Use BN_swap_ct() instead of BN_consttime_swap() in

ec_GF2m_montgomery_point_multiply().  The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.

ok inoguchi, jsing

diff --git a/lib/libcrypto/ec/ec2_mult.c b/lib/libcrypto/ec/ec2_mult.c
index b4f771b..3e5d1dc 100644 (file)
--- a/lib/libcrypto/ec/ec2_mult.c
+++ b/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.12 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -71,6 +71,7 @@
 
 #include <openssl/err.h>
 
+#include "bn_lcl.h"
 #include "ec_lcl.h"
 
 #ifndef OPENSSL_NO_EC2M
@@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
        for (; i >= 0; i--) {
                word = scalar->d[i];
                while (mask) {
-                       BN_consttime_swap(word & mask, x1, x2, group->field.top);
-                       BN_consttime_swap(word & mask, z1, z2, group->field.top);
+                       if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+                               goto err;
+                       if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+                               goto err;
                        if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
                                goto err;
                        if (!gf2m_Mdouble(group, x1, z1, ctx))
                                goto err;
-                       BN_consttime_swap(word & mask, x1, x2, group->field.top);
-                       BN_consttime_swap(word & mask, z1, z2, group->field.top);
+                       if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+                               goto err;
+                       if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+                               goto err;
                        mask >>= 1;
                }
                mask = BN_TBIT;