The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows for error checking, doesn't assert(), and has fewer assumptions on the input.
This eliminates the last use of the latter in our tree. With the next major libcrypto bump, we could replace BN_consttime_swap() with the new version. In the meantime let's just avoid using it. This adds a second reacharound from ec/ to bn/ but that is hopefully only temporary. Index: ec/ec2_mult.c =================================================================== RCS file: /var/cvs/src/lib/libcrypto/ec/ec2_mult.c,v retrieving revision 1.10 diff -u -p -r1.10 ec2_mult.c --- ec/ec2_mult.c 10 Jul 2018 22:06:14 -0000 1.10 +++ ec/ec2_mult.c 14 Jul 2018 12:34:47 -0000 @@ -71,6 +71,7 @@ #include <openssl/err.h> +#include "bn_lcl.h" #include "ec_lcl.h" #ifndef OPENSSL_NO_EC2M @@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const for (; i >= 0; i--) { word = scalar->d[i]; while (mask) { - BN_consttime_swap(word & mask, x1, x2, group->field.top); - BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) + goto err; + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) + goto err; if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - BN_consttime_swap(word & mask, x1, x2, group->field.top); - BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) + goto err; + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) + goto err; mask >>= 1; } mask = BN_TBIT;
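Review bot: the new `#include "bn_lcl.h"` in the first hunk pulls a libcrypto-internal header into ec/ with nothing at the include site saying why; since the commit message calls this reacharound temporary, put a one-line comment next to the include stating that it exists only for BN_swap_ct() and is to go away once BN_consttime_swap() gains the same error-returning behaviour at the next major bump, so the dependency is not silently kept.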
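Review bot: in the ladder hunk the condition handed to BN_swap_ct() is `word & mask`, a single set bit that can be the top bit of the word (the context resets `mask = BN_TBIT`), not a 0/1 value; the replacement preserves behaviour only if BN_swap_ct() maps every nonzero condition to an all-ones mask the way BN_consttime_swap() did, and that contract should be spelled out at the declaration in bn_lcl.h. The four new `if (!BN_swap_ct(...)) goto err;` checks also add a branch on the return value inside the loop whose whole point is to be constant-time; that is acceptable only while the return value depends on the public operand sizes (group->field.top against the tops of x1, x2, z1 and z2) and never on the condition, which deserves a comment at the first call so a later change to BN_swap_ct() does not quietly break the ladder.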
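The kind of swap the commit message describes, as an added example that is not LibreSSL's code and not the actual BN_swap_ct(): a conditional exchange over fixed-width word arrays that runs the same instructions whatever the condition, normalizes any nonzero condition (including a lone top bit such as the ladder's `word & BN_TBIT`) to a full mask without branching on it, and reports a word count that does not cover both operands as an error return instead of an assert(). The `struct num`, MAX_WORDS, the function names and the sample operands are assumptions made for this example.

```c
/*
 * Added example, not LibreSSL code: constant-time conditional swap with an
 * error return instead of assert(). struct num, MAX_WORDS and all names are
 * assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_WORDS 8		/* assumed fixed capacity per number */

typedef uint64_t word_t;

struct num {
	word_t d[MAX_WORDS];	/* little-endian words, like BIGNUM->d */
	size_t top;		/* words in use, like BIGNUM->top */
};

/*
 * Map any nonzero condition to all ones and zero to zero with no
 * data-dependent branch: for nonzero x, either x or -x has its top bit
 * set, so a single-bit condition such as "word & mask" works too.
 */
static word_t ct_mask(word_t condition)
{
	word_t msb = (condition | ((word_t)0 - condition)) >>
	    (sizeof(word_t) * 8 - 1);

	return (word_t)0 - msb;
}

/*
 * Conditionally exchange a and b over their first nwords words. Returns 1
 * on success; returns 0 with both operands untouched when nwords exceeds
 * the capacity or does not cover both operands (nothing is asserted).
 * The exchange itself does not branch on condition.
 */
static int num_swap_ct(word_t condition, struct num *a, struct num *b,
    size_t nwords)
{
	word_t mask, t;
	size_t i;

	if (a == NULL || b == NULL || nwords > MAX_WORDS)
		return 0;
	if (nwords < a->top || nwords < b->top)
		return 0;	/* would leave words in use unswapped */

	mask = ct_mask(condition);
	for (i = 0; i < nwords; i++) {
		t = (a->d[i] ^ b->d[i]) & mask;
		a->d[i] ^= t;
		b->d[i] ^= t;
	}
	/* keep each operand's word count consistent with its words */
	t = ((word_t)a->top ^ (word_t)b->top) & mask;
	a->top ^= (size_t)t;
	b->top ^= (size_t)t;
	return 1;
}

static void num_set(struct num *n, word_t lo, word_t hi)
{
	memset(n, 0, sizeof(*n));
	n->d[0] = lo;
	n->d[1] = hi;
	n->top = hi != 0 ? 2 : (lo != 0 ? 1 : 0);
}

static int num_eq(const struct num *a, const struct num *b)
{
	return a->top == b->top && memcmp(a->d, b->d, sizeof(a->d)) == 0;
}

/*
 * Run one swap on constructed sample operands (a uses 2 words, b uses 1)
 * and classify the outcome: 1 exchanged, 0 left alone, -1 refused with
 * both operands untouched, -2 corrupted (must never happen).
 */
int swap_outcome(word_t condition, size_t nwords)
{
	struct num a, b, a0, b0;

	num_set(&a, 0x1111, 0x2222);	/* constructed sample */
	num_set(&b, 0xaaaa, 0);		/* constructed sample */
	a0 = a;
	b0 = b;

	if (!num_swap_ct(condition, &a, &b, nwords))
		return (num_eq(&a, &a0) && num_eq(&b, &b0)) ? -1 : -2;
	if (num_eq(&a, &b0) && num_eq(&b, &a0))
		return 1;
	if (num_eq(&a, &a0) && num_eq(&b, &b0))
		return 0;
	return -2;
}
```

Calling swap_outcome() with condition 0, 1, the top bit alone, or the top bit plus a low bit shows the normalization (only 0 leaves the operands alone), while a nwords of 1 against a two-word operand is refused with both operands intact, which is the behaviour an assert() would otherwise have turned into an abort.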