Remove flags for disabling constant-time operations.

This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME,
and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally
constant-time.

Based on the original patch by César Pereid.  ok beck@

8 files changed, 87 insertions, 177 deletions

diff --git a/lib/libssl/src/crypto/dh/dh.h b/lib/libssl/src/crypto/dh/dh.h
index a20467c9d00..631cd5c6859 100644
--- a/lib/libssl/src/crypto/dh/dh.h
+++ b/lib/libssl/src/crypto/dh/dh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.16 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: dh.h,v 1.17 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -78,13 +78,6 @@
 #endif
 
 #define DH_FLAG_CACHE_MONT_P     0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
-                                       * implementation now uses constant time
-                                       * modular exponentiation for secret exponents
-                                       * by default. This flag causes the
-                                       * faster variable sliding window method to
-                                       * be used for all exponents.
-                                       */
 
 /* If this flag is set the DH method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
diff --git a/lib/libssl/src/crypto/dh/dh_key.c b/lib/libssl/src/crypto/dh/dh_key.c
index 31bc7b3dfd5..25e8968ef59 100644
--- a/lib/libssl/src/crypto/dh/dh_key.c
+++ b/lib/libssl/src/crypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.23 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: dh_key.c,v 1.24 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -147,21 +147,16 @@ generate_key(DH *dh)
 	}
 
 	{
-		BIGNUM local_prk;
-		BIGNUM *prk;
+		BIGNUM prk;
 
-		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-			BN_init(&local_prk);
-			prk = &local_prk;
-			BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
-		} else
-			prk = priv_key;
+		BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
 
-		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, prk, dh->p, ctx,
-		    mont))
+		if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx,
+		    mont)) {
 			goto err;
+		}
 	}
-		
+
 	dh->pub_key = pub_key;
 	dh->priv_key = priv_key;
 	ok = 1;
@@ -206,10 +201,9 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 	if (dh->flags & DH_FLAG_CACHE_MONT_P) {
 		mont = BN_MONT_CTX_set_locked(&dh->method_mont_p,
 		    CRYPTO_LOCK_DH, dh->p, ctx);
-		if ((dh->flags & DH_FLAG_NO_EXP_CONSTTIME) == 0) {
-			/* XXX */
-			BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
-		}
+
+		BN_set_flags(dh->priv_key, BN_FLG_CONSTTIME);
+
 		if (!mont)
 			goto err;
 	}
@@ -238,16 +232,7 @@ static int
 dh_bn_mod_exp(const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
 {
-	/*
-	 * If a is only one word long and constant time is false, use the faster
-	 * exponenentiation function.
-	 */
-	if (a->top == 1 && (dh->flags & DH_FLAG_NO_EXP_CONSTTIME) != 0) {
-		BN_ULONG A = a->d[0];
-
-		return BN_mod_exp_mont_word(r, A, p, m, ctx, m_ctx);
-	} else
-		return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
+	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }
 
 static int
diff --git a/lib/libssl/src/crypto/dsa/dsa.h b/lib/libssl/src/crypto/dsa/dsa.h
index f7f81cfa948..b4d7c1ff0f7 100644
--- a/lib/libssl/src/crypto/dsa/dsa.h
+++ b/lib/libssl/src/crypto/dsa/dsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa.h,v 1.20 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa.h,v 1.21 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -89,9 +89,6 @@
 #endif
 
 #define DSA_FLAG_CACHE_MONT_P	0x01
-#define DSA_FLAG_NO_EXP_CONSTTIME       0x00 /* Does nothing. Previously this switched off 
-                                              * constant time behaviour.
-                                              */
 
 /* If this flag is set the DSA method is FIPS compliant and can be used
  * in FIPS mode. This is set in the validated module method. If an
diff --git a/lib/libssl/src/crypto/dsa/dsa_key.c b/lib/libssl/src/crypto/dsa/dsa_key.c
index 4732c471eda..fc4eb9c4331 100644
--- a/lib/libssl/src/crypto/dsa/dsa_key.c
+++ b/lib/libssl/src/crypto/dsa/dsa_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_key.c,v 1.21 2016/06/21 04:16:53 bcook Exp $ */
+/* $OpenBSD: dsa_key.c,v 1.22 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -104,18 +104,12 @@ dsa_builtin_keygen(DSA *dsa)
 		pub_key=dsa->pub_key;
 	
 	{
-		BIGNUM *prk = BN_new();
+		BIGNUM prk;
 
