looks good to me. ok inoguchi@
On Sat, Jul 14, 2018 at 02:46:17PM +0200, Theo Buehler wrote: > The new BN_swap_ct() API is an improved version of the public > BN_consttime_swap() function: it allows for error checking doesn't > assert() and has fewer assumptions on the input. > > This eliminates the last use of the latter in our tree. With the next > major libcrypto bump, we could replace BN_consttime_swap() with the new > version. In the meantime let's just avoid using it. > > This adds a second reacharound from ec/ to bn/ but that is hopefully > only temporary. > > Index: ec/ec2_mult.c > =================================================================== > RCS file: /var/cvs/src/lib/libcrypto/ec/ec2_mult.c,v > retrieving revision 1.10 > diff -u -p -r1.10 ec2_mult.c > --- ec/ec2_mult.c 10 Jul 2018 22:06:14 -0000 1.10 > +++ ec/ec2_mult.c 14 Jul 2018 12:34:47 -0000 > @@ -71,6 +71,7 @@ > > #include <openssl/err.h> > > +#include "bn_lcl.h" > #include "ec_lcl.h" > > #ifndef OPENSSL_NO_EC2M > @@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const > for (; i >= 0; i--) { > word = scalar->d[i]; > while (mask) { > - BN_consttime_swap(word & mask, x1, x2, > group->field.top); > - BN_consttime_swap(word & mask, z1, z2, > group->field.top); > + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) > + goto err; > + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) > + goto err; > if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) > goto err; > if (!gf2m_Mdouble(group, x1, z1, ctx)) > goto err; > - BN_consttime_swap(word & mask, x1, x2, > group->field.top); > - BN_consttime_swap(word & mask, z1, z2, > group->field.top); > + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) > + goto err; > + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) > + goto err; > mask >>= 1; > } > mask = BN_TBIT; >
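Review bot: the `#include "bn_lcl.h"` added at the top of ec2_mult.c is the second ec/ to bn/ reacharound the cover text calls temporary; a one-line comment beside the include saying it exists only until BN_swap_ct() replaces BN_consttime_swap() at the next major bump would make it obvious which include to drop when that happens.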
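Review bot: in the ladder loop of ec_GF2m_montgomery_point_multiply(), the four BN_swap_ct() calls now sit behind `if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) goto err;`, so the new function's failure conditions must depend only on the operands (their size relative to group->field.top) and never on the condition argument, otherwise the early exit turns the scalar bit into a visible branch; the condition passed is also a single bit that can be as large as BN_TBIT rather than 0 or 1, as these call sites already relied on with BN_consttime_swap(), so BN_swap_ct() needs to normalise any nonzero value. Since the loop can now bail out mid-ladder, also confirm that the err: path outside this hunk releases x1, x2, z1 and z2 correctly.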