From 7fe7e1ed6bcd0e342aed7c0f890962dda616aa0d Mon Sep 17 00:00:00 2001
From: djm <>
Date: Tue, 27 Jun 2006 05:07:03 +0000
Subject: resolve conflicts

---
 src/lib/libcrypto/bn/asm/sparcv8plus.S |  16 ++-
 src/lib/libcrypto/bn/bn.h              |  34 +++++
 src/lib/libcrypto/bn/bn_asm.c          |   2 +-
 src/lib/libcrypto/bn/bn_err.c          |  92 +++++++------
 src/lib/libcrypto/bn/bn_exp.c          | 244 ++++++++++++++++++++++++++++++++-
 src/lib/libcrypto/bn/bn_lcl.h          |  39 ++++++
 src/lib/libcrypto/bn/bn_mont.c         |  20 +++
 src/lib/libcrypto/bn/bntest.c          |  56 ++++++++
 src/lib/libcrypto/bn/expspeed.c        |   2 +-
 src/lib/libcrypto/bn/exptest.c         |  18 ++-
 10 files changed, 473 insertions(+), 50 deletions(-)

(limited to 'src/lib/libcrypto/bn')

diff --git a/src/lib/libcrypto/bn/asm/sparcv8plus.S b/src/lib/libcrypto/bn/asm/sparcv8plus.S
index 0074dfdb75..8c56e2e7e7 100644
--- a/src/lib/libcrypto/bn/asm/sparcv8plus.S
+++ b/src/lib/libcrypto/bn/asm/sparcv8plus.S
@@ -162,10 +162,14 @@
  * BN_ULONG w;
  */
 bn_mul_add_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_add_words_proceed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_add_words_proceed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -260,10 +264,14 @@ bn_mul_add_words:
  * BN_ULONG w;
  */
 bn_mul_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_words_proceeed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -344,10 +352,14 @@ bn_mul_words:
  * int n;
  */
 bn_sqr_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_sqr_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_sqr_words_proceeed:
 	andcc	%o2,-4,%g0
@@ -445,6 +457,7 @@ bn_div_words:
  * int n;
  */
 bn_add_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_add_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -454,7 +467,6 @@ bn_add_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_add_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_add_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
@@ -523,6 +535,7 @@ bn_add_words:
  * int n;
  */
 bn_sub_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_sub_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -532,7 +545,6 @@ bn_sub_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_sub_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_sub_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 3da6d8ced9..1251521c54 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -225,10 +225,23 @@ extern "C" {
 
 #define BN_FLG_MALLOCED		0x01
 #define BN_FLG_STATIC_DATA	0x02
+#define BN_FLG_EXP_CONSTTIME	0x04 /* avoid leaking exponent information through timings
+                            	      * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
 #define BN_FLG_FREE		0x8000	/* used for debuging */
 #define BN_set_flags(b,n)	((b)->flags|=(n))
 #define BN_get_flags(b,n)	((b)->flags&(n))
 
+/* get a clone of a BIGNUM with changed flags, for *temporary* use only
+ * (the two BIGNUMs cannot not be used in parallel!) */
+#define BN_with_flags(dest,b,n)  ((dest)->d=(b)->d, \
+                                  (dest)->top=(b)->top, \
+                                  (dest)->dmax=(b)->dmax, \
+                                  (dest)->neg=(b)->neg, \
+                                  (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
+                                                 |  ((b)->flags & ~BN_FLG_MALLOCED) \
+                                                 |  BN_FLG_STATIC_DATA \
+                                                 |  (n)))
+
 typedef struct bignum_st
 	{
 	BN_ULONG *d;	/* Pointer to an array of 'BN_BITS2' bit chunks. */
@@ -378,6 +391,8 @@ int	BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m,BN_CTX *ctx);
 int	BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
 int	BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
 	const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int	BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
@@ -423,6 +438,19 @@ int	BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
 	void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
 	int do_trial_division);
 
+#ifdef OPENSSL_FIPS
+int BN_X931_derive_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+			void (*cb)(int, int, void *), void *cb_arg,
+			const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+			const BIGNUM *e, BN_CTX *ctx);
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+int BN_X931_generate_prime(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+			BIGNUM *Xp1, BIGNUM *Xp2,
+			const BIGNUM *Xp,
+			const BIGNUM *e, BN_CTX *ctx,
+			void (*cb)(int, int, void *), void *cb_arg);
+#endif
+
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
 int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
@@ -434,6 +462,8 @@ int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
 int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx);
 
 BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
 void BN_BLINDING_free(BN_BLINDING *b);
@@ -510,11 +540,15 @@ void ERR_load_BN_strings(void);
 #define BN_F_BN_CTX_GET					 116
 #define BN_F_BN_CTX_NEW					 106
 #define BN_F_BN_DIV					 107
+#define BN_F_BN_EXP					 123
 #define BN_F_BN_EXPAND2					 108
 #define BN_F_BN_EXPAND_INTERNAL				 120
 #define BN_F_BN_MOD_EXP2_MONT				 118
 #define BN_F_BN_MOD_EXP_MONT				 109
+#define BN_F_BN_MOD_EXP_MONT_CONSTTIME			 124
 #define BN_F_BN_MOD_EXP_MONT_WORD			 117
+#define BN_F_BN_MOD_EXP_RECP				 125
+#define BN_F_BN_MOD_EXP_SIMPLE				 126
 #define BN_F_BN_MOD_INVERSE				 110
 #define BN_F_BN_MOD_LSHIFT_QUICK			 119
 #define BN_F_BN_MOD_MUL_RECIPROCAL			 111
diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c
index be8aa3ffc5..19978085b2 100644
--- a/src/lib/libcrypto/bn/bn_asm.c
+++ b/src/lib/libcrypto/bn/bn_asm.c
@@ -237,7 +237,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 	if (d == 0) return(BN_MASK2);
 
 	i=BN_num_bits_word(d);
-	assert((i == BN_BITS2) || (h > (BN_ULONG)1<<i));
+	assert((i == BN_BITS2) || (h <= (BN_ULONG)1<<i));
 
