We cache a montgomery form for 'n' if the PUBLIC flag is set, not PRIVATE.
Also, I've added handling for other mod_exp calls that were not using any
cached montgomery forms. These cases matter only for special RSA keys (eg.
ones that are missing information) so are unlikely to be used in normal
circumstances.
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 04cefd3..24c7769 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -269,7 +269,9 @@
{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
else
{
- if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
}
if (rsa->flags & RSA_FLAG_BLINDING)
@@ -349,7 +351,9 @@
{ if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
else
{
- if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+ if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,
+ rsa->_method_mod_n))
goto err;
}
@@ -481,7 +485,7 @@
MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+ MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
@@ -526,7 +530,8 @@
/* 'I' and 'vrfy' aren't congruent mod n. Don't leak
* miscalculated CRT output, just do a raw (slower)
* mod_exp and return that instead. */
- if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
+ if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,
+ rsa->_method_mod_n)) goto err;
}
ret=1;
err:
