Split out BN_div and BN_mod into ct and nonct versions for Internal use.

ok jsing@

17 files changed, 92 insertions, 58 deletions

diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 16ba8ae981..fd9a62fe3f 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn.h,v 1.34 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -387,9 +387,11 @@ void	BN_set_negative(BIGNUM *b, int n);
  */
 #define BN_is_negative(a) ((a)->neg != 0)
 
+#ifndef LIBRESSL_INTERNAL
 int     BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     BN_CTX *ctx);
 #define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
+#endif
 int     BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
 int     BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
 int     BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index fefc53f9fa..a8f7c9f384 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_div.c,v 1.24 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -116,9 +116,9 @@
  *     rm->neg == num->neg                 (unless the remainder is zero)
  * If 'dv' or 'rm' is NULL, the respective value is not returned.
  */
-int
-BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
-    BN_CTX *ctx)
+static int
+BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx, int ct)
 {
         int norm_shift, i, loop;
         BIGNUM *tmp, wnum, *snum, *sdiv, *res;
@@ -137,10 +137,8 @@ BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
         bn_check_top(num);
 
-        if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
-            (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
+        if (ct)
                 no_branch = 1;
-        }
 
         bn_check_top(dv);
         bn_check_top(rm);
@@ -379,3 +377,27 @@ err:
         BN_CTX_end(ctx);
         return (0);
 }
+
+int
+BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
+            (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));
+
+        return BN_div_internal(dv, rm, num, divisor, ctx, ct);
+}
+
+int
+BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        return BN_div_internal(dv, rm, num, divisor, ctx, 0);
+}
+
+int
+BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        return BN_div_internal(dv, rm, num, divisor, ctx, 1);
+}
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index ed4bc666bf..f650e94b09 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.29 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -735,7 +735,7 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
         /* prepare a^1 in Montgomery domain */
         if (a->neg || BN_ucmp(a, m) >= 0) {
-                if (!BN_mod(&am, a,m, ctx))
+                if (!BN_mod_ct(&am, a,m, ctx))
                         goto err;
                 if (!BN_to_montgomery(&am, &am, mont, ctx))
                         goto err;
@@ -924,7 +924,7 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,
 #define BN_MOD_MUL_WORD(r, w, m) \
                 (BN_mul_word(r, (w)) && \
                 (/* BN_ucmp(r, (m)) < 0 ? 1 :*/  \
-                        (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
+                        (BN_mod_ct(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
                 /* BN_MOD_MUL_WORD is only used with 'w' large,
                  * so the BN_ucmp test is probably more overhead
                  * than always using BN_mod (which uses BN_copy if
diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c
index 38bf467a38..1d938d3818 100644
--- a/src/lib/libcrypto/bn/bn_exp2.c
+++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp2.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_exp2.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -175,7 +175,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
          * Build table for a1:   val1[i] := a1^(2*i + 1) mod m  for i = 0 .. 2^(window1-1)
          */
         if (a1->neg || BN_ucmp(a1, m) >= 0) {
-                if (!BN_mod(val1[0], a1, m, ctx))
+                if (!BN_mod_ct(val1[0], a1, m, ctx))
                         goto err;
                 a_mod_m = val1[0];
         } else
@@ -206,7 +206,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
          * Build table for a2:   val2[i] := a2^(2*i + 1) mod m  for i = 0 .. 2^(window2-1)
          */
         if (a2->neg || BN_ucmp(a2, m) >= 0) {
-                if (!BN_mod(val2[0], a2, m, ctx))
+                if (!BN_mod_ct(val2[0], a2, m, ctx))
                         goto err;
                 a_mod_m = val2[0];
         } else
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index da9c29a8e5..3c8ff5b405 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -421,7 +421,7 @@ BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
                                         }
                                 }
                         } else {
-                                if (!BN_div(D, M, A, B, ctx))
+                                if (!BN_div_ct(D, M, A, B, ctx))
                                         goto err;
                         }
 
@@ -605,7 +605,7 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
                 BN_with_flags(pA, A, BN_FLG_CONSTTIME);
 
                 /* (D, M) := (A/B, A%B) ... */
-                if (!BN_div(D, M, pA, B, ctx))
+                if (!BN_div_ct(D, M, pA, B, ctx))
                         goto err;
 
                 /* Now
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index f8ce4bdc51..59d9036d01 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.25 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -593,7 +593,11 @@ int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-
+int BN_div_nonct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+    BN_CTX *ctx);
+int BN_div_ct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+    BN_CTX *ctx);
+#define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx))
+#define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx))
 __END_HIDDEN_DECLS
-
 #endif
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
index eb2d5b072e..4c30c098d4 100644
--- a/src/lib/libcrypto/bn/bn_mod.c
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mod.c,v 1.10 2016/11/05 10:47:16 miod Exp $ */
+/* $OpenBSD: bn_mod.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project. */
 /* ====================================================================
@@ -121,7 +121,7 @@ BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
         /* like BN_mod, but returns non-negative remainder
          * (i.e.,  0 <= r < |d|  always holds) */
 
