File 0001-engine-Enable-RSA-blinding-and-offload-bli... of Package openssl-ibmca

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-engine-Enable-RSA-blinding-and-offload-blinding-setu.patch of Package openssl-ibmca

From f8de68aa5edd882c6ec7393fb88b8298f7b6d1e1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 22 Mar 2023 09:53:23 +0100
Subject: [PATCH] engine: Enable RSA blinding and offload blinding setup to
 libica

For whatever reason RSA blinding was disabled for the IBMCA engine. One
possible reason is that setting up the blinding factors also requires a
mod-expo operation, and this operation does not get offloaded to libica,
unless a Montgomery context for the public key (modulus) was setup before.

Do no longer disable blinding, but make sure that the Montgomery contexts
for the public and private keys are cached, like it is done without an
engine. That way the mod-expo operation used for setting up the blinding
context is also offloaded via ibmca_mod_exp().

Note: Due to a bug in OpenSSL code, the offloading of the mod-expo for the
blinding setup does currently not work for private decrypt operations, but
only for private encrypt (signature create) operations. Once that bug is fixed
in OpenSSL, it will also work for private decrypt operations without an
additional change in the IBMCA engine.
Related OpenSSL issue: https://github.com/openssl/openssl/issues/20579

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
 src/ibmca_rsa.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/ibmca_rsa.c b/src/ibmca_rsa.c
index 9467ab9..4f9f8b1 100644
--- a/src/ibmca_rsa.c
+++ b/src/ibmca_rsa.c
@@ -295,7 +295,16 @@ end:
 
 static int ibmca_rsa_init(RSA * rsa)
 {
-    RSA_blinding_off(rsa);
+    /*
+     * Ensure that the MONT_CTXs for public and private keys are cached.
+     * This enables that ibmca_mod_exp_mont() is also called during
+     * (re-)setup of the RSA blinding factors.
+     */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    RSA_set_flags(rsa, RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
+#else
+    rsa->flags |= RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
+#endif
 
     return 1;
 }
-- 
2.16.2.windows.1

Places

File 0001-engine-Enable-RSA-blinding-and-offload-blinding-setu.patch of Package openssl-ibmca

Places