From: Andy Polyakov <appro@openssl.org>
Date: Wed, 7 Nov 2018 21:07:22 +0000 (+0100)
Subject: rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier.
X-Git-Tag: OpenSSL_1_0_2r~26
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=23bfb5b556a4e534fd61fb30719851d4b7b1fc82

rsa/rsa_eay.c: cache MONT_CTX for public modulus earlier.

Blinding is performed more efficiently and securely if MONT_CTX for public
modulus is available by the time blinding parameter are instantiated. So
make sure it's the case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

(manually cherry picked from commit 2cc3f68cde77af23c61fbad65470602ee86f2575)

(Merged from https://github.com/openssl/openssl/pull/7586)
---

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index be948a4cf8..1155583d88 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -397,6 +397,11 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
         goto err;
     }
 
+    if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
+                                    rsa->n, ctx))
+            goto err;
+
     if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
         blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
         if (blinding == NULL) {
@@ -431,11 +436,6 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
         } else
             d = rsa->d;
 
-        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
-            if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA,
-                                        rsa->n, ctx))
-                goto err;
-
         if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
                                    rsa->_method_mod_n))
             goto err;