 	i=BN_BITS2-i;
 	if (h >= d) h-=d;
diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c
index fb84ee96d8..5dfac00c88 100644
--- a/src/lib/libcrypto/bn/bn_err.c
+++ b/src/lib/libcrypto/bn/bn_err.c
@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -64,52 +64,60 @@
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
+
 static ERR_STRING_DATA BN_str_functs[]=
 	{
-{ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),	"BN_BLINDING_convert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_INVERT,0),	"BN_BLINDING_invert"},
-{ERR_PACK(0,BN_F_BN_BLINDING_NEW,0),	"BN_BLINDING_new"},
-{ERR_PACK(0,BN_F_BN_BLINDING_UPDATE,0),	"BN_BLINDING_update"},
-{ERR_PACK(0,BN_F_BN_BN2DEC,0),	"BN_bn2dec"},
-{ERR_PACK(0,BN_F_BN_BN2HEX,0),	"BN_bn2hex"},
-{ERR_PACK(0,BN_F_BN_CTX_GET,0),	"BN_CTX_get"},
-{ERR_PACK(0,BN_F_BN_CTX_NEW,0),	"BN_CTX_new"},
-{ERR_PACK(0,BN_F_BN_DIV,0),	"BN_div"},
-{ERR_PACK(0,BN_F_BN_EXPAND2,0),	"bn_expand2"},
-{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0),	"BN_EXPAND_INTERNAL"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0),	"BN_mod_exp2_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),	"BN_mod_exp_mont"},
-{ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0),	"BN_mod_exp_mont_word"},
-{ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),	"BN_mod_inverse"},
-{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0),	"BN_mod_lshift_quick"},
-{ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),	"BN_mod_mul_reciprocal"},
-{ERR_PACK(0,BN_F_BN_MOD_SQRT,0),	"BN_mod_sqrt"},
-{ERR_PACK(0,BN_F_BN_MPI2BN,0),	"BN_mpi2bn"},
-{ERR_PACK(0,BN_F_BN_NEW,0),	"BN_new"},
-{ERR_PACK(0,BN_F_BN_RAND,0),	"BN_rand"},
-{ERR_PACK(0,BN_F_BN_RAND_RANGE,0),	"BN_rand_range"},
-{ERR_PACK(0,BN_F_BN_USUB,0),	"BN_usub"},
+{ERR_FUNC(BN_F_BN_BLINDING_CONVERT),	"BN_BLINDING_convert"},
+{ERR_FUNC(BN_F_BN_BLINDING_INVERT),	"BN_BLINDING_invert"},
+{ERR_FUNC(BN_F_BN_BLINDING_NEW),	"BN_BLINDING_new"},
+{ERR_FUNC(BN_F_BN_BLINDING_UPDATE),	"BN_BLINDING_update"},
+{ERR_FUNC(BN_F_BN_BN2DEC),	"BN_bn2dec"},
+{ERR_FUNC(BN_F_BN_BN2HEX),	"BN_bn2hex"},
+{ERR_FUNC(BN_F_BN_CTX_GET),	"BN_CTX_get"},
+{ERR_FUNC(BN_F_BN_CTX_NEW),	"BN_CTX_new"},
+{ERR_FUNC(BN_F_BN_DIV),	"BN_div"},
+{ERR_FUNC(BN_F_BN_EXP),	"BN_exp"},
+{ERR_FUNC(BN_F_BN_EXPAND2),	"bn_expand2"},
+{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL),	"BN_EXPAND_INTERNAL"},
+{ERR_FUNC(BN_F_BN_MOD_EXP2_MONT),	"BN_mod_exp2_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT),	"BN_mod_exp_mont"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME),	"BN_mod_exp_mont_consttime"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_MONT_WORD),	"BN_mod_exp_mont_word"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_RECP),	"BN_mod_exp_recp"},
+{ERR_FUNC(BN_F_BN_MOD_EXP_SIMPLE),	"BN_mod_exp_simple"},
+{ERR_FUNC(BN_F_BN_MOD_INVERSE),	"BN_mod_inverse"},
+{ERR_FUNC(BN_F_BN_MOD_LSHIFT_QUICK),	"BN_mod_lshift_quick"},
+{ERR_FUNC(BN_F_BN_MOD_MUL_RECIPROCAL),	"BN_mod_mul_reciprocal"},
+{ERR_FUNC(BN_F_BN_MOD_SQRT),	"BN_mod_sqrt"},
+{ERR_FUNC(BN_F_BN_MPI2BN),	"BN_mpi2bn"},
+{ERR_FUNC(BN_F_BN_NEW),	"BN_new"},
+{ERR_FUNC(BN_F_BN_RAND),	"BN_rand"},
+{ERR_FUNC(BN_F_BN_RAND_RANGE),	"BN_rand_range"},
+{ERR_FUNC(BN_F_BN_USUB),	"BN_usub"},
 {0,NULL}
 	};
 
 static ERR_STRING_DATA BN_str_reasons[]=
 	{
-{BN_R_ARG2_LT_ARG3                       ,"arg2 lt arg3"},
-{BN_R_BAD_RECIPROCAL                     ,"bad reciprocal"},
-{BN_R_BIGNUM_TOO_LONG                    ,"bignum too long"},
-{BN_R_CALLED_WITH_EVEN_MODULUS           ,"called with even modulus"},
-{BN_R_DIV_BY_ZERO                        ,"div by zero"},
-{BN_R_ENCODING_ERROR                     ,"encoding error"},
-{BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
-{BN_R_INPUT_NOT_REDUCED                  ,"input not reduced"},
-{BN_R_INVALID_LENGTH                     ,"invalid length"},
-{BN_R_INVALID_RANGE                      ,"invalid range"},
-{BN_R_NOT_A_SQUARE                       ,"not a square"},
-{BN_R_NOT_INITIALIZED                    ,"not initialized"},
-{BN_R_NO_INVERSE                         ,"no inverse"},
-{BN_R_P_IS_NOT_PRIME                     ,"p is not prime"},
-{BN_R_TOO_MANY_ITERATIONS                ,"too many iterations"},
-{BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
+{ERR_REASON(BN_R_ARG2_LT_ARG3)           ,"arg2 lt arg3"},
+{ERR_REASON(BN_R_BAD_RECIPROCAL)         ,"bad reciprocal"},
+{ERR_REASON(BN_R_BIGNUM_TOO_LONG)        ,"bignum too long"},
+{ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS),"called with even modulus"},
+{ERR_REASON(BN_R_DIV_BY_ZERO)            ,"div by zero"},
+{ERR_REASON(BN_R_ENCODING_ERROR)         ,"encoding error"},
+{ERR_REASON(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA),"expand on static bignum data"},
+{ERR_REASON(BN_R_INPUT_NOT_REDUCED)      ,"input not reduced"},
+{ERR_REASON(BN_R_INVALID_LENGTH)         ,"invalid length"},
+{ERR_REASON(BN_R_INVALID_RANGE)          ,"invalid range"},
+{ERR_REASON(BN_R_NOT_A_SQUARE)           ,"not a square"},
+{ERR_REASON(BN_R_NOT_INITIALIZED)        ,"not initialized"},
+{ERR_REASON(BN_R_NO_INVERSE)             ,"no inverse"},
+{ERR_REASON(BN_R_P_IS_NOT_PRIME)         ,"p is not prime"},
+{ERR_REASON(BN_R_TOO_MANY_ITERATIONS)    ,"too many iterations"},
+{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),"too many temporary variables"},
 {0,NULL}
 	};
 
