Make explicit _ct and _nonct versions of bn_mod_exp funcitons that

matter for constant time, and make the public interface only used
external to the library.

This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.

Add regress tests for same.
ok jsing@

19 files changed, 249 insertions, 47 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 29b6669a12..3fb904b470 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.13 2016/12/21 15:49:29 jsing Exp $
+# $OpenBSD: Makefile,v 1.14 2017/01/21 09:38:58 beck Exp $
 
 LIB=    crypto
 
@@ -24,7 +24,8 @@ CFLAGS+= -DLIBRESSL_INTERNAL
 CFLAGS+= -DOPENSSL_NO_HW_PADLOCK # XXX enable this?
 
 CFLAGS+= -I${LCRYPTO_SRC}
-CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/evp
+CFLAGS+= -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/bn -I${LCRYPTO_SRC}/evp
+CFLAGS+= -I${LCRYPTO_SRC}/modes
 
 VERSION_SCRIPT= Symbols.map
 SYMBOL_LIST=    ${.CURDIR}/Symbols.list
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 5f8278faa8..16ba8ae981 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.32 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -418,10 +418,12 @@ int	BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
 int     BN_lshift1(BIGNUM *r, const BIGNUM *a);
 int     BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
 
+#ifndef LIBRESSL_INTERNAL
 int     BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx);
 int     BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int     BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index c842f76c6f..01874f6208 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.14 2014/07/12 16:03:36 miod Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.15 2017/01/21 09:38:58 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -372,7 +372,7 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
                     ctx, ret->m_ctx))
                         goto err;
         } else {
-                if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
+                if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
                         goto err;
         }
 
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 83c62be25a..ed4bc666bf 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.27 2017/01/21 04:34:16 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -172,9 +172,9 @@ err:
         return (ret);
 }
 
-int
-BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx)
+static int
+BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, int ct)
 {
         int ret;
 
@@ -213,12 +213,11 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
          */
 
         if (BN_is_odd(m)) {
-                if (a->top == 1 && !a->neg &&
-                    (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {
+                if (a->top == 1 && !a->neg && !ct) {
                         BN_ULONG A = a->d[0];
                         ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL);
                 } else
-                        ret = BN_mod_exp_mont(r, a,p, m,ctx, NULL);
+                        ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL);
         } else  {
                 ret = BN_mod_exp_recp(r, a,p, m, ctx);
         }
@@ -228,6 +227,30 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 }
 
 int
+BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx,
+            (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+
+int
+BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx, 1);
+}
+
+
+int
+BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx, 0);
+}
+
+
+int
 BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
     BN_CTX *ctx)
 {
@@ -361,9 +384,9 @@ err:
         return (ret);
 }
 
-int
-BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+static int
+BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct)
 {
         int i, j, bits, ret = 0, wstart, wend, window, wvalue;
         int start = 1;
@@ -373,7 +396,7 @@ BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
         BIGNUM *val[TABLE_SIZE];
         BN_MONT_CTX *mont = NULL;
 
-        if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+        if (ct) {
                 return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
         }
 
@@ -513,6 +536,27 @@ err:
         return (ret);
 }
 
+int
+BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont,
+            (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+
+int
+BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1);
+}
+
+int
+BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0);
+}
 
 /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
  * so that accessing any of these table values shows the same access pattern as far
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index ca130a63cb..f8ce4bdc51 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.23 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -584,6 +584,16 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int
 
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
 
+/* Explicitly const time / non-const time versions for internal use */
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
 __END_HIDDEN_DECLS
 
 #endif
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index fb39756de2..b2f32684e4 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.15 2016/07/05 02:54:35 bcook Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -369,7 +369,7 @@ static int
 witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd,
     int k, BN_CTX *ctx, BN_MONT_CTX *mont)
 {
-        if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont))
+        if (!BN_mod_exp_mont_ct(w, w, a1_odd, a, ctx, mont))
                 /* w := w^a1_odd mod a */
                 return -1;
         if (BN_is_one(w))
diff --git a/src/lib/libcrypto/bn/bn_sqrt.c b/src/lib/libcrypto/bn/bn_sqrt.c
index e5231d2a95..5928dfc79d 100644
--- a/src/lib/libcrypto/bn/bn_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_sqrt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqrt.c,v 1.7 2016/11/08 01:40:22 guenther Exp $ */
+/* $OpenBSD: bn_sqrt.c,v 1.8 2017/01/21 09:38:58 beck Exp $ */
 /* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * and Bodo Moeller for the OpenSSL project. */
 /* ====================================================================
@@ -149,7 +149,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 q->neg = 0;
                 if (!BN_add_word(q, 1))
                         goto end;
-                if (!BN_mod_exp(ret, A, q, p, ctx))
+                if (!BN_mod_exp_ct(ret, A, q, p, ctx))
                         goto end;
                 err = 0;
                 goto vrfy;
@@ -190,7 +190,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 if (!BN_rshift(q, p, 3))
                         goto end;
                 q->neg = 0;
-                if (!BN_mod_exp(b, t, q, p, ctx))
+                if (!BN_mod_exp_ct(b, t, q, p, ctx))
                         goto end;
 
