| author | Jack Lloyd <[email protected]> | 2019-01-28 19:08:08 -0500 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2019-01-28 19:08:08 -0500 |
| commit | 93e9c8ffed8b2eee294b7e8140935c7e7dd43641 | |
| tree | d1641e5c5828af628c05d49146da30e6a6731732 | |
| parent | e1b305fc482cec42e156adda59e6448c74fa99ab | |
Avoid a harmless data race in RSA decryption
Both threads called Modular_Reducer::reduce on m, which caused the
significant words result to be written twice in an unsynchronized way.
By calling it once beforehand it is computed and cached and so no
additional writes occur.
Found with helgrind.
| -rw-r--r-- | src/lib/pubkey/rsa/rsa.cpp | 7 |
|---|---|---|

1 file changed, 7 insertions, 0 deletions
diff --git a/src/lib/pubkey/rsa/rsa.cpp b/src/lib/pubkey/rsa/rsa.cpp index 441127984..0cd8bbdf4 100644 --- a/src/lib/pubkey/rsa/rsa.cpp +++ b/src/lib/pubkey/rsa/rsa.cpp @@ -249,6 +249,13 @@ class RSA_Private_Operation #endif #if defined(BOTAN_RSA_USE_ASYNC) + /* + * Precompute m.sig_words in the main thread before calling async. Otherwise + * the two threads race (during Modular_Reducer::reduce) and while the output + * is correct in both threads, helgrind warns. + */ + m.sig_words(); + auto future_j1 = std::async(std::launch::async, [this, &m, &d1_mask, powm_window]() { #endif const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1)); |
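Review bot: the added comment describes the race as harmless because both threads compute the same value, but an unsynchronized write to a shared, non-atomic cached field is still a data race under the C++ memory model, so the `m.sig_words();` precomputation is a correctness fix and not only a way to quiet helgrind; reword the comment to say so, otherwise a later reader may see a bare `m.sig_words();` whose result is discarded and remove it as dead code. The fix also relies on nothing between this call and the two async reductions writing to `m` through the captured reference (the lambda captures `&m`), since any such write that resets the cached word count would reintroduce the race; a one-line note next to the call stating that `m` must stay unmodified from here on would make that precondition explicit.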