6 files changed, 78 insertions, 22 deletions
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 5f8278faa8..16ba8ae981 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.32 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -418,10 +418,12 @@ int	BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
 int     BN_lshift1(BIGNUM *r, const BIGNUM *a);
 int     BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+#ifndef LIBRESSL_INTERNAL
 int     BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    const BIGNUM *m, BN_CTX *ctx);
 int     BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int     BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index c842f76c6f..01874f6208 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.14 2014/07/12 16:03:36 miod Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.15 2017/01/21 09:38:58 beck Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -372,7 +372,7 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
                    ctx, ret->m_ctx))
                        goto err;
        } else {
-                if (!BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx))
+                if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
                        goto err;
        }
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index 83c62be25a..ed4bc666bf 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.27 2017/01/21 04:34:16 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -172,9 +172,9 @@ err:
        return (ret);
 }
-int
+static int
-BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx)
+    BN_CTX *ctx, int ct)
 {
        int ret;
@@ -213,12 +213,11 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
         */
        if (BN_is_odd(m)) {
-                if (a->top == 1 && !a->neg &&
+                if (a->top == 1 && !a->neg && !ct) {
-                    (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) {
                        BN_ULONG A = a->d[0];
                        ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL);
                } else
-                        ret = BN_mod_exp_mont(r, a,p, m,ctx, NULL);
+                        ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL);
        } else  {
                ret = BN_mod_exp_recp(r, a,p, m, ctx);
        }
@@ -228,6 +227,30 @@ BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 }
 int
+BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx,
+            (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+int
+BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx, 1);
+}
+int
+BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx)
+{
+        return BN_mod_exp_internal(r, a, p, m, ctx, 0);
+}
+int
 BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
    BN_CTX *ctx)
 {
@@ -361,9 +384,9 @@ err:
        return (ret);
 }
-int
+static int
-BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
-    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+    BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct)
 {
        int i, j, bits, ret = 0, wstart, wend, window, wvalue;
        int start = 1;
@@ -373,7 +396,7 @@ BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
        BIGNUM *val[TABLE_SIZE];
        BN_MONT_CTX *mont = NULL;
-        if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
+        if (ct) {
                return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
        }
@@ -513,6 +536,27 @@ err:
        return (ret);
 }
+int
+BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont,
+            (BN_get_flags(p, BN_FLG_CONSTTIME) != 0));
+}
+int
+BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1);
+}
+int
+BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+    BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0);
+}
 /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
 * so that accessing any of these table values shows the same access pattern as far
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index ca130a63cb..f8ce4bdc51 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.23 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -584,6 +584,16 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int
 int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
+/* Explicitly const time / non-const time versions for internal use */
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index fb39756de2..b2f32684e4 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.15 2016/07/05 02:54:35 bcook Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -369,7 +369,7 @@ static int
 witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd,
    int k, BN_CTX *ctx, BN_MONT_CTX *mont)
 {
-        if (!BN_mod_exp_mont(w, w, a1_odd, a, ctx, mont))
+        if (!BN_mod_exp_mont_ct(w, w, a1_odd, a, ctx, mont))
                /* w := w^a1_odd mod a */
                return -1;
        if (BN_is_one(w))
diff --git a/src/lib/libcrypto/bn/bn_sqrt.c b/src/lib/libcrypto/bn/bn_sqrt.c
index e5231d2a95..5928dfc79d 100644
--- a/src/lib/libcrypto/bn/bn_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_sqrt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqrt.c,v 1.7 2016/11/08 01:40:22 guenther Exp $ */
+/* $OpenBSD: bn_sqrt.c,v 1.8 2017/01/21 09:38:58 beck Exp $ */
 /* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * and Bodo Moeller for the OpenSSL project. */
 /* ====================================================================
@@ -149,7 +149,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                q->neg = 0;
                if (!BN_add_word(q, 1))
                        goto end;
-                if (!BN_mod_exp(ret, A, q, p, ctx))
+                if (!BN_mod_exp_ct(ret, A, q, p, ctx))
                        goto end;
                err = 0;
                goto vrfy;
@@ -190,7 +190,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                if (!BN_rshift(q, p, 3))
                        goto end;
                q->neg = 0;
-                if (!BN_mod_exp(b, t, q, p, ctx))
+                if (!BN_mod_exp_ct(b, t, q, p, ctx))
                        goto end;
                /* y := b^2 */
@@ -272,7 +272,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
        /* Now that we have some non-square, we can find an element
         * of order  2^e  by computing its q'th power. */
-        if (!BN_mod_exp(y, y, q, p, ctx))
+        if (!BN_mod_exp_ct(y, y, q, p, ctx))
                goto end;
        if (BN_is_one(y)) {
                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
@@ -314,7 +314,7 @@ BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                } else if (!BN_one(x))
                        goto end;
        } else {
-                if (!BN_mod_exp(x, A, t, p, ctx))
+                if (!BN_mod_exp_ct(x, A, t, p, ctx))
                        goto end;
                if (BN_is_zero(x)) {
                        /* special case: a == 0  (mod p) */