From 48df727a3547375dae8622c34fb55bdf5ef2c44c Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sat, 21 Jan 2017 11:00:47 +0000
Subject: Add ct and nonct versions of BN_mod_inverse for internal use ok
 jsing@

---
 src/lib/libcrypto/bn/bn.h       |  4 +++-
 src/lib/libcrypto/bn/bn_blind.c |  4 ++--
 src/lib/libcrypto/bn/bn_gcd.c   | 30 ++++++++++++++++++++++++------
 src/lib/libcrypto/bn/bn_lcl.h   |  6 +++++-
 src/lib/libcrypto/bn/bn_mont.c  |  8 ++++----
 src/lib/libcrypto/bn/bn_x931p.c |  8 +++++---
 6 files changed, 43 insertions(+), 17 deletions(-)

(limited to 'src/lib/libcrypto/bn')

diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index fd9a62fe3f..5d5de7e43a 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.34 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn.h,v 1.35 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -454,8 +454,10 @@ int 	BN_dec2bn(BIGNUM **a, const char *str);
 int	BN_asc2bn(BIGNUM **a, const char *str);
 int	BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
 int	BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
+#ifndef LIBRESSL_INTERNAL
 BIGNUM *BN_mod_inverse(BIGNUM *ret,
     const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+#endif
 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
     const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
 
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index 01874f6208..28c6276751 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_blind.c,v 1.15 2017/01/21 09:38:58 beck Exp $ */
+/* $OpenBSD: bn_blind.c,v 1.16 2017/01/21 11:00:46 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -351,7 +351,7 @@ BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m,
 	do {
 		if (!BN_rand_range(ret->A, ret->mod))
 			goto err;
-		if (BN_mod_inverse(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
+		if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
 			/* this should almost never happen for good RSA keys */
 			unsigned long error = ERR_peek_last_error();
 			if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index 3c8ff5b405..4eab1b36d2 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.11 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.12 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -231,17 +231,16 @@ err:
 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a,
     const BIGNUM *n, BN_CTX *ctx);
 
-BIGNUM *
-BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+static BIGNUM *
+BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
+    int ct)
 {
 	BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
 	BIGNUM *ret = NULL;
 	int sign;
 
-	if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) ||
-	    (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
+	if (ct)
 		return BN_mod_inverse_no_branch(in, a, n, ctx);
-	}
 
 	bn_check_top(a);
 	bn_check_top(n);
@@ -524,6 +523,25 @@ err:
 	return (ret);
 }
 
+BIGNUM *
+BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+	int ct = ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) ||
+	    (BN_get_flags(n, BN_FLG_CONSTTIME) != 0));
+	return BN_mod_inverse_internal(in, a, n, ctx, ct);
+}
+
+BIGNUM *
+BN_mod_inverse_nonct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+	return BN_mod_inverse_internal(in, a, n, ctx, 0);
+}
+
+BIGNUM *
+BN_mod_inverse_ct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+{
+	return BN_mod_inverse_internal(in, a, n, ctx, 1);
+}
 
 /* BN_mod_inverse_no_branch is a special version of BN_mod_inverse.
  * It does not contain branches that may leak sensitive information.
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 59d9036d01..75c35499a8 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lcl.h,v 1.25 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_lcl.h,v 1.26 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -599,5 +599,9 @@ int BN_div_ct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     BN_CTX *ctx);
 #define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx))
 #define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx))
+BIGNUM *BN_mod_inverse_ct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+    BN_CTX *ctx);
+BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+    BN_CTX *ctx);
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 3496502435..eeac046826 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.25 2017/01/21 10:38:29 beck Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.26 2017/01/21 11:00:46 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -400,7 +400,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		if ((buf[1] = mod->top > 1 ? mod->d[1] : 0))
 			tmod.top = 2;
 
-		if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
+		if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
 			goto err;
 		if (!BN_lshift(Ri, Ri, 2 * BN_BITS2))
 			goto err; /* R*Ri */
@@ -433,7 +433,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		buf[1] = 0;
 		tmod.top = buf[0] != 0 ? 1 : 0;
 		/* Ri = R^-1 mod N*/
-		if ((BN_mod_inverse(Ri, R, &tmod, ctx)) == NULL)
+		if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL)
 			goto err;
 		if (!BN_lshift(Ri, Ri, BN_BITS2))
 			goto err; /* R*Ri */
@@ -461,7 +461,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
 		if (!BN_set_bit(R, mont->ri))
 			goto err;  /* R = 2^ri */
 		/* Ri = R^-1 mod N*/
-		if ((BN_mod_inverse(Ri, R, &mont->N, ctx)) == NULL)
+		if ((BN_mod_inverse_ct(Ri, R, &mont->N, ctx)) == NULL)
 			goto err;
 		if (!BN_lshift(Ri, Ri, mont->ri))
 			goto err; /* R*Ri */
diff --git a/src/lib/libcrypto/bn/bn_x931p.c b/src/lib/libcrypto/bn/bn_x931p.c
index 1948bc8e71..84c998d4e1 100644
--- a/src/lib/libcrypto/bn/bn_x931p.c
+++ b/src/lib/libcrypto/bn/bn_x931p.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_x931p.c,v 1.8 2015/04/29 00:11:12 doug Exp $ */
+/* $OpenBSD: bn_x931p.c,v 1.9 2017/01/21 11:00:46 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <openssl/bn.h>
 
+#include "bn_lcl.h"
+
 /* X9.31 routines for prime derivation */
 
 /* X9.31 prime derivation. This is used to generate the primes pi
@@ -134,13 +136,13 @@ BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp,
 
 	/* First set p to value of Rp */
 
-	if (!BN_mod_inverse(p, p2, p1, ctx))
+	if (!BN_mod_inverse_ct(p, p2, p1, ctx))
 		goto err;
 
 	if (!BN_mul(p, p, p2, ctx))
 		goto err;
 
-	if (!BN_mod_inverse(t, p1, p2, ctx))
+	if (!BN_mod_inverse_ct(t, p1, p2, ctx))
 		goto err;
 
 	if (!BN_mul(t, t, p1, ctx))
-- 
cgit v1.2.3-55-g6feb