10 files changed, 61 insertions, 33 deletions
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 16ba8ae981..fd9a62fe3f 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn.h,v 1.34 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -387,9 +387,11 @@ void	BN_set_negative(BIGNUM *b, int n);
 */
 #define BN_is_negative(a) ((a)->neg != 0)
+#ifndef LIBRESSL_INTERNAL
 int     BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
    BN_CTX *ctx);
 #define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
+#endif
 int     BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
 int     BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
 int     BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index fefc53f9fa..a8f7c9f384 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_div.c,v 1.24 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,9 +116,9 @@
 *     rm->neg == num->neg                 (unless the remainder is zero)
 * If 'dv' or 'rm' is NULL, the respective value is not returned.
 */
-int
+static int
-BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
-    BN_CTX *ctx)
+    BN_CTX *ctx, int ct)
 {
        int norm_shift, i, loop;
        BIGNUM *tmp, wnum, *snum, *sdiv, *res;
@@ -137,10 +137,8 @@ BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        bn_check_top(num);
-        if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
+        if (ct)
-            (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
                no_branch = 1;
-        }
        bn_check_top(dv);
        bn_check_top(rm);
@@ -379,3 +377,27 @@ err:
        BN_CTX_end(ctx);
        return (0);
 }
+int
+BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) ||
+            (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));
+        return BN_div_internal(dv, rm, num, divisor, ctx, ct);
+}
+int
+BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        return BN_div_internal(dv, rm, num, divisor, ctx, 0);
+}
+int
+BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
+    BN_CTX *ctx)
+{
+        return BN_div_internal(dv, rm, num, divisor, ctx, 1);
+}
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index ed4bc666bf..f650e94b09 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.29 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -735,7 +735,7 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
        /* prepare a^1 in Montgomery domain */
        if (a->neg || BN_ucmp(a, m) >= 0) {
-                if (!BN_mod(&am, a,m, ctx))
+                if (!BN_mod_ct(&am, a,m, ctx))
                        goto err;
                if (!BN_to_montgomery(&am, &am, mont, ctx))
                        goto err;
@@ -924,7 +924,7 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m,
 #define BN_MOD_MUL_WORD(r, w, m) \
                (BN_mul_word(r, (w)) && \
                (/* BN_ucmp(r, (m)) < 0 ? 1 :*/  \
-                        (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
+                        (BN_mod_ct(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
                /* BN_MOD_MUL_WORD is only used with 'w' large,
                 * so the BN_ucmp test is probably more overhead
                 * than always using BN_mod (which uses BN_copy if
diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c
index 38bf467a38..1d938d3818 100644
--- a/src/lib/libcrypto/bn/bn_exp2.c
+++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp2.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_exp2.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -175,7 +175,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
         * Build table for a1:   val1[i] := a1^(2*i + 1) mod m  for i = 0 .. 2^(window1-1)
         */
        if (a1->neg || BN_ucmp(a1, m) >= 0) {
-                if (!BN_mod(val1[0], a1, m, ctx))
+                if (!BN_mod_ct(val1[0], a1, m, ctx))
                        goto err;
                a_mod_m = val1[0];
        } else