                 /* y := b^2 */
@@ -272,7 +272,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 
         /* Now that we have some non-square, we can find an element
          * of order  2^e  by computing its q'th power. */
-        if (!BN_mod_exp(y, y, q, p, ctx))
+        if (!BN_mod_exp_ct(y, y, q, p, ctx))
                 goto end;
         if (BN_is_one(y)) {
                 BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
@@ -314,7 +314,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 } else if (!BN_one(x))
                         goto end;
         } else {
-                if (!BN_mod_exp(x, A, t, p, ctx))
+                if (!BN_mod_exp_ct(x, A, t, p, ctx))
                         goto end;
                 if (BN_is_zero(x)) {
                         /* special case: a == 0  (mod p) */
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 6eb1365bf6..5b365cdd06 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.25 2016/07/07 11:53:12 bcook Exp $ */
+/* $OpenBSD: dh_key.c,v 1.26 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,6 +62,8 @@
 #include <openssl/dh.h>
 #include <openssl/err.h>
 
+#include "bn_lcl.h"
+
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a,
@@ -233,7 +235,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-        return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+        return BN_mod_exp_mont_ct(r, a, p, m, ctx, m_ctx);
 }
 
 static int
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
index 3e434701aa..92ad02e187 100644
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.20 2016/10/19 16:49:11 jsing Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.21 2017/01/21 09:38:59 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -66,8 +66,8 @@
 #include <openssl/err.h>
 #include <openssl/x509.h>
 
-
 #include "asn1_locl.h"
+#include "bn_lcl.h"
 
 static int
 dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
@@ -224,7 +224,7 @@ dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
                 goto dsaerr;
         }
 
-        if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
+        if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
                 DSAerr(DSA_F_DSA_PRIV_DECODE,DSA_R_BN_ERROR);
                 goto dsaerr;
         }
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index 7ddb7fec5e..d627e5ae9c 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_gen.c,v 1.22 2015/07/15 18:34:37 miod Exp $ */
+/* $OpenBSD: dsa_gen.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 
+#include "bn_lcl.h"
 #include "dsa_locl.h"
 
 int
@@ -315,7 +316,7 @@ end:
 
         for (;;) {
                 /* g=test^r0%p */
-                if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont))
+                if (!BN_mod_exp_mont_ct(g, test, r0, p, ctx, mont))
                         goto err;
                 if (!BN_is_one(g))
                         break;
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index fc4eb9c433..cb95e1369c 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,6 +65,7 @@
 
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
+#include "bn_lcl.h"
 
 static int dsa_builtin_keygen(DSA *dsa);
 
@@ -108,7 +109,7 @@ dsa_builtin_keygen(DSA *dsa)
 
                 BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
 
-                if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
+                if (!BN_mod_exp_ct(pub_key, dsa->g, &prk, dsa->p, ctx))
                         goto err;
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index a28d3e9d1a..3f01a83a44 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.26 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.27 2017/01/21 09:38:59 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,6 +66,8 @@
 #include <openssl/err.h>
 #include <openssl/sha.h>
 
+#include "bn_lcl.h"
+
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
             BIGNUM **rp);
@@ -238,7 +240,7 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                                         dsa->method_mont_p))
                         goto err;
         } else {
-                if (!BN_mod_exp_mont(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p))
+                if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p))
                         goto err;
         }
 
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 7a9045396c..0a33a24b9f 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.17 2017/01/21 09:38:59 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -73,6 +73,8 @@
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
 
