Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally
constant-time.

Based on the original patch by César Pereid.  ok beck@

2 files changed, 12 insertions, 34 deletions

diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index a20467c9d0..631cd5c685 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -78,13 +78,6 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P     0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-                                       * implementation now uses constant time
-                                       * modular exponentiation for secret exponents
-                                       * by default. This flag causes the
-                                       * faster variable sliding window method to
-                                       * be used for all exponents.
-                                       */
 
 /* If this flag is set the DH method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 31bc7b3dfd..25e8968ef5 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -147,21 +147,16 @@ generate_key(DH *dh)
         }
 
         {
-                BIGNUM local_prk;
-                BIGNUM *prk;
+                BIGNUM prk;
 
-                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-                        BN_init(&local_prk);
-                        prk = &local_prk;
-                        BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-                } else
-                        prk = priv_key;
+                BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
 
-                if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-                    mont))
+                if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
+                    mont)) {
                         goto err;
+                }
         }
-                
+
         dh->pub_key = pub_key;
         dh->priv_key = priv_key;
         ok = 1;
@@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         if (dh->flags & DH_FLAG_CACHE_MONT_P) {
                 mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
                     CRYPTO_LOCK_DH, dh->p, ctx);
-                if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-                        /* XXX */
-                        BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-                }
+
+                BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
                 if (!mont)
                         goto err;
         }
@@ -238,16 +232,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-        /*
-         * If a is only one word long and constant time is false, use the faster
-         * exponenentiation function.
-         */
-        if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-                BN_ULONG A = a->d[0];
-
-                return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-        } else
-                return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int