@@ -123,8 +131,8 @@ void ERR_load_BN_strings(void)
 		{
 		init=0;
 #ifndef OPENSSL_NO_ERR
-		ERR_load_strings(ERR_LIB_BN,BN_str_functs);
-		ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
+		ERR_load_strings(0,BN_str_functs);
+		ERR_load_strings(0,BN_str_reasons);
 #endif
 
 		}
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index afdfd580fb..9e1e88abe8 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -113,6 +113,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+/* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE	32
 
 /* this one works - simple but works */
@@ -121,6 +122,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 	int i,bits,ret=0;
 	BIGNUM *v,*rr;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_EXP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	BN_CTX_start(ctx);
 	if ((r == a) || (r == p))
 		rr = BN_CTX_get(ctx);
@@ -204,7 +212,7 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	if (BN_is_odd(m))
 		{
 #  ifdef MONT_EXP_WORD
-		if (a->top == 1 && !a->neg)
+		if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) == 0))
 			{
 			BN_ULONG A = a->d[0];
 			ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
@@ -234,6 +242,13 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	BIGNUM val[TABLE_SIZE];
 	BN_RECP_CTX recp;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_RECP,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bits=BN_num_bits(p);
 
 	if (bits == 0)
@@ -361,6 +376,11 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 	BIGNUM val[TABLE_SIZE];
 	BN_MONT_CTX *mont=NULL;
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont);
+		}
+
 	bn_check_top(a);
 	bn_check_top(p);
 	bn_check_top(m);
@@ -493,6 +513,212 @@ err:
 	return(ret);
 	}
 
