Use BN_swap_ct() instead of BN_consttime_swap() in

ec_GF2m_montgomery_point_multiply().  The new BN_swap_ct() API is an
improved version of the public BN_consttime_swap() function: it allows
error checking, doesn't assert(), and has fewer assumptions on the input.
This diff eliminates the last use of BN_consttime_swap() in our tree.

ok inoguchi, jsing

1 files changed, 10 insertions, 5 deletions

diff --git a/lib/libcrypto/ec/ec2_mult.c b/lib/libcrypto/ec/ec2_mult.c
index b4f771b2b5d..3e5d1dca853 100644
--- a/lib/libcrypto/ec/ec2_mult.c
+++ b/lib/libcrypto/ec/ec2_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_mult.c,v 1.12 2018/07/15 16:27:39 tb Exp $ */
+/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -71,6 +71,7 @@
 
 #include <openssl/err.h>
 
+#include "bn_lcl.h"
 #include "ec_lcl.h"
 
 #ifndef OPENSSL_NO_EC2M
@@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 	for (; i >= 0; i--) {
 		word = scalar->d[i];
 		while (mask) {
-			BN_consttime_swap(word & mask, x1, x2, group->field.top);
-			BN_consttime_swap(word & mask, z1, z2, group->field.top);
+			if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+				goto err;
+			if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+				goto err;
 			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
 				goto err;
 			if (!gf2m_Mdouble(group, x1, z1, ctx))
 				goto err;
-			BN_consttime_swap(word & mask, x1, x2, group->field.top);
-			BN_consttime_swap(word & mask, z1, z2, group->field.top);
+			if (!BN_swap_ct(word & mask, x1, x2, group->field.top))
+				goto err;
+			if (!BN_swap_ct(word & mask, z1, z2, group->field.top))
+				goto err;
 			mask >>= 1;
 		}
 		mask = BN_TBIT;