From 1c7727d98f4279760cde2908bbfe7e06b323c209 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 2 Aug 2025 15:44:09 +0000
Subject: Provide constant time conditional selection between EC_FIELD_ELEMENTs.

Provide a ec_field_element_select() function that allows for constant time conditional selection between two EC_FIELD_ELEMENTs. This will become a building block for constant time point multiplication. ok tb@
---
 src/lib/libcrypto/ec/ec_field.c | 15 ++++++++++++++-
 src/lib/libcrypto/ec/ec_internal.h | 4 +++-
 2 files changed, 17 insertions(+), 2 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/ec/ec_field.c b/src/lib/libcrypto/ec/ec_field.c
index ec1c7d11e0..0513b9f410 100644
--- a/src/lib/libcrypto/ec/ec_field.c
+++ b/src/lib/libcrypto/ec/ec_field.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_field.c,v 1.1 2025/05/25 05:12:05 jsing Exp $ */
+/* $OpenBSD: ec_field.c,v 1.2 2025/08/02 15:44:09 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing
 *
@@ -131,6 +131,19 @@ ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src)
 memcpy(dst, src, sizeof(EC_FIELD_ELEMENT));
 }
+void
+ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+ const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional)
+{
+ BN_ULONG mask;
+ int i;
+
+ mask = bn_ct_eq_zero_mask(conditional);
+
+ for (i = 0; i < fm->n; i++)
+ r->w[i] = (a->w[i] & mask) | (b->w[i] & ~mask);
+}
+
 int ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
diff --git a/src/lib/libcrypto/ec/ec_internal.h b/src/lib/libcrypto/ec/ec_internal.h
index 29b447e8c9..327d9ea94d 100644
--- a/src/lib/libcrypto/ec/ec_internal.h
+++ b/src/lib/libcrypto/ec/ec_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_internal.h,v 1.1 2025/05/25 05:12:05 jsing Exp $ */
+/* $OpenBSD: ec_internal.h,v 1.2 2025/08/02 15:44:09 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing
 *
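Review bot: The polarity of `conditional` in ec_field_element_select() (the `@@ -131,6 +131,19 @@` hunk of ec_field.c, and the matching prototype added to ec_internal.h) is not documented and is easy to read backwards. With `mask = bn_ct_eq_zero_mask(conditional)`, r appears to receive a when conditional is zero and b otherwise, assuming the helper, which is defined outside this patch, returns an all-ones mask for a zero argument. A comment above the function such as `/* Constant time select: r = a if conditional == 0, otherwise r = b. */` would keep callers in the planned point multiplication from inverting the choice. The same comment should say that only the first fm->n words of r are written: any words above n keep whatever r held before, while the ec_field_element_copy() visible in the context copies the whole struct.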
@@ -46,6 +46,8 @@ int ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *f
 BIGNUM *bn, BN_CTX *ctx);
 void ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src);
+void ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+ const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional);
 int ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
-- cgit v1.2.3-55-g6feb