+#include "bn_lcl.h"
+
 /* Utility function: read a DWORD (4 byte unsigned integer) in little endian
  * format
  */
@@ -340,7 +342,7 @@ b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen,
                         goto memerr;
                 if (!(ctx = BN_CTX_new()))
                         goto memerr;
-                if (!BN_mod_exp(dsa->pub_key, dsa->g,
+                if (!BN_mod_exp_ct(dsa->pub_key, dsa->g,
                     dsa->priv_key, dsa->p, ctx))
                         goto memerr;
                 BN_CTX_free(ctx);
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index af76541c28..640ed9a0d6 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.43 2016/09/09 11:39:11 tb Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.44 2017/01/21 09:38:59 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,6 +118,8 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "bn_lcl.h"
+
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
     unsigned char *to, RSA *rsa, int padding);
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
@@ -137,7 +139,7 @@ static RSA_METHOD rsa_pkcs1_eay_meth = {
         .rsa_priv_enc = RSA_eay_private_encrypt, /* signing */
         .rsa_priv_dec = RSA_eay_private_decrypt,
         .rsa_mod_exp = RSA_eay_mod_exp,
-        .bn_mod_exp = BN_mod_exp_mont, /* XXX probably we should not use Montgomery if  e == 3 */
+        .bn_mod_exp = BN_mod_exp_mont_ct, /* XXX probably we should not use Montgomery if  e == 3 */
         .init = RSA_eay_init,
         .finish = RSA_eay_finish,
 };
diff --git a/src/regress/lib/libcrypto/bn/general/Makefile b/src/regress/lib/libcrypto/bn/general/Makefile
index 18207ffb01..d578d0fe12 100644
--- a/src/regress/lib/libcrypto/bn/general/Makefile
+++ b/src/regress/lib/libcrypto/bn/general/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.3 2016/12/21 15:51:05 jsing Exp $
+#       $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
 
 .include "../../Makefile.inc"
 
@@ -6,6 +6,6 @@ PROG=	bntest
 LDADD=  ${CRYPTO_INT}
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/bn/general/bntest.c b/src/regress/lib/libcrypto/bn/general/bntest.c
index 0247dacaa4..7e5e6ed81b 100644
--- a/src/regress/lib/libcrypto/bn/general/bntest.c
+++ b/src/regress/lib/libcrypto/bn/general/bntest.c
@@ -84,6 +84,15 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
 
 const int num0 = 100; /* number of tests */
@@ -1037,6 +1046,14 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
                 fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
                 return (0);
         }
+        if (BN_mod_exp_ct(d, a, b, c, ctx)) {
+                fprintf(stderr, "BN_mod_exp_ct with zero modulus succeeded!\n");
+                return (0);
+        }
+        if (BN_mod_exp_nonct(d, a, b, c, ctx)) {
+                fprintf(stderr, "BN_mod_exp_nonct with zero modulus succeeded!\n");
+                return (0);
+        }
 
         BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
         for (i = 0; i < num2; i++) {
@@ -1069,6 +1086,70 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
                         break;
                 }
         }
+
+        BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+        for (i = 0; i < num2; i++) {
+                BN_bntest_rand(a, 20 + i * 5, 0, 0);
+                BN_bntest_rand(b, 2 + i, 0, 0);
+
+                if (!BN_mod_exp_ct(d, a, b, c, ctx)) {
+                        rc = 0;
+                        break;
+                }
+
+                if (bp != NULL) {
+                        if (!results) {
+                                BN_print(bp, a);
+                                BIO_puts(bp, " ^ ");
+                                BN_print(bp, b);
+                                BIO_puts(bp, " % ");
+                                BN_print(bp, c);
+                                BIO_puts(bp, " - ");
+                        }
+                        BN_print(bp, d);
+                        BIO_puts(bp, "\n");
+                }
+                BN_exp(e, a, b, ctx);
+                BN_sub(e, e, d);
+                BN_div(a, b, e, c, ctx);
+                if (!BN_is_zero(b)) {
+                        fprintf(stderr, "Modulo exponentiation test failed!\n");
+                        rc = 0;
+                        break;
+                }
+        }
+
+        BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+        for (i = 0; i < num2; i++) {
+                BN_bntest_rand(a, 20 + i * 5, 0, 0);
+                BN_bntest_rand(b, 2 + i, 0, 0);
+
+                if (!BN_mod_exp_nonct(d, a, b, c, ctx)) {
+                        rc = 0;
+                        break;
+                }
+
+                if (bp != NULL) {
+                        if (!results) {
+                                BN_print(bp, a);
+                                BIO_puts(bp, " ^ ");
+                                BN_print(bp, b);
+                                BIO_puts(bp, " % ");
+                                BN_print(bp, c);
+                                BIO_puts(bp, " - ");
+                        }
+                        BN_print(bp, d);
+                        BIO_puts(bp, "\n");
+                }
+                BN_exp(e, a, b, ctx);
+                BN_sub(e, e, d);
+                BN_div(a, b, e, c, ctx);
+                if (!BN_is_zero(b)) {
+                        fprintf(stderr, "Modulo exponentiation test failed!\n");
+                        rc = 0;
+                        break;
+                }
+        }
         BN_free(a);
         BN_free(b);
         BN_free(c);
diff --git a/src/regress/lib/libcrypto/bn/mont/Makefile b/src/regress/lib/libcrypto/bn/mont/Makefile
index eda36001a3..55c48220d4 100644
--- a/src/regress/lib/libcrypto/bn/mont/Makefile
+++ b/src/regress/lib/libcrypto/bn/mont/Makefile
@@ -1,9 +1,9 @@
-#       $OpenBSD: Makefile,v 1.2 2014/07/08 15:53:52 jsing Exp $
+#       $OpenBSD: Makefile,v 1.3 2017/01/21 09:38:58 beck Exp $
 