@@ -206,7 +206,7 @@ BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
         * Build table for a2:   val2[i] := a2^(2*i + 1) mod m  for i = 0 .. 2^(window2-1)
         */
        if (a2->neg || BN_ucmp(a2, m) >= 0) {
-                if (!BN_mod(val2[0], a2, m, ctx))
+                if (!BN_mod_ct(val2[0], a2, m, ctx))
                        goto err;
                a_mod_m = val2[0];
        } else
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index da9c29a8e5..3c8ff5b405 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -421,7 +421,7 @@ BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
                                        }
                                }
                        } else {
-                                if (!BN_div(D, M, A, B, ctx))
+                                if (!BN_div_ct(D, M, A, B, ctx))
                                        goto err;
                        }
@@ -605,7 +605,7 @@ BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n,
                BN_with_flags(pA, A, BN_FLG_CONSTTIME);
                /* (D, M) := (A/B, A%B) ... */
-                if (!BN_div(D, M, pA, B, ctx))
+                if (!BN_div_ct(D, M, pA, B, ctx))
                        goto err;
                /* Now
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index f8ce4bdc51..59d9036d01 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.25 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -593,7 +593,11 @@ int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_div_nonct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+    BN_CTX *ctx);
+int BN_div_ct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
+    BN_CTX *ctx);
+#define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx))
+#define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx))
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
index eb2d5b072e..4c30c098d4 100644
--- a/src/lib/libcrypto/bn/bn_mod.c
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mod.c,v 1.10 2016/11/05 10:47:16 miod Exp $ */
+/* $OpenBSD: bn_mod.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project. */
 /* ====================================================================
@@ -121,7 +121,7 @@ BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
        /* like BN_mod, but returns non-negative remainder
         * (i.e.,  0 <= r < |d|  always holds) */
-        if (!(BN_mod(r, m,d, ctx)))
+        if (!(BN_mod_ct(r, m,d, ctx)))
                return 0;
        if (!r->neg)
                return 1;
@@ -212,7 +212,7 @@ BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
        if (!BN_sqr(r, a, ctx))
                return 0;
        /* r->neg == 0,  thus we don't need BN_nnmod */
-        return BN_mod(r, r, m, ctx);
+        return BN_mod_ct(r, r, m, ctx);
 }
 int
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 3eb9913a9e..3496502435 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.24 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.25 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -418,7 +418,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                        Ri->d[1] = BN_MASK2;
                        Ri->top = 2;
                }
-                if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
+                if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
                        goto err;
                /* Ni = (R*Ri-1)/N,
                 * keep only couple of least significant words: */
@@ -446,7 +446,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                        if (!BN_set_word(Ri, BN_MASK2))
                                goto err;  /* Ri-- (mod word size) */
                }
-                if (!BN_div(Ri, NULL, Ri, &tmod, ctx))
+                if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
                        goto err;
                /* Ni = (R*Ri-1)/N,
                 * keep only least significant word: */
