looks good to me.
ok inoguchi@
On Sat, Jul 14, 2018 at 02:46:17PM +0200, Theo Buehler wrote:
> The new BN_swap_ct() API is an improved version of the public
> BN_consttime_swap() function: it allows for error checking, doesn't
> assert() and has fewer assumptions on the input.
>
> This eliminates the last use of the latter in our tree. With the next
> major libcrypto bump, we could replace BN_consttime_swap() with the new
> version. In the meantime let's just avoid using it.
>
> This adds a second reacharound from ec/ to bn/ but that is hopefully
> only temporary.
>
> Index: ec/ec2_mult.c
> ===================================================================
> RCS file: /var/cvs/src/lib/libcrypto/ec/ec2_mult.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 ec2_mult.c
> --- ec/ec2_mult.c 10 Jul 2018 22:06:14 -0000 1.10
> +++ ec/ec2_mult.c 14 Jul 2018 12:34:47 -0000
> @@ -71,6 +71,7 @@
>
> #include <openssl/err.h>
>
> +#include "bn_lcl.h"
> #include "ec_lcl.h"
>
> #ifndef OPENSSL_NO_EC2M
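Review bot: the new `#include "bn_lcl.h"` is the second private bn/ header pulled into ec/, which the cover note itself calls a temporary reacharound; a one-line comment at the include saying it stays only until BN_swap_ct() replaces the public BN_consttime_swap() at the libcrypto bump would keep that intent visible to whoever does the bump.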
> @@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const
> for (; i >= 0; i--) {
> word = scalar->d[i];
> while (mask) {
> - BN_consttime_swap(word & mask, x1, x2,
> group->field.top);
> - BN_consttime_swap(word & mask, z1, z2,
> group->field.top);
> + if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
> + goto err;
> + if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
> + goto err;
> if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
> goto err;
> if (!gf2m_Mdouble(group, x1, z1, ctx))
> goto err;
> - BN_consttime_swap(word & mask, x1, x2,
> group->field.top);
> - BN_consttime_swap(word & mask, z1, z2,
> group->field.top);
> + if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
> + goto err;
> + if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
> + goto err;
> mask >>= 1;
> }
> mask = BN_TBIT;
>
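Review bot: all four call sites pass `word & mask` as the condition, which is zero or a single set bit rather than 0/1, so the hunk relies on BN_swap_ct() normalizing any nonzero condition; the cover note only says the new function has fewer assumptions on its input, so spelling that contract out in a comment at BN_swap_ct() (or at the first call here) would protect these sites from a later tightening. The `goto err` on a failed swap matches the existing handling of the gf2m_Madd()/gf2m_Mdouble() failures just below it.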
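Added example, not libcrypto's BN_swap_ct() and not code from the patch: a constant-time conditional swap over fixed-width limb arrays that reports an undersized buffer with a return value instead of assert(), in the spirit of the API change discussed above. ct_swap_words, limb_t and ct_swap_selftest are names assumed for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
typedef uint64_t limb_t;	/* stand-in for a bignum word (assumption) */
/*
 * Swap a[0..n) and b[0..n) iff cond != 0, with no branch or memory access
 * depending on cond; cond may be any value, e.g. a single bit (word & mask).
 * Returns 0 instead of asserting when n exceeds either buffer, else 1.
 */
static int
ct_swap_words(limb_t cond, limb_t *a, size_t a_len, limb_t *b, size_t b_len,
    size_t n)
{
	limb_t mask, t;
	size_t i;

	if (a == NULL || b == NULL || n > a_len || n > b_len)
		return 0;
	/* Reduce cond to 0/1 without a branch, then widen to 0 or ~0. */
	mask = (cond | ((limb_t)0 - cond)) >> (sizeof(limb_t) * CHAR_BIT - 1);
	mask = (limb_t)0 - mask;
	for (i = 0; i < n; i++) {
		t = (a[i] ^ b[i]) & mask;
		a[i] ^= t;
		b[i] ^= t;
	}
	return 1;
}

/* Exercise no-op swap, a single-bit condition, and an over-long n. */
int
ct_swap_selftest(void)
{
	limb_t a[2] = { 0x1111, 0x2222 }, b[2] = { 0x3333, 0x4444 };

	if (!ct_swap_words(0, a, 2, b, 2, 2) || a[0] != 0x1111 || b[1] != 0x4444)
		return 0;
	if (!ct_swap_words((limb_t)1 << 40, a, 2, b, 2, 2) || a[0] != 0x3333 ||
	    a[1] != 0x4444 || b[0] != 0x1111 || b[1] != 0x2222)
		return 0;
	if (ct_swap_words(1, a, 2, b, 2, 3) != 0)	/* error, not assert() */
		return 0;
	return 1;
}

int
main(void)
{
	return ct_swap_selftest() ? 0 : 1;	/* exit status reports the result */
}
```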