeing any thread
safety problems. Thoughts?
I've had a nsopenssl 2.1a dynamically linked against openssl-0.9.7b
and running on a Dev server with no problems for a week or so now, but
it hardly gets any load at all so that doesn't prove much.