@@ -468,7 +468,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                if (!BN_sub_word(Ri, 1))
                        goto err;
                /* Ni = (R*Ri-1) / N */
-                if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))
+                if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx))
                        goto err;
        }
 #endif
@@ -477,7 +477,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
        BN_zero(&(mont->RR));
        if (!BN_set_bit(&(mont->RR), mont->ri*2))
                goto err;
-        if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))
+        if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx))
                goto err;
        ret = 1;
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index b2f32684e4..ec8217ef69 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.17 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -443,7 +443,7 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem,
        /* we need ((rnd-rem) % add) == 0 */
-        if (!BN_mod(t1, rnd, add, ctx))
+        if (!BN_mod_ct(t1, rnd, add, ctx))
                goto err;
        if (!BN_sub(rnd, rnd, t1))
                goto err;
@@ -500,7 +500,7 @@ probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
                goto err;
        /* we need ((rnd-rem) % add) == 0 */
-        if (!BN_mod(t1, q,qadd, ctx))
+        if (!BN_mod_ct(t1, q,qadd, ctx))
                goto err;
        if (!BN_sub(q, q, t1))
                goto err;
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index b0bd0aa4df..aae7c7ef85 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_recp.c,v 1.13 2015/04/29 00:11:12 doug Exp $ */
+/* $OpenBSD: bn_recp.c,v 1.14 2017/01/21 10:38:29 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -251,7 +251,7 @@ BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
        if (!BN_set_bit(t, len))
                goto err;
-        if (!BN_div(r, NULL, t,m, ctx))
+        if (!BN_div_ct(r, NULL, t,m, ctx))
                goto err;
        ret = len;

diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h index 16ba8ae981..fd9a62fe3f 100644 --- a/src/lib/libcrypto/bn/bn.h +++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn.h,v 1.33 2017/01/21 09:38:58 beck Exp $ */	1	/* $OpenBSD: bn.h,v 1.34 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -387,9 +387,11 @@ void BN_set_negative(BIGNUM *b, int n);
387	*/	387	*/
388	#define BN_is_negative(a) ((a)->neg != 0)	388	#define BN_is_negative(a) ((a)->neg != 0)
389		389
		390	#ifndef LIBRESSL_INTERNAL
390	int BN_div(BIGNUM dv, BIGNUM rem, const BIGNUM m, const BIGNUM d,	391	int BN_div(BIGNUM dv, BIGNUM rem, const BIGNUM m, const BIGNUM d,
391	BN_CTX *ctx);	392	BN_CTX *ctx);
392	#define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))	393	#define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
		394	#endif
393	int BN_nnmod(BIGNUM r, const BIGNUM m, const BIGNUM d, BN_CTX ctx);	395	int BN_nnmod(BIGNUM r, const BIGNUM m, const BIGNUM d, BN_CTX ctx);
394	int BN_mod_add(BIGNUM r, const BIGNUM a, const BIGNUM b, const BIGNUM m, BN_CTX *ctx);	396	int BN_mod_add(BIGNUM r, const BIGNUM a, const BIGNUM b, const BIGNUM m, BN_CTX *ctx);
395	int BN_mod_add_quick(BIGNUM r, const BIGNUM a, const BIGNUM b, const BIGNUM m);	397	int BN_mod_add_quick(BIGNUM r, const BIGNUM a, const BIGNUM b, const BIGNUM m);


diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c index fefc53f9fa..a8f7c9f384 100644 --- a/src/lib/libcrypto/bn/bn_div.c +++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_div.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */	1	/* $OpenBSD: bn_div.c,v 1.24 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -116,9 +116,9 @@
116	* rm->neg == num->neg (unless the remainder is zero)	116	* rm->neg == num->neg (unless the remainder is zero)
117	* If 'dv' or 'rm' is NULL, the respective value is not returned.	117	* If 'dv' or 'rm' is NULL, the respective value is not returned.
