author | Matt Johnston <matt@ucc.asn.au> | 2005-07-08 13:19:10 +0000 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2005-07-08 13:19:10 +0000 |
commit | 8f75480ebc3578529a55a717577100ea7ce8bf47 (patch) | |
tree | 55a6d384a48745a96325ea75a03156b9b5e7fe78 | |
parent | 975b94c5f2f5bbb8aa455445ffb26092d01568e5 (diff) |
* move RSA_BLINDING to options.h
--HG--
extra : convert_revision : e3f32a86aafc1d806b2bee9405020368f9706d85
-rw-r--r-- | options.h | 5 | ||||
-rw-r--r-- | rsa.c | 1 |
2 files changed, 5 insertions, 1 deletions
@@ -90,6 +90,11 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */ #define DROPBEAR_RSA #define DROPBEAR_DSS +/* RSA can be vulnerable to timing attacks which use the time required for + * signing to guess the private key. Blinding avoids this attack, though makes + * signing operations slightly slower. */ +#define RSA_BLINDING + /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss, * rather than just from the random byte source. Undefining this will save you * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed @@ -275,7 +275,6 @@ void buf_put_rsa_sign(buffer* buf, rsa_key *key, const unsigned char* data, /* the actual signing of the padded data */ -#define RSA_BLINDING #ifdef RSA_BLINDING /* With blinding, s = (r^(-1))((em)*r^e)^d mod n */ |
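Review bot: The new comment above `#define RSA_BLINDING` in options.h presents blinding only as a speed tradeoff and does not tell the reader that undefining it is a security regression, which matters now that the setting has moved out of rsa.c into a user-editable configuration header. I would extend the comment with a sentence such as `Leave this defined unless signing time is not observable by any other party; without it the private host key may be recoverable from timing measurements.` In the rsa.c hunk, buf_put_rsa_sign now falls through to the unblinded path whenever RSA_BLINDING is not defined, which presumably also happens if options.h is not pulled in before this point, so it is worth confirming that rsa.c includes options.h (directly or via its includes), since the hunk does not show that. buf_put_rsa_sign starts and ends outside the hunk.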