-		if (prk == NULL)
-			goto err;
-
-		BN_with_flags(prk, priv_key, BN_FLG_CONSTTIME);
+		BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME);
 
-		if (!BN_mod_exp(pub_key, dsa->g, prk, dsa->p, ctx)) {
-			BN_free(prk);
+		if (!BN_mod_exp(pub_key, dsa->g, &prk, dsa->p, ctx))
 			goto err;
-		}
-		BN_free(prk);
 	}
 
 	dsa->priv_key = priv_key;
diff --git a/lib/libssl/src/crypto/rsa/rsa.h b/lib/libssl/src/crypto/rsa/rsa.h
index 4045a6cbf37..d240294809f 100644
--- a/lib/libssl/src/crypto/rsa/rsa.h
+++ b/lib/libssl/src/crypto/rsa/rsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.h,v 1.27 2015/02/14 15:10:39 miod Exp $ */
+/* $OpenBSD: rsa.h,v 1.28 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -194,16 +194,6 @@ struct rsa_st {
  */
 #define RSA_FLAG_NO_BLINDING		0x0080
 
-/*
- * The built-in RSA implementation uses constant time operations by default
- * in private key operations, e.g., constant time modular exponentiation,
- * modular inverse without leaking branches, division without leaking branches.
- * This flag disables these constant time operations and results in faster RSA
- * private key operations.
- */
-#define RSA_FLAG_NO_CONSTTIME		0x0100
-
-
 #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \
 	EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \
 				pad, NULL)
diff --git a/lib/libssl/src/crypto/rsa/rsa_crpt.c b/lib/libssl/src/crypto/rsa/rsa_crpt.c
index 809dd14c928..b50e4a4a6fc 100644
--- a/lib/libssl/src/crypto/rsa/rsa_crpt.c
+++ b/lib/libssl/src/crypto/rsa/rsa_crpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_crpt.c,v 1.14 2015/02/11 03:19:37 doug Exp $ */
+/* $OpenBSD: rsa_crpt.c,v 1.15 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -169,8 +169,8 @@ err:
 BN_BLINDING *
 RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
 {
-	BIGNUM local_n;
-	BIGNUM *e, *n;
+	BIGNUM *e;
+	BIGNUM n;
 	BN_CTX *ctx;
 	BN_BLINDING *ret = NULL;
 
@@ -192,15 +192,11 @@ RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
 	} else
 		e = rsa->e;
 
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		/* Set BN_FLG_CONSTTIME flag */
-		n = &local_n;
-		BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
-	} else
-		n = rsa->n;
+	BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
 
-	ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
+	ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
 	    rsa->_method_mod_n);
+
 	if (ret == NULL) {
 		RSAerr(RSA_F_RSA_SETUP_BLINDING, ERR_R_BN_LIB);
 		goto err;
diff --git a/lib/libssl/src/crypto/rsa/rsa_eay.c b/lib/libssl/src/crypto/rsa/rsa_eay.c
index 76863e7220e..6edfd7e5fdc 100644
--- a/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.40 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.41 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -177,11 +177,13 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
 
 	if ((ctx = BN_CTX_new()) == NULL)
 		goto err;
+
 	BN_CTX_start(ctx);
 	f = BN_CTX_get(ctx);
 	ret = BN_CTX_get(ctx);
 	num = BN_num_bytes(rsa->n);
 	buf = malloc(num);
+
 	if (f == NULL || ret == NULL || buf == NULL) {
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -362,11 +364,13 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
 
 	if ((ctx = BN_CTX_new()) == NULL)
 		goto err;
+
 	BN_CTX_start(ctx);
 	f = BN_CTX_get(ctx);
 	ret = BN_CTX_get(ctx);
 	num = BN_num_bytes(rsa->n);
 	buf = malloc(num);
+
 	if (f == NULL || ret == NULL || buf == NULL) {
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -426,24 +430,19 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
 		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
 			goto err;
 	} else {
-		BIGNUM local_d;
-		BIGNUM *d = NULL;
+		BIGNUM d;
 
-		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-			BN_init(&local_d);
-			d = &local_d;
-			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-		} else
-			d = rsa->d;
+		BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
 			    CRYPTO_LOCK_RSA, rsa->n, ctx))
 				goto err;
 