118	*/	118	*/
119	int	119	static int
120	BN_div(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,	120	BN_div_internal(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
121	BN_CTX *ctx)	121	BN_CTX *ctx, int ct)
122	{	122	{
123	int norm_shift, i, loop;	123	int norm_shift, i, loop;
124	BIGNUM tmp, wnum, snum, sdiv, res;	124	BIGNUM tmp, wnum, snum, sdiv, res;
@@ -137,10 +137,8 @@ BN_div(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
137		137
138	bn_check_top(num);	138	bn_check_top(num);
139		139
140	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) \|\|	140	if (ct)
141	(BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
142	no_branch = 1;	141	no_branch = 1;
143	}
144		142
145	bn_check_top(dv);	143	bn_check_top(dv);
146	bn_check_top(rm);	144	bn_check_top(rm);
@@ -379,3 +377,27 @@ err:
379	BN_CTX_end(ctx);	377	BN_CTX_end(ctx);
380	return (0);	378	return (0);
381	}	379	}
		380
		381	int
		382	BN_div(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
		383	BN_CTX *ctx)
		384	{
		385	int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) \|\|
		386	(BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0));
		387
		388	return BN_div_internal(dv, rm, num, divisor, ctx, ct);
		389	}
		390
		391	int
		392	BN_div_nonct(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
		393	BN_CTX *ctx)
		394	{
		395	return BN_div_internal(dv, rm, num, divisor, ctx, 0);
		396	}
		397
		398	int
		399	BN_div_ct(BIGNUM dv, BIGNUM rm, const BIGNUM num, const BIGNUM divisor,
		400	BN_CTX *ctx)
		401	{
		402	return BN_div_internal(dv, rm, num, divisor, ctx, 1);
		403	}


diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c index ed4bc666bf..f650e94b09 100644 --- a/src/lib/libcrypto/bn/bn_exp.c +++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_exp.c,v 1.28 2017/01/21 09:38:58 beck Exp $ */	1	/* $OpenBSD: bn_exp.c,v 1.29 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -735,7 +735,7 @@ BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
735		735
736	/* prepare a^1 in Montgomery domain */	736	/* prepare a^1 in Montgomery domain */
737	if (a->neg \|\| BN_ucmp(a, m) >= 0) {	737	if (a->neg \|\| BN_ucmp(a, m) >= 0) {
738	if (!BN_mod(&am, a,m, ctx))	738	if (!BN_mod_ct(&am, a,m, ctx))
739	goto err;	739	goto err;
740	if (!BN_to_montgomery(&am, &am, mont, ctx))	740	if (!BN_to_montgomery(&am, &am, mont, ctx))
741	goto err;	741	goto err;
@@ -924,7 +924,7 @@ BN_mod_exp_mont_word(BIGNUM rr, BN_ULONG a, const BIGNUM p, const BIGNUM *m,
924	#define BN_MOD_MUL_WORD(r, w, m) \	924	#define BN_MOD_MUL_WORD(r, w, m) \
925	(BN_mul_word(r, (w)) && \	925	(BN_mul_word(r, (w)) && \
926	(/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \	926	(/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \
927	(BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))	927	(BN_mod_ct(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
928	/* BN_MOD_MUL_WORD is only used with 'w' large,	928	/* BN_MOD_MUL_WORD is only used with 'w' large,
929	* so the BN_ucmp test is probably more overhead	929	* so the BN_ucmp test is probably more overhead
930	* than always using BN_mod (which uses BN_copy if	930	* than always using BN_mod (which uses BN_copy if


diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c index 38bf467a38..1d938d3818 100644 --- a/src/lib/libcrypto/bn/bn_exp2.c +++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_exp2.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */	1	/* $OpenBSD: bn_exp2.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -175,7 +175,7 @@ BN_mod_exp2_mont(BIGNUM rr, const BIGNUM a1, const BIGNUM *p1,
175	* Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1)	175	* Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1)
176	*/	176	*/
177	if (a1->neg \|\| BN_ucmp(a1, m) >= 0) {	177	if (a1->neg \|\| BN_ucmp(a1, m) >= 0) {
178	if (!BN_mod(val1[0], a1, m, ctx))	178	if (!BN_mod_ct(val1[0], a1, m, ctx))
179	goto err;	179	goto err;
180	a_mod_m = val1[0];	180	a_mod_m = val1[0];