-        if (!(BN_mod(r, m,d, ctx)))
+        if (!(BN_mod_ct(r, m,d, ctx)))
                 return 0;
         if (!r->neg)
                 return 1;
@@ -212,7 +212,7 @@ BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
         if (!BN_sqr(r, a, ctx))
                 return 0;
         /* r->neg == 0,  thus we don't need BN_nnmod */
-        return BN_mod(r, r, m, ctx);
+        return BN_mod_ct(r, r, m, ctx);
 }
 
 int
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 3eb9913a9e..3496502435 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.24 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.25 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -418,7 +418,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                         Ri->d[1] = BN_MASK2;
                         Ri->top = 2;
                 }
-                if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
+                if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
                         goto err;
                 /* Ni = (R*Ri-1)/N,
                  * keep only couple of least significant words: */
@@ -446,7 +446,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                         if (!BN_set_word(Ri, BN_MASK2))
                                 goto err;  /* Ri-- (mod word size) */
                 }
-                if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
+                if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
                         goto err;
                 /* Ni = (R*Ri-1)/N,
                  * keep only least significant word: */
@@ -468,7 +468,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                 if (!BN_sub_word(Ri, 1))
                         goto err;
                 /* Ni = (R*Ri-1) / N */
-                if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))
+                if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx))
                         goto err;
         }
 #endif
@@ -477,7 +477,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
         BN_zero(&(mont->RR));
         if (!BN_set_bit(&(mont->RR), mont->ri*2))
                 goto err;
-        if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
+        if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx))
                 goto err;
 
         ret = 1;
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index b2f32684e4..ec8217ef69 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.17 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -443,7 +443,7 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem,
 
         /* we need ((rnd-rem) % add) == 0 */
 
-        if (!BN_mod(t1, rnd, add, ctx))
+        if (!BN_mod_ct(t1, rnd, add, ctx))
                 goto err;
         if (!BN_sub(rnd, rnd, t1))
                 goto err;
@@ -500,7 +500,7 @@ probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
                 goto err;
 
         /* we need ((rnd-rem) % add) == 0 */
-        if (!BN_mod(t1, q,qadd, ctx))
+        if (!BN_mod_ct(t1, q,qadd, ctx))
                 goto err;
         if (!BN_sub(q, q, t1))
                 goto err;
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index b0bd0aa4df..aae7c7ef85 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_recp.c,v 1.13 2015/04/29 00:11:12 doug Exp $ */
+/* $OpenBSD: bn_recp.c,v 1.14 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -251,7 +251,7 @@ BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
         if (!BN_set_bit(t, len))
                 goto err;
 
-        if (!BN_div(r, NULL, t,m, ctx))
+        if (!BN_div_ct(r, NULL, t,m, ctx))
                 goto err;
 
         ret = len;
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
index 92ad02e187..b589d39892 100644
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.21 2017/01/21 09:38:59 beck Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.22 2017/01/21 10:38:29 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -501,7 +501,7 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
         if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
                 goto err;
         /* j = (p - 1) / q */
-        if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
+        if (BN_div_ct(j, NULL, p1, dsa->q, ctx) == 0)
                 goto err;
         /* q * j should == p - 1 */
         if (BN_mul(newp1, dsa->q, j, ctx) == 0)
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index d627e5ae9c..b6bbb8ab08 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_gen.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */
+/* $OpenBSD: dsa_gen.c,v 1.24 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -271,7 +271,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
                         /* step 9 */
                         if (!BN_lshift1(r0, q))
                                 goto err;
-                        if (!BN_mod(c, X, r0, ctx))
+                        if (!BN_mod_ct(c, X, r0, ctx))
                                 goto err;
                         if (!BN_sub(r0, c, BN_value_one()))
                                 goto err;
@@ -306,7 +306,7 @@ end:
         /* Set r0=(p-1)/q */
         if (!BN_sub(test, p, BN_value_one()))
                 goto err;
-        if (!BN_div(r0, NULL, test, q, ctx))
+        if (!BN_div_ct(r0, NULL, test, q, ctx))
                 goto err;
 
         if (!BN_set_word(test, h))
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 3f01a83a44..4177557d0e 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.27 2017/01/21 09:38:59 beck Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.28 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -244,7 +244,7 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                         goto err;
         }
 
-        if (!BN_mod(r,r,dsa->q,ctx))
+        if (!BN_mod_ct(r,r,dsa->q,ctx))
                 goto err;
 
         /* Compute  part of 's = inv(k) (m + xr) mod q' */
@@ -351,10 +351,10 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)
                                                 mont))
                         goto err;
         }
-                
+
         /* BN_copy(&u1,&t1); */
         /* let u1 = u1 mod q */
-        if (!BN_mod(&u1, &t1, dsa->q, ctx))
+        if (!BN_mod_ct(&u1, &t1, dsa->q, ctx))
                 goto err;
 
