Improve documentation on the use of blinding in RSA

commit: 26f1f6061deabc15400835d278763cadb39aad71 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Fri Mar 09 10:47:30 2018 +0000
committer: Hanno Becker <hanno.becker@arm.com> Fri Mar 09 10:47:30 2018 +0000
tree: 51d567ddc0592a3768fdee96dc35f046e54ce062
parent: e856e84de3990ea3f6da009b05cbf0270e80724d [diff] [blame]
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index fb2f77f..5548f3c 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h

@@ -518,6 +518,18 @@
  *
  * \note           The input and output buffers must be large
  *                 enough. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           Blinding is used if and only if a PRNG is provided.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, providing protection
+ *                 against some side-channel attacks.
+ *
+ * \warning        It is deprecated and a security risk to not provide
+ *                 a PRNG here and thereby prevent the use of blinding.
+ *                 Future versions of the library may enforce the presence
+ *                 of a PRNG.
+ *
  */
 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
                  int (*f_rng)(void *, unsigned char *, size_t),
commit	26f1f6061deabc15400835d278763cadb39aad71	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Fri Mar 09 10:47:30 2018 +0000
committer	Hanno Becker <hanno.becker@arm.com>	Fri Mar 09 10:47:30 2018 +0000
tree	51d567ddc0592a3768fdee96dc35f046e54ce062
parent	e856e84de3990ea3f6da009b05cbf0270e80724d [diff] [blame]