-		if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
-		    rsa->_method_mod_n))
+		if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+		    rsa->_method_mod_n)) {
 			goto err;
+		}
 	}
 
 	if (blinding)
@@ -499,11 +498,13 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 
 	if ((ctx = BN_CTX_new()) == NULL)
 		goto err;
+
 	BN_CTX_start(ctx);
 	f = BN_CTX_get(ctx);
 	ret = BN_CTX_get(ctx);
 	num = BN_num_bytes(rsa->n);
 	buf = malloc(num);
+
 	if (!f || !ret || !buf) {
 		RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -553,22 +554,19 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 		if (!rsa->meth->rsa_mod_exp(ret, f, rsa, ctx))
 			goto err;
 	} else {
-		BIGNUM local_d;
-		BIGNUM *d = NULL;
+		BIGNUM d;
 
-		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-			d = &local_d;
-			BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-		} else
-			d = rsa->d;
+		BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 		if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n,
 			    CRYPTO_LOCK_RSA, rsa->n, ctx))
 				goto err;
-		if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
-		    rsa->_method_mod_n))
+
+		if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx,
+		    rsa->_method_mod_n)) {
 			goto err;
+		}
 	}
 
 	if (blinding)
@@ -645,11 +643,13 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
 
 	if ((ctx = BN_CTX_new()) == NULL)
 		goto err;
+
 	BN_CTX_start(ctx);
 	f = BN_CTX_get(ctx);
 	ret = BN_CTX_get(ctx);
 	num = BN_num_bytes(rsa->n);
 	buf = malloc(num);
+
 	if (!f || !ret || !buf) {
 		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, ERR_R_MALLOC_FAILURE);
 		goto err;
@@ -723,8 +723,7 @@ static int
 RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 {
 	BIGNUM *r1, *m1, *vrfy;
-	BIGNUM local_dmp1, local_dmq1, local_c, local_r1;
-	BIGNUM *dmp1, *dmq1, *c, *pr1;
+	BIGNUM dmp1, dmq1, c, pr1;
 	int ret = 0;
 
 	BN_CTX_start(ctx);
@@ -737,33 +736,22 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 	}
 
 	{
-		BIGNUM local_p, local_q;
-		BIGNUM *p = NULL, *q = NULL;
+		BIGNUM p, q;
 
 		/*
 		 * Make sure BN_mod_inverse in Montgomery intialization uses the
-		 * BN_FLG_CONSTTIME flag (unless RSA_FLAG_NO_CONSTTIME is set)
+		 * BN_FLG_CONSTTIME flag
 		 */
-		if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-			BN_init(&local_p);
-			p = &local_p;
-			BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-
-			BN_init(&local_q);
-			q = &local_q;
-			BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
-		} else {
-			p = rsa->p;
-			q = rsa->q;
-		}
+		BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+		BN_with_flags(&q, rsa->q, BN_FLG_CONSTTIME);
 
 		if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
 			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p,
-			    CRYPTO_LOCK_RSA, p, ctx))
-				goto err;
-			if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
-			    CRYPTO_LOCK_RSA, q, ctx))
+			     CRYPTO_LOCK_RSA, &p, ctx) ||
+			    !BN_MONT_CTX_set_locked(&rsa->_method_mod_q,
+			     CRYPTO_LOCK_RSA, &q, ctx)) {
 				goto err;
+			}
 		}
 	}
 
@@ -773,49 +761,34 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 			goto err;
 
 	/* compute I mod q */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		c = &local_c;
-		BN_with_flags(c, I, BN_FLG_CONSTTIME);
-		if (!BN_mod(r1, c, rsa->q, ctx))
-			goto err;
-	} else {
-		if (!BN_mod(r1, I, rsa->q, ctx))
-			goto err;
-	}
+	BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+	if (!BN_mod(r1, &c, rsa->q, ctx))
+		goto err;
 
 	/* compute r1^dmq1 mod q */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		dmq1 = &local_dmq1;
-		BN_with_flags(dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
-	} else
-		dmq1 = rsa->dmq1;
-	if (!rsa->meth->bn_mod_exp(m1, r1, dmq1, rsa->q, ctx,
+	BN_with_flags(&dmq1, rsa->dmq1, BN_FLG_CONSTTIME);
+
+	if (!rsa->meth->bn_mod_exp(m1, r1, &dmq1, rsa->q, ctx,
 	    rsa->_method_mod_q))
 		goto err;
 
 	/* compute I mod p */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		c = &local_c;
-		BN_with_flags(c, I, BN_FLG_CONSTTIME);
-		if (!BN_mod(r1, c, rsa->p, ctx))
-			goto err;
-	} else {
-		if (!BN_mod(r1, I, rsa->p, ctx))
-			goto err;
-	}
+	BN_with_flags(&c, I, BN_FLG_CONSTTIME);
+
+	if (!BN_mod(r1, &c, rsa->p, ctx))
+		goto err;
 