 PROG=   mont
 LDADD=  -lcrypto
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/exp/Makefile b/src/regress/lib/libcrypto/exp/Makefile
index 3914201431..890b38e9fe 100644
--- a/src/regress/lib/libcrypto/exp/Makefile
+++ b/src/regress/lib/libcrypto/exp/Makefile
@@ -1,9 +1,9 @@
-#       $OpenBSD: Makefile,v 1.3 2014/07/08 15:53:52 jsing Exp $
+#       $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
 
 PROG=   exptest
-LDADD=  -lcrypto
+LDADD=  ${CRYPTO_INT}
 DPADD=  ${LIBCRYPTO}
 WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS+=        -Werror
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/exp/exptest.c b/src/regress/lib/libcrypto/exp/exptest.c
index 45ca5ac5f5..375628cb25 100644
--- a/src/regress/lib/libcrypto/exp/exptest.c
+++ b/src/regress/lib/libcrypto/exp/exptest.c
@@ -64,6 +64,15 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
 #define NUM_BITS        (BN_BITS*2)
 
 /*
@@ -116,6 +125,18 @@ static int test_exp_mod_zero(void)
         if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
                 failed = 1;
 
+        if (!BN_mod_exp_ct(&r, &a, &p, &m, ctx))
+                goto err;
+
+        if (!a_is_zero_mod_one("BN_mod_exp_ct", &r, &a))
+                failed = 1;
+
+        if (!BN_mod_exp_nonct(&r, &a, &p, &m, ctx))
+                goto err;
+
+        if (!a_is_zero_mod_one("BN_mod_exp_nonct", &r, &a))
+                failed = 1;
+
         if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
                 goto err;
 
@@ -134,6 +155,18 @@ static int test_exp_mod_zero(void)
         if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
                 failed = 1;
 
+        if (!BN_mod_exp_mont_ct(&r, &a, &p, &m, ctx, NULL))
+                goto err;
+
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", &r, &a))
+                failed = 1;
+
+        if (!BN_mod_exp_mont_nonct(&r, &a, &p, &m, ctx, NULL))
+                goto err;
+
+        if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", &r, &a))
+                failed = 1;
+
         if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
                 goto err;
         }
@@ -175,7 +208,8 @@ int main(int argc, char *argv[])
         BIO *out = NULL;
         int i, ret;
         unsigned char c;
-        BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, *a, *b, *m;
+        BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple,
+            *r_mont_ct, *r_mont_nonct, *a, *b, *m;
 
         ERR_load_BN_strings();
 
@@ -184,6 +218,8 @@ int main(int argc, char *argv[])
                 exit(1);
         r_mont = BN_new();
         r_mont_const = BN_new();
+        r_mont_ct = BN_new();
+        r_mont_nonct = BN_new();
         r_recp = BN_new();
         r_simple = BN_new();
         a = BN_new();
@@ -221,6 +257,20 @@ int main(int argc, char *argv[])
                         exit(1);
                 }
 
+                ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_ct() problems\n");
+                        ERR_print_errors(out);
+                        exit(1);
+                }
+
+                ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
+                if (ret <= 0) {
+                        printf("BN_mod_exp_mont_nonct() problems\n");
+                        ERR_print_errors(out);
+                        exit(1);
+                }
+
                 ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
                 if (ret <= 0) {
                         printf("BN_mod_exp_recp() problems\n");
@@ -254,6 +304,10 @@ int main(int argc, char *argv[])
                                 printf("\nsimple and mont const time results differ\n");
                         if (BN_cmp(r_simple, r_recp) != 0)
                                 printf("\nsimple and recp results differ\n");
+                        if (BN_cmp(r_mont, r_mont_ct) != 0)
+                                printf("\nmont_ct and mont results differ\n");
+                        if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
+                                printf("\nmont_ct and mont_nonct results differ\n");
 
                         printf("a (%3d) = ", BN_num_bits(a));
                         BN_print(out, a);