make BN_FLG_CONSTTIME semantics more fool-proof

CHANGES

@@ -493,9 +493,9 @@
      BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
      respectively, which are slower, but avoid the security-relevant
      conditional branches.  These are automatically called by BN_div()
-     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for the
-     modulus.  Also, BN_is_bit_set() has been changed to remove a
-     conditional branch.
+     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
+     of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
+     remove a conditional branch.
 
      BN_FLG_CONSTTIME is the new name for the previous
      BN_FLG_EXP_CONSTTIME flag, since it now affects more than just

crypto/bn/bn_div.c

@@ -185,7 +185,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 	BN_ULONG d0,d1;
 	int num_n,div_n;
 
-	if (BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
+	if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
 		{
 		return BN_div_no_branch(dv, rm, num, divisor, ctx);
 		}

crypto/bn/bn_gcd.c

@@ -210,7 +210,7 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
 	BIGNUM *ret=NULL;
 	int sign;
 
-	if (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)
+	if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0))
 		{
 		return BN_mod_inverse_no_branch(in, a, n, ctx);
 		}