181	} else	181	} else
@@ -206,7 +206,7 @@ BN_mod_exp2_mont(BIGNUM rr, const BIGNUM a1, const BIGNUM *p1,
206	* Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1)	206	* Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1)
207	*/	207	*/
208	if (a2->neg \|\| BN_ucmp(a2, m) >= 0) {	208	if (a2->neg \|\| BN_ucmp(a2, m) >= 0) {
209	if (!BN_mod(val2[0], a2, m, ctx))	209	if (!BN_mod_ct(val2[0], a2, m, ctx))
210	goto err;	210	goto err;
211	a_mod_m = val2[0];	211	a_mod_m = val2[0];
212	} else	212	} else


diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c index da9c29a8e5..3c8ff5b405 100644 --- a/src/lib/libcrypto/bn/bn_gcd.c +++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_gcd.c,v 1.10 2015/02/09 15:49:22 jsing Exp $ */	1	/* $OpenBSD: bn_gcd.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -421,7 +421,7 @@ BN_mod_inverse(BIGNUM in, const BIGNUM a, const BIGNUM n, BN_CTX ctx)
421	}	421	}
422	}	422	}
423	} else {	423	} else {
424	if (!BN_div(D, M, A, B, ctx))	424	if (!BN_div_ct(D, M, A, B, ctx))
425	goto err;	425	goto err;
426	}	426	}
427		427
@@ -605,7 +605,7 @@ BN_mod_inverse_no_branch(BIGNUM in, const BIGNUM a, const BIGNUM *n,
605	BN_with_flags(pA, A, BN_FLG_CONSTTIME);	605	BN_with_flags(pA, A, BN_FLG_CONSTTIME);
606		606
607	/* (D, M) := (A/B, A%B) ... */	607	/* (D, M) := (A/B, A%B) ... */
608	if (!BN_div(D, M, pA, B, ctx))	608	if (!BN_div_ct(D, M, pA, B, ctx))
609	goto err;	609	goto err;
610		610
611	/* Now	611	/* Now


diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h index f8ce4bdc51..59d9036d01 100644 --- a/src/lib/libcrypto/bn/bn_lcl.h +++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_lcl.h,v 1.24 2017/01/21 09:38:58 beck Exp $ */	1	/* $OpenBSD: bn_lcl.h,v 1.25 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -593,7 +593,11 @@ int BN_mod_exp_mont_ct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
593	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);	593	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
594	int BN_mod_exp_mont_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,	594	int BN_mod_exp_mont_nonct(BIGNUM r, const BIGNUM a, const BIGNUM *p,
595	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);	595	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *m_ctx);
596		596	int BN_div_nonct(BIGNUM dv, BIGNUM rem, const BIGNUM m, const BIGNUM d,
		597	BN_CTX *ctx);
		598	int BN_div_ct(BIGNUM dv, BIGNUM rem, const BIGNUM m, const BIGNUM d,
		599	BN_CTX *ctx);
		600	#define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx))
		601	#define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx))
597	__END_HIDDEN_DECLS	602	__END_HIDDEN_DECLS
598
599	#endif	603	#endif


diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c index eb2d5b072e..4c30c098d4 100644 --- a/src/lib/libcrypto/bn/bn_mod.c +++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_mod.c,v 1.10 2016/11/05 10:47:16 miod Exp $ */	1	/* $OpenBSD: bn_mod.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>	2	/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
3	* for the OpenSSL project. */	3	* for the OpenSSL project. */
4	/* ====================================================================	4	/* ====================================================================
@@ -121,7 +121,7 @@ BN_nnmod(BIGNUM r, const BIGNUM m, const BIGNUM d, BN_CTX ctx)
121	/* like BN_mod, but returns non-negative remainder	121	/* like BN_mod, but returns non-negative remainder
122	* (i.e., 0 <= r < \|d\| always holds) */	122	* (i.e., 0 <= r < \|d\| always holds) */
123		123
124	if (!(BN_mod(r, m,d, ctx)))	124	if (!(BN_mod_ct(r, m,d, ctx)))
125	return 0;	125	return 0;
126	if (!r->neg)	126	if (!r->neg)
127	return 1;	127	return 1;
@@ -212,7 +212,7 @@ BN_mod_sqr(BIGNUM r, const BIGNUM a, const BIGNUM m, BN_CTX ctx)
212	if (!BN_sqr(r, a, ctx))	212	if (!BN_sqr(r, a, ctx))
213	return 0;	213	return 0;
214	/* r->neg == 0, thus we don't need BN_nnmod */	214	/* r->neg == 0, thus we don't need BN_nnmod */
