From ae7e2d97c84353dd12935654ec2545fb0211d4eb Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 23 Jul 2018 18:24:22 +0000
Subject: [PATCH] Use BN_swap_ct() instead of BN_consttime_swap() in ec_GF2m_montgomery_point_multiply().
The new BN_swap_ct() API is an improved version of the public BN_consttime_swap() function: it allows error checking, doesn't assert(), and has fewer assumptions on the input. This diff eliminates the last use of BN_consttime_swap() in our tree. ok inoguchi, jsing
---
lib/libcrypto/ec/ec2_mult.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/libcrypto/ec/ec2_mult.c b/lib/libcrypto/ec/ec2_mult.c
index b4f771b2b5d..3e5d1dca853 100644
--- a/lib/libcrypto/ec/ec2_mult.c
+++ b/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.12 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -71,6 +71,7 @@
 #include
+#include "bn_lcl.h"
 #include "ec_lcl.h"
 #ifndef OPENSSL_NO_EC2M
@@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 for (; i >= 0; i--) {
 word = scalar->d[i];
 while (mask) {
- BN_consttime_swap(word & mask, x1, x2, group->field.top);
- BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+ goto err;
+ if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+ goto err;
 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
 goto err;
 if (!gf2m_Mdouble(group, x1, z1, ctx))
 goto err;
- BN_consttime_swap(word & mask, x1, x2, group->field.top);
- BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+ goto err;
+ if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+ goto err;
 mask >>= 1;
 }
 mask = BN_TBIT;
-- 
2.20.1
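Review bot: The new `goto err` branches after each `BN_swap_ct()` call make the ladder's control flow depend on the swap's return value, so the constant-time property of this loop now rests on `BN_swap_ct()` failing only for reasons independent of `word & mask` (a size check against `group->field.top` would be fine; anything derived from the condition would not), which this hunk cannot show and which is worth confirming against bn_lcl.h. A comment above the first swap would record that reasoning for the next reader, e.g. `/* BN_swap_ct() fails only on public size checks, so the error branch cannot depend on the scalar bit. */` (wording to be confirmed against the implementation). Note also that when the second `BN_swap_ct()` of a pair fails, `x1`/`x2` have already been swapped while `z1`/`z2` have not; since `err:` lies outside the hunk, it is worth checking that this path cannot publish a half-swapped intermediate into `r`. The enclosing ec_GF2m_montgomery_point_multiply() begins and ends outside this hunk.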