The new BN_swap_ct() API is an improved version of the public
BN_consttime_swap() function: it allows for error checking, doesn't
assert() and makes fewer assumptions about its input.

This eliminates the last use of the latter in our tree. With the next
major libcrypto bump, we could replace BN_consttime_swap() with the new
version. In the meantime let's just avoid using it.

This adds a second reacharound from ec/ to bn/ but that is hopefully
only temporary.

Index: ec/ec2_mult.c
===================================================================
RCS file: /var/cvs/src/lib/libcrypto/ec/ec2_mult.c,v
retrieving revision 1.10
diff -u -p -r1.10 ec2_mult.c
--- ec/ec2_mult.c       10 Jul 2018 22:06:14 -0000      1.10
+++ ec/ec2_mult.c       14 Jul 2018 12:34:47 -0000
@@ -71,6 +71,7 @@
 
 #include <openssl/err.h>
 
+#include "bn_lcl.h"
 #include "ec_lcl.h"
 
 #ifndef OPENSSL_NO_EC2M
@@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const 
        for (; i >= 0; i--) {
                word = scalar->d[i];
                while (mask) {
-                       BN_consttime_swap(word & mask, x1, x2, 
group->field.top);
-                       BN_consttime_swap(word & mask, z1, z2, 
group->field.top);
+                       if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+                               goto err;
+                       if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+                               goto err;
                        if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
                                goto err;
                        if (!gf2m_Mdouble(group, x1, z1, ctx))
                                goto err;
-                       BN_consttime_swap(word & mask, x1, x2, 
group->field.top);
-                       BN_consttime_swap(word & mask, z1, z2, 
group->field.top);
+                       if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+                               goto err;
+                       if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+                               goto err;
                        mask >>= 1;
                }
                mask = BN_TBIT;
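Review bot: The four new `if (!BN_swap_ct(...)) goto err;` branches sit inside the Montgomery ladder, so their outcome must be independent of the swap condition `word & mask` — if BN_swap_ct() could fail depending on the condition bit rather than only on operand sizes (e.g. `group->field.top` exceeding a `dmax`/`top`), the early exit would leak scalar bits through timing, which is exactly what the constant-time swap exists to prevent. BN_swap_ct() is not visible in this diff, so this is a property to confirm in bn/ rather than a defect I can point to here. I would pin the assumption at the first call with a comment such as `/* BN_swap_ct() fails only on operand size mismatch, never on the condition, so this branch does not depend on scalar bits. */`. Note also that ec_GF2m_montgomery_point_multiply() and its `err:` label lie outside the hunk, so whatever cleanup and return value that label provides is not reviewed here.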
