Don't use DH blinding for ephemeral DH
diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 4874bc8..09de70b 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -228,7 +228,12 @@
* \return 0 if successful, or an POLARSSL_ERR_DHM_XXX error code
*
* \note If f_rng is not NULL, it is used to blind the input as
- * countermeasure against timing attacks.
+ * countermeasure against timing attacks. This is only useful
+ * when this function is called repeatedly with the same
+ * secret value (X field), eg when using DH key exchange as
+ * opposed to DHE. It is recommended to use a non-NULL f_rng
+ * only when needed, since otherwise this countermeasure has
+ * high overhead.
*/
int dhm_calc_secret( dhm_context *ctx,
unsigned char *output, size_t *olen,
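Review bot: The added note ties the decision to "DH key exchange as opposed to DHE", but the condition that matters for the timing countermeasure is whether the X field is reused across calls, which the protocol name alone does not guarantee. A caller that keeps one context, or caches an ephemeral key, across several DHE handshakes would still need blinding, and the current wording could lead it to pass NULL; whether any caller does this is not visible in this hunk. I would state the rule in terms of X, for example `Pass a non-NULL f_rng whenever the same X may be used for more than one call, including a DHE key that is cached or reused across handshakes.` and spell "eg" as "e.g.". The declaration of dhm_calc_secret continues past the end of the hunk, so the f_rng parameter documentation itself is not shown here.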