215	return BN_mod(r, r, m, ctx);	215	return BN_mod_ct(r, r, m, ctx);
216	}	216	}
217		217
218	int	218	int


diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c index 3eb9913a9e..3496502435 100644 --- a/src/lib/libcrypto/bn/bn_mont.c +++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_mont.c,v 1.24 2015/02/09 15:49:22 jsing Exp $ */	1	/* $OpenBSD: bn_mont.c,v 1.25 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -418,7 +418,7 @@ BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
418	Ri->d[1] = BN_MASK2;	418	Ri->d[1] = BN_MASK2;
419	Ri->top = 2;	419	Ri->top = 2;
420	}	420	}
421	if (!BN_div(Ri, NULL, Ri, &tmod, ctx))	421	if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
422	goto err;	422	goto err;
423	/* Ni = (R*Ri-1)/N,	423	/* Ni = (R*Ri-1)/N,
424	* keep only couple of least significant words: */	424	* keep only couple of least significant words: */
@@ -446,7 +446,7 @@ BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
446	if (!BN_set_word(Ri, BN_MASK2))	446	if (!BN_set_word(Ri, BN_MASK2))
447	goto err; /* Ri-- (mod word size) */	447	goto err; /* Ri-- (mod word size) */
448	}	448	}
449	if (!BN_div(Ri, NULL, Ri, &tmod, ctx))	449	if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx))
450	goto err;	450	goto err;
451	/* Ni = (R*Ri-1)/N,	451	/* Ni = (R*Ri-1)/N,
452	* keep only least significant word: */	452	* keep only least significant word: */
@@ -468,7 +468,7 @@ BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
468	if (!BN_sub_word(Ri, 1))	468	if (!BN_sub_word(Ri, 1))
469	goto err;	469	goto err;
470	/* Ni = (RRi-1) / N /	470	/* Ni = (RRi-1) / N /
471	if (!BN_div(&(mont->Ni), NULL, Ri, &mont->N, ctx))	471	if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx))
472	goto err;	472	goto err;
473	}	473	}
474	#endif	474	#endif
@@ -477,7 +477,7 @@ BN_MONT_CTX_set(BN_MONT_CTX mont, const BIGNUM mod, BN_CTX *ctx)
477	BN_zero(&(mont->RR));	477	BN_zero(&(mont->RR));
478	if (!BN_set_bit(&(mont->RR), mont->ri*2))	478	if (!BN_set_bit(&(mont->RR), mont->ri*2))
479	goto err;	479	goto err;
480	if (!BN_mod(&(mont->RR), &(mont->RR), &(mont->N), ctx))	480	if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx))
481	goto err;	481	goto err;
482		482
483	ret = 1;	483	ret = 1;


diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c index b2f32684e4..ec8217ef69 100644 --- a/src/lib/libcrypto/bn/bn_prime.c +++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_prime.c,v 1.16 2017/01/21 09:38:58 beck Exp $ */	1	/* $OpenBSD: bn_prime.c,v 1.17 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -443,7 +443,7 @@ probable_prime_dh(BIGNUM rnd, int bits, const BIGNUM add, const BIGNUM *rem,
443		443
444	/* we need ((rnd-rem) % add) == 0 */	444	/* we need ((rnd-rem) % add) == 0 */
445		445
446	if (!BN_mod(t1, rnd, add, ctx))	446	if (!BN_mod_ct(t1, rnd, add, ctx))
447	goto err;	447	goto err;
448	if (!BN_sub(rnd, rnd, t1))	448	if (!BN_sub(rnd, rnd, t1))
449	goto err;	449	goto err;
@@ -500,7 +500,7 @@ probable_prime_dh_safe(BIGNUM p, int bits, const BIGNUM padd,
500	goto err;	500	goto err;
501		501
502	/* we need ((rnd-rem) % add) == 0 */	502	/* we need ((rnd-rem) % add) == 0 */
503	if (!BN_mod(t1, q,qadd, ctx))	503	if (!BN_mod_ct(t1, q,qadd, ctx))
504	goto err;	504	goto err;
505	if (!BN_sub(q, q, t1))	505	if (!BN_sub(q, q, t1))
506	goto err;	506	goto err;


diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c index b0bd0aa4df..aae7c7ef85 100644 --- a/src/lib/libcrypto/bn/bn_recp.c +++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: bn_recp.c,v 1.13 2015/04/29 00:11:12 doug Exp $ */	1	/* $OpenBSD: bn_recp.c,v 1.14 2017/01/21 10:38:29 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -251,7 +251,7 @@ BN_reciprocal(BIGNUM r, const BIGNUM m, int len, BN_CTX *ctx)
251	if (!BN_set_bit(t, len))	251	if (!BN_set_bit(t, len))
252	goto err;	252	goto err;
253		253
254	if (!BN_div(r, NULL, t,m, ctx))	254	if (!BN_div_ct(r, NULL, t,m, ctx))
255	goto err;	255	goto err;
256		256
257	ret = len;	257	ret = len;