Clarify use of blinding in RSA private key operations

commit: 9d5785be8ff5b681d7b0a0688c7fb91ce5634e9f [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Mon Nov 06 15:06:25 2017 +0000
committer: Hanno Becker <hanno.becker@arm.com> Mon Nov 06 15:06:25 2017 +0000
tree: c822c480f0826324ce59e0a3fa0378d79fc41e93
parent: 41a38dfed6cef8867b448ca5e01a3a7da16475df [diff] [blame]
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 6b2e54b..8e34e62 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h

@@ -220,7 +220,7 @@
  * \brief          Do an RSA private key operation
  *
  * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for blinding)
+ * \param f_rng    RNG function (used for blinding)
  * \param p_rng    RNG parameter
  * \param input    input buffer
  * \param output   output buffer
@@ -229,6 +229,18 @@
  *
  * \note           The input and output buffers must be large
  *                 enough (eg. 128 bytes if RSA-1024 is used).
+ *
+ * \note           Blinding is used if and only if a PRNG is provided.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, providing protection
+ *                 against some side-channel attacks.
+ *
+ * \warning        It is deprecated and a security risk to not provide
+ *                 a PRNG here and thereby prevent the use of blinding.
+ *                 Future versions of the library may enforce the presence
+ *                 of a PRNG.
+ *
  */
 int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
                  int (*f_rng)(void *, unsigned char *, size_t),
commit	9d5785be8ff5b681d7b0a0688c7fb91ce5634e9f	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Mon Nov 06 15:06:25 2017 +0000
committer	Hanno Becker <hanno.becker@arm.com>	Mon Nov 06 15:06:25 2017 +0000
tree	c822c480f0826324ce59e0a3fa0378d79fc41e93
parent	41a38dfed6cef8867b448ca5e01a3a7da16475df [diff] [blame]