Commit 5970d480 authored by Andy Polyakov's avatar Andy Polyakov Committed by Matt Caswell

rsa/rsa_ossl.c: cache MONT_CTX for public modulus earlier.



Blinding is performed more efficiently and securely if the MONT_CTX for the public
modulus is available by the time the blinding parameters are instantiated, so
make sure that is the case.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7586)

(cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575)
parent 49fabf6b
+5 −7
@@ -286,6 +286,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
        goto err;
    }

    if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
                                    rsa->n, ctx))
            goto err;

    if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
        blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
        if (blinding == NULL) {
@@ -318,13 +323,6 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
        }
        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);

        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
            if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
                                        rsa->n, ctx)) {
                BN_free(d);
                goto err;
            }

        if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
                                   rsa->_method_mod_n)) {
            BN_free(d);
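Review bot: The Montgomery context is still populated only under `RSA_FLAG_CACHE_PUBLIC`, so for a key without that flag `rsa->_method_mod_n` is still NULL when `rsa_get_blinding` runs and the blinding setup the commit message calls more efficient and secure is presumably not taken; nothing at the new call site in the first hunk makes that ordering dependency visible. A comment on the added block would make it deliberate, e.g. `/* Set rsa->_method_mod_n before rsa_get_blinding(): blinding setup uses the cached MONT_CTX when present */`. The plain `goto err` (without the `BN_free(d)` the removed copy needed) looks correct here since `d` is not allocated until later, assuming `err:` still releases `ctx` and the buffers as before. rsa_ossl_private_encrypt starts and ends outside the hunk.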