+
+/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
+ * so that accessing any of these table values shows the same access pattern as far
+ * as cache lines are concerned.  The following functions are used to transfer a BIGNUM
+ * from/to that table. */
+
+static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+	while (b->top < top)
+		{
+		b->d[b->top++] = 0;
+		}
+	
+	for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		buf[j] = ((unsigned char*)b->d)[i];
+		}
+
+	bn_fix_top(b);
+	return 1;
+	}
+
+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
+	{
+	size_t i, j;
+
+	if (bn_wexpand(b, top) == NULL)
+		return 0;
+
+	for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
+		{
+		((unsigned char*)b->d)[i] = buf[j];
+		}
+
+	b->top = top;
+	bn_fix_top(b);
+	return 1;
+	}	
+
+/* Given a pointer value, compute the next address that is a cache line multiple. */
+#define MOD_EXP_CTIME_ALIGN(x_) \
+	((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
+
+/* This variant of BN_mod_exp_mont() uses fixed windows and the special
+ * precomputation memory layout to limit data-dependency to a minimum
+ * to protect secret exponents (cf. the hyper-threading timing attacks
+ * pointed out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+		    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+	{
+	int i,bits,ret=0,idx,window,wvalue;
+	int top;
+ 	BIGNUM *r;
+	const BIGNUM *aa;
+	BN_MONT_CTX *mont=NULL;
+
+	int numPowers;
+	unsigned char *powerbufFree=NULL;
+	int powerbufLen = 0;
+	unsigned char *powerbuf=NULL;
+	BIGNUM *computeTemp=NULL, *am=NULL;
+
+	bn_check_top(a);
+	bn_check_top(p);
+	bn_check_top(m);
+
+	top = m->top;
+
+	if (!(m->d[0] & 1))
+		{
+		BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME,BN_R_CALLED_WITH_EVEN_MODULUS);
+		return(0);
+		}
+	bits=BN_num_bits(p);
+	if (bits == 0)
+		{
+		ret = BN_one(rr);
+		return ret;
+		}
+
+ 	/* Initialize BIGNUM context and allocate intermediate result */
+	BN_CTX_start(ctx);
+	r = BN_CTX_get(ctx);
+	if (r == NULL) goto err;
+
+	/* Allocate a montgomery context if it was not supplied by the caller.
+	 * If this is not done, things will break in the montgomery part.
+ 	 */
+	if (in_mont != NULL)
+		mont=in_mont;
+	else
+		{
+		if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+		if (!BN_MONT_CTX_set(mont,m,ctx)) goto err;
+		}
+
+	/* Get the window size to use with size of p. */
+	window = BN_window_bits_for_ctime_exponent_size(bits);
+
+	/* Allocate a buffer large enough to hold all of the pre-computed
+	 * powers of a.
+	 */
+	numPowers = 1 << window;
+	powerbufLen = sizeof(m->d[0])*top*numPowers;
+	if ((powerbufFree=(unsigned char*)OPENSSL_malloc(powerbufLen+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
+		goto err;
+		
+	powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
+	memset(powerbuf, 0, powerbufLen);
+
+ 	/* Initialize the intermediate result. Do this early to save double conversion,
+	 * once each for a^0 and intermediate result.
+	 */
+ 	if (!BN_to_montgomery(r,BN_value_one(),mont,ctx)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) goto err;
+
+	/* Initialize computeTemp as a^1 with montgomery precalcs */
+	computeTemp = BN_CTX_get(ctx);
+	am = BN_CTX_get(ctx);
+	if (computeTemp==NULL || am==NULL) goto err;
+
+	if (a->neg || BN_ucmp(a,m) >= 0)
+		{
+		if (!BN_mod(am,a,m,ctx))
+			goto err;
+		aa= am;
+		}
+	else
+		aa=a;
+	if (!BN_to_montgomery(am,aa,mont,ctx)) goto err;
+	if (!BN_copy(computeTemp, am)) goto err;
+	if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) goto err;
+
+	/* If the window size is greater than 1, then calculate
+	 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+	 * (even powers could instead be computed as (a^(i/2))^2
+	 * to use the slight performance advantage of sqr over mul).
+	 */
+	if (window > 1)
+		{
+		for (i=2; i<numPowers; i++)
+			{
+			/* Calculate a^i = a^(i-1) * a */
+			if (!BN_mod_mul_montgomery(computeTemp,am,computeTemp,mont,ctx))
+				goto err;
+			if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, numPowers)) goto err;
+			}
+		}
+
+ 	/* Adjust the number of bits up to a multiple of the window size.
+ 	 * If the exponent length is not a multiple of the window size, then
+ 	 * this pads the most significant bits with zeros to normalize the
+ 	 * scanning loop to there's no special cases.
+ 	 *
+ 	 * * NOTE: Making the window size a power of two less than the native
+	 * * word size ensures that the padded bits won't go past the last
+ 	 * * word in the internal BIGNUM structure. Going past the end will
+ 	 * * still produce the correct result, but causes a different branch
+ 	 * * to be taken in the BN_is_bit_set function.
+ 	 */
+ 	bits = ((bits+window-1)/window)*window;
+ 	idx=bits-1;	/* The top bit of the window */
+
+ 	/* Scan the exponent one window at a time starting from the most
+ 	 * significant bits.
+ 	 */
+ 	while (idx >= 0)
+  		{
+ 		wvalue=0; /* The 'value' of the window */
+ 		
+ 		/* Scan the window, squaring the result as we go */
+ 		for (i=0; i<window; i++,idx--)
+ 			{
+			if (!BN_mod_mul_montgomery(r,r,r,mont,ctx))	goto err;
+			wvalue = (wvalue<<1)+BN_is_bit_set(p,idx);
+  			}
+ 		
+		/* Fetch the appropriate pre-computed value from the pre-buf */
+		if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(computeTemp, top, powerbuf, wvalue, numPowers)) goto err;
+
+ 		/* Multiply the result into the intermediate result */
+ 		if (!BN_mod_mul_montgomery(r,r,computeTemp,mont,ctx)) goto err;
+  		}
+
+ 	/* Convert the final result from montgomery to standard format */
+	if (!BN_from_montgomery(rr,r,mont,ctx)) goto err;
+	ret=1;
+err:
+	if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
+	if (powerbuf!=NULL)
+		{
+		OPENSSL_cleanse(powerbuf,powerbufLen);
+		OPENSSL_free(powerbufFree);
+		}
+ 	if (am!=NULL) BN_clear(am);
+ 	if (computeTemp!=NULL) BN_clear(computeTemp);
+	BN_CTX_end(ctx);
+	return(ret);
+	}
+
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 	{
@@ -517,6 +743,13 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
 		(BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_MONT_WORD,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bn_check_top(p);
 	bn_check_top(m);
 