         /* V is now in u1.  If the signature is correct, it will be
diff --git a/src/lib/libcrypto/gost/gostr341001.c b/src/lib/libcrypto/gost/gostr341001.c
index c6221e4a01..5fb494009c 100644
--- a/src/lib/libcrypto/gost/gostr341001.c
+++ b/src/lib/libcrypto/gost/gostr341001.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001.c,v 1.4 2015/02/14 06:40:04 jsing Exp $ */
+/* $OpenBSD: gostr341001.c,v 1.5 2017/01/21 10:38:29 beck Exp $ */
 /*
  * Copyright (c) 2014 Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
  * Copyright (c) 2005-2006 Cryptocom LTD
@@ -57,6 +57,8 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/gost.h>
+
+#include "bn_lcl.h"
 #include "gost_locl.h"
 
 /* Convert little-endian byte array into bignum */
@@ -175,7 +177,7 @@ gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
         priv_key = GOST_KEY_get0_private_key(eckey);
         if ((e = BN_CTX_get(ctx)) == NULL)
                 goto err;
-        if (BN_mod(e, md, order, ctx) == 0)
+        if (BN_mod_ct(e, md, order, ctx) == 0)
                 goto err;
         if (BN_is_zero(e))
                 BN_one(e);
@@ -288,7 +290,7 @@ gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
                 goto err;
         }
 
-        if (BN_mod(e, md, order, ctx) == 0)
+        if (BN_mod_ct(e, md, order, ctx) == 0)
                 goto err;
         if (BN_is_zero(e))
                 BN_one(e);
@@ -310,7 +312,7 @@ gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
                 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB);
                 goto err;
         }
-        if (BN_mod(R, X, order, ctx) == 0)
+        if (BN_mod_ct(R, X, order, ctx) == 0)
                 goto err;
         if (BN_cmp(R, sig->r) != 0) {
                 GOSTerr(GOST_F_GOST2001_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH);
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index c247a8d80e..efe9431f2d 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_chk.c,v 1.9 2014/07/10 07:43:11 jsing Exp $ */
+/* $OpenBSD: rsa_chk.c,v 1.10 2017/01/21 10:38:29 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -52,6 +52,8 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "bn_lcl.h"
+
 int
 RSA_check_key(const RSA *key)
 {
@@ -132,7 +134,7 @@ RSA_check_key(const RSA *key)
                 ret = -1;
                 goto err;
         }
-        r = BN_div(k, NULL, l, m, ctx); /* remainder is 0 */
+        r = BN_div_ct(k, NULL, l, m, ctx); /* remainder is 0 */
         if (!r) {
                 ret = -1;
                 goto err;
@@ -157,7 +159,7 @@ RSA_check_key(const RSA *key)
                         goto err;
                 }
 
-                r = BN_mod(j, key->d, i, ctx);
+                r = BN_mod_ct(j, key->d, i, ctx);
                 if (!r) {
                         ret = -1;
                         goto err;
@@ -176,7 +178,7 @@ RSA_check_key(const RSA *key)
                         goto err;
                 }
 
-                r = BN_mod(j, key->d, i, ctx);
+                r = BN_mod_ct(j, key->d, i, ctx);
                 if (!r) {
                         ret = -1;
                         goto err;
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 640ed9a0d6..c4da147ddf 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.44 2017/01/21 09:38:59 beck Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.45 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -770,7 +770,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
         BN_init(&c);
         BN_with_flags(&c, I, BN_FLG_CONSTTIME);
 
-        if (!BN_mod(r1, &c, rsa->q, ctx))
+        if (!BN_mod_ct(r1, &c, rsa->q, ctx))
                 goto err;
 
         /* compute r1^dmq1 mod q */
@@ -784,7 +784,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
         /* compute I mod p */
         BN_with_flags(&c, I, BN_FLG_CONSTTIME);
 
-        if (!BN_mod(r1, &c, rsa->p, ctx))
+        if (!BN_mod_ct(r1, &c, rsa->p, ctx))
                 goto err;
 
         /* compute r1^dmp1 mod p */
@@ -813,7 +813,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
         BN_init(&pr1);
         BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
 
-        if (!BN_mod(r0, &pr1, rsa->p, ctx))
+        if (!BN_mod_ct(r0, &pr1, rsa->p, ctx))
                 goto err;
 
         /*
@@ -844,7 +844,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                  */
                 if (!BN_sub(vrfy, vrfy, I))
                         goto err;
-                if (!BN_mod(vrfy, vrfy, rsa->n, ctx))
+                if (!BN_mod_ct(vrfy, vrfy, rsa->n, ctx))
                         goto err;
                 if (BN_is_negative(vrfy))
                         if (!BN_add(vrfy, vrfy, rsa->n))
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index d46f4f2478..817f177e96 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.19 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -69,6 +69,8 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "bn_lcl.h"
+
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
 
 /*
@@ -202,11 +204,11 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
         BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
         /* calculate d mod (p-1) */
-        if (!BN_mod(rsa->dmp1, &d, r1, ctx))
+        if (!BN_mod_ct(rsa->dmp1, &d, r1, ctx))
                 goto err;
 
         /* calculate d mod (q-1) */
-        if (!BN_mod(rsa->dmq1, &d, r2, ctx))
+        if (!BN_mod_ct(rsa->dmq1, &d, r2, ctx))
                 goto err;
 
         /* calculate inverse of q mod p */