authorBob Beck <beck@cvs.openbsd.org>2017-01-21 09:39:00 +0000
committerBob Beck <beck@cvs.openbsd.org>2017-01-21 09:39:00 +0000
commitd72a49db2abb4d0175558c0ed9cfe32bb823e995 (patch)
treed84c050de13e09525d074865e8758d44957eb961 /regress/lib
parent2d1075983628703aac703b8864e75f366bf69b2b (diff)
Make explicit _ct and _nonct versions of bn_mod_exp functions that
matter for constant time, and make the public interface only used external to the library. This moves us to a model where the important things are constant time versions unless you ask for them not to be, rather than the opposite. I'll continue with this method by method. Add regress tests for same. ok jsing@
Diffstat (limited to 'regress/lib')
-rw-r--r--regress/lib/libcrypto/bn/general/Makefile4
-rw-r--r--regress/lib/libcrypto/bn/general/bntest.c81
-rw-r--r--regress/lib/libcrypto/bn/mont/Makefile4
-rw-r--r--regress/lib/libcrypto/exp/Makefile6
-rw-r--r--regress/lib/libcrypto/exp/exptest.c56
5 files changed, 143 insertions, 8 deletions
diff --git a/regress/lib/libcrypto/bn/general/Makefile b/regress/lib/libcrypto/bn/general/Makefile
index 18207ffb01f..d578d0fe120 100644
--- a/regress/lib/libcrypto/bn/general/Makefile
+++ b/regress/lib/libcrypto/bn/general/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2016/12/21 15:51:05 jsing Exp $
+# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
.include "../../Makefile.inc"
@@ -6,6 +6,6 @@ PROG= bntest
LDADD= ${CRYPTO_INT}
DPADD= ${LIBCRYPTO}
WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
+CFLAGS+= -Werror
.include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/bn/general/bntest.c b/regress/lib/libcrypto/bn/general/bntest.c
index 0247dacaa49..7e5e6ed81b9 100644
--- a/regress/lib/libcrypto/bn/general/bntest.c
+++ b/regress/lib/libcrypto/bn/general/bntest.c
@@ -84,6 +84,15 @@
#include <openssl/x509.h>
#include <openssl/err.h>
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
const int num0 = 100; /* number of tests */
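Review bot: The four prototypes added at the top of bntest.c are hand-copied rather than pulled in from a header, and the same block is repeated in the exptest.c hunk at `@@ -64,6 +64,15 @@`. Because the definitions live in another translation unit, the compiler cannot check these declarations against them, so a later signature change in the library would still build and link and only misbehave at run time. If the regress build can reach the library's internal header, including it is the safer option; otherwise a comment such as `/* must match the internal declarations in libcrypto */` above the block would at least flag the coupling. The two mont variants are declared here but are not called in any bntest.c hunk visible on this page.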
@@ -1037,6 +1046,14 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
return (0);
}
+ if (BN_mod_exp_ct(d, a, b, c, ctx)) {
+ fprintf(stderr, "BN_mod_exp_ct with zero modulus succeeded!\n");
+ return (0);
+ }
+ if (BN_mod_exp_nonct(d, a, b, c, ctx)) {
+ fprintf(stderr, "BN_mod_exp_nonct with zero modulus succeeded!\n");
+ return (0);
+ }
BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
for (i = 0; i < num2; i++) {
@@ -1069,6 +1086,70 @@ test_mod_exp(BIO *bp, BN_CTX *ctx)
break;
}
}
+
+ BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+ for (i = 0; i < num2; i++) {
+ BN_bntest_rand(a, 20 + i * 5, 0, 0);
+ BN_bntest_rand(b, 2 + i, 0, 0);
+
+ if (!BN_mod_exp_ct(d, a, b, c, ctx)) {
+ rc = 0;
+ break;
+ }
+
+ if (bp != NULL) {
+ if (!results) {
+ BN_print(bp, a);
+ BIO_puts(bp, " ^ ");
+ BN_print(bp, b);
+ BIO_puts(bp, " % ");
+ BN_print(bp, c);
+ BIO_puts(bp, " - ");
+ }
+ BN_print(bp, d);
+ BIO_puts(bp, "\n");
+ }
+ BN_exp(e, a, b, ctx);
+ BN_sub(e, e, d);
+ BN_div(a, b, e, c, ctx);
+ if (!BN_is_zero(b)) {
+ fprintf(stderr, "Modulo exponentiation test failed!\n");
+ rc = 0;
+ break;
+ }
+ }
+
+ BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
+ for (i = 0; i < num2; i++) {
+ BN_bntest_rand(a, 20 + i * 5, 0, 0);
+ BN_bntest_rand(b, 2 + i, 0, 0);
+
+ if (!BN_mod_exp_nonct(d, a, b, c, ctx)) {
+ rc = 0;
+ break;
+ }
+
+ if (bp != NULL) {
+ if (!results) {
+ BN_print(bp, a);
+ BIO_puts(bp, " ^ ");
+ BN_print(bp, b);
+ BIO_puts(bp, " % ");
+ BN_print(bp, c);
+ BIO_puts(bp, " - ");
+ }
+ BN_print(bp, d);
+ BIO_puts(bp, "\n");
+ }
+ BN_exp(e, a, b, ctx);
+ BN_sub(e, e, d);
+ BN_div(a, b, e, c, ctx);
+ if (!BN_is_zero(b)) {
+ fprintf(stderr, "Modulo exponentiation test failed!\n");
+ rc = 0;
+ break;
+ }
+ }
BN_free(a);
BN_free(b);
BN_free(c);
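Review bot: Both added loops report a wrong result with the identical text `"Modulo exponentiation test failed!\n"`, so a failing run does not say whether the constant-time or the non-constant-time path produced the bad value; name the function instead, e.g. `fprintf(stderr, "BN_mod_exp_ct test failed!\n");` and the `_nonct` equivalent. When `BN_mod_exp_ct()` or `BN_mod_exp_nonct()` itself returns 0, the loop sets `rc = 0` and breaks without printing anything. The reference computation also ignores the return values of `BN_exp`, `BN_sub` and `BN_div`, so a failure there is judged against stale or partial values; `if (!BN_exp(e, a, b, ctx) || !BN_sub(e, e, d) || !BN_div(a, b, e, c, ctx)) { rc = 0; break; }` would close that gap. These loops check result correctness only and say nothing about timing behaviour, which is worth a comment given the purpose of the split. test_mod_exp starts and ends outside the hunk.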
diff --git a/regress/lib/libcrypto/bn/mont/Makefile b/regress/lib/libcrypto/bn/mont/Makefile
index eda36001a37..55c48220d44 100644
--- a/regress/lib/libcrypto/bn/mont/Makefile
+++ b/regress/lib/libcrypto/bn/mont/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.2 2014/07/08 15:53:52 jsing Exp $
+# $OpenBSD: Makefile,v 1.3 2017/01/21 09:38:58 beck Exp $
PROG= mont
LDADD= -lcrypto
DPADD= ${LIBCRYPTO}
WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
+CFLAGS+= -Werror
.include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/exp/Makefile b/regress/lib/libcrypto/exp/Makefile
index 39142014315..890b38e9fe9 100644
--- a/regress/lib/libcrypto/exp/Makefile
+++ b/regress/lib/libcrypto/exp/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.3 2014/07/08 15:53:52 jsing Exp $
+# $OpenBSD: Makefile,v 1.4 2017/01/21 09:38:58 beck Exp $
PROG= exptest
-LDADD= -lcrypto
+LDADD= ${CRYPTO_INT}
DPADD= ${LIBCRYPTO}
WARNINGS= Yes
-CFLAGS+= -DLIBRESSL_INTERNAL -Werror
+CFLAGS+= -Werror
.include <bsd.regress.mk>
diff --git a/regress/lib/libcrypto/exp/exptest.c b/regress/lib/libcrypto/exp/exptest.c
index 45ca5ac5f57..375628cb251 100644
--- a/regress/lib/libcrypto/exp/exptest.c
+++ b/regress/lib/libcrypto/exp/exptest.c
@@ -64,6 +64,15 @@
#include <openssl/bn.h>
#include <openssl/err.h>
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
#define NUM_BITS (BN_BITS*2)
/*
@@ -116,6 +125,18 @@ static int test_exp_mod_zero(void)
if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
failed = 1;
+ if (!BN_mod_exp_ct(&r, &a, &p, &m, ctx))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_ct", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_nonct(&r, &a, &p, &m, ctx))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_nonct", &r, &a))
+ failed = 1;
+
if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
goto err;
@@ -134,6 +155,18 @@ static int test_exp_mod_zero(void)
if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
failed = 1;
+ if (!BN_mod_exp_mont_ct(&r, &a, &p, &m, ctx, NULL))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_mont_ct", &r, &a))
+ failed = 1;
+
+ if (!BN_mod_exp_mont_nonct(&r, &a, &p, &m, ctx, NULL))
+ goto err;
+
+ if (!a_is_zero_mod_one("BN_mod_exp_mont_nonct", &r, &a))
+ failed = 1;
+
if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
goto err;
}
@@ -175,7 +208,8 @@ int main(int argc, char *argv[])
BIO *out = NULL;
int i, ret;
unsigned char c;
- BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple, *a, *b, *m;
+ BIGNUM *r_mont, *r_mont_const, *r_recp, *r_simple,
+ *r_mont_ct, *r_mont_nonct, *a, *b, *m;
ERR_load_BN_strings();
@@ -184,6 +218,8 @@ int main(int argc, char *argv[])
exit(1);
r_mont = BN_new();
r_mont_const = BN_new();
+ r_mont_ct = BN_new();
+ r_mont_nonct = BN_new();
r_recp = BN_new();
r_simple = BN_new();
a = BN_new();
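Review bot: `r_mont_ct` and `r_mont_nonct` are allocated here, but no hunk visible on this page adds them to a NULL check or to the cleanup at the end of main(), both of which would sit outside this hunk. If the existing code checks the other `BN_new()` results and frees them before exit, the two new BIGNUMs should be added in both places, e.g. `BN_free(r_mont_ct);` and `BN_free(r_mont_nonct);`.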
@@ -221,6 +257,20 @@ int main(int argc, char *argv[])
exit(1);
}
+ ret = BN_mod_exp_mont_ct(r_mont_ct, a, b, m, ctx, NULL);
+ if (ret <= 0) {
+ printf("BN_mod_exp_mont_ct() problems\n");
+ ERR_print_errors(out);
+ exit(1);
+ }
+
+ ret = BN_mod_exp_mont_nonct(r_mont_nonct, a, b, m, ctx, NULL);
+ if (ret <= 0) {
+ printf("BN_mod_exp_mont_nonct() problems\n");
+ ERR_print_errors(out);
+ exit(1);
+ }
+
ret = BN_mod_exp_recp(r_recp, a, b, m, ctx);
if (ret <= 0) {
printf("BN_mod_exp_recp() problems\n");
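Review bot: The results stored in `r_mont_ct` and `r_mont_nonct` here are later compared only by the two added `BN_cmp` diagnostics in the `@@ -254,6 +304,10 @@` hunk, which print a "results differ" line next to the existing messages. The condition that decides whether that diagnostic block runs, and whether the test exits non-zero, lies outside every hunk shown, so it appears to be unchanged; if it still compares only the pre-existing results, a wrong value from one of the new functions alone would pass silently. Consider adding `BN_cmp(r_mont, r_mont_ct) != 0 || BN_cmp(r_mont_ct, r_mont_nonct) != 0` to that condition. main() starts and ends outside the hunk.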
@@ -254,6 +304,10 @@ int main(int argc, char *argv[])
printf("\nsimple and mont const time results differ\n");
if (BN_cmp(r_simple, r_recp) != 0)
printf("\nsimple and recp results differ\n");
+ if (BN_cmp(r_mont, r_mont_ct) != 0)
+ printf("\nmont_ct and mont results differ\n");
+ if (BN_cmp(r_mont_ct, r_mont_nonct) != 0)
+ printf("\nmont_ct and mont_nonct results differ\n");
printf("a (%3d) = ", BN_num_bits(a));
BN_print(out, a);