@@ -644,6 +877,13 @@ int BN_mod_exp_simple(BIGNUM *r,
 	BIGNUM *d;
 	BIGNUM val[TABLE_SIZE];
 
+	if (BN_get_flags(p, BN_FLG_EXP_CONSTTIME) != 0)
+		{
+		/* BN_FLG_EXP_CONSTTIME only supported by BN_mod_exp_mont() */
+		BNerr(BN_F_BN_MOD_EXP_SIMPLE,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		return -1;
+		}
+
 	bits=BN_num_bits(p);
 
 	if (bits == 0)
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 253e195e23..a84998f2bd 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -177,6 +177,45 @@ struct bignum_ctx
 
 
 
+/* BN_mod_exp_mont_conttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH	( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK	(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). 
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 937 ? 6 : \
+		 (b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+#  define BN_window_bits_for_ctime_exponent_size(b) \
+		((b) > 306 ? 5 : \
+		 (b) >  89 ? 4 : \
+		 (b) >  22 ? 3 : 1)
+#  define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE	(5)
+
+#endif
+
+
 /* Pentium pro 16,16,16,32,64 */
 /* Alpha       16,16,16,16.64 */
 #define BN_MULL_SIZE_NORMAL			(16) /* 32 */
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index b79b1b60da..3572e5a690 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -347,3 +347,23 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
 	return(to);
 	}
 
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
+					const BIGNUM *mod, BN_CTX *ctx)
+	{
+	if (*pmont)
+		return *pmont;
+	CRYPTO_w_lock(lock);
+	if (!*pmont)
+		{
+		*pmont = BN_MONT_CTX_new();
+		if (*pmont && !BN_MONT_CTX_set(*pmont, mod, ctx))
+			{
+			BN_MONT_CTX_free(*pmont);
+			*pmont = NULL;
+			}
+		}
+	CRYPTO_w_unlock(lock);
+	return *pmont;
+	}
+		
+
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index 79d813d85e..792a75ff4f 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -86,6 +86,7 @@ int test_mont(BIO *bp,BN_CTX *ctx);
 int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
+int test_mod_exp_mont_consttime(BIO *bp,BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
 int test_kron(BIO *bp,BN_CTX *ctx);
 int test_sqrt(BIO *bp,BN_CTX *ctx);
@@ -213,6 +214,10 @@ int main(int argc, char *argv[])
 	if (!test_mod_exp(out,ctx)) goto err;
 	BIO_flush(out);
 
+	message(out,"BN_mod_exp_mont_consttime");
+	if (!test_mod_exp_mont_consttime(out,ctx)) goto err;
+	BIO_flush(out);
+
 	message(out,"BN_exp");
 	if (!test_exp(out,ctx)) goto err;
 	BIO_flush(out);
@@ -813,6 +818,57 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
 	return(1);
 	}
 