 	/* compute r1^dmp1 mod p */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		dmp1 = &local_dmp1;
-		BN_with_flags(dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
-	} else
-		dmp1 = rsa->dmp1;
-	if (!rsa->meth->bn_mod_exp(r0, r1, dmp1, rsa->p, ctx,
+	BN_with_flags(&dmp1, rsa->dmp1, BN_FLG_CONSTTIME);
+
+	if (!rsa->meth->bn_mod_exp(r0, r1, &dmp1, rsa->p, ctx,
 	    rsa->_method_mod_p))
 		goto err;
 
 	if (!BN_sub(r0, r0, m1))
 		goto err;
+
 	/*
 	 * This will help stop the size of r0 increasing, which does
 	 * affect the multiply if it optimised for a power of 2 size
@@ -828,12 +801,9 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 		goto err;
 
 	/* Turn BN_FLG_CONSTTIME flag on before division operation */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		pr1 = &local_r1;
-		BN_with_flags(pr1, r1, BN_FLG_CONSTTIME);
-	} else
-		pr1 = r1;
-	if (!BN_mod(r0, pr1, rsa->p, ctx))
+	BN_with_flags(&pr1, r1, BN_FLG_CONSTTIME);
+
+	if (!BN_mod(r0, &pr1, rsa->p, ctx))
 		goto err;
 
 	/*
@@ -875,18 +845,14 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 			 * miscalculated CRT output, just do a raw (slower)
 			 * mod_exp and return that instead.
 			 */
+			BIGNUM d;
 
-			BIGNUM local_d;
-			BIGNUM *d = NULL;
+			BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
-			if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-				d = &local_d;
-				BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-			} else
-				d = rsa->d;
-			if (!rsa->meth->bn_mod_exp(r0, I, d, rsa->n, ctx,
-			    rsa->_method_mod_n))
+			if (!rsa->meth->bn_mod_exp(r0, I, &d, rsa->n, ctx,
+			    rsa->_method_mod_n)) {
 				goto err;
+			}
 		}
 	}
 	ret = 1;
diff --git a/lib/libssl/src/crypto/rsa/rsa_gen.c b/lib/libssl/src/crypto/rsa/rsa_gen.c
index f6f051c4427..d46f4f2478f 100644
--- a/lib/libssl/src/crypto/rsa/rsa_gen.c
+++ b/lib/libssl/src/crypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.17 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.18 2016/06/30 02:02:06 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -90,8 +90,7 @@ static int
 rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 {
 	BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
-	BIGNUM local_r0, local_d, local_p;
-	BIGNUM *pr0, *d, *p;
+	BIGNUM pr0, d, p;
 	int bitsp, bitsq, ok = -1, n = 0;
 	BN_CTX *ctx = NULL;
 
@@ -193,36 +192,26 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 		goto err;
 	if (!BN_mul(r0, r1, r2, ctx))			/* (p-1)(q-1) */
 		goto err;
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		pr0 = &local_r0;
-		BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-	} else
-		pr0 = r0;
-	if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))	/* d */
+
+	BN_with_flags(&pr0, r0, BN_FLG_CONSTTIME);
+
+	if (!BN_mod_inverse(rsa->d, rsa->e, &pr0, ctx)) /* d */
 		goto err;
 
 	/* set up d for correct BN_FLG_CONSTTIME flag */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		d = &local_d;
-		BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
-	} else
-		d = rsa->d;
+	BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME);
 
 	/* calculate d mod (p-1) */
-	if (!BN_mod(rsa->dmp1, d, r1, ctx))
+	if (!BN_mod(rsa->dmp1, &d, r1, ctx))
 		goto err;
 
 	/* calculate d mod (q-1) */
-	if (!BN_mod(rsa->dmq1, d, r2, ctx))
+	if (!BN_mod(rsa->dmq1, &d, r2, ctx))
 		goto err;
 
 	/* calculate inverse of q mod p */
-	if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
-		p = &local_p;
-		BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
-	} else
-		p = rsa->p;
-	if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+	BN_with_flags(&p, rsa->p, BN_FLG_CONSTTIME);
+	if (!BN_mod_inverse(rsa->iqmp, rsa->q, &p, ctx))
 		goto err;
 
 	ok = 1;