6 files changed, 43 insertions, 17 deletions
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index fd9a62fe3f..5d5de7e43a 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.34 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn.h,v 1.35 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -454,8 +454,10 @@ int 	BN_dec2bn(BIGNUM **a, const char *str);
 int     BN_asc2bn(BIGNUM **a, const char *str);
 int     BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 int     BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
+#ifndef LIBRESSL_INTERNAL
 BIGNUM *BN_mod_inverse(BIGNUM *ret,
    const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+#endif
 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
    const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index 01874f6208..28c6276751 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.15 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.16 2017/01/21 11:00:46 beck Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -351,7 +351,7 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
        do {
                if (!BN_rand_range(ret->A, ret->mod))
                        goto err;
-                if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
+                if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
                        /* this should almost never happen for good RSA keys */
                        unsigned long error = ERR_peek_last_error();
                        if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index 3c8ff5b405..4eab1b36d2 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.12 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -231,17 +231,16 @@ err:
 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a,
    const BIGNUM *n, BN_CTX *ctx);
-BIGNUM *
+static BIGNUM *
-BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
+    int ct)
 {
        BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
        BIGNUM *ret = NULL;
        int sign;
-        if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) ||
+        if (ct)
-            (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
                return BN_mod_inverse_no_branch(in, a, n, ctx);
-        }
        bn_check_top(a);
        bn_check_top(n);
@@ -524,6 +523,25 @@ err:
        return (ret);
 }
+BIGNUM *
+BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+        int ct = ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) ||
+            (BN_get_flags(n, BN_FLG_CONSTTIME) != 0));
+        return BN_mod_inverse_internal(in, a, n, ctx, ct);
+}
+BIGNUM *
+BN_mod_inverse_nonct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+        return BN_mod_inverse_internal(in, a, n, ctx, 0);
+}
+BIGNUM *
+BN_mod_inverse_ct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+        return BN_mod_inverse_internal(in, a, n, ctx, 1);
+}
 /* BN_mod_inverse_no_branch is a special version of BN_mod_inverse.
 * It does not contain branches that may leak sensitive information.
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 59d9036d01..75c35499a8 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.25 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.26 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -599,5 +599,9 @@ int BN_div_ct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
    BN_CTX *ctx);
 #define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx))
 #define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx))
+BIGNUM *BN_mod_inverse_ct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+    BN_CTX *ctx);
+BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+    BN_CTX *ctx);
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 3496502435..eeac046826 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.25 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.26 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -400,7 +400,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
                        tmod.top = 2;
-                if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
+                if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
                        goto err;
                if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
                        goto err; /* R*Ri */
@@ -433,7 +433,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                buf[1] = 0;
                tmod.top = buf[0] != 0 ? 1 : 0;
                /* Ri = R^-1 mod N*/
-                if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
+                if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
                        goto err;
                if (!BN_lshift(Ri, Ri, BN_BITS2))
                        goto err; /* R*Ri */
@@ -461,7 +461,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                if (!BN_set_bit(R, mont->ri))
                        goto err;  /* R = 2^ri */
                /* Ri = R^-1 mod N*/
-                if ((BN_mod_inverse(Ri, R, &mont->N, ctx)) == NULL)
+                if ((BN_mod_inverse_ct(Ri, R, &mont->N, ctx)) == NULL)
                        goto err;
                if (!BN_lshift(Ri, Ri, mont->ri))
                        goto err; /* R*Ri */
diff --git a/src/lib/libcrypto/bn/bn_x931p.c b/src/lib/libcrypto/bn/bn_x931p.c
index 1948bc8e71..84c998d4e1 100644
--- a/src/lib/libcrypto/bn/bn_x931p.c
+++ b/src/lib/libcrypto/bn/bn_x931p.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_x931p.c,v 1.8 2015/04/29 00:11:12 doug Exp $ */
+/* $OpenBSD: bn_x931p.c,v 1.9 2017/01/21 11:00:46 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <openssl/bn.h>
+#include "bn_lcl.h"
 /* X9.31 routines for prime derivation */
 /* X9.31 prime derivation. This is used to generate the primes pi
@@ -134,13 +136,13 @@ BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp,
        /* First set p to value of Rp */
-        if (!BN_mod_inverse(p, p2, p1, ctx))
+        if (!BN_mod_inverse_ct(p, p2, p1, ctx))
                goto err;
        if (!BN_mul(p, p, p2, ctx))
                goto err;
-        if (!BN_mod_inverse(t, p1, p2, ctx))
+        if (!BN_mod_inverse_ct(t, p1, p2, ctx))
                goto err;
        if (!BN_mul(t, t, p1, ctx))