+int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
+	{
+	BIGNUM *a,*b,*c,*d,*e;
+	int i;
+
+	a=BN_new();
+	b=BN_new();
+	c=BN_new();
+	d=BN_new();
+	e=BN_new();
+
+	BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */
+	for (i=0; i<num2; i++)
+		{
+		BN_bntest_rand(a,20+i*5,0,0); /**/
+		BN_bntest_rand(b,2+i,0,0); /**/
+
+		if (!BN_mod_exp_mont_consttime(d,a,b,c,ctx,NULL))
+			return(00);
+
+		if (bp != NULL)
+			{
+			if (!results)
+				{
+				BN_print(bp,a);
+				BIO_puts(bp," ^ ");
+				BN_print(bp,b);
+				BIO_puts(bp," % ");
+				BN_print(bp,c);
+				BIO_puts(bp," - ");
+				}
+			BN_print(bp,d);
+			BIO_puts(bp,"\n");
+			}
+		BN_exp(e,a,b,ctx);
+		BN_sub(e,e,d);
+		BN_div(a,b,e,c,ctx);
+		if(!BN_is_zero(b))
+		    {
+		    fprintf(stderr,"Modulo exponentiation test failed!\n");
+		    return 0;
+		    }
+		}
+	BN_free(a);
+	BN_free(b);
+	BN_free(c);
+	BN_free(d);
+	BN_free(e);
+	return(1);
+	}
+
 int test_exp(BIO *bp, BN_CTX *ctx)
 	{
 	BIGNUM *a,*b,*d,*e,*one;
diff --git a/src/lib/libcrypto/bn/expspeed.c b/src/lib/libcrypto/bn/expspeed.c
index 07a1bcf51c..4d5f221f33 100644
--- a/src/lib/libcrypto/bn/expspeed.c
+++ b/src/lib/libcrypto/bn/expspeed.c
@@ -321,7 +321,7 @@ void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
 #else /* TEST_SQRT */
 			"2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
 #endif
-			" -> %8.3fms %5.1f (%ld)\n",
+			" -> %8.6fms %5.1f (%ld)\n",
 #ifdef TEST_SQRT
 			P_MOD_64,
 #endif
diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c
index b09cf88705..28aaac2ac1 100644
--- a/src/lib/libcrypto/bn/exptest.c
+++ b/src/lib/libcrypto/bn/exptest.c
@@ -77,7 +77,7 @@ int main(int argc, char *argv[])
 	BIO *out=NULL;
 	int i,ret;
 	unsigned char c;
-	BIGNUM *r_mont,*r_recp,*r_simple,*a,*b,*m;
+	BIGNUM *r_mont,*r_mont_const,*r_recp,*r_simple,*a,*b,*m;
 
 	RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't
 	                                       * even check its return value
@@ -88,6 +88,7 @@ int main(int argc, char *argv[])
 	ctx=BN_CTX_new();
 	if (ctx == NULL) EXIT(1);
 	r_mont=BN_new();
+	r_mont_const=BN_new();
 	r_recp=BN_new();
 	r_simple=BN_new();
 	a=BN_new();
@@ -143,8 +144,17 @@ int main(int argc, char *argv[])
 			EXIT(1);
 			}
 
+		ret=BN_mod_exp_mont_consttime(r_mont_const,a,b,m,ctx,NULL);
+		if (ret <= 0)
+			{
+			printf("BN_mod_exp_mont_consttime() problems\n");
+			ERR_print_errors(out);
+			EXIT(1);
+			}
+
 		if (BN_cmp(r_simple, r_mont) == 0
-		    && BN_cmp(r_simple,r_recp) == 0)
+		    && BN_cmp(r_simple,r_recp) == 0
+			&& BN_cmp(r_simple,r_mont_const) == 0)
 			{
 			printf(".");
 			fflush(stdout);
@@ -153,6 +163,8 @@ int main(int argc, char *argv[])
 		  	{
 			if (BN_cmp(r_simple,r_mont) != 0)
 				printf("\nsimple and mont results differ\n");
+			if (BN_cmp(r_simple,r_mont) != 0)
+				printf("\nsimple and mont const time results differ\n");
 			if (BN_cmp(r_simple,r_recp) != 0)
 				printf("\nsimple and recp results differ\n");
 
@@ -162,11 +174,13 @@ int main(int argc, char *argv[])
 			printf("\nsimple   =");	BN_print(out,r_simple);
 			printf("\nrecp     =");	BN_print(out,r_recp);
 			printf("\nmont     ="); BN_print(out,r_mont);
+			printf("\nmont_ct  ="); BN_print(out,r_mont_const);
 			printf("\n");
 			EXIT(1);
 			}
 		}
 	BN_free(r_mont);
+	BN_free(r_mont_const);
 	BN_free(r_recp);
 	BN_free(r_simple);
 	BN_free(a);
-- 
cgit v1.2.3-55-g6feb