Fix thread safety issue in RSA operations

The race was due to mpi_exp_mod storing a Montgomery coefficient in the
context (RM, RP, RQ).

The fix was verified with -fsanitize-thread using ssl_pthread_server and two
concurrent clients.

A more fine-grained fix should be possible, locking just enough time to check
if those values are OK and set them if not, rather than locking for the whole
mpi_exp_mod() operation, but it will be for later.
diff --git a/ChangeLog b/ChangeLog
index c9f2e10..2c68696 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@
      errors on use of deprecated functions.
 
 Bugfix
+   * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
    * Fix hardclock() (only used in the benchmarking program) with some
      versions of mingw64 (found by kxjhlele).
    * Fix warnings from mingw64 in timing.